Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25
  1. #11
    Untangler
    Join Date
    Apr 2010
    Posts
    50


    Testing response. None of my responses are appearing due to the moderator review requirement; I wanted to make sure everything is okay.

    I did enter them in quick reply.

    I've written two versions of what I am attempting to deploy and a verbal description of the network. Can someone check on this for me?
    Last edited by Archness; 09-07-2011 at 06:36 PM. Reason: adding content

  2. #12
    Master Untangler
    Join Date
    Aug 2011
    Location
    Buckhannon, WV
    Posts
    121


    By default, as long as you don't use the firewall module with a default rule of block, all traffic will flow between LAN 1 and LAN 2 unrestricted. By default, the traffic between the LANs is processed by the modules in your Untangle racks which is often not what you want with traffic simply flowing between two LANs. Bypass rules and firewall rules are completely different. Firewall rules restrict packet flow and the default even with the firewall module is to allow all traffic. Bypass rules define traffic that you don't wish to be scanned by the modules in your racks. Bypassing traffic between the LANs is usually what you want if you don't want to overwhelm your CPU.

    You probably don't want all the services that you list above open to the world. Exchange, file sharing, and RDP are best kept behind a VPN. You can choose to either use the PPTP VPN that you mention above or use Untangle's OpenVPN.

    Just out of curiosity regarding your setup:

    Do you have an existing Windows domain in LAN 1? Are the PCs in LAN 1 joined to this domain?

    Are you planning to have client PCs in LAN 2 joined to the SBS domain?

    I'm just trying to figure out the reasoning behind this setup. I'm sure that I'm not alone.

  3. #13
    Master Untangler
    Join Date
    Aug 2011
    Location
    Buckhannon, WV
    Posts
    121


    One additional note, you can use port 443 to access Exchange from the Internet. Both Outlook Web Access and RPC over HTTPS operate over 443 and they are designed for Internet use.

  4. #14
    Untangler
    Join Date
    Apr 2010
    Posts
    50


    Thanks for the help. I should have made some corrections in that services list; RDP and file sharing will not be open to the world. I am looking at using Exchange Anywhere for the external Exchange services.

    There is no DC in LAN1. LAN1 is a smattering of workstations and servers, some of which are for isolated testing. I want SBS on its own LAN so that if I do want to set up a network with it, there won't be much of an issue with the machines I want isolated.

    Basically, I didn't want to have to rebuild LAN1 around the SBS, just have it work, so I'm putting it in LAN2.

    So based on the remote access features, all I should have to do for external access to the server is set up 443 and/or the PPTP VPN and I have Exchange. The issue I foresee being a problem is that SBS servers run a web portal on 443 by default.

    Glad to know I am on the right track with this. I'll be setting it up tomorrow night so we shall see how it goes.

    Thanks,
    -Arch

  5. #15
    Master Untangler
    Join Date
    Aug 2011
    Location
    Buckhannon, WV
    Posts
    121


    SBS by default works all of that out. Port 443 is overloaded with Remote Web Workplace, SharePoint, OWA, Outlook Anywhere, and maybe something else that isn't coming to mind.

    If there is no DC in LAN1 then you could conceivably combine the LANs without issues. You only have to join the workstations to the domain that you wish to be joined. It is not true that SBS needs to be DHCP by default for communication to happen. The service that clients must get from SBS, and this is true of all Windows domain members, is DNS. You could disable the DHCP service on the SBS server and continue to use your existing DHCP infrastructure or simply modify the SBS DHCP scope to your liking and use that. You will want to just use the SBS DNS server and set it as DNS in your DHCP server. Also set up a forwarder in the SBS DNS server to the existing DNS servers in LAN1. That way clients can still access the domain DNS entries and you don't have to transfer any other internal domain names to the SBS DNS server. In this way your DNS resolution would work as before but with Windows domain entries residing on SBS.

    If you really want an isolated network then more power to you but just know that in your case you can make everything work pretty well as a single subnet.

  6. #16
    Untangler
    Join Date
    Apr 2010
    Posts
    50


    The other issue is that I don't want SBS to be the DNS. I want it to be a standalone server. 75% of the access to the server will be remote access, so I have no need to rebuild the internal network for 25% of the use of a single box.

  7. #17
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,958


    If you're using SBS, it's a DC, that requires you to use that SBS box as DNS to resolve names for that domain.

    This is one of the larger integration issues you're going to have to tackle.

    What I would do is configure the DNS servers already supporting that LAN to forward requests for the SBS's domain to the SBS for resolution.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
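Added example, written for this page and not taken from any of the posters, Untangle, or Microsoft: the two DNS arrangements described in post #15 (LAN1 clients use the SBS DNS, which forwards everything else to the existing LAN1 DNS) and post #17 (the existing LAN1 DNS forwards only the SBS domain to the SBS) as PowerShell, plus a check that both name spaces resolve through whichever server the clients end up using. It assumes the DnsServer and DhcpServer modules (Windows Server 2012 or later; SBS 2011 runs on 2008 R2 and only has dnscmd, so the equivalents are given in comments) and hypothetical addresses and zone names: SBS at 192.168.2.10 in LAN2 with AD domain sbs.local, the existing LAN1 DNS at 192.168.1.2 serving lan1.local, and a LAN1 DHCP scope of 192.168.1.0. Replace every one of those with your own.

```powershell
# Added example for this thread, not the posters' configuration.
# All names and addresses below are hypothetical placeholders.
$SbsDomain = 'sbs.local'       # AD domain held by the SBS box in LAN2
$SbsDns    = '192.168.2.10'    # SBS is the only DNS authoritative for it
$Lan1Dns   = '192.168.1.2'     # existing DNS server in LAN1
$Lan1Zone  = 'lan1.local'      # existing internal zone served by LAN1 DNS
$Lan1Scope = '192.168.1.0'     # existing DHCP scope for LAN1 clients

# ---- Option A (post #15): run these on the SBS server ----
# SBS answers for sbs.local itself and forwards every other query to the
# LAN1 DNS, so LAN1 names keep resolving without moving any zones.
# 2008 R2 / SBS 2011 equivalent:  dnscmd /ResetForwarders 192.168.1.2
Add-DnsServerForwarder -IPAddress $Lan1Dns -PassThru

# Run this on the LAN1 DHCP server: hand out the SBS DNS to LAN1 clients.
# (Disable the SBS DHCP scope, or scope it to LAN2 only, so there is no
# second DHCP server answering on LAN1.)
Set-DhcpServerv4OptionValue -ScopeId $Lan1Scope -DnsServer $SbsDns

# ---- Option B (post #17): run this on the existing LAN1 DNS server ----
# Conditional forwarder: only queries under sbs.local (including the
# _msdcs.sbs.local service records) go to the SBS; everything else is
# unchanged. Clients keep using the LAN1 DNS they already use.
# 2008 R2 equivalent:  dnscmd /ZoneAdd sbs.local /Forwarder 192.168.2.10
Add-DnsServerConditionalForwarderZone -Name $SbsDomain -MasterServers $SbsDns

# ---- Check from a client in either LAN ----
function Test-SbsDnsPath {
    param([Parameter(Mandatory)][string]$Resolver)
    # Domain members find their DC through this SRV record. If it resolves
    # via $Resolver AND a LAN1 name still resolves, the forwarding path is
    # complete in that direction. Both calls throw on NXDOMAIN or timeout.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$SbsDomain" `
                           -Type SRV -Server $Resolver -ErrorAction Stop
    $a   = Resolve-DnsName -Name "www.$Lan1Zone" `
                           -Type A -Server $Resolver -ErrorAction Stop
    [pscustomobject]@{
        Resolver   = $Resolver
        DcTarget   = $srv.NameTarget     # should be the SBS host name
        Lan1Answer = $a.IPAddress        # should be the LAN1 address
    }
}

Test-SbsDnsPath -Resolver $SbsDns    # Option A: SBS resolves both zones
Test-SbsDnsPath -Resolver $Lan1Dns   # Option B: LAN1 DNS resolves both zones
```

Either option needs DNS (UDP and TCP 53) to pass between LAN1 and LAN2 through Untangle in the direction of the forwarder, so if the check fails with a timeout rather than NXDOMAIN, look at the firewall rules between the two LANs before looking at the zone configuration. Option B is the smaller change: LAN1 clients keep their current resolver, and the SBS still uses itself for DNS as post #19 requires, because it has to resolve its own domain to authenticate anything.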

  8. #18
    Untangler
    Join Date
    Apr 2010
    Posts
    50


    The SBS will be in a LAN by itself so I don't have to fight with it. 90% of the connections to it will be via port 443.

  9. #19
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,958


    Fair enough, but you still need it to be able to authenticate domain resources otherwise nothing will work. Which means the SBS box at least will have to use itself for DNS.

    Also with no trusts, you're duplicating names and passwords... but I assume you know that?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #20
    Untangler
    Join Date
    Apr 2010
    Posts
    50


    Yes I know that but this system will have its own set of users separate from the other network.

    I know it seems odd or silly, but it's easier for me this way.

    Thanks for the help guys I'm bringing it online right now. We shall see how it goes.
