Happy HOT summer Saturday to you - at least if you are reading in North America!
I am the author fo Windows Small Business Server 2003 best Practices (SBS 2003) and I am posting up a few pages per day unitl SBS 2008 ships!
Today the topic is a under-the-hood lookat SBS 2003's VPN/ architecture. Enjoy!
cheers....harrybbbb
Harry Brelsford
CEO at smb nation, www.smbnation.com Microsoft Small Business Specialist (SBSC), MBA and other goodness like CNE, MCSE, MCT, CLSE, CNP
PS did u know I host a major rager SBS conference in early october in Seattle?
###
Under the Hood: VPN
So what’s the technical view of the VPN connection just made? Figure 8-32 shows the port-activity related to the VPN connection.
Figure 8-32
Observe that Port 1723 is being used for the VPN connection between a remote computer and SBS 2003.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
BEST PRACTICE: Regarding the day-to-day use of VPN connectivity in SBS 2003, I suggest you view this as a dial-on-demand approach. Whenever I’ve seen SBS sites that view the VPN area as full-time, 7/ 24 connectivity between branch offices, I’ve actively discouraged such thinking, because SBS isn’t positioned as a branch office solution. But it’s fine if a traveling Norm Hasborn needs to VPN into the SPRINGERS network to do some voodoo.
VPN and NAT-T
Finally, it’s beyond the scope of this text and it’s something I’ll pursue in the advanced SBS book later (with step-by-step procedures), but be advised there is an issue with respect to having VPN connections when you place a hardware-based firewall router out in front of SBS 2003 and want to tunnel into the SBS network (especially if you’re adhering to the best practice of a dual firewall). This area is NAT-T over IPSec across the firewall. Technically speaking, IPSec NAT Traversal (NAT-T) allows IPSec clients and server to work when behind a NAT. To use NAT-T, both the remote access VPN client and the remote access server must be IPSec NAT-T-capable. IPSec NAT-T provides UDP encapsulation of IPSec packets to enable Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP)-protected traffic to pass through a NAT. IKE automatically detects that a NAT is present and uses User Datagram Protocol-Encapsulating Security Payload (UDP-ESP) encapsulation to enable ESP-protected IPSec traffic to pass through the NAT.
IPSec NAT-T is supported by the Windows Server 2003 family. As such, it’s supported in SBS 2003. Your next step might be to delve deeper into the issue with the Microsoft Press Windows Server 2003 Resource Kit or look up some articles on TechNet.
Showing posts with label smb nation. Show all posts
Showing posts with label smb nation. Show all posts
Saturday, August 23, 2008
Friday, August 22, 2008
SMB Nation 2008 Sold Out (?) and Launch Party
PRESS RELEASE
SMB Nation 2008 Fall Conference to Hold Launch Party: Small Business Server 2008 and Essential Business Server 2008.
MarketPlace Expo SOLD OUT!
Seattle, WA – August 22, 2008 - Boasting a completely sold out tradeshow hall and host hotel, SMB Nation 2008 will hold a Small Business Server 2008 (SBS) and Essential Business Server (EBS) LAUNCH PARTY on the Saturday night of its October 4-6, 2008 annual conference in Seattle. A 58’ Hatteras yacht will be christened the M.V. SBS 2008 on the pier at the party.
“With the SBS 2008 release-to-manufacturing (RTM) yesterday, we are thrilled to be timed perfectly for the SBS 2008 and EBS 2008 products debut and look forward to toasting its great success,” said Harry Brelsford, founder and CEO of the 20,000 member SMB Nation. “Our conference is uniquely positioned to motivate and educate the small and medium business (SMB) technology consultant, channel partner and computer guy and gal!”
SMB Nation 2008 appears to be outperforming similar technology events with the complete sellout of the MarketPlace Expo tradeshow hall and with attendance figures ahead of last year. “We believe the 600+ attendees will be treated to a unique educational experience and BE THERE for the start for the next generation of SBS and the first release of EBS!” Brelsford added. Over three busy days and nights, attendees will select from three (3) academic tracks including BusinessSpeak, GeekSpeak and “How To” that provide bona fide content without “being sold to.” SMB Nation 2008 has even added a “Speakers Behaving Badly” hotline where attendees can report any speaker from the 40+ content sessions that make commercial statements to insure the most pure attendee experience possible. “We want to avoid the wolf in sheep clothing phenomena,” emphasized Brelsford.
Sponsors and attendees will meet in the spacious Bell Harbor Conference Center. “At a time when similar technology shows are behind plan, we are ahead of plan” said Brelsford. “We believe this underscores the strength of the SMB segment and the optimism our sponsors have about the SBS 2008 and EBS 2008 opportunity.” Intel and Trend Micro are the platinum sponsors leading the event followed by HP and Microsoft. Gold sponsors include Autotask, CMIT Solutions, Aastra, SonicWall and Labtech. Silver sponsors include D&H, The Planet, Connectwise, Citrix, N-able, Reflexion, Tigerpaw Software, Nero, 19Marketplace, Symantec, StorageCraft, Acronis, Calyptix, MaxSP, Doyenz, EMC Retrospect, Quanta\Syspine, Zenith Infotech, Linked In, Backup Assist, CRU DataPort and WatchGuard. Bronze sponsors include Netgear, Untangle, CTL Computers, Level Platforms (LPI), MSP Partners, Linksys by Cisco, Comcast, Diskeeper, Expetec, New Global Telecom (NGT), Pronto Marketing, eFolder, CoreConnex, Highly Reliable Systems, SMB Books & Results Software, Technology Marketing Toolkit, Napera Networks, Independent Computer Consultants Association (ICCA) and Integrated mar.com.
Attendees can expect a high-quality conference with content that has been rigorously scrutinized by esteemed industry conference chairs (Dana Epp, Mikael Nystrom, Curt Hicks and Joe Moore). That has resulted in outstanding speaker selections such as Jeff Middleton, Susan Bradley, Ramon Ray and Amy Babinchak and popular topics such as How to Sell Your SBS\SMB Consulting Practice and Security in SBS 2008.
“So the last question is this. Where will you be October 4-6, 2008?” concluded Brelsford. Attendees can learn more and register at www.smbnation.com.
About SMB Nation
Founded ten years ago by Small Business Server author Harry Brelsford, Bainbridge Island, Washington-based SMB Nation supports small and medium business technology consultants to improve their business and technical skills with publications (books, SMB PC magazine) and events (SMB Nation conferences and workshops). SMB Nation boasts worldwide tribal membership in 30+ countries exceeding 20,000 consultants, resellers, VARs\VAPs and channel partners. Harry Brelsford is a Microsoft Small Business Specialist (SBSC) and holds an MBA from the University of Denver in addition to MCSE, MCT, MCP, CNE, CLSE and CNP certifications.
Contact:
Harry Brelsford
CEO, SMB Nation
206-915-3072
harryb@smbnation.com
Harry Brelsford | CEO | SMB Nation, Inc. | www.smbnation.com
Please attend our SMB Nation 2008 fall conference, October 4-6, 2008
Read Harry's SMB Dude Blog here
Download your copy of SMB PC magazine here
SMB Nation 2008 Fall Conference to Hold Launch Party: Small Business Server 2008 and Essential Business Server 2008.
MarketPlace Expo SOLD OUT!
Seattle, WA – August 22, 2008 - Boasting a completely sold out tradeshow hall and host hotel, SMB Nation 2008 will hold a Small Business Server 2008 (SBS) and Essential Business Server (EBS) LAUNCH PARTY on the Saturday night of its October 4-6, 2008 annual conference in Seattle. A 58’ Hatteras yacht will be christened the M.V. SBS 2008 on the pier at the party.
“With the SBS 2008 release-to-manufacturing (RTM) yesterday, we are thrilled to be timed perfectly for the SBS 2008 and EBS 2008 products debut and look forward to toasting its great success,” said Harry Brelsford, founder and CEO of the 20,000 member SMB Nation. “Our conference is uniquely positioned to motivate and educate the small and medium business (SMB) technology consultant, channel partner and computer guy and gal!”
SMB Nation 2008 appears to be outperforming similar technology events with the complete sellout of the MarketPlace Expo tradeshow hall and with attendance figures ahead of last year. “We believe the 600+ attendees will be treated to a unique educational experience and BE THERE for the start for the next generation of SBS and the first release of EBS!” Brelsford added. Over three busy days and nights, attendees will select from three (3) academic tracks including BusinessSpeak, GeekSpeak and “How To” that provide bona fide content without “being sold to.” SMB Nation 2008 has even added a “Speakers Behaving Badly” hotline where attendees can report any speaker from the 40+ content sessions that make commercial statements to insure the most pure attendee experience possible. “We want to avoid the wolf in sheep clothing phenomena,” emphasized Brelsford.
Sponsors and attendees will meet in the spacious Bell Harbor Conference Center. “At a time when similar technology shows are behind plan, we are ahead of plan” said Brelsford. “We believe this underscores the strength of the SMB segment and the optimism our sponsors have about the SBS 2008 and EBS 2008 opportunity.” Intel and Trend Micro are the platinum sponsors leading the event followed by HP and Microsoft. Gold sponsors include Autotask, CMIT Solutions, Aastra, SonicWall and Labtech. Silver sponsors include D&H, The Planet, Connectwise, Citrix, N-able, Reflexion, Tigerpaw Software, Nero, 19Marketplace, Symantec, StorageCraft, Acronis, Calyptix, MaxSP, Doyenz, EMC Retrospect, Quanta\Syspine, Zenith Infotech, Linked In, Backup Assist, CRU DataPort and WatchGuard. Bronze sponsors include Netgear, Untangle, CTL Computers, Level Platforms (LPI), MSP Partners, Linksys by Cisco, Comcast, Diskeeper, Expetec, New Global Telecom (NGT), Pronto Marketing, eFolder, CoreConnex, Highly Reliable Systems, SMB Books & Results Software, Technology Marketing Toolkit, Napera Networks, Independent Computer Consultants Association (ICCA) and Integrated mar.com.
Attendees can expect a high-quality conference with content that has been rigorously scrutinized by esteemed industry conference chairs (Dana Epp, Mikael Nystrom, Curt Hicks and Joe Moore). That has resulted in outstanding speaker selections such as Jeff Middleton, Susan Bradley, Ramon Ray and Amy Babinchak and popular topics such as How to Sell Your SBS\SMB Consulting Practice and Security in SBS 2008.
“So the last question is this. Where will you be October 4-6, 2008?” concluded Brelsford. Attendees can learn more and register at www.smbnation.com.
About SMB Nation
Founded ten years ago by Small Business Server author Harry Brelsford, Bainbridge Island, Washington-based SMB Nation supports small and medium business technology consultants to improve their business and technical skills with publications (books, SMB PC magazine) and events (SMB Nation conferences and workshops). SMB Nation boasts worldwide tribal membership in 30+ countries exceeding 20,000 consultants, resellers, VARs\VAPs and channel partners. Harry Brelsford is a Microsoft Small Business Specialist (SBSC) and holds an MBA from the University of Denver in addition to MCSE, MCT, MCP, CNE, CLSE and CNP certifications.
Contact:
Harry Brelsford
CEO, SMB Nation
206-915-3072
harryb@smbnation.com
Harry Brelsford | CEO | SMB Nation, Inc. | www.smbnation.com
Please attend our SMB Nation 2008 fall conference, October 4-6, 2008
Read Harry's SMB Dude Blog here
Download your copy of SMB PC magazine here
Saturday, August 9, 2008
Final Thoughts: WSS in SBS 2003
Hi gang - today we reach the end of Chapter 7 of Windows Small Business Server 2003 Best Practices - which focused on Windows SharePoint Services (WSS). I have a few random coolisms and then end by pointing you to 'day SharePoint man Bill English.
enjoy the read...harrybbbb
Harry Brelsford | CEO at SMB Nation | www.smbnation.com
Microsoft Small Business Specialist (SBSC) MBA, MCSE,MCT, CNE and other stuff!
###
Additional WSS Cool Stuff
Enough SPRINGERS step-by-step for a now. I want you to, in your free time, click around WSS and explore the following cool features (I will drill deeply into these areas in my advanced SBS book, so consider this a sneak peek!). You will want to use some or all of these cool things in the real world of SBSing to truly add value.
Documents
Granted, you’ve already worked a lot with documents in this chapter, but I highly recommend you delve deeper into the documents area to learn more. By clicking on Documents and Lists, you can see the types of documents that are suggested for storage in WSS. You will appreciate the descriptive text.
BEST PRACTICE: The incoming fax archive and its functionality to
the fax service (more in Chapter 9) is unique to SBS 2003.
Pictures
This link defines itself but you might use this area as a photo archive.
Notes:
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Resources
Here are some pointers to some additional SharePoint resources. This chapter, while capable for launching you into using WSS in SBS 2003, is only a start. You have much work ahead of you to master WSS!
Bill English books
Buy anything written by Bill English, a leading SharePoint consultant and author (he is also a SharePoint MVP). You can search on his name and the word “SharePoint” at Amazon to find his latest offerings. As of this writing, his current book, The Administrator’s Guide to SharePoint Portal Server 2001 (Addison-Wesley), is being updated.
By the way, a quick search on Amazon on the term “SharePoint” resulted in a shocking lack of books on this super cool application area (as of late 2003). I’m sure that’ll be remedied within a few weeks as more books hit the stands.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
And how could you forget that I’ll provide more and more SharePoint secrets in the context of SBS 2003 in my forthcoming advanced SBS 2003 book. Keep monitoring www.smbnation.com for details.
SharePoint Web sites
Because I’m such a fan of Bill English books, you can’t be too surprised that I’d recommend his excellent SharePoint Web site: www.sharepointknowledge.com. Microsoft’s own site for SharePoint is excellent at www.microsoft.com/sharepoint. Searching on Google with the term “SharePoint” resulted in numerous hits including www.sharepointtips.com, www.sharepointcode.com, www.sharepointsample.com, and many other sites! Many of these sites are excellent resources (and the most current resources available).
SharePoint courses
During the depths of the technology recession in the early 21st century, some members of the SBS development team whispered in my ear that I should take the Microsoft Official Curriculum course for SharePoint. And given that it was August (read slow dog days of summer) and my billable hours were down, I went back to school to learn SharePoint. I was led to believe I’d be glad I did once SBS 2003 shipped. The advice was well-founded, because once SBS 2003 hit the streets, I felt I knew WSS reasonably well. You should heed the same advice and go take some courses on SharePoint. As of this writing, the SharePoint curriculum is being revised and you are encouraged to check the Microsoft training site at www.microsoft.com/traincert for the most current course listings. For the record, I took course 2095: Implementing Microsoft SharePoint Portal Server 2001, and I was very pleased (note this is the old SharePoint product).
Bill English delivers SharePoint courses and workshops. Check www.sharepointknowledge.com for his latest offerings. As of this writing, Bill is offering a summit (a four-day course typically in Orlando, Florida, or Anaheim, California, for $2,495) at www.sharepointsummit.com (Figure 7-29).
Notes:
Figure 7-29
Take in some sun in Orlando, Florida to attend the SharePoint Summit!
There is also a SharePoint Boot Camp offering in the US. Visit www.sharepointexperts.com for details.
Summary
This chapter had both a technical and business message focused on WSS. On the technical side, you worked with many primary elements of WSS including the document management and Intranet portal features. On the business side, you were exposed to some value-added thinking about how WSS can extend the SBS network and provide real solutions to real business problems, such as managing information inside a small business. WSS is one of the more important and popular features in SBS 2003, so you should use it to deliver your services as an SBSer to end users in the organization.
enjoy the read...harrybbbb
Harry Brelsford | CEO at SMB Nation | www.smbnation.com
Microsoft Small Business Specialist (SBSC) MBA, MCSE,MCT, CNE and other stuff!
###
Additional WSS Cool Stuff
Enough SPRINGERS step-by-step for a now. I want you to, in your free time, click around WSS and explore the following cool features (I will drill deeply into these areas in my advanced SBS book, so consider this a sneak peek!). You will want to use some or all of these cool things in the real world of SBSing to truly add value.
Documents
Granted, you’ve already worked a lot with documents in this chapter, but I highly recommend you delve deeper into the documents area to learn more. By clicking on Documents and Lists, you can see the types of documents that are suggested for storage in WSS. You will appreciate the descriptive text.
BEST PRACTICE: The incoming fax archive and its functionality to
the fax service (more in Chapter 9) is unique to SBS 2003.
Pictures
This link defines itself but you might use this area as a photo archive.
Notes:
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Resources
Here are some pointers to some additional SharePoint resources. This chapter, while capable for launching you into using WSS in SBS 2003, is only a start. You have much work ahead of you to master WSS!
Bill English books
Buy anything written by Bill English, a leading SharePoint consultant and author (he is also a SharePoint MVP). You can search on his name and the word “SharePoint” at Amazon to find his latest offerings. As of this writing, his current book, The Administrator’s Guide to SharePoint Portal Server 2001 (Addison-Wesley), is being updated.
By the way, a quick search on Amazon on the term “SharePoint” resulted in a shocking lack of books on this super cool application area (as of late 2003). I’m sure that’ll be remedied within a few weeks as more books hit the stands.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
And how could you forget that I’ll provide more and more SharePoint secrets in the context of SBS 2003 in my forthcoming advanced SBS 2003 book. Keep monitoring www.smbnation.com for details.
SharePoint Web sites
Because I’m such a fan of Bill English books, you can’t be too surprised that I’d recommend his excellent SharePoint Web site: www.sharepointknowledge.com. Microsoft’s own site for SharePoint is excellent at www.microsoft.com/sharepoint. Searching on Google with the term “SharePoint” resulted in numerous hits including www.sharepointtips.com, www.sharepointcode.com, www.sharepointsample.com, and many other sites! Many of these sites are excellent resources (and the most current resources available).
SharePoint courses
During the depths of the technology recession in the early 21st century, some members of the SBS development team whispered in my ear that I should take the Microsoft Official Curriculum course for SharePoint. And given that it was August (read slow dog days of summer) and my billable hours were down, I went back to school to learn SharePoint. I was led to believe I’d be glad I did once SBS 2003 shipped. The advice was well-founded, because once SBS 2003 hit the streets, I felt I knew WSS reasonably well. You should heed the same advice and go take some courses on SharePoint. As of this writing, the SharePoint curriculum is being revised and you are encouraged to check the Microsoft training site at www.microsoft.com/traincert for the most current course listings. For the record, I took course 2095: Implementing Microsoft SharePoint Portal Server 2001, and I was very pleased (note this is the old SharePoint product).
Bill English delivers SharePoint courses and workshops. Check www.sharepointknowledge.com for his latest offerings. As of this writing, Bill is offering a summit (a four-day course typically in Orlando, Florida, or Anaheim, California, for $2,495) at www.sharepointsummit.com (Figure 7-29).
Notes:
Figure 7-29
Take in some sun in Orlando, Florida to attend the SharePoint Summit!
There is also a SharePoint Boot Camp offering in the US. Visit www.sharepointexperts.com for details.
Summary
This chapter had both a technical and business message focused on WSS. On the technical side, you worked with many primary elements of WSS including the document management and Intranet portal features. On the business side, you were exposed to some value-added thinking about how WSS can extend the SBS network and provide real solutions to real business problems, such as managing information inside a small business. WSS is one of the more important and popular features in SBS 2003, so you should use it to deliver your services as an SBSer to end users in the organization.
Tuesday, July 22, 2008
Wanna attend SMB Nation 2008 fall conference complimentary?
Hey gang - one of our sponsors is giving away a unique prize - the ability to attend SMB Nation complimentary...this is a HUGE WIN for you (albeit, you must win the sweepstakes) because the fall conference (early October) is RIGHT IN THE ZONE for the RTM date for SBS 2008 and EBS 2008....BE THERE!
Join the contest here: http://www.calyptix.com/reg-smbnation2008fall.php
cheers...harrybbbbHArry Brelsfordceo, smb nation, www.smbnation.com
Join the contest here: http://www.calyptix.com/reg-smbnation2008fall.php
cheers...harrybbbbHArry Brelsfordceo, smb nation, www.smbnation.com
Monday, July 21, 2008
Exchange e-mail attachment blocking in SBS 2003 (book excerpt, chapter 5)
Good Monday to you!
Each day, I am posting up a few pages from my Windows Small Buisness Server 2003 Best PRactices book until SBS 2008 ships. Today we look at the native e-mail attachment blocking in Microsoft Exchange Server 2003 in SBS 2003 and also discuss content filtering....this is actually one ofthe really cool features in SBS 2003 (the atachement blocking capability).
Anyways - enjoy the read and the ride....harrybbbb
Harry Brelsford, ceo at SMB Nation, www.smbnation.com
###
Blocking Attachments, E-mails, and Content
There are some interesting capabilities that you might not know about in Exchange in SBS 2003 relating to attachment and domain blocking. Content filtering is another matter I’ll close this section with.
BEST PRACTICE: CRN reported in “Rivals Face Challenge As Microsoft Extends Its Antispam Technology” (http://crn.channelsupersearch.com/news/crn/46130.asp) that Microsoft will offer stronger anti-spam technology in Exchange Server 2003 in the first half of 2004. No other details available at press time but monitor Microsoft’s Exchange and TechNet sites for updated information. CRN at www.crn.com should be monitored as well.
Attachment Blocking
You likely recall the Remove E-mail Attachments page (Figure 4-14) in the EICW from Chapter 4. The function it performs is relatively straightforward: remove e-mail attachments of a certain type. But a question that continually arose during the fall 2003 hands-on labs for SBS 2003 concerned where this setting was being made in the background. Students asked if they could see where the EICW was setting this.
So I researched this by consulting with the Microsoft SBS program manager who owns this functionality and found that:
• An SMTP “sink” is trapping the attachments and handling them according to the rule you set on the Remove E-Mail Attachments page.
• There is no user interface (UI) to “see” where these settings are made or where this activity is occurring (other than the outcome, such as the attachment being removed or saved to a folder).
And don’t forget that we have Outlook 2003 as a backstop to also block common attachments in e-mail. This is covered later in the Outlook 2003 section of this chapter.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Junk E-mail Blocking
Another popular question is what native ability Exchange has to block offensive e-mail domains as a poor man’s form of spam blocking (that is, using it instead of purchasing a third-party spam blocking tool). This is most easily accomplished by select and configure the Connection Filtering and Sender Filter tabs on the Message Deliver Properties dialog box that you see in Figure 6-6 (right-click Message Delivery and select Properties under Global Settings in the Exchange System Manager under Advanced Management in the Server Management console).
Figure 6-6
Get to know the Message Delivery Properties sheet if you want to engage in basic e-mail blocking inside of Exchange.
This e-mail blocking can also be accomplished painfully by creating an Active Directory contact object that has the offending e-mail name (such as player@gamblinggreen.com) and then adding it via the Delivery Restrictions tab (click the Add button beneath Reject messages from) on the Small Business SMTP connector Properties screen.
BEST PRACTICE: Of course, I saved perhaps the best junk e-mail blocking discussion for last. Near the end of the fall 2003 SBS 2003 hands-on lab tour in the US, a few students, already having worked with SBS 2003 at that point, waxed poetically about the effectiveness of the Outlook 2003 spam blocking capability. The consensus was it just works. A Microsoft employee echoed the same sentiment as “your Microsoft Research division dollars at work.” Couldn’t have put it better myself!
Content Filtering
Now for the bad news. Content filtering-as many of us know it in third-party spam filters that eliminate offensive e-mails selling Viagra and Vicodin-is not natively available in Exchange (but should be around mid-2004 as per the Best Practice earlier). Don’t be confused because some might think that the Content Restrictions tab on the Small Business SMTP connector Properties screen (Figure 6-6 above) is really performing a filtering function. It is not. It is allowing
e-mail of different priorities, etc. Note that I’ll cover spam blocking in it various forms (attachment blocking, e-mail and domain blocking, and content filtering) more in Chapter 11. You’ll recall that I briefly mentioned spam in Chapter 5. Stand by!
Each day, I am posting up a few pages from my Windows Small Buisness Server 2003 Best PRactices book until SBS 2008 ships. Today we look at the native e-mail attachment blocking in Microsoft Exchange Server 2003 in SBS 2003 and also discuss content filtering....this is actually one ofthe really cool features in SBS 2003 (the atachement blocking capability).
Anyways - enjoy the read and the ride....harrybbbb
Harry Brelsford, ceo at SMB Nation, www.smbnation.com
###
Blocking Attachments, E-mails, and Content
There are some interesting capabilities that you might not know about in Exchange in SBS 2003 relating to attachment and domain blocking. Content filtering is another matter I’ll close this section with.
BEST PRACTICE: CRN reported in “Rivals Face Challenge As Microsoft Extends Its Antispam Technology” (http://crn.channelsupersearch.com/news/crn/46130.asp) that Microsoft will offer stronger anti-spam technology in Exchange Server 2003 in the first half of 2004. No other details available at press time but monitor Microsoft’s Exchange and TechNet sites for updated information. CRN at www.crn.com should be monitored as well.
Attachment Blocking
You likely recall the Remove E-mail Attachments page (Figure 4-14) in the EICW from Chapter 4. The function it performs is relatively straightforward: remove e-mail attachments of a certain type. But a question that continually arose during the fall 2003 hands-on labs for SBS 2003 concerned where this setting was being made in the background. Students asked if they could see where the EICW was setting this.
So I researched this by consulting with the Microsoft SBS program manager who owns this functionality and found that:
• An SMTP “sink” is trapping the attachments and handling them according to the rule you set on the Remove E-Mail Attachments page.
• There is no user interface (UI) to “see” where these settings are made or where this activity is occurring (other than the outcome, such as the attachment being removed or saved to a folder).
And don’t forget that we have Outlook 2003 as a backstop to also block common attachments in e-mail. This is covered later in the Outlook 2003 section of this chapter.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Junk E-mail Blocking
Another popular question is what native ability Exchange has to block offensive e-mail domains as a poor man’s form of spam blocking (that is, using it instead of purchasing a third-party spam blocking tool). This is most easily accomplished by select and configure the Connection Filtering and Sender Filter tabs on the Message Deliver Properties dialog box that you see in Figure 6-6 (right-click Message Delivery and select Properties under Global Settings in the Exchange System Manager under Advanced Management in the Server Management console).
Figure 6-6
Get to know the Message Delivery Properties sheet if you want to engage in basic e-mail blocking inside of Exchange.
This e-mail blocking can also be accomplished painfully by creating an Active Directory contact object that has the offending e-mail name (such as player@gamblinggreen.com) and then adding it via the Delivery Restrictions tab (click the Add button beneath Reject messages from) on the Small Business SMTP connector Properties screen.
BEST PRACTICE: Of course, I saved perhaps the best junk e-mail blocking discussion for last. Near the end of the fall 2003 SBS 2003 hands-on lab tour in the US, a few students, already having worked with SBS 2003 at that point, waxed poetically about the effectiveness of the Outlook 2003 spam blocking capability. The consensus was it just works. A Microsoft employee echoed the same sentiment as “your Microsoft Research division dollars at work.” Couldn’t have put it better myself!
Content Filtering
Now for the bad news. Content filtering-as many of us know it in third-party spam filters that eliminate offensive e-mails selling Viagra and Vicodin-is not natively available in Exchange (but should be around mid-2004 as per the Best Practice earlier). Don’t be confused because some might think that the Content Restrictions tab on the Small Business SMTP connector Properties screen (Figure 6-6 above) is really performing a filtering function. It is not. It is allowing
e-mail of different priorities, etc. Note that I’ll cover spam blocking in it various forms (attachment blocking, e-mail and domain blocking, and content filtering) more in Chapter 11. You’ll recall that I briefly mentioned spam in Chapter 5. Stand by!
Wednesday, July 16, 2008
Pardon our dust: SMB PC magazine download link fixed
Howdy folks – pardon the dust but our magazine download link was broken yesterday for the current magazine issue J
Here is the proper link and I even tested it!
http://www.smbnation.com/products_listpage.asp?Category=Publications&Category2=Magazine
Thanks everyone and happy reading!
Cheers….harrybbbbb
Harry Brelsford
CEO, SMB Nation and Microsoft Small Business Specialist (SBSC)!!!
www.smbnation.com
Read my blog: harrybrelsford.wordpress.com
J
Here is the proper link and I even tested it!
http://www.smbnation.com/products_listpage.asp?Category=Publications&Category2=Magazine
Thanks everyone and happy reading!
Cheers….harrybbbbb
Harry Brelsford
CEO, SMB Nation and Microsoft Small Business Specialist (SBSC)!!!
www.smbnation.com
Read my blog: harrybrelsford.wordpress.com
J
Monday, July 14, 2008
Why the heck upgradefrom SBS 2003 to SBS 2008?
I am doing some research for publication and have an important need for answers to thefollowing question:
Q: Whyupgrade from SBS 2003 to SBS 2008?
A:
(add here)
Thanks!
harrybbbbb
Harry Brelsford
CEO at smb nation, www.smbnation.com
Q: Whyupgrade from SBS 2003 to SBS 2008?
A:
(add here)
Thanks!
harrybbbbb
Harry Brelsford
CEO at smb nation, www.smbnation.com
Black Hat Thyself - SBS 2003 (book excerpt)
g'day mates - I am harry brelsford, the author of Windows Small Business Server 2003 Best PRactices (the infamous purple book). I amposting up a few pages per day of this book until SBS 2008 ships for all of us SMB consultants, SBSers, and Microsoft Small Business Specialists (SBSC). Enjoy the read!
Today I speak towards black htting thyself including packet sniffing!
harrybbbbb
Harry Brelsford, ceo at smb nation, www.smbnation.com
###
Black Hat Thyself
So, you think you’re an SBS security hot shot? Perhaps you are. One way to validate whether you’re “hot or not” is to black hat yourself on the inside and outside. That’ll tell you exactly how super you are. In a nutshell, you’d download a port scanner such as GFI’s LANGuard Network Security Scanner (www.gfi.com) and run it against yourself. Figure 5-13 shows how such a scan on the internal LAN might look (revealing tons of information) and Figure 5-14 shows how such a scan might look when run over the Internet, showing only the ports you opened via the EICW. (Talk about a great way to validate your work!)
Figure 5-13
Black hattin’ on the inside.
Notes:
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 5-14
Black hattin’ on the outside.
BEST PRACTICE: Perform this activity on each SBS network you work on (even if it’s only one). Hopefully, you won’t be too surprised by the outcome (in general, SBSers don’t like to be surprised in this area). If you’re a consultant, share the outcome of this black hat exercise with your clients.
Packet Sniffing
Talk about an MCSE-level exercise that works for us SBSers as well: packet sniffing. Here you would install the Network Monitor tool that is native to the underlying Windows Server 2003 operating system, but not installed by default, and then sniff around. To install the tool, perform the following procedure:
1 Log on as Administrator on SPRINGERS1 (password is Husky9999!).
2 Click Start, Control Panel, Add or Remove Programs.
3 Select Add/Remove Windows Components.
1 Select Management and Monitoring Tools in the Windows Components Wizard.
2 Select Network Monitor Tools and click OK.
3 Click Next.
4 Insert Disc #1 when requested.
8. Click Finish. In Figure 5-15, you can see what the results of a packet sniffing session might look like. This tool can be used to troubleshoot network problems (such as logon problems) and to search for rogue devices (such as another server running network monitoring on your network without your knowledge).
Figure 5-15
The three-finger salute of TCP/IP session establishment is shown here in a Network Monitor session. Look closely at the source and destination address columns (packets 31-33).
BEST PRACTICE: I used this tool once in early 2003 to investigate whether Microsoft automatic update sessions were actually going out into the ether. A client, a well-known Seattle-based author (not me!),
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
believed said updates where going to an offshore site not controlled by Microsoft. The packet analysis facilitated by the Network Monitor tool showed the fears were unfounded. The client then rested easy and allowed his workstation to be automatically updated. I kinda felt like one of the central characters in an old US movie called Ghosbusters and Network Monitor was my tool!
Spam Blocking
Spam blocking fits in the security chapter as well. The malady of “spam” is well known to readers of this book as unwanted e-mail traffic. In fact, the perception of excessive spam on an SBS 2003 network can create unwarranted criticism about SBS 2003 itself, which just isn’t fair.
Spam blocking can be divided into two discussion areas: content filtering and attachment blocking.
Content Filtering
I’ve enjoyed great success using the GFI’s MailEssentials spam blocking program, which more than anything else flexes its muscles in the content filtering department. For example, e-mails with the word “Viagra” are treated as spam and processed accordingly, which might include deletion, move to another folder, etc. MailEssentials is shown in Figure 5-16.
Notes:
Figure 5-16
Meet MailEssentials from GFI. Note that this product is very aggressive out of the box and will sometimes go too far, filtering out legitimate messages.
BEST PRACTICE: Because of the false positives and positive negatives in the world of filtering junk e-mails, the oft-cited security author Roberta Bragg insists that I tell you to send filtered mail to a junk mailbox, instead of deleting it! Right on, Roberta!
Another way to easily engage in a form of content filtering is to utilize the junk mail feature in Outlook 2003. This is a MAJOR IMPROVEMENT in Outlook 2003 and is discussed in Chapter 6.
Attachment Blocking
Of course, the simplest way to invoke attachment blocking is to complete the 15th page of the EICW titled “Remove E-mail Attachments.” I’ll discuss that more in Chapter 6 when you and I look deeper at Exchange Server 2003.
But meet GFI’s MailEssentials once again. Assuming you own this application for its effectiveness in the content filtering area, then consider using it as your attachment blocking tool.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
BEST PRACTICE: The above statement raises the question about which attachment types to block if you’re using a third party tool such as MailEssentials. This list is easily created by looking at and copying the list from the Remove E-mail Attachments page in the EICW.
And yet another attachment blocking tool is contained within Outlook 2003 itself. Since I don’t want to spill the beans on Chapter 6 yet, I’ll wait to discuss it there. Similarly, you can use the SMTP application filter in ISA Server 2000 to engage in both content filtering and attachment blocking (discussed in Chapter 13).
BEST PRACTICE: I only cite GFI’s spam fighting tool because I know it. The infamous Stu at Sunbelt Software in Tampa FL (www.w2knews.com) markets effective spam blocking tools (“I Hate Spam”) that deserve your purchasing consideration. The SBS-related newsgroups are also a source of information for third-party spam fighting applications (see Appendix A for this information).
Virus Protection
So, would you consider virus protection a germane security topic? You betcha! I’ll discuss this much more in Chapter 11 with some step-by-step procedures using Trend Micro’s OfficeScan suite solution, but I’d be remiss to have a security chapter without emphasizing the importance of virus protection as part of your comprehensive approach to security on your SBS 2003 network.
BEST PRACTICE: I’ll say it here and again later on. Virus protection
is only valid when the data files are up-to-date. More later.
SpyWare
If you want to be humbled in a hurry, download the spyware detection applications from www.BulletProofSoft.com. Install its SpyWatch and SpyWare Remover programs and then, when no one is your witness, run these programs. You might be shocked to see what’s been camping out on your SBS network without your knowledge. Thanks to a student from the Louisville, KY hands-on lab for that tip! Many apparently harmless Web sites accessed by your users are
Visit www.smbnation.com for additional SMB and SBS book, newsletter and conference resources.
really implementing click counters and other spyware nasties. One of the all time greats (or “worsts”) was Gator. An instructor with whom I’ve previously worked on another tour had actually worked for Gator during the dot-com boom and he sends his profound apologies!
FTP Site Notification
And now from the hallowed halls of the Harvard Law School! Did you know that if you dig deep enough into the legal treatise of USA jurisprudence system, you’ll find that long ago, a hacker got off the hook because an FTP site at a company said “Welcome!” Apparently the hacker claimed that he felt invited in to poke around and destroy things. The legal lesson learned here? Prevention! Make the introductory screen of your FTP site say “Authorized Users Only!” or something just as strong.
Today I speak towards black htting thyself including packet sniffing!
harrybbbbb
Harry Brelsford, ceo at smb nation, www.smbnation.com
###
Black Hat Thyself
So, you think you’re an SBS security hot shot? Perhaps you are. One way to validate whether you’re “hot or not” is to black hat yourself on the inside and outside. That’ll tell you exactly how super you are. In a nutshell, you’d download a port scanner such as GFI’s LANGuard Network Security Scanner (www.gfi.com) and run it against yourself. Figure 5-13 shows how such a scan on the internal LAN might look (revealing tons of information) and Figure 5-14 shows how such a scan might look when run over the Internet, showing only the ports you opened via the EICW. (Talk about a great way to validate your work!)
Figure 5-13
Black hattin’ on the inside.
Notes:
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 5-14
Black hattin’ on the outside.
BEST PRACTICE: Perform this activity on each SBS network you work on (even if it’s only one). Hopefully, you won’t be too surprised by the outcome (in general, SBSers don’t like to be surprised in this area). If you’re a consultant, share the outcome of this black hat exercise with your clients.
Packet Sniffing
Talk about an MCSE-level exercise that works for us SBSers as well: packet sniffing. Here you would install the Network Monitor tool that is native to the underlying Windows Server 2003 operating system, but not installed by default, and then sniff around. To install the tool, perform the following procedure:
1 Log on as Administrator on SPRINGERS1 (password is Husky9999!).
2 Click Start, Control Panel, Add or Remove Programs.
3 Select Add/Remove Windows Components.
1 Select Management and Monitoring Tools in the Windows Components Wizard.
2 Select Network Monitor Tools and click OK.
3 Click Next.
4 Insert Disc #1 when requested.
8. Click Finish. In Figure 5-15, you can see what the results of a packet sniffing session might look like. This tool can be used to troubleshoot network problems (such as logon problems) and to search for rogue devices (such as another server running network monitoring on your network without your knowledge).
Figure 5-15
The three-finger salute of TCP/IP session establishment is shown here in a Network Monitor session. Look closely at the source and destination address columns (packets 31-33).
BEST PRACTICE: I used this tool once in early 2003 to investigate whether Microsoft automatic update sessions were actually going out into the ether. A client, a well-known Seattle-based author (not me!),
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
believed said updates where going to an offshore site not controlled by Microsoft. The packet analysis facilitated by the Network Monitor tool showed the fears were unfounded. The client then rested easy and allowed his workstation to be automatically updated. I kinda felt like one of the central characters in an old US movie called Ghosbusters and Network Monitor was my tool!
Spam Blocking
Spam blocking fits in the security chapter as well. The malady of “spam” is well known to readers of this book as unwanted e-mail traffic. In fact, the perception of excessive spam on an SBS 2003 network can create unwarranted criticism about SBS 2003 itself, which just isn’t fair.
Spam blocking can be divided into two discussion areas: content filtering and attachment blocking.
Content Filtering
I’ve enjoyed great success using the GFI’s MailEssentials spam blocking program, which more than anything else flexes its muscles in the content filtering department. For example, e-mails with the word “Viagra” are treated as spam and processed accordingly, which might include deletion, move to another folder, etc. MailEssentials is shown in Figure 5-16.
Notes:
Figure 5-16
Meet MailEssentials from GFI. Note that this product is very aggressive out of the box and will sometimes go too far, filtering out legitimate messages.
BEST PRACTICE: Because of the false positives and positive negatives in the world of filtering junk e-mails, the oft-cited security author Roberta Bragg insists that I tell you to send filtered mail to a junk mailbox, instead of deleting it! Right on, Roberta!
Another way to easily engage in a form of content filtering is to utilize the junk mail feature in Outlook 2003. This is a MAJOR IMPROVEMENT in Outlook 2003 and is discussed in Chapter 6.
Attachment Blocking
Of course, the simplest way to invoke attachment blocking is to complete the 15th page of the EICW titled “Remove E-mail Attachments.” I’ll discuss that more in Chapter 6 when you and I look deeper at Exchange Server 2003.
But meet GFI’s MailEssentials once again. Assuming you own this application for its effectiveness in the content filtering area, then consider using it as your attachment blocking tool.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
BEST PRACTICE: The above statement raises the question about which attachment types to block if you’re using a third party tool such as MailEssentials. This list is easily created by looking at and copying the list from the Remove E-mail Attachments page in the EICW.
And yet another attachment blocking tool is contained within Outlook 2003 itself. Since I don’t want to spill the beans on Chapter 6 yet, I’ll wait to discuss it there. Similarly, you can use the SMTP application filter in ISA Server 2000 to engage in both content filtering and attachment blocking (discussed in Chapter 13).
BEST PRACTICE: I only cite GFI’s spam fighting tool because I know it. The infamous Stu at Sunbelt Software in Tampa FL (www.w2knews.com) markets effective spam blocking tools (“I Hate Spam”) that deserve your purchasing consideration. The SBS-related newsgroups are also a source of information for third-party spam fighting applications (see Appendix A for this information).
Virus Protection
So, would you consider virus protection a germane security topic? You betcha! I’ll discuss this much more in Chapter 11 with some step-by-step procedures using Trend Micro’s OfficeScan suite solution, but I’d be remiss to have a security chapter without emphasizing the importance of virus protection as part of your comprehensive approach to security on your SBS 2003 network.
BEST PRACTICE: I’ll say it here and again later on. Virus protection
is only valid when the data files are up-to-date. More later.
SpyWare
If you want to be humbled in a hurry, download the spyware detection applications from www.BulletProofSoft.com. Install its SpyWatch and SpyWare Remover programs and then, when no one is your witness, run these programs. You might be shocked to see what’s been camping out on your SBS network without your knowledge. Thanks to a student from the Louisville, KY hands-on lab for that tip! Many apparently harmless Web sites accessed by your users are
Visit www.smbnation.com for additional SMB and SBS book, newsletter and conference resources.
really implementing click counters and other spyware nasties. One of the all time greats (or “worsts”) was Gator. An instructor with whom I’ve previously worked on another tour had actually worked for Gator during the dot-com boom and he sends his profound apologies!
FTP Site Notification
And now from the hallowed halls of the Harvard Law School! Did you know that if you dig deep enough into the legal treatise of USA jurisprudence system, you’ll find that long ago, a hacker got off the hook because an FTP site at a company said “Welcome!” Apparently the hacker claimed that he felt invited in to poke around and destroy things. The legal lesson learned here? Prevention! Make the introductory screen of your FTP site say “Authorized Users Only!” or something just as strong.
Sunday, July 13, 2008
SBS 2003 NAT\Basic Firewall (book excerpt)
howdy-howdy....harrybbbb here posting up more of my Windows Small Business Server 2003 Best Practices book for your general consumption...hope to havethe whole darnt hing posted up by the time SBS 2008 ships!
harrybbbb
Harry Brelsford ceo at smb nation www.smbnation.com
###
Defining Basic Firewall/NAT
Meanwhile, back in the lecture hall, it’s time to lay one down on you about NAT and the Basic Firewall. You can use Basic Firewall to help secure your network from unsolicited public network traffic, such as traffic sent from the Internet. People who send such traffic might be trying to access your network without your permission. You can enable Basic Firewall for any public interface, including one that also provides network address translation (also known as NAT, an Internet Protocol (IP) translation process that allows a network with private addresses to access information on the Internet for your network).
How Basic Firewall Works
First of all, what is a firewall? Quoting directly from the online help system in SBS 2003: A firewall is a combination of hardware and software that provides
Visit www.smbnation.com for additional SMB and SBS book, newsletter and conference resources.
a security system, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall prevents direct communication between network and external computers by routing communication through a proxy server outside the network. The proxy server determines whether it is safe to let a file pass through to the network. Also called a security-edge gateway.
Next, the Basic Firewall provided via RRAS in SBS 2003 is a stateful firewall which combines dynamic packet filtering of network traffic with a set of static packet filters. Said Basic Firewall monitors traffic that travels through the interface for which Basic Firewall is enabled. If the interface is configured for private network traffic only, Basic Firewall will route traffic among the computers on the private network only. The Basic Firewall will route traffic between a private network and virtual private network (VPN). I define a VPN below in the advanced section.
If the interface is configured for private network traffic and to provide NAT, each packet’s source and destination addresses are recorded in a table. All traffic from the public network is compared to the entries in the table. Traffic from the public network can reach the private network only if the table contains an entry that shows that the communication exchange originated from within the private network. In this way, Basic Firewall prevents unsolicited traffic from a public network (such as the Internet) from reaching a private network. This is a key point, pardner: We’re keeping the bad guy out here.
Service Accessibility
Perhaps you noticed earlier in this RRAS section that adding the additional services by name and port was as easy as dropping beneath the hood and simply selecting from the bevy of services contained on the Services and Ports screen (which you observed in the last step-by-step procedure above). The services on the Services and Ports screen are listed here.
• FTP Server
• Internet Mail Access Protocol Version 3 (IMAP3)
• Internet Mail Access Protocol Version 4 (IMAP4)
• Internet Mail Server (SMTP)
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
• IP Security (IKE)
• IP Security (IKE NAT Traversal)
• Post-Office Protocol Version 3 (POP3)
• Remote Desktop
• Secure Web Server (HTTPS)
• Telnet Server
• VPN Gateway (L2TP/IPSec - running on this server)
• VPN Gateway (PPTP)
• Web Server (HTTP)
And if you insist, you can always add different services via the Add button on the Services and Ports tab just like you could back in the EICW.
Get Certified!
A cool feature that is managed by the Web Server Certificate page in the EICW is the ability to easily install a self-signed certificate on your SBS 2003 server machine.
BEST PRACTICE: Note the self-signed certificate is not the same as installing and configuring Certificate Services to create a certificate authority. (You can see via Control Panel, Add/Remove Programs, Windows Components that Certificate Services HAS NOT BEEN INSTALLED and configured after the Web Server Certificate page in the EICW is complete.) As author Roberta Bragg put it to me, it’s “kool” but it’s not Certificate Services. This is important to understand and perhaps you’d want to proceed to install Certificate Services for other purposes such as e-commerce. That suggestion begs the next point.
So, do you need to continue to pay the SSL King (Verisign) his ransom in the world of SBS 2003? The answer is perhaps not if you were using Certificate Services as your certificate authority. So, save those dollars to be spent on something more meaningful like taking your spouse/partner out to dinner (a real nice dinner in Vegas with your Verisign savings!).
Real world speaking, this self-signed Web certificate will be most noticeable in two ways to users. First, the address in a Web browser (known as the URL) will start with the prefix HTTPS. Second, you’ll typically need to approve the certificate when a security dialog box appears as a user commences a Web session on the SBS 2003 server. And how do you explain this to the same real-world users? Tell them this is akin to logging on to their bank (e.g., Wells Fargo) or brokerage firm (e.g., ETrade).
BEST PRACTICE: The Web Server Certificate page in the EICW is dramatically reducing the number of keystrokes you had to perform in the SBS 2000 time frame to achieve the “nearly” same kind of security-related functionality (granted, I’m comparing apples to oranges here for a few minutes, but go with it). Again, a self-signed certificate and Certificate Services are not the exact same thing.
In my now retired Advanced SBS 2000 Workshop, I demonstrated the keystrokes necessary to (1) install Certificate Services from Control Panel, Add/Remove Programs, Windows Components, (2) create a self-signed certificate, (3) apply the certificate to the appropriate locations (e.g., root of the default Web site in SBS 2003 that houses OWA), and (4) apply the SSL setting to child objects (e.g., the Public folder under IIS). Note these steps, in the SBS 2000 time frame, were documented in the following documents:
• a white paper titled “Step-by-Step Guide for Setting Up a Certificate Authority”
• the following KBase article: “Turning on SSL for Exchange 2000 Server Outlook Web Access” (Q320291)
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
• KBase article: “How to Force SSL Encryption for an Outlook Web Access 2000 Client” (Q279681)
This kinda stuff is now handled via the Web Server Certificate page in the EICW (at least as far as the typical SBS network is concerned). Note the enterprise security folks reading this book would of course beg to differ and point out huge differences in a self-signed certificate and Certificate Services, such as the ability to issue certificates for IPSec (which our little ol’ self-signed certificate can’t do). Enough said.
Advanced SBS Security Topics
No chapter worth its security salt could be devoid of a few advanced security topics even though said topics are beyond the scope of this introductory volume on SPRINGERS! While my future advanced SBS 2003 text will delve deeper and fly further on a single tank of gas, try on a few of the following advanced security topics for size. Security is of such importance that this is one time we can clearly take a respite from the SPRINGERS story line and explore:
Hardware-Based Firewall
Yes, Virginia, there is native SBS 2003 support for hardware-based firewalls. It’s kosher as well and you’ll be accepted in the open and affirming SBS community. Best of all, when you select the router option in the EICW as you set up the network connection (see the third screen regarding connection type in the EICW), you’ll be able to take advantage of a really cool SBS 2003 feature: It automatically configures hardware-based routers as part of its wizardry! Say what? This isn’t a misprint. What occurs is this. If your hardware-based firewall is Universal Plug and Play (UPNP) compliant (this is an industry standard) and you provide sufficient credentials (that allow you to configure the hardware-based firewall itself), then the EICW will open the correct ports to support the services you’ve selected that need access from the Internet.
Dual-Firewall
Another popular configuration with SBS 2003 is to implement a dual firewall. In this case, you’d use the built-in firewall capability in SBS 2003 and then supplement that on the network border with an additional firewall. Note this additional firewall is typically hardware-based, but could very well be a software-based firewall from another vendor. A view of a dual firewall scenario is shown in Figure 5-12.
Figure 5-12
This is your road map for implementing a dual-firewall scenario with SBS 2003.
BEST PRACTICE: You could implement a dual firewall scenario with either SBS 2003 standard edition (with the RRAS NAT/Basic Firewall) or SBS 2003 premium edition (with ISA Server 2000 discussed later in Chapter 13).
What Is a VPN?
No, this isn’t a trick question. Many readers of this book might not actually know what a VPN is. Don’t believe me? Then you should have been there during the filming of an SBS setup video at Microsoft Studios on 158th Ave NE in Redmond the day we forgot to define VPN in the script. An important marketing manager discovered this omission and we had to play some Hollywood magic to splice in a short lecture on VPN connectivity in the post production phase. Needless to say, this drove up the video costs and since that day, I’ve never forgotten to add this lecture in any chapter where it makes sense.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Here is the official definition of a VPN taken from the online help system in SBS 2003: The extension of a private network that encompasses encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections can provide remote access and routed connections to private networks over the Internet client computers. However, computers that are part of a private network will not be able to detect computers outside of the private network, and computers that are not part of the private network will not be able to detect computers that belong to the private network.
Relating VPN connectivity to security is the next step. You might be saying “Who cares?” at this point. Both you and I care. When the shoe fits, establishing a VPN connection using either the point-to-point tunneling protocol (a poor man’s encryption method) or layer-two tunneling protocol (a rich man’s encryption method that requires a certificate authority) creates a secure link between a remote computer and the SBS 2003 network. Essentially, you can compute with less worry from afar.
BEST PRACTICE: I’ll touch on VPN connectivity in Chapter 8 again with step by step procedures. And don’t forget you actually configured server-side VPN connectivity in Chapter 4 when you completed the Configure Remote Access link. Be advised much deeper discussion is beyond the scope of this introductory SBS 2003 volume. Look for richer VPN discussion in my advanced SBS 2003 text due in mid-2004.
harrybbbb
Harry Brelsford ceo at smb nation www.smbnation.com
###
Defining Basic Firewall/NAT
Meanwhile, back in the lecture hall, it’s time to lay one down on you about NAT and the Basic Firewall. You can use Basic Firewall to help secure your network from unsolicited public network traffic, such as traffic sent from the Internet. People who send such traffic might be trying to access your network without your permission. You can enable Basic Firewall for any public interface, including one that also provides network address translation (also known as NAT, an Internet Protocol (IP) translation process that allows a network with private addresses to access information on the Internet for your network).
How Basic Firewall Works
First of all, what is a firewall? Quoting directly from the online help system in SBS 2003: A firewall is a combination of hardware and software that provides
Visit www.smbnation.com for additional SMB and SBS book, newsletter and conference resources.
a security system, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall prevents direct communication between network and external computers by routing communication through a proxy server outside the network. The proxy server determines whether it is safe to let a file pass through to the network. Also called a security-edge gateway.
Next, the Basic Firewall provided via RRAS in SBS 2003 is a stateful firewall which combines dynamic packet filtering of network traffic with a set of static packet filters. Said Basic Firewall monitors traffic that travels through the interface for which Basic Firewall is enabled. If the interface is configured for private network traffic only, Basic Firewall will route traffic among the computers on the private network only. The Basic Firewall will route traffic between a private network and virtual private network (VPN). I define a VPN below in the advanced section.
If the interface is configured for private network traffic and to provide NAT, each packet’s source and destination addresses are recorded in a table. All traffic from the public network is compared to the entries in the table. Traffic from the public network can reach the private network only if the table contains an entry that shows that the communication exchange originated from within the private network. In this way, Basic Firewall prevents unsolicited traffic from a public network (such as the Internet) from reaching a private network. This is a key point, pardner: We’re keeping the bad guy out here.
Service Accessibility
Perhaps you noticed earlier in this RRAS section that adding the additional services by name and port was as easy as dropping beneath the hood and simply selecting from the bevy of services contained on the Services and Ports screen (which you observed in the last step-by-step procedure above). The services on the Services and Ports screen are listed here.
• FTP Server
• Internet Mail Access Protocol Version 3 (IMAP3)
• Internet Mail Access Protocol Version 4 (IMAP4)
• Internet Mail Server (SMTP)
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
• IP Security (IKE)
• IP Security (IKE NAT Traversal)
• Post-Office Protocol Version 3 (POP3)
• Remote Desktop
• Secure Web Server (HTTPS)
• Telnet Server
• VPN Gateway (L2TP/IPSec - running on this server)
• VPN Gateway (PPTP)
• Web Server (HTTP)
And if you insist, you can always add different services via the Add button on the Services and Ports tab just like you could back in the EICW.
Get Certified!
A cool feature that is managed by the Web Server Certificate page in the EICW is the ability to easily install a self-signed certificate on your SBS 2003 server machine.
BEST PRACTICE: Note the self-signed certificate is not the same as installing and configuring Certificate Services to create a certificate authority. (You can see via Control Panel, Add/Remove Programs, Windows Components that Certificate Services HAS NOT BEEN INSTALLED and configured after the Web Server Certificate page in the EICW is complete.) As author Roberta Bragg put it to me, it’s “kool” but it’s not Certificate Services. This is important to understand and perhaps you’d want to proceed to install Certificate Services for other purposes such as e-commerce. That suggestion begs the next point.
So, do you need to continue to pay the SSL King (Verisign) his ransom in the world of SBS 2003? The answer is perhaps not if you were using Certificate Services as your certificate authority. So, save those dollars to be spent on something more meaningful like taking your spouse/partner out to dinner (a real nice dinner in Vegas with your Verisign savings!).
Real world speaking, this self-signed Web certificate will be most noticeable in two ways to users. First, the address in a Web browser (known as the URL) will start with the prefix HTTPS. Second, you’ll typically need to approve the certificate when a security dialog box appears as a user commences a Web session on the SBS 2003 server. And how do you explain this to the same real-world users? Tell them this is akin to logging on to their bank (e.g., Wells Fargo) or brokerage firm (e.g., ETrade).
BEST PRACTICE: The Web Server Certificate page in the EICW is dramatically reducing the number of keystrokes you had to perform in the SBS 2000 time frame to achieve the “nearly” same kind of security-related functionality (granted, I’m comparing apples to oranges here for a few minutes, but go with it). Again, a self-signed certificate and Certificate Services are not the exact same thing.
In my now retired Advanced SBS 2000 Workshop, I demonstrated the keystrokes necessary to (1) install Certificate Services from Control Panel, Add/Remove Programs, Windows Components, (2) create a self-signed certificate, (3) apply the certificate to the appropriate locations (e.g., root of the default Web site in SBS 2003 that houses OWA), and (4) apply the SSL setting to child objects (e.g., the Public folder under IIS). Note these steps, in the SBS 2000 time frame, were documented in the following documents:
• a white paper titled “Step-by-Step Guide for Setting Up a Certificate Authority”
• the following KBase article: “Turning on SSL for Exchange 2000 Server Outlook Web Access” (Q320291)
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
• KBase article: “How to Force SSL Encryption for an Outlook Web Access 2000 Client” (Q279681)
This kinda stuff is now handled via the Web Server Certificate page in the EICW (at least as far as the typical SBS network is concerned). Note the enterprise security folks reading this book would of course beg to differ and point out huge differences in a self-signed certificate and Certificate Services, such as the ability to issue certificates for IPSec (which our little ol’ self-signed certificate can’t do). Enough said.
Advanced SBS Security Topics
No chapter worth its security salt could be devoid of a few advanced security topics even though said topics are beyond the scope of this introductory volume on SPRINGERS! While my future advanced SBS 2003 text will delve deeper and fly further on a single tank of gas, try on a few of the following advanced security topics for size. Security is of such importance that this is one time we can clearly take a respite from the SPRINGERS story line and explore:
Hardware-Based Firewall
Yes, Virginia, there is native SBS 2003 support for hardware-based firewalls. It’s kosher as well and you’ll be accepted in the open and affirming SBS community. Best of all, when you select the router option in the EICW as you set up the network connection (see the third screen regarding connection type in the EICW), you’ll be able to take advantage of a really cool SBS 2003 feature: It automatically configures hardware-based routers as part of its wizardry! Say what? This isn’t a misprint. What occurs is this. If your hardware-based firewall is Universal Plug and Play (UPNP) compliant (this is an industry standard) and you provide sufficient credentials (that allow you to configure the hardware-based firewall itself), then the EICW will open the correct ports to support the services you’ve selected that need access from the Internet.
Dual-Firewall
Another popular configuration with SBS 2003 is to implement a dual firewall. In this case, you’d use the built-in firewall capability in SBS 2003 and then supplement that on the network border with an additional firewall. Note this additional firewall is typically hardware-based, but could very well be a software-based firewall from another vendor. A view of a dual firewall scenario is shown in Figure 5-12.
Figure 5-12
This is your road map for implementing a dual-firewall scenario with SBS 2003.
BEST PRACTICE: You could implement a dual firewall scenario with either SBS 2003 standard edition (with the RRAS NAT/Basic Firewall) or SBS 2003 premium edition (with ISA Server 2000 discussed later in Chapter 13).
What Is a VPN?
No, this isn’t a trick question. Many readers of this book might not actually know what a VPN is. Don’t believe me? Then you should have been there during the filming of an SBS setup video at Microsoft Studios on 158th Ave NE in Redmond the day we forgot to define VPN in the script. An important marketing manager discovered this omission and we had to play some Hollywood magic to splice in a short lecture on VPN connectivity in the post production phase. Needless to say, this drove up the video costs and since that day, I’ve never forgotten to add this lecture in any chapter where it makes sense.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Here is the official definition of a VPN taken from the online help system in SBS 2003: The extension of a private network that encompasses encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections can provide remote access and routed connections to private networks over the Internet client computers. However, computers that are part of a private network will not be able to detect computers outside of the private network, and computers that are not part of the private network will not be able to detect computers that belong to the private network.
Relating VPN connectivity to security is the next step. You might be saying “Who cares?” at this point. Both you and I care. When the shoe fits, establishing a VPN connection using either the point-to-point tunneling protocol (a poor man’s encryption method) or layer-two tunneling protocol (a rich man’s encryption method that requires a certificate authority) creates a secure link between a remote computer and the SBS 2003 network. Essentially, you can compute with less worry from afar.
BEST PRACTICE: I’ll touch on VPN connectivity in Chapter 8 again with step by step procedures. And don’t forget you actually configured server-side VPN connectivity in Chapter 4 when you completed the Configure Remote Access link. Be advised much deeper discussion is beyond the scope of this introductory SBS 2003 volume. Look for richer VPN discussion in my advanced SBS 2003 text due in mid-2004.
Friday, July 11, 2008
RRAS Unplugged in SBS 2003 [book excerpt]
TGIF! Harry Brelsord, author of Windows Small Business Server 2003 Best Practices here and just posting up for free a few pages of my book each day for your pleasure. I hope to have the darn thing completely posted up by the time SBS 2008 SHIPS!
Today we continue chapter five on security and go with RRAS unplugged....yee-haw!~
harrybbbbb, a Microsoft Small Business Specialist (SBSC)
Harry Brelsford, ceo at smb nation, www.smbnation.com
###
RRAS Unplugged
So now that you’re all patched and updated, let’s do some meat and potatoes. That is, let’s delve into the firewall component of SBS 2003 standard edition: RRAS’s NAT/Basic Firewall. I’ll essentially repeat Lab 7 from the afternoon of the USA SBS 2003 hands on lab tour that I both wrote and delivered in fall 2003. The intent of the lab was this: After a long day together of SBSing, some folks had unanswered questions about security and exactly what voodoo do you do when you complete a native SBS Wizard. Oops - I went Ragin’ Cajun on you for a moment there. What I meant to say was SBSers sometimes wonder what real settings they affect when the complete a pretty wizard.
It’s important, before proceeding, to remember that you completed both the EICW and the Remote Access Wizard in the prior chapter in order to maintain the sanctity of our SPRINGERS methodology. So, in effect, you’ve already implemented the security related to firewall protection in SBS 2003 standard edition.
The key pages in the EICW that relate specifically to the security we’ll discuss in this chapter (and future chapters) are EICW page 7 (the Firewall screen where you enable the firewall), EICW page 8 which relates to services that will be accessible across the Internet (see Services Configuration in Figure 5-9), EICW page 9 (Web Services Configuration that I really discuss more in Chapters 8 and 10) and EICW page 10 (Web Server Certificate) that I discuss more in the next section.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 5-9
Revisiting the Services Configuration page.
BEST PRACTICE: You’ll increasingly learn and be comfortable with your own situation best. Remember that the SPRINGERS methodology is a pass across SBS 2003 using a story line that works. On the Services Configuration page as part of SPRINGERS, we made some selections in the last chapter.
But what if your real-world needs are slightly different? Perhaps you’ll need to allow some other services, read port openings, be accessible via the Internet. How would you do that in Figure 5-9? Just click the Add button and type in the service name and port information.
In the next procedure, you’ll not only see where your Service Configuration settings are implemented, but you’ll get a peek at the additional services you could select from. Please be advised that the following procedure, which is
basically a look and see, is here so you can appreciate where some of the security settings you select in the EICW are truly “set.”
1 Log on to SPRINGERS1 as Administrator with password Husky9999!.
2 Click Start, Server Management, Advanced Management, Computer Management, and Services and Applications.
3 Select Routing and Remote Access, IP Routing followed by NAT/ Basic Firewall.
4 Right click on Network Connection and select Properties from the secondary menu, (and then see my figures).
5 Observe the NAT/Basic Firewall tab sheet (Figure 5-10) that depicts the selections for NAT and Basic Firewall. These were selected when you enabled the firewall on page 7 of the EICW. I’ll discuss the concept of NAT and Basic Firewall in just a second.
6 Click the Services and Ports tab. Observe the services that you can select.
Figure 5-10
This is where the NAT and Basic Firewall selections are made.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 5-11
This is where the Internet-accessible services were selected.
7. Click OK.
Today we continue chapter five on security and go with RRAS unplugged....yee-haw!~
harrybbbbb, a Microsoft Small Business Specialist (SBSC)
Harry Brelsford, ceo at smb nation, www.smbnation.com
###
RRAS Unplugged
So now that you’re all patched and updated, let’s do some meat and potatoes. That is, let’s delve into the firewall component of SBS 2003 standard edition: RRAS’s NAT/Basic Firewall. I’ll essentially repeat Lab 7 from the afternoon of the USA SBS 2003 hands on lab tour that I both wrote and delivered in fall 2003. The intent of the lab was this: After a long day together of SBSing, some folks had unanswered questions about security and exactly what voodoo do you do when you complete a native SBS Wizard. Oops - I went Ragin’ Cajun on you for a moment there. What I meant to say was SBSers sometimes wonder what real settings they affect when the complete a pretty wizard.
It’s important, before proceeding, to remember that you completed both the EICW and the Remote Access Wizard in the prior chapter in order to maintain the sanctity of our SPRINGERS methodology. So, in effect, you’ve already implemented the security related to firewall protection in SBS 2003 standard edition.
The key pages in the EICW that relate specifically to the security we’ll discuss in this chapter (and future chapters) are EICW page 7 (the Firewall screen where you enable the firewall), EICW page 8 which relates to services that will be accessible across the Internet (see Services Configuration in Figure 5-9), EICW page 9 (Web Services Configuration that I really discuss more in Chapters 8 and 10) and EICW page 10 (Web Server Certificate) that I discuss more in the next section.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 5-9
Revisiting the Services Configuration page.
BEST PRACTICE: You’ll increasingly learn and be comfortable with your own situation best. Remember that the SPRINGERS methodology is a pass across SBS 2003 using a story line that works. On the Services Configuration page as part of SPRINGERS, we made some selections in the last chapter.
But what if your real-world needs are slightly different? Perhaps you’ll need to allow some other services, read port openings, be accessible via the Internet. How would you do that in Figure 5-9? Just click the Add button and type in the service name and port information.
In the next procedure, you’ll not only see where your Service Configuration settings are implemented, but you’ll get a peek at the additional services you could select from. Please be advised that the following procedure, which is
basically a look and see, is here so you can appreciate where some of the security settings you select in the EICW are truly “set.”
1 Log on to SPRINGERS1 as Administrator with password Husky9999!.
2 Click Start, Server Management, Advanced Management, Computer Management, and Services and Applications.
3 Select Routing and Remote Access, IP Routing followed by NAT/ Basic Firewall.
4 Right click on Network Connection and select Properties from the secondary menu, (and then see my figures).
5 Observe the NAT/Basic Firewall tab sheet (Figure 5-10) that depicts the selections for NAT and Basic Firewall. These were selected when you enabled the firewall on page 7 of the EICW. I’ll discuss the concept of NAT and Basic Firewall in just a second.
6 Click the Services and Ports tab. Observe the services that you can select.
Figure 5-10
This is where the NAT and Basic Firewall selections are made.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 5-11
This is where the Internet-accessible services were selected.
7. Click OK.
Saturday, July 5, 2008
Attach Client Computer PROCEDURE in SBS 2003 [book excerpt]
Good saturday to u. I am harry brelsford, the author of Windows Small Business Server 2003 Best Practices (the purple book). Each day I am posting up several pages of this tome until SBS 2008 ships.
Today we complete the a--important client computer connection process at the procedural level in SBS 2003!
enjoy the read....harrybbbbb
Harry Brelsford, Microsoft Small Business Specialist (SBSC)
CEO at smb nation, www.smbnation.com
###
Attaching the Client Computer
So now for one of the more interesting updates in the SBS 2003 time frame: adding the client computer. In prior SBS releases, you’d use a client computer setup diskette (e.g., Magic disk) at each workstation to configure it for an SBS network. Word is that the diskette not only went the day of the dinosaur, but somehow didn’t pass Microsoft’s internal security audit of the SBS 2003 product (as part of Microsoft’s internal security code review).
You will now launch your client computer from a power on state (that is, turn on the computer!). Assuming the computer is physically attached to the local area network that houses the SBS server machine (and receives it IP address dynamically), then follow these steps:
1 Log on to the client computer (this would be a local logon).
2 Launch Internet Explorer from your Start menu. Type http:// springers1/connectcomputer in the Address field. It is this URL address that will display a Web page that allows you to connect the client computer.
3 The Network Configuration screen appears as seen in Figure 4-27. Click Connect to the network now.
Notes:
Figure 4-27
The new and very cool client computer setup process commences right here. Read the screen carefully about receiving a security warning notice (which you would approve to continue).
1 The User Account and Password Information page appears in the Small Business Server Network Configuration Wizard. Type Administrator in the User name field and Husky9999! in the Password field. Click Next. This step is necessary to provide domain-level administrator credentials to allow the machine to be joined to the domain (we need a God-like account to configure the machine, which makes sense).
2 On the Assign users to this computer and migrate their profiles page, select Administrator and NormH under Available Users. Click Add and these two user names should appear under Users assigned to this computer as seen in Figure 4-28. Click Next.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
BEST PRACTICE: Three points to surface here.
(A) This step is effectively adding the user as a local administrator in order to install software on the local machine. At the Worldwide Partner Conference hosted by Microsoft in New Orleans in October 2003, CEO Steve Ballmer entertained a question from a concerned attendee that this seemed like a case of very generous security to grant a mere mortal (agreed!).
(B) At a future date, if you want to add more users (such as new users) as being assigned to this machine, you’ll need to do it manually. So one attendee in the October 2003 hands-on lab in New York City (Sharon Tirosh, who is well known on the SBS Yahoo! Group) suggested that you manually add a security group (e.g., from the domain to the local machine) to the local machine and then put the additional users in that security group. Note that you CAN NOT do this security group addition trick from the Assign users to the computer and migrate their profiles page. So, this is not native to SBS 2003, but can be performed under the hood.
(C) Click the More Information in Figure 4-28 and learn more about the ability to migrate profiles from existing workstations. This capability invokes a process that searches the local machine for existing profiles (e.g., a local profile in an existing peer-to-peer network scenario) and displays the found profiles in a drop-down under Current User Settings. You would then select one of the profiles (obviously the profile that is the best fit) to migrate that profile to the domain membership for a user and preserve his settings. In lecture, I typically refer to this as the grandchild capability wherein the business user can arrive Monday (Humor Zone: That’s Tuesday in Australia, as they are one day ahead of the US!) and still see the grandchild’s photo that is the local machine desktop. Hell hath no fury like a user who can’t see her grandkid’s photo after joining an SBS network!
Note: I’ll investigate these above points in greater detail in my advanced SBS 2003 book in mid 2004.
Figure 4-28
Assigning users to the local machine. Note that you aren’t creating domain user account here (this was accomplished earlier on the server machine via the Add User Wizard).
1 On the Computer Name page, select PRESIDENT and click Next.
2 On the Completing the Network Configuration Wizard page, click the here link and proceed to save the configuration on the local machine (much like you’ve created your network notebook on the server machine). Click Finish to start the network configuration process. A reboot will occur immediately to join the machine to the domain.
3 After the first reboot and automatic logon, additional domain joining activity occurs and there is a second reboot.
4 After the second reboot, log on as NormH with the password Purple3300.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
10. Then the client computer configuration process continues when you click Start Now on the Client Setup Wizard.
11. Click Next on the Welcome to the Client Setup Wizard page.
12. The Application Setup Process page appears and the core SBS client-side applications are installed (Outlook 2003, Shared Fax client, operating system updates). This is shown in Figure 4-29.
Figure 4-29
Observe the setup of the applications.
13. The machine reboots (again!) and you will log on as NormH again (password is Purple3300). The setup process is now complete and you’ve officially added a client computer in our beloved SPRINGERS methodology.
BEST PRACTICE: If for some reason the client computer applications, such as Outlook 2003, didn’t completely install correctly, there is a manual workaround. Simply navigate to \\SPRINGERS1\ClientApps (this is the UNC path back to the SBS server machine) and launch
the appropriate native setup routine (e.g., setup.exe) for the
applications you want to install on the client machine.
Today we complete the a--important client computer connection process at the procedural level in SBS 2003!
enjoy the read....harrybbbbb
Harry Brelsford, Microsoft Small Business Specialist (SBSC)
CEO at smb nation, www.smbnation.com
###
Attaching the Client Computer
So now for one of the more interesting updates in the SBS 2003 time frame: adding the client computer. In prior SBS releases, you’d use a client computer setup diskette (e.g., Magic disk) at each workstation to configure it for an SBS network. Word is that the diskette not only went the day of the dinosaur, but somehow didn’t pass Microsoft’s internal security audit of the SBS 2003 product (as part of Microsoft’s internal security code review).
You will now launch your client computer from a power on state (that is, turn on the computer!). Assuming the computer is physically attached to the local area network that houses the SBS server machine (and receives it IP address dynamically), then follow these steps:
1 Log on to the client computer (this would be a local logon).
2 Launch Internet Explorer from your Start menu. Type http:// springers1/connectcomputer in the Address field. It is this URL address that will display a Web page that allows you to connect the client computer.
3 The Network Configuration screen appears as seen in Figure 4-27. Click Connect to the network now.
Notes:
Figure 4-27
The new and very cool client computer setup process commences right here. Read the screen carefully about receiving a security warning notice (which you would approve to continue).
1 The User Account and Password Information page appears in the Small Business Server Network Configuration Wizard. Type Administrator in the User name field and Husky9999! in the Password field. Click Next. This step is necessary to provide domain-level administrator credentials to allow the machine to be joined to the domain (we need a God-like account to configure the machine, which makes sense).
2 On the Assign users to this computer and migrate their profiles page, select Administrator and NormH under Available Users. Click Add and these two user names should appear under Users assigned to this computer as seen in Figure 4-28. Click Next.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
BEST PRACTICE: Three points to surface here.
(A) This step is effectively adding the user as a local administrator in order to install software on the local machine. At the Worldwide Partner Conference hosted by Microsoft in New Orleans in October 2003, CEO Steve Ballmer entertained a question from a concerned attendee that this seemed like a case of very generous security to grant a mere mortal (agreed!).
(B) At a future date, if you want to add more users (such as new users) as being assigned to this machine, you’ll need to do it manually. So one attendee in the October 2003 hands-on lab in New York City (Sharon Tirosh, who is well known on the SBS Yahoo! Group) suggested that you manually add a security group (e.g., from the domain to the local machine) to the local machine and then put the additional users in that security group. Note that you CAN NOT do this security group addition trick from the Assign users to the computer and migrate their profiles page. So, this is not native to SBS 2003, but can be performed under the hood.
(C) Click the More Information in Figure 4-28 and learn more about the ability to migrate profiles from existing workstations. This capability invokes a process that searches the local machine for existing profiles (e.g., a local profile in an existing peer-to-peer network scenario) and displays the found profiles in a drop-down under Current User Settings. You would then select one of the profiles (obviously the profile that is the best fit) to migrate that profile to the domain membership for a user and preserve his settings. In lecture, I typically refer to this as the grandchild capability wherein the business user can arrive Monday (Humor Zone: That’s Tuesday in Australia, as they are one day ahead of the US!) and still see the grandchild’s photo that is the local machine desktop. Hell hath no fury like a user who can’t see her grandkid’s photo after joining an SBS network!
Note: I’ll investigate these above points in greater detail in my advanced SBS 2003 book in mid 2004.
Figure 4-28
Assigning users to the local machine. Note that you aren’t creating domain user account here (this was accomplished earlier on the server machine via the Add User Wizard).
1 On the Computer Name page, select PRESIDENT and click Next.
2 On the Completing the Network Configuration Wizard page, click the here link and proceed to save the configuration on the local machine (much like you’ve created your network notebook on the server machine). Click Finish to start the network configuration process. A reboot will occur immediately to join the machine to the domain.
3 After the first reboot and automatic logon, additional domain joining activity occurs and there is a second reboot.
4 After the second reboot, log on as NormH with the password Purple3300.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
10. Then the client computer configuration process continues when you click Start Now on the Client Setup Wizard.
11. Click Next on the Welcome to the Client Setup Wizard page.
12. The Application Setup Process page appears and the core SBS client-side applications are installed (Outlook 2003, Shared Fax client, operating system updates). This is shown in Figure 4-29.
Figure 4-29
Observe the setup of the applications.
13. The machine reboots (again!) and you will log on as NormH again (password is Purple3300). The setup process is now complete and you’ve officially added a client computer in our beloved SPRINGERS methodology.
BEST PRACTICE: If for some reason the client computer applications, such as Outlook 2003, didn’t completely install correctly, there is a manual workaround. Simply navigate to \\SPRINGERS1\ClientApps (this is the UNC path back to the SBS server machine) and launch
the appropriate native setup routine (e.g., setup.exe) for the
applications you want to install on the client machine.
Friday, July 4, 2008
Configure Fax, Monitoring, Backup in SBS 2003 [book excerpt]
Happy 4th of July! Iam harry brelsford, the author of Windows Small Business Server 2003 Best Practices and a Microsoft Small Business Specialist (SBSC). I am posting up a few pages from this*purple book* each day until SBS 2008 ships!
Today we wrap up some of the SBS Management Console\To DoList items. Whew!
cheers…harrybbbbb
Harry Brelsford, ceo at smb nationm www.smbnation.com
###
Configure Fax
This selection will launch the wizard for Fax Configuration Wizard. Over the course of several steps you will complete in Chapter 9, you will configure the Shared Fax Service to benefit SPRINGERS.
Configure Monitoring
The Monitoring Configuration Wizard is launched from this link on the To Do List. This will implement the awesome monitoring capability in SBS 2003 and will be discussed in detail in Chapter 12.
Configure Backup
The Backup Configuration Wizard is launched from this link and commences the configuration of the massively improved backup process. More on this in the SBS administration chapter later in the book.
BEST PRACTICE: Because the last two To Do List items have only been discussed and not completed here, be sure you do not select the Done checkbox for these items. That wouldn’t make sense as you’ve not completed the tasks. Later, once the relevant work is completed, you’ll mark these tasks as done.
BEST PRACTICE: You can print out the To Do List which makes for a nice checklist to work with as you run around as an SBSer. Simply click the Print button in the lower right.
Today we wrap up some of the SBS Management Console\To DoList items. Whew!
cheers…harrybbbbb
Harry Brelsford, ceo at smb nationm www.smbnation.com
###
Configure Fax
This selection will launch the wizard for Fax Configuration Wizard. Over the course of several steps you will complete in Chapter 9, you will configure the Shared Fax Service to benefit SPRINGERS.
Configure Monitoring
The Monitoring Configuration Wizard is launched from this link on the To Do List. This will implement the awesome monitoring capability in SBS 2003 and will be discussed in detail in Chapter 12.
Configure Backup
The Backup Configuration Wizard is launched from this link and commences the configuration of the massively improved backup process. More on this in the SBS administration chapter later in the book.
BEST PRACTICE: Because the last two To Do List items have only been discussed and not completed here, be sure you do not select the Done checkbox for these items. That wouldn’t make sense as you’ve not completed the tasks. Later, once the relevant work is completed, you’ll mark these tasks as done.
BEST PRACTICE: You can print out the To Do List which makes for a nice checklist to work with as you run around as an SBSer. Simply click the Print button in the lower right.
Thursday, July 3, 2008
Workstation Installation Procedure for SBS2003
Happy July 3rd everyone - I am harry brelsford, author of Windows Small Business Server 2003 Best Practices and I enjoy posting a few pages of my book per day for your reading pleasure. I hope to have the entire book posted up by the time SBS 2008 ships!
Today we look at the keystrokes to add a workstation to the SBS 2003 network!
cheers and Happy 4th of July!
harry brelsford, ceo at smb nation, www.smbnation.com (I am also a Microsoft Small Business Specialist! aka SBSC)
###
SBS Workstation Setup Process
The SBS workstation setup approach is a four-step process, and compared to the SBS server machine installation, it is relatively simple. Another interesting point is that, whereas you perform the SBS server machine setup only once, you perform the SBS workstation setup multiple times. I’ve found that such repetition breeds familiarity; your comfort level increases with this process.
Of the four steps, the first two (running the Add User Wizard and then the Set Up Computer Wizard) are performed on the SBS server machine via the To Do List. The last two steps are performed on the SBS workstation. Run the setup program over the wire via a Web browser and install the client applications. This process is detailed in Figure 4-21.
A quick SBS 2003-specific comment for you: If you have worked with SBS in the past, say SBS 4.5, you will be very pleased to see that SBS 2003 has greatly simplified the add user and computer processes. This was accomplished in part by adding the bulk entry capability, using user account templates, and eliminating the “magic” setup diskette. All this and more will be displayed and discussed in a moment.
Figure 4-21
SBS Workstation setup process.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
The step-by-step process for adding users and client computers commences right here, right now!
1 Again, assuming you’re logged on as the Administrator at the server machine SPRINGERS1, you will click the Add Users and Computers link from the To Do List.
2 Click Next at the Welcome to the Add User Wizard.
3 On the Template Selection screen, pick Power User Template, as
seen in Figure 4-22 and click Next. Figure 4-22
There are several templates to select from, including the new Mobile User Template.
BEST PRACTICE: There is an interesting design feature in the bulk add capability that relates to the Template Selection screen in Figure 4-22 above. If you look closely, the language clearly states that the selected template will be applied to all users. Furthermore, each user inherits the templates settings (as you would expect). But, we’ve got a slight problem if you were lead to believe that, using the bulk addition capability, we could add all of the SPRINGERS
users all at once. Such is not the case, because if you revisit the User List in Chapter 2, you see that two users are “power users” and the rest of the users are “users.” This translates into the following: You will need to run the Add User Wizard twice in the SPRINGERS methodology in order to add users that fall into two template categories.
Oh - and fear not that I’m ignoring the Mobile User Template. I elevate a user’s template-based permissions to that level in Chapter 11 using a cool new role transfer wizard.
BEST PRACTICE: You may look at the specific properties for each of these user templates to answer any questions you have. Such questions are often focused on exactly what settings are being invoked by selecting one template as compared to another template. However, viewing these properties can only be done when running the Add User Wizard in single-user mode (not bulk-add mode, which is the default from the To Do List). So you would click the User object under Standard Management in the Server Management console followed by a click on Add a User. Then select Display selected template’s default settings in the wizard checkbox on the Template Selection screen. You should do this while adding at least one of your users, so you better understand the background process that is occurring.
Interestingly, you can create your own user templates for use in SBS. This would make sense where you want to model a particular group of users around an application or function. For example, you might want to give users in the bookkeeping department access to the shared folder containing the data. This is done by selecting the Add Template button on the Template Selection screen (this button appears in the Add User Wizard in both single user and bulk add mode). The Add Template Wizard will commence. To learn more about adding a template and even importing and exporting templates between SBS server networks (e.g., multiple SBS customer sites),
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
click User Templates under Standard Management on the Server Management console.
Finally, just when you’d have enough template talk, I draw your attention to the fact that you are not required to use a template at all when running the Add User Wizard in single-user mode (select Do not use a template to define user settings on the Template Selection screen). When running the Add User Wizard in bulk-add mode, you must select a template (there is no option for bypassing template usage).
1 On the User Information screen, select Add. Complete the Specify the user information dialog box that appears in Figure 4-23. Click OK.
2 Click Add again on the User Information screen and complete the Specify the user information dialog box for Bob Easter in a manner similar to the above step. Click OK when complete.
Figure 4-23
Adding the first power user, Norm Hasborn.
1 Click Next after you’ve completed the entry of the two power users on the User Information page.
2 Select Set up computers now on the Set Up Client Computers page. Click Next.
3 Add the computer names PRESIDENT and CAREFEED01 by typing one name at a time in the Client computer name field on the Client Computer Names page and clicking Add. Click Next.
4 Accept the default selection of all client applications being selected on the Client Applications page. Select the After Client Setup is finished, log off the client computer checkbox as shown in Figure 4-24. Click Next.
Figure 4-24
Accepting all of the settings on the Client Applications page.
10. Click Next on the Mobile Client and Offline Use page. Although this functionality isn’t part of the SPRINGERS methodology, you might consider these capabilities in the real world (functionality described under More Information). Click Next.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
11. On the Completing the Add User Wizard page, be sure to click the here link and name the configuration page Add Users1.htm as part of your network notebook exercise. Click Finish.
BEST PRACTICE: Speaking of documenting the SBS 2003 network, there are a two other logs you would want to know about right now. These are located in \%System Drive%\Program Files\Microsoft Windows Small Business Server\Support\
*add_user_wizard.log. This log documents how users were added to the SBS 2003 network.
* scw.log. This log documents how client computers where configured for the SBS 2003 network.
A more technical log, SBSClientApps.log, can be viewed at \%System Drive%\Program Files\Microsoft Windows Small Business Server\Tools\. This log reports on internal application execution milestones.
Notes:
12. CAREFULLY read the Finishing Your Installation dialog box and
click OK. This is shown in Figure 4-25. Figure 4-25
A dialog box that hints at a next step you will perform on a client computer.
BEST PRACTICE: When you read the dialog box in the step above, you’ll note that you’re not being asked to actually go to the URL of http://SPRINGERS1/ConnectComputer at this time. Rather, the dialog box is telling you to go to a client computer and perform this action. I’ve seen people read this information far too rapidly and launch Internet Explorer on the SBS server machine and type in the URL to connect the computer. This happened repeatedly in the SBS 2003 hands-on lab tour in the US in the fall of 2003. You can not successfully run the connect computer command on the server machine, because the server is already connected to the network.
13. Click Close. Now repeat the above steps to add the remaining SPRINGERS users (listed in Chapter 2 in the User List) in one more pass using the User Template (this is the common template for all of these users). You will answer Yes when asked if you want to run the Add User Wizard again to add more users. Figure 4-26 displays the User Information screen you should have as part of this process.
Notes:
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 4-26
Now you can really see the “bulk-add” capabilities in the Add User Wizard with all of these names displayed!
BEST PRACTICE: Note an interesting tidbit as you add all of the users for SPRINGERS. When you get to the Client Computer Names screen, there will be many client computers listed that have already been auto-named for you. This is typically the user name followed by “01” (e.g., BarryM01). Of course, this isn’t what we intend for the workstation naming with SPRINGERS (the User List in Chapter 2 provides that names), so you will use the Remove button to remove those names and then add the proper client computer names (SPRINGERS names computers by job function and then places 01 at the end).
So, let’s finish discussing the To Do List and then proceed to attach the client machine to the SBS network.
Today we look at the keystrokes to add a workstation to the SBS 2003 network!
cheers and Happy 4th of July!
harry brelsford, ceo at smb nation, www.smbnation.com (I am also a Microsoft Small Business Specialist! aka SBSC)
###
SBS Workstation Setup Process
The SBS workstation setup approach is a four-step process, and compared to the SBS server machine installation, it is relatively simple. Another interesting point is that, whereas you perform the SBS server machine setup only once, you perform the SBS workstation setup multiple times. I’ve found that such repetition breeds familiarity; your comfort level increases with this process.
Of the four steps, the first two (running the Add User Wizard and then the Set Up Computer Wizard) are performed on the SBS server machine via the To Do List. The last two steps are performed on the SBS workstation. Run the setup program over the wire via a Web browser and install the client applications. This process is detailed in Figure 4-21.
A quick SBS 2003-specific comment for you: If you have worked with SBS in the past, say SBS 4.5, you will be very pleased to see that SBS 2003 has greatly simplified the add user and computer processes. This was accomplished in part by adding the bulk entry capability, using user account templates, and eliminating the “magic” setup diskette. All this and more will be displayed and discussed in a moment.
Figure 4-21
SBS Workstation setup process.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
The step-by-step process for adding users and client computers commences right here, right now!
1 Again, assuming you’re logged on as the Administrator at the server machine SPRINGERS1, you will click the Add Users and Computers link from the To Do List.
2 Click Next at the Welcome to the Add User Wizard.
3 On the Template Selection screen, pick Power User Template, as
seen in Figure 4-22 and click Next. Figure 4-22
There are several templates to select from, including the new Mobile User Template.
BEST PRACTICE: There is an interesting design feature in the bulk add capability that relates to the Template Selection screen in Figure 4-22 above. If you look closely, the language clearly states that the selected template will be applied to all users. Furthermore, each user inherits the templates settings (as you would expect). But, we’ve got a slight problem if you were lead to believe that, using the bulk addition capability, we could add all of the SPRINGERS
users all at once. Such is not the case, because if you revisit the User List in Chapter 2, you see that two users are “power users” and the rest of the users are “users.” This translates into the following: You will need to run the Add User Wizard twice in the SPRINGERS methodology in order to add users that fall into two template categories.
Oh - and fear not that I’m ignoring the Mobile User Template. I elevate a user’s template-based permissions to that level in Chapter 11 using a cool new role transfer wizard.
BEST PRACTICE: You may look at the specific properties for each of these user templates to answer any questions you have. Such questions are often focused on exactly what settings are being invoked by selecting one template as compared to another template. However, viewing these properties can only be done when running the Add User Wizard in single-user mode (not bulk-add mode, which is the default from the To Do List). So you would click the User object under Standard Management in the Server Management console followed by a click on Add a User. Then select Display selected template’s default settings in the wizard checkbox on the Template Selection screen. You should do this while adding at least one of your users, so you better understand the background process that is occurring.
Interestingly, you can create your own user templates for use in SBS. This would make sense where you want to model a particular group of users around an application or function. For example, you might want to give users in the bookkeeping department access to the shared folder containing the data. This is done by selecting the Add Template button on the Template Selection screen (this button appears in the Add User Wizard in both single user and bulk add mode). The Add Template Wizard will commence. To learn more about adding a template and even importing and exporting templates between SBS server networks (e.g., multiple SBS customer sites),
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
click User Templates under Standard Management on the Server Management console.
Finally, just when you’d have enough template talk, I draw your attention to the fact that you are not required to use a template at all when running the Add User Wizard in single-user mode (select Do not use a template to define user settings on the Template Selection screen). When running the Add User Wizard in bulk-add mode, you must select a template (there is no option for bypassing template usage).
1 On the User Information screen, select Add. Complete the Specify the user information dialog box that appears in Figure 4-23. Click OK.
2 Click Add again on the User Information screen and complete the Specify the user information dialog box for Bob Easter in a manner similar to the above step. Click OK when complete.
Figure 4-23
Adding the first power user, Norm Hasborn.
1 Click Next after you’ve completed the entry of the two power users on the User Information page.
2 Select Set up computers now on the Set Up Client Computers page. Click Next.
3 Add the computer names PRESIDENT and CAREFEED01 by typing one name at a time in the Client computer name field on the Client Computer Names page and clicking Add. Click Next.
4 Accept the default selection of all client applications being selected on the Client Applications page. Select the After Client Setup is finished, log off the client computer checkbox as shown in Figure 4-24. Click Next.
Figure 4-24
Accepting all of the settings on the Client Applications page.
10. Click Next on the Mobile Client and Offline Use page. Although this functionality isn’t part of the SPRINGERS methodology, you might consider these capabilities in the real world (functionality described under More Information). Click Next.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
11. On the Completing the Add User Wizard page, be sure to click the here link and name the configuration page Add Users1.htm as part of your network notebook exercise. Click Finish.
BEST PRACTICE: Speaking of documenting the SBS 2003 network, there are a two other logs you would want to know about right now. These are located in \%System Drive%\Program Files\Microsoft Windows Small Business Server\Support\
*add_user_wizard.log. This log documents how users were added to the SBS 2003 network.
* scw.log. This log documents how client computers where configured for the SBS 2003 network.
A more technical log, SBSClientApps.log, can be viewed at \%System Drive%\Program Files\Microsoft Windows Small Business Server\Tools\. This log reports on internal application execution milestones.
Notes:
12. CAREFULLY read the Finishing Your Installation dialog box and
click OK. This is shown in Figure 4-25. Figure 4-25
A dialog box that hints at a next step you will perform on a client computer.
BEST PRACTICE: When you read the dialog box in the step above, you’ll note that you’re not being asked to actually go to the URL of http://SPRINGERS1/ConnectComputer at this time. Rather, the dialog box is telling you to go to a client computer and perform this action. I’ve seen people read this information far too rapidly and launch Internet Explorer on the SBS server machine and type in the URL to connect the computer. This happened repeatedly in the SBS 2003 hands-on lab tour in the US in the fall of 2003. You can not successfully run the connect computer command on the server machine, because the server is already connected to the network.
13. Click Close. Now repeat the above steps to add the remaining SPRINGERS users (listed in Chapter 2 in the User List) in one more pass using the User Template (this is the common template for all of these users). You will answer Yes when asked if you want to run the Add User Wizard again to add more users. Figure 4-26 displays the User Information screen you should have as part of this process.
Notes:
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 4-26
Now you can really see the “bulk-add” capabilities in the Add User Wizard with all of these names displayed!
BEST PRACTICE: Note an interesting tidbit as you add all of the users for SPRINGERS. When you get to the Client Computer Names screen, there will be many client computers listed that have already been auto-named for you. This is typically the user name followed by “01” (e.g., BarryM01). Of course, this isn’t what we intend for the workstation naming with SPRINGERS (the User List in Chapter 2 provides that names), so you will use the Remove button to remove those names and then add the proper client computer names (SPRINGERS names computers by job function and then places 01 at the end).
So, let’s finish discussing the To Do List and then proceed to attach the client machine to the SBS network.
Tuesday, July 1, 2008
Houston WPC - Here I come!
Howdy y'all...
I am writing this as I drive across Washington state uising my tablet PC andverizon aircard. I am with my family starting the LONG drive to Crested Butte Colorado to be followed by my flight to Houston TX. I will be presenting on the public sector panel on SMB Day (next Monday) and then having much fun as a media member at the larger WPC conference. Needless to say - I will be very busy BUT I always enjoy BSing with like-minded SBSers and SMB consultants....so pull up a chair and shout hello....I would love ot find out what you think (even how you think!)
With that said - I will post my bloggage from thecar over the next few daysenroute to Colorado. Be safe out there!
harrybbbbbbb
Microsoft Small Business Specialist (SBSC), author of Windows Small Business Server 2003 Best Practices and ceo atsmb nation (www.smbnation.com).
I am writing this as I drive across Washington state uising my tablet PC andverizon aircard. I am with my family starting the LONG drive to Crested Butte Colorado to be followed by my flight to Houston TX. I will be presenting on the public sector panel on SMB Day (next Monday) and then having much fun as a media member at the larger WPC conference. Needless to say - I will be very busy BUT I always enjoy BSing with like-minded SBSers and SMB consultants....so pull up a chair and shout hello....I would love ot find out what you think (even how you think!)
With that said - I will post my bloggage from thecar over the next few daysenroute to Colorado. Be safe out there!
harrybbbbbbb
Microsoft Small Business Specialist (SBSC), author of Windows Small Business Server 2003 Best Practices and ceo atsmb nation (www.smbnation.com).
Monday, June 30, 2008
SBS 2003 Management Tasks and Adding a Printer
Hello!
I am Harry Brelsford, the author of Windows Small Business Server 2003 Best Practices (purple book). Each day - I am posting up several pages from my book for your pleasure and reading!
Today we discuss - management tasks and adding a printer to a Windows SBS 2003 network
Thanks mates!
harrybbbb, sbsc, mcse, mct, cne, clse, cnp and mba
Harry Brelsford CEO at SMB Nation www.smbnation.com
###
Management Tasks
The SBS development team drew a demarcation line between network tasks and management tasks to delineate the type of work you perform on the To Do List. Whereas the tasks performed above tend to be one-time in nature, the tasks that follow in this section, such as adding users and computers, might be repeated. Thus, the SBS development team created a “management” category.
Add a printer
What can I say. Adding a printer is all about adding the physical printer and publishing it to Active Directory. We’ll do so now because you might remember from Table 2-4 in Chapter 2 that SPRINGERS has a HP Color LaserJet 5M laser printer (with the share name of HP5).
1 Assuming you are still logged on as Administrator on the server machine SPRINGERS1, select Add a Printer from the To Do List.
2 Click Next at the Welcome to the Add Printer Wizard.
3 On the Local or Network Printer page, accept the default setting of Local printer attached to this computer. But please deselect Automatically detect or install my Plug and Play printer (in the real world, you might very well select that automatic detection option,
but under the SPRINGERS approach, let’s face it, we’re kinda playing make-believe here to learn the product). Click Next.
4. Select LPT1: (Recommended Printer Port) in the Use the following port: field on the Select a Printer Port page. Click Next.
5. On the Install Printer Software page, select HP under Manufacturer and HP Color LaserJet 5M under Printers. Click Next.
6. On the Name Your Printer page, type HP5 in the Printer name field. Click Next.
7. Accept the default share name of HP5 on the Printer Sharing screen and click Next. This name was obviously extracted from the Name Your Printer page and in all cases has the 15-character NetBIOS naming limit.
8. Type Main Office in the Location field on the Location and Comment page and click Next.
9. Select No when asked if you want to print a test page on the Print Test Page. Click Next.
10. Click Finish on the Completing the Add Printer Wizard page. Note that there is no “here” link to add this information to your SBS network notebook I’m encouraging you to complete. Why, you ask? Because the Add Printer Wizard is not a native SBS wizard and thus doesn’t incorporate that functionality.
Add Users and Computers
Now for the good stuff. We’re going to add all of the users for SPRINGERS, using the new bulk capability to add users. This is different from SBS 2000 when users were added in a linear, one at a time fashion. Time is a wastin’, so let’s get started by first reviewing the time-tested tasks of preparing the workstation to be added to the network. After that, you’ll perform the actual step-by-step tasks to add users and computers and connect the client computer to the SBS 2003 network.
I am Harry Brelsford, the author of Windows Small Business Server 2003 Best Practices (purple book). Each day - I am posting up several pages from my book for your pleasure and reading!
Today we discuss - management tasks and adding a printer to a Windows SBS 2003 network
Thanks mates!
harrybbbb, sbsc, mcse, mct, cne, clse, cnp and mba
Harry Brelsford CEO at SMB Nation www.smbnation.com
###
Management Tasks
The SBS development team drew a demarcation line between network tasks and management tasks to delineate the type of work you perform on the To Do List. Whereas the tasks performed above tend to be one-time in nature, the tasks that follow in this section, such as adding users and computers, might be repeated. Thus, the SBS development team created a “management” category.
Add a printer
What can I say. Adding a printer is all about adding the physical printer and publishing it to Active Directory. We’ll do so now because you might remember from Table 2-4 in Chapter 2 that SPRINGERS has a HP Color LaserJet 5M laser printer (with the share name of HP5).
1 Assuming you are still logged on as Administrator on the server machine SPRINGERS1, select Add a Printer from the To Do List.
2 Click Next at the Welcome to the Add Printer Wizard.
3 On the Local or Network Printer page, accept the default setting of Local printer attached to this computer. But please deselect Automatically detect or install my Plug and Play printer (in the real world, you might very well select that automatic detection option,
but under the SPRINGERS approach, let’s face it, we’re kinda playing make-believe here to learn the product). Click Next.
4. Select LPT1: (Recommended Printer Port) in the Use the following port: field on the Select a Printer Port page. Click Next.
5. On the Install Printer Software page, select HP under Manufacturer and HP Color LaserJet 5M under Printers. Click Next.
6. On the Name Your Printer page, type HP5 in the Printer name field. Click Next.
7. Accept the default share name of HP5 on the Printer Sharing screen and click Next. This name was obviously extracted from the Name Your Printer page and in all cases has the 15-character NetBIOS naming limit.
8. Type Main Office in the Location field on the Location and Comment page and click Next.
9. Select No when asked if you want to print a test page on the Print Test Page. Click Next.
10. Click Finish on the Completing the Add Printer Wizard page. Note that there is no “here” link to add this information to your SBS network notebook I’m encouraging you to complete. Why, you ask? Because the Add Printer Wizard is not a native SBS wizard and thus doesn’t incorporate that functionality.
Add Users and Computers
Now for the good stuff. We’re going to add all of the users for SPRINGERS, using the new bulk capability to add users. This is different from SBS 2000 when users were added in a linear, one at a time fashion. Time is a wastin’, so let’s get started by first reviewing the time-tested tasks of preparing the workstation to be added to the network. After that, you’ll perform the actual step-by-step tasks to add users and computers and connect the client computer to the SBS 2003 network.
Sunday, June 29, 2008
SBS 2003: Activate Your Server and Add CALs
hi there - I am harry brelsford, author of the infamous SBS 2003 purple book and I am posting up a few pages per day until SBS 2008 ships.
Today we activate the SBS 2003 and add Client Access Licenses (CALs) - all from the amazing To DO List
cheers...harrybbb harry brelsford, ceo at smb nation, www.smbnation.com
###
Activate Your Server
In the real world, you would now click the Activate Your Server task on the To Do List and complete it. Because you are creating an imaginary network for SPRINGERS, let’s not do that and say we did! Seriously, when you make a second pass at your SBS network, you will, of course, complete this task.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Server activation can occur online or via the telephone. Server activation is required because your server will otherwise become inoperable 14 days after creation if it isn’t activated.
Add Client Licenses
Here again, in the real world, you’d likely add more client access licenses (CALs) in order to support the full staff at your small business site. Earlier I spoke to licensing and its improvements (purchase online, device and user CALs, etc.).
In the case of SPRINGERS, we’re gonna keep it simple and not dig deeper into your hip pocket to make you purchase CALs. Remember, this is a sample network to learn SBS 2003. Later, when you’re “live,” you’ll proceed to purchase the required CALs you need.
BEST PRACTICE: Now select the Done checkbox on the To Do List
for the two tasks discussed immediately above.
Today we activate the SBS 2003 and add Client Access Licenses (CALs) - all from the amazing To DO List
cheers...harrybbb harry brelsford, ceo at smb nation, www.smbnation.com
###
Activate Your Server
In the real world, you would now click the Activate Your Server task on the To Do List and complete it. Because you are creating an imaginary network for SPRINGERS, let’s not do that and say we did! Seriously, when you make a second pass at your SBS network, you will, of course, complete this task.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Server activation can occur online or via the telephone. Server activation is required because your server will otherwise become inoperable 14 days after creation if it isn’t activated.
Add Client Licenses
Here again, in the real world, you’d likely add more client access licenses (CALs) in order to support the full staff at your small business site. Earlier I spoke to licensing and its improvements (purchase online, device and user CALs, etc.).
In the case of SPRINGERS, we’re gonna keep it simple and not dig deeper into your hip pocket to make you purchase CALs. Remember, this is a sample network to learn SBS 2003. Later, when you’re “live,” you’ll proceed to purchase the required CALs you need.
BEST PRACTICE: Now select the Done checkbox on the To Do List
for the two tasks discussed immediately above.
Friday, June 27, 2008
Configure Remote Access in SBS 2003 [Windows Small Business Server 2003 Best PRactices book excerpt]
Happy Friday readers! Harry Brelsford here, author of the infamous purple book! I am posting up a few pages per day of this book until SBS 2008 ships!
Today we discuss configuring remote access from the SBS 2003 TO DO LIST (what a computing paradigm eh?)
cheers...harrybbbb
harry brelsford, ceo at smb nation, www.smbnation.com
PS - check out our huge three-day fall conference in Seattle at the above URL
###
Configure Remote Access
Welcome back. Time for more step-by-step.
1 Click on the Configure Remote Access link.
2 Click Next at the Welcome to the Remote Access Wizard.
3 Verify that Enable remote access is selected and VPN access is
checked as shown in Figure 4-19. Click Next. Figure 4-19
This is the magic moment for facilitating VPN remote access.
4. On the VPN Server Name page, the Server name field is automatically populated with springers1.springersltd.com (this information was extracted from the EICW). After confirming you screen looks like Figure 4-20, click Next.
BEST PRACTICE: So, do you always have to VPN in via the FQDN you’re entering in Step 4 above? No! You can also ring up the SBS server machine by simply typing in the wild-side IP address to commence a VPN session. In the case of SPRINGERS, this would be
207.202.238.215.
Figure 4-20
You are defining the FQDN that allows access to the server over the Internet.
5. Click the “here” link on the Completing the Remote Access Wizard and save the configuration as VPN.htm in the My Documents folder (similar to the steps you undertook at the end of the EICW). Click Finish. After a few minutes the remote access configuration process will be completed, at which time you will click Close.
BEST PRACTICE: Before you and I become forgetful, please select the Done boxes on the To Do List for the Connect to the Internet and Configure Remote Access tasks.
Today we discuss configuring remote access from the SBS 2003 TO DO LIST (what a computing paradigm eh?)
cheers...harrybbbb
harry brelsford, ceo at smb nation, www.smbnation.com
PS - check out our huge three-day fall conference in Seattle at the above URL
###
Configure Remote Access
Welcome back. Time for more step-by-step.
1 Click on the Configure Remote Access link.
2 Click Next at the Welcome to the Remote Access Wizard.
3 Verify that Enable remote access is selected and VPN access is
checked as shown in Figure 4-19. Click Next. Figure 4-19
This is the magic moment for facilitating VPN remote access.
4. On the VPN Server Name page, the Server name field is automatically populated with springers1.springersltd.com (this information was extracted from the EICW). After confirming you screen looks like Figure 4-20, click Next.
BEST PRACTICE: So, do you always have to VPN in via the FQDN you’re entering in Step 4 above? No! You can also ring up the SBS server machine by simply typing in the wild-side IP address to commence a VPN session. In the case of SPRINGERS, this would be
207.202.238.215.
Figure 4-20
You are defining the FQDN that allows access to the server over the Internet.
5. Click the “here” link on the Completing the Remote Access Wizard and save the configuration as VPN.htm in the My Documents folder (similar to the steps you undertook at the end of the EICW). Click Finish. After a few minutes the remote access configuration process will be completed, at which time you will click Close.
BEST PRACTICE: Before you and I become forgetful, please select the Done boxes on the To Do List for the Connect to the Internet and Configure Remote Access tasks.
Thursday, June 26, 2008
MS Response POint SP1 released to manufacuring
Hey - it's on the way in early\mid-july!
This from MS itself:
Response Point SP1 RTM'ed today
When we started RP, our vision was simple: to provide a telephony solution so easy to use that every small business customer can set it up like connecting
When we started RP, our vision was simple: to provide a telephony solution so easy to use that every small business customer can set it up like connecting a printer to the PC. Today, we are moving one step closer to realize our vision by releasing to manufacturing Response Point Service Pack 1. Our OEM partners will bring SP1 to market next month.
SP1 not only improved RP 1.0's performance/quality but also added some very cool features such as VOIP gateway, Click to Call, and Call Presence etc. Never before was PBX this easy to manage.
cheers...harrybbbb
harry brlesford ceo smb nation www.smbnation.com
This from MS itself:
Response Point SP1 RTM'ed today
When we started RP, our vision was simple: to provide a telephony solution so easy to use that every small business customer can set it up like connecting
When we started RP, our vision was simple: to provide a telephony solution so easy to use that every small business customer can set it up like connecting a printer to the PC. Today, we are moving one step closer to realize our vision by releasing to manufacturing Response Point Service Pack 1. Our OEM partners will bring SP1 to market next month.
SP1 not only improved RP 1.0's performance/quality but also added some very cool features such as VOIP gateway, Click to Call, and Call Presence etc. Never before was PBX this easy to manage.
cheers...harrybbbb
harry brlesford ceo smb nation www.smbnation.com
MS Research seeking Managed Services test subjects in Redmond
Call for Managed Service Providers
Microsoft User Research is looking for individuals from companies who provide proactive, outsourced IT services for multiple businesses; these services could include backing up data, installing patches, keeping AV software up-to-date, and management of other IT assets.
It is important for you to know that you do not need to prepare anything to participate. We want to learn from you, the experts, to determine what needs to be improved in our software. We highly value your feedback and will be offering you a gratuity option in appreciation of your time and participation.
If you are interested or know someone who could be interested in participating, please email us at itusable@microsoft.com and include MSP in the subject line. For information on other studies and to learn more about Microsoft's User Research program email us.
cheers...harrybbbb
harry brelsford, ceo at smb nation, www.smbnation.com
Microsoft User Research is looking for individuals from companies who provide proactive, outsourced IT services for multiple businesses; these services could include backing up data, installing patches, keeping AV software up-to-date, and management of other IT assets.
It is important for you to know that you do not need to prepare anything to participate. We want to learn from you, the experts, to determine what needs to be improved in our software. We highly value your feedback and will be offering you a gratuity option in appreciation of your time and participation.
If you are interested or know someone who could be interested in participating, please email us at itusable@microsoft.com and include MSP in the subject line. For information on other studies and to learn more about Microsoft's User Research program email us.
cheers...harrybbbb
harry brelsford, ceo at smb nation, www.smbnation.com
CEICW completion in SBS 2003
Hello loyal readers - today we complete the CEICW in SBS 2003. Thanks for reading.
Harrybbbbbb, author of Windows Small Business Server 2003 Best Practices
Harry Brlesford SMB Nation www.smbnation.com
###
11. On the Web Server Certificate, select Create a new Web server certificate and complete the Web server name field by typing springers1.springersltd.com. Your screen should look similar to Figure 4-11.
Figure 4-11
Creating the full Internet name for external clients to receive security certification.
BEST PRACTICE: What you’ve done in Figure 4-11 is provide the fully qualified domain name (FQDN) that can be accessed directly over the Internet. Remember, you’ll need a resource record (“A” record) registered in the DNS at your ISP which points to the IP address of your wild side network adapter card to make the FQDN functional in this scenario. In the case of SPRINGERS, the IP address
207.202.238.215 would point to springers1. springersltd.com via an A record at the ISP. Whew!
Oh - another war story. Perhaps you completed the original online SBS 2003 hands-on lab that was released in mid-July 2003 with the release candidate software (microsoft.granitepillar.com/partners). In that hands-on lab, there was an exercise where you completed the EICW. On the Web Server Certificate page of the EICW, you configured the Web server name field with Denver.woodgrovebank.local. So what’s wrong with that picture? The *.local domain extension as part of your FQDN entry can’t be referenced externally. So that would be a mistake. One way that you could satisfy your own curiosity about this matter would be to click the More Information button. The first sentence that describes the first option (Create a new Web server certificate) spells it out clearly by saying “...access your server from the Internet.”).
12. Select Enable Internet e-mail on the Internet E-mail page and click Next.
13. Select Use DNS to route e-mail on the E-mail Delivery Method page and click Next. This is the most common setting when using Simple Mail Transport Protocol (SMTP)-based e-mail, and it is indeed part of the SPRINGERS story line.
Notes:
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
14. On the E-mail Retrieval Method page, select Use Exchange and verify that E-mail is delivered directly to my server. Click Next. This is shown in Figure 4-12.
Figure 4-12
In the case of SPRINGERS and in the real world, you typically have your e-mail delivered directly to the SBS server machine.
Notes:
15. On the E-mail Domain Name page, type springersltd.com in the E-mail domain name field. This is shown in Figure 4-13.
BEST PRACTICE: Here again, if you took the online SBS 2003 hands-on lab available after mid-July 2003 (microsoft.granitepillar.com/ partners), you might recall that you were instructed on the E-mail Domain Name screen to enter a third-tier domain name (e.g., denver.woodgrovebank.com). There is a problem with this instruction in that you only want to enter a second-tier domain name (e.g., woodgrovebank.com).
Figure 4-13
Enter springersltd.com for the register Internet e-mail domain name.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
16. On the Remove E-mail Attachments page, confirm that Enable Exchange Server to remove Internet e-mail attachments that have the following extensions. Then observe that all of the file name extensions are selected. This is shown in Figure 4-14. Click Next.
Figure 4-14
This is a really cool new feature in SBS 2003: the ability to block harmful e-mail attachments!
BEST PRACTICE: Exactly what are these harmful e-mail attachments, anyway? And how are they blocked? Are the attachments blocked on POP3 e-mail in addition to SMTP e-mail? The answers to all your questions can be found by clicking the More Information button on the Remove E-mail Attachments page. Take a moment to do that now.
17. On the Completing the Configure E-mail and Internet Connection Wizard page, click the link at the bottom titled here. You will proceed to create a network notebook.
18. As seen in Figure 4-15, a Web page displaying the EICW configuration information appears when you select the “here” link in the prior step. Select File, Save As and save the file as EICW Configuration.htm in the default location (My Documents). Click Save.
BEST PRACTICE: A few comments about this “network notebook” capability in the SBS 2003. First, major hats off to the SBS development team for adding this capability, because every SBS and SMB consultant I know worth their salt has always wanted to do a better job of documenting their network! More important, if you’re the second SBS consultant at a customer’s site, you’ll be mighty appreciative if your predecessor had taken the time to perform this type of documentation.
Second, at the end of any native SBS 2003 wizard, you are presented with a “here” link to facilitate the creation of this network notebook. So, no excuses for not taking an extra moment to literally click “here” and document that network!
Third, look at the default naming in Figure 4-15 below. Notice it’s a sorta hokey looking file name. That’s why you rename the file to be more descriptive in Step 18 above. Fourth, you’re going to plop all of these network notebook files in a folder that becomes your de facto notebook binder.
Oh - you can still follow my advice from my prior book (Small Business Server 2000 Best Practices) and simply select the configuration information via your mouse on the completion page (Step 17) by typing CTRL-C to copy it to the operating system clipboard and then selecting CTRL-V to paste it into a text document (say in WordPad).
Notes:
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 4-15
Displaying network configuration information.
19. Close the Web page displaying the configuration information and click Finish back on the completion page. The EICW configuration process will take several minutes. Click Close at the end of the configuration process.
20. A dialog box will appear notifying you that password policies have not been enabled on the network. Let’s go ahead and do that now, so click Yes.
Notes:
21. Select all checkboxes on the Configure Password Policies dialog
box (Figure 4-16) and click OK. Figure 4-16
Implementing meaningful password policies reflects security improvements in SBS 2003.
22. Click OK when notified that your server is connected to the Internet and immediately apply the latest critical and security updates. This is a great reminder and much appreciated. In the real world, you would do exactly what is being suggested (with SPRINGERS, I’m assuming you’re building this on a test network possibly without a real Internet connection, so please make the necessary adjustments). When you click OK, Internet Explorer will attempt to connect to the Microsoft update site. In the case of SPRINGERS (assuming you aren’t truly connected to the Internet) simply close the Web page. I discuss the updating process in Chapter 5.
BEST PRACTICE: By the way (BTW), if you launch Internet Explorer on the SBS 2003 server machine (SPRINGER1) prior to launching and completing the EICW, you will see the Web page displayed in
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 4-17. Interestingly, it is a Web page describing the process of
how to complete the EICW.
Figure 4-17
Internet Explorer encourages you to complete the EICW when you first launch it on an SBS 2003 server machine.
Notes:
After your run the EICW, the default Web page programmatically changes to CompanyWeb, as seen in Figure 4-18. Note that it’ll take a moment the first time you launch Internet Explorer post-EICW, as some background page-building activity will occur.
Figure 4-18
Post-EICW, the default Web page becomes CompanyWeb.
It’s been a long haul so far in this chapter, and we’ve got a long way to go. Take a break and I’ll see you back here after a cup of coffee.
Harrybbbbbb, author of Windows Small Business Server 2003 Best Practices
Harry Brlesford SMB Nation www.smbnation.com
###
11. On the Web Server Certificate, select Create a new Web server certificate and complete the Web server name field by typing springers1.springersltd.com. Your screen should look similar to Figure 4-11.
Figure 4-11
Creating the full Internet name for external clients to receive security certification.
BEST PRACTICE: What you’ve done in Figure 4-11 is provide the fully qualified domain name (FQDN) that can be accessed directly over the Internet. Remember, you’ll need a resource record (“A” record) registered in the DNS at your ISP which points to the IP address of your wild side network adapter card to make the FQDN functional in this scenario. In the case of SPRINGERS, the IP address
207.202.238.215 would point to springers1. springersltd.com via an A record at the ISP. Whew!
Oh - another war story. Perhaps you completed the original online SBS 2003 hands-on lab that was released in mid-July 2003 with the release candidate software (microsoft.granitepillar.com/partners). In that hands-on lab, there was an exercise where you completed the EICW. On the Web Server Certificate page of the EICW, you configured the Web server name field with Denver.woodgrovebank.local. So what’s wrong with that picture? The *.local domain extension as part of your FQDN entry can’t be referenced externally. So that would be a mistake. One way that you could satisfy your own curiosity about this matter would be to click the More Information button. The first sentence that describes the first option (Create a new Web server certificate) spells it out clearly by saying “...access your server from the Internet.”).
12. Select Enable Internet e-mail on the Internet E-mail page and click Next.
13. Select Use DNS to route e-mail on the E-mail Delivery Method page and click Next. This is the most common setting when using Simple Mail Transport Protocol (SMTP)-based e-mail, and it is indeed part of the SPRINGERS story line.
Notes:
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
14. On the E-mail Retrieval Method page, select Use Exchange and verify that E-mail is delivered directly to my server. Click Next. This is shown in Figure 4-12.
Figure 4-12
In the case of SPRINGERS and in the real world, you typically have your e-mail delivered directly to the SBS server machine.
Notes:
15. On the E-mail Domain Name page, type springersltd.com in the E-mail domain name field. This is shown in Figure 4-13.
BEST PRACTICE: Here again, if you took the online SBS 2003 hands-on lab available after mid-July 2003 (microsoft.granitepillar.com/ partners), you might recall that you were instructed on the E-mail Domain Name screen to enter a third-tier domain name (e.g., denver.woodgrovebank.com). There is a problem with this instruction in that you only want to enter a second-tier domain name (e.g., woodgrovebank.com).
Figure 4-13
Enter springersltd.com for the register Internet e-mail domain name.
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
16. On the Remove E-mail Attachments page, confirm that Enable Exchange Server to remove Internet e-mail attachments that have the following extensions. Then observe that all of the file name extensions are selected. This is shown in Figure 4-14. Click Next.
Figure 4-14
This is a really cool new feature in SBS 2003: the ability to block harmful e-mail attachments!
BEST PRACTICE: Exactly what are these harmful e-mail attachments, anyway? And how are they blocked? Are the attachments blocked on POP3 e-mail in addition to SMTP e-mail? The answers to all your questions can be found by clicking the More Information button on the Remove E-mail Attachments page. Take a moment to do that now.
17. On the Completing the Configure E-mail and Internet Connection Wizard page, click the link at the bottom titled here. You will proceed to create a network notebook.
18. As seen in Figure 4-15, a Web page displaying the EICW configuration information appears when you select the “here” link in the prior step. Select File, Save As and save the file as EICW Configuration.htm in the default location (My Documents). Click Save.
BEST PRACTICE: A few comments about this “network notebook” capability in the SBS 2003. First, major hats off to the SBS development team for adding this capability, because every SBS and SMB consultant I know worth their salt has always wanted to do a better job of documenting their network! More important, if you’re the second SBS consultant at a customer’s site, you’ll be mighty appreciative if your predecessor had taken the time to perform this type of documentation.
Second, at the end of any native SBS 2003 wizard, you are presented with a “here” link to facilitate the creation of this network notebook. So, no excuses for not taking an extra moment to literally click “here” and document that network!
Third, look at the default naming in Figure 4-15 below. Notice it’s a sorta hokey looking file name. That’s why you rename the file to be more descriptive in Step 18 above. Fourth, you’re going to plop all of these network notebook files in a folder that becomes your de facto notebook binder.
Oh - you can still follow my advice from my prior book (Small Business Server 2000 Best Practices) and simply select the configuration information via your mouse on the completion page (Step 17) by typing CTRL-C to copy it to the operating system clipboard and then selecting CTRL-V to paste it into a text document (say in WordPad).
Notes:
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 4-15
Displaying network configuration information.
19. Close the Web page displaying the configuration information and click Finish back on the completion page. The EICW configuration process will take several minutes. Click Close at the end of the configuration process.
20. A dialog box will appear notifying you that password policies have not been enabled on the network. Let’s go ahead and do that now, so click Yes.
Notes:
21. Select all checkboxes on the Configure Password Policies dialog
box (Figure 4-16) and click OK. Figure 4-16
Implementing meaningful password policies reflects security improvements in SBS 2003.
22. Click OK when notified that your server is connected to the Internet and immediately apply the latest critical and security updates. This is a great reminder and much appreciated. In the real world, you would do exactly what is being suggested (with SPRINGERS, I’m assuming you’re building this on a test network possibly without a real Internet connection, so please make the necessary adjustments). When you click OK, Internet Explorer will attempt to connect to the Microsoft update site. In the case of SPRINGERS (assuming you aren’t truly connected to the Internet) simply close the Web page. I discuss the updating process in Chapter 5.
BEST PRACTICE: By the way (BTW), if you launch Internet Explorer on the SBS 2003 server machine (SPRINGER1) prior to launching and completing the EICW, you will see the Web page displayed in
Visit www.microsoft.com/technet for the latest updates for any Microsoft product.
Figure 4-17. Interestingly, it is a Web page describing the process of
how to complete the EICW.
Figure 4-17
Internet Explorer encourages you to complete the EICW when you first launch it on an SBS 2003 server machine.
Notes:
After your run the EICW, the default Web page programmatically changes to CompanyWeb, as seen in Figure 4-18. Note that it’ll take a moment the first time you launch Internet Explorer post-EICW, as some background page-building activity will occur.
Figure 4-18
Post-EICW, the default Web page becomes CompanyWeb.
It’s been a long haul so far in this chapter, and we’ve got a long way to go. Take a break and I’ll see you back here after a cup of coffee.
Subscribe to:
Posts (Atom)
