Multiple NIC support in SBS 2008?

Posted Monday, April 28, 2008 12:01 PM by sdeming

Q: (from John)

Steve:

Perhaps you remember me asking you a question after your presentation in the Philadelphia “Heroes Happen” partner meeting. You asked that I send you this email so you can find out what you can about my concern for a possible limitation affecting the forthcoming SBS 2008.

My company, Trilon, provides outsourced IT support to small businesses in Eastern Pennsylvania and North/Central New Jersey. Many of our clients use Microsoft SBS 2003 as their only server in the main office. All such offices use SBS 2003’s two-network-interface configuration, which allows the SBS to share a single static IP address to the Internet on one interface with all the office workstations connected through a network switch to the other SBS network interface.

The two-network-interface SBS 2003 configuration uses the built-in RRAS-based NAT and Basic Firewall to share the single Internet connection. I have heard rumors that the new SBS 2008 will only support a single network configuration. Thus, we’ll need another server (like a Microsoft ISA server), or some network-sharing appliance, or hey—why not some sort of Unix-based box? And then, guess what? We can also run a mail server, DNS, DHCP, and  file & printer sharing all from a single server again! And it doesn’t even cost as much as one SBS server! At least, that’s the observation I’m afraid my clients are going to make. I’m going to have to justify the additional cost for buying (and monthly cost to maintain) another thing (server or network appliance) after they upgrade to SBS 2008. They’ll ask why the upgrade to SBS 2008 can’t do what SBS 2003 did.

I really hate those cheesy NAT boxes that cost under $100 that everyone is throwing into their home offices because they always crash and need to be power cycled every week or so to restore service. My clients are all used to the rock-solid network sharing services provided by SBS 2003. And we have never had a problem remotely accessing SBS 2003 servers, even when their configuration needed adjusting. My experience with network-sharing appliances tells me that if they aren’t crashed, they’re certainly not going to respond to remote management! To achieve the same level of reliable network-sharing we had with SBS 2003, we’ll need to recommend some pricey box from Cisco, or a second machine running Microsoft ISA server—both of which are much more powerful than they really need. But we’ll still have to recommend them, since I don’t know of a cheaper, yet still reliable, solution.

I can understand the decision not to allow ISA server to run on SBS 2008; heck, we already don’t use it for any of our clients. But to take away the basic network sharing and firewall services of SBS 2003 is going to pose a real opportunity for my clients to rethink their server choice.

One final word regarding your presentation in Philadelphia: I find it very distressing that functions and features being taken away by SBS 2008 are not highlighted in the slides and addressed by your talk. Microsoft doesn’t have to sell us on the virtues of SBS—we already know it’s a good product, and we want to see it deployed to our clients’ sites. However, we’re supposed to be on the same team, so we need to know the good news along with the bad news. That way, we can begin to make plans and prepare proposals that will succeed. As it stands now, if I’m right that SBS 2008 will only support a single network interface configuration, I guess I’m expected to find that out when I try to install it the first time! Why not tell me now what’s changing so we can all be prepared! Hey, even better—shouldn’t Microsoft tell us that it’s thinking about removing such a key component, and ask us for feedback before just silently removing the feature?

A: (from Peter Gallagher)

For the dual NIC scenario, SBS2k3 STANDARD fully supported 2 NICs and used RRAS (component of Win2k3) as the firewall. In SBS2k8, the wizards will support a single NIC install. If you have a partner that wants/needs 2 NICs, make sure the customer understands the “80/20” rule where SBS out of the box fits (and was designed for) most customers’ networks. When the network starts falling into the “20” category, they need to look long and hard at why they are in the “20” category and be mindful of the “gotchas” when they start falling out of the design parameters.

Back to the original question about 2 NICs: Will it support 2 NICs? YES, but you gotta know what you are doing! Will the wizards support it? NO, manual config is required. Will it support NAT? The short answer is NO.

A more detailed posting about the "why" can be found here:

http://sbs.seandaniel.com/2008/05/preparing-your-network-for-small.html

Q: (from John)

Peter says "When the network starts falling into the “20” category, they need to look long and hard at why they are in the “20” category and be mindful of the “gotchas” when they start falling out of the design parameters."

The reason my clients would "be in the '20' category" and "start falling out of the design parameters" is because Microsoft pushed them, causing them to "fall out" and land "in the '20' category". 100% of my small business clients use SBS 2003’s two-NIC scenario to connect, share, and guard against the Internet. Since the two-NIC was included as one of the three scenarios supported by the SBS 2003 wizard, I would think my clients were in the 80%.  What changed?

When customers who were in the "80" category wake up one morning and find themselves in the "20" category, Microsoft needs to look long and hard at why "improvements" to their products have the effect of marginalizing their customers. Remember, my clients didn’t change; it’s Microsoft who’s changing SBS 2008. Some of my clients use five-year-old server hardware and wish they could have a little more disk space and/or perhaps a little quicker response from their existing server. We all expect that buying new hardware for SBS 2008 would naturally include new faster/larger disks and processors. It’s hard to explain to my clients that when they get SBS 2008 and five year newer, faster hardware, they’ll need yet more equipment to connect their LAN and server to the Internet because Microsoft has declared them unfit for full support.

Steve, here’s the real test: did Microsoft decide that it would be best to take out support for two-NIC setups because very few sites wanted the feature, or did Server 2008 (which SBS 2008 is based on) drop support for components needed by SBS for two-NIC functions? If it’s the latter, the argument put forth by Peter is just an attempt to justify the change, rather than an explanation for the decision. That is, the SBS team didn’t decide to take out support for a two-NIC scenario even though it would take effort to remove the feature; instead, they decided not to do the work necessary to put it back in when Server 2008 failed to include the necessary components to do it the same way it was provided with SBS 2003.

A: (from Steve)

As you pointed out in your last email, Windows Server without RRAS loses the ability to provide NAT services and that’s where your “rant” comes in. The choice to remove the RRAS capability by the Windows Server team impacts what is available to the base SBS product. The SBS team then had to decide if they were going to replace that functionality separately. Since they were already on the track of removing SBS from the firewall role, the decision was to not replace the NAT functionality. I apologize for pushing your customers from the 80% to the 20% (really to the 0% since it can’t be done) but I also appreciate the internal consistency of the new approach; if we have been harangued about SBS (Active Directory, file & print, Exchange, Windows SharePoint Services, etc.) not being robust enough to also play the role of a firewall with ISA, why would we let the box play a similar role with a less robust security technology (RRAS)? This is why we are recommending that you transition your customers to using an external firewall/NAT device either based on ISA or a 3rd party technology.
