Server / Network Configuration Advice Needed (VPN/Firewall/User Control/Internet Access/etc)

    General discussion

  • Description

    I am a novice when it comes to server and network configuration, and trying to learn as much as I can. I know there must be many ways to achieve what I want to do. The way I land up doing it will more than likely not be ideal, but I am looking for a solution that is "good enough" for me with my limited resources. I have a small business and I need to set up my servers to cater for the following:

    • VPN Access from outside - when connected, users should still be able to browse unrestricted internet which is not channeled through the VPN
    • User access control - to control who can access certain network drives/folders etc. (currently I have configured as workgroup, and not domain)
    • File server - to have a central repository for simple document storage
    • Gateway / firewall - to protect the private network from public attack. All internet access provided from within the private network should be routed through a gateway so that traffic can be monitored, web filtering etc.
    • Hyper-V - I have a few virtual servers running various applications

    So the question is, how many server instances will I need, or can I do everything on one instance? (e.g. do I need a dedicated VPN server, file server, AD server, firewall server, etc? or can I have all these features on one server?)

    Environment

    1 physical desktop PC used as server

    8 GB RAM

    Windows Server 2008 R2 Standard SP1

    Intel Core 2 Quad 2.5 GHz

    Currently set up as workgroup

    2 network cards

    2 wireless modem/routers (one can be used as an access point)


    My current setup is as follows:

    Internet ==> Firewall Router ==> Private Workgroup Network -->Host Server / VPS1 / VPS2 / VPS3 / Laptops / etc.

    Once the VPN is set up none of the servers must be exposed directly to the public internet.


    I will highly appreciate any feedback given.

    Thanks

    Tuesday, April 17, 2012 6:25 PM

All replies

  • I would suggest:

    • VPN Access from outside - when connected, users should still be able to browse unrestricted internet which is not channeled through the VPN

    Separate server for RRAS to configure for VPN access. To allow the VPN client to have unrestricted access, in the client-side Windows VPN connection, uncheck the box that says "Use remote gateway."

    Note: RRAS should not be installed on a DC.


    • User access control - to control who can access certain network drives/folders etc. (currently I have configured as workgroup, and not domain)

    Ideally, you would rather have a domain for these requirements. It's a mess to do it with a workgroup. If you want to stick with a workgroup, then you have to either create identical user accounts on the server and the workstations, or provide instructions to use credentials to map a drive to the server, or printers, etc. However, people may pass the credentials around to each other. With AD, that possibility is vastly minimized, and you have central control.


    • File server - to have a central repository for simple document storage

    See response to question above


    • Gateway / firewall - to protect the private network from public attack. All internet access provided from within the private network should be routed through a gateway so that traffic can be monitored, web filtering etc.

    Your router/firewall should be sufficient; however, you can't get web traffic usage, and it will be difficult to control inappropriate sites. You have two options. One is to install a separate server and use TMG to control all access to the internet. There are third-party add-ons to enhance web control, reports, etc. Note: TMG should not be on a DC.

    The other poor-man's option (using the term loosely) is to use OpenDNS servers for your DNS Forwarders (www.opendns.com). You can generally control which websites are accessible or that you want blocked, and create reports, etc., but you can't control or watch individual internal users. TMG can.


    • Hyper-V - I have a few virtual servers running various applications

    The server you have should be sufficient. I would recommend using Enterprise Edition, whose license will allow you, with the same DVD, to install it as a Hyper-V host and up to 4 Hyper-V guests, all part of the license.


    Also, I would like to add that for your needs with all this, except TMG, I would honestly suggest looking into Small Business Server. For the small amount of money it costs, you get A LOT with it. And it has RRAS/VPN and other features all part of it with a simple and easy-to-use wizard. Read more on the Essentials and Premium Add-On versions:
    http://www.microsoft.com/en-us/server-cloud/windows-small-business-server/default.aspx


     


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, April 18, 2012 2:29 AM
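
An added example, not part of the reply above or of any Microsoft tooling: the checkbox mentioned in that reply is labelled "Use default gateway on remote network" in the VPN connection's advanced TCP/IP settings, and Windows stores it per connection in the `rasphone.pbk` phonebook as `IpPrioritizeRemote`. The PowerShell function below (its name and the sample entries are constructed for illustration) reads phonebook lines and reports which connections let internet traffic bypass the VPN.

```powershell
# Added example. Function name and sample entries are constructed for illustration.
# rasphone.pbk is INI-style: one [Section] per connection, Key=Value lines below it.
# IpPrioritizeRemote / Ipv6PrioritizeRemote: 1 = box checked (all traffic via the VPN),
# 0 = box unchecked (only the remote network is reached through the VPN).
function Get-VpnGatewaySetting {
    param([string[]]$Lines)

    $entries = @()
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # A new section starts: store the previous connection, open a new one.
            if ($current) { $entries += $current }
            $current = New-Object PSObject -Property @{
                Name = $Matches[1]; IpPrioritizeRemote = $null; Ipv6PrioritizeRemote = $null
            }
        }
        elseif ($current -and $line -match '^(Ip(v6)?PrioritizeRemote)=(\d+)$') {
            $key = $Matches[1]
            $current.$key = [int]$Matches[3]
        }
    }
    if ($current) { $entries += $current }

    # 'unknown' is reported when the key is absent from the entry.
    $entries | Select-Object Name, IpPrioritizeRemote, Ipv6PrioritizeRemote,
        @{ Name = 'InternetBypassesVpn'; Expression = {
            if ($null -eq $_.IpPrioritizeRemote) { 'unknown' } else { $_.IpPrioritizeRemote -eq 0 }
        } }
}

# Constructed sample: two connections, one with the box unchecked, one with it checked.
$sample = @(
    '[Office VPN]', 'Encoding=1', 'IpPrioritizeRemote=0', 'Ipv6PrioritizeRemote=0', '',
    '[Partner VPN]', 'Encoding=1', 'IpPrioritizeRemote=1', 'Ipv6PrioritizeRemote=1'
)
Get-VpnGatewaySetting $sample | Format-Table -AutoSize

# Against a real per-user phonebook on a client:
# Get-VpnGatewaySetting (Get-Content "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk")
```

Connections shared by all users of a machine are kept in a second phonebook under `%ProgramData%\Microsoft\Network\Connections\Pbk\`, so an audit of a client should read both files.
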
  • Hi David,

    Thanks for posting here.

    After reading your post, I believe our “Small Business Server” Standard all-in-one solution is suitable for all the goals we are going to achieve.

    It not only contains all the features we want but is also quite easy to configure and maintain; just take a look at the introductions in the links below:

    http://www.microsoft.com/en-us/server-cloud/windows-small-business-server/default.aspx

    Windows Small Business Server 2011 Standard

    http://technet.microsoft.com/en-us/library/gg490793.aspx

    We can also get good suggestions from the SBS forum:

    http://social.technet.microsoft.com/Forums/en/smallbusinessserver/threads

    Thanks.

    Tiger Li



    TechNet Community Support

    Thursday, April 19, 2012 9:35 AM
  • Thanks guys,

    I will look into SBS, but I am also finding it useful to learn about all of this by doing it myself, since we have large expansion plans ahead and I want to plan for great things :)

    Saturday, April 21, 2012 7:11 AM