09-21-2003, 12:58 PM   #1
Member (7 bit)
Join Date: Dec 2000
Posts: 105
move from server ICS to hw gateway

hi all

I currently have a LAN that uses the server's POTS modem and the server's ICS for internet.

Win2K server, stations are winXP pro

We are getting wireless hispeed and a gateway/router.

The server has a database running on it.

How do I continue to use the server to issue IPs (for database connectivity) but not provide ICS, since the router/gateway will be the new internet connection?

Do I simply disable DHCP on the router and assign it an IP?
How do I prevent the server from handing out the IP that I gave the router?

Am I getting wild about something simple?

Thanks for reading, all help appreciated.
zevon8
09-21-2003, 03:23 PM   #2
Member (10 bit)
Join Date: Dec 2002
Location: SE-PA
Posts: 896
Are you sure your database requires the server to issue the IP addresses? That seems to be an odd requirement.

I'd look into keeping it simple, just let the broadband router do its thing and use the server to handle the database, giving it a fixed IP address.

As far as keeping the DHCP from stepping on other fixed addresses, you just set the DHCP server parameters to keep the pool of automatic addresses from overlapping any fixed addresses.
gunrunnerjohn
09-21-2003, 03:47 PM   #3
Member (7 bit)
Join Date: Dec 2000
Posts: 105
Hi gunrunnerjohn,

thanks for a quick reply. I think you are right, the DB doesn't require the server to be the IP issuer. I should have explained better, sorry. What I was worried about was losing the ICS feature of DHCP if I disabled ICS, resulting in the workstations not knowing where the server was on the network if the server got a random IP from the gateway. Since ICS fixes the local NIC to 192.168.0.1, the workstations' DB prog knows where the server is.

I really don't know too much about this, but I had another coffee, and this is what I was thinking may work:

a) turn off ICS on server
b) fix server NIC at 192.168.0.1
c) set each workstation to a fixed IP, use ISP DNS's IP's
d) don't use DHCP on the router/gateway LAN side
e) set LAN IP on gateway.
f) aim each workstation at the gateway IP for internet.
g) ban traffic from the server on the gateway to the 'net

step (g) is to keep the server from chatting with the world.

From Microsoft KB articles it seems you can't range IP addys or manually configure much when using ICS, so this is what I came up with.

Am I going in a bad direction?

Thanks
zevon8
09-21-2003, 05:21 PM   #4
glc
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 36,460
This is a LOT easier - and how I do my networks:

Let the router be the DHCP server and assign IP addresses to the workstations.

Assign the server a static IP, in the router's subnet but out of its DHCP scope. Set the server to use the router's IP address for its default gateway and DNS if you want the server to have Internet access.

Does the server *HAVE* to specifically be 192.168.0.1 or can it be anything, as long as it doesn't change?
glc
09-21-2003, 05:22 PM   #5
Member (10 bit)
Join Date: Dec 2002
Location: SE-PA
Posts: 896
I'd assign the server a fixed IP, since that's pretty much always a good idea. I'd leave all the workstations running with dynamic IP addresses, because it makes it MUCH easier to live with. I'd set up the broadband router normally, just as the basic instructions lead you, DHCP server on, and set the range to exclude the server fixed IP and the router's fixed IP. Say the router was 192.168.0.1, and you set the server to be 192.168.0.2, you could start your DHCP pool at 192.168.0.10 to 192.168.0.100, leaving yourself 90 automatic IP addresses, and a few spare fixed ones in the range of your "server" boxes.

Since ICS would be totally disabled in this scenario, its configuration or restrictions don't enter into the conversation.

You can restrict Internet traffic in the router by MAC address or IP address. While you're talking about banning all Internet traffic to the server, I'd rethink that. It's nice to be able to update applications, operating systems, virus protection, etc. from your broadband connection. You'll have the basic firewall protection of the broadband router to keep outside threats outside, and you can add a software firewall layer if you feel the need.
gunrunnerjohn
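The address plan from the post above, checked in code. This is an added example, not part of the original thread; the `check_plan` helper and the second, broken plan are constructed for illustration.

```python
import ipaddress

def check_plan(subnet, pool_start, pool_end, fixed):
    """Return a list of problems with a LAN address plan (empty list = OK).

    fixed maps a device label to its static IP, e.g. {"router": "192.168.0.1"}.
    """
    net = ipaddress.ip_network(subnet)
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    problems = []
    if lo > hi:
        problems.append("DHCP pool start is above pool end")
    for edge in (lo, hi):
        if edge not in net:
            problems.append(f"pool boundary {edge} is outside {net}")
    seen = {}  # static IP -> first device that claimed it
    for name, addr in fixed.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name} {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {ip} is the network or broadcast address")
        if lo <= ip <= hi:
            # The DHCP server may lease this address to a workstation.
            problems.append(f"{name} {ip} is inside the DHCP pool {lo}-{hi}")
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} both use {ip}")
        seen[ip] = name
    return problems

# Plan from the post: router .1, server .2, pool .10 to .100.
GOOD = check_plan("192.168.0.0/24", "192.168.0.10", "192.168.0.100",
                  {"router": "192.168.0.1", "server": "192.168.0.2"})

# Constructed broken plan: server keeps its old ICS address while the router
# also sits on 192.168.0.1, and the pool starts at .1 as well.
BAD = check_plan("192.168.0.0/24", "192.168.0.1", "192.168.0.100",
                 {"router": "192.168.0.1", "server": "192.168.0.1"})

if __name__ == "__main__":
    print("good plan problems:", GOOD)
    for problem in BAD:
        print("bad plan:", problem)
```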
09-21-2003, 08:13 PM   #6
Member (7 bit)
Join Date: Dec 2000
Posts: 105
I'm back

Thanks glc and gunrunnerjohn.

Looked over the info, and you both have better ideas than mine. I also cringed at the idea of setting IP's on the workstations, been there done that, and the T-shirt don't fit.

I think I will let the router do DHCP, range it, and fix the server to its current 192.168.0.1 IP.

glc-

the snag is that I kinda have to leave the server at the above IP. You have to specify it during the client software installation and as such, is a hassle to redo on each client. It's all done during a DOS script that configs each client site licence. The package is then "compiled" and installed.
------
gunrunnerjohn-

I think I may still isolate the server, I don't mind "dropping the wall" by unchecking a rule when I need to do updates. One other reason for isolation is that part of the DB software has a remote console sorta like PCAnywhere for the software company to dial in on and update/fix the database. This thing is running 24/7 and seems like an open invite to trouble on high speed. Right now on dial-up they have to call me and get me to log off the internet so they can grope around the console, so if I "firewall it up" on high speed, they still have to call me. hehe.
-------

thanks for all your help, I think you are both right, and will do what you said.
zevon8
09-21-2003, 08:52 PM   #7
Member (10 bit)
Join Date: Dec 2002
Location: SE-PA
Posts: 896
If you leave the server at that address, you can just change the router's address to 192.168.0.2, that's pretty easy to do in the setup screens.
gunrunnerjohn
09-21-2003, 09:02 PM   #8
Member (7 bit)
Join Date: Dec 2000
Posts: 105
exactly, gunrunnerjohn

hmm.. this all seems to have turned out to be pretty straightforward after all. heh

nothing beats a great forum discussion to clear the mind when you get bogged down in all the details.

thanks everyone, I have one less worry at the office.
zevon8
09-22-2003, 02:34 AM   #9
glc
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 36,460
Go ahead and put the server on the Internet - just make the software company dial up to get access like they have been doing. Put a modem on the server and configure the remote console for direct dialin, do not link the console to TCP/IP access.
glc
09-22-2003, 06:22 PM   #10
Member (10 bit)
Join Date: Dec 2002
Location: SE-PA
Posts: 896
Gee glc, we had this all sorted out, and now you're throwing a monkey wrench into the machinery!
gunrunnerjohn
09-22-2003, 07:27 PM   #11
Member (7 bit)
Join Date: Dec 2000
Posts: 105
heh...

the modem is already in the server, I had no use for it elsewhere, so no plans to remove it.

I know how to remove the TCP/IP binding to the modem, but this may break the console app. Oh well. Will have to see how the console app chooses its communication point.

I guess I could make the software vendor sort it out. That's why we pay for those huge support contracts I guess.

thanks people
zevon8
09-23-2003, 09:36 AM   #12
glc
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 36,460
No need to unbind TCP/IP from the modem - all I'm saying is don't allow the software company direct TCP/IP access into your system through the Internet, just let them keep dialing in directly.

If the server is behind a router, it's not open to the world unless you start forwarding ports to it.
glc
09-23-2003, 06:41 PM   #13
Member (7 bit)
Join Date: Dec 2000
Posts: 105
true, glc

I will ask them ( the DB people ) how to limit the console access to direct dial via modem. that is, if the application is capable of establishing a connection through any available TCP/IP route. If it isn't that smart, and only knows about the modem through settings that are in place, I can just leave the POTS line off until they need to dial in.

cheers
zevon8
09-24-2003, 08:25 PM   #14
glc
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 36,460
There will not be an available TCP/IP route if you don't open any ports in the router/firewall. It should work the same way it does now - when dialed into. I'd just leave the POTS line hooked to the modem and let them dial in when they need to.
glc
09-26-2003, 08:30 PM   #15
Member (7 bit)
Join Date: Dec 2000
Posts: 105
Hi glc

true, the only reason I was going to drop the POTS line off the modem was so that it could be used elsewhere in the office, for an extra FAX line, etc. and switch it back when they needed to dial in.

since we have to pay for the line anyways, and it's not in the hunt group for rollover, may as well get some productivity out of it.

thanks for the info.
zevon8
09-27-2003, 12:49 PM   #16
glc
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 36,460
You can hook the line to a fax machine too - and set the auto answer on the fax to less rings than the modem - and just turn the fax machine off when they need to dial in.
glc
All times are GMT -5.