
suggestion on how to handle this job

rasczak

Lifer
I've got a customer who is insistent on hosting their website on their premises. They're purchasing SBS 2008 Foundation, want to set up a domain, and host a multiuser QuickBooks app with a CRM application running on top of it. I don't have a problem setting up the network nor the applications; however, I've never set up a website for a customer, so I was wondering if you all could give me some tips. He's already got the domain name picked out and would like for me to purchase it as well as set up the new email addresses. He's got a simple Linksys router, and 1 server with an extra workstation on the side with which I could probably throw Ubuntu/Apache for web services in a DMZ if his router is capable of it. The other workstations will need internet connectivity as well. Please be blunt, let me know what I should do, what I could do, and what I should stay away from. This is a bit over my head concept wise, but I'm confident I can get the job done right.

Thanks
 
Buy the domain name, point the records to the external IP of your network. NAT/PAT the HTTP/HTTPS ports as well as the email ports if they are running a mail server (whichever you need) to the inside server.

I recommend getting a good firewall and configuring it correctly when doing this and toss it on a proper DMZ. By exposing this to the internet you are opening yourself up to risks. For most small businesses the few bucks a month to have someone host it is money well spent, as you don't have to go through the security costs and hassle. I would also recommend something more than a Linksys for this job; something that is security minded like an ASA 5505 is more along the lines of what I would want protecting my business network.
 
Yeah having a server to host quickbooks and things like that onsite is fine but using the same server for a website on premise is totally different. I'd highly suggest your customer host their domain with a hosting company for security purposes. One compromise and their business data is exposed.
 
Yeah having a server to host quickbooks and things like that onsite is fine but using the same server for a website on premise is totally different. I'd highly suggest your customer host their domain with a hosting company for security purposes. One compromise and their business data is exposed.

+1


😎
 
Nah, a cheap Edimax/Xincom/HotBrick (all the same Chinese junk) dual-WAN router works good. It can do DynDNS even, so you could have a T-1 (Cbeyond/voice) and a backup Comcast Business. That's what I do: the slow Cbeyond (2+ T-1's) handle the secure data and less important stuff goes over the cheaper Comcast (42/7).

Spend $19 for a 1and1.com developer account. It includes a real SSL cert (not a cheapie) for life, MX backup in case your links go down - very valuable - free - and runs most apps depending on package (Win/Linux). Extremely high uptime on my Linux package. Free domain privacy, and I think that level package includes 4 or 5 free yearly domains as well.

You will not find many other web hosts that will give you those business-oriented features for that price. I've had over 100K emails on their Nemesis MX backup mail servers in a mail bomb scenario someone hit me with - and it took a few days to process them all but they did not get rejected lol. I had to slowly let them come in to avoid losing any potential customer email.

They can host B2B data (XML/BizTalk) locally but have their front-facing site at 1and1 communicating using AJAX/XML/SOAP/whatever as a compromise.
 
If your web site is just a static site or a simple dynamic site, hosting it on your SBS box is fine. If it's more than that or you expect a large amount of traffic, I'd recommend hosting it at a professional hosting firm, if only for performance reasons.

I would also recommend something more than a Linksys for this job; something that is security minded like an ASA 5505 is more along the lines of what I would want protecting my business network.

Lulz.
 
Thanks for the responses. I'll research more. The site itself doesn't produce a lot of traffic. At most it gets 50 to 60 hits a month or less. I was more concerned about the security aspect of protecting the internal network from outside attacks.
 
If you want to run the website and QuickBooks on the same box then start reading up on virtualization. It is how many businesses do it and still keep the security high.
 
RadiclDreamer said:
I would also recommend something more than a Linksys for this job; something that is security minded like an ASA 5505 is more along the lines of what I would want protecting my business network.

While I'm not saying that an ASA isn't a good choice, we sell and support a lot of them, the ASA isn't going to give you any additional protection for the website itself. You're still opening up IIS to the world and any exploits in it or the website that it's hosting will still give the attacker the same level of access to the server hosting it. If you add in the IPS module that's different, but that comes with a whole other host of issues.

rasczak said:
Thanks for the responses. I'll research more. The site itself doesn't produce a lot of traffic. At most it gets 50 to 60 hits a month or less. I was more concerned about the security aspect of protecting the internal network from outside attacks.

And you should be, because if someone happens to break into that server via IIS or Exchange they'll have access to everything else on that server as well. Generally you want a hard separation between internal servers and anything that's opened up to the Internet. Although sadly most non-technical people either don't understand that or think the cost is too high and say they're willing to take the risk. That is, until they finally do get compromised and have to deal with the fallout.
 
For Exchange I would have that behind the red zone (firewall) and VPN-only access - then have/rent a qmail server or two (OpenBSD+qmail is pretty much bulletproof). Then use POP to Exchange to suck in the emails to the Exchange. This would isolate your SBS2008 from the wild and decrease your chances of being haxored greatly.

It is absolutely frightening to have Windows servers open to the internet.
 
If you plan on hosting your website on the same server as your critical important data - it's a matter of when that data is compromised, not if. Sorry, just being honest here. No server that has critical business data should EVER be accessible from the internet.

Modelwork's suggestion of using virtual servers for this would work, however. Create a virtual server with the web server and another virtual server for your business data and only allow access to the web server virtual server.
 
If you plan on hosting your website on the same server as your critical important data - it's a matter of when that data is compromised, not if. Sorry, just being honest here. No server that has critical business data should EVER be accessible from the internet.

Modelwork's suggestion of using virtual servers for this would work, however. Create a virtual server with the web server and another virtual server for your business data and only allow access to the web server virtual server.

This.
Do NOT run a public website on your QuickBooks server, for the love of god.
 
It is absolutely frightening to have Windows servers open to the internet.

This may have been true 10 years ago, but now it's just FUD.

The vast majority of vulnerabilities in the networking world are at the application level and those exist equally on Windows and Linux.

I run MANY Windows servers directly on the internet with a variety of applications and I have never once had a problem.
 
It is absolutely frightening to have Windows servers open to the internet.

Why?

Exchange and IIS are both perfectly secure. Problems can arise when patches aren't applied, proper firewalls aren't in place, and in IIS's case, if custom website code is insecure. This isn't any different than on Linux or any other complex system.
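
The separation several replies in this thread recommend (port forwards landing only on a DMZ host, and no path from the DMZ back to the server holding business data), written as an added example that is not part of any post. The host names, addresses, ports and rule format are constructed assumptions, not taken from the customer's network or from any router's configuration syntax.

```python
# Added example: audit a small-office edge setup for the separation discussed above.
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    zone: str             # "lan" or "dmz"
    business_data: bool   # e.g. the QuickBooks/CRM server

@dataclass(frozen=True)
class Forward:            # NAT/PAT entry: WAN port -> inside ip:port
    wan_port: int
    ip: str
    port: int

@dataclass(frozen=True)
class Allow:              # inter-zone firewall rule
    src_zone: str
    dst_ip: str
    port: int

def audit(hosts, forwards, allows):
    """Return a list of findings; an empty list means the separation holds."""
    by_ip = {h.ip: h for h in hosts}
    findings = []
    for f in forwards:
        h = by_ip.get(f.ip)
        if h is None:
            findings.append(f"wan:{f.wan_port} forwards to unknown host {f.ip}")
        elif h.business_data:
            findings.append(f"wan:{f.wan_port} exposes business-data host {h.name}")
        elif h.zone != "dmz":
            findings.append(f"wan:{f.wan_port} lands on {h.name} in zone {h.zone}, not the DMZ")
    for a in allows:
        h = by_ip.get(a.dst_ip)
        if a.src_zone == "dmz" and h is not None and h.zone == "lan":
            findings.append(f"dmz may reach lan host {h.name} on port {a.port}")
    return findings

# Constructed samples: site on the business server, site on a DMZ host, DMZ host with a hole to the LAN.
SBS = Host("sbs2008", "192.168.1.10", "lan", True)
WEB = Host("web01", "192.168.50.10", "dmz", False)
SINGLE_BOX = audit([SBS], [Forward(80, SBS.ip, 80), Forward(443, SBS.ip, 443)], [])
SPLIT = audit([SBS, WEB], [Forward(80, WEB.ip, 80), Forward(443, WEB.ip, 443)], [])
SPLIT_LEAKY = audit([SBS, WEB], [Forward(443, WEB.ip, 443)], [Allow("dmz", SBS.ip, 1433)])

if __name__ == "__main__":
    for label, result in [("single box", SINGLE_BOX), ("split", SPLIT), ("split + dmz->lan", SPLIT_LEAKY)]:
        print(label, "->", result or "no findings")
```

The third case shows why a DMZ alone is not enough: a single allow rule from the DMZ to the business server restores the path the split was meant to remove.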
 