Re: Best (recommended) extranet setup
- From: Lee <latrotter@xxxxxxxxxxxxxx>
- Date: Tue, 2 Aug 2005 10:45:04 -0700
Ok, new plan then, I like the way that was recommended. Anyone have specific
models for the firewall hardware?
Thanks
Lee
"Neteng" wrote:
> There really isn't a need for dual NICs (unless for redundancy). All
> servers should be behind a firewall, that's mandatory. I have never used MS
> VPN, I've always used Cisco. They make a solid firewall that can also
> terminate a VPN (both client and site to site). Jason's points are
> excellent, make sure to note them as well.
>
> "Lee" <latrotter@xxxxxxxxxxxxxx> wrote in message
> news:6B2BAF1E-2C92-42D4-9B04-A5C469CFABB8@xxxxxxxxxxxxxxxx
> > Here is how I was going to do it,
> >
> > Server A - Exchange, DC, SQL Server
> > 2 NICs - 1 To Server B and 1 to VPN to Homeoffice
> >
> > Server B - IIS, ISA (Proxying to Server A)
> > 2 NICs - 1 To Server A and 1 to Internet
> >
> > But what you are saying is both should be behind a dedicated packet
> > filter/firewall. What do you recommend for firewall hardware for this?
> > What do you recommend for a point to point VPN?
> >
> > Thanks
> >
> > "Jason Gurtz" wrote:
> >
> > > On 8/2/2005 12:03, Lee wrote:
> > > > Yes we're going to put an exchange server there as well as a windows
> > > > share point services server. Both those will be using the domain
> > > > controller, behind an ISA server. So we will treat them like they are in
> > > > our intranet, and the co-location is more like a branch office. How
> > > > reliable is a windows to windows VPN? Will it need frequent manual
> > > > intervention? I have only used it on my desktop and usually have fairly
> > > > frequent disconnects.
> > >
> > > This sounds like a recipe for disaster. The two servers should be sitting
> > > behind a packet filter at a minimum.
> > >
> > > A hardware VPN link would probably prove to be the most reliable. I would
> > > trust a private point-to-point for the domain traffic a bit more.
> > >
> > > Something like this:
> > >
> > >           Co-Lo Facility                      Across WAN
> > > ---------------------------------+      +---------------------
> > >                                  |      |
> > >                                  |      |
> > >                                           +-----------------+
> > > +------+                                  |                 |
> > > |      |    LAN                           | Home Office LAN |
> > > |Server|     |                            |                 |
> > > |  A   |-----+                            +--------+--------+
> > > |      |     |  +---------------+                  |
> > > |      |     |  |               |                  |
> > > |      |     +--+   Router #1   +-----Link-1-------+
> > > +------+     |  |               |
> > >              |  +---------------+
> > >              |                               _
> > >              |  +---------------+        #-#-#-##}
> > > +------+     |  |   Router #2   |       {# # # ##}
> > > |      |     +--+               +-----{# Internet ##}
> > > |Server|     |  | Packet Filter |       {## # # ##}
> > > |  B   |-----+  +---------------+        {###_##}
> > > |      |     |
> > > |      |
> > > |      |
> > > +------+
> > >
> > >                                  |      |
> > >                                  |      |
> > > ---------------------------------+      +---------------------
> > >
> > > Note: Both servers have Private IP addresses (e.g. 10.x.x.x, 192.168.x.x,
> > > etc...). Link-1 could be a VPN or could be truly private--point-to-point
> > > frame relay over ds1 or ds3 or something like that. Router #2 would do
> > > filtering and port forwarding as necessary for your applications (Web,
> > > mail, Remote admin, etc...)
> > >
> > > Depending on your mail setup it might be a good idea to have a Unix based
> > > mail switch/smtp filter in front of your exchange server.
> > >
> > > ~Jason
> > >
> > > --
> > >