Internet redundancy in SBS 2003 environment

Abid (asker):

Hello All,

We have a fairly old tower server running SBS 2003 in multi-homed environment. I have recently deployed a Windows 2003 Standard (SP2) for redundancy as a virtual machine running on VMware hypervisor. The new server is acting as a Replica DC and Secondary DNS Server. Replication is working fine without any errors. All client machines obtain their IP automatically from DHCP and now show the secondary DNS in ipconfig results. Please have a look at the network diagram to understand how the network is laid out.

[Network diagram image]

SBS 2003 is doing NAT and shows as Default Gateway in client machines in ipconfig. My question is: if the SBS 2003 server goes down for a longer period of time, how can I make sure the clients continue to get internet? I assume if I unplug the cable which is coming "from the router to External NIC" and plug it directly into the switch, the internet will be made available to all clients immediately. Will this work?

I do understand that, due to no hardware firewall in place, the network will be exposed to the internet. Please advise.

Kind regards,
Abid
Topics: Microsoft Legacy OS, Windows Networking

ASKER CERTIFIED SOLUTION (neilpage99)

neilpage99:
Depending on your firmware of the Netgear GSM7224, you can enable inter-VLAN routing. So if you carve out a VLAN for the 213.120.x.x subnet, and place a switch port of the GSM7224 in that VLAN, you can route between that and the 192.168.x.x VLAN. I would still advise against this as there would practically be no firewalling/filtering going on.

ftp://downloads.netgear.com/files/gsm7224-gsm7248v2_ds_18feb10.pdf
Abid (asker):
Thanks guys!

I don't have much knowledge of switching or VLANs, and besides, these switches will be changed sometime soon. They are old and have been out of warranty for a long time.

I am thinking of changing the network layout as below. I am planning to convert SBS 2003 from multi-homed (dual-NIC) to single NIC, plugging it directly into the switch, with the addition of a firewall.

[Proposed network diagram image]

What will happen to VPN clients? Will SBS be able to continue to provide VPN?
Also please suggest a suitable less-costly firewall device.

Thanks!
neilpage99:
VPN can operate perfectly through a firewall appliance. You have to open the necessary ports (i.e. IP 47 and TCP 1723 for PPTP, TCP HTTPS 443 for SSL VPN, etc) to allow the tunnels to pass through.

Your proposed diagram is a stark improvement on the first diagram. It also sets you up for firewall high availability, if you so desire. This would allow a complete failure at the firewall level while not impacting production traffic. This would obviously depend on your firewall/version/license etc. and would require at least two firewall appliances - something you may not be interested in.

There are a lot of discussions on Experts-Exchange as well as millions of other sites around the internet regarding "good firewall alternatives". It's an exhaustive topic. There are so many schools of thought, experiences, and fans out there of different products. It will ultimately come down to your specific requirements and budget; then your pool of experience and comfort level with different brands and technologies. Every situation has a "perfect" solution, but no solution is perfect for every situation. You need to compile a careful list of requirements, then find a good match. For example:

1. what is the VPN technology you're using, and what ports must be open to accommodate the VPN tunnels passing through the firewall?

2. Do you want or will you want firewall high availability in the future?

3. What services will you be hosting behind your firewall?  (i.e. web servers, email servers, etc)

4. Will you want to establish branch office VPNs as well as remote access VPNs?

5. What is your approximate budget (including licenses, support etc) for one or more firewall appliances?

6. What firewall technologies are you most comfortable with, and are you willing to explore firewall command line interfaces (CLI) as an alternative or in addition to graphical interfaces?

7. What encryption level(s) do you need?  (DES, 3DES, AES, etc?)

8. Do the firewall appliances need to be rack-mounted?

...these are just examples - you have other requirements to consider too.

Also, I always look to avoid dual-NIC'ing a server whenever possible, especially domain controllers, and Exchange servers. Exceptions would be if the second NIC is for a backup solution VLAN or something like that. I'm not saying that it's "BAD" to dual-NIC a server - I just try to avoid it when possible because it simplifies administration and troubleshooting later.
Abid (asker):
Hi Neil,

Thank you very much for your time and attention. Your reply was very helpful and informative. For some time I had been thinking of making the SBS 2003 work on a single NIC. Here are some of the requirements for a hardware firewall:

1. At the moment SBS 2003 is configured for "Routing and Remote Access" doing VPN for clients. The remote access utility (produced by SBS itself) is installed on all remote clients. There are 10 PPTP and 5 L2TP ports available.

2. The hardware firewall will become a single point of failure for WAN, so high availability will be desirable.

3. Only Exchange 2003 and default sites (OWA, SharePoint etc) are running in IIS

4. Only Remote Access is required (no branch offices)

5. Budget is around 300~500£ (one off) and then some support charges on an annual basis

6. GUI based only - Ease of management is highly desired

7. Encryption level can be any

8. Rack-mountable desirable, otherwise desk-based will be fine also

Hope this gives you an idea of what I need. VPN-less firewalls may also work as SBS 2003 handles VPN connections very well. My only concern is that if SBS goes down remote clients will not be able to connect to the network. So if VPN was being handled by the firewall, remote users can still access the network and shared resources (e.g., NAS).

Now all I need is to (a) identify a good hardware firewall and (b) a detailed user guide to convert SBS 2003 from dual to single NIC while making sure I don't break anything in the process.

Any further thoughts?
Abid
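Neil's list of what must pass through the new edge firewall (IP protocol 47 and TCP 1723 for PPTP) and Abid's L2TP ports both come down to the same check: does the rule set on the firewall actually admit every flow RRAS needs, and nothing else inbound? The following is an added example, not code from the thread, that runs that check against a first-match rule set. The Flow/Rule structures and both rule sets are constructed for illustration; the L2TP/IPsec flows (UDP 500, UDP 4500, ESP/IP protocol 50) are assumed from the standard protocol rather than taken from the thread.

```python
# Added example (not from the thread): a tiny first-match firewall policy
# checker that verifies the inbound rules on a new edge firewall admit the
# VPN flows RRAS on SBS needs (PPTP and L2TP/IPsec) and deny everything else.
# Flow/Rule fields and the rule sets are constructed for this illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp", "gre" (IP 47) or "esp" (IP 50)
    dport: Optional[int]  # None for protocols that have no port (gre, esp)

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # protocol name or "any"
    dport: Optional[int]  # None matches any port

def permits(rules, flow):
    """First matching rule wins; no match means implicit deny from the WAN."""
    for r in rules:
        if r.proto not in ("any", flow.proto):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action == "allow"
    return False

# Inbound flows each VPN technology needs to reach the RRAS server.
VPN_FLOWS = {
    "pptp": [Flow("tcp", 1723), Flow("gre", None)],
    "l2tp_ipsec": [Flow("udp", 500), Flow("udp", 4500), Flow("esp", None)],
}

def missing_flows(rules, technologies):
    """Return the required inbound flows that the rule set does not permit."""
    return [f for t in technologies for f in VPN_FLOWS[t] if not permits(rules, f)]

# Common mistake: forwarding TCP 1723 only. The PPTP control channel works,
# but GRE is a protocol, not a port, so the data channel is dropped and
# tunnels authenticate and then hang.
WEAK_RULES = [Rule("allow", "tcp", 1723), Rule("deny", "any", None)]

# Corrected: both PPTP channels plus the three L2TP/IPsec flows, then deny all.
GOOD_RULES = [
    Rule("allow", "tcp", 1723), Rule("allow", "gre", None),
    Rule("allow", "udp", 500), Rule("allow", "udp", 4500), Rule("allow", "esp", None),
    Rule("deny", "any", None),
]
```

Running `missing_flows(WEAK_RULES, ["pptp", "l2tp_ipsec"])` lists the four flows the weak rule set drops, while the corrected set returns an empty list and still denies unrelated inbound traffic such as TCP 445.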
SOLUTION (neilpage99)
Abid (asker):
Thank you Neil,

Sorry for the delayed feedback, as I was away on holidays. I will go through your links now to convert SBS 2003 to single NIC configuration. Once it is done and firewall is in place, I am sure life will become easier for me.

Sonicwall TZ series firewalls look very good but slightly over the budget. I will look for more available options thoroughly. I will close the thread now and will award points. Many thanks for your help. Perhaps I will post a new thread if I have any further questions.

Kind regards,
Abid