Windows 2003. Configuring multiple subnets on the same server

 
 
gocrm

 
      03-28-2007, 12:54 AM

Our server is running W2K3 Enterprise. Internal departments with different
subnets need to connect to this server and also to the internet. The server has
multiple NICs. Questions:

1) How can I configure multiple subnets on this same server, using only 1
NIC?

2) Can I utilize the remaining NICs to accommodate the different subnets?

3) Do I need some type of routing software for this purpose? Someone
suggested a DHCP, but I am not sure how that would work in an environment
where the other subnets are static IPs.

Thanks in advance for your help.
--
Regards,

Andy
 
 
 
 
 
Bill Grant

 
      03-28-2007, 02:42 AM
Why are you trying to configure multiple subnets on the server? Client
machines do not need to be in the same IP subnet as the server to access it.
Standard IP routing should cover what you need. If this machine is a DC, do
not even think about adding extra NICs to it.

How are these internal departments connected? How do they access the
Internet at present?

"gocrm" <(E-Mail Removed)> wrote in message
news:A6BF2894-A1D1-496E-9801-(E-Mail Removed)...
> Windows 2003. Configuring multiple subnets on the same server
>
> Our server is running W2K3 Enterprise. Internal departments with
> different
> subnets need to connect to this server and also to the internet. Server
> have
> multiple NICs. Questions:
>
> 1) How can I configure multiple subnets on this same server, using only 1
> NIC?
>
> 2) Can I utilize the remaining NICs to accommodate the different subnets?
>
> 3) Do I need some type of routing software for this purpose? Someone
> suggested a DHCP, but I am not sure how that would work in an environment
> where the other subnets are static IPs.
>
> Thanks in advance for your help.
> --
> Regards,
>
> Andy



 
 
gocrm

 
      03-28-2007, 12:24 PM
Hi Bill,

The reason for multiple subnets on the same server is due to the
Virtualization environment. I am trying to avoid the VMs having direct access
to the HOSTs on the same subnet. By the same token, I need the VMs to be
able to communicate between different HOSTs.

Right now, each department has its own servers. Each server acts as its
own HOST and has multiple Virtual Machines (VMs) underneath it. They are on
different subnets. I would like to unite the VMs to be on the same subnet,
but on a different subnet than the HOST servers.

Hope my explanations are clear enough? Thank you Bill.
--
Regards,

Andy


"Bill Grant" wrote:

> Why are you trying to configure multiple subnets on the server? Client
> machines do not need to be in the same IP subnet as the server to access it.
> Standard IP routing should cover what you need. If this machine is a DC, do
> not even think about adding extra NICs to it.
>
> How are these internal departments connected? How do they access the
> Internet at present?
>
> "gocrm" <(E-Mail Removed)> wrote in message
> news:A6BF2894-A1D1-496E-9801-(E-Mail Removed)...
> > Windows 2003. Configuring multiple subnets on the same server
> >
> > Our server is running W2K3 Enterprise. Internal departments with
> > different
> > subnets need to connect to this server and also to the internet. Server
> > have
> > multiple NICs. Questions:
> >
> > 1) How can I configure multiple subnets on this same server, using only 1
> > NIC?
> >
> > 2) Can I utilize the remaining NICs to accommodate the different subnets?
> >
> > 3) Do I need some type of routing software for this purpose? Someone
> > suggested a DHCP, but I am not sure how that would work in an environment
> > where the other subnets are static IPs.
> >
> > Thanks in advance for your help.
> > --
> > Regards,
> >
> > Andy

>
>
>

 
 
Bill Grant

 
      03-29-2007, 01:58 AM
Combining this info with the diagram you posted in the
public.virtualserver NG, I am beginning to see what you want to do.

If you have a NIC in each host machine which is plugged into a port on
your internal switch (switch2 in your diagram) and link the NICs on your vm
guest machines to this network, they should all be able to communicate
because, from a networking point of view, they are all in the same segment.
The virtual machines will behave just like additional machines plugged into
the switch. You cannot use a loopback adapter in this case, because you need
to be able to link virtual machines which are running on a different host. (Any
other physical machines plugged into this switch will also be reachable.)

To access the Internet these machines would use the ISA server vm. This
machine would have its "public" NIC connected to switch1. This NIC would be
isolated from the host machine (as discussed in another posting) to avoid
the possibility of bypassing the ISA firewall.

With this setup, all of the machines actually plugged into switch2 and
all of the vms with one NIC will be in your private network. They will
access the Internet through ISA server running in one vm, which is connected
to the Internet via switch1. This NIC is in the same IP subnet as the other
machines on switch1. It does not have an IP address on the host machine.


 
 
gocrm

 
      03-29-2007, 04:14 PM
Hi Bill,

You are a genius. You've just solved the mystery to my config problems.

1) You mentioned isolating one of the NICs from the host machine. How
do I configure the isolation? I looked at the property settings and do see
"VMWARE Bridge Protocol". Is this what you were referring to? If so, I
would just uncheck everything else... including TCP/IP Protocol? Is this
what you were referring to?

Also, I am confused at the comment where you mentioned "to avoid the
possibility of BYPASSING the ISA Firewall". Could you please clarify the
"bypassing" term when referring to the ISA and the HOST?

2) I clearly understood that one of the NICs is in the same IP subnet as the
other machines on switch1. You mentioned it does not have an IP address on the
host machine. So do I just leave it blank in the auto detect mode for both
IP and DNS?

Thanks a million!





--
Regards,

Andy


"Bill Grant" wrote:

> Combining this info with the diagram you posted in the
> public.virtualserver NG, I am beginning to see what you want to do.
>
> If you have a NIC in each host machine which is plugged into a port on
> your internal switch (switch2 in your diagram) and link the NICs on your vm
> guest machines to this network, they should all be able to communicate
> because, from a networking point of view, they are all in the same segment.
> The virtual machines will behave just like additional machines plugged into
> the switch. You cannot use a loopback adapter in this case, because you need
> to be able link virtual machines which are running on a different host. (Any
> other physical machines plugged into this switch will also be reachable).
>
> To access the Internet these machines would use the ISA server vm. This
> machine would have its "public" NIC connected to switch1. This NIC would be
> isolated from the host machine (as discussed in another posting) to avoid
> the possibility of bypassing the ISA firewall.
>
> With this setup, all of the machines actually plugged into switch2 and
> all of the vms with one NIC will be in your private network. They will
> access the Internet through ISA server running in one vm, which is connected
> to the Internet via switch1. This NIC is in the same IP subnet as the other
> machines on switch1. It does not have an IP address on the host machine.
>
>
>

 
 
Bill Grant

 
      03-30-2007, 01:45 AM
Q1. I can't help you with VMWARE Bridge protocol. I don't run VMWare. You
certainly do clear Internet Protocol (TCP/IP). You do not want the host IP
stack to know about this NIC.

The vm running ISA has two network connections. One is to the public
network and one is to the private side. If your host machine is connected to
the private side you must ensure that it does not have any possible
connection to the public network. If it does there is always a chance that
traffic from the public side could reach the private network (or vice versa)
without going through the firewall. That is why it is important that the
public NIC in the host machine is accessible to the vm but isolated from the
host machine.

Q2. It does not really matter. The host machine will never see this NIC. It
is effectively disabled as far as the OS in the host machine is concerned.
All traffic going through this NIC is handled by the IP stack in the virtual
machine. The IP stack in the host only sees the NIC which is on the private
network.

"gocrm" <(E-Mail Removed)> wrote in message
news:998F28A3-A86B-417C-AEFF-(E-Mail Removed)...
> Hi Bill,
>
> You are a genius. You've just solved the mystery to my config problems.
>
> 1) You mentioned about isolating one of the NIC from the host machine.
> How
> do I configure the isolation? I looked at the property settings and does
> see
> "VMWARE Bridge Protocol". Is this what you were referring to? If so, I
> would just uncheck everything else... including TCP/IP Protocol? Is this
> what you were referring to?
>
> Also, I am confused at the comment where you mentioned "to avoid the
> possibility of BYPASSING the ISA Firewall". Could you please clarify the
> "bypassing" term when referring to the ISA and the HOST?
>
> 2) I clearly understood about one of the NIC is in the same IP subnet as
> the
> other
> machines on switch1. You mentioned it does not have an IP address on the
> host machine. So do I just leave it blank in the auto detect mode for
> both
> IP and DNS?
>
> Thanks a million!
>
>
>
>
>
> --
> Regards,
>
> Andy
>
>
> "Bill Grant" wrote:
>
>> Combining this info with the diagram you posted in the
>> public.virtualserver NG, I am beginning to see what you want to do.
>>
>> If you have a NIC in each host machine which is plugged into a port
>> on
>> your internal switch (switch2 in your diagram) and link the NICs on your
>> vm
>> guest machines to this network, they should all be able to communicate
>> because, from a networking point of view, they are all in the same
>> segment.
>> The virtual machines will behave just like additional machines plugged
>> into
>> the switch. You cannot use a loopback adapter in this case, because you
>> need
>> to be able link virtual machines which are running on a different host.
>> (Any
>> other physical machines plugged into this switch will also be reachable).
>>
>> To access the Internet these machines would use the ISA server vm.
>> This
>> machine would have its "public" NIC connected to switch1. This NIC would
>> be
>> isolated from the host machine (as discussed in another posting) to avoid
>> the possibility of bypassing the ISA firewall.
>>
>> With this setup, all of the machines actually plugged into switch2
>> and
>> all of the vms with one NIC will be in your private network. They will
>> access the Internet through ISA server running in one vm, which is
>> connected
>> to the Internet via switch1. This NIC is in the same IP subnet as the
>> other
>> machines on switch1. It does not have an IP address on the host machine.
>>
>>
>>
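
Added example, not part of any post in this thread: a check over `ipconfig /all` output from a VM host that flags any adapter whose address or gateway is outside the private network, which is the firewall-bypass condition described in the last reply. The adapter names, addresses and both sample outputs are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpts from a hypothetical VM host (not from the thread).
# MISCONFIGURED: the host IP stack is still bound to the NIC cabled to switch1.
MISCONFIGURED = """\
Ethernet adapter Private:

   Description . . . . . . . . . . . : Example NIC #1
   IP Address. . . . . . . . . . . . : 192.168.10.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1

Ethernet adapter Public:

   Description . . . . . . . . . . . : Example NIC #2
   IP Address. . . . . . . . . . . . : 192.0.2.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.0.2.1
"""
# ISOLATED: assumes that with TCP/IP cleared on the public NIC the host
# reports no IP configuration for it, so only the private adapter remains.
ISOLATED = MISCONFIGURED.split("Ethernet adapter Public:")[0]

HEADER = re.compile(r"^\S.* adapter (.+):\s*$")       # "Ethernet adapter <name>:"
FIELD = re.compile(r"^\s+([^:]+?)[\s.]*:\s*(.*)$")    # "   Key . . . : value"

def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig-style output."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {})
        elif current is not None:
            field = FIELD.match(line)
            if field:
                current[field.group(1)] = field.group(2).strip()
    return adapters

def firewall_bypass_findings(text, private_net):
    """List host adapters whose address or gateway lies outside the private network."""
    allowed = ipaddress.ip_network(private_net)
    findings = []
    for name, fields in parse_adapters(text).items():
        for key in ("IP Address", "Default Gateway"):
            value = fields.get(key)
            if value and ipaddress.ip_address(value) not in allowed:
                findings.append((name, key, value))
    return findings
```

An empty result for the host means its IP stack only sees the private network, so traffic between the two sides has to pass through the firewall VM.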



 