
Setting up a simple network at a data center

 
 
Chris
Guest
Posts: n/a

 
      04-07-2008, 03:59 AM
I'm setting up a simple network for a non-profit organization, using two new
W2K3 Standard Edition servers that are hosted at a data center. The first
server will be a web server (IIS6) and the second server will run SQL
Server. Only the first server will be accessible to the outside world.

The Windows Firewall is active on both servers, with only the 'Remote
Desktop' exception (i.e., TCP 3389 to just my client's static IP address) and
the 'File and Printer Sharing' exception (i.e., UDP 137, UDP 138, TCP 139,
and TCP 445--all "My network (subnet) only") enabled. The servers are
members of the same workgroup but are in different subnets. Their subnet
mask is the same but their default gateway is different from one another.

I'm experiencing some basic connectivity issues between the two servers;
this is preventing me from proceeding. I'm attributing this to my lack of
experience in this kind of environment. Although the servers can ping one
another, they do not see each other in My Network Places > Microsoft Windows
Network > [Workgroup Name]. I was unable to see shares between the two
servers until I changed the TCP 139 setting on each server to "Custom list"
and specified the IP address of the other server. Once I made that change, I
was able to access the shares by entering a basic user account and password
that I set up on each server.

In order for the first server to access SQL Server on the second server,
user credentials will need to be established between the two servers. This
might necessitate creating--or be more wise to create--a domain. What
additional traffic (if any) do I need to allow/establish for that?

Ultimately, I'd like the servers to be as accessible to one another as
possible, while minimizing the risk from hackers. Without bogging this
message down with too many more details about what I'm trying to accomplish,
can anyone tell me whether I'm on the right track? Thanks!

 
 
 
 
 
Frankster
Guest
Posts: n/a

 
      04-07-2008, 04:26 AM

"Chris" <(E-Mail Removed)> wrote in message
news:BD26E093-05B8-4C5A-B096-(E-Mail Removed)...
> I'm setting up a simple network for a non-profit organization, using two
> new W2K3 Standard Edition servers that are hosted at a data center. The
> first server will be a web server (IIS6) and the second server will run
> SQL Server. Only the first server will be accessible to the outside world.
>
> The Windows Firewall is active on both servers, with only the 'Remote
> Desktop' exception (i.e., TCP 3389 to just my client's static IP address)
> and the 'File and Printer Sharing' exception (i.e., UDP 137, UDP 138, TCP
> 139, and TCP 445--all "My network (subnet) only") enabled. The servers are
> members of the same workgroup but are in different subnets. Their subnet
> mask is the same but their default gateway is different from one another.
>
> I'm experiencing some basic connectivity issues between the two servers;
> this is preventing me from proceeding. I'm attributing this to my lack
> of experience in this kind of environment. Although the servers can ping
> one another, they do not see each other in My Network Places > Microsoft
> Windows Network > [Workgroup Name]. I was unable to see shares between the
> two servers until I changed the TCP 139 setting on each server to "Custom
> list" and specified the IP address of the other server. Once I made that
> change, I was able to access the shares by entering a basic user account
> and password that I set up on each server.
>
> In order for the first server to access SQL Server on the second server,
> user credentials will need to be established between the two servers. This
> might necessitate creating--or be more wise to create--a domain. What
> additional traffic (if any) do I need to allow/establish for that?
>
> Ultimately, I'd like the servers to be as accessible to one another as
> possible, while minimizing the risk from hackers. Without bogging this
> message down with too many more details about what I'm trying to
> accomplish, can anyone tell me whether I'm on the right track? Thanks!


Two questions to help clarify your issues and what could be done about
them...

1) Why are your servers on different networks? Is there a good reason?

2) Why aren't you running a firewall in front of your servers so you would
not have to run "Windows Firewall" (which *requires* ICS to also be
running).

-Frank

 
 
Chris
Guest
Posts: n/a

 
      04-07-2008, 04:41 AM
Thanks, Frank. Sometimes the easiest answers are the hardest to see.

I'm not sure why the servers are on two different networks. Is that part of
the problem with what I'm experiencing? The servers are actually at a
hosting center. I'll check with my contact there to find out what it takes
to get them placed on the same network.

What kind of firewall do you suggest? The hosting company offers hardware
firewall protection, but it's an added expense that I wasn't sure was
worth the cost. I figured the Windows Firewall was sufficient for this
implementation. Am I wrong?

 
 
Anteaus
Guest
Posts: n/a

 
      04-07-2008, 09:40 PM
SQL doesn't use File Sharing credentials, it uses a separate TCP

 
Anteaus
Guest
Posts: n/a

 
      04-07-2008, 09:49 PM

SQL doesn't use file sharing, it uses a TCP port of its own. If this port
isn't open at the SQL server's firewall then you won't have SQL functionality
on the webserver.

http://support.microsoft.com/kb/287932

Basically the webserver needs to have port 80 (and possibly the HTTPS port)
open to the outside world. The SQL server needs to open its SQL port to the
webserver - but preferably not to the outside world as only the webserver
pulls database data from it.

Typically the webserver will run a script which will log on to SQL with a
predetermined user account and password, so only one account is needed on the
SQL server, regardless of Web user.

BTW I'm more familiar with Linux in this role, so forgive me if the
specifics are a little out. The principles will be the same though.

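The port layout described in the last reply, written as Windows Firewall commands for the two W2K3 servers. This is an added example, not part of the thread; it assumes Windows Server 2003 SP1 or later (`netsh firewall` context), a default SQL Server instance listening on TCP 1433, and the placeholder addresses shown, none of which come from the posts.

```bat
@echo off
rem Added example, not from the thread. Run on each server: fwrules.cmd web | sql
rem Placeholder addresses (documentation ranges) - replace with the real ones.
set WEB_IP=192.0.2.10
set ADMIN_IP=198.51.100.25
rem Assumption: default SQL Server instance on TCP 1433. A named instance
rem would need a fixed port configured and that port used here instead.
set SQL_PORT=1433

if /i "%~1"=="web" goto web
if /i "%~1"=="sql" goto sql
echo Usage: %~nx0 web ^| sql
exit /b 1

:web
rem Web server: HTTP and HTTPS reachable from any source address.
netsh firewall add portopening protocol=TCP port=80 name="HTTP" mode=ENABLE scope=ALL
netsh firewall add portopening protocol=TCP port=443 name="HTTPS" mode=ENABLE scope=ALL
goto common

:sql
rem SQL server: the SQL port is opened to the web server's address only.
rem scope=CUSTOM is used rather than scope=SUBNET because the two servers
rem sit in different subnets, so a "My network (subnet) only" rule would
rem not match traffic from the web server.
netsh firewall add portopening protocol=TCP port=%SQL_PORT% name="SQL from web server" mode=ENABLE scope=CUSTOM addresses=%WEB_IP%
goto common

:common
rem Remote Desktop stays limited to the administrator's static IP,
rem matching the exception described in the first post.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%ADMIN_IP%
rem Print the resulting exceptions so each scope can be reviewed.
netsh firewall show portopening
netsh firewall show service
exit /b 0
```

After running it on the SQL server, the `show portopening` output should list the SQL port with a custom scope containing only the web server's address, and no entry for that port with scope `*`.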
 
 
 