Where to put my IIS WebServer?

Hello,

I need advice on proper placement of my webserver. Our webserver is multihomed. One interface has our public IP bound and the other one has an assigned IP on our internal network. Not sure why it was setup this way. The internal NIC has no gateway.... this makes administering this box from our corporate LAN very difficult. The server is a member server in our AD forest, but you can't add AD user accounts to the local administrators group, you can't browse the internal LAN very well..... there seems to be many little nit-pick operational problems....... Folks that know some history claim that adding the proper gateway on the internal NIC config... that this gateway will become the de facto gateway for the "whole box" and screws up the WEBSERVER; it becomes unreachable from the internet...... This gateway on the external port must always point to the ISP. Do we have a bad design implemented... any recommendations?

On 5/14/2009 6:52 AM, Dan DeCoursey wrote:
> I need advice on proper placement of my webserver. Our webserver is
> multihomed. One interface has our public IP bound and the other one
> has an assigned IP on our internal network.

Ok. Depending on the age of the box, this may have been typical for the time or the school of thought for the admin that made this design decision. Is the public interface in a DMZ / behind an upstream firewall? Aside from the security implications and the need for a firewall on the public interface, this is not entirely a bad config.

> Not sure why it was setup this way.

If the server was set up prior to common adoption of NAT or by an administrator with an older or anti-NAT school of thought, this would be one of the more obvious choices.

> the internal NIC has no gateway.... this makes administering this box
> from our corporate LAN very difficult

I take it that your corporate LAN has multiple subnets? Thus making the box such that it will only communicate with the internet and systems within the subnet that it is physically connected to.

> The server is a member server in our AD forest, but you can't add AD
> user accounts to the local administrators group, you can't browse the
> internal LAN very well..... there seems to be many little nit-pick
> operational problems.......

If you have a multi-subnet corporate LAN, this will indeed make things more complicated. Especially if you are not using bridge-head servers for AD replication to reach this box.

> folks that know some history claim that adding the proper gateway on
> the internal NIC config... that this gateway will become the de facto
> gateway for the "whole box" and screws up the WEBSERVER; it becomes
> unreachable from the internet...... this gateway on the external port
> must always point to the ISP

This is what I would expect. Just because you have to use your ISP's router as the box's default gateway does not mean that you can't have routes to the rest of your network.

Open a command prompt and set up static (persistent) routes to the rest of your corporate LAN by way of the routers on the internal subnet that the server is connected to. I.e.:

    route add <network> mask <netmask> <gateway>

You can optionally set a metric and / or interface for the route. To make the route static / persistent across reboots add a "-p" between "route" and "add". As always you can get a complete description via "route /?" at the command line.

> do we have a bad design implemented... any recommendations?

I don't know that it is /bad/ per se, just not as common as it once was.

The main thing you have to worry about is how much of the server is exposed by being directly connected to the internet. Following that you want to worry about what could happen if someone does breach the server and if they can then use it as a stepping stone to get to the rest of your network.

I would make sure that this server is behind some sort of firewall. I would prefer a hardware firewall or something else that is separate from the system so that it cannot be changed / opened up / disabled if the system itself is breached. (This is the same problem with using any host based firewall.)

Grant. . . .
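The static-route approach Grant describes, as an added PowerShell example that is not part of the thread: it adds persistent routes for the internal subnets via the router on the internal NIC's subnet using route.exe (the page's own tool), then checks that the default route still points only at the ISP and that each internal route landed. All addresses and subnets are constructed placeholders; the Get-NetIPAddress / Get-NetRoute checks assume Windows 8 / Server 2012 or later (on an older box, inspect "route print" by hand instead).

```powershell
# Added example (not from the thread). All addresses below are constructed
# placeholders; replace them with the real internal router, NIC and subnets.
$InternalRouter  = '192.168.10.1'    # router on the subnet the internal NIC sits in
$InternalNicIP   = '192.168.10.20'   # the server's own internal NIC address
$IspGateway      = '203.0.113.1'     # ISP router; must stay the ONLY default gateway
$InternalSubnets = @(                # other corporate subnets reached via $InternalRouter
    @{ Network = '192.168.20.0'; Mask = '255.255.255.0' },
    @{ Network = '192.168.30.0'; Mask = '255.255.255.0' },
    @{ Network = '10.1.0.0';     Mask = '255.255.0.0'   }
)

# Interface index of the internal NIC, so the route is pinned to that interface
# and cannot be mis-bound to the public NIC (assumes the address is configured).
$ifIndex = (Get-NetIPAddress -IPAddress $InternalNicIP -AddressFamily IPv4).InterfaceIndex

foreach ($s in $InternalSubnets) {
    # "-p" between "route" and "add" makes the route persistent across reboots,
    # exactly as the reply describes. No default gateway is touched here.
    route.exe -p add $s.Network mask $s.Mask $InternalRouter metric 1 if $ifIndex
}

# Check 1: there must still be exactly one IPv4 default route, via the ISP.
# A second default route on the internal NIC is the failure mode that makes
# the web server unreachable from the internet.
$defaults = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4)
if ($defaults.Count -ne 1 -or $defaults[0].NextHop -ne $IspGateway) {
    Write-Warning "Default route is not solely via ${IspGateway}:`n$($defaults | Format-Table -AutoSize | Out-String)"
}

# Check 2: each internal subnet now has a route whose next hop is the internal router.
foreach ($s in $InternalSubnets) {
    # Convert the dotted mask to a prefix length by counting the 1-bits.
    $bits = ([IPAddress]$s.Mask).GetAddressBytes() | ForEach-Object { [Convert]::ToString($_, 2) }
    $prefixLen = (-join $bits).Replace('0', '').Length
    $prefix = "$($s.Network)/$prefixLen"
    $r = Get-NetRoute -DestinationPrefix $prefix -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if (-not $r -or $r.NextHop -ne $InternalRouter) {
        Write-Warning "Route for $prefix is missing or does not go via $InternalRouter"
    } else {
        Write-Output "OK: $prefix via $InternalRouter on interface $ifIndex"
    }
}
```

Run it from an elevated prompt; route.exe refuses to add routes otherwise.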