Solved

NEED ADVICE - Network/Domain Reconfig.

Posted on 2003-10-22
Last Modified: 2013-12-07
Ok,
I was asking before about issues with my ISP private-public IP routing. I'm definitely NOT an IT expert, but I'm the only one my company has right now, so I have to figure this out. Anyway, the situation has changed, as now my ISP is willing to offer us an IP range of 6 Public (Global) IP addresses.

I'm not sure how to make the most of these addresses given the following needs and conditions:

1) network of about 60 computers in the building, 15 in one sub-office/company, and the rest in another sub-office/company, all in the SAME building using the SAME net connections
2) 3 windows 2k servers
3) 1 firewall/router device (NETGEAR - 255 users)
4) 1 registered domain, possibly another in near future, total of 2 MAX
5) NEED: remote access "Windows file sharing" of files/directories both on servers AND on select office client computers
6) NEED: Active Directory/DNS/DHCP/VPN-Remote Domain Access/IIS/EMAIL
7) 10baseT ISP connections going into servers and router

- 1 of the 2 companies in the building already has its own domain/AD (small real estate co.) somewhat setup, and the other (retail stores co.) will want its own domain/AD/Remote access capabilities. Most important Issue will be providing REMOTE DOMAIN LOG ON/VPN ACCESS for work@home EXEC's.

Thought about doing the following:
1) place 2 win2k servers on first 2 of the public IPs. These servers will act as IIS for about 3 websites (1 machine handles 2 real estate co. sites w/ headers, other handles only 1 site for retail co.), EMAIL SRVRS, DC's and DNS for both domains in the building, as well as DNS serving for clients on LAN (domain clients).

2) place FIREWALL/ROUTER on 3rd public IP, disable its DHCP/admin functions, place all general office clients(from BOTH companies), as well as 3rd win2k database server (for retail company) behind firewall/ROUTER.

3) "backdoor" the 2 servers into the FIREWALLED/NAT-ed/CLIENTS LAN by adding 2nd Netcard to each server, configure them to handle DNS/DHCP/ act as DOMAIN CONTROLLERS for the 2 separate DOMAINS/AD's in the building.

4) set ROUTER as DEFAULT gateway for all internet traffic (ISP provides in-/out-bound 10baseT connection). Router takes care of translating net traffic.

5) maybe eventually place a 3rd server on another Public IP to act as a dedicated RRAS/VPN server by also backdooring it into the LAN???? Not sure...

6) save remaining couple of IPs for expansion/emergency use.

Questions:
1) Will a setup like this allow a remote client to LOG ON to one of the domains/domain controllers/ or VPN server, and access a file share on EITHER:

A) one of the publicly exposed server machines
B) a client machine which exists on NAT-ed network behind the firewall/ROUTER?
 
-Some of the software the companies use is based solely on WINDOWS FILE SHARING/ MS LAN connections for data retrieval from the server, and the software won't accept any other type of net location designation/url to locate the server data files, so it's critical that a remote client be able to locate these data directories in the form "\\server\data_files."

I'm worried about the following happening: a remote client will log on to one of the domains via one of the publicly exposed servers, it will try to access a resource on the internal/FIREWALLED/NAT-ed LAN, the server will return the source computer's private IP address to the remote client (since the source computer is inside NAT-ed LAN), and the remote client won't be able to find the address & access the LAN resources.

2) Is backdooring the win2k servers into the LAN REALLY that insecure???
-I know it bypasses the firewall and defeats the whole purpose, but I really want to expose the lan net clients to the server resources on an internal 100MB connection, without having their server-to-client traffic go out the NETGEAR box (increasing traffic across FIREWALL), out to the next router on 10baseT, and back into the servers on 10baseT. The company info isn't SUPER confidential, mission critical, or subject to corp. espionage or anything like that, but decent security is still a definite requirement.

3) Are there any other disadvantages to this setup, or, simply, a MUCH BETTER way of doing things?????? I'd REALLY APPRECIATE THE HELP
Question by:skimz1

Expert Comment

by:birdski
What will you be using to authenticate VPN connections? I would strongly suggest you keep your servers behind the router/firewall with private addresses only. I would get a VPN appliance to run parallel with your netgear box or alternatively replace your netgear with one that does all three: routing, firewall and VPN. There are some fine products from Sonicwall, Netscreen, Cisco and Snapgear that will do just that. Assign 1 public IP to the Netgear. Save the other IPs for the router to do port forwarding of specific ports to internal hosts if need be.

Author Comment

by:skimz1
Thanks. Again, excuse my ignorance, but you're saying that there are routers that will accept assignment of multiple IP addresses and forward them to the correct internal hosts/ports???

Expert Comment

by:birdski
In a word, Yes. I have actually used that functionality on some Sonicwall equipment but it's been quite some time ago so the details escape me, but I would be surprised if they don't all support this. Our current Cisco PIX will do it as well. You just have to tell it what to do; in my case it's for our email server. If I receive an smtp request for a public address, we told the PIX to forward this request through this specific port only to this specific host inside the lan.
Take a look here: http://www.sonicwall.com/products/demo/index.html   Go to the access and advanced tabs; it will show you a bit how you might do it with their equipment. This is not by any means an endorsement of sonicwall. All the others can probably do the same, but your netgear is probably geared more to a home user than an enterprise solution.

Author Comment

by:skimz1
Another thing, if I decide to go with a setup like the one you mentioned (everything behind the firewall, set up a multi-homed router), will I still have problems with DNS entries/queries? Since the server will have a private address, querying the server will return its private address. Same goes with trying to log on remotely.

Accepted Solution

by:birdski (earned 50 total points)
Shouldn't be any; our VPN solution assigns an internal address to VPN clients and it works great. The clients look like any other machine on the lan. It all depends on how you implement it.

Author Comment

by:skimz1
Do you have a domain / AD set up? That's the thing. I wanted our DNS servers to be the authorities for our 2 domains, and resolve dns queries (both public and private) for our domain/AD/web/ftp/mail. The vpn solution you're offering sounds awesome as far as remote access goes, but I'm worried it gets me back to square one as far as private/public addressing conflicts for the dns servers. Initially, our ISP did the routing/forwarding for us, and just assigned us a large private range that they managed/routed. If we needed a certain private ip to be DMZ'ed, they forwarded one of their public IPs to our DMZ. I tried doing this, by setting up the DNS/DC servers as "DMZ's" and having the ISP link/forward these private addresses to 2 separate public IPs. However, the DNS servers can't seem to deal with having a private address, because they keep returning their private addresses to any public (outside the office intranet) DNS query, whether it be a web request, or a domain LOG ON attempt. Even if I added new host files, or "Aliases" for the domain to the DNS zone file, and configured these new host files to "point" to the public IP addresses, they would still return the private address. It was really inconsistent. Sometimes a DNS query would return the (right) public IP, sometimes it would return the (wrong) private one. I'd have to flush my DNS cache on my home computer, ping different aliases/hosts for the domain, and hope that I'd finally get the right response (the public IP). I just figured that having the DNS servers on "real-deal" public IP addresses would solve everything. If you have any more advice, I'd appreciate it. I hope I made all of this somewhat clear.

I'm just going to go ahead and give you the measly 50 points, since you've been the most willing to help me out with these long, drawn out questions. I'm a "free-loading" non-registered guest visitor, so that's all I have left to offer you as far as points go. Maybe, once I get some spending cash, I'll sign up and score some more points and hook you up. hehe.

Expert Comment

by:birdski
Points aren't the motivation here really, just exercising my brain and trying to help when able.
Yes, W2k/AD all the way, EVERYTHING inside.

Keep internal and external DNS completely separate. Let your ISP host records that are for public consumption only, i.e. WWW, FTP, SMTP, etc. Use AD integrated DNS for all internal queries and set up DNS forwarding on your server to your ISP and alternatively to the root servers. Mixing the 2 sounds like trouble. Keep your DCs inside. Exposing them in any way sounds very dangerous.
As for remote access and name resolution, have your ISP create a record for whatever host is your VPN box unless you want everyone to connect to an address only. Have your VPN box assign internal addresses to clients and point to internal DNS only. As long as the DNS forwarding is working on your servers, there should be no name resolution problems.

Author Comment

by:skimz1
Ok, that sounds like it will work, but it's definitely not what I was hoping for, but I guess it's reasonable. The main issue for us was to be able to control our own dns records, and update them with the ISP's DNS servers dynamically. That way, we could change things around at our convenience (domain name records) and not have to constantly call, be on their schedule/convenience, and risk having them screw things up (as they have plenty of times in the past...their tech support sucks). Since everything is kinda "experimental" right now, as far as IT goes, we've been making a WHOLE LOT of calls to the ISP, constantly bugging them to help us out, and they've been getting less and less helpful as a result. I guess we'd have to sacrifice this extra control in exchange for a VPN gateway, and ease of secure remote access.

Anyway, I guess I need to take this into consideration. Everything behind the VPN router vs. the control associated with having the servers out in the open. Thanks a whole lot though, I really appreciate it.