Wednesday, April 30, 2008

An Interesting Turn for My Blog ...

I am really impressed by how much activity my blog gets. I had an interesting turn of events on Friday. A small business owner was having some pain with his SBS 2003 install because he did not have a good firewall in front of it, or at least that is how I understood his message to me. Here is what he had to say:

Hi Mark,

I stumbled across your blog (and a forum post or 2) while I was searching for info on how to best configure a SBS 2003 server behind a TZ 180. I am the owner of a small steel fabrication business and by default the one-man IT department for our 12-person operation. I have been running a 2 NIC SBS 2003 setup with Exchange for 5 years without a problem, but for a lot of different reasons, including lost sleep, I just ordered a TZ 180 25 person Total Secure package to stick in front of it.

Any tips for a dumb welder turned designated IT guy on this? I was assuming that I should keep the 2 NIC setup and figure out how to set up the SonicWALL to accommodate, but I have seen a few recommendations to switch the SBS over to 1 NIC (and your comment that you have deployed "a ton" of SBS 2003 boxes behind the TZ180s prompted this message). We do have a couple of employees using RWW and I would like to continue this.

Our email is hosted by Earthlink and the SBS box goes and fetches it by POP3 and then distributes it. Recently, I set up a Gmail account that I first forward the Earthlink email to, let Gmail filter, and then pass back to a "clean" Earthlink mailbox before our server downloads. My staff loves me for this as I spare them from a ton of spam. Will the SonicWALL box take care of this or do I need to keep the Gmail filter going? Are your typical SBS setups running Exchange, or do you advise hosted Exchange? I am all about doing less IT and more running the business, so please steer me toward the more hands-off solution...

thanks for your time.

I happen to be in Dallas, TX at the SMB Summit event, where I was speaking with Becky Ochs, the Product Manager for Small Business Server at Microsoft. They have officially moved the server off the edge of the network and removed ISA from Small Business Server; it is now a one-NIC box. Given the firewall products available in the SMB space, I really think this is a smart move. Anyway, this could not have been more timely. I put together what I think is a good roadmap on how to add a SonicWALL firewall in front of an SBS 2003 server. Here is my reply:

Overall this should not be a tough move. First off, it sounds like you are doing a pretty good job of managing your SBS server without working in IT. I am in Dallas with the Microsoft Product Manager for SBS, Becky Ochs, and her presentation specifically mentioned that SBS will no longer be a two-NIC server on the edge of the network. With that in mind, the answer to your question is that a one-NIC setup is where you want to go.

The one caveat to making this change is whether you are using ISA Server. As long as the answer is no, the following steps should make this process simple. Here is what to do.

1. Set up the TZ180W and connect it to the Internet. The WAN IP setup depends on your service with the ISP. Hopefully you have a fixed IP address; if not, I would look into getting one, since every inbound service below (mail, OWA, RWW, VPN) needs a public address that does not change. Register your device and make sure it can get out to the Internet. Set the LAN IP to an address that is unique on the network. My suggestion is that if the server has an address near one end of the range, like x.x.x.1, you set the firewall LAN interface to x.x.x.254. It is good practice to keep these addresses at the ends of the subnet.

2. With the SonicWALL connected, go to Server Management on the SBS box and run the Internet Connection Wizard (ICW, also known as the Configure E-mail and Internet Connection Wizard). During the wizard, change the network configuration to a single NIC, with the server's default gateway pointing at the SonicWALL LAN address. Do not change anything else, and especially not the server certificate settings. Then disable the old WAN NIC to prevent any confusion.

3. The next step is to give the workstations the new path to the Internet. Most likely they get their IP addresses from the DHCP server on the SBS box, so make certain the DHCP server on the TZ180's LAN interface is disabled; two DHCP servers on the same segment will hand out conflicting gateway and DNS settings, and clients will randomly lose their domain. This is very, very important. The ICW should have updated the SBS DHCP scope, but you may still need to open the DHCP MMC and set the router (gateway) option to the IP address of the LAN interface on the SonicWALL. Leave the DNS option pointing at the SBS server, since it is the Active Directory DNS server. Reboot the workstations (or run ipconfig /renew) and confirm they can get to the Internet.

If all has gone well and according to plan, your internal configuration is complete. The final step is to open the ports needed for public services on the SBS server. Each one is an inbound (WAN to LAN) rule on the SonicWALL that forwards the port to the server's LAN address, and nothing beyond this list should be forwarded. They are as follows:

1. TCP 25 for inbound mail to Exchange. I will address this more in a moment, as your mail is set up a bit uniquely. Create this rule now but leave it disabled until you are ready to receive e-mail directly on Exchange.

2. TCP 80/443 for web-based remote services such as xxx.domain.xxx/exchange (OWA) and xxx.domain.xxx/remote (RWW).

3. TCP 4125 so the Remote Web Workplace can proxy Remote Desktop sessions to servers and workstations. This is the path remote users should take to a desktop; do not forward 3389 straight to the server.

4. TCP 444 if you allow access to companyweb from the Internet.

5. TCP 1723 if you allow Microsoft (PPTP) VPN access to your network. PPTP carries the tunnel data in GRE (IP protocol 47), so the firewall must pass GRE to the server as well as TCP 1723, or the VPN will authenticate and then hang.

That should get everything working in a single-NIC configuration with the TZ180W as the new firewall/gateway.
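Once the rules are in, the thing to verify is that the firewall exposes exactly that list and nothing else. The script below is an added example, not code from the original post or from SonicWALL or Microsoft: it probes the firewall's public address for the ports the reply forwards and for the Windows ports that must stay LAN-only, then reports anything missing or exposed. The public address in the usage comment and the must-be-closed list are assumptions for the example. Run it from a machine outside the office LAN (a home connection will do) so the probes actually cross the WAN rule set.

```python
"""Outside-in exposure check for the single-NIC SBS 2003 cutover.

Probes the firewall's public address for the TCP ports the rules above forward
to the SBS box and for ports that must stay LAN-only, then reports the gaps.
Run it from a host OUTSIDE the office LAN so the probes cross the WAN rules.
The public address in the usage line and the must-be-closed list are
assumptions for this example, not anything from the original post.
"""
import socket
import sys
from typing import Callable, Dict, List, Set

# Inbound TCP rules the reply above creates on the firewall (port -> purpose).
EXPECTED_OPEN: Dict[int, str] = {
    25: "SMTP, inbound Exchange mail",
    80: "HTTP, OWA (/exchange) and RWW (/remote)",
    443: "HTTPS, OWA (/exchange) and RWW (/remote)",
    444: "companyweb over HTTPS",
    1723: "PPTP VPN control channel (GRE, IP protocol 47, must pass too)",
    4125: "Remote Web Workplace remote desktop proxy",
}

# Ports an SBS box listens on that must never answer from the WAN (assumed list).
MUST_BE_CLOSED: Dict[int, str] = {
    53: "DNS (the SBS DNS server is for the LAN only)",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    389: "LDAP (Active Directory)",
    445: "SMB",
    3389: "RDP straight to the server (RWW on 4125 is the intended path)",
}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes: a forward rule exists AND the
    service behind it accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(
    host: str,
    connect: Callable[[str, int], bool] = tcp_open,
    deferred: Set[int] = frozenset(),
) -> Dict[str, List[int]]:
    """Probe both tables and classify what answered.

    deferred: ports whose rule is created but meant to stay disabled for now
    (port 25 until Exchange is ready to receive mail). They are expected
    closed; one that answers means the rule was switched on early.
    """
    missing = [p for p in sorted(EXPECTED_OPEN)
               if p not in deferred and not connect(host, p)]
    deferred_open = [p for p in sorted(deferred) if connect(host, p)]
    unexpected = [p for p in sorted(MUST_BE_CLOSED) if connect(host, p)]
    return {"missing": missing, "deferred_open": deferred_open,
            "unexpected": unexpected}


def summarize(findings: Dict[str, List[int]]) -> List[str]:
    """One line per problem; an empty list means the firewall matches the plan."""
    out = []
    for p in findings["missing"]:
        out.append(f"MISSING  tcp/{p}: {EXPECTED_OPEN[p]}; check the WAN->LAN "
                   f"rule and that the service is listening on the server")
    for p in findings["deferred_open"]:
        out.append(f"EARLY    tcp/{p}: rule should still be disabled but the port answers")
    for p in findings["unexpected"]:
        out.append(f"EXPOSED  tcp/{p}: {MUST_BE_CLOSED[p]}; reachable from the WAN, block it")
    return out


if __name__ == "__main__":
    # Usage: python check_sbs_exposure.py 203.0.113.10 [--defer-25]
    # (203.0.113.10 is a documentation address standing in for your WAN IP.)
    target = sys.argv[1]
    hold = {25} if "--defer-25" in sys.argv[2:] else set()
    problems = summarize(check_exposure(target, deferred=hold))
    print("\n".join(problems) if problems else f"{target}: rules match the plan")
    sys.exit(1 if problems else 0)
```

A completed handshake only proves the forward rule exists and something on the server accepted the connection; it does not test that OWA logs in or that mail is delivered. The GRE leg of PPTP cannot be probed with a TCP connect, so test the VPN itself from outside after 1723 shows open. Run with --defer-25 while the mail rule is still meant to be off.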

As far as Exchange goes, I would dump all that complicated e-mail routing and use the server you are paying for. If spam is a concern there are a couple of good solutions. One is Postini, which is owned by Google; the cost per user is really pretty low. You could also use a software product like Sophos PureMessage for SBS, which works pretty well and will eliminate almost all spam. A third choice, and my preference, is a SonicWALL E-Mail Security device, which installs very easily and, like software or an outside service, will filter all your e-mail. In my opinion E-Mail Security gives you the most control, flexibility, growth, and value. It is totally hands off and will proxy your e-mail if the server goes down for any reason, as long as your connection to the Internet is still in place. With Exchange you get one e-mail address per user that is web accessible, syncs to a Windows phone in real time, and works with Microsoft Outlook 2003 or later at home or anywhere else you have an Internet connection. It is ROCK SOLID, and all my SBS users run Exchange as their e-mail server.

After getting a reply back from the sender, I figured this was good data for the community and I should get it out here to the general public. Hope it helps all!

 
