Need advice from the experts, SBS or not to SBS?

InlineFive

Diamond Member
Sep 20, 2003
9,599
2
0
Hey all,

On the side I work for a small retail organization with about 25 employees with six computers and three printers (all networked). They will probably be expanding to at least 10 computers and four printers in the future. I am very experienced with Windows XP troubleshooting, maintenance and know the OS very well. Now Domain networking is a whole new experience for me but I believe that with some reading and training I will be well up to the task.

Current network setup:

DSL Connection (768/128)
|
Sonicwall TZ-170
||
Six computers (WinXP Professional, Office 2003 Basic, all in workgroup configuration)
Three assorted network printers

Here are a few of my problems.

1. Computer maintenance is starting to be painful as are updates (sometimes neglected).
2. File security is becoming a large problem.
3. eMail security is also becoming a problem.
4. I need a way to branch out with L2TP access for offsite workers. (The Sonicwall VPN "solution" is teh suck, IMHO.)
5. Expandability of network is limited (because of administrative hassles).

With that in mind I have been looking around and SBS 2003 looks like it is promising. I can easily manage computers, users and printers, file security is a moot point now that the files are centralized and as a result email security is too. I am in school but I plan to set up a test network (with the wonders of VirtualPC) to further investigate its potential.

One of my largest questions is whether SBS Premium is worth the additional cost.

1. SQL Server might be useful but only if I can install McAfee Protection Pilot/ePolicy Orchestrator on the server. Although I have seen that 3rd party apps can be an issue on SBS.
2. ISA server looks interesting but I already have the Sonicwall (which besides VPN does a good job). Are there any useful benefits that are not apparent from MS's website?

And I am also wondering about CALs, it seems like the max I can get is 10 (orig 5 + add 5). I will license it per computer (because of above computer:user ratio) and I want the network to be expandable above 10 computers.

So I am asking the wise OS community if this seems like a logical move for me and the company. All views (however negative they may be) are welcome and greatly appreciated.

Thanks in advance!

I5
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
You already seem to have an understanding of some of the things that SBS 2003 offers. SBS is a great product for offices with 2 to 75 computers.

I highly recommend you consider SBS 2003 Premium Edition, for the following reasons:

1) I've seen SBS 2003 Premium Retail for less than $1000. That's only about $500 more than Standard Edition. If you later decide you made a mistake and want to upgrade, it'll cost you $900 for the Upgrade license.
2) Many new applications are requiring full SQL Server. That's included in Premium.
3) ISA 2004 is a fantastic product. It's a first-class firewall, and has the ability to control or block just about ANY application (due to its Application-level filtering ability, not found in most hardware firewalls). Additionally, it allows companies to monitor and control the use of the Internet by employees. This is VERY commonly requested, trivial to do with ISA, and difficult to do with many other firewalls.
4) ISA 2004 is also a great VPN Server. It can set up PPTP or L2TP VPNs in a few seconds. It can handle thousands of VPN clients simultaneously.
5) ISA can also easily do Site-to-Site VPNs if you wish (you'll need a Windows Server 2003 at the remote site).

I have no idea what McAfee Protection Pilot is. Sorry. I use Exchange-Server aware Antivirus and Anti-Spam applications to remove malware at the Server before the client PCs ever see it.

You can have up to 75 CALS on an SBS Server. Licensing is per User or per Device. YOU decide how you want to distribute the CALS. CALS are about $80 apiece. If you have one computer per User, but they will also be working from home (typical), then you'll be better off with User CALS. If you have only a few computers and lots of Users (multiple shift operations, for instance), then Device CALS are more economical. You can mix CALs if you want, but only in increments of 5.

Many people use multiple devices nowadays: PocketPCs, SmartPhones, Notebooks, etc., so User CALS are better for many offices.

I highly recommend using Harry Brelsford's first SBS 2003 book: SBS 2003 Best Practices as a guide while doing your first SBS installs. It's VERY important to do them by the book. Fixing an incorrectly-configured SBS Server is painful, and not for an SBS beginner.

When installing an SBS network, have definite User, Computer, and Email naming policies in mind. Install ALL Users, Computers, Servers, and printers using the SBS Wizards! If you go around the Wizards for adding Users and Computers and additional Servers, you'll regret it later.

And use dual NICs in the SBS computer. Use it as your office router, DHCP Server, and internal DNS Server.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Great information as always RebateMonger. I was wondering though, what antivirus and antispam apps do you use/recommend?
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
I don't see any reason that ePO would not run on SBS, though you may want to verify that with NAI before committing; I'm not familiar specifically with the Protection Pilot application.

What I do for SPAM/Virus apps (just because Stash brought it up) is:
Separate mail gateway cluster on the DMZ running Clearswift's MIMESweeper for SMTP and Norman AV

Internally Exchange 2003 with NAI's GroupShield

Clients with Outlook 2003 (Mostly) and McAfee VirusScan Enterprise managed by ePO

Obviously this wouldn't be cost effective in a small business; but figured somebody might find it interesting.

Regards,
Erik
 

InlineFive

Okay, two more questions:

1. I am confused about how Outlook (and Frontpage) works. Do you automatically receive Outlook bundled with the server for each user? Or is it limited on a CAL basis (in this case one "instance" per computer)?

And what happens when the .pst files grow to be rather large? Some of our users have .pst files in excess of 300MB and that would take forever to stream over the network. Unless it is possible to archive portions on the server on a need-to-access basis?

2. Would you recommend using the server (with ISA) in place of the Sonicwall? Or use the Sonicwall as the first line of defense (externally) with the ISA server second to fine tune things?

Thanks!
 

RebateMonger

1) You get a single FrontPage license with SBS Premium Edition. That's worth about $125.

You get an Outlook license for all licensed Users and Computers. When each computer joins the SBS Domain, Outlook 2003 is automatically installed and configured if it isn't already present. I'm really not sure how you're supposed to handle Outlook installation if a licensed computer is never joined to the SBS Domain. Most of my clients already use Office 2003 anyway.

You don't normally use .PST files with Exchange. Normally you set Outlook to use Cached Exchange Mode. It keeps a synchronized copy of your Exchange Mailbox on your client computer. The first time you log onto Exchange, the entire mailbox is downloaded. After that, only changes are uploaded/downloaded. It's pretty fast if you aren't dialing in from a modem. Some of my clients have 2+GB mailboxes. The total of all mailboxes is limited to 75GB.

Alternatively, you can also use Outlook Web Access. This is web-based email that has ALMOST all the features of full Outlook 2003, including contacts, calendars, and public folders.

2) You can use the SonicWall in front of ISA if you want. SBS will detect and automatically program Plug-and-Play devices. I don't know if SonicWalls are PnP or not. Whether you NEED a hardware firewall in front of ISA is a matter of debate. It certainly couldn't hurt, but every device you add makes your network a bit more complicated to configure and troubleshoot.
 

InlineFive

I see, thanks for the clarification on both accounts!

My trial copy of SBS2003 should arrive within the week (no download option :(). So I'm going to get the book you recommended, the most current backup and have at it.

You'll probably hear from me then. :D
 

imported_Phil

Diamond Member
Feb 10, 2001
9,837
0
0
In terms of updates, you might want to look at WSUS (Windows Server Update Service). It works by downloading all the updates for client operating systems and installed versions of Office that you select, and the clients go straight to the server for their updates rather than the Internet. This saves on bandwidth a lot, you can deny certain updates that you don't want installed, and above all else, it lets you see which computers need updates, and which are completely up-to-date. Excellent bit of software, and it's free from Microsoft.
One thing to note though; it does like RAM. For the configuration you specified, 1GB should be the minimum with 2GB being a better option.
 

smashp

Platinum Member
Aug 30, 2003
2,443
0
0
I agree with RebateMonger about everything except ISA server.

Stick to one NIC in the server and use a hardware firewall. If you don't like the Sonicwall (yes, their interface is a PIA), maybe check out M0n0wall. It's based on BSD and can run on embedded devices. You can get an embedded device for about $250 or use an old PC.

Also, in regard to maintenance, you'll want to read up on WSUS.

Also, my standard solution for a small business server includes:

Norton antivirus enterprise for server, client and email virus scanning. (Great because you can push the client out) and you are entitled to the newest version as long as you keep your licensing up to date every year.

GFI Mail Essentials for antispam on Exchange. Great because users can add items to the whitelist and the blacklist, Bayesian analysis, directory harvesting and now phishing attempts. Runs on the same server with no need for a separate spam box.

Backup: for straight file backup, the backup program with SBS2003 comes with an open file agent pretty much. You can use that unless you are interested in individual mailbox recovery or do not want to start and stop SQL before and after backups, then it's backupexec for SBS which gives you the Exchange and SQL agents and you can add remote agents to back up, say, a term server or a BlackBerry server. Also use the shadow copy features of SBS.

When you understand all the features of SBS and get a full solution for a client, it becomes an easy sell because it enables small companies to utilize large scale systems just like large corporations for a fraction of the cost.

Exchange 2003 with RPC access for Outlook is great.

The last new SBS deploy I did was for 30 clients. All the clients were XP, but they weren't all patched up to date and a few had virus protection.

Time to prep server for install was 5 hrs.

2 of us did the install. We put their server in place, exported all their mailboxes out of Exchange 2000, joined all the new PCs to the new domain using the connect client wizard in 5 hrs.

By the end of the night, all the clients had Outlook 2003, Windows SP2 and all updates, antivirus installed and all network drives and printers mapped.
 

InlineFive

Thanks for the info smashp.

We currently use McAfee ePO in conjunction with Virusscan Enterprise 8.0i and it works in a very similar way to what you are discussing.

As for IAS, I think I'll go SBS2003 Premium for having the benefit of the SQL server and the RADIUS functionality in IAS. Although I do agree that having the Sonicwall protect the network is a good idea. In my mind placing the network, well, everything box on the frontline doesn't sound too hot.

And your deploy sounds deceptively simple, but it also sounds like you aren't fresh meat. ;)
 

spyordie007

Originally posted by: smashp
GFI Mail Essentials for antispam on Exchange. Great because users can add items to the whitelist and the blacklist, Bayesian analysis, directory harvesting and now phishing attempts. Runs on the same server with no need for a separate spam box.

How well is Mail Essentials working for you smashp?

I had done some fairly extensive testing of it a few years back and ended up going with Clearswift's product. At the time I had some problems with the services locking up on me and wasn't overly impressed with the product. Clearswift's MIMESweeper for SMTP was more expensive, but I think it was worth the extra costs.

We specifically wanted it to be off of our Exchange servers so we run the mail gateways on separate boxes on our DMZ. Clearswift's product can be used either way ("MIMESweeper for SMTP" vs. "MIMESweeper for Exchange"); I *think* that Mail Essentials can be run on a dedicated SMTP gateway also.
 

smashp

Originally posted by: spyordie007
GFI Mail Essentials for antispam on Exchange. Great because users can add items to the whitelist and the blacklist, Bayesian analysis, directory harvesting and now phishing attempts. Runs on the same server with no need for a separate spam box.
How well is Mail Essentials working for you smashp?

I had done some fairly extensive testing of it a few years back and ended up going with Clearswift's product. At the time I had some problems with the services locking up on me and wasn't overly impressed with the product. Clearswift's MIMESweeper for SMTP was more expensive, but I think it was worth the extra costs.

We specifically wanted it to be off of our Exchange servers so we run the mail gateways on separate boxes on our DMZ. Clearswift's product can be used either way ("MIMESweeper for SMTP" vs. "MIMESweeper for Exchange"); I *think* that Mail Essentials can be run on a dedicated SMTP gateway also.

Version 11 and 12 are solid.

Yes, it can be run as a perimeter gateway also. We have only ever run into problems with GFI if you forget to exclude the GFI program folder from antivirus scanning and exclude it from backup jobs.

Usually when it used to bind up a service, it was because antivirus was scanning the log files or backup software was accessing the log files.

I personally think Mail Essentials is one of the best software spam solutions out there and its price is very competitive for smaller companies (which is the majority of who I work with).

It also integrates great with Exchange 2003 junkmail folder, and the Auto-whitelist is really good also.
 

spyordie007

Yeah I think it was something like version 9 when I was testing it...

Thanks for the info, it's good to hear that their product is working well in your deployments.
 

RebateMonger

I think that WSUS is probably overkill and an unnecessary complication on a network with 6 or 10 PCs. WSUS has had known problems with certain OEM PCs with SBS.

I recommend using dual NICs with SBS for the following reasons:
1) It allows enabling the SBS Server Firewall to protect the Internal network.
2) It allows ISA (if installed) to act as a firewall and to control and monitor client computer access.
3) It avoids common misconfiguration issues. It pretty-much guarantees that the SBS Server is the DHCP and DNS Server for the Internal clients.
4) It keeps internal users from going around the SBS Server when accessing the Internet.

If you check out the popular SBS consulting groups (like Yahoo's SBS2K or MSSmallBiz), you'll find that the majority of SBS specialists use dual NICs.

The only disadvantage of using dual NICs is that if the SBS Server goes down, internal users will lose Internet connectivity. But if the Server goes down hard, they'll also lose Email and access to shared Company documents, so that Server needs to be fixed immediately, anyway. Having a properly managed SBS Server with ECC memory and RAID 1 drives going down hard is pretty rare.
 

spyordie007

Originally posted by: RebateMonger
I think that WSUS is probably overkill and an unnecessary complication on a network with 6 or 10 PCs. WSUS has had known problems with certain OEM PCs with SBS.

I agree, on a network that size I would just use a GPO to configure the WU client on the computers and have it pull the updates directly from Microsoft. Besides, if you're running WSUS it requires that someone (i.e. you) has to get into it regularly to approve updates. WSUS doesn't do you much good if the updates are never approved.
 

rasczak

Lifer
Jan 29, 2005
10,437
22
81
Originally posted by: RebateMonger


You don't normally use .PST files with Exchange. Normally you set Outlook to use Cached Exchange Mode. It keeps a synchronized copy of your Exchange Mailbox on your client computer. The first time you log onto Exchange, the entire mailbox is downloaded. After that, only changes are uploaded/downloaded. It's pretty fast if you aren't dialing in from a modem. Some of my clients have 2+GB mailboxes. The total of all mailboxes is limited to 75GB.

This is dependent on whether or not your users are using roaming profiles or local. If your users are moving from station to station you might be better served setting up roaming profiles for them and have them create a pst in their home directory. If not then Rebate's way is a great way to go.
 

InlineFive

Originally posted by: jpbelauskas
Originally posted by: RebateMonger


You don't normally use .PST files with Exchange. Normally you set Outlook to use Cached Exchange Mode. It keeps a synchronized copy of your Exchange Mailbox on your client computer. The first time you log onto Exchange, the entire mailbox is downloaded. After that, only changes are uploaded/downloaded. It's pretty fast if you aren't dialing in from a modem. Some of my clients have 2+GB mailboxes. The total of all mailboxes is limited to 75GB.

This is dependent on whether or not your users are using roaming profiles or local. If your users are moving from station to station you might be better served setting up roaming profiles for them and have them create a pst in their home directory. If not then Rebate's way is a great way to go.

Is that a per user setting?
 

spyordie007

Originally posted by: jpbelauskas
This is dependent on whether or not your users are using roaming profiles or local. If your users are moving from station to station you might be better served setting up roaming profiles for them and have them create a pst in their home directory. If not then Rebate's way is a great way to go.

I disagree.

If you have users frequently roaming between machines you should not be using PSTs or cached mode. You should just have your Outlook clients connecting to the server and leaving the data there.

If you have a bunch of users with roaming profiles that don't change machines frequently (which we have a lot of) then I suggest Exchange Cached Mode (just like RebateMonger stated). The first time they log into a machine it would have to set up an offline cache, but from then on it's quick and generates minimal network traffic. The offline cache is stored in the local settings directory which is not moved with the profile so it would stay on that one machine.

If you stick the PST in their user profile then it would have to load the entire thing when you log in and then offload it every time you log off.

Originally posted by: InlineFive
Is that a per user setting?

Yes
 

RebateMonger

Originally posted by: jpbelauskas
If your users are moving from station to station you might be better served setting up roaming profiles for them and have them create a pst in their home directory.
Roaming profiles sometimes make sense, but be sure to evaluate all your options. Using .PST files across a network is unsupported by Microsoft, but people certainly do it. PST files are known to be prone to corruption and Microsoft says that their use across a network can cause corruption.

And, of course, using .PST files kills your ability to easily use OWA or Outlook's wonderful RPC over HTTPS mode.
 

InlineFive

A thought just occurred to me, our users constantly use the computer at different times, many take turns. So having to constantly log out and in and out and in and out and in might be a pain without more consoles.

So (until they move to their new location which is three times as large) would the money be better invested in an IPS?

Once again I find myself in a state of indecision and question.
 

benDalton

Member
Jan 8, 2004
111
0
0
I, personally, love SBS 2k3. I had a consulting company when it was first released and we had an installation the DAY OF RELEASE. It was crazy. We did run into some issues, there used to be an issue w/ the DHCP clients not correctly obtaining a DNS server address, but I believe that was fixed w/ a patch.

For all the reasons you are looking for, I definitely recommend SBS. The premium additions of SQL server and ISA make a helluva good deal when you think about it. We have had VERY few problems with third party software.

Great product, and I highly recommend it.

I second the recommendation of Harry Brelsford's book, in fact, if you were interested, I'd gladly sell you my copy at a discounted rate.

Good luck!