Migration, Licensing, Etc.
Will Niccolls (Guest)
Posted: Wed Jan 19, 2005 4:12 am    Post subject: Migration, Licensing, Etc.

Current system: Existing peer network with 10 personnel running a variety
of Win98, XP Home, and XP Pro machines. Internet connected via a Netgear
614 Router/Firewall feeding a switched hub and 802.11 access point. In the
next weeks I'll be migrating to the SBS 2003 server with a three disk RAID 5
and Exchange.

4 of the 10 users have laptops AND desktops, often they are connected to the
network simultaneously on their laptop and desktop. Are there any
licensing issues with this "more machines than users" scenario? (I'd
complain that the incremental cost of adding an 11th user is outrageous, but
besides the futility of complaining, I'm not the one footing the bill).

Another question. For users of XP Home and Win98, are there any limitations
on the migration? My understanding is that these OS's can't become part of
a domain, does that mean these users won't be logged in as a specific user?
Will they still be able to access shared resources on the server that have
permissions opened to all LAN traffic? And does this affect the licensing
in any way? Will they be able to access Exchange and Sharepoint Services?

Over the next months I'll be upgrading all machines to XP Pro.

And one more question. We have a web server that serves customers to access
some of their account info. I plan on putting this on the DMZ port of the
firewall. Any considerations I should be aware of for security in this
configuration?

Thank you,

Will Niccolls

Javier Gomez [SBS MVP] (Guest)
Posted: Wed Jan 19, 2005 4:38 am    Post subject: Re: Migration, Licensing, Etc.

Quote:
4 of the 10 users have laptops AND desktops, often they are connected to
the network simultaneously on their laptop and desktop. Are there any
licensing issues with this "more machines than users" scenario? (I'd
complain that the incremental cost of adding an 11th user is outrageous,
but besides the futility of complaining, I'm not the one footing the
bill).

Nope. If you have 10 Users and you buy 5 additional User CALs then you can
have as many devices as you like.

Quote:
Another question. For users of XP Home and Win98, are there any
limitations on the migration? My understanding is that these OS's can't
become part of a domain, does that mean these users won't be logged in as
a specific user? Will they still be able to access shared resources on the
server that have permissions opened to all LAN traffic? And does this
affect the licensing in any way? Will they be able to access Exchange
and Sharepoint Services?

XP Home cannot join the domain. The only thing you can do is have the same
username/password on the local account as in the domain so it "sort of"
works... but this is crappy. You really have to move to XP pro or 2000.
Windows 98 can be part of the domain, just that you have to do it manually
(no connect computer wizard). Do a search in this NG for XP Home and another
for Windows 98 to see the workarounds in more detail.

Quote:
Over the next months I'll be upgrading all machines to XP Pro.

Smart move! :-)

Quote:
And one more question. We have a web server that serves customers to
access some of their account info. I plan on putting this on the DMZ port
of the firewall. Any considerations I should be aware of for security in
this configuration?

Sounds good. My suggestion is that you use 2 NICs in your SBS box and put
the web server in between the router and the SBS box. Personally, I wouldn't
use the DMZ port and just forward the appropriate ports instead. Be aware
that unless you have more than 1 static IP the http-> https redirector
will not work (since you can't forward port 80 to the sbs box) and if your
webserver requires SSL (443) then you will have problems with using
OWA/RWW/etc. as well.

--
Javier [SBS MVP]
www.msmvps.com/javier
<< SBS ROCKS!!! >>

Will Niccolls (Guest)
Posted: Wed Jan 19, 2005 8:37 pm    Post subject: Re: Migration, Licensing, Etc.

"Javier Gomez [SBS MVP]" wrote:

Quote:
Will Niccolls wrote:

Another question. For users of XP Home and Win98, are there any
limitations on the migration? My understanding is that these OS's can't
become part of a domain, does that mean these users won't be logged in as
a specific user? Will they still be able to access shared resources on
the server that have permissions opened to all LAN traffic? And does
this affect the licensing in any way? Will they be able to access
Exchange and Sharepoint Services?

XP Home cannot join the domain. The only thing you can do is have the same
username/password on the local account as in the domain so it "sort of"
works... but this is crappy. You really have to move to XP pro or 2000.
Windows 98 can be part of the domain, just that you have to do it manually
(no connect computer wizard). Do a search in this NG for XP Home and
another for Windows 98 to see the workarounds in more detail.

Over the next months I'll be upgrading all machines to XP Pro.

Smart move! :-)

Ok, so they can't really join a domain ( this issue alone was enough for me
to advocate moving the entire office to open source systems, btw) but they
can still access Sharepoint and Exchange services?

Quote:
And one more question. We have a web server that serves customers to
access some of their account info. I plan on putting this on the DMZ
port of the firewall. Any considerations I should be aware of for
security in this configuration?

Sounds good. My suggestion is that you use 2 NICs in your SBS box and put
the web server in between the router and the SBS box. Personally, I
wouldn't use the DMZ port and just forward the appropriate ports instead.
Be aware that unless you have more than 1 static IP the http-> https
redirector will not work (since you can't forward port 80 to the sbs box)
and if your webserver requires SSL (443) then you will have problems with
using OWA/RWW/etc. as well.

We have several static IPs available so the http(s) redirection won't be an
issue. Let me also make sure I understand exactly what you mean by putting
"the web server in between the router and the SBS box.". Are you saying
that one NIC will be connected to the web server and incoming internet,
and the other NIC will be connected to the local LAN hub? This is similar to
the recommended configuration of SBS with two NICs, but with the addition of
the web server on the WAN NIC side of the network, correct?

(On a side note, the web server and associated database are not "mission
critical" and the data is purely for the convenience of customers--important
but it can be recreated with a minimum of hassle. It runs Apache Tomcat and
MySQL)

Thanks again to you and all the MVPs, this group is an invaluable resource,
without it I would never even consider the migration to this OS. As it is,
I'm looking forward to tinkering with confidence.

Will Niccolls

Javier Gomez [SBS MVP] (Guest)
Posted: Wed Jan 19, 2005 9:08 pm    Post subject: Re: Migration, Licensing, Etc.

Hi!

Quote:
Ok, so they can't really join a domain ( this issue alone was enough for
me to advocate moving the entire office to open source systems, btw) but
they can still access Sharepoint and Exchange services?

If you have the same username/password on the local account... yes. If not,
then you would have to enter it each time.

Quote:
We have several static IPs available so the http(s) redirection won't be
an issue.

Some low end firewall routers don't support multiple external IPs... so make
sure your router supports it (if you are going to use it).

Quote:
Let me also make sure I understand exactly what you mean by putting "the
web server in between the router and the SBS box.". Are you saying that
one NIC will be connected to the web server and incoming internet, and
the other NIC will be connected to the local LAN hub? This is similar to the
recommended configuration of SBS with two NICs, but with the addition of
the web server on the WAN NIC side of the network, correct?

Just to be clear:

          Internet
             |
      Firewall/Router
        |         |
   Web Server    SBS
                  |
              switch/hub
                  |
             workstations

It's the same setting as using a DMZ port on the firewall. The problem is
that the definition of "DMZ" for most firewalls is "forward all available
ports to that IP"... which is erroneous and I don't like. I prefer to
forward the necessary ports only (and you have a true DMZ between the
firewall and the SBS box.).

Quote:
(On a side note, the web server and associated database are not "mission
critical" and the data is purely for the convenience of
customers--important but it can be recreated with a minimum of hassle. It
runs Apache Tomcat and MySQL)

That's exactly the kind of server you would put on a DMZ.

Quote:
Thanks again to you and all the MVPs, this group is an invaluable
resource, without it I would never even consider the migration to this OS.
As it is, I'm looking forward to tinkering with confidence.

Thanks! We've all been down that road at some point. I hope your migration goes
smoothly.... Great to have you in our community!

--
Javier [SBS MVP]
www.msmvps.com/javier
<< SBS ROCKS !!! >>
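
As an added illustration of the point in the reply above (not code from either poster): a small Python audit of a port-forward table that flags the forward-everything "DMZ host" setting, forwards for ports a host does not need, and two hosts claiming the same port on one external IP. The rule tables, the 203.0.113.x addresses and the host names are constructed for the example.

```python
from collections import defaultdict

# Ports each host needs exposed, taken from the thread: the web server has no
# https; the SBS box wants 80 (http->https redirector) and 443 (OWA/RWW).
NEEDED = {"webserver": {80}, "sbs": {80, 443}}

# Constructed rules: (external_ip, external_port, internal_host).
# Port "*" models the consumer-router "DMZ host" option (all ports to one IP).
ONE_IP = [
    ("203.0.113.10", "*", "webserver"),
    ("203.0.113.10", 80, "sbs"),
    ("203.0.113.10", 80, "webserver"),
    ("203.0.113.10", 443, "sbs"),
    ("203.0.113.10", 3306, "webserver"),   # MySQL, never needed from outside
]
TWO_IPS = [
    ("203.0.113.10", 80, "webserver"),
    ("203.0.113.11", 80, "sbs"),
    ("203.0.113.11", 443, "sbs"),
]

def audit(rules, needed=NEEDED):
    """Return sorted (kind, external_ip, port, hosts) findings for a forward table."""
    findings = []
    owners = defaultdict(set)
    for ext_ip, port, host in rules:
        if port == "*":
            findings.append(("forward-all", ext_ip, "*", (host,)))
        elif port not in needed.get(host, set()):
            findings.append(("unneeded-port", ext_ip, str(port), (host,)))
        owners[(ext_ip, port)].add(host)
    # One external IP can hand a given port to only one internal host.
    for (ext_ip, port), hosts in owners.items():
        if len(hosts) > 1:
            findings.append(("port-conflict", ext_ip, str(port), tuple(sorted(hosts))))
    return sorted(findings)

if __name__ == "__main__":
    for name, table in (("one external IP", ONE_IP), ("two external IPs", TWO_IPS)):
        print(name)
        for finding in audit(table) or ["no findings"]:
            print("  ", finding)
```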

Will Niccolls (Guest)
Posted: Wed Jan 19, 2005 10:47 pm    Post subject: Re: Migration, Licensing, Etc.

"Javier Gomez [SBS MVP]" wrote in message
news:OEd9Skj$EHA.3924@TK2MSFTNGP15.phx.gbl...
Quote:

Some low end firewall routers don't support multiple external IPs... so
make sure your router supports it (if you are going to use it).

Just to be clear:

          Internet
             |
      Firewall/Router
        |         |
   Web Server    SBS
                  |
              switch/hub
                  |
             workstations

It's the same setting as using a DMZ port on the firewall. The problem is
that the definition of "DMZ" for most firewalls is "forward all available
ports to that IP"... which is erroneous and I don't like. I prefer to
forward the necessary ports only (and you have a true DMZ between the
firewall and the SBS box.).

Yes, I'll need to upgrade the Firewall/Router. I found several Linksys
products that seem to fit the bill, for example:

http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=639

<quote> The Linksys 10/100 4-Port VPN Router is an advanced Internet-sharing
network solution for your small business needs. Like any router, it lets
multiple computers in your office share an Internet connection. But the
unique dual Internet ports on the 10/100 4-Port VPN Router let you connect a
second Internet line as a backup to insure that you're never disconnected.
Or, use both Internet ports at the same time, and let the router balance
your office's requirements between them for maximum bandwidth efficiency.
"<end quote>

This would seem to support at least two IP's, if anyone has experience with
this or similar products I'd like to hear about it. I'll update this thread
once I confirm the multiple IP support.

Will Niccolls

Javier Gomez [SBS MVP] (Guest)
Posted: Wed Jan 19, 2005 11:02 pm    Post subject: Re: Migration, Licensing, Etc.

Quote:
This would seem to support at least two IP's, if anyone has experience
with this or similar products I'd like to hear about it. I'll update this
thread once I confirm the multiple IP support.

I have a client using its cousin (the RV082) and it supports 2 IPs... but
take into account that's not what it was designed for (although I don't see
why it wouldn't work as well). If you already have a router... do you need
https on the webserver? Because if you don't then there is no need for
concern. If you do, then you can simply get another "el cheapo" router and
use it in conjunction with the one you have.

I'm assuming you want to save some $$$... if not then get a router that
supports multiple IPs bound to the same interface (I believe most mid-level
boxes would do it-> watchguard, fortinet, etc.). So, if you need to have
another IP in the future you don't end up having to buy another one.

My $0.02,

--
Javier [SBS MVP]
www.msmvps.com/javier
<< SBS ROCKS!!! >>

Will Niccolls (Guest)
Posted: Thu Jan 20, 2005 12:02 am    Post subject: Re: Migration, Licensing, Etc.

"Javier Gomez [SBS MVP]" <javier_gomez@REMOVE.THIS.engineer.com> wrote in
message news:uvqwoik$EHA.2584@TK2MSFTNGP09.phx.gbl...
Quote:
This would seem to support at least two IP's, if anyone has experience
with this or similar products I'd like to hear about it. I'll update
this thread once I confirm the multiple IP support.

I have a client using its cousin (the RV082) and it supports 2 IPs... but
take into account that's not what it was designed for (although I don't
see why it wouldn't work as well). If you already have a router... do you
need https on the webserver? Because if you don't then there is no need
for concern. If you do, then you can simply get another "el cheapo" router
and use it in conjunction with the one you have.

I'm assuming you want to save some $$$... if not then get a router that
supports multiple IPs bound to the same interface (I believe most
mid-level boxes would do it-> watchguard, fortinet, etc.). So, if you need
to have another IP in the future you don't end up having to buy another
one.


Ah, I see. I could connect my incoming internet (a point to point wireless
provider, comes into the office via CAT 5 attached to a small receiver on
the roof) to a hub, then the two routers to the hub, each with its own IP?

No https.

I don't mind spending 150-200, but it seems that the Fortinets, etc you
start getting into the 400 range and that's a bit steep.

Thanks again,

Will Niccolls

Javier Gomez [SBS MVP] (Guest)
Posted: Thu Jan 20, 2005 12:55 am    Post subject: Re: Migration, Licensing, Etc.

Quote:
Ah, I see. I could connect my incoming internet (a point to point
wireless provider, comes into the office via CAT 5 attached to a small
receiver on the roof) to a hub, then the two routers to the hub, each
with its own IP?

Yep... you can do that.

Quote:
No https.

If that's the case... I wouldn't bother with 2 IPs. There is really no need
and you will be gaining no benefit.

Quote:
I don't mind spending 150-200, but it seems that the Fortinets, etc you
start getting into the 400 range and that's a bit steep.

I'm sure you could find a router that does it for $200... In fact, the other
option would be to put the webserver directly to the net (with a software
firewall) and spend $0. But, why bother? :-)

--
Javier [SBS MVP]
www.msmvps.com/javier
<< SBS ROCKS!!! >>

Matt Gibson (Guest)
Posted: Thu Jan 20, 2005 2:20 am    Post subject: Re: Migration, Licensing, Etc.

Remember though, a Fortinet does more than just a firewall.

It does AV filtering, Grayware/Malware filtering, IDS/IPS, and a whole host
of other things.

It's WELL worth the money.

-Matt

"Will Niccolls" <wn@nullsoft.com> wrote in message
news:ed$CZEl$EHA.2600@TK2MSFTNGP09.phx.gbl...
Quote:

"Javier Gomez [SBS MVP]" <javier_gomez@REMOVE.THIS.engineer.com> wrote in
message news:uvqwoik$EHA.2584@TK2MSFTNGP09.phx.gbl...
This would seem to support at least two IP's, if anyone has experience
with this or similar products I'd like to hear about it. I'll update
this thread once I confirm the multiple IP support.

I have a client using its cousin (the RV082) and it supports 2 IPs...
but take into account that's not what it was designed for (although I
don't see why it wouldn't work as well). If you already have a router...
do you need https on the webserver? Because if you don't then there is no
need for concern. If you do, then you can simply get another "el cheapo"
router and use it in conjunction with the one you have.

I'm assuming you want to save some $$$... if not then get a router that
supports multiple IPs bound to the same interface (I believe most
mid-level boxes would do it-> watchguard, fortinet, etc.). So, if you
need to have another IP in the future you don't end up having to buy
another one.


Ah, I see. I could connect my incoming internet (a point to point
wireless provider, comes into the office via CAT 5 attached to a small
receiver on the roof) to a hub, then the two routers to the hub, each
with its own IP?

No https.

I don't mind spending 150-200, but it seems that the Fortinets, etc you
start getting into the 400 range and that's a bit steep.

Thanks again,

Will Niccolls

All times are GMT