Small Business setup questions from a non-IT person

XedDT

Member
Jul 16, 2004
Hi all; first off thanks for taking the time to read this and help me out. I'll try to keep this short. I am a computer coder but in a few months I will most likely be in the position of setting up a new small business. I will be in charge of all IT decisions including purchasing. This will be for a brand new business so we're starting totally from scratch here.

Requirements for 10 employees with VPN access in case they're working from home:

1) Website: no big deal. I'll make it and host it off site. It will be an online brochure so no functionality. This is not even an issue.

2) Email: I don't want to bother setting up an email server or all the problems that go with it. I would like to just find a company that can provide reliable email service and guarantee that no email will be lost (provided that the email made it to them). So are there companies where I can just buy X number of email accounts with Y amount of total hard drive space? I just don't want to hear "oh sorry our servers were down; you didn't get your mail" from an email company. Reliability is the most important thing here.

3) File Servers: 1 (maybe 2) file servers. The file server will be a dedicated machine. It's not going to do double/triple server duty. I'm thinking of getting a Dell box with 3 drives (Drive 1 OS, Drive 2 and Drive 3 are just data and run as RAID 1). I was also just going to grab an external drive and do manual backups of the data every so often and keep the external drive off site. I'm thinking something simple like Ubuntu server with Samba.
EDIT: I'm wanting to stay away from Microsoft SBS because of my concerns about security. I just need a nuts-and-bolts file server. No "fluff" required or wanted. Granted I have zero experience here but I'm gun-shy about the idea of running a Microsoft-based server.

4) User systems: Dell laptops with XP-Pro and locked down user accounts. All users will get a personal directory on the file server to keep their data. Nothing worth "keeping" will ever stay on a laptop.

5) Network:

5a) 16 port gigabit switch for hooking all the users up.

5b) We need a VPN setup so that the users can get into the file server(s) from home. Users need to be able to launch a VPN client and then have access to mapped drives just like at work (so no browser based VPN solution). What are my best VPN options? Run a VPN server on a file server (OpenVPN?) or is there a better way?

5c) We'll need internet access but I'm worried about security. There's no need for wireless so I'm safe there. What's the best way to approach this for a non-IT person? I think I might be over my head if I tried to set up an OpenBSD firewall. All we'll need is VPN access and basic internet access. Any ideas?

Thanks again for all the help.

 

RebateMonger

Elite Member
Dec 24, 2005
You are making life much harder than it needs to be. Every time you add additional servers, you are making your network more complex, harder to maintain, and less reliable.

Just install a single SBS 2003, Premium Edition, server. Set it up in dual-NIC mode as your network's DHCP, DNS, WINS servers, and as the network's Default Gateway.

Use the built-in ISA 2004 Firewall to protect your network and to provide VPN service (although most small businesses use the Remote Web Workplace rather than a VPN). Use Exchange as your email system, and use the SBS Server as your file server. Exchange works great, is extremely reliable, and allows multiple ways to get full access to mail, calendars, contacts, notes, and tasks. Whether you want it or not, you'll have Exchange running on your SBS Server, so you might as well use it. The only "optional" items in an SBS 2003 install are the add-on ISA and SQL Servers.

Most of my new clients are using the built-in SBS Backup utility with removable SATA drives (320GB or 400GB) and do daily backups of their entire system, swapping the drives out and keeping one or more drives offsite. That, combined with the automatic Volume Shadow Copies of Shared Folders (which keeps previous versions of all documents) and the automatic deleted email retention of Exchange 2003, makes it near-impossible to lose data.

Keep the Server updated with the latest Microsoft Updates and monitor and react to the daily performance reports, and you should find SBS 2003 extremely reliable and easy to maintain and use.
 

XedDT


Thanks RM. I am tempted by the idea of running MS-SBS but to be perfectly honest I have this fear of walking into work one Monday morning only to find out that our server and data are toast because of the latest greatest MS exploit.

I know that no OS is perfect but I want to stay away from MS-SBS simply because it is such a tempting target for blackhats. That's why I was thinking of a *nix based file server solution.
 

RebateMonger

Well, what blackhats are looking for is misconfigured and/or unpatched servers. Those exist in both the Windows and Unix world. SBS 2003 and most 'nix servers now come secure upon install. It's what people do to them AFTER installation that makes them insecure.

As far as SBS 2003 Premium Edition, check out ISA 2004's security record. There have been ZERO known vulnerabilities for ISA 2004.
 

netsysadmin

Senior member
Feb 17, 2002
I agree with RebateMonger! Sounds like a job for SBS 2003. As far as security goes, most places that have had security issues had them because someone left a port open, never bothered to patch a box, or left an admin password weak or blank. You could even throw WSUS onto the SBS server and manage all your server and desktop updates with ease.

John
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Set up a non-standard system, and you would not be able to take a vacation.

With SBS you have a form of standard.
 

RebateMonger

Originally posted by: netsysadmin
...As far as security goes, most places that have had security issues had them because someone left a port open, never bothered to patch a box, or left an admin password weak or blank.

The only SBS Server I've run into with a successful "attack" was one where an unknowledgeable person set up an "internal" FTP site (for a scanner), but allowed the anonymous FTP site to be accessed from the Internet. And then he set the Linksys router to forward Internet FTP requests to the SBS Server! Soon, he had 30GB of unwanted garbage on his hard drive's FTP directory.

All of the major Windows Server exploits over the past few years have been against unpatched Windows Server 2000 and SQL 2000 boxes.

My current practice with SBS is to set the User passwords at 14 characters, minimum, to avoid easy-to-guess passwords. I avoid VPNs unless there's an absolute need for one, since it can expose the entire office to worm attack from contaminated remote PCs. Most clients find SBS's Remote Web Workplace to be more useful to them. If you allow VPN connections, be sure to keep firewalls up on all the office PCs.

Originally posted by: netsysadmin
You could even throw WSUS onto the SBS server and manage all your server and desktop updates with ease.

Actually, R2 of SBS 2003 comes with integrated WSUS. It's pretty nice.

Originally posted by: JackMDS
Set up a non-standard system, and you would not be able to take a vacation.
With SBS you have a form of standard.

Yup. I typically spend about two hours a month managing each SBS Server at offices with 5-10 users. This time is mostly for security and log scans and fixing the occasional minor problem. Almost all my monthly billings at ongoing clients are for XP client PCs, NOT for the Server.
 

XedDT


Does "remote workplace" work like a VPN? The users will take their laptops home with them so it won't be like they're logging into their work computer since the laptops are their work computers. They need to be able to log in such that their "home" experience is no different than their "at work" experience (mapped drives, email, etc).

Is that how "remote workplace" functions or is it a different concept?

thanks again
 

RebateMonger

If they are taking their office PCs (laptops) home, then they'll likely need to VPN in. VPNs can be done with reasonable safety when done from "managed" PCs, where you are reasonably sure they can't become infected by worms, viruses, and trojans.

RWW is a Remote Desktop service that is, typically, used to work on one's Office PC from one's Home PC. For many applications, it works better across the Internet, since you don't need as fast a connection as you need for a functional VPN. VPNs can really suck for large database applications, which run smoothly in Remote Desktop/RWW.

Another alternative that works well for apps that don't work well under VPN is having a separate Terminal Server (using Windows Terminal Services or Citrix). This gives you the ability to work from anywhere on a controlled office desktop, with no need for high-speed connections and with good security.
 

kevnich2

Platinum Member
Apr 10, 2004
If you're willing to go with SBS 2003 and perform daily/weekly/monthly backups and keep a weekly backup offsite, keep your server updated with security patches, antivirus, etc., SBS 2003 will be perfect for this. For your situation, ONE server is all you need. You don't want more servers than you need. I have 55 users at my company and we have one SBS 2003 server that handles our email, file sharing, print sharing, etc. This server runs at about 5% CPU usage consistently. You'll want a decent server (I'd recommend a Dell PowerEdge with dual Xeons and probably 2-4GB memory to make sure it's good for several years to come). But really, that's all you need. As others have stated, the more servers you add unnecessarily, the more complex things get unnecessarily. It's easier keeping one server up to date rather than 2, 3, or 4 when you only NEED one. If you're not server minded, hire an SBS consultant who can set up the server and show you the key points and how to properly manage the day-to-day things with it.
 

spikespiegal

Golden Member
Oct 10, 2005

Here's the posterchild 'Anti Windows Oxymoron' in progress:

User systems: Dell laptops with XP-Pro and locked down user accounts. All users will get a personal directory on the file server to keep their data. Nothing worth "keeping" will ever stay on a laptop.

...and then:

I know that no OS is perfect but I want to stay away from MS-SBS simply because it is such a tempting target for blackhats. That's why I was thinking of a *nix based file server solution.

So, you're going to run Windows OS's on the client systems, but can't justify SBS because it's a hacker-fest. Uh, sorry, but that does not compute. Gee, why aren't you running Linux on the client systems then?

SBS is pretty idiot proof and a solid platform. While I'd prefer focused role servers over SBS, I have to admit I see the darned platform all over the place, and unless the admin is a complete and utter doof, it runs great. Keep it patched, and don't surf from the admin account like you would a beater PC at home, and all is well.

For e-mail accounts, this may seem counter logical, but find a local but reputable hosting company to handle your e-mail and avoid the big guns like Yahoo, MSN, etc. The reason being the smaller company is going to be more flexible and less likely to lose mail due to global RBL lists, virus scanning, etc.
 

pcthuglife

Member
May 3, 2005
Aww heck, I'll go ahead and say it just to be difficult... Go with Linux and set up Samba and OpenVPN. Buy an affordable router/firewall/NAT to secure your network. Research a web host that has a high consumer rating. I know several people who use powweb: www.powweb.com and the only problem they've ever experienced is an occasional slowdown, but never a complete outage. I think that covers all of your requirements.
 

XedDT

Originally posted by: spikespiegal

Here's the posterchild 'Anti Windows Oxymoron' in progress:

...and then:

So, you're going to run Windows OS's on the client systems, but can't justify SBS because it's a hacker-fest. Uh, sorry, but that does not compute. Gee, why aren't you running Linux on the client systems then?

Actually the answer is pretty simple; the users must run Windows applications and there is no getting around that. I'll lock the laptops down as much as possible and keep them patched which should hopefully keep them exploit free.

My goal here is to set up a good base working environment that I don't have to spend all day maintaining. I want to set it up, have it run well, and then get back to doing my real job. I don't mind keeping everything patched and up to date but I also don't want to spend 40hrs a week coding and then another 30+ hours a week fighting with the network.

I think you all may have turned me around on this. I'm going to grab the trial version of MS-SBS and kick the tires a bit and see how it goes.

Thanks everyone for your opinions. :)
 

RebateMonger

Originally posted by: XedDT
I think you all may have turned me around on this. I'm going to grab the trial version of MS-SBS and kick the tires a bit and see how it goes.

Thanks everyone for your opinions. :)

Good luck whatever you choose.

I usually don't recommend the SBS trial version. The problem is that it's a LOT of work to set it up, and if you don't do it properly, which you likely WON'T do the first time you do the install, you'll never really get to see how a properly configured SBS works.

Consider having a local MS-certified Small Business Specialist demonstrate the software to you. Most will have SBS running on their laptop in Virtual PC, or will log you onto a working SBS Server. You can see exactly how the Server works, how it looks to the User, and you can get acquainted with a local expert. You can then decide if you want to proceed and if you want to configure it yourself or get someone to guide you through choosing appropriate hardware and the server/client configuration.

If you want, you can find MS-certified consultants on the Microsoft SmallBusiness site.
 

InlineFive

Diamond Member
Sep 20, 2003
Originally posted by: RebateMonger
Originally posted by: XedDT
I think you all may have turned me around on this. I'm going to grab the trial version of MS-SBS and kick the tires a bit and see how it goes.

Thanks everyone for your opinions. :)
Good luck whatever you choose.

I usually don't recommend the SBS trial version. The problem is that it's a LOT of work to set it up, and if you don't do it properly, which you likely WON'T do the first time you do the install, you'll never really get to see how a properly configured SBS works.

Consider having a local MS-certified Small Business Specialist demonstrate the software to you. Most will have SBS running on their laptop in Virtual PC, or will log you onto a working SBS Server. You can see exactly how the Server works, how it looks to the User, and you can get acquainted with a local expert. You can then decide if you want to proceed and if you want to configure it yourself or get someone to guide you through choosing appropriate hardware and the server/client configuration.

If you want, you can find MS-certified consultants on the Microsoft SmallBusiness site.

But if you don't start playing with it, how will you ever learn?
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: InlineFive
But if you don't start playing with it, how will you ever learn?

This is the biggest mistake ever. You get training/education for this stuff. You don't "play" with it.

Playing with it results in "I can't see my network" without any understanding of what is actually going on.
 

InlineFive

Originally posted by: spidey07
Originally posted by: InlineFive
But if you don't start playing with it, how will you ever learn?

This is the biggest mistake ever. You get training/education for this stuff. You don't "play" with it.

Playing with it results in "I can't see my network" without any understanding of what is actually going on.

You're misinterpreting what I am talking about (or maybe I'm not being clear enough). I realize the benefit of education and I agree that it is irreplaceable.

However, book learning and no real world "practice" (on your own network, of course) doesn't make for a very well rounded consultant. This is where the "play" comes into . . . play.
 

DaiShan

Diamond Member
Jul 5, 2001
I agree with a lot of the posters in this thread that adding multiple servers is just going to complicate your life. You can get a colo box from ServerMatrix for $99 a month with cPanel; it comes with Exim4 already set up, and adding email addresses is easy. You can also run your web site off of the same box. You can manage backups of your file server using rsync to your ServerMatrix box.

/edit: for off-site access of files, why bother with a full VPN? If you're considering using Samba anyways, why not just have your developers use WinSCP to securely retrieve files over the WAN?
 

InlineFive

Originally posted by: DaiShan
/edit: for off-site access of files, why bother with a full VPN? If you're considering using Samba anyways, why not just have your developers use WinSCP to securely retrieve files over the WAN?

That also creates many complications. Namely, duplicates running amok between work and personal computers. Not to mention that for security purposes I would much rather keep as much of my company files at work as possible.

However I can understand that for SMBs this is not always possible.
 

RebateMonger

Originally posted by: InlineFive
You're misinterpreting what I am talking about (or maybe I'm not being clear enough). I realize the benefit of education and I agree that it is irreplaceable.

However, book learning and no real world "practice" (on your own network, of course) doesn't make for a very well rounded consultant. This is where the "play" comes into . . . play.

There's certainly nothing wrong with installing SBS and "playing with it". Especially with the intent of understanding how it works and how to properly configure it.

My earlier warning about the SBS Trial Version is intended for the "non-IT person", as the OP described himself/herself. It's like installing Linux "to check it out" and spending a whole weekend just getting it to recognize your network card. It doesn't accomplish the goal, which is to see if the software fulfills your business need.

Evaluating the value of software for your business is not the same thing as learning how to properly install it.
 

DaiShan

Originally posted by: InlineFive
Originally posted by: DaiShan
/edit: for off-site access of files, why bother with a full VPN? If you're considering using Samba anyways, why not just have your developers use WinSCP to securely retrieve files over the WAN?

That also creates many complications. Namely, duplicates running amok between work and personal computers. Not to mention that for security purposes I would much rather keep as much of my company files at work as possible.

However I can understand that for SMBs this is not always possible.

It sounds like you want a version control system. Subversion is fantastic and is open source, and installs quite easily on any of the Debian-based distros. I use it in conjunction with Trac for project management for ~400 web sites and 36 developers.
 

XedDT


I didn't make myself clear before and I may have used a bad turn of phrase. When I said that I was going to "kick the tires" a bit I did not mean to imply that I was going to "play" with it. I'm not an IT person by trade but I think I'm more knowledgeable than the average user. I've got VMWare running on my desktop and I'm going to use it to install MS-SBS and set up a virtual network with SBS as server and a couple of XPPro virtual clients. I imagine that I'll end up installing it quite a few times before I get a good feel for how everything works.

"Playing" is a really bad idea and normally will lead an inexperienced person down a path of frustration and futility. I'm "kicking the tires" which I think of as a hands on evaluation mixed with a heavy dose of self instruction and web research.

 

nweaver

Diamond Member
Jan 21, 2001
Originally posted by: XedDT

I didn't make myself clear before and I may have used a bad turn of phrase. When I said that I was going to "kick the tires" a bit I did not mean to imply that I was going to "play" with it. I'm not an IT person by trade but I think I'm more knowledgeable than the average user. I've got VMWare running on my desktop and I'm going to use it to install MS-SBS and set up a virtual network with SBS as server and a couple of XPPro virtual clients. I imagine that I'll end up installing it quite a few times before I get a good feel for how everything works.

"Playing" is a really bad idea and normally will lead an inexperienced person down a path of frustration and futility. I'm "kicking the tires" which I think of as a hands on evaluation mixed with a heavy dose of self instruction and web research.

As was stated above, to truly get a feel for SBS, you need someone who is more than "above the average user" who can show you what it can do, not what someone can figure out in a few days. (imho)
 

nweaver

Originally posted by: nweaver
Originally posted by: XedDT

I didn't make myself clear before and I may have used a bad turn of phrase. When I said that I was going to "kick the tires" a bit I did not mean to imply that I was going to "play" with it. I'm not an IT person by trade but I think I'm more knowledgeable than the average user. I've got VMWare running on my desktop and I'm going to use it to install MS-SBS and set up a virtual network with SBS as server and a couple of XPPro virtual clients. I imagine that I'll end up installing it quite a few times before I get a good feel for how everything works.

"Playing" is a really bad idea and normally will lead an inexperienced person down a path of frustration and futility. I'm "kicking the tires" which I think of as a hands on evaluation mixed with a heavy dose of self instruction and web research.

As was stated above, to truly get a feel for SBS, you need someone who is more than "above the average user" who can show you what it can do, not what someone can figure out in a few days. (imho)

In fact, I would consider myself a bit of a server admin, and if I was evaluating SBS for a biz, I would call and ask for a demonstration, and maybe THEN I would play with it.