
VPN/NAT questions

Discussion in 'Networking (Hardware & Software)' started by mklangelo, 2005/12/13.

  1. 2005/12/13
    mklangelo

    mklangelo Inactive Thread Starter

    Joined:
    2005/07/01
    Messages:
    41
    Likes Received:
    0
    Hi all,

    I have a box running Server 2k3 Standard and two XP Pro SP 2 boxes. What I'm trying to do is set up an FTP site, and access the internet through the server. I would rather keep all the files on the XP boxes and just set up a Virtual Directory with IIS to get them on the net.

    I'm wondering about the Physical topography for this. I have a LinkSys RTP 300 router behind my modem, the three boxes and a simple 4 port workgroup Hub.


    1.) Do I need to run DNS on the server?

    2.) Is NAT required since I'm already behind a router? And if so...

    3.) Would I set the TCP/IP settings for the clients to static IPs in the 192.168.*.* range and point them to the server for DNS?

    4.) There will be two NICs in the server box, correct?


    Thanks in advance. Any help here would be greatly appreciated! :)
     
  2. 2005/12/13
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Do you mean that you want to use IIS' FTP facility to publish the files from the server, and then you want to allow access to that server from the internet? If so:

    1. FTP is not one of IIS' strongest points. Personally I'd use third party FTP server software that is dedicated to this task. I've used Titan FTP server with good results, but there are plenty of others out there.

    2. FTP is not the most secure of protocols. The main problem is that it uses one port for controlling the data flow and another port for the actual transfer. That makes it difficult for firewalls to track. So I would encourage you to look at other solutions before committing yourself to FTP.

    3. If you do go for FTP you will not need to set up NAT on the server. Just use NAT on the router and forward ports 20 and 21 to the server from the router.

    4. You will not NEED to set up DNS on the server for this to work. However, if you are using AD on your network setting up DNS on the server will be a good idea. If you do this, the client PCs will need to use the server as their DNS server.

    5. Using a private IP address space (192.168.x.x or 10.x.x.x) inside your network (and behind a NAT router) is good practice.

    6. The system can work with either one or two NICs in the server. It depends how well you set up the server as to which is better. If the only security you have is the router NAT, using two NICs isn't going to achieve much. If you have a good router with stateful firewalling built in, or even better a dedicated hardware firewall, adding a second NIC again isn't going to achieve a lot. However, if you run firewall software on the server (ISA for example) adding a second network card will allow you to use the server firewall to protect the other internal PCs; but this is probably the most difficult set up to implement securely. Personally I'd recommend the dedicated hardware firewall option.

    Having said all that, I would ask the question "who is going to access these files?" If you are setting this up to allow a small number of co-workers to access their files from home, VPN is a much better solution.
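
The control-port/data-port split described in the post above, as an added example that is not part of the original thread: a small Python parser that pulls the data-connection endpoint out of FTP `PORT` commands and `227` passive replies and checks it against a static forward of ports 20 and 21. The session lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as six decimal bytes (RFC 959 host-port encoding)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
FORWARDED_PORTS = {20, 21}  # assumption: the static router forwards from the thread


def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"    # client tells the server where to connect back
    elif text.startswith("227"):
        mode = "passive"   # server tells the client where to connect
    else:
        return None
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None        # malformed: every field must fit in one byte
    ip = ".".join(str(n) for n in nums[:4])
    return mode, ip, nums[4] * 256 + nums[5]


def audit_control_channel(lines):
    """List each negotiated data endpoint and what a NAT device must handle."""
    findings = []
    for line in lines:
        endpoint = parse_data_endpoint(line)
        if endpoint is None:
            continue
        mode, ip, port = endpoint
        findings.append({
            "mode": mode, "ip": ip, "port": port,
            # a private address inside the payload is useless across NAT
            "private_ip": ipaddress.ip_address(ip).is_private,
            "covered_by_forward": port in FORWARDED_PORTS,
        })
    return findings


# Constructed sample of control-channel traffic (port 21)
SAMPLE_SESSION = [
    "220 FTP server ready", "USER friend", "331 Password required",
    "PORT 192,168,1,101,19,137", "200 PORT command successful",
    "PASV", "227 Entering Passive Mode (192,168,1,10,195,80)",
]
```

Both endpoints in the sample are negotiated inside the control channel, which is why a firewall or NAT router has to inspect port 21 traffic to know which data connection to allow.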
     


  4. 2005/12/13
    mklangelo

    mklangelo Inactive Thread Starter

    Joined:
    2005/07/01
    Messages:
    41
    Likes Received:
    0

    Thanks for the reply Reggie,

    As far as who will access the site, it's just a little File Depot for myself and a handful of friends. The bonus is it ties in with my current 290 studies, at least as far as IIS 6.0 goes. I originally thought of VPN but I have no idea how to create a website to enable the downloading/uploading of files. So in that regard, FTP seemed the logical choice.

    So you're saying the physical topology would be:

    Modem>>Router>>Server>>Hub>>Client1/Client2. That begs a question. If I don't have two NICs in the server box, how do I connect it to the router and THEN connect the server to the Hub??


    I have RRAS installed and enabled but it's a bit beyond the scope of my knowledge since it doesn't come up until 291...

    Is there a decent Step by Step type resource for what I'm trying to do? HTML is something I don't want to spend any time on since I'm studying for the 290 right now.

    :eek:
     
  5. 2005/12/14
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Only if you have good firewalling on the server. If not, I'd suggest:

    Modem>>Router>>Hub>>Server and Clients.

    With ports 20 and 21 forwarding to the server.

    This is the simplest set up. A rule of thumb is that a simple set up is easier to set up well, and a well set up simple solution is always better than a poorly set up complicated solution. If you go this way, I strongly recommend that you run personal firewalls on the clients (with the local network trusted).

    However, the problem with this set up is that you are exposing the server's FTP to everyone on the internet. I would still recommend that you look at the VPN option, especially if the group of users is less than 10.

    For that matter have a look at 24Jedi's SSH based solution. Combining SSH with FTP would be a much more secure solution and might well give you just what you want.
     
  6. 2005/12/14
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Why have the 2 pcs connect to www via the server at all? Just plug the hub into the router and the server & 2 pcs into the hub. That way, the firewalling is handled by the router.

    Then, install openssh on the server instead of ftp. FTP is insecure in many ways, for one thing, the passwords are sent in plain text and can be sniffed easily. http://sshwindows.sourceforge.net/

    You and your friends can connect to the server using a free secure client such as WinSCP. http://winscp.net/eng/index.php

    SSH by default uses port 22, so configure your ssh on the server to use a port like 3022 & set up port forwarding on the router for port 3022 requests to be sent to the ip address of the server. (using port 3022 instead of 22 is just another layer of security)
     
    Last edited: 2005/12/14
  7. 2005/12/15
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    The "firewalling" on most cheap ADSL/DSL routers is simply NAT. This does give you some protection from nasties on the internet. But NAT is relatively easy to get past.

    Therefore, I agree with your post, but would strongly recommend that the PCs run personal firewall software (Zone alarm for example) as well rather than simply relying on the router blocking malicious internet traffic.
     
  8. 2005/12/15
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    The ONLY thought/suggestion I have is to replace the HUB with a SWITCH.

    I have no idea what the difference is but I was using a Hub for a while and now seem to get MUCH better behavior with a Switch.

    My Routing goes.

    PCs/Printer>Switch>Router>Modem.

    BillyBob
     
  9. 2005/12/17
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    The basic difference between a hub & switch:
    A switch and a hub are essentially the same thing except that a switch can better route packets and route them directly and smoothly; each "channel" is separately known and determined. Whereas with a hub, all packets enter the hub and anyone else connected to the hub can view the packets traversing it, and packets from different comps will collide and cause slight latency (packets must be requested again & be resent by the originator comp). Most hubs are limited to 10 mb throughput while switches are 100 mb throughput.
     
  10. 2005/12/17
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Thank you TonyT

    BillyBob
     
  11. 2005/12/17
    mklangelo

    mklangelo Inactive Thread Starter

    Joined:
    2005/07/01
    Messages:
    41
    Likes Received:
    0

    Hmmm, It might be time to buy a switch. But the LinkSys Workgroup Hub I have is 10/100
     
  12. 2005/12/17
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Hmmm, It might be time to buy a switch. But the LinkSys Workgroup Hub I have is 10/100

    Yes it is time. ( From experience I think so anyway )

    I had a Linksys hub that was the same as you have but the Switch was a GREAT improvement.

    All of my machines are standalone. None depend on the other for anything.

    Alias; Nothing is shared. And no one machine needs to be on at all times.

    BillyBob
     
  13. 2005/12/17
    mklangelo

    mklangelo Inactive Thread Starter

    Joined:
    2005/07/01
    Messages:
    41
    Likes Received:
    0
    Well, it's off to PriceGrabber yet again...


    A computer is a hole on my desk where my money goes... LOL :eek:
     
