NEED ADVICE - Network/Domain Reconfig.

I was asking before about issues with my ISP's private-public IP routing. I'm definitely NOT an IT expert, but I'm the only one my company has right now, so I have to figure this out. Anyway, the situation has changed, as now my ISP is willing to offer us an IP range of 6 public (global) IP addresses.

I'm not sure how to make the most of these addresses given the following needs and conditions:

1) A network of about 60 computers in the building, 15 in one sub-office/company, and the rest in another sub-office/company, all in the SAME building using the SAME net connections
2) 3 Windows 2000 servers
3) 1 firewall/router device (NETGEAR - 255 users)
4) 1 registered domain, possibly another in near future, total of 2 MAX
5) NEED: remote access "Windows file sharing" of files/directories both on servers AND on select office client computers
6) NEED: Active Directory/DNS/DHCP/VPN-Remote Domain Access/IIS/EMAIL
7) 10baseT ISP connections going into servers and router

- 1 of the 2 companies in the building already has its own domain/AD (small real estate co.) somewhat set up, and the other (retail stores co.) will want its own domain/AD/remote access capabilities. The most important issue will be providing REMOTE DOMAIN LOG ON/VPN ACCESS for work-at-home execs.

Thought about doing the following:
1) Place 2 Win2k servers on the first 2 of the public IPs. These servers will act as IIS for about 3 websites (1 machine handles the 2 real estate co. sites with headers, the other handles only 1 site for the retail co.), EMAIL SERVERS, DCs and DNS for both domains in the building, as well as DNS serving for clients on the LAN (domain clients).

2) Place the FIREWALL/ROUTER on the 3rd public IP, disable its DHCP/admin functions, and place all general office clients (from BOTH companies), as well as the 3rd Win2k database server (for the retail company), behind the firewall/ROUTER.

3) "Backdoor" the 2 servers into the FIREWALLED/NAT-ed CLIENT LAN by adding a 2nd netcard to each server, and configure them to handle DNS/DHCP and act as DOMAIN CONTROLLERS for the 2 separate DOMAINS/ADs in the building.

4) Set the ROUTER as the DEFAULT gateway for all internet traffic (the ISP provides an in-/outbound 10baseT connection). The router takes care of translating net traffic.

5) Maybe eventually place a 3rd server on another public IP to act as a dedicated RRAS/VPN server by also backdooring it into the LAN???? Not sure...

6) Save the remaining couple of IPs for expansion/emergency use.

1) Will a setup like this allow a remote client to LOG ON to one of the domains/domain controllers/ or VPN server, and access a file share on EITHER:

A) one of the publicly exposed server machines
B) a client machine which exists on NAT-ed network behind the firewall/ROUTER?
- Some of the software the companies use is based solely on WINDOWS FILE SHARING/MS LAN connections for data retrieval from the server, and the software won't accept any other type of net location designation/URL to locate the server data files, so it's critical that a remote client be able to locate these data directories in the form "\\server\data_files".

I'm worried about the following happening: a remote client will log on to one of the domains via one of the publicly exposed servers, it will try to access a resource on the internal/FIREWALLED/NAT-ed LAN, the server will return the source computer's private IP address to the remote client (since the source computer is inside the NAT-ed LAN), and the remote client won't be able to find the address and access the LAN resources.

2) Is backdooring the Win2k servers into the LAN REALLY that insecure???
- I know it bypasses the firewall and defeats the whole purpose, but I really want to expose the LAN clients to the server resources on an internal 100 Mb connection, without having their server-to-client traffic go out the NETGEAR box (increasing traffic across the FIREWALL), out to the next router on 10baseT, and back into the servers on 10baseT. The company info isn't SUPER confidential, mission critical, or subject to corp. espionage or anything like that, but decent security is still a definite requirement.

3) Are there any other disadvantages to this setup, or, simply, a MUCH BETTER way of doing things?????? I'd REALLY APPRECIATE THE HELP.

What will you be using to authenticate VPN connections? I would strongly suggest you keep your servers behind the router/firewall with private addresses only. I would get a VPN appliance to run parallel with your Netgear box or alternatively replace your Netgear with one that does all three: routing, firewall and VPN. There are some fine products from Sonicwall, Netscreen, Cisco and Snapgear that will do just that. Assign 1 public IP to the Netgear. Save the other IPs for the router to do port forwarding of specific ports to internal hosts if need be.
skimz1Author Commented:
Thanks. Again, excuse my ignorance, but you're saying that there are routers that will accept assignment of multiple IP addresses and forward them to the correct internal hosts/ports???
In a word, yes. I have actually used that functionality on some Sonicwall equipment, but it's been quite some time ago so the details escape me, but I would be surprised if they don't all support this. Our current Cisco PIX will do it as well. You just have to tell it what to do; in my case it's for our email server. If I receive an SMTP request for a public address, we told the PIX to forward this request, through this specific port only, to this specific host inside the LAN.
Take a look here: go to the access and advanced tabs, it will show you a bit how you might do it with their equipment. This is not by any means an endorsement of Sonicwall. All the others can probably do the same, but your Netgear is probably geared more to a home user than an enterprise solution.

skimz1Author Commented:
Another thing: if I decide to go with a setup like the one you mentioned (everything behind the firewall, set up a multi-homed router), will I still have problems with DNS entries/queries? Since the server will have a private address, querying the server will return its private address. Same goes for trying to log on remotely.
There shouldn't be any. Our VPN solution assigns an internal address to VPN clients and it works great. The clients look like any other machine on the LAN. It all depends on how you implement it.

skimz1Author Commented:
Do you have a domain/AD set up? That's the thing. I wanted our DNS servers to be the authorities for our 2 domains, and resolve DNS queries (both public and private) for our domain/AD/web/FTP/mail. The VPN solution you're offering sounds awesome as far as remote access goes, but I'm worried it gets me back to square one as far as private/public addressing conflicts for the DNS servers. Initially, our ISP did the routing/forwarding for us, and just assigned us a large private range that they managed/routed. If we needed a certain private IP to be DMZ'ed, they forwarded one of their public IPs to our DMZ. I tried doing this, by setting up the DNS/DC servers as "DMZs" and having the ISP link/forward these private addresses to 2 separate public IPs. However, the DNS servers can't seem to deal with having a private address, because they keep returning their private addresses to any public (outside the office intranet) DNS query, whether it be a web request or a domain LOG ON attempt. Even if I added new host records, or "aliases" for the domain to the DNS zone file, and configured these new host records to "point" to the public IP addresses, they would still return the private address. It was really inconsistent. Sometimes a DNS query would return the (right) public IP, sometimes it would return the (wrong) private one. I'd have to flush my DNS cache on my home computer, ping different aliases/hosts for the domain, and hope that I'd finally get the right response (the public IP). I just figured that having the DNS servers on "real-deal" public IP addresses would solve everything. If you have any more advice, I'd appreciate it. I hope I made all of this somewhat clear.

I'm just going to go ahead and give you the measly 50 points, since you've been the most willing to help me out with these long, drawn-out questions. I'm a "free-loading" non-registered guest visitor, so that's all I have left to offer you as far as points go. Maybe, once I get some spending cash, I'll sign up and score some more points and hook you up. hehe.
Points aren't the motivation here really, just exercising my brain and trying to help when able.
Yes, W2k/AD all the way, EVERYTHING inside.

Keep internal and external DNS completely separate. Let your ISP host records that are for public consumption only, i.e. WWW, FTP, SMTP, etc. Use AD-integrated DNS for all internal queries and set up DNS forwarding on your server to your ISP and alternatively to the root servers. Mixing the 2 sounds like trouble. Keep your DCs inside. Exposing them in any way sounds very dangerous.
As for remote access and name resolution, have your ISP create a record for whatever host is your VPN box, unless you want everyone to connect to an address only. Have your VPN box assign internal addresses to clients and point to internal DNS only. As long as the DNS forwarding is working on your servers, there should be no name resolution problems.
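The split-DNS arrangement described in the answer above, as an added example that is not part of the original thread or anyone's posted configuration: a small Python model of an internal (AD-integrated) zone that only LAN and VPN clients ever query, an ISP-hosted external zone that carries public names and public addresses only, and, for contrast, one plausible model of the single mixed zone the poster described, where a host name carries both a private and a public address and a round-robin server alternates between them. The domain example.com, every host name and every address here are constructed for illustration; `leaked_private` is the check a practitioner would run against answers seen from outside.

```python
"""Split-horizon DNS model: separate internal and external zones.

Constructed example for an assumed domain, example.com. The host names and
addresses (192.168.1.0/24 inside; 203.0.113.0/24 and 198.51.100.0/24 for
the public side) are made up for illustration only.
"""
import ipaddress
from itertools import cycle

# RFC 1918 space: what an outside client must never see in an answer.
# (An explicit list rather than ipaddress.is_private, which also marks the
# documentation ranges used for the public side here as private.)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Internal zone (AD-integrated DNS): every host, private addresses only.
INTERNAL_ZONE = {
    "dc1.example.com":  ["192.168.1.10"],
    "dc2.example.com":  ["192.168.1.11"],
    "db1.example.com":  ["192.168.1.20"],
    "www.example.com":  ["192.168.1.10"],   # IIS box reached directly on the LAN
    "mail.example.com": ["192.168.1.10"],
}

# External zone (hosted at the ISP): public-facing names, public addresses.
# The domain controllers and the database server are deliberately absent.
EXTERNAL_ZONE = {
    "www.example.com":  ["203.0.113.5"],
    "mail.example.com": ["203.0.113.5"],
    "vpn.example.com":  ["203.0.113.6"],
}

# One plausible model of the mixed zone from the thread: the DC's name holds
# both its private address and the public address the ISP forwards to it,
# so a plain round-robin server alternates between them for every client.
MIXED_ZONE = {
    "dc1.example.com": ["192.168.1.10", "203.0.113.5"],
}
_rr_state = {}


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def resolve_split(name, src_ip):
    """Answer from the internal zone for LAN/VPN clients, the external zone otherwise."""
    name = name.lower().rstrip(".")
    zone = INTERNAL_ZONE if is_rfc1918(src_ip) else EXTERNAL_ZONE
    return list(zone.get(name, []))


def resolve_mixed(name):
    """Round-robin over every A record of the name, regardless of who is asking."""
    name = name.lower().rstrip(".")
    rrset = MIXED_ZONE.get(name, [])
    if not rrset:
        return []
    offset = next(_rr_state.setdefault(name, cycle(range(len(rrset)))))
    return rrset[offset:] + rrset[:offset]


def leaked_private(src_ip, answers):
    """The failure mode from the thread: private addresses handed to an outside client."""
    if is_rfc1918(src_ip):
        return []
    return [a for a in answers if is_rfc1918(a)]


if __name__ == "__main__":
    outside, vpn_client = "198.51.100.7", "192.168.1.200"   # VPN pool inside the LAN range
    for name in ("www.example.com", "dc1.example.com"):
        for who in (outside, vpn_client):
            ans = resolve_split(name, who)
            print(f"split {name:16} from {who:14} -> {ans or 'NXDOMAIN'}"
                  f"  leaked={leaked_private(who, ans)}")
    for _ in range(2):
        ans = resolve_mixed("dc1.example.com")
        print(f"mixed dc1.example.com from {outside:14} -> {ans}"
              f"  leaked={leaked_private(outside, ans)}")
```

The source-address test in `resolve_split` only stands in for "which server answered": in the arrangement the answer recommends, the AD-integrated server is simply not reachable from the Internet, and VPN clients reach it because the VPN box hands them a LAN address and points them at internal DNS, so no server ever has to guess from a (spoofable) source IP. The mixed model shows why the poster saw alternating right and wrong answers: the record set is the same for everyone, and the only thing that changes between queries is the rotation.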
skimz1Author Commented:
OK, that sounds like it will work, but it's definitely not what I was hoping for, but I guess it's reasonable. The main issue for us was to be able to control our own DNS records, and update them with the ISP's DNS servers dynamically. That way, we could change things around at our convenience (domain name records) and not have to constantly call, be on their schedule/convenience, and risk having them screw things up (as they have plenty of times in the past... their tech support sucks). Since everything is kinda "experimental" right now, as far as IT goes, we've been making a WHOLE LOT of calls to the ISP, constantly bugging them to help us out, and they've been getting less and less helpful as a result. I guess we'd have to sacrifice this extra control in exchange for a VPN gateway, and ease of secure remote access.

Anyway, I guess I need to take this into consideration. Everything behind the VPN router vs. the control associated with having the servers out in the open. Thanks a whole lot though, I really appreciate it.