Cisco Support Community
New Member

DMZ on Pix

I want to put a Citrix terminal server on my DMZ that from there will have access to an MSSQL database on the inside network. My question is why is this necessary? Is this not the same as putting the Citrix on the inside network and just setting up 1 static and 1 ACL for the relevant ports? I realize the DMZ is more secure than the internal network, but when I open the ports and set up a static from the DMZ to the inside it seems that I am just essentially adding one more step and more statics to manage. Can someone please elaborate a little more on this.

Thanks Joe

New Member

Re: DMZ on Pix

1. DMZ is less secure than the inside network. That is the concept of DMZ.

2. The reason why you want to put your Citrix server on the DMZ and the MSSQL server on the inside network is that, if somebody breaks into the citrix server and hence the DMZ, your SQL database is still safe.

3. Through the firewall, you only open ports so that ONLY the Citrix machine can access the SQL server. Host to host and only required ports.

Hope this helps.

New Member

Re: DMZ on Pix

The reason is that traffic will be required to pass through 2 firewall rulesets (called the layered/separated model). One to access the Citrix box and one for the Citrix box to connect to the SQL server. Direct access to your local LAN means that if the Citrix box is owned, a potential attacker has access to your entire internal network. It is not essential to do this but it is a good security practice.
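As an added illustration of the two rulesets described in the replies above (this is not configuration from the thread or from Cisco), here is a PIX 6.x-style sketch of the layered model: one ruleset admitting only Citrix ICA to the DMZ host, and a second host-to-host, single-port rule from that DMZ host to the inside SQL server. Addresses are constructed from documentation ranges, and the port numbers assume Citrix ICA on TCP/1494 and MSSQL on TCP/1433; lines starting with `!` are annotations.

```text
! Interfaces: security levels make dmz less trusted than inside
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
!
! Ruleset 1: outside -> dmz. Expose only the Citrix server (192.168.10.5),
! and only on the ICA port.
static (dmz,outside) 203.0.113.10 192.168.10.5 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 1494
access-group outside_in in interface outside
!
! Ruleset 2: dmz -> inside. An identity static lets the DMZ reach the SQL
! host (10.1.1.20) by its real address; the ACL then allows exactly one
! source host, one destination host, one port. Every other DMZ-to-inside
! flow falls to the implicit deny at the end of the list.
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
access-list dmz_in permit tcp host 192.168.10.5 host 10.1.1.20 eq 1433
access-group dmz_in in interface dmz
!
! Contrast: with Citrix placed on the inside, only ruleset 1 exists, so a
! compromised Citrix host reaches every inside address with no filter between.
```

Ruleset 2 is the extra "static plus ACL" the original question asks about; its value is that a compromised DMZ host is confined to a single inside address and port rather than the whole LAN.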
