This article was previously published under Q191146
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
This article explains how to create a so-called DMZ network using Microsoft Proxy Server 2.0. A DMZ (demilitarized zone) is essentially a network that exists between two other networks. Usually the two other networks do not trust each other.
A DMZ is generally used with Microsoft Proxy Server when the Server Proxy and Reverse Proxy features cannot be used. If you are using an Apple, UNIX, OS/2, or other operating system and you are not publishing HTTP, configuring a DMZ network is recommended.
NOTE: The Server Proxy feature works only with applications on the Microsoft Windows platform; the Reverse Proxy feature works only with HTTP servers. If your application runs on Windows, it is recommended that you use the Server Proxy or Reverse Proxy features to publish from behind the Proxy Server computer. More information about these features can be found in the "Configuring Multi-server Environments" section of the Microsoft Proxy Server 2.0 documentation.
The following example demonstrates how to create a DMZ with a Proxy Server computer.
The three networks are separate physical segments connected to a Microsoft Proxy Server 2.0 computer using three network interface cards (NICs).
Network A = Internet
Network B = DMZ
Network C = Private intranet
Because Network B (DMZ) is only partially trusted by Network C, and Network C does not trust Network A, the DMZ should be protected. The Proxy Server 2.0 packet filter driver protects networks B and C, because it filters all traffic that passes through the NIC on network A.
Install Microsoft Proxy Server 2.0 on a three-NIC computer (one NIC for each network: intranet, Internet, and DMZ). Be sure to select the Disable Packet Filtering option in the Proxy Server settings.
The Internet and DMZ networks must have valid Internet Protocol (IP) addresses, and these addresses must be on different logical subnets in order for routing to function.
The intranet NIC and DMZ NIC TCP/IP addresses must be included in the Proxy Server computer's Local Address Table (LAT).
Any servers on the DMZ segment must also use a valid IP address and must not be included in the LAT on the Proxy Server computer.
Enable IP forwarding on the Proxy Server computer. After this is enabled, computers on the Internet segment should be able to ping servers on the DMZ segment.
If you are unable to ping from the Internet segment to the DMZ segment, verify that your Internet router or gateway has a valid route to your DMZ segment. If not, you must manually add a static route to the Internet router. If the router is managed by your Internet Service Provider, the ISP will have to make this change for you.
The default gateway address of each computer located on the DMZ network should be set to the address of the DMZ NIC on the Proxy Server computer.
Enable Packet Filtering on the Proxy Server computer. You should open all relevant static filters (to enable traffic between the Internet and the DMZ computers). To do this, you must manually create packet filter exceptions or use predefined packet filters in the Proxy Server security settings and specify the address of the computer(s) on the DMZ network.
For example, if you have a UNIX computer on the DMZ and you want Internet hosts to connect to it using Telnet, the following packet filter would allow Telnet connections through but block all other connections to the UNIX server:
DMZ UNIX server IP address = 172.16.0.1
In the Proxy Server security dialog box, select Add to add a packet filter exception.
Use either of the following Packet Filter properties as examples:
Custom filter
-------------
Protocol ID: TCP
Direction: BOTH
Remote Port: ANY
Local port: FIXED PORT 23
Local host: INTERNAL COMPUTER 172.16.0.1
Remote host: ANY HOST (single host can be used for added security)

HTTP
----
Protocol ID: TCP
Direction: BOTH
Remote Port: ANY
Local port: FIXED PORT 80
Local host: INTERNAL COMPUTER 172.16.0.1
Remote host: ANY HOST (single host can be used for added security)
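The filter exceptions and LAT rules above, modelled as an added example that is not part of this article or of Proxy Server itself: the Internet, intranet and DMZ NIC addresses and the LAT ranges are constructed, and only the DMZ server address 172.16.0.1 comes from the article. It shows why putting the whole DMZ subnet in the LAT, rather than just the DMZ NIC, violates the rule that DMZ servers stay out of the LAT.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface

ANY = "ANY"

@dataclass(frozen=True)
class FilterException:
    """One static packet-filter exception, fields named as in the Proxy Server dialog."""
    protocol: str            # Protocol ID, e.g. "TCP"
    local_port: int          # Local port: FIXED PORT on the DMZ host
    local_host: str          # Local host: INTERNAL COMPUTER address on the DMZ segment
    remote_host: str = ANY   # Remote host: ANY HOST, or one address for added security

    def matches(self, proto, remote_ip, local_ip, local_port):
        return (proto == self.protocol and local_ip == self.local_host
                and local_port == self.local_port
                and (self.remote_host == ANY or remote_ip == self.remote_host))

# The two exceptions from the article, for the article's DMZ UNIX server address.
DMZ_UNIX_SERVER = "172.16.0.1"
FILTERS = [FilterException("TCP", 23, DMZ_UNIX_SERVER),   # Telnet
           FilterException("TCP", 80, DMZ_UNIX_SERVER)]   # HTTP

def inbound_allowed(proto, remote_ip, local_ip, local_port, filters=FILTERS):
    """Filtering on the Internet NIC: deny by default, allow only on a matching exception."""
    return any(f.matches(proto, remote_ip, local_ip, local_port) for f in filters)

def check_dmz_config(lat_ranges, internet_nic, dmz_nic, intranet_nic, dmz_servers):
    """Return the configuration problems the article warns about (empty list if none).

    NICs are "address/prefix" strings; lat_ranges are (first, last) address pairs as
    entered in the LAT. All sample addresses passed by callers below are constructed."""
    def in_lat(addr):
        a = ip_address(addr)
        return any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in lat_ranges)
    problems = []
    if ip_interface(internet_nic).network == ip_interface(dmz_nic).network:
        problems.append("Internet and DMZ NICs share a logical subnet; routing will fail")
    for name, nic in (("intranet NIC", intranet_nic), ("DMZ NIC", dmz_nic)):
        if not in_lat(str(ip_interface(nic).ip)):
            problems.append(f"{name} {nic} is missing from the LAT")
    for srv in dmz_servers:
        if in_lat(srv):
            problems.append(f"DMZ server {srv} must not be in the LAT")
    return problems

if __name__ == "__main__":
    print(inbound_allowed("TCP", "198.51.100.7", DMZ_UNIX_SERVER, 23))   # True
    print(inbound_allowed("TCP", "198.51.100.7", DMZ_UNIX_SERVER, 22))   # False
    # Whole DMZ subnet entered in the LAT: flags the DMZ server as wrongly included.
    print(check_dmz_config([("10.0.0.1", "10.0.0.254"), ("172.16.0.1", "172.16.0.254")],
                           "192.0.2.10/24", "172.16.0.254/24", "10.0.0.1/24", [DMZ_UNIX_SERVER]))
```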