Use SBS 2003 on a dedicated server located at a hosting company?

Discussion in 'Windows Small Business Server' started by Chris, Apr 12, 2007.

  1. Chris

    Chris Guest

    I'm collaborating with some friends for whom SBS 2003 would seem to offer
    many of the features we are looking for--a basic, public IIS-based ASP.NET
    web site, Exchange Server-based email (including OWA, OMA, and Outlook access
    via RPC-over-HTTP), SharePoint-based document management, and a few simple
    SQL Server-based databases. However, we're not located at any one place;
    rather, we're distributed all across the country--so placing the server in an
    office on a private network isn't practical.

    How realistic is it that SBS 2003 could be safely placed on a dedicated
    server at an Internet-connected hosting company and yet provide secure
    Exchange, OWA/OMA over SSL, SharePoint over SSL, and SQL Server access--and
    yet also provide a publicly accessible web site? Or is this impractical from
    a security point of view? What precautions should I and the hosting company
    make to secure the server? Would SBS 2003's VPN be the best way to access the
    non-public features?
     
    Chris, Apr 12, 2007
    #1

  2. Yes, you could do this, though I would strongly recommend splitting out the
    public web site from the rest. I do this with a couple of charities I
    support. Their public web site is hosted by a third party, and then I have
    an SBS box sitting on a separate hosting site. (well, in both cases it's the
    same actual hosting company, but doesn't need to be.)

    The SBS box does all the email, etc. functionality, plus hosts the
    SharePoint site. We chose SBS Premium, since they have a SQL app they use,
    and I take advantage of the ISA as well. Then, if they need additional
    functionality, you could host a TS box as well as part of that same network.
    Now they can remote in to it via RWW and do pretty much anything they want
    to.

    The key from a security standpoint is that the public site is completely
    separate. For me, that increases my confidence level.
     
    Charlie Russel - MVP, Apr 12, 2007
    #2

  3. Chris

    Chris Guest

    Thanks very much, Charlie! The hosting company has since told me that (in
    their opinion) putting an SBS server 'on the Internet' is fraught with
    problems and will become a serious hacker target. I don't know enough about
    it to say one way or the other--so I really appreciate hearing your comments
    and experiences.

    This is for a charity, also. Good idea about keeping the public web site on
    a different server; however, the Exchange and SharePoint features would still
    be 'publicly accessible', wouldn't they? What is the best way to protect
    those features--and the server, in general--from hackers? I imagine SSL is
    part of the picture; perhaps ISA (which I know next to nothing about), also?
    Do you recommend a hardware firewall, too?

    I'm planning to use SBS Premium and would like to make some non-public SQL
    Server data available to users via SQL Server Reporting Services--again,
    presumably via SSL. Does this sound feasible?
    You lost me. I'm not sure what you mean by 'additional functionality' that
    would require a TS box. And does RWW require a TS box?

    Perhaps it goes without saying, but the users need to be able to work
    regardless of having connectivity to the SBS server. Would their PCs still
    need to be members of the SBS domain?

    Did the hosting company do the install or did you travel there to do it
    yourself? Lastly, can you recommend any articles or blogs that provide a path
    to follow to set this up securely?
     
    Chris, Apr 12, 2007
    #3
  4. Chris,

    I'm not sure the hosting company's message came across properly. Hopefully,
    they mean that hosting a public web site on an SBS is not a good idea, and
    not that putting an SBS 'on the internet' isn't a good idea.

    But backing up a bit - let's look at some of the core features of SBS,
    and how hosting may affect their use.

    One of the core functions of SBS is to centralize your company's data
    storage. This provides many features, some of which are:

    a) ability to back up all of the valuable data from one place
    b) ability to apply granular access controls
    c) previous versions

    That's all great stuff. Where the workstations and SBS are connected to the
    SBS via 10, 100, or 1000 mbps connections, life is good - access to data
    between the workstation and server is quick and painless.

    If you move your workstation to the internet, you'd be using Remote Web
    Workplace, or VPN, to access the data stored on the SBS, and life isn't so
    good. LOB applications may be painfully slow at best, and at worst data
    corruption will occur. The simple task of opening a Word or Excel document
    that's stored on the server can take ages. Documents in a SharePoint library
    don't fare any better. (Outlook/Exchange is fine, we don't need to worry
    about this part).

    Remote access is a great feature, and the above scenario is fine for
    occasional access where the alternative is no access - but to make this the
    every-day work experience isn't going to please anyone.

    So, what can be done?

    If you have a Windows XPP + computer connected via the lan to the SBS, a
    remote user can log onto that computer via Remote Web Workplace/connect to
    my computer (RDP), and do his work. Because the workstation is local to the
    SBS, where the data is stored, all data access is local, and fast.

    The issue is that this doesn't scale very well: Windows XPP will only allow
    a single user session, so if you have 3 remote users that all want to work
    at the same time, you'll need 3 XPP workstations installed/connected to the
    SBS network.

    The best alternative is to install a Terminal Server that's connected to the
    SBS. Access is via Remote Web Workplace, and multiple users can connect
    concurrently. This is very scalable, and will give you an every-day work
    experience you'll actually be able to use.

    In my opinion, hosted SBS makes no sense whatsoever without a Terminal
    Server - and makes a very elegant solution with one.
     
    Les Connor [SBS MVP], Apr 12, 2007
    #4
  5. Joe

    Joe Guest

    All the web services of SBS, apart from a hypothetical public website,
    are https, using SSL. As that stands, it encrypts sessions and proves
    the identity of the server to its clients. You can also configure
    any/all of the services to require a client certificate, which very
    sharply limits who can connect. RWW uses the RDC protocol, but that
    only connects after a successful https session is opened.
    That's probably a matter for the hosting company. Almost certainly,
    you will just ask for a particular set of ports to be forwarded.
     
    Joe, Apr 12, 2007
    #5
  6. Les has provided the information that covers your question about Terminal
    Services and RWW. And has done an excellent job of laying out the issues of
    expecting fully remote users to be able to work as if they were in an
    office. Basically, I agree fully that trying to do this with all your users
    essentially fully remote will be an unsatisfactory experience. But using
    Remote Web Workplace and a Terminal Server allows you to have your users be
    remote AND still work locally to the SBS server. The experience should be
    quite acceptable. If you also enable Outlook over HTTPS you can give them
    full access to email without requiring that they use a session on the
    server - in many cases that will be sufficient for your users at least some
    of the time, IME. And when they need more, they can use an RWW session.

    As for setting up the SBS box - unless the hosting company has experience
    doing SBS and fully understands it, I'd suggest that you get an experienced
    SBS specialist to do it. Most of us who spend much time with SBS grow to
    realize that "big server" folks just don't get it and keep trying to do
    things in their traditional ways. Thus either breaking or limiting the
    effectiveness of some of the best features of SBS.

    OTOH, having them configure the Terminal Server makes perfect sense. Nothing
    special there - it just gets joined to the SBS domain as a member server.
     
    Charlie Russel - MVP, Apr 12, 2007
    #6
  7. Chris

    Chris Guest

    Thanks, Les, Joe, and Charlie.
    Really? Separate from this endeavor, I use a SharePoint site that is hosted
    at a company in the mid-West that specializes in SharePoint hosting. I
    haven't used it much for document management--but when I have, the experience
    was pretty good; i.e., using Word to navigate libraries and open and save
    files. Certainly, it wasn't as quick as local or local network access, but it
    was useable. I just tried it again now; it was good.

    I'd really like to avoid having users RDP into a server to do document
    management. Users can live with the reduced performance, if my experience is
    any indication. There are no LOB applications involved at this point.
    I guess I need to look further into what RWW is. I'm not sure how it would
    fit in, especially if my solution doesn't include a separate terminal server
    box.
    I appreciate that. Do you have any suggestions on how I can go about
    contracting an experienced SBS specialist?
     
    Chris, Apr 12, 2007
    #7
  8. Last question first: Well, a good way to start is to look and see if there's
    an SBS MVP in your area. Or an SBS Users Group.

    The rest of them -- Frankly, my experiences with SharePoint haven't been all
    that positive. For intermittent, occasional file sharing? sure. For serious
    collaborative work, or for normal day to day LAN behaviour? Doesn't work for
    me. Actually, if I were looking for a distributed application that did
    secure file sharing and collaboration, I'd choose Groove. Several of us have
    been playing around with it and I'm frankly quite impressed.

    RWW is essentially a Terminal Services/Remote Desktop proxy. It allows users
    to remote into their work desktops. Of course, if they don't have a work
    desktop, you need to provide them one. I have one of my groups that uses an
    Access database application extensively. No way I'm going to allow them to
    run that across the internet, nor is it a candidate for SharePoint. So I
    have two Virtual XP machines running on the SBS box. They RWW in to one of
    the XP machines and run the application from there. They're starting to
    outgrow the solution, however, so the developer is going to port it to SQL,
    and I'm going to set up a Terminal Server machine.
     
    Charlie Russel - MVP, Apr 13, 2007
    #8
  9. Chris

    Chris Guest

    I checked Microsoft's SBS User Group site. There are no SBS user groups in
    the area; the closest one is in Manhattan. I'm working on contacting someone
    there.
    At this point, intermittent, occasional file sharing is all we need. We're
    looking for a basic, shared document repository--to eliminate the passing
    around via email of documents, wondering which version is the master.

    In some ways, SBS might be overkill for this project--but it contains the
    ingredients of what we are looking for. In the past, I've set up SBS servers
    on local networks...including Internet email. I like that it simplifies many
    of the administration and setup tasks.

    As a test, perhaps I should install SBS on an extra PC I have lying around
    my house...connect it to my network...and then let the users go at it. I
    imagine it would be difficult setting up outbound SMTP traffic, since my ISP
    likely blocks port 25 traffic. If the test is successful and we decide to
    place this solution at a hosting company, then my question comes back to:
    What precautions need to be made to secure an SBS server that is at a hosting
    company?
     
    Chris, Apr 13, 2007
    #9
  10. The issues of being at a hosting company are no different than being
    anywhere else. With the one exception that you actually have most physical
    access concerns thoroughly handled by the hosting company.

    I know of at least one company that does hosting of SBS and thoroughly
    understands it. www.ownwebnow.com.
     
    Charlie Russel - MVP, Apr 13, 2007
    #10
  11. AAAARRRRRGGGGHHHHH - I hate you, vehemently.

    RWW is a set of web pages. One of the microsofties gives a very good
    description of it in a message I read several hundred ago (so I ain' gonna
    find it). There is a small part of RWW which allows either 'Connect to my
    computer at work' or 'Connect to my company's application sharing server',
    NEITHER of these DISTINCT uses IS RWW.

    RWW is a central website to access server resources, including OWA,
    CompanyWeb and the RDP proxy. It is also an information page containing
    Outlook over HTTPS config information, server information if applicable, and
    the VPN connectoid download.

    This RWW=RDP foolishness just leads to confusion.

    PS I don't really hate you, but I got your attention, right?
     
    SuperGumby [SBS MVP], Apr 14, 2007
    #11
  12. I'm dropping in the middle here on Les' post for a reason. I've read the
    whole thread available as of this time.

    Les, would you be happy to have that hosting company set up a Windows x64
    box that never participates in the domain? Give you 'remote desktop' to it.
    I bet you know where I'm heading. The hosting company becomes responsible
    (to the degree that I want) to install/maintain a very basic Windows Server.
    It has one app on it for my benefit, Virtual Server.

    I find this a particularly interesting scenario for the virtualisation of
    SBS. One heiney kickin' hosted box and both SBS and the TS in the virtual
    environment. The main reason I see a real advantage here is that performance
    is going to be limited more by the access to the box than its raw
    performance being decreased due to running virtual.

    And I'd probably use SBS Standard (which may make Les fall off his chair, he
    knows I like ISA) in a dual NIC setup with one NIC going to the real
    hardware and being on a 2nd public IP and the other NIC being a virtual
    switch shared with the TS.

    I would rely on the hosting company to supply firewall services. Of my two
    public IPs I would need _only_ 3389 to the host system and only the
    standard mix of SBS ports to the 2nd IP (25, 443, 444, 4125).

    The website would not be on SBS. This doesn't need discussion beyond what
    occurs elsewhere and maybe:
    SBS is in no way any less secure than any other Windows Server as a hosting
    platform, it's IIS and IIS is currently not particularly fallible in any
    way. The problem is that it breaks the rules for 'web server', it's a DC,
    it's the main data repository for your network, should it get compromised
    your whole AD and all it contains is toast. The generally accepted norm is
    that web servers are dedicated to task and disposable, SBS is neither.

    Virtual SBS + TS with a small number of users, hosted, I reckon it would
    work.


     
    SuperGumby [SBS MVP], Apr 14, 2007
    #12
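
An added example, not part of the original thread: a Python check that compares a firewall's port-forward list with the two-IP plan in post #12 (3389 to the host; 25, 443, 444 and 4125 to the SBS address). The rule-export format, the 203.0.113.x addresses and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Port plan from the post: only 3389 to the host, 25/443/444/4125 to the SBS IP.
POLICY = {"host": {3389}, "sbs": {25, 443, 444, 4125}}

# Assumption: documentation-range addresses standing in for the two public IPs.
ROLE_BY_IP = {"203.0.113.10": "host", "203.0.113.11": "sbs"}

# Constructed sample export, one forward per line: "<public_ip> <proto> <port>".
SAMPLE_RULES = """\
# hosting firewall export (constructed for this example)
203.0.113.10 tcp 3389
203.0.113.11 tcp 25
203.0.113.11 tcp 443
203.0.113.11 tcp 444
203.0.113.11 tcp 1433   # SQL Server reachable from outside
203.0.113.11 tcp 3389   # RDP straight to the SBS guest
203.0.113.12 tcp 80     # address that is not in the plan at all
"""


def parse_rules(text):
    """Return {public_ip: {(proto, port), ...}}, ignoring blanks and # comments."""
    exposed = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit() or not 1 <= int(parts[2]) <= 65535:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        exposed[parts[0]].add((parts[1].lower(), int(parts[2])))
    return exposed


def audit(text):
    """Compare exposed forwards with POLICY; return (kind, ip, proto, port) tuples."""
    exposed = parse_rules(text)
    findings = []
    for ip in sorted(exposed):
        role = ROLE_BY_IP.get(ip)
        # Every port in the plan is TCP, so any UDP forward is reported too.
        allowed = {("tcp", p) for p in POLICY[role]} if role else set()
        kind = "unexpected" if role else "unknown-ip"
        findings += [(kind, ip, pr, po) for pr, po in sorted(exposed[ip] - allowed)]
    for ip, role in sorted(ROLE_BY_IP.items()):
        wanted = {("tcp", p) for p in POLICY[role]}
        findings += [("missing", ip, pr, po) for pr, po in sorted(wanted - exposed.get(ip, set()))]
    return findings


if __name__ == "__main__":
    for kind, ip, proto, port in audit(SAMPLE_RULES):
        print(f"{kind:<11} {ip} {proto}/{port}")
```

On the constructed sample it reports the two extra forwards on the SBS address, the forward on an address outside the plan, and the absent 4125 forward.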
  13. Yes, I agree. This is actually a quite compelling scenario. Unfortunately,
    ISA isn't supported in that scenario, but that's the only limitation. I like
    it a lot.

    --
    Charlie.
    http://msmvps.com/xperts64
    http://mvp.support.microsoft.com/profile/charlie.russel


     
    Charlie Russel - MVP, Apr 15, 2007
    #13
  14. Yeah, you got it. And I knew you didn't.

    See to me, RWW _is_ RDP - it's all I care about or want from it. Yes, I
    know, there are other things there, if you want or need them. But there is one
    thing I want from RWW and that's the RDP proxy. And you know, that's true
    for most installations I support. All the other stuff is nice, but
    unnecessary to me. OWA I already have. And could care less about now that I
    have RPC over HTTPS.

    All the rest of what is sitting at RWW's home page is far less compelling
    than the RDP proxy. That is a kick-butt feature that big server folks would
    kill for. And will _finally_ have a solution for with Longhorn and the new
    TS Gateway functionality.

    --
    Charlie.
    http://msmvps.com/xperts64
    http://mvp.support.microsoft.com/profile/charlie.russel


     
    Charlie Russel - MVP, Apr 15, 2007
    #14
  15. I like it too. If you're going for hosted SBS, that's the hosting company's
    prerogative whether it's virtualized, or not. So long as performance is
    respectable, I'd have no issue. It's only for the speed of access to data
    from afar that wants a local desktop to log onto, and TS is the way to get
    that and allow scalability.

    I'm definitely not hung up on ISA, and as time goes by ISA goes 'bye'. Only
    20% of my SBS have ISA now, and I'm taking it off another network shortly.

    --
    Les Connor [SBS MVP]


     
    Les Connor [SBS MVP], Apr 15, 2007
    #15
  16. All of mine have had it. And probably will, at least until we move into the
    next release. What I'm missing at this point is a 64bit version of ISA. Give
    me that, and I have a perfect all in one on this box. The host running ISA,
    with TS and SBS as separate guests.

    --
    Charlie.
    http://msmvps.com/xperts64
    http://mvp.support.microsoft.com/profile/charlie.russel


     
    Charlie Russel - MVP, Apr 15, 2007
    #16
  17. However, continuing this stupid RWW=RDP fallacy makes everyone's life
    harder.

    It's not right. It complicates things unnecessarily. It never should have
    become popular.

     
    SuperGumby [SBS MVP], Apr 15, 2007
    #17
  18. Once there's 64 bit ISA that is a sweet setup. Except for the cost ;-/.

    --
    Les Connor [SBS MVP]


     
    Les Connor [SBS MVP], Apr 15, 2007
    #18
  19. I've got the box sitting here for it, too. This HP ML-350 G5 is a sweet,
    sweet box. I would so love to move my production environment onto it in that
    type of scenario.

    --
    Charlie.
    http://msmvps.com/xperts64
    http://mvp.support.microsoft.com/profile/charlie.russel


     
    Charlie Russel - MVP, Apr 15, 2007
    #19
