Wednesday, April 30, 2008

An Interesting Turn for My Blog ...

I am really impressed by how much activity my blog gets. I had an interesting turn of events on Friday. A small business owner was having some pain with his SBS 2003 install because he did not have a good firewall in front of it, or at least that is how I understood his message to me. Here is what he had to say:

Hi Mark,

I stumbled across your blog (and a forum post or two) while I was searching for info on how to best configure a SBS 2003 server behind a TZ 180. I am the owner of a small steel fabrication business and by default the one-man IT department for our 12-person operation. I have been running a 2-NIC SBS 2003 setup with Exchange for 5 years without a problem, but for a lot of different reasons, including lost sleep, I just ordered a TZ 180 25-person Total Secure package to stick in front of it.

Any tips for a dumb welder turned designated IT guy on this? I was assuming that I should keep the 2-NIC setup and figure out how to set up the SonicWALL to accommodate it, but I have seen a few recommendations to switch the SBS over to 1 NIC (and your comment that you have deployed "a ton" of SBS 2003 boxes behind the TZ180s prompted this message). We do have a couple of employees using RWW and I would like to continue this.

Our email is hosted by Earthlink and the SBS box goes and fetches it via POP3 and then distributes it. Recently, I set up a Gmail account that I first forward the Earthlink email to, let Gmail filter it, and then pass it back to a "clean" Earthlink mailbox before our server downloads it. My staff loves me for this as I spare them from a ton of spam. Will the SonicWALL box take care of this, or do I need to keep the Gmail filter going? Are your typical SBS setups running Exchange, or do you advise hosted Exchange? I am all about doing less IT and more running the business, so please steer me toward the more hands-off solution...

thanks for your time.

I happen to be in Dallas, TX at the SMB Summit event, where I was speaking with Becky Ochs, the Product Manager for Small Business Server at Microsoft. Microsoft has officially dropped the server from the edge of the network and removed ISA from Small Business Server; it is now a one-NIC box. Given the firewall products now available in the SMB space, I think this is a smart move. Anyway, this message could not have been more timely. I put together what I think is a good roadmap for adding a SonicWALL firewall in front of an SBS 2003 server. Here is my reply:

Overall this should not be a tough move. First off, it sounds like you are doing a pretty good job managing your SBS server for someone who does not work in IT. I am in Dallas with the Microsoft Product Manager for SBS, Becky Ochs, and her presentation specifically mentioned that SBS will no longer be a two-NIC server on the edge of the network. With that in mind, the answer to your question is that a one-NIC setup is where you want to go.

The one caveat is whether you are running ISA Server on the SBS box. As long as the answer is no, the following steps should keep this simple. Here is what to do.

1. Set up the TZ180W and connect it to the Internet. The WAN IP setup depends on your service with the ISP. Hopefully you have a fixed IP address; if not, I would look into it, as inbound services like RWW, OWA and mail are much simpler with a static address. Register the device and make sure it can get out to the Internet. Set the LAN IP to an address that is unique on the network. My suggestion is that if the server sits near one end of the range, say x.x.x.1, you set the firewall LAN interface to x.x.x.254. It is good practice to keep infrastructure addresses at the ends of the subnet.

2. With the SonicWALL connected, go to the SBS Server Management console and run the Internet Connection Wizard (ICW). During the wizard, change the NIC settings to a single-NIC configuration and do not change anything else. This especially includes the server certificate settings: the wizard can generate a new certificate, and the existing one is what your RWW and OWA users already have installed and trust. Go ahead and disable the old WAN NIC to prevent any confusion.

3. The last step on the inside is to give the workstations their new path to the Internet. Most likely they get IP addresses from the DHCP server on the SBS box. Make certain the DHCP server on the TZ180's LAN interface is disabled. This is very, very important: if both devices hand out leases, some workstations will pick up the firewall as their DNS server instead of the SBS box, and domain logons, Exchange and RWW will break for them. The ICW should have adjusted the DHCP scope, but you may still need to open the DHCP MMC and set the router option (003) to the new gateway address, which is the LAN interface address of the SonicWALL. Reboot the workstations and confirm they can get to the Internet.

If all has gone according to plan, your internal configuration is complete. What remains is to open the ports needed for the public services on the SBS server, each with a NAT policy on the TZ180 that points the port at the server's LAN address. They are as follows:

1. TCP 25 for inbound mail to Exchange. I will address this in a moment, as your mail is set up a bit uniquely. Create this rule now but leave it disabled until you are ready to receive mail directly into Exchange.

2. TCP 80 and 443 for the web-based remote services, xxx.domain.xxx/exchange (OWA) and xxx.domain.xxx/remote (RWW). Both actually run over 443; port 80 is only there for the redirect to HTTPS, so it can stay closed if your users are fine typing https://.

3. TCP 4125 to allow Remote Desktop to servers and workstations through the Remote Web Workplace. Do not open 3389 straight to the server; RWW on 4125 is the way in.

4. TCP 444 if you allow access to companyweb (over SSL) from the Internet.

5. TCP 1723 if you allow Microsoft (PPTP) VPN access to your network. PPTP also needs the GRE protocol (IP protocol 47) passed through to the server, so the rule must allow GRE as well as TCP 1723. If nobody uses the VPN, leave this closed.

That should get everything working in a single-NIC configuration with the TZ180W as the new firewall/gateway. Leave every other port closed: there is no reason for SMB (445), RDP (3389), the RPC ports, or the domain's DNS, LDAP and Kerberos to be reachable from the WAN. Now that the server no longer has an interface on the Internet, the firewall's inbound rules are the only thing deciding what the world can reach.
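Once the rules are in, the only confirmation that counts is a probe from outside the firewall. The script below is an added example written for this post (it is not the author's script or a SonicWALL tool): from an outside host it TCP-connects to the public address, compares what answers against the six published ports above, and flags anything else, in particular the domain-controller ports that must never face the WAN. The placeholder address 203.0.113.10 and the "must be closed" list are assumptions chosen for the example.

```python
"""Post-cutover exposure check for an SBS 2003 box behind a SonicWALL TZ 180.

Added example, not from the original post. Run it from OUTSIDE the firewall
(a home DSL line will do) against the public address of the TZ 180's WAN
interface. The target address and the MUST_BE_CLOSED list are assumptions.
"""
import socket
import sys
from typing import Dict, Iterable, Set

# Services the reply says may be published on the WAN side of the TZ 180.
EXPECTED_PUBLIC: Dict[int, str] = {
    25: "SMTP, inbound Exchange mail (rule stays disabled until mail is cut over)",
    80: "HTTP, only needed for the redirect to HTTPS",
    443: "HTTPS, OWA (/exchange) and RWW (/remote)",
    444: "companyweb over SSL",
    1723: "PPTP control channel (GRE, IP protocol 47, must be allowed too)",
    4125: "RWW Remote Desktop proxy",
}

# Ports that should never answer from the Internet on an SBS domain controller.
# This list is an assumption chosen for the example, not from the post.
MUST_BE_CLOSED: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB",
    1433: "SQL Server default instance",
    3389: "RDP straight to the server (use RWW on 4125 instead)",
}


def probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, ports: Iterable[int], timeout: float = 2.0) -> Set[int]:
    """Probe each port from the outside and return the set that accepted."""
    return {p for p in ports if probe(host, p, timeout)}


def classify(open_ports: Iterable[int],
             expected: Iterable[int] = EXPECTED_PUBLIC,
             must_be_closed: Iterable[int] = MUST_BE_CLOSED) -> Dict[str, Set[int]]:
    """Sort observed open ports into the buckets an auditor cares about.

    exposed:          open and on the must-be-closed list (fix immediately)
    unexpected:       open but on neither list (find out why)
    expected_open:    open and published on purpose
    expected_missing: published on purpose but not answering (rule disabled,
                      service down, or the NAT policy points at the wrong host)
    """
    observed = set(open_ports)
    expected_set = set(expected)
    closed_set = set(must_be_closed)
    return {
        "exposed": observed & closed_set,
        "unexpected": observed - expected_set - closed_set,
        "expected_open": observed & expected_set,
        "expected_missing": expected_set - observed,
    }


def report(result: Dict[str, Set[int]]) -> str:
    """Render the classification as a short text report, worst findings first."""
    lines = []
    for port in sorted(result["exposed"]):
        lines.append(f"EXPOSED   {port:>5}  {MUST_BE_CLOSED.get(port, '')}")
    for port in sorted(result["unexpected"]):
        lines.append(f"UNKNOWN   {port:>5}  open but not in either list")
    for port in sorted(result["expected_open"]):
        lines.append(f"OK        {port:>5}  {EXPECTED_PUBLIC.get(port, '')}")
    for port in sorted(result["expected_missing"]):
        lines.append(f"NOT OPEN  {port:>5}  {EXPECTED_PUBLIC.get(port, '')}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Example:  python sbs_exposure.py 203.0.113.10   (placeholder address)
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    # Probe the published ports, the must-be-closed ports, and a couple of
    # common alternates that a forgotten rule might have left open.
    open_now = scan(target, set(EXPECTED_PUBLIC) | set(MUST_BE_CLOSED) | {8080, 8443})
    print(report(classify(open_now)))
```

Run it once before enabling the port 25 rule (25 should show as NOT OPEN) and again after. A plain TCP connect cannot check GRE, so the PPTP rule still has to be verified with an actual VPN logon, and an "OK" line only proves something answered on that port from the outside, not that the NAT policy lands on the SBS box rather than another host.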

As far as Exchange goes, I would dump all that complicated email travel and use the server you are paying for. If spam is a concern there are a couple of great solutions. One is to use Postini, which is owned by Google; the cost per user is really pretty low. You could also use a software product like Sophos PureMessage for SBS. This works pretty well too and will eliminate almost all spam. A third choice, and my preference, is a SonicWALL E-Mail Security device, which installs very easily and, like the software or an outside service, will filter all your email. In my opinion E-Mail Security gives you the most control, flexibility, growth and value. It is totally hands off and will proxy your email if the server goes down for any reason, as long as your connection to the Internet is still in place. With Exchange you get one email address per user that is web accessible, syncs to a Windows Mobile phone in real time, and works with Microsoft Outlook 2003 or later at home or anywhere else you have an Internet connection. It is ROCK SOLID and all my SBS users run Exchange as their email server.

After getting a reply back from the sender I figured this was good data for the community and I should get it out here to the general public. Hope it helps all!


Friday, April 18, 2008

SonicWALL NSA E-Class looks to be a big win for Willow Creek Community Church

Anyone who knows me or reads my blog can be certain of one thing: I like SonicWALL products. The company's product line is growing and maturing incredibly fast. This growth charge is now being led by the Enterprise Class firewalls, or E-Class as they are known. These products are changing the landscape and have raised the bar in performance and throughput. There is not another enterprise-class product on the market that can do what the E-Class firewalls do. When you consider the price, the E-Class is by far the best value for the dollar.

I have to say that working with churches is always an honor. I just completed a job for Willow Creek Community Church, a church known not just here in the United States but worldwide for its service to Jesus Christ. Having been given the trust of a church of this size and stature in the ministry is nothing less than a true God thing. Kudos to Kurt Donnan and his team at Willow Creek for the opportunity.

The project was to replace their SonicWALL Pro 4060, which had been in service for about three years. It sat on a 45 Mbps DS3 connection and was pretty much at its limit handling what the Willow network was throwing at it. The replacement was to be a pair of brand new E-Class NSA 6500 firewalls, installed as a High-Availability pair to not only upgrade the capability at the head end of the network but also add a layer of redundancy, as the previous install was a single point of failure for the network.

Now, as anyone who has cut over the gear connecting a big network to the Internet knows, this can be a nightmare for the users if the project is not well thought out and carefully executed. Downtime is never really acceptable and can ultimately create a black eye for the IT department of any network. This was no different at Willow Creek. Fortunately, SonicWALL made this process much easier by allowing the content rules and programming of the Pro 4060 to be imported into the new E-Class. I was not about to take it for granted that this would work smoothly, so Kurt, his team and I diligently reviewed every rule, process and custom bit of configuration that was imported to the E-Class device. When we were done, the only thing we found was that some orphaned firewall rules that really should not have been in place on the Pro 4060 had been cleaned up and purged from the new configuration. That was the first sign things were really headed in the right direction.

We went ahead and shut down the Pro 4060 and lit up the E-Class box on the production network. The outbound connections all came up with no issues at all. As we audited inbound traffic we noticed that connections were not being made. My suspicion was that some NICs were not happy about the hardware change happening in real time and mid-stream. I simply rebooted the E-Class gear and the servers that were not communicating. Every single connection came online and worked flawlessly. Total time from Pro 4060 shutdown to the E-Class NSA 6500 assuming all network functionality was less than 10 minutes. For the end users at Willow Creek the change was totally transparent. The quote was "It can't be that easy. This was the easiest cut-over we have ever done." I really can't take the credit here. Kudos to SonicWALL and the engineers that developed the NSA E-Class products. They are simply awesome!

After the conversion I thought we should test the performance of the new install. The inbound connection is 45 Mbps over a DS3, so we should have been able to get the E-Class to show us some real use with the network in production. Here is a snapshot of the E-Class on a Monday just after conversion, with podcasts, credit cards, browsing, email, downloads and everything else going on.

[Image: Willow on E6500]

Can you say yawn? Only 2 CPUs were in use! To be fair it was later in the day, but we still thought there would be more load than that. This was with all the UTM (Unified Threat Management) services turned on. To push the issue we decided to max out the DS3 with 7 simultaneous downloads of Vista SP1, several video streams, continuous (ping -t) pings to outside servers, etc. The graph of the DS3 showed it right at the top of its inbound limit. Below is the E-Class CPU graph.

[Image: Willow with DS3 Tapped]

We managed to get 5 CPUs engaged. CPU 2 actually got to 41% for a brief second, but I could not snap the photo quickly enough. When we ran this test we had already installed the second E-Class for High Availability fail-over. We pulled the plug on unit one and the only thing we lost, out of all the stuff that was running, was one ping of about 30 ms.

The E-Class boxes are a great product. If you have a Cisco, Juniper, Fortinet, WatchGuard or any other firewall solution, or are looking to make a change, contact Willow Creek and see what they think. I think they will tell you to give the E-Class some serious consideration. In the ministry space, as in any other market, there is no other product that comes close to providing top value for the ever-shrinking IT dollar.


Friday, April 11, 2008

Microsoft does VoIP for the small to medium business!

Did you know that Microsoft has a VoIP system? Well, they do, and so far I really like it. They are OEMing the software to several hardware companies to build and integrate into a system. The company I have chosen to start with is D-Link. I have never thought of D-Link as a higher-end hardware company, but this system is a pretty big departure from the home-grade equipment I have used from them in the past.


Getting back to the topic at hand... The Response Point system is a small to medium business VoIP solution with a host of features, bells and whistles. The features have really been crafted carefully to meet the needs of this space. Most mid-sized PBX phone systems, as well as bigger VoIP systems like those from Cisco, have a pretty big up-front cost. I have sold several mid-sized phone systems and it is nothing to get up to seven to ten thousand dollars. The Response Point system bundled as a 10-user set with a four-line PSTN gateway (regular old business lines on copper) can install and be ready to go for less than four thousand dollars complete. Some prerequisites to that number are a good quality switch, though not necessarily something in the layer 3 arena; a good basic network with a really good firewall/router (a SonicWALL TZ180 or similar), preferably with a server like a Small Business Server; and good documentation as to what is already in place. Unfortunately, my first deployment did not have these qualifications in place, so it was a little more difficult than it had to be.

The feature that really makes the system a winner in my opinion is that everything is voice activated. The phones have a little blue button with the Response Point logo, and that is the key to the whole system. For example, if a call comes in and you have a receptionist, she can transfer that call by hitting the magic blue button and saying "Transfer to Mike." The system confirms by automated voice that the call will be transferred to Mike and that the attendant can now hang up the phone. Intercom calls are as simple as pressing the blue button and saying "Call" followed by a name or extension number. Calls can also be made to predefined lists that are customized for each user. Outside calls are very similar to intercom calls: the user just states the name on the list. These names can come from any number of sources, but the really big plus is that it is seamlessly integrated with Microsoft Outlook for its contacts. There is a client that installs on the workstations and adds complete management of the user's phone right from the computer screen, without having to navigate any cryptic menus. Calls to the user's phone show a pop-up with the inbound caller's name, caller ID, or both.

Retrieving voice mail can really be a pain. Leave it to the Response Point system to make it a breeze. Users can choose to forward all calls to an outside line like a cell phone. Better yet, if you don't want to ring up all the extra minutes, you can have all your voice mails attached to an email and sent to you as an audio file. It is not a $40,000 unified messaging system, but this really does fit the bill for those with five to seventy-five users. No guessing about when a message came in or who it was from; all that is included right in the email. Listen to the messages from a computer, smartphone, BlackBerry, or anything else that can receive an email.

I saw this system back in September of '07 at the SMB Nation event in Seattle on the Microsoft campus. It was impressive then, and now that I have a demo unit and one installed, it is truly an incredible value for the power. I wish it had T1 and PRI gateways as well as a VoIP gateway to interface with VoIP providers worldwide. I hear that is coming, though; it would nearly eliminate the need for copper dial tone altogether. No dates yet on these features, but stay tuned. Right now D-Link is selling the systems faster than they can make them. On average the wait time has been thirty days or even longer. Several shipments have made it to the States from overseas assembly facilities, and all those shipments have been bundled into 5- and 10-user SKUs. Individual phones and gateways are just now becoming available for larger deployments, and I am already taking orders for installs with more than ten phones.

Microsoft has a great online demonstration of the system. Follow the link and take a look for yourself. It looks to be a blockbuster solution.