Abid (asker)

Internet redundancy in SBS 2003 environment

Hello All,

We have a fairly old tower server running SBS 2003 in a multi-homed environment. I have recently deployed a Windows 2003 Standard (SP2) server for redundancy as a virtual machine running on a VMware hypervisor. The new server is acting as a Replica DC and Secondary DNS Server. Replication is working fine without any errors. All client machines obtain their IP automatically from DHCP and now show the secondary DNS in ipconfig results. Please have a look at the network diagram to understand how the network is laid out.

[Image: Network diagram]
SBS 2003 is doing NAT and shows as the Default Gateway on client machines in ipconfig. My question is: if the SBS 2003 server goes down for a longer period of time, how can I make sure the clients continue to get internet? I assume if I unplug the cable which is coming "from the router to External NIC" and plug it directly into the switch, the internet will be made available to all clients immediately. Will this work?

I do understand that, due to no hardware firewall being in place, the network will be exposed to the internet. Please advise.

Kind regards,
Abid
Tags: Microsoft Legacy OS, Windows Networking

Last comment: Abid, 8/22/2022 (Mon)
ASKER CERTIFIED SOLUTION
neilpage99

neilpage99

Depending on your firmware of the Netgear GSM7224, you can enable inter-VLAN routing. So if you carve out a VLAN for the 213.120.x.x subnet, and place a switch port of the GSM7224 in that VLAN, you can route between that and the 192.168.x.x VLAN. I would still advise against this as there would practically be no firewalling/filtering going on.

ftp://downloads.netgear.com/files/gsm7224-gsm7248v2_ds_18feb10.pdf
Abid (ASKER)

Thanks guys!

I don't have much knowledge of switching or VLANs, and besides, these switches will be changed sometime soon. They are old and have been out of warranty for a long time.

I am thinking of changing the network layout as below. Planning to convert SBS 2003 from multihomed (Dual-NIC) to single NIC and plug it directly into the switch, with the addition of a firewall.

[Image: Proposed network model]
What will happen to VPN clients? Will SBS be able to continue to provide VPN?
Also please suggest a suitable less-costly firewall device.

Thanks!
neilpage99

VPN can operate perfectly through a firewall appliance. You have to open the necessary ports (i.e. IP 47 and TCP 1723 for PPTP, TCP HTTPS 443 for SSL VPN, etc) to allow the tunnels to pass through.

Your proposed diagram is a stark improvement on the first diagram. It also sets you up for firewall high availability, if you so desire. This would allow a complete failure at the firewall level while not impacting production traffic. This would obviously depend on your firewall/version/license etc. and would require at least two firewall appliances - something you may not be interested in.

There are a lot of discussions on Experts-Exchange as well as millions of other sites around the internet regarding "good firewall alternatives". It's an exhaustive topic. There are so many schools of thought, experiences, and fans out there of different products. It will ultimately come down to your specific requirements and budget; then your pool of experience and comfort level with different brands and technologies. Every situation has a "perfect" solution, but no solution is perfect for every situation. You need to compile a careful list of requirements, then find a good match. For example:

1. what is the VPN technology you're using, and what ports must be open to accommodate the VPN tunnels passing through the firewall?

2. Do you want or will you want firewall high availability in the future?

3. What services will you be hosting behind your firewall? (i.e. web servers, email servers, etc.)

4. Will you want to establish branch office VPNs as well as remote access VPNs?

5. What is your approximate budget (including licenses, support etc) for one or more firewall appliances?

6. What firewall technologies are you most comfortable with, and are you willing to explore firewall command line interfaces (CLI) as an alternative or in addition to graphical interfaces?

7. What encryption level(s) do you need? (DES, 3DES, AES, etc.?)

8. Do the firewall appliances need to be rack-mounted?

...these are just examples - you have other requirements to consider too.

Also, I always look to avoid dual-NIC'ing a server whenever possible, especially domain controllers, and Exchange servers. Exceptions would be if the second NIC is for a backup solution VLAN or something like that. I'm not saying that it's "BAD" to dual-NIC a server - I just try to avoid it when possible because it simplifies administration and troubleshooting later.
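An added example, not from the thread or either participant: it checks a proposed firewall forwarding policy against the passthrough requirements listed above (TCP 1723 plus GRE / IP protocol 47 for PPTP, TCP 443 for HTTPS) and flags catch-all rules that would leave the LAN as exposed as the unfiltered setup from the original question. The SBS LAN address and the three sample policies are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SBS_LAN_IP = "192.168.0.10"  # constructed; the thread only mentions 192.168.x.x

# Inbound passthrough requirements quoted in the reply above.
VPN_REQUIREMENTS = {
    "PPTP control": ("tcp", 1723),
    "PPTP tunnel (GRE, IP protocol 47)": ("gre", None),  # no port: protocol-level
    "HTTPS / SSL VPN": ("tcp", 443),
}


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", "gre" or "any"
    port: Optional[int]   # None for port-less protocols or for "any"
    dest: str             # internal host the traffic is forwarded to, or "any"


def rule_matches(rule: Rule, proto: str, port: Optional[int]) -> bool:
    proto_ok = rule.proto in ("any", proto)
    port_ok = rule.port is None or rule.port == port
    return proto_ok and port_ok


def audit(rules: List[Rule], sbs_ip: str = SBS_LAN_IP) -> Tuple[List[str], List[Rule]]:
    """Return (services the policy fails to pass through, rules that expose the LAN)."""
    missing = [
        name for name, (proto, port) in VPN_REQUIREMENTS.items()
        if not any(rule_matches(r, proto, port) and r.dest in (sbs_ip, "any") for r in rules)
    ]
    # A catch-all protocol or destination is the "router straight into the switch"
    # situation from the question: VPN works, but so does everything else.
    exposing = [r for r in rules if r.proto == "any" or r.dest == "any"]
    return missing, exposing


# Constructed policies for comparison.
WIDE_OPEN = [Rule("any", None, "any")]
MINIMAL = [Rule("tcp", 1723, SBS_LAN_IP), Rule("gre", None, SBS_LAN_IP), Rule("tcp", 443, SBS_LAN_IP)]
INCOMPLETE = [Rule("tcp", 1723, SBS_LAN_IP), Rule("tcp", 443, SBS_LAN_IP)]  # GRE forgotten

if __name__ == "__main__":
    for label, policy in (("wide open", WIDE_OPEN), ("minimal", MINIMAL), ("incomplete", INCOMPLETE)):
        missing, exposing = audit(policy)
        print(f"{label:10s} missing={missing} exposing={[str(r) for r in exposing]}")
```

The "incomplete" policy is the usual mistake: TCP 1723 alone lets the PPTP control channel connect, but without GRE the tunnel itself never comes up.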
Abid (ASKER)

Hi Neil,

Thank you very much for your time and attention. Your reply was very helpful and informative. For some time I had been thinking of making the SBS 2003 work on a single NIC. Here are some of the requirements for a hardware firewall:

1. At the moment SBS 2003 is configured for "Routing and Remote Access", doing VPN for clients. The remote access utility (produced by SBS itself) is installed on all remote clients. There are 10 PPTP and 5 L2TP ports available.

2. The hardware firewall will become a single point of failure for the WAN, so high availability will be desirable.

3. Only Exchange 2003 and default sites (OWA, SharePoint etc) are running in IIS

4. Only Remote Access is required (no branch offices)

5. Budget is around £300~500 (one off) and then some support charges on an annual basis

6. GUI based only - Ease of management is highly desired

7. Encryption level can be any

8. Rack-mountable desirable, otherwise desk-based will be fine also

Hope this gives you an idea of what I need. VPN-less firewalls may also work as SBS 2003 handles VPN connections very well. My only concern is that if SBS goes down remote clients will not be able to connect to the network. So if VPN was being handled by the firewall, remote users can still access the network and shared resources (e.g., NAS).

Now all I need is to (a) identify a good hardware firewall and (b) a detailed user guide to convert SBS 2003 from dual to single NIC while making sure I don't break anything in the process.

Any further thoughts?
Abid
SOLUTION
neilpage99

Abid (ASKER)

Thank you Neil,

Sorry for the delayed feedback, as I was away on holidays. I will go through your links now to convert SBS 2003 to a single NIC configuration. Once it is done and the firewall is in place, I am sure life will become easier for me.

Sonicwall TZ series firewalls look very good but slightly over the budget. I will look for more available options thoroughly. I will close the thread now and will award points. Many thanks for your help. Perhaps I will post a new thread if I have any further questions.

Kind regards,
Abid