Re: SBS 3003 Premium - 2 NIC w/ Hardware Firewall



Have another look at Marina's link. We don't post these things just for
typing practice.
Order Service Pack 1
During the CD ordering process, the Windows Small Business Server 2003
Product Key used in your original installation will be required. The Product
Key is located on the back of your product CD case or on the side of your
server box if your current version was purchased through an Original
Equipment Manufacturer (OEM). CDs will be shipped to you within 1-2 weeks in
North America. Expect 6-8 weeks for delivery outside of North America.
North America - order your CD package online. If you encounter problems
during your ordering process, please contact a customer service
representative at 1-800-360-7561.
Europe/Middle East/Africa - order your CD package online. If you encounter
problems during your ordering process, please contact a customer service
representative at direct-mar@xxxxxxxxxxxxxxxxxxxx
Asia Pacific - order your CD package by clicking here to view your country
contact information.
Latin America - order your CD package by clicking here to view your country
contact information.

ISA 2004 is _only_ available through CD order.

"Blase" <Blase@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7DA546A6-CE22-4D37-AA3B-B4367282EEEB@xxxxxxxxxxxxxxxx
I'm trying once again to get some clarity on this issue. I now have the X5
properly installed and everything is working fine - I get full access to
VPN, remote workplace, RPC over HTTP email, etc. But I am still getting
some periodic hits, sometimes 2,500 at a session, where a bot program or
something is attempting random login attempts to my server. That is why I
opted for the external firewall device in the first place. Apparently the
X5 will either not stop that kind of request, or I do not yet have it
configured correctly to do so.

Seeing the suggestions from SuperGumby, I wanted to add the ISA protection
noted. I never realized I had ISA 2000 as part of my SBS 2003 Premium
software, however, so it has never been installed. SuperGumby suggested I
not do so, but opt for ISA 2004 instead. So I downloaded ISA 2004 trial to
see if I could configure it correctly, until further posts from Marina
suggested I should remove it and use only the CDs that are specifically
made for SBS 2003.

At this point, all I want to know is how best to get to ISA 2004 for my
installation. I have always kept this server patched to the latest
updates - so SBS 2003 SP1 has already been installed. Yet if ISA was never
installed initially, it was obviously not updated to 2004 when I did the
SP1 patch. So the question is how best to proceed. Should I install ISA
2000 from my original product CDs and then run the SP1 patch again? Or is
there a better way? Marina's last post simply gave me the link to the SP1
download page. SP1 is already installed - but ISA is not. That is the
problem here.

"SuperGumby [SBS MVP]" wrote:

I'm not familiar with the X5 so had a quick look at the manual. Very
capable device and possibly a little on the 'overkill' side for someone
who already has ISA implemented. I probably would have gone a more simple,
and less expensive, 'simple NAT router' instead.

By implementing the X5 in front of a two NIC ISA SBS you need to consider
some items.
The device itself has VPN endpoint capability, the manual however also
suggests it supports PPTP passthrough. I mention this because I don't know
how well the X5 handles it, it may work perfectly, many VPN capable
devices interfere with terminating the tunnel at the SBS.
The manual has instructions for disabling the browser proxy settings,
disregard these instructions in your situation. You will want your
internal clients to use ISA as proxy, it will then send requests through
the X5. It is possible to configure ISA to use an 'upstream proxy' but
this is not automatically configured, if you had manually configured ISA
to use an upstream proxy it is this which should be removed to allow the
X5 to 'transparent proxy' requests through it.

The manual seems to suggest that the X5 defaults to 192.168.111.1/24 (/24
is shorthand for a subnet mask of 255.255.255.0, 24 bits) so having your
internal network running 192.168.16.0/24 (SBS default) is fine. The
external IP address on the SBS should be set to any IP in the
192.168.111.x/24 range, 192.168.111.2 would seem sensible.

Your IPConfig should look something like:
C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : sbs
Primary Dns Suffix . . . . . . . : lc.lan
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : lc.lan

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NetServer 10/100TX PCI LAN Adapter
Physical Address. . . . . . . . . : removed
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2

Ethernet adapter External:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : removed
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.111.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 192.168.16.2
NetBIOS over Tcpip. . . . . . . . : Disabled

At this point you would run the CEICW with the X5 connected to the
external interface. A curiosity here is the choices you take. The most
obvious choice would be that you connect through 'A router with an IP
address', DO NOT select this, instead taking the choice 'Fulltime
broadband connection'. The router choice is, basically, designed for an
ISDN or similar 'demand dial' connection.

You should now be able to open the web interface on the X5. You'll need to
configure it to connect to your ISP and also set the port forwarding to
SBS. For RWW you want to forward 443 (RWW itself), 444 (CompanyWeb), and
4125 (RWW's RDP proxy). For PPTP VPN you need TCP/IP port 1723 and TCP
_protocol_ 43 GRE, this may be controlled in a single section controlling
PPTP passthrough (sorry, I didn't go that far through the manual).

You mention FTP. Do you wish to allow outgoing FTP (in which case I expect
nothing need be done on the X5, but you need to turn off the 'read only'
in ISA FTP controls) or are you running an FTP server on SBS?

OWA and RPC over HTTPS will also use the port forwarding for 443, same as
RWW.

"Blase" <Blase@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:226682CA-C78D-42E3-ACFF-38E34E5230EE@xxxxxxxxxxxxxxxx
I've had SBS 2003 Premium running for 2 years and recently upgraded to a
new server. Wanted to add a firewall appliance for more protection, as we
are seeing an increase in random login attempts - sometimes 3000 an
evening. The ISA provided software firewall has held to date, but the
redundancy seems like a good idea.

Am struggling to get the configuration correct, however. Have the internal
NIC appropriately working as 192.168.16.2 defaults. Have a static IP
address from our ISP assigned to the external NIC. But I assume I now need
to assign the external static IP address to the firewall appliance, using
a gateway address to point to the current server external NIC. Is that
correct? And if so, what address should it use? Should it be in the same
subnet as the internal NIC?

Assuming I get this properly configured, how do I configure the firewall
ports correctly (I'm obviously new to firewall setup)? I'm using VPN, FTP,
OWA and RPC over HTTP for Outlook in addition to typical internet access.
The hardware appliance is a Firebox X5 by WatchGuard, if that matters at
all.

Any ideas out there?
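
Added example, not part of the thread or written by any of its posters: a Python check that parses `ipconfig /all` text and reports deviations from the two-NIC layout quoted above (no default gateway on the internal NIC, an external gateway inside the external subnet, non-overlapping subnets, DNS pointing at the internal network). The sample text is constructed from the quoted output, and the function names and the DNS rule (inferred from that sample) are assumptions.

```python
import ipaddress
import re

# Constructed sample, trimmed from the ipconfig /all layout quoted in the thread.
SAMPLE = """\
Ethernet adapter Server Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.2

Ethernet adapter External:
   IP Address. . . . . . . . . . . . : 192.168.111.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.111.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2
"""
FIELD = re.compile(r"^\s*([^.:]+?)[ .]*:\s*(.*)$")

def parse_adapters(text):
    """Return {adapter name: {field: value}}; only the first DNS server is kept."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^Ethernet adapter (.+):\s*$", line)
        field = FIELD.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {})
        elif field and current is not None:
            current.setdefault(field.group(1).strip(), field.group(2).strip())
    return adapters

def check_dual_homed(adapters, internal, external):
    """Hypothetical helper: list deviations from the two-NIC layout in the thread."""
    inside, outside = adapters[internal], adapters[external]
    in_net = ipaddress.ip_interface(f"{inside['IP Address']}/{inside['Subnet Mask']}").network
    out_net = ipaddress.ip_interface(f"{outside['IP Address']}/{outside['Subnet Mask']}").network
    findings = []
    if inside.get("Default Gateway"):
        findings.append("internal NIC has a default gateway")
    gateway = outside.get("Default Gateway")
    if not gateway:
        findings.append("external NIC has no default gateway")
    elif ipaddress.ip_address(gateway) not in out_net:
        findings.append("external gateway is outside the external subnet")
    if in_net.overlaps(out_net):
        findings.append("internal and external subnets overlap")
    for name, nic in adapters.items():
        dns = nic.get("DNS Servers")
        if dns and ipaddress.ip_address(dns) not in in_net:
            findings.append(f"{name}: DNS server {dns} is not on the internal network")
    return findings

if __name__ == "__main__":
    print(check_dual_homed(parse_adapters(SAMPLE), "Server Local Area Connection", "External"))
```

Saved `ipconfig /all` output from the server can be passed to `parse_adapters` in place of `SAMPLE`, using the adapter names as they appear in that output.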




