NEED ADVICE - Network/Domain Reconfig.
Posted on 2003-10-22
I was asking before about issues with my ISP private-public IP routing. I'm definitely NOT an IT expert, but I'm the only one my company has right now, so I have to figure this out. Anyway, the situation has changed, as now my ISP is willing to offer us an IP range of 6 Public (Global) IP addresses.
I'm not sure how to make the most of these addresses given the following needs and conditions:
1) network of about 60 computers in the building, 15 in one sub-office/company, and the rest in another sub-office/company, all in the SAME building using the SAME net connections
2) 3 windows 2k servers
3) 1 firewall/router device (NETGEAR - 255 users)
4) 1 registered domain, possibly another in near future, total of 2 MAX
5) NEED: remote access "Windows file sharing" of files/directories both on servers AND on select office client computers
6) NEED: Active Directory/DNS/DHCP/VPN-Remote Domain Access/IIS/EMAIL
7) 10baseT ISP connections going into servers and router
- 1 of the 2 companies in the building already has its own domain/AD (small real estate co.) somewhat set up, and the other (retail stores co.) will want its own domain/AD/remote access capabilities. The most important issue will be providing REMOTE DOMAIN LOG ON/VPN ACCESS for work@home execs.
Thought about doing the following:
1) place 2 win2k servers on the first 2 of the public IPs. These servers will act as IIS for about 3 websites (1 machine handles 2 real estate co. sites w/ host headers, the other handles only 1 site for the retail co.), EMAIL SERVERS, DCs and DNS for both domains in the building, as well as DNS serving for clients on the LAN (domain clients).
2) place the FIREWALL/ROUTER on the 3rd public IP, disable its DHCP/admin functions, place all general office clients (from BOTH companies), as well as the 3rd win2k database server (for the retail company), behind the firewall/ROUTER.
3) "backdoor" the 2 servers into the FIREWALLED/NAT-ed/CLIENTS LAN by adding 2nd Netcard to each server, configure them to handle DNS/DHCP/ act as DOMAIN CONTROLLERS for the 2 separate DOMAINS/AD's in the building.
4) set ROUTER as DEFAULT gateway for all internet traffic (ISP provides in-/out-bound 10baseT connection). Router takes care of translating net traffic.
5) maybe eventually place a 3rd server on another Public IP to act as a dedicated RRAS/VPN server by also backdooring it into the LAN???? Not sure...
6) save the remaining couple of IPs for expansion/emergency use.
1) Will a setup like this allow a remote client to LOG ON to one of the domains/domain controllers/ or VPN server, and access a file share on EITHER:
A) one of the publicly exposed server machines
B) a client machine which exists on NAT-ed network behind the firewall/ROUTER?
- Some of the software the companies use is based solely on WINDOWS FILE SHARING/MS LAN connections for data retrieval from the server, and the software won't accept any other type of net location designation/URL to locate the server data files, so it's critical that a remote client be able to locate these data directories in the form "\\server\data_files".
I'm worried about the following happening: a remote client will log on to one of the domains via one of the publicly exposed servers, it will try to access a resource on the internal/FIREWALLED/NAT-ed LAN, the server will return the source computer's private IP address to the remote client (since the source computer is inside the NAT-ed LAN), and the remote client won't be able to find the address & access the LAN resources.
2) Is backdooring the win2k servers into the LAN REALLY that insecure???
- I know it bypasses the firewall and defeats the whole purpose, but I really want to expose the LAN clients to the server resources on an internal 100MB connection, without having their server-to-client traffic go out the NETGEAR box (increasing traffic across the FIREWALL), out to the next router on 10baseT, and back into the servers on 10baseT. The company info isn't SUPER confidential, mission critical, or subject to corp. espionage or anything like that, but decent security is still a definite requirement.
3) Are there any other disadvantages to this setup, or, simply, a MUCH BETTER way of doing things?????? I'd REALLY APPRECIATE THE HELP
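The two worries in questions 1) and 2) above, modelled as a small audit script. This is an added example, not code from the original post: the addresses are constructed placeholders (TEST-NET-3 for the ISP's public range, 192.168.1.0/24 for the NAT-ed LAN), and the host list is one reading of the plan described above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed placeholders, not real addresses: TEST-NET-3 stands in for the
# ISP's 6-address public range, 192.168.1.0/24 for the LAN behind the NETGEAR.
PUBLIC = ipaddress.ip_network("203.0.113.0/29")
LAN = ipaddress.ip_network("192.168.1.0/24")

@dataclass
class Host:
    name: str
    addrs: List[str]
    is_firewall: bool = False   # the NAT box is expected to sit on both segments

def segments(host):
    """Return the set of segments ('public', 'lan') the host has a NIC on."""
    segs = set()
    for a in host.addrs:
        ip = ipaddress.ip_address(a)
        if ip in PUBLIC:
            segs.add("public")
        elif ip in LAN:
            segs.add("lan")
    return segs

def firewall_bypass_hosts(hosts):
    """Hosts, other than the firewall itself, with a NIC on both segments.
    Traffic through such a host never passes the NETGEAR's rules, so each one
    is a path into the LAN that the firewall cannot see or log."""
    return [h.name for h in hosts
            if not h.is_firewall and segments(h) == {"public", "lan"}]

def share_reachable(share_addr, vpn_routes):
    """Can a remote client open a UNC share at share_addr?  Public addresses are
    routable from anywhere; a LAN (private) address is reachable only if the
    VPN pushed a route covering it, otherwise the client cannot find it."""
    ip = ipaddress.ip_address(share_addr)
    if ip in PUBLIC:
        return True
    return any(ip in ipaddress.ip_network(r) for r in vpn_routes)

# The plan from the post, with the constructed addresses above
HOSTS = [
    Host("srv1", ["203.0.113.2", "192.168.1.10"]),  # IIS/mail/DC, 2nd NIC in LAN
    Host("srv2", ["203.0.113.3", "192.168.1.11"]),
    Host("netgear", ["203.0.113.4", "192.168.1.1"], is_firewall=True),
    Host("db3", ["192.168.1.20"]),                   # retail DB server, LAN only
    Host("client", ["192.168.1.50"]),                # office PC with a share
]

if __name__ == "__main__":
    print("firewall bypass via:", firewall_bypass_hosts(HOSTS))
    print("client share, no VPN:", share_reachable("192.168.1.50", []))
    print("client share, VPN:", share_reachable("192.168.1.50", ["192.168.1.0/24"]))
```

Running it shows that a LAN-only share is unreachable until the VPN pushes a route for the LAN, and that both backdoored servers show up as firewall bypass paths while the NETGEAR itself does not.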