Internet redundancy in SBS 2003 environment

Last Modified: 2012-06-06
Hello All,

We have a fairly old tower server running SBS 2003 in a multi-homed environment. I have recently deployed a Windows 2003 Standard (SP2) server for redundancy as a virtual machine running on a VMware hypervisor. The new server is acting as a replica DC and secondary DNS server. Replication is working fine without any errors. All client machines obtain their IP automatically from DHCP and now show the secondary DNS in the ipconfig results. Please have a look at the network diagram to understand how the network is laid out.

[Image: Network diagram]
SBS 2003 is doing NAT and shows as the default gateway in the clients' ipconfig output. My question is: if the SBS 2003 server goes down for a longer period of time, how can I make sure the clients continue to get Internet? I assume that if I unplug the cable which is coming "from the router to the external NIC" and plug it directly into the switch, the Internet will be made available to all clients immediately. Will this work?

I do understand that, with no hardware firewall in place, the network will be exposed to the Internet. Please advise.

Kind regards,
Abid
Depending on the firmware of your Netgear GSM7224, you can enable inter-VLAN routing. So if you carve out a VLAN for the 213.120.x.x subnet and place a switch port of the GSM7224 in that VLAN, you can route between that and the 192.168.x.x VLAN. I would still advise against this, as there would practically be no firewalling/filtering going on.

ftp://downloads.netgear.com/files/gsm7224-gsm7248v2_ds_18feb10.pdf
Abid (IT Manager), author, commented:
Thanks guys!

I don't have much knowledge of switching or VLANs, and besides, these switches will be changed sometime soon. They are old and have been out of warranty for a long time.

I am thinking of changing the network layout as below. I am planning to convert SBS 2003 from multi-homed (dual-NIC) to single-NIC and plug it directly into the switch, with the addition of a firewall.

[Image: Proposed network model]
What will happen to VPN clients? Will SBS be able to continue to provide VPN?
Also please suggest a suitable less-costly firewall device.

Thanks!
VPN can operate perfectly through a firewall appliance. You have to open the necessary ports (e.g. IP protocol 47 and TCP 1723 for PPTP, TCP 443 (HTTPS) for SSL VPN, etc.) to allow the tunnels to pass through.

Your proposed diagram is a stark improvement on the first diagram. It also sets you up for firewall high availability, if you so desire. This would allow a complete failure at the firewall level without impacting production traffic. This would obviously depend on your firewall/version/license etc. and would require at least two firewall appliances, something you may not be interested in.

There are a lot of discussions on Experts-Exchange, as well as on millions of other sites around the Internet, regarding "good firewall alternatives". It's an exhaustive topic. There are so many schools of thought, experiences, and fans out there of different products. It will ultimately come down to your specific requirements and budget, then your pool of experience and comfort level with different brands and technologies. Every situation has a "perfect" solution, but no solution is perfect for every situation. You need to compile a careful list of requirements, then find a good match. For example:

1. What is the VPN technology you're using, and what ports must be open to accommodate the VPN tunnels passing through the firewall?

2. Do you want or will you want firewall high availability in the future?

3. What services will you be hosting behind your firewall?  (i.e. web servers, email servers, etc)

4. Will you want to establish branch office VPNs as well as remote access VPNs?

5. What is your approximate budget (including licenses, support etc) for one or more firewall appliances?

6. What firewall technologies are you most comfortable with, and are you willing to explore firewall command line interfaces (CLI) as an alternative or in addition to graphical interfaces?

7. What encryption level(s) do you need?  (DES, 3DES, AES, etc?)

8. Do the firewall appliances need to be rack-mounted?

...these are just examples; you have other requirements to consider too.

Also, I always look to avoid dual-NICing a server whenever possible, especially domain controllers and Exchange servers. Exceptions would be if the second NIC is for a backup solution VLAN or something like that. I'm not saying that it's "BAD" to dual-NIC a server; I just try to avoid it when possible because it simplifies administration and troubleshooting later.
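As an added example, not taken from this thread or from any firewall product mentioned in it, the following nftables ruleset for a small Linux firewall box shows the allow-list approach described above: the forward chain defaults to drop, and only the PPTP ports (GRE, i.e. IP protocol 47, and TCP 1723) and HTTPS (TCP 443, used by OWA and SSL VPN) are published to the SBS server. It goes a little beyond the list in the post by also passing L2TP/IPsec (UDP 500, UDP 4500 and ESP), which matches the L2TP ports Abid mentions in a later reply. The interface names and the 192.168.1.10 address are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): an nftables ruleset for a Linux
# firewall sitting between the router and the LAN switch. Nothing is
# applied unless you feed the printed output to `nft -f`.
#
# Placeholders (assumptions, not values from the thread):
#   WAN_IF / LAN_IF - interface names on the firewall box
#   SBS_LAN_IP      - the SBS server's single LAN address
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
SBS_LAN_IP="${SBS_LAN_IP:-192.168.1.10}"

# Print the ruleset to stdout.
emit_ruleset() {
cat <<EOF
table inet vpnfw {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Publish PPTP (TCP 1723 + GRE), L2TP/IPsec (UDP 500/4500 + ESP) and HTTPS
    iifname "$WAN_IF" tcp dport 1723 dnat ip to $SBS_LAN_IP
    iifname "$WAN_IF" ip protocol gre dnat ip to $SBS_LAN_IP
    iifname "$WAN_IF" udp dport { 500, 4500 } dnat ip to $SBS_LAN_IP
    iifname "$WAN_IF" ip protocol esp dnat ip to $SBS_LAN_IP
    iifname "$WAN_IF" tcp dport 443 dnat ip to $SBS_LAN_IP
  }
  chain forward {
    # Default drop: anything not listed below never reaches the LAN.
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $SBS_LAN_IP tcp dport { 1723, 443 } accept
    iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $SBS_LAN_IP udp dport { 500, 4500 } accept
    iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $SBS_LAN_IP ip protocol { gre, esp } accept
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Sanity check: returns 0 when the forward chain still defaults to drop and
# every service the thread mentions has a rule; 1 otherwise.
check_ruleset() {
  rules=$(emit_ruleset)
  echo "$rules" | grep -Fq 'hook forward priority filter; policy drop' || return 1
  for needle in 'tcp dport 1723' 'ip protocol gre' 'udp dport { 500, 4500 }' 'tcp dport 443'; do
    echo "$rules" | grep -Fq "$needle" || return 1
  done
  return 0
}

# Stand-alone use: print the ruleset once it passes the sanity check.
check_ruleset && emit_ruleset
```

The "established,related" rule is what lets the SBS server's replies and the VPN's return traffic through without opening anything extra; everything inbound that is not a listed service is dropped by the chain policy, which is the difference between this layout and plugging the router straight into the switch.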
Abid (IT Manager), author, commented:
Hi Neil,

Thank you very much for your time and attention. Your reply was very helpful and informative. For some time I had been thinking of making SBS 2003 work on a single NIC. Here are some of the requirements for a hardware firewall:

1. At the moment SBS 2003 is configured for "Routing and Remote Access", doing VPN for clients. The remote access utility (produced by SBS itself) is installed on all remote clients. There are 10 PPTP and 5 L2TP ports available.

2. The hardware firewall will become a single point of failure for the WAN, so high availability will be desirable.

3. Only Exchange 2003 and the default sites (OWA, SharePoint etc.) are running in IIS.

4. Only Remote Access is required (no branch offices)

5. Budget is around £300~500 (one-off) and then some support charges on an annual basis.

6. GUI-based only; ease of management is highly desired.

7. Encryption level can be any

8. Rack-mountable desirable, otherwise desk-based will be fine also.

Hope this gives you an idea of what I need. VPN-less firewalls may also work, as SBS 2003 handles VPN connections very well. My only concern is that if SBS goes down, remote clients will not be able to connect to the network. So if VPN were being handled by the firewall, remote users could still access the network and shared resources (e.g., NAS).

Now all I need is to (a) identify a good hardware firewall and (b) a detailed user guide to convert SBS 2003 from dual to single NIC while making sure I don't break anything in the process.

Any further thoughts?
Abid
Abid (IT Manager), author, commented:
Thank you Neil,

Sorry for the delayed feedback, as I was away on holiday. I will go through your links now to convert SBS 2003 to a single-NIC configuration. Once it is done and the firewall is in place, I am sure life will become easier for me.

SonicWall TZ series firewalls look very good but are slightly over the budget. I will look thoroughly for more available options. I will close the thread now and award points. Many thanks for your help. Perhaps I will post a new thread if I have any further questions.

Kind regards,
Abid