Server provisioning for the future



My workplace is looking to adopt a wide range of data protection policies regarding the secure use and transfer of data. I've had a quick scan through and a lot of them we can't adopt simply because we don't have the hardware in place. We use Office365, which doesn't give us the monitoring capabilities and control that an Exchange server would, so we'll want that. We may also want a VPN (or some secure remote login system?) with RSA authentication, and we currently have 2 servers at the moment, so it could quite quickly turn into a mess.

 

I must admit I'm not 100% clued up on virtualisation or best practices when it comes to something of this size, so I'd like to have a bit more reading under my belt for when the data manager starts asking questions.

 

I believe I'd be looking at something like Hyper-V (although I don't know much about it) with a view to bringing down the number of physical servers and running the DC, Exchange, VPN, etc. all off the same physical hardware, just isolated by OS?

 

Is this a more cost-efficient method? What sort of spec are you looking at to run a DC (data/users), Exchange, and remote login (VPN?) with token access (RSA?)

 

Any advice appreciated :)


A single server solution would likely work for your environment, but it would probably be better to get two and have a decent backup scenario, so in case of a failure of one of the servers you are not entirely down. You can restore from backup and move everything to the other server.

 

How big is your environment? How many users? What data protection policies do you have in mind?

 

This would help determine your requirements. But given the details, or lack of them, I'd assume this is a small environment, and two physical servers running all of your loads, or even a single server, would probably be sufficient.

 

2 x Domain Controllers w/ claims-based authentication enabled if this will be Server 2012 (this will give you some advanced data protection management and rights management beyond the basic share and NTFS permissions)

1 x Exchange running all roles

1 x RAS/VPN/DirectAccess server (DA is likely out for your scenario, and VPN is likely the simpler way)

1 x File/Print server with FSRM (this will give you some advanced features for moving data around/archiving it and, in combination with claims-based classification, some automation for classifying files and who can access them, and for tagging files with particular content in particular ways automatically)

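The classification automation described in the post above, as an added example that is not part of the original thread and not anything its author posted: a PowerShell fragment for a Server 2012 file server with the FSRM role that defines a classification property, tags files whose contents match a set of marker strings, and schedules a file management job that moves tagged files out of the share. The property name, share path, archive folder, marker strings and schedule are all assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Requires the FSRM role on Windows Server 2012
# and an elevated PowerShell session. All names and paths below are assumptions.
Import-Module FileServerResourceManager

$property = 'Confidential_PupilData'   # assumed classification property name
$share    = 'D:\Shares\Staff'          # assumed share to scan; must already exist
$archive  = 'D:\Archive\PupilData'     # assumed destination for tagged files

# 1. A Yes/No property that the content rule below will set on matching files.
if (-not (Get-FsrmClassificationPropertyDefinition -Name $property -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationPropertyDefinition -Name $property -Type YesNo `
        -Description 'Set automatically when a file contains pupil-data markers' | Out-Null
}

# 2. A content rule: any file under the share whose text contains one of these
#    constructed marker strings (replace with the markers your policy defines) gets
#    the property set to Yes. Overwrite lets a later re-scan clear a stale tag
#    if the content no longer matches.
$markers = @('Child Protection', 'Date of Birth', 'UPN:')
New-FsrmClassificationRule -Name 'Tag pupil data' -Property $property -PropertyValue 'Yes' `
    -ClassificationMechanism 'Content Classifier' -ContentString $markers `
    -Namespace @($share) -ReevaluateProperty Overwrite | Out-Null

# 3. A file management job: every Sunday at 02:00, files tagged Yes are moved
#    (FSRM calls this "expiration") from the share into the archive folder, so
#    tagged material no longer sits where any staff member can copy it to USB.
$condition = New-FsrmFmjCondition -Property $property -Condition Equal -Value 'Yes'
$action    = New-FsrmFmjAction -Type Expiration -ExpirationFolder $archive
$schedule  = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly @('Sunday')
New-FsrmFileManagementJob -Name 'Move tagged pupil data' -Namespace @($share) `
    -Condition @($condition) -Action $action -Schedule $schedule | Out-Null

# 4. Run the classifier now rather than waiting for its schedule, then check the
#    rule and the run status. Tags are written into the files' alternate data
#    streams and re-evaluated on each run.
Start-FsrmClassification
Get-FsrmClassificationRule -Name 'Tag pupil data'
Get-FsrmClassification
```

Two caveats a practitioner would want. A property created locally like this is only known to the file server; to reference the tag from a central access rule on Server 2012 domain controllers (the claims-based piece in the post), define it as a resource property in Active Directory (New-ADResourceProperty) and pull it down with Update-FsrmClassificationPropertyDefinition instead of creating it locally. And content classification only sees text that an installed IFilter can extract, so encrypted or unusual formats are skipped; the tag is a sorting aid, not a replacement for reviewing share and NTFS permissions.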

The biggest question, as pup pointed out, is how big is your environment? Also, what for? If you're an IT company, that is a whole different ball game. If you're running a service company, or anything like that, then what I'm about to say should apply. Also, what is your role? To advise, or to deploy/manage?

 

If you're a small company, I would STRONGLY suggest following the principles of KISS (Keep It Simple, Stupid). If you're a large company, I would still keep it as simple as possible, but you're going to need more of a "large scale" deployment like pup suggested.

 

Without knowing more information, all I can really say for sure is this:

 

1. Keep it simple

2. Farm out as much as possible, e.g. having your emails on Office365 behind an SLA is a lifesaver!

 

Edit: Consider effort/reward ratio.


Thanks for the replies. Good shout with a backup server, I didn't consider this.

 

To go into more detail: we are a school with around 60 members of staff who at the moment have no enforcement of policies regarding emails, moving data around, removable media and all the rest of it. It may not seem like a big deal, but it's quite a big risk when it involves children's personal data (i.e. child protection): if something was to be leaked we could be fined thousands.

 

We use Office365 for emails; our local authority does NOT consider this a secure method of communication and would not send any confidential files to us via these channels. As far as I know, 365 doesn't give us the facility to monitor emails, which is something included in the new policy. It goes quite in depth about what users should and shouldn't be doing, yet we have no way to monitor it should we wish to do so if we have a concern or legal requirement.

 

The second issue is the use of removable media: staff have no issues throwing everything on USB sticks, unencrypted, and they're losing them and leaving them lying around. We want to eliminate this by offering remote access via what I believe is a VPN, using leased encrypted laptops from our establishment so that they can access their data over a secure connection. If they need local access to data, it should be transferable to the secure laptop.

 

Our data manager has the idea that staff can obtain those RSA token keys. Does this auth method require a server/VM of its own, or is this something the company is likely to implement/manage?

 

We definitely want to keep it simple.


DirectAccess is basically a VPN that is created automatically on the client, but there is more setup involved on the server side.

 

This doesn't address the secure method part, but you can use an external service such as Office 365 and have it run through an archiving system before hitting the server, which would in turn give you monitored email. Our state ISP has an archiving service which is inexpensive, but does require a subpoena. I think Gaggle.net can archive email also, like I mentioned. I don't know if they work with all services, but I know they do with Google Apps.

 

If you're using Office 365, why not use SkyDrive instead of flash drives?


I will ask some questions, and you will need to answer them for me to even start a build for you.

 

Do you want redundancy? 

How do you want your mail set up, and how secure do you want it? (This can consist of 3 or more servers physically separated by networks, creating a front-end web server, a separate client access server and a separate database server, and, if you want redundancy on the database, a clustered database server. This complicates things severely and I would not recommend doing this yourself.)

 

Spam solution? Internal or external?

 

Do you want to use an encrypted email solution? If you did, you could use the 365 solution you have now, btw; it would leave your mail encrypted, sitting on the Zix gateway, until someone gets to it to decrypt it, but if you have no control to see the messages on the mail server side you have no way to prove it. Cisco has its own encryption solution built into its spam solution; a few others do this too.

 

Firewall/VPN? Do you want an all-in-one firewall/VPN solution, do you plan on going with the built-in Microsoft solution, or do you plan on going with a specific VPN appliance or software?

 

Backups... Backups are an issue in themselves. How you want to back up will come into the cost of the backup. Many backup products are à la carte, meaning what you want to back up will be an additional cost to you: just because you buy the main software at, say, 1000 doesn't give you the ability to back up and restore an Exchange server or a SQL server or even another server; each other server you want to back up is an additional price of 500. Oh, you want Hyper-V or VMware raw backups? Another 500-1000, please. Oh, you want to make the most out of the space you have? Another 1000, please... it adds up quick.



Redundancy: potentially yes. It doesn't need to be bulletproof, but it would be nice to have a backup server that could take over should the other fail.

 

The mail server possibility you suggested seems overkill. I would grade security of data transfer much higher than data loss; although data loss is definitely a bad thing, a backup or separate server to replace an offline server would be sufficient. But yeah, we will need a web front end for outside access.

 

Spam: I never thought about this and am not sure of the options available.

 

Encrypted email: this is something my boss would love. We're not sure how it works, but it is something that was mentioned. At present documents are zipped with WinZip, encrypted, passworded and then sent, with the password sent in separate emails. Nightmare. If documents could be directly attached and encrypted, that would be amazing.

 

Firewall: not sure this is a concern for us, as we are protected externally.

 

Backups: absolutely critical that we back up the server so that it can be quickly restored in the event of a server failure. At the minute we use tape drives to back up a server, but that's it.


It depends on whether you want traditional redundancy or not. Traditional will require duplicate hardware and software with a package from Double-Take. This is extremely costly, as you are doubling the hardware and software costs. IMO, get a Unitrends appliance to try; it will cost the same as replacing your backup solution with a fully licensed Symantec solution.

Exchange: 1 Exchange server will do everything you need. Spam will be a little harder; Barracuda is expensive but one of the best in-house solutions out there. There are some free ones, but I would suggest a supported solution for when you get in a bind.

Firewall: what do you mean by externally protected? You will need to have control of your firewall to poke holes into your network for mail traffic to come in.

You will need a static IP from your ISP to best serve your mail solution.

Lastly, you will need an SSL cert for your Exchange server.

As it stands now, get a trial of Zix. They offer a free trial.

This whole project could be well over 100k, possibly 200k USD, depending on what you want. I have no clue what type of budget we are working with.

When I did a redundant mail server solution in 2008 it was about 90k. No Zix, no firewall, no backup, no DR. About 35k was software and licensing; the rest was hardware and labor. I tell you this so that you aren't going to get sticker shock when you start looking into this solution. People go with Office365 or Google Docs because of their initial cost out of pocket; it gets expensive to bring this in house.
