Posted by Bryan L on February 19, 2007, 11:02 am
Right.
Network info:
SBS has a single NIC; everything is currently behind an older SonicWALL
router/firewall doing NAT. Very soon we will be running with a Cisco 2800 series
router behind a Cisco ASA firewall. Current rules use 1:1 NAT from a public
IP dedicated to the SBS. Going forward with the new firewall, I'm not sure if I will
continue to use 1:1 NAT or if I will port-forward only the traffic explicitly
allowed for the SBS. The latter is, I'm sure, more secure, but I'll need to
work out exactly what ports I need to allow.
> Bryan,
>
> I have cross-posted this to the SBS newsgroup.
>
> Also, you have not detailed the physical network config,
> which is needed info; i.e. is the SBS dual-nic'd and/or
> is this all behind a hardware router with or without
> firewall capability, etc..
>
> Roger
>
>> My current servers / roles:
>>
>> - 1 SBS 2003 R2. This means it's running AD, Exchange, and IIS (for OWA
>> & RWW).
>> - 1 Server 2003 R2 File Server (very new and high-powered)
>> - 1 Server 2003 SP1 running SQL 2000 - part of our mission-critical CRM
>> app.
>> - 1 Server 2003 SP1 running IIS - part of our mission-critical CRM app
>> (it's a .NET 1.1 App).
>> - 1 Server 2003 SP1 - Very old, hardware becoming unreliable, it
>> currently hosts our DNN/IIS based electronic in-out board, local only
>> (not published), and a SQL server used by email archiving/indexing
>> software. Used to also be our file server but due to being unreliable,
>> the new, high-powered server was brought in to replace it.
>>
>> Here's the deal: I want to finish migrating stuff off the old server so I
>> can retire it. But I also want to add some new roles/abilities, and
>> that's where things get sticky.
>>
>> What I want to do:
>>
>> - DCPromo another server so I have a backup of the AD on my SBS.
>> - Migrate and Publish the DNN/IIS in-out board so it's accessible from
>> offsite
>> - Migrate the SQL server off the old box.
>>
>> Restrictive Issues:
>> - The CRM vendor strongly recommends not adding roles to the servers
>> running their app; ignoring this probably means I'd be running in an
>> unsupported configuration. If at all possible, they should remain
>> dedicated servers to their app only.
>> - Best practices says (iiuc) that I shouldn't host AD on a published IIS
>> box.
>> - The SBS is already doing a lot - our sharepoint-based intranet also
>> lives there, along with our domain-wide antivirus management.
>>
>> My options as I see them:
>>
>> - I could load all this stuff on my new server -- it certainly has the
>> power. But that would put AD, IIS, and SQL all on the same machine. Not
>> just IIS, but a *published* IIS site (though it would be for employee use
>> only).
>> - I could ignore my CRM vendor's advice, install DNN on the CRM's IIS
>> server, and migrate and publish the DNN site on that server. AD and SQL
>> could then be put on the new file server.
>> - I could use the free vmware server on the new file server to host AD or
>> IIS virtually. Not sure which role would be better suited to a virtual
>> machine, but the other role could be hosted directly on the file server.
>> I've never used the free vmware server before.
>> - I could install DNN on my SBS, since it's already a published IIS
>> server.
>>
>> As you can see, each of those options has its flaws, but for now getting
>> an additional new server is out of the question. I've also wondered
>> about the fact that my SBS is already running AD and a published IIS
>> server on the same box. Would I increase my attack surface by the same
>> amount whether I publish the DNN site on my SBS, or whether I host AD and
>> the DNN site on my new file server? I'm not security-savvy enough to
>> see which option presents the fewest security evils. Or is there another
>> option I'm not seeing?
>>
>> Thanks in advance for all comments, and for reading a long post.
>>
>> Bryan
>>
>
>
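The 1:1 NAT versus port-forward choice Bryan raises above, as an added illustration that is not part of the thread: a Cisco ASA configuration (pre-8.3 `static` syntax, which matches the ASA generation of that era) showing the broad 1:1 mapping beside a port-restricted one. The addresses 203.0.113.10 (public) and 192.168.1.5 (SBS) are placeholders, and only the services the thread names (OWA/RWW over HTTPS and inbound SMTP for Exchange) are opened; the full port list still has to be worked out as the post says.

```cisco
! Weak: 1:1 static NAT plus a permit-ip ACL exposes every listening
! service on the SBS (AD, SharePoint, SQL, etc.) to the Internet.
static (inside,outside) 203.0.113.10 192.168.1.5 netmask 255.255.255.255
access-list outside_in extended permit ip any host 203.0.113.10
access-group outside_in in interface outside

! Corrected: static PAT for only the published services, and an ACL
! that permits only those ports. Everything else on the SBS stays
! unreachable from outside even though it shares the same public IP.
! (Port list is an assumption limited to services named in the thread.)
static (inside,outside) tcp 203.0.113.10 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 smtp 192.168.1.5 smtp netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-list outside_in extended permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
```

With the second form, `show xlate` on the ASA lists only the per-port translations, which is a quick way to confirm that no unintended service on the SBS has a public mapping.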