Group:  English: Windows Server » microsoft.public.windows.server.sbs
Thread: Topology Question....

Topology Question....
Soulhuntre 28.06.2007 00:28:01
In a perfect world, I would allow SBS to add ISA as a security layer to my
network. That would leave me with this topology... let's call it topology "A".

Cable modem -> Nat / WiFi / Router (uPnP) -> SBS External Nic -> SBS -> SBS
Internal Nic -> Switch -> Workstations

That gives me the most security, but may cause problems (see considerations
below).

Another possibility is... let's call it topology "B".

Cable modem -> SBS External Nic -> SBS -> SBS Internal Nic -> Nat / WiFi /
Router (uPnP) -> Workstations

That keeps me with ISA as a good firewall layer, though it may cause separate
issues.

The last possibility is... let's call it topology "C".

Cable modem -> Nat / WiFi / Router (uPnP) -> Switch -> Workstations and SBS
server

Considerations:

Since we are a game development company we do have an XBOX 360 on the
network that REQUIRES uPnP to function well and is WiFi.

Under topology A I can hook that directly into the router via WiFi and
it will be outside my network. That should work fine for Xbox Live, but my
research shows that the ISA will cause problems with the Xbox getting into
the intranet to act as a media extender for data on internal shares.

Under Topology B the Media Extender functionality will work fine, but the
lack of uPnP on the ISA firewall will cause serious problems for Xbox Live
testing.

Topology "C" is probably the least intrusive change - SBS will just use uPnP
to configure the firewall and all will be well. The only thing I really lose
is the extra layer of protection from the ISA firewall.

I know this forum is pretty down on uPnP - but for a small company doing
this type of development we can't ignore it, and we don't have the resources to
fire up too many divergent networks. Our developers need to get to Exchange
and need to be able to work on the Xbox. We can't put the Xbox on a network
of its own because XNA (the developer kit) needs PC <-> Xbox access.

Thanks for your thoughts!
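The post above weighs the router's uPnP against the ISA layer it would bypass. The practical check before deciding is to see what uPnP has already opened on the router, because any LAN host (or anything running on one) can ask an Internet Gateway Device for a port mapping without authentication. The following is an added example written for this page, not code from the thread: it builds the SSDP discovery packet, walks the WANIPConnection action GetGenericPortMappingEntry until the router reports UPnP error 713 (end of table), and flags mappings that expose Windows service ports. The replies it runs against are constructed, not captured from a real router, and the deny-list of ports is an assumption to tune for your network.

```python
"""Audit the port mappings a UPnP Internet Gateway Device currently exposes.

Hypothetical helper added to this thread, not code from the original posts.
It builds the SSDP M-SEARCH used to locate the router, walks the WANIPConnection
action GetGenericPortMappingEntry index by index until the device answers UPnP
error 713 (SpecifiedArrayIndexInvalid), and flags mappings that publish a
Windows, AD, SQL or SMTP port to the Internet. The transport is an injected
callable, so the parsing runs offline against the constructed replies below.
"""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"
# Assumption: ports a LAN host must never be able to publish through the router.
RISKY_INTERNAL_PORTS = {25, 135, 137, 138, 139, 389, 445, 636, 1433, 3389}


def ssdp_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Multicast discovery datagram a control point sends to find the IGD."""
    return ("M-SEARCH * HTTP/1.1\r\n" f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
            'MAN: "ssdp:discover"\r\n' f"MX: {mx}\r\nST: {st}\r\n\r\n").encode("ascii")


def soap_get_mapping(index: int) -> bytes:
    """SOAP request for GetGenericPortMappingEntry(NewPortMappingIndex=index)."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>").encode("utf-8")


def parse_mapping(reply: bytes) -> Optional[dict]:
    """One mapping as a dict of its New* arguments, or None on UPnP error 713."""
    root = ET.fromstring(reply)
    ns = {"s": SOAP_NS, "c": CTRL_NS}
    fault = root.find(".//s:Fault", ns)
    if fault is not None:
        code = fault.findtext(".//c:errorCode", namespaces=ns)
        if code == "713":
            return None                      # no entry at this index: end of table
        raise RuntimeError(f"UPnP error {code}")
    response = root.find("s:Body", ns)[0]    # u:GetGenericPortMappingEntryResponse
    return {child.tag: (child.text or "") for child in response}


def enumerate_mappings(send: Callable[[bytes], bytes], limit: int = 256) -> List[dict]:
    """Walk indices 0..limit-1 until the device reports the index invalid."""
    mappings = []
    for index in range(limit):
        entry = parse_mapping(send(soap_get_mapping(index)))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def risky_mappings(mappings: List[dict]) -> List[dict]:
    """Enabled mappings whose internal port is on the deny-list above."""
    return [m for m in mappings if m.get("NewEnabled", "1") == "1"
            and int(m.get("NewInternalPort") or 0) in RISKY_INTERNAL_PORTS]


def soap_sender(control_url: str) -> Callable[[bytes], bytes]:
    """Real transport: POST to the WANIPConnection controlURL from the device description."""
    def send(body: bytes) -> bytes:
        req = urllib.request.Request(control_url, data=body, headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPACTION": f'"{WANIP}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:    # SOAP faults arrive as HTTP 500
            return err.read()
    return send


# Constructed sample replies (not captured from a real router): an Xbox Live
# mapping, an SMB mapping nobody should have, then the fault that ends the walk.
def _envelope(inner: str) -> bytes:
    return f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>{inner}</s:Body></s:Envelope>'.encode()


def _mapping_reply(ext: int, proto: str, internal: int, client: str, desc: str) -> bytes:
    return _envelope(
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>")


CONSTRUCTED_REPLIES = [
    _mapping_reply(3074, "UDP", 3074, "192.168.1.50", "Xbox Live"),
    _mapping_reply(445, "TCP", 445, "192.168.1.2", "unexpected"),
    _envelope('<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
              f'<detail><UPnPError xmlns="{CTRL_NS}"><errorCode>713</errorCode>'
              '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
              '</UPnPError></detail></s:Fault>'),
]


def constructed_send(request: bytes) -> bytes:
    """Offline stand-in for soap_sender(): answers by the requested index."""
    index = int(re.search(rb"<NewPortMappingIndex>(\d+)<", request).group(1))
    return CONSTRUCTED_REPLIES[min(index, len(CONSTRUCTED_REPLIES) - 1)]


if __name__ == "__main__":
    found = enumerate_mappings(constructed_send)
    for m in found:
        print(f'{m["NewProtocol"]}/{m["NewExternalPort"]} -> '
              f'{m["NewInternalClient"]}:{m["NewInternalPort"]}  {m["NewPortMappingDescription"]}')
    print("risky:", [m["NewPortMappingDescription"] for m in risky_mappings(found)])
```

Against a live router, send ssdp_msearch() to 239.255.255.250:1900 over UDP, fetch the device description from the LOCATION header of the reply, take the controlURL of the WANIPConnection service from it, and pass that URL to soap_sender() in place of constructed_send. The 713 fault is the normal terminator, so a router that answers it on index 0 simply has no mappings; any other error code is raised rather than silently treated as "nothing open".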

Re: Topology Question....
"Eugene Tan" <TechHelp-at.insights.com.sg[ at ]newsgroups.nospam> 28.06.2007 06:12:22
hi,

I think you may not have adequate understanding, based on your
description of topology B & C.

In "C", the scenario works if the SBS is using only 1 NIC.
The whole network (not just SBS) then won't have the protection of
ISA (which is on the SBS). Also, if you enable the WiFi of the router,
IMO that might be a big risk since it exposes your entire LAN to WiFi,
and securing air can be pretty difficult.

As I understand it, you need uPNP in order for the Xbox Live to auto
configure. You also need the developers to have access to the Xbox.

I'm not sure how to configure for Xbox Live or media extender over
a router, but if you have the necessary ports etc, I believe you can try
to do this.

You can try topoA and enable uPNP. uPNP is supported by SBS.
But you will need to configure the necessary ports on ISA so that
traffic can move from your Xbox to PCs behind the ISA. It opens
up some ports in your ISA, but if you disable the WiFi of this 'DMZ'
network, it is a reasonably safe solution.

Another suggestion is a variation of your topo A & B and safer.
Use topoA or topoB - SBS can be directly connected to the Cmodem
or a router. SBS internal NIC connects to switch, connect PCs
directly to switch.

Connect router's WAN port to the switch, and connect your Xbox
to LAN port of router. Enable uPNP. You need to configure the
router to route traffic between the SBS LAN as well as set the
Internet gateway to the SBS IP. Fix an IP for the router, or use SBS
DHCP to reserve the router's IP. Configure ISA to accept all
outbound traffic for the router IP addr. If you don't enable Wifi, you
can probably enable all traffic on the router (i.e. make it open).

If you have a manageable switch you can also configure VLANs
if the switch supports uPNP.
My suggestion may be unnecessarily complex because I don't know
the uPNP protocol, otherwise you could simply drop the router.

HTH,
Eugene Tan
SBS MVP

Re: Topology Question....
Soulhuntre 28.06.2007 06:48:01
Hey there ... my comments are below...

[Quoted Text]
> You can try topoA and enable uPNP. uPNP is supported by SBS.
> But you will need to configure the necessary ports on ISA so that
> traffic can move from your Xbox to PCs behind the ISA. It opens
> up some ports in your ISA, but if you disable the WiFi of this 'DMZ'
> network, it is a reasonbly safe solution.

That's what I am thinking is the safest... Topo A allows the Xbox unfettered
access to the net at large, and keeps WiFi outside my intranet. The only
sticking points will be...

1) Can I get the Xbox to hit the media extender functions on the internal
network

2) Can I get the intranet boxes to properly make all the outgoing
connections they need (I can probably just enable all outgoing traffic at
the ISA - the risk is minor in my circumstance).

When you say SBS "supports" uPnP... you don't mean the ISA in SBS has a uPnP
proxy module, right? ISA never used to have that.

Re: Topology Question....
"Eugene Tan" <TechHelp-at.insights.com.sg[ at ]newsgroups.nospam> 30.06.2007 07:59:26
hi,

If you know what traffic flows between xbox and the PCs, you can config
ISA for it.

I'm not sure what you mean by Ques2. You can configure ISA to
allow certain types of traffic, by default it does, based on the userID's
group type.

HTH,
Eugene Tan

