Web Hosting Talk : Web Hosting Main Forums : Colocation and Data Centers : network setup (win2K)

[tveye]

Getting ready to install 4 servers (2 database and 2 web). I'll have 5 usable IPs. Plan to manage everything via Terminal Services (Remote Desktop).

1) Should I set up Active Directory (which requires running DNS on at least one) or make them all standalone servers?

2) For security purposes and to make the best use of the 5 IPs, I wanted to give the database servers private IPs only, but on second thought wouldn't that prevent me from accessing them with Terminal Services? What's the best way?

Thanks

[Jay Suds]

You will likely see very few benefits of running AD with just 4 servers.

From a security POV, if you don't want your database servers externally accessible, but you still want to be able to manage them remotely, you can do a few things, but they could get costly.

- Cheapo method, would require 2 NICs per web server and 2 switches:

Data Center Uplink
|
switch #1
| |
Web1 Web2
| |
switch #2
| |
DB1 DB2

With this method, you would relay a TS connection through either web server to your DB servers.

- More Expensive - Requires firewall (such as SonicWall SOHO5 + VPN)

Data Center Uplink
|
Firewall / VPN Device
| | | |
Web1 Web2 DB1 DB2

Configure firewall to only allow only neccessary traffic, do not allow external SQL connections or RDP traffic. Setup a VPN tunnel with the firewall, which will provide you with full remote access to your servers over an encrypted link.

Most Expensive -
Same idea as with one firewall, but use two firewalls. The first firewall will use an external subnet with the web servers hanging off of it. The second firewall will use a non-routeable subnet, and only allow port 1433 traffic through, from the external subnet facing it only. Second firewall is uplinked to the first firewall. Same as before, you would setup a VPN tunnel for management / TS access. In order to "route" the non-routeable subnet locally, your firewall devices would have to support static routing (most do).

I'm sure there's more/better solutions to this, but hey - it's 3:20AM

[tveye]

Thanks for your help Jay! With the first method, how do you relay a TS connection?

[Jay Suds]

Install TS Client on the web server. The, TS to the Web Server, open TS client on the Web Server and TS to the SQL Server.

[tveye]

Thanks Jay. I thought that's what you meant but wasn't sure.

So for the first method (just to make sure I'm clear) you're suggesting to plug uplink, web1_nic1, and web2_nic1 into switch_1. Then connect web1_nic2, web2_nic2, db1_nic1, and db2_nic1 into switch_2. Correct?

With that setup could the web servers use all 5 public IPs (say 3 on one, 2 on the other) while the DB boxes use private IPs?

[RackMy.com]

Don't run AD if you don't

[tveye]

Quote:

Originally posted by RackMy.com
Don't run AD if you don't

Huh? Don't run it if I don't what?

[Jay Suds]

I think it should have read "Don't run AD if you don't [have to]". Anyhow, you have understood things correctly. The web servers would get all of the external IPs, and you would load private IPs on nic_2 on the web servers and the SQL servers.

[Potsie]

You really don't need the second NIC and switch if you're cool with the "TS in a TS session" method.
Be warned that it can be slow. It does work fine for me on a 256K up Cable connection from home, but is much more responsive on the 512k SDSL at the office. Not sure why, but the upload seems to make a difference.

[Avatar]

You could also use an managed switch with support for VLAN's instead of 2 switches.