Re: Network topology questions from a new sbs user



doucettea wrote:
Hi all,
I am new to Windows Server and to SBS, having recently acquired it in the MS Action Pack for a small business.
I have a setup question regarding network topology...How should I set it up?

The business is a home office and has 4 computers + the server (the 5th computer, repurposed). Server has 2 NICs. Connection to the internet is by cable-modem, on IP dynamically assigned by Comcast.
I have a:
Cable modem / VOIP box
Router with NAT firewall, DHCP capability, 4 wired ports and a wireless access point
Gigabit switch with 5 ports
One more WAP

What is the best way to lay out the network? I want the 4 internal computers to be able to access the internet and the intranet. 3 are wired and 1 is a laptop with wi-fi.
The router and switch are both Dlink and can do uPNP.

Forget uPnP. Really. There's nothing it can do for business users that
you wouldn't much rather do manually.


I don't want to have an external website (it is hosted by a third party) but

Absolutely correct. Running a public web site is, or most certainly
ought to be, a full-time job. That's 24 hours a day, not eight.

I do want to allow external employees to access the intranet. I set up a dyndns.org account and will try to use that (maybe I'll post about that once the server is set up?).
I don't know if this is possible, but I don't want the SBS to have to be turned on for the other computers to access the internet. (But I understand that it would need to be turned on to access anything that resides on it...)
VPN would also be nice? The router can be set to allow VPN pass-through.

Should I go with:
Cable modem <-> Router w/ firewall <-> SBS external NIC <-> SBS <-> SBS internal NIC <-> Switch <-> PCs with wired LAN and also WAP

If this is the case:
I assume SBS will do the DHCP? Will the SBS need to be turned on for the other computers to access the internet? Also, will the SBS set-up wizards take care of assigning the right IP addresses to the SBS and to all the computers?

Yes, all that is true.


Is there a different topology that I should be going with instead? Do I need to use both NICs (seems to be the majority opinion of the MVPs whose posts I've read about this)?

If not leaving the SBS machine on is important, then two-NIC mode is
out. The alternative is to use a good firewall, and have the single SBS
NIC and all workstations connected by a switch, along with the WAP.

A critical point is whether you want to learn ISA. ISA is only active
when two NICs are used, when all Internet activity occurs through the
SBS, and when it must be powered. SBS Premium has ISA, Standard does
not, so not all of your customers will use it. If any do, then you need
to understand it, which means two NICs and SBS on.

There's no real problem with switching between the two modes. You will
meet some customers who will need to move from one NIC to two, and an
understanding of the issues will be useful. There's nothing like doing
it yourself regularly to give you the necessary knowledge.

DHCP and DNS: the SBS *must* provide DNS service to all its clients,
including those using VPN. DHCP is optional but easier. The SBS must
also be the WINS server, and if it is the DHCP server it will tell its
clients this. If you use a different DHCP server, you must configure it
to give the SBS IP address as both DNS and WINS servers. If SBS is the
DHCP server, this is automatic.

Firewalls are an entertaining subject. SBS standard in two-NIC mode,
and most common low-cost routers, do stateful packet inspection, which
is the core firewall function. ISA in SBS Premium adds a number of
useful features, and also a web proxy server, which prevents some types
of attack which a packet filter cannot see.

In a customer's production environment, a reputable packet-filtering
router will offer as much protection as SBS Standard in two-NIC mode,
while a more expensive firewall appliance or SBS Premium in two-NIC
mode will offer much more safety. Two different firewalls will give a
little more protection than one, so if there are no problems in doing
so, use SBS two-NIC in preference to one-NIC, even if you have another
firewall in place. Part of your job will be to weigh the pros and cons
of doing this.
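
The DHCP and DNS requirement in the reply above can be verified from any workstation. The following is an added example, not part of the original post: it parses `ipconfig /all` output and flags a lease whose DNS or WINS server is anything other than the SBS. The address 192.168.16.2, both sample outputs and the function names are assumptions constructed for illustration.

```python
import re
SBS_IP = "192.168.16.2"  # assumed LAN address of the SBS, not from the thread

# Constructed `ipconfig /all` output: the router's DHCP hands out itself and
# an outside resolver as DNS servers and sets no WINS server.
SAMPLE_BAD = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.16.21
        DHCP Server . . . . . . . . . . . : 192.168.16.1
        DNS Servers . . . . . . . . . . . : 192.168.16.1
                                            203.0.113.53
"""

# Constructed output after the router's DHCP options were corrected.
SAMPLE_GOOD = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.16.21
        DHCP Server . . . . . . . . . . . : 192.168.16.1
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.16.2
"""

FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Map each field label to its values (single-adapter output assumed)."""
    fields, key = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key = m.group(1)
            fields.setdefault(key, []).extend(v for v in [m.group(2).strip()] if v)
        elif key and line[:1].isspace() and line.strip():
            fields[key].append(line.strip())  # continuation, e.g. 2nd DNS server
        else:
            key = None
    return fields

def check_lease(text, sbs_ip=SBS_IP):
    """Return a list of problems; empty means DNS and WINS both point at the SBS."""
    fields = parse_ipconfig(text)
    problems = []
    for label in ("DNS Servers", "Primary WINS Server"):
        if fields.get(label, []) != [sbs_ip]:
            problems.append(f"{label}: {fields.get(label, [])} (expected only {sbs_ip})")
    return problems
```
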