Rebuilding our LAN: need recommendations please

bcontento

Distinguished
Apr 5, 2011
3
0
18,510
I'm in the process of rebuilding our business LAN to be more efficient and was hoping for some guidance from the networking pros (I am not).

our current configuration:

- 2 bonded T1s for voice and data ===>
- SonicWall TZ170 VPN / firewall ===>
- 3 Dell PowerConnect 2600 switches ===>
- our network:
- Windows Small Biz Server 2003 (AD, DNS, Exchange, etc). This server is multi-homed (2 NICs: one on a public IP to allow Exchange server access to the world and one on our internal IP range)
- a variety of other servers, NAS, etc
- desktops, printers, etc.
- wireless routers for internal connections

<==== remote office SonicWall TZ170 connected to primary office via site to site tunnel


current issues:

- we are adding another remote office and will be moving the TZ170 from our main office there and replacing it with a SonicWall NSA240 (huge upgrade) to handle firewall, content filtering, intrusion, etc

- our SBS2003 public NIC is currently NOT behind the firewall and gets hit pretty heavy with login attempts (failed thanks to good passwords).

- We have to run an FTP server to give clients access to files on a specific server. Right now, we create a user account in AD and point the outside users to our public IP address on the SBS box where they login with that AD account for access. When the public FTP is turned on, the server gets hammered with login hack attempts.

- a small army of field workers using Verizon 3G/4G aircards on laptops to connect via VPN. Right now, those users also connect to our SBS box on the public IP for AD credentials and IP address assignment. The connection is handled internally by the SBS box and it's often painfully slow


questions:

- best practice for handling the Exchange server and the public IP NIC on the Exchange server?

- leave it as is and just plug the 2nd NIC into the bandwidth with a public IP address

- connect that NIC to a certain port on the new firewall, assign that port the public IP address and configure it to handle intrusion, etc (assuming that can be done)

- move away from multi-homing (2 NICs on different IP segments) and utilizing routing in the firewall/router to forward the mail traffic to the server (assuming that can be done)


- FTP: move away from utilizing the public IP on the 2nd NIC in the SBS box and move to handling the routing of FTP services through the firewall and point the traffic to the correct server. Should I be utilizing a different port number than standard FTP ports to avoid hacks?


- general architecture: right now, the three switches and all of the boxes in the network point to the LAN address of the existing SonicWall gateway. The three switches are plugged one into the next into the next into the SonicWall (ROUTER 3 ==> LAN port of ROUTER 2 ==> LAN port of ROUTER 1 ==> LAN port on the SonicWall). the new firewall has 6 10/100 ports and 3 gigabit ports. Everything on our network is gigabit. Should each switch be plugged directly into the firewall or doesn't it matter? I read something about stringing switches together setting them up physically how I have them but pointing each's DNS and gateway setting to the next router up in the line (ROUTER 3 points to ROUTER 2 for DNS/GATEWAY, ROUTER 2 then points to ROUTER 1 for DNS/GATEWAY, and ROUTER 1 points to the Firewall). Make any real sense/difference?


I think this is about it (as if it's not enough) for now. Thanks for any guidance and suggestions!!
 
First thing I would never connect a Microsoft Server directly to the internet, as you can see people love it.

Assign Static Ips to you SBS and use the SonicWall to redirect traffic for FTP and Exchange. Connect one of the two NICs in your SBS to the SonicWall X3-X8 and the other to Switch2.

Let your SonicWall handle the security. The only thing I cannot remember is if you need to one WAN port per Public IP or if one WAN port can handle multiple Public IPs.

just connect Switch1 to the SonicWall X0.

also I would make a connection between Swich1 and Switch3
 

bcontento

Distinguished
Apr 5, 2011
3
0
18,510
Thanks very much for the reply. Just found this which helps clear my mind a bit:

3 GbE, 6 FE ports (each can be configured separately, e.g. you can choose port X1 and X7 to be WAN connection. However X0 and X1 is fixed as LAN and WAN respectively)

so, I'm thinking I should utilize 3 distinct public IP address (one for Exchange traffic only, one for FTP traffic only, and one for the office HTTP/everything else traffic). Does that sound right? Then I would use SW X1 (fixed WAN port for office HTTP traffic and configure 2 other ports to be WAN ports with the other two public IP addresses (one for FTP and one for Exchange).. ?

I'm guessing and learning....

WAN bandwidth <==> SW X1 (WAN port)

SWITCH 1 <==> SW X0 (LAN port)

SWITCH 1 <==> SWITCH 2

SBS NIC 1 (static LAN IP??) <==> SW X3 (port configured to handle Exchange traffic in and out) routed to <==> SW X4 (configured as a WAN port connected to our bandwidth)

SBS NIC 2 (static LAN IP) <==> SWITCH 2

SWITCH 1 <==> SWITCH 3


switches: do i leave their default gateway address pointed to the LAN address of the SonicWall?
 

bcontento

Distinguished
Apr 5, 2011
3
0
18,510
i misspoke. Our switches are PowerConnect 2724's.

everything else look about right in concept? Specifically:

SBS NIC 1 (static LAN IP??) <==> SW X3 (port configured to handle Exchange traffic in and out) routed to <==> SW X4 (configured as a WAN port connected to our bandwidth)

again, I greatly appreciate the help!!