Re: SBS 2003 2NIC's
- From: Colin <Colin@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 8 Dec 2007 06:29:01 -0800
Hi,

Some very good advice here on routing, IPs, disaster recovery etc. I agree
with most of Steve's advice on ensuring a good disaster recovery plan, RAID,
etc. but disagree on the firewall advice. The BT supplied router (probably
2Wire?) is OK for residential use but I wouldn't use it in a corporate
environment. The issue of spending a large amount of money on a firewall is
something that crops up here now and again. The way I look at it is this:

Invest (note: not 'spend') as much in your hardware firewall as you can
afford. It's a false economy to lay out £1000's on a server, £100's on Anti
Virus software, £100's/£1000's on backup hardware and then use the free
router, worth about £70, to protect it all (on that note, BT are the worst
ISP in the UK in my opinion - I've got 3 clients using them and incompetent
is the word that comes to mind - I hope you never need to forward mail
externally or use direct push/Blackberry etc. as BT will simply not allow this
through their servers).

Disaster recovery is something that you definitely
need but hopefully will never need. If your data gets into the wrong hands,
it could destroy your credibility or even worse, your company. If your server
is ever compromised, it's not yours anymore. A complete rebuild would be
required - with the associated costs - and could you guarantee that last
night's backed up data doesn't contain bots, spyware etc. planted by a
hacker? A good hardware firewall, properly configured, will prevent this.

Larry is correct - Sonicwall, Watchguard, Cisco PIX etc. is what you need to implement.
Forget free routers that come with ISP packages. If you can stretch to it, a
UTM device is even better - you get the firewall plus anti spam, anti malware
etc. No harm in having 2 levels of anti malware eh? Just my 2 cents.

Regards Colin.

"spm" wrote:
wigwam326@xxxxxxxxxxxxxx wrote:

Server
External NIC
IP 192.168.1.2
Subnet 255.255.255.0
Gateway 192.168.1.254
DNS - NOT SURE WHAT TO PUT IN HERE, DO I USE THE ONE PROVIDED BY BT?

IP 192.168.1.1 DHCP enabled
Subnet 255.255.255.0
Gateway - NOT SURE WHAT TO PUT IN HERE IS IT THE EXTERNAL NIC?
DNS 192.168.1.1

No, this is wrong. First, the external and internal NICs need to be on
different subnets. Second, the DNS server for all NICs - both of the
server's, and all of the clients' - needs to be the IP address of the
server's *internal* NIC. Third, don't give fixed IP addresses to any of
the clients - use DHCP (running on the server) to push out settings to
all clients. If you have a *need* to fix the IP address of a client,
use a DHCP reservation on the SBS instead. Finally, don't use
192.168.1.x for - this can cause problems for VPN clients which are
typically on local 192.168.0.x or 192.168.1.x subnets. Use at least
192.168.16.x, 192.168.17.x or higher.

Also, don't be tempted to assign your ISP's DNS servers to any of the
NICs, anywhere on your network - this will give you problems. The ISP's
DNS servers are used as forwarding servers by the SBS's own DNS server
- you tell the SBS what these are using the CEICW.

Most of this can be configured by using the CEICW (Configure Email and
Internet Connection Wizard) on the server. Do *not* try to do things
like this manually - ALWAYS, ALWAYS, ALWAYS USE THE WIZARDS. First, I'd
configure the router on the 192.168.17.1, say. Turn off its DHCP server
and give the server's external NIC an IP address of 192.168.17.2, say.
Now run and complete the CEICW. Make sure all of your clients are set
to use DHCP (and renew their addresses, or reboot them). Done.

Lastly, a word about your router. I'm not sure of the real firewall
capabilities of your router, but at first glance it will probably do.
There are those here who will tell you you have to spend a small
fortune on a "real" firewall, arguing that it's a small price to pay to
protect your company's data. The argument is somewhat flawed, though.
You protect your company's data by putting in place a proper disaster
recovery plan, a part of which is a strong backup and restore procedure
which you verify works properly. Judicious use of RAID and other
redundant hardware is another part. Your exposure then is not the cost
of the data, but the costs of implementing the disaster recovery plan,
should it ever be needed. That will better enable you to trade off
expenditure against budget.
--
Regards,
Steve.
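
The addressing rules in the quoted reply (NICs on different subnets, every NIC's DNS pointing only at the internal NIC, no 192.168.0.x/192.168.1.x ranges) can be checked against a plan before running the CEICW. This Python sketch is an added example, not part of the original thread. The dictionary layout, the 203.0.113.53 stand-in for an ISP resolver, the 192.168.16.2 internal address, reading the question's second block as the internal NIC, and applying the VPN range rule to both NICs are assumptions.

```python
import ipaddress

# Subnets the reply says VPN clients are typically on locally.
VPN_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]

def check_plan(plan):
    """Return findings for a two-NIC SBS addressing plan; an empty list means it passes."""
    findings = []
    nics = {name: ipaddress.ip_interface(f"{cfg['ip']}/{cfg['mask']}")
            for name, cfg in plan.items()}
    ext, inside = nics["external"], nics["internal"]

    # Rule 1: external and internal NICs must be on different subnets.
    if ext.network.overlaps(inside.network):
        findings.append("external and internal NICs share a subnet")

    # Rule 2: each NIC lists only the internal NIC's address as DNS
    # (ISP resolvers belong in the SBS DNS forwarders, not on a NIC).
    for name, cfg in plan.items():
        wrong = [d for d in cfg["dns"] if ipaddress.ip_address(d) != inside.ip]
        if wrong or not cfg["dns"]:
            findings.append(f"{name} NIC DNS must be {inside.ip} only, got {cfg['dns']}")

    # Rule 3: keep clear of the ranges VPN clients commonly use at their own end.
    for name, iface in nics.items():
        if any(iface.network.overlaps(n) for n in VPN_CLIENT_NETS):
            findings.append(f"{name} NIC subnet {iface.network} clashes with VPN client ranges")

    # Sanity check: the default gateway must sit on the external subnet.
    gw = plan["external"].get("gateway")
    if gw and ipaddress.ip_address(gw) not in ext.network:
        findings.append(f"gateway {gw} is not on external subnet {ext.network}")
    return findings

# Constructed inputs. ASKED mirrors the question; FIXED uses the reply's 192.168.17.x
# router side plus an assumed 192.168.16.x LAN.
ASKED = {
    "external": {"ip": "192.168.1.2", "mask": "255.255.255.0",
                 "gateway": "192.168.1.254", "dns": ["203.0.113.53"]},
    "internal": {"ip": "192.168.1.1", "mask": "255.255.255.0", "dns": ["192.168.1.1"]},
}
FIXED = {
    "external": {"ip": "192.168.17.2", "mask": "255.255.255.0",
                 "gateway": "192.168.17.1", "dns": ["192.168.16.2"]},
    "internal": {"ip": "192.168.16.2", "mask": "255.255.255.0", "dns": ["192.168.16.2"]},
}

if __name__ == "__main__":
    for label, plan in (("as asked", ASKED), ("corrected", FIXED)):
        print(label, check_plan(plan) or "OK")
```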