Setting up firewall appliance, WAP, and SBS 2003

victorl

IS-IT--Management
Oct 16, 2006
5
US
I understand that SBS 2003 is intended to work in a certain way, as either a firewall or behind one, but we are a small company, and I have to manage this myself, and am a little confused on how to set this up.

We have been using SBS 2003 for a couple of years behind a firewall appliance. We've had the firewall product since before the SBS, and like how well it works. The SBS server only had one LAN interface, and therefore had its firewall turned off.

Now, I want to add a wireless router to the whole thing, but wanted to place it between the firewall and the SBS, and activate the SBS firewall. This seemed like a good idea since 1) it would require wireless clients to use VPN to access the network behind SBS, and 2) keep my wireless clients behind a firewall, giving some protection.

Is this a supported scenario for SBS 2003? I installed a second NIC, and was hoping to be able to get this to work. However, I couldn't, and now that I think about it, I had both NICs on the same subnet (192.168.1.x)

If I were to keep the LAN side NIC to that subnet, and then change the "ISP" side to 192.168.0.x, would this work? How would I have to configure the SBS to allow traffic from behind the 192.168.1.x subnet to get through to the Internet? Previously, we had them go through the firewall, but it seems that with the new setup, we'd have to have all the client computers go through the SBS's 192.168.1.x address. Am I doing this right?

Thanks,

victorl
 
Yes.. your client PCs on 192.168.1.x would access the net via the SBS. The SBS would be online with the 192.168.0.x (Just make sure and change the IP address of the router to be 192.168.0.x).

To set it up, just run the "Connect to the Internet" wizard in Server Management > To Do List. It will ask if you've got 2 NICs etc... and set it all up for you.

Thanks

Kev
 
p.s.

Once it's set up like this, Routing & Remote Access will control the firewall. To open TCP/UDP ports (for VPN for example)... go to:

Administrative Tools >
Routing and Remote Access >
ServerName >
IP Routing >
NAT/Basic Firewall >
Right-Click on your Internet NIC LAN >
Properties >
Services & Ports Tab >

Thanks
 
Dotobi,

Thanks for your help. It makes sense, and I wasn't thinking about needing the two different subnets.

Will I have to set up the server to go through my firewall appliance for external traffic, or does the SBS figure that all out automatically?

Thanks again. I'll try this out during the weekend.

Victor
 
The "Connect to the Internet" wizard detects some firewall/router models (it detected my Netgear DG834g) and offers the ability to configure the device for you (provided UPnP is enabled on the firewall/router). However, I have not tested this myself. I manually forwarded any ports I wanted to be open from the firewall/router to the server and had these ports open on the server too.

Using both the hardware firewall and the server's firewall just adds more security.

Thanks

Kev
 
Kev,

Sorry to keep bugging you, but I still haven't gotten it quite right. I can access the internet from behind the SBS which is behind my firewall, but I am having trouble with accessing the SBS's web services from my LAN. I can get to companyweb from the SBS itself, but not from another machine.

Here's my setup:

Firewall
IP: 192.168.0.2
Subnet mask: 255.255.254.0

SBS
Internet IP: 192.168.0.3
Subnet mask: 255.255.254.0
Default gateway: 192.168.0.2
DNS server: My ISP's DNS servers

LAN IP: 192.168.1.2
Subnet mask: 255.255.255.0
Default gateway: Not set because Windows says that it doesn't like gateways to span across different subnets.
DNS server: 192.168.0.2
WINS server: 192.168.1.2

It seems that the SBS can access itself at web and at 192.168.1.1, but from another computer, I get the following message:

tinyproxy 1.6.3
The page you requested was unavailable. The error code is listed below. In addition, the HTML file which has been configured as the page to be displayed when an error of this type was unavailable, with the error code 2 (No such file or directory). Please contact your administrator.
Unable to connect

I can access the internet just fine from the other computer (after repairing the DHCP connection for the new settings), I can access the file shares from the SBS, and can access the other machines in the LAN, but can't get to the company web.

What am I overlooking?

Thanks,

Victor
 
Victor,

Don't put the ISP's DNS in your NIC settings on your SBS server. Put the ISP's DNS in the Forwarders of your DNS (found in Administrative Tools). This might not solve the problems you are having with Companyweb on your wks.

regards,
akwong
 
Hey..

It seems that because you've got your DNS server set to 192.168.0.2 the workstations can't see it because they're not on that subnet.

The thing to check though is your DHCP server as this is what's kicking out all the IP addresses, DNS server addresses to the workstations.
Administrative Tools>
DHCP>
servername>
your 192.168.1.x scope>
Scope Options>
DNS Server> <<Set this to your server's LAN IP address "192.168.1.2"....

....Then as akwong mentions, put your ISP's DNS servers in the DNS forwarders:
Administrative Tools>
DNS>
Right-Click on ServerName and select properties>
Forwarders Tab> <<Enter your ISP's DNS IP addresses in the list.
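
A subnet sanity check for the two-NIC layout discussed in this thread, added here as an example and not part of any poster's reply: with the masks as posted, the Internet-side network (192.168.0.0/23) also covers the 192.168.1.x LAN, and the LAN NIC's DNS server sits outside the LAN subnet. The `ADJUSTED` values and all function names are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# NIC settings exactly as posted in the thread; the Internet NIC's DNS
# ("my ISP's DNS servers") has no addresses on the page, so it is left empty.
POSTED = {
    "internet": {"ip": "192.168.0.3", "mask": "255.255.254.0",
                 "gateway": "192.168.0.2", "dns": []},
    "lan": {"ip": "192.168.1.2", "mask": "255.255.255.0",
            "gateway": None, "dns": ["192.168.0.2"]},
}

# Constructed variant (assumption): /24 on the Internet side, and the LAN
# resolver pointed at the server's own LAN address as suggested in the replies.
ADJUSTED = {
    "internet": dict(POSTED["internet"], mask="255.255.255.0"),
    "lan": dict(POSTED["lan"], dns=["192.168.1.2"]),
}

def network_of(nic):
    """Return the IPv4 network an interface belongs to, from its IP and mask."""
    return ipaddress.ip_interface(f"{nic['ip']}/{nic['mask']}").network

def overlapping_nics(nics):
    """Pairs of NICs whose subnets overlap, which makes routing between them ambiguous."""
    return [(a, b) for (a, na), (b, nb) in combinations(nics.items(), 2)
            if network_of(na).overlaps(network_of(nb))]

def off_link_settings(nics):
    """Gateway or DNS addresses that are not on the NIC's own subnet."""
    findings = []
    for name, nic in nics.items():
        net = network_of(nic)
        targets = [("gateway", nic["gateway"])] + [("dns", d) for d in nic["dns"]]
        for kind, addr in targets:
            if addr and ipaddress.ip_address(addr) not in net:
                findings.append((name, kind, addr))
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("adjusted", ADJUSTED)):
        print(label, {n: str(network_of(c)) for n, c in cfg.items()})
        print("  overlapping NICs:", overlapping_nics(cfg))
        print("  off-link gateway/DNS:", off_link_settings(cfg))
```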
 
Dotobi, akwong, thanks for your help.

I did some more digging, and found that I overlooked one thing: not setting the Internet Options properly. I put 192.168.1.* and companyweb in the exclusion list for the firewall, which I did leave at 192.168.0.2, and almost everything seems to work.

The only issue that I've been able to find is that from the LAN, I can't access my firewall appliance at 192.168.0.2 at port 8000 from the LAN, only from the SBS. This port is necessary to access the administrative functions of the appliance. I configured the SBS firewall to allow TCP connections on port 8000, but that didn't seem to make any difference. I just get an access denied message. This isn't a huge issue, since I can still go to the administration site from the SBS, but it is annoying.

I did make sure that the DNS forward is set as you both mentioned.

Thanks again,

Victor
 
Don't suppose the firewall is set to only allow Admin Page access from the server's IP address only?
 