
Wednesday, April 30, 2008

An Interesting Turn for My Blog ...

I am really impressed by how much activity I get on my blog. I had an interesting turn of events on Friday. A small business owner was having some pain with his SBS 2003 install because he did not have a good firewall in front of it. That is at least how I understood his message to me. Here is what he had to say:

Hi Mark,

I stumbled across your blog (and a forum post or 2) while I was searching for info on how to best configure a SBS 2003 server behind a TZ 180. I am the owner of a small steel fabrication business and by default the one-man IT department for our 12 person operation. I have been running a 2 NIC SBS 2003 setup with Exchange for 5 years without a problem, but for a lot of different reasons including lost sleep I just ordered a TZ 180 25 person total secure package to stick in front of it.

Any tips for a dumb welder turned designated IT guy on this? I was assuming that I should keep the 2 NIC setup and figure out how to set up the SonicWALL to accommodate, but I have seen a few recommendations to switch the SBS over to 1 NIC (and your comment that you have deployed "a ton" of SBS 2003 boxes behind the TZ180s prompted this message). We do have a couple of employees using RWW and I would like to continue this.

Our email is hosted by Earthlink and the SBS box goes and fetches it POP3 and then distributes. Recently, I set up a Gmail account that I first forward the Earthlink email to, let Gmail filter, and then pass back to a "clean" Earthlink mailbox before our server downloads. My staff loves me for this as I spare them from a ton of spam. Will the SonicWALL box take care of this or do I need to keep the Gmail filter going? Are your typical SBS setups running Exchange, or do you advise hosted Exchange? I am all about doing less IT and more running the business so please steer me toward the more hands off solution...

Thanks for your time.

I happen to be in Dallas, TX at the SMB Summit event. I was speaking with Becky Ochs, who is the Product Manager for Small Business Server at Microsoft. They have officially dropped the server from the edge of the network and removed ISA from the Small Business Server. It is now a one NIC box. With the firewall products that are available for the SMB space, I really think this is a smart move. Anyway, this could not have been more timely. I put together what I think is a good roadmap on how to add a SonicWALL firewall in front of an SBS Server 2003. Here is my reply:

Overall this should not be a tough move. First off, it sounds like you are doing a pretty good job of managing your SBS server while not working in IT. I am in Dallas with the Microsoft Product Manager for SBS, Becky Ochs, and her presentation specifically mentioned how SBS will no longer be a two NIC server on the edge of the network. With that in mind, the answer to your question is that a one NIC setup is where you want to go.

A caveat to making this change is whether or not you are using ISA Server. As long as the answer is no, the following steps should make this process simple. Here is what to do.

1. Set up the TZ180W and connect it to the Internet. The WAN IP setup depends on your service with the ISP. Hopefully you have a fixed IP address. If not, I would look into getting one, as everything works better with it. Register your device and make sure it can get out to the Internet. Set the LAN IP to an address that is unique on the network. My suggestion is that if the server has an address near one end of the network like x.x.x.1, set the firewall LAN interface address to x.x.x.254. It is a good practice to keep these addresses at the ends of the subnet.

2. With the SonicWALL firewall connected go to the SBS Server Manager and run the Internet Connection Wizard (ICW). During the wizard setup change the NIC settings to a single NIC config. Do not change anything else. This especially includes the server certificate settings. Go ahead and disable the WAN NIC to prevent any confusion.

3. The last step is to give the new Internet path to the workstations. Most likely they get IP addresses from the DHCP server on the SBS box. An afterthought here is to make certain that DHCP on the TZ180 LAN range is disabled. This is very, very important. The ICW should have fixed the DHCP server, but you still may need to open the DHCP MMC and add the new gateway address, which is the IP address of the LAN interface on the SonicWALL. Reboot the workstations and confirm they can get to the Internet.

If all has gone well and according to plan your internal configuration is complete. The last step is to open up the ports needed for public services on the SBS server. They are as follows:

1. Port 25 for inbound mail on Exchange. I will address this more in a few moments, as your mail is set up a bit uniquely. Set this rule up for now but do not turn it on until you are ready to receive Exchange E-mail.

2. Port 80/443 for web based remote services such as xxx.domain.xxx/exchange (OWA) and xxx.domain.xxx/remote (RWW).

3. Port 4125 to allow remote access to servers and workstations via Remote Desktop from the Remote Web Workplace.

4. Port 444 if you allow access to the companyweb from the Internet.

5. Port 1723 if you allow Microsoft VPN access to your network.

That should get everything working and in a single NIC configuration using the TZ180W as the new firewall/gateway.
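After the rules are in, it is worth checking the published ports from an outside host rather than trusting the firewall screen. The script below is an added example, not part of the original post: it probes each port in the list above from the outside and flags anything whose state differs from what the rule set intends. It assumes the WAN address 203.0.113.10 as a placeholder, that the port 25 rule exists but is still switched off, and (my own addition) that direct RDP on 3389 must stay closed since remote desktop is only meant to come in through RWW on 4125.

```powershell
# Added example (not from the original post): audit the SBS ports published through the
# TZ 180 from an OUTSIDE host, so only the intended services are confirmed reachable.
# Assumptions: the WAN address is a placeholder; port 25's rule is created but not yet enabled.

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # No answer within the timeout: the firewall is silently dropping the SYN.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Filtered' }
        $client.EndConnect($async)        # throws on an active refusal (RST)
        return 'Open'
    } catch {
        return 'Closed'
    } finally {
        $client.Close()
    }
}

function Test-SbsPublishedPorts {
    param([string]$Target, [hashtable]$Expected)
    foreach ($port in ($Expected.Keys | Sort-Object)) {
        $state = Test-TcpPort -Target $Target -Port $port
        # 'Closed' and 'Filtered' both count as not exposed; only 'Open' must match the plan.
        $ok = (($state -eq 'Open') -eq ($Expected[$port] -eq 'Open'))
        New-Object PSObject -Property @{ Port = $port; Expected = $Expected[$port]; Observed = $state; Ok = $ok }
    }
}

# Intended exposure for the rule set described above. Drop 444 / 1723 from the 'Open'
# side if you do not publish companyweb or Microsoft VPN.
$expected = @{
    25   = 'Closed'   # inbound SMTP rule exists but stays off until Exchange receives mail directly
    80   = 'Open'     # OWA / RWW redirect
    443  = 'Open'     # OWA / RWW
    4125 = 'Open'     # RWW remote desktop proxy
    444  = 'Open'     # companyweb
    1723 = 'Open'     # PPTP VPN
    3389 = 'Closed'   # assumption: RDP is never published directly, only via RWW on 4125
}

Test-SbsPublishedPorts -Target '203.0.113.10' -Expected $expected |
    Select-Object Port, Expected, Observed, Ok | Format-Table -AutoSize
```

Any row with Ok = False is a rule that is either missing or wider than intended; run it from a connection outside the office, since from the LAN the probe never crosses the WAN rules.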

As far as Exchange goes, I would dump all that complicated email travel and use the server you are paying for. If SPAM is a concern, there are a couple of great solutions. One is to use Postini, which is owned by Google. The cost per user is really pretty low. You could also use a software product like Sophos PureMessage for SBS. This works pretty well too and will eliminate most all SPAM. A third choice, and my preference, is a SonicWALL E-Mail Security device, which installs very easily and, like software or an outside service, will filter all your email. In my opinion E-Mail Security gives you the most control, flexibility, growth, and value. It is totally hands off and will proxy your email if the server goes down for any reason, as long as your connection to the Internet is still in place. You can have one email address per user that is web accessible, will sync to a Windows phone in real time, and will work with Microsoft Outlook 2003 or later at home or anywhere else you have a connection to the Internet. It is ROCK SOLID and all my SBS users engage Exchange as their email server.

After getting a reply back from the sender I figured this was good data for the community and I should get it out here to the general public. Hope it helps all!

Sunday, June 17, 2007

Windows Vista and Microsoft Small Business Server

Well, I finally took the plunge out of necessity and am now a user of Microsoft Windows Vista. I had planned to wait a while longer, but I had no choice. I update my Tablet PCs every three months or so and put my current model out to my client base and on eBay as demos to keep the latest technology in hand. It's not usually a big deal. I can reformat a system in no time. However, with Vista that was not the case for the first time through. I thought about just taking an existing XP license and plopping that on the system, but with a ThinkPad Tablet that didn't look like a great idea.

It took about a day of fooling around with the system to get comfortable enough with Vista to find all the stuff I needed to get my data put back and to rejoin my MS 2003 Small Business Server. There were two major issues during the whole ordeal. The first was figuring out how to create and manage a VPN connection. I had some trouble getting an IP from my SBS VPN connection. I found that I needed to fully patch my SBS server. There are several patches that are required on SBS 2003 when you want to attach a Vista client. That was the easier of the two main problems.

The second problem was that, like many users, I use a self-signed certificate for all the remote connectivity. In Vista, even when logged on as an administrator you cannot install self-signed certificates to the "Trusted Root Certification Authorities" store the way you could before. There are a couple of new steps that differ from XP and IE 7.

The first is that you have to start IE 7 in an admin mode that runs with "Protected Mode" turned off. The trick is to right click on the IE 7 icon and there will be an option to "Run As Administrator". Of course this will only appear if you actually have admin rights. Once you have started the browser in admin mode you will notice that "Protected Mode" is now off, as indicated in the bottom status bar.

Now, to get your cert installed, browse to a secure site on your SBS server like Outlook Web Access or Remote Web Workplace. Click through the certificate error, and at the top of the browser next to the address bar will be a certificate error shield. Click the shield and in the dialog box select the "View Certificate" button. A wizard will start and there is an option to install the certificate. Like before in XP, you will want to install the certificate in the "Trusted Root Certification Authorities". The difference in Vista is that you must check the box "Show physical stores", expand "Trusted Root Certification Authorities", and select "Local Computer". If you do not take these extra actions you will swear you have lost your mind: the certificate looks like it has installed, but it just goes into digital oblivion.

Close the browser to end the admin session and re-open IE 7. Browse to the same site on your SBS server and you should now get to it with no certificate errors. A padlock should now appear where the error shield was before.
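The same import can be done from an elevated PowerShell session instead of the IE 7 dialog, which also makes the "Local Computer" physical store explicit. The script below is an added example and not from the original post: it pulls the certificate the SBS server presents, shows whether it is self-signed, and adds it to the machine-wide Trusted Root store only if its thumbprint matches the one you read off the server itself, since trusting a root without that check means trusting whatever answered on port 443. It assumes sbs.example.com as a placeholder host name and a placeholder thumbprint.

```powershell
# Added example (not from the original post): trust the SBS self-signed certificate in the
# "Trusted Root Certification Authorities / Local Computer" store from an elevated shell.
# Assumptions: host name and thumbprint below are placeholders you replace with your own.

function Get-RemoteCertificate {
    param([string]$Target, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        # The { $true } callback accepts any certificate here; we only INSPECT it at this
        # point, nothing is trusted until the thumbprint check below passes.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Target)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Install-TrustedSbsCertificate {
    param([string]$Target, [string]$KnownThumbprint)
    # Same requirement as "Run As Administrator" in IE 7: the machine store needs elevation.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

    $cert = Get-RemoteCertificate -Target $Target
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    Write-Host ("Subject: {0}`nIssuer: {1}`nSelf-signed: {2}`nThumbprint: {3}" -f
        $cert.Subject, $cert.Issuer, $selfSigned, $cert.Thumbprint)

    # Compare against the thumbprint copied from the server's own certificate MMC; refuse otherwise.
    $expected = $KnownThumbprint.Replace(' ', '').Replace(':', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint $($cert.Thumbprint) does not match the value taken from the server; not trusting it."
    }

    # 'Root' + 'LocalMachine' is the physical store the post calls Trusted Root / Local Computer.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    Write-Host "Installed $($cert.Subject) into LocalMachine\Root."
}

Install-TrustedSbsCertificate -Target 'sbs.example.com' -KnownThumbprint 'PLACEHOLDER-THUMBPRINT'
```

After it runs, re-open IE 7 and browse to OWA or RWW; the padlock should appear exactly as described above, and the certificate will show under Trusted Root Certification Authorities for the Local Computer in certmgr.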

I am still learning Vista and will likely post more soon. These items are pretty crucial for SBS so I am glad to share them with all you other SBS'ers out there. See you all out in Seattle again this year at the end of September at SMB Nation.