How do I set up SBS2003 R2 Standard with Watchguard Firebox X10e for VPN?

Posted on 2008-11-04
Last Modified: 2013-11-16
Here's my equipment and software. Keep in mind none of this is installed yet.
Dell Server with 2 NIC Cards
SBS 2003 R2 Standard.
6 Gateway Vista Workstations.
Atlantic Broadband modem with Static IP
10 port switch
Wireless router linksys
(2) Watchguard Firebox X10e

I want to connect our two offices (different cities) with the Fireboxes.
The server side has the static ip.

Some of the questions are:

Where will the incoming cable modem line connect? To the Firebox first? Then to the switch and then to the NIC on the server? Can anyone give me a layout for the physical hookup?
What about DHCP? SBS usually wants to be the DHCP server, so how do I do this?

Since I will be pointing my domain records to the static IP for Exchange, is there anything I need to think about as far as this setup with the Fireboxes?
Question by:emumaster

    Author Comment

    I am heading out to lunch, so if you guys answer or have a question, I'll be back at 1:00pm EST
    And thanks ahead of time for your advice!

    Accepted Solution

    -SBS configured with 2 NICs is intended to be a gateway for your LAN clients. In order for a remote site to gain access you need to open many ports. Your best bet would be to disable the WAN/public facing NIC. Do so, and then re-run the Configure E-mail and Internet Connection Wizard located under server management | internet and e-mail | connect to the internet.
    -The physical connections will then be as follows:
    Internet=>modem=>Watchguard=>switch=>SBS, clients, and wireless Linksys (configured as an access point, not a gateway)
    -SBS needs to be the DHCP server. If it is not already, see "Configuring Settings for an Existing DHCP Server Service on Your Network" halfway down the page.
    -The remote site must use a different subnet than the SBS site. For example, if the SBS site uses 192.168.1.x, the remote site must use something like 192.168.2.x.
    -The local and remote sites MUST use different subnets; this applies to mobile VPN clients as well. Therefore at the primary site it is a good idea to avoid common subnets such as 192.168.0.x, 192.168.1.x, 192.168.2.x, 10.0.0.x, 10.10.10.x.
    -If you change the server's LAN IP you MUST do so using the change server IP wizard, located under server management | internet and e-mail.
    -The remote site must also point to your SBS for DNS, and not the public IP. They must also not use the ISP's DNS even as an alternate (second) DNS server.

    Afraid I am no help with the actual Watchguard site-to-site VPN connection.
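
The addressing rules in the accepted solution can be checked before either Firebox is configured. The script below is an added example, not part of the original thread: it validates a planned set of subnets and the remote site's DNS list against those rules. The function name, the site names, the third "mobile_vpn_pool" network and all addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# The ranges the answer suggests avoiding at the primary site, written as /24s.
COMMON_SUBNETS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "10.10.10.0/24")]


def check_plan(sites, primary, sbs_ip, remote_dns):
    """Return a list of problems in a site-to-site VPN addressing plan.

    sites      -- {name: CIDR} for every network that will share the VPN
    primary    -- name of the SBS site in `sites`
    sbs_ip     -- LAN IP of the SBS server
    remote_dns -- DNS servers handed to clients at the remote site
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    sbs = ipaddress.ip_address(sbs_ip)
    problems = []
    # Networks on either side of the tunnel must not overlap.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"overlap: {a} {na} and {b} {nb}")
    # A common default range at the primary site is likely to collide with
    # whatever network a mobile VPN client happens to be sitting on.
    for common in COMMON_SUBNETS:
        if nets[primary].overlaps(common):
            problems.append(f"common subnet at {primary}: {common}")
    if sbs not in nets[primary]:
        problems.append(f"SBS {sbs} is outside {primary} {nets[primary]}")
    # Remote clients must resolve through SBS only, with no ISP alternate.
    if not remote_dns:
        problems.append("remote site has no DNS server configured")
    for dns in remote_dns:
        if ipaddress.ip_address(dns) != sbs:
            problems.append(f"remote DNS {dns} is not the SBS server")
    return problems


# Constructed sample plans (203.0.113.53 stands in for an ISP resolver).
BAD_PLAN = dict(
    sites={"main": "192.168.1.0/24", "branch": "192.168.1.128/25",
           "mobile_vpn_pool": "192.168.50.0/24"},
    primary="main", sbs_ip="192.168.1.2",
    remote_dns=["192.168.1.2", "203.0.113.53"])
GOOD_PLAN = dict(
    sites={"main": "172.21.16.0/24", "branch": "172.21.17.0/24",
           "mobile_vpn_pool": "172.21.18.0/24"},
    primary="main", sbs_ip="172.21.16.2", remote_dns=["172.21.16.2"])

if __name__ == "__main__":
    for label, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(label, check_plan(**plan) or "OK")
```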
