

Joined on 01-13-2004
TechSoup Member
Hey all, I have a small office (15 computers). We started as a peer-to-peer setup and have never really left that formula. We have our "server" running Win 2k Server edition, and it has a RAID drive set up to serve all of our data. At this point we are running a VPN and an FTP server with it. I also have a mail server on another stand-alone box. We are not running a domain. We have a DSL line to share; it has a static IP. Our printers all have network cards. Right now our setup is as follows:
internet->DSL Modem->Router->Switch->To all Machines, servers and printers.
My question is how do I set this up in a more conventional setup, that is, with the server serving DSL to all the others. The server has 2 NIC cards. Seems to me it should be
internet->DSL Modem-> NIC1 of Server->NIC 2 of server ->switch-> all other machines
Where would the router fit in this? Does it make sense to switch to this? I ask because as of now, when connected to our VPN, I can only see the server that hosts the VPN, and it seems I will need to set up things like WINS and DNS internally to be able to see other machines.
I guess I learned how to network with domains on NT, but all is different now and I am feeling half lost. Is it worth having a domain for 15 machines? I know this is a very broad sort of post, but any and all help is awesome.
Thanks
Is your boss still looking to implement MS Exchange in the budget?


Joined on 01-13-2004
TechSoup Member
No, we found a multi-platform groupware solution that is not Exchange.


Joined on 06-09-2003
Davenport, Iowa USA


The answer to the direct question, without looking at all the ramifications of what you want to do:
The router (if you decide to use it) would go between the DSL modem and NIC1 of the server. You would disable DHCP and just use it as a pass-through device to connect the outside world to the server. The purpose of this would be to block all unused ports from even getting to the server and to mask the server's IP address via the NAT in the router. The benefit of this would be to provide an additional barrier to potential exploits of your server. If you connect the DSL modem directly to the server NIC, then you must ensure all unused services on the server are shut off and that only the services you use are available on the NIC1 port, because at that point your server is bellied right up to the Internet.
Another solution would be to get a router that does your VPN support, so the VPN is hosted off of your server; then you would have your full network visibility through the VPN.
Is there a reason you need more network visibility from the outside? It is a better practice to limit what is visible outside to only what is needed (nothing is permitted unless it is expressly allowed, instead of everything is permitted unless it is expressly denied).
Dave
I wanted to make this comment earlier, but here it is. There is nothing "un-traditional" about your setup. The only reason you would want to change it would probably be for the server to become the router.
:)


Joined on 01-13-2004
TechSoup Member
Thanks, Mike, I am aware it's not set up in a bad way per se; I just feel that maybe I need to conform in an effort to increase my abilities as times change. I guess I see that somehow this will turn into a domained network in a few years.
Dave, I agree with the need for as little visibility as possible. Part of what we do here is GIS. GIS is a VERY data-intensive operation. Due to running out of space on our 350 GB server, I had to set up another network storage machine to host our GIS data. This machine needs to be easily accessible to our GIS staff for work at home over the VPN. I am now considering trying to do the GIS work using Terminal Services; not sure if TS can handle such a heavy workload.
I liked the idea of VPN routers, but it seems to me we would need them on both ends, and, well, at this point I would rather not have to have all people change their routers at home to VPNs, although maybe not a terrible idea.
Thanks for all the suggestions.
As a general question along the same lines: do I have much to gain by actually having my server host my internal DNS, WINS, DHCP, etc.? Thanks in advance.
Nope.
leave it the way it is.
Routers should route and servers should serve. Once you start swapping roles, troubleshooting will drive you out of your mind.
oz


Joined on 06-09-2003
Davenport, Iowa USA


You can get VPN routers that host client PCs using VPN client software. In some cases the client software is free; in others you have to pay for each client. (As I recall, Cisco and Nortel are the former, SonicWall the latter.) In that connection your client loads the VPN software and connects through the tunnel of their existing home network; their home router just has to accept the port traffic (some firmware upgrades on very old home routers).
If you are running Microsoft servers with Active Directory, you have to have the internal server host DNS and WINS, and be prepared to struggle to convince the server not to host DHCP. If you turn DHCP off at the server, you have to configure your DHCP server to point to the Active Directory server for DNS, or you will have many weird problems connecting to internal network resources.
Contrary to Microsoft, Ozzie is correct: Routers Route and Servers Serve.
If you need to route the Internet through a device for proxy, monitoring, billing, control, or bandwidth allocation, do it on a separate box from your bread-and-butter server.
Dave


Joined on 06-09-2003
Davenport, Iowa USA


This probably isn't the best suggestion considering your GIS applications. How about mapping the NAS drives on the server so they're available as shares on the server?
TS is going to be your best bet to get the traffic down on the WAN links.
Dave


Joined on 07-20-2005
Hartford, CT


If you do TS, do an analysis on memory requirements first and make sure the applications you use don't give you issues with it. You can download an eval copy of Windows Server 2003 and run Terminal Services on it to demo the software you use and see how capable a solution that would actually be. Make sure you get about 5 sessions running on the test server using the same software before you make a decision on it. We had an issue implementing a custom software that was recently developed with .NET in a terminal server environment; it was initially a nightmare and a resource hog.