Network Design

By Eminent87 ·
Hi,

I'm setting up a new office and would like some help with the design. This network will be entirely on Windows: all servers will be on Windows 2003 Server with Active Directory and Exchange 2003 Server, and clients will be on either XP or 2000 Pro. I've never designed a network before, so I'd like some detailed help if possible. The following is what I have so far. Is the following setup the most efficient way to incorporate a SonicWALL and an ISA server together? The biggest problem I'm having is that the ISA server has 2 NICs, external and internal. Since everything is NATed through the SonicWALL, how can I give the ISA a public IP address on the external NIC while maintaining the private IP address on the internal NIC? Is it even possible to do this, or do I have to turn off NAT on the SonicWALL?

-----Internet-----
        |
----DSL Modem----
        |
----SonicWall----    SOHO2 with no DMZ
        |
----ISA Server----   ISA 2000 server
        |
-------------------Switch-------------------
   |        |        |        |         |
 Mail-1   Mail-2    File     PDC    Workstations
 Server   Server   Server   Server


6 total posts (Page 1 of 1)  

by Eminent87 In reply to Network Design

Sorry, I was trying to incorporate a diagram but the format got all screwed up.


by zaferus In reply to Network Design

I've worked quite a bit with SonicWALLs (a few hundred installs), hopefully I can help.

First of all: having two firewalls is NOT better than one. To get two NAT devices to talk nicely to each other you'll need to do a little dancing in your configuration, and it normally causes nothing but headaches in the long run, especially as the network grows and changes or if you get VPN involved (even non-SonicWALL), which can then become your own personal nightmare.

Your best configuration option is to:
1. Update your SonicWALL to firmware 6.5.x. Since you have a Generation 2 SonicWALL there will be no cost to upgrade your firmware. Don't forget to save your configuration first and have a copy of 6.4 firmware on hand in case your SOHO/2 pukes during the update. Also you will need a valid mysonicwall account that you used to register the SOHO/2 to begin with to do all of this.

2. Reinstall your ISA server (and remove one NIC). Set it to be a proxy server only. SonicWALL has stateful packet inspection and I believe does a better job firewalling than ISA would anyways.

3. Set your SonicWALL to Proxy Relay (under advanced settings) and put in the IP of your proxy ISA server.

Now you have a solid firewall and a solid proxy server both doing what they do best without interfering with each other. I hope you go with this solution as it is ten times better than a double NAT solution.

Zaf


by Eminent87 In reply to

Hi Zaf,

Thanks for your input, but from what I heard, if you configure ISA in cache mode you are limited in what you can do and lose all of the nice functionality that ISA was designed for. For example, you cannot restrict Messenger or streaming video in cache-only mode.

I'm in the process of testing the double NAT scenario in a lab, but I can't seem to forward requests to the ISA external interface.


by zaferus In reply to Network Design

If you want to use ISA as a firewall, your best bet may be to put your SonicWALL into "Standard mode". This way it becomes a "bridge" and does not NAT, but will still firewall. In Standard mode its LAN and WAN IPs will be the same.

It should pass traffic straight to your ISA server without complication.

The other thing you can do is set up a static route for the ISA server and the LAN behind it.

Part of your current problem is that, because of the double NAT, the SonicWALL does not understand how it can be getting traffic from a network that is not defined to it, or how to get traffic to your LAN, as it can only see your ISA server.

This is under Advanced - Routes. The Gateway setting is the ISA WAN IP, the destination network and subnet is the range of your LAN (just put x.x.x.0 for the IP), and the port would be the LAN port.

Try to update your firmware first if you can; some of the older firmwares used to have bugs with this, but either configuration should work OK.

Zaf
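To see why the static route Zaf describes is needed, here is a small Python model of the SonicWALL's route lookup (longest-prefix match) run against the thread's double-NAT layout. This is an added example, not code from this thread or from SonicWALL, and every address is constructed: 192.168.0.0/24 for the SonicWALL's LAN segment with the ISA WAN NIC at 192.168.0.2, 192.168.1.0/24 for the office LAN behind ISA, and 203.0.113.1 as the DSL default gateway. The function names (`route_lookup`, `reaches_office_lan`) are mine.

```python
import ipaddress

# Constructed topology for the thread's double-NAT layout (not from the post):
#   SonicWALL LAN port       : 192.168.0.1/24
#   ISA WAN NIC              : 192.168.0.2    (on the SonicWALL's LAN segment)
#   ISA LAN NIC / office LAN : 192.168.1.0/24 (behind ISA; unknown to the SonicWALL)
#   DSL gateway (default)    : 203.0.113.1    (documentation range, constructed)
ISA_WAN_IP = "192.168.0.2"
OFFICE_LAN = "192.168.1.0/24"

# Routes the SonicWALL knows about with no manual configuration:
# its directly connected LAN segment and a default route out the WAN port.
BASE_ROUTES = [
    # (destination network, gateway or None if directly connected, egress port)
    ("192.168.0.0/24", None, "LAN"),
    ("0.0.0.0/0", "203.0.113.1", "WAN"),
]

# The static route from the reply: destination = office LAN (x.x.x.0 plus mask),
# gateway = ISA WAN IP, port = the LAN port.
STATIC_LAN_ROUTE = (OFFICE_LAN, ISA_WAN_IP, "LAN")


def route_lookup(routes, dst):
    """Longest-prefix match over a routing table.

    Returns a dict with the chosen network, gateway and port, or None when
    nothing (not even a default route) covers the destination.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, port in routes:
        network = ipaddress.ip_network(net)
        # Prefer the most specific (longest prefix) matching network.
        if dst_ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, port)
    if best is None:
        return None
    network, gw, port = best
    return {"network": str(network), "gateway": gw, "port": port}


def reaches_office_lan(routes, inner_host):
    """True when a packet for a host on the office LAN leaves the SonicWALL
    through its LAN port towards the ISA WAN NIC; False when the only match
    is the default route, which sends a private address out the WAN where
    nothing will deliver it."""
    r = route_lookup(routes, inner_host)
    return r is not None and r["port"] == "LAN" and r["gateway"] == ISA_WAN_IP


if __name__ == "__main__":
    inner_host = "192.168.1.50"  # constructed: a workstation behind ISA
    print("without static route:", route_lookup(BASE_ROUTES, inner_host))
    print("with static route:   ", route_lookup(BASE_ROUTES + [STATIC_LAN_ROUTE], inner_host))
```

Without the static route, anything addressed to a host behind ISA only matches the default route and is pushed out the WAN port; with it, the same packet is handed to the ISA WAN NIC on the LAN port, which is the behaviour the reply's Advanced - Routes entry produces. Return traffic for sessions the SonicWALL has NATed goes through the same lookup, which is why the inner LAN is unreachable until the route exists.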


by Eminent87 In reply to

Hi Zaf,

Thanks for your suggestions, I will give it a try.


by Eminent87 In reply to Network Design

This question was closed by the author
