Solved

NEED ADVICE - Network/Domain Reconfig.

Posted on 2003-10-22
Last Modified: 2013-12-07
Ok,
I was asking before about issues with my ISP's private-public IP routing. I'm definitely NOT an IT expert, but I'm the only one my company has right now, so I have to figure this out. Anyway, the situation has changed, as now my ISP is willing to offer us an IP range of 6 public (global) IP addresses.

I'm not sure how to make the most of these addresses given the following needs and conditions:

1) Network of about 60 computers in the building, 15 in one sub-office/company and the rest in another sub-office/company, all in the SAME building using the SAME net connections
2) 3 Windows 2K servers
3) 1 firewall/router device (NETGEAR, 255 users)
4) 1 registered domain, possibly another in the near future, 2 MAX in total
5) NEED: remote access to "Windows file sharing" of files/directories both on servers AND on select office client computers
6) NEED: Active Directory/DNS/DHCP/VPN-remote domain access/IIS/EMAIL
7) 10baseT ISP connections going into servers and router

- 1 of the 2 companies in the building already has its own domain/AD (small real estate co.) somewhat set up, and the other (retail stores co.) will want its own domain/AD/remote access capabilities. The most important issue will be providing REMOTE DOMAIN LOG ON/VPN ACCESS for work-at-home execs.

Thought about doing the following:
1) Place 2 Win2K servers on the first 2 of the public IPs. These servers will act as IIS for about 3 websites (1 machine handles 2 real estate co. sites w/ host headers, the other handles only 1 site for the retail co.), EMAIL SRVRS, DCs and DNS for both domains in the building, as well as DNS serving for clients on the LAN (domain clients).

2) Place the FIREWALL/ROUTER on the 3rd public IP, disable its DHCP/admin functions, and place all general office clients (from BOTH companies), as well as the 3rd Win2K database server (for the retail company), behind the firewall/ROUTER.

3) "Backdoor" the 2 servers into the FIREWALLED/NAT-ed CLIENTS LAN by adding a 2nd netcard to each server, and configure them to handle DNS/DHCP and act as DOMAIN CONTROLLERS for the 2 separate DOMAINS/ADs in the building.

4) Set the ROUTER as the DEFAULT gateway for all internet traffic (ISP provides an in-/out-bound 10baseT connection). The router takes care of translating net traffic.

5) Maybe eventually place a 3rd server on another public IP to act as a dedicated RRAS/VPN server by also backdooring it into the LAN???? Not sure...

6) Save the remaining couple of IPs for expansion/emergency use.

Questions:
1) Will a setup like this allow a remote client to LOG ON to one of the domains/domain controllers or the VPN server, and access a file share on EITHER:

A) one of the publicly exposed server machines
B) a client machine which exists on the NAT-ed network behind the firewall/ROUTER?

- Some of the software the companies use is based solely on WINDOWS FILE SHARING/MS LAN connections for data retrieval from the server, and the software won't accept any other type of net location designation/URL to locate the server data files, so it's critical that a remote client be able to locate these data directories in the form "\\server\data_files".

I'm worried about the following happening: a remote client will log on to one of the domains via one of the publicly exposed servers, it will try to access a resource on the internal/FIREWALLED/NAT-ed LAN, the server will return the source computer's private IP address to the remote client (since the source computer is inside the NAT-ed LAN), and the remote client won't be able to find the address & access the LAN resources.

2) Is backdooring the Win2K servers into the LAN REALLY that insecure???
- I know it bypasses the firewall and defeats the whole purpose, but I really want to expose the LAN net clients to the server resources on an internal 100MB connection, without having their server-to-client traffic go out the NETGEAR box (increasing traffic across the FIREWALL), out to the next router on 10baseT, and back into the servers on 10baseT. The company info isn't SUPER confidential, mission critical, or subject to corp. espionage or anything like that, but decent security is still a definite requirement.

3) Are there any other disadvantages to this setup, or, simply, a MUCH BETTER way of doing things?????? I'd REALLY APPRECIATE THE HELP
0
Question by:skimz1
8 Comments
 
LVL 1

Expert Comment

by:birdski
ID: 9601526
What will you be using to authenticate VPN connections? I would strongly suggest you keep your servers behind the router/firewall with private addresses only. I would get a VPN appliance to run parallel with your Netgear box or alternatively replace your Netgear with one that does all three: routing, firewall and VPN. There are some fine products from Sonicwall, Netscreen, Cisco and Snapgear that will do just that. Assign 1 public IP to the Netgear. Save the other IPs for the router to do port forwarding of specific ports to internal hosts if need be.
0
 

Author Comment

by:skimz1
ID: 9601740
Thanks. Again, excuse my ignorance, but you're saying that there are routers that will accept assignment of multiple IP addresses and forward them to the correct internal hosts/ports???
0
 
LVL 1

Expert Comment

by:birdski
ID: 9602010
In a word, yes. I have actually used that functionality on some Sonicwall equipment, but it's been quite some time ago so the details escape me; I would be surprised if they don't all support this. Our current Cisco PIX will do it as well. You just have to tell it what to do; in my case it's for our email server. If I receive an SMTP request for a public address, we told the PIX to forward this request through this specific port only to this specific host inside the LAN.
Take a look here: http://www.sonicwall.com/products/demo/index.html Go to the access and advanced tabs; it will show you a bit how you might do it with their equipment. This is not by any means an endorsement of Sonicwall. All the others can probably do the same, but your Netgear is probably geared more to a home user than an enterprise solution.
0
 

Author Comment

by:skimz1
ID: 9602083
Another thing: if I decide to go with a setup like the one you mentioned (everything behind the firewall, set up a multi-homed router), will I still have problems with DNS entries/queries? Since the server will have a private address, querying the server will return its private address. The same goes for trying to log on remotely.
0
 
LVL 1

Accepted Solution

by:
birdski earned 50 total points
ID: 9602120
Shouldn't be any; our VPN solution assigns an internal address to VPN clients and it works great. The clients look like any other machine on the LAN. It all depends on how you implement it.
0
 

Author Comment

by:skimz1
ID: 9602313
Do you have a domain/AD set up? That's the thing. I wanted our DNS servers to be the authorities for our 2 domains, and resolve DNS queries (both public and private) for our domain/AD/web/FTP/mail. The VPN solution you're offering sounds awesome as far as remote access goes, but I'm worried it gets me back to square one as far as private/public addressing conflicts for the DNS servers. Initially, our ISP did the routing/forwarding for us, and just assigned us a large private range that they managed/routed. If we needed a certain private IP to be DMZ'ed, they forwarded one of their public IPs to our DMZ. I tried doing this by setting up the DNS/DC servers as "DMZs" and having the ISP link/forward these private addresses to 2 separate public IPs. However, the DNS servers can't seem to deal with having a private address, because they keep returning their private addresses to any public (outside the office intranet) DNS query, whether it be a web request or a domain LOG ON attempt. Even if I added new host records, or "aliases" for the domain to the DNS zone file, and configured these new host records to "point" to the public IP addresses, they would still return the private address. It was really inconsistent. Sometimes a DNS query would return the (right) public IP, sometimes it would return the (wrong) private one. I'd have to flush my DNS cache on my home computer, ping different aliases/hosts for the domain, and hope that I'd finally get the right response (the public IP). I just figured that having the DNS servers on "real-deal" public IP addresses would solve everything. If you have any more advice, I'd appreciate it. I hope I made all of this somewhat clear.

I'm just going to go ahead and give you the measly 50 points, since you've been the most willing to help me out with these long, drawn-out questions. I'm a "free-loading" non-registered guest visitor, so that's all I have left to offer you as far as points go. Maybe, once I get some spending cash, I'll sign up and score some more points and hook you up. hehe.
0
 
LVL 1

Expert Comment

by:birdski
ID: 9602498
Points aren't the motivation here really, just exercising my brain and trying to help when able.
Yes, W2K/AD all the way, EVERYTHING inside.

Keep internal and external DNS completely separate. Let your ISP host records that are for public consumption only, i.e. WWW, FTP, SMTP, etc. Use AD-integrated DNS for all internal queries and set up DNS forwarding on your server to your ISP and alternatively to the root servers. Mixing the 2 sounds like trouble. Keep your DCs inside. Exposing them in any way sounds very dangerous.
As for remote access and name resolution, have your ISP create a record for whatever host is your VPN box, unless you want everyone to connect to an address only. Have your VPN box assign internal addresses to clients and point to internal DNS only. As long as the DNS forwarding is working on your servers, there should be no name resolution problems.
0
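The split-horizon arrangement birdski describes (ISP-hosted public records, AD-integrated DNS for LAN and VPN clients, forwarding for everything else), shown as an added Python sketch that is not part of the thread; every name, address and network below is constructed, and the audit function is a check that catches the private-address leak skimz1 ran into.

```python
import ipaddress

# Constructed zone data: hypothetical names and addresses, not taken from the thread.
INTERNAL_ZONE = {                          # AD-integrated DNS, queried only by LAN and VPN clients
    "dc1.corp.example.com": "192.168.1.10",
    "files.corp.example.com": "192.168.1.20",
    "www.corp.example.com": "192.168.1.30",
}
EXTERNAL_ZONE = {                          # ISP-hosted public records: no private addresses at all
    "www.corp.example.com": "203.0.113.30",
    "mail.corp.example.com": "203.0.113.31",
    "vpn.corp.example.com": "203.0.113.1",
}
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),     # office LAN behind the NAT router
                 ipaddress.ip_network("192.168.200.0/24")]   # pool the VPN box hands to remote clients
ISP_FORWARDER = {"example.org": "198.51.100.9"}              # stands in for the ISP's resolver
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(client_ip):
    """True for LAN hosts and for VPN clients, which get an internal address from the VPN box."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)

def resolve(name, client_ip):
    """Answer the way the split setup would; None means NXDOMAIN."""
    name = name.lower().rstrip(".")
    if is_internal(client_ip):
        if name in INTERNAL_ZONE:
            return INTERNAL_ZONE[name]
        return ISP_FORWARDER.get(name)     # everything else is forwarded upstream
    return EXTERNAL_ZONE.get(name)         # outsiders only ever see the ISP-hosted zone

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit_public_zone(zone):
    """Names whose record would hand a private address to an outside querier."""
    return sorted(n for n, a in zone.items() if is_rfc1918(a))

if __name__ == "__main__":
    for who, ip in (("home PC", "198.51.100.77"), ("VPN client", "192.168.200.5")):
        print(who, "dc1 ->", resolve("dc1.corp.example.com", ip),
              "www ->", resolve("www.corp.example.com", ip))
    print("private addresses in public zone:", audit_public_zone(EXTERNAL_ZONE))
```

A home PC asking for the DC gets no answer at all, while the same query from a VPN client returns the LAN address, which is the behaviour the thread is after.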
 

Author Comment

by:skimz1
ID: 9603265
Ok, that sounds like it will work, but it's definitely not what I was hoping for, though I guess it's reasonable. The main issue for us was to be able to control our own DNS records, and update them with the ISP's DNS servers dynamically. That way, we could change things around at our convenience (domain name records) and not have to constantly call, be on their schedule/convenience, and risk having them screw things up (as they have plenty of times in the past... their tech support sucks). Since everything is kinda "experimental" right now, as far as IT goes, we've been making a WHOLE LOT of calls to the ISP, constantly bugging them to help us out, and they've been getting less and less helpful as a result. I guess we'd have to sacrifice this extra control in exchange for a VPN gateway and ease of secure remote access.

Anyway, I guess I need to take this into consideration. Everything behind the VPN router vs. the control associated with having the servers out in the open. Thanks a whole lot though, I really appreciate it.
0
