Small business server check!




Foogoofish
Jun 12, 2011, 06:54 AM
Hi guys!

As you may have noticed, I am new to the forums, and am looking for some advice. Having lurked around in the background for a long, long time looking at the rumours front page and occasionally the forums, I am in need of some advice from those in the know!

I am building a small business server setup, and am in the planning stage at the moment. We have pretty much decided in general on the hardware that we are going to be using, and I was hoping someone may be able to check my network diagram to make sure that it would be viable. While I have been a Mac user for almost 15 years, this is the first time I have been relied on to make sure the business can be running from day 0, and I don't want to let anyone down!

There are a few questions I have as far as the setup goes, mainly revolving around using the AirPort Extreme in a 'Bridge Mode' to allow for the router between the Modem and Switch to hand out IP Addresses. Is this required to maximise speed, or is it possible to allow the AirPort Extreme to handle the entire traffic? I plan on using the switch for hard wired ethernet going to any workstations, so there is no problem with how many ports are available to use on the back of the Extreme.

Secondly, is the placement of the Firewall in the right place? Part of me thinks that it should be Modem -> Firewall -> Router, but every guide I have seen gives an example of a combined router/firewall, so that is of very little help! If anyone were to have a diagram to hand it would be greatly appreciated!

Lastly, my main concern is the recent news that the supply levels of the servers are running low. I know that rumours are rumours, but with the whole idea of 'any Mac can be a server', I don't really want to have to start with a .0, .1 or .2 build of Lion if it is as buggy as Leopard server appears to have been at the beginning. On the other hand there is no way to say that they wont bring out a new more 'Pro' line of servers. Love speculation!

Thanks for any help, advice, or slapping if I have missed anything big! Oh, and I pondered the best place for this thread to go, so sorry if I got it wrong!

G



thankins
Jun 12, 2011, 10:13 AM
Let's see if I can lend some help - I set up a complete Mac mini server and network at a small business about a year back.




1. Not sure what ISP you are using, but I would put the AEBS in transparent mode and let it handle all the traffic. You would just enter your info from your ISP into its settings and then turn transparent mode on in the modem supplied by your ISP. This way you don't have someone making changes in the modem thinking that is where the change is supposed to be made.

2. May I ask why the need for the firewall? The AEBS will block all incoming ports that aren't open - of course it won't block outgoing connections, but not sure you would need that.


Also why the wireless? AEBS could handle that as well.

Foogoofish
Jun 12, 2011, 10:28 AM

Well I see where you are coming from with the use of the AEBS handling the traffic - that was the conclusion I was coming to. It would also negate the need for the extra router. I guess what I was aiming at was if the company were to upgrade to say 20-30 client machines (the diagram is just an example of a couple), then would the AEBS be happy dealing with that many connections through the network switch, as well as the possibility of having 10-20 wireless connections?

If it clears anything up, the server is going to be used for an Engineering Consultancy dealing with Structural and Civil, so while most of the data will be opened on the server such as .doc/.pdf, there is also the potential for large CAD files to be edited over the connection while the file is still based on the server. This is why I ask, as I know the AEBS will not be handling the data itself, but is it likely to run into any issues with this many clients connecting?

The firewall is more of a prevention rather than a necessity. The company is Hong Kong based, and while very little of the data is FBI level security, much of what is being used is highly confidential and to do with Government Projects as well as high level companies that are having work designed for them. The idea of the firewall was a 'just in case' one, as I know that while the Mac OS X software security and firewall is good, it is not foolproof. If the hardware firewall is indeed overkill, what would you recommend as a software based alternative that could be distributed like normal over ARD3?

Thanks again!

G

Edit: Sorry, missed a couple of things. It will be a standard business ISP out in Hong Kong with usual static IP. And the wireless in the diagram is actually the AEBS, I just didn't want to confuse the two when I made it (Router vs. AEBS).

Eddyisgreat
Jun 12, 2011, 11:51 AM
Depending on what the clients are doing and their speed (i.e. all 802.11n clients pushing video or all 802.11b clients surfing the web), the AirPort Extreme should be fine.

In a simple network such as this, having the router hand out IP addresses would be fine. The modem in an ideal world should not hand out IP addresses, because it may not be possible (have you checked this?).

The firewall placement is incorrect. The only time you'll want to have a router connected before a firewall is when you have servers in the DMZ, at which point you'll have
ISP -> Modem -> Router (Or Firewall if you want increased protection) -> DMZ -> Firewall -> Internal Network.

In your case I'd switch the firewall and the router, set up the modem as a transparent bridge to NOT hand out DHCP, and configure the firewall as the gateway via DHCP for the clients. You can also have OS X Server do all of these functions. I run it @ home and run Windows servers @ work and I'd say each is rock solid, but OS X is especially easy to work with, so if you want it to handle internal DNS, DHCP, file sharing and Open Directory then I'd trust it on uptime.

Foogoofish
Jun 12, 2011, 12:35 PM

Thanks for your help Eddy. I have actually put a new thread in the Server forum (woops sorry about double posting, found that later) here! (http://forums.macrumors.com/showthread.php?t=1168968)

I agree with you on the DHCP matter; I was just worried that the AEBS would not be able to handle an expanded client base after a while, but I guess we can come to that if there are any real problems - it would be embarrassing for Apple if they couldn't cope with 20 users on their top-of-the-range router / wireless! I was not planning on having the modem do much more than the basics; my knowledge lies in routers, not modems! Actually spent a long time about 4 years ago sorting something like this out with Apple and it was down to the modem - will try and avoid it like the plague!

Also, upgrade to Lion Server with bugs or stick with Leopard?

Thanks again! :D

G

Foogoofish
Jun 12, 2011, 12:46 PM
New updated diagram with thanks to Thankins and Eddy!

Any more ideas? Thanks again,

G

thankins
Jun 12, 2011, 01:42 PM

That looks much better!!

And then I would have your Mac server handle DNS and you should be set.

I think the firewall is a good idea in your situation. I highly recommend you check out the SonicWall TZ200s; they are great and I use them for all my clients.


EDIT: Oh and saw your thread over in the other section. Stick with SL Server. Never a great idea to push out a server product until a few updates have been made. At least wait till 10.7.2 before you go down the Lion Server path.

Foogoofish
Jun 12, 2011, 04:33 PM
Brilliant! I think we are almost there, but just on the subject of the SonicWall, I have done a fair amount of research, but I may just be being tired / a bit silly when I ask:

Is the wireless version providing a wireless signal (i.e. as well as AEBS), or is it needed to enable WLAN connectivity in conjunction with the AEBS? The ~$150 price tag difference between the two models makes me ask this.

I am also a bit worried about trying to stay with 10.6 server, as I have a feeling my client is not going to feel that the $500 price tag is worth paying for compared to just using Lion server as is. I am rather persuasive, but are there likely to be crippling bugs a month after release? I read a lot that Lion is still buggy as hell, but for what I am doing, will it really be worth paying that increased software cost? I guess they are not going to be lowering the price on 10.7 release...!

Thanks again,

G

thankins
Jun 12, 2011, 07:26 PM

You are correct - the wireless versions of the SonicWalls provide a wireless signal. I don't care for the wireless in the SonicWalls, but damn are their firewalls good. I would just stick with the SonicWall minus the wireless feature.


As for Snow Leopard Server vs Lion: there are always bugs with it - hell, there are even bugs in SL Server still. I think you should explain to your client that your time and energy spent fixing or dealing with the bugs that could arise in Lion is probably gonna cost more than their cost of getting SL Server.

Also check your PM.

rpenzinger
Jun 12, 2011, 07:56 PM
Why are you having the AEBS as the DHCP server? I would think having the server assign IPs is a more standard and reliable approach.

thankins
Jun 12, 2011, 09:56 PM

It is actually best practice to have them separated as in this diagram.

BushyRS
Jun 13, 2011, 03:04 AM
Couple of questions, as I am about to embark on a similar project.

If you use a Time Capsule as the access point (left over from a previous setup) - well, actually, due to wireless issues I have two TCs - have I got any firewall within this, or should I be looking at a separate option?

Do I use the TC to issue DHCP and then the SLS to do DNS, is that what we are saying?

Many thanks

Ap0ks
Jun 13, 2011, 03:45 AM
I personally would stick the wireless in its own VLAN or network section so that access can be controlled by the firewall; at the moment, if anybody hacks the WiFi password they're straight onto your internal network :eek:

thankins
Jun 13, 2011, 09:00 AM

That is exactly what I am doing at a handful of clients. TC does DHCP and SLS does DNS.

BushyRS
Jun 13, 2011, 04:04 PM
And have you implemented a hardware firewall?

Foogoofish
Jun 13, 2011, 05:02 PM

So put it on the other side of the firewall? I agree that the AEBS creates a problem if it is indeed hacked - would it be best to have it coming off one of the ports from the firewall itself? That way the firewall could monitor all traffic coming in and out of that specific port. This seems like it should logically mean more secure wireless - am I wrong?

Thanks,

G

Like this....?
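As an added illustration of the segmentation Ap0ks suggests and the layout sketched above (not a configuration from the thread or from any SonicWall product), here is a pf-style firewall policy in which the AEBS sits on its own VLAN behind the firewall and can reach the internet but not the wired LAN or the server. Interface names, address ranges and the server address are assumptions for the example.

```conf
# Added example, not from the thread. Layout: Modem -> Firewall -> {wired LAN, wireless VLAN}.
# Interface names and address ranges below are assumed for illustration.
ext_if   = "en0"               # uplink to the modem (transparent bridge)
lan_if   = "en1"               # wired switch: workstations and the server
wifi_if  = "vlan10"            # AEBS in bridge mode on its own VLAN / firewall port
lan_net  = "192.168.10.0/24"
wifi_net = "192.168.20.0/24"
server   = "192.168.10.5"      # OS X Server: DNS, file sharing, Open Directory

set skip on lo0
scrub in all

# NAT both internal segments out to the ISP's static address
nat on $ext_if from { $lan_net, $wifi_net } to any -> ($ext_if)

# Default deny. Logging the drops is what lets you notice a wireless
# client probing the internal network instead of just surfing.
block log all

# Wired LAN: full access to the server and the internet.
# pf is stateful, so return traffic is matched by the state each pass creates.
pass in  on $lan_if from $lan_net to any
pass out on $ext_if from $lan_net to any

# Wireless VLAN: internet only, plus DNS on the server (tcp/udp 53).
# "quick" rules stop evaluation on first match, so order matters here:
# allow the DNS exception, then drop anything else aimed at the wired LAN.
pass in  quick on $wifi_if proto { tcp, udp } from $wifi_net to $server port 53
block in quick log on $wifi_if from $wifi_net to $lan_net
pass in  on $wifi_if from $wifi_net to any
pass out on $ext_if from $wifi_net to any
```

On a flat network (AEBS plugged straight into the switch) the `block in quick ... to $lan_net` line has no equivalent: anyone who obtains the WiFi password is on the same segment as the server, which is the exposure Ap0ks describes.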

BushyRS
Jun 14, 2011, 12:43 AM
I had a similar Windows setup and used the UPS to keep the cable modem and hub powered, as power outages are short here, so I could still get server access for, say, 30 minutes.

Ap0ks
Jun 14, 2011, 03:16 AM
That revised diagram looks better :)

I don't know what the power situation will be, and whether you'll have many laptop users, but you'll probably want to get more of the central devices on a UPS too. That way if the power goes down for a second or two, everything will continue to work (with the UPS alarm sounding) so people can save and shut down rather than losing work abruptly.

Foogoofish
Jun 14, 2011, 05:47 AM

Yes, I was starting to think that too, from also translating the rather cryptic previous comment! So would you recommend getting a multi-output UPS to run the firewall / AEBS and switch as well? I am sure that it would not require a huge amount to power these for a couple of minutes! I guess the main focus will be to make sure that the server powers down properly, and from then we can focus on making sure that the other areas are sorted. I think though that there are not many problems with the power, so would it be an all-or-nothing situation, or would a UPS on the server be better than nothing, and a UPS on all parts the best? (I hope that actually makes sense!)

Thanks again,

G

Ap0ks
Jun 14, 2011, 06:54 AM
It really boils down to what the company needs and how much money downtime/data loss will cost them.

As a starting point the server and NAS should be on a UPS so they can be shut down cleanly to prevent data loss. If you wanted to go further, the next step would be to get the switch and user machines (for WiFi users that would mean the firewall and AEBS too) on a UPS so they can save data to the server and shut down in the event of a power cut.

The firewall and modem don't really need to be on a UPS; it would be nice, but not really necessary.

Foogoofish
Jun 14, 2011, 07:02 AM

You make some very good points, and in a city such as Hong Kong my client has said that in 20 years of living and working there, there have not been any power cuts. This is all great of course until one day the power goes and screws the NAS. I think therefore that having the Mac Pro and the NAS on the UPS would be the best idea, as I like to think that in my experience people are quite good these days at saving regularly. Indeed not foolproof, but to be honest I think that having all the hardwired client machines (iMacs) on a UPS would be a bit overkill - especially the more and more I read about their mammoth power consumption!

The only question I have on this though, is if the power goes out (so let's say that this leaves the MacBook Pros + server + NAS), then would a VNC client such as ARD be able to access the server from the MBP in order to switch it off without having to have a monitor, keyboard and mouse attached? Or would the loss of the AEBS supplying DHCP screw the whole thing up?

Thanks,

G

Ap0ks
Jun 14, 2011, 02:09 PM
There are a couple of possibilities in that case: if you have enough capacity on the UPS, you could add the switch, firewall and AEBS to the UPS. Alternatively you could add just the switch to the UPS, and if the worst did happen you could plug into the switch (if not already), assign yourself a static IP, and connect as normal (providing the server is also statically assigned) via VNC.

cosmos
Jun 15, 2011, 03:19 AM
Ap0ks pretty much covered everything that I can think of in your described situation. Certainly covered the setup of the firewall and network connectivity for the number of users you described.

Certainly different scenarios that you have to plan for vs. when I was working at one of my employers. There the whole infrastructure was handled by different teams responsible for each piece. The only time I regularly had to deal with the network for servers was with Port Security on the Catalyst switches and the added complexity of working with VLANs.

I didn't have to worry about UPS requirements, as the whole data center was covered by multiple racks of large batteries to handle the load until the five generators (each 16-cylinder diesels of the kind used in locomotives) got fired up in the event of a power failure. Each generator produced 1500 kW IIRC, which was certainly something to hear when all were running! I certainly would not want to pay the diesel bill for running those beasts over a prolonged outage.

I was shown a primary fuse for the data center by one of the electricians. It was literally the size of a loaf of bread, with blades about an inch thick. IIRC it had a rating of 4000 amps.

Whatever the rating, the main breakers had to be pumped with a handle first before remotely closing them due to the amperage of the circuit. I know that I would hate to pay the power bill for even an hour. Often I miss being back there, but not the stress.

Foogoofish
Jun 15, 2011, 09:58 AM
Wow! Amazing, cosmos; shows how much companies value being able to run in a blackout!

With regard to the Mac Pro running off a UPS, I have read a lot that the power supply required is rather massive. I am looking into getting this APC one, or something along the lines of it. I hope I'm on track here...!

APC SC1500i (http://www.apc.com/resource/include/techspec_index.cfm?base_sku=sc1500i)

Thanks again,

G