Network policy & Access Services

Hi,

We are about to deploy Server 2008, Network Policy and Access Services.

We have the server set up issuing DHCP to our clients and have shared the internet using ICS, and the whole thing works great.

We are about to install the IIS component to host some websites.

We know we need security to protect us from the Internet, and presume on Server 2008, Network Policy and Access Services is the way to go.

Our primary concern is we don't want our workstations to all of a sudden stop connecting to the internet because we set this service up. At the moment, the workstations do not need to be part of the domain to gain internet access. We like it this way for most of our computers.

Will Network Policy and Access Services affect this, and is there anything we should know or look out for? We have done a fair bit of reading and this question has bugged me.

Look forward to your assistance
ben_waters Asked:
 
Encrypted1024 Commented:
"Will doing this turn the WRT54GL into a router / firewall that will minimise the exposure to the Internet of my server?"
Yes.
If you do it the way you are doing it, yes it will protect your PCs from the internet (sort of) but your server is directly connected to the internet. Nothing is protecting it. Yes, Windows Firewall is on the server but it is no replacement for a hardware firewall. The WRT54GL combined with the Windows Firewall on the server will provide a much more secure way for your users and server to connect to the internet.
ICS does not provide a proper firewall for your network. It has very limited functionality. If you were to use a Windows server as an internet gateway, I would suggest moving your web server to an alternate server.
If you want to use a Windows server as a router/firewall, I would suggest using ISA Server.
0
 
Encrypted1024 Commented:
Hmm. Using ICS on a server is not a well used practice. I am not sure this is the best configuration. You may consider a different network design.
Use a router/firewall as your internet gateway. Have your clients and server point at the router as your default gateway. Then forward ports to your web server.
This will provide security for your web server as well as safe internet access for your client PCs.
0
 
ben_waters (Author) Commented:
Is the Linksys WRT54GL a good place to start regarding routers? At the moment I have the Linksys device connected to the server's second NIC (the first NIC is connected straight to the Linksys modem AM300), and the server is assigning DHCP via a wired switch and also via DHCP forwarding to the Linksys device, which also has wireless set up.

I love the setup I have at the moment, but we want a webserver to run off this server (hence network policy to work as a firewall) and also have the workstations working as they are now via DHCP.

0
 
Encrypted1024 Commented:
I believe you have overcomplicated your setup and also exposed your server to the Internet unnecessarily. Here is my recommendation:
Plug the WAN port of the WRT54GL into the AM300 modem.
Plug one of the LAN ports on the WRT54GL into your switch.
Disable your second NIC on your server.
Plug your server and client PCs into your switch.
Set your default gateway on the server and all PCs to be the WRT54GL's internal IP.
Use the DHCP Server in Windows Server for DHCP.
Forget about ICS, it will only hurt you.
0
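The server-side part of the re-cabling steps in the answer above, as commands for an elevated prompt on Server 2008. This is an added example, not part of the original thread; the interface names, the 192.168.1.0/24 addresses and the firewall rule name are assumptions to replace with your own values.

```bat
rem Added example. Assumed values (not from the thread):
rem   router (WRT54GL) LAN IP 192.168.1.1, server 192.168.1.10,
rem   DHCP scope 192.168.1.0, default Server 2008 interface names.

rem 1. Stop Internet Connection Sharing and keep it from starting again.
sc config SharedAccess start= disabled
net stop SharedAccess

rem 2. Disable the second NIC so the server has no direct leg to the modem.
netsh interface set interface name="Local Area Connection 2" admin=disabled

rem 3. Give the remaining NIC a static address with the router as default gateway.
netsh interface ipv4 set address name="Local Area Connection" source=static address=192.168.1.10 mask=255.255.255.0 gateway=192.168.1.1

rem 4. Hand the same gateway to DHCP clients (option 003 = Router) from the
rem    Windows DHCP scope, so workstations keep working without joining the domain.
netsh dhcp server scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.1

rem 5. Keep Windows Firewall on and open only the web port behind the router.
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name="IIS HTTP inbound" dir=in action=allow protocol=TCP localport=80

rem 6. Verify: a single default route via the router, firewall on in every
rem    profile, and a review of what the server is actually listening on.
route print -4
netsh advfirewall show allprofiles state
netstat -ano | findstr LISTENING
```

The matching port forward (TCP 80 to the server's address) is configured on the router itself, and only one DHCP server should be active on the LAN.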
 
ben_waters (Author) Commented:
Will doing this turn the WRT54GL into a router / firewall that will minimise the exposure to the Internet of my server?

I had it all set up working great, will this still do all the same functions?
0
 
ben_waters (Author) Commented:
Isn't the server working as a router to block the bad side of the internet? Seeing as it is set up with Windows Firewall and the Network Policy and Access Services I want to set up. I am now confused. Microsoft says you can do it this way or with a router. We wanted to separate internet traffic and local traffic.
0