sjs asked:

Firewall/Proxy

We are considering upgrading to Small Business Server. It has Proxy, which I gather is a firewall. I am looking to implement a network security solution. Can someone clear up for me what the difference is between Proxy and a hardware firewall, and suggest which would be the better choice? Let me give you a breakdown of what we have.

1  Win 2k server with exchange 2k
10 Win 2k pro
2  Win 98

We use Outlook Web Access.
We do not host web, FTP or anything else.

Should we first invest in a server and put Exchange on it, and still give it a public IP so we can access OWA (OWA is accessed through dynamic ISP IPs), then install the DC on an internal IP to protect data?

Or should we just go ahead and invest in Small Business Server, and let Proxy do the job?

Our goal is to protect data, while allowing OWA, and Terminal server capabilities (administrative for now and possibly applications in the near future).
Chapo:

A proxy server is a server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Most firewalls also have the capability to provide proxy services.

You could use SBS to provide proxy services, but I would definitely not recommend it for firewall services.

For a firewall you could go out and purchase a hardware firewall or use FreeBSD on an old PC. FreeBSD has a very good firewall implementation and the software is free.

Good luck.
Chapo's solution is good, as long as you have FreeBSD skills. A hardware firewall is an overkill and I doubt there is a budget for it.

Since you are using Windows 2000, you can implement ISA (Internet Security and Acceleration) Server. It is based on the Checkpoint-1 firewall, which is a de facto industry standard. It also incorporates proxy services and integrates completely with W2K.
Droby10 (asker certified solution):
The best answer I can give is: set up a DMZ.
Yes, you may only be providing a single service in the way of Exchange, but it sounds like you could be expanding that at some point. It will also save you heartache when a get-by solution causes complete compromise of your systems.
Nenadic, what makes you think that ISA is based on FW-1?
You could use some kind of hardware router/firewall with the server as a DMZ and let the router do NAT to firewall the rest of the boxes. I assume you just want Internet access for the users. Linksys, Netgear and Asante make low-end routers, or look at Cisco.
MS Proxy includes packet filtering, which makes it a firewall. I don't know if Microsoft would be my first choice for a security product, though.

You could run proxy, Exchange, etc. all on one server, but even Microsoft doesn't recommend that.

What I have done (on MS's recommendation) is set up Proxy on one machine, either the PDC of its own domain or a member server (not a DC) of your existing domain. Then harden it by disabling unnecessary services (OK, everyone, stop laughing at the idea of "hardened" Windows). Put the Exchange server behind it, and use reverse hosting to have the Proxy server pass traffic to it.

To enable the Exchange server to exchange mail with the Internet, you'll also have to do server proxying: install WinSock Proxy Client on it and do a little configuration as outlined in
http://www.windowsitlibrary.com/Content/272/2.html

But if you're using Win2k, then as mentioned above, ISA might be a better option. I haven't used ISA, so I can't comment on it. My understanding is that it's just an upgraded Proxy, so the configuration ought to be similar.

For security and stability reasons, I wouldn't run anything but Proxy on my proxy server if at all possible.

For such a small network, how about a Cobalt Qube? It has a basic proxy on it....
Actually, ISA is now a full-fledged stateful firewall with some application proxies. It performs pretty well, but if you don't need Active Directory integration I would probably opt for a hardware solution like SonicWall or Watchguard. They are easier to configure and troubleshoot.
If you want to have the best firewall, go into Linux!
Else, just use a simple router (hardware).
No matter how you slice it, you should have your proxy/firewall on a separate device. So I'll second geoffryn's comment; your life will be easier if that device is an appliance instead of a Windows server. And it might be more secure....
First, do not "upgrade" to SBS. This product is notorious for its problems and has been since its inception. Linux isn't a good firewall choice, as most people don't know how to configure it and it may be hard to get support. I suggest a hardware device. There are many SOHO devices on the market that may be good for you. I sell mostly the Cisco PIX. The 506 model is less money than a PC and is dummy-proof. It will translate for your Exchange web box and will protect your entire network. Do NOT put Exchange on the public network. It will most likely be hacked in hours unless you know how to secure it, and then it's still not too secure. Remember that although Proxy does offer some protection, it was developed to speed up Internet access via caching for shops with slow links. In my experience most software firewalls are more expensive and harder to work with than a dedicated firewall device. The Checkpoint is great if you have an extra server and 10 grand. I have heard good things about the SonicWall devices, although I'm no expert on them. I have done what you're asking with the PIX for dozens of clients, but I'm sure that most sub-$1500 devices would do the same thing.
Hope this helps.
Bob
I agree with bseaman. I am running Linux for Apache, FTP, and am setting up email. I have multiple Virtual Hosts set up. I had Linux running as a firewall, then realized that a hardware device meant the network stayed up while I was restarting the Linux box. If Linux was the firewall, it put a lot more heat on me to keep it up 24/7 while I was learning. I've used Linksys, Netgear and Asante routers for DSL and been pretty pleased (the $100-$200 price tag is pretty painless). Most have the option of setting up one internal IP address as a DMZ, so that computer is fully exposed from the Internet side. Then you have NAT for the rest, plus you can forward specific ports to specific computers. I've considered going with a higher-end router but am not sure what the differences would be, nor the costs.
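The design the replies converge on (a router doing NAT for the LAN, with the Exchange/OWA box reachable from outside either through a few forwarded ports or as the router's catch-all "DMZ host"), modelled as an added Python example; this is not code from the thread, and the addresses, the port choices and the simplified NAT table are constructed assumptions:

```python
"""Model of a NAT router with explicit port forwards and an optional catch-all
DMZ host, as discussed in the thread. Added example; not code from the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# Constructed sample addresses (RFC 5737 documentation / RFC 1918 private space).
PUBLIC_IP = "203.0.113.10"
EXCHANGE = "192.168.1.5"                   # OWA/Exchange box in the DMZ
FORWARDS = {("tcp", 443): EXCHANGE,        # OWA over HTTPS
            ("tcp", 25): EXCHANGE}         # inbound SMTP for Exchange


class Router:
    def __init__(self, forwards, dmz_host=None):
        self.forwards = forwards    # explicit (proto, port) -> internal host
        self.dmz_host = dmz_host    # consumer-router "DMZ host": receives everything else
        self.nat = {}               # (proto, remote_ip, remote_port, public_port) -> LAN host

    def outbound(self, pkt):
        """A LAN host opens a connection; NAT records it so only the reply gets back in."""
        self.nat[(pkt.proto, pkt.dst, pkt.dport, pkt.sport)] = pkt.src
        return Packet(PUBLIC_IP, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    def inbound(self, pkt):
        """Internal host an inbound packet reaches, or None if the router drops it.
        Order: reply to a NAT'd connection, explicit forward, catch-all DMZ host."""
        lan_host = self.nat.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if lan_host:
            return lan_host
        return self.forwards.get((pkt.proto, pkt.dport), self.dmz_host)


def exposure(router, ports=range(1, 1025)):
    """Count unsolicited Internet-reachable (proto, port) pairs per internal host."""
    counts = {}
    for proto in ("tcp", "udp"):
        for port in ports:
            host = router.inbound(Packet("198.51.100.7", PUBLIC_IP, proto, 40000, port))
            if host:
                counts[host] = counts.get(host, 0) + 1
    return counts
```

Comparing `exposure(Router(FORWARDS))` with `exposure(Router({}, dmz_host=EXCHANGE))` shows why the thread prefers explicit forwards over the "DMZ host" feature: two reachable ports versus every port on the box.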