November 2004 - Posts
Recently, I surveyed several of the SBS MVPs to find out which router(s) they use or recommend with their SBS installations. Their answers are listed below (no names, to protect the innocent!). As with many things, there were different opinions. If you have your own personal favorite, please add it as feedback.
MVP #1: I’m using low end routers (DLink DI-604) along with the Basic firewall because these clients (under 15 users; no heavy Internet activity) normally don’t need a router that has all the high end features of VPN, SPI or extensive logs. The DLink is really cheap, but it gets the job done. VPN works, basic logging and it appears to keep the bad boys at bay. None of my sites require multiple simultaneous VPNs at this point.
MVP #2: I've used low end SOHO stuff too - mostly D-Link, but moving more towards MultiTech for the more wealthy clients.
MVP #3: I use cheap routers, Netgear mostly. The only client that requires multiple VPNs has a Linksys RV082 (which is quite good). I also have a Cisco which I don’t manage (don’t know how either :) ).
MVP #4: If we're providing the router, we usually go low end - D-Link DI-604. They're cheap and work great. We don't have any sites with need for multiple simultaneous VPN tunnels or the like. We do have a handful of clients that have ISP-provided Cisco routers. As a result, I was forced to familiarize myself with the Cisco CLI.
MVP #5: Using Netgear mostly, and some D-Link (although not by preference).
MVP #6: I have a very specific dislike of DLink. Their gear looks cheap, feels cheap and has caused me more grief than I care to remember.
MVP #7: The DLinks certainly don’t have the look and feel of a $300+ router, but I’ve had very few problems with the DI-604. It’s a little long in the tooth but has been a workhorse. Just had a client replace his defunct Sonicwall with one of these and he says his Internet downloading is faster now (not sure I could quantify that). Occasionally the PPTP passthrough needs to be reset and the router rebooted, but that’s about all. I had some issues with Linksys and VPN a year or so ago. And haven’t had the need to venture out into wireless routers yet (other than playing with them for home use).
MVP #8: For a low end unit the DI-604 has worked well for me with 0 failures so far. Linksys used to be my product of choice but lately their QC seems to have dropped.
MVP #9: I acknowledge that this is a high level of overkill, but I use a SonicWall TZ170. I had to replace my Linksys since I needed a device that supported more VPN connections. Since I had to spend money anyway, I decided to get the SonicWall under the Susan Bradley layered security theory. We have a mountain of confidential client docs on our Intranet, and we're appropriately paranoid for that reason. FWIW, it works well in all respects.
MVP #10: I have used a bunch. I like SMC since they give you the option of saving the configuration to a file. They are also quite easy to use and configure. Adding other features like VPN, Netgear has been good to me. 3Com and Nortel are good in the high side.
MVP #11: I let the ISP supply me with a connection I can use. Cisco router that they administer is fine. Westel or Netgear router that they supply that I can configure if I need to is fine. If for some reason they supplied just a DSL modem then I will get a Linksys, Belkin or Netgear router. I do not really sweat a router as a first line of defense. Heck, some ISPs give you a router wide open. You are on your own to configure ISA to do its job. I am more worried about people contaminating their own machines than someone hacking in.
MVP #12: Most of our sites use NetGear. The older models are better than the newer. We’re actually disappointed with the operation of several newer models. When we had to have something with VPN capability, we found the Netgear FVS we bought was a piece of junk (there’s a later model with a different mobo in it, much improved). We found SnapGear Lite or Lite+ good - they’re now called CyberGuard and the model is SG300. Good thing about them, they can act as VPN endpoint but don’t interfere with passthrough. We’re having a problem with one unit locking up occasionally though.
Our newer sites using ADSL we’re putting Netcomm combined ADSL modem and router into, not sure of model nb1300? Or relying on whatever the ISP can supply, we’re finding that having an ISP supplied router/modem combo is helping from the support angle, something going wrong with internet the ISP is responsible up to our external interface.
If we were putting Standard in (which we very seldom do) we’d like something like a WatchGuard Firebox. We have one site with a Firebox III, it’s a decent device. Not to be confused with the Firebox SOHO which was already in place when we took over another site, a capable unit but we’re glad it’s got ISA behind it. The most reliable device for Australian cable (BigPond) is the Compex NetPassage 15. It was the first unit to be available in AU with builtin login client. No other router has a login client as robust as this unit.
MVP #13: For my own office I use a SonicWALL SOHO TZW. I'm paranoid about having my client data at risk, so I've used a Watchguard SOHO and then a SonicWALL Tele 3, and now the TZW. For client sites I place them either behind a SonicWALL and then use Netgear or Linksys switches on the LAN, or I use ISA (SBS Premium) and place it directly behind their broadband device. ISA only goes into offices that I don't intend to have site to site VPNs in and I use a straight CEICW install. If site to site VPNs are going to be happening, then I deploy SonicWALLs and do IPSec box-to-box connections between the offices. For home users not running a server, they normally end up running a Linksys or D-Link because they are easy to get at the local office store.
We get a lot of posts complaining of slow file transfers from workstation to the SBS server. The first suggestion we make is to disable SMB signing, which is properly described at www.smallbizserver.net. The other thing we suggest is to switch your NIC card away from autosense/autodetect.
I've had a server that has had the same 'slow file transfer' symptoms for two weeks, and yet nothing I did fixed the problem. Finally, tonight, I had a chance to 'google' through this newsgroup looking for other ideas. I found a post from Chad Gross (in August) saying that with Dell servers in particular, that he had to set the NIC card back to autosense to fix the slow file transfer problem.
Well, I connected up, switched the server NIC back to autosense, and reran an 80mb file transfer that previously took 11 minutes to complete. This time it took 30 seconds!
Thanks, Chad! Thanks, Google! Thanks, Dell (not!)
A tip of the hat to Merv for this information!
A frequent question on the NG is: can I use Ghost to make copy of my SBS system drive, and if so, which version of Ghost should I use?
Merv's answer is: You can use Ghost 2003 (or later).
1. Install the Ghost 2003 software on a Win2K or WinXP workstation (not the server) and then make a set of Ghost Boot floppies using MSDOS as your operating system on the floppies (requires a MS DOS bootable disk or CD to copy the files from this to your Ghost Boot Floppies).
2. If you don't have a Win98 boot disk, try this site: http://www.bootdisk.com/bootdisk.htm
3. Reboot the server and make sure there are no errors in the Event Logs and that all services are started and running properly.
4. Shut down the server.
5. Install the new drive in the server as SCSI 1 (set jumpers on drive if necessary) and use Disk Management to format it (or Disk Administrator, depending on your operating system) --- do a Full format (not a Quick format) as NTFS.
6. Shut down the server
7. If the original and the new drives are virtually the same size, remove the new drive, as it can be confusing determining which disk you need to image when using the Ghost DOS interface.
8. Boot the server from the Ghost Boot Floppies and image the original drive to an external USB drive or a spare IDE drive in the server. *
9. Shut down the server
10. Remove the original drive and install the new drive as SCSI 0 (set jumpers on drive if necessary)
11. Boot the server from the Ghost Boot Floppies and then restore the image to the new disk.
12. Reboot and "exercise" the new drive to make sure that everything works as it should and there are no errors in the event logs.
* I find it better to use the "Partition to Image" method to create the image (selecting all partitions on the original disk) and then use the "Disk from Image" method to restore the image to the new drive. This will allow you to resize the partitions on your new drive during the restore process, if that's desirable.
This process keeps your original drive intact in case there's any problem with the image restore.
Merv Porter [SBS MVP]
Recent problem posted on the NG:
We do not have a static IP. Our ISP requires that we forward mail to their SMTP server on port 1025 instead of port 25. When I look at the SmallBusiness SMTP connector there does not appear to be a choice for the SMTP port. Is there a way to specify port 1025 for just their smarthost?
The answer (provided by Henry Craven) was:
1. Shut down the Exchange services
2. Go to: %systemroot%\system32\drivers\etc\services file
3. Edit the contents for the smtp service to specify another port number
smtp 25/tcp mail #......
and change it to:
smtp 1025/tcp mail #.....
4. Save the file, then restart the Exchange services.
If you are running Sharepoint with SQL (not WMSDE), you're supposed to be able to perform full text searches. If searching is not working for you, make sure it's enabled. Here's how:
1. Click Start > Administrative Tools > Sharepoint Central Administration.
2. Scroll down to the Component Configuration section
3. Click on the Configure full text search link
4. Click the box to enable full text search
5. Click OK, and then wait several seconds while it updates.
The following question was recently asked on the NG:
“Does anybody know how to allow the Video/Audio in MSN6.2 through ISA firewall. I have tested it OK between 2 laptops over the internet, but when I return one back to our SBS2003 LAN and try a video conf, I get the message: Your computer, Internet provider or network may not support audio conversations or video conversations.
Any Ideas ?????”
Steve Foster replied as follows:
You will not get MSN Messenger video/audio to work through ISA. I don't think ISA2004 will support it either.
The problem is that the audio/video connections are built dynamically, on random ports, directly between the two ends of the IM conversation, without going through the MSN IM servers. Both ends need to allow incoming connections on those random ports.
Many firewalls don't support MSN Messenger audio/video.
This is one of the [self-inflicted] problems where UPnP helps (as it allows the client to reconfigure the firewall on demand). Personally, I don't want my firewalls dynamically reconfigured, thank you very much...
Steve Foster [SBS MVP]
Often it is asked how to create a batch file to map network drives for users at logon. Here's how I did it at one site where I had a small number of users, but each user had a different set of mapped drives they needed to access.
Note, in this posting, "sbs1" is the name of my SBS server. Substitute your SBS server name accordingly!
Location of script: The default SBS login script is located at c:\windows\sysvol\sysvol\sbs1\scripts and the script file is SBS_LOGIN_SCRIPT.bat.
Note: a quick way to get to this directory is to click Start > Run, and then enter \\sbs1\netlogon - and you will be right there, with no further drilling down any subdirectories!
1. First thing you want to do is to make a backup copy of the .bat file - just in case!
2. Next, edit the contents of the default .bat file so it looks like this, and then save it.
Rem Default SBS Login Script for users
3. I then created a new .bat file for each user. The name of the .bat file explicitly matched their actual logon name. So, if you logged on as JohnDoe, then the batch file was named JohnDoe.bat
Here is the content of one such user batch file:
Rem Batch File for user John Doe
NET USE Q: \\sbs1\Quickbooks
NET USE S: \\sbs1\SharedCompany
NET USE T: \\sbs1\Access
So, what happens is that when John Doe logs in, the default SBS script is started and immediately starts up the script file johndoe.bat, which has the various mapped drives to be declared.
4. Now, all you need to do is to create a new batch file for each user - no need to mess with the default SBS script any more. And no need to modify the name of the startup login script from within AD.
Add a new user? Simply add a new batch file!
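The default script listing in step 2 survives here only as its comment line. As an added example (not the original post's script), a default login script that performs the hand-off described above could look like this; it assumes the server name sbs1 from the post and that the per-user .bat files sit in \\sbs1\netlogon beside it.

```batch
@echo off
rem Added example, not the original post's script.
rem Default SBS login script: hand off to <logon name>.bat in the same share.
rem Assumptions: server name sbs1 (from the post); per-user scripts live in
rem \\sbs1\netlogon next to this file.
setlocal

set "SCRIPTDIR=\\sbs1\netlogon"
set "USERSCRIPT=%SCRIPTDIR%\%USERNAME%.bat"

rem File names are matched case-insensitively, so JohnDoe.bat is found
rem whether the user typed JohnDoe or johndoe at logon.
rem Users without a per-user file simply skip the hand-off with no error.
if not exist "%USERSCRIPT%" goto :done

rem CALL returns here when the per-user script finishes; starting a .bat
rem without CALL would end this script at that point.
call "%USERSCRIPT%"

:done
rem The NETLOGON share is readable by every domain user, so keep these
rem scripts free of passwords (no NET USE ... /USER:name password lines)
rem and leave write access to administrators only.
endlocal
```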