
Network/Firewall suggestions. Win 2k SBS. WIN XP PRO

Jwyatt

Hi and TIA for any help.
I have a client with an existing network: 8 office WIN XP PRO PCs and one 2k SBS server. The office has not had internet until recently. I set up a separate laptop for one user, but they now want access to all comps, not for browsing, but for remote management, and possible remote access.
I need all systems (except the laptop already set up for full access) to be able to access only one domain on the net for now (may change later). I think I'll use Windows Firewall to block all except the one I need. Should I block all ports as well, or does Windows Firewall do that already?

Now for the server. Which firewall should I look at? Should I consider setting up a proxy server on the server to use with the other PCs, or use a regular firewall on the server?

With only one web site allowed, should I worry about antivirus, or other threats? The web site allowed will be the remote management company. Except the one stray laptop (the owners), all will be locked down to that site.

Any help is much appreciated.


 
You already own the tools you need. SBS 2000 includes ISA 2000, a full-featured corporate firewall, and Remote Web Workplace, for remote access to your PCs and to your network. You need to configure it for a 2-NIC network and make SBS your DNS and DHCP Server, as well as the Default Gateway for all your client PCs.

The best move is probably to upgrade to SBS 2003, Premium Edition and install ISA 2004. The upgrade cost for your office, since you already have SBS 2000 which included ISA, isn't that bad. ISA 2004 is easier to configure and work with than ISA 2000, and SBS 2003 is MUCH more reliable than SBS 2000.

Once you have ISA Server configured, you can basically block or allow whatever web sites you want, on a User-by-User or Computer-by-Computer basis.

And, yes, you should configure a server-based, Exchange aware AntiVirus solution, that scans incoming email, the Server itself, and monitors all the client PCs.
 
Originally posted by: RebateMonger
And, yes, you should configure a server-based, Exchange aware AntiVirus solution, that scans incoming email, the Server itself, and monitors all the client PCs.

Are you saying that I could run something like McAfee ePolicy Orchestrator on SBS2k3? Or a timeclock program that uses SQL? I thought you should never install stuff like that on DCs.
 
Originally posted by: InlineFive
Are you saying that I could run something like McAfee ePolicy Orchestrator on SBS2k3? Or a timeclock program that uses SQL? I thought you should never install stuff like that on DCs.
Well, folks install SQL-using applications on SBS all the time. Usually, the application is run once to set up the central SQL or MSDE database and then seldom run again. Both SQL and MSDE (or the new SQL 2005 equivalent) are certainly frequently used on SBS servers.

I don't know the details of ePolicy Orchestrator, so I can't comment. Whether to install a particular application on SBS should be considered on a case-by-case basis.
 
Originally posted by: RebateMonger
Originally posted by: InlineFive
Are you saying that I could run something like McAfee ePolicy Orchestrator on SBS2k3? Or a timeclock program that uses SQL? I thought you should never install stuff like that on DCs.
Well, folks install SQL-using applications on SBS all the time. Usually, the application is run once to set up the central SQL or MSDE database and then seldom run again. Both SQL and MSDE (or the new SQL 2005 equivalent) are certainly frequently used on SBS servers.

I don't know the details of ePolicy Orchestrator, so I can't comment. Whether to install a particular application on SBS should be considered on a case-by-case basis.

In my case the Timeclock program and ePolicy Orchestrator (a centralized AV management server and console) are used very frequently throughout the day. It's not a one-time shot by any means.
 
Originally posted by: RebateMonger
You already own the tools you need. SBS 2000 includes ISA 2000, a full-featured corporate firewall, and Remote Web Workplace, for remote access to your PCs and to your network. You need to configure it for a 2-NIC network and make SBS your DNS and DHCP Server, as well as the Default Gateway for all your client PCs.

I'm already using the server as the DHCP server. I get what you're saying here, but how hard will it be to configure the ISA 2000? I don't think they're ready to upgrade the server yet.

The best move is probably to upgrade to SBS 2003, Premium Edition and install ISA 2004. The upgrade cost for your office, since you already have SBS 2000 which included ISA, isn't that bad. ISA 2004 is easier to configure and work with than ISA 2000, and SBS 2003 is MUCH more reliable than SBS 2000.

Once you have ISA Server configured, you can basically block or allow whatever web sites you want, on a User-by-User or Computer-by-Computer basis.

And, yes, you should configure a server-based, Exchange aware AntiVirus solution, that scans incoming email, the Server itself, and monitors all the client PCs.

I'm using Avast on desktops for different clients. How is their server edition? I priced it and to run 10 desktops and the server is roughly 1 grand for 3 years. This is an Optomitrist(sp?) office, so they may classify as a medical institution which will give an additional 30% off. Sounds reasonable to me.

I'm concerned about the quality of the product. The PCs there have had little to no problems since I upgraded them to XP a little over a year ago.


 
Server editions of the various AV programs cost about $25 per client PC per year. The same as buying desktop AV licenses. One license goes to the Server to protect it and to pre-scan incoming Exchange email so that no virus-laden email ever gets to the client PCs. It makes it much easier to maintain licenses and to ensure that all PCs are properly protected. You'll get a warning email if any clients see a virus.

I haven't used ISA 2000 on SBS 2000. On SBS 2003, the ISA 2004 configuration is automatic when you run the "Connect to the Internet" Wizard. Blocking or allowing certain web sites isn't horribly difficult. Monitoring the web traffic of each User or Computer is a bit tougher and requires some study unless you get somebody who's an expert.

ISA, in its basic SBS-installed form, is pretty simple. But ISA is a VERY complex product with tons of capabilities. It can do things far beyond a typical business-class hardware firewall. That kind of complexity can require significant knowledge to make it do some of the more advanced duties.
 