One Firewall Two Networks

dafitzgerald used Ask the Experts™
I have an existing MS network behind a Watchguard Firebox 700 firewall and I want to host an entirely different domain behind the same firewall using Windows 2003 SBS without interfering with the original network.  I'm sure there is a lot more information needed to provide the correct solution so just ask.
If all you want is a separate new domain it's quite straightforward. A router separates two or more networks anyway. So as long as you have the right IP address range (different network range from the existent one) all you need is to physically connect your devices and install Active Directory.

Now, as you know, Active Directory needs a DNS server. So make sure you are also providing a DNS server for the new domain.

Basically, just ignore the fact that you have a domain in place already. Once you finish deploying the new domain, ensure connectivity between the two networks exists. (Or, you might just want not to provide such connectivity - it's entirely up to you.)
What do you mean by different "domain"? Is it about DNS or just IP? I assume you want to add a new subnet.

If I remember correctly the 700 has at least 3 interfaces, so you just need to configure an unused one with an IP of your new subnet, then create associated rules for it. That should be transparent to the other network.

Do you expect to open your SBS on the internet? (hope not)

Mmh, based on rafael's comment I'm lost now. Was this a question about firewalls or about Windows Domains, therefore Active Directory?


Top Expert 2007
If you want to use the FW as a network separator this can be done by using the third port [DMZ] on the FB 700; if you are already using the interface for DMZ, then you can have multiple subnets on the WG by creating secondary networks, however, these secondary networks would TALK to each other.

When you add devices to the DMZ then by default the traffic from trusted to DMZ is allowed but traffic from DMZ to trusted is disallowed.

If your DMZ port is already utilized and you wish to keep both networks separate, then as said in the first post, you would need some hardware device like a router or L3 switch.
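To make the segmentation points in this answer concrete (distinct address ranges per interface, the default trusted-to-DMZ direction, and secondary networks on one interface not being separated from each other), here is an added example that models that policy; it is not WatchGuard configuration or code from this thread, and the subnets are constructed assumptions.

```python
import ipaddress


def build_interfaces(spec):
    """Map interface name -> list of ip_network objects, from strings."""
    return {name: [ipaddress.ip_network(n) for n in nets] for name, nets in spec.items()}


# Constructed layout: existing domain on the trusted interface, the new SBS
# domain on the third (DMZ) interface. Address ranges are assumptions.
INTERFACES = build_interfaces({
    "trusted": ["192.168.1.0/24"],
    "dmz": ["192.168.2.0/24"],
})
# Default direction policy described above: trusted -> DMZ allowed, DMZ -> trusted denied.
DEFAULT_ALLOW = {("trusted", "dmz")}


def check_separation(ifaces):
    """Every subnet must be a distinct range; overlapping ranges break routing."""
    nets = [(name, net) for name, lst in ifaces.items() for net in lst]
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                raise ValueError(f"{a} {na} overlaps {b} {nb}")
    return True


def iface_of(ip, ifaces):
    """Name of the interface whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ifaces.items():
        if any(addr in net for net in nets):
            return name
    return None


def is_allowed(src_ip, dst_ip, ifaces=INTERFACES, extra_allow=()):
    """Default direction policy plus explicit (src_iface, dst_iface) allow pairs."""
    src, dst = iface_of(src_ip, ifaces), iface_of(dst_ip, ifaces)
    if src is None or dst is None:
        return False
    # Two subnets on one interface (secondary networks) are not separated by
    # firewall policy: this is the "they would TALK to each other" case.
    if src == dst:
        return True
    return (src, dst) in DEFAULT_ALLOW or (src, dst) in set(extra_allow)


if __name__ == "__main__":
    check_separation(INTERFACES)
    print(is_allowed("192.168.1.10", "192.168.2.10"))  # True: trusted -> DMZ
    print(is_allowed("192.168.2.10", "192.168.1.10"))  # False: DMZ -> trusted
```

Putting the second domain on a secondary network of the trusted interface passes the overlap check but returns True in both directions, which is exactly the separation you lose in that layout.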
Top Expert 2007

As you already have win2003 SBS, you can also use it as a network separator if you have two or more NICs on your win2003 server. You would need to enable NAT, follow the article below:
The_Real_Clippe, don't get lost. The question is actually about both things ;) How to set up multiple separate domains (in the same forest or not) using a firewall/router separating the actual networks.... Obviously you can have one machine joining multiple servers. But my guess is that the question is actually about setting up a different network, on a different domain, using the same connectivity device (in this case, the same router). According to my understanding, the explanation given in my 1st post stands.


I thought I posted a comment before assigning points but I don't see it... Rafael_acc is correct, the question pertains to connecting two separate and distinct domains to the internet through a common gateway and I believe between the three of you I have enough information to start working on getting the two domains online via a DMZ setup.

Thanks again.

Thanks. You are welcome.
