I'm in the process of rebuilding our business LAN to be more efficient and was hoping for some guidance from the networking pros (I am not).
our current configuration:
- 2 bonded T1s for voice and data ===>
- SonicWall TZ170 VPN / firewall ===>
- 3 Dell PowerConnect 2600 switches ===>
- our network:
- Windows Small Biz Server 2003 (AD, DNS, Exchange, etc). This server is multi-homed (2 NICs: one on a public IP to allow Exchange server access to the world and one on our internal IP range)
- a variety of other servers, NAS, etc
- desktops, printers, etc.
- wireless routers for internal connections
<==== remote office SonicWall TZ170 connected to primary office via site to site tunnel
current issues:
- we are adding another remote office and will be moving the TZ170 from our main office there and replacing it with a SonicWall NSA240 (huge upgrade) to handle firewall, content filtering, intrusion, etc
- our SBS2003 public NIC is currently NOT behind the firewall and gets hit pretty heavy with login attempts (failed thanks to good passwords).
- We have to run an FTP server to give clients access to files on a specific server. Right now, we create a user account in AD and point the outside users to our public IP address on the SBS box where they login with that AD account for access. When the public FTP is turned on, the server gets hammered with login hack attempts.
- a small army of field workers using Verizon 3G/4G aircards on laptops to connect via VPN. Right now, those users also connect to our SBS box on the public IP for AD credentials and IP address assignment. The connection is handled internally by the SBS box and it's often painfully slow
questions:
- best practice for handling the Exchange server and the public IP NIC on the Exchange server?
- leave it as is and just plug the 2nd NIC into the bandwidth with a public IP address
- connect that NIC to a certain port on the new firewall, assign that port the public IP address and configure it to handle intrusion, etc (assuming that can be done)
- move away from multi-homing (2 NICs on different IP segments) and utilizing routing in the firewall/router to forward the mail traffic to the server (assuming that can be done)
- FTP: move away from utilizing the public IP on the 2nd NIC in the SBS box and move to handling the routing of FTP services through the firewall and point the traffic to the correct server. Should I be utilizing a different port number than standard FTP ports to avoid hacks?
- general architecture: right now, the three switches and all of the boxes in the network point to the LAN address of the existing SonicWall gateway. The three switches are plugged one into the next into the next into the SonicWall (ROUTER 3 ==> LAN port of ROUTER 2 ==> LAN port of ROUTER 1 ==> LAN port on the SonicWall). the new firewall has 6 10/100 ports and 3 gigabit ports. Everything on our network is gigabit. Should each switch be plugged directly into the firewall or doesn't it matter? I read something about stringing switches together setting them up physically how I have them but pointing each's DNS and gateway setting to the next router up in the line (ROUTER 3 points to ROUTER 2 for DNS/GATEWAY, ROUTER 2 then points to ROUTER 1 for DNS/GATEWAY, and ROUTER 1 points to the Firewall). Make any real sense/difference?
I think this is about it (as if it's not enough) for now. Thanks for any guidance and suggestions!!
our current configuration:
- 2 bonded T1s for voice and data ===>
- SonicWall TZ170 VPN / firewall ===>
- 3 Dell PowerConnect 2600 switches ===>
- our network:
- Windows Small Biz Server 2003 (AD, DNS, Exchange, etc). This server is multi-homed (2 NICs: one on a public IP to allow Exchange server access to the world and one on our internal IP range)
- a variety of other servers, NAS, etc
- desktops, printers, etc.
- wireless routers for internal connections
<==== remote office SonicWall TZ170 connected to primary office via site to site tunnel
current issues:
- we are adding another remote office and will be moving the TZ170 from our main office there and replacing it with a SonicWall NSA240 (huge upgrade) to handle firewall, content filtering, intrusion, etc
- our SBS2003 public NIC is currently NOT behind the firewall and gets hit pretty heavy with login attempts (failed thanks to good passwords).
- We have to run an FTP server to give clients access to files on a specific server. Right now, we create a user account in AD and point the outside users to our public IP address on the SBS box where they login with that AD account for access. When the public FTP is turned on, the server gets hammered with login hack attempts.
- a small army of field workers using Verizon 3G/4G aircards on laptops to connect via VPN. Right now, those users also connect to our SBS box on the public IP for AD credentials and IP address assignment. The connection is handled internally by the SBS box and it's often painfully slow
questions:
- best practice for handling the Exchange server and the public IP NIC on the Exchange server?
- leave it as is and just plug the 2nd NIC into the bandwidth with a public IP address
- connect that NIC to a certain port on the new firewall, assign that port the public IP address and configure it to handle intrusion, etc (assuming that can be done)
- move away from multi-homing (2 NICs on different IP segments) and utilizing routing in the firewall/router to forward the mail traffic to the server (assuming that can be done)
- FTP: move away from utilizing the public IP on the 2nd NIC in the SBS box and move to handling the routing of FTP services through the firewall and point the traffic to the correct server. Should I be utilizing a different port number than standard FTP ports to avoid hacks?
- general architecture: right now, the three switches and all of the boxes in the network point to the LAN address of the existing SonicWall gateway. The three switches are plugged one into the next into the next into the SonicWall (ROUTER 3 ==> LAN port of ROUTER 2 ==> LAN port of ROUTER 1 ==> LAN port on the SonicWall). the new firewall has 6 10/100 ports and 3 gigabit ports. Everything on our network is gigabit. Should each switch be plugged directly into the firewall or doesn't it matter? I read something about stringing switches together setting them up physically how I have them but pointing each's DNS and gateway setting to the next router up in the line (ROUTER 3 points to ROUTER 2 for DNS/GATEWAY, ROUTER 2 then points to ROUTER 1 for DNS/GATEWAY, and ROUTER 1 points to the Firewall). Make any real sense/difference?
I think this is about it (as if it's not enough) for now. Thanks for any guidance and suggestions!!