So I’m reading Dana’s blog and he’s ranting that SBS doesn’t allow ISA Server to “work” unless there are two network cards on the server.  If you only have one network card, as you run the wizard it won’t set up ISA [or RRAS on Standard SBS] to be a firewall and you are dependent on an external hardware firewall.  I’ll be the first to admit that I run at the office with two firewalls: my outside little non-beefy, nowhere near like ISA Server, hardware firewall, and THEN I run ISA Server.  Why?  For one thing I like to have two walls, one to thin out the log files, and then I want ISA Server.  A firewall integrated with Active Directory, with so much logging that it keeps my auditor background happy, and on a platform that I can patch with the push of a button.  I can’t do that with my hardware firewall.  And these days, with the Secunia web site throwing out as many firewall vulnerabilities as operating system vulnerabilities, the idea that the software on a hardware box is more secure is silly unless it’s, like someone said, the base of OpenBSD right after boot-up when you have a command line prompt and nothing else.  We add on the cutesy wutsey GUI to make people like me happy and you start introducing vulnerabilities.

The knowledge base article that talks about two network cards is here:

825763 – How to configure Internet access in Windows Small Business Server 2003:    A two-network-adapter configuration connects one adapter to the local area network and connects the other to the Internet. A one-network-adapter configuration connects a single network adapter to the local area network.

Then in this KB it clearly states

323387 – How To Connect Your Company to the Internet by Using an ISA Firewall with Windows Server 2003:
Install the ISA Server

To install an ISA firewall, you need a computer with two network adapters. You must connect one of these adapters to your internal network and the other adapter to your Internet service provider (ISP). Your ISP can help you make this connection. A firewall acts as a security barrier between your internal network (or intranet) and the Internet by preventing outside users on the Internet from gaining access to the confidential information on your intranet or your computer.

Thus you need two network cards to enable the ISA firewall.  Dana responds to my comments that any firm that is doing a virtual firm would want this setup.  He may have a point, but I’ll refer back to the first time Dana posted into the community newsgroup and I was like “Dana Epp, THE security blogger Dana Epp? You aren’t the normal ‘SBS’ customer.”  And believe me, I mean that in the MOST complimentary way.  Dana is not the normal SBSer and the wizards are built for the rest of the 99.99999999% of the marketplace.  SBS is flexible, but this is where the Enterprise folks say they don’t like the wizards… because they force the “best” practice or the “best” balance.  As I’ve blogged before, the wizards leave behind an audit trail.  They do the heavy lifting for you.  They want to help you make the best choices…. like…. two network cards.
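As an added example, not from this post or from Microsoft’s KB articles, here is a PowerShell check that reports which of the two Internet-access layouts from KB 825763 a server actually matches: it counts the active physical adapters, identifies the ISP-facing one by the default route, and flags the case where a virtual or loopback adapter is standing in for the second NIC (which satisfies the wizard but does not put the server between two real network segments). It assumes a Windows host with the NetAdapter and NetTCPIP modules (Windows Server 2012 or later); it illustrates the check and is not an SBS 2003-era tool.

```powershell
# Added example (not from the blog post): audit a Windows server's adapter layout
# against the one- vs. two-network-adapter configurations described for SBS/ISA.
# Assumes Windows Server 2012+ (Get-NetAdapter / Get-NetRoute available).

function Get-FirewallAdapterLayout {
    # Every adapter the OS exposes, including virtual ones such as a loopback adapter.
    $adapters = Get-NetAdapter

    # The interface carrying the lowest-metric IPv4 default route is the one facing the ISP.
    $externalIfIndex = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Sort-Object RouteMetric |
        Select-Object -First 1 -ExpandProperty InterfaceIndex

    $report = foreach ($a in $adapters) {
        [pscustomobject]@{
            Name        = $a.Name
            Description = $a.InterfaceDescription
            Status      = $a.Status
            Physical    = [bool]$a.HardwareInterface
            Virtual     = [bool]$a.Virtual
            Role        = if ($a.ifIndex -eq $externalIfIndex) { 'External (default route)' } else { 'Internal' }
        }
    }

    $physicalUp = @($report | Where-Object { $_.Physical -and $_.Status -eq 'Up' })
    $virtualUp  = @($report | Where-Object { $_.Virtual  -and $_.Status -eq 'Up' })

    $mode = switch ($physicalUp.Count) {
        { $_ -ge 2 } { 'Two-network-adapter: ISA/RRAS can sit between the LAN and the ISP link' }
        1            { 'One-network-adapter: the server depends on an upstream (hardware) firewall' }
        default      { 'No active physical adapter found' }
    }

    [pscustomobject]@{
        Mode               = $mode
        PhysicalAdapters   = $physicalUp.Count
        VirtualAdapters    = $virtualUp.Count
        # A virtual adapter posing as the second NIC satisfies the wizard's requirement
        # without separating two real segments, so flag it for review.
        VirtualAsSecondNic = ($physicalUp.Count -eq 1 -and $virtualUp.Count -ge 1)
        Adapters           = $report
    }
}

$layout = Get-FirewallAdapterLayout
$layout | Select-Object Mode, PhysicalAdapters, VirtualAdapters, VirtualAsSecondNic | Format-List
$layout.Adapters | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server; the `VirtualAsSecondNic` flag is the condition to review, since in that layout the box still sits behind whatever upstream firewall the single physical link leads to.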

Hmmmm… a virtual organization SBS network.  Interesting…. we are certainly doing more and more things “virtually” rather than physically these days.  I know I’ve been collaborating with other folks from around the world and we certainly get a lot done without physically being in the same room.  I think I’ll email Dana’s blog post to some folks that just might be interested in that.

6 Responses to You know how I said Dana was not the “normal” SBSer?

  1. Dana Epp says:

    I’m not sure if I ticked you off, or if you’re happy I am pushing SBS to its "default configuration" limits 🙂

    Thanks for all the information. It’s been quite enlightening. As you know… I figured out how to get around the issue by using a virtual adapter via a loopback interface. The box is locked down tight, and I will now slowly release the constriction to get a security best-practices system in place limiting packet traversal through ISA.

    Actually, I have found a couple of interesting ways to use ISA for pre authorization to provide another level of protection for OWA on a SBS box. As I work all this out I will document it on my blog so other SBSers can take advantage of my experiences.

    Susan, you are a SBSer with passion. Never let that stop.

  2. Susan says:

    Nah… you keep pushing. I’ll keep reading your blog [as I hope others do too].

    My philosophy is that it’s not the OS that makes you secure, it’s the person driving the box. Stick that SBS box in 5th gear Dude! 🙂

  3. Geoff says:

    Have done what Dana was attempting but did not see the point in worrying about whether the server had to have another NIC or not to get the Wizards working properly; at $20 for a sacrificial internal NIC it’s not worth my time to play with workarounds and loopbacks. I used the server for remote access users only as there aren’t any internal users for this company.

    I am revisiting this, as an interesting point SBS 2003 licensing would indicate that I can create a Web Server with unlimited external access, just wondering if that extends to the use of the SQL server as well for data storage for the Web sites.

  4. Susan says:

    The EULA won’t let us host web sites for clients [as in an ISP].

  5. Geoff says:

    But what if I was setting up a store front for my business? The cost of using IIS/SQL standalone is quite a bit more expensive than, say, an SBS server in my DMZ hosting my eBusiness.

  6. Susan says:

    But you can’t sell websites to customers like an ISP. Think of which is where this blog is at. They couldn’t run SBS 2003 as their platform. You can’t host "web sites for others" but you CAN for yourself.