SBS 2008 Remote Web Access
Hello, I have a network question. I'm trying to add a second NIC to a server running SBS 2008 so that Remote Web Access can be directed through a DMZ on a separate subnet from the primary NIC. Has anyone had any luck with this? Does it cause any issues with SBS operations on the "Companyweb" SharePoint site?

Edge: Cisco IOS-based firewall, NAT. The DMZ VLAN will attach directly to this router.
Distribution/Access: Routing and switching here handles voice and data traffic. The SBS server is directly attached to the data VLAN subnet. The new NIC will need to attach to the DMZ VLAN on the edge. Simple enough.

My main concern is that this is in production and I have no way to lab it first. I thought I would check here first to see if anyone has had any issues, and to guide me if needed.

PS. What SSL ports do I need to open on the edge router into the DMZ? I read 80, 447, 987, I think.

Thanks a bunch,
Matt
September 27th, 2009 9:03am

Hi,

SBS 2k8 does not support multihoming; more specifically, the wizards do not support this. They will always disable all other NICs and revert you back to a single-NIC setup. You would be able to configure it manually, but the scenario is not supported and you are assumed to have only a single-NIC setup inside the LAN. I would rather give up on that idea than have repeated problems when MS releases any patches or updates and the wizards are triggered, destroying your manual config.

It is always quite complicated to have multihomed DCs anyway, and not a best practice. Also, it wouldn't bring you any better security to expose the DC into the DMZ; the result from a security point of view is just the same as having it with a single NIC inside.

Simply said: you can do it, but you will have problems later.

ondrej.
September 27th, 2009 9:19am

Thanks, Ondrej. Do you have any workarounds for this issue? Can I redirect the Remote Web Access traffic to a server inside the DMZ that will redirect to the SBS? I know that there has got to be a way to do it. What about Hyper-V? Is it possible to configure a second instance and use the second NIC? I would then redirect back to SBS. I am a Cisco network guy just learning servers. Just thoughts, please bounce them back.

As far as the DMZ goes, my understanding is that the only security issue would be from the three open ports, but I see what you mean about the DC inside the DMZ VLAN. The server does not know which subnet is correct and will act as DC for both networks, making it exposed.

Thanks, and I appreciate it.
Matt
September 27th, 2009 10:20am

Yes, you could redirect the traffic to a DMZ web server/proxy, ideally ISA Server. But why would you do it? You probably have an ASA, don't you? Then why not use it as a reverse web proxy with its own SSL certificate, decrypting all the traffic, inspecting it and only then forwarding it inside directly to the SBS. With this solution, you would have two firewalls in the path of the packets: the full-featured application inspection on the Cisco, the other in the form of Windows Firewall, which is a solid TCP/UDP/IP firewall. What additional security would you achieve with the DMZ web server?

SBS's primary goal is to provide server services for small businesses at a very cheap price. If you have the Cisco appliance, this was probably at least twice (if only :-)) as expensive as the OEM SBS OS that you probably deployed. You could as well have Windows Essential Business Server, which would be a more flexible solution, still providing 3-5 discounted server operating systems, counting ISA Server as well.

Anyway, all the web services on SBS are running on 443 TCP except for SharePoint Services (which may not be required by your users), which occupy port 987 TCP (normal HTTPS on that port, just different to make it simple with the single IP address assumed in small businesses). If you also enable TCP 80, there is an HTTP redirect sent from SBS to provide users with a simple experience, but it is not necessary if the users are willing to type httpS :-)

o.
September 27th, 2009 12:19pm
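As an added illustration (not from the thread and not from either poster), here is what the single-NIC design described above looks like on an IOS-based edge router: the SBS box stays on the data VLAN, only TCP 443, 987 and 80 are forwarded to it, and everything else the DC listens on stays unreachable from the outside. The interface names (FastEthernet4, Vlan100), the RFC 5737 public address 203.0.113.10 and the inside address 192.168.10.5 are assumptions; substitute the real topology. Note that IOS evaluates the inbound ACL on the outside interface before it performs the outside-to-inside NAT translation, so the ACL matches on the public address, not on the SBS host.

```cisco
! Added example, not from the thread. Assumed values: outside interface
! FastEthernet4 with static public address 203.0.113.10, SBS 2008 on the
! data VLAN (Vlan100) at 192.168.10.5.
!
! Stateful inspection (CBAC) lets replies to sessions started from inside
! back in without a wide-open "permit tcp any any established" rule.
ip inspect name SBS-FW tcp
ip inspect name SBS-FW udp
ip inspect name SBS-FW icmp
!
! Forward only the three Remote Web Workplace / Companyweb ports to SBS.
! AD, SMB, RPC and RDP on the DC remain unreachable from the Internet.
ip nat inside source static tcp 192.168.10.5 443 203.0.113.10 443 extendable
ip nat inside source static tcp 192.168.10.5 987 203.0.113.10 987 extendable
ip nat inside source static tcp 192.168.10.5 80  203.0.113.10 80  extendable
!
! Inbound ACL on the outside interface. It is checked before the
! outside-to-inside translation, so it must match the public address.
ip access-list extended OUTSIDE-IN
 remark Remote Web Workplace, OWA, RPC over HTTPS
 permit tcp any host 203.0.113.10 eq 443
 remark Companyweb (SharePoint); remove if users do not need it
 permit tcp any host 203.0.113.10 eq 987
 remark HTTP-to-HTTPS redirect only; optional
 permit tcp any host 203.0.113.10 eq 80
 deny   ip any any log
!
interface FastEthernet4
 description Outside / Internet
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect SBS-FW out
!
interface Vlan100
 description Data VLAN, SBS 2008 lives here (single NIC)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Checks after applying:
!   show ip nat translations        -> the three static entries are listed
!   show ip access-lists OUTSIDE-IN -> hit counts on the deny line show
!                                      what the outside is probing for
```

If SharePoint is not used, drop both the 987 NAT entry and its ACL line; the deny with `log` at the end of the ACL is what tells you whether anything is reaching the router for the DC's other services, which is the exposure the second reply above warns about.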

This particular customer is using Cisco SMART products: UC500, no ASA. You are correct, an ASA 5510 would cost much more than SBS 2008.
September 27th, 2009 8:15pm
