Public/private IPs combination

  • Question

  • Hi

    SBS 2011 std.

    We have a few public IPs that we would like to use with some of the machines in the SBS domain for direct remote access. All PCs are currently on the private 192.168.1.x range and some of the machines would still need to remain on that range. My question is: how do we handle public IPs so we can have direct remote access to the relevant PCs while those PCs are also able to work as seamlessly as possible with the rest of the PCs in the same SBS LAN on the private range? We would be using a demarcation router Cisco 887 with 30mb leased line + possibly looking at Cisco 5506X if it would help in the required setup in any way.

    Thanks

    Regards




    • Edited by Y a h y a Thursday, September 17, 2015 1:03 PM
    Thursday, September 17, 2015 12:48 PM

Answers

  • Yahya:

    First: exposing your internal network to the public is a bad idea.

    Second: exposing your internal network to the public is a bad idea.

    Third: exposing your internal network to the public is a bad idea.

    You already have SBS RWA and you could, although this is almost as bad, use different RDP ports for each system you want to address from outside. But this is also not a good idea.

    Now, in case I missed something about the need or desire to do this can you help us understand why you would want to do this?

    And did I say that exposing your internal network to the public is a bad idea?


    Larry Struckmeyer[MVP] If your question is answered please mark the response as the answer so that others can benefit.

    Thursday, September 17, 2015 4:59 PM
  • Well, yes it will be a security issue. Anyone with a port or IP scanner can find those public IPs and bang away at the user names and passwords. They will eventually get in. And then mess with your server from the inside out.

    Better to RWA to the SBS, and have the iDRACs on the same subnet. If you're concerned you need to use the iDRAC on the SBS, or can't access the SBS, put some remote control agent on another box on the same subnet.

    I will add that if you can find the edge device capable of forwarding to a different IP range inside the LAN from outside as well as your internal subnet you could get access that way, but I would only do that if the firewall was able to challenge the connection for usernames and passwords before allowing access. And you should use different user names and passwords on the firewall from any on the LAN.


    Larry Struckmeyer[MVP] If your question is answered please mark the response as the answer so that others can benefit.




    Thursday, September 17, 2015 10:42 PM
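
An added example (not part of the thread and not any poster's code) that audits edge-firewall forwarding rules for the exposure the answers describe: RDP or iDRAC reachable from any source with only the device's own login in front of it, including RDP moved to a different outside port. The rule format, the `src` and `preauth` fields, the port-to-service mapping, the addresses and the severity grading are all assumptions made for the example.

```python
from ipaddress import ip_network

# Assumed inside ports for the services named in the thread.
MGMT_PORTS = {3389: "RDP", 443: "iDRAC web UI"}

# Constructed rules in a hypothetical format (not vendor syntax):
# public IP/port -> inside IP/port, allowed source range, and whether the
# firewall itself authenticates the user before forwarding.
RULES = [
    {"pub": "203.0.113.10", "pub_port": 443, "inside": "192.168.1.50",
     "in_port": 443, "src": "0.0.0.0/0", "preauth": False},
    {"pub": "203.0.113.11", "pub_port": 3390, "inside": "192.168.1.21",
     "in_port": 3389, "src": "0.0.0.0/0", "preauth": False},
    {"pub": "203.0.113.12", "pub_port": 443, "inside": "192.168.1.51",
     "in_port": 443, "src": "0.0.0.0/0", "preauth": True},
    {"pub": "203.0.113.13", "pub_port": 3389, "inside": "192.168.1.22",
     "in_port": 3389, "src": "198.51.100.0/29", "preauth": False},
]

def audit(rules):
    """Return (public endpoint, service, severity, reason) per management rule."""
    findings = []
    for r in rules:
        service = MGMT_PORTS.get(r["in_port"])
        if service is None:
            continue  # not a management service, out of scope here
        world = ip_network(r["src"]).prefixlen == 0
        if world and not r["preauth"]:
            sev, why = "high", "any source reaches the device's own login"
            if r["pub_port"] != r["in_port"]:
                why += "; moving the outside port does not change that"
        elif world:
            sev, why = "medium", "any source, but the firewall challenges first"
        else:
            sev, why = "low", "limited to " + r["src"]
        findings.append((f'{r["pub"]}:{r["pub_port"]}', service, sev, why))
    return findings

if __name__ == "__main__":
    for endpoint, service, sev, why in audit(RULES):
        print(f"{sev:6} {endpoint:20} {service:13} {why}")
```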

All replies

  • Hi Larry

    Public IPs are going to iDRACs on multiple Dell servers. Hopefully that won't be a big security issue and it is really required, we think.

    Thanks

    Regards

    Thursday, September 17, 2015 7:52 PM