Planning Your SBS Network on Windows® Small Business Server 2011

  • 5/15/2011
By designing your network infrastructure, naming conventions, and network security before you actually implement them, you’ll save costly reconfiguration later.

Before you start installing Windows Small Business Server 2011 Standard, spend some time planning what your network will look like. Time spent now, before anything is installed, will save you time, energy, and complications later: designing your network infrastructure, naming conventions, and network security before you implement them avoids costly reconfiguration.

Planning the Network Infrastructure

The first tasks in designing a network for your company are

  • Evaluating the computing needs of the organization

  • Choosing an Internet connection method and local network type

  • Selecting network devices

  • Choosing server hardware

  • Choosing client hardware and software

Servers Use Network Operating Systems

Because SBS 2011 has to supply services to as many as 75 users, and you’re depending on it to run your business, a high-powered, robust operating system and highly reliable hardware are essential. When your users rely on a server to get their work done and keep your business running, you certainly don’t want frequent failures—you don’t even want to reboot!

In addition to supplying print, file, or other services, the network operating system has to provide network security. Different businesses and organizations have varying security needs, but all must have some level of data protection. Therefore, the system must offer a range of configurable security levels, from the relatively nonintrusive to the very stringent.

Clients Use Workstation Operating Systems

Like other computers, client computers on a network need an operating system. However, a client operating system doesn’t need to manage the resources for other computers or manage security for the network. Rebooting a workstation can be an annoyance for the user but doesn’t usually disrupt anyone else’s work.

On a Windows Small Business Server network, clients can run Microsoft Windows XP Professional (including Windows XP Tablet PC Edition and Windows XP Professional x64 Edition) and business editions of Windows Vista or Windows 7. However, for best performance and security, Windows Vista SP1 or Windows 7 should be deployed on clients.

Determining Your Needs

Before designing a network, decide which features of SBS 2011 your business needs; doing so helps ensure that the network design is dictated by business needs rather than by fancy technology. Key needs to consider include

  • Centralized user account management

  • Centralized update management

  • Web and email access for employees

  • File sharing and centralized file storage

  • Database storage using Microsoft SQL Server

  • Printer sharing

  • Centralized backup

  • Centralized fax server

  • Remote access to the internal network via the Internet, including remote access directly to the user’s desktop from the web

  • Management of remote computers

  • Collaboration and document management (SharePoint Foundation 2010)

You also must decide how important the following factors are, as well as what resources are available to support your choices:

  • Performance

  • Reliability

  • Security

Choosing an Internet Connection

To choose an Internet connection method, you must balance an organization’s bandwidth needs and budget against the available Internet connection methods. The following sections discuss how to do this, as well as how to choose an Internet service provider (ISP).

Determining Bandwidth Needs

First, determine the baseline level of bandwidth you require. You can then balance this against the organization’s budget and performance goals. Allow for 100 kilobits per second (Kbps) of download bandwidth and 50 Kbps of upload bandwidth for each simultaneous user of email and the web. If remote access is important, allow for a minimum of 100 Kbps of upload bandwidth for each simultaneous remote access user. Table 3-1 lists various Internet connection speeds and the number of users supported for each speed, assuming that users will be browsing the web and using email. This table does not include requirements for remote connections.

WARNING

IMPORTANT Running an Internet-accessible web server on your network requires at least 50 Kbps of upload bandwidth per simultaneous visitor, and more if pages carry large images or downloadable files. This can quickly swamp your Internet connection, which is one reason most small businesses pay for web hosting.

Table 3-1. Bandwidth requirements for web browsing and email

DOWNLOAD/UPLOAD SPEED | NUMBER OF USERS
256/128 Kbps | 1–5
512/256 Kbps | 1–5
1024/512 Kbps | 5–10
3072/768 Kbps | 10–20
5120/1024 Kbps | 15–30

Types of Internet Connections

To choose an Internet connection method, you need to know which methods are available as well as their performance characteristics. Table 3-2 lists the most common connection methods and their speeds.

Table 3-2. Internet connection types

TYPE OF CONNECTION | DOWNLOAD SPEED | UPLOAD SPEED | NOTES
Dial-up | 28.8–53 Kbps | 28.8–40 Kbps | Analog telephone line. Sometimes referred to as Plain Old Telephone Service (POTS).
ISDN (Integrated Services Digital Network) | 64–128 Kbps (one channel or two) | 64–128 Kbps (one channel or two) | Must be within 50,000 feet of a telephone company central office (CO). Connection is dial-up (not persistent).
ADSL (Asymmetric Digital Subscriber Line) | 256 Kbps–8 Mbps | 128 Kbps–1 Mbps | Must be within 18,000 feet of a CO.
IDSL (DSL over ISDN) | 128–144 Kbps | 128–144 Kbps | Works at greater distances from a CO than other DSL variants.
SDSL (Symmetric DSL) | 128 Kbps–2.3 Mbps | 128 Kbps–2.3 Mbps | Must be within 20,000 feet of a CO.
Cable | 128 Kbps–15 Mbps | 128 Kbps–1 Mbps | Must have access to broadband cable service; speed can fluctuate depending on the number of users on a given cable loop.
Microwave wireless | 256 Kbps–10+ Mbps | 256 Kbps–10+ Mbps | Must be in line of sight to the ISP’s antenna; maximum distance 10 miles.
Frame relay/T1 | 56 Kbps–1.54 Mbps | 56 Kbps–1.54 Mbps | Good availability; very reliable; consistent throughput; expensive.
802.11b (WiFi) | Up to 11 Mbps | Up to 11 Mbps | Speed decreases with increasing distance from access point.
802.11g or 802.11a | Up to 54 Mbps | Up to 54 Mbps | Speed decreases with increasing distance from access point.
802.11n | Up to 540 Mbps | Up to 540 Mbps | Speed decreases with increasing distance from access point.
Geosynchronous satellite | 150 Kbps–3 Mbps | 33.6 Kbps–128 Kbps | Requires line of sight to satellite (southern sky in North America). Unsuitable for real-time multimedia because of high latency.
Ethernet | 10 to 1000 Mbps | 10 to 1000 Mbps | Limited availability. Backbone connection might be DSL or T1, limiting actual bandwidth.

Choosing ISPs

After determining the preferred connection type and bandwidth, it’s time to actually find ISPs. Two websites to check are http://www.cnet.com/internet-access and http://www.dslreports.com. In addition to speed and cost, look for the following features:

  • Static IP address To host any kind of Internet-accessible service such as email, Microsoft Outlook Anywhere, remote access, or websites, you need a static IP address or an ISP that supports the Dynamic DNS service, or you need to manage your external DNS with a DNS service that supports dynamic updates, such as http://www.zoneedit.com. SBS 2011 includes support for tzo.com dynamic DNS if you use the built-in wizards to register or transfer your domain name.

  • Terms of service and ports Many ISPs have terms of service (TOS) on consumer-grade accounts that prohibit hosting email servers, or they have a policy that blocks specific ports such as port 25. You need to ask before you buy.

  • Transfer limitations If the ISP has a monthly data transfer limit, make sure the limit isn’t lower than your anticipated usage—charges for going beyond the limit can be significant.

  • Web hosting If you want the ISP to host the organization’s Internet website, look for virtual hosting (so that your organization can use its own domain name) with enough disk space on the ISP’s web servers.

  • Backup Internet connection If your business is dependent on always being connected to the Internet, choose a secondary Internet connection with sufficient bandwidth to allow you to maintain minimal service in case the primary Internet connection fails. This second Internet connection should use a different ISP and a different connection technology. You can use a dual WAN router to use both connections simultaneously.

Choosing a Network Type

The next step in designing a network is to choose a network type. (See Table 3-3.) Start by looking at where your computers are physically located. If you can easily run cable between all computers, the choices are simple: Gigabit Ethernet (GigE) or Fast Ethernet (100BaseT). Choose GigE if your wiring supports it; otherwise, stick to Fast Ethernet. If you’re installing new cabling, hire a professional cabling expert. Spending money on good wiring now can save you a lot of problems in the future.

If the computers are widely scattered or mobile, consider including some wireless access points (APs). These are network devices that permit wireless clients access to a wired network. Even Fast Ethernet is virtually as fast as the real-world speeds of the fastest current wireless standard (802.11n), while being far more reliable, more secure, and cheaper as well. For these reasons, use wireless networks to supplement wired networks, not to replace them.

WARNING

SECURITY ALERT All wireless technologies have the potential to introduce security risks. When using wireless networking, always use appropriate security measures, such as Wi-Fi Protected Access (WPA) or, better, 802.11i (WPA2), together with 802.1X authentication. For more information, see the section Planning for Security later in this chapter.

Table 3-3. Common network types

TECHNOLOGY | SPEED | SPEED (REAL WORLD) | CABLING | MAXIMUM DISTANCE | OTHER HARDWARE REQUIREMENTS
Fast Ethernet | 100 Mbps | 94 Mbps | Cat 5, Cat 5e, Cat 6 | 328 feet from hub or switch | Fast Ethernet hub or switch
Gigabit Ethernet | 1000 Mbps | 327 Mbps | Cat 5e or Cat 6 | 328 feet from switch | Gigabit switch (Gigabit Ethernet is switched; there are no gigabit hubs)
802.11b (WiFi) | 11 Mbps | 4.5 Mbps | Wireless | 1800 feet (60–150 feet typical indoors) | 802.11b or 802.11g access point (AP), 32 users per AP
802.11a | 54 Mbps | 19 Mbps | Wireless | 1650 feet (50–100 feet typical indoors) | 802.11a AP, 64 users per AP
802.11g | 54 Mbps | 13 Mbps | Wireless | 1800 feet (60–150 feet typical indoors) | 802.11g AP, 32 users per AP
802.11n | 540 Mbps | 130 Mbps | Wireless | 7200 feet (100–500 feet typical indoors) | 802.11n AP, 32 users per AP

Choosing the Right Network Cable

Choosing the right cable for a wired Fast Ethernet (100 Mbps) network is easy—Cat 5 cable. However, there are exceptions to this rule that pertain to existing installations and new construction.

Cables in an existing network might not be usable. 10-megabit Ethernet equipment might be usable for small networks until it can be replaced, but expect to replace it soon—you’ll find it slow. Coaxial (thinnet) Ethernet and Cat 3 Unshielded Twisted Pair (UTP) cables are unreliable and slow and should be replaced.

New construction should run several strands of Cat 5e or, ideally, Cat 6. Although Cat 5 cable can be used with Gigabit Ethernet, it is marginal at best. Cat 5e and Cat 6 cables are more reliable and provide headroom for possible 10-Gigabit Ethernet standards. Cables should converge at a reasonably clean, centrally located wiring closet with adequate power, ventilation, and security for all servers and network devices. (Be sure to leave room for future growth.)

Shielded Cat 5, Cat 5e, and Cat 6 cables are available for situations that potentially involve high levels of electromagnetic interference (such as antennas). You should use plenum-grade cable any time wiring is placed in a drop ceiling. (Before running cable in a drop ceiling, talk to the building manager.)

Choosing a Wireless Standard: 802.11a/b/g/n

Currently, you can choose from four wireless standards: 802.11b, 802.11a, 802.11g, and 802.11n. Here’s what you need to know about each (also refer to Table 3-3):

  • 802.11b 802.11b was the first widely deployed standard, though the speed was limited (11 Mbps theoretical; 5 Mbps or even less in the real world). 802.11b supports a maximum of 32 users per AP, and a maximum of 3 non-overlapping channels in use in the same location. Channels separate wireless networks, with each channel providing 11 Mbps of bandwidth. You should not buy new equipment that supports only 802.11b, and if you currently have 802.11b equipment, you should upgrade it to 802.11n. Older 802.11b-only hardware typically supports only WEP or, at best, WPA with the TKIP cipher, not WPA2 with AES, which rules it out for a business network.

  • 802.11g 802.11g is faster than 802.11b (54 Mbps theoretical; 13 Mbps real-world) and backward-compatible with 802.11b. 802.11g supports a maximum of 32 users per AP, and a maximum of 3 simultaneous channels in use in the same location.

  • 802.11a 802.11a is faster than 802.11g (54 Mbps theoretical; 19 Mbps real-world) and is more tolerant of microwave interference and network congestion because it uses the 5 GHz frequency band. 802.11a supports a maximum of 64 users per AP, and a maximum of 8 channels in use simultaneously in the same location. 802.11a is not compatible with either 802.11b or 802.11g.

    If you decide to use 802.11a network devices, stick with devices from the same vendor and consider a tri-mode 802.11a/b/g device that will allow other devices, such as laptops with built-in 802.11b/g connectivity, to work on the wireless network. (This strategy also permits the highest network density, with 11 channels available simultaneously for wireless networks.)

  • 802.11n 802.11n is faster than 802.11g (up to 540 Mbps theoretical; 100–130 Mbps real-world) and backward-compatible with 802.11g and 802.11b. Most 802.11n equipment is in the same frequency band (2.4 GHz) as 802.11b/g, but the standard supports dual-band equipment that can also use the 5-GHz range of 802.11a. This dual-band equipment provides the greatest flexibility and compatibility and is especially good at avoiding interference from other equipment. Choosing dual-band equipment from a single OEM is the safest choice for compatibility at the highest speeds. If you’re buying new wireless equipment, we strongly recommend 802.11n and prefer dual-band 802.11n where possible.

Choosing Network Devices

After selecting a network type and Internet connection method, create a network diagram to visually show which network devices are needed. Then select the necessary devices for the network, such as switches, wireless access points, firewalls, and network adapters.

Diagramming the Network

Creating a diagram of the network can quickly show which devices you need and where they should be located, as shown in Figure 3.3.

Figure 3.3 A network with the Windows Small Business Server computer connected directly to the Internet

Use the following list as a guide when creating the network diagram:

  • Internet connection The connection from the ISP is traditionally represented by a cloud at the top of the drawing, with a line running down to the modem and on to the router or firewall.

  • DSL or cable modem The Internet usually enters the organization as a telephone or coaxial cable line that plugs into a DSL or cable modem.

  • Firewall The DSL or cable modem is then plugged into the firewall, which should be a dedicated firewall appliance or a business-class router with firewall capability. Some modems combine a built-in router with basic firewall features, but consumer routers and DSL modems are not sufficient protection for a business network.

  • Perimeter network This is an optional area of the network between the DSL or cable modem and the firewall, where low-security devices such as wireless access points can be placed.

  • Internal network The internal network includes the SBS computer, the client computers, and any network-connected devices, such as printers.

Choosing a Network Switch

Ethernet networks use the star network topology (also known as hub and spoke), which means that all network devices must be plugged into a central hub or switch. Choosing the right switch requires evaluating the following factors:

  • Switch or hub Don’t buy a hub unless you have a specialized need and understand why you’re doing it. Get a switch instead. Switches are inexpensive, provide additional performance, and facilitate mixing 10 Mbps, 100 Mbps, and 1 Gbps devices on the same network segment.

  • Number of ports Make sure that the switch provides more than enough ports for all computers, access points, network printers, and Network Attached Storage (NAS) devices on the network, along with spare ports for expansion or to use in the event of a port failure.

  • Speed Fast Ethernet (100/10 Mbps) switches offer basic performance for small businesses, but GigE (1000/100/10 Mbps) switches are hardly different in price and provide extra bandwidth for improved performance of file servers and high-quality streaming video where the network cabling will support it.

  • Management Managed switches let you view the status of attached devices from a remote connection, which can be useful for off-site technicians. They also provide VLANs and per-port controls such as 802.1X on wired ports, which matter if a perimeter or guest segment has to share switching hardware with the internal network. If you need none of that, save the cash and stick with an unmanaged switch unless the cost difference is slight or the organization uses an off-site consultant who wants to administer switches remotely.

Choosing Wireless Access Points

As you learned earlier in the chapter, wireless access points permit clients to wirelessly connect to a wired network. Access points are often integrated into routers, but they are also available as stand-alone devices that must be plugged into a switch like any other network device. Avoid wireless “gateway” or router products for connecting to your internal network—they will complicate your network management and TCP/IP configuration. They’re fine for externally connected wireless access points. Some wireless routers can be reconfigured to be simple access points.

Note

Business-grade access points are more expensive than consumer-oriented access points; however, they are usually more reliable and full-featured.

When choosing an access point, consider the following features:

  • Routers with built-in access points are often no more expensive than stand-alone access points and are useful when creating a perimeter network. But be sure they can be used as a pure access point—many can function only as a router, which will complicate your network setup.

  • Access points should support 802.11i (WPA2) with the AES (CCMP) cipher. WEP is simply not acceptable for any wireless device connected to your internal network, and even WPA, or WPA2 configured to use the older TKIP cipher, should not be considered sufficient protection for an internally connected access point.

  • Access points should support 802.1X (RADIUS) authentication if you want to provide the highest level of security and ease-of-use to a wireless network.

    WARNING

    SECURITY ALERT Two “features” that some suggest to improve wireless security are disabling of SSID broadcasts and Media Access Control (MAC) address filtering. Don’t bother. They are a significant and ongoing administrative burden, and they stop no one: a hidden SSID still appears in the probe and association frames of every client that joins the network, and the permitted MAC addresses travel in the clear in every frame, so anyone with a wireless sniffer can read them and clone one.

  • Some access points have two or more antennas that can be adjusted for better coverage; others support external antennas that can be mounted on a wall for better placement.

  • Stand-alone wireless bridges (often referred to as wireless Ethernet bridges) and some access points provide the ability to wirelessly bridge (connect) two wired networks that can’t be connected via cables. There are a number of different types of bridging modes, including Point-to-Point and AP Client. Point-to-Point uses two wireless bridges to link two wired networks. AP Client uses an AP on the main network (to which wireless clients can connect) and a wireless bridge in AP Client mode on the remote network segment, acting as a wireless client.

    Clients on the other side of a wireless bridge will experience slower performance to the main network segment because of the shared wireless link, so use wireless bridges with discretion, and always use bridges and APs made by the same manufacturer.

  • Don’t include “turbo” or other high-speed modes offered by some manufacturers in your buying criteria. They provide little performance gain, if any, in the real world and can have a deleterious effect on compatibility.
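Because the list above sets WPA2 with AES as the floor for any access point on the internal network, the practical check is what the clients actually have saved. The following PowerShell script is an added example written for this edit; it is not code from the book or from Microsoft. Two things in it are real: the `netsh wlan export profile` command, and the WLAN_profile XML schema it emits (`<authentication>` and `<encryption>` under `<authEncryption>`, `<useOneX>`, and `<nonBroadcast>`). The function names, the verdict strings, and the embedded sample profile are this example’s own assumptions, and the script is written to run on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: rate saved Windows 7 wireless profiles against the chapter's rule
# (WEP unacceptable, WPA or TKIP insufficient, WPA2/AES required, 802.1X preferred).
# Real pieces: "netsh wlan export profile" and the WLAN_profile XML schema.
# Assumed pieces: the function names and verdict strings below.

function Test-WlanProfileXml {
    param([Parameter(Mandatory = $true)][xml]$Doc)

    # The exported profile lives in the WLAN_profile namespace, so XPath needs a prefix.
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')

    $name   = $Doc.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    $auth   = $Doc.SelectSingleNode('//w:authEncryption/w:authentication', $ns).InnerText
    $cipher = $Doc.SelectSingleNode('//w:authEncryption/w:encryption', $ns).InnerText
    $oneX   = $Doc.SelectSingleNode('//w:authEncryption/w:useOneX', $ns)
    $hidden = $Doc.SelectSingleNode('//w:SSIDConfig/w:nonBroadcast', $ns)

    # Schema values: authentication = open|shared|WPA|WPAPSK|WPA2|WPA2PSK,
    # encryption = none|WEP|TKIP|AES. Order matters: the first matching rule wins.
    $verdict = switch -Regex ("$auth/$cipher") {
        '^(open|shared)/' { 'FAIL: no authentication'; break }
        '/WEP$'           { 'FAIL: WEP'; break }
        '^WPA(PSK)?/'     { 'FAIL: WPA (version 1)'; break }
        '/TKIP$'          { 'FAIL: TKIP cipher'; break }
        '^WPA2/AES$'      { 'PASS: WPA2-Enterprise (802.1X)'; break }
        '^WPA2PSK/AES$'   { 'OK: WPA2-Personal (pre-shared key)'; break }
        default           { "REVIEW: $auth/$cipher" }
    }

    New-Object PSObject -Property @{
        Profile    = $name
        Auth       = $auth
        Cipher     = $cipher
        Uses8021X  = ($oneX -ne $null -and $oneX.InnerText -eq 'true')
        HiddenSsid = ($hidden -ne $null -and $hidden.InnerText -eq 'true')  # reported only; no security value
        Verdict    = $verdict
    }
}

function Get-WlanProfileAudit {
    param([string]$Folder = (Join-Path $env:TEMP 'wlan-audit'))
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    # Writes one "<interface>-<profile>.xml" per saved profile. Pre-shared keys stay
    # encrypted unless key=clear is added, which an audit has no reason to do.
    netsh wlan export profile folder="$Folder" | Out-Null
    foreach ($file in Get-ChildItem -Path $Folder -Filter '*.xml') {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($file.FullName)
        Test-WlanProfileXml -Doc $doc
    }
}

# Constructed sample profile (not exported from a real machine) so the rating logic
# can be exercised on a computer that has no wireless adapter.
$sample = [xml]@'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>OldWarehouseAP</name>
  <SSIDConfig><SSID><name>OldWarehouseAP</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security><authEncryption>
    <authentication>open</authentication><encryption>WEP</encryption><useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
'@
Test-WlanProfileXml -Doc $sample | Select-Object Profile, Auth, Cipher, Uses8021X, HiddenSsid, Verdict

# On a real client, replace the line above with:
# Get-WlanProfileAudit | Select-Object Profile, Auth, Cipher, Uses8021X, HiddenSsid, Verdict | Format-Table -AutoSize
```

The constructed open/WEP profile is there to show a failing case; on a real client, run `Get-WlanProfileAudit` instead. Anything reported as FAIL is a profile for an access point that, by the rules above, should not be connected to the internal network, and the `Uses8021X` column tells you which networks are already using RADIUS-backed authentication.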

Choosing a Firewall Device or Router

SBS 2011 is designed to sit behind a firewall and provides no protection for the rest of the SBS network. This is a major change from earlier versions of SBS, which could act as the gateway between the Internet and the internal network when deployed with two network interface cards (NICs). Windows Small Business Server 2011 Standard includes Windows Firewall with Advanced Security from Windows Server 2008 R2 to protect the server itself, but it should also be placed behind a separate firewall device that protects the computers on the internal network as well.

You should look for the following features on your network firewall device:

  • Packet filtering Firewalls should support inbound packet filtering and Stateful Packet Inspection (SPI).

  • Protection from specific attacks Firewalls should support protection from denial-of-service (DoS) attacks and other common attacks such as Ping of Death, SYN flood, LAND attack, and IP spoofing.

  • Network Address Translation (NAT) NAT is the backbone of most firewall devices, giving internal clients Internet connectivity through a single public address. Because NAT drops unsolicited inbound connections and hides internal addresses, it provides a basic level of protection, but it is not a substitute for an explicit firewall policy.

  • IPv6 Support As IPv6 becomes more pervasive, and as our pool of available IPv4 addresses approaches exhaustion, the need to directly support IPv6 for our Internet connection becomes more compelling. Choosing a firewall device that fully supports IPv6 now will save money and time later.

  • VPN pass-through To permit properly authenticated Internet users to establish VPN connections with a Windows Small Business Server computer behind a firewall, the firewall must support VPN pass-through of the desired VPN protocol (PPTP, L2TP, and/or IPsec). Forwarding a single TCP port is not enough: PPTP needs GRE (IP protocol 47) passed to the server as well as TCP 1723, and L2TP/IPsec needs UDP 500 (IKE) and UDP 4500 (NAT traversal, which carries the encrypted ESP packets across the NAT).

  • VPN tunnels Some firewall devices provide direct support for establishing VPN connections. If you do choose to use a firewall device to establish VPN connections with clients and servers in remote offices, make sure the firewall supports the necessary number of simultaneous VPN tunnels.

  • UPnP support Windows Small Business Server can automatically configure firewalls that support Universal Plug and Play (UPnP) to work with Windows Small Business Server services such as Exchange Server and remote access (by opening the necessary ports on the firewall). UPnP support can be found in most consumer firewall devices as well as in some business firewalls. Bear in mind that UPnP lets any device on the internal network open an inbound port with no authentication; a common practice is to let the SBS wizard use it once, record the port forwards it created as static rules, and then disable UPnP on the firewall.

  • Dual-WAN support Some firewalls come with support for two WAN connections to increase speed and reliability, which is a great solution for networks looking for a reliable Internet connection. Other firewalls provide a serial port so that an external dial-up modem can be used as a backup connection, but this connection is much slower.

  • RADIUS support RADIUS support on your firewall enables additional functionality and security, including easily integrating two-factor authentication (2FA) into your remote access configuration.

  • Content filtering Most firewalls make blocking certain websites possible, such as websites containing specified keywords. Many businesses use this feature to reduce the employees’ ability to visit objectionable websites, although most content filters are largely ineffective.

  • Built-in wireless access point Firewalls with built-in access points and switched, GigE, wired ports combine several functions and can be a cost-effective solution. However, their primary function is to protect the network, and that should be the first and most important evaluation criterion.
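Once the firewall is in place, the check a practitioner wants is made from the outside: does the public address expose exactly the services you meant to publish (whether they were opened by hand or by UPnP) and nothing else? The following PowerShell 2.0 script is an added example written for this edit, not code from the book or from Microsoft. The port lists are assumptions for a typical SBS 2011 deployment (25 for inbound SMTP, 443 for Remote Web Access and Outlook Anywhere, 1723 for PPTP; 135, 139, 445 and 3389 as ports that must never be reachable from the Internet), and `remote.example.com` is a placeholder for your own public host name.

```powershell
# Added example: from a host OUTSIDE the firewall, confirm the public address exposes
# only the TCP services you intend to publish. The port lists are assumptions for a
# typical SBS 2011 deployment; adjust them to what your firewall and wizards actually publish.

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    # Three outcomes map onto firewall behaviour:
    #   open     - a service answered (the firewall forwards the port)
    #   closed   - a reset came back (port not forwarded, or the service is down);
    #              an unresolvable host name also lands here
    #   filtered - no reply within the timeout (packets silently dropped)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($async)   # throws on a refused connection
        return 'open'
    } catch {
        return 'closed'
    } finally {
        $client.Close()
    }
}

function Test-PublishedServices {
    param(
        [Parameter(Mandatory = $true)][string]$PublicHost,
        # Assumed publication set: 25 inbound SMTP to Exchange, 443 Remote Web Access /
        # Outlook Anywhere / RD Gateway, 1723 PPTP (only if the VPN wizard was run).
        [int[]]$Expected  = @(25, 443, 1723),
        # Assumed "must never be reachable" set: RPC endpoint mapper, NetBIOS/SMB, raw RDP.
        [int[]]$Forbidden = @(135, 139, 445, 3389)
    )
    foreach ($port in (($Expected + $Forbidden) | Sort-Object -Unique)) {
        $state    = Test-TcpPort -HostName $PublicHost -Port $port
        $wantOpen = ($Expected -contains $port)
        New-Object PSObject -Property @{
            Port     = $port
            State    = $state
            Expected = $(if ($wantOpen) { 'open' } else { 'closed or filtered' })
            Pass     = $(if ($wantOpen) { $state -eq 'open' } else { $state -ne 'open' })
        }
    }
}

# GRE (IP protocol 47, needed by PPTP) and the UDP 500/4500 pair used by L2TP/IPsec are
# not TCP and cannot be verified with a connect test; prove those with a real VPN logon.
Test-PublishedServices -PublicHost 'remote.example.com' |
    Select-Object Port, State, Expected, Pass | Format-Table -AutoSize
```

Run it from a network that is genuinely outside the firewall (a tethered phone will do); from inside the LAN, NAT loopback behaviour makes the results meaningless. On an expected port, `closed` usually means the forward exists but the service is stopped, whereas `filtered` means the firewall never forwarded it. Any `open` on the forbidden list is a misconfiguration to fix before the server goes into production.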

Choosing Server Hardware

If you have a server that can meet the capacity needs of the network or can be upgraded to do so while allowing for future growth, by all means use this server. But realistically, because there is no in-place upgrade to Windows Small Business Server 2011 Standard, you should plan on buying a new server as part of your migration plan.

When evaluating server hardware, see Table 3-4, which lists the effective minimum configurations necessary for adequate performance at different load levels.

Table 3-4. Minimum server configurations for different load levels

COMPONENT | LIGHT LOAD | MEDIUM LOAD | HEAVY LOAD
CPU | Quad-core Intel or AMD processor | Quad-core or greater Xeon or Opteron processor | Dual Xeon or Opteron processors, with at least four cores each
Memory | 10–12 GB | 12–16 GB | 12–32 GB
Storage | Two or more hard drives in hardware mirror (RAID-1) with 200 GB available for Windows Small Business Server 2011 Standard | Four-drive, hardware-based RAID using SATA or SAS drives | Four-drive (or more), hardware-based SCSI or SAS RAID
LAN network adapter | 100/10 Mbps PCI card | 1000/100/10 Mbps PCI card | 1000/100/10 Mbps PCI-X or PCIe card
Backup | Two or more external USB hard drives | Two or more external eSATA or USB hard drives | Two or more external eSATA or USB hard drives

Choosing Client Hardware and Software

When selecting client computers for use on a network, choose systems that are fast enough to perform adequately when running Windows 7 Professional. (See Table 3-5 for recommended configurations.) Other operating systems, such as Windows XP, Mac OS X, and Linux, can be made to work on an SBS 2011 network; however, they won’t provide full support for many features of SBS.

Table 3-5. Recommended client computer configurations

COMPONENT | MINIMUM CONFIGURATION | BETTER CONFIGURATION
Operating system | Windows XP Professional SP3 | Windows 7 Professional or Enterprise
CPU | Pentium 4, 2.0 GHz or faster | Dual-core processor, 2.0 GHz or faster
RAM | 256 MB | 2 GB
Hard drive | 30 GB | 100 GB
Network adapter | Fast Ethernet or 802.11g | GigE, 802.11n
Display | 15-inch monitor running at 800 x 600 resolution | 17-inch monitor running at 1024 x 768 resolution