Provide access to the Internet with an Airwall Gateway in the DMZ

Provide Access to the Internet with an \ Airwall Gateway in the demilitarized zone (DMZ).

If you have protected devices that need access to the Internet (to get updates from Windows Update, or report to a cloud reporting service that is not protected by an Airwall Gateway, Agent, or Server, for example), you can provide that access by putting an Airwall Gateway in the DMZ (demilitarized zone, or perimeter network).

Note: It can be more practical to use a Microsoft WSUS server to provide a local copy of Windows and other Microsoft updates rather than allowing devices on the Overlay access to the Internet. For more information on this option, see Windows WSUS help.

How to Provide Access as Securely as Possible

When you put an Airwall Gateway in the DMZ, basically the entire world is a “Trusted Device” for the Overlay, so you need to tightly control the access into the Airwall Gateway Overlay. To do this, you must:

  • Locate the Airwall Gateway in the DMZ adjacent to the firewall
  • Configure strong firewall policies regarding traffic to and from the Overlay.
  • Have a security policy on your firewall that doesn't open the HIP tunnel up to the entire world.

Use the following guidelines to provide access in the most secure way possible.

CAUTION: Potential Routing Issues with a Layer 3 (Routed) Overlay: When you are deploying the DMZ Airwall Gateway, and add the local device to the DMZ Airwall Gateway, a route appears on all of your Airwall Gateways that have policy with the DMZ Airwall Gateway. This route can cause routing issues if you have a Layer 3 (Routed) Overlay, and you may need to adjust local routes on the Airwall Gateways and Airwall Agents and Servers accordingly.
Warning: Windows and Mac Airwall Agents and Serverss: If you add the route to policy with a Windows or Mac Airwall Agent or Server, it causes the Airwall Agent or Server to enter Full Tunnel mode and direct all network traffic through the HIP tunnel.

Before you Begin

This procedure requires the following:

  • Conductor V2.2x or later
  • A physical or virtual Airwall Gateway v2.2.x or later to use as the DMZ Airwall Gateway.

Before you configure a Airwall Gateway in the DMZ, you must:

  • Have a firewall or switch set up on your network and connected to the Internet.
  • Have an open port on your firewall or switch to connect the Airwall Gateway.

Deploy the Airwall Gateway in the DMZ

To deploy an Airwall Gateway in the DMZ:

  1. Install the Airwall Gateway in the DMZ
  2. Configure the Firewall
  3. Configure the DMZ Airwall Gateway
  4. Test the DMZ Airwall Gateway and Firewall Configuration
  5. Connect the DMZ Airwall Gateway to the Internet
  6. Test the Deployment
    The following diagram gives an overview of how the Airwall Gateway is installed in the DMZ:

    Diagram showing the Airwall Gateway installed in the DMZ, with firewall security policy protecting the Airwall Gateway

    For more details, see the following sections.

Step 1: Install the Airwall Gateway in the DMZ

Install a Airwall Gateway in the DMZ with the Overlay Port plugged in to the Firewall (or the switch that is hosting the DMZ).

Step 2: Configure the Firewall

Configure your firewall to limit inbound traffic to the IP of the Airwall Gateway. You want to allow outbound traffic and inbound traffic for open connections. This configuration prevents hosts on the Internet from scanning the DMZ and the Airwall Gateway. For more information, see the instructions for your firewall.

Step 3: Configure the DMZ Airwall Gateway

Configure the Overlay port group on the DMZ Airwall Gateway as follows:

  1. Add the IP address of the interface of the Firewall in the DMZ.
  2. Set the Default Route to the interface of the Firewall.
  3. Check Enable source NAT to force all overlay traffic to appear to come from the Airwall Gateway.

Step 4: Test the DMZ Airwall Gateway and firewall configuration

Test your configuration to make sure it is working as you expected.

Step 5: Connect the DMZ Airwall Gateway to the Internet

To connect the DMZ Airwall Gateway to the Internet, you set up the local device and Overlay.

  1. On the DMZ Airwall Gateway, in Local Devices, click Add Device, and add the Local Device
  2. Create an overlay called Internet Access (or similar name, so you know what permissions it implies).
  3. Add the Local Device and all devices that require Internet access.
    Note: As a best practice, configure overlays to limit connectivity to only those devices and servers that must communicate with each other.
  4. Create trust from all other members of the Internet Access overlay to only to the device (a Hub and Spoke arrangement, not a mesh).

Step 6: Test the deployment

  1. In the Conductor, open the DMZ Airwall Gateway, and go to Diagnostics > Check connectivity.
  2. In Ping a single IP address, under IP address or hostname, select Overlay Port group.
  3. Enter the IP of a known host on the Internet, such as, and select Ping.
    If the ping succeeds, the deployment is working.