Problem
In the Venio install/upgrade guide, the firewall ports that each server needs are mentioned. However, in planning an update to our environment, the web server would be located in a DMZ, so it will need to have specific ports opened to the other servers inside the network it communicates with. With that in mind, can you tell me what other servers and ports the web server would need to communicate with inside the network?
Resolution
The only port required on the external-facing firewall to the DMZ is HTTPS port 443 (TCP) for SSL/TLS access. Unencrypted HTTP is available on port 80 (TCP) but NOT recommended.
All Venio services use TCP (Transmission Control Protocol). The following ports need to be opened between the IIS server in the DMZ and the internal resources:
Search Server default port: 8090 (TCP)
SQL Server default port: 1433 (TCP)
Export services port: 8093 (TCP)
The web server would need to be able to communicate with the Search Server, SQL database server, and export services. This can be accomplished by opening the ports listed above on the internal network firewall.
The Export Services handle all file activity from IIS, which allows the IIS server to be set up in the DMZ without giving it direct access to internal file shares. The export server will need to be configured properly in order to access the internal file repository.
Note that the ports have to be opened on the internal-facing firewall of both the web server and the server it needs to communicate with, so that traffic can pass in both directions. Also ensure that the built-in Windows firewall, or any other software firewall on the web server and the other servers, is configured to allow the IIS server in the DMZ to communicate with the servers on the internal network.
Finally, it is recommended to use a whitelist approach so that only authorized IPs can access the IIS server in the DMZ. Open only the relevant ports on the firewall and grant no unnecessary access.
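As an added example (not taken from the Venio guide), the PowerShell below scopes the inbound Windows firewall rules on the internal servers to the DMZ web server and then checks, from the IIS server, that only the three listed ports are reachable. The host names, the 192.0.2.10 address, the function names and the SMB (TCP 445) check against the file repository are assumptions made for illustration.

```powershell
# Added example. Host names and the IP address are placeholders (assumptions).
$WebServerIp = '192.0.2.10'   # DMZ IIS server, documentation-range placeholder

# Ports are the defaults from the article; Expect says whether the DMZ web
# server should be able to reach them.
$Targets = @(
    @{ Name = 'Search Server';   Target = 'search01.example.internal'; Port = 8090; Expect = $true }
    @{ Name = 'SQL Server';      Target = 'sql01.example.internal';    Port = 1433; Expect = $true }
    @{ Name = 'Export Services'; Target = 'export01.example.internal'; Port = 8093; Expect = $true }
    # Assumption: the file repository is reached over SMB (TCP 445), which
    # should stay closed to the DMZ because Export Services handles file access.
    @{ Name = 'File repository'; Target = 'files01.example.internal';  Port = 445;  Expect = $false }
)

# Run elevated on each internal server: allow its Venio port from the web server only.
function Add-VenioInboundRule {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][int]$Port,
          [Parameter(Mandatory)][string]$AllowedSource)
    New-NetFirewallRule -DisplayName "Venio $Name from DMZ IIS (TCP $Port)" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $AllowedSource -Action Allow
}

# Run on the DMZ IIS server: report each target and flag mismatches.
function Test-VenioDmzPorts {
    foreach ($t in $Targets) {
        $probe = Test-NetConnection -ComputerName $t.Target -Port $t.Port `
                     -WarningAction SilentlyContinue
        [pscustomobject]@{
            Name      = $t.Name
            Target    = $t.Target
            Port      = $t.Port
            Reachable = $probe.TcpTestSucceeded
            Expected  = $t.Expect
            Ok        = ($probe.TcpTestSucceeded -eq $t.Expect)
        }
    }
}

# Example calls:
# Add-VenioInboundRule -Name 'Search Server' -Port 8090 -AllowedSource $WebServerIp
# Test-VenioDmzPorts | Format-Table -AutoSize
```

A row with Ok = False means either a required port is still blocked somewhere along the path or the web server can reach the file share directly, which the Export Services design is meant to avoid.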