Servers on Different Subnets

Discussion in 'Windows Small Business Server' started by Robert Zahm, Mar 13, 2006.

  1. Robert Zahm

    Robert Zahm Guest

    I have a question regarding a proposed subnet configuration.

    It was suggested to us that all workstations on our local SBS network reside
    in one subnet, while all server machines (SBS2003 DC included) reside on a
    separate subnet. We have a SonicWall router that I assume can be used to
    allow the networks to see each other. Has anyone else implemented this
    configuration, or have any other advice?

    Thanks,

    Rob
     
    Robert Zahm, Mar 13, 2006
    #1

  2. Lanwench [MVP - Exchange]
    Sure, you can have servers & workstations in myriad subnets, if you have
    something to route between them. However, my first question is, why is this
    being proposed....and to what end?
     
    Lanwench [MVP - Exchange], Mar 13, 2006
    #2

  3. Robert Zahm

    Russ Grover Guest

    I'd have to ask why also.
    Is it because they want to isolate those other servers because they are web
    servers?
    (That's the only reason I can think of for doing that config.)

    Who Suggested this Config and why?

    The SonicWall is fine also.
    ISP, then SonicWall, then SBS (with ISA or not), then switch, then clients.

    Now if those are web servers
    you could go

    ISP, then SonicWall, then web servers, then SBS (with ISA or not), then switch,
    then clients.

    if they aren't Webservers or servers that need access outside then bring
    them all inside the SBS/Client side

    Does that Help?

    Russ

    PS: Typically with ISA you don't need the SonicWall, but you can never be too secure
    IMO.
    (But you won't see many attacks on the ISA because the SonicWall will defend
    against them.)

    --

    Russ Grover
    SBS2003 Remote Support
    Portland/Beaverton OR
    Email: Sales at SBITS.Biz
    Website: http://www.SBITS.Biz


     
    Russ Grover, Mar 13, 2006
    #3
  4. Robert Zahm

    Robert Zahm Guest

    Russ,

    This configuration was suggested as a way to keep the servers separate from
    the rest of the network, and possibly restrict access to them.

    The goal is to have the SonicWall between our entire network and the
    Internet, for security as well as VPN connectivity to another network. One
    subnet would contain our SBS server as well as our other server machines.
    The other subnet would contain the client machines. I would have to
    configure the SonicWall to allow communication between the two subnets. Can
    SBS function as a domain controller while on a different subnet from the
    client machines?

    Does this sound like something that I should be able to accomplish, or will
    I need other hardware, such as routers, for each subnet? I am able to
    create the different subnets on the SonicWall, but thus far I have been
    unable to effectively allow machines on one subnet to communicate with
    machines on the other subnet. Do you know of any resources I could use to
    try to accomplish this? I recognize that this seems more like an issue for
    SonicWall than SBS, but I'm hoping that you might be able to point me in the
    right direction.

    Thanks,

    Rob

     
    Robert Zahm, Mar 13, 2006
    #4
  5. Lanwench [MVP - Exchange]
    But to what end? If I were you I'd ask more questions...and also make sure
    this is something your company actually needs. With regards to restricting
    access, doesn't sound like you'd be doing that for either of your users'
    networks/subnets anyway....so I'm not sure what you'd end up with at the end
    of the day. How big is your company/network? What traffic, exactly, would
    you be restricting?
    That's fine...although I'd make sure the other network is set up as an
    additional site/subnet in AD and has a local DC/GC.
    Perhaps Enhanced OS can do that, but I don't believe Standard can. Anyway,
    this is a job for a router (and I don't mean a consumer-grade gateway).
    Plus, you need to take WINS and DHCP into account to make sure they work
    across the routed subnets.
    That's generally the way you'd do it.
    Again, I suggest you do some more investigation. There's nothing inherently
    *wrong* with what you've been advised to do, necessarily - but it may be an
    elephant gun aimed at a mouse. It certainly adds a lot of complexity to your
    network - and you haven't really described what benefits you'd get out of
    it.
     
    Lanwench [MVP - Exchange], Mar 13, 2006
    #5
  6. Robert Zahm

    Robert Zahm Guest

    Actually, I am able to ping, but name resolution does not work yet; I
    believe this is due to the fact that I am using our old (retiring) SBS server,
    which is on the current subnet, for DNS resolution. My question about the
    configuration still stands: can SBS operate effectively as a DC for machines
    on different subnets? From your previous answer it sounds like this is the
    case; I just want to make sure before any more time is invested in this.

    Thanks again for your help!

    Rob


     
    Robert Zahm, Mar 13, 2006
    #6
  7. Robert Zahm

    kj Guest

    Ah the facts are starting to leak out.

    Yes, it *can*. It can also be a management nightmare.

    ...but the question remains, why?

    or, what are you trying to keep/block/filter from whom?

    --
    /kj
     
    kj, Mar 13, 2006
    #7
  8. Robert Zahm

    Russ Grover Guest

    This was the question I had.
    What purpose is this solution for?
    Other than adding more work?

    Like I said, I can see it if it's servers that are accessed from the outside and
    you want to isolate them.
    But if it's to isolate them from the inside? What do your employees do that you
    need to isolate servers from them?
    (Is this a hacking company? Yes, that was a sarcastic joke.)

    Apparently someone has told you to do it this way.
    Make him/her explain WHY.
    If a tech can't tell you the pros and cons of a network configuration, I'd
    find another one, IMO.

    Please let us know Why you need this configuration..
    Thanks


    --

    Russ Grover
    SBS2003 Remote Support
    Portland/Beaverton OR
    Email: Sales at SBITS.Biz
    Website: http://www.SBITS.Biz


     
    Russ Grover, Mar 13, 2006
    #8
  9. Lanwench [MVP - Exchange]

    <posted this reply yesterday, but it didn't show up for some reason>
    But to what end? If I were you I'd ask more questions...and also make sure
    this is something your company actually needs. With regards to restricting
    access, doesn't sound like you'd be doing that for either of your users'
    networks/subnets anyway....so I'm not sure what you'd end up with at the end
    of the day. How big is your company/network? What traffic, exactly, would
    you be restricting?
    That's fine...although I'd make sure the other network is set up as an
    additional site/subnet in AD and has a local DC/GC.
    Perhaps Enhanced OS can do that, but I don't believe Standard can. Anyway,
    this is a job for a router (and I don't mean a consumer-grade gateway).
    Plus, you need to take WINS and DHCP into account to make sure they work
    across the routed subnets.
    That's generally the way you'd do it.
    Again, I suggest you do some more investigation. There's nothing inherently
    wrong with what you've been advised to do, necessarily - but it may be an
    elephant gun aimed at a mouse. It certainly adds a lot of complexity to your
    network - and you haven't really described what benefits you'd get out of
    it.
     
    Lanwench [MVP - Exchange], Mar 14, 2006
    #9
  10. Robert Zahm

    Robert Zahm Guest

    Sorry for the delay, this project was put on hold for a while.

    We aren't actually trying to block/filter anything, and we aren't running
    out of IP addresses on our main subnet; we want to test this configuration
    out as a proposed best practice, and to see if we can restrict access to
    different parts of the network.

    I'm having some doubts as to whether or not this configuration will work, as
    I am unable to resolve the names of devices on the client subnet from the
    new SBS subnet.

    Thanks,

    Rob

     
    Robert Zahm, Apr 6, 2006
    #10
  11. Robert Zahm

    Joe Guest

    That restricts access, doesn't it?

    Seriously, there will be both DNS and routing issues. To reach a device
    in another subnet, DNS must resolve its IP address and the sending
    computer must know which is the correct router to send the message to
    so that it will reach the destination. DHCP confuses DNS unless both are
    carried out by the same Microsoft server, as in SBS. So any machines in
    the distant subnet which must be reachable need to either have static IP
    addresses which are entered in the SBS DNS server, or provision must be
    made for the SBS to supply them with DHCP. I'm not even sure if that is
    possible.

    Finally, all the machines in one subnet which need to access the other
    must be told which computer is the gateway to that subnet. This is done
    by adding static routes to each such computer, or by using a routing
    discovery protocol on the network, or possibly by a policy for the SBS
    domain members. Subnets which don't have independent Internet access are
    easy, as presumably the Internet is reached through the same machine as
    the other subnet, so only a default gateway is needed. This is why the
    machines on your 'client' subnet can see the machines on the other one:
    the DNS server (SBS) is reachable through their default gateway machine,
    and so are the computers on the SBS subnet. This is not true in the
    other direction.

    What you want to do is possible, it's just a bit messy and fragile,
    probably needing some manual configuration on individual computers.
     
    Joe, Apr 6, 2006
    #11
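    The three things Joe's reply says have to line up for a routed two-subnet
    SBS network (a route from the client to the server, a route back from the
    server, and a firewall between the zones that actually permits the traffic)
    can be checked with a small model. The example below is an added
    illustration written for this page, not code from anyone in the thread. The
    subnets, addresses, host names and SonicWall-style rule lists are
    constructed for the demonstration; the port list is the standard set a
    Windows Server 2003 domain member needs to reach its domain controller and
    DNS server, with one port (1025) standing in for the 1025-5000 dynamic RPC
    range that Server 2003 used by default.

```python
"""Model of the two-subnet SBS layout from the thread: a 'clients' subnet and a
'servers' subnet joined by one router/firewall. All addresses, hosts and rule
sets below are constructed for illustration (hypothetical, not the poster's)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed topology: two zones, one router with a leg in each.
ZONES = {
    "clients": ipaddress.ip_network("192.168.10.0/24"),
    "servers": ipaddress.ip_network("192.168.20.0/24"),
}
ROUTER_CLIENT_SIDE = "192.168.10.1"
ROUTER_SERVER_SIDE = "192.168.20.1"

# Flows a Server 2003-era domain member needs towards its DC/DNS/WINS server.
# Port 1025 stands in for the 1025-5000 dynamic RPC range of Windows Server 2003.
AD_FLOWS = [
    ("dns", "udp", 53), ("dns", "tcp", 53),
    ("kerberos", "udp", 88), ("kerberos", "tcp", 88),
    ("ntp", "udp", 123),
    ("rpc-epm", "tcp", 135),
    ("netbios-ns", "udp", 137), ("netbios-ssn", "tcp", 139),
    ("ldap", "udp", 389), ("ldap", "tcp", 389),
    ("smb", "tcp", 445),
    ("kpasswd", "tcp", 464),
    ("ldaps", "tcp", 636), ("gc", "tcp", 3268),
    ("rpc-dynamic", "tcp", 1025),
]

@dataclass
class Host:
    name: str
    ip: str
    gateway: Optional[str] = None                        # default route, if any
    static_routes: dict = field(default_factory=dict)    # "prefix" -> next hop

    def next_hop(self, dst: str) -> Optional[str]:
        """Emulate the host's routing decision: directly connected subnet first,
        then the most specific static route, then the default gateway, else none."""
        dst_ip, my_ip = ipaddress.ip_address(dst), ipaddress.ip_address(self.ip)
        for net in ZONES.values():
            if my_ip in net and dst_ip in net:
                return dst                                # same subnet: deliver directly
        best = None
        for prefix, hop in self.static_routes.items():
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else self.gateway

def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def policy_allows(rules, src_zone, dst_zone, proto, port) -> bool:
    """Zone firewall semantics: first matching rule wins, unmatched traffic is denied."""
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (r_src == src_zone and r_dst == dst_zone
                and r_proto in (proto, "any") and r_port in (port, "any")):
            return action == "allow"
    return False

def reachable(src: Host, dst: Host, proto, port, rules) -> bool:
    """A flow works only if the client routes to the server, the server can route
    a reply back, and the firewall between the zones permits the port."""
    if src.next_hop(dst.ip) is None or dst.next_hop(src.ip) is None:
        return False
    return policy_allows(rules, zone_of(src.ip), zone_of(dst.ip), proto, port)

def blocked_flows(src: Host, dst: Host, rules):
    """Names of the AD flows that would fail between src and dst under this policy."""
    return [name for name, proto, port in AD_FLOWS
            if not reachable(src, dst, proto, port, rules)]

# Constructed hosts: a workstation, the SBS DC with a default gateway, the same DC
# with no route back at all, and a DC that reaches the clients via a static route.
pc = Host("workstation", "192.168.10.50", gateway=ROUTER_CLIENT_SIDE)
sbs = Host("sbs2003", "192.168.20.10", gateway=ROUTER_SERVER_SIDE)
sbs_no_return = Host("sbs2003-noroute", "192.168.20.10")
sbs_static = Host("sbs2003-static", "192.168.20.11",
                  static_routes={"192.168.10.0/24": ROUTER_SERVER_SIDE})

# Policy 1: 'isolate the servers' taken literally - nothing crosses the zones.
DENY_ALL = [("clients", "servers", "any", "any", "deny")]
# Policy 2: permit only the directory traffic, deny everything else.
AD_ONLY = ([("clients", "servers", proto, port, "allow") for _, proto, port in AD_FLOWS]
           + [("clients", "servers", "any", "any", "deny")])

if __name__ == "__main__":
    print("deny-all blocks:      ", blocked_flows(pc, sbs, DENY_ALL))
    print("AD allow-list blocks: ", blocked_flows(pc, sbs, AD_ONLY))
    print("no return route blocks:", blocked_flows(pc, sbs_no_return, AD_ONLY))
    print("static route blocks:  ", blocked_flows(pc, sbs_static, AD_ONLY))
```

    Run as a script, the deny-all policy blocks every flow a domain member
    needs, the AD allow-list lets all of them through, and a server with
    neither a default gateway nor a static route back to the client subnet
    fails every flow even though the firewall would permit it. That last case
    is the asymmetry Joe describes: the client side "works" because its
    default gateway covers everything, while the server side needs its own
    route. Any real deployment should also allow the remaining RPC dynamic
    range and, if DHCP is served from the DC, DHCP relay on the router.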