Firewall, Networking & Static Routes

[Matt85]

I have a complicated situation. I have a MS Small Business Server 2003 with 2 NIC cards. 1 card plugs into the LAN going switch on the company LAN, the other plugged into the firewall (Sonicwall TZ 170 LAN). The TZ ip is 192.168.0.1 so the IP to the server is 192.168.0.2. The Server is in NAT mode with router. LAN side after going through the server is 192.168.1.1 because it serves sharepoint services i need it to be like this. Ok thats just getting started. We have Mitel SX-200 ICP (VoIP PBX) that is on the same subnet 192.168.1.0. The IP of this system is 192.168.1.2. We have a teleworker server that must have COMPLETE access to the WAN so I put this other server in the DMZ port of the firewall because it must be in a full hardware DMZ not software emulated. The DMZ port is 192.168.2.1 the Teleworker server is 192.168.2.2 and this server must have complete access to WAN and to the LAN to connect to the PBX server that is 192.168.1.2. I believe I have it set up correctly in the firewall routing table since they are on different subnets I had to setup a static route of DEST 192.168.1.0 sub 255.255.255.0 gateway 192.168.0.2 (IP of Windows Server w/ NAT enabled) and when I run a diagnostic test on the teleworker server I get one way communication. Here is an IP recap:

Windows Server LAN (to switch) = 192.168.1.1
Windows Server WAN (to firewall LAN) = 192.168.0.2
Firewall (LAN)= 192.168.0.1
Firewall (DMZ)= 192.168.2.1
VoIP PBX = 192.168.1.2
Teleworker server = 192.168.2.2

DMZ is in NAT mode many to one with seperate public ip.
Teleworker server network config has the subnets 192.168.0.0 & 192.168.1.0 with gateway 192.168.2.1 set up as local networks. I also have a static route setup in the firewall so the firewall is correctly setup. The problem lies with windows because the NAT is enabled I imagine.

I have tried pinging 192.168.0.2 and got a response but don’t get a response on the other side of the server (192.168.1.1). I tried pinging 192.168.2.2 and got a response when I set up a static route one time but I don’t remember which one it was.
Do I need to set up a static route in windows server? I have tried many different routes but none seem to work. Any help is much appreciated!

Matthew McGowan
Reynolds Park

http://www.rpyc.info

 

[ShackDaddy]

Seems to me that you shouldn't need to NAT at all. If this was my network, I would hand off the entire firewall role to the SonicWall and run the SBS on a single NIC with a single IP bound to it. Then you wouldn't have to deal with the NAT issue.

I have built something close to what you are describing before for two clients on SBS, and in both situations I simplified their networks a couple of years later. A lot of the problem is that SBS doesn't work well with complexity outside of itself. It hides all sorts of interesting things (lots outside the scope of what you'd expect from the GUI) behind wizards, and once you introduce complexity it didn't expect, you can never use the wizards again without breaking what you built. When you are in the enterprise environment, it's different, and you can configure a standard Windows 2003 or RedHat server to do exactly what you want, for the most part. All this to say: because you've got SBS, I'd keep the environment simple.

Are you running ISA on your server? If so, that would give you more control.

ShackDaddy

 

[Matt85]

I do not have ISA but will sharepoint services my e-mail and remote web workplace work if I don't have it in NAT mode with 2 Nic cards or will it work with just one? I also want to leave our network on the 192.168.1.0 subnet so should I change the firewall subnet if I want to use 1 NIC card if it will work? But as for static routes is there no way around what I already have?

Matthew McGowan
Reynolds Park

http://www.rpyc.info

 

[ShackDaddy]

Yes, they will work. I've built at least 20 similar servers with a single NIC without any trouble to speak of. You do get a popup when running the Internet Connect Wizard that lets you know that it would be nice to have a second NIC, but that's the only trouble you'll have. No issues with SharePoint or RWW. Just rerun the wizard for remote access once you've done re-ip'ing the server.

Yes, you'd want to change the firewall subnet to 192.168.1.0.

Your problem isn't a routing issue per se, it's a NAT issue that makes certain types of connections unroutable. There's no reason in your case to NAT between two internal subnets. There's also not a lot of great reasons to route at all between internal subnets, NAT or not. I just wouldn't host any HTTP services from internal servers. HTTPS is probably ok.

 

[Matt85]

Ok I just switched it and everything was working fine but now my firewall is saying that there are too many ip addresses and that it only supports 10! That doesn't seem to make sense on their part to charge by how many users are on the system when i can just put another nat and use only one and still be protected just as well. Is this the only why to make it work? I have at least 30 ip addresses on our system.

Matthew McGowan
Reynolds Park

http://www.rpyc.info

 

[ShackDaddy]

Well, the first thing you said was that you had a complicated situation. For a simple situation, you can pay around $300 and get license compliant. What's your time worth? What's simplicity worth?

The fact is, having more than one layer of NAT sucks, but if you'd endure it (and the things that won't work because of it) for another couple of years to save $300, there you are.

ShackDaddy

 

[TechSoEasyMVP]

I'm sorry that I came into this after you've switched things around Matt, because I wouldn't have recommended going to a single NIC. I also don't think that having double-NAT with SBS sucks... it's how the product is designed.

There's a very good example of a Two NIC configuration here:

http://sbsurl.com/twonics

The Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email) handles the entire configuration for you (and for ShackDaddy... the wizards are just scripts... they don't really hide too much because the last screen shows what is going to be modified, and you can always look up the logs in C:\Program Files\Microsoft Windows Small Business Server\Support to see exactly what they do. In an Enterprise environment, you would never put what's in an SBS in the same box... and the only way to keep it synchronized is to use the wizards... or build it the enterprise way and spend thousands of dollars more).

So, Matt... My suggestion would be that you keep your SBS Network separate from the VOIP and Teleworker servers. I think the fact that you've placed the VOIP server in the 192.168.1.x subnet is part of your problem. If it were me, I'd put both the VOIP and Teleworker servers in the 192.168.0.x subnet so that they can still communicate directly with and through the SBS but do not interfere with SBS's control of it's network.

One other thing I'd suggest is that you don't use the current IP subnets that you've chosen for your network. 192.168.1.x and 192.168.0.x (as well as 192.168.2.x) are very common subnets that may be in use by your Teleworkers on their own home networks. This could easily cause a conflict in their connections to you. The recommended subnet for your internal LAN is 192.168.16.x, and I usually use 192.168.15.x for my router's LAN subnet.

Jeff
TechSoEasy