To use an External Router or not to use an External Router that is the question

Discussion in 'Windows Small Business Server' started by Steve Remington, Aug 22, 2004.

  1. Hello All,

    I am in the process of planning my first implementation of MS SBS 2003
    Premium Edition.

    Below is a summary of network related functionality required:

    * Run MS Exchange as email server for the company
    * Provide web access to Exchange email server
    * Provide remote access to network resources using VPN over a
    generic internet connection
    * Provide remote IP access to servers of a third party application
    service provider.

    I am looking for thoughts from the members of the group as to which is the
    better option with respect to the Internet connection. From what I can see
    the two Internet connection options are:

    1) Connecting a dual NIC server directly to internet (via ADSL modem in this
    case) and use the firewall capabilities of SBS 2003 Premium Edition

    OR

    2) Connecting a Router/Switch/Firewall device to the internet and then have
    a single NIC server running SBS 2003 Premium Edition connected to the
    Router/Switch/Firewall device.

    I have read that using option 2 means that it is not possible to use the
    firewall functionality of MS SBS 2003. Are there any other drawbacks or
    limitations of using this approach?

    In short, is it better to use an implementation that uses the ISA Firewall
    included with MS SBS 2003 or is it better to use an external firewall and
    forego the ISA functionality?

    Thanks in advance to all who reply with comments.

    Regards,
    Steve
     
    Steve Remington, Aug 22, 2004
    #1

  2. Or ... option three

    Dual nic
    External firewall/Router AND ISA 2000

    Why? Because I prefer the reporting that ISA 2000 has, the control it
    provides but I like to have another firewall/router on the outside that
    limits the log file traffic to only those ports I want open.

    You just use the router and forward the ports to the "external" nic of
    the SBS 2003.

    Susan
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Aug 22, 2004
    #2

  3. You then also benefit from the cache functions of ISA 2000.

    Gordon
     
    Gordon Ryan, Aug 22, 2004
    #3
  4. Frank McCallister, Aug 22, 2004
    #4
  5. The issue I have here is that I hate putting all functions (Exchange
    and ISA) onto one box, especially if it is a DC. Why go to that extra
    trouble when a router will do what you want in most situations,
    especially if it has a good rule based firewall?

    Andrew.
     
    Andrew Hodgson, Aug 22, 2004
    #5
  6. Hi Andrew

    But that is how SBS was designed: to put all of that on one box for small
    business applications. A router doesn't come close to providing the security
    that ISA provides plus the additional performance gains on Internet access.
    In addition you get administrative control of workstations' Internet access
    by user groups that you can't get easily with a router and AD policy.

    Frank
     
    Frank McCallister, Aug 22, 2004
    #6
  7. Most routers I see don't have as good of features, as good of a
    community, as "beefy" of rulesets as ISA.

    If the server goes down... your DNS is toast anyway... so you won't be
    surfing the net.

    Most folks that install a hardware firewall do not buy the equivalent
    hardware version that it would take to replace ISA.

    Add to that the loss of the two nic setup.... sorry, but it's not
    extra trouble at all. IMHO it's more hassle for a single nic/hardware
    firewall.

    Close down the ports, only open what you need and if you are running
    with local admin on those desktops, dude your security issues are on
    those desktops, not on that server.
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Aug 22, 2004
    #7