Administering an ISP Installation

Advantages of This Topology

This topology works well for the following reasons:

• It does not overload the front-end network with traffic generated by applications or with network traffic coming from the administration servers. Therefore, the full front­end network bandwidth can be dedicated to the Internet connection.
• The back end, where the data is stored, is not directly exposed to the Internet. Instead, only the services in the production Web servers can gain access to the back-end network, thus interposing an isolation layer between the network where the actual data resides and the Internet.

  You might want to set up an isolation layer to protect the customers’ stored data. If the data is eventually exposed to the Web through the Web server, you need to protect it from unwanted alteration. The domain controllers are in the back end in order to keep them from direct exposure to the Internet.

  Note   In this solution, all of the dual-homed computers must have the IP routing option turned off. Otherwise you will lose this layer of isolation.

In the front-end network you must use only officially released Internet addresses, because the front end is the only network connected to the Internet. In the back end, you should use private IP addresses (like 10.x.x.x class A addresses or 172.16.x.x class B addresses that are properly subnetted) in order to save officially released IP addresses for the front end. All traffic between the back-end and the front-end networks passes through the applications in the production Web servers.

© 1997-1999 Microsoft Corporation. All rights reserved.