Question about my network setup - please comment

PeeluckyDuckee

Diamond Member
Feb 21, 2001
4,464
0
0
I have a wireless cable/DSL switch to which all my DC, member server, and client workstations are connected. Ideally, I wanted to have two separate private subnets and not have any of the DC/workstations connect directly to the switch. My DSL PPPoE software isn't playing nice when I attach it to the ISA server (member server) that has more than one NIC. The requests get sent to and from both NICs, and it just seems to stall, and replies to requests don't go across the proper link.

Anyhow, so for the moment, all workstations and the DC are connected to the same switch, under the same 192.168.1.x subnet. This doesn't seem like the best topology for security. I wish to have all internet requests (HTTP, Exchange (SMTP), FTP) go through the ISA server first.

All DCs and workstations have the ISA firewall client installed. It can't be bypassed by modifying IE properties since I have that locked down with a GPO right now. But my question is, how vulnerable are the DC/workstations from outside the LAN?

Also, an update on the Exchange 2000 situation. Did a reinstall of Exchange 2000 but still didn't see the proper tabs in ADUC or the ability to create mailboxes for users. I left it for a while, then went back to it (about a day or two later), and voila, it's all there again. Is this a similar situation to what happens when you first do a dcpromo on a machine and have to wait a while till the 4 folders in the DNS forward lookup zone slowly begin to appear?

Thx.
Plucky

JustinLerner

Senior member
Mar 15, 2002
425
0
0
Peelucky, you ought to know how to do this. Your first security assumption is correct: separate subnets are better for security.

Separate your LAN and WAN connections into separate subnets/networks. Include only one ISA server WAN NIC IP address in the same subnet with your DSL service modem or 'proxy' server. You ought to know how to set up your ISA server to force all traffic through the ISA server. Set all LAN clients and NICs (except for one ISA NIC to be used as the WAN NIC) to get dynamic private addresses from your local DC, and make sure the LAN private subnet range is a different subnet/network than the private subnet set or used by your DSL modem and the second ISA NIC for WAN or Internet inbound/outbound traffic.

The problem would seem to be your ISA client/server setup and addressing if traffic is not being proxied through the ISA server.

There is no reason not to directly connect your ISA WAN/NIC to the DSL modem with a crossover cable, since the DSL is never going to be as fast as 100Mbps anyhow. First I would test the ISA with all clients and NIC's attached to the switch, then directly connect the ISA WAN/NIC to the DSL modem with crossover. This would ensure the greatest security without any significant loss of performance except the loss of full duplex traffic on the 100Mbps link (like I said, it should not really be significant, since your DSL connection is not likely to be anywhere near that speed.)

As for PPPoE, I don't know how this could/should affect your setup, but my thought is that it should primarily affect the DSL modem, not the network. Sorry, I don't have enough experience there.



PeeluckyDuckee

Question: the NIC that connects directly to the DSL modem, should I provide it with a specific IP address or not? Reason I ask is because whether I define an IP for it or not, it still works. But normally I give it a 192.168.1.x, point the default gateway to my external public IP address, and one DNS to the ISP and the other to my own internal DNS. Any issues here? With regards to pointing to my internal DNS server on the WAN NIC? When web/FTP requests hit me at the WAN NIC, the NIC can use both DNS servers to try to resolve those requests. Of course my internal DNS server knows where the resource is, so I'm thinking it is appropriate and necessary that it get hit with the request?

The ISA server would also be a router, utilizing the 2nd, internal LAN NIC. This NIC would be connected to my Linksys 4-port switch/router. The hardware router would have a separate subnet, of say, 172.16.x.x. There would be RIP routing between the two routers? Here's where I'm also a bit confused. I'm utilizing two routers, but I ask myself the question, why?? Is it necessary? Am I making things more complicated than they should be? I want to make use of the hardware router because it's an integrated WAP, plus I need my 802.11b laptop to be a part of the network.

So the DC and the workstations are on the 172 subnet. The Exchange server is on the 172 as well. For web/FTP, does it make a difference whether it's on the outer 192 subnet or internal? The AD-integrated DNS server is on the DC. I also have a standard secondary DNS server on the ISA server. Necessary?

DNS forwarders are not used. Should they be? Requests and responses are getting where they should be. So I'm thinking of the "if it's not broken, don't fix it" kinda deal and committing to simplicity.

I've studied CCNA and networking in general, but as you can see, I'm no expert and things are sometimes still confusing, and I don't know where they fit into the picture. Gonna switch over to cable soon and see if the problem with the two NICs still pops up. Wanted to switch a while ago; DSL is slow and flaky at the moment.


Thx VERY much on any help on this. :)

PeeluckyDuckee

A quick diagram:

cable modem (209.202.33.45)
=
=
=
ISA wan nic (192.168.1.x)
-----------------------------
ISA Server (web/ftp/router)
-----------------------------
ISA LAN nic (192.168.1.x)
=
=
=
Linksys 4-port router/switch WAP dsl/cable modem (172.16.x.x)
- (port 2) DC 172.16.x.x
- (port 3) Exchange/DHCP 172.16.x.x
- (port 4) Hub
- clients
- clients
- clients

- wireless laptop 172.16.x.x



Does the above look correct?
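The reply above says the two ISA NICs must sit on different subnets, and the diagram as drawn puts both of them in 192.168.1.x. The following checker, added here and not part of the thread, audits an addressing plan for exactly those two properties: every cable joins two addresses on one subnet, and no dual-homed host has overlapping NICs. The host parts of the addresses and the 192.168.2.0/24 range used in the corrected plan are constructed assumptions; the thread only gives 192.168.1.x and 172.16.x.x.

```python
import ipaddress

def iface(cidr):
    return ipaddress.ip_interface(cidr)

def check_links(links):
    """links: list of (name, cidr_a, cidr_b). The two ends of a cable must share
    one subnet, or the neighbours cannot reach each other without a route."""
    return [f"link {name}: {a} and {b} are not on the same subnet"
            for name, a, b in links if iface(a).network != iface(b).network]

def check_dual_homed(hosts):
    """hosts: dict name -> list of cidrs. A router's NICs must sit on distinct,
    non-overlapping subnets; if two NICs share a subnet the host may answer on
    either one, which is the stalled/misrouted behaviour the thread describes."""
    findings = []
    for host, cidrs in hosts.items():
        nets = [iface(c).network for c in cidrs]
        for i in range(len(nets)):
            for j in range(i + 1, len(nets)):
                if nets[i].overlaps(nets[j]):
                    findings.append(f"{host}: {cidrs[i]} and {cidrs[j]} overlap")
    return findings

def audit(plan):
    """Return all findings for a plan; an empty list means the plan is consistent."""
    return check_links(plan["links"]) + check_dual_homed(plan["hosts"])

# Plan 1: the diagram as posted. Host parts are constructed; the thread only
# gives 192.168.1.x for both ISA NICs and 172.16.x.x behind the Linksys.
AS_POSTED = {
    "hosts": {"ISA": ["192.168.1.2/24", "192.168.1.3/24"],
              "Linksys": ["192.168.1.4/24", "172.16.0.1/16"]},
    "links": [("isa-lan -> linksys-wan", "192.168.1.3/24", "192.168.1.4/24"),
              ("linksys-lan -> dc", "172.16.0.1/16", "172.16.0.10/16")],
}

# Plan 2: same topology, but the ISA LAN NIC and the Linksys WAN side moved to
# their own subnet (192.168.2.0/24 is an assumption), as the reply advises.
CORRECTED = {
    "hosts": {"ISA": ["192.168.1.2/24", "192.168.2.1/24"],
              "Linksys": ["192.168.2.2/24", "172.16.0.1/16"]},
    "links": [("isa-lan -> linksys-wan", "192.168.2.1/24", "192.168.2.2/24"),
              ("linksys-lan -> dc", "172.16.0.1/16", "172.16.0.10/16")],
}

if __name__ == "__main__":
    for label, plan in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label + ":", audit(plan) or "ok")
```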

PeeluckyDuckee

Clients accessing the internet through the ISA server slow to a crawl sometimes. At other times it seems decent. Did a test with only 2 clients and it was SLOW. Could the fact that I have only 512 MB of RAM on the ISA server affect performance? It's a P3-733 machine.

ADSL has been acting up for the past 3 weeks, that may have something to do with it as well. But we did have a tech fellow from the ISP come and touch up on the phone line. Will know if this is the culprit once I switch to cable within the next 2 weeks.

A side question, if I want to use cable internet, is it a MUST that the ISP come do the install for me? Or can I choose to install it myself?

PeeluckyDuckee

Threw in another proc and am running SMP mode right now; client machines accessing the internet seem a bit faster. But I don't think that is the reason. It may very well be ADSL giving me lackluster performance every now and then. And yes, I also know that making your CPU faster won't make your internet go faster :p