If the Web Server and Application Server are installed on the same machine, then open the standard port 80 for all incoming/outgoing HTTP traffic or port 443 for HTTPS secured traffic.
If the Web Server and Application Server are installed on separate machines, as shown in the following illustration, then you must configure the firewalls to allow the Web Server and Application Server to communicate with each other.
If your solution uses a configuration similar to this illustration, then follow these minimum guidelines to configure your firewalls:
- The front-end firewall between the perimeter network (DMZ) and external network must be configured to allow inbound traffic on port 80, or port 443 for HTTPS.
- The back-end firewall between the perimeter network and your internal network also must be configured to allow traffic on port 80, or port 443 for HTTPS. This firewall should only allow inbound traffic originating from the perimeter network and destined for the Application Server's IP address or subnet.
- The back-end firewall should only allow outbound traffic destined for the Web Server's IP address or subnet.
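
The back-end guidelines above can be checked mechanically against an exported rule list. The following is an added example, not part of the product documentation; the addresses, the rule dictionary format, and the function name `audit_backend_rules` are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing (assumptions, not values from the product documentation).
PERIMETER_NET = ipaddress.ip_network("192.0.2.0/24")   # DMZ holding the Web Server
APP_SERVER_NET = ipaddress.ip_network("10.0.5.0/28")   # Application Server subnet
WEB_PORTS = {80, 443}                                  # HTTP / HTTPS

def audit_backend_rules(rules):
    """Return (rule_index, problem) pairs for back-end firewall allow rules
    that are broader than the guidelines permit."""
    findings = []
    for i, rule in enumerate(rules):
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if rule["direction"] == "in":
            if not src.subnet_of(PERIMETER_NET):
                findings.append((i, "inbound source is outside the perimeter network"))
            if not dst.subnet_of(APP_SERVER_NET):
                findings.append((i, "inbound destination is wider than the Application Server"))
            if rule["port"] not in WEB_PORTS:
                findings.append((i, "inbound port is not 80 or 443"))
        elif rule["direction"] == "out":
            if not dst.subnet_of(PERIMETER_NET):
                findings.append((i, "outbound destination is not the Web Server subnet"))
    return findings

# Constructed sample rule set for the back-end firewall.
SAMPLE_RULES = [
    {"direction": "in",  "src": "192.0.2.20/32", "dst": "10.0.5.10/32",  "port": 443},
    {"direction": "in",  "src": "0.0.0.0/0",     "dst": "10.0.5.10/32",  "port": 80},
    {"direction": "in",  "src": "192.0.2.20/32", "dst": "10.0.0.0/8",    "port": 443},
    {"direction": "in",  "src": "192.0.2.20/32", "dst": "10.0.5.10/32",  "port": 1433},
    {"direction": "out", "src": "10.0.5.10/32",  "dst": "192.0.2.20/32", "port": 443},
    {"direction": "out", "src": "10.0.5.10/32",  "dst": "0.0.0.0/0",     "port": 443},
]

if __name__ == "__main__":
    for index, problem in audit_backend_rules(SAMPLE_RULES):
        print(f"rule {index}: {problem}")
```

Rules 0 and 4 match the guidelines; the others are flagged because they accept traffic from outside the perimeter network, reach beyond the Application Server, use a non-web port, or allow outbound traffic to arbitrary destinations.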