We just bought a machine to serve as our in-house production server. For security reasons, we don't want this machine connected to the internet. However, we do have an intranet with a wiki and all the workstations in the office need to be able to get to pages on our intranet. I don't see how this could easily be done because if the server is connected to the router, it will automatically be on the internet (as far as I understand), and if the server is not connected to the router, I don't know how the other workstations would be able to see it.
For all I know, maybe the idea of letting all our workstations (which are connected to the internet) connect to the server defeats the purpose of having the server not be on the internet.
My question is: Is it just as bad to have our server connected to a machine that's connected to the internet as it would be to have the server connected to the internet itself? If not, is there an easy way to allow all our office's workstations to connect to the server?
This depends on WHY you don't want it connected to the internet. If you don't want the content on it browsable by people on the internet, then it's a simple case of configuring (or not configuring) your router so that it doesn't route requests to the new server.
If you are worried about it having internet access because you don't want people using it to download torrents, porn or any other unsavory internet content, then using the features of your router/firewall to bar it from the internet is the way to go. Of course this does depend on how sophisticated your router is.
If you are worried about it catching something nasty, then I don't think preventing it from having internet access is necessary. Make sure that no incoming traffic from the internet is routed to it, make sure its firewall is running and it is patched, and have a policy in place to say it should not be used for internet browsing. If people are likely to forget, then give it a static address and no default gateway (assuming your network is only one subnet). Then anyone breaking the policy would have to do so deliberately.
Of course you may have other reasons for preventing its internet access, if so then if you could tell us maybe we will have some better suggestions. A little more information about your router and the rest of your network might be useful as well.
You need to use appropriate firewall ACLs to protect your in-house server.
Set a static IP on this "server" and do not give it a default gateway. It will not be able to find a route to and from the Internet through your router and then only be accessible from the LAN.
Simply configure the server to only have LAN access. As Phoebus said, use ACLs on your firewall to stop access to it.
Your internal DNS will direct internal users to the intranet/wiki.
Quite simple.
I've read that several times and I'm still not sure I understand tbh, but based on how I'm interpreting it...
You have a new server that is going to (amongst other things) host your internal Intranet, but you don't want it to have internet access (i.e. the server can't get to the internet, and people on the internet can't get to it?).
If that's the case you should be able to configure your router so that your server's IP address doesn't have internet access. Obviously there are a lot of blanks that it would be useful to have filled in, but in general terms that's pretty simple to do.
At my job we have a few industrial saws with integrated PCs that our CAD techs can upload drawings to. We didn't want them to be able to access the internet, so we just didn't give them a gateway; they were still able to talk with all the PCs on our LAN. This will only be useful if the server is on the same LAN and doesn't need to talk to any devices across a WAN.
Assuming that your router is a typical consumer firewall/NAT appliance, you don't need to worry about your server being visible to the internet. It isn't.
By default, nothing on your internal LAN is reachable from the internet. The stateful firewall on your router will only allow internet traffic into your LAN when that traffic is part of a previously established connection (initiated, presumably, by an outgoing connection from a machine on your LAN). If you want your server to be visible to the internet at large, you need to deliberately configure your router to forward the appropriate port(s) to your server. Simply do not do that, and your server should be invisible to the internet.
For your users you can also modify \Windows\System32\drivers\etc\hosts to point "wiki" to your server's statically assigned internal IP. They can just go to http://wiki and they are there.
For your server you can also do this for patching purposes, or as stated above, just do the reverse and give it the default gateway address so it can get out and get patches, driver updates, etc., then take the default gateway off when you are done.
Also if security concerns are that great you might want to scan the server, turn off any unnecessary services and other chatty things that are going to be running in a default install.
And watch your internal users too :)
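An added example (not code from anyone in this thread) that turns the "static address, no default gateway" advice and the hosts-file trick into something checkable: it audits a Linux routing table for any route that leads beyond the LAN prefix, and emits the hosts entry users need. It assumes the output format of `ip route show`; the routing tables below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original answers: audit whether a host is
# LAN-only (no default gateway, no route outside the LAN prefix) and build
# the hosts-file line that lets workstations reach http://wiki.

# Constructed sample routing tables (format of `ip route show` on Linux).
ISOLATED_ROUTES='192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'
WORKSTATION_ROUTES='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'
LEAKY_ROUTES='192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
10.0.0.0/8 via 192.168.1.1 dev eth0'

# audit_routes ROUTES LAN_PREFIX
# Returns 0 when every route is the LAN prefix itself or a link-local entry;
# returns 1 and names the offending route(s) otherwise.
audit_routes() {
    routes="$1"; lan="$2"
    printf '%s\n' "$routes" | awk -v lan="$lan" '
        NF == 0 { next }                                   # skip blank lines
        $1 == "default" { print "default gateway present: " $0; bad = 1; next }
        $1 == lan { next }                                 # the LAN itself
        $1 ~ /^169\.254\./ { next }                        # link-local, harmless
        { print "route beyond LAN: " $0; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# hosts_entry NAME IP
# Prints the hosts-file line (Windows or /etc/hosts) mapping NAME to IP.
hosts_entry() {
    printf '%s\t%s\n' "$2" "$1"
}

# Walk the constructed samples; only the first should pass.
for sample in ISOLATED_ROUTES WORKSTATION_ROUTES LEAKY_ROUTES; do
    eval "routes=\$$sample"
    if audit_routes "$routes" 192.168.1.0/24 >/dev/null; then
        echo "$sample: LAN-only"
    else
        echo "$sample: NOT isolated"
    fi
done
hosts_entry wiki 192.168.1.10
```

To audit the real server, replace a sample with `$(ip route show)`; a host that passes still needs the router-side ACL from the other answers to stop inbound forwarding.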