[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 312
  • Last Modified:

how to set server structure

hi all

I plan to size servers and their roles for company (about 100 useres) now all is on one sbs2000 server.
I want to have: Two Domain conntrolers ( win2008 server std, exchange2007, and etc.(wsus, sharepoint services, Office comm. server)
I can't use EBS becouse in future i need to establish trust reletionships with others domains.
This is what i am thinking of (with using 3 physical machins: ISA(3 nics, DC with exch, DC1)

                                            |                        | internal NIC2  -> LAn clients
internet ->external NIC 1 |   ISA 2006      |
                                                 |                        | internal NIC3 -> LAN for servers (w2k8 DC with                exch2007,w2k8 DC1)

in this case i have servers protected from both internet and local and i think is a good solution.
BUT  in this a) ISA is very sensitive, what if isa fails? b) is in that possibility to doing exchange cluster without adding phisical machines?

i have read about instaling exch on DC.
i am not looking for general solution but a good advice and right path to future planing

What are Your suggestions mayby different structure??
maybe virtualize someting in this?

unfortunately this is a trial account sa propably i can't post it back to your posts
Drawing1.pdf
0
Userek
Asked:
Userek
  • 5
  • 4
1 Solution
 
tigermattCommented:

Your proposed ISA configuration is one I would avoid. In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks. You also place a rather large single point-of-failure into the network; if the ISA Server failed, you would lose connectivity between the LAN and the servers.

Instead, I'd suggest connecting the servers and LAN clients to the same switch. The ISA Server can then be connected to that switch and be used (with 2 NICs) as a gateway to the Internet. If necessary, you could segregate traffic using VLANs - a much more robust solution than an ISA Server to perform this routing.

An Exchange CCR (automated failover) or SCR (standby continuous replication) Cluster would require at least 2 installations of Exchange. With suitable server hardware, you can use virtualisation (such as VMWare) to virtualise two Exchange machines on the same server. This would give software resilience, while no hardware redundancy of Exchange in case of a hardware failure.

-Matt
0
 
UserekAuthor Commented:
ok
thank You for different look on my problem.

I totally agree, in my solution Isa is "large single point-of-failure into the network" and this is what i need
to do something on it and avoid isa fail down-  but what? cluster? or ... i dont know.
from the other hand this solution gives me a added protection for my servers (i mean DC, exch behind nic on isa) vs connecting servers direct to the lan as You mention
i met my solution couple of times in other enviroments implemented successfully (on other "it" portal)
in this doc http://www.isaserver.org/tutorials/Teaching-Boss-Network-ISA-Firewall-Part1.html 
part: Inter-network Access Control Solution this configuration on isa is sugessted and suported

What You mean in this: "In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks"
please post details  on it.
0
 
tigermattCommented:

You could use multiple ISA servers if you wished, but this would add unnecessary complexity to the network. The point I was trying to make is rather than relying on hardware, such as switches and VLANs, to achieve routing and segregation in your network, you are relying on a software product. It is more likely for a more complicated software package to fail than it is for dedicated switching hardware to fail.

You can achieve the same result which you are achieving with ISA by purchasing a Layer 3 VLAN-capable switch, and configuring your servers and LAN on separate VLANs. Routing is then performed between VLANs, per the rules you configure, by the Layer 3 switch. ISA Server then sits on the outside, and acts as the gateway for the network.

ISA does give protection, and still would give protection. I'm not saying to remove the ISA Server from the deployment completely; I'm just saying to not use it for routing between servers and LAN, but instead, use it for the routing between the public network (Internet) and your internal network.

-Matt
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
UserekAuthor Commented:
ok

I agree and the fact is that is pretty good idea.
actually i'am looking on this capabilty on my dell powerconnect  2748 switch to decide what to choice from that two ideas.

of course Isa will be still a network point which needs to consider a redundancy.
THX
0
 
tigermattCommented:

The technical specifications show the switch supports VLANs: http://www.dell.com/content/products/productdetails.aspx/pwcnt_2748?c=us&cs=555&l=en&s=biz.

Whether it is a Layer 2 or Layer 3 switch remains to be seen; if it is Layer 2, you'd need a separate router device to enable routing between the VLANs. The point I am making is that using hardware to do this, rather than using an ISA Server, will be much more reliable, will be a LOT less likely to fail, and will be a much simpler configuration to handle (which indirectly contributes to the reliability).

-Matt
0
 
UserekAuthor Commented:
unfortunately its Layer 2 and the third party router will be needed
OK sa ganerally speaking i will consider it all and so on.

Thank You for Your opinion and help
0
 
tigermattCommented:

Why the auto-close request, and why am I only receiving 200 points? I believe I have answered your question as fully as possible within the realms of this particular question.
0
 
UserekAuthor Commented:
sorry my fault with point - should be 500 is it correct? I agree that Your answers was helpfull
0
 
tigermattCommented:

Thank-you :-)
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now