Can SBS 2000 be put behind a firewall?

Posted on 2004-11-09
Last Modified: 2013-11-16
Hello Experts,

I am dealing with an old server that just can't stomach its load, but the budget won't stomach a new server, so I'm looking for ways to alleviate the server's stress.  Presently, it is running Microsoft Small Business Server 2000.  The server hosts a website, email, performs routing & firewall responsibilities, and serves files to the 9-client (Win98) network.  I want to put the server behind a Cisco PIX 501 to both alleviate some stress from the server and put me one step closer to a multi-server network.

I would like the Cisco PIX 501 to start serving DHCP and handle all internet access for the client computers.  What changes will I need to make to the server's built-in ISA firewall to make this happen?  The server will still be responsible for hosting files, email, and the website.

Question by:ewhitaker
    LVL 2

    Assisted Solution

    I do not have experience with the PIX 501 personally, but have set up networks in the fashion that you are considering many times.  Most appliance based firewalls support DHCP, so you are in luck.

    1)  The quickest, easiest, and safest thing is really to make as few changes as possible.  Just add an appliance based firewall; simply put the firewall between the server and the outside network router (or cable/dsl modem).  Many firewalls have an option of operating with a "drop in" configuration as well as a routed configuration.  (Watchguard firewalls / Fortinet firewalls have this "drop in" configuration for sure.)  Just configure the firewall to open up and allow only the traffic types and destination ports that you wish to allow.  This also relieves you of having to mess with a production server, which in my honest opinion should never ever be done for any reason.  (Servers should be "set it and forget it" once live.)

    2)  A routed configuration can be implemented easily that can afford you minimal configuration should you wish to leave ISA intact.  Here is an example of one scenario if you were to do it in a routed configuration:

    Network 1 - Internal Network
    Network 2 - DMZ
    Network 3 - External Network

    Network 1 -
    Network 2 -
    Network 3 -

    Network 1 --->  SBS Server --->  Network 2 ---> Firewall ---> External Network

    Network 1 ---> Internal Network Switch / Hub / Access Point
    Network 1 ---> SBS Internal Server Network Adapter
    Network 2 ---> SBS External Server Network Adapter
    Network 2 ---> Firewall Internal Network Port
    Network 3 ---> Firewall External Network Port
    Network 3 ---> Router Internal Network Port

    On the firewall, open up and allow traffic to traverse the firewall based on the port you wish to allow.  For example, allow port 80 (http), port 25 (smtp), ICMP (ping) (for troubleshooting), and anything else that you may have - such as PPTP/VPN, etc.  Make sure that you tell it where to go, i.e. any traffic coming in on Firewall External Port  80 should go to SBS External Server Network Adapter Port 80.

    3)  Lastly, a routed configuration whereby you uninstall ISA and just firewall / NAT between the outside network and your inside network:

    Internal Network ---> Internal Network Switch / Hub / Access Point
    Internal Network ---> SBS Internal Server Network Adapter (Plug into switch)
    Internal Network ---> Firewall Internal Network Port (Plug into switch)

    External Network ---> Firewall External Network Port (Plug into Router)
    External Network ---> Router Internal Network Port (Plug into Firewall)

    I recommend going with option #1 b/c this is a live production server.  I would also consider adding memory to the server.  Multipurpose servers can never have enough RAM.

    (If you want to really speed up the server, install and regularly run Perfect Disk or some other disk defragger.  Multipurpose servers tend to fragment their disks so much more than single purpose machines since there is usually much more asynchronous and synchronous disk I/O happening at the same time.)

    I hope this answers your question.  If not, just ask away.  
    LVL 2

    Accepted Solution

    You can certainly have the firewall replace the function of the ISA server.  And once the firewall is up and running, you can disable the ISA server and even uninstall it from SBS.

    You will have to make sure that the firewall can publish the web site from SBS which shouldn't be a problem.  You can take out the second NIC on the SBS so that there is no confusion as to internal/external nics too.

    My thoughts are to disable ISA (not uninstall it) and disable the external nic (not uninstall it); that way you can easily go back to the way it was if you have a problem with the new firewall.  Then, after a while, when you feel comfortable with the new setup, go ahead and uninstall them.

    Author Comment

    Thank you for taking the time to write such detailed suggestions.  I really do appreciate them.  I'm going to make the transition in about 40 minutes here so I will let you guys know how it goes / award points.
    LVL 2

    Expert Comment

    Good Luck.  Be sure to post your results and findings.

    Author Comment

    It seemed simple enough going in, but I was not able to make it happen.  I disabled the External NIC and went into component services and stopped the ISA service.  I was only able to get WinXP and Win2K clients out to the internet.  The Win98 clients wouldn't play nice and could not get the web page to come up, so my problem seems not to be network config but firewall config.  I have contacted another more experienced network guy and will update with the resolution, and finally award the points.
    LVL 2

    Expert Comment

    Do the 98 clients have the default gateway set to the ip of the new firewall?  Did you have the firewall client installed on them?  What about the web proxy settings?  If they were set up as either firewall or web proxy clients, you will have to change them.
    LVL 2

    Expert Comment

    Kudos to Trymelatr - proxy clients is what I'd be looking at.  Go to the control panel and see if they exist.  Go to IE, Tools, Internet Options, Connections, Lan Settings.

    Try to ping outward.  From DOS, perform a "tracert" to an ip address that is external - such as c:\tracert -d

    (-d disables dns lookups, which slow down the process.)

    Perform a "route print" from dos on the 98 clients - see if the default route is the IP address of your firewall's internal adapter.  If not type in something like this:

    route add mask -p  (xxx's is the ip of your firewall's internal adapter, -p makes it persistent)

    Author Comment

    Sorry to keep you all waiting.  The problem was a misconfigured router.  Now that it is corrected, the WAN adapter of the server is disabled and ISA has been turned off.  Everything is behind the PIX box now and best of all, I don't have to deal with ISA anymore!  Thanks!
