
I NEED HELP with some Real World Network design!!!!

 
 
Zegra1

 
      01-29-2008, 08:41 AM
Hi Life Savers

I’m new to “Real World” networking and HOPE to find some HELP here answering
some (stupid) questions.

I work in a company of about 30 users. We have 1 windows server 2003 as PDC
in Active directory domain. All clients are Windows XP Pro. The domain name
is (petra.local) I have the PDC server also configured as DNS for local use.
I use local IP addresses for LAN (100.100.100.X)

Now the company is growing…they want to add:
- One IIS Server that will host the company website (still under construction)
- One Exchange server
- One Firewall

Here is what I want to know:

1. How many Public IP addresses do we need? Will one public IP be enough for
the whole company? Can I subnet the public IP address to additional Public
IP addresses for the other servers Or do I need one Public IP for EACH of the
3 new servers (FW, Exchange, IIS)

2. If one IP address is enough, to which server I should assign it? To the
Firewall or
To the IIS

4. Regarding the Firewall: Is it better to use a Hardware FW or a Software
one?

5. If the ISP provide us with a Hardware Firewall and I also use a Windows
server 2003 as an additional Firewall with 2 NICs and set it up as NAT
server, How do I configure the IP address of the server to go through the ISP
Firewall.

6. Do I need to setup my own public DNS server or I can just rely on the ISP
for DNS services?


I REALLY appreciate your help guys

 
 
 
 
 
Nightlegend

 
      01-29-2008, 11:51 AM
> 1. How many Public IP addresses do we need? Will one public IP be enough for
> the whole company? Can I subnet the public IP address to additional Public
> IP addresses for the other servers Or do I need one Public IP for EACH of the
> 3 new servers (FW, Exchange, IIS)


-You need only one public IP for the whole company, although your ISP will
give you an IP set, for example 198.200.200.5 to 198.200.200.10

> 2. If one IP address is enough, to which server I should assign it? To the
> Firewall or
> To the IIS


-It should be assigned to the firewall.

> 4. Regarding the Firewall: Is it better to use a Hardware FW or a Software
> one?


-You can use ISA server 2004 or 2006 (Standard edition will be enough)

> 5. If the ISP provide us with a Hardware Firewall and I also use a
> Windows
> server 2003 as an additional Firewall with 2 NICs and set it up as NAT
> server, How do I configure the IP address of the server to go through the
> ISP
> Firewall.


-You will have to do that through the ADSL Router's control panel.

> 6. Do I need to setup my own public DNS server or I can just rely on the
> ISP
> for DNS services?


Your internal DNS server should be replication with your ISP's DNS server,
but all the clients including servers and excluding the DNS server should
use the Internal DNS server, they shouldn't be allowed to DNS outside the
local DNS server (you can set it up on the PDC server)

Best regards



 
 
Phillip Windell

 
      01-29-2008, 02:10 PM
"Zegra1" <(E-Mail Removed)> wrote in message
news:6D57EA5C-D2AD-48E9-BFBB-(E-Mail Removed)...
> I work in a company of about 30 users. We have 1 windows server 2003 as
> PDC
> in Active directory domain. All clients are Windows XP Pro. The domain
> name
> is (petra.local) I have the PDC server also configured as DNS for local
> use.
> I use local IP addresses for LAN (100.100.100.X)


That is not a valid RFC Private Address. Do not give us "fake"
numbers,...we have to make judgment calls based on what those numbers really
are,..."fake" numbers = bad/flawed advice.

> 1. How many Public IP addresses do we need? Will one public IP be enough
> for
> the whole company? Can I subnet the public IP address to additional
> Public
> IP addresses for the other servers Or do I need one Public IP for EACH of
> the
> 3 new servers (FW, Exchange, IIS)
>
> 2. If one IP address is enough, to which server I should assign it? To the
> Firewall or
> To the IIS


One IP number
....On the Firewall

> 4. Regarding the Firewall: Is it better to use a Hardware FW or a Software
> one?


All Firewalls run on software,...and all Firewalls running on software run
on hardware. The answer is,...there is no "real" difference, and it is
irrelevant. I use MS ISA Server and trust it totally,...you can buy it in
both "software" and in a "hardware" format.

> 5. If the ISP provide us with a Hardware Firewall and I also use a
> Windows
> server 2003 as an additional Firewall with 2 NICs and set it up as NAT
> server, How do I configure the IP address of the server to go through the
> ISP
> Firewall.


Get rid of one of them. I see no point in creating the excessive complexity
of a Back-to-Back DMZ unless you have the experience and skill to deal with
such and have a good valid reason for having one.

> 6. Do I need to setup my own public DNS server or I can just rely on the
> ISP
> for DNS services?


It's not "either/or".
Both are required.

All machines on the LAN (every last one of them) use the AD/DNS on the DC.
They should *never* use anything else anywhere. Then in the Config of the
AD/DNS you add the ISP's DNS to the Forwarders List. You can optionally
leave the list blank and the AD/DNS will use Root Hints.

Make sure the Firewall allows the AD/DNS machine to make outbound DNS
queries,...but the Firewall should *not* allow any other machine to do so in
order to weed out machines with "rogue" DNS entries.
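
An added example, not part of Phillip Windell's post: one way to check that the egress rule described above is actually in force is to scan firewall logs for DNS traffic leaving the LAN from any host other than the AD/DNS server. The LAN range, the DNS server address and the log layout are assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions, not from the thread: LAN range, AD/DNS address, log layout.
LAN = ipaddress.ip_network("192.168.1.0/24")
AD_DNS = ipaddress.ip_address("192.168.1.10")

# Constructed sample lines: "date time action proto src:port -> dst:port".
SAMPLE_LOG = """\
2008-01-29 14:02:11 ALLOW UDP 192.168.1.10:1041 -> 198.51.100.53:53
2008-01-29 14:02:15 ALLOW UDP 192.168.1.23:1049 -> 203.0.113.7:53
2008-01-29 14:02:16 DENY UDP 192.168.1.31:1050 -> 203.0.113.7:53
2008-01-29 14:02:19 ALLOW TCP 192.168.1.23:1188 -> 198.51.100.80:80
2008-01-29 14:02:20 ALLOW UDP 192.168.1.23:1051 -> 192.168.1.10:53
2008-01-29 14:03:02 ALLOW TCP 192.168.1.44:1200 -> 203.0.113.7:53
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def audit_dns_egress(log_text):
    """Return {client_ip: {"allowed": n, "denied": n}} for LAN hosts other
    than the AD/DNS server that sent DNS (port 53) to a resolver off the LAN."""
    findings = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["dport"] != "53":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # Skip the permitted resolver and queries that stay inside the LAN.
        if src not in LAN or dst in LAN or src == AD_DNS:
            continue
        key = "allowed" if m["action"] == "ALLOW" else "denied"
        findings[str(src)][key] += 1
    return dict(findings)


if __name__ == "__main__":
    for host, counts in sorted(audit_dns_egress(SAMPLE_LOG).items()):
        verdict = "firewall rule gap" if counts["allowed"] else "blocked; check client DNS settings"
        print(f"{host}: {counts} -> {verdict}")
```

An "allowed" hit means the firewall is letting a client bypass the internal DNS server; a "denied" hit means the rule works and has surfaced a machine whose DNS settings need correcting.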


 
 
Lanwench [MVP - Exchange]

 
      01-29-2008, 02:41 PM
Zegra1 <(E-Mail Removed)> wrote:
> Hi Life Savers
>


Hi - I replied, at some length, to your other post in
microsoft.public.windows.server.general. I'm quite sure that it was
inadvertent on your part, but it is quite frustrating to spend a lot of time
answering someone, just to find they've posted their identical message to
another group. This is essentially asking people to duplicate the efforts of
others.

In the future, please don't multipost - if you need to post to multiple
groups, it's best to crosspost instead, by posting a single message to a
handful of relevant groups (separate the NG names with commas) so that
everyone can follow the thread. Multiposting wastes everyone's time,
including yours, and may lead to your actually getting *less* help rather
than more.

You should also consider using a news client, such as Forte Agent,
Thunderbird, or even Outlook Express, rather than the pretty clunky web
interface to the newsgroups. It's a lot easier to do nearly everything that
way. You can mark messages to be watched, filter the views so you can see
replies to your posts easily, and search - and crossposting is easier.

The Microsoft public news server is msnews.microsoft.com and you can
subscribe to as many groups as you like; no authentication is required.

The following is from a post by MVP Malke ...

-------------------------------------------------------
Here's information on Usenet and using a newsreader:

http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief
explanation of newsgroups
http://michaelstevenstech.com/outlo...ssnewreader.htm
http://rickrogers.org/setupoe.htm
http://support.microsoft.com/defaul...wto/default.asp
- Set Up Newsreader

http://www.dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
http://aumha.org/nntp.htm - list of MS newsgroups
microsoft.public.test.here - MS group to test if your newsreader is
working properly
http://www.mailmsg.com/SPAM_munging.htm - how to munge email address
http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting vs.
crossposting

Some newsreaders for Windows
http://www.forteinc.com/agent/index.php - for Forte
http://www.mozilla.org (Thunderbird does newsgroups)
http://gravity.tbates.org/

-------------------------------------




 