Best Setup for Small Office

[bradul]

What is the best setup for a small office with a dedicated server running Windows SBS2003 and 5 clients all wired, no wireless planned?
Options I have seen are: internet -> hardware firewall -> gigabit switch, internet -> router with built in switch with software firewall, or internet -> router ->gigabit switch with software firewall.
Does gigabit communication between the pcs and server provide a noticeable over 10/100 options?
Would like to keep the cost reasonable, office just bought new server and will be replacing two of the client pcs.

Thanks in advance to anyone who can help

 

[DrGreen2007]

For a small office, 5 users, I think the "internet -> hardware firewall -> gigabit switch" would be good.

You could use an old PC for the hardware firewall using Endian or IPCop (I like Endian)

 

[RebateMonger]

The way that most folks who specialize in Windows SBS 2003 would set up an office:

Internet===> Hardware Router or Hardware Firewall===> SBS 2003 in Dual-NIC mode with Windows Firewall turned on===> Switch====> Client PCs and Member Servers. The "Internal" SBS Server NIC should be the DHCP and DNS and WINS Server for the entire office, as well as the Default Gateway for the Client PCs and Member Servers.

All of my new SBS 2003 installs are "Premium Edition", with ISA 2004 enabled. If the client is going to use a VPN (I always use the ISA 2004 VPN setup), I'll sometimes leave the Hardware Router/Firewall out of the network because a lot of low-end Routers don't do GRE or L2TP passthrough properly.

For a 5-client office I'd choose a Gigabit switch, since they are now dirt cheap. But most clients will never be able to see the difference between the Gigabit and 100Mbps switch. You could put devices like printers and scanners on a separate 100Mbps switch if you need to save money.

 

[InlineFive]

Originally posted by: RebateMonger
The way that most folks who specialize in Windows SBS 2003 would set up an office:

Internet===> Hardware Router or Hardware Firewall===> SBS 2003 in Dual-NIC mode with Windows Firewall turned on===> Switch====> Client PCs and Member Servers. The "Internal" SBS Server NIC should be the DHCP and DNS and WINS Server for the entire office, as well as the Default Gateway for the Client PCs and Member Servers.

All of my new SBS 2003 installs are "Premium Edition", with ISA 2004 enabled. If the client is going to use a VPN (I always use the ISA 2004 VPN setup), I'll sometimes leave the Hardware Router/Firewall out of the network because a lot of low-end Routers don't do GRE or L2TP passthrough properly.

For a 5-client office I'd choose a Gigabit switch, since they are now dirt cheap. But most clients will never be able to see the difference between the Gigabit and 100Mbps switch. You could put devices like printers and scanners on a separate 100Mbps switch if you need to save money.

Why not always leave the additional hardware firewall out of the picture with ISA? Seems to me like it would create much additional complication when ISA can protect the entire network just fine.

 

[RebateMonger]

Originally posted by: InlineFive
Why not always leave the additional hardware firewall out of the picture with ISA? Seems to me like it would create much additional complication when ISA can protect the entire network just fine.

That's what I do for my own personal servers.

But, then, again, it's always difficult to argue against "defense in depth". Not that an ISA Server doesn't do the same thing (and more) than most hardware firewalls (especially the low-end ones usually used by small businesses).

There's always compromises in developing a security system, balancing cost and complication against "ultimate security". When used with ISA, I consider an external firewall as just one more thing to keep updated, one more password to remember, and one more item to troubleshoot in case of networking problems. But not everybody feels that way.