To use an External Router or not to use an External Router that is the question

Heelo All,

I am in the process of planning my first implementation of MS SBS 2003
Premium Edition.

Below is a summary of network related functionality required:

* Run MS Exchange as email server for the company
* Provide web access to Exchange email server
* Provide access to remote access to network resources using VPN over a
generic internet connection
* Provide remote IP access to servers of a third party application
sevice provider.

I am looking for thoughts from the members of the group as to which is the
better option with respect to the Internet connection. From what I can see
the two Internet connection options are:

1) Connecting a dual NIC server directly to internet (via ADSL modem in this
case) and use the firewall capabilities of SBS 2003 Premium Edition

OR

2) Connecting a Router/Switch/Firewall device to the internet and then have
a single NIC server running SBS 2003 Premium Edition connected to the
Router/Switch/Firewall device.

I have read that using option 2 means that it is not possible to use the
firewall functionality of MS SBS 2003. Are there any other drawbacks or
limitation of using this approach?

In short is it better to using an implementation that uses the ISA Firewall
included with MS SBS 2003 or is it better to use an external firewall and
forego the ISA functionality?

Thanks in advance to all who reply with comments.

Regards,
Steve

 

Or ... option three

Dual nic
External firewall/Router AND ISA 2000

Why? Because I prefer the reporting that ISA 2000 has, the control it
provides but I like to have another firewall/router on the outside that
limits the log file traffic to only those ports I want open.

You just use the router and forward the ports to the "external" nic of
the SBS 2003.

Susan

 

You then also benefit from the cache functions of ISA 2000.

Gordon

 

Hi Steve

I endorse Susan on this completely! See
http://www.smallbizserver.net/Default.aspx?tabid=52

Frank McCallister

 

The issue I have here is that I hate putting all functions (Exchange
and ISA) onto one box, especially if it is a DC. Why go to that extra
trouble when a router will do what you want in most situations,
especially if it has a good rule based firewall?

Andrew.

 

Hi Andrew

But that is how SBS was designed to put all of that on one box for small
business applications. A router doesn't come close to providing the security
that ISA provides plus the additional performance gains on Internet access.
In addition you get administrative control of Workstations Internet access
by user groups that you can't get easily with a router and AD policy.

Frank

 

Most routers I see don't have as good of features, as good of a
community, as "beefy" of rulesets as ISA.

If the server goes down... your DNS is toast anyway... so you won't be
surfing the net.

Most folks that install a hardware firewall do not buy the equivalent
hardware version that it would take to replace ISA.

Add to that the loss of the two nic setup.... sorry it but it's not
extra trouble at all. IMHO it's more hassle for a single nic/hardware
firewall.

Close down the ports, only open what you need and if you are running
with local admin on those desktops, dude your security issues are on
those desktops, not on that server.