
Advice on new network setup

DanielUK (IS-IT--Management), Jul 22, 2003
Hi, not sure if this is the best forum for this.

I'm after a bit of advice on the upgrading of our existing network and software as we move to a bigger premises.

Current situation: I work in a small mail order/call center environment with about 11 users currently running on a Win2k network (1 Win2k DC and a member server as backup) with a 3Com OfficeConnect unmanaged 16 port switch. Broadband is provided by an inexpensive Netgear ADSL Modem Router DG834 and I have a backup ISDN router which is a Cisco 801.

So far this setup has worked fine and been managed by myself as the only IT person in the company.

This new move to a bigger place will bring the opportunity to expand the number of staff (to a maximum of 30) working in the same building. We're also changing to a more robust database system, which will mean a lot of database traffic going to and from the database servers. The good thing with this database app is it's geared for thin clients, so I can re-use some of our existing hardware.

I have a limited budget to set up what I think I need, which has to be manageable by one person and hopefully use some existing hardware. I plan to keep my DC and member server and get two new 2003 servers (1 as backup) purely for the database application.

So, I need recommendations for the following:

1. A single 48 port 10/100 switch. Not sure whether an unmanaged switch will be good enough, but I hear good things regarding the HP ProCurve 2650.


2. A printer server... will any old machine do, e.g. a Celeron 500 with 1 GB RAM?


3. A Terminal Services server...again, what specs should this be? FYI, the client machines will connect to the database app via RDP through the Terminal Services server. We're also going to allow RDP from outside so the odd user can access the database app from home.


4. Broadband and firewalling/security. I'm not sure whether my cheap DG834 is up to the job or whether I should be looking at something beefier, or maybe a separate hardware firewall? We use broadband for browsing and emailing, and it will be used for the link between our database stock system and our remotely hosted websites, to update stock etc. Ideally I would like something not too expensive and easy to manage, as I had a helluva time setting up my Cisco 801 ISDN router!


5. Email. We currently (and very clumsily) use Outlook Express on a number of workstations. I need to move up a step to something that is more centrally managed and that at least gives a shared inbox. Will Outlook do this? Exchange is a bit costly at this time and seems to be very resource hungry, both in managing and hardware, so I'm keen to avoid it at this stage. Any suggestions on how to manage this?


Thanks in advance for any advice on any of the above!

Dan
 
For the size of setup that you are talking about, have you considered Small Business Server? This is reasonably priced and comes with Exchange Server and a selection of great tools, including secure remote access if you needed it.

We use HP switches and they are excellent, if a bit on the pricey side. For lower priority areas we sometimes use Netgear, which have also never given us any problems.

We also run a print server that serves 16 busy laser printers and a colour copier, and that is a P3 1GHz with 1 GB RAM.
 
Thanks, this is the sort of advice based on experience I need. I like the thought of Exchange, but it scares me the amount of management it might take to set up and run properly.

Thanks

Dan
 
1. Any switch will probably suit your needs. If you want to get fancy and start doing VLANs, QoS, and such, then you may want to look into getting a managed switch. But if your switch will be in a fairly secure location and you just need basic functionality, just about anything with 48 ports will do. My personal preference is Cisco, but HP makes good switches as well.

2. You could use just about anything as a print server and it would be able to handle it. But rather than getting yet another box, consider this: You have 2 servers running Windows 2000, one is a DC and one is a member server. You don't have a second DC for fault tolerance, which is bad. I would recommend promoting your member server to a DC; that way if one of the servers dies you will still have the ability to log in to the domain. I don't know what's on your current DC, but you could use one or the other of them for file sharing and printer sharing. Print servers really don't generate much of a workload unless you're serving thousands of print queues.

3. This is probably the hardest question of the bunch, because sizing a terminal server properly requires knowing what the workload is going to be. How many users are going to be using it simultaneously, and how CPU and I/O intensive is the application that it will be running? Will this application server also be hosting the database for the application as well, or will that be on a different box? If so, then the specs will increase. What database is this application running on? How big of a database is it? All of those factors will go into the mix. Hopefully your software vendor will be able to help you size something appropriately.

4. I'm not familiar with the DG834, but if it is serving your needs then I would stick with it. However, if you are looking into remote access for users from home you may want to move up to something that supports VPN connections. The Cisco ASA lines are pretty nice firewalls, and also do IPS/IDS and IPSec and SSL VPNs as well as DMZs. If you intend to allow your users to connect to the terminal server from home, you will want some sort of VPN solution rather than just allowing all inbound RDP traffic to go through to your terminal server that hosts your main business critical application. One possible solution is a device with a DMZ port that supports VPN. Then you have your remote clients VPN to the box in the DMZ (which would be a terminal server), and from there access their applications. That way you have two layers of firewall between your systems and the Internet.

5. Outlook won't get you anything that Outlook Express doesn't if you aren't using some sort of centralized mail system. Outlook Express is a POP3/IMAP mail client. Outlook is a more featured mail client that can do POP3/IMAP and MAPI, and that also supports calendars, contacts, etc., but it is still only a mail client. You need a server that supports that functionality, which means Exchange.

What it sounds like to me is that your company is getting ready to make a leap from the SOHO to the small office size of infrastructure. You're basically talking about an entire infrastructure upgrade. It sounds like the company is beginning to grow into areas that you don't have a lot of experience in (technology-wise, anyway). You probably want to start shopping around for some local companies that specialize in small business infrastructure design and sales. Most fair-sized cities will have a number of companies that can provide solutions for you, and having a partner to help you come up with solutions that meet your needs can help you avoid potential problems and learn a little more.
 
DanielUK

As porkchopexpress pointed out, 2003 Small Business Server will give you what you need.

I am the only one in IT here and, like you, we grew rapidly from 10 to 65 people with a huge warehouse and all. I currently have set up a 2003 SMB for DC and mail services, my main DB server and a DMZ server (Linux) that sits outside of my Sonic firewall.

We use PuTTY to gain access to the db programs and the DMZ server controls the web site.

All PuTTY (free program) requires is a password that is controlled by the DC (Kerios).

The DMZ server has only 2 users and both had passwords generated by Apache web server (standard web security).

The SonicWall firewall is set up with a main (DSL) and an opt (ISDN) in case the main should drop. SonicWall helped set it up at no charge and I have found their help desk excellent.

The switches were given by DELL when I bought 2 servers (if you spend your money with them they will give you gifts) and they work just as well as any out there.

I use Exchange that came with SMB2003; this allows sharing of calendars and folders.

I use an old Dell LS700 for print services, but only for the older dot matrix machines; the newer lasers are IP direct.

I set up NetGear access points in repeating mode to cover the warehouse with WiFi, using WEP and access control to ensure security. This covered the scanners within the warehouse (inventory control).

Overall the network runs fast and smooth and I have increased productivity and reduced downtime for under $15,000. That's for:

2 servers
1 Sonic Firewall
3 Netgear Access Points
1 SBE 2003 Software

bob

"ZOINKS !!!!!"

Shaggy

 
The only concern that I have about Small Business Server is that I don't think it can be integrated into an existing domain, which you already have. Otherwise that might be a good place to start.
 
What is your current domain?

Windows 2000, NT, ?

To get where you need to go you might have to do some destructive work and rebuild your domain, or once you get the 2003 SBE installed promote it to DC and demote the other box.

bob

"ZOINKS !!!!!"

Shaggy

 
Thanks guys, this is extremely useful.

kmcferrin, sorry my lack of terminology got the better of me; the "member server" I referred to is a DC, I set it up in case the PDC crashes.

Both existing DCs are Windows 2000. I plan to keep them in their current role as DCs but remove our existing database app from them in favour of using two brand new Windows 2003 Servers for running the new database application and its backup/shadowing.

The software vendors are providing the new database app servers so they'll be able to size them appropriately. When I've asked about an existing setup they've said that the clients RDP into the database app via a Terminal Services server, and this is in a 60 user environment. I'm guessing that is then the best way to go. Probably best I get details of the TS server from them.

I'll look into using the other DC as a print server, thanks for the tip.

Bob, sounds exactly like our scenario with warehouse etc. How do you find managing the Exchange server by yourself? Unfortunately I do everything related to IT in the company, from building websites, driving e-commerce forward, database management as well as looking after the network. Is your kind of setup pretty much self running?

Thanks for all the information, I'll read and digest tomorrow.

Dan
 
DanielUK

The way I set up the network was to make it as reliable and self reliant as possible. The setup I did was to utilize the SUSE Linux box (DMZ server) with its POP3 and SMTP mail capabilities to filter email and forward it to the Exchange server. This keeps the Exchange server hidden from unwanted sources that might try to take it over, and decreases the chances of getting viruses and unwanted email.

The DMZ server also hosts our web site and provides the security for the website.

The Exchange server is basically a storage area that gives us the capabilities to share calendars and folders. Plus it gives the company security knowing emails are now being backed up.

I use SonicWall's VPN system for any users that need to access the system to get email or any file.

I am currently taking a DELL 4100 and setting it up as a backup DMZ utilizing the SUSE heartbeat program; this way if the main DMZ skips or goes down the backup will take over the main's IP address, thus our customers will never know of the outage.

PuTTY is a Telnet program that my dealers use to access their records on my database system from the outside, but to gain access to this data they have to go through the DMZ server, which only allows them access via login and password (strictly enforced by Kerios). This way none of my systems sit outside and the only way in is through the DMZ server or hacking the SonicWall.

bob

"ZOINKS !!!!!"

Shaggy

 
Thanks again Bob,

Which SonicWall firewall do you use? They do a few smaller ones that look as though they might do the trick.

Does the firewall physically connect to a modem/router or is all that within the firewall itself? Sorry if that's a stupid question!

I have a question on the network topology that should be used in this scenario. As I see it it's:

Internet --> Modem/Router --> Firewall (e.g. SonicWalls) --> Switch (e.g. ProCurve 2650) --> Internal Network

Does that sound about right? Again, sorry if it's a daft question.

Thanks

Dan

 
DanielUK

The internet connects to the modem/router, which then connects to the firewall (Sonic 4060, but the TZ170 are excellent too), then to the switch and out to users.

The 4060 model came with both a WAN port, LAN port, an extra port and an optional port for fail over.

The TZ170 comes with only the WAN port, but you can upgrade and initialize the option port.

Both are easily configured and you can use them as your DHCP or to provide updated virus protection to your users. The VPNs, whether site-to-site or individual, are a snap to configure with step by step procedures built in, or just use their wizard.

bob

"ZOINKS !!!!!"

Shaggy

 
Thanks Bob, that's really useful information and will help me decide on what hardware I need.

Thanks again

Dan
 
Hi Bob, have got another question about SonicWalls.

It now turns out we don't really need a Terminal Services server, but I do want one or two people to be able to access the database app from home from time to time. Would the SonicWall VPN system negate the need for a TS server or DMZ server to sit between the database server and the internet? Or is it essential from a security standpoint to have a DMZ server for the purposes of logging in to the database app?

Thanks again

Dan
 
It's not truly necessary to have a server in the DMZ for TS if only a couple of people need to access the server remotely. You can just as easily let them come in via VPN directly to the internal zone. But in such a case, I would definitely make sure to restrict their traffic only to the necessary server.

I'm also assuming that the DB server is a TS server as well.
 
Thanks kmcferrin,

I've been reading up on firewall topologies and thinking, rather than having an authentication server in the DMZ and the setting up and maintenance required, is it worth having another firewall device in place to create a second layer of firewall protection? I'm not sure if I like the idea of a hacker being able to get past one layer of firewall defence before he hits the internal network. Or is a server in the DMZ the only way to go to give a second layer?

Thanks

Dan
 
The DMZ is basically a way to get a second layer without the extra cost and complication of using two firewalls. If someone managed to get control of the server in the DMZ, they still have to get through the firewall again to get to the internal network. If your firewall is set up properly then there will be only the bare minimum ports opened between the DMZ and the internal network, and those will only be open between the specific hosts that would use them.
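The two replies above (let VPN users in only to the one server they need, and open only the bare minimum ports between specific DMZ and internal hosts) boil down to a zone-based policy with an implicit deny. The following is an added example written for this thread, not code from any poster or from SonicWall: a small policy evaluator in Python that models that principle, plus an audit check that flags any allow rule into the internal zone that is broader than one host and one port. All addresses, zone names, hostnames and the rule set are constructed sample values; the DMZ web server, internal DB/TS server, SQL Server port 1433 and RDP port 3389 are assumptions for illustration.

```python
"""Toy zone-based firewall policy evaluator (added example, not from the thread).

Models the rule of thumb discussed above: a DMZ host and VPN users may reach
only the specific internal server/port they need; everything else between
zones is denied by default.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed sample addressing (documentation / private ranges, not a real site)
ZONES = {
    "wan": ip_network("0.0.0.0/0"),      # catch-all: anything not in a named zone
    "dmz": ip_network("192.0.2.0/24"),
    "lan": ip_network("10.10.0.0/16"),
    "vpn": ip_network("10.99.0.0/24"),   # address pool handed out to VPN clients
}

DMZ_WEB = ip_network("192.0.2.10/32")   # hypothetical public web / login server
LAN_DB = ip_network("10.10.0.20/32")    # hypothetical internal database / TS server


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"


RULES: List[Rule] = [
    # Internet may reach the DMZ web server on HTTP/HTTPS only
    Rule("wan", "dmz", ZONES["wan"], DMZ_WEB, "tcp", 80, "allow"),
    Rule("wan", "dmz", ZONES["wan"], DMZ_WEB, "tcp", 443, "allow"),
    # DMZ server may talk to ONE internal host on ONE port (SQL Server, 1433)
    Rule("dmz", "lan", DMZ_WEB, LAN_DB, "tcp", 1433, "allow"),
    # VPN users may RDP to that same host and nothing else inside
    Rule("vpn", "lan", ZONES["vpn"], LAN_DB, "tcp", 3389, "allow"),
    # LAN may browse out
    Rule("lan", "wan", ZONES["lan"], ZONES["wan"], "any", None, "allow"),
]


def zone_of(ip: IPv4Address) -> str:
    """Longest-prefix match of an address to a zone; 'wan' (/0) catches the rest."""
    return max((z for z, net in ZONES.items() if ip in net),
               key=lambda z: ZONES[z].prefixlen)


def evaluate(src: str, dst: str, proto: str, dport: int,
             rules: List[Rule] = RULES) -> str:
    """First-match evaluation of a flow with an implicit final deny."""
    s, d = ip_address(src), ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"   # nothing matched: traffic between zones is denied by default


def audit_inbound_rules(rules: List[Rule] = RULES) -> List[int]:
    """Indices of allow rules into the LAN that are broader than one host and
    one TCP/UDP port, i.e. that break the 'bare minimum between specific
    hosts' principle from the thread."""
    flagged = []
    for i, r in enumerate(rules):
        if r.action != "allow" or r.dst_zone != "lan":
            continue
        if r.dst.prefixlen != 32 or r.dport is None or r.proto == "any":
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    # A few constructed flows: direct RDP from the Internet is denied,
    # RDP over the VPN to the one permitted host is allowed.
    for flow in [("203.0.113.7", "10.10.0.20", "tcp", 3389),
                 ("10.99.0.5", "10.10.0.20", "tcp", 3389),
                 ("192.0.2.10", "10.10.0.20", "tcp", 445)]:
        print(flow, "->", evaluate(*flow))
    print("over-broad inbound rules:", audit_inbound_rules())
```

Feeding the same table into `audit_inbound_rules` after someone widens the VPN rule to the whole LAN with "any" port makes the check flag it, which is the kind of review a single-person IT shop can script rather than remember.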
 
Thanks kmcferrin,
I'll look into what's needed to set up a DMZ server to do this.

Question for Bob (rphips): We need to get a printer for the warehouse to print off dockets/labels etc. Just wanted to ask your advice and see what you use for this?

Thanks

Dan
 
DanielUK

Since we use a lot of 3 part paper I use a simple dot-matrix printer. Labels are printed using a Zebra 1700 label machine, all tied in via an HP print server that is controlled by the print server, since our DB program likes (works better) this way. I also deploy 4 dot matrix printers via wireless print servers so they can be moved around the warehouse; this way users can scan product and print out what they need right there.

kmcferrin is correct in that if you only have a couple of people utilizing the outside access a VPN might be a better way to go. We are a COOP and have thousands of dealers hitting our site daily, so I need the double layer of security.

Glad to be of help, any other questions feel free to ask.

bob

"ZOINKS !!!!!"

Shaggy

 
Thanks Bob, again, really useful information.

I guess Dot Matrix printers are pretty bomb proof in a warehouse setting. Hadn't considered them.

Could you tell me what make scanners you have and how they interface over wireless with your database? I'm assuming they feed the information straight into the inventory control app rather than storing the information and then having to be docked and transferred?

Thanks again,

Dan
 
Good week a coming

Scanners: I use Symbol scanners that connect directly to CSP pages (the database interface); this way when they scan, the model numbers are placed directly into the database where needed. Since I control the database I modify the CSP pages and the code on where to place the data.

The scanners connect to the 3 access points in bridge mode, kind of in a V shape, with the main one in the middle with 9 decibel antennas, one to the far right with 5 dB antennas and one to the far left. Both the left and the right communicate with the master in the middle but not with each other. Using 128 bit WEP and access control for security.

bob

"ZOINKS !!!!!"

Shaggy

 