2003 server in private ip vlan advice

 
 
chaz2bo
      08-15-2006, 02:03 PM
I'm being asked to implement several 2003r2 servers and put them in a
private ip address vlan. All clients are on public ip addresses. I'm
concerned that there are a lot of problems that will result from not putting
public ip addresses on them, for example no updates, ipsec problems.
Any pros / cons / advice will be greatly appreciated.
--
x
 
Michael Giorgio - MS MVP
      08-15-2006, 02:19 PM
What exactly was the purpose of giving them public addresses, e.g.,
web servers, remote access servers? You have nothing to be concerned
about. Give them private addresses and use NAT.

"chaz2bo" <(E-Mail Removed)> wrote in message news:
> I'm being asked to implement several 2003r2 servers and put them in a
> private ip address vlan. All clients are on public ip addresses. I'm
> concerned that there are a lot of problems that will result from not
> putting public ip addresses on them, for example no updates, ipsec problems.
> Any pros / cons / advice will be greatly appreciated.
> --
> x



 
chaz2bo
      08-15-2006, 02:23 PM
I'm new to MS Servers and don't have much time and no training. Doing it from
the books. I'm not familiar with how to implement NAT. I need to do it the
quickest / easiest way possible while paying attention to security. Thanks
--
x


"Michael Giorgio - MS MVP" wrote:

> What exactly was the purpose of giving them public addresses, e.g.,
> web servers, remote access servers? You have nothing to be concerned
> about. Give them private addresses and use NAT.
>
> "chaz2bo" <(E-Mail Removed)> wrote in message news:
> > I'm being asked to implement several 2003r2 servers and put them in a
> > private ip address vlan. All clients are on public ip addresses. I'm
> > concerned that there are a lot of problems that will result from not
> > putting public ip addresses on them, for example no updates, ipsec problems.
> > Any pros / cons / advice will be greatly appreciated.
> > --
> > x

Phillip Windell
      08-15-2006, 02:57 PM
You don't need NAT between the two segments.
Routing between the segments will work just fine in a closed environment.

The problem is that the Servers in the Private IP Segment will not be able
to access the Internet without NAT,...however the public IP Segment already
probably accesses the Internet directly without NAT because they are already
on the Internet to start with. But you can't put NAT between the two
Segments because it will isolate the server from the rest of the LAN.

So if you use NAT,...both the private and the public segments will have to
be behind the NAT device which means you will need an additional Public
Segment (new subnet) to put on the "outside" of the NAT device with the old
Public Segment behind the NAT device. This allows the Private and Public
segments to interact freely with each other and will allow them both to
access the Internet normally.

Running Public IP#s on a LAN is always a *disaster* and this is just another
demonstration of that.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



"chaz2bo" <(E-Mail Removed)> wrote in message
news:C707F1DA-1A66-4912-B0A4-(E-Mail Removed)...
> I'm new to MS Servers and don't have much time and no training. Doing it
> from the books. I'm not familiar with how to implement NAT. I need to do it
> the quickest / easiest way possible while paying attention to security. Thanks



 
Michael Giorgio - MS MVP
      08-15-2006, 04:11 PM
Just not enough information from the OP to give any advice. Not
sure why you are talking about routing between two segments
but you are correct. I assumed there is a firewall in between the
clients and the internet and if that's the case the firewall will handle
NAT.

"Phillip Windell" <@.> wrote in message news:
> You don't need NAT between the two segments.
> Routing between the segments will work just fine in a closed environment.
>
> The problem is that the Servers in the Private IP Segment will not be able
> to access the Internet without NAT,...however the public IP Segment
> already probably accesses the Internet directly without NAT because they are
> already on the Internet to start with. But you can't put NAT between the
> two Segments because it will isolate the server from the rest of the LAN.
>
> So if you use NAT,...both the private and the public segments will have to
> be behind the NAT device which means you will need an additional Public
> Segment (new subnet) to put on the "outside" of the NAT device with the
> old Public Segment behind the NAT device. This allows the Private and
> Public segments to interact freely with each other and will allow them
> both to access the Internet normally.
>
> Running Public IP#s on a LAN is always a *disaster* and this is just
> another demonstration of that.



 
Phillip Windell
      08-15-2006, 06:20 PM
"Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> Just not enough information from the OP to give any advice.


That is the case most of the time I am afraid :-)
Most will interpret the question differently from each other, so I just give
my idea of how I think it would be best and see where it goes from there.

> Not sure why you are talking about routing between two segments
> but you are correct. I assumed there is a firewall in between the
> clients and the internet and if that's the case the firewall will handle


If I understood correctly the LAN exists currently with a single segment
that runs with Public IP#s. So I suspect there is no NAT device currently.
The new servers are supposed to go on a "new" segment that runs Private IP#s
(Vlans or not Vlans, is irrelevant).

The problem is that they need to interact normally with the rest of the
existing LAN on the Public IP#s. That is no problem for a LAN Router that
would have to be put between them because it wouldn't care about Private vs
Public IP#s, it will treat them both the same. However the Internet access
becomes a problem for the Private segment. The Public segment is already
working with the Internet just fine, directly, without NAT,..but the Private
segment cannot work with the Internet without NAT, yet you can't put a NAT
device between the Segments without screwing up the two-way connectivity
between the segments.

So my solution is to place a NAT Device between the Internet and the entire
LAN,...effectively the Public segment would be treated as if it was Private
IP#s even though it really isn't. This would require an additional Public
Segment (that doesn't exist yet) to be on the "outside" of the NAT Device so
that the current Public IP#s can go behind the NAT Device as if they were
Private IP#s.

Now to me,...the solution is to stop using Public IP#s on a private LAN in
the first place and to design it the way it should be designed, but not
everyone has the stomach or the ambition to correct something like that.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------
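
The three layouts discussed in this thread (routing only, NAT between the two segments, NAT between the whole LAN and the Internet), modelled as an added example that is not code from any poster. The subnets 198.51.100.0/24 and 10.0.20.0/24, the Internet host 203.0.113.10 and the names `segment_of` and `flow_outcome` are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges are listed explicitly: ipaddress's is_private also flags
# the documentation ranges used below as stand-ins for real public space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addressing (assumption, not taken from the thread).
PUBLIC_SEG = ipaddress.ip_network("198.51.100.0/24")  # existing client LAN
PRIVATE_SEG = ipaddress.ip_network("10.0.20.0/24")    # new server segment


def segment_of(addr):
    """Name the LAN segment an address belongs to, or None for the Internet."""
    if addr in PUBLIC_SEG:
        return "public"
    if addr in PRIVATE_SEG:
        return "private"
    return None


def flow_outcome(src, dst, design):
    """How a new connection src -> dst is handled under one design.

    design is "route_only" (LAN router, no NAT), "nat_between" (NAT device
    between the two segments, servers inside) or "nat_at_edge" (LAN router
    between segments, NAT device between the whole LAN and the Internet).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s, d = segment_of(src), segment_of(dst)
    if s is None:
        return "not modelled: source outside the LAN"
    if d is not None:                      # traffic that stays on the LAN
        if s == d:
            return "local"
        if design == "nat_between":
            # Clients have no mapping to reach servers hidden behind the NAT.
            if s == "private":
                return "translated"
            return "blocked: no inbound mapping"
        return "routed"                    # a router ignores public vs private
    # Internet-bound traffic from here on.
    if design == "nat_at_edge" or (design == "nat_between" and s == "private"):
        return "translated"
    if any(src in net for net in RFC1918):
        return "unroutable: private source"
    return "direct"
```

The model covers only connections that start inside the LAN; inbound publishing through the NAT device is not represented.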



 
Michael Giorgio - MS MVP
      08-15-2006, 07:49 PM
I hear you. I guess I just can't imagine private computers
sitting on the public side in some sort of DMZ with minimal
security but who knows...

"Phillip Windell" <@.> wrote in message news:
> "Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote in
> message news:
> That is the case most of the time I am afraid :-)
> Most will interpret the question differently from each other, so I just
> give my idea of how I think it would be best and see where it goes from
> there.
>
>> Not sure why you are talking about routing between two segments
>> but you are correct. I assumed there is a firewall in between the
>> clients and the internet and if that's the case the firewall will handle

>
> If I understood correctly the LAN exists currently with a single segment
> that runs with Public IP#s. So I suspect there is no NAT device currently.
> The new servers are supposed to go on a "new" segment that runs Private
> IP#s (Vlans or not Vlans, is irrelevant).
>
> The problem is that they need to interact normally with the rest of the
> existing LAN on the Public IP#s. That is no problem for a LAN Router that
> would have to be put between them because it wouldn't care about Private
> vs Public IP#s, it will treat them both the same. However the Internet
> access becomes a problem for the Private segment. The Public segment is
> already working with the Internet just fine, directly, without NAT,..but
> the Private segment cannot work with the Internet without NAT, yet you
> can't put a NAT device between the Segments without screwing up the
> two-way connectivity between the segments.
>
> So my solution is to place a NAT Device between the Internet and the
> entire LAN,...effectively the Public segment would be treated as if it was
> Private IP#s even though it really isn't. This would require an additional
> Public Segment (that doesn't exist yet) to be on the "outside" of the NAT
> Device so that the current Public IP#s can go behind the NAT Device as if
> they were Private IP#s.
>
> Now to me,...the solution is to stop using Public IP#s on a private LAN in
> the first place and to design it the way it should be designed, but not
> everyone has the stomach or the ambition to correct something like that.