Userek
asked on
how to set server structure
hi all
I plan to size servers and their roles for company (about 100 useres) now all is on one sbs2000 server.
I want to have: Two Domain conntrolers ( win2008 server std, exchange2007, and etc.(wsus, sharepoint services, Office comm. server)
I can't use EBS becouse in future i need to establish trust reletionships with others domains.
This is what i am thinking of (with using 3 physical machins: ISA(3 nics, DC with exch, DC1)
| | internal NIC2 -> LAn clients
internet ->external NIC 1 | ISA 2006 |
| | internal NIC3 -> LAN for servers (w2k8 DC with exch2007,w2k8 DC1)
in this case i have servers protected from both internet and local and i think is a good solution.
BUT in this a) ISA is very sensitive, what if isa fails? b) is in that possibility to doing exchange cluster without adding phisical machines?
i have read about instaling exch on DC.
i am not looking for general solution but a good advice and right path to future planing
What are Your suggestions mayby different structure??
maybe virtualize someting in this?
unfortunately this is a trial account sa propably i can't post it back to your posts
Drawing1.pdf
I plan to size servers and their roles for company (about 100 useres) now all is on one sbs2000 server.
I want to have: Two Domain conntrolers ( win2008 server std, exchange2007, and etc.(wsus, sharepoint services, Office comm. server)
I can't use EBS becouse in future i need to establish trust reletionships with others domains.
This is what i am thinking of (with using 3 physical machins: ISA(3 nics, DC with exch, DC1)
| | internal NIC2 -> LAn clients
internet ->external NIC 1 | ISA 2006 |
| | internal NIC3 -> LAN for servers (w2k8 DC with exch2007,w2k8 DC1)
in this case i have servers protected from both internet and local and i think is a good solution.
BUT in this a) ISA is very sensitive, what if isa fails? b) is in that possibility to doing exchange cluster without adding phisical machines?
i have read about instaling exch on DC.
i am not looking for general solution but a good advice and right path to future planing
What are Your suggestions mayby different structure??
maybe virtualize someting in this?
unfortunately this is a trial account sa propably i can't post it back to your posts
Drawing1.pdf
ASKER
ok
thank You for different look on my problem.
I totally agree, in my solution Isa is "large single point-of-failure into the network" and this is what i need
to do something on it and avoid isa fail down- but what? cluster? or ... i dont know.
from the other hand this solution gives me a added protection for my servers (i mean DC, exch behind nic on isa) vs connecting servers direct to the lan as You mention
i met my solution couple of times in other enviroments implemented successfully (on other "it" portal)
in this doc http://www.isaserver.org/tutorials/Teaching-Boss-Network-ISA-Firewall-Part1.html
part: Inter-network Access Control Solution this configuration on isa is sugessted and suported
What You mean in this: "In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks"
please post details on it.
thank You for different look on my problem.
I totally agree, in my solution Isa is "large single point-of-failure into the network" and this is what i need
to do something on it and avoid isa fail down- but what? cluster? or ... i dont know.
from the other hand this solution gives me a added protection for my servers (i mean DC, exch behind nic on isa) vs connecting servers direct to the lan as You mention
i met my solution couple of times in other enviroments implemented successfully (on other "it" portal)
in this doc http://www.isaserver.org/tutorials/Teaching-Boss-Network-ISA-Firewall-Part1.html
part: Inter-network Access Control Solution this configuration on isa is sugessted and suported
What You mean in this: "In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks"
please post details on it.
You could use multiple ISA servers if you wished, but this would add unnecessary complexity to the network. The point I was trying to make is rather than relying on hardware, such as switches and VLANs, to achieve routing and segregation in your network, you are relying on a software product. It is more likely for a more complicated software package to fail than it is for dedicated switching hardware to fail.
You can achieve the same result which you are achieving with ISA by purchasing a Layer 3 VLAN-capable switch, and configuring your servers and LAN on separate VLANs. Routing is then performed between VLANs, per the rules you configure, by the Layer 3 switch. ISA Server then sits on the outside, and acts as the gateway for the network.
ISA does give protection, and still would give protection. I'm not saying to remove the ISA Server from the deployment completely; I'm just saying to not use it for routing between servers and LAN, but instead, use it for the routing between the public network (Internet) and your internal network.
-Matt
ASKER
ok
I agree and the fact is that is pretty good idea.
actually i'am looking on this capabilty on my dell powerconnect 2748 switch to decide what to choice from that two ideas.
of course Isa will be still a network point which needs to consider a redundancy.
THX
I agree and the fact is that is pretty good idea.
actually i'am looking on this capabilty on my dell powerconnect 2748 switch to decide what to choice from that two ideas.
of course Isa will be still a network point which needs to consider a redundancy.
THX
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
unfortunately its Layer 2 and the third party router will be needed
OK sa ganerally speaking i will consider it all and so on.
Thank You for Your opinion and help
OK sa ganerally speaking i will consider it all and so on.
Thank You for Your opinion and help
Why the auto-close request, and why am I only receiving 200 points? I believe I have answered your question as fully as possible within the realms of this particular question.
ASKER
sorry my fault with point - should be 500 is it correct? I agree that Your answers was helpfull
Thank-you :-)
Your proposed ISA configuration is one I would avoid. In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks. You also place a rather large single point-of-failure into the network; if the ISA Server failed, you would lose connectivity between the LAN and the servers.
Instead, I'd suggest connecting the servers and LAN clients to the same switch. The ISA Server can then be connected to that switch and be used (with 2 NICs) as a gateway to the Internet. If necessary, you could segregate traffic using VLANs - a much more robust solution than an ISA Server to perform this routing.
An Exchange CCR (automated failover) or SCR (standby continuous replication) Cluster would require at least 2 installations of Exchange. With suitable server hardware, you can use virtualisation (such as VMWare) to virtualise two Exchange machines on the same server. This would give software resilience, while no hardware redundancy of Exchange in case of a hardware failure.
-Matt