Opinion on topology for this setup


  • Opinion on topology for this setup

    I have a customer that hosts web sites. They have a web server and a DNS server. They also have a terminal server with proprietary software they rent out to clients. Finally, they have a couple of file servers and workstations.

    Everything is configured as a workgroup and a WatchGuard firewall/router directs ports to various boxes using 1:1 NAT. The customer wants to move to a domain and purchased Small Business Server 2003 R2.

    I am suggesting they put the web server on a DMZ they set up on the WatchGuard. Their DNS server will have to be on the WAN side and the WatchGuard only has one DMZ port. I have suggested they get a different DSL line in with another provider and hang their DNS server off of that.

    The SBS install can go as planned and SBS can still be the DNS server. I am not sure what to do with the stand-alone terminal server. Clients outside the LAN will access this. Should I hang this off the WAN too, or should I allow the clients access to it on the LAN, maybe through a VPN connection first?

    Any and all input appreciated.
    Network Engineers do IT under the desk

  • #2
    Re: Opinion on topology for this setup

    what model of watchguard is it?

    We've just upgraded from the series 3 to the X, and if you get the Pro licence you can use all 8 of the ports and configure them as you wish, so DMZs, multi-LAN, multi-ISP connections etc. are all easily configured. If you're on a series 3 they're doing some nice trade-in options too.
    This message represents the official view of the voices in my head



    • #3
      Re: Opinion on topology for this setup

      It's a Firebox X20e. WatchGuard thinks they do it better:

      "Some "DMZ" configurations place public servers outside a firewall and behind
      a WAN access router. In such configurations, you must rely on router packet
      filtering to protect your servers. Your Firebox can do a much better job
      protecting your public servers than WAN access routers can, and 1:1 NAT
      makes the task very easy."


      I am suggesting my customer hang their web server off the DMZ on the WatchGuard. I also suggested they bring in a second DSL service and hang their DNS server off that. Considering the proprietary use of the TS, I am suggesting they leave it on the LAN with 1:1 NAT, but leave it as a stand-alone TS so we do not have to change the licensing.

      Thanks,
      Network Engineers do IT under the desk



      • #4
        Re: Opinion on topology for this setup

        Just a question: why add a DNS server in the DMZ?
        I think it will be rather costly to add a second DSL line for a reason I can't follow yet.

        Maybe you should create a drawing of your wanted setup to see if it makes any sense.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: Opinion on topology for this setup

          External DNS servers which are publicly accessed are placed on the DMZ. The WatchGuard only has one DMZ port and we don't want Internet traffic on the LAN, even if it is only DNS packets.

          SBS 2003 has to be the DNS server for the LAN and is not going to work in a MASTER / MASTER relationship with another DNS server on the LAN.
          Network Engineers do IT under the desk



          • #6
            Re: Opinion on topology for this setup

            Hmmm, an own-hosted DNS server... For what? A few www records and an MX record?
            If it's a small company (which it looks like when you buy SBS), I would kick it out.... but that's me.
            I'd rather leave it with the ISP.
            But either way you don't need to add a second WAN link.
            I'm serving quite a few large customers and quite rarely do they have multiple WAN (Internet) links.

            And you are talking about Master/Master? What do you mean with that?

            Just keep it simple like this:

            Code:
            DSL --- firewall --- LAN
                          |
                          |---DMZ
            Last edited by Dumber; 18th December 2008, 23:09.
            Marcel



            • #7
              Re: Opinion on topology for this setup

              It's a web hosting company with hundreds of domains being hosted. Most web hosting companies host their own DNS. RFC best practice calls for two DNS servers, one being on a different network.

              I am trying to bring together three components: an SBS server for the LAN, an existing web hosting operation, and a hosted TS application.
              Network Engineers do IT under the desk



              • #8
                Re: Opinion on topology for this setup

                Ahhhh That wasn't in the info you posted earlier.
                Marcel



                • #9
                  Re: Opinion on topology for this setup

                  DNS redundancy is expressed as master/slave or multi-master (master/master). Because public DNS servers do not sit inside a company's LAN (which already has an internal DNS server), they take a role as MASTER.

                  The DNS server in an SBS network also plays the role of MASTER. When you suggested I place a public DNS server on the LAN, both DNS servers would hold a role as MASTER and could never co-exist.

                  I don't think I did a good job explaining what I am trying to accomplish, because we are not on the same page. I hope my last e-mail clarified things.

                  Thanks,
                  Network Engineers do IT under the desk



                  • #10
                    Re: Opinion on topology for this setup

                    What did I fail to explain originally?
                    Network Engineers do IT under the desk



                    • #11
                      Re: Opinion on topology for this setup

                      Well, I didn't know it was a hosting company, and now I can understand why they have external DNS servers available.

                      However, my simple drawing can still be valid, and you can place the external DNS servers in the DMZ. I'd rather let external users query DNS servers in the DMZ than in the private LAN. (However, the master/master thingie isn't an issue. They won't take precedence, and also clients only query the DNS servers you have given in the DHCP scope or in the TCP/IP properties.)

                      I think you should first have a look at how the load is on the Internet feed and the firewall.
                      If load is rather low and you look at possible growth, then you might go for the solution I provided earlier.
                      Marcel



                      • #12
                        Re: Opinion on topology for this setup

                        I thought about the DNS server on the DMZ, but the best I can determine, as long as the WatchGuard is in 'route' mode, I only have one DMZ port. I could move the DNS server to the hosting server and then bind the public IP addresses for the web server and the DNS server to the one NIC.

                        The customer in question hosts the DNS for a couple of other customers of mine. Their Internet went down on them several times on the weekend for a variety of reasons, and this wreaked havoc on my customers that are surgically attached to their BlackBerries.

                        This is another reason, and why it is considered a 'best practice', to have two DNS servers on different networks. I also made this suggestion earlier this year and I will push the idea again. In this case, we can run DNS on the web server and run a DNS server on the new server. These will have multi-master roles and the drawback is that changes to the DNS on one server will have to be updated on the other server.

                        Incidentally, I do not manage this network; they have their own in-house support person.

                        Thanks,
                        Network Engineers do IT under the desk
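The last post settles on two authoritative servers on different networks and accepts the multi-master drawback (every change has to be made twice). The BIND 9 zone configuration below is an added example, not something posted in this thread or shipped by WatchGuard or SBS; it shows the master/slave alternative the thread keeps circling, where the DMZ web host is the primary and the server on the second network is a secondary that pulls the zone by AXFR, so edits are made once. The zone name example.com and the addresses 192.0.2.53 (primary, on the DMZ) and 198.51.100.53 (secondary, on the second network) are placeholders from the RFC 5737 documentation ranges; file paths are assumed Debian-style defaults.

```conf
// ---- named.conf on the PRIMARY (DMZ host, assumed address 192.0.2.53) ----
options {
    directory "/var/cache/bind";
    // Authoritative-only: a public server in the DMZ must not recurse,
    // or it becomes an open resolver usable for amplification.
    recursion no;
    // Default-deny zone transfers; individual zones open them up below.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    // Only the secondary on the other network may pull the zone.
    allow-transfer { 198.51.100.53; };
    // Tell the secondary immediately when the SOA serial is bumped,
    // instead of waiting for its refresh timer.
    notify yes;
    also-notify { 198.51.100.53; };
};

// ---- named.conf on the SECONDARY (second network, assumed 198.51.100.53) ----
options {
    directory "/var/cache/bind";
    recursion no;
    allow-transfer { none; };
};

zone "example.com" {
    type slave;
    file "/var/cache/bind/db.example.com";   // cached copy written after each AXFR/IXFR
    masters { 192.0.2.53; };
    // Accept NOTIFY only from the real primary, not from anyone who can reach UDP/53.
    allow-notify { 192.0.2.53; };
};
```

With this split the zone file lives only on the primary; after each edit the SOA serial is incremented and `rndc reload example.com` (or a full `rndc reload`) makes the primary send NOTIFY and the secondary re-transfer. On the WatchGuard this needs TCP and UDP 53 from the Internet to both servers, plus TCP 53 from 198.51.100.53 to 192.0.2.53 for the transfer; nothing else needs to cross into the DMZ, and the LAN-side SBS DNS stays entirely separate, which is the point the thread reaches about keeping Internet DNS traffic off the LAN.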
