APPENDIX B Understanding Your Network
Platí pro: Windows SBS 2003
Small businesses require an efficient and effective way to share files, folders, and resources for activities such as faxing and printing. Small businesses want e-mail for communication amongst employees and with their customers. Many small businesses need a way to easily collaborate on the same document. In addition, most small businesses need to easily monitor and manage their networks, access the Internet, and protect networks from unauthorized access. Microsoft® Windows® Small Business Server 2003 is specifically designed to meet the needs of small businesses. Before installing and using Windows Small Business Server, it is helpful to understand basic network concepts that relate to setting up your network.
Windows Small Business Server Network Basics
Windows Small Business Server 2003 is based on specific network concepts commonly used in small business networks.
Peer-to-Peer vs. Server-based Network
A network can be defined as either a peer-to-peer network (also referred to as a workgroup) or a server-based network (also referred to as a client/server network).
In a peer-to-peer network (see Figure B.1), a group of computers are connected together to allow users to share resources and information. There is no central location for authenticating users, storing files, or accessing resources, which means that users must remember which computers in the workgroup have the shared resource or information.
In most peer-to-peer networks, it is difficult for users to keep track of where information is located because data is generally stored on multiple computers. This makes it difficult to back up critical business information and often results in small businesses not completing backups. For some peer-to-peer networks, the small business uses one computer running a client operating system, such as Microsoft® Windows® 98 or Windows 2000 Professional, as the designated "server" for the network. Although this helps with saving data to a central location, it does not provide a robust solution for many of the needs of a small business, such as collaborating on documents.
Figure B.1 Peer-to-peer network
In a server-based network, the server is the central location for users to share and access network resources (see Figure B.2). This dedicated computer also controls the level of access users have to shared resources. Each of the computers that connect to the network are referred to as client computers. In a server-based network configuration, users must have a user name and password.
Figure B.2 Server-based network
Windows Small Business Server 2003 is installed and configured as a server-based network. The server provides a central point for user authentication, secured access to resources, and secured information storage.
Internet vs. a Local Network
When a group of computers are connected together within a relatively small area, it is referred to as a local area network (LAN). If a LAN is available only to certain people (such as employees of the company), it is classified as a private or local network. The Internet, visible and accessible to many users and computers from different networks, is a public network. The Windows Small Business Server network, as shown in Figure B.3, serves as a local network that still allows you to connect to the Internet.
Figure B.3 Windows Small Business Server network
You can physically secure your small business network by configuring your hardware and/or software so that the server acts as a gateway to the Internet. A gateway is a combination of hardware and software connecting two different types of networks, in this case a private network and a public network. A gateway requires that two network adapters be installed, one to connect to the Internet (ISP network adapter) and the other to connect to the private or local network (local network adapter), as shown in Figure B.3.
However, if you are using a dial-up connection to the Internet, you do not need a second network adapter for the server to be the gateway to the Internet. If your server has only one network adapter and you have a broadband connection to the Internet that uses a router, the router is the gateway. For more information about connecting to the Internet with this configuration, see "Connect to the Internet," later in this appendix.
You can logically configure your small business network by using private IP addresses and separating your local domain from your Internet domain, as discussed in the next section. If you follow the recommended practice of assigning private IP addresses to your local network, they must be translated to public IP addresses using network address translation (NAT). This is because private IP addresses are non-routable on the Internet. Using a firewall, you can then protect your local network from unauthorized access.
In Windows Small Business Server, routing and NAT services are provided with the Routing and Remote Access service. Thus, the server becomes a secure gateway.
If you are upgrading from Microsoft® Small Business Server 2000 and decide to continue using ISA Server as your firewall, ISA Server will provide the routing services.
If you purchased your computer preinstalled with Windows Small Business Server 2003 from an original equipment manufacturer (OEM), the upgrade option does not apply. In this case, the Basic Firewall service provided with the Routing and Remote Access service provides the firewall for your Windows Small Business Server network.
Public vs. Private IP Addressing
In addition to configuring your server to serve as a secure gateway to the Internet, it is recommended that you separate your local network from the Internet logically through the use of your IP addressing scheme. An IP address is a unique numerical value used to identify a computer on a network.
There are two kinds of IP addresses, public (also referred to as globally unique IP addresses) and private.
Public IP addresses are those assigned by the Internet Assigned Numbers Authority (IANA). They are guaranteed to be globally unique and reachable on the Internet, which prevents multiple computers from having the same IP address.
An Internet service provider (ISP) obtains a range of public IP addresses from IANA and then assigns them to customers to use when they connect to the Internet through the ISP network.
Public IP addresses are routable on the Internet, which means that a client computer with a public IP address is visible to hosts on the Internet.
Private IP addresses cannot be used on the Internet. A private IP address space is defined as three sets of IP addresses set aside by the Internet Assigned Numbers Authority (IANA) not to be used on the global Internet. Private IP addresses are used for networks that do not directly connect to the Internet (such as a private network) yet still require Internet Protocol (IP) connectivity. Since private IP addresses are not routable on the Internet and must be routed using NAT, your small business network is more secure. For more information about NAT, see "Routing and Network Address Translation Services" later in this appendix.
A private IP address is within one of the following blocks of addresses:
The 192.168.0.0/16 private network allows the following range of valid IP addresses: 192.168.0.1 to 192.168.255.254.
The 172.16.0.0/12 private network allows the following range of valid IP addresses: 172.16.0.1 to 172.31.255.254.
The 10.0.0.0/8 private network allows the following range of valid IP addresses: 10.0.0.1 to 10.255.255.254.
For more information about private IP address numbering for private networks, see RFC 1819, "Address Allocation for Private Internets" at http://go.microsoft.com/fwlink/?LinkID=16424.
Web addresses can change, so you might be unable to connect to the Web site mentioned here.
Most small businesses prefer to use private IP addresses for the local network because ISPs generally charge a fee for each public IP address used by the small business. As a result, using public IP addresses on your local network is costly. Rather than purchasing a globally unique IP address for each client computer on your local network, you can purchase one globally unique IP address that is used by the router interface used to connect to your ISP.
In most cases, Windows Small Business Server Setup recommends a private IP address of 192.168.16.2 as the IP address of the local network adapter.
Local Domain vs. Internet Domain
A local domain is a way to manage access to resources on your network (for example, user accounts, client computers, shared folders, or printers). Local domain information is also used by tools and applications, such as Microsoft® Exchange Server 2003 or Windows® SharePoint® Services. The local domain, or internal domain, for your Windows Small Business Server 2003 network is created automatically as part of Setup using a default value of organization_name.local. An Internet domain name is a friendly name used to identify your company on the Internet. An Internet domain name is registered for use on the Internet through an Internet registrar and uses the extension such as .com, .net, and .biz.
Setup creates your local, or internal domain, by installing and configuring the Active Directory® directory service. Setup uses the default value of .local for the last label of the internal domain name because the .local label is a more secure configuration as it is not registered for use on the Internet. This also separates your internal domain from your public Internet domain name. Additionally, using the extension of your registered Internet domain name can result in name resolution issues.
Routing and Network Address Translation
In order for computers that use private IP addresses to access the Internet, you must use network address translation (NAT) and routing. NAT allows you to connect client computers using private IP addresses to the Internet using one public IP address. This requires that there are two interfaces (or network adapters) to separate the local network (that uses private IP addresses) and the Internet network (that uses public IP addresses). The two interfaces are required so that requests between the two networks must be passed through a router service or device. When a router receives the requests, it forwards them to and from the two interfaces. The NAT service assists by translating IP addresses to the correct address from the source network to the destination network.
For example, when a client computer makes a request for an Internet resource, the router device receives the request on the local network, and the private IP address of the client computer is then translated to the public IP address and routed to the external interface so that the request can then be sent to the Internet. When the response is received from the Internet on the external interface, NAT then translates the public IP address back to the client computer's private IP address and routes the response to the local interface. In this way, routing and NAT services provide filtering, which improves network security.
Windows Small Business Server uses the routing and NAT services provided with the Routing and Remote Access service. The routing service forwards incoming traffic to the local network and outgoing traffic to the Internet. Alternatively, if you have a broadband connection to the Internet that uses a router and you have only one network adapter installed on the server, the router device will provide the routing and NAT services for your small business network. If you are using a router device for routing and NAT, you must ensure the device is properly configured for your small business network. For more information, see Appendix C, "Network Configuration Settings."
If you are upgrading from Small Business Server 2000 and decide to continue using ISA Server as your firewall, ISA Server will provide the routing service. If you purchased your computer preinstalled with Windows Small Business Server from an original equipment manufacturer (OEM), the upgrade option does not apply. In this case, the Basic Firewall service provided with the Routing and Remote Access service provides the firewall for your Windows Small Business Server network.
A firewall is hardware and/or software used to prevent unauthorized outside access to a local (private) network.
When you connect computers on a local network to the Internet, it is recommended that you configure a firewall to protect the local network from unauthorized Internet access. The main function of a firewall is to filter incoming network traffic to protect the local network. By using a firewall you can:
Prevent unauthorized communication to the local network from the Internet.
Log traffic to and from the local network.
Hide information from the Internet, such as computer names, network topology, and network device types.
The Basic Firewall service in the Routing and Remote Access service provides the firewall for Windows Small Business Server. However, if you have a broadband connection to the Internet that uses a router and you have only one network adapter in the server, the firewall provided with Windows Small Business Server 2003 cannot be configured. In this case, you must provide a firewall device on the network to protect your local network. In many cases, router devices used to connect to the Internet include a firewall service. Check your manufacturer's documentation for more information.
If you are using a router device for your broadband connection, you must ensure the device is properly configured for your small business network. For more information, see Appendix C.
If you are upgrading from Small Business Server 2000 and decide to continue using ISA Server as your firewall, ISA Server will provide the firewall service. Additionally, using ISA Server you can allow/deny access by users on the local network to the Internet. If you purchased your computer preinstalled with Windows Small Business Server from an original equipment manufacturer (OEM), the upgrade option does not apply.
Many small businesses have the need for users to be able to remotely access network resources. For example, some users may travel with laptops and need to securely access resources on the small business network. Users who travel may want to check e-mail while at an airport Internet kiosk, without needing to set up their laptops. Some users may want to be able to connect from their home computers to information they have on their office computers by using their existing home Internet connections.
Windows Small Business Server provides remote access options that meet the needs of many different types of remote users. For users on the Internet that do not want to configure their remote client computers, they can connect to Web-based services using the Remote Web Workplace. Users also have the option of connecting to the server through a virtual private network (VPN) or dial-up access.
To allow access to Web-based services on the server, use the Configure E-mail and Internet Connection Wizard. The following Web-based services can be configured for secure access using the wizard:
Outlook® Web Access. Allows users to access their e-mail from the Internet using a Web browser.
Remote Web Workplace. Allows designated users to connect to the small business network from the Internet using a Web browser to access Outlook Web Access, create a direct Remote Desktop Connection to client computers on the local network, view monitoring reports, use the Windows SharePoint Services intranet site, or download Connection Manager to configure the remote client computer for remote access. Additionally, connecting to the Remote Web Workplace from the Internet does not require users to create a virtual private network (VPN) connection.
Performance and usage reports. Allows administrators to access performance and usage reports to view the overall health of the server and collect statistics about how server resources are being used.
Outlook® Mobile Access. Allows users to access their e-mail from a mobile device, such as a cell phone or Personal Digital Assistant (PDA).
Windows SharePoint Services intranet site. Allows users to access the intranet Web site created by Windows SharePoint Services during Setup from the Internet using a Web browser.
To configure your server to allow client computers to remotely access the local network through a VPN or dial-up connection, run the Remote Access Wizard. After you have configured your server for remote access, you must assign users the necessary permissions, and then deploy the Connection Manager configuration package to configure the settings necessary for connecting mobile and remote client computers. This allows users to connect from a client computer at a remote location to resources on the small business network.
Most small businesses that purchase Windows Small Business Server use Exchange Server 2003 for Internet e-mail. By running the Configure E-mail and Internet Connection Wizard, you can configure both a Simple Mail Transfer Protocol (SMTP) connector and the Microsoft Connector for POP3 Mailboxes to retrieve Internet e-mail.
Simple Mail Transfer Protocol (SMTP) is the standard protocol for transferring e-mail from server to server over the Internet. It defines how a message is formatted for delivery and also provides the delivery mechanism over connection-based protocols, such as Transmission Control Protocol/Internet Protocol (TCP/IP). Exchange uses SMTP to send and receive e-mail. In addition, POP3 clients use SMTP to send e-mail over the Internet.
The advantages of using an SMTP-based mail server include:
Server-based rules, which dictate how a message is handled when the server receives it.
Multiple mail accounts so that each employee can have their own e-mail account.
Messages are stored on the server rather than on the individual client computers.
Post Office Protocol 3 (POP3) is a messaging protocol commonly used to receive personal e-mail through an Internet service provider (ISP). When e-mail messages are sent to an individual with a POP3 mailbox, the messages reside on the mail server until the individual retrieves them using a POP3 e-mail client. Because POP3 is a messaging protocol designed for retrieval only, it must work in conjunction with a protocol capable of sending messages, such as SMTP.
Limitations of POP3 e-mail include:
Messages are not received in real time.
After messages are downloaded, they are deleted from the server.
Downloaded messages are stored on the local client computer.
Many small businesses that purchase Windows Small Business Server have one or many existing POP3 e-mail accounts. To help with the transition to using SMTP e-mail, Windows Small Business Server provides the Microsoft Connector for POP3 Mailboxes. Using this connector you can download e-mail from a POP3 mailbox account to Exchange, which then delivers the e-mail to the corresponding Exchange user account. This means that e-mail for a user can be delivered to a single mailbox rather than the users having to check e-mail for Exchange and for POP3 separately. Also, since POP3 e-mail is delivered to an Exchange mailbox, it can now be accessed using Outlook Web Access or Outlook Mobile Access when users are away from the office.
E-mail Name Resolution
When configuring Internet e-mail, it is important to understand how e-mail names are resolved. For an SMTP-based mail server (Exchange) to receive e-mail from another SMTP-based mail server (such as your ISP mail server) you must have a registered e-mail Internet domain name, such as microsoft.com. You must also request that your ISP create a DNS mail exchange (MX) resource record and a DNS address (A) resource record for the server. SMTP relies on DNS MX records to direct e-mail for a particular domain name to the correct destination.
To configure e-mail settings for Windows Small Business Server 2003, run the Configure E-mail and Internet Connection Wizard. Running the wizard enables you to properly configure your Internet e-mail for both SMTP and POP3 using information that you obtain from your ISP.
Connecting to the Internet
To properly configure your network, firewall, secure Web site, and e-mail settings for connecting to the Internet, use the Configure E-mail and Internet Connection Wizard. The wizard is designed to support multiple types of connections to the Internet using either a broadband device or a dial-up modem.
This connection type requires a high-speed connection to the Internet. The broadband connection has three options for connecting to your Internet service provider (ISP):
A local router
This broadband connection type requires a router, such as a dial-on-demand router or ISDN router. An IP address is supplied by your ISP for the external interface (the interface that connects to the Internet) of the router. For this connection type, your server can be configured with either one or two network adapters.
If your computer uses one network adapter, the local router is the gateway and firewall to the Internet, as shown in Figure B.4. As a result, the firewall provided with Windows Small Business Server 2003 cannot be used to secure your local network from unauthorized Internet access. To secure your local network, you must use a firewall device. If the firewall device supports the UPnP framework, you can still use the Configure E-mail and Internet Connection Wizard to configure firewall settings on the device. If the device does not support the UPnP framework, you must manually configure the settings. For more information about firewall settings, see Appendix C, "Network Configuration Settings."
Figure B.4 - Router connection and one network adapter
If your broadband connection to the Internet uses a router device and a PPPoE connection, you must configure the PPPoE settings on your router, even if the device supports the UPnP framework.
If your computer has two network adapters, it is the default gateway to the Internet, as shown in Figure B.5. In this configuration you can use the firewall provided with Windows Small Business Server 2003 to secure your local network. However, if you already have a device on the network that provides firewall services, you will have to either disable the service or manually configure the necessary firewall settings on the device.
Figure B.5 - Router connection and two network adapters
A broadband connection that requires a user name and password
Also known as Point-to-Point Protocol over Ethernet (PPPoE). This broadband connection requires authentication information and uses a networking device, such as a cable modem or DSL modem. Two network adapters are required for this broadband connection, as shown in Figure B.6. One network adapter is used to connect your computer to the Internet and the other is used to connect your computer to the local network (and client computers). If your broadband connection uses authentication information, but your connection uses a router, you must use the router option as your broadband connection type.
Figure B.6 - PPPoE connection
In this configuration, your computer becomes a gateway to the Internet so the firewall provided with Windows Small Business Server 2003 can be used to secure the local network from unauthorized Internet access.
A direct broadband connection
This broadband connection type requires a network device, such as a cable modem or DSL modem. An IP address is not assigned to the actual Internet connection device. Additionally, two network adapters are required, as shown in Figure B.7. One network adapter is used to connect your computer to the Internet and the other is used to connect your computer to the local network (and client computers).
Figure B.7 - Direct broadband connection
In this configuration, your server is the gateway to the Internet. To protect your local network from unauthorized Internet access, it is highly recommended that you also enable the firewall provided with Windows Small Business Server 2003.
This connection type requires a dial-up connection to the Internet using either a modem or terminal adapter, as shown in Figure B.8. You can enable the firewall to protect your local network from unauthorized Internet access.
Figure B.8 - Dial-up connection