If that was your configuration (no public users, only VPNed
users or corporate users) would you still run the web server
on its own hardware?

"No public users" means there isn't even a public IP for the web server,
right? External users must VPN in. We're not talking about a
public-facing server that the public doesn't know about, right?
In that case I don't see the need to have a second web server. The
"users" have as much access as they do to your database server anyway
(ignoring stuff like interior firewalls and multi-network
configurations).

Also, a dose of reality needs to enter into the equation (like always).
If you're looking to add a second 400 as the "web server" and you're
going to spend 5 figures to do it, it's a very different setup and ROI
question than adding another 1U Dell pizza box to the rack. As always,
it's risk _management_ not risk _elimination_. If the company makes an
informed decision that the risk doesn't outweigh the cost, that's fine
w/me. I know and support many companies that don't have split tiers. The
question is, did they look at the risk and expense and make an informed
decision, or did they just throw it all on one box and not even consider
the exposure?

-Walden