SBS2008 Single Single NIC only

Discussion in 'Windows Small Business Server' started by Joe#2, Sep 17, 2008.

  1. Joe#2

    Joe#2 Guest

    Is it too soon to ask questions on SBS2008?

    I attended the SBS2008 kickoff last week. As I understand it, SBS2008 (W2K8
    ?) only allows a single NIC card in its serup.

    In the past I've used the Dual NIC setup which allowed me to have an
    "inside" network and an "outside" network. I would setup my Hardware firewall
    and put common printers and non-authinicated SBS users on the "outside"
    network (including wireless access to the internet for vistors). The SBS
    users were on the inside network IE. the 2nd NIC card side of SBS.

    With new SBS2008 networks I will still need to implement this same setup.
    One firewall to connect to the WAN (I use a device that does content
    filtering, email ckecking for Viruses , etc.). Now I have my internal
    network. To isolate the SBS server "internal" users from the external network
    IE prevent the non SBS user from accessing the server , apparently I will
    have to have a second Firewall in front of the SBS2008 server.

    Or is there another way??
    Joe#2, Sep 17, 2008
    1. Advertisements

  2. Hi Joe:

    You are correct, you must have a perimeter firewall. We do not recommend a
    consumer grade Nat router, but rather an industrial strength firewall such
    as ISA server, Watchguard, Sonic Wall, Cisco, Calypitix, and so on.

    Larry Struckmeyer [SBS-MVP], Sep 17, 2008
    1. Advertisements

  3. Sorta, but this is a basic topology question so it doesn't really matter
    what OS you're running.
    That's correct.
    A DMZ of sorts, yes?
    What does that mean?
    What hardware is it?
    You mean, guests, yes?
    (I don't know why you would have printers there.) Your firewall appliance
    may offer a DMZ port, in which case you don't need any additonal hardware. I
    use SonicWALLs which have an OPT port you can use for this purpose - plenty
    of other options too.
    Not necessarily.
    You can also put another proxy server or ISA box in between your network &
    Internet modem/router. This is actually a better place to run ISA anyway.
    Lanwench [MVP - Exchange], Sep 17, 2008
  4. due to the logging, reporting, AD integration and much more, I am
    looking at the Sonicwall TZ190
    Michael Jenkin [SBS-MVP], Sep 18, 2008
  5. Joe#2

    Joe#2 Guest

    Yes, sort of. You had to go thru the SBS firewall or Natting to get inside
    to the SBS domain.
    I use the sonicwall and Calyptic firewalls.
    Guest?! Vistors would be the better term. They are not in the domain so no
    logon is required. All they have to have is DHCP client turned on. They are
    outside the SBS domain but inside the hardware firewall.
    I have the printers there for the reasons stated above. Both vistors and SBS
    domain users can print and access the network but neither has access to the
    Yes. True on ISA, but very expensive as a standalone product.

    Here is a diagram of what I'm currently doing

    EtherNet ----sonicwall-----SBS WAN NIC>SBS>SBS LAN NIC---Domain users
    |----Vistors ouside of SBS, common access
    printers for both groups
    Joe#2, Sep 18, 2008
  6. That's not a very secure DMZ, in my opinion.
    Hmm. What ports are open between LAN and DMZ?
    Yes, I suppose.
    Depending on your SonicWALL model, set up a DMZ using one of the OPT ports.
    Lanwench [MVP - Exchange], Sep 18, 2008
  7. Joe#2

    Joe#2 Guest

    Using the "DMZ" concept is probably the best idea. Funny how you forget the
    availability of that a feature that you havent needed for several years. I've
    never had to use that since I was using the sbs fire wall to seperate it from
    the rest of the network. It might take awile to figure out the rule to open
    port 9100 for the printers, but that really is the cleanest solution. The
    Calyptic firewall has 3 extra ports that I can configure.

    That Calyptic unit is really a nice package. Did you know it has a harddrive
    and will store all of your incomming email for exchange if your server goes

    PS: Also Trend micro "Worry free advanced" includes a free service to route
    your email thru their facility, check for spam and malware, an hold it for 7
    days until your server request it!
    Joe#2, Sep 20, 2008
  8. I haven't used Calyptix but I've heard of it. I'm a Sonicwall girl, myself.
    Yes, I've heard of this but haven't used it. I use Postini or MailFoundry
    for this, generally.
    Lanwench [MVP - Exchange], Sep 20, 2008
  9. Joe#2

    Joe#2 Guest

    Those appear to be really nice. I am particually impressed with the Postini
    product since it allows offsite archive apparently. Thanks for mentioning
    them. You must have a lot of intensive mail users!

    The nice thing about the Trend product is it is free. I have just started
    switching 3 of my customers over this month to Trend from other AV products.
    So far so good. Most on this site tend to speak of Trend Micro rather
    favorbably. I must admit though I liked Symantecs autodetection and exclusion
    of exchange in their 10.6 and 10.7 series.
    Joe#2, Sep 20, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.