Help! My office T1 project has had a case of SERIOUS scope creep, require assistance

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,403
8,199
126
/me puts up the white flag

About 3 weeks ago I posted a topic about what router would serve the needs of my company's upcoming T1 line. At the time, all we were planning on using it for was internet access. I was looking at a Cisco 1600 or 2600 series. I was going to get a 2600 and run both NAT and firewalling. My how things have changed.

We got hit by the Sircam virus pretty hard last week, and they have had problems in the past with the virus (read: click-happy employees who don't look at attachments before opening). So, now I'm looking at hosting our own email server and putting some sort of filtering/virus scanning software on top of the T1 project, as well as a bunch of other things.

So far, here is the list of needs that we have:
1) T1 termination
2) firewalling
3) email hosting
4) email scanning and administration
5) web based email access
6) web site hosting
7) VPN access
8) Terminal services for shooting telecommuters a desktop

Here is what I *think* we need, please DO advise on the decisions

1) T1 termination: Cisco 1750 w/ CSU/DSU
2) Firewalling: not sure yet. I have a SonicWall firewall "appliance" that was left over from an earlier consultant. Would this work?
3) Email Hosting: Exchange server 2000 running on a Win2k Server
4) Email Scanning and Admin: Trend Micro Scan Mail
5) Web based email: Web Based Outlook through Exchange 2000
6) Web site hosting: IIS through 2000 server
7) VPN: PPTP and Win2k Server VPN Server
8) Terminal server for Win2k

I've got a pretty nice quote from Dell on one of their Poweredge 1400 Servers to take care of the hardware requirements. They will also toss on Win2k Server as well.

This is my first time working with a T1, Cisco equipment, 2000 Server, and Exchange (I told you we had a serious case of scope creep).

I've got some questions though...aside from the first 8

1) Do I need anything else besides the T1 service, 2k Server, and Exchange to run my own mail server? Are there any other services that I would need to install that would not be included with those three items?

2) I don't believe that the Cisco 1750 supports the IPSec protocol for VPNs. Is PPTP an acceptable alternative?

3) Is there any shame in admitting defeat?

[EDIT]
I looked into, and really wanted to go with, Small Business Server 2000. Unfortunately, this won't work out for us. By the time I set up all of my remote users that will be accessing the Web Based Outlook, I'll be far beyond the 50 users that SBS2k supports. This created the need to go with Win2k Server and Exchange as standalone products.

[EDIT #2]
I forgot to describe my current user base. I have ~25 computers in the office accessing the internet and its services. I also have about 30 remote locations that have local ISP dial-up access. These 30 dial-up users would use their local internet connections to browse to our website and log into their web based mail account.

I can foresee about 5 VPN users at any given time, as well as around 3 Terminal Service users at any given time.
 

Vegito

Diamond Member
Oct 16, 1999
8,329
0
0
W2K VPN is very sluggish, just so that you don't have high expectations... I sorta have a similar setup and it works well.. do you really want to use IIS? That's the cause of the bug; Apache for 2K works.

I use McAfee for BackOffice, 1 version installs on E2K and has an outbreak utility where if the traffic for email picks up, it'll shut Exchange down.

Use McAfee for workstation which scans email/internet downloads, etc. Except it is really slow when doing scans.

Sonicwall has content filtering so you'll have firewall virus protection, server protection and workstation protection..
good luck..
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,403
8,199
126
I've got another box that I can toss Redhat onto and run an Apache web server. I could also use good old Boa as a web server, but that's a little cryptic.

I haven't ruled Linux out
 

Techwhore

Golden Member
Aug 2, 2000
1,248
0
0
Apache's not just for linux anymore! Use it!

I'm not too sure about Exchange, I'm sure that'd work fine. But I'm looking into CommuniGate Pro right now. Looks pretty good. This would be ideal if you ran that Red Hat box.
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,403
8,199
126
forcesho, the speed of W2k's VPN shouldn't be that big of an issue. I just need to get network access to run a very old DOS based accounting program. It doesn't require much bandwidth at

The reason that I was looking at MS Exchange is because of the huge amount of support in both the software and reference areas. I have a pretty good sized selection of virus scanners for Exchange, as well as a pretty good selection of "how to" books for Exchange. The web based outlook is also in a format that is familiar to my users so very little retraining would be necessary to get them using it.
 

Garion

Platinum Member
Apr 23, 2001
2,328
6
81
If you're going to put in a "real" firewall and really protect your network there's no reason to open up a titanic-sized security hole and run your VPN on your Win2K server. You also don't want to run it on the router, since that's outside the firewall. Another Mack-truck-sized security hole is opening up access to the internal network from ANYTHING outside the firewall - packets are too easy to spoof.

Your best bet is to look at the VPN options that are available on the SonicWall. Most of their products are reasonably robust and offer good VPN options. VPNs are traditionally done at the firewall level for most small businesses, unless you can afford to spend an extra $2000 for a dedicated VPN server.

Your ideas for Exchange and ScanMail are right on the money. Exchange rocks (but is very complex to set up and maintain), ScanMail is very effective at stopping viruses and Outlook Web Access works quite well for web-based e-mail access. Just make VERY sure you keep up on your IIS patches! Don't want another Code Red distributor around!

If your company is hip on antivirus, don't forget to run one on the server to block any infected files.

MS Terminal Server on the W2K box is nice, but a large security hole. If you use it from the Internet you should make your firewall rules pretty restrictive as to who can access it or not.

Lessee.. To run all this on one box. It'll be a PDC, a file server, run tape backups (I assume - Veritas BackupExec is the way to go), run Exchange and IIS. I'm assuming you're looking at a dual P3 with 512MB - 1 GB RAM? That's probably about what you'd want.

- G
 

Vegito

Diamond Member
Oct 16, 1999
8,329
0
0
For 1 box, if it's PDC/backup/IIS/Exchange, I would get min 2 GB memory... Exchange is a memory chewer and memory is so cheap now anyway.
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,403
8,199
126
Excellent replies so far, thanks!

As for the server, here is what I have quoted -

- Single P3-1 gig (dual processor capable)
- 512 RAM (might bump up to 1 gig afterwards)
- 4 x 18g 10,000 RPM SCSI drives on a RAID hardware adapter w/ 128 meg cache
- 20/40 DDS4 TBU using Backup Exec
- Dual redundant power supply
- CDROM
- Win2k Server w/ 5 cals
- other "basic" stuff

Total: $4448 after tax and shipping.

How would a SonicWall XPRS2 with the Anti Virus plugin work for our company? Basically, it will scan at the gateway level, as well as do the scans at the client levels. This combined with the ScanMail for Exchange should make a three-tiered front against viruses.

I'm still up in the air on a router. If I purchase the IPSec VPN package for the SonicWall, the router will also have to natively support IPSec as well, correct?

The low end Ciscos, i.e. 1600 & 1750, don't support it I believe. Is there a router, under $2500, that anyone knows offhand that will support the IPSec VPN function of the firewall?
 

Ender78

Senior member
Feb 24, 2001
413
0
0
Just a note here, the 1750 does support IPSec (w/ Firewall Feature Set)

http://www.cisco.com/warp/public/cc/pd/rt/1700/prodlit/1750_ds.htm

1) As it appears as if you want all licensing to be legit, you need to make sure that you have sufficient licensing for all your apps:

1) IIS (if you are doing web hosting, you are only allowed a certain number of connections)
2) Exchange (I have no idea how licensing works here)
3) Terminal Server (If you are running apps remotely, you will need to purchase licensing. Remote Admin mode limits the applications that can be run remotely and only allows for two connections as far as I recall).
4) If you are running all these servers, you will also need to run DNS (Win2K Server has a built in DNS server). Do you want to host DNS internally (or farm it out to someone for a small annual charge)? What type of redundancy do you need for mail? (Do you want someone to cache and hold your mail in case there is a service interruption?) Externally hosted DNS is the better way to go if you want redundancy (you need two DNS servers in any case for a registrar to approve the domain's registration). Will you have an ISDN line or other type of backup for the Internet connection? Once you take things in house, you take on a great deal of responsibility!! Is colocation an option?

In addition to/instead of using a firewall, is NAT an option? Do you really need all your workstations to have public access? I am personally a big fan of NAT (Network Address Translation).

5) If you choose to use IPSec or another VPN client.

6) Web access to mail is a very dangerous thing. I would avoid allowing access to it at all costs. Anyone here know anything about Exchange mail security? Is there a way to have secure authentication occur? I would prefer to have a VPN session opened between client and server and use plain old Outlook instead of webmail.
 

Garion

Platinum Member
Apr 23, 2001
2,328
6
81
If you're running your IPSec VPN on your firewall your router will treat it just like normal IP traffic - You don't have to have any special software. You need the router software only if you're going to use it as the endpoint for your VPN which you're not. Otherwise, IP is IP.

I'd recommend looking at the second processor out of the box. With all of that running on one box you're probably going to need it and adding a second processor isn't quite as simple as you'd expect it to be. On NT it was really a "format and re-install", I heard 2K is better but still not easy.

That flavor of SonicWall might be a bit slim for what you want to do - I'd look at the SonicWALL Pro, which you can get for around $2200. Much more horsepower and will do a better job for what you want.

- G
 

Techwhore

Golden Member
Aug 2, 2000
1,248
0
0
<< On NT it was really a "format and re-install", I heard 2K is better but still not easy. >>

He's right, and it's not easier in 2k... the HAL still doesn't recompile when adjusted, so the only way to go from uniprocessor to SMP is a format/reinstall. On the other hand, the only REAL way to know if you're gonna need an extra processor is to start out with one and run audits, and see if processes build up.

I'd probably go with two just to be on the safe side and spare myself any hassle.
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,403
8,199
126
Ok, I'm really going to show my ignorance here

When I registered for the T1, I only reserved 4 IP addresses. I thought it would be one for the router, one for the exchange server, one for a web server of some form, and then another open for whatever might come up.

Outside of that, I was planning on using the NAT function of the router to share out the T1 access to the users.

If I put a firewall between the router and the internal network, will that kill my ability to do NAT? I was hoping to do static 192.168.0.XXX IP addresses internally, and then just use the DNS and gateway functions of Windows networking to share out the T1 via the router.

If I do NAT with the router, does that somewhat alleviate the need for a firewall?

Damn I feel like such a newbie...oh wait I am to this stuff :\
 

Garion

Platinum Member
Apr 23, 2001
2,328
6
81
It depends on how SonicWall works - You might need all four, you might just need two. I'm sure the SonicWall does NAT, so you can use the 192.168.x.x address space inside your network - That's a given.

Firewalls work in one of two ways. A Cisco PIX works with "conduits" which send traffic from an external "real" IP address back to an internal "private" IP address. Each conduit carries only the traffic that you specify.

Many other firewalls do Port Address Translation, PAT. In this case, the firewall only has a single outside IP address and different ports are mapped back. For example, port 80, 443 and port 25 would be mapped back to your Win2K server. IF you had another FTP server in your network (which you don't, just an example) you could map back port 21 to a DIFFERENT IP address inside. A good example of a firewall that uses PAT is the Cisco router IOS firewall.

OK, just did some looking - the SonicWall looks like a nice and easy firewall and it uses the second method, PAT. In this case, you really ONLY need two IPs - one for the router and one for the firewall. You set up "public LAN servers" for services like HTTP or SMTP. Should be very easy to configure. I checked out their admin guide and it's a piece of cake. Don't be too afraid of this box - it's designed for pretty much anyone to configure.

You don't want to use NAT on the router - it's a pain to configure and takes a lot of horsepower on the box. Your firewall will do 90% of the work - all your router does is pass data from your network to your ISP via the T1 - anything else is not really necessary and can be much better and more efficiently done on the firewall. Routers are designed to route. Yes, they CAN do NAT, firewalls and VPN but there are better ways to do all that.

- G
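Garion's PAT description above, as an added example that is not part of the thread or of any SonicWall product: a small Python model of a single-public-IP firewall with static port mappings (80, 443 and 25 to the Win2K box, 21 to a second inside host) and dynamic outbound translation for the workstations. All addresses are constructed sample values, and the class and its simplified session table are assumptions for illustration, not SonicWall's configuration.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses: TEST-NET-3 for the firewall's one public IP,
# RFC 1918 space for the inside network, as the thread proposes.
PUBLIC_IP = "203.0.113.10"

# Static "public LAN server" rules: (proto, public port) -> (inside host, port).
# 80/443/25 go to the Win2K box (IIS, OWA, Exchange); 21 to a DIFFERENT host.
STATIC_MAP = {
    ("tcp", 80): ("192.168.0.10", 80),
    ("tcp", 443): ("192.168.0.10", 443),
    ("tcp", 25): ("192.168.0.10", 25),
    ("tcp", 21): ("192.168.0.20", 21),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatFirewall:
    """Single-public-IP PAT: static inbound mappings plus dynamic outbound NAT."""

    def __init__(self, public_ip=PUBLIC_IP, static_map=STATIC_MAP, first_port=40000):
        self.public_ip = public_ip
        self.static_map = dict(static_map)
        self.next_port = first_port            # next free public port for outbound flows
        self.outbound = {}  # (proto, inside ip, inside port) -> public port
        self.inbound = {}   # (proto, public port) -> (inside ip, inside port)

    def translate_inbound(self, pkt):
        """Rewrite an Internet-side packet, or return None if it must be dropped."""
        if pkt.dst_ip != self.public_ip:
            return None                        # only the firewall's own address is reachable
        key = (pkt.proto, pkt.dst_port)
        target = self.static_map.get(key) or self.inbound.get(key)
        if target is None:
            return None                        # no rule and no session opened from inside
        # Simplification: a real stateful firewall also matches the reply's source.
        return replace(pkt, dst_ip=target[0], dst_port=target[1])

    def translate_outbound(self, pkt):
        """Rewrite an inside-originated packet to the firewall's public address."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:                   # first packet of this flow: allocate a port
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)
```

Inbound traffic to any port without a rule, such as 3389 for Terminal Services, is dropped unless a rule is added, which is the restriction Garion recommends.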

 

Tallgeese

Diamond Member
Feb 26, 2001
5,775
0
0
<<Here is what I *think* we need, please DO advise on the decisions>>
Here goes, but remember, this advice may be worth exactly what you are paying for it

1) T1 termination: Cisco 1750 w/ CSU/DSU
This includes VDF (voice/data/fax) support. If not planning to use, go with a data only model and put the extra $$$ somewhere else.

2) Firewalling: not sure yet. I have a SonicWall firewall "appliance" that was left over from an earlier consultant. Would this work?
Any hardcoded or practical user or throughput limits? Still depends on the model and age, and other factors. Best course is to decide all the kinds of traffic you need to support, then all the types of access control you want to perform on that traffic, and then make this decision. Separate box.

3) Email Hosting: Exchange server 2000 running on a Win2k Server
Good choice, if you want the shared calendaring and groupware features. If you just want mail, there are definitely cheaper, better solutions. If going w/ EX anyway, stay up on Service Packs. Make sure you have good antivirus (prefer NAI/McAfee) and tape backup (prefer Veritas) systems, with appropriate procedures. Exchange environments perform best with a server dedicated to running Exchange. W2K (which EX2K requires) also needs a few important infrastructure services to be running (AD, DDNS, and then some other niceties like DHCP and WINS sure help with stability, availability). Another box for these infra-services.

4) Email Scanning and Admin:
Prefer NAI/McAfee Enterprise (they've changed the suite name several times).

5) Web based email: Web Based Outlook through Exchange 2000
A *HUGE* security hole in OWA was recently revealed. Last I heard, MS released two consecutive patches, both of which cause Exchange Servers to hang within 24 hours. Have not heard of a permanent fix. Avoid this.

6) Web site hosting: IIS through 2000 server
Two words: CODE RED. Seriously, if this is a public server, make it a separate box located on a DMZ network. If a private server, don't allow unencrypted, unauthenticated connections to it. Install some AV either way, and maybe an IDS system.

7) VPN: PPTP and Win2k Server VPN Server
I would make sure any authenticated user connecting from outside, no matter what the service, had to come in via an encrypted VPN tunnel. At the number of users you are talking about, look at a VPN concentrator, separate from your firewall and router. Another piece of hardware.

8) Terminal server for Win2k
Works well, but needs *LOTS* of horsepower. Every user session requires its own system resources on the same box. Also, licensing can get quite pricey. Expect the Terminal Server to be more "crashy" than a normal Win2K box. Will need to know what applications/environments you plan to use to give better advice. Probably the beefiest of your boxes.

<<I've got a pretty nice quote from Dell on one of their Poweredge 1400 Servers to take care of the hardware requirements. They will also toss on Win2k Server as well.>>
I daresay that a single 1400 would never handle all this with enough stability or performance, no matter what size your outfit.

FWIW, and HTH
 