Dealing with what’s different in Small Business Server 2008
SBS 2008 has some long-awaited features, including Exchange Server 2007, and it’s far simpler to set up, but it also drops features like firewalling, VPN and some backup options. What do you gain, what do you lose and what do you need to do about it?
The changes in Small Business Server 2008 run deep; this is the biggest development in the product since at least SBS 2000.
Key differences include:
- SBS 2008 is 64-bit only, and supports up to 32GB RAM.
- ISA Server 2006, Microsoft’s firewall and proxy server, is not included. This means the end of the classic ‘server-with-two-network-cards’ familiar to SBS consultants.
- The Premium edition includes a licence for a second server. You can use this in various ways, including hosting SBS in a virtual machine.
- NTBackup is gone, and with it any built-in support for tape backup systems.
- The POP3 connector no longer supports a global mailbox.
These changes mean that there is no in-place upgrade from SBS 2003, and in many cases both the network and the backup system will have to be redesigned. Microsoft’s official guide talks about migration rather than upgrades, and that reflects the scale of change you need to be prepared for.
An SBS 2008 network means a server with one network card, connected to an external firewall and router. The SBS server still runs a DHCP server. In the simplest configuration, you can use a single router/firewall device. When you run the Connect to the Internet wizard in SBS, it will attempt to configure the router via UPnP (Universal Plug and Play). This is a service that allows applications on the internal network to configure the router automatically, but it represents an obvious security risk if a rogue application succeeds in running behind the firewall. You can either configure the router manually, or else enable UPnP on the router temporarily to let the wizard run. The manual approach is not difficult:
- Disable the DHCP server on the router (it is normally on by default).
- Set the LAN IP address on the router to 192.168.x.1 (where x is between 0 and 254).
- Open the following ports on the router and redirect them to the SBS server:
- Port 25: SMTP email
- Port 80: HTTP Web traffic, if required.
- Port 443: HTTPS Web traffic, if required.
- Port 987: HTTPS Web traffic for WSS (Windows SharePoint Services) through Remote Web Workplace, if required.
- Port 1723: PPTP VPN if required.
The connection wizard will assign the server’s IP address.
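Once the router has been configured by hand, the question a consultant wants answered is whether the forwarding actually took, and whether anything beyond the listed ports is now visible from the Internet. The following PowerShell script is an added example, not part of the article: run from a machine outside the office network (PowerShell 2.0 or later assumed), it attempts a TCP connection to each published port on your own public address and then confirms that a short, assumed list of ports that should never be exposed on a single-NIC SBS network (RPC, NetBIOS, SMB, RDP) does not answer. The public address is a placeholder from the documentation range; replace it with the router’s WAN address.

```powershell
# Added example (not from the article): verify the router port forwarding
# from OUTSIDE the office. Assumes PowerShell 2.0 or later.
param(
    [string]$PublicIp  = "203.0.113.10",   # placeholder (TEST-NET-3), use your WAN address
    [int]$TimeoutMs    = 3000
)

# The ports the article says to redirect to the SBS server. Only the ones you
# actually use should be open; an unused one showing "open" is a router mistake.
$Published = @{
    25   = "SMTP email"
    80   = "HTTP web traffic"
    443  = "HTTPS / Remote Web Workplace"
    987  = "HTTPS for SharePoint via RWW"
    1723 = "PPTP VPN"
}
# Assumed hardening list, not from the article: these must never answer on
# the WAN side, whatever the router's default rules say.
$MustBeClosed = @{
    135  = "RPC endpoint mapper"
    139  = "NetBIOS session"
    445  = "SMB file sharing"
    3389 = "RDP (use RWW over 443 instead)"
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        # WaitOne returns $false when nothing answered within the timeout
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$problems = 0
Write-Host "Published ports on $PublicIp"
foreach ($port in ($Published.Keys | Sort-Object)) {
    $open  = Test-TcpPort -Address $PublicIp -Port $port -Timeout $TimeoutMs
    $state = if ($open) { "open" } else { "closed" }
    Write-Host ("{0,5}  {1,-32} {2}" -f $port, $Published[$port], $state)
}
foreach ($port in ($MustBeClosed.Keys | Sort-Object)) {
    if (Test-TcpPort -Address $PublicIp -Port $port -Timeout $TimeoutMs) {
        Write-Warning ("Port {0} ({1}) is reachable from the Internet; fix the router" -f $port, $MustBeClosed[$port])
        $problems++
    }
}
# Non-zero exit code if any must-be-closed port answered, so it can be scheduled
exit $problems
```

Run it once after the manual configuration and again after any firmware update or router replacement; a router that silently re-enables UPnP or its own DHCP server tends to show up here as an unexpected "open".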
Note that with ISA Server out of the picture, there is less reason to use Microsoft’s PPTP (point to point tunnelling protocol) for the VPN. Instead, you can have the router or firewall device handle the VPN.
Choosing a Firewall
SBS 2008 still has a Windows Firewall installed and running; but don’t be confused: this is protection for the server, and does nothing to secure your network. Therefore, there must be a security device between the local network and the Internet. What is a suitable firewall?
The answer depends on what level of security and services you need. Even a budget router will perform NAT (Network Address Translation) duties, allowing network traffic out but throwing away any incoming traffic that is not specifically redirected. A dedicated firewall device adds additional features. At a minimum, you can expect stateful packet inspection (even the budget devices do this to some extent), denial of service and intrusion detection, plus VPN support. Other features may include (sometimes at extra cost) spam blocking and quarantine, virus and spyware detection, URL and content filtering, email security such as blacklists, whitelists, SPF (Sender Policy Framework) and attachment checking, bandwidth management, advanced logging and reporting.
Firewall vendors call this Unified Threat Management (UTM). Some of the features overlap with what is in SBS 2008 itself. For example, Exchange 2007 has decent anti-spam filtering built in. Still, only a device that, unlike SBS 2008, sits between the internal and external network can perform gateway checking. There is also an advantage in having a non-Windows device protecting a Windows network, since it is harder for malware to compromise. Popular choices for SBS 2008 include the SonicWall TZ series (www.sonicwall.com) or WatchGuard Firebox X Edge e-Series (www.watchguard.com); or in a smaller organisation all-in-one devices such as those from DrayTek and ZyXel. Another idea is to run an open source firewall such as Untangle (www.untangle.com) on a PC between your Internet connection and internal switch.
To VPN or not to VPN
Remote access is now expected as part of most SBS setups. SBS 2008 has a VPN Connection Wizard which you access through the Admin Console > Network > Connectivity. This configures the server for PPTP connections. PPTP is convenient because the client has been part of Windows for years, but it is vulnerable to dictionary-based password attacks and therefore should only be used with strong passwords.
Alternatives to PPTP include IPSec and Secure Socket Tunneling Protocol (SSTP), though SSTP requires clients running Vista SP1 or higher. Consultant Brian Reid has a guide to setting up SSTP on SBS 2008 at www.c7solutions.com. Most firewall and router devices also have VPN features. These are generally more secure than PPTP but may be more complex to deploy to clients.
The NTBackup utility has been around as long as its name implies. It was primarily intended for tape streamers, though it was also able to back up to a file, and was loved and hated in equal measure. It was loved, because it was free, it worked, it could do both online and offline Exchange backups, and performed nicely once you found the right combination of obscure command-line switches. It was hated because the GUI did not expose all the options, and because it worked in tandem with the counter-intuitive Removable Storage Service, and because it occasionally failed with error messages that gave little clue about what was actually wrong.
In Windows Server 2008, NTBackup is no more. Its disappearance represents a change in Microsoft’s backup philosophy, which is now geared towards disk image backup, also known as block-level backup to removable drives, rather than file backup to tape. The image is not a complete clone of the drive, but includes the blocks that contain relevant files and data. The idea is that you supply a stack of five or ten USB drives and use them like tapes, rotating them daily and moving some backups off-site for security. SBS will wipe all other data from the drives, so they must be dedicated to this purpose. Tape backup is still possible, but requires a third-party solution.
Leo Chang, CEO of BackupAssist (www.backupassist.com), whose utilities supplement rather than replace the built-in backup in both Windows Server 2003 and 2008 believes the new system, called Windows Server Backup, is much improved in a crucial area: restoring to different hardware after theft or failure of the original machine. “We have done extensive testing on the restore procedures for bare-metal restore and we’ve had no problems restoring to dissimilar hardware. We have done restores from physical to virtual, virtual to physical, Intel to AMD, single processor to dual processor, to quad core, we’ve tried really hard to break it, and every single test it comes up trumps.” That said, Microsoft still advises restoring to similar hardware.
Another advantage of the block-level backup is that after the first backup on a disk, it makes incremental backups, which are much quicker. This means you can schedule more frequent backups, reducing the amount of data that can be lost, though running a backup does impact performance.
It sounds good, but there are a few snags. One is with Hyper-V. There is no problem with backing up the parent, complete with running guests, but it is tricky to back up from the guests since there is no support for USB within the virtual machine. This will be fixed in Hyper-V R2, now in beta (www.microsoft.com/do..). It is possible to back up to a second virtual hard drive, but it is hard to achieve seamless rotation of backup drives without the assistance of a utility like BackupAssist, or writing scripts using the command-line interface to Windows Server Backup, called wbadmin. The command reference for wbadmin is at http://technet.mic.., and as with NTBackup, the command line is more flexible than the GUI.
The alternative is to rely on your backups of the host machine. The Hyper-V integration services include support for VSS (Volume Shadow Copy Service), and when the host machine performs a backup, it instructs VSS in the guests to preserve the integrity of data for running applications. Unlike plain Windows Server 2008, the SBS edition includes a VSS plug-in for Exchange, so when backing up the host you are doing an Exchange-aware backup that will even correctly truncate the logs in the guest. That said, Microsoft recommends backing up from within guests as well as from the host, a complication being that you should not do these simultaneously, as to do so confuses VSS.
Third parties with products for SBS 2008 include Symantec Backup Exec (www.symantec.com/busi...) and StorageCraft ShadowProtect (www.storagecraft.com/p...), as well as the aforementioned BackupAssist which has utilities to extend the built-in backup engine.
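The article notes that drive rotation without a third-party utility comes down to scripting wbadmin, and that the command line is more flexible than the GUI. The script below is an added example, not code from the article, Microsoft or BackupAssist, showing what such a rotation script looks like. It assumes PowerShell 2.0 or later, that it runs elevated from a scheduled task, that each rotation drive has been given a volume label starting with SBSBACKUP (for example with `label E: SBSBACKUP1`), and a log file path of its own choosing. It uses a one-off `wbadmin start backup` to whichever labelled drive is attached today; unlike a drive registered with `wbadmin enable backup`, such a target is not reformatted, so the label check is what keeps the backup off the wrong disk. It also refuses to start if another wbadmin is already running on the machine, in the spirit of the article’s warning about overlapping VSS backups.

```powershell
# Added example (not from the article, Microsoft or BackupAssist).
# Exchange-aware Windows Server Backup to whichever rotation drive is attached.
# Assumptions: PowerShell 2.0+, elevated scheduled task, drives labelled
# SBSBACKUP1, SBSBACKUP2, ... and the log path below.
$LabelPrefix = "SBSBACKUP"
$LogFile     = "C:\BackupLogs\wbadmin-rotation.log"   # assumed path

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

$logDir = Split-Path $LogFile
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Never stack a second backup on this host: overlapping VSS snapshots are the
# situation the article warns about.
if (Get-Process -Name wbadmin -ErrorAction SilentlyContinue) {
    Write-Log "Another wbadmin is already running; aborting"
    exit 3
}

# Find exactly one attached rotation drive by its volume label
$drives = @(Get-WmiObject Win32_Volume | Where-Object {
    $_.DriveLetter -and $_.Label -and $_.Label.StartsWith($LabelPrefix)
})
if ($drives.Count -ne 1) {
    Write-Log ("Expected one drive labelled {0}*, found {1}; aborting" -f $LabelPrefix, $drives.Count)
    exit 2
}
$target = $drives[0].DriveLetter          # e.g. "E:"
Write-Log ("Backing up to {0} ({1})" -f $target, $drives[0].Label)

# -allCritical : every volume needed for a bare-metal restore (system volume,
#                boot files, Exchange and SharePoint data volumes)
# -vssFull     : VSS writers treat this as a full backup, so Exchange
#                truncates its transaction logs afterwards
# -quiet       : no interactive prompt, so Task Scheduler can run it
& wbadmin start backup "-backupTarget:$target" -allCritical -vssFull -quiet
$rc = $LASTEXITCODE

if ($rc -eq 0) {
    Write-Log "Backup completed"
    # Record the backup versions now held on this drive, so the log shows how
    # far back each drive in the rotation really reaches
    & wbadmin get versions "-backupTarget:$target" | Add-Content -Path $LogFile
} else {
    Write-Log ("wbadmin exit code {0}; see the Backup log under Applications and Services Logs in Event Viewer" -f $rc)
}
exit $rc
```

Schedule it daily, swap drives in the morning, and read the log rather than the task history: a task that "completed" because no labelled drive was attached exits 2 and has backed up nothing, which the log makes obvious and the Task Scheduler summary does not.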
Changes in the POP3 connector
The SBS POP3 connector was intended as a transitional tool, for organisations that are migrating from POP3 mailboxes to direct delivery via SMTP. In some cases, the ‘transition’ has proved indefinite, even though the POP3 connector has disadvantages like slower mail delivery and a habit of duplicating messages. SBS 2008 makes it even less satisfactory, since the global mailbox option is removed. This option in SBS 2003 and earlier, combined with a catch-all address on the POP3 server, meant that messages to anyone at the email domain would be delivered if the address existed. Now you have to assign each POP3 address to a specific mailbox. This also means that the catch-all technique at the ISP no longer works. In order to continue using POP3 successfully, you need to maintain separate mailboxes at the ISP, increasing the administrative effort when users join or leave the organisation.
This means that the POP3 connector is no longer a sensible long-term option, if indeed it ever was.
The SBS Internet Connection wizard sets up the server to accept mail by SMTP, but there are three further steps to follow.
- Publish port 25 on the router, if you do not allow the wizard to do this via UPnP.
- Configure DNS at the ISP so that the MX records point to the SBS server. You must have a fixed public IP address.
- Arrange a backup SMTP server with the ISP so that mail is received if your server is offline, and redelivered when it becomes available.
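The three steps above are easy to get subtly wrong (an MX record left pointing at the ISP’s old POP3 host, or no backup MX at all), and none of them is visible from inside the SBS console. The PowerShell script below is an added example, not part of the article, that checks all three from the outside: it reads the domain’s MX records with nslookup, confirms the primary MX resolves to the fixed public address, confirms a second (backup) MX exists, and opens port 25 on the public address to read the SMTP greeting. The domain and public address are placeholders; PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the article): verify MX records, backup MX and
# port 25 publishing from outside the office. Assumes PowerShell 2.0+.
param(
    [string]$Domain   = "example.com",     # placeholder mail domain
    [string]$PublicIp = "203.0.113.10"     # placeholder (TEST-NET-3) fixed public IP
)

function Get-MxRecords([string]$Name) {
    # Windows nslookup prints lines such as:
    #   example.com   MX preference = 10, mail exchanger = mail.example.com
    $records = @()
    foreach ($line in (& nslookup -type=mx $Name 2>$null)) {
        if ($line -match 'MX preference = (\d+),\s*mail exchanger = (\S+)') {
            $records += New-Object PSObject -Property @{
                Preference = [int]$matches[1]
                Host       = $matches[2]
            }
        }
    }
    return $records | Sort-Object Preference
}

$mx = @(Get-MxRecords $Domain)
if ($mx.Count -eq 0) {
    Write-Warning "No MX records for $Domain; nobody can deliver to you by SMTP"
    exit 1
}

# Step 2: the lowest-preference MX is the primary and must resolve to the SBS public address
$primary = $mx[0]
$addrs = [System.Net.Dns]::GetHostAddresses($primary.Host) | ForEach-Object { $_.IPAddressToString }
if ($addrs -contains $PublicIp) {
    Write-Host ("Primary MX {0} (pref {1}) -> {2}  OK" -f $primary.Host, $primary.Preference, $PublicIp)
} else {
    Write-Warning ("Primary MX {0} resolves to {1}, not {2}" -f $primary.Host, ($addrs -join ","), $PublicIp)
}

# Step 3: a higher-preference MX is the ISP's backup that queues mail while you are offline
if ($mx.Count -lt 2) {
    Write-Warning "No backup MX: mail sent while the server is down depends on the sender retrying"
} else {
    Write-Host ("Backup MX {0} (pref {1})" -f $mx[1].Host, $mx[1].Preference)
}

# Step 1: port 25 on the public address must reach Exchange and answer with a 220 greeting
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.ReceiveTimeout = 5000
    $client.Connect($PublicIp, 25)
    $reader = New-Object System.IO.StreamReader($client.GetStream())
    $banner = $reader.ReadLine()
    if ($banner -like "220*") {
        Write-Host ("Port 25 greeting: {0}" -f $banner)
    } else {
        Write-Warning ("Port 25 answered but not with an SMTP greeting: {0}" -f $banner)
    }
} catch {
    Write-Warning ("Port 25 on {0} is not reachable: {1}" -f $PublicIp, $_.Exception.Message)
} finally {
    $client.Close()
}
```

Run it from outside the network after the ISP confirms the DNS change, and again whenever the ISP changes its backup mail relay; the backup MX is the step most often forgotten, and its absence only shows up during the first extended outage.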