Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Long story short, we're moving offices and, as the previous IT company got given the boot (a mixture of being stupidly expensive vs. them bodging/not really doing a lot) and with me (software dev) being the only one in the office that knows anything about IT, I've been punted into the seat of reconfiguring the network.
The current network/server situ looks like this -
It's a fairly straightforward setup. Granted, it currently has issues regarding redundancy/failover situations, but personally I think it's a bit of a backwards setup created by the IT company, with the SBS box (white box server, chugs a bit, could do with replacing at some point) having all those roles, DNS/DHCP (I know SBS likes to be the DHCP/DNS provider), yet not in a dual NIC setup, i.e.: WWW -> Router/Firewall -> SBS -> Switch -> Client machines (something like >THIS<).
I'm also not hugely convinced by the Cisco router as it has dropped connection a few times, so I'm thinking of replacing that. Obviously wireless is dealt with by the Cisco and the SBS box deals with VPN, which I've been told is a bit of a no-no and should be handled by hardware where possible.
Before the questions, requirements: must have wireless access for business phones (and the odd laptop), although this is critical like the wired network; must have VPN access for remote access, aka for when the MD goes on holiday and needs access to software/DBs; small business setup, no more than 5/6 client machines tops, and as usual I have little budget to do anything.
From what I’ve been told, the office building/complex (multiple businesses under one roof) has redundancies in place for power and internet; so that should be taken care of.
Questions:
1) Regarding router/firewall replacement; I was thinking of either the Juniper SSG5 or SRX100 as I know a few people that rave about them for small business installs (obviously including Enterprise). Has anyone had experience setting up either using ScreenOS or Junos? I've heard Junos is a bit of a mare of a learning curve compared to ScreenOS, although Junos is a lot more powerful. Otherwise something DrayTek, like the 3300V+, although I've heard of a few people having serious issues with them and support is apparently dire. Anything Cisco is well out of budget.
2) Would I be better off leaving the network in the same configuration or moving the SBS box to a dual NIC setup? If it's dual NIC'd, how would that affect VPN access? Would it be better to give the router/firewall that role or leave the SBS box to deal with it?
3) I know you can get the SSG5 in a wireless version but that's over £100 more than the standard SSG5; am I right that I could just slap a WAP (looking at a £20 TP-Link) onto whatever router/firewall we get? In either the current configuration or a dual NIC SBS configuration, where is it best to place the WAP: off the router/firewall or the switch?
4) Another idea was to replace the server with a new SBS box (been looking at the HP MicroServer), a new Gb switch, remove the router/firewall completely and get SBS to do everything. Wise idea, or a bit silly, and I SHOULD have a hardware firewall solution before the server? I have a feeling I already know this one.
5) Anything else I've missed, should consider, overlooked etc. etc.?
There is also an ongoing discussion regarding emails and whether or not we need an Exchange setup for so few people, but it is a mixture of what they've always used and me not finding a suitable hosted Exchange solution that meets our requirements with our budget and Google Apps is well out of the question as the MD thought it was "naff".
Cheers for any help.
[Edited on 29-05-2011 by Dom]
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
1) Never used anything other than Linux/free types and Cisco PIX/ASA. All the firewalls you have mentioned will have a GUI that will help you configure the box, but it will be the terminology that may get confusing depending on your knowledge/what you have at hand to read. Even though they are all good firewalls, they will only be as good as the person configuring them imo.
2) Leave it in its current configuration. Doing the dual NIC situation will give you a Windows box as a lovely single point of failure, and I wouldn't rate anything running Windows to route packets, which is what it will essentially be doing.
3) Depending on your network/wireless policy having the wireless terminate into the firewall could help you police what is coming over the airwaves - you could set up rules on the firewall to only allow wireless to access certain services on your internal network. £100 more or not, at least you will have a decent wireless setup and won't be counting on a £20 device for your phones which I would assume is quite important to your business.
4) See point 2, the less work the SBS box has to do the better, as it will be serving some pretty important services such as DHCP, storage, DNS and mail! Just make sure your internet connection is up to it; imagine what happens when your boss VPNs in and starts moving large files, or decides he wants to send that 10MB email with all the funny cat pics to 20 people on his mailing list!
Other than that I think you have it covered, just make sure you have all the requirements ticked off and a clear guide of how you will implement it. Other things I would think about are IP addressing, which is always important: are you going to give your wireless clients a different range of addresses etc.? It helps with troubleshooting among other things.
|
VrsTurbo
Premium Member
Registered: 8th Jun 10
User status: Offline
|
The company I work for actually supports your area, if you're interested in someone doing the work for you?
|
VrsTurbo
Premium Member
Registered: 8th Jun 10
User status: Offline
|
1) SBS is perfectly fine at running RRAS. If you are running Virgin Media ADSL I would go for something along the lines of a DrayTek 2820; great for the cost.
Replacing the SBS server with new hardware and starting again is a good solution. Stick in some image based backups and if your hardware is to fail it's a 24-48hr turnaround for a new server to get you back up and running.
Depending on how many clients and how much data, it could be done over a weekend.
[Edited on 29-05-2011 by VrsTurbo]
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote: Originally posted by willay
1) Never used anything other than Linux/free types and Cisco PIX/ASA. All the firewalls you have mentioned will have a GUI that will help you configure the box, but it will be the terminology that may get confusing depending on your knowledge/what you have at hand to read. Even though they are all good firewalls, they will only be as good as the person configuring them imo.
2) Leave it in its current configuration. Doing the dual NIC situation will give you a Windows box as a lovely single point of failure, and I wouldn't rate anything running Windows to route packets, which is what it will essentially be doing.
3) Depending on your network/wireless policy having the wireless terminate into the firewall could help you police what is coming over the airwaves - you could set up rules on the firewall to only allow wireless to access certain services on your internal network. £100 more or not, at least you will have a decent wireless setup and won't be counting on a £20 device for your phones which I would assume is quite important to your business.
4) See point 2, the less work the SBS box has to do the better, as it will be serving some pretty important services such as DHCP, storage, DNS and mail! Just make sure your internet connection is up to it; imagine what happens when your boss VPNs in and starts moving large files, or decides he wants to send that 10MB email with all the funny cat pics to 20 people on his mailing list!
Other than that I think you have it covered, just make sure you have all the requirements ticked off and a clear guide of how you will implement it. Other things I would think about are IP addressing, which is always important: are you going to give your wireless clients a different range of addresses etc.? It helps with troubleshooting among other things.
Cheers Willay!
Can you recommend any routers/firewalls?
I'm personally against the idea of using a pfSense/Smoothwall setup, far too many bad experiences in the past (and that was in home situations), and it needs to be something that once set up will happily run for a few years without being touched. Cisco gear is well out of our budget, even second-hand, so that's not really an option.
And the reason I mention Juniper is because they are well known in the Enterprise/DC arenas (I was recommended them by someone who works at Telehouse) and although they have GUIs, Junos is mainly CLI configured, hence the steep learning curve. But I agree, it could be an issue regarding setup; although I have past experience of DrayTek/pfSense, it will be a learning curve and a lot of book/web reading either way.
Regarding the wireless, it's a requirement but it's not a priority as it's only for the iPhones to sync up with Exchange (pointless if you're next to your computer) and for someone to browse the net whilst on the crapper. If it failed, no one is going to get fired. Hence why I thought I could save £80 (use that to upgrade the SBS box or get a new switch) and bung a WAP on the router/firewall.
Would you recommend offloading DHCP/DNS to the router and just leave the SBS box dealing with Exchange and (very light) file storage?
One question I did have; at the moment the iPhones point to the outside static address for Exchange, obviously, but when using the office's wireless is there any way to route those requests internally without changing anything on the IPs? Am I right in thinking this could be done via static routes?
Cheers again though, you've been a big help.
VrsTurbo - It's either a new router/firewall or server, haven't got the budget at the moment to do both. A 2820 is what I've had experience with in the past (luckily I had someone check over everything), didn't have any issues but I personally haven't got anything special to say about them. But the new office connection (flexible; can be anything from 1-100Mbit) is terminated at a patch panel in the cabinet.
p.s. - another question, should I leave the SBS box to deal with VPN access or give that role to the new firewall (if that's what we go for)? I've read around and it's been recommended that it's pretty iffy with SBS, especially 2003, and hardware VPN is the best option.
[Edited on 29-05-2011 by Dom]
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
SBS is built to do the DHCP and DNS, it won't like it/won't work properly if it's not doing it.
What sort of firewall do you need? There are selections from DrayTek's built-in stuff up to the Smoothwalls (really fucking annoying ime) and stuff like the WatchGuard Firebox.
2003 RRAS isn't that good, better in 2008, but DrayTeks are quite good at the VPNs.
We've got loads in place.
You don't want to do a dual NIC setup either, that's well outdated; any more recent SBS won't let you do it at all.
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
Agree, keep all the DHCP/DNS with the SBS server, just don't do that dual NIC lark, it's a waste of time.
Gotcha regarding the wireless, if it isn't a priority then use a cheap device!
RE: iPhone sync, can they access the Exchange server using the external IP when connecting from the local network? If it works then don't change it. If it doesn't work then you could do it by DNS name, and your local DNS server could give an internal IP for the result where an external DNS server would give them the external IP?
Juniper is in the same market position as Cisco imo, what sort of money are the Juniper devices?
Not sure what your experiences with pfSense/Smoothwall have been but there are plenty of people using it for business needs. It just needs to be managed and configured correctly; a lot of places can just set it up and then never touch it again as it just works.
VPN can be handled by your router/firewall if it's any good, but depends how you feel configuring/supporting it. This would also mean the SBS server isn't getting spanked for CPU cycles when it's decrypting/encrypting all that lovely information for ze VPN.
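The split-horizon DNS idea in willay's reply (local DNS hands out the internal address, external DNS hands out the public one) as a small Python model. This is an added illustration, not code from the thread; the hostname, the LAN/wireless ranges and the addresses are constructed placeholders, and the wireless range follows willay's earlier suggestion of giving wireless clients their own range.

```python
"""Split-horizon DNS: answer a hostname with the LAN address for clients
on the office network and with the public address for everyone else.

Added illustration, not part of the thread. mail.example.co.uk,
192.168.10.0/24, 192.168.20.0/24, 192.168.10.5 and 203.0.113.10 are
all constructed placeholders (203.0.113.0/24 is a documentation range).
"""
import ipaddress
from typing import Optional

# Constructed zone: hostname -> (answer for internal clients, answer for the internet)
SPLIT_ZONE = {
    "mail.example.co.uk": ("192.168.10.5", "203.0.113.10"),
}

# Wired office LAN plus a separate wireless range, so wireless clients can be
# told apart when troubleshooting (both ranges are constructed).
INTERNAL_NETS = (
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("192.168.20.0/24"),
)

# RFC 1918 space: an answer from here must only ever go to an internal client.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_internal_client(client_ip: str) -> bool:
    """True when the query comes from the office LAN or wireless range."""
    src = ipaddress.ip_address(client_ip)
    return any(src in net for net in INTERNAL_NETS)


def resolve(hostname: str, client_ip: str) -> Optional[str]:
    """Return the A record a split-horizon resolver hands to client_ip,
    or None when the name is not one we split."""
    record = SPLIT_ZONE.get(hostname.lower().rstrip("."))
    if record is None:
        return None
    internal, external = record
    return internal if is_internal_client(client_ip) else external


def leaks_internal_address(hostname: str, client_ip: str) -> bool:
    """Defender's sanity check: an external client must never be handed an
    RFC 1918 address for a split hostname (that would expose LAN layout
    and break the client)."""
    answer = resolve(hostname, client_ip)
    if answer is None or is_internal_client(client_ip):
        return False
    ip = ipaddress.ip_address(answer)
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    for client in ("192.168.10.42", "192.168.20.7", "198.51.100.77"):
        print(client, "->", resolve("mail.example.co.uk", client))
```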
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
Smoothwall works but it's too restrictive for me. It probably is configuration, but things like in-program updaters are a complete PITA.
Some sites just don't like it full stop either, it's modifying the traffic in some way even if it appears like it's not.
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
Some sites? Like websites?
How can a Smoothwall/firewall screw with the traffic? Do you need to inspect traffic higher than layer 3/4?
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote: Originally posted by John
SBS is built to do the DHCP and DNS, it won't like it/won't work properly if it's not doing it.
What sort of firewall do you need? There are selections from DrayTek's built-in stuff up to the Smoothwalls (really fucking annoying ime) and stuff like the WatchGuard Firebox.
2003 RRAS isn't that good, better in 2008, but DrayTeks are quite good at the VPNs.
We've got loads in place.
You don't want to do a dual NIC setup either, that's well outdated; any more recent SBS won't let you do it at all.
Yeah, I've heard SBS doesn't really play ball when it's not the DHCP/DNS provider.
Had a very brief look at the XTM 22-W as it was in the same price range as the Junipers, £360 region for the wireless version (so £100 cheaper than the SSG5-W-W); but I read one iffy review and gave up. Is it worth looking at it again? Anything you recommend?
To be honest I don't need anything fancy in terms of firewalls, chances are what I'm looking at is a bit OTT; it just needs to be reliable, can be left for years without being touched (current situation with the SBS box, hadn't been touched for 4/5 years nor rebooted to install any updates prior to me joining the company) and if it all goes to pot there is some decent support.
Willay - yeah the iPhones work fine, just always thought it was a bit odd to go 'out' and back 'in' again. But I'm guessing I should 'KISS'.
Set up and used pfSense (plus tinkered with Smoothwall) only in home environments (one was a 10 person student house, hammering torrents/web/porn etc.); just didn't get on with it and thought it required a stupid amount of input for what you got. It also didn't like being hammered and never managed to get the full throughput of the connection, although I've assumed that was mainly down to the gear it was running on.
Regarding wireless; if I do use a WAP what's the best setup/config? Should I separate it, different addresses? Only internal use, not for public/customers etc.
Again, much appreciated for the help, certainly cleared up a fair amount of questions I had.
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
quote: Originally posted by willay
Some sites? Like websites?
How can a Smoothwall/firewall screw with the traffic? Do you need to inspect traffic higher than layer 3/4?
Websites, yeah; the one client we've got it at, it's filtering all web traffic and it definitely messes with the traffic.
I don't know that much about it though, I only touch it when it's broken something.
|
Sam
Moderator Premium Member
Registered: 24th Dec 99
Location: West Midlands
User status: Offline
|
Your router is really just a Linksys, which = shit (in my experience of dealing with these), so that definitely needs to be replaced.
If you only have 3 desktops and just need wireless/remote access for occasional connections I think your current setup is a bit overkill for such a small network?
If cost is an issue, I would probably just suggest something simple like this:
wireless gigabit router > gigabit switch > Windows "server" PC > local and remote desktops/mobiles
You probably know this already but I'll say it anyway just in case:
- the router will handle DHCP etc.; you could even assign static IPs to the desktops if you needed to
- the router will have a firewall built-in, and the client PCs/server will obviously have software firewalls
- if you need web filtering, set up a proxy on the server box and get your router to direct any port 80/443 requests to it (some routers do come with web filtering but they are a bit archaic in my experience)
- make sure the wireless on the router is secured (don't use WEP)
- use CAT6 cabling for gigabit networking
- for email you could use a cloud based solution like Google Apps for Domains (Gmail) with your company's domain name - £3.30 a month per user with 25GB email disk space and spam filtering etc. (see here for more details), and you can use your Outlook clients to connect to GMail via IMAP (and of course your users can access their email via the web as well at something like http://www.mydomain.com/email)
- the server box should at the very least have a RAID1 array; make sure you buy three hard drives, fit two in the server for the RAID array and keep the other one as a spare in case one of them dies in future
- for backup, you should back up both locally and to an off-site location: for local just get an external HDD and set a backup program to do a differential file backup every night, and then a few hours later something for a cloud based backup
|
VrsTurbo
Premium Member
Registered: 8th Jun 10
User status: Offline
|
TBF you don't really need VPN access, just use RWW.
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote: Originally posted by Sam
Your router is really just a Linksys, which = shit (in my experience of dealing with these), so that definitely needs to be replaced.
If you only have 3 desktops and just need wireless/remote access for occasional connections I think your current setup is a bit overkill for such a small network?
If cost is an issue, I would probably just suggest something simple like this:
wireless gigabit router > gigabit switch > Windows "server" PC > local and remote desktops/mobiles
You probably know this already but I'll say it anyway just in case:
- the router will handle DHCP etc.; you could even assign static IPs to the desktops if you needed to
- the router will have a firewall built-in, and the client PCs/server will obviously have software firewalls
- if you need web filtering, set up a proxy on the server box and get your router to direct any port 80/443 requests to it (some routers do come with web filtering but they are a bit archaic in my experience)
- make sure the wireless on the router is secured (don't use WEP)
- use CAT6 cabling for gigabit networking
- for email you could use a cloud based solution like Google Apps for Domains (Gmail) with your company's domain name - £3.30 a month per user with 25GB email disk space and spam filtering etc. (see here for more details), and you can use your Outlook clients to connect to GMail via IMAP (and of course your users can access their email via the web as well at something like http://www.mydomain.com/email)
- the server box should at the very least have a RAID1 array; make sure you buy three hard drives, fit two in the server for the RAID array and keep the other one as a spare in case one of them dies in future
- for backup, you should back up both locally and to an off-site location: for local just get an external HDD and set a backup program to do a differential file backup every night, and then a few hours later something for a cloud based backup
Cheers Sam. Unfortunately the MD wasn't interested in Google Apps for email and I've yet to find a suitable hosted Exchange provider that isn't going to cost the earth for our needs; so it looks like the SBS/Exchange box is here to stay for the foreseeable future (not my choice personally though).
Regarding routers/firewalls, someone mentioned a Cisco 877 (on another) and VLANing the ethernet ports between WAN and LAN as a cheap solution (apparently they can be had for the £100 mark), although that appears to me as a bit 'bodgy'.
Also a Cisco ASA5505 is apparently in the same price range as the Junipers (£300-400) and should be worth looking at. Anyone had experience with the ASA5505?
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
Yes, just make sure you have the one with the unlimited licence; some are only for 10 users and shit.
|
Sam
Moderator Premium Member
Registered: 24th Dec 99
Location: West Midlands
User status: Offline
|
Dom - I think the company Andrew works for offers Exchange hosting. Might be worth a U2U to him?
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Cheers Willay.
Has anyone used MCI Diventi Ltd or 1stAdvance? They seem to be about the best priced compared to Misco/Dabs/Ebuyer etc. Anyone know of any other retailers/online stores for networking gear?
Sam - One of the issues is mailbox sizes; most tend to be 2GB unless on 2010. Cobweb is who I've used in the past and they will be doing 25GB mailboxes, but from what I've been told it won't be happening until later this year.
But cheers, will ask him.
[Edited on 30-05-2011 by Dom]
|
VrsTurbo
Premium Member
Registered: 8th Jun 10
User status: Offline
|
You don't need a fancy firewall/router at all. Get a new server! It really will make more sense; yes, it costs more, but it'll be a lot better. We have sites using Netgear ADSL routers/firewalls and they are perfectly fine.
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
Vrs does have a good point about the firewall/router - what are your remote access requirements?
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote: Originally posted by VrsTurbo
You don't need a fancy firewall/router at all. Get a new server! It really will make more sense; yes, it costs more, but it'll be a lot better. We have sites using Netgear ADSL routers/firewalls and they are perfectly fine.
It'll probably make the most noticeable change, but again it's the budget that is the issue. Was looking at the HP MicroServers as they seem to get decent reviews running SBS 2008, and kitted up with 8GB and a few TB of disks it would be a similar price to a router/firewall.
Only issue I have is the 'Cisco' Linksys router currently in place is complete toss, hence replacing it with something 'solid' that'll last a fair while.
By the way, the connection at the moment is via VM cable; in the new place it's terminated on a patch panel and then we pay for whatever level of service we want (from what I remember 1-100MB is available).
Willay - to be honest, remote access is once in a blue moon. It's only for when someone is offsite, which is rarely and is usually the MD on holiday checking reports, and needs to use internal software (or web apps that are IP restricted). At the moment everyone just VPNs to the network, which is dealt with by the SBS 2003 box.
|
VrsTurbo
Premium Member
Registered: 8th Jun 10
User status: Offline
|
SBS 2011/2008 will do Remote Web Workplace and it's great at doing it!
What is it your company does and how many employees do you have?
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote: Originally posted by VrsTurbo
SBS 2011/2008 will do Remote Web Workplace and it's great at doing it!
What is it your company does and how many employees do you have?
Only 3 at the minute, no more than 5/6, and it's only Exchange that gets used the most (+ our software which runs on other boxes / cloud based) - hence why I was thinking the HP MicroServer would be fine, plus £100 cashback if I order today.
|
VrsTurbo
Premium Member
Registered: 8th Jun 10
User status: Offline
|
Well, no need to pay for silly fast internet; 20 on a 1-1 contention will be more than enough unless you're constantly downloading or uploading large files.
Even 10Mb would do 6 users!
HP servers are good, 3 year NBW; just make sure you have a solid backup plan as you have a single point of failure. Only SATA disks as well, so not as fast as SAS. Depends how often people are going to be accessing the server with read/write IO.
Don't forget to budget for the SBS licence as well.
Around 400-600 for the SBS licence and then you'll need additional CALs too, as your current 2003 licences are not transferable.
[Edited on 31-05-2011 by VrsTurbo]
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote: Originally posted by VrsTurbo
Well, no need to pay for silly fast internet; 20 on a 1-1 contention will be more than enough unless you're constantly downloading or uploading large files.
Even 10Mb would do 6 users!
HP servers are good, 3 year NBW; just make sure you have a solid backup plan as you have a single point of failure. Only SATA disks as well, so not as fast as SAS. Depends how often people are going to be accessing the server with read/write IO.
Don't forget to budget for the SBS licence as well.
Around 400-600 for the SBS licence and then you'll need additional CALs too, as your current 2003 licences are not transferable.
[Edited on 31-05-2011 by VrsTurbo]
Yeah, I know about that, hence why I was thinking of keeping 2003 until funds allow for the 2008 CALs/licence. Either way, after the meeting today it looks like this is being pushed back until after moving in (to be honest I can see it being next year) due to available funds.
Cheers all for the help/advice though.
|