Re: Network topology questions from a new sbs user



Wow, I'm really happy with how active and helpful this forum looks to be so
far!
Glad to hear that the ISA won't slow things down. I'll have to look into
what that 'considerable commitment' involves. Is it more considerable than a
few hours' time? If so, then could I get similar results from a hardware VPN
firewall (e.g. the Linksys - RVS4000 - 4-Port 10/100/1000 Gigabit Security
Router with VPN)?
AFAIK, the action pack is for internal use - employees only, and then only
up to the # of licenses. I couldn't use it for an external web site. But it
is fine for our small office use, right?

"Merv Porter [SBS-MVP]" wrote:

No, ISA will not slow things down, but requires a considerable commitment
(IMO) to implement. Without RAID, you need to make sure that you always
maintain good, full daily backups in case of hard drive failure. Also, make
sure that at least one set of the backups is stored offsite (or at least as
far away from the server as possible) to prevent against losing them in case
of fire, theft, water damage, etc.

Also, I assume you know that the Action Pack Subscription is not for general
use:
(unless the customer is an accounting firm: MPAN
http://accounting.microsoft.com/accountants/mpanbenefits.asp)

----------------------------------
Microsoft Action Pack
END-USER LICENSE AGREEMENT FOR MICROSOFT SOFTWARE
http://209.85.165.104/search?q=cache:e78btJx05GMJ:https://msdb.ru/Downloads/Businessresources/Maps/MscomrusMapsLicenseAgreement.doc+microsoft+action+pack+eula&hl=en&ct=clnk&cd=1&gl=us

2. Restriction. You acknowledge that the Subscription is restricted to
resellers, consultants, VARs, value-added providers, system integrators,
developers, system builders, hosts, service providers or IT professionals
who sell Microsoft products or provide solutions based on Microsoft products
and technologies to third-party customers, and whose Subscription
applications have been submitted to Microsoft as specified in this Agreement
and accepted by Microsoft. By submitting your application and accepting the
Subscription you warrant that you meet the criteria to receive the
Subscription.

3(a) The Products are protected by applicable copyright laws and
international treaty provisions. You must treat the Products like any other
copyrighted material, and may not copy, use, or distribute Products except
as specifically authorized by Microsoft. You acknowledge that all Products
are Not for Retail Distribution (NFD) software and may not be resold,
transferred, assigned to any third party, or installed at a customer site.
Products may not be used for any purpose other than internal business use,
demonstration, testing, education, or evaluation of the Products. Product
Licenses will expire at the end of the term of this Agreement; and you must
then remove all copies of Products licensed under this Agreement, unless
valid licenses are either purchased for them, or, if applicable, obtained by
renewal of this Agreement.
----------------------------------

--
Merv Porter [SBS-MVP]
============================

"doucettea" <doucettea@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:36B5E353-CDA5-4C56-A799-802B7446BC0F@xxxxxxxxxxxxxxxx
Thank you, Merv and Joe, for your replies.
I will spend some time implementing your suggestions and the suggestions
from the links you provided.
I gather that I need to go with 2 NICs, keep the server on 24x7 and install
the ISA component.
Joe, you indicated that ISA involved a learning curve. Is this a steep one
with SBS (with such a small network environment)?
Also, the server is not all that fast. It is a single P4 2.6GHz machine with
non-RAID EIDE HDDs x7200 rpm. Would the internet be slowed down for the other
computers? Would ISA slow down the server or clients significantly?

Thanks again,
Ari


"Joe" wrote:

doucettea wrote:
Hi all,
I am new to Windows Server and to SBS, having recently acquired it in the MS
Action Pack for a small business.
I have a setup question regarding network topology...How should I set it up?

The business is a home office and has 4 computers + the server (the 5th
computer, repurposed). Server has 2 NICs. Connection to the internet is by
cable-modem, on IP dynamically assigned by Comcast.
I have a:
Cable modem / VOIP box
Router with NAT firewall, DHCP capability, 4 wired ports and a wireless
access point
Gigabit switch with 5 ports
One more WAP

What is the best way to lay out the network? I want the 4 internal computers
to be able to access the internet and the intranet. 3 are wired and 1 is a
laptop with wi-fi.
The router and switch are both Dlink and can do uPNP.

Forget uPnP. Really. There's nothing it can do for business users that
you wouldn't much rather do manually.


I don't want to have an external website (it is hosted by a third party) but

Absolutely correct. Running a public web site is, or most certainly
ought to be, a full-time job. That's 24 hours a day, not eight.

I do want to allow external employees to access the intranet. I set up a
dyndns.org account and will try to use that (maybe I'll post about that once
the server is set up?).
I don't know if this is possible, but I don't want the SBS to have to be
turned on for the other computers to access the internet. (But I understand
that it would need to be turned on to access anything that resides on it...)
VPN would also be nice? The router can be set to allow VPN pass-through.

Should I go with:
Cable modem <-> Router w/ firewall <-> SBS external NIC <-> SBS <-> SBS internal NIC <-> Switch <-> PCs with wired LAN and also WAP

If this is the case:
I assume SBS will do the DHCP? Will the SBS need to be turned on for the
other computers to access the internet? Also, will the SBS set-up wizards
take care of assigning the right IP addresses to the SBS and to all the
computers?

Yes, all that is true.


Is there a different topology that I should be going with instead? Do I need
to use both NICs (seems to be the majority opinion of the MVPs whose posts
I've read about this)?

If not leaving the SBS machine on is important, then two-NIC mode is
out. The alternative is to use a good firewall, and have the single SBS
NIC and all workstations connected by a switch, along with the WAP.

A critical point is whether you want to learn ISA. ISA is only active
when two NICs are used, when all Internet activity occurs through the
SBS, and when it must be powered. SBS Premium has ISA, Standard does
not, so not all of your customers will use it. If any do, then you need
to understand it, which means two NICs and SBS on.

There's no real problem with switching between the two modes. You will
meet some customers who will need to move from one NIC to two, and an
understanding of the issues will be useful. There's nothing like doing
it yourself regularly to give you the necessary knowledge.

DHCP and DNS: the SBS *must* provide DNS service to all its clients,
including those using VPN. DHCP is optional but easier. The SBS must
also be the WINS server, and if it is the DHCP server it will tell its
clients this. If you use a different DHCP server, you must configure it
to give the SBS IP address as both DNS and WINS servers. If SBS is the
DHCP server, this is automatic.

Firewalls are an entertaining subject. SBS standard in two-NIC mode,
and most common low-cost routers, do stateful packet inspection, which
is the core firewall function. ISA in SBS Premium adds a number of
useful features, and also a web proxy server, which prevents some types
of attack which a packet filter cannot see.

In a customer's production environment, a reputable packet-filtering
router will offer as much protection as SBS Standard in two-NIC mode,
while a more expensive firewall appliance or SBS Premium in two-NIC
mode will offer much more safety. Two different firewalls will give a
little more protection than one, so if there are no problems in doing
so, use SBS two-NIC in preference to one-NIC, even if you have another
firewall in place. Part of your job will be to weigh the pros and cons
of doing this.
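
Added example (not part of the thread or written by any poster): a check for the DHCP/DNS/WINS rule Joe describes, run over `ipconfig /all` output from a workstation to confirm the DHCP server in use hands out the SBS address for both services. The sample output and all addresses are constructed assumptions.

```python
import re

# Constructed `ipconfig /all` excerpt (IPv4 only); addresses are assumptions,
# with 192.168.16.2 standing in for the SBS and 192.168.16.1 for the router.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.16.21
   DHCP Server . . . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.1
                                       68.87.64.146

Ethernet adapter Wireless Network Connection:

   IP Address. . . . . . . . . . . . : 192.168.16.22
   DHCP Server . . . . . . . . . . . : 192.168.16.2
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   Primary WINS Server . . . . . . . : 192.168.16.2
"""

FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z .-]*?)[ .]*:\s*(.*)$")

def parse_adapters(text):
    """Return {adapter name: {field: [values]}}, folding continuation lines."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line opens a section
            current, last = adapters.setdefault(line.rstrip(": "), {}), None
            continue
        m = FIELD.match(line)
        if m and current is not None:
            last = m.group(1)
            current[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif last:                           # extra value for the previous field
            current[last].append(line.strip())
    return adapters

def misconfigured(text, sbs_ip):
    """List (adapter, service, values) where the SBS is not the sole server."""
    # Treating an extra resolver beside the SBS as a finding is this example's
    # stricter reading of the rule, not something stated in the thread.
    found = []
    for name, f in parse_adapters(text).items():
        for svc, key in (("DNS", "DNS Servers"), ("WINS", "Primary WINS Server")):
            if "IP Address" in f and f.get(key, []) != [sbs_ip]:
                found.append((name, svc, f.get(key, [])))
    return found
```

On the constructed sample, `misconfigured(SAMPLE, "192.168.16.2")` flags only the wired adapter, which took its lease from the router rather than the SBS.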



