

Can SBS 2000 be put behind a firewall?

Posted on 2004-11-09
Medium Priority
Last Modified: 2013-11-16
Hello Experts,

I am dealing with an old server that just can't stomach its load, but the budget won't stomach a new server, so I'm looking for ways to alleviate the server's stress.  Presently, it is running Microsoft Small Business Server 2000.  The server hosts a website, email, performs routing & firewall responsibilities, and serves files to the 9-client (Win98) network.  I want to put the server behind a Cisco PIX 501 to both alleviate some stress from the server and put me one step closer to a multi-server network.

I would like the Cisco PIX 501 to start serving DHCP and handle all internet access for the client computers.  What changes will I need to make to the server's built-in ISA firewall to make this happen?  The server will still be responsible for hosting files, email, and the website.

Question by:ewhitaker

Assisted Solution

RichardCorbett earned 1600 total points
ID: 12541789
I do not have experience with the PIX 501 personally, but have set up networks in the fashion that you are considering many times.  Most appliance-based firewalls support DHCP, so you are in luck.

1)  The quickest, easiest, and safest thing is really to make as few changes as possible.  Just add an appliance-based firewall; simply put the firewall between the server and the outside network router (or cable/DSL modem).  Many firewalls have an option of operating with a "drop in" configuration as well as a routed configuration.  (Watchguard firewalls / Fortinet firewalls have this "drop in" configuration for sure.)  Just configure the firewall to open up and allow only the traffic types and destination ports that you wish to allow.  This also saves you from having to mess with a production server, which in my honest opinion should never ever be done for any reason.  (Servers should be "set it and forget it" once live.)

2)  A routed configuration can be implemented easily that can afford you minimal configuration should you wish to leave ISA intact.  Here is an example of one scenario if you were to do it in a routed configuration:

Network 1 - Internal Network
Network 2 - DMZ
Network 3 - External Network

Network 1 -
Network 2 -
Network 3 -

Network 1 --->  SBS Server --->  Network 2 ---> Firewall ---> External Network

Network 1 ---> Internal Network Switch / Hub / Access Point
Network 1 ---> SBS Internal Server Network Adapter
Network 2 ---> SBS External Server Network Adapter
Network 2 ---> Firewall Internal Network Port
Network 3 ---> Firewall External Network Port
Network 3 ---> Router Internal Network Port

On the firewall, open up and allow traffic to traverse the firewall based on the port you wish to allow.  For example, allow port 80 (http), port 25 (smtp), ICMP (ping) (for troubleshooting), and anything else that you may have - such as PPTP/VPN, etc.  Make sure that you tell it where to go, i.e. any traffic coming in on Firewall External Port  80 should go to SBS External Server Network Adapter Port 80.

3)  Lastly, a routed configuration whereby you uninstall ISA and just firewall / NAT between the outside network and your inside network:

Internal Network ---> Internal Network Switch / Hub / Access Point
Internal Network ---> SBS Internal Server Network Adapter (Plug into switch)
Internal Network ---> Firewall Internal Network Port (Plug into switch)

External Network ---> Firewall External Network Port (Plug into Router)
External Network ---> Router Internal Network Port (Plug into Firewall)

I recommend going with option #1 b/c this is a live production server.  I would also consider adding memory to the server.  Multipurpose servers can never have enough RAM.  

(If you want to really speed up the server, install and regularly run Perfect Disk or some other Disk Defragger.  Multipurpose servers tend to Fragment their disks so much more than single purpose machines since there is usually much more asynchronous and synchronous disk I/O happening at the same time.)

I hope this answers your question.  If not, just ask away.  

Accepted Solution

trymelatr earned 400 total points
ID: 12544410
You can certainly have the firewall replace the function of the ISA server.  And once the firewall is up and running, you can disable the ISA server and even uninstall it from SBS.

You will have to make sure that the firewall can publish the web site from SBS which shouldn't be a problem.  You can take out the second NIC on the SBS so that there is no confusion as to internal/external nics too.

My thoughts are to disable ISA (not uninstall it) and disable the external NIC (not uninstall it); that way you can easily go back to the way it was if you have a problem with the new firewall.  Then, after a while, when you feel comfortable with the new setup, go ahead and uninstall them.

Author Comment

ID: 12548422
Thank you for taking the time to write such detailed suggestions.  I really do appreciate them.  I'm going to make the transition in about 40 minutes here so I will let you guys know how it goes / award points.

Expert Comment

ID: 12548605
Good luck.  Be sure to post your results and findings.

Author Comment

ID: 12555500
It seemed simple enough going in, but I was not able to make it happen.  I disabled the external NIC and went into Component Services and stopped the ISA service.  I was only able to get WinXP and Win2K clients out to the internet.  The Win98 clients wouldn't play nice and could not get the web page to come up, so my problem seems not to be network config but firewall config.  I have contacted another, more experienced network guy and will update with the resolution, and finally award the points.

Expert Comment

ID: 12555619
Do the 98 clients have the default gateway set to the IP of the new firewall?  Did you have the firewall client installed on them?  What about the web proxy settings?  If they were set up as either firewall or web proxy clients, you will have to change them.

Expert Comment

ID: 12555736
Kudos to Trymelatr - proxy clients is what I'd be looking at.  Go to the Control Panel and see if they exist.  Go to IE, Tools, Internet Options, Connections, LAN Settings.

Try to ping outward.  From DOS, perform a "tracert" to an IP address that is external - such as c:\>tracert www.yahoo.com -d

(-d disables DNS lookups, which slow down the process.)

Perform a "route print" from DOS on the 98 clients - see if the default route is the IP address of your firewall's internal adapter.  If not, type in something like this:

route add 0.0.0.0 mask 0.0.0.0 xxx.xxx.xxx.xxx -p  (xxx's is the IP of your firewall's internal adapter, -p makes it persistent)
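The default-gateway check that trymelatr and RichardCorbett both point at (is the Win98 client's default route the firewall's inside address, or is it still the old SBS internal adapter?) can be automated over saved "route print" output. The script below is an added example and not code from anyone in this thread; the sample output, the firewall inside address 192.168.16.1 and the old SBS address 192.168.16.2 are all constructed for illustration. It parses the route table, reports every default gateway it finds (a client can end up with two after a DHCP change), and builds the corrective route command in the form given above when the gateway is wrong.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "route print" output from a Windows 9x-era client.
# Not captured from the poster's network: here the default route still points
# at the old SBS internal adapter (192.168.16.2), not the new firewall.
SAMPLE_ROUTE_PRINT = """\
Active Routes:

  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0     192.168.16.2    192.168.16.50       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
     192.168.16.0    255.255.255.0    192.168.16.50    192.168.16.50       1
    192.168.16.50  255.255.255.255        127.0.0.1        127.0.0.1       1
   192.168.16.255  255.255.255.255    192.168.16.50    192.168.16.50       1
        224.0.0.0        224.0.0.0    192.168.16.50    192.168.16.50       1
  255.255.255.255  255.255.255.255    192.168.16.50    192.168.16.50       1
"""

# One route line: destination, netmask, gateway, interface, metric.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_LINE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_route_print(text: str) -> List[Dict[str, object]]:
    """Return the routes from 'route print' output; header/blank lines are skipped."""
    routes: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                           "interface": iface, "metric": int(metric)})
    return routes


def default_gateways(routes: List[Dict[str, object]]) -> List[str]:
    """All gateways of 0.0.0.0/0.0.0.0 routes; more than one means a stale route."""
    return [str(r["gateway"]) for r in routes
            if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


def check_default_route(text: str, firewall_inside_ip: str) -> Dict[str, object]:
    """Compare the client's default gateway(s) against the firewall's inside address.

    Returns the gateways found, whether the table is correct (exactly one default
    route, via the firewall), and the 'route add' command to fix it otherwise.
    """
    gateways = default_gateways(parse_route_print(text))
    ok = gateways == [firewall_inside_ip]
    fix: Optional[str] = None
    if not ok:
        fix = f"route add 0.0.0.0 mask 0.0.0.0 {firewall_inside_ip} -p"
    return {"default_gateways": gateways, "expected": firewall_inside_ip,
            "ok": ok, "fix": fix}


if __name__ == "__main__":
    # Hypothetical firewall inside address for the walkthrough.
    result = check_default_route(SAMPLE_ROUTE_PRINT, "192.168.16.1")
    print("default gateway(s):", result["default_gateways"])
    print("correct:", result["ok"])
    if result["fix"]:
        print("suggested fix:", result["fix"])
```

Run it against the output of `route print > routes.txt` copied off each client; a client whose default route still names the SBS internal adapter is one that never picked up the new DHCP gateway, which matches the symptom described above where only the Win98 machines fail while XP/2000 clients get out.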

Author Comment

ID: 12614693
Sorry to keep you all waiting.  The problem was a misconfigured router.  Now that it is corrected, the WAN adapter of the server is disabled and ISA has been turned off.  Everything is behind the PIX box now and best of all, I don't have to deal with ISA anymore!  Thanks!
