
We're currently in the process of putting together our own server Firewall/Router. We were going to use a dedicated solution from someone like Juniper or Watchguard, but it is going to be a lot more cost-effective if we use a server machine we were planning to get already, instead.

About us: We're a website that is going to have two servers behind the Firewall/Router Server (a web server and a database server). All three servers are going to be running Windows Server 2008 R2 x64.

Excuse the crudity of my diagram (I know it's not even close to being technically correct, but it hopefully makes our topology a little clearer)...

[Diagram: network topology image, not reproduced here]

#1 ROUTING

We are using RRAS to configure our routing. At the moment this is configured to give our Web App server internet access (through RRAS's NAT) but I need to set up port forwarding so that any request to port 80 is sent directly to the Web App server.

#2 FIREWALL

Would Windows Advanced Firewall do our required job acceptably? (I imagine the answer to this is yes.)

#3 VPN

Setting up a VPN has been a pain so far (certificates are annoying!). Every tutorial I've seen seems to have DNS and DHCP roles running on their VPN machine... why is this? Are they both necessary or can I bin them?

Overall

Are there any more tips on how to configure this server for our needs?

Thanks for any advice. I'm sorry if this is a really badly asked question! (There is a bounty, at least :)

Django Reinhardt

8 Answers

You can use RRAS for firewalling, NAT and VPN, so, yes, you can give a single public IP address to your Windows Server 2008 firewall and have it route traffic for all your internal network and forward specific ports (e.g. 80) to your internal servers, and you can also have it act like a VPN server (PPTP and/or L2TP). RRAS has been around since Windows 2000, and it does its job quite nicely for simple setups.

It isn't a full firewall/proxy solution, though; you can't define fine-grained policies, it doesn't do any web proxying (be it straight or reverse), it can't filter traffic at the application level and it doesn't log network traffic for further analysis.

In short: yes, RRAS can do anything you need, simply and somewhat crudely; but it isn't a full-blown network access and security solution like ISA or TMG.

Massimo
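Added example, not part of Massimo's answer or anything else in this thread: the RRAS NAT port mapping he describes is set up in the RRAS console, but the same forwarding of TCP 80/443 to the web server can be scripted on the 2008 R2 router with the built-in `netsh interface portproxy`, which relays TCP connections in user mode instead of rewriting packets. The public address (198.51.100.10), the web server address (10.0.0.2) and the rule names are assumptions for the illustration.

```powershell
# Added example, not from the original thread. Scripted TCP forwarding on a
# Windows Server 2008 R2 router with the built-in netsh portproxy, as an
# alternative to an RRAS NAT static port mapping. Requires the IP Helper
# (iphlpsvc) service, which is on by default. Addresses are assumptions.
$PublicIp  = "198.51.100.10"   # router's public address (documentation range)
$WebServer = "10.0.0.2"        # web app server on the internal subnet
$Ports     = 80, 443

foreach ($p in $Ports) {
    # Listen on the public address and relay each connection to the web
    # server on the same port.
    netsh interface portproxy add v4tov4 listenaddress=$PublicIp listenport=$p connectaddress=$WebServer connectport=$p
    if ($LASTEXITCODE -ne 0) { throw "portproxy for port $p failed" }

    # The host firewall on the router must still admit the inbound connection;
    # without this rule the relay listens but nothing reaches it.
    netsh advfirewall firewall add rule name="Forward TCP $p to web server" dir=in action=allow protocol=TCP localport=$p
    if ($LASTEXITCODE -ne 0) { throw "firewall rule for port $p failed" }
}

# Show what is now being relayed, then confirm from outside the network
# (browser or telnet to the public address) that the web server answers.
netsh interface portproxy show v4tov4
```

Two caveats worth knowing before choosing this over the RRAS mapping. First, because portproxy is a relay, the web server sees every connection as coming from the router's internal address, so IIS logs (and any analytics you hoped to gather) lose the real client IP; RRAS NAT port mapping keeps it. Second, TCP 443 can only be owned by one thing on the router: if you later enable SSTP VPN on it, that also listens on 443 and the two will collide.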

I just set up something pretty similar about an hour ago. Windows Server 2008 R2 is a fully viable solution for what you're doing.

I agree with the comments so far about using ISA for the firewall. Windows firewall could work but it's pretty basic and doesn't have any IDS or filtering. ISA is the way to go if you can, otherwise Windows Firewall is ok as a stepping stone.

For your VPN, no, DNS and DHCP don't need to be on the same server as RRAS. DNS can be anywhere, and DHCP just needs to be in the internal subnet.

For your internal IPs, they can originate on the firewall/router server, so the top left line in your diagram is really a line inside of the green line. Use VPN to connect to the firewall/router/vpn server which will assign an internal IP.

For the database server, just give it an internal IP and it will only be accessible from the inside.

On the router server's internal NIC, assign an x.x.x.1 (e.g. 10.0.0.1) IP and use that as your gateway for your internal NIC on the web server and for your database server. That will give you the internal network and routing.

Also, if you install RD Gateway Server, you can RDP to your inside computer from outside the network too.

Scott Forsyth
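Added example, not part of Scott Forsyth's answer or the original thread: the Windows Firewall with Advanced Security policy a router box like this would want, scripted with `netsh advfirewall` (the NetSecurity PowerShell cmdlets only arrived in Server 2012). It gives a default-deny inbound posture, opens 80/443 to the world, and limits the PPTP VPN and RDP listeners to the single external admin address the asker mentions. The admin address 203.0.113.25 and the rule names are assumptions.

```powershell
# Added example, not from the original thread. Windows Firewall with Advanced
# Security on a 2008 R2 firewall/router, configured via netsh advfirewall.
# Assumed: one external address, 203.0.113.25, is allowed to reach VPN and RDP.
$AdminIp = "203.0.113.25"

# Default-deny inbound on every profile, allow outbound, and log dropped
# connections so there is at least something to analyse later.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 16384

# Public web traffic from anywhere (forwarded on to the web server by RRAS NAT).
netsh advfirewall firewall add rule name="Web HTTP"  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Web HTTPS" dir=in action=allow protocol=TCP localport=443

# PPTP VPN needs the TCP 1723 control channel plus GRE (IP protocol 47);
# both restricted to the admin address only.
netsh advfirewall firewall add rule name="VPN PPTP control (admin only)" dir=in action=allow protocol=TCP localport=1723 remoteip=$AdminIp
netsh advfirewall firewall add rule name="VPN PPTP GRE (admin only)"     dir=in action=allow protocol=47 remoteip=$AdminIp

# RDP to the router itself, admin address only. Better still: connect to the
# VPN first, RDP over the tunnel, and delete this rule entirely.
netsh advfirewall firewall add rule name="RDP (admin only)" dir=in action=allow protocol=TCP localport=3389 remoteip=$AdminIp

# Check: every inbound allow rule should be either port 80/443 or carry
# RemoteIP limited to the admin address; anything else is a hole.
netsh advfirewall firewall show rule name=all | Select-String -Pattern "Rule Name|Direction|RemoteIP|Protocol|LocalPort"
```

Note that these rules are host-level: they protect the router box itself and the ports it forwards, but they say nothing about traffic between the web server and the database server once it is inside. Give the database server its own host firewall rule allowing its listening port only from the web server's internal address, so a compromised web app cannot reach anything else on the LAN through it.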

If you are set on using a Server2008 box as your firewall, then you may want to consider using ISA.

DanBig
  • Ahh... thanks for that, I think this may be what we need. Not much online documentation for it, though :-/ I'll keep searching. – Django Reinhardt Nov 05 '09 at 14:31
  • Check here for just about anything you need to know about ISA. http://www.isaserver.org/ – DanBig Nov 05 '09 at 14:36
  • Very bad answer which caused me to waste a crap load of time: ISA Server isn't compatible with Windows Server 2008 (x86 or x64). – Django Reinhardt Nov 22 '09 at 13:41
  • Why don't you want to set up a 2003 box with ISA? It's still fully supported and it works great. – Massimo Nov 23 '09 at 06:06
  • You can download the Forefront TMG RC now. Why not give it a try? You may not be able to get it for free from your BizSpark sub, but at least you can try it out now and if it fits, think about purchasing it. http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=e05aecbc-d0eb-4e0f-a5db-8f236995bccd&displaylang=en – DanBig Nov 23 '09 at 13:13
  • @Dan Thanks, but a) there's a reason why we have a BizSpark subscription (we're a start-up with no money :) and b) I wouldn't want to put beta/RC software on a production server. Thanks for the link, though. I may try it on another machine at some point. – Django Reinhardt Nov 25 '09 at 18:48
  • @Massimo, that's a good question. I wasn't sure if that would be an easier solution or not, so I ended up pursuing this one. I'm slowly getting there, though. Do you think ISA Server would be THAT much quicker and easier than RRAS? – Django Reinhardt Nov 25 '09 at 18:50
  • No, but it would definitely be **A LOT MORE POWERFUL**. BTW, Forefront TMG has already been released, it isn't RC anymore. – Massimo Nov 25 '09 at 19:51
  • @Massimo I'm not really lacking for power at the moment. Our setup is pretty simple stuff and will only require VPN/RDP access from one external IP address. Obviously that means I lock down security pretty damned tightly. Also, see point a) to Dan: We don't have the $6000 required for a single Enterprise License. – Django Reinhardt Nov 26 '09 at 09:32
  • TMG is not in beta/rc - it's released and is the "new version of ISA for 2008"... mostly anything ISA applies to TMG as well, it's "just" a product rebrand... – Oskar Duveborn Nov 26 '09 at 11:38
  • So I take it you'll be paying for the license then, Oskar? – Django Reinhardt Nov 26 '09 at 21:00

To be honest, why not go with a mid/low-end small business router from Linksys? I use the RV042 in that exact setup. I have one IP address that is forwarded to the web server (using NAT) on 80 and 443, and the router is a VPN server as well, just using the Windows VPN client. It's about $200, and then your server is actually physically removed from the internet: should something on the server's software firewall be accidentally turned off, it won't be sitting exposed on the internet.

SpaceManSpiff
  • Yep, we did consider it, but we're also going to use the firewall/router server to capture analytics, so it has an additional purpose aside from firewalling. – Django Reinhardt Nov 05 '09 at 14:30

We use Kerio Winroute Firewall on our Windows servers. It doesn't do reverse proxy at all, but as for everything else it is pretty well supported with features. We've been using it for 8/9 years through the various versions and currently it is very good. It is also cheaper than ISA and much easier to configure.

As for the reverse proxy, we've not needed that yet but would be interested to find out what you do in the end if you need to. We have so far got around it as we have a block of IP addresses so just map those to different internal servers.

Let me know if you need any help with configuring it at all.

Simon Dick
  • It was very useful 8-9 years ago, when Windows NT couldn't do anything like that. But routing/NAT capabilities have been built into Windows RRAS since 2000, making products like WinGate and WinRoute quite useless. – Massimo Nov 23 '09 at 09:12
  • True, it does have these features built in, but the additional features that Winroute offers make it a much better product. And like any security system, would you rely on built-in Microsoft software? For simplicity alone Winroute is worth the money. And the VPN clients are great for headless servers to connect to you if required. – Simon Dick Dec 03 '09 at 13:00

1) About routing: Yes, it can all be simply routed to your IIS with RRAS. You only need to set up proper DNS A records and make several clicks in the RRAS snap-in, and you also need to set up IIS to catch the proper headers and ports.
2) It is possible to work without a firewall, but of course it will decrease security. It is possible to put a simple FreeBSD-, Linux- or anything-else-based boundary firewall in front, or a simple hardware firewall.
3) Windows 2008 offers great SSTP VPN tunnels, besides PPTP and L2TP, which don't depend on the GRE protocol and work everywhere. But do you really need VPN tunnels? Server 2008 also offers the great feature TS RemoteApp, which is more secure, because it doesn't offer full access to the server's network, but only to a particular application.
Do you plan for the server to host internal web resources as well?


I had a similar problem to yours. A gentleman in this forum recommended that I use Astaro Security Gateway.

I grabbed their free home license and played for a while with the software. By the end of the day (actually night), I was able to configure a Pentium 4 machine to act as a successful firewall and a replacement for two separate routers.

Now I run a web server that serves over two WAN IP addresses (with uplink load balancing) and the internal traffic is redirected to the local IP of the server without travelling through the internet.

The advantage of Astaro is that you have granular controls of each and every packet movement in your network. You may have to try it first.

Nirmal
  • Darn .. beat me to it! @Django - Astaro is a far better solution than using a Windows server as a firewall. For the cost of Windows server you can get the license and support, which is excellent. – tomjedrz Nov 28 '09 at 06:01

You didn't say what platform you're looking at, so I'm going to recommend m0n0wall.

It's an all-inclusive repackaging of FreeBSD for use as a firewall/router/etc.

EDIT: updating based on comments from Django. I thought the Win2k8 servers were to be BEHIND the firewall, not the machines on which to INSTALL the firewall.

With that being the case, my initial recommendation of m0n0wall doesn't make any sense :)

If you change your mind, though, it may still :)

warren