Re: Adding Seperate Web Server for Extranet
From: Bill Peng [MSFT] (v-bpeng_at_online.microsoft.com)
Date: 01/08/05
Date: Sat, 8 Jan 2005 09:26:25 +0800
Hi Jim,
Great job!
Thank you for sharing your experience here.
Have a great weekend! :o)
--
Bill Peng
MCSE 2000, MCDBA
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jim Duncan" <CollutionsInc@community.nospam> wrote in message
news:egKk$lP9EHA.4004@tk2msftngp13.phx.gbl...
> Thanks Bill.
>
> What I keep ending up with is the following topology:
>
>                Internet
>                    |
>       ---DSL Router w/Firewall----
>       |                          |
>   SBSServer                 Web Server
>       |                          |
>       ---------LAN Hub-------------
>       |      |      |      |      |
>    Client Client Client Client Client
>
> With the appropriate security in place this should work.
>
> The web server would be set up with two virtual servers hosting the same
> content - one for the extranet and one for the intranet (a la
> http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stsc04.mspx).
> By requiring SSL for the extranet web site I can specify Basic
> Authentication for the Extranet virtual server and only open ports 80 and
> 443 on the external interface (and the DSL Firewall). Of course the
> Internet-facing NIC on both servers would ONLY have TCP/IP bound to them. I
> would also enable the built-in Windows firewall on the Web Edition for the
> Internet-facing NIC and follow the other guidelines in the IIS and Windows
> Server 2003 documentation for securing the web server.
>
> Licensing:
> For the SBS, we already have 20 User CALS and 5 Device CALS. The company
> currently only has 10 employees that use computers on a regular basis (10
> User CALS) and one extra machine used occasionally by field employees (on a
> shared account) when they come into the office (1 User CAL + 1 Device CAL).
> This leaves 9 User CALS and 4 Device CALS currently unused.
>
> Local accounts (with minimal rights) can be created on the web server for
> the extranet users. If I read the licensing info correctly, CALS would not
> be needed for the Extranet users since the web server is Web Edition.
>
> However, as WSS will be storing the data in a SQL instance on the SBS
> Server, this might change things. This is hard to pin down because the only
> 'user' that will (technically) be connecting to the SQL instance is the
> identity account of the Application Pool.
>
> While the higher-ups that are handing down the requirements might not care
> about the licensing and security issues, I most certainly do. If a further
> purchase of Licenses and/or Security Hardware is required to make this work
> I'll need to explain/prove it to them.
>
> Thanks again,
> Jim
>
> ""Bill Peng [MSFT]"" <v-bpeng@online.microsoft.com> wrote in message
> news:4zxPPC78EHA.3520@cpmsftngxa10.phx.gbl...
> > Hi Jim,
> >
> > Windows Server 2003 Web Edition does not support SQL Server 2000; and
> > Windows Small Business Server 2003 does not support Trusts.
> >
> > I assume that you're going to use SBS as the firewall. If so, you may use
> > the web publishing/server publishing on the SBS server to publish the
> > SharePoint server.
> >
> > So I recommend you to join the Web Edition server to the SBS 2003 domain.
> > (At this point, there's no username and password sync issues.) Then,
> > install SharePoint on the Web Edition server and install SQL Server
> > instance on the SBS domain controller. At last, you can use the SQL Server
> > instance on the SBS server to support SharePoint on the Web Edition
> > server.
> >
> > Last but not least, please also consider the CAL. If it's per device, every
> > connection from different Internet location to the SBS server will consume
> > a CAL. If it's per user CAL, different user accounts will consume
> > additional CAL.
> >
> > I'd like to provide you with the following info for your reference:
> >
> > How To Configure the Web Publishing Service to Work with Internet Security
> > and Acceleration Server in Windows Server 2003
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;323426
> >
> > Windows Server 2003 Client Access Licensing Overview
> > http://www.microsoft.com/windowsserver2003/howtobuy/licensing/caloverview.mspx
> >
> > I hope the above info helps.
> >
> > Have a nice day!
> >
> > Bill Peng
> > MCSE 2000, MCDBA
> > Microsoft Online Partner Support
> >
> > Get Secure! - www.microsoft.com/security
> > =====================================================
> > When responding to posts, please "Reply to Group" via your newsreader so
> > that others may learn and benefit from your issue.
> > =====================================================
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > --------------------
> >>From: "Jim Duncan" <CollutionsInc@community.nospam>
> >>References: <OLwVgFe8EHA.1400@TK2MSFTNGP11.phx.gbl> <OmUjlbf8EHA.3616@TK2MSFTNGP11.phx.gbl>
> >>Subject: Re: Adding Seperate Web Server for Extranet
> >>Date: Tue, 4 Jan 2005 12:39:20 -0800
> >>Lines: 73
> >>Organization: Collutions, Inc.
> >>X-Priority: 3
> >>X-MSMail-Priority: Normal
> >>X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
> >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
> >>Message-ID: <O#MW51p8EHA.3908@TK2MSFTNGP12.phx.gbl>
> >>Newsgroups: microsoft.public.windows.server.sbs
> >>NNTP-Posting-Host: fciserver.fcidesign.com 63.198.201.54
> >>Path:
> > cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12
> > phx.gbl
> >>Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.sbs:134246
> >>X-Tomcat-NG: microsoft.public.windows.server.sbs
> >>
> >>Thanks Cris.
> >>
> >>What if it is out in the DMZ but IS a member server (with appropriate
> >>firewalling)? Is that a REALLY bad idea?
> >>I think I could still add local accounts for non-employees and give them
> >>permissions in the SharePoint.
> >>
> >>-Jim
> >>
> >>"Cris Hanna [SBS-MVP]" <crisnospamhanna@computingnospampossibilities.net>
> >>wrote in message news:OmUjlbf8EHA.3616@TK2MSFTNGP11.phx.gbl...
> >>> Jim
> >>> I think you're going to find that what you want to do is not covered under
> >>> the EULA
> >>> Since the Web Edition is going to be in the DMZ which is the way I would go
> >>> it will not be a member of the domain, and so IMHO (and others are certainly
> >>> welcome to voice their interpretation). The SQL version on your SBS server
> >>> can only be used to host the backend for YOUR company's website. Since the
> >>> Webserver is not participating in the domain, this is a tricky one. And
> >>> the big limitation of SBS is it does not support trusts, period
> >>>
> >>> --
> >>> Cris Hanna [SBS - MVP]
> >>> ---------------------------------------
> >>> Please reply only to the newsgroup and not to me directly so that everyone
> >>> can benefit from the information
> >>> "Jim Duncan" <CollutionsInc@community.nospam> wrote in message
> >>> news:OLwVgFe8EHA.1400@TK2MSFTNGP11.phx.gbl...
> >>> > Hello,
> >>> >
> >>> > I'm going to be setting up an SBS 2003 (Premium) topology like the one
> >>> > shown at http://www.smallbizserver.net/Default.aspx?tabid=111 but I'll be
> >>> > adding an extra Windows Server 2003 Web Edition machine to host an
> >>> > Extranet (SharePoint based).
> >>> >
> >>> > What is the best way to set this up? I'd like to use local accounts (not
> >>> > create domain accounts) for non-employees to access the web server but I
> >>> > also don't want to have to create local accounts on the web server for my
> >>> > domain users (and try to keep the passwords synchronized). Does the web
> >>> > server even need to be a member server or can it be a stand-alone out in
> >>> > the DMZ? Would a stand-alone web server be able to 'trust' accounts from
> >>> > the domain?
> >>> >
> >>> > The Web Edition will not allow SQL to be installed on it so I plan on
> >>> > using the SQL on the SBS server for the SharePoint databases. I'm pretty
> >>> > sure the Application Pools on the web server will need to run as domain
> >>> > accounts so does this mean the web server needs to be a member server?
> >>> >
> >>> > Thanks,
> >>> > Jim