Help putting together a server for Routing/Firewall/VPN purposes

We're currently in the process of putting together our own server Firewall/Router. We were going to use a dedicated solution from someone like Juniper or Watchguard, but it is going to be a lot more cost-effective if we use a server machine we were planning to get already, instead.

About us: We're a website that is going to have two servers behind the Firewall/Router Server (a web server and a database server). All three servers are going to be running Windows Server 2008 R2 x64.

Excuse the crudity of my diagram (I know it's not even close to being technically correct, but it hopefully makes our topology a little clearer)...

Diagram

#1 ROUTING

We are using RRAS to configure our routing. At the moment this is configured to give our Web App server internet access (through RRAS's NAT) but I need to set up port forwarding so that any request to port 80 is sent directly to the Web App server.

#2 FIREWALL

Would Windows Advanced Firewall do our required job acceptably? (I imagine the answer to this is yes.)

#3 VPN

Setting up a VPN has been a pain so far (certificates are annoying!). Every tutorial I've seen seems to have DNS and DHCP roles running on their VPN machine... why is this? Are they both necessary or can I bin them?

Overall

Are there any more tips on how to configure this server for our needs?

Thanks for any advice. I'm sorry if this is a really badly asked question! (There is a bounty, at least :)


You can use RRAS for firewalling, NAT and VPN, so, yes, you can give a single public IP address to your Windows Server 2008 firewall and have it route traffic for all your internal network and forward specific ports (e.g. 80) to your internal servers, and you can also have it act like a VPN server (PPTP and/or L2TP). RRAS has been around since Windows 2000, and it does its job quite nicely for simple setups.

It isn't a full firewall/proxy solution, though; you can't define fine-grained policies, it doesn't do any web proxying (be it straight or reverse), it can't filter traffic at the application level and it doesn't log network traffic for further analysis.

In short: yes, RRAS can do anything you need, simply and somewhat crudely; but it isn't a full-blown network access and security solution like ISA or TMG.


I just set up something pretty similar about an hour ago. Windows Server 2008 R2 is a fully viable solution for what you're doing.

I agree with the comments so far about using ISA for the firewall. Windows firewall could work but it's pretty basic and doesn't have any IDS or filtering. ISA is the way to go if you can, otherwise Windows Firewall is ok as a stepping stone.

For your VPN, no, DNS and DHCP don't need to be on the same server as RRAS. DNS can be anywhere, and DHCP just needs to be in the internal subnet.

For your internal IPs, they can originate on the firewall/router server, so the top left line in your diagram is really a line inside of the green line. Use VPN to connect to the firewall/router/vpn server which will assign an internal IP.

For the database server, just give it an internal IP and it will only be accessible from the inside.

On the router server's internal NIC, assign an x.x.x.1 (i.e. 10.0.0.1) IP and use that as your gateway for your internal NIC on the web server and for your database server. That will give you the internal network and routing.

Also, if you install RD Gateway Server, you can RDP to your inside computer from outside the network too.
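The internal addressing and host-firewall side of this answer, as an added example that is not from the question or any of the answers. It assumes the 10.0.0.0/24 subnet with the RRAS box's internal NIC at 10.0.0.1 (as in the answer), the web server at 10.0.0.2, the database server at 10.0.0.3 listening on SQL Server's TCP 1433, and an internal NIC renamed LAN on each server; the port-80 NAT mapping on the RRAS box itself is configured in RRAS and is not part of this.

```powershell
# Added example, not the question's or answers' own configuration.
# Assumed values: internal subnet 10.0.0.0/24, RRAS internal NIC 10.0.0.1,
# web server 10.0.0.2, database server 10.0.0.3 (TCP 1433), NIC named LAN.
# Run each section in an elevated prompt on the server it names.

# --- Router/RRAS server: internal NIC only, no gateway here (the public
#     NIC carries the default gateway, otherwise routing breaks) ---
netsh interface ipv4 set address name=LAN source=static address=10.0.0.1 mask=255.255.255.0

# --- Web server: static internal address, gateway = the RRAS box ---
netsh interface ipv4 set address name=LAN source=static address=10.0.0.2 mask=255.255.255.0 gateway=10.0.0.1
# Block everything inbound by default, then open only HTTP (the port the
# RRAS NAT forwards). RDP/management access is deliberately not opened here.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name=Web-HTTP-In dir=in action=allow protocol=TCP localport=80

# --- Database server: internal address only; SQL reachable solely from
#     the web server's internal IP. No explicit block rule for 1433 is
#     added: in Windows Firewall a block rule would override the allow. ---
netsh interface ipv4 set address name=LAN source=static address=10.0.0.3 mask=255.255.255.0 gateway=10.0.0.1
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name=SQL-From-Web dir=in action=allow protocol=TCP localport=1433 remoteip=10.0.0.2

# --- Checks (any server) ---
netsh interface ipv4 show addresses
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=SQL-From-Web verbose
```

Because the default inbound policy is block, anything not listed (including 1433 from the router or from outside) is dropped; the show commands confirm the effective address, policy and rule scope.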


If you are set on using a Server2008 box as your firewall, then you may want to consider using ISA.