Solved

Setting up Two (2) Static IP Addresses for Two (2) Exchange Servers

Posted on 2004-09-27
33
299 Views
Last Modified: 2010-03-18
Background:
I have a project where one company is splitting into two. Ownership wants to have two autonomous networks sharing one broadband pipe (T1). Security is a large concern. Ownership wants access to both sides but does not want other users to have access to both sides.

Currently, the Broadband connection comes to a Modem/Router then goes through a Watchguard Firewall which is subsequently connected to a dumb hub. At the end of all that is a Windows 2000 Server running Exchange and a seperate Windows 2000 Server acting as a simple file server.

The end result of this project should be two networks that have the same capability -namely, hosting exchange.

Question:
Firstly, can I simply request two (2) static IPs from the ISP and setup (2) routers on the WAN side with their respective Static IPs?
Secondly, how do I manage and evenly distribute broadband bandwidth between two networks? Is their a such thing as T1 modem per se? What hardware am I going to need? What hardware would you recommend?

Any suggestions on overall topology are welcomed. Your assistance is appreciated.
0
Comment
Question by:mrcomputerman
  • 17
  • 13
  • 2
  • +1
33 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 12163035
Question 1, yes you can.. Do you want your exchange server to have their own IP? or do you want to do port fowarding to your exchange server? If you only do port fowarding, then you need 2 public IP, if you want your servers to have their own IP, you'll need 4...
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12163092
That is what you need to do right?

       Internet
           |
   Provider's router
         /          \
  Router1 -- Router2
       |               |
    Exch1        Exch2
0
 

Author Comment

by:mrcomputerman
ID: 12165783
One of the objectives of this project was to design the network in such a way that would be easily relocated (hardware and all). With that said, I want two seperate networks -each with it's own static ip. The only thing that should be shared is the broadband connection.

So to answer your question, I believe I want a static (public) ip address for each router and ports forwarded for exchange and other services on both sides. Again, the ONLY thing that should be shared between the two is the broadband connection. In Yan West's diagram I see a connection between Router1 and Router2 - What is this (connection)? And is it necessary?

In regards to hardware, is there a firewall/router (combination) that would be a good fit in this setup? We plan to add VPN capability in the future. Keep in mind however, that there is no formal IT dept, so ease of use is important. I'm somewhat fond of Watchguard.

Please let me know if I'm not being concise and clear.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12169160
BTW I installed the link between the 2 routers to let the 2 network communicate togetter. Why? Because you have to have some access between the 2.. even if it's only for yourself. You would setup an ACL Defining that access.  Usually, you do not have access to your provider's router. That is why i the routing should be done directly between these 2 routers..

I would definitly go with a single firewall setup btw.. one with multiple interfaces supporting VPN..
Cisco's pix firewall can't be beaten in my own opinion..

You would use a PIX 515E or a PIX 525, depending on the traffic you'll generate, how many vpn tunnels/clients will be up, etc..etc..

Using this setup, the diagram would be like this

              Internet
                   |
          Provider'S router
                   |
             PIX FIREWALL
             /                  \
          Exch1            Exch2
      (network1)     (Network 2)


Then woudlnt be able to do simple port fowarding, because you can only foward port 25 on 1 address. So you would have to have a public IP for
1- You Firewall
2- Exch1
3- Exch2

Using ACLS in your firewall, you would be able to determine the rules that allows/deny traffic between the different interfaces.

PIX 515E
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps4094/index.html
PIX 525
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2118/index.html

These firewalls supports VPN Accelerator cards, and multiple interfaces..


0
 
LVL 2

Expert Comment

by:abissa
ID: 12169726
If your Watchguard firewall is not from the Soho family nor the Firebox X Edge family, you can set up the configuration described by Yan_west by using the "Trusted" port for network1 and "Optional" port for network2 (Firebox II and III denomination - it would be port 1 and port 2 on the Firebox X series). If you have a Soho, you will have to change your firewall.
0
 

Author Comment

by:mrcomputerman
ID: 12173095
If at all possible, I'd like to have a firewall on each side -simply because I'd want the ability to pick up and move the entire network on one side without any adverse effects on the other side. Is that plausible or is this bad design?

Furthermore, I imagined having access to both sides via terminal services (simply connecting via public IP to the server).  Again, is this bad design?

Ultimately, these two companies will split sometime in the near future and will have two (2) different physical locations. This network needs to be designed with that in mind.

A question in my initial posting that has yet to be addressed is, "how do I manage and evenly distribute broadband bandwidth between two networks? Is their a such thing as T1 modem per se? What hardware am I going to need? What hardware would you recommend?"

This was what I had in mind:

                                   Internet
                                        |
                              Providers' Router
                             /                      \
                 Firewall/Router 1     Firewall /Router2
                *PUBLIC IP 1              *PUBLIC IP 2
                         /                              \
                 Exchange 1                    Exchange 2

*The Public IPs would be on the WAN side of the Firewall/Router with ports forwarded to each exchange server.
Is this layout possible? Does it make sense? What hardware is necessary to make this happen? EASE OF USE IS PARAMOUNT. Preferably GUI instead of command line configuration.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12173346
You don't really need 2 firewall.. both network would be completly independant in the design I gave you..

Using my design, you will have access to both networks via terminal services.. I would do it Via a VPN Connection btw.. connecting yourself via remote desktop out of a ipsec secure connection would not be very secure..

If you want to eventually split your network in 2 completly different network, at 2 physical location, they YES you would need 2 firewalls.. depending on the size of your new organizations, a PIX 506E would now be enough, and would be less costly too..  The design you provided us would be fine at this moment..

Pix 506e (command line + GUI possible)
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps4336/

btw.. what you want is Load Balancing for your internet connection. I only know about this if you have 2 independant internet connection comming in your network.. you could do that with this kind of device:
http://www.foundrynet.com/switch/linkload.html

But to load balance between 2 networks and 1 connection? No idea..

0
 

Author Comment

by:mrcomputerman
ID: 12174375
Question 1: Just to be clear -will my design work? Is it bad design? Please explain your answer.
Question 2: Is the PIX 506E a firewall and a router? Is it easy to setup for someone with no experience with Cisco?
Question 3: Is there any other hardware besides the firewalls that I need to have?
Question 4: Is there such a thing as a T1 modem? Typically, what equipment do ISPs provide?
Lastly, Please explain how these devices connect.
0
 
LVL 2

Expert Comment

by:abissa
ID: 12178364
If you have one incomming Internet connection and two networks, stick to one firewall with multi-port capability as you would need one port for each company network. This design is easy to implement and will have the same functionnality, security features and access controls as a theoritical (as I do not know if it is possible to split one incoming Internet to two firewalls even with additional hardware) 2 firewalls solution. As well, the configuration work when you do the "physical" company network separation would be the same if you add a new firewall at that time or have to move the previously configured firewall to the new place. In short, my recommendation is to use one firewall until you do the final split. There is no reason to have 2 firewalls until then. Now, if you absolutly want to have a 2 firewall design, I would do it like this:

                                    Internet
                                         |
                                  ISP's Router
                                         |
                                   Firewall 1
                                   /          \
                      Exchange 1     Firewall 2
                                                 \
                                             Echange 2

Hope this helps ;-)
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12179517
Abissa config would be fine also mrcomp :) Like I advised you, you should stick with a multiple interface firewall.. If you move your network to a new location eventually, you'll only have to purchase a second one, and add it to your config.

Your design would work if your provider'S router has multiple interfaces.. Usually, these router only have a WAN interface, and only one other for your network.... so it would not work in this case..

Yes, all PIX Firewalls route traffic between their interfaces, no problem to that.. but the 506E only has 2 interfaces.. so if you need to make a more complex configuration, your caught, and can't do anything.
You do not need any other hardware then what you told us in your diagram.. I'm sure you already have your switches installed.

Usually, Providers provide you with the connection, the modem and the router..  T1 line plugs directly in the modem via a special interface card..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12179520
not the modem, sorry, the router :)
0
 

Author Comment

by:mrcomputerman
ID: 12181513
In regards to Yan West's Diagram:

              Internet
                   |
          Provider'S router
                   |
             PIX FIREWALL
             /                  \
          Exch1            Exch2
      (network1)     (Network 2)

Yan West explains that I will need 1 Public IP for the router 1 Public IP for each of the exchange servers for a total of three. However, I do not want to assign a static IP to the exchange server. Instead I want a Public IP assigned to a router and forward the neccessary ports; pop3, terminal services, pcanywhere etc -which, btw, may all point to different machines. (Sure I could forward ports on the server - but that is not ideal and is bad design in my opinion. What happens if the server crashes?)

I need a scheme more akin to Yan West's very first layout:

       Internet
           |
   Provider's router
         /          \
  Router1 -- Router2
       |               |
    Exch1        Exch2

But it needs to be firewalled and it needs to be easy to setup and maintain. I need to know the number of public ips and hardware that is neccesary to make this happen.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12182059
Doing port fowarding like you are doing for all services are *NOT* a secure thing... Terminal services/pcanyware should not be directly accessed via the internet. You should *ONLY* access them through a secure VPN Connection. SMTP Has to be accessed directly, but not the other things.. the *ONLY* thing that should be opened is port 25, for smtp and port 443(SSL) for Outlook web access. nothing else.

TO do the second diagram, your provider'S router would need to have 2 interfaces for your 2 other Firewall/router that are in your network. Usually, these routers do not have this many interfaces.   Secondly, a setup like this *cannot* be that simple... why not simply going with my 1st diagram in your previous post, and purchase a second firewall when you move your network?

if your provider have a 3 interfaces router, then yes you could do this

     Internet
           |
   Provider's router
         /          \
 Firewall1   Firewall2
       |               |
    Exch1        Exch2

and when you would move your network, you would only take everything behind firewall 2 and move it to another localtion, along with firewall 2, and hook it up the new internet connection.
0
 

Author Comment

by:mrcomputerman
ID: 12182506
The first diagram:

              Internet
                   |
          Provider'S router
                   |
             PIX FIREWALL
             /                  \
          Exch1            Exch2
      (network1)     (Network 2)

This diagram demands thats I assign a static public ip to each exchange server which also means that it is a permanent fixture in this network. What happens if the server crashes? No one outside will have access to any internal resources because all the ports are forwarded through this machine.

Why is forwarding a port such as 3389 (terminal services) on a router insecure?!

What is necessary on the client and server end to create the secure VPN connection that you're talking about (hardware and software)?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12182602
If the server crash? you mean, if the firewall crash right? If the firewall crash, it's like anything else, you must have a service contract of 4 hours for repair on it..

Ok, why is opening port 3389 bad.. because if someone scans the internet, and endup scanning your ip for opened port, he will see that port 3389 is opened, with this, he can use some tools to try to get in your network.. (brute force password detection, etc..).. also, if he has a remote desktop client, he can simply type your IP, and he will get a windows login prompt automaticly..

THe big majority of today'S firewall have integrated VPN. after you have configured your firewall for VPN Access, you can give your users a VPN Client software. This software will create a secure tunnel going through the internet, into your network. This tunnel will be heavily encrypted, so no one can see what is passing through it.

Ex: with the cisco Pix you can use the cisco vpn client, netgear Firewall also have their own clients.. etc..
0
 

Author Comment

by:mrcomputerman
ID: 12183835
Quote from Yan West "If the server crash? you mean, if the firewall crash right?"

I'm slightly confused. If the Public IP is assigned to the server doesn't that mean that all traffic to that IP would be routed by the server (i.e. port 3389 -> 192.168.x.x, port 80 -> 192.168.x.x, etc.) ? Subsequently, if the server crashes there is nothing to route that traffic -right?

I assume that we're assigning static (public) ips to each of the servers because the firewall cannot route traffic for 2 public ip addresses. Am I on the right track or no? Is traffic for both of these (public) ip addresses handled by the PIX firewall? Which device is handling routing (or DHCP for that matter)?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 15

Expert Comment

by:Yan_west
ID: 12184179
No, traffic to the server, is routed by the firewall, to the server.

let's say your server as an public ip of 1.2.3.4 (whatever)..

All request to this address pass through your provider'S router. After, they knock at the door of your firewall. You firewall says: Do I know this address? Yes? Ok, send the traffic over to 192.168.1.6 (that would be your exchange server private ip).. you don't have to configure your exchange server with this ip btw... You only have to tell the firewall that everything to this public address should be sent to a certain private IP (exchange server)..

"I assume that we're assigning static (public) ips to each of the servers because the firewall cannot route traffic for 2 public ip addresses. Am I on the right track or no? Is traffic for both of these (public) ip addresses handled by the PIX firewall? Which device is handling routing (or DHCP for that matter)?"

Exactly :) the firewall is handling the routing.. basicly it allows nothing in from the internet, but everything else inside is opened.. (from the inside to the outside, and from inside interface 1 to inside interface 2). After this, you can compose rules that gives restriction like.

Allow only traffic on port 25 from the internet to get in my network, but ONLY when the target is this X public IP, and only to this Y private IP...
Or
Allow only traffic from Private IP Z on network 1 to go to private ip A on network 2..

The possibilities are infinite.. hehe.

Example of PIX ACLS..
This is my config for my ouside interface (this can also be configure via GUI):

access-list acl_outside permit tcp any host 207.22.33.44 eq smtp
access-list acl_outside permit tcp any host 207.22.33.44 eq https
access-list acl_outside deny ip any any

first line = let port 25 in for host 207.22.33.44
second line = let port 443 in for host 207.22.33.44
third line = Block everything else..

Later in my config i have:

static (inside,outside) 207.22.33.44 192.168.1.5 netmask 255.255.255.255 0 0

This tells my router that everything comming for address 207.22.33.44 is sent to private address 192.168.1.5







0
 

Author Comment

by:mrcomputerman
ID: 12185335
Great explanation!

So I guess my final question would be, can the pix firewall route traffic for two public ips?

Simply put, can I program the firewall with two (Public) IPs and use the firewall to route that traffic? For instance, I want port 3389 for Public IP 1.2.3.4 to got to 192.168.1.1 and I want port 3389 for Public IP 1.2.3.3 to go to 10.0.0.5. BTW, I understood your point about the port scanning and closing 3389 but I'm using 3389 for the purposes of this example (and because I might have to do this temporarily until I figure this VPN deal out). :)

Lastly, can the firewall serve as a DHCP Server for Network 1 & 2 (please see our diagrams)? If not, what do you recommend?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12185973
Yes it can..

Yes you can route traffic to port 3389 to as many computer as you want, as long as they have their own private ip.. you would then put multiple line like this in your config,

static (inside,outside) 207.22.33.44 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 207.22.33.45 192.168.1.6 netmask 255.255.255.255 0 0

and also

access-list acl_outside permit tcp any host 207.22.33.44 eq 3389
access-list acl_outside permit tcp any host 207.22.33.45 eq 3389

Last point, don't use your firewall to provide DHCP, always use your windows 2000 Domain controller.. Why? Because your 2000 DHCP can pass additional information to clients that your firewall cannot. (ex: Proxy, DNS, Gateway, etc..) You also have a nice interface to manage your DHCP SCOPE, you can also naje Address reservation. Address reservation is something that let your DHCP Server give an address to a client, and always give the same address, exactly like it would be a fixed address.  Why do this? Because sometimes, you run out of static addresses and the only one available are in your DHCP Scope.
0
 

Author Comment

by:mrcomputerman
ID: 12186115
Here's my wrap-up;

1) "When you say, "Yes you can route traffic to port 3389 to as many computer as you want, as long as they have their own private ip..."

By private ip I assume you're talking about the internal ip (i.e. 192.168.x.x) -right?

2) So the only hardware that I need to be concerned about is the firewall and you recommend the Cisco PIX firewall. How do you rate it for:
A. ease of setup
B. ease of use
C. scalability
and D. vendor support? If I were exploring alternatives what features do I need to look for?

0
 

Author Comment

by:mrcomputerman
ID: 12186126
Quick additional question - How many ip (public) addresses do I need? and why? It would be helpful if I could see your diagram with hardware and the static IP that is associated with each.

Thanx
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12189541
sorry, own public ip :) made an error :)

Ease of setup and of use: pretty easy if you use the GUI, Hard with the command line interface..  But the command line interface is MUCH MORE POWERFULL :)

C. Scalability: Great.. yo if you purchase a 515 modem or more, you can add in other interfaces, VPN Accelerator card, etc.. I'm not going to lie to you, they are more expensive, but they are the Best, most recommended firewall on the market.

You have to purchase a support contract from cisco that you have to renew each year after this.. their support is lightning fast, and you always speak with people that are so competant that it makes you feel like a child :).. the support contract is also pretty expensive..

If you want something cheaper, and a bit easier to use, you could get a netscreen firewall.. they are also very good,

one of these would be nice for you : http://www.juniper.net/products/glance/nscn_25_50.html   The 25 model is propably ok :), I cannot tell you anything about them technicaly, I never used them, I only heard alot of good of them..
0
 

Author Comment

by:mrcomputerman
ID: 12190535
Yan West writes, "sorry, own public ip :) made an error :)"

I don't understand what you mean by the above.

These questions still remain:

1) "When you say, "Yes you can route traffic to port 3389 to as many computer as you want, as long as they have their own private ip..." By private ip I assume you're talking about the internal ip (i.e. 192.168.x.x) -right?

2) How many ip (public) addresses do I need? and why? It would be helpful if I could see your diagram with hardware and the static IP that is associated with each.

I feel that all my questions have been answered with the exception of these two. Could you please post the final diagram with the hardware (make & model) and note which device is responsible for handling each IP that is neccesary?

Thank you.
0
 
LVL 15

Accepted Solution

by:
Yan_west earned 500 total points
ID: 12190849
a public IP, it means a ip address that is available directly on the internet, provided to you via your ISP.. you would need 3 public address.

1 for your firewall
1 for your exchange box #1
1 for your exchange box #2

If you also need to use remote desktop on multiple machine, you will need a public IP for these machine too... unless you do simple port fowarding. If you do port fowarding, you will only be able to foward port 3389 to 1 computer in your network.  The way to prevent this is by using a VPN Connection. A vpn connection would bring a computer ouside your LAN.. (like your home computer), inside your lan for the duration of the vpn connection. It's exactly like your home computer would be sitting in your network. This way, you could do anything that your work PC would do.. including printing, using remote desktop anywhere you want, etc..

I would recommend you to purchase a cisco pix.. the 515e model would be fine.. Do not forget that you have to purchase an additional interface card along the the firewall, because the firewall only comes with 2 interfaces..

                Internet
                   |
          Provider'S router
                   |
             PIX FIREWALL(public ip 1) + (association of public ip 2 + 3 to private IP of exchange box #1 and #2)
             /                  \
          Exch1            Exch2
      (network1)     (Network 2)





0
 

Author Comment

by:mrcomputerman
ID: 12191124
Can the cisco pix route traffic for an unlimited number of public ips?

I assume by interfaces you mean RJ45 ports? 1 for the ISP Router and 1 for each switch (for a total of three)?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12191228
We route 5.. i never found any specification on how many it does.. but i would assume that you can add up as many as you want in there..

Yes, that's it, rj 45 ports.. speak with a provider about this for prices and specification.. there is a 1 year warranty on the pix, you have to purchase a support contract for all the next years.. it'S called Cisco SMART support contract..
0
 

Author Comment

by:mrcomputerman
ID: 12192529
OK. Assuming that I understand your explanation to the following, this will be my last post.

Just for clarity's sake - One Cisco PIX switch with an additional interface card will route traffic for three IPs? Which means that I can forward any port anywhere for any of these IPs?

Again, why does the firewall need it's own (public) IP? Why not just the two for the exchange servers?

Will the firewall have a single private address or will there be a private address for each interface (rj45 port)?

Please be thorough.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12192750
ok, it'S a pix firewall not switch :)

yes, it will route traffic for multiple public IP... no problem..

the PIX need a public IP because it has an outside interface directly plugged on the internet.. if you ever need to connect yourself via VPN to your network, you will need to indicate the public IP of the firewall to be able to make a tunnel.. the tunnel is between your computer, and the firewall.. so you need the firewall public IP to do it..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12192785
BTW, i would recommend that your initial setup, in any case, should be done by a professional with experience in this domain... you will pay 300-500$ of setup, but you will be sure that everything is fine..

Oh, and the firewall will have a single private address on the outside interface.

The 2 other interfaces  will have private addresses.. (on the same address range of your private lans..)
0
 

Author Comment

by:mrcomputerman
ID: 12194113
Yan, you've been most excellent.

I appreciate the recommendation of hiring a professional but in this case I'm it. Unless I delv in and do it, I'll never learn. And I'm here to learn.

Trust me, I'll figure it out -even if I end up buying two of everything! LOL

Thanx Again.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12194192
My pleasure :)

also check the netscreen firewalls, heard they were excellent btw.. and I think they are easier to setup.. read about it as much as you can...
0
 

Expert Comment

by:red_level
ID: 15107544
Yan,

I have a situation that is similar to this that I would like you to participate in the resolution.  I posted it today as: Allowing two Exchange 2003 servers to communicate behind a PIX 515 firewall.  If you have time please take and look and let me know what you think.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 15107800
give me the link to it.. i'll check it out as soon as I have a little time.. :) i'm kindda in a rush right now lol
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

A brief overview to explain gateways, default gateways and static routes OR NO - you CANNOT have two default gateways on the same server, PC or other Windows-based network device. In simple terms a gateway is formed when a computer such as a serv…
Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now