RE: An Alternative Solution VS SBS on one Physical Server

From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Date: Thu, 13 Jan 2005 11:42:05 +0800

Jim,

I would like to trust you, then the answer of captioned subject
is SBS Win!
So far it is just in case study of network deployments, I will
need to study again about what SBS can give me!

Thanks,

Roy Tsao ----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, January 12, 2005 10:55 PM Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical Server

http://www.ISAserver.org

Roy,

The first thing you have to realizes is that there is no such thing as
"no compromise of security" if your server is not disconnected,
unplugged and buried in a vault 20 feet underground.
This is especially true of any "one-box-fits-all" scenario.  SBS is
designed, built, tested and delivered to be the best compromise (pay
attention here; I said COMPROMISE) between secure, cheap and easy to
manage.  Trust me; placing all that along with an ISA in a VM will NOT
improve the situation...

You asked for opinions; you got them.  Take them or leave them; it's
your choice.
This is your customer and their needs / $$, as well as your experiences
and predilections will dictate what you deploy and why.
You have to manage this environment, not me.

TANSTAAFL, bro...

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/Jim_Harrison/
 http://isatools.org
 Read the help / books / articles!

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Tuesday, January 11, 2005 11:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
Server

http://www.ISAserver.org

Jim,

Anyway what I am tryin to do is to have one physical server
to provide comprehensive service with no comprosming of
security. Have physical server per each core service is
the best option, but it looks hard for small scale company
to maintain several physical servers too.

----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Tuesday, January 11, 2005 12:45 PM Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical Server

http://www.ISAserver.org

Still looks like the hard way.
Use of technology for its own sake isn't worth the paper its printed

on.

Adding ISA to a domain for "management convenience" is equivalent to
making all users local admins for "convenience".


 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/Jim_Harrison/
 http://isatools.org
 Read the help / books / articles!

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Monday, January 10, 2005 5:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
Server

http://www.ISAserver.org

Jim,

- ISA does not need to be on the same machine as the DC to be a

domain

member.
Agree!
- ISA 2004 does not need to be a domain member for web traffic
control;
what non-HTTP/FTP traffic do you intend to allow?
Put ISA 2004 in a domain is  for management convinience!
1 - Lose the host OS ands all other servers die a horrible death as
well, including ISA
With good backup solution, it must be okay!
2 - The host is not protected by ISA; what are you doing to keep the
bad
guys out?
Host can't be access by Wan because no TCP/IP protocol bundled, Wan
access is through virtual bridged NIC (to physical Wan NIC) in guest

ISA

Box
Make Sense?
Roy Tsao ----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Monday, January 10, 2005 10:23 PM Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical Server
http://www.ISAserver.org
- ISA does not need to be on the same machine as the DC to be a

domain

member.
- ISA 2004 does not need to be a domain member for web traffic

control;

what non-HTTP/FTP traffic do you intend to allow?
There are some serious issues you're missing out on here; for

instance:

1 - Lose the host OS ands all other servers die a horrible death as
well, including ISA
2 - The host is not protected by ISA; what are you doing to keep the

bad

guys out?
There are practical limits to virtualization; the least of which is

$$.


 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/Jim_Harrison/
 http://isatools.org
 Read the help / books / articles!

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Sunday, January 09, 2005 9:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
Server

http://www.ISAserver.org

Amy,

Your suggestion "put ISA on one box, Windows 2003 with VMware and the
guest
servers on this box" can't fit the requirement to put ISA box join
the DC, ISA box needs to be a domain memember for traffic control!

Roy ----- Original Message ----- From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Monday, January 10, 2005 1:25 PM Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical Server


http://www.ISAserver.org

The VMware license cost is one additional cost, but the cost of the
additional server licenses vs. SBS is still quite significant.

If the main concern is to minimize physical servers and maximize
security then put ISA on one box, Windows 2003 with VMware and the

guest

servers on this box.

Amy


-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Sunday, January 09, 2005 10:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical
Server

http://www.ISAserver.org

What I am trying to do is to minimized cost of taking
addtional units of physical servers while both security
and function shall not be compromised. For SBS, it is
of course a 1st option but in our envirnoment, we need
more function more than SBS, that's why I want to uprise
such a solution VS SBS.
As for license charge, I merely regards the Vitual server
as actual one, it means we must pay for it for any server
need to install, and then disgard comparision of charge
with SBS.

Thanks,

Roy Tsao ----- Original Message ----- From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Monday, January 10, 2005 6:05 AM Subject: [isalist] RE: An Alternative Solution VS SBS on one Physical Server


http://www.ISAserver.org

I think that it is a good idea but it is a whole lot more expensive

than

1 SBS Premium license at $1,450. How deep are your pockets? Is the

extra

cost worth it, in terms of function or security? These are the

questions

yet to be answered.

Amy

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Sunday, January 09, 2005 10:49 AM
To: [ISAserver.org Discussion List]
Cc: Jim@xxxxxxxxxxxx
Subject: [isalist] An Alternative Solution VS SBS on one Physical

Server


http://www.ISAserver.org


In my past post, I want to implement a more wider service
Like ISA/SQL/DC etc. on one phsical server. For security
Concern, so far the recommendation from ISAServer forum
Is to use SBS. However we could have one more idea by utilizing
Vmware GSX server like below for my network:
 - Host OS: Windows Server 2003 (two NICs)
            External NIC: any but no DG IP
            Internal NIC: 192.168.0.2/255.255.255.0
 - two Guest Server (Through Vmware GSX):
            1) Windows Server 2003 running as DC (one vitual NIC)
               IP: 192.168.0.3/255.255.255.0
               (bridged to Host Internal NIC)

            2) Windows Server 2003 running as ISA2K4 (one vitual
NIC)
               IP: 192.168.0.1/255.255.255.0
               (bridged to Host Internal NIC)
 Network frame:
   Wan connection: ADSL PPOE connection through Guest Server 2)
                   Host Server and other Lan PC's connection to
                   Wan through Gateway 192.168.0.1 like a physical
                   ISA2K4 Box

   Lan connection: Guest Server 1) as DC/DNS/DHCP server

   Firewall protectiont o Host Server from External NIC:
     enable firewall protection, close up all communication port
through
     TCP/IP

Dear Jim and other cool guys, is that a good idea suppose the host
server
Has engouth CPU capacity and RAM?

Thanks for your suggestion in advance!

Roy Tsao

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List

as:

amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit