Force Multi-homed Windows Servers to Use Private Network (only) to Specific Servers?

Hurin

Would tremendously appreciate tips, links, or information on the following problem. . .

Consider. . .

You've got a standard/normal class c network with servers, workstations, visiting laptops, and such.

You've got three Windows servers that must remain on that network so that they can interact with the rest of the network devices and especially the Windows network domain infrastructure. However, those three servers will also be sending and receiving sensitive data that you feel you should protect from man-in-the-middle, ARP/MAC spoofing, etc.

You have been using IPSec encryption between those three servers (configured via group policy) but the performance impact is substantial.

So, via secondary network interfaces on each of the three servers, an unrouted vlan, and physical switches, you're able to create a "private link" network for those three servers and give them 192.168.10.0/24 addresses.

Question: How do you preserve those three servers' ability to communicate to all other network devices and the Windows network domain while configuring them so that they *always* use the private link when talking to each other.

Hosts file? Archaic Windows command line routing commands (with which I have no experience)?

Thanks for any pointers provided!

--H
 
two network interfaces on the server

one "public" NIC on 10.0.0.0/24

one "private" NIC on 192.168.0.0/24

Windows takes care of the rest

Still won't solve anything without running a firewall on the server. You should always protect a Windows Server with the firewall and only allow desired services through it. Setting permissions properly is also key.
 
two network interfaces on the server

Yes. I covered that in the question. That's a given. Doesn't answer the question about how you configure the servers to only use that private link when communicating with each other even though they would conceivably be able to communicate across the routed IP network at the IP addresses registered with the domain's DNS.

Okay, I see you have updated your post. :)

one "public" NIC on 10.0.0.0/24

one "private" NIC on 192.168.0.0/24

Windows takes care of the rest

Still won't solve anything without running a firewall on the server. You should always protect a Windows Server with the firewall and only allow desired services through it. Setting permissions properly is also key.

I do have Windows firewall configured via group policy and would never turn that off. I'd even have firewall on for the private link. I thought perhaps just blocking access via Windows firewall across their routed IPs would do the trick. But I'd hate for the servers to keep repeatedly trying those routed IPs only to be blocked and only then try the private link. Or is Windows smarter than that?

It seems like there should be a more fundamental way of directing the servers to the private link for those three servers only. Rather than depending on Windows firewall to sorta corral them there. ;)

Edit: Also consider that I'd rather not have the private link IPs listed in DNS. So the servers are going to probably need a hosts file entry to find each other I guess.

--H
 
Well, going to give things a try via edited hosts and lmhosts file and some firewall restrictions.

If anyone has a better way, please let me know.

I'll post the results of my own testing and attempt.
 
As long as the "public" network doesn't route to the "secure" network. Traffic to the "secure" network will only traverse those nics.
 
As long as the "public" network doesn't route to the "secure" network. Traffic to the "secure" network will only traverse those nics.
But, again, each server will have an IP address on both the public and the private networks. The issue is how to get Windows to "prefer" the private network and never use the public one but only when communicating with one of the aforementioned three servers. To put it another way, the three servers are now communicating with each other over the public network, and they will continue to be able to do so after I set up the private network. . . so what is the best way to have them start ignoring the public network and only use the private one when communicating among themselves?

Or were you commenting on how it should work after I set up the hosts file?
 
32 bit static routes on the servers pointing the old public addresses to the new secure addresses.
 
Assuming you have the default gateway setup on the public adapter and not private, this all boils down to DNS (unless you are calling the servers by IP). If your DNS for server A is the IP on the public LAN, then that is the IP it will use. If it's the private IP, then it will use that and correctly communicate over the private LAN.

If you can't change the DNS to use the private IP (do not put 2 entries for both. Also, make sure the second NIC is not set to register DNS), then you will have to use the host file. The servers will check host file first, then DNS. So if you put the private IP for each of the servers, they will use the private LAN.
 
But, again, each server will have an IP address on both the public and the private networks. The issue is how to get Windows to "prefer" the private network and never use the public one but only when communicating with one of the aforementioned three servers. To put it another way, the three servers are now communicating with each other over the public network, and they will continue to be able to do so after I set up the private network. . . so what is the best way to have them start ignoring the public network and only use the private one when communicating among themselves?

Or were you commenting on how it should work after I set up the hosts file?


Assuming you have the default gateway setup on the public adapter and not private, this all boils down to DNS (unless you are calling the servers by IP). If your DNS for server A is the IP on the public LAN, then that is the IP it will use. If it's the private IP, then it will use that and correctly communicate over the private LAN.

If you can't change the DNS to use the private IP (do not put 2 entries for both. Also, make sure the second NIC is not set to register DNS), then you will have to use the host file. The servers will check host file first, then DNS. So if you put the private IP for each of the servers, they will use the private LAN.

All of this


You're going to have to either use the static IP or a different DNS name for the private network; you're not going to be able to use the same host name and know it will route through the private network.

Personally I don't like editing host files because it can cause a lot of confusion later on.
 
Assuming you have the default gateway setup on the public adapter and not private, this all boils down to DNS (unless you are calling the servers by IP). If your DNS for server A is the IP on the public LAN, then that is the IP it will use. If it's the private IP, then it will use that and correctly communicate over the private LAN.

If you can't change the DNS to use the private IP (do not put 2 entries for both. Also, make sure the second NIC is not set to register DNS), then you will have to use the host file. The servers will check host file first, then DNS. So if you put the private IP for each of the servers, they will use the private LAN.
Yep, hosts file is now the plan. Should know by end of the day (stuck at home right now). This was my initial suspicion of how it would work. But was wondering if there was a more "elegant" way of doing it.

Will also restrict communication between them on the Windows firewalls on each server on the public network.
 
As expected, it was pretty simple. So I guess there's no need for something fancier or more elegant.

Configured the spare NICs in each server to 192.168.20.0/24 addresses. Edited c:\windows\system32\drivers\etc\hosts on each server to have private address for each other (both the simple netbios name and the fully qualified domain name).

Also went and adjusted firewall rules via group policy so that the same traffic over the public interface would be blocked. . . and set up the firewall rules to allow it on the private network (better safe than sorry, defense in depth, etc.).

The servers now see each other and communicate appropriately. Tested various services and ran a backup over the link. . . everything working great at full 950+Mbps.

Should have just done that yesterday and not hassled everyone with the question. =P
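The hosts-file-plus-firewall setup described in this thread, written out as an added PowerShell example (not the original poster's own script or Group Policy). Server names, FQDNs, addresses, interface aliases and the port list are constructed placeholders.

```powershell
# Added example, not the thread author's own configuration. Hostnames, FQDNs,
# addresses, interface aliases and ports below are constructed placeholders.
# Run in an elevated PowerShell on each of the three servers.

$Peers = @(
    @{ Name = 'SRV01'; Fqdn = 'srv01.corp.example'; Public = '10.0.0.11'; Private = '192.168.20.11' }
    @{ Name = 'SRV02'; Fqdn = 'srv02.corp.example'; Public = '10.0.0.12'; Private = '192.168.20.12' }
    @{ Name = 'SRV03'; Fqdn = 'srv03.corp.example'; Public = '10.0.0.13'; Private = '192.168.20.13' }
)
$PublicAlias  = 'Ethernet'    # NIC on the routed LAN, holds the default gateway
$PrivateAlias = 'Ethernet 2'  # NIC on the unrouted 192.168.20.0/24 VLAN
$Ports        = @('445', '3260')   # constructed: the services that must stay on the private link
$Me           = $env:COMPUTERNAME
$Others       = $Peers | Where-Object { $_.Name -ne $Me }

# 1. Keep the private NIC out of AD DNS so nothing else ever learns the 192.168.20.x address.
Set-DnsClient -InterfaceAlias $PrivateAlias -RegisterThisConnectionsAddress $false

# 2. The resolver checks hosts before DNS, so map each peer's short name and FQDN to its private IP.
$Hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
foreach ($p in $Others) {
    $line = "$($p.Private)`t$($p.Fqdn) $($p.Name)"
    if (-not (Select-String -Path $Hosts -Pattern ([regex]::Escape($line)) -Quiet)) {
        Add-Content -Path $Hosts -Value $line
    }
}
Clear-DnsClientCache

# 3. Firewall: refuse the same traffic from the peers on the public NIC, allow it only on the private NIC.
$PeerPublic  = $Others | ForEach-Object { $_.Public }
$PeerPrivate = $Others | ForEach-Object { $_.Private }
New-NetFirewallRule -DisplayName 'Peers: block private-link services on public NIC' `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort $Ports `
    -RemoteAddress $PeerPublic -InterfaceAlias $PublicAlias | Out-Null
New-NetFirewallRule -DisplayName 'Peers: allow private-link services on private NIC' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Ports `
    -RemoteAddress $PeerPrivate -InterfaceAlias $PrivateAlias | Out-Null

# 4. Verify: each peer name must resolve to its private IP, and the route to it must leave via the private NIC.
foreach ($p in $Others) {
    $resolved = ([System.Net.Dns]::GetHostAddresses($p.Fqdn) | Select-Object -First 1).IPAddressToString
    $egress   = (Find-NetRoute -RemoteIPAddress $resolved | Select-Object -ExpandProperty InterfaceAlias -Unique) -join ','
    "{0,-8} -> {1,-15} via {2}" -f $p.Name, $resolved, $egress
}
```

The two firewall rules can equally be delivered through Group Policy, as the original poster did; the hosts entries are what actually steer the traffic, and the block rule only catches anything that still addresses a peer by its public IP.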
 