Can SBS 2000 be put behind a firewall?

Hello Experts,

I am dealing with an old server that just can't stomach its load, but the budget won't stomach a new server, so I'm looking for ways to alleviate the server's stress.  Presently, it is running Microsoft Small Business Server 2000.  The server hosts a website, email, performs routing & firewall responsibilities, and serves files to the 9-client (Win98) network.  I want to put the server behind a Cisco PIX 501 to both alleviate some stress from the server and put me one step closer to a multi-server network.

I would like the Cisco PIX 501 to start serving DHCP and handle all internet access for the client computers.  What changes will I need to make to the server's built-in ISA firewall to make this happen?  The server will still be responsible for hosting files, email, and the website.

I do not have experience with the PIX 501 personally, but have set up networks in the fashion you are considering many times.  Most appliance-based firewalls support DHCP, so you are in luck.

1)  The quickest, easiest, and safest thing is really to make as few changes as possible.  Just add an appliance-based firewall; simply put the firewall between the server and the outside network router (or cable/DSL modem).  Many firewalls have an option of operating with a "drop in" configuration as well as a routed configuration.  (Watchguard firewalls / Fortinet firewalls have this "drop in" configuration for sure.)  Just configure the firewall to open up and allow only the traffic types and destination ports that you wish to allow.  This also saves you from having to mess with a production server, which in my honest opinion should never ever be done for any reason.  (Servers should be "set it and forget it" once live.)

2)  A routed configuration can be implemented easily that can afford you minimal configuration should you wish to leave ISA intact.  Here is an example of one scenario if you were to do it in a routed configuration:

Network 1 - Internal Network
Network 2 - DMZ
Network 3 - External Network

Network 1 -
Network 2 -
Network 3 -

Network 1 --->  SBS Server --->  Network 2 ---> Firewall ---> External Network

Network 1 ---> Internal Network Switch / Hub / Access Point
Network 1 ---> SBS Internal Server Network Adapter
Network 2 ---> SBS External Server Network Adapter
Network 2 ---> Firewall Internal Network Port
Network 3 ---> Firewall External Network Port
Network 3 ---> Router Internal Network Port

On the firewall, open up and allow traffic to traverse the firewall based on the port you wish to allow.  For example, allow port 80 (http), port 25 (smtp), ICMP (ping) (for troubleshooting), and anything else that you may have - such as PPTP/VPN, etc.  Make sure that you tell it where to go, i.e. any traffic coming in on Firewall External Port  80 should go to SBS External Server Network Adapter Port 80.

3)  Lastly, a routed configuration whereby you uninstall ISA and just firewall / NAT between the outside network and your inside network:

Internal Network ---> Internal Network Switch / Hub / Access Point
Internal Network ---> SBS Internal Server Network Adapter (Plug into switch)
Internal Network ---> Firewall Internal Network Port (Plug into switch)

External Network ---> Firewall External Network Port (Plug into Router)
External Network ---> Router Internal Network Port (Plug into Firewall)

I recommend going with option #1 b/c this is a live production server.  I would also consider adding memory to the server.  Multipurpose servers can never have enough RAM.  

(If you want to really speed up the server, install and regularly run Perfect Disk or some other Disk Defragger.  Multipurpose servers tend to Fragment their disks so much more than single purpose machines since there is usually much more asynchronous and synchronous disk I/O happening at the same time.)

I hope this answers your question.  If not, just ask away.

You can certainly have the firewall replace the function of the ISA server.  And once the firewall is up and running, you can disable the ISA server and even uninstall it from SBS.

You will have to make sure that the firewall can publish the web site from SBS, which shouldn't be a problem.  You can take out the second NIC on the SBS so that there is no confusion as to internal/external NICs too.

My thoughts are to disable ISA (not uninstall it) and disable the external NIC (not uninstall it); that way you can easily go back to the way it was if you have a problem with the new firewall.  Then, after a while, when you feel comfortable with the new setup, go ahead and uninstall them.
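The layout the two replies above converge on (firewall does NAT and DHCP, SBS sits on the inside with a single NIC, and only the published services are let in) can be written down as a small policy and checked before it goes on the box. The following is an added example, not code from the thread or from Cisco: it models the inbound policy as data, rejects any attempt to publish SBS's internal-only ports (file sharing, RPC, and similar), and renders the result as PIX 6.x-style lines. The interface names `inside`/`outside`, the 192.168.1.0/24 addresses, the DHCP pool and the exact PIX syntax are assumptions from memory of that release; verify them against your own unit's documentation before pasting anything.

```python
"""Model and render a minimal inbound policy for an SBS box behind a PIX 501.

Added example; addresses and PIX 6.x syntax are assumptions, not from the thread.
"""
from dataclasses import dataclass

# Ports SBS uses for LAN-only services (NetBIOS/SMB, RPC, SQL, RDP).
# Publishing any of these to the outside is a policy error, not a typo.
NEVER_PUBLISH = {135, 137, 138, 139, 445, 1433, 3389}


@dataclass(frozen=True)
class Publish:
    proto: str    # "tcp" or "udp"
    port: int     # port exposed on the firewall's outside address
    target: str   # inside host that really serves it
    to_port: int  # port on that inside host


# The two services the thread wants reachable from the internet (web and mail),
# both redirected to the SBS host at a constructed inside address.
EXAMPLE_RULES = [
    Publish("tcp", 80, "192.168.1.2", 80),
    Publish("tcp", 25, "192.168.1.2", 25),
]


def check_policy(rules):
    """Return a list of problems; an empty list means the policy is acceptable."""
    problems = []
    seen = set()
    for r in rules:
        if r.port in NEVER_PUBLISH or r.to_port in NEVER_PUBLISH:
            problems.append(f"{r.proto}/{r.port}: LAN-only service must not be published")
        if (r.proto, r.port) in seen:
            problems.append(f"{r.proto}/{r.port}: outside port used twice")
        seen.add((r.proto, r.port))
    return problems


def render_pix(rules, dhcp_pool, dns_server):
    """Render NAT, DHCP and inbound rules as PIX 6.x-style lines (assumed syntax).

    Raises ValueError instead of rendering a policy that fails check_policy().
    """
    problems = check_policy(rules)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "! outbound: every inside host is hidden behind the outside address (PAT)",
        "global (outside) 1 interface",
        "nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
        "! DHCP for the LAN clients; DNS still answered by the SBS box",
        f"dhcpd address {dhcp_pool[0]}-{dhcp_pool[1]} inside",
        f"dhcpd dns {dns_server}",
        "dhcpd enable inside",
        "! inbound: only the listed services, each redirected to its inside host",
    ]
    for r in rules:
        lines.append(
            f"static (inside,outside) {r.proto} interface {r.port} "
            f"{r.target} {r.to_port} netmask 255.255.255.255 0 0"
        )
        lines.append(
            f"access-list outside_in permit {r.proto} any interface outside eq {r.port}"
        )
    lines += [
        "! ICMP replies so ping and tracert from the inside keep working",
        "access-list outside_in permit icmp any any echo-reply",
        "access-list outside_in permit icmp any any time-exceeded",
        "access-list outside_in permit icmp any any unreachable",
        "! everything else arriving on outside is dropped once this is applied",
        "access-group outside_in in interface outside",
    ]
    return lines


if __name__ == "__main__":
    for line in render_pix(EXAMPLE_RULES, ("192.168.1.50", "192.168.1.80"), "192.168.1.2"):
        print(line)
```

The point of routing everything through `check_policy` is that the file-serving role the question mentions never leaks onto the outside interface: a rule for 139/tcp or 445/tcp fails the check and nothing is rendered, so the default-deny on the outside interface stays intact.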

ewhitakerAuthor Commented:
Thank you for taking the time to write such detailed suggestions.  I really do appreciate them.  I'm going to make the transition in about 40 minutes here so I will let you guys know how it goes / award points.

Good luck.  Be sure to post your results and findings.
ewhitakerAuthor Commented:
It seemed simple enough going in, but I was not able to make it happen.  I disabled the external NIC and went into Component Services and stopped the ISA service.  I was only able to get WinXP and Win2K clients out to the internet.  The Win98 clients wouldn't play nice and could not get the web page to come up, so my problem seems not to be network config but firewall config.  I have contacted another more experienced network guy and will update with the resolution, and finally award the points.
Do the 98 clients have the default gateway set to the IP of the new firewall?  Did you have the firewall client installed on them?  What about the web proxy settings?  If they were set up as either firewall or web proxy clients, you will have to change them.
Kudos to Trymelatr - proxy clients is what I'd be looking at.  Go to the control panel and see if they exist.  Go to IE, Tools, Internet Options, Connections, Lan Settings.

Try to ping outward.  From DOS, perform a "tracert" to an ip address that is external - such as c:\tracert -d

(-d disables DNS lookups, which slow down the process.)

Perform a "route print" from dos on the 98 clients - see if the default route is the IP address of your firewall's internal adapter.  If not type in something like this:

route add mask -p  (xxx's is the IP of your firewall's internal adapter, -p makes it persistent)
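The "route print" check above is easy to do by eye on one machine and tedious on nine. As an added example (not posted in the thread), here is a small parser for the Windows 9x `route print` table that pulls out the default route and compares its gateway with the firewall's inside address; the sample table is constructed, and the 192.168.1.x addresses are assumptions. It reports the same fix the post suggests when the gateway is wrong, and also catches the case where a client has two default routes, which is what a leftover static route to the old ISA address looks like.

```python
"""Check a Windows 9x client's default route against the firewall's inside IP.

Added example; the route table below is constructed, not captured from the thread.
"""
import re

# Constructed `route print` output from a Win98 client that still points its
# default route at the old SBS/ISA address (192.168.1.2) instead of the new
# firewall's inside address (192.168.1.1). Client itself is 192.168.1.10.
SAMPLE_ROUTE_PRINT = """\
Active Routes:

  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.2     192.168.1.10       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10     192.168.1.10       1
     192.168.1.10  255.255.255.255        127.0.0.1        127.0.0.1       1
    192.168.1.255  255.255.255.255     192.168.1.10     192.168.1.10       1
        224.0.0.0        224.0.0.0     192.168.1.10     192.168.1.10       1
  255.255.255.255  255.255.255.255     192.168.1.10     192.168.1.10       1
"""

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
COLUMNS = ("dest", "mask", "gateway", "iface", "metric")


def parse_routes(text):
    """Return the table as a list of dicts.

    A row is any line with exactly five fields whose first four are dotted
    quads; the header, blank lines and 'Active Routes:' are skipped.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and all(DOTTED_QUAD.match(f) for f in fields[:4]):
            rows.append(dict(zip(COLUMNS, fields)))
    return rows


def default_gateways(text):
    """Gateways of every 0.0.0.0/0.0.0.0 route (normally exactly one)."""
    return [r["gateway"] for r in parse_routes(text)
            if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


def fix_command(firewall_inside_ip):
    """The route command the thread suggests, filled in with the firewall IP."""
    return f"route add 0.0.0.0 mask 0.0.0.0 {firewall_inside_ip} -p"


def check_default_route(text, firewall_inside_ip):
    """Return (ok, message); ok only if the single default route hits the firewall."""
    gws = default_gateways(text)
    if not gws:
        return False, "no default route; run: " + fix_command(firewall_inside_ip)
    if len(gws) > 1:
        return False, f"{len(gws)} default routes ({', '.join(gws)}); delete the stale one"
    if gws[0] != firewall_inside_ip:
        return False, (f"default route points at {gws[0]}, not {firewall_inside_ip}; "
                       "run: " + fix_command(firewall_inside_ip))
    return True, f"default route via firewall {firewall_inside_ip}"


if __name__ == "__main__":
    print(check_default_route(SAMPLE_ROUTE_PRINT, "192.168.1.1"))
```

A client whose default route is already right but still cannot browse is the other case the post raises: the ISA web-proxy setting in Internet Options is independent of the routing table, so a passing result here does not rule it out.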
ewhitakerAuthor Commented:
Sorry to keep you all waiting.  The problem was a misconfigured router.  Now that it is corrected, the WAN adapter of the server is disabled and ISA has been turned off.  Everything is behind the PIX box now and best of all, I don't have to deal with ISA anymore!  Thanks!