
EBS 2008 Firewall Configuration May 27, 2009

Posted by Steve in EBS, Networking.

Essential Business Server 2008 (EBS 2008) automatically installs and configures most of the components required to provide remote access. Details can be found in my EBS 2008 Remote Access article.

Forefront TMG is automatically configured during installation to allow the ports listed below to access services in the EBS 2008 environment. If you have an external router or firewall you will need to forward the following ports from that device to the WAN Adapter of the EBS 2008 Security Server:

  • Port 25 TCP – SMTP
  • Port 80 TCP – HTTP (EBS 2008 redirects inbound HTTP to HTTPS)
  • Port 443 TCP – HTTPS (RWW, OWA and TS Gateway)
  • Port 987 TCP – External secure Windows SharePoint Services intranet access
  • Port 1723 TCP – PPTP (VPN) – optional as RRAS is not configured by default

Note that RDP access to server consoles is provided through Terminal Services Gateway (over port 443), so do not allow inbound connections on port 3389, as doing so is a security risk.
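The following Python check is an added example, not part of the original post: it audits a list of port-forward rules from the external router against the ports listed above, including range rules that silently cover 3389. The rule text format (`proto ports -> target`), the function names and the 192.0.2.x addresses are assumptions made for illustration.

```python
REQUIRED = {25, 80, 443, 987}   # SMTP, HTTP, HTTPS, secure SharePoint access
OPTIONAL = {1723}               # PPTP, only if RRAS has been configured
FORBIDDEN = {3389}              # RDP: consoles are reached via TS Gateway on 443

def parse_rule(line):
    """Parse 'proto ports -> target'; ports is 'N' or 'N-M' (assumed export format)."""
    proto, ports, _arrow, target = line.split()
    lo, _, hi = ports.partition("-")
    return proto.lower(), int(lo), int(hi or lo), target

def audit(rules, security_server_wan):
    """Return a list of (kind, detail) findings for the given forward rules."""
    findings, forwarded = [], set()
    for line in rules:
        proto, lo, hi, target = parse_rule(line)
        covered = set(range(lo, hi + 1))
        if covered & FORBIDDEN:
            findings.append(("forbidden", line))     # also catches ranges spanning 3389
        elif proto != "tcp" or covered - (REQUIRED | OPTIONAL):
            findings.append(("unexpected", line))    # not in the documented list
        elif target != security_server_wan:
            findings.append(("wrong-target", line))  # must land on the WAN adapter
        else:
            forwarded |= covered
    for port in sorted(REQUIRED - forwarded):
        findings.append(("missing", f"tcp {port}"))
    return findings

# Constructed sample export; the addresses are documentation placeholders.
SECURITY_SERVER_WAN = "192.0.2.10"
SAMPLE_RULES = [
    "tcp 25 -> 192.0.2.10",
    "tcp 80 -> 192.0.2.10",
    "tcp 443 -> 192.0.2.10",
    "tcp 987 -> 192.0.2.50",
    "tcp 3380-3400 -> 192.0.2.50",
    "udp 53 -> 192.0.2.10",
]

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_RULES, SECURITY_SERVER_WAN):
        print(f"{kind:13} {detail}")
```
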

Forefront TMG with EBS 2008 overview April 25, 2009

Posted by Steve in EBS.

The second server installed during the EBS 2008 installation process is the security server. This server is the gateway between the internal LAN and the internet. The server requires two network cards and a minimum of 2GB of RAM and 40GB of disk space.

Forefront Threat Management Gateway (TMG) is the product formerly known as ISA. TMG is included as a component of EBS 2008 Server and installs onto the Security Server. TMG runs on a 64bit edition of Windows 2008, whereas ISA only supports 32bit environments. TMG is currently only available with EBS 2008 or as a beta version for other server versions. Small Business Server (SBS) 2003 included ISA 2004; however, this option has been removed from SBS 2008.

EBS 2008 automatically installs Forefront TMG as part of the security server installation process. Anyone who is familiar with ISA 2004 or ISA 2006 will instantly recognise the console and be able to find the key areas without too much trouble. The installation automatically creates rules, configures web listeners and assigns the self-signed certificate generated during the installation. Network sets are correctly defined based on a couple of questions asked during the installation process.

I found that I only needed to make a couple of minor changes to the default configuration to allow my environment to function properly. The first was turning off strict RPC checking to allow the Data Protection Manager (DPM) agent to install and then allow traffic to and from the DPM server. Interesting that RPC compliance is not conformed to by DPM. The second change was creating a custom rule to allow TCP 3101 outbound for Blackberry (an additional server in this environment was running Blackberry), achieved by running a wizard that is almost identical to that in ISA 2006.

The first obvious change I noticed in TMG rules is the option to scan traffic for malware. End users see this when downloading files from the internet: a webpage appears showing the attachment scanning process before the user can save the file to disk. Other areas of improvement include separate tabs for Firewall rules and Web rules, making it easy to manage both rule types. Many of the publishing aspects of TMG are improved, e.g. Exchange 2007 support and SharePoint publishing. VPN functionality is improved in many areas including support for a variety of third party IPsec solutions, stateful packet inspection and VPN quarantine.

TMG is an incremental improvement to ISA 2006 with most of the improvements focused on the latest generation of Microsoft server products and a move to 64bit.

A full list of features can be found here: Microsoft Forefront TMG features

Essential Business Server 2008 overview April 19, 2009

Posted by Steve in EBS.

In November 2008 Microsoft released a new server software bundle aimed at businesses with up to 300 users. I recently deployed my first Essential Business Server 2008 (EBS 2008) and was instantly impressed. EBS 2008 mixes proven technologies like Windows 2008 Server and Exchange 2007 with new technologies like Forefront and management tools like System Centre Essentials. The combination of products works well together and has the potential to save a lot of time both during the initial install and over the lifetime of the system.

What is EBS 2008?

EBS 2008 deploys onto 3 servers. It is supported on both physical and virtual environments. The Premium edition adds a fourth Windows 2008 standard server (with 1 free Virtual License included) and SQL 2008 Standard Edition.

Following the installation you get an environment with these roles / features:

  • 2 Domain Controllers (Management and Messaging servers)
  • System Centre Essentials 2007
  • Exchange 2007
  • Forefront for Exchange
  • Forefront TMG (next generation ISA)
  • Remote Web Workplace
  • Terminal Services Gateway
  • Windows 2008 standard edition (premium edition)
  • SQL 2008 (premium edition)
  • WSS 3.0 (free download)

The 3 standard servers require 64bit hardware. The premium server can be either 32bit or 64bit.

Installation

A preparation tool is provided to examine an existing environment or help you design a new one. Once this is complete it is simply a matter of putting the first DVD into your server (make sure the hardware meets the system requirements) and following the prompts until the 3 servers that make up the EBS 2008 environment are installed. The standardised installation removes many common configuration issues and helps build a core network that will perform well and work with very little tweaking.

Some of the more difficult parts of a typical network installation were positively simple with EBS 2008. Exchange 2007 installed perfectly with only a few simple questions, Forefront TMG (the replacement for ISA 2006) also installed perfectly and Remote Web Workplace’s TS Gateway options just worked.

Management

Once EBS 2008 is installed, System Centre Essentials agents can be deployed to other Windows based servers and PCs in the domain, giving enterprise style management of your network from a single point. Common tasks like installing Windows updates, ensuring antivirus software is installed and up to date, deploying software and producing an inventory of hardware and software can be done with minimal effort.

The EBS Management Console supports third party plug-ins and provides a nice management dashboard SysAdmins will love.

Managing licenses is simplified too. Microsoft sell two different EBS Client Access Licenses (CAL). The standard CAL includes Windows 2008 CAL and Exchange 2007 CAL. The premium CAL adds a SQL CAL. It is simple to assign either standard or premium licenses to specific users and report on usage. The CAL pricing also provides a good saving over purchasing individual user CALs.

Gripes

I don’t have many gripes about EBS 2008 but it does have some room for improvement. Forefront for Exchange seems a little bit ‘clunky’. Additional Forefront client licenses are required and it was difficult to get pricing information from Microsoft about this (in New Zealand at least). Microsoft don’t include a backup solution other than Windows Backup which doesn’t support Exchange or SQL.

I also found that many vendors either don’t know what EBS 2008 is or don’t have upgrade options for software from Small Business Server.

Conclusion

EBS 2008 is an excellent solution for those who have either outgrown Small Business Server or are moving from Windows 2000 or 2003 server and have less than 300 users. The time savings for management alone make this bundle well worth considering.