RE: An Alternative Solution VS SBS on one Physical Server

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 12 Jan 2005 06:55:48 -0800

Roy,

The first thing you have to realize is that there is no such thing as
"no compromise of security" if your server is not disconnected,
unplugged and buried in a vault 20 feet underground.
This is especially true of any "one-box-fits-all" scenario.  SBS is
designed, built, tested and delivered to be the best compromise (pay
attention here; I said COMPROMISE) between secure, cheap and easy to
manage.  Trust me; placing all that along with an ISA in a VM will NOT
improve the situation...

You asked for opinions; you got them.  Take them or leave them; it's
your choice.
This is your customer and their needs / $$, as well as your experiences
and predilections will dictate what you deploy and why.
You have to manage this environment, not me. 

TANSTAAFL, bro...

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
Sent: Tuesday, January 11, 2005 11:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
Server

http://www.ISAserver.org

Jim,

Anyway, what I am trying to do is to have one physical server
to provide comprehensive service with no compromising of
security. Having a physical server for each core service is
the best option, but it looks hard for a small-scale company
to maintain several physical servers too.


----- Original Message ----- 
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, January 11, 2005 12:45 PM
Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
Server


> Still looks like the hard way.
> Use of technology for its own sake isn't worth the paper it's printed on.
> Adding ISA to a domain for "management convenience" is equivalent to
> making all users local admins for "convenience".
>
>
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://isaserver.org/Jim_Harrison/
>  http://isatools.org
>  Read the help / books / articles!
>
>
>
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> Sent: Monday, January 10, 2005 5:41 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
> Server
>
> Jim,
>> - ISA does not need to be on the same machine as the DC to be a domain
>> member.
> Agree!
>
>> - ISA 2004 does not need to be a domain member for web traffic control;
>> what non-HTTP/FTP traffic do you intend to allow?
>
> Putting ISA 2004 in a domain is for management convenience!
>
>> 1 - Lose the host OS and all other servers die a horrible death as
>> well, including ISA
> With a good backup solution, it must be okay!
>
>> 2 - The host is not protected by ISA; what are you doing to keep the bad
>> guys out?
> The host can't be accessed from the WAN because no TCP/IP protocol is bundled; WAN
> access is through a virtual bridged NIC (to the physical WAN NIC) in the guest ISA
> box
>
> Make sense?
>
> Roy Tsao
> ----- Original Message ----- 
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Monday, January 10, 2005 10:23 PM
> Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
> Server
>
>
>> - ISA does not need to be on the same machine as the DC to be a domain
>> member.
>> - ISA 2004 does not need to be a domain member for web traffic control;
>> what non-HTTP/FTP traffic do you intend to allow?
>>
>> There are some serious issues you're missing out on here; for instance:
>> 1 - Lose the host OS and all other servers die a horrible death as
>> well, including ISA
>> 2 - The host is not protected by ISA; what are you doing to keep the bad
>> guys out?
>>
>> There are practical limits to virtualization; the least of which is $$.
>>
>>  Jim Harrison
>>  MCP(NT4, W2K), A+, Network+, PCG
>>  http://isaserver.org/Jim_Harrison/
>>  http://isatools.org
>>  Read the help / books / articles!
>>
>>
>>
>> -----Original Message-----
>> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
>> Sent: Sunday, January 09, 2005 9:42 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
>> Server
>>
>> Amy,
>>
>> Your suggestion "put ISA on one box, Windows 2003 with VMware and the
>> guest servers on this box" can't fit the requirement for the ISA box to join
>> the DC; the ISA box needs to be a domain member for traffic control!
>>
>> Roy
>> ----- Original Message ----- 
>> From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Monday, January 10, 2005 1:25 PM
>> Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
>> Server
>>
>>
>> The VMware license cost is one additional cost, but the cost of the
>> additional server licenses vs. SBS is still quite significant.
>>
>> If the main concern is to minimize physical servers and maximize
>> security then put ISA on one box, Windows 2003 with VMware and the guest
>> servers on this box.
>>
>> Amy
>>
>>
>>
>>
>> -----Original Message-----
>> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
>> Sent: Sunday, January 09, 2005 10:59 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
>> Server
>>
>> What I am trying to do is to minimize the cost of taking
>> additional units of physical servers while both security
>> and function shall not be compromised. For SBS, it is
>> of course a 1st option but in our environment, we need
>> more function than SBS, that's why I want to uprise
>> such a solution VS SBS.
>> As for license charge, I merely regard the virtual server
>> as an actual one; it means we must pay for it for any server
>> we need to install, and then disregard comparison of charge
>> with SBS.
>>
>> Thanks,
>>
>> Roy Tsao
>> ----- Original Message ----- 
>> From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Monday, January 10, 2005 6:05 AM
>> Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
>> Server
>>
>>
>> I think that it is a good idea but it is a whole lot more expensive than
>> 1 SBS Premium license at $1,450. How deep are your pockets? Is the extra
>> cost worth it, in terms of function or security? These are the questions
>> yet to be answered.
>>
>> Amy
>>
>>
>>
>> -----Original Message-----
>> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
>> Sent: Sunday, January 09, 2005 10:49 AM
>> To: [ISAserver.org Discussion List]
>> Cc: Jim@xxxxxxxxxxxx
>> Subject: [isalist] An Alternative Solution VS SBS on one Physical
>> Server
>>
>>
>> In my past post, I want to implement a wider service
>> like ISA/SQL/DC etc. on one physical server. For security
>> concerns, so far the recommendation from the ISAServer forum
>> is to use SBS. However we could have one more idea by utilizing
>> VMware GSX Server like below for my network:
>>  - Host OS: Windows Server 2003 (two NICs)
>>             External NIC: any but no DG IP
>>             Internal NIC: 192.168.0.2/255.255.255.0
>>  - two Guest Servers (through VMware GSX):
>>             1) Windows Server 2003 running as DC (one virtual NIC)
>>                IP: 192.168.0.3/255.255.255.0
>>                (bridged to Host Internal NIC)
>>
>>             2) Windows Server 2003 running as ISA2K4 (one virtual NIC)
>>                IP: 192.168.0.1/255.255.255.0
>>                (bridged to Host Internal NIC)
>>  Network frame:
>>    WAN connection: ADSL PPPoE connection through Guest Server 2)
>>                    Host Server and other LAN PCs' connection to
>>                    WAN through Gateway 192.168.0.1 like a physical
>>                    ISA2K4 box
>>
>>    LAN connection: Guest Server 1) as DC/DNS/DHCP server
>>
>>    Firewall protection to Host Server from External NIC:
>>      enable firewall protection, close all communication ports through
>>      TCP/IP
>>
>> Dear Jim and other cool guys, is that a good idea, supposing the host
>> server has enough CPU capacity and RAM?
>>
>> Thanks for your suggestion in advance!
>>
>> Roy Tsao
>>


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


