Hi everyone,

I am actually trying to design a small network for a project. The network has several servers and so on.

I would like to make these servers accessible to workers outside the company but I don't really know how to do it. Should I buy a domain name from the ISP?

The network topology goes like this: ISP >>> router >>> switch >>> linking 3 servers.

In this case, how would communication occur if the domain name / IP address is allocated to the router and a page from one of the servers is being requested, in case I am implementing twice NAT?


Reply from inthewind:

It's been years since I did this, but what I remember goes like this.

1) You can use the internet/external IP of the router to connect (most users won't like that though), or you can use your internet domain (e.g. www.yourcomp.com) and add a mapping (CNAME) in the external DNS for something like corp.yourcomp.com to point to the external IP of the router or VPN appliance you're using.

2) In your router (or proxy), map corp.yourcomp.com to redirect to your internal server IP (10.1.1.20), and if it's your mail server then you use port 25 or whatever you use.

3) You test it from outside of your network (e.g. home).

4) You should have someone else test it with your instructions.

For more security, multi-home your server and put the second IP address in the redirect from the router.

You should have access control on the server too.

This is not the most current solution though; most people would use a VPN hardware appliance, for better security, a higher number of connections, better failover, etc.

Hope that helps.

I'm not a real expert on this, but this will probably work:
First, you need to know your network IP address from the outside, as mentioned,
something like http://12.345.678.999, and then you go into your router configuration and set your main HTTP server box to be forwarded on port 80. If you have a Linksys router, that would be in Applications and Gaming. There you select which box on your LAN you want requests for port 80 to be forwarded to. For example, that box may have the LAN address 192.168.1.103.
It's best at this point that it has a static address on the LAN, and also that your ISP gives you a static address. If not, as the poster above mentioned, you can use a service (I've used dyndns.com). They can give you a text name so your users don't have to use a number; they can also set you up with some software to update your numeric address when it changes if you do not have a static IP address.
On your other two server boxes, I would use an alternate port number for the service, like 8080 for the second box, etc. (rather than 80), then set it up the same way in your router as mentioned above.
Use this as a reference for choosing one; just don't use a reserved number:

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

If you use Apache, it's easy to modify this.
Then, for your users to get to the other boxes, all they would have to do is append the alternate port number at the end of the URL:
http://12.345.678.999:8080/index.html (etc.)
The people on your LAN will need to use this method too, but need not use the outside address. They could just use (for example) http://192.168.1.103 for the first server on default port 80, and http://192.168.1.104:8080 for the second box, etc. (if it's on 104).
Be sure to set your firewalls to allow this too. Hope this helps.

Frank F.
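To show what the router actually does with the port forwards described above (and to answer the "twice NAT" question in the original post), here is an added example that is not from the thread: a small Python model of a stateful destination-NAT table. The public address 203.0.113.10 and the client address are constructed values from the documentation ranges; the LAN hosts 192.168.1.103/.104 and ports 80/8080 are the ones Frank uses.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # assumption: the router's ISP-assigned address (documentation range)

# Port-forward table as configured on the router: public port -> (LAN host, LAN port).
FORWARDS = {
    80:   ("192.168.1.103", 80),     # first web server on the default port
    8080: ("192.168.1.104", 8080),   # second box on an alternate port
}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    """Stateful DNAT: an inbound packet to a forwarded port is rewritten to the LAN
    server; the server's reply is matched against the connection table and rewritten
    back so the outside client only ever sees the router's public address."""
    def __init__(self):
        self.conntrack = {}  # (lan_host, lan_port, client, client_port) -> public_port

    def inbound(self, pkt):
        # Only ports in the forward table are reachable; anything else dies at the edge.
        if pkt.dst != PUBLIC_IP or pkt.dport not in FORWARDS:
            return None
        host, port = FORWARDS[pkt.dport]
        self.conntrack[(host, port, pkt.src, pkt.sport)] = pkt.dport
        return Packet(pkt.src, pkt.sport, host, port)

    def outbound(self, pkt):
        public_port = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if public_port is None:
            return None  # no matching inbound flow: LAN addressing is never exposed
        return Packet(PUBLIC_IP, public_port, pkt.dst, pkt.dport)

def demo():
    r = Router()
    fwd = r.inbound(Packet("198.51.100.7", 50000, PUBLIC_IP, 8080))   # remote worker -> router
    reply = r.outbound(Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport))  # server reply -> router
    dropped = r.inbound(Packet("198.51.100.7", 50001, PUBLIC_IP, 22))  # port not forwarded
    return fwd, reply, dropped
```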

Some suggestions regarding security:

Turn on the router firewall and firewalls for all machines connected to the network. This is defense in depth. Enumerate all sensitive data and access controls, then implement a security policy that enforces it. Add a security monitoring tool like AlienVault as a virtual machine on one of the servers; this will monitor security events. Examine the logs daily and ensure accesses are authorized. Users are the biggest threat to the internal network security. Lock down workstation USB connections and CD/DVD write capabilities if you need to protect sensitive data from escaping. Email is also a way for sensitive data to escape.



For the first question: if this is for a company, yes, I would get a domain name. The tricky part comes with the IP address. If you have a static IP address (one address that never changes) you typically can configure a static IP to a certain domain name on your domain name provider's control panel. Or you could establish your own DNS server, but this is beyond a quick posting.

If you have a dynamic IP address, the tricky part is to make sure that this IP address is always assigned to the same hostname (www.example.com, mail.example.com, ...). There are services like DynDNS that did that for years. Not sure they are still running, but definitely worth looking. For a corporate solution, a dynamic IP is not recommended though.

The other parts of your question I would solve as described in the previous posts.

Maba

Using Apache's URL rewrite you can remove all external URLs and reduce exposing internal network configuration to the outside world.


The NAT and PAT configurations will work here. Equip yourself with a domain name and obviously an IP address; servers should have static IP addresses. There is a great amount of information out there relating to what you are wanting to do, but these two configs will be a start.

Are you trying to make a URL from each server visible, or are you trying to provide VPN functionality?

If you are pointing at a web server on each server these will work, but if you are trying to give file service and access to a database for example redirecting with your router may not work.

For a company I'd suggest getting a domain name. If your ISP provides a static IP, great, point it at that, then configure a VPN server using something like OpenVPN or even the MS RRAS service and point your router to that server. If you have a dynamic IP, use DynDNS or something similar to direct the URL for the clients to point at your router. Then the client computers on the outside will have full access to your network and all resources. Hopefully it goes without saying: enable all your firewalls and antivirus, and if possible use nonstandard ports; security is paramount when opening this kind of access.

Mark

The other part that can be done is the use of an ISA Firewall service to redirect to a specific server, which is also a good idea. Meaning the use of a domain name, e.g. http://yourdomain.com, then use the ISA firewall program on one server to redirect the path, e.g. yourdomain.com/mail is redirected to the internal IP of 192.168.0.XXX.

This keeps the traffic separate to the independent servers, and the domain records only point to one machine, cutting the time for a request down. This will also increase the security of your network as the ISA Firewall handles the request and will also handle the login/domain information of your network. Single point of entry = fewer points of failure.

Hi
I would suggest that a virtual private network (VPN) is essential, and I quote from a Microsoft article: "VPN is a means of connecting to a private network (such as your office network) by way of a public network, such as the Internet."

Your connection to the Internet should use a dedicated line such as T1, Fractional T1, or Frame Relay. The WAN adapter must be configured with the IP address and subnet mask assigned for your domain or supplied by an Internet service provider (ISP), as well as the default gateway of the ISP router.

This is one option


I guess it depends on what you want to achieve. And don't take Microsoft's word for it. My guess would be that for a mail server configuration they would recommend buying a new server that runs Exchange 2010 instead of my 10 year old HP Netserver running Linux plus Postfix plus SpamAssassin plus Postgrey.

Sometimes there are alternatives to Microsoft's view of the world. :-/

Thanks to all of you. You are really helping me in that project.

Actually, I am designing a network for a company which has a DNS server, Mail server, Proxy Server and Web server. I just wanted to know how to make these servers accessible to outside employees.

What I concluded is that I should get a dedicated line, a static IP address, then implement VPN on the local network, right? But, just a quick question, the servers should get static IPs and secondly is a file server important?

I do not know how VPN works in terms of packet forwarding inside the LANs.

Should I set all servers to static IPs, then simply run the VPN software? Port forwarding on the router is another option, but I would like to relieve much of the burden from the outside employees' shoulders.

All servers should have static IPs. Use the router to forward the ports needed to each server, e.g. 110 and 25 forward to the mail server, internet requests on 80 to the web server, and so forth and so on. If you need VPN, again set the port forward to the server handling the VPN software. All internal internet requests should go to the proxy server as it will handle the in/out requests. Wash, rinse, repeat until all ports required are done and all services requested are open to the public.


I am assuming all the company's office servers (DNS, Mail, Proxy, Web) are on a LAN in one of the non-routable IP blocks. The most commonly used blocks are 10.0.0.0 to 10.255.255.255 and 192.168.0.0 to 192.168.255.255.

These blocks are not routable on the public internet.

So the mechanics work like this:
- The remote client tries to establish a VPN link to the "external" static IP address where the VPN server in the company listens.
- Once the VPN tunnel is established, the DHCP server (most likely the same one as the DNS server) will issue an IP address to the connecting remote machine out of its own IP address space. At the same time it will tell the remote machine which DNS server to use (this is all normal DHCP behaviour).
- With that, the remote client is "part" of the corporate network.

So the connection mechanics look like this:

Remote client                                          Corporate network VPN srv
(ISP dynamic address)     34.56.78.90 <------------------> 99.88.77.66  (external static IP)
OOOOOOOOOOOOOOOOOOOOOOOOOOO The layer above forms the VPN tunnel OOOOOOOOOOOOOOOOOOOOOOO
(DHCP assigned address) 192.168.99.88 <------------------> 192.168.99.1 (one example server address)

To the other question regarding the servers: yes inside the corporate network I would assign static IPs to the servers as well. This can be accomplished in two ways, either assign the IPs statically on the servers themselves or (maybe more elegant) let the DHCP server always assign the same IP-address to those servers (based on the MAC-address of the LAN card).
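The packet-forwarding side of the tunnel above, as an added example that is not part of Maba's post: the two public addresses and 192.168.99.1 are the ones in the diagram; the /24, the DHCP pool 192.168.99.80/28 and the direct-internet destination are assumptions. The VPN server side also shows the one check a defender wants here: an inner packet whose source is not a leased pool address is dropped, so a tunnel peer cannot pose as a LAN host.

```python
import ipaddress

CORP_NET = ipaddress.ip_network("192.168.99.0/24")      # assumed corporate LAN
VPN_PUBLIC = ipaddress.ip_address("99.88.77.66")        # external static IP (from the post)
CLIENT_PUBLIC = ipaddress.ip_address("34.56.78.90")     # remote client's ISP address (from the post)
DHCP_POOL = ipaddress.ip_network("192.168.99.80/28")    # assumed pool handed out to VPN clients
SERVER = ipaddress.ip_address("192.168.99.1")           # example server address (from the post)

def lease(pool, in_use):
    """DHCP step: hand the remote client the first free address from the VPN pool."""
    for addr in pool.hosts():
        if addr not in in_use:
            in_use.add(addr)
            return addr
    raise RuntimeError("VPN address pool exhausted")

def client_send(tunnel_addr, dst, payload):
    """Client routing: destinations inside CORP_NET go through the tunnel, wrapped in an
    outer packet between the two public addresses; everything else leaves directly."""
    inner = {"src": tunnel_addr, "dst": dst, "payload": payload}
    if dst in CORP_NET:
        return {"src": CLIENT_PUBLIC, "dst": VPN_PUBLIC, "inner": inner}
    return inner

def vpn_server_receive(outer, pool):
    """VPN server: unwrap the tunnel packet and refuse inner packets whose source is not
    a leased pool address. Accepted packets are then forwarded on the LAN as local traffic."""
    inner = outer.get("inner")
    if inner is None or outer["dst"] != VPN_PUBLIC:
        return None
    if inner["src"] not in pool:
        return None
    return inner

def demo():
    in_use = set()
    addr = lease(DHCP_POOL, in_use)                                   # first free: .81
    outer = client_send(addr, SERVER, "GET /")                        # goes via the tunnel
    delivered = vpn_server_receive(outer, DHCP_POOL)                  # accepted, forwarded on LAN
    spoofed = client_send(ipaddress.ip_address("192.168.99.1"), SERVER, "x")
    rejected = vpn_server_receive(spoofed, DHCP_POOL)                 # source not in pool: dropped
    direct = client_send(addr, ipaddress.ip_address("198.51.100.1"), "x")  # not corporate: no tunnel
    return addr, outer, delivered, rejected, direct
```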

Comments from a previous forum (hope they don't mind), for my info and maybe yours:

Make the ADSL line your default gateway and NAT outbound traffic behind that address range. This means all traffic will go via the ADSL line.


Add Static Routes for your VPN Peers via the T1 Line router.

Also you may need to add the encryption domains as static routes via the T1 router as well.

Set VPN Link selection to use the T1 IP address, set to reply via same interface and set Source IP to be the T1 IP address as well.

This will ensure that the VPN traffic is routed out via the T1.

This ensures that all Site-2-Site traffic is routed via the T1 and all other traffic is routed via the ADSL line as you want.

As for forwarding VPN packets within the network, I would guess that it would be an added expense, but my impression is that you can if you have it set up to do so, back to the world of Microsoft (Microsoft Exchange Server) and cost implications.

I am open to correction on that as I am a relative newbie
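Why the static routes in the quoted steps override the ADSL default route, as an added example that is not from the quoted forum: a longest-prefix-match routing table in Python. The two uplink addresses, the VPN peer 192.0.2.5 and the encryption domain 10.20.0.0/16 are constructed placeholders standing in for a real site's values.

```python
import ipaddress

# Two uplinks: ADSL is the default gateway, the T1 carries the site-to-site VPN.
ADSL = {"name": "adsl", "src": ipaddress.ip_address("203.0.113.10")}   # constructed
T1   = {"name": "t1",   "src": ipaddress.ip_address("198.51.100.10")}  # constructed

VPN_PEER = ipaddress.ip_network("192.0.2.5/32")           # assumed remote VPN gateway
ENCRYPTION_DOMAIN = ipaddress.ip_network("10.20.0.0/16")  # assumed remote LAN behind that peer

ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ADSL),  # step 1: default route via the ADSL line
    (VPN_PEER, T1),                              # step 2: static route for the VPN peer via T1
    (ENCRYPTION_DOMAIN, T1),                     # step 3: encryption domain via T1 as well
]

def egress(dst):
    """Longest-prefix match: the most specific matching route wins, so the /32 and /16
    entries pull VPN traffic onto the T1 while everything else falls through to ADSL.
    The source address follows the chosen interface (step 4: reply via same interface)."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    link = best[1]
    return link["name"], link["src"]

def classify(dst):
    link, _ = egress(dst)
    return "site-to-site via T1" if link == "t1" else "internet via ADSL"
```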

Thanks to all of you. You've cleared my mind of all doubts.


Yes and no. The part that you need to remember about a VPN is that there are many versions. A VPN concentrator (software or hardware) accepts all incoming requests provided that the port is forwarded; it will not care from what IP, that is what the NAT table of a router is for. While this is a good idea of how the VPN reacts, the setup is simple. I can gladly explain this in better detail outside of this solved thread.
