Solved

CALs question on Win2003 server products

Posted on 2003-10-31
Last Modified: 2010-03-19
We have 25 users and are going to set up 1 file server, 1 Exchange Server and 1 SQL Server.

Here is what we are gonna do, pls let me know if this is right.

1. On file server, we purchase Win2003 Server 25 CALs
2. On Exchange Server, we purchase Win2003 Server 25 CALs and Exchange Server 2003 25 CALs
3. On SQLServer, we purchase Win2003 Server 25 CALs and SQLServer 2003 25 CALs

Pls correct me if I am wrong

thx
Question by:techcity

Accepted Solution

by:
cooledit earned 20 total points
ID: 9662470
Seems like an okay act put together.

Since you are on the right track already, pls consider putting the Exchange in a DMZ zone for security reasons; then you won't get surprises later on.

I know it's a small platform (25 users), but if you want to run DHCP in your scenario I'd recommend making a scope of maybe 45 clients and splitting the scope up (2 DHCP servers) across the File Server + SQL Server, with maybe 60 percent of the addresses on the File Server (SQL would be nicer, but I don't know how many SQL CALs queries you expect).

If you want to virus-protect yourself on the Exchange, this is extreme but useful: you could set it up so that an attachment that is not zipped is rejected (it's a feature in Exchange 5.5 + 2000), then tell all the customers to send only zipped files. Also make an Administrator message to the sender if the file is not zipped, saying that only zips get through to the receiver (that will help you in cases where new viruses are out and there is no fix for them). You wouldn't receive CVS + all the attachments that people normally open.

Hope it can be used

Author Comment

by:techcity
ID: 9665278
to: Cooledit
thx for the reply.

1. RE: "DMZ" zone.
If we do not use Outlook Web Access, do we still need to put Exchange Server in DMZ zone?
To my understanding, a server in DMZ zone is for public access from the internet, and Outlook Web Access is the only reason for an Exchange Server to be public to the internet.

By the way, what firewall do you use or suggest?

2. RE: DHCP server
Can 2 DHCP servers coexist? If yes, how does a client decide which DHCP server it will use?

Why do you suggest 2 DHCP servers?

3. RE: Zipped files
Sorry, I do not get you on this part.
Are there any advantages when you send a zipped attachment file?

4. On the Exchange Server, can we buy Windows 2003 Server 5 CALS and ExchangeServer 25 CALs? Because on this server, we only use Exchange.

Thanks and more points will be considered.





Expert Comment

by:cooledit
ID: 9665683
Hi Techcity

The DMZ zone suggestion is for your security reasons: when having an Exchange server or WWW server, your network = weak security. I'll show you how to. Anyway, if you're not protecting your Exchange you could be closed by the Internet laws for having an open SMTP relay.

Examples:
Internet cloud 0.0.0.0 0.0.0.0
here your WAN address 62.45.128.10/24
here is your LAN address 62.45.129.1/24 the address you get from ISP
your server exchange server 62.45.129.5/24

It is not only for the WEB access from the clients; putting your Exchange in a DMZ protects you from external hacking. If it was my client I would surely make a scenario like this:

Internet 0.0.0.0 0.0.0.0
WAN interface on router 62.45.128.10/24
here is my LAN interface 192.255.248.0/27 = 255.255.255.224; I then got 8 subnets + 30 hosts on each, more than enough.

I make my router capable of doing NAT outside for the address, then I'll create a DMZ for the Exchange, either by putting in a switch or an additional card on a server to create the DMZ. The DMZ then equals 192.255.224.1, one of the subnets calculated out; this address I assign to the additional card (NIC) if it resides on a server. It is better to make a subinterface on the router with the assigned address. Now having a DMZ zone of 192.255.224.1, I can then create an IP address between 192.255.224.1 - 192.255.224.30; in between here pick an address, or use another address for the WWW server.

My client could then use the 192.255.192.1 - 192.255.192.30 range; then you could make a DHCP scope of 192.255.128.1 - 192.255.192.30 using 2 subnets. You could then split the scope across 2 DHCP servers.

Like I tried to say, it may seem like a lot of effort for 25 clients, but if one server hangs at least the users get an IP from the DHCP.

For the firewall purposes I could use a Cisco PIX 501; this one is efficient for 25 users + capable of doing VPN connections. In the firewall you must forward port 25 to the 192.255.224.x address you chose for your Exchange server; you can do the same with your DNS server port forwarding + WWW or other kinds of services you want to run.

The ZIP attachment is useful for reasons beyond our control as administrators. Most of the viruses developed today are made in scripting CVS, macros, worms + other specific theories. The common thing is they expect to be opened but rely on the header + when a virus spreads it does not use a zipped attachment, it is already opened in the mail header. Here is where I see potential protection when only accepting zipped attachments: your mails won't get the firestorm. When accepting any attachment, the possibility of getting the virus is big. When denying the attachment when not zipped, the most common, even new, viruses will not affect you.

Have a look at:
http://support.ca.com/Download/patches/ilitnt/excav122.html

Going to see if I can find that registry key setting in the Exchange server.
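
Added example, not part of the original post: a Python sketch of the zip-only attachment policy described above, which refuses any attachment that is not a genuine ZIP archive (checked by name and by content) and builds the administrator notice for the sender. The addresses, the `POSTMASTER` value and all function names are assumptions for illustration; this is not an Exchange feature or API.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

POSTMASTER = "postmaster@example.com"  # assumed administrator address

def sample_message(filename, payload):
    """Constructed test mail with a single attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "monthly report"
    msg.set_content("See attachment.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def zip_bytes(member, content):
    """Build a small real ZIP archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()

def check_attachments(raw):
    """Return (accepted, reasons); every attachment must be a genuine ZIP."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if not name.lower().endswith(".zip"):
            reasons.append(f"{name}: attachment is not zipped")
        elif not zipfile.is_zipfile(io.BytesIO(data)):
            # A renamed file must not pass just because of its extension.
            reasons.append(f"{name}: named .zip but content is not a ZIP archive")
    return (not reasons, reasons)

def rejection_notice(raw, reasons):
    """Administrator message telling the sender why the mail was refused."""
    orig = message_from_bytes(raw, policy=policy.default)
    notice = EmailMessage()
    notice["From"] = POSTMASTER
    notice["To"] = str(orig["From"])
    notice["Subject"] = f"Rejected: {orig['Subject']}"
    notice.set_content("Only zipped attachments are accepted.\n" + "\n".join(reasons))
    return notice
```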

Expert Comment

by:cooledit
ID: 9666612
http://support.microsoft.com/default.aspx?scid=kb;EN-US;214816#2
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q224/4/93.asp&NoWebContent=1


To do this, just edit the URLScan.ini file found in the \winnt\system32\inetsrv\urlscan folder. Find the [DenyExtensions] setting, and comment out the .com entry by placing a semi-colon in front of it. This is shown below:
[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Deny executables that could run on the server
.exe
.bat
.cmd
;.com

Then find the [AllowExtensions] section, and add the .com entry to it as follows:

[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
.com
.asp
.cer
.cdx

I don't have an Exchange server here in front of me so I can't check it out, but there should be some valuable links.

http://support.microsoft.com/?kbid=318515
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B259514
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q265/4/41.ASP&NoWebContent=1

seems like all I can find for the moment
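
Added example, not part of the original post: a Python check that reads URLScan.ini text and reports whether an extension would be served, showing that the `UseAllowExtensions` value in `[Options]` decides which of the two edited lists takes effect. The sample file contents are constructed from the fragments above, the `[Options]` values are assumed, and the function names are hypothetical.

```python
# Constructed samples: the lists from the post, before and after the edit.
OPTIONS = "[Options]\nUseAllowExtensions={mode}\n"  # mode is an assumed value
BEFORE = ("[DenyExtensions]\n.exe\n.bat\n.cmd\n.com\n"
          "[AllowExtensions]\n.asp\n.cer\n.cdx\n")
AFTER = ("[DenyExtensions]\n.exe\n.bat\n.cmd\n;.com\n"
         "[AllowExtensions]\n.com\n.asp\n.cer\n.cdx\n")

def parse_urlscan(text):
    """Return ({section: [entries]}, {option: value}) from URLScan.ini text."""
    sections, options, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current == "options" and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
        elif current is not None:
            sections[current].append(line.lower())
    return sections, options

def extension_allowed(text, ext):
    """True if a request for this extension passes the extension check."""
    sections, options = parse_urlscan(text)
    ext = ext.lower()
    # Assumption: a missing UseAllowExtensions is treated as 0 (deny-list mode).
    if options.get("useallowextensions", "0") == "1":
        # Allow-list mode: only extensions listed in [AllowExtensions] pass.
        return ext in sections.get("allowextensions", [])
    # Deny-list mode: everything passes except [DenyExtensions] entries.
    return ext not in sections.get("denyextensions", [])

def audit(text, extensions):
    """Map each extension to whether the given configuration would serve it."""
    return {e.lower(): extension_allowed(text, e) for e in extensions}

if __name__ == "__main__":
    for mode in (0, 1):
        print(mode, audit(OPTIONS.format(mode=mode) + AFTER,
                          [".com", ".exe", ".htm"]))
```

In deny-list mode only the commented-out `.com` line matters; in allow-list mode only the added `.com` line does, and anything not listed (such as `.htm` here) is refused.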