Windows 2003. Configuring multiple subnets on the same server

Our server is running W2K3 Enterprise.  Internal departments with different subnets need to connect to this server and also to the internet.  The server has multiple NICs.  Questions:

1) How can I configure multiple subnets on this same server, using only 1 NIC?

2) Can I utilize the remaining NICs to accommodate the different subnets?

3) Do I need some type of routing software for this purpose?  Someone suggested a DHCP, but I am not sure how that would work in an environment where the other subnets are static IPs.

Thanks in advance for your help.
impire Asked:

Brian Pierce, Photographer, Commented:
How many subnets are we talking about? If it's only a couple then you can put two network cards in the server and assign an IP address on one subnet to one, and an IP address on the other subnet to the other. You can then install the Routing and Remote Access Server RRAS (part of Windows) to act as a LAN router.

See http://www.microsoft.com/technet/network/rras/default.mspx

If you have a lot of subnets then hardware routing may be more appropriate.
0

impire (Author) Commented:
Our servers will have 2-4 subnets each.  I already have 4 NICs in each of the servers, could I just utilize those instead of having to install hardware routing?

I need these subnets to access the internet as well as users accessing it from the internet via VPN.  In a nutshell, how does RRAS route the subnet?

How secure is RRAS?  Will I be better off installing an ISA, which basically can also act as a LAN Gateway, correct?

I see some posts about IP forwarding.  How does it work to support a multi-subnet environment?  Is this something that RRAS provides as a built-in feature?

I also see posts that talk about having a DHCP in place to handle multiple subnets.  Is this something you would recommend?


0
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
impire,

You posted this question in multiple zones, including the Small Business Server Zone.  Is there an SBS involved with your scenario?  Because if so, this is an important piece of information.

Please advise.

Jeff
TechSoEasy
0

impire (Author) Commented:
Hi Jeff,

Indeed an SBS is involved in our scenario.  

HOST1 is W2K3 Enterprise SP2.  SBS is running as a Virtual Machine under VMWARE.  SBS is acting as a firewall.  There are other VMs "underneath" SBS and are configured as WS

HOST2 is W2K3 Enterprise  SP2. There are WIN XP Pro and W2K3 Enterprise SP2 running as Virtual Machines under VMWARE.

PURPOSE:  To allow VMs under the SBS of HOST1 to communicate with the VMs of HOST2 and vice versa.  Communications must be on a different subnet.  VMs will need Internet access.  VMs will not be allowed to communicate with HOSTs.  Only HOSTs can communicate with each other.  This is to protect HOSTs in their own private sector.
0
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Well, assuming that the VMs that are on HOST2 are members of the SBS's domain (since SBS must be the root of the domain forest and holder of all FSMO roles) they need to be on the same subnet.  So, while I hear that you are saying they need to be on a different subnet, I'd have to ask why?

Due to the limitations of SBS, in which there cannot be more than 75 devices attached and since there is no support of domain trusts, there is never really a need to have SBS manage more than a single subnet.  All of the SBS configuration wizards (scripts) are designed to work only with a single IP Subnet on the LAN.  

So, you need to determine if SBS is the proper server to be using in this scenario... or if perhaps your strict "must be on a different subnet" rule is really required.

Jeff
TechSoEasy
0
impire (Author) Commented:
Hi Jeff,

Hope you had a nice weekend.  Sorry if my comments confused you.  I meant to say that even though the VMs reside on 2 different hosts, they do need to be on the same subnet.  I was implying that the HOSTs will need to be on a different subnet than the VMs.  The trick is to allow the VMs to communicate with each other without compromising the HOSTs.  Meaning the VMs will not be able to access the HOST, this is the reason for its isolation to be on the different subnet.

I think I got it figured out.  It required 3 NICs on each HOST.  1 for the hosts to communicate with each other.  The second and 3rd NIC will have no IP assigned.  So the SBS as VM will utilize the 2nd NIC to get out to the internet.  Then I create a separate VLAN for the 3rd NIC, which allows the VMs to communicate with each other.  This seems to be working fine as I got them to pass traffic back and forth without any problem.  All VMs see each other.  VMs do not see HOSTs and get out to the internet via the SBS (which serves as an ISA).  The SBS utilizes that 2nd NIC, which is connected to a PIX-520, which directs traffic out to the net.
0
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Well, I'm not sure how it works in VMWare, but with Virtual Server 2005, the Virtual Machine can share the same physical NIC.  You would be able to also create virtual network adapters that would communicate through the single physical NIC on the host.

See http://www.microsoft.com/technet/prodtechnol/virtualserver/deploy/cvs2005.mspx  for an example.

Jeff
TechSoEasy
0
impire (Author) Commented:
Hi Jeff,

The topology would be the same for both MS VS and VMWARE.  Thanks for the article.  However, it does not address having VMs and HOSTs totally isolated on different subnets and at the same time, both could get out to the internet.  It also doesn't address how to have multiple subnets on the same server without exposing the HOSTs to the VMs.
0
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
If the hosts were not in the SBS domain, then you couldn't really access anything on them.

Jeff
TechSoEasy
0
impire (Author) Commented:
But if they are on the same subnet and the SBS is going out to the internet via that NIC on the host, that is a security risk.  Since the ISA on the SBS treats the host as just another host outside of its network, that leaves the host vulnerable.  This is the reason why I configured 3 NICs and with different subnets.  1 for the hosts to communicate with each other, the 2nd NIC for the SBS to get out on its own isolated path (different subnet), and the 3rd NIC is only for the VMs to communicate with each other, as well as to the inside network of the SBS.
0
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
That does make sense.

Jeff
TechSoEasy
0
impire (Author) Commented:
I also used a Layer 3 Switches to route NIC1 and NIC2 to its own destination (going outside to the PIX-525).  I also placed all 3 NICs each on its own private VLAN.
0
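
The three-NIC layout described in the posts above (hosts addressed only on NIC1, no host IP bound on the NICs used by the SBS and the other VMs, each segment on its own subnet) can be audited against an interface inventory. This is an added example, not part of the original thread; the segment names, addresses, VM names and the `audit` function are constructed for illustration.

```python
import ipaddress
from itertools import combinations

HOST_ONLY = "host-mgmt"  # assumed name for the NIC1 segment (host-to-host traffic only)

# Constructed sample inventory; none of these addresses come from the thread.
SEGMENTS = {"host-mgmt": "10.10.1.0/24", "sbs-wan": "10.10.2.0/24", "vm-lan": "192.168.16.0/24"}
HOSTS = {  # host -> NIC -> (segment, IP bound in the host OS, or None)
    "HOST1": {"NIC1": ("host-mgmt", "10.10.1.11"), "NIC2": ("sbs-wan", None), "NIC3": ("vm-lan", None)},
    "HOST2": {"NIC1": ("host-mgmt", "10.10.1.12"), "NIC2": ("sbs-wan", None), "NIC3": ("vm-lan", "192.168.16.5")},
}
VMS = [  # (VM name, segment its virtual NIC is bridged to, IP)
    ("SBS", "sbs-wan", "10.10.2.2"), ("SBS", "vm-lan", "192.168.16.2"), ("XP-1", "vm-lan", "10.10.1.50"),
]

def audit(segments, hosts, vms):
    """Return sorted findings; an empty list means hosts and VMs share no segment."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in segments.items()}
    findings = []
    # Overlapping subnets make one segment's addresses look on-link in another.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"segments {a} and {b} overlap")
    # The host OS may hold an address only on the host-to-host segment.
    for host, nics in hosts.items():
        for nic, (segment, ip) in nics.items():
            if ip is None:
                continue
            if segment != HOST_ONLY:
                findings.append(f"{host} {nic} has {ip} bound on {segment}")
            elif ipaddress.ip_address(ip) not in nets[segment]:
                findings.append(f"{host} {nic} address {ip} is outside {segment}")
    # A VM must never be bridged to, or addressed in, the host segment.
    for vm, segment, ip in vms:
        addr = ipaddress.ip_address(ip)
        if segment == HOST_ONLY or addr in nets[HOST_ONLY]:
            findings.append(f"VM {vm} ({ip}) uses a {HOST_ONLY} address")
        elif addr not in nets[segment]:
            findings.append(f"VM {vm} ({ip}) is outside {segment}")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit(SEGMENTS, HOSTS, VMS):
        print(line)
```

On the constructed inventory the audit flags the host address bound on the VM segment and the VM addressed inside the host subnet, the two ways this layout's isolation is most easily undone by a later change.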