Joining web server to SBS domain - any pre-cautions?

Tutorials Win: Microsoft Windows Forum

Hi All,

We are running SBS 2003 Standard SP2 with exchange.

I'm trying to plan for joining our web server (Server 2003 Std. installed)
to our SBS domain. The web server is live and hosting our website at the
moment.

I don't know enough about IIS to foresee any prolems that may arise with the
account profile changeover. Any thoughts to consider or suggestions would be
much appreciated. Thanks so much in advance.
cheers,
-mike
Top

Re: Joining web server to SBS domain - any pre-cautions? by Lanwench

Lanwench
Fri Jul 11 14:50:56 PDT 2008

Mike <none> wrote:
> Hi All,
>
> We are running SBS 2003 Standard SP2 with exchange.
>
> I'm trying to plan for joining our web server (Server 2003 Std.
> installed) to our SBS domain. The web server is live and hosting our
> website at the moment.
>
> I don't know enough about IIS to foresee any prolems that may arise
> with the account profile changeover. Any thoughts to consider or
> suggestions would be much appreciated. Thanks so much in advance.
> cheers,
> -mike

For reasons of security, I suggest you put this server in a DMZ and don't
let it touch your LAN at all. There's no need for it to belong to your
domain and it would be a very bad idea for it to do so.


Top

Re: Joining web server to SBS domain - any pre-cautions? by Leythos

Leythos
Fri Jul 11 15:50:37 PDT 2008

In article <Orqdb534IHA.776@TK2MSFTNGP04.phx.gbl>, "Mike" <none> says...
> Hi All,
>
> We are running SBS 2003 Standard SP2 with exchange.
>
> I'm trying to plan for joining our web server (Server 2003 Std. installed)
> to our SBS domain. The web server is live and hosting our website at the
> moment.
>
> I don't know enough about IIS to foresee any prolems that may arise with the
> account profile changeover. Any thoughts to consider or suggestions would be
> much appreciated. Thanks so much in advance.

Putting ANY webserver on the same network as your company files is a
very bad idea and is a very good way to get hacked and then compromised.

You should have a REAL FIREWALL APPLIANCE, not just a NAT Router.

Real firewalls provide multiple physical networks that are isolated from
each other and only permit traffic by user created rules.

A single public IP can provide HTTP access for the DMZ Network and also
provide HTTPS access to the LAN without the outsiders knowing the
difference.

If you firewall has a DMZ and it's in the same Subnet as the LAN, then
it's not a firewall.

A typical LAN would be 192.168.3.1/24 with
a typical DMZ being 192.168.8.1/24

They are isolated from each other by default.

The only rule would be:

Allow HTTP LAN > DMZ (web erver IP)
Disallow ANY DMZ > LAN



--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Top

Re: Joining web server to SBS domain - any pre-cautions? by Mike

Mike
Fri Jul 11 16:44:03 PDT 2008

Yes, I have a REAL FIREWALL and i know what a DMZ is, thank you very much.
No need to talk to me like I'm stupid buddy.


"Leythos" <void@nowhere.lan> wrote in message
news:1215823735_161406@news.usenet.com...
> In article <Orqdb534IHA.776@TK2MSFTNGP04.phx.gbl>, "Mike" <none> says...
>> Hi All,
>>
>> We are running SBS 2003 Standard SP2 with exchange.
>>
>> I'm trying to plan for joining our web server (Server 2003 Std.
>> installed)
>> to our SBS domain. The web server is live and hosting our website at the
>> moment.
>>
>> I don't know enough about IIS to foresee any prolems that may arise with
>> the
>> account profile changeover. Any thoughts to consider or suggestions would
>> be
>> much appreciated. Thanks so much in advance.
>
> Putting ANY webserver on the same network as your company files is a
> very bad idea and is a very good way to get hacked and then compromised.
>
> You should have a REAL FIREWALL APPLIANCE, not just a NAT Router.
>
> Real firewalls provide multiple physical networks that are isolated from
> each other and only permit traffic by user created rules.
>
> A single public IP can provide HTTP access for the DMZ Network and also
> provide HTTPS access to the LAN without the outsiders knowing the
> difference.
>
> If you firewall has a DMZ and it's in the same Subnet as the LAN, then
> it's not a firewall.
>
> A typical LAN would be 192.168.3.1/24 with
> a typical DMZ being 192.168.8.1/24
>
> They are isolated from each other by default.
>
> The only rule would be:
>
> Allow HTTP LAN > DMZ (web erver IP)
> Disallow ANY DMZ > LAN
>
>
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)


Top

Re: Joining web server to SBS domain - any pre-cautions? by Mike

Mike
Fri Jul 11 16:51:29 PDT 2008

Thanks for the second set of eye's Lanwench. That one went right over my
head since I'm not the one who setup our physical LAN/ My real reasoning
behind this was for backup purposes since everything is centralized through
the SBS server. I'll have to think of another way to automate backups for
our webserver. Have a great weekend.

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:eHdwmQ64IHA.4492@TK2MSFTNGP04.phx.gbl...
> Mike <none> wrote:
>> Hi All,
>>
>> We are running SBS 2003 Standard SP2 with exchange.
>>
>> I'm trying to plan for joining our web server (Server 2003 Std.
>> installed) to our SBS domain. The web server is live and hosting our
>> website at the moment.
>>
>> I don't know enough about IIS to foresee any prolems that may arise
>> with the account profile changeover. Any thoughts to consider or
>> suggestions would be much appreciated. Thanks so much in advance.
>> cheers,
>> -mike
>
> For reasons of security, I suggest you put this server in a DMZ and don't
> let it touch your LAN at all. There's no need for it to belong to your
> domain and it would be a very bad idea for it to do so.
>


Top

Re: Joining web server to SBS domain - any pre-cautions? by Leythos

Leythos
Fri Jul 11 17:10:11 PDT 2008

In article <#EMBBA74IHA.2332@TK2MSFTNGP03.phx.gbl>, "Mike" <none>
says...
> Yes, I have a REAL FIREWALL and i know what a DMZ is, thank you very much.
> No need to talk to me like I'm stupid buddy.
>

Don't be offended, your question sounded like a novice as any seasoned
IT person knows what I stated - that's why I replied and with the
details I did.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Top