How do a DMZ and VPN work together?

In this Q&A, network security expert Mike Chapple explains the three distinct network zones in a typical firewall scenario and reveals how the DMZ and VPN, in particular, co-exist.

If you have a VPN firewall router, will it be affected in any way by the setup of a DMZ server? In other words, would a DMZ server and a VPN be able to co-exist together?

A demilitarized zone (DMZ) and virtual private network (VPN) can certainly co-exist. In fact, they were designed to work together.

In the typical firewall scenario, the firewall separates three distinct network zones: the Internet, the private network and the DMZ. Inbound connections from the Internet are allowed only to servers in the DMZ; no direct connections are allowed between the Internet and the private network. Servers that offer services to the public (e.g. Web servers, SMTP servers) are placed in the DMZ, while servers that offer services to internal users reside on the private network.

The VPN provides remote users with access to private resources. Users authenticate to the VPN, and may then access internal resources on the private network through that VPN connection.

More on this topic

  • Learn why enterprise users should not be placed in a DMZ.
  • In our Identity and Access Management School, Lisa Phifer highlights the innovations in VPN technology.


Dig Deeper on Network security

Enterprise Desktop
Cloud Computing