I am deploying the DUO reverse proxy (DNG) with 2FA to protect internal web applications.
Normally, I would put the DNG server in a firewalled DMZ, then create firewall rules to allow 443 from outside the network to the DMZ proxy.
Create a DNS record for www.myweb.com that points to the IP address of the reverse proxy; that's what clients will connect to and that's what presents the TLS certificate.
Then point the DNG to the internal web server and allow port 80 via firewall rules.
My main concern: is this design secure enough to protect the internal servers from any attack, or do we need to move the internal web server to the DMZ as well?