Webserver setup

I am looking at installing a web server for work. It will be running w2003 ent edition. Currently our website is hosted externally but we are bringing it in house and having it located on site.

Now to avoid external visitor traffic going through a LAN switch I had thought of putting the server on the DMZ. However the internal users will still use the web server from within the site and therefore to avoid having to go out onto the internet and then back in to the webserver I thought I could multi home the server. 1 NIC for the DMZ (with an external address) and 1 NIC (with an internal address) for the internal traffic.

Has anyone done this? My main concern is the security and being w2003 it's not the best for starters!
 
Management decision!

Edit: I think it's also down to them wanting to set up a SharePoint server and having that in house too.
 
Couldn't you run it NAT'd?
Though security may not be the best. In house is also hard if you have poor internet bandwidth.
 
I run a win2k3 web server with Apache at home, runs fine but I've never been a fan of IIS in general anyway.

1 DMZ + 1 Lan sounds fine to me, patch the whole lot up before you put it live and you'll be fine.
 
> 1 DMZ + 1 Lan sounds fine to me, patch the whole lot up before you put it live and you'll be fine.

It's fine if you want to totally circumvent your firewall. If your web server gets hacked then they've got a completely unprotected connection into your local network - so why have a DMZ?

Have to say I agree, unless you have a semi decent setup in house (a few hours UPS backup and resilient internet connections from different providers) there's not many good reasons to bring hosting in house.
 
> I thought I could multi home the server
please, please, please do NOT do this!!!

if you have to bring it in house, run it in a dmz. you'll have an internet dns record for the public facing address. nat this on the firewall to the private address. set up a policy from untrust -> dmz which only permits inbound http requests to it. https too, if you use it. then, for internal access to the website, point your internal dns record to the private address. set up a policy from trust -> dmz which then permits inbound http requests to it. again https too, if you use it.

edit: also, if you're bringing it in-house, make damn sure you keep it properly patched and looked after!
 
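The DMZ layout from the reply above (split DNS, NAT on the firewall, HTTP/HTTPS-only policies) set beside the multi-homed alternative, as a small Python model. This is an added example and not part of any poster's message; the addresses, hostname and port 445 are constructed placeholders, and the zone names follow the reply's untrust/trust/dmz wording.

```python
# Constructed values: documentation-range public IP, made-up DMZ address and hostname.
PUBLIC_IP, DMZ_IP, SITE = "203.0.113.10", "192.168.50.10", "www.example.com"

# Split DNS: the internet view returns the public address, the internal view the private one.
DNS = {"internet": {SITE: PUBLIC_IP}, "internal": {SITE: DMZ_IP}}
# The firewall NATs the public address to the web server's private DMZ address.
DNAT = {PUBLIC_IP: DMZ_IP}
# The two policies from the reply; any zone pair or port not listed is denied.
POLICY = {("untrust", "dmz"): {80, 443}, ("trust", "dmz"): {80, 443}}


def permitted(src_zone, dst_zone, port):
    """Default deny: inter-zone traffic passes only if a policy lists the port."""
    return port in POLICY.get((src_zone, dst_zone), set())


def web_request(client_zone, port=80):
    """Follow a client's request for SITE.

    Returns (address the firewall forwards to, whether policy permits it).
    """
    view = "internal" if client_zone == "trust" else "internet"
    dst = DNS[view][SITE]
    dst = DNAT.get(dst, dst)  # only the public address is translated
    return dst, permitted(client_zone, "dmz", port)


def lan_exposure(server_zones, port):
    """What a compromised web server can reach on the LAN (trust zone)."""
    if "trust" in server_zones:
        return "direct"   # a NIC on the LAN: the firewall never sees the traffic
    if any(permitted(zone, "trust", port) for zone in server_zones):
        return "policy"   # reachable only because a rule allows it
    return "denied"       # no dmz -> trust rule exists, so the firewall drops it


if __name__ == "__main__":
    print("internet visitor :", web_request("untrust"))
    print("internal user    :", web_request("trust"))
    print("visitor, tcp/3389:", web_request("untrust", 3389))
    # 445 stands in for any internal service port (assumption for illustration).
    print("DMZ-only server  -> LAN:", lan_exposure({"dmz"}, 445))
    print("multi-homed server -> LAN:", lan_exposure({"dmz", "trust"}, 445))
```

Internal and external clients both end up at the same DMZ address through the firewall, so the second NIC buys nothing except an unfiltered path from the web server into the LAN.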
Thanks for the replies, you have cemented my concerns!

We have around 20 other servers so bringing 1 in house shouldn't be an issue for patching or UPS. Our internet connection is flawless too.
 
> Thanks for the replies, you have cemented my concerns!
>
> We have around 20 other servers so bringing 1 in house shouldn't be an issue for patching or UPS. Our internet connection is flawless too.

Really? Does your website matter to you a lot?

Is your connection flawless when BT have a faulty DSLAM and it takes 3 days to sort it out? I've seen it happen. Or when the power company have a brainwave and knock out the power without warning for 6 hours - does your UPS cover that? People host in datacenters for a reason.

In my opinion you shouldn't do it, if you need to ask about it then you really shouldn't do it...
 
I was pushing for it to be hosted in a datacenter but they wouldn't have it. We have the spare hardware so they weren't keen on spending any more. Also, our website isn't critical for our line of business.

We also had our ISP in the other day and they are drawing up recovery plans in the event of the line going down.

Though it doesn't make much difference, we have a LAN Extension Service line rather than ADSL.
 