Here are my thoughts on the preferred order of placement options for the Expressway appliances, assuming you are using VMWare here and not the "physical" appliance versions:
- "Dual DMZ" deployment
- Server Placement:
- Expressway E LAN#1 in "DMZ A"
- Expressway E LAN#2 in "DMZ B" with a static 1 to 1 NAT
- Expressway C on the "inside" network
- Advantages:
- More secure since external traffic will traverse 2x DMZs
- You do not have to trunk the VMWare environment directly to the internet as you would with option #2
- Disadvantages:
- Requires more firewall config with the second DMZ (increased complexity)
- Other Notes:
- This is my go to design for Expressway, in my opinion it is the best. If for some reason the EXP-E is compromised, the attacker still has a DMZ between themselves and the inside of the network.
- "Single DMZ" deployment
- Server Placement:
- Expressway E LAN#1 in "DMZ A"
- Expressway E LAN#2 directly connected to the internet
- Expressway C on the "inside" network
- Advantages:
- Easier than option #1 since there is only a single DMZ to configure
- Disadvantages:
- Requires you to trunk the "internet" network to your VMWare environment.
- Less secure than option #1. The EXP-E is not behind any firewall on LAN#2.
- Other Notes:
- This deployment method works just fine. If you only have one DMZ to work with, I would use this option.
I have also seen deployments that put the EXP-E LAN#2 behind an internet DMZ with one to one NAT and put LAN#1 on the voice network where the EXP-C lives. I do not recommend this approach as if the EXP-E were compromised, an attacker would gain access to the inside of your network. At minimum, keep a firewall between the EXP-C and the EXP-E.
I hope this helps.
