Small Biz Network help/suggestions

PeterG81

Mar 6, 2011
Hi All,

I'm helping my dad revamp their small business network which is 10+ years old. I have experience with basic linux servers and basic networking so I hope my questions and statements are detailed enough to give the community some good stuff to go off of. Please let me know if you have any questions and thanks in advance for the help.

This small business network is very old and in dire need of upgrading. Their network still runs off of a Cat5 ethernet hub with manual IP configurations done at each and every computer around the office. There's no firewall other than the basic one built into the company's T1 modem (also old). The company also has a Windows server whose only purpose is to host their accounting software and allow for multiple logins (so people can be entering invoices/checks, etc. at the same time). What I want to do is this:

1. Replace the hub with a smart switch (24 or 26 port should be plenty)
2. Add in a router that can handle DHCP for the wired connections and act as a firewall between the WAN and LAN (I'm thinking of setting up a basic computer with ClearOS but maybe I should just buy a basic hardware router--what does the community think?)
3. Add in a wireless access point off the switch that the router (above) will manage and will force certain restrictions over (for example, guests logging into wireless can use the internet but not access the server)
4. Update the server to a new tower that runs Windows Server 2012 Standard and does a number of things for the LAN that the company never implemented before, such as:
a. Create an active directory that manages the logins of all the client computers (all windows machines) on the network
b. Set up a VPN to allow remote access to the server from the interwebs
c. Set up both some local "server" backups onto USB HDDs that are plugged in, and set up network backups to certain client computers around the network
d. Set up the accounting software server and allow access for both LAN clients and internet VPN logins to access the accounting software


The way the company is set up now basically has no access control and no active directory. The server sits on the network and as long as a LAN computer types in the network IP and maps the server's HDD to a letter (such as the "H:\" for example) that computer has read/write access to the server. Then, these computers install the client accounting software and just configure the client software to the directory of the server files on the server. Then the client accounting program allows them to make changes, work, etc.

Here are my questions:

How much should I have the router manage and how much should Windows server manage? Should I let the router be the WAN firewall and the DHCP server for the LAN? I probably shouldn't have windows server be the router in addition to being the server, but how do I configure the router to maintain the IPs and do DHCP but then have the windows server manage the active directory and manage the staff logins and determine permissions for each of the staff? How do I define to the windows server that it only needs to manage the active directory, and to listen to the router's naming of which computers are on which IPs?

How do the windows clients know that the server is acting also as the access control manager and to listen to the windows server when trying to log into the network?

How do I set up wired guest accounts to give some computers (or some logins) internet access without server access?

If I set up a wireless access point, how do I configure it to listen to the router and again, do I let windows server also manage active directory on the wireless?

If I install carbonite or a similar backup service on the server, is that recommended? What does the community think of options like that?

Will ClearOS play nice with windows server 2012 and can I successfully define what responsibilities ClearOS has versus windows server 2012?

I realize a lot of these questions go beyond community suggestions, so if anyone has recommendations on where I can find out more about windows work domains and active directories, etc, I'd absolutely appreciate it. Thanks all!!

 
Emerald hit some of the big questions that first come to my mind as well. Server 2012 is a wonderful OS, but is your software compatible with it? Are there updates to your software that will need to be installed (read: purchased) to get it compatible? What kind of computer systems do you have as your individual user workstations? I'd highly recommend using only Windows 7 Professional or Windows 8 Professional for this sort of network.

So let's look at the network side first. For simplicity (and cost) I'd probably suggest looking at a pre-built network security appliance instead of building your own when looking at this sort of network. Yes, there's a lot of options out there for do-it-yourself firewalls on some very efficient and highly customizable Linux servers, such as pfSense, but when it comes to support, it's going to be worth it to buy a unit that has plenty of documentation and an organization of technicians and customer support staff available to help if you need assistance or replacements. A SonicWall TZ 105 is not very expensive, usually less than $300, and can do everything that you are looking at. Multiple network ranges and interfaces or VLANs, firewall access control, VPN at the network level, etc. If you are going to have to put in a router anyways, this is a great option for the cost.

Next you will want to find a switch that is manageable and supports VLANs. Since you talked about separating guest and private networks, the best way to do this with a single access point is to utilize VLANs. A single quality AP like the Ubiquiti UniFi access points can operate multiple SSIDs and even multiple VLAN tagging to keep all of the network traffic separated. You could achieve the same thing with using individual wireless access points (one for each SSID/VLAN) but if you wish to run more than two, it starts getting messy and complex compared to just utilizing VLANs. I've had great luck with the HP ProCurve 1810 series of switches. They come in a wide range of ports and speed from 8-port 10/100, gigabit, to 48 port gigabit. However, if you need something with PoE capabilities, you're going to need to step up in the lines to something like the HP ProCurve 2530 which is going to be more expensive.

You can set up a DHCP server on the router which will hand out IP addresses to all computers connecting to the device (except any which explicitly have set a static IP address.) One thing specifically you wish to set if you are going to make a domain, is the Primary DNS Server Address should be set to the IP address of your domain controller (which should be set as a static IP address.) This makes it so all of the computers in your network will communicate back to your domain controller for internet access. You can then join the individual workstations to the domain (they will become members and will utilize the user accounts created within your domain controller.)

There are two ways to control access to network resources or shared data. The first is at the network level, and this is what I was talking about before with VLANs. In this situation, like with a guest network, they are entirely separate networks. This means that Private LAN may have an IP address network of 192.168.1.0 and your Public LAN may have an IP address network of 192.168.2.0. You can completely block network traffic between these two network zones within your SonicWall using the firewall access control. You can even allow access to specific resources, such as a network printer residing on a specific IP address within the Private LAN while blocking all others. The other part to user account access restriction is with user account control on your domain controller or the network shares. This is for people logged into the SAME VLAN (such as a user logging into your workstation in the Private VLAN.) You can set up their individual user account with access to only specific policies (such as disabling control panel, etc.) as well as not allowing them access to certain shared folders (which is actually done in the shared permissions of individual shared folders.)

Let's talk then quickly on the server. Unfortunately I don't know exactly how much system resources you may need or the amount of storage space you will need. Determining the requirements of your software is the first step, and seeing if you will have to upgrade your software to meet with compatibility is also important. Running a domain controller isn't too resource-intensive, but I would highly recommend looking into virtualization for your server. The newest version of Windows Server 2012 Essentials R2 fits your needs quite well. It will allow you to license installing in one physical server, add the Hyper-V role for virtualization, and run one virtual machine of Windows Server 2012 Essentials R2 (using the same license key) to do all of your actual services including domain controller, backup server, and application server. The backup utility built into WS2012 Essentials is quite nice and can back up all of your end workstation computers as well automatically. However, this will require quite a bit more storage space on your server of course.

Once we have a better idea of the type of system resources and storage capacity you need for your server, I might be able to help with more details on system requirements and recommendations for your primary server, but be warned, this isn't something you can do cheap! I've warned many small business owners that skimping on their business server will greatly jeopardize reliability, expandability, or the server's longevity and can cost them even more in the long run.

Utilizing off-site online-hosted backup solutions can be kind of iffy for financial information. If your accounting software records any sort of credit card or personal information from a customer or employee, then you really can't push that data off-site to a cloud-hosted backup solution unless it's a very specific solution designed for that sort of data which can ensure the right encryption and limiting access.
 


Hey guys, this is great, thank you for all the suggestions. Let me answer your questions, and I have a few more of my own.

The last I checked this business only had about 15 computers on the network including the server. It's 50% Windows 7 Pro, 50% Windows XP Pro. I can update them all to 7 Pro or Ultimate. No Linux, no Mac.

The last supported server version of their accounting software though is 2008 R2. That could be an issue; I'll call the company and check.

But that makes me wonder. Could I have some virtualization run a 2008 or 2003 environment to host the accounting software, within the 2012 server? I think there could be some advantages to doing that. I'm not up to speed on Hyper-V but this is a very basic environment, I'd imagine.

What if we did this: They already have a basic but robust home-designed Netgear Wi-Fi router. What if I assigned that to be the router for the WAN plus the wireless access point, but reserved all domain controlling, DHCP, DNS, etc. to the 2012 server and implemented security policies, Active Directory, VPN and other network features through it? The Netgear will have a basic firewall and the server will implement everything I write above and additional security policies. Would this be possible? That way the Server 2012 environment can control everything but there will still be a basic firewall at the WAN level.

Now what I need to do is take the existing network and remove the client computers' current policy, which is nothing more than manual IP entry. Establish a domain. Get all those computers on the domain and get them to listen to the server as the DHCP and Active Directory source or controller. I need to figure out how to do that to computers that already have a basic MS workgroup setup and already have local user accounts. Switch it over so those local accounts need to be dependent on the domain the server controls.

Then once the domain is up I need to establish the VPN server on the server and allow some of those Active Directory users permission to log in via VPN. I know little about VPN tech; I'll need to learn more about it.

I like the idea of the VLAN too. The Netgear supports it but maybe I could have the Windows server also deploy a VLAN for the wireless users. Not sure about the way to implement that. In other words, I could have the Netgear run on WPA2 and request a password, but once that's granted have the Windows server machine either grant it guest/VLAN IPs or, in order to get onto the "main" network, request domain login credentials. Maybe that's asking for too much though; I'm not sure VLANs are built to do that.

Okay, I know that's a ton of stuff but I really appreciate all the help. I look forward to continuing the discussion. Thank you!
 
I'll try to go through this in pieces, but I apologize in advance if I leave something out or miss one of your questions!

So given what you are wanting to do with your server, I'd probably suggest now looking into Server 2012 Standard instead of Server 2012 Essentials. It's more expensive, but it gives you more virtualization rights and here's why: Instead of creating one virtual machine which does all of your DHCP/DNS/Active Directory/Shared Folders/Accounting Software/ and everything else in your network, compartmentalize these and create two separate virtual machines. Set up one Server 2012 VM to run as your DNS/DHCP/Active Directory and shared storage. Then create a separate VM for your application server. This way if you want you can utilize an older server OS like 2008 R2 running alongside the newer Server 2012 VM for your domain services - the best of both worlds. The added benefit here as well is the flexibility to work on components independently of one another. For example, if you need to perform maintenance, upgrades, or installations to your primary accounting software which may require the VM to be taken offline or restarted, you aren't also having to take your primary domain controller and shared storage offline. Vice versa, changes to your domain controller will not affect in any other way your application server.

Joining computers to a domain is pretty simple, and there are MANY great guides and videos online that show the steps to prepare and to join computers to a domain, just do a quick google search for "Join a Windows computer to a domain." The most difficult part of this process will be migrating user account information and settings. This can be done through registry editing and manual configuration of parameters in the user profiles on each computer and such, but I personally tend to just copy and paste the necessary files and things from the old (local) user account to the new (domain) user account for each user that's necessary on that given workstation. For a small network office this isn't too big of a deal but any larger than that and it would be a real headache!

A home wireless router will not support VLANs, as this is something of an enterprise-level feature. What is the model of your wireless router? Also, Windows Server doesn't configure and run VLANs, this is specifically something at the network hardware level, not the application layer, so would have to be supported on your routers and switches. Windows Server 2012 does support features for creating remote-to-site VPN connections, but personally I have never used them. One problem with this is you are creating a VPN connection back to the server only, but it's not a network-level VPN, so really a remote user only has access to the server and that's it. It's usually more ideal to allow for a network-level VPN connection where a user is connected to the entire network (that they should normally have access to) which means they could also have access to their own computer such as remote desktop, or even network shared printers or other devices, etc.

Think of VLANs as completely separate physical networks. This means that, using standard home wireless routers, you'd have to have two separate wireless routers, one for each wireless network signal. One would be for a public network, one would be for a private network. These two networks would not be connected or controlled in any way by the domain controller because, again, VLANs work at the network hardware level and not at the application layer, so it is a much lower (and secure) level of operation. You can use a single access point device to broadcast both wireless networks simultaneously if your access point supports multiple SSIDs and VLAN tagging and trunking. Guest users would log into the guest wireless network and would have access to the internet, but generally are not in any way going to have access to the server. These computers aren't even joined to the domain, they're in a completely separated isolated network. The staff computers would join to the private network and could be joined to the domain with a domain user account.

It sounds like, perhaps, what you are instead meaning is to have one singular wireless network with domain-controlled user accounts, but some of those user accounts would just have limited access. You can do this, but I really need to clarify something with this: Do you intend to allow general public and strangers onto your wireless network, or would this be solely for staff? If you wish to allow for public access, whether through their own devices or your own, then you should NOT put it together on the same network as your domain controller. This is opening you up at the application layer to possible access to restricted resources. A person messing around (or knowing what they're doing) can sign in to your "guest" network and even if they don't have any server permissions, because they are on the same physical network now, could infiltrate and gain access to your server resources and shared data pretty easily. This is the reason for two SEPARATE and protected VLANs.
 


This is really excellent information thank you so much! I do have a few more details and questions for you, though if you don't mind.

I agree on the setup you suggest. I think I should put Server 2012 Standard on the hardware and have it be the local, hardware-run OS. Instead of making two VMs though, what about having the installed 2012 server act as the domain controller and the file server, and have a Hyper-V session run Server 2008 with the needed network applications such as the accounting software? In other words, the native machine manages the network and hosts the file server, and the Hyper-V session runs the server-side applications?

To answer your question, I believe the current company wireless access point is a Netgear WNDR4300 or similar. It's a fine router but has minimal VLAN configuration and no VPN.

So how about, in addition to the 24-port switch we're going to upgrade to (no PoE necessary), we get something like a Cisco RV215WAK9NA? This has some VLAN ability and a nice VPN setup on the network level.

I know this is a newbie question but I'm still having a bit of trouble wrapping my head around the job of the router versus the job of the Windows Server domain controller and other similar domain management features in Windows Server. I admit I've never administered a network from Windows Server, only a very small network from CentOS, so a lot of this stuff conceptually is a bit new to me.

So the router is going to set up and administer 2 or 3 of these LANs or VLANs, I think. We have the LAN for all the plugged-in computers--these computers are going to require a Windows login and the server will determine how much access each account will have. What else will the router do versus the Windows server? Come to think of it, if the server is broadcasting the domain then all the wired computers are going to run from the switch right to the server, right? I assume we want to give the server (not the router) DHCP control, so the server determines which computers are on the network and knows what IPs they are (it even assigns the IPs). Then there's the Active Directory controls also coming from the server. What does the router do for this LAN? It doesn't assign the IPs, and I don't think it controls too much traffic. It does allow all of these computers outside/internet access as it's hooked in from the switch's uplink port. What cars in my train of thought am I missing here?

Because the router houses the wireless access point I have a better idea of what it does. We can set up 2 VLANs here, one running on WPA2 that will be for the company staff. This VLAN can, perhaps, follow the same rules as the wired network--require a Windows domain login, and grant the same access permissions as the users who log on via ethernet, because they're of course the same users. Come to think of it this might not be a VLAN at all, it's the exact same LAN that I describe above just with a wireless portion of it open. Is that possible? If that leaves the network too insecure, then perhaps we do a VLAN that is separate from the wired LAN but grants similar permissions to the users as if they were on the wired portion of the LAN.

Then we broadcast another SSID on a VLAN not the same as either of the ones I describe above that's for guests. It's also WPA2 and will require a password but grants very little access to the LAN I describe above. No printers, no file servers, etc. Just internet access. This is easy for the larger staff too who want to connect their cell phones to the wifi but have no interest in the intranet.

The router can handle those things. But can the router direct the "staff/LAN" wireless SSID to the windows server so, like the wired computers, their permissions can be managed in a similar way?

The other thing that the router will manage is the network-level VPN which is great. I think of the 10 staff who need to be on the domain while at work, only 2 will need VPN access so I think this should be easy. But again, once they get into the VPN will their network access and permissions follow the same domain procedures as their local, wired computers/logins? Once in the VPN how do they communicate with the windows domain controller and server?

It's funny, I'm starting to understand how all the details of this work as I type it out. I'm sure a lot of these settings are established in the cisco router (for example, set wired computers to go to the DNS IP that the 2012 server has running (setup the windows DNS and DHCP servers first), have the windows server set the router's IP for the gateway, etc) -- assuming the router can do what I suggest above, it can direct the staff wireless SSID to let successful clients be directed toward the server's DNS, and the guest SSID head out to the internet only.

I guess my only other question is figuring out (and I'm sure this is a quick guide/Google search) how to put the Hyper-V session on the network. I can have 2012 Server give it its own IP, right? I've seen other networks have this sort of thing established. Then I assume I have 2012 manage that Hyper-V server ("add other servers to manage") and dole out its permissions and accesses to various clients/logins.

Thanks again for listening and for direction. I'm starting to piece everything together here in my head. Any other thoughts or suggestions I would absolutely appreciate. Thanks again!
 
I think you really need to first look at what LAYERS these devices work at to know what areas they are going to manage. Your Windows server cannot tell your router what its default gateway address is. The default gateway address has to be set by the router. A DHCP server can be set up to run within Windows, but it may be a little confusing at this point for you to try and incorporate that.

Here's how I would do it personally. Let all of your NETWORK equipment handle the NETWORK, and your server and domain controller manage your users, permissions, and shares. I haven't used the Cisco router that you described so I honestly can't tell you anything about it for recommendations. In the past we've always used Sonicwall firewalls so that's about the only thing I can go off of to compare with your situation here and recommend. Also, while you can get firewall routers with wireless included, I usually don't recommend this! First, your firewall router isn't always ideally located for wireless signal, and it may also not be very powerful or highly configurable. You can use your existing wireless router as a wireless access point (it would just not do any routing) but that would only be able to operate a single SSID and VLAN, meaning you'd need a second one for your other wireless network. Alternatively, utilize an actual business wireless access point which is designed and capable of broadcasting multiple SSIDs and doing VLAN tagging.

So the network topology would look something like this. Your internet will come in either to a modem or directly to the WAN port on your firewall. One of the configurable LAN ports on your firewall is going to be set up as the Default Gateway (192.168.1.1) for your Private VLAN (we'll call this VLAN101.) A second configurable LAN port is going to be set up as the Default Gateway (192.168.2.1) for your Public VLAN (this will be VLAN102.)

Your switch will handle VLAN tagging different ways depending upon the brand, so you may have to do some research on that. But basically you will have to set up the VLAN101 and VLAN102 on your switch, and all end computers plugged into ports on your switch that belong to VLAN101 will be UNTAGGED for VLAN101. This also includes the ports connecting your switch back to the proper default gateway port on your firewall. You will have to set up a UNTAGGED port for VLAN102 that will connect your switch to your firewall going to the proper default gateway port for VLAN102. Finally, set up a TAGGED port for BOTH VLAN101 and VLAN102 that will go from your switch to your wireless access point. THIS WILL BE DIFFERENT IF YOU UTILIZE SEPARATE WIRELESS ROUTERS.

Your firewall router will then have two DHCP pools configured, one for VLAN101 (your Private LAN) and another for VLAN102. It will hand out the IP address info, default gateway, and DNS. So it's going to look something like this:

VLAN101 DHCP Pool:
IP Address Range: 192.168.1.100 - 192.168.1.150
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DNS Server: 192.168.1.2 (this is your domain controller IP address)
Secondary DNS Server: 8.8.8.8 (or the DNS address provided by your ISP)

VLAN102 DHCP Pool:
IP Address Range: 192.168.2.100 - 192.168.2.150
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.2.1
DNS Server: 8.8.8.8 (Your public network will not be able to reach your domain controller, so utilize your ISP DNS server address.)
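As an added example that is not part of the thread, here is a small Python model of the two-VLAN design above: it checks each DHCP pool for the mistakes the post warns about (a static address such as the domain controller sitting inside the pool, or a DNS server the guest VLAN can never reach) and encodes the firewall access policy between VLAN101 and VLAN102. The printer at 192.168.1.50 is a constructed placeholder for the "specific resource" exception mentioned earlier; everything else uses the addresses from the post.

```python
"""Model of the VLAN101 (private) / VLAN102 (guest) design with the router's
DHCP pools and the firewall policy between the zones.  Standard library only.
The printer address 192.168.1.50 is constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Vlan:
    name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address      # firewall LAN port for this VLAN
    pool_first: ipaddress.IPv4Address   # DHCP pool handed out by the router
    pool_last: ipaddress.IPv4Address
    dns: tuple                          # DNS servers pushed to DHCP clients
    static_hosts: dict                  # name -> address, configured by hand


def vlan(name, net, gw, first, last, dns, static_hosts=None):
    """Build a Vlan from plain strings."""
    return Vlan(name, ipaddress.ip_network(net), ipaddress.ip_address(gw),
                ipaddress.ip_address(first), ipaddress.ip_address(last),
                tuple(ipaddress.ip_address(d) for d in dns),
                {k: ipaddress.ip_address(v) for k, v in (static_hosts or {}).items()})


# Values from the post above; the printer is a constructed placeholder.
PRIVATE = vlan("VLAN101 private", "192.168.1.0/24", "192.168.1.1",
               "192.168.1.100", "192.168.1.150", ["192.168.1.2", "8.8.8.8"],
               {"domain controller": "192.168.1.2", "printer": "192.168.1.50"})
GUEST = vlan("VLAN102 guest", "192.168.2.0/24", "192.168.2.1",
             "192.168.2.100", "192.168.2.150", ["8.8.8.8"])
VLANS = (PRIVATE, GUEST)

# Private-VLAN addresses that guests are explicitly allowed to reach (constructed).
GUEST_EXCEPTIONS = {PRIVATE.static_hosts["printer"]}


def check_pool(v):
    """Return the addressing mistakes in a VLAN; an empty list means it is sound."""
    problems = []
    if v.gateway not in v.network:
        problems.append(f"{v.name}: gateway {v.gateway} is not in {v.network}")
    if v.pool_first not in v.network or v.pool_last not in v.network:
        problems.append(f"{v.name}: DHCP pool is not inside {v.network}")
    if v.pool_first > v.pool_last:
        problems.append(f"{v.name}: DHCP pool range is reversed")
    # Statically assigned addresses (gateway, domain controller, printer) must sit
    # outside the pool, otherwise the router may lease an address already in use.
    for addr in {v.gateway, *v.static_hosts.values()}:
        if v.pool_first <= addr <= v.pool_last:
            problems.append(f"{v.name}: static address {addr} is inside the DHCP pool")
    # A DNS server in another private VLAN is unreachable once the firewall blocks
    # inter-VLAN traffic, which is why the guest pool must use a public resolver.
    for d in v.dns:
        if d.is_private and d not in v.network:
            problems.append(f"{v.name}: DNS server {d} is in another VLAN")
    return problems


def locate(addr):
    """Return the VLAN that contains addr, or None if it is an internet address."""
    for v in VLANS:
        if addr in v.network:
            return v
    return None


def allowed(src, dst):
    """Firewall access policy between the zones, as described in the thread."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_vlan, dst_vlan = locate(s), locate(d)
    if src_vlan is None:
        return False                  # unsolicited inbound from the internet is dropped
    if dst_vlan is None:
        return True                   # both VLANs may browse the internet
    if src_vlan is dst_vlan:
        return True                   # same VLAN: switch forwards, share permissions apply
    if src_vlan is GUEST and dst_vlan is PRIVATE:
        return d in GUEST_EXCEPTIONS  # only listed resources, never the domain controller
    return False                      # everything else between zones is blocked


if __name__ == "__main__":
    for v in VLANS:
        print(v.name, "OK" if not check_pool(v) else check_pool(v))
    print("guest -> domain controller allowed?", allowed("192.168.2.120", "192.168.1.2"))
```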

Now, quickly I wanted to address your questions on your server. I would HIGHLY recommend virtualizing ALL of your server roles. Do not use the physical install for anything but running your virtual machines. If something happens to your physical machine, you can move your VMs to any other computer, regardless of hardware, running Windows 8 Pro or Windows Server 2012 and bring them up in Hyper-V and you're up and running. However, if your physical server is running those roles, you have to have that same physical hardware to bring any backup up again. If you're running a virtualization environment, leave only the Hyper-V role on the physical system and virtualize everything for your actual services.

There are so many ways to set up and configure VPNs, many of them can be really effective, but can also be very complex to get set up. If your firewall supports VPN connectivity (such as L2TP remote user logins) then it's connecting at the network level. Think of it this way. When a user out at their house or elsewhere connects back to the office through the remote VPN connection, it should basically just function as if that computer was suddenly connected to the network back at the office. If settings are done properly in the VPN addresses and everything, you should be able to connect to shared folders using the same domain usernames and passwords as if you were back at the office, and you could have access to any other shared network resource you might need such as network printers. I know that some VPNs set up and run directly from a server will not operate at the network level and operate connecting only to the server. This means they might get access to the server shared files for THAT server, they're not going to have access to anything else in the network, such as printers, other servers, or if they needed even to remote desktop or access another computer in the local network.

Hyper-V handles network connectivity for virtual machines through a virtual switch manager. This can be confusing to comprehend at first until you start actually playing with it, but I find Windows Hyper-V much easier to understand and work with than any others when it comes to virtual switch management.

To understand it best, consider that your server has two ethernet ports, not just one (and most true servers will have at least two if not more.) You are going to set up one of those ethernet ports as your "management" port which will have the IP address for your physical machine. You will then set your second ethernet port as the virtual switch for your Hyper-V machines. Each of your virtual machines will have a virtual NIC (yes, you can even configure multiple virtual NICs, but let's keep this simple.) Each virtual NIC will "appear" on that second physical NIC just as if there were an imaginary switch being run by the operating system connecting that one physical port out to your network and several internal ports to each of your virtual machines. This is the simplest configuration and often the most efficient, but there's so much customization you can do with this for improving throughput or management if you have multiple NICs on your server.
 
Choucove, you rock. This is excellent help I really appreciate you taking your time to help me (and I hope the community too!). I have just a few more questions and comments for you, but I think I'm in good shape/know what to do here.



Yes, I agree. I'll set up the router to refer all computers over to the server (or an AD DS Hyper-V session) as the primary DNS and use Google or their ISP's DNS as a secondary. That way if the server has to go down for whatever reason at least the office has internet access. While there are some benefits to having Windows be the DHCP server it's probably largely unnecessary at this time; let's let the router be the DHCP server and let the Windows server be the AD DS and the primary DNS for the LAN.

I suppose if I wanted to get extra safe I could employ a small computer or a second (or third, even though this won't work on 2012 Standard) Hyper-V session to be a redundant DNS+AD DS as well. I know most larger offices do that in case they need to bring one down for maintenance or updates. That said, because this office is so small (only 10 computers on the domain) I don't think it will be a problem.



I think I only need to create two separate VLANs: one for all wired PCs (meaning the switch only needs to handle one LAN, one subnet--this is managed by the router's LAN1 port as you explain and will direct to the AD DS) and one for the wireless (which, as you explain, bypasses the domain controller and the whole wired subnet and just sends successfully authenticated WPA2 logins to the internet--the router's LAN2 port will manage the wireless). I don't believe they need their wireless users to join the domain. I think that should make that portion of the setup easy.



Yeah, I agree that's a good idea, though I haven't had a lot of time to play around with Hyper-V so I'm unfamiliar with the setup. With 2 possible sessions in Server 2012 Standard, I could do the AD DS, DNS and file folder shares on one deploying 2012, and a 2008 deploying the application server for the accounting software.



Yes, this is very helpful, thank you. I think using IPsec is a little too complex for their office; they aren't doing any site-to-site hookups, it's only outside users dialing in to be on the network to access their local stuff. The router I'm looking at allows up to 5 VPN connections at once, which is more than enough (I think 2 at one time is the max). Some kind of SSL full tunnel is probably the best way to implement it, I think. Then we'll just make sure their VPN-ready computers are also a part of the domain so the AD can give each user their appropriate access.



Yeah, I do need to play around with it but this does make sense. The benefits of using the two different actual server NICs (on the motherboard) are so the one "real" NIC will allow for dial-in or VNC access, and the other to distribute the services? What are the other benefits of using the one NIC for the actual server and the other NIC for the virtual switch for the services?

Thanks again!!
 
The purpose in designating a single separate NIC just for the physical server is so that, even if you make changes or additions to your other NICs, or make modifications to the IP address settings of your virtual switch network (which can also be helpful if you wish to set up a third, completely separate and isolated Management LAN) it will not conflict with or cause you to lose connection with your host server.

It's possible to set up a single NIC to have the management server access as well as allow access through for your virtual machines, but due to throughput bottlenecks and configuration flexibility, it's highly recommended to at least have two NICs and separate out your traffic, one ethernet port for the management of the physical server, one ethernet for your virtual machines.