
Will a Web Filtering Profile (limiting time of Social Networking) work on the DMZ as it does on the LAN?

Splitting a facility (one location, two buildings, one SG135w) across LAN and DMZ.

More secure traffic on the DMZ.

Have a working Social Media filter on the LAN.

Will this same style of filter work on the DMZ? It does not seem to have any effect on the DMZ at this time (cloned the process to point to the DMZ instead of the LAN).

CS



  • Chasster123,

    A policy rule can be applied on any zone and the traffic is filtered. So you can filter social media from DMZ to WAN. Also, for security reasons, hosts in the DMZ should have access only to the websites used to update server content, and should not be used for surfing the internet.

  • Understand.

    Likely I need to address the two-building split differently.

    Perhaps put building 1 on the LAN and building 2 on another ETH port (maybe 4).

    I think in that mode (not using the purpose of the DMZ) access to the Domain server will be OK even with the LAN and ETH4 being on separate subnets.

    cs

    Charles Sterling CISSP

  • If you want to have them in different subnets, it is a good solution. The alternative is to connect both buildings using different ethernet ports and create a bridge. The bridge then belongs to the zone LAN.

    From a security perspective, using VLANs or different subnets is the best way.

  • Could not get the Web filtering to function on the DMZ, so setting up ETH4 as the second path.

    I think this method is better in this case as these two subnets sharing the Domain Server should be less of an issue versus breaking the DMZ somewhat to get traffic flowing back to the LAN (domain and antivirus updates).

    cs

    Charles Sterling CISSP

  • The domain server should be on a separate VLAN or subnet. In this way XG can filter traffic and use the advanced engines (AV, IPS, etc.) to protect domain servers from attacks coming from the client side.

    This is the best way to achieve security. It requires rules and more overhead, but at least you control traffic to/from the servers.

  • Agreed.

    This process is also a means of educating single-server SMBs that they should spend appropriately for a proper design.

    Thanks.

    cs

    Charles Sterling CISSP