Provide access to the Internet with an Airwall Gateway in the DMZ


If you have protected devices that need access to the Internet (to get updates from Windows Update, or report to a cloud reporting service that is not protected by an Airwall Gateway, Agent, or Server, for example), you can provide that access by putting an Airwall Gateway in the DMZ (demilitarized zone, or perimeter network).

Note: It can be more practical to use a Microsoft WSUS server to provide a local copy of Windows and other Microsoft updates rather than allowing devices on the Overlay access to the Internet. For more information on this option, see Windows WSUS help.

How to Provide Access as Securely as Possible

When you put an Airwall Gateway in the DMZ, the entire Internet effectively becomes a “Trusted Device” for the Overlay, so you need to tightly control access into the Airwall Gateway Overlay. To do this, you must:

  • Locate the Airwall Gateway in the DMZ adjacent to the firewall.
  • Configure strong firewall policies for traffic to and from the Overlay.
  • Have a security policy on your firewall that does not expose the HIP tunnel to the entire world.
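One way to express the three requirements above as an actual firewall policy, given here as an added example that is not part of this Airwall documentation: an nftables ruleset for a Linux-based firewall sitting between the Internet and the DMZ. The addresses, interface names and the HIP tunnel port (UDP 10500) are assumptions; replace them with the values from your own deployment.

```nftables
# Added illustration, not Airwall documentation. Assumed values (replace them):
#   192.0.2.10        underlay address of the DMZ Airwall Gateway
#   203.0.113.0/24    public addresses of the remote Airwall Gateways and Agents
#   udp/10500         HIP tunnel port (assumed default; verify in your Conductor)
#   eth0 = Internet side of the firewall, eth1 = DMZ side
define DMZ_AIRWALL = 192.0.2.10
define HIP_PEERS   = { 203.0.113.0/24 }
define HIP_PORT    = 10500

table inet dmz_airwall {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were already permitted below.
        ct state established,related accept

        # 1. HIP tunnel: only the listed peers may reach the DMZ gateway.
        #    Without the source restriction the tunnel endpoint is reachable
        #    from the whole Internet, which is the exposure the text warns about.
        iifname "eth0" oifname "eth1" ip daddr $DMZ_AIRWALL \
            ip saddr $HIP_PEERS udp dport $HIP_PORT accept

        # 2. Overlay egress: the gateway forwards protected-device traffic to the
        #    Internet. Allow only what those devices need (here DNS plus HTTP/HTTPS
        #    for Windows Update and a cloud reporting service), not "any".
        iifname "eth1" oifname "eth0" ip saddr $DMZ_AIRWALL udp dport 53 accept
        iifname "eth1" oifname "eth0" ip saddr $DMZ_AIRWALL tcp dport { 80, 443 } accept

        # Management traffic between the gateway and the Conductor is not shown;
        # add it for your deployment rather than widening the rules above.

        # 3. Everything else between the Internet and the DMZ, including any
        #    inbound connection the Overlay did not initiate, is logged and dropped.
        log prefix "dmz-airwall-drop: " drop
    }
}
```

Load it with `nft -f` and confirm the drop counter and log prefix show up for an unsolicited connection attempt to the gateway from an address outside the peer set.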

Use the following guidelines to provide access in the most secure way possible.

CAUTION: Potential Routing Issues with a Layer 3 (Routed) Overlay: When you deploy the DMZ Airwall Gateway and add the 0.0.0.0/0 local device to it, a 0.0.0.0/0 route appears on all of your Airwall Gateways that have policy with the DMZ Airwall Gateway. This route can cause routing issues if you have a Layer 3 (Routed) Overlay, and you may need to adjust local routes on the Airwall Gateways and Airwall Agents accordingly.
Warning: Windows and Mac Airwall Agents: If you add the 0.0.0.0/0 route to policy with a Windows or Mac Airwall Agent, it causes the Airwall Agent to enter Full Tunnel mode and direct all network traffic through the HIP tunnel.

Before you Begin

This procedure requires the following:

  • Conductor v2.2.x or later.
  • A physical or virtual Airwall Gateway v2.2.x or later to use as the DMZ Airwall Gateway.

Before you configure an Airwall Gateway in the DMZ, you must:

  • Have a firewall or switch set up on your network and connected to the Internet.
  • Have an open port on your firewall or switch to connect the Airwall Gateway.