SBS 2008 (or EBS 2008) - New Network Layout?

Discussion in 'Windows Small Business Server' started by Alan, Jul 26, 2008.

  1. Alan

    Alan Guest

    Hi All,

    We currently have a network layout using SBS 2003 as per this diagram:

    http://img180.imageshack.us/img180/8415/20080726oldtopographylq0.png

    I believe this is the most common layout for current SBS 2003 setups
    where a TS is also required (we like to go with 'standard' or 'best
    practice'). The only thing that is perhaps unusual is that we have
    the second TS running Windows Server 2000. This is due to a LoB
    application running on there that is a bit unstable and doesn't play
    nicely with other applications (MS Office!) on the TS. We have about
    40 users and this is not likely to increase over the next five years
    so SBS is still out space.

    The SBS 2003 server is now four years old, and the Windows 2000 Server
    is five years old, so both will be replaced within the next year
    (probably over Xmas or Easter next year). We were intending to
    re-purpose the existing Server 2003 (Terminal Server) machine to run
    the old LoB application, and replace the SBS 2003 / Server 2003 with
    SBS 2008 and Server 2008 with no net change to the layout.

    We have been holding out for SBS 2008 on the grounds that another few
    months won't matter and the warranty on the SBS 2003 machine expires
    in Dec 2008 nicely behind the launch of SBS 2008.


    However, I understand that SBS 2008 does not include ISA 2006 (TMG now
    I believe).


    I also understand that EBS 2008 included multiple server licences.

    Therefore, I am wondering what the new 'standard' or 'best practice'
    would be for the requirements in the diagram linked above? Presumably
    the SBS 2008 machine (if we go with SBS rather than EBS) would now
    have a single NIC and sit on the LAN along with the Terminal Servers
    and Clients? If so, we have to purchase another firewall to replace
    the ISA 2004 that is currently proxying all users' outgoing
    connections and protecting the 'inner sanctum'? If I do that,
    potentially that machine is just a PC (cheap) with some firewall
    application? If so, what application to replicate ISA 2004
    functionality?

    If we go with EBS, then I am thinking that means we get ISA 2006 (TMG
    2006?) but that runs on Server 2008 so I would need to buy three
    (rather than two) new servers?

    Any better ideas that I am not seeing?

    Thanks,


    --

    Alan.

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
     
    Alan, Jul 26, 2008
    #1

  2. What we don't know about your setup, and what makes a big difference in the
    answers, is whether you have Software Assurance on your current SBS
    setup.
    If you have SBS 2003 with SA, you will get a license for Win2k3 and
    whatever version of ISA is the latest at the time, because the next version
    of ISA doesn't run on Server 2008.
    For more info about what you get if you have Software assurance, check here
    http://blogs.technet.com/sbs/archiv...sbs-2003-customers-upgrading-to-sbs-2008.aspx

    If you do not have Software assurance, then you can purchase SBS 2008
    Premium and you will get
    SBS 2008 license
    A separate Win2k8 Server license
    SQL 2008 license

    Please NOTE: Outlook CALs are no longer included with SBS 2008, nor is
    FrontPage included.

    So if you get premium SBS 2008, you can have your SBS on one server and run
    your TS on your second server license
    You'll need TS CALs obviously.

    And SBS 2008 only supports 1 NIC...so you'll need a hardware firewall/router
    in front of your SBS server to connect to the internet.

    Regarding what you get with EBS
    http://www.microsoft.com/windowsserver/essential/ebs/editions.mspx
     
    Cris Hanna [SBS - MVP], Jul 26, 2008
    #2

  3. In my opinion you will be best served with a firewall device and a single-NIC
    setup in SBS 2008 with a W 2008 TS member server. I don't know what device
    is currently listed between your WAN and SBS as firewall, but it should be a
    genuine firewall to serve in place of ISA.
     
    Frank McCallister SBS MVP, Jul 26, 2008
    #3
  4. Alan

    Alan Guest

    Hi Cris,

    We don't have SA and have no current need for SQL, so we would go with
    EBS 2008 Standard with the three (rather than four) Server 2008
    licenses.

    I think that would mean I would need to purchase a third physical
    server in order to put the 'security server' with TMG in front of the
    LAN in a 2-NIC configuration?

    If so, what would be the recommended layout?

    Thanks,

    --

    Alan.

     
    Alan, Jul 28, 2008
    #4
  5. Alan

    Alan Guest

    Hi Frank,

    So, to be explicit, you are suggesting purchasing one SBS 2008 plus
    one Server 2008 rather than EBS 2008 Standard (which comes with three
    Server 2008 licenses)?

    Currently, all users in the LAN must authenticate to the proxy server
    (ISA 2004 running on SBS 2003) before they can get 'out' to access the
    internet. This authentication is integrated with their Windows login
    (to the SBS 2003 DC), so they don't need to actually re-authenticate.
    If we go with SBS 2008 + Server 2008 then will that make it harder (or
    impossible?) to do this proxying?

    Ideally (strongly desired but not absolutely essential) we would also
    like to proxy SSL connections through ISA / TMG so that we can log /
    inspect encrypted SSL sessions. To expand further, this is a school,
    so we do have a need to be sure that we know what is coming in and
    going out and the current opacity of SSL connections means that we
    have to resort to client-side logging for this (beyond logging packet
    headers but that doesn't give us any specifics on content) which is
    clearly less than ideal from a security / transparency respect.

    In answer to your query about the firewall between the WAN and the SBS
    2003, this is an OpenBSD firewall running on an old PC. It really
    just forwards port 80 to the DMZ, and ports 25 / 443 etc etc to the
    LAN and bounces off everything else.

    Thanks,

    --

    Alan.

     
    Alan, Jul 28, 2008
    #5
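    As an added illustration (not part of the thread, and not Alan's actual
    configuration), below is an OpenBSD pf ruleset that implements the
    perimeter Alan describes above: port 80 from the Internet redirected to a
    DMZ web host, ports 25 and 443 redirected to the SBS server on the LAN,
    and everything else dropped. It is written in current pf syntax
    (OpenBSD 4.7 and later; the 2008-era `rdr`/`nat` directives look
    different). Interface names and the RFC 5737 addresses are constructed
    placeholders. Note what this does not do: pf is a stateful packet filter,
    so it reproduces the port forwarding but not the authenticating web proxy
    or the SSL inspection that ISA provided; as Cris says, that function has to
    come from a firewall/proxy product with Active Directory integration.

```pf
# Added example: pf ruleset for the WAN / DMZ / LAN layout described in
# the thread. Names and addresses below are placeholders, not real values.
ext_if = "em0"            # WAN side
dmz_if = "em1"            # DMZ holding the public web server
lan_if = "em2"            # LAN holding SBS, terminal servers and clients

web_dmz = "192.0.2.10"    # placeholder DMZ web host
sbs_lan = "192.0.2.20"    # placeholder SBS host (SMTP in, HTTPS for OWA/RWW)
lan_net = "192.0.2.0/24"  # placeholder LAN range
dmz_net = "192.0.2.128/25"

# Private ranges that must never arrive from the WAN side
table <martians> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }

set skip on lo0

# Default deny in both directions; log what is dropped so the firewall
# provides at least the header-level audit trail Alan mentions
block log all

# Drop spoofed sources on the WAN and any DMZ-initiated traffic into the LAN
block in quick on $ext_if from <martians>
block in quick on $dmz_if from $dmz_net to $lan_net

# Source NAT for the LAN and DMZ when they go out to the Internet
match out on $ext_if from { $lan_net, $dmz_net } nat-to ($ext_if)

# Inbound: port 80 only to the DMZ web server
pass in on $ext_if proto tcp to ($ext_if) port 80 rdr-to $web_dmz

# Inbound: SMTP and HTTPS only to the SBS server on the LAN
pass in on $ext_if proto tcp to ($ext_if) port { 25, 443 } rdr-to $sbs_lan

# LAN clients may reach the DMZ and the Internet (stateful, replies tracked)
pass in on $lan_if from $lan_net

# Let accepted traffic leave on whichever interface it is routed to
pass out on { $ext_if, $dmz_if, $lan_if }
```

    Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then
    `pfctl -f /etc/pf.conf`. The `block ... quick` rules sit above the `pass`
    rules so they win regardless of later matches; everything else follows
    pf's last-match semantics. Because `pass` is stateful by default, replies
    to the redirected web, SMTP and HTTPS connections are allowed by the state
    table without any extra rule, and the DMZ host still cannot open new
    connections into the LAN.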
  6. You can achieve the same "proxy" authentication you have with ISA today with
    any number of hardware firewalls that have integrated Active Directory
    authentication mechanisms included.
     
    Cris Hanna [SBS - MVP], Jul 28, 2008
    #6
  7. Alan

    Alan Guest

    Thanks Cris.

    I'll have to look around at what is available.

    --

    Alan.

     
    Alan, Jul 28, 2008
    #7