DNS & Firewall - Best Practice

Similar Messages

• DNS Configured-Best Practice on Snow Leopard Server?

  How many of you configure and run DNS on your Snow Leopard server as a best practice, even if that server is not the primary DNS server on the network, and you are not using Open Directory? Is configuring DNS a best practice if your server has a FQDN name? Does it run better?
  I had an Apple engineer once tell me (this is back in the Tiger Server days) that the servers just run better when DNS is configured correctly, even if all you are doing is file sharing. Is there some truth to that?
  I'd like to hear from you either way, whether you're an advocate for configuring DNS in such an environment, or if you're not.
  Thanks.

  Ok, local DNS services (unicast DNS) are typically straightforward to set up, very useful to have, and can be necessary for various modern network services, so I'm unsure why this is even particularly an open question.  Which leads me to wonder what other factors might be under consideration here; of what I'm missing.
  The Bonjour mDNS stuff is certainly very nice, too.  But not everything around supports Bonjour, unfortunately.
  As for being authoritative, the self-hosted out-of-the-box DNS server is authoritative for its own zone.  That's how DNS works for this stuff.
  And as for querying other DNS servers from that local DNS server (or, if you decide to reconfigure it and deploy and start using DNS services on your LAN), then that's how DNS servers work.
  And yes, the caching of DNS responses both within the DNS clients and within the local DNS server is typical.  This also means that there is need no references to ISP or other DNS servers on your LAN for frequent translations; no other caching servers and no other forwarding servers are required.

• Setup internal and external DNS namespaces best practice

  Is external name space (e.g. companydomain.com) and internal name space (e.g. corp.companydomain.com or companydomain.local) able to run on the same DNS server (using Microsoft Windows DNS servers)?
  MS said it is highly recommended to use a subdomain to handle internal name space - say corp.companydomain.com if the external namespace is companydomain.com.  How shall this be setup?  Shall I create my ADDS domain as corp.companydomain.com directly
  or companydomain.com then create a subdomain corp?
  Thanks in advanced.
  William Lee
  Honf Kong

  Is external name space (e.g. companydomain.com) and internal name space (e.g. corp.companydomain.com or companydomain.local)
  able to run on the same DNS server (using Microsoft Windows DNS servers)?
  Yes, it is technically feasible. You can have both of them running on the same DNS server(s). Just only your public DNS zone can be published for external resolution.
  MS said it is highly recommended to use a subdomain to handle internal name space - say corp.companydomain.com
  if the external namespace is companydomain.com.  How shall this be setup?  Shall I create my ADDS domain as corp.companydomain.com directly or companydomain.com then create a subdomain corp?
  What is recommended is to avoid having a split-DNS setup (You internal and external DNS names are the same). This is because it introduces extra complexity and confusion when managing it.
  My own recommendation is to use .local for internal zone and .com for external one.
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• DNS best practice in local domain network of Windows 2012?

  Hello.
  We have a small local domain network in our office. Which one is the best practice for the DNS: to setup a DNS in our network forwarding to public DNSs or directly using public DNS in all computers including
  server?
  Thanks.
  Selim

  Hi Selim,
  Definately the first option  "setup a DNS in our network forwarding to public DNSs " and all computers including server has local DNS configured
  Even better best practice would be, this local DNS points to a standalone DNS server in DMZone which queries the public DNS.
  Using a centralized DNS utilizes the DNS cache to answer similar queries, resulting in faster response time, less internet usage for repeated queries.
  Also an additional DNS layer helps protect your internal DNS data from attackers out in the internet.
  Using internal DNS on all the computer will also help you host intranet websites and accessibility to them directly. Moreover when you are on a AD domain, you need to have the computers DNS configured properly for AD authentication to happen.
  Regards,
  Satyajit
  Please “Vote As Helpful”
  if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• 2K8 - Best practice for setting the DNS server list on a DC/DNS server for an interface

  We have been referencing the article 
  "DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers"
  http://technet.microsoft.com/en-us/library/dd378900%28WS.10%29.aspx but there are some parts that are a bit confusing.  In particular is this statement
  "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain
  controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller.
  The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller.”
  The paragraph switches from using the term "its own IP address" to "loopback" address.  This is confusing becasuse technically they are not the same.  Loppback addresses are 127.0.0.1 through 127.255.255.255. The resolution section then
  goes on and adds the "loopback address" 127.0.0.1 to the list of DNS servers for each interface.
  In the past we always setup DCs to use their own IP address as the primary DNS server, not 127.0.0.1.  Based on my experience and reading the article I am under the impression we could use the following setup.
  Primary DNS:  Locally assigned IP of the DC (i.e. 192.168.1.5)
  Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
  Tertiary DNS:  127.0.0.1
  I guess the secondary and tertiary addresses could be swapped based on the article.  Is there a document that provides clearer guidance on how to setup the DNS server list properly on Windows 2008 R2 DC/DNS servers?  I have seen some other discussions
  that talk about the pros and cons of using another DC/DNS as the Primary.  MS should have clear guidance on this somewhere.

  Actually, my suggestion, which seems to be the mostly agreed method, is:
  Primary DNS:  Locally assigned IP of the DC (i.e. 192.168.1.5)
  Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
  Tertiary DNS:  empty
  The tertiary more than likely won't be hit, (besides it being superfluous and the list will reset back to the first one) due to the client side resolver algorithm time out process, as I mentioned earlier. Here's a full explanation on how
  it works and why:
  This article discusses:
  WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB).
  The DNS Client Side Resolver algorithm.
  If one DC or DNS goes down, does a client logon to another DC?
  DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders)
  Client side resolution process chart
  http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-
  logon-to-another-dc-and-dns-forwarders-algorithm.aspx
  DNS
  Client side resolver service
  http://technet.microsoft.com/en-us/library/cc779517.aspx 
  The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
  http://support.microsoft.com/kb/320760
  Ace Fekay
  MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.
  I agree with this proposed solution as well:
  Primary DNS:  Locally assigned IP of the DC (i.e. 192.168.1.5)
  Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
  Tertiary DNS:  empty
  One thing to note, in this configuration the Best Practice Analyzer will throw the error:
  The network adapter Local Area Connection 2 does not list the loopback IP address as a DNS server, or it is configured as the first entry.
  Even if you add the loopback address as a Tertiary DNS address the error will still appear. The only way I've seen this error eliminated is to add the loopback address as the second entry in DNS, so:
  Primary DNS:  The assigned IP of another DC (i.e. 192.168.1.6)
  Secondary DNS: 127.0.0.1
  Tertiary DNS:  empty
  I'm not comfortable not having the local DC/DNS address listed so I'm going with the solution Ace offers.
  Opinion?

• IronPort ESA best practice for DNS servers?

  Hello!
  Is there a best practice for what servers should be used for the Cisco IronPort DNS servers?
  Currently when I check our configuration, we have set it to "Use these DNS servers" and the first two are our domain controllers and last two are Google DNS.
  Is there a best practice way of doing this? I'm thinking of selecting the "Use the Internet's Root DNS Servers" option as I can't really see an advantage of using internal DC's.
  Thoughts?

  Best practice is to use Internet Root DNS Servers and define specific dns servers for any domain that you need to give different answers for. Since internal mail delivery is controlled by smtproutes using internal dns servers is normally not required.
  If you must use internal dns servers I recommend servers dedicated to your Ironports and not just using servers that handle enterprise lookups as well. Ironports can place a very high load on dns servers because every outside connection results in multiple dns lookups. (forward, reverse, sbrs)
  If you don't have enough dns horsepower you are susceptible to a DOS attack either through accident or design. If the Ironports overload your internal dns servers it can impact your entire enterprise.

• CAS array internal DNS IP address best practice

  Hi, Just a question about a best practice approach for DNS and CAS arrays.
  I have an Exchange 2010 Org. I have two CAS/HUB servers and two MBX servers. My external DNS (mail.mycompany.biz) host record points to a public IP address which is NAT'd to the internal IP address of my NLB CAS cluster. I maintain a split brain
  DNS. Should the internal DNS entry for mail.mycompany.biz also point to the public IP address or should it point to the internal IP address of the NLB cluster?

  A few comments:
  The reason you have split DNS is to do exactly these sort of things: inside users hit the inside IP and outside users hit the outside IP.  You'll have to look at your overall network design to see if it makes sense for users to take this shortest route
  to the services, or if there is value in knowing all users simply take the same path.
  You should not be using the same DNS name for your web services (e.g. OWA) as you are for your CAS array.  This can cause very long connection delays on Outlook clients, not to mention overall confusion in your design.  Many orgs will use something
  like "outlook.domain.com" for the Client Access Array and "mail.domain.com" for the web services.  Only the later of these two need to be exposed to the internet.
  Keep in mind, Exchange 2013 dramatically changes this guidance.  There is no more CAS array, and the
  recommended design is to use dedicated namespaces for each web service.
  Mike Crowley | MVP
  My Blog --
  Planet Technologies

• Best practice DNS in VPN environment for Lync2013 clients

  So I do have those site2site VPNs to connect the small branch offices to the main office. Internal DNS makes sure, that the branch offices can acess all the servers/services in the main office with their domain.local namespace.
  In such a scenario will the Lync2013 clients connect through the VPN to the internal sites due to both lyncdiscover and lyncdiscoverinternal being available?
  Wouldn't it cause way less burden on the VPN routers if clients would simply go out to the internet and connect from the external side so all the Lync traffic does not have to be stuffed through the VPN pipe? I dont see the point to encrypt the traffice
  once more.
  Thanks for your suggestions about best practices!
  HST

    Hi,
  When users connect to the corporate network using a VPN client, Lync media traffic is sent through the VPN tunnel. This configuration can create additional latency and jitter because media traffic must pass through an additional layer of encryption and
  decryption. The issue is compounded when the VPN concentrator is busy.
  If you want to connect Lync server from public network you need to deploy an Edge server.
  The solution to force VPN traffic through the Edge Servers must allow external Lync clients connected through VPN, you can refer to the part of "Solution Configuration" in the link below:
   http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• DNS best practice question

  Hello,
  we currently have an issue regarding DNS in a multiple Domain Forest.
  first of all, in the forest there are 5 Domains (names changed):
  dom1.domain.org
  sub.dom1.domain.org
  dom2.domain.org
  dom1.url.de
  dom.de
  As you see, a forest full of Domains not matching ;-)
  We also have multiple sites, and as per network requirements, replication is made trough Domain: dom1.domain.org
  All other Domains replicate only with this one.
  The DNS is currently set up as follows:
  Each Domain Controller holds its own domain as primary AD integrated Domain in DNS (Domain wide repl.).
  All others are set up as Forest Wide AD integrated Stubs.
  Each startup we get Event 4515 on the DCs, that a Zone is available twice.
  So, I have to troubleshoot this infrastructure now.
  Can you tell me, what is best practice here to set up DNS correctly with less replication traffic as possible?
  Best regards

  By Default DNS Zone replication Scope is Domainwide but except _MSDCS Zone . _MSDCS Zone replication should be forest wide. In addition Replication Scope can be decide as per your business requirment.
  Regards~Biswajit
  Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
  MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
  MY BLOG
  Domain Controllers inventory-Quest Powershell
  Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
  Generate a Report for installed Hotfix for Bulk Servers

• DNS best practices for hub and spoke AD Architecture?

  I have an Active Directory Forest with a forest root such as joe.co and the root domain of the same name, and root DNS servers (Domain Controllers) dns1.joe.co and dns2.joe.co
  I have child domains with names in the form region1.joe.com, region2.joe.co and so on, with dns servers dns1.region1.joe.co and so on.
  Each region has distribute offices that may have a DC in them, servers named in the form dns1branch1.region1.joe.co
  Over all my DNS tests out okay, but I want to get the general guidelines for setting up new DCs correct.
  Configuration:
  Root DC/DNS server dns1.joe.co adapter settings points DNS to itself, then two other root domain DNS/DCs dns2.joe.co and dns3.joe.co.
  The other root domain DNS/DCs adapter settings point to root server dns1.joe.co and then to itself dns2.joe.co, and then 127.0.0.1
  The regional domains have a root dns server dns1.region1.joe.co with adapter that that points to root server dns1.joe.co then to itself.
  The additional region domain DNS/DCs adapter settings point to dns1.region1.joe.co then to itself then to dn1.joe.co
  What would you do to correct this topology (and settings) or improve it?
  Thanks in advance
  just david

  Hi,
  According to your description, my understanding is that you need suggestion about your DNS topology.
  In theory, there is no obvious problem. Except for the namespace and server plaining for DNS, zone is also needed to consideration. If you place DNS server on each domain and subdomain, confirm that if the traffic browsed by DNS will affect the network performance.
  Besides, fault tolerance and security are also necessary.
  We usually recommend that:
  DC with DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. And when referencing a DNS server on itself, a DNS client
  should always use a loopback address and not a real IP address. detailed information you may reference:
  What is Microsoft's best practice for where and how many DNS servers exist? What about for configuring DNS client settings on DC’s and members?
  http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest
  How To Split and Migrate Child Domain DNS Records To a Dedicated DNS Zone
  http://blogs.technet.com/b/askpfeplat/archive/2013/12/02/how-to-split-and-migrate-child-domain-dns-records-to-a-dedicated-dns-zone.aspx
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Best practices for 2 x DNS servers with 2 x sites

  I am curious if someone can help me with best practices for my DNS servers.  Let me give my network layout first.
  I have 1 site with 2 x Windows 2012 Servers (1 GUI - 10.0.0.7, the other CORE - 10.0.0.8) the 2nd site connected via VPN has 2 x Windows 2012R2 Servers (1 GUI - 10.2.0.7, the other CORE - 10.2.0.8)  All 4 servers are promoted to DC's and have DNS services
  running.
  Here goes my questions:
  Site #1
  DC-01 - NIC IP address for DNS server #1 set to 10.0.0.8, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.2.0.7 & 10.2.0.8)
  DC-02 - NIC IP address for DNS server #1 set to 10.0.0.7, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.2.0.7 & 10.2.0.8)
  Site #2
  DC-01 - NIC IP address for DNS server #1 set to 10.2.0.8, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.0.0.7 & 10.0.0.8)
  DC-02 - NIC IP address for DNS server #1 set to 10.2.0.7, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.0.0.7 & 10.0.0.8)
  Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local
  > properties > Name Servers should I have all of my other DNS servers, or should I have my WAN DNS servers? In a single server scenario I always put my WAN DNS server but a bit unsure in this scenario. 
  Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local > properties > General > Type should all servers be set to
  Active Directory - Integrated > Primary Zone? Should any of these be set to
  Secondary Zone?
  Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local > properties > Zone Transfers should I allow zone transfers?
  Would the following questions be identical to the Forward Lookup Zone mydomain.local as well?

  I am curious if someone can help me with best practices for my DNS servers.  Let me give my network layout first.
  I have 1 site with 2 x Windows 2012 Servers (1 GUI - 10.0.0.7, the other CORE - 10.0.0.8) the 2nd site connected via VPN has 2 x Windows 2012R2 Servers (1 GUI - 10.2.0.7, the other CORE - 10.2.0.8)  All 4 servers are promoted to DC's and have DNS services
  running.
  Here goes my questions:
  Site #1
  DC-01 - NIC IP address for DNS server #1 set to 10.0.0.8, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.2.0.7 & 10.2.0.8)
  DC-02 - NIC IP address for DNS server #1 set to 10.0.0.7, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.2.0.7 & 10.2.0.8)
  Site #2
  DC-01 - NIC IP address for DNS server #1 set to 10.2.0.8, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.0.0.7 & 10.0.0.8)
  DC-02 - NIC IP address for DNS server #1 set to 10.2.0.7, DNS server #2 set to 127.0.0.1 (should I add my 2nd sites DNS servers under Advanced as well? 10.0.0.7 & 10.0.0.8)
  Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local
  > properties > Name Servers should I have all of my other DNS servers, or should I have my WAN DNS servers? In a single server scenario I always put my WAN DNS server but a bit unsure in this scenario. 
  Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local > properties > General > Type should all servers be set to
  Active Directory - Integrated > Primary Zone? Should any of these be set to
  Secondary Zone?
  Under the DNS management > Forward Lookup Zones > _msdcs.mydomain.local > properties > Zone Transfers should I allow zone transfers?
  Would the following questions be identical to the Forward Lookup Zone mydomain.local as well?
  Site1
  DC1: Primary 10.0.0.7. Secondary 10.0.0.8. Tertiary 127.0.0.1
  DC2: Primary 10.0.0.8.  Secondary 10.0.0.7. Tertiary 127.0.0.1
  Site2
  DC1: Primary 10.2.0.7.  Secondary 10.2.0.8. Tertiary 127.0.0.1
  DC2: Primary 10.2.0.8.  Secondary 10.2.0.7. Tertiary 127.0.0.1
  The DC's should automatically register in msdcs.  Do not register external DNS servers in msdcs or it will lead to issues. Yes, I recommend all zones to be set to AD-integrated. No need to allow zone transfers as AD replication will take care
  of this for you.  Same for mydomain.local.
  Hope this helps.  

• Looking for best practices when creating DNS reverse zones for DHCP

  Hello,
  We are migrating from ISC DHCP to Microsoft DHCP. We would like the DHCP server to automatically update DNS A and PTR records for computers when they get an IP. The question is, what is the best practice for creating the reverse look up zones in DNS? Here
  is an example:
  10.0.1.0/23
  This would give out IPs from 10.0.1.1-10.0.2.254. So with this in mind, do we then create the following reverse DNS zones?:
  1.0.10.in-addr.arpa AND 2.0.10.in-addr.arpa
  OR do we only create:
  0.10.in-addr.arpa And both 10.0.1 and 10.0.2 addresses will get stuffed into those zones.
  Or is there an even better way that I haven't thought about? Thanks in advance.

  Hi,
  Base on your description, creating two reverse DNS zones 1.0.10.in-addr.arpa and 2.0.10.in-addr.arpa, or creating one reverse DNS zone 0.10.in-addr.arpa, both methods are all right.
  Best Regards,
  Tina

• ICMP Best Practices for Firewall

  Hello,
  Is there a such Cisco documentation for ICMP best practices for firewall?
  Thanks

  Hello Joe,
  I havent look for such a document but what I can tell you is the following?
  ICMP is a protocol that let us troubleshoot or test whether IP routing is good on our network or if a host is live on our network so I can tell you that from that perspective this is definetly something good (Not to mention some of the other good usage that we can provide to this protocol such for PATH MTU Discovery, etc).
  But you also have to be careful with this protocol as we all know it's also used to scan or discover hosts on our network.. Even to perform DoS attacks (Smurf attack, etc).
  So what's the whole point of this post:
  Well at least on my opinion I would allow ICMP on my network but I would definetly permit only the right ICMP code messages and I would protect my network against any known vulnerability regarding DoS attacks with ICMP, In this case I will still take advantage of the really useful protocol while protecting my enviroment,
  Hope that I could help
  For Networking Posts check my blog at http://laguiadelnetworking.com/
  Cheers,
  Julio Carvajal Segura

• Best Practices when replacing 2003 server R2 with a new domainname and server 2012 r2 on same lan network

  I have a small office (10 computers with five users) that have a Windows 2003 server that has a corrupted AD. Their 2003 server R2 is essentially a file server and provides authentication.  They purchased a new Dell 2012 R2 server.  
  It seems easier to me to just create a new domain (using their public domain name).  
  But I need as little office downtime. as possible . Therefore I would like to promote this server to its new domain on the same lan as the current domain server.  I plan to manually replicate the users and folder permissions.  Once done, I plan to
  remove the old server from the network and join the office computers to the new domain.  
  They also they are also running a legacy application that will require some tweaking by another tech. I have been hoping to prep the new domain prior to new legacy tech arriving.  That is why I would like both domain to co-exist temporarily. I have read
  that the major issues involved in this kind of temporary configuration will then be related to setting up dns.  They are using the firewall to provide dhcp.
  Are there any best practices documents for this situation?
  Or is there a better or simpler strategy?
  Gary Metz

  I followed below two links. I think it should be the same even though the links are 2008 R2 migration steps.
  http://kpytko.pl/active-directory-domain-services/adding-first-windows-server-2008-r2-domain-controller-within-windows-2003-network/
  http://blog.zwiegnet.com/windows-server/migrate-server-2003-to-2008r2-active-directory-and-fsmo-roles/
  Hope this help!

• Best Practices for Integrating UC-5x0's with SBS 2003/8?

  Almost all of Cisco's SBCS market is the small and medium business space.  Most, if not all of these SMB's have a Microsoft Small Business Server 2003 or 2008. It will be critical, In order for Cisco to be considered as a purchase option, that the UC-5x0 integrates well into these networks.
  To that end, I see a  lot of talk here about how to implement parts and pieces of this, but no guidance from Cisco, no labs and no best practices or other documentation. If I am wrong, please correct me.
  I am currently stumbling through and validating these configurations myself, Once complete, I will post detailed recommendations. However, it would have been nice to have a lab to follow instead of having to learn from each mistake.
  Some of the challanges include;
  1. Where should the UC-540 be placed: As the gateway for QOS or behind a validated UC-5x0 router/security appliance combination
  2. Should the Microsoft Windows Small Business Server handle DCHP (as Microsoft's documentation says it must), or must the UC-540 handle DHCP to prevent loss of features? What about a DHCP relay scheme?
  3. Which device should handle DNS?
  My documentation (and I recommend that any Cisco Lab/Best Practice guidence include it as well) will assume the following real-world scenario, the same which applies to a majority of my SMB clients;
  1. A UC-540 device utilizing SIP for the cost savings
  2. High Speed Internet with 5 static routable IP addresses
  3. An existing Microsoft Small Business Server 2003/8
  4. An additional Line of Business Application or Terminal Server that utilizes the same ports (i.e. TCP 80/443/3389) as the UC-540 and the SBS, but on seperate routable IP's (Making up crazy non-standard port redirections is not an option).
  5. A employee who teleworks from various places that provide a seat and a network jack, which is not under our control (i.e. a employees home, a clients' office, or a telework center). This teleworker should use the built in VPN feature within the SPA or 7925G phones because we will not have administrative access to any third party's VPN/firewall.
  Your thoughs appreciated.

  Progress Report;
  The following changes have been made to the router in support of the previously detailed scenario. Everything appears to be working as intended.
  DHCP is still on the UC540 for now. DNS is being performed by the SBS 2008.
  Interestingly, the CCA still works. The NAT module even shows all the private mapped IP's, but no the corresponding public IP's. I wouldnt recommend trying to make any changes via the CCA in the NAT module.  
  To review, this configuration assumes the following;
  1. The UC540 has a public IP address of 4.2.2.2
  2. A Microsoft Small Business Server 2008 using an internal IP of 192.168.10.10 has an external IP of 4.2.2.3.
  3. A third line of business application server with www, https and RDP that has an internal IP of 192.168.10.11 and an external IP of 4.2.2.4
  First, backup your current configuration via the CCA,
  Next, telent into the UC540, login, edit, cut and paste the following to 1:1 NAT the 2 additional public IP addresses;
  ip nat inside source static tcp 192.168.10.10 25 4.2.2.3 25 extendable
  ip nat inside source static tcp 192.168.10.10 80 4.2.2.3 80 extendable
  ip nat inside source static tcp 192.168.10.10 443 4.2.2.3 443 extendable
  ip nat inside source static tcp 192.168.10.10 987 4.2.2.3 987 extendable
  ip nat inside source static tcp 192.168.10.10 1723 4.2.2.3 1723 extendable
  ip nat inside source static tcp 192.168.10.10 3389 4.2.2.3 3389 extendable
  ip nat inside source static tcp 192.168.10.11 80 4.2.2.4 80 extendable
  ip nat inside source static tcp 192.168.10.11 443 4.2.2.4 443 extendable
  ip nat inside source static tcp 192.168.10.11 3389 4.2.2.4 3389 extendable
  Next, you will need to amend your UC540's default ACL.
  First, copy what you have existing as I have done below (in bold), and paste them into a notepad.
  Then, im told the best practice is to delete the entire existing list first, finally adding the new rules back, along with the addition of rules for your SBS an LOB server (mine in bold) as follows;
  int fas 0/0
  no ip access-group 104 in
  no access-list 104
  access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_24##
  access-list 104 remark SDM_ACL Category=1
  access-list 104 permit tcp any host 4.2.2.3 eq 25 log
  access-list 104 permit tcp any host 4.2.2.3 eq 80 log
  access-list 104 permit tcp any host 4.2.2.3 eq 443 log
  access-list 104 permit tcp any host 4.2.2.3 eq 987 log
  access-list 104 permit tcp any host 4.2.2.3 eq 1723 log
  access-list 104 permit tcp any host 4.2.2.3.35 eq 3389 log 
  access-list 104 permit tcp any host 4.2.2.4 eq 80 log
  access-list 104 permit tcp any host 4.2.2.4 eq 443 log
  access-list 104 permit tcp any host 4.2.2.4 eq 3389 log
  access-list 104 permit udp host 116.170.98.142 eq 5060 any
  access-list 104 permit udp host 116.170.98.143 any eq 5060
  access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
  access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
  access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
  access-list 104 permit udp host 116.170.98.142 eq domain any
  access-list 104 permit udp host 116.170.98.143 eq domain any
  access-list 104 permit icmp any host 4.2.2.2 echo-reply
  access-list 104 permit icmp any host 4.2.2.2 time-exceeded
  access-list 104 permit icmp any host 4.2.2.2 unreachable
  access-list 104 permit udp host 192.168.10.1 eq 5060 any
  access-list 104 permit udp host 192.168.10.1 any eq 5060
  access-list 104 permit udp any any range 16384 32767
  access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 104 deny   ip host 255.255.255.255 any
  access-list 104 deny   ip host 0.0.0.0 any
  access-list 104 deny   ip any any log
  int fas 0/0
  ip access-group 104 in
  Lastly, save to memory
  wr mem
  One final note - if you need to use the Microsoft Windows VPN client from a workstation behind the UC540 to connect to a VPN server outside your network, and you were getting Error 721 and/or Error 800...you will need to use the following commands to add to ACL 104;
  (config)#ip access-list extended 104
  (config-ext-nacl)#7 permit gre any any
  Im hoping there may be a better way to allowing VPN clients on the LAN with a much more specific and limited rule. I will update this post with that info when and if I discover one.
  Thanks to Vijay in Cisco Tac for the guidence.