Create a Virtual Windows Domain with Virtual DMZ (Part 4)

For the final part of my network I am moving my IIS server into a Screened Subnet. I need to change the IP address of the web server and place it between a WinGate Firewall and a pfSense Firewall (acting as a firewall this time, as opposed to the router-only function from earlier). I’ve discussed installing and configuring pfSense in an earlier post.

My actual PC (my host) acts as the outside world to the internal network contained in my Oracle VirtualBox. The network now looks like this

I contact the web server in the diagram via the IP address which is the IP address issued by the DHCP on my Wireless Network piped into my home by my ISP. The URL looks something like this, and it is entered into a browser on my physical PC.

The URL hits the Wingate Firewall where I have a redirect rule to redirect to the IIS web server ( The Web server then contacts the MySQL Server on the Ubuntu machine ( It does this via a TCP rule on port 3306 (3306 is the default TCP port for MySQL) opened up on the pfSense Firewall. No other communication is permitted from the DMZ web server to the internal network.

I can now probe, attack and map this network from my host PC ( A good lab to work with. As it happens I won’t be doing that just yet!

Going back to my Hands-On goals I’m diverting to the New York Polytechnic online resources and Webgoat tutorials. I’ll be posting my progress through both of these areas as I go.

One last thing. The Windows XP machines on my internal network do not currently have internet access. In the coming weeks I’ll come back and correct this when I deploy a web proxy to my internal network and open up communication through my DMZ to allow these machines to contact the web.

Hope this was of interest and use to anyone reading this!

Install WinGate
1. Download WinGate from here
2. I’ll let the WinGate guys show you how to install the firewall
3. WinGate comes with a single free licence, which is ideal for lab purposes.
4. Set up your two network interfaces. One should be your external connection (e.g. internet). The other should be your protected internal network.

Create A Redirect Rule on WinGate
1. Open WinGate admin console
2. Go to Control Panel>Extended Networking>Port Security
3. Because this is a redirect from an external network to the DMZ, select the Internet Computers to the WinGate PC checkbox
4. Select the TCP checkbox
5. We are redirecting an HTTP request, so enter 80 in the Ports to textbox
6. Enter the IP address you are redirecting to in the Redirect Packet to IP Address textbox
7. Tick the Don’t translate source IP address checkbox
8. Click OK to exit and save your settings

Open a TCP port on pfSense
1. Open the pfSense web console
2. Default user name and password: admin/pfsense
3. Select Firewall>Rules from the drop down menu
4. Click the WAN interface (this is the interface facing your DMZ, where the IIS server sits)
5. Select the + sign to add a new rule
6. Select WAN as the Interface
7. Select TCP as the Protocol
8. Select single host or alias in the Source
9. Still in Source enter the IP address of your DMZ IIS server
10. Select single host or alias in the Destination
11. Still in Destination enter the IP address of your MySQL server on your secure internal network
12. In Destination port range, select ‘other’ for from and enter 3306
13. In Destination port range, select ‘other’ for to and enter 3306
14. Tick Log if you want to log your packets over this rule
15. Hit Save and wait for pfSense to apply your changes
16. Once the changes are applied your rule is active. Only this single flow (DMZ web server to MySQL on TCP 3306) should now pass from the DMZ into the internal network.
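A quick way to confirm the segmentation described above (one allowed flow from the DMZ web server to MySQL on TCP 3306, nothing else into the internal network) is to probe each expected flow from the DMZ host and compare against the intended policy. This is an added example, not part of the original post or the pfSense/WinGate tooling; the 10.0.x.x addresses and the blocked services listed are constructed placeholders for the post’s elided lab addresses.

```python
import socket
from typing import Callable, Dict, Tuple

# Constructed lab addresses (the post's real addresses are not reproduced).
DB_HOST = "10.0.1.20"   # assumption: MySQL on the internal Ubuntu machine
DC_HOST = "10.0.0.1"    # assumption: Windows 2008 domain controller

# Policy the pfSense rule is meant to enforce, as seen from the DMZ web
# server: exactly one flow is allowed; every other listed flow must fail.
POLICY: Dict[Tuple[str, int], bool] = {
    (DB_HOST, 3306): True,   # MySQL, permitted by the pfSense rule
    (DB_HOST, 22): False,    # SSH on the Ubuntu box must be blocked
    (DC_HOST, 445): False,   # SMB on the domain controller must be blocked
    (DC_HOST, 389): False,   # LDAP on the domain controller must be blocked
}

Connector = Callable[[str, int], bool]

def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unreachable or timed out: the firewall (or host) blocked it.
        return False

def verify_dmz_policy(policy: Dict[Tuple[str, int], bool],
                      connect: Connector = tcp_connect) -> Dict[Tuple[str, int], str]:
    """Probe every flow in policy and map it to 'ok' or a 'violation: ...' verdict."""
    results: Dict[Tuple[str, int], str] = {}
    for (host, port), expected_open in policy.items():
        actual_open = connect(host, port)
        if actual_open == expected_open:
            results[(host, port)] = "ok"
        elif actual_open:
            results[(host, port)] = "violation: unexpectedly reachable"
        else:
            results[(host, port)] = "violation: allowed flow is blocked"
    return results

def policy_holds(results: Dict[Tuple[str, int], str]) -> bool:
    """True only when every probed flow matched the intended policy."""
    return all(verdict == "ok" for verdict in results.values())

if __name__ == "__main__":
    # Run this from the DMZ web server after applying the pfSense rule.
    for (host, port), verdict in verify_dmz_policy(POLICY).items():
        print(f"{host}:{port:<5} {verdict}")
```

Run it from the DMZ host after saving the pfSense rule; any "violation" line means either the rule is wrong or something else on the path is letting traffic through.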


Create a Virtual Windows Domain with Virtual DMZ (Part 3)

For part 3 of my virtual network I have created an IIS Web Server hosting an old dating web site I wrote many years ago. The web server runs on another Windows XP machine (SP3).

It runs on top of MySQL Server 5.5. The MySQL Server runs on 64-bit Ubuntu 12.04 Desktop.

For the time being both the IIS Web Server and the Ubuntu machine run on the same network. In part 4 of the network build I will move the web server into a screened subnet (DMZ), from where it will contact the MySQL Server.

The network now looks like this

Install MySQL 5.5 on Ubuntu 12.04
1. Open a Terminal Window in Ubuntu
2. Type this command: sudo apt-get install mysql-server-5.5
3. Enter your password to authenticate, and apt will download the MySQL files and install them on your Ubuntu machine. Note that you will be asked to set a MySQL root password during this process
4. When the installer finishes you are returned to the command line
5. Type the following command to initialise MySQL: sudo mysql_install_db
6. Type the following command to tighten the security settings on your MySQL database: sudo mysql_secure_installation
7. MySQL is up and running.
8. Here are some pointers to getting started with your MySQL installation
9. One point here: in part 4 I will be accessing MySQL remotely. This will mean giving whatever database user you use to connect to the database special privileges. I’ll go through this in the next post

Create a Virtual Windows Domain with Virtual DMZ (Part 2)

For part two of the network I have used pfSense as a router (all firewall and NAT services have been disabled) and installed Oracle XE on Ubuntu 12.04. I have also installed Oracle SQL Developer on the XP clients to connect to the Oracle db on a new subnet.

Steps to install each are as follows:

Install and Configure pfSense
1. Download pfSense
2. As I mentioned previously, I’m using Oracle VirtualBox to create my virtual machines. You will need to create a virtual machine of type BSD, FreeBSD (64-bit) to install pfSense
3. You will need to enable two Network Adapters of ‘Internal Network’ type on your pfSense virtual machine
4. One should be the internal network that your Windows Domain sits on. The other should be the network you intend to place your Ubuntu and Oracle db on
5. Kick off the install by referencing the pfSense iso through the virtual machine you have just created.
6. Select ‘1. Boot pfSense [default]’ from the boot menu
7. Select the ‘(I)nstaller’ option
8. Accept all defaults that follow. Screen shots of the installation process are here on the pfSense website
9. After installation pfSense reboots and you are asked to configure the device
10. When you are asked ‘Do you want to set up VLANs now?’ type ‘n’
11. Type ‘em0’ for the WAN interface name
12. Type ‘em1’ for the LAN interface name
13. Simply hit enter when prompted for the ‘Optional 1’ interface
14. Hit ‘y’ when you are asked to proceed with the names you have assigned to the LAN and WAN interfaces.
15. pfSense now applies your configuration and displays its interface menu. The device is up and running
16. All that remains is to apply the correct IP addresses to your LAN and WAN interfaces
17. Select ‘2) Set interface(s) IP Address’ from the console menu
18. For the LAN and WAN interfaces enter a valid IP address for the Windows Domain network and one for the Ubuntu machine you will create later in this part of the network creation. It’s a matter of choice what private IP address you set at this stage.
19. The IP address you set in the router will act as the default gateway for the XP machines and Ubuntu machine respectively
20. Now configure the pfSense device as a router only. This step disables the firewall functionality of pfSense. I will use pfSense as an actual firewall in a later section but for now I only need it to act as a router.
21. pfSense is now configured
22. If that didn’t make sense here’s a video link from pcaddicts explaining the installation

Install Ubuntu 12.04
1. Get the Ubuntu installation here
2. Create an Ubuntu 64-bit virtual machine (needed to install the 64-bit version of Oracle XE 11.2)
3. The installation is quite simple, but here’s a how-to link from the Ubuntu website

Install Oracle XE 11.2 on Ubuntu 12.04
1. Get the Oracle installation here
2. Installing Oracle XE on Ubuntu can be tricky, but here’s an excellent guide on how to do it
3. Just two points on this installation: section ‘C.5. Setup Oracle environment variables’ did not work for me and I had to explicitly set the variables. I did so in the terminal window with the commands below:
export ORACLE_HOME=/u01/app/oracle/product/11.2.0/xe
export ORACLE_BASE=/u01/app/oracle
4. If you want to start Oracle automatically each time your Ubuntu machine starts carry out the steps listed here in Manish Raj’s blog. Thanks Manish!
5. Finally load a sample db which you can connect to. Here’s a simple db script from the Oracle XE tutorial series. Open the tutorial and select the attachments tab to download the db script.

Install Oracle SQL Developer
1. Finally install Oracle SQL Developer on your XP Client machines
2. Set up a connection through SQL Developer and connect to your Oracle DB. Just one point here: you will need to turn off the Windows Firewall to allow SQL Developer to connect to the Oracle db on the Ubuntu machine.

Create a Virtual Windows Domain with Virtual DMZ Network Diagram (Part 2)

For the second part of my network creation, I am going to extend the current network to include a different subnet. This subnet is connected via a router to the XP clients on my Windows 2008 Domain. The new subnet contains an Ubuntu machine that hosts an Oracle XE 11.2 database server. In the mocked network the XP clients use Oracle SQL Developer to connect to the Oracle database hosted on the new subnet. The extended network now looks like this.

I’ve outlined how I built the new components in the next post.

Create a Virtual Windows Domain with Virtual DMZ Network Diagram (Part 1)

At the end of the Create a Virtual Windows Domain with Virtual DMZ Diagram (Part 1) my virtual network now looks like this.

The two IP addresses listed against the XP machines are the dynamically allocated addresses handed out by the DHCP server. The default gateway listed will be used to communicate with a different subnet. The subnet will be created in the next part of the network build.

The Windows 2008 Server has the Active Directory Domain Services, DHCP Server and DNS Server roles installed.

The IP range for the DHCP server is to

Create a Virtual Windows Domain with Virtual DMZ (Part 1)

As part of my Hands-On Goals I’ve created the first part of my virtual Windows domain.

The domain has a Microsoft Windows 2008 R2 Server as a domain controller. The controller has the following roles added – DNS, Active Directory and DHCP, which issues IP addresses to any client machines on the domain.

I’ve created two virtual Windows XP machines (with Service Pack 3) and added these in to my Windows domain.

All this is created using VirtualBox. I played around with Microsoft Virtual PC 2007, but found VirtualBox to be the more straightforward of the two when it came to creating virtual machines.

I’m running a Dell PowerEdge SC440 as my host machine. The spec of this physical machine is: 2GB RAM (hoping to bump this up in the next two weeks) and a 75GB hard disk. I’ve installed Windows XP with Service Pack 3 on top as the operating system.

Here is the list and order of tasks needed to create the domain.

1. Install VirtualBox on your PC
2. Create a virtual machine in VirtualBox to host Windows 2008 R2 Server
3. Create two virtual machines in VirtualBox to host Windows XP (with Service Pack 3)
4. Install DNS on your Windows 2008 R2 Server virtual image
5. Install DHCP on your Windows 2008 R2 Server virtual image
6. Create your Windows Domain. I’ve used 10.0.0.x as my private IP range for this domain. The domain controller is and the DHCP range is from
7. I’ve used a superb tutorial on how to do this from Brian Tucker. Brian’s tutorial is aimed at Windows 2003 Server, but the steps are pretty much identical for Windows 2008. The only real difference between the two is that the reverse pointer record does not have to be created manually in 2008, as the system automatically creates it.

NOTE: I’ve created all my virtual machines on VirtualBox’s ‘Internal Network’ adapter setting. This creates a sub-net on your host machine that cannot be contacted by the host or by other sub-nets without the use of some kind of routing functionality. This is by choice. The reasoning behind this will become apparent in the subsequent parts of this domain/dmz exercise.

I’ll post a diagram of this domain as it stands in the next few days, and add to it as the domain grows to include DB servers, routers etc.