

NEED ADVICE - Network/Domain Reconfig.

Posted on 2003-10-22
Medium Priority
Last Modified: 2013-12-07
I was asking before about issues with my ISP private-public IP routing. I'm definitely NOT an IT expert, but I'm the only one my company has right now, so I have to figure this out. Anyway, the situation has changed, as now my ISP is willing to offer us an IP range of 6 Public (Global) IP addresses.

I'm not sure how to make the most of these addresses given the following needs and conditions:

1) network of about 60 computers in the building, 15 in one sub-office/company, and the rest in another sub-office/company, all in the SAME building using the SAME net connections
2) 3 Windows 2k servers
3) 1 firewall/router device (NETGEAR - 255 users)
4) 1 registered domain, possibly another in the near future, total of 2 MAX
5) NEED: remote access "Windows file sharing" of files/directories both on servers AND on select office client computers
6) NEED: Active Directory/DNS/DHCP/VPN-Remote Domain Access/IIS/EMAIL
7) 10baseT ISP connections going into servers and router

- 1 of the 2 companies in the building already has its own domain/AD (small real estate co.) somewhat set up, and the other (retail stores co.) will want its own domain/AD/remote access capabilities. The most important issue will be providing REMOTE DOMAIN LOG ON/VPN ACCESS for work-at-home EXECs.

Thought about doing the following:
1) place 2 Win2k servers on the first 2 of the public IPs. These servers will act as IIS for about 3 websites (1 machine handles 2 real estate co. sites w/ host headers, the other handles only 1 site for the retail co.), EMAIL SERVERS, DCs and DNS for both domains in the building, as well as DNS serving for clients on the LAN (domain clients).

2) place the FIREWALL/ROUTER on the 3rd public IP, disable its DHCP/admin functions, and place all general office clients (from BOTH companies), as well as the 3rd Win2k database server (for the retail company), behind the firewall/ROUTER.

3) "backdoor" the 2 servers into the FIREWALLED/NAT-ed CLIENT LAN by adding a 2nd network card to each server, and configure them to handle DNS/DHCP and act as DOMAIN CONTROLLERS for the 2 separate DOMAINS/ADs in the building.

4) set the ROUTER as the DEFAULT gateway for all internet traffic (ISP provides an in-/out-bound 10baseT connection). The router takes care of translating net traffic.

5) maybe eventually place a 3rd server on another public IP to act as a dedicated RRAS/VPN server by also backdooring it into the LAN???? Not sure...

6) save the remaining couple of IPs for expansion/emergency use.

1) Will a setup like this allow a remote client to LOG ON to one of the domains/domain controllers/VPN server, and access a file share on EITHER:

A) one of the publicly exposed server machines
B) a client machine which exists on the NAT-ed network behind the firewall/ROUTER?
- Some of the software the companies use is based solely on WINDOWS FILE SHARING/MS LAN connections for data retrieval from the server, and the software won't accept any other type of net location designation/URL to locate the server data files, so it's critical that a remote client be able to locate these data directories in the form "\\server\data_files".

I'm worried about the following happening: a remote client will log on to one of the domains via one of the publicly exposed servers, it will try to access a resource on the internal/FIREWALLED/NAT-ed LAN, the server will return the source computer's private IP address to the remote client (since the source computer is inside the NAT-ed LAN), and the remote client won't be able to find the address & access the LAN resources.

2) Is backdooring the Win2k servers into the LAN REALLY that insecure???
- I know it bypasses the firewall and defeats the whole purpose, but I really want to expose the LAN clients to the server resources on an internal 100MB connection, without having their server-to-client traffic go out the NETGEAR box (increasing traffic across the FIREWALL), out to the next router on 10baseT, and back into the servers on 10baseT. The company info isn't SUPER confidential, mission critical, or subject to corporate espionage or anything like that, but decent security is still a definite requirement.

3) Are there any other disadvantages to this setup, or, simply, a MUCH BETTER way of doing things?????? I'd REALLY APPRECIATE THE HELP

Question by: skimz1

Expert Comment

ID: 9601526
What will you be using to authenticate VPN connections? I would strongly suggest you keep your servers behind the router/firewall with private addresses only. I would get a VPN appliance to run parallel with your Netgear box, or alternatively replace your Netgear with one that does all three: routing, firewall and VPN. There are some fine products from Sonicwall, Netscreen, Cisco and Snapgear that will do just that. Assign 1 public IP to the Netgear. Save the other IPs for the router to do port forwarding of specific ports to internal hosts if need be.

Author Comment

ID: 9601740
Thanks. Again, excuse my ignorance, but you're saying that there are routers that will accept assignment of multiple IP addresses and forward them to the correct internal hosts/ports???

Expert Comment

ID: 9602010
In a word, yes. I have actually used that functionality on some Sonicwall equipment, but it's been quite some time ago so the details escape me, but I would be surprised if they don't all support this. Our current Cisco PIX will do it as well. You just have to tell it what to do; in my case it's for our email server. If I receive an SMTP request for a public address, we told the PIX to forward this request through this specific port only to this specific host inside the LAN.
Take a look here: go to the access and advanced tabs, it will show you a bit how you might do it with their equipment. This is not by any means an endorsement of Sonicwall. All the others can probably do the same, but your Netgear is probably geared more to a home user than an enterprise solution.

Author Comment

ID: 9602083
Another thing, if I decide to go with a setup like the one you mentioned (everything behind the firewall, set up a multi-homed router), will I still have problems with DNS entries/queries? Since the server will have a private address, querying the server will return its private address. Same goes for trying to log on remotely.

Accepted Solution

birdski earned 150 total points
ID: 9602120
Shouldn't be any; our VPN solution assigns an internal address to VPN clients and it works great. The clients look like any other machine on the LAN. It all depends on how you implement it.

Author Comment

ID: 9602313
Do you have a domain/AD set up? That's the thing. I wanted our DNS servers to be the authorities for our 2 domains, and resolve DNS queries (both public and private) for our domain/AD/web/FTP/mail. The VPN solution you're offering sounds awesome as far as remote access goes, but I'm worried it gets me back to square one as far as private/public addressing conflicts for the DNS servers. Initially, our ISP did the routing/forwarding for us, and just assigned us a large private range that they managed/routed. If we needed a certain private IP to be DMZ'ed, they forwarded one of their public IPs to our DMZ. I tried doing this, by setting up the DNS/DC servers as "DMZs" and having the ISP link/forward these private addresses to 2 separate public IPs. However, the DNS servers can't seem to deal with having a private address, because they keep returning their private addresses to any public (outside the office intranet) DNS query, whether it be a web request or a domain LOG ON attempt. Even if I added new host records, or "aliases" for the domain to the DNS zone file, and configured these new host records to "point" to the public IP addresses, they would still return the private address. It was really inconsistent. Sometimes a DNS query would return the (right) public IP, sometimes it would return the (wrong) private one. I'd have to flush my DNS cache on my home computer, ping different aliases/hosts for the domain, and hope that I'd finally get the right response (the public IP). I just figured that having the DNS servers on "real-deal" public IP addresses would solve everything. If you have any more advice, I'd appreciate it. I hope I made all of this somewhat clear.

I'm just going to go ahead and give you the measly 50 points, since you've been the most willing to help me out with these long, drawn out questions. I'm a "free-loading" non-registered guest visitor, so that's all I have left to offer you as far as points go. Maybe, once I get some spending cash, I'll sign up and score some more points and hook you up. Hehe.

Expert Comment

ID: 9602498
Points aren't the motivation here really, just exercising my brain and trying to help when able.
Yes, W2k/AD all the way, EVERYTHING inside.

Keep internal and external DNS completely separate. Let your ISP host records that are for public consumption only, i.e. WWW, FTP, SMTP, etc. Use AD-integrated DNS for all internal queries and set up DNS forwarding on your server to your ISP, and alternatively to the root servers. Mixing the 2 sounds like trouble. Keep your DCs inside. Exposing them in any way sounds very dangerous.
As for remote access and name resolution, have your ISP create a record for whatever host is your VPN box, unless you want everyone to connect to an address only. Have your VPN box assign internal addresses to clients and point to internal DNS only. As long as the DNS forwarding is working on your servers, there should be no name resolution problems.

Author Comment

ID: 9603265
OK, that sounds like it will work, but it's definitely not what I was hoping for, but I guess it's reasonable. The main issue for us was to be able to control our own DNS records, and update them with the ISP's DNS servers dynamically. That way, we could change things around at our convenience (domain name records) and not have to constantly call, be on their schedule/convenience, and risk having them screw things up (as they have plenty of times in the past... their tech support sucks). Since everything is kinda "experimental" right now, as far as IT goes, we've been making a WHOLE LOT of calls to the ISP, constantly bugging them to help us out, and they've been getting less and less helpful as a result. I guess we'd have to sacrifice this extra control in exchange for a VPN gateway, and ease of secure remote access.

Anyway, I guess I need to take this into consideration. Everything behind the VPN router vs. the control associated with having the servers out in the open. Thanks a whole lot though, I really appreciate it.
