Member Server with Interface in Permiter Network and also interface on internal LAN

Discussion in 'Windows Small Business Server' started by Bill, May 16, 2004.

  1. Bill

    Bill Guest

    My network so far looks like this:

    DSL
    |
    PIX 501
    |
    SBS 2003 Standard w/2 NIC
    |
    Internal LAN

    I want to add a Windows 2003 webserver to run the public website, but I
    would also like to use it for files sharing and print services on the
    internal LAN. I thought I would dual NIC it with one interface having an
    external IP on the same subnet as the SBS outside interface, and the second
    interface would have an internal LAN IP statically assigned. I would allow
    port 80 access to the outside interface of the Windows 2003 server through
    the PIX. The windows 2003 member server would not have any domain
    information, etc.

    Is this configuration valid? What are the Security implications? Could I
    also run terminal services on this same server so internal users could share
    an application where the data store would be on the SBS server?
     
    Bill, May 16, 2004
    #1
    1. Advertisements

  2. Hi Bill,

    If it were me, I'd put the members server on the lan, and outsource the web
    site. Having the memberserver on the lan for all the reasons you mentioned
    has benefits, especially as sbs integrated configuration and managment is
    all set up to make this easy.

    To host your web site, you could dmz the web server off the pix, and use it
    for nothing but that. But I think you'll find that the above scenario gets
    you way more bang for the buck, as web hosting is very affordable and the
    risk is all somebody elses :).
     
    Les Connor [SBS MVP], May 16, 2004
    #2
    1. Advertisements

  3. Bill

    Mark Mancini Guest

    total agreement with Les. Aside from getting more features and being
    cheaper, also more secure.

    --
    Sincerely,
    Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
    www.MCSE2000.com
    www.AppLauncher.com



     
    Mark Mancini, May 17, 2004
    #3
  4. Bill

    Tony Su Guest

    In general, although SBS Standard (RRAS/ICF) can forward
    from a WAN address to only one LAN address, you can point
    to a member server but that means you'll have to give up
    the Default Website resources (OWA, OMA, TSWeb, etc)...

    But, recently I've been considering that it's possible to
    configure a second website on the SBServer sharing the
    same IP address and port but using a unique IIS Host
    Header... then configure a re-direct to the Member Server.

    So, it's possible. And, if you know what you're doing I
    wouldn't mind too much the warnings that deploying
    websites is unsafe... Certainly there is additional risk
    associated with doing <anything>, but if you dedicate
    yourself to understanding what you need to secure your
    deployment, for most people it should be an acceptable
    risk.

    After all... I can personally remember not too long ago
    that people were saying the same thing about connecting to
    the Internet... "No one in their right mind should
    recommend connecting their network to the Internet. It's
    an invitation to hacking and asset loss."

    Well, yes.

    Tony Su



     
    Tony Su, May 17, 2004
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.