Solved

fallback Internet access in SBS 2003 network

Posted on 2010-08-15
336 Views
Last Modified: 2012-05-10
Looking to offer a fallback internet access scenario in SBS2003 network.

The setting is

> Comcast Internet Modem
    > Cisco Router
        > NIC1 (192.168.1.2)
        > SBS2003
        > NIC2 (192.168.0.2)
    > unmanaged switch
    > “Network” (192.168.0.x)

“Network” being (1) a wireless access point with half a dozen laptops, (2) NAS, (3) printer.

I want to continue to provide Internet access (albeit without the access to Exchange/email) in case the SBS 2003 box goes down.  SBS 2003 contains DC, DHCP, DNS, ISA, etc.  As there are no significant fluctuations, the DHCP leases are sufficiently long (7 days) to survive normal downtime for reboots, etc.  A DNS is available from the ISP.

Ideally, I would NOT want to configure static settings in the client TCP/IP settings to point to the SBS 2003 DNS with ISP DNS being secondary but leave client settings dynamically.

With all that said, what’s the best way, if there is any, to implement an “escape route” out of the network for pure internet access?

Should/Can I have a second router between the Cisco router and the switch to allow for a second gateway out of the 192.168.0.x network, in parallel to the SBS box?
With the above, how do I avoid having traffic take the shortcut as long as the SBS box is available?
What is the best (or at least a professional) practice to address this?
I’m happy to add/exchange modems, switches, etc. with the right technology to make this work but I wish I knew where best to go.

Thanks in advance.....  J
Question by: The_Book_Guy
7 Comments

Accepted Solution
by: Cliff Galiher (earned 250 total points)
ID: 33441117
First, I've never been a fan of having traffic flow through SBS. I think it was a bad security practice when it was done, and SBS 2008 doesn't even support this topology anymore...so when MS got serious about security, they seemed to agree.
So with that in mind, here is how you'd add redundancy if you feel you need it (generally in a small business network, the cost is higher than the benefit, so that *if* definitely applies).
1) Reconfigure SBS into a single NIC configuration. It is simply another machine on your 192.168.0.x network.
2) If your Cisco device is also a security device, make its internal LAN address a 192.168.0.x address and hook it up to the switch. It will be the default gateway, not SBS.
3) If your Cisco device is NOT a security device, replace it. Sonicwall, Watchguard, an MS ISA/TMG appliance, or even another Cisco (their ASA series are nice) are all good security appliances with full routing functionality.
4) Now for the meat of the issue. SBS is still your DNS server for your clients. If you add your ISP's (or any 3rd party DNS server) as secondary DNS servers, you will have issues because those servers are not aware of your Active Directory infrastructure and thus do not have the appropriate DNS records to properly serve your internal clients. BIG problems ensue when people try this. Don't do it.
5) Of course, #4 means that when the SBS server is offline, internet access still works (default gateway is not SBS anymore) but DNS does not. We need to fix this by offering another DNS server that *is* Active Directory aware. Enter....a second domain controller. You'll install a second server, join it to your SBS domain, dcpromo it to a domain controller, and make sure DNS is replicating between the two. It can now be added as a secondary DNS server to your clients.
Done properly you can now take SBS or the other server offline and still have internet access, still have an AD DC to process logins, and, overall, be 90% functional. But it is, of course, a full server on your network, which means it has to be patched, managed, requires hardware, and the appropriate licensing. But it is the only *right* way to offer the services you want.
In most cases, it is more economical to make sure you have a rock-solid SBS server with redundant power supplies, a solid hardware RAID infrastructure, and a good support contract where you can get parts shipped overnight (or faster.) That, and good backups, and downtime is usually negligible.
-Cliff
Author Comment
by: The_Book_Guy
ID: 33441259
Great points. 200% spot on.

The Cisco router (RV02) does in fact do "some" security.  I did have the box in a single NIC setup before and all worked as you describe above, rather nicely actually.

The one but vital reason for the switch to dual NICs was that the RV02 did not nearly do enough to keep security scans happy (need to have them from an external vendor to prove PCI/credit card security).  The solution that does keep the external PCI scans (which are basically daily attempts to hack into your system) very happy is the ISA firewall.

The downtime of the SBS box is rather negligible, if it is 15 min for a reboot once every one or two weeks, i.e., it does perform rather solidly and it is about engineering those few minutes away.  Data is backed up regularly, the oldest system state backup is 2 days, and with a combination of shadow copies and online backups users can lose a maximum of 4 hours of work if a file gets lost.  All rather minimal.

As I do need ISA firewall performance or better, I need to keep the SBS2003 box in the mainstream for now, until I find something equivalent to sit in front of it to then go back to single NIC.

Thanks either way, sometimes it is already good to hear what is a solid solution and what is not.  The pain of growing out of a one server environment.

J
Assisted Solution
by: Michael Ortega (Internetwerx, Inc.) (earned 250 total points)
ID: 33441275
So I'm a little confused about what your end objective is.

Is it just to reconfigure your private network so that there is DNS failover? That's what cgaliher addresses in his comment.

Or

Is it to not only address DNS failover, but actually have internet failover if your primary internet service goes down?

If you're trying to provide internet failover as well you would need to institute the below:

1. You would need another link to the internet, e.g. DSL, Cable, T1, 3G, etc.
2. You would need a router that supports WAN failover (or Network Load Balancing)

There are a ton of devices out there that support WAN failover, but I generally stick with Cisco. Their support rocks, which would be especially important if you're not familiar with configuring WAN failover and need to lean on them for help.

You can go ASA, but ASAs are really a firewall and not much of a router. As long as you have a modem providing ethernet to the ASA you'll be OK for implementing WAN failover. Alternatively, you can get a smaller ISR. The ISRs come in all sorts of flavors, e.g. DSL, 3G, etc. The 1900 series are modular, so you can add what interfaces you need.

In terms of DNS failover I would recommend, as cgaliher did above, that you set up a secondary AD server as a backup. Alternatively, you could set up, through DHCP, a secondary DNS server like 8.8.8.8 (Google nameserver) for backup public DNS resolution. It's not preferred because of the possible authentication issues on the domain, but a lot of times it's not much of an issue because of how your clients cache their credentials. I've only really had issues with public DNS as a secondary DNS server on a client when initially joining that system to the domain.

MO
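A check for the point cgaliher makes in #4/#5 and MO revisits above, added here as an example and not code from either post or from Microsoft: Windows clients locate a domain controller through the `_ldap._tcp.dc._msdcs.<domain>` SRV record, so any DNS server that cannot answer that query (a public resolver such as 8.8.8.8 will return NXDOMAIN or no answers) is not AD-aware and should not be handed to clients as a secondary. The domain name and server addresses passed to `is_ad_aware` are constructed placeholders; that function needs network access, while the packet builder and parser run offline.

```python
import socket
import struct

def dc_locator_name(domain):
    """SRV name a Windows client queries to locate a domain controller."""
    return "_ldap._tcp.dc._msdcs." + domain.rstrip(".")

def build_srv_query(name, txid=0x1234):
    """Minimal DNS query: header (RD set), one question, type SRV (33), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 33, 1)

def _skip_name(data, pos):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, name ends here
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length

def count_srv_answers(resp):
    """SRV records in the answer section; 0 means the server cannot locate DCs."""
    flags, qd, an = struct.unpack("!HHH", resp[2:8])
    if flags & 0x000F:              # RCODE != NOERROR, e.g. NXDOMAIN from public DNS
        return 0
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4      # skip QTYPE + QCLASS
    srv = 0
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10 + rdlen
        srv += rtype == 33
    return srv

def is_ad_aware(server, domain, timeout=2.0):
    """Query server over UDP/53 (constructed values); True only if DC SRV records come back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(dc_locator_name(domain)), (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return count_srv_answers(resp) > 0
```

Run `is_ad_aware("192.168.0.2", "example.local")` against each server in the clients' DHCP DNS list; only servers that return True belong there.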
Author Comment
by: The_Book_Guy
ID: 33441310
Good questions.  No, it is not internet failover into the network.  I'm not sure I can remember our internet having been down in the last 10+ years. Very reliable.

It is "simply" the failover of internet access once the dual NIC SBS box goes down.  The one NIC setup DNS solution described by both works fine, been there, done that.  As I'm currently strongly biased towards the dual NIC implementation for the use of the ISA (to truly separate internal from external traffic) though, there doesn't seem to be a good solution available with one SBS 2003 box.

J
Comment
ID: 33441311
The requirement of ISA on the network and the assumption that you're filtering your clients' access to the internet through it for the sole purpose of pen tests from your PCI compliance vendor is a bit inefficient. You should eliminate your ISA dependencies after fixing your WAN security infrastructure. The "Linksys" router that you're using should be adequate for PCI Compliance. If you're passing certain traffic through, e.g. HTTP, HTTPS, etc., you most likely need to fix issues like weak ciphers, etc. that are enabled on your SBS by default. If for some reason the "Linksys" router really isn't adequate for defending against your PCI Compliance vendor's pen tests then you should replace that equipment with something more commercial grade, like an ASA - a Cisco ASA 5505 would be adequate for your size of network.

MO

Expert Comment
by: Chris Dent
ID: 34936252
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.