fallback Internet access in SBS 2003 network

Looking to offer a fallback internet access scenario in an SBS 2003 network.

The setting is

>Comcast Internet Modem
     >Cisco Router
                  >NIC1 (
                  >NIC2 (
    >unmanaged switch
    >”Network” (192.168.0.x)

“Network” being (1) a wireless access point with half a dozen laptops, (2) NAS, (3) printer.

I want to continue to provide Internet access (albeit without the access to Exchange/email) in case the SBS 2003 box goes down.  SBS 2003 contains DC, DHCP, DNS, ISA, etc.  As there are no significant fluctuations, the DHCP leases are sufficiently long (7 days) to survive normal downtime for reboots, etc.  A DNS is available from the ISP.

Ideally, I would NOT want to configure static settings in the client TCP/IP settings to point to the SBS 2003 DNS with the ISP DNS as secondary, but rather leave the client settings dynamic.

With all that said, what’s the best way, if there is any, to implement an “escape route” out of the network for pure internet access?

Should/Can I have a second router between the Cisco router and the switch to allow for a second gateway out of the 192.168.0.x network, in parallel to the SBS box?
With the above, how do I avoid having traffic take the shortcut as long as the SBS box is available?
What is the best (or at least a professional) practice to address this?
I’m happy to add/exchange modems, switches, etc. with the right technology to make this work but I wish I knew where best to go.

Thanks in advance.....  J
Cliff Galiher commented:
First, I've never been a fan of having traffic flow through SBS. I think it was a bad security practice when it was done, and SBS 2008 doesn't even support this topology anymore...so when MS got serious about security, they seemed to agree.
So with that in mind, here is how you'd add redundancy if you feel you need it (generally in a small business network, the cost is higher than the benefit, so that *if* definitely applies).
1) Reconfigure SBS into a single NIC configuration. It is simply another machine on your 192.168.0.x network.
2) If your Cisco device is also a security device, make its internal LAN address a 192.168.0.x address and hook it up to the switch. It will be the default gateway, not SBS.
3) If your Cisco device is NOT a security device, replace it. Sonicwall, Watchguard, an MS ISA/TMG appliance, or even another Cisco (their ASA series are nice) are all good security appliances with full routing functionality.
4) Now for the meat of the issue. SBS is still your DNS server for your clients. If you add your ISP's (or any 3rd party DNS server) as secondary DNS servers, you will have issues because those servers are not aware of your Active Directory infrastructure and thus do not have the appropriate DNS records to properly serve your internal clients. BIG problems ensue when people try this. Don't do it.
5) Of course, #4 means that when the SBS server is offline, internet access still works (default gateway is not SBS anymore) but DNS does not. We need to fix this by offering another DNS server that *is* Active Directory aware. Enter....a second domain controller. You'll install a second server, join it to your SBS domain, dcpromo it to a domain controller, and make sure DNS is replicating between the two. It can now be added as a secondary DNS server to your clients.
Done properly you can now take SBS or the other server offline and still have internet access, still have an AD DC to process logins, and, overall, be 90% functional. But it is, of course, a full server on your network, which means it has to be patched, managed, requires hardware, and the appropriate licensing. But it is the only *right* way to offer the services you want.
In most cases, it is more economical to make sure you have a rock-solid SBS server with redundant power supplies, a solid hardware RAID infrastructure, and a good support contract where you can get parts shipped overnight (or faster.) That, and good backups, and downtime is usually negligible.

The_Book_Guy (Author) commented:
Great points. 200% spot on.

The Cisco router (RV02) does in fact "some" security.  I did have the box in a single NIC set up before and all worked as you describe above, rather nicely actually.

The one but vital reason for the switch to dual NICs was that the RV02 did not nearly do enough to keep security scans happy (which we need to have from an external vendor to prove PCI/credit card security).  The solution that does keep the external PCI scans (which are basically daily attempts to hack into your system) very happy is the ISA firewall.

The downtime of the SBS box is rather negligible, if it is 15min for a reboot once every one or two weeks, i.e., it does perform rather solidly and it is about engineering those few minutes away.  Data is backed up regularly, the oldest system state backup is 2 days, with a combination of shadow copies and online backups users can lose a maximum of 4 hours of work if a file gets lost.  All rather minimal.

As I do need ISA firewall performance or better I need to keep the SBS2003 box in the mainstream for now, until I find something equivalent to sit in front of it to then go back to single NIC.

Thanks either way, sometimes it is already good to hear what is a solid solution and what is not.  The pain of growing out of a one server environment.

Michael Ortega (Sales & Systems Engineer) commented:
So I'm a little confused about what your end objective is.

Is it just to reconfigure your private network so that there is DNS failover? That's what cgaliher addresses in his comment.


Is it to not only address DNS failover, but actually have internet failover if your primary internet service goes down?

If you're trying to provide internet failover as well you would need to institute the below:

1. You would need another link to the internet, e.g. DSL, Cable, T1, 3G, etc.
2. You would need a router that supports WAN failover (or Network Load Balancing)

There are a ton of devices out there that support WAN failover, but I generally stick with Cisco. Their support rocks which would be especially important if you're not familiar with configuring WAN failover and need to lean on them for help.

You can go ASA, but ASAs are really a firewall and not much of a router. As long as you have a modem providing ethernet to the ASA you'll be ok for implementing WAN failover. Alternatively, you can get a smaller ISR. The ISRs come in all sorts of flavors, e.g. DSL, 3G, etc. The 1900 series are modular, so you can add what interfaces you need.

In terms of DNS failover I would recommend as cgaliher did above in that you should set up a secondary AD server as a backup. Alternatively, you could set up, through DHCP, a secondary DNS server like (Google nameserver) for backup public DNS resolution. It's not preferred because of the possible authentication issues on the domain, but a lot of times it's not much of an issue because of how your clients cache their credentials. I've only really had issues with public DNS as a secondary DNS server on a client when initially joining that system to the domain.
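The point made in cgaliher's step 4/5 and in the DHCP secondary-DNS alternative above comes down to how a domain client walks its DNS server list. The following is an added example, not code from the thread or from any of the products named: a small Python model of that behaviour. It assumes a Windows-style client that only moves to the next listed server when the current one does not respond, and treats any answer (NXDOMAIN included) as final; the domain name corp.local, the server names sbs/dc2/isp and all addresses (192.168.0.x, RFC 5737 test ranges) are constructed for the example. Run it to see that with a public resolver as secondary, internet names still resolve when SBS is down but the DC locator SRV record gets a hard NXDOMAIN, whereas a second AD-integrated DC answers both.

```python
# Added example (not from the thread): model of client DNS server-list fallback,
# showing why a public secondary DNS server breaks Active Directory lookups while
# a second AD-integrated DC does not. All names/addresses below are constructed.
from dataclasses import dataclass

# What a recursive public resolver (e.g. the ISP's) can answer: internet names only.
INTERNET = {"www.example.com.": "192.0.2.10"}

# AD-integrated zone as replicated to every DC in the domain (constructed sample).
# The SRV record under _msdcs is what domain members use to locate a DC for logon.
AD_ZONE = {
    "sbs.corp.local.": "192.168.0.2",
    "dc2.corp.local.": "192.168.0.3",
    "_ldap._tcp.dc._msdcs.corp.local.": ["sbs.corp.local.", "dc2.corp.local."],
}


@dataclass
class DnsServer:
    name: str
    zone: dict          # records this server is authoritative for
    recursive: bool     # can it resolve internet names (forwarders / recursion)?
    online: bool = True

    def query(self, qname):
        """Return (rcode, answer), or None when the server does not respond at all."""
        if not self.online:
            return None
        if qname in self.zone:
            return ("NOERROR", self.zone[qname])
        if self.recursive and qname in INTERNET:
            return ("NOERROR", INTERNET[qname])
        # Nothing found locally or via recursion: a definitive negative answer.
        return ("NXDOMAIN", None)


def resolve(qname, servers):
    """Client-side server selection as modelled here: the next server in the list is
    tried only when the current one does not respond. Any answer, including
    NXDOMAIN, ends the lookup; the client does not retry a negative answer elsewhere."""
    for server in servers:
        reply = server.query(qname)
        if reply is None:
            continue
        rcode, answer = reply
        return {"server": server.name, "rcode": rcode, "answer": answer}
    return {"server": None, "rcode": "SERVFAIL", "answer": None}


def scenario(secondary, sbs_online):
    """Resolve an internet name and the DC locator SRV record with SBS as primary
    DNS and the given secondary: 'isp' (public resolver) or 'dc2' (second DC)."""
    sbs = DnsServer("sbs", AD_ZONE, recursive=True, online=sbs_online)
    if secondary == "isp":
        second = DnsServer("isp", {}, recursive=True)
    else:
        second = DnsServer("dc2", AD_ZONE, recursive=True)
    queries = ["www.example.com.", "_ldap._tcp.dc._msdcs.corp.local."]
    return {q: resolve(q, [sbs, second]) for q in queries}


if __name__ == "__main__":
    for secondary in ("isp", "dc2"):
        for sbs_online in (True, False):
            print(f"secondary={secondary} sbs_online={sbs_online}")
            for qname, result in scenario(secondary, sbs_online).items():
                print(f"  {qname:<36} {result['rcode']:<9} via {result['server']}")
```

The model deliberately leaves out the client's negative cache and its preference for the last responding server; both only make the public-secondary case worse, since a cached NXDOMAIN for the SRV record persists after SBS comes back and the client may keep using the ISP server until it times out.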


The_Book_Guy (Author) commented:
Good questions.  No, it is not internet failover into the network.  I'm not sure I can remember our internet having been down in the last 10+ years. Very reliable.

It is "simply" the failover of internet access once the dual NIC SBS box goes down.  The one NIC setup DNS solution described by both works fine, been there, done that.  As I'm currently strongly biased towards the dual NIC implementation for the use of the ISA (to truly separate internal from external traffic) though, there doesn't seem to be a good solution available with one SBS 2003 box.

Michael Ortega (Sales & Systems Engineer) commented:
The requirement of ISA on the network and the assumption that you're filtering your clients' access to the internet through it for the sole purpose of pen tests from your PCI compliance vendor is a bit inefficient. You should eliminate your ISA dependencies after fixing your WAN security infrastructure. The "Linksys" router that you're using should be adequate for PCI Compliance. If you're passing certain traffic through, e.g. HTTP, HTTPS, etc., you most likely need to fix issues like weak ciphers, etc. that are enabled on your SBS by default. If for some reason the "Linksys" router really isn't adequate for defending against your PCI Compliance vendor's pen tests then you should replace that equipment with something more commercial grade, like an ASA - Cisco ASA 5505 would be adequate for your size of network.

Chris Dent (PowerShell Developer) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.