Server-Only Configuration on the Network DMZ

In this configuration, the server is installed in the Demilitarized Zone (DMZ) of a customer’s existing firewall. It acts only as a server and is protected from Internet exposure by the existing firewall.

Note: In a DMZ configuration, the firewall is the gateway for all traffic.

Firewall Configuration

The enterprise firewall must have three network interfaces: WAN, LAN, and DMZ. Two-port firewalls are not supported.

In the firewall's DMZ, allocate a static IP address to the MBG. Typically, this is a private address as defined in RFC 1918.

On the firewall's WAN interface, configure a static IP address from the public/Internet range. This address must be:

dedicated to the MBG solution
publicly routable via the firewall
reachable from the Internet and the internal network

Note: Teleworker devices point to the IP address on the firewall's WAN interface in order to access the MBG server. If this address changes, the Teleworker devices must be updated accordingly.

MSL Configuration

In MSL, do the following:

Access the MSL Server Console and select Configure this server.
In Local Network Parameters, enter the server's internal (LAN) IP address server or select the default. This address SHOULD be:
- dedicated to the MBG solution
- private (allocated from DMZ network range)
- reachable from the internal network

MBG Configuration

In MBG, do the following:

On the MBG main page, click the Network tab and click Profiles.
Select Server-only configuration on the network DMZ.
Select Apply DMZ configuration.

When configuration is complete, the system will use the public, post-NAT address of the server for both the set-side and ICP-side streaming addresses of the MBG. To determine this address, access the MSL Server Manager, select Review Configuration and examine the Internet Visible IP Address field.

The following diagram provides an example of a “Server-only configuration on the network DMZ”: