Small business server setup suggestions

spyordie007

Diamond Member
PMed question from tfinch2:
I have a question, and perhaps you'd be able to help. I'm pretty new to the IT game (about a year), and I'm currently a junior studying CS and accounting minor.

I started to work for an accounting firm and on the IT side doing basic administration, and end-user support for the office and our clients. I was not there when the current simple network infrastructure was implemented, so I had no say-so in it. Basically it goes

Internet ->

Windows 2000 SBS (Domain Controller) w/2 GB NICS running: DHCP, Internal DNS, Exchange, ISA, Terminal Services ->

Gigabit Switch ->

~15 Nodes

(Basically all our eggs in one basket, External DNS and Webhosting is co-located).

So now management wants to go with the same company who did the W2KSBS install for new server(s) because I am starting school again in August (will still be working, just not full time). So the company proposed basically the same installation except a separate server for Terminal Services because of course you can't have TS in 2003 on a domain controller.

(Also, Software costs aren't a problem, we are an Action Pack Subscriber.)

Personally, I feel that this might be not such a smart setup because if the DC goes down, the whole network does as well. We have that problem now. The server might go down Friday night, nobody is there to reboot it until Monday morning, and all e-mail for instance is lost. Also, the network might grow to 30 nodes and TS is going to be used more and more. How much can SBS 2003 handle before it needs more help? With this many mailboxes, should Exchange be isolated? The consulting company doing the install doesn't think it's necessary to implement a VPN. Sure we are small/medium, but would this be an ideal infrastructure:

Internet ->

Router/Firewall/VPN appliance handling DHCP ->

Switch ->

Nodes + Domain controller running DNS and ISA + Exchange Server + Application/File/Terminal Services server.

Would this be overkill? Am I going crazy? Please help.

Also, what Router/Firewall/VPN appliance would you recommend to implement a setup like the one proposed.

Thanks

Travis
This looks like an excellent question to start a thread over, so I figured I would put it up; I'll post my own response shortly.
 
A lot of different questions, so I'm going to jump around.
So the company proposed basically the same installation except a separate server for Terminal Services because of course you can't have TS in 2003 on a domain controller.
I like to build redundancy into design wherever possible; however, for a company as small as yours (15-30 nodes) adding in extra servers is only adding in extra complexity. I think the consulting company is on the right track suggesting one SBS 2003 server to do Exchange and run as a DC and then a separate TS. Also, technically you could run TS on a DC, it's just a very bad idea (security- and stability-wise).
Personally, I feel that this might be not such a smart setup because if the DC goes down, the whole network does as well. We have that problem now. The server might go down Friday night, nobody is there to reboot it until Monday morning, and all e-mail for instance is lost.
What to do to help keep it up longer? A nice UPS would be a good start. Also keep in mind that email is a best-effort technology: if the server is down for a short period of time you'll get incoming email from the sending servers once yours comes back up.
How much can SBS 2003 handle before it needs more help?
The short answer is that SBS is designed for up to 75 users, after that you need 2003 Standard.
The consulting company doing the install doesn't think it's necessary to implement a VPN.
What are you looking to implement a VPN for? SBS is capable of doing this also, but I wouldn't implement it unless you have a reason to do so.
Also, what Router/Firewall/VPN appliance would you recommend to implement a setup like the one proposed.
ISA is a fantastic router/firewall.

Setup would basically be:
Internet>SBS Premium>LAN

A lot of your questions/ideas are good, but they don't make a lot of sense in a deployment this small (especially if there is no full-time IT staff). In operations this small it's best to keep things simple.

Good luck,
Erik
 
Originally posted by: spyordie007
What to do to help keep it up longer?

I have this UPS on it:

http://www.newegg.com/Product/Product.asp?Item=N82E16842101130

Originally posted by: spyordie007
What are you looking to implement a VPN for?

We are going to have at least 3 accountants doing field work and a partner who telecommutes. I've always been under the impression that the more layers of security, the better. How secure is TS by itself? This isn't going to be just spreadsheets and e-mail over TS. It's going to be sensitive and sometimes confidential data.
 
TS by itself is fairly secure; however, there are some known possible attack vectors (i.e. MITM attacks). Sounds like your deployment is a good candidate for VPN. Fortunately this is an out-of-the-box capability of SBS (I would do it via ISA).
 
SBS 2003 Servers, loaded onto decent hardware, with ECC memory and RAID 1 or RAID 5 drives, DON'T GO DOWN. Period. I manage quite a few of them at various clients, and the odds of having a PROPERLY MAINTAINED SBS Server go down are pretty low.....

If you need to run Terminal Server, you'll have to run it on a separate Server. SBS 2003 won't allow you to run in Terminal Server Application Mode. Only in Administrative Mode, which is NOT how you want to run application programs.

SBS's Remote Web Workplace, which allows you to work remotely on office PCs or on Servers, is somewhat more secure than standard Remote Desktop. It isn't vulnerable to Man-in-the-Middle attacks like standard Remote Desktop is.

Frankly, most security breaches are caused by:
Poor Passwords
Improperly maintained and unpatched servers
Unpatched Application programs
Internal Users clicking and running Trojans, Worms, and Spyware

Look at the latest attack on the Debian Linux development servers. They were running OLDER versions of Debian on their development servers, with KNOWN VULNERABILITIES, and the DEVELOPERS of Debian LINUX were using easy-to-break passwords.....

VPNs have valid uses, but remember that they INCREASE the vulnerability of your network to attack. If an offsite User gets malware, when he/she VPNs in, they are now placing that contaminated PC DIRECTLY on your internal network.

ISA Server 2004 has some tools to help minimize the VPN risk, but they are a bit of work to implement. You can also subnet your internal network to keep VPN users off your main network if you wish, but they wouldn't be VPNing in if they didn't need access to SOMETHING on your internal network.
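The post above suggests putting VPN clients on their own subnet so a compromised remote PC does not land "directly on the internal network". The following is an added example (not code from this thread, from ISA Server or from any vendor) of what that looks like as a least-privilege policy: a distinct address pool for VPN clients, narrow permits to the terminal server and the mail server only, and default deny for everything else. All addresses, host roles and port choices are constructed assumptions for illustration.

```python
"""Least-privilege policy for a separate VPN client subnet.

Added example; not code from the thread, from ISA Server or from any
vendor. All addresses, host roles and port choices are constructed
assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): the office LAN and a distinct
# pool the VPN gateway hands to remote clients, so VPN traffic can be
# told apart from office traffic and filtered on its way in.
OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_POOL = ipaddress.ip_network("192.168.99.0/24")
TERMINAL_SERVER = ipaddress.ip_network("192.168.1.20/32")  # RDP target
SBS_SERVER = ipaddress.ip_network("192.168.1.10/32")       # Exchange / RWW over HTTPS


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tcp_ports: frozenset  # destination ports; empty set means any port
    allow: bool


# First match wins, so the narrow permits come before the broad deny.
# Remote users reach the terminal server and the mail server only;
# file shares (445), RPC (135) and every other office PC stay out of reach.
VPN_RULES = [
    Rule(VPN_POOL, TERMINAL_SERVER, frozenset({3389}), True),
    Rule(VPN_POOL, SBS_SERVER, frozenset({443}), True),
    Rule(VPN_POOL, OFFICE_LAN, frozenset(), False),
]


def address_plan_is_sane():
    """The scheme only works if the two ranges cannot be confused."""
    return not OFFICE_LAN.overlaps(VPN_POOL) and all(
        r.dst.subnet_of(OFFICE_LAN) for r in VPN_RULES
    )


def evaluate(src, dst, port, rules=VPN_RULES):
    """Return True if a VPN client at src may open TCP `port` on dst.

    Anything not explicitly permitted is denied (default deny), which is
    what keeps an infected remote PC off the rest of the internal network.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst and (not rule.tcp_ports or port in rule.tcp_ports):
            return rule.allow
    return False


def audit(rules=VPN_RULES):
    """Flag permits that are wider than a single host or open every port."""
    findings = []
    for rule in rules:
        if rule.allow and rule.dst.num_addresses > 1:
            findings.append(f"permit to whole network {rule.dst}")
        if rule.allow and not rule.tcp_ports:
            findings.append(f"permit on all ports to {rule.dst}")
    return findings


if __name__ == "__main__":
    # Constructed connection attempts from a VPN client at 192.168.99.7
    attempts = [
        ("192.168.99.7", "192.168.1.20", 3389),  # RDP to the terminal server
        ("192.168.99.7", "192.168.1.10", 443),   # Outlook Web Access / RWW
        ("192.168.99.7", "192.168.1.10", 445),   # SMB to the SBS box
        ("192.168.99.7", "192.168.1.57", 445),   # SMB to an office PC
    ]
    for a in attempts:
        print(a, "ALLOW" if evaluate(*a) else "DENY")
    print("address plan ok:", address_plan_is_sane())
    print("audit findings:", audit())
```

The point of `audit()` is the caveat in the post: a single "VPN pool may reach the whole LAN" permit would defeat the separate subnet entirely, so any permit wider than one host or open on all ports is reported. The same rule set can be expressed in whatever the gateway understands (ISA access rules, router ACLs); the evaluator just makes the intended policy testable before it is typed in.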
 