
fallback Internet access in SBS 2003 network

Posted on 2010-08-15
Medium Priority
Last Modified: 2012-05-10
Looking to offer a fallback internet access scenario in SBS2003 network.

The setting is

>Comcast Internet Modem
     >Cisco Router
                  >NIC1 (
                  >NIC2 (
    >unmanaged switch
    >”Network” (192.168.0.x)

“Network” being (1) a wireless access point with half a dozen laptops, (2) NAS, (3) printer.

I want to continue to provide Internet access (albeit without the access to Exchange/email) in case the SBS 2003 box goes down.  SBS 2003 contains DC, DHCP, DNS, ISA, etc.  As there are no significant fluctuations, the DHCP leases are sufficiently long (7 days) to survive normal downtime for reboots, etc.  A DNS is available from the ISP.

Ideally, I would NOT want to configure static settings in the client TCP/IP settings to point to the SBS 2003 DNS with ISP DNS being secondary but leave client settings dynamically.

With all that said, what’s the best way, if there is any, to implement an “escape route” out of the network for pure internet access?

Should/can I have a second router between the Cisco router and the switch to allow for a second gateway out of the 192.168.0.x network, in parallel to the SBS box?
With the above, how do I avoid having traffic take the shortcut as long as the SBS box is available?
What is the best (or at least a professional) practice to address this?
I'm happy to add/exchange modems, switches, etc. with the right technology to make this work, but I wish I knew where best to go.

Thanks in advance.....  J
Question by:The_Book_Guy
LVL 59

Accepted Solution

Cliff Galiher earned 1000 total points
ID: 33441117
First, I've never been a fan of having traffic flow through SBS. I think it was a bad security practice when it was done, and SBS 2008 doesn't even support this topology; when MS got serious about security, they seemed to agree.
So with that in mind, here is how you'd add redundancy if you feel you need it (generally in a small business network, the cost is higher than the benefit, so that *if* definitely applies).
1) Reconfigure SBS into a single NIC configuration. It is simply another machine on your 192.168.0.x network.
2) If your Cisco device is also a security device, make its internal LAN address a 192.168.0.x address and hook it up to the switch. It will be the default gateway, not SBS.
3) If your Cisco device is NOT a security device, replace it. Sonicwall, Watchguard, an MS ISA/TMG appliance, or even another Cisco (their ASA series are nice) are all good security appliances with full routing functionality.
4) Now for the meat of the issue. SBS is still your DNS server for your clients. If you add your ISP's (or any 3rd party DNS server) as secondary DNS servers, you will have issues because those servers are not aware of your Active Directory infrastructure and thus do not have the appropriate DNS records to properly serve your internal clients. BIG problems ensue when people try this. Don't do it.
5) Of course, #4 means that when the SBS server is offline, internet access still works (default gateway is not SBS anymore) but DNS does not. We need to fix this by offering another DNS server that *is* Active Directory aware. Enter....a second domain controller. You'll install a second server, join it to your SBS domain, dcpromo it to a domain controller, and make sure DNS is replicating between the two. It can now be added as a secondary DNS server to your clients.
Done properly, you can now take SBS or the other server offline and still have internet access, still have an AD DC to process logins, and, overall, be 90% functional. But it is, of course, a full server on your network, which means it has to be patched, managed, requires hardware, and the appropriate licensing. But it is the only *right* way to offer the services you want.
In most cases, it is more economical to make sure you have a rock-solid SBS server with redundant power supplies, a solid hardware RAID infrastructure, and a good support contract where you can get parts shipped overnight (or faster). That, and good backups, and downtime is usually negligible.

Author Comment

ID: 33441259
Great points. 200% spot on.

The Cisco router (RV02) does in fact do "some" security.  I did have the box in a single NIC setup before and all worked as you describe above, rather nicely actually.

The one but vital reason for the switch to dual NICs was that the RV02 did not nearly do enough to keep security scans happy (which I need to have from an external vendor to prove PCI/credit card security).  The solution that does keep the external PCI scans (which are basically daily attempts to hack into your system) very happy is the ISA firewall.

The downtime of the SBS box is rather negligible, if it is 15 min for a reboot once every one or two weeks, i.e., it does perform rather solidly and it is about engineering those few minutes away.  Data is backed up regularly, the oldest system state backup is 2 days, and with a combination of shadow copies and online backups users can lose a maximum of 4 hours of work if a file gets lost.  All rather minimal.

As I do need ISA firewall performance or better, I need to keep the SBS2003 box in the mainstream for now, until I find something equivalent to sit in front of it to then go back to single NIC.

Thanks either way, sometimes it is already good to hear what is a solid solution and what is not.  The pain of growing out of a one server environment.

LVL 16

Assisted Solution

by:Michael Ortega
Michael Ortega earned 1000 total points
ID: 33441275
So I'm a little confused about what your end objective is.

Is it just to reconfigure your private network so that there is DNS failover? That's what cgaliher addresses in his comment.


Is it to not only address DNS failover, but actually have internet failover if your primary internet service goes down?

If you're trying to provide internet failover as well, you would need to institute the below:

1. You would need another link to the internet, e.g. DSL, Cable, T1, 3G, etc.
2. You would need a router that supports WAN failover (or Network Load Balancing)

There are a ton of devices out there that support WAN failover, but I generally stick with Cisco. Their support rocks, which would be especially important if you're not familiar with configuring WAN failover and need to lean on them for help.

You can go ASA, but ASAs are really a firewall and not much of a router. As long as you have a modem providing ethernet to the ASA you'll be ok for implementing WAN failover. Alternatively, you can get a smaller ISR. The ISRs come in all sorts of flavors, e.g. DSL, 3G, etc. The 1900 series are modular, so you can add what interfaces you need.

In terms of DNS failover I would recommend, as cgaliher did above, that you set up a secondary AD server as a backup. Alternatively, you could set up, through DHCP, a secondary DNS server like (Google nameserver) for backup public DNS resolution. It's not preferred because of the possible authentication issues on the domain, but a lot of times it's not much of an issue because of how your clients cache their credentials. I've only really had issues with public DNS as a secondary DNS server on a client when initially joining that system to the domain.
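Both answers above turn on the same check: every DNS server handed to clients (for example via the DHCP option 6 list) must be able to answer the Active Directory domain-controller locator record `_ldap._tcp.dc._msdcs.<ad-domain>`, because a public resolver that cannot will leave clients with working web browsing but no logon, GPO or Exchange lookups once the SBS box is down. The following is an added example, not code from the thread or from any of the participants; the domain name, the server addresses and the in-memory SRV answer table are all constructed so that it runs offline. In a real audit you would swap `fake_query_srv` for a function that sends the SRV query to each server.

```python
"""Audit a client DNS server list for Active Directory awareness and DNS redundancy.

An AD-aware DNS server answers the DC locator SRV record; a public resolver does not.
Constructed example: domain, addresses and the answer table are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

AD_DOMAIN = "corp.example.local"            # assumed internal AD DNS name
DC_LOCATOR = f"_ldap._tcp.dc._msdcs.{AD_DOMAIN}"

# Constructed stand-in for real SRV lookups: server -> {query name -> SRV targets}.
# An empty dict means the server answers but holds no AD records (e.g. a public resolver).
FAKE_ZONES: Dict[str, Dict[str, List[str]]] = {
    "192.168.0.2": {DC_LOCATOR: ["sbs.corp.example.local."]},   # SBS 2003 (first DC)
    "192.168.0.3": {DC_LOCATOR: ["dc2.corp.example.local."]},   # second DC, replicating DNS
    "203.0.113.53": {},                                          # public resolver (TEST-NET-3 address)
}

# Signature of a lookup function: (server, name) -> targets, [] for no data, None if unreachable.
QueryFn = Callable[[str, str], Optional[List[str]]]


def fake_query_srv(server: str, name: str) -> Optional[List[str]]:
    """Simulated SRV lookup against the constructed table above."""
    zone = FAKE_ZONES.get(server)
    if zone is None:
        return None
    return zone.get(name, [])


def simulate_outage(query: QueryFn, down: Set[str]) -> QueryFn:
    """Wrap a lookup function so that the given servers appear unreachable (e.g. SBS rebooting)."""
    def wrapped(server: str, name: str) -> Optional[List[str]]:
        return None if server in down else query(server, name)
    return wrapped


@dataclass
class ServerResult:
    server: str
    reachable: bool
    ad_aware: bool
    targets: List[str]


def audit_dns_servers(servers: List[str], query: QueryFn = fake_query_srv) -> List[ServerResult]:
    """Query each server for the DC locator record and classify it."""
    results: List[ServerResult] = []
    for server in servers:
        answer = query(server, DC_LOCATOR)
        if answer is None:
            results.append(ServerResult(server, False, False, []))
        else:
            results.append(ServerResult(server, True, bool(answer), answer))
    return results


def failover_problems(servers: List[str], query: QueryFn = fake_query_srv) -> List[str]:
    """Return findings a defender would want to fix; an empty list means the list is sound."""
    findings: List[str] = []
    results = audit_dns_servers(servers, query)
    for r in results:
        if not r.reachable:
            findings.append(f"{r.server}: unreachable")
        elif not r.ad_aware:
            findings.append(f"{r.server}: not AD-aware (no answer for {DC_LOCATOR}); "
                            "clients falling back here lose AD lookups")
    aware = [r for r in results if r.ad_aware]
    if len(aware) < 2:
        findings.append("fewer than two AD-aware DNS servers: no DNS redundancy for the domain")
    return findings


if __name__ == "__main__":
    # SBS alone, SBS plus a public resolver, SBS plus a second DC, and the second-DC case with SBS down.
    for label, servers, q in [
        ("sbs only", ["192.168.0.2"], fake_query_srv),
        ("sbs + public", ["192.168.0.2", "203.0.113.53"], fake_query_srv),
        ("sbs + dc2", ["192.168.0.2", "192.168.0.3"], fake_query_srv),
        ("sbs + dc2, sbs down", ["192.168.0.2", "192.168.0.3"], simulate_outage(fake_query_srv, {"192.168.0.2"})),
    ]:
        print(label, "->", failover_problems(servers, q) or "OK")
```

The only configuration that passes with every server up is the two-DC list, and when the SBS server is taken offline the same list degrades to "one AD-aware server left" rather than to the public-resolver failure mode, which is the distinction cgaliher's step 5 is making.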


Author Comment

ID: 33441310
Good questions.  No, it is not internet failover into the network.  I'm not sure I can remember our internet having been down in the last 10+ years. Very reliable.

It is "simply" the failover of internet access once the dual NIC SBS box goes down.  The one NIC setup DNS solution described by both works fine, been there, done that.  As I'm currently strongly biased towards the dual NIC implementation for the use of the ISA (to truly separate internal from external traffic), though, there doesn't seem to be a good solution available with one SBS 2003 box.

LVL 16

Expert Comment

by:Michael Ortega
ID: 33441311
The requirement of ISA on the network and the assumption that you're filtering your clients' access to the internet through it for the sole purpose of pen tests from your PCI compliance vendor is a bit inefficient. You should eliminate your ISA dependencies after fixing your WAN security infrastructure. The "Linksys" router that you're using should be adequate for PCI Compliance. If you're passing certain traffic through, e.g. HTTP, HTTPS, etc., you most likely need to fix issues like weak ciphers, etc. that are enabled on your SBS by default. If for some reason the "Linksys" router really isn't adequate for defending against your PCI Compliance vendor's pen tests, then you should replace that equipment with something more commercial grade, like an ASA - a Cisco ASA 5505 would be adequate for your size of network.

LVL 71

Expert Comment

by:Chris Dent
ID: 34936252
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
