Firewall Protection for New MS Small Biz 2003 Server

Posted on 2006-04-17
Last Modified: 2013-11-16
Greetings all,

I'm a total newbie at MS Small Biz Server.  I know enough about networking to be dangerous to myself and those around me.

The MS instructions seem to be incomprehensible murk.

Many questions:  What is the best (most secure) way to hook our new server up to the Internet?  Right now, it's behind a Symantec Security Appliance.  The server has 2 NICs.  We want to host our own SSL extranet, as well as have ftp, mail, & etc.

Hardware firewall a good idea?  If yes, then which one?  Will the Symantec work?  Or would a Cisco PIX or NetScreen 5GT (or something else) be better?

We have purchased 5 fixed IPs.  A regular website would use one of the IPs.  The SSL extranet uses another.  How do you do the routing so that a user can get through to the correct IP?

Thanks in advance,

Question by: raortman
    LVL 9

    Expert Comment

    There are plenty of options you need to weigh when picking a FW, such as port forwarding, bandwidth utilization and restrictions, NAT, VPN capability, ease of use, cost, etc.
    I would use Juniper NetScreen FW/VPNs, but which model to go with depends on your bandwidth and other needs.

    If your servers are on a private IP space, and you have 5 public, then you can use MIP or VIP on a Netscreen to get external people to connect.

    Here is a FW buyer's guide; granted, it's from Juniper, so it might be slanted towards them, but it gives you an idea.

    Reference these 2.

    Author Comment

    Hi jabiii,

    Thank you for your comment and the links.  

    Query:  How does the NetScreen handle the public IPs?  If I were hooking the server straight to the net, I could drop all our public IPs into its front NIC.  How do you accomplish the same goal with a router?  Sorry, I don't know the first thing about MIP or VIP...

    LVL 9

    Accepted Solution

    Well, there are obviously a lot of possible configurations you could use, using NetScreen or not.

    Let's say you are using NetScreen.
    You can use a layer 3 solution or layer 2.

    In a layer 2 solution your servers would all have their public IPs and the FW/VPN would have 1 of the IP addresses, and would be like this...
    ISP gateway <> NS <> Servers
    All traffic to and from the servers would be going through the Netscreen, but not being routed by it, only acting as a transparent Firewall. (hence transparent mode)

    ISP Gateway <> NS <> servers/computers
    In this case all traffic from anything on the right (comps/servers) would use the default gateway of the NS and be routed to/from the internet.
    Coming from the outside, the NetScreen would have basically a listing of all 5 of the public IPs, keeping 1 public for itself, and assigns the other 4 IPs directly to one of the internal servers, or maps the public IPs, and which port is being used, to the correct server.

    Using MIP (mapped IP), any connection to would be sent to server for example.

    Using VIP, anything connecting to port 80 on IP would be sent to 192.x.x.3, any port 22 sent to 1..1.1.3 would be sent to server 192.x.x.4, anything sent to port 25 at would be sent to server 192.x.x.5, etc. You can send the ports anywhere you want. If you have 2 internal servers using the same port then you would use a secondary external address, etc. etc. etc.

    Juniper's website has really good info for you.
    this help?
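
The MIP and VIP mappings described in the accepted answer, modelled as an added Python example (not part of the original thread and not NetScreen code). The class name, the 203.0.113.x public addresses and the 192.168.1.x hosts are constructed for illustration; the model covers address translation only, and on a real firewall a policy still decides which of these connections is permitted.

```python
from ipaddress import ip_address

class InboundNat:
    """Toy model of inbound MIP (1:1) and VIP (per-port) address mappings."""

    def __init__(self, firewall_ip, public_pool):
        self.firewall_ip = ip_address(firewall_ip)   # address the firewall keeps
        self.pool = {ip_address(p) for p in public_pool}
        self.mip = {}   # public IP -> internal IP, every port
        self.vip = {}   # (public IP, port) -> (internal IP, port)

    def _public(self, addr):
        addr = ip_address(addr)
        if addr not in self.pool:
            raise ValueError(f"{addr} is not one of the public IPs")
        return addr

    def add_mip(self, public, internal):
        public = self._public(public)
        if public == self.firewall_ip:   # model assumption: firewall keeps one IP
            raise ValueError("the firewall's own address cannot be a MIP")
        if public in self.mip or any(ip == public for ip, _ in self.vip):
            raise ValueError(f"{public} is already mapped")
        self.mip[public] = ip_address(internal)

    def add_vip(self, public, port, internal):
        public = self._public(public)
        if public in self.mip:
            raise ValueError(f"{public} is already a MIP")
        if (public, port) in self.vip:
            # Two servers on the same port need a second external address.
            raise ValueError(f"{public}:{port} is already forwarded")
        self.vip[(public, port)] = (ip_address(internal), port)

    def resolve(self, dst_ip, dst_port):
        """Internal (IP, port) for an inbound connection, or None (dropped)."""
        dst = ip_address(dst_ip)
        if dst in self.mip:
            return (self.mip[dst], dst_port)   # MIP forwards whatever port arrives
        return self.vip.get((dst, dst_port))   # VIP forwards only listed ports

def build_example():
    # Constructed addresses: 203.0.113.10-14 public, 192.168.1.x internal.
    nat = InboundNat("203.0.113.10", [f"203.0.113.{n}" for n in range(10, 15)])
    nat.add_mip("203.0.113.11", "192.168.1.2")
    nat.add_vip("203.0.113.12", 80, "192.168.1.3")
    nat.add_vip("203.0.113.12", 22, "192.168.1.4")
    nat.add_vip("203.0.113.12", 25, "192.168.1.5")
    return nat
```

Because a MIP passes every destination port through to one host, the permit policy is the only thing limiting that server's exposure, while a VIP exposes only the ports that were explicitly mapped.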
