logic1cs

asked on

SBS 2003 best practices.

I’d love to see something like a definitive answer to this question:  

Which of these 3 configurations of SBS 2003 is the “best practice”?

Assume that external access to the server is required for things like OWA and Remote Workplace

Option 1: SBS is the firewall and LAN internet gateway, directly connected to the internet via 2nd NIC
Option 2: SBS is the gateway (again via 2nd NIC) with a router or firewall appliance between it and the Internet
Option 3: SBS and client systems all use the router as the gateway/firewall; SBS has a single NIC

Option 3 is what we’ve been doing, but my feeling is that option 2 is probably the best. On the other hand, I remain concerned about the load on the server due to all LAN internet traffic passing through it. I have no idea whether that is a real issue or not.

This is a rather broad question, I know; I'm looking for some definitive pros and cons.
Lee W, MVP

Do some server monitoring - see what kind of performance you are getting out of things with System Monitor. It can monitor your NIC throughput - for one or both NICs. With option 1 you are putting a highly insecure system right on the internet for people to attack. Bad idea (I don't care how much you patch it, people keep finding holes in Windows security and exploiting them). Option 2 to me has some logic - until you realize that all you're doing is adding another layer of failure. To keep your client workstations on the internet BOTH the router/firewall appliance AND the server must remain on. Now this can actually work to your advantage if you want to use Windows to track throughput and use programs like Network Monitor to spy on the traffic actually going out to the internet. But other than that, I'd consider it a waste. Option 3 is the most logical and the one I'd recommend.
logic1cs

ASKER

Thanks for the quick response.

I'm not referring to a specific network with this query. Server monitoring is always being done on our networks on a regular basis. We look after large and small networks for our clients; I'm trying to establish a "best practice".

I totally agree that option 1 is out of the question; I just put it there for reference more than anything.
ASKER CERTIFIED SOLUTION
t_swartz
