Question

Mike Sipps

0

Putting external website in production

Is there anyone out there who would share their knowledge and experience on configuring external access to Rock in a DMZ?  I am trying to figure out how to securely deploy the external IIS server in a DMZ.  I have been researching this subject and can find no clear guidelines.  I would love to talk about your successful configuration.


Mike

  • Jim Michael

    0

    So I assume you're self-hosting, right? We are, too. We have the Rock IIS web server in a DMZ, and the SQL server inside on the LAN. The config is actually pretty straightforward and mainly done in the firewall. You basically need to:

    - Create a DMZ zone if it doesn't already exist. 

    - Install a Windows VM into this zone to be the web server.

    - Create access "pinhole" rules that allow the web VM access to ONLY the minimal things it needs to do its job. This means a rule for TCP 1433 between the web server IP and the SQL server IP, and perhaps one to allow UDP 53 for DNS if you want the web server to use your internal DNS... but we didn't even do that. We made our web server point to a public DNS and instead made HOSTS file entries for the few internal hosts the web server needs to look up.

    - Install Rock

    - Create access rules that allow public clients to get to ONLY port 80/443 on the web server.

    That's all I can think of off the top of my head. If you have more specific questions I'm happy to try and answer.
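
A way to check the pinhole setup described in the reply above from the DMZ web server itself, as an added example that is not part of the original thread. The SQL Server address, its host name and the list of ports expected to be blocked are constructed placeholders, and `Test-TcpPort` is a helper defined here, not a built-in cmdlet.

```powershell
# Run on the DMZ web server in an elevated PowerShell session.
# Address and name below are constructed placeholders; substitute your own.
$SqlIp     = '10.0.10.20'                  # internal SQL Server (assumed)
$SqlName   = 'rock-sql.example.internal'   # internal name (assumed)
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Pin the internal name in HOSTS so no UDP 53 rule to internal DNS is needed.
$pattern = "^\s*$([regex]::Escape($SqlIp))\s+$([regex]::Escape($SqlName))\b"
if (-not (Select-String -Path $HostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $HostsFile -Value "$SqlIp`t$SqlName"
}

# 2. Hypothetical helper: TCP connect with a short timeout.
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        return ($client.ConnectAsync($Address, $Port).Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false      # refused or unreachable
    } finally {
        $client.Dispose()
    }
}

# 3. Intended policy: only TCP 1433 from the web server to the SQL server.
$checks = @(
    [pscustomobject]@{ Port = 1433; ShouldBeOpen = $true;  Why = 'SQL Server pinhole' }
    [pscustomobject]@{ Port = 445;  ShouldBeOpen = $false; Why = 'SMB' }
    [pscustomobject]@{ Port = 135;  ShouldBeOpen = $false; Why = 'RPC endpoint mapper' }
    [pscustomobject]@{ Port = 3389; ShouldBeOpen = $false; Why = 'RDP' }
    [pscustomobject]@{ Port = 5985; ShouldBeOpen = $false; Why = 'WinRM' }
)

# 4. Compare what the firewall actually lets through with the policy.
$results = foreach ($c in $checks) {
    $open = Test-TcpPort -Address $SqlIp -Port $c.Port
    [pscustomobject]@{
        Target   = "${SqlIp}:$($c.Port)"
        Purpose  = $c.Why
        Expected = if ($c.ShouldBeOpen) { 'open' } else { 'blocked' }
        Actual   = if ($open) { 'open' } else { 'blocked' }
        Pass     = ($open -eq $c.ShouldBeOpen)
    }
}
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Error 'DMZ pinhole rules do not match the intended policy.'
    exit 1
}
```

A "blocked" result only shows that the connection did not complete; it cannot tell a firewall drop from a service that is not listening, so confirm unexpected results in the firewall's own rule list and logs. The public-facing 80/443 rule has to be checked from outside the network, which this script does not do.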