Member Server with Interface in Perimeter Network and also interface on internal LAN


Post by Les Connor » Mon, 17 May 2004 20:42:19


Hi Bill,

If it were me, I'd put the member server on the LAN, and outsource the web
site. Having the member server on the LAN for all the reasons you mentioned
has benefits, especially as SBS integrated configuration and management is
all set up to make this easy.

To host your web site, you could DMZ the web server off the PIX, and use it
for nothing but that. But I think you'll find that the above scenario gets
you way more bang for the buck, as web hosting is very affordable and the
risk is all somebody else's :-).

--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !






Post by Bill » Tue, 18 May 2004 02:45:45

My network so far looks like this:

DSL
|
PIX 501
|
SBS 2003 Standard w/2 NIC
|
Internal LAN

I want to add a Windows 2003 webserver to run the public website, but I
would also like to use it for file sharing and print services on the
internal LAN. I thought I would dual NIC it with one interface having an
external IP on the same subnet as the SBS outside interface, and the second
interface would have an internal LAN IP statically assigned. I would allow
port 80 access to the outside interface of the Windows 2003 server through
the PIX. The Windows 2003 member server would not have any domain
information, etc.

Is this configuration valid? What are the security implications? Could I
also run terminal services on this same server so internal users could share
an application where the data store would be on the SBS server?



--
~~ To give a person an opinion one must first judge well whether that
person is of the disposition to receive it or not.
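
Added example, not part of Bill's post or any reply: a small Python audit of the topology proposed above that flags a non-firewall host with addresses on both the perimeter subnet and the internal LAN, and any service listening on its perimeter NIC beyond the published port 80. The subnets, host names, addresses and listener lists are constructed assumptions; ports 445 and 3389 stand in for file sharing and terminal services.

```python
import ipaddress

# Constructed addressing plan; the thread does not give real subnets.
ZONES = {
    "perimeter": ipaddress.ip_network("192.0.2.0/28"),    # PIX inside / SBS outside NIC
    "internal": ipaddress.ip_network("192.168.16.0/24"),  # LAN behind the SBS box
}
ALLOWED_BRIDGES = {"SBS2003"}   # only the SBS server is meant to sit on both networks
PUBLISHED = {80}                # ports the PIX is supposed to pass to the web server

# Constructed inventory: listeners are (bind address, port); 0.0.0.0 means every NIC.
HOSTS = {
    "SBS2003": {"addrs": ["192.0.2.2", "192.168.16.2"], "listen": [("192.168.16.2", 445)]},
    "WEB2003": {"addrs": ["192.0.2.3", "192.168.16.10"],
                "listen": [("0.0.0.0", 80), ("0.0.0.0", 445), ("0.0.0.0", 3389)]},
    "PC01": {"addrs": ["192.168.16.50"], "listen": [("0.0.0.0", 445)]},
}

def zone_of(addr):
    """Return the zone name containing addr, or None if it is in no known zone."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def perimeter_ports(host):
    """Ports reachable on any perimeter-facing address of the host."""
    outside = {a for a in host["addrs"] if zone_of(a) == "perimeter"}
    if not outside:
        return set()
    return {port for bind, port in host["listen"] if bind == "0.0.0.0" or bind in outside}

def audit(hosts):
    """Return {hostname: [findings]} for hosts that weaken the perimeter/LAN split."""
    report = {}
    for name, host in hosts.items():
        findings = []
        zones = {zone_of(a) for a in host["addrs"]}
        if {"perimeter", "internal"} <= zones and name not in ALLOWED_BRIDGES:
            findings.append("dual-homed: bridges perimeter and internal LAN")
        extra = perimeter_ports(host) - PUBLISHED
        if extra:
            findings.append("unpublished ports on perimeter NIC: %s" % sorted(extra))
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(HOSTS).items():
        print(name, findings)
```
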

 
 
 


Post by Mark Manci » Tue, 18 May 2004 09:23:51

Total agreement with Les. Aside from getting more features and being
cheaper, it's also more secure.

--
Sincerely,
Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
www.MCSE2000.com
www.AppLauncher.com






Post by Tony S » Tue, 18 May 2004 11:21:36

In general, although SBS Standard (RRAS/ICF) can forward
from a WAN address to only one LAN address, you can point
to a member server but that means you'll have to give up
the Default Website resources (OWA, OMA, TSWeb, etc)...

But, recently I've been considering that it's possible to
configure a second website on the SBServer sharing the
same IP address and port but using a unique IIS Host
Header... then configure a re-direct to the Member Server.

So, it's possible. And, if you know what you're doing I
wouldn't mind too much the warnings that deploying
websites is unsafe... Certainly there is additional risk
associated with doing <anything>, but if you dedicate
yourself to understanding what you need to secure your
deployment, for most people it should be an acceptable
risk.

After all... I can personally remember not too long ago
that people were saying the same thing about connecting to
the Internet... "No one in their right mind should
recommend connecting their network to the Internet. It's
an invitation to hacking and asset loss."

Well, yes.

Tony Su



