
The best way to setup a LAN with 2k3

Status
Not open for further replies.

Molenski

IS-IT--Management
Jan 24, 2002
288
DE
Hi there,

I'm installing a small LAN (about 40 PCs/1 2k3 DC/Multi-Role server/EPO server) and have been asked the best way to connect the server to the outside world to download WSUS updates and allow the Epo server to download updates.

We have a DSL connection coming on Monday and I'm a bit concerned about plugging this straight into the switch as I'm not sure about the security implications. At first, I only want three machines to access the Internet, the Server for updates, the Epo server (which is actually a workstation) and 1 workstation (XP). I was going to tie this down at the inbuilt firewall on the router and only allow these certain MAC addresses through.

My question/s is/are, would this be secure and would filtering the MAC addresses be the best way of disallowing the workstations access to the outside world? Also, would it be better to run WSUS on the Epo server (if it'll handle it) thereby negating the need for the DC to be hooked up to the net? These may be bone questions...the problem is, I've got quite a lot of experience rolling LANs out but they've never been connected outside and I want to do it as securely and cleanly as possible. I'm a 'LAN connecting to Internet' virgin!

Please be gentle with your replies! :)
 
A dedicated hardware firewall is greatly recommended.

WSUS and EPO aren't that resource intensive, and both could run on a single server (or even a high end workstation).

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
I would use another server and add a second domain controller for redundancy. DCs are not resource intensive either, and could probably run on the same single server/workstation that WSUS does.

Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
Hi there and thanks both for replying.

ACL, that's a good idea about the 2nd DC..I'll do that. Ta.

Sniper, unfortunately there's no chance of a hardware firewall...do you think it might help installing RRAS on the server and using the inbuilt MS Firewall?

Thanks once again.
 
Not anywhere as much as a hardware firewall. They aren't terribly expensive. You can get a Cisco ASA5505 for <$500.

IMHO, no server should be directly connected to the Internet, nor should traffic go from the Internet directly to an internal server without going through a proxy/reverse proxy.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
OK, thanks a lot for that, I'll have a chat with the guy who's running it and see what I can do. Cheers.
 
If you decide to add a second DC, I'd make it a Global Catalog as well as a DNS server.

I would also make sure you are doing, at the very least, system state backups on at least one of your domain controllers (preferably one that is a DNS server).

This will allow you to restore deleted objects/OUs/etc, though it is not entirely simple.

Here's some (ok, a lot) of info on backup/restore from Microsoft:



Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
OK, thanks a lot for that. Will have a look and take on board what you've said. I really appreciate your assistance.
 