Setting Up a Firewall for SBS 2008

I have been selling and supporting Microsoft Small Business Server since the first version (v4.0) back in 1997. One of the killer features it had was that it provided Internet access for all the computers in the network. Sounds like no big deal now, but back then dial-up was state of the art. If users wanted Internet access, they had to fight over who had access to the phone line. Only one user at a time could access the Internet over a given phone line. Small businesses were not anxious to give everyone their own dedicated modem phone line. But with SBS 4.0, the server would have the modem and would allow everyone on the network to access the Internet simultaneously through only one phone line. That was huge!

Then came broadband access and the server still filled the function of being the Internet gateway for the network. The primary feature that made all this work was originally Proxy Server and then, with SBS 2000 and SBS 2003 Premium, Internet Security and Acceleration Server (ISA). ISA not only provided Internet access but was the firewall for the entire network. And a fine firewall it was. And as part of SBS, it made SBS a super deal. But being a sophisticated firewall, it did require a little bit of knowledge to use. Actually only a little bit, as the CEICW (Configure E-mail and Internet Connection Wizard) in SBS pretty much configured it with little effort.

But apparently most purchasers of SBS 2003 (the first version to split off the ISA and SQL portions into a ‘Premium’ Edition) bought the Standard Edition without ISA or SQL. So the SBS development team decided to remove ISA from SBS 2008. There are a few technical reasons as well, which I will touch on here. So if you are going to have an SBS 2008 server and network, you will need a separate firewall of some sort.

In preparation for migrating to SBS 2008 on my own network, I’ve decided to load ISA on a separate dedicated server to be my firewall. My original plan was to install Windows Server 2008 Core and install ISA 2006 on it to be the firewall for my network. While installing W2k8, I did a Google search and found that ISA 2006 (and all other versions) is NOT compatible with Windows Server 2008. Not just Core, but W2k8 in general. Seems to be a conflict with the Windows firewall on W2k8 which can’t be disabled. This is likely one of the technical reasons why SBS 2008 doesn’t come with ISA.

The replacement for ISA is Threat Management Gateway. I’m not sure whether TMG is available yet but it will only run on Windows Server 2008 — 64-bit! My server isn’t 64-bit so that’s out.

My final solution is to configure my server with Windows Server 2003 and load ISA 2006 on that. I will have to configure my current SBS 2003 server, as well as all my workstations, to use the new ISA server as the network gateway to the Internet. My ISA ‘server’ by the way is an OLD workstation that I’m loading W2k3 on. It is an old AMD K7, 550 MHz, with 768 MB RAM. Wouldn’t want to run much more than ISA on it, but it should work fine as my firewall. My ISA MVP friend, Amy Babinchak, told me so :-).

SMB Nation 2008 – A Short Recap

I just returned from the SMB Nation 2008 fall conference in Seattle. Actually the conference was held over the October 4th weekend but my wife and I took advantage of the trip to take a short vacation and tour southern Washington state and Oregon. Oregon is beautiful, as is Washington. Lots of wineries!

The main takeaway from the conference was some tips and cautions on moving to SBS 2008. Looks like SBS 2008 will have plenty of WOWs but they are offset by some gotchas when moving to it from SBS 2003. Jeff Middleton, SBSMigration, gave a great presentation on the pitfalls of migrating to SBS 2008. Seems the Microsoft migration takes quite a long time because it has to do a MOVE on each Exchange mailbox from SBS 2003 to 2008. It also changes the original SBS 2003 box so there is no rollback in case there is a ‘problem’. The SBS MVPs attended a week-long deep dive training on SBS 2008 just before the conference and the consensus was to allow 4 days for the migration.

Amy Babinchak, ISA MVP, gave a great presentation on choosing a firewall since ISA will no longer be included with SBS. The takeaway here was to decide what solution best fits your client and present that, and only that. You are the trusted technical advisor. You make the decision; don’t make the client try to decide other than whether to purchase your solution or not.


Susan Bradley, SBS Diva, and Ofer Shimrat gave a presentation on the Gotchas of SBS 2008. They were introduced by Australian honorary MVP Ken Gareoux (see picture). The big takeaways here are to be sure to have plenty of hardware. EVERYTHING starts on the C: drive. You can move it later but it starts on C: so have a big C: drive. Also have LOTS of RAM. 4 GB is the minimum. The more the better. Obviously a good fast CPU(s) is (are) best. They gave us a lot more but you would have to be there…

The second day was dominated by presentations on EBS (Essential Business Server). It appears to be a great product for the mid-sized company with an IT person on staff.

It was once again a great conference. If you have the chance to go to SMB Nation 2009, go. Harry puts on a great show. Great parties, great venue (right on the water). It was great to see many old friends, MVPs and otherwise, and to make new ones. Hope to see you there next year.