Network policy & Access Services


We are about to deploy Server 2008, Network Policy and Access Services.

We have the server set up issuing DHCP to our clients and have shared the internet using ICS, and the whole thing works great.

We are about to install the IIS component to host some websites.

We know we need security to protect us from the Internet, and presume on Server 2008, Network policy and access services is the way to go.

Our primary concern is we don't want our workstations to all of a sudden stop connecting to the internet because we set this service up. At the moment, the workstations do not need to be part of the domain to gain internet access. We like it this way for most of our computers.

Will Network Policy and Access Services affect this, and is there anything we should know or look out for? We have done a fair bit of reading and this question has bugged me.

Look forward to your assistance

Hmm. Using ICS on a server is not a well used practice. I am not sure this is the best configuration. You may consider a different network design.
Use a router/firewall as your internet gateway. Have your clients and server point at the router as your default gateway. Then forward ports to your web server.
This will provide security for your web server as well as safe internet access for your client PCs.
ben_waters (Author) Commented:
Is the Linksys WRT54GL a good place to start regarding routers? At the moment I have the Linksys device connected to the server's second NIC (the first NIC is connected straight to the Linksys modem AM300), and the server is assigning DHCP via a wired switch and also via DHCP forwarding to the Linksys device, which also has wireless set up.

I love the setup I have at the moment, but we want a webserver to run off this server (hence network policy to work as a firewall) and also have the workstations working as they are now via DHCP.

I believe you have overcomplicated your setup and also exposed your server to the Internet unnecessarily. Here is my recommendation:
Plug the WAN port of the WRT54GL into the AM300 modem.
Plug one of the LAN ports on the WRT54GL into your switch.
Disable your second NIC on your server.
Plug your server and client PCs into your switch.
Set your default gateway on the server and all PCs to be the WRT54GL's internal IP.
Use the DHCP Server in Windows Server for DHCP.
Forget about ICS, it will only hurt you.
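
A way to confirm the server ended up in the recommended single-homed layout, as an added example that is not part of the original thread. The script is run on the server itself; `$RouterIp` is an assumed placeholder for the WRT54GL's internal address.

```powershell
# Added example (not from the thread): audit a Windows server after moving it
# behind the router. $RouterIp is an assumed value; set it to the router's LAN IP.
param([string]$RouterIp = '192.168.1.1')

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges plus link-local 169.254/16; anything else counts as public
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    if ($o[0] -eq 10) { return $true }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $true }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $true }
    if ($o[0] -eq 169 -and $o[1] -eq 254) { return $true }
    return $false
}

$v4Pattern = '^\d+\.\d+\.\d+\.\d+$'
$findings  = @()

# Only adapters that are enabled and bound to TCP/IP
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
if ($adapters.Count -gt 1) {
    $findings += "$($adapters.Count) IP-enabled NICs found; the second NIC may still be active."
}

foreach ($a in $adapters) {
    # A public address bound to a NIC means the server still faces the modem directly
    foreach ($ip in @($a.IPAddress | Where-Object { $_ -match $v4Pattern })) {
        if (-not (Test-PrivateIPv4 $ip)) {
            $findings += "$($a.Description): public address $ip is bound to the server."
        }
    }
    # Every IPv4 default gateway should be the router, not the modem or an ISP hop
    foreach ($gw in @($a.DefaultIPGateway | Where-Object { $_ -match $v4Pattern })) {
        if ($gw -ne $RouterIp) {
            $findings += "$($a.Description): default gateway $gw is not the router ($RouterIp)."
        }
    }
}

# SharedAccess is the ICS service; MpsSvc is Windows Firewall on Server 2008
$ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($ics -and $ics.Status -eq 'Running') { $findings += 'ICS (SharedAccess) is still running.' }
$fw = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
if (-not $fw -or $fw.Status -ne 'Running') { $findings += 'Windows Firewall (MpsSvc) is not running.' }

if ($findings.Count -eq 0) { 'OK: single-homed behind the router, ICS off, host firewall on.' }
else { $findings }
```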

ben_waters (Author) Commented:
Will doing this turn the WRT54GL into a router / firewall that will minimise the exposure to the Internet of my server?

I had it all set up working great, will this still do all the same functions?
ben_waters (Author) Commented:
Isn't the server working as a router to block the bad side of the internet? Seeing as it is set up with Windows Firewall and the Network Policy and Access Services I want to set up. I am now confused. Microsoft says you can do it this way or with a router. We wanted to separate internet traffic and local traffic.

"Will doing this turn the WRT54GL into a router / firewall that will minimise the exposure to the Internet of my server?"
If you do it the way you are doing it, yes it will protect your PCs from the internet (sort of) but your server is directly connected to the internet. Nothing is protecting it. Yes, Windows Firewall is on the server but it is no replacement for a hardware firewall. The WRT54GL combined with the Windows Firewall on the server will provide a much more secure way for your users and server to connect to the internet.
ICS does not provide a proper firewall for your network. It has very limited functionality. If you were to use a Windows server as an internet gateway, I would suggest moving your web server to an alternate server.
If you want to use a Windows server as a router/firewall, I would suggest using ISA Server.
