Koozali.org: home of the SME Server

multiple server config?

dlex

multiple server config?
« on: March 26, 2003, 12:23:42 PM »
Hi,
I have been running 3 SME servers at our department for about 1 year now and I am quite happy with them: 1 for file/printing, 1 for (web-)mail and 1 for web hosting. Our campus network provides 1 IP for every machine that is connected to the network, and there is 1 gateway for every department. This gateway does not provide any firewall protection to our machines.
I had to install all 3 servers as 'server-only'. Now that our web services and access from students are growing from project to project, I want to add a firewall (Smoothwall?) to this network.

Network config as it works right now:
Every machine has 1 IP; all have the same subnet and gateway. I want to set up the FW as the only public IP, connect the 3 servers via a hub and a second NIC, and give them standard IPs like: 192.168.0.1-3.
I am aware of the fact that the firewall has to forward the different ports to the right servers: http to port 80, etc.
I think I don't have to be worried much about the workstations not being behind the FW (all Win2k, virus-scanned and maintained frequently).
BUT! How do the local clients connect to the servers behind the FW?
Is it done just via the 'add local network' link in the server-manager(s)?
Or is there a better way to connect the 2 different nets?

thanks in advance

dlex

Bill Talcott

Re: multiple server config?
« Reply #1 on: March 26, 2003, 07:10:06 PM »
dlex wrote:
>
> BUT! How do the local clients connect to the servers behind
> the FW?
> Is it done just via the 'add local network' link in the
> server-manager(s)?
> Or is there a better way to connect the 2 different nets?

If the SMEs are NAT-ed behind a router, the regular network PCs won't connect directly to the SMEs. They'll connect to the router's public IP, which will then pass the connection to the proper SME (based on the port forwarding rules).

The router will have an IP in the main network, so the entire NAT-ed group behind that IP is "on that network". I know some of the SME's services limit access to certain ranges for security, so you may need to add the local network entry for that, but you shouldn't for regular communication. I think in Server-Only mode, it allows full access to everything firewall-wise, because it assumes it's already on a secured LAN. I haven't used Server-Only myself, so I'm not 100% sure...

If you are able to give each SME a public IP, I think I'd prefer that way. Not everything works through NAT, so you may encounter problems with some services (though the basics should all work fine).