Need help planning out my business network.


I'm planning on setting up a small server system at home for holding our business data.
Ours is a small service-oriented company, and we will have several field personnel out in the field in the near future, and they will need to connect to our server via their laptops in order to view information, update information etc.
So my primary requirement is to set up a database server that houses the actual company data, and a web server that holds the front-end application that the field personnel then connect to over VPN through their laptops.

I have virtually no knowledge of networking or server administration, since I am primarily a database programmer and application developer.

I plan to use Windows Server 2008 R2 for the servers, SQL Server 2008 Express for the database, IIS7 (that comes with Windows 2008 R2) for the web server, and PHP (whichever is the latest version).
I have already purchased some hardware for two physical servers.

Now after speaking to some database administration guys over at MSDN over issues of database security, they told me I'd be better off splitting the functions of database server, web server (for our website), web server (for our VPN), and the domain controller over different servers - if possible physical machines, or if not, at least through Hyper-V virtualization.
They also told me that the database server has to be completely inaccessible from the net, and the only machine permitted to connect to it should be the web server, and that too in a very limited capacity.

Like I mentioned, I have purchased hardware for only two physical servers (no more money left). For now, my server/network architecture looks like this - I will buy a router shortly to connect to the internet (most likely from the cable company, not MTNL ADSL). The router also acts as a switch and allows me to set up a small LAN. Then I connect both the physical servers to the router in a star topology.
For now, one machine will exclusively be the database server. The other machine will have to do all other jobs of the two web servers, domain controller, etc. I have yet to decide whether I will put all these functions on the same instance of Windows 2008, or whether I will use virtualization to separate these functions on different instances (which is where I need the help of experts here in deciding).
But then this means my database server IS connected to the internet if it is connected to the router. To avoid this, the only other topology I can think of is to put two network cards on the second physical server, and connect the database server to one network card, and then connect to the router from the second network card.
Even if I were to use an actual switch in between my servers and the router, my database server still gets exposed to the internet.
So I would appreciate some help in determining the best topology for my network, so that my database server is not exposed to the internet.
Also bear in mind that as future expansion, I plan to put in a hardware firewall right behind the router (which will mean I WILL have to spend some money and get an actual switch, because after I put the firewall, I will no longer be able to use the router as switch).

Next, I need some help in configuring my servers themselves.
I asked this question to the database guys, but they didn't know the answer. Is it wise (from a security standpoint) to put a domain controller on the same machine that has a web server? Because Microsoft discourages putting a domain controller on the same machine as a database server, that much we know for sure.

Lastly, my questions won't end here, and I need professional help in tightening security on my boxes. Is there any person out there experienced in network and Windows Server administration, and who does admin work on a freelance basis that I could consult? I'd be happy to pay for their services. I'm based in the suburbs of Mumbai.
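Whatever the final physical topology turns out to be, the requirement stated above (the database server reachable only from the web server, and only on the SQL port) can also be enforced on the database box itself with the host firewall, so that a mistake in the router or switch configuration does not silently expose it. The script below is an added example for the Windows Server 2008 R2 / SQL Server 2008 Express setup described in the post; it is not code from the original post or from any of the people mentioned in it. The addresses 192.168.10.10 (database server) and 192.168.10.20 (web server) are assumed placeholder values, and it assumes SQL Server Express has first been given the static TCP port 1433 in SQL Server Configuration Manager (Express installs as a named instance with dynamic ports and TCP disabled by default). It uses `netsh advfirewall`, which is what ships on 2008 R2; the `New-NetFirewallRule` cmdlets only exist on Server 2012 and later.

```powershell
# Added example: host firewall policy for the database server (Windows Server 2008 R2).
# Run from an elevated PowerShell prompt on the database server.
# Assumed values (not from the post):
#   - database server LAN address: 192.168.10.10
#   - web/VPN server LAN address:   192.168.10.20
#   - SQL Server Express listening on static TCP port 1433 (set in SQL Server Configuration Manager)
$WebServerIp = '192.168.10.20'   # assumed address of the only host allowed to reach SQL Server
$SqlPort     = 1433              # assumed static port configured for the SQLEXPRESS instance

# 1. Default-deny inbound on all three profiles (domain, private, public).
#    Outbound stays open so Windows Update and DNS keep working.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. The single inbound allow rule: SQL traffic, and only from the web server's address.
#    Every other source, including the router/internet side, is dropped by the default policy.
netsh advfirewall firewall add rule name="SQL Server from web server only" dir=in action=allow protocol=TCP localport=$SqlPort remoteip=$WebServerIp

# 3. Explicitly block the SQL Browser service (UDP 1434) so the instance cannot be
#    enumerated; block rules win over allow rules in Windows Firewall, so this also
#    protects against a later allow rule being added by accident.
netsh advfirewall firewall add rule name="Block SQL Browser" dir=in action=block protocol=UDP localport=1434

# 4. Log dropped connections so any unexpected attempt to reach the database is visible
#    in the firewall log rather than failing silently.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# 5. Verification: show the active policy and the rule just added.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="SQL Server from web server only"
```

To check the result from the web server, a connection to port 1433 on the database server should succeed, while the same connection attempted from any other machine on the LAN should time out and appear as a DROP line in pfirewall.log. Remote Desktop and other management ports are deliberately not opened here; if they are needed, add a further allow rule scoped with `remoteip=` to a single administrative address rather than reopening the default policy.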