Thursday, May 01, 2008

Preparing your Network for Small Business Server 2008

Well, as you know, Small Business Server 2008 is scheduled to be released at the end of this year, and it's coming with a rather big change that I wanted you to be ready for: the server will be a single-NIC solution only. Moving forward, you should start thinking about removing the dual-NIC configurations at your sites to prepare for a migration to SBS 2008, if you choose to make one.

Why was this decision made, you ask? It comes down to two things. First, customer research showed that the majority of installations are single-network-card solutions sitting behind a hardware firewall router. Second, the operating system itself no longer offers a network (as opposed to host) firewall, which is explained below.

In Windows Server 2003 as originally released, the firewall included with the operating system was the basic firewall built into RRAS (Routing and Remote Access Service). With the release of Windows Server 2003 SP1 (and XP SP2), the Windows Firewall was introduced, leaving administrators of medium to enterprise networks with questions about which was the better firewall to use.

With the release of Windows Server 2008, the firewall component of RRAS was removed in favor of the Windows Firewall. The reasoning is that the Windows Firewall uses more capable inspection than the RRAS firewall did (think of the Windows Firewall as closer to ISA, although clearly not all the way there, and of the RRAS firewall as closer to one of those consumer routers under $50 that do port blocking only). Clearly the Windows Firewall is the better choice for protecting the host.

However, the Windows Firewall is designed to protect the local box only; it does not protect network (more specifically, NAT) traffic passing through the box. The NAT function that comes with RRAS in 2008 sits lower in the network stack than the firewall (in 2003 they were at the same level, or at least worked together). Because the Windows Firewall does not see NAT traffic, inbound traffic to port "X" that is not addressed to the local machine is forwarded through the machine without the Windows Firewall's knowledge. So, as designed, the Windows Firewall is a host firewall only: it does *not* protect NAT traffic, and a rule that blocks port "X" on the server says nothing about whether port "X" is reachable on the LAN behind it.

Because of this change in operating system behavior and the customer research, Windows Small Business Server 2008 will support a single network card, with the requirement of a separate firewall to protect the network. This can be your favorite hardware or software firewall (or a combination, of course!).
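A check a practitioner will want before and after the cut-over, added here as an example and not taken from the original post or from Microsoft: a PowerShell audit that reports whether a server is still wired as a dual-NIC edge device, whether RRAS is still NATing (traffic that the host firewall never sees), and whether the Windows Firewall is on for every profile. The WMI class, the service name `RemoteAccess`, the `netsh routing` and `netsh advfirewall` contexts, and the string matches on netsh output are assumptions about the Server 2003/2008-era tooling; run it in an elevated console.

```powershell
# Added example, not from the original post or from Microsoft: audit a server
# for the single-NIC, host-firewall-only posture SBS 2008 expects.
# Assumptions: Windows Server 2003/2008 with PowerShell, run from an elevated
# console; the WMI class, service name and netsh contexts used below are the
# ones shipped with those releases, and the string matches on netsh output
# are assumptions about its wording. The script reports findings; it changes nothing.

$findings = @()

# 1. Count IP-enabled adapters. More than one usually means the box is still
#    wired as a dual-NIC edge device (one LAN adapter, one WAN adapter).
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True")
if ($nics.Count -gt 1) {
    $list = $nics | ForEach-Object { $_.Description + " [" + ($_.IPAddress -join ",") + "]" }
    $findings += "More than one IP-enabled adapter: " + ($list -join "; ")
}

# 2. In a single-NIC design the default gateway is the separate firewall/router.
#    No gateway on any adapter suggests the server is still routing for itself.
$gateways = $nics | ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ }
if (-not $gateways) {
    $findings += "No default gateway configured; the server may still be the edge router"
}

# 3. RRAS (service name RemoteAccess). If it is running, look for NAT interfaces:
#    traffic NATed through the box bypasses the host firewall entirely.
#    'netsh routing' is the Server 2003 context (assumed output contains 'Mode');
#    where the context is absent the check falls through to a plain warning.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($rras -and $rras.Status -eq 'Running') {
    $nat = netsh routing ip nat show interface 2>$null
    if ($LASTEXITCODE -eq 0 -and ($nat -match 'Mode')) {
        $findings += "RRAS is running with NAT interfaces configured (forwarded traffic is not filtered by Windows Firewall)"
    } else {
        $findings += "RRAS is running; confirm in the RRAS console that NAT is not enabled (VPN-only is fine)"
    }
}

# 4. Windows Firewall must be on for every profile. 'netsh advfirewall' exists
#    on Server 2008; on Server 2003 SP1 fall back to 'netsh firewall'.
$fw = netsh advfirewall show allprofiles 2>$null
if ($LASTEXITCODE -eq 0) {
    if ($fw -match '^State\s+OFF') {
        $findings += "Windows Firewall is OFF for at least one profile"
    }
} else {
    $fw = netsh firewall show state
    if ($fw -match 'Operational mode\s*=\s*Disable') {
        $findings += "Windows Firewall is disabled"
    }
}

if ($findings.Count -eq 0) {
    "OK: one IP-enabled adapter, default gateway set, no RRAS NAT, Windows Firewall on"
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it once on the dual-NIC box to see the current state (expect findings on the adapter count and RRAS), then again after the firewall device is in place and the second adapter is disabled; a clean run is the point at which the host firewall is the only thing the box is expected to do, and the edge device is what protects the LAN.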



Internet Security and Acceleration
I also wanted to add some information regarding Internet Security and Acceleration Server (ISA). As you probably noted from the website, ISA is no longer included in the Premium offering of SBS 2008. It has been replaced with a second copy of Windows Server 2008 Standard, which can be used to run ISA on the edge of your network, or a line-of-business application with SQL. ISA must be purchased separately.

For those of you under Software Assurance, Microsoft will have some "make-good", to be announced around the time the product ships, most likely in the next few months.

16 comments:

Unknown said...

Any word on whether current SBS2003 Premium customers with Software Assurance will get something to allow them to continue using ISA?

Sean Daniel said...

Paul,

Thanks for your comment, I have appended the post above. Essentially Microsoft will make-good on the software assurance customers. This will be announced in the next few months along with the product as it goes public.

Stay tuned ....

David Schrag said...

Sean, please clarify what steps, if any, are recommended for existing dual-NIC SBS03 installations, and why these steps are necessary. Moving a production server from dual-NIC to single-NIC is no small affair, and I think I speak for most in the community when I say we only want to do this if there's going to be a big reward for doing so.

Sean Daniel said...

A reward? like saving time on your next migration? That's a pretty good reward...

It's actually not as difficult as you think. The team is still working on exact steps, but you set up your firewall device and plug it into the LAN with the LAN NIC. Then you move the WAN link from your SBS WAN NIC to the WAN port of the firewall device, then run CEICW on the 2003 box and switch it to single-NIC.

David Schrag said...

But what's the advantage of changing a working configuration now? Why not just wait until it's time for migration? If it's as simple as you say, then doing it now saves you only a few minutes at migration time. On the other hand, if it doesn't go smoothly (and believe me, I've been there) then you've taken a working system and broken it.

Anonymous said...

If the SBS 2003 Premium License isn't OEM then ISA 2004 can be used on the 2nd Windows 2008 server after migrating SBS 2003 to SBS 2008, correct?

Sean Daniel said...

Unfortunately, the ISA version that comes with SBS 2003 is only licensed to run on SBS 2003; that copy cannot be used on any server other than SBS 2003.

Sorry.

Anonymous said...

No more ISA in SBS? That sucks. All my clients have dual NICs and ISA is the gatekeeper of their network.

In-my-not-so-humble-opinion, ISA is also the way to go. Other firewalls, such as Sonic, require a yearly subscription. And now I have to push that down my client's throats.

JamesNT

Philip Elder Cluster MVP said...

I too am disappointed with the loss of ISA.

We are at 99% SBS 2K3 R2 Premium level with our clients.

ISA was a huge selling feature for our clients. Especially those in the professional services industries that are covered by compliance regulations and liability rules for their workers.

The protection offered by ISA was second to none and, in the case of our smaller clients will be sorely missed.

Philip
MPECS Inc.

Sean Daniel said...

Hi Philip,

ISA can still be run on the second server you get with Premium. It just has to be purchased separately.

Thanks for your comment!
Sean

Michael said...

Seems a second server will be required for 2008 Premium's firewall. Why not just buy Standard edition and use a free firewall like IPCOP, Endian, or Untangle on a cheap Linux box?

http://www.synergymx.com/page.php?Title=Review_-_IPCop_Firewall_1.4/

Anonymous said...

I wonder which customers Microsoft asked about this? Like others, all of our SBS customers use a dual-NIC configuration. SBS even replaced some hardware firewalls since the customers liked/wanted the consistent Windows management interface. This is very disappointing. The cost to small business just went up.

Anonymous said...

As usual it's one step forwards and two backwards for Microsoft! Almost all our current networks are SBS 2003 Premium dual-NIC with ISA Server. It works well, is a complete integrated system and is modular! So what if most users only use a single-NIC solution? With 2003 it doesn't matter; you can do it either way!! Purchasing ISA Server separately (per CPU count and user count etc.) PLUS an additional server box is, in my opinion, just completely ridiculous. More expense, more to go wrong, etc. etc.
The REAL cost will be more. If it's not, I'll eat my shoes.
It's the same as when they went from SBS 2000 to SBS 2003: take out the terminal server licences and only allow 2 simultaneous connections.
Come on, people! Microsoft only give the ILLUSION that they're really offering more. 2008 may be easier to set up, easier to configure and easier to implement, but it ain't better value for money!
And no, I'm not going to use a $50 router to do the job of ISA Server.

That's my little rant for the day. I feel better now.

Sean Daniel said...

Thanks for all your comments. Customers under SA will get a copy of ISA to use on a secondary server in the network. And if you don't get an SA copy of ISA, we actually recommend a higher-quality router than the $50 home-class routers, something like a SonicWALL or WatchGuard.

dazzabozza said...

Hi Sean

With 2 NICs being unsupported, I have a question: for our clients we use a 2-NIC setup in SBS 2003 (default gateway) along with Ethereal packet capture to detect things like PCs that may be infected with spam engines, etc. What would you suggest as a suitable alternative?

Darryl

Sean Daniel said...

The best way I have seen to do this is to replace your router with an ISA server. If it's important to the customer to track internet usage, then the cost of ISA is justifiable. There are lower-end routers that can do the same too. I would start there.