doddwell
Network Configuration with 2 Servers
Hello
I have configured a single Win 2003 server with Exchange 2003 on a test network and everything works fine. I now want to modify the network so that I have 2 Win 2003 servers - one to run Exchange and the other to store files and acts as a Domain Controller (DC).
The exchange server has 2 NICs, the DC has 1 NIC. I have a Netgear router which can perform NAT. My internal network uses 192.168.0.*** and my Subnet is 255.255.255.0.
Router - 192.168.0.1
DC - 192.168.0.3
1.) What IP addresses should I give to the 2 NICs on the Exchange Server?
2.) Where should I perform NAT? In the router or in the Exchange Server?
TA.
ASKER
I know that I only need to use 1 NIC on the Exchange server, but isn't it preferable to use 2?
It depends on your setup. If you wanted to use it you would either have to give it a public IP or an IP on a separate internal subnet to separate email traffic from the rest of the network. You could give it an IP of 192.168.1.4, but your router would have to be able to handle two internal subnets.
Even doing this wouldn't really change anything. It wouldn't give you any more bandwidth or help security much.
If you were in a larger environment it could be useful: if you had a separate Exchange server acting as a gateway to multiple internal Exchange servers with email stores on them, you could have one NIC connected to your DMZ and one NIC connected to your internal network. Even in that situation, that wouldn't be the best way to do it, because if somehow the gateway Exchange server was compromised then they would have full access to your internal network. The way it would be done is to have the gateway Exchange server in the DMZ with one NIC; it accepts email from the internet through the firewall, then forwards it to the internal servers back through the firewall to the internal network. At each point the traffic is restricted to only what is expected. I really don't see the need for dual NICs in this case.
You could also use it for background traffic, like for doing backup jobs. Then both servers would have dual NICs and talk to each other on the secondary network and the workstations on the primary network. It really wouldn't make that much difference for only two servers though.
Is this a test network to be rolled out to production? Or a test network for testing things before applying to your production network?
In the latter case there isn't much need for the Exchange server to use both NICs. Enable one, and disable the other. The IP address doesn't matter, as long as it's not in use elsewhere.
If it is a test network to become production, then it is best to set it up according to how you want your network set up. This will depend on how many users you have, how many resources they need, etc. For me, I found it's easier to set up network load balancing on an Exchange server with two NICs than to try to multihome. Running NAT/Internet Connection Sharing on the Exchange Server puts a lot more work on the machine than is really necessary, and can be avoided with the SOHO NAT box.
CH
In a small environment, this is probably overkill, but since you have two NICs - you could team them and use Fault Tolerant Load Balancing - so if one cable is accidentally unplugged, or one of your NICs gets misconfigured or dies, you'd still have a connection. Again, overkill - or just disable it - as was suggested for simplicity.
ASKER
Can someone summarise for me? Lets say I have a router, Exchange Server, File Server and a switch. We are a relatively small company. Can you let me know what should plug in where?
ASKER CERTIFIED SOLUTION
ASKER
Pseudocyber - Originally, that is how I would have configured the network but thought that after a question I recently posted (Q_21434583) it should be different. Based upon the former question I would have thought:
Router plugs into internet
Exchange Server (NIC1) Plugs into Router
Exchange Server (NIC2) Plugs into switch
Domain/file Server plugs into Switch
Clients plug into switch
It depends. I would really recommend a firewall in between the router and switch, but you didn't mention that.
ASKER
My router has a firewall - should I use an additional one? If so, what do you recommend and how would the network look?
When you say "router" are you talking about a Linksys or something like that? I would recommend a "real" router - a Sonicwall, Symantec, Checkpoint, etc.
Internet
|
Screening Router (Cisco)
|
Firewall
|
Switch
|
Servers
Oops, I meant "real" firewall - but "real" router also applies.
ASKER
My test network uses a Netgear DG834G (which does have a firewall but I expect it's not ideal). When we go live we'll be using a Cisco 1700 series router.
Your Cisco 1700 can do some Access List type control, but it's not ideal for doing Stateful Packet Inspection.
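As an added example (not code from the thread or from any of the participants), here is a small Python model of the two-hop mail path described in the earlier answer (Internet to a single-NIC relay in the DMZ, relay to the internal Exchange server, each hop permitted only on SMTP) together with the point just made about access lists: a stateless ACL that has to admit SMTP replies by matching on source port 25 lets a compromised relay reach the file server on 445 simply by choosing source port 25, whereas a filter with a connection table only admits replies to connections it allowed in the forward direction. The address plan (192.168.100.0/24 as the DMZ, .25 as the relay, 192.168.0.4 as Exchange, 192.168.0.3 as the DC/file server) and the sample flows are constructed assumptions for the example.

```python
"""Toy first-match packet filter modelling the DMZ mail relay design:
Internet -> DMZ relay -> internal Exchange, each hop restricted to SMTP.
All hosts, addresses and flows are constructed for this example."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption): the question's 192.168.0.0/24 stays
# internal; a separate 192.168.100.0/24 is the DMZ.
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.168.100.0/24")
INTERNAL = ip_network("192.168.0.0/24")
MAIL_GATEWAY = ip_network("192.168.100.25/32")  # DMZ SMTP relay (assumed)
EXCHANGE = ip_network("192.168.0.4/32")         # internal mailbox server (assumed)

SMTP, SMB = 25, 445


@dataclass(frozen=True)
class Rule:
    src: object           # ipaddress network
    dst: object           # ipaddress network
    dport: Optional[int]  # None = any destination port
    action: str           # "allow" or "deny"


# Each hop permits only the flow expected at that point; the explicit denies
# at the end stop the DMZ (or the Internet) initiating anything else inside.
POLICY = [
    Rule(ANY, MAIL_GATEWAY, SMTP, "allow"),       # inbound mail to the relay
    Rule(MAIL_GATEWAY, EXCHANGE, SMTP, "allow"),  # relay hands mail to Exchange
    Rule(EXCHANGE, MAIL_GATEWAY, SMTP, "allow"),  # outbound mail via the relay
    Rule(DMZ, INTERNAL, None, "deny"),            # nothing else from the DMZ
    Rule(ANY, INTERNAL, None, "deny"),            # nothing else from outside
]


class StatefulFilter:
    """First-match policy plus a connection table: a reply to a connection
    that was allowed in the forward direction is accepted without a rule."""

    def __init__(self, policy):
        self.policy = policy
        self.table = set()  # (src, sport, dst, dport) of allowed connections

    def check(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.table:
            return "allow"  # reply packet of an established connection
        s, d = ip_address(src), ip_address(dst)
        for rule in self.policy:
            if s in rule.src and d in rule.dst and rule.dport in (None, dport):
                if rule.action == "allow":
                    self.table.add((src, sport, dst, dport))
                return rule.action
        return "deny"  # default deny


def stateless_check(src, sport, dst, dport):
    """The same policy on a filter with no connection table. To let SMTP
    replies back in, a stateless ACL has to permit packets *from* port 25,
    and an attacker on the relay can set that as their source port."""
    s, d = ip_address(src), ip_address(dst)
    if s in DMZ and d in INTERNAL and sport == SMTP:
        return "allow"  # the "reply" rule, matched on source port only
    for rule in POLICY:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "deny"


def demo():
    """Run the constructed flows through both filters; returns verdicts."""
    fw = StatefulFilter(POLICY)
    return {
        "inbound smtp to relay": fw.check("203.0.113.9", 40000, "192.168.100.25", SMTP),
        "relay to exchange smtp": fw.check("192.168.100.25", 40001, "192.168.0.4", SMTP),
        "exchange reply to relay": fw.check("192.168.0.4", SMTP, "192.168.100.25", 40001),
        "relay to file server smb": fw.check("192.168.100.25", 40002, "192.168.0.3", SMB),
        "internet to exchange smtp": fw.check("203.0.113.9", 40003, "192.168.0.4", SMTP),
        "stateless: relay with sport 25 to smb":
            stateless_check("192.168.100.25", SMTP, "192.168.0.3", SMB),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{verdict:5}  {flow}")
```

The stateful filter allows the Exchange reply only because the relay's forward connection was recorded first; the same reply would be denied if it arrived unsolicited. The stateless variant shows why the "permit source port 25" workaround is the hole the screening-router-plus-firewall layout above is meant to close.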
ASKER
What does a 'real' firewall sit on - a server or PC? Is ISA such a product?
ISA can act like a firewall, but IMHO, no, it's not a real firewall - it's a proxy server at heart. Some firewalls will run on servers - such as Checkpoint on Windows or Sun Solaris. However, in my opinion, it's best to run them as an appliance, where the firewall is its own box - less to manage, such as not having to keep up to date with Windows OS patches, worry about Windows vulnerabilities, etc.
The router should already be doing NAT; you shouldn't have to do anything.