Archive for February, 2011

What inbound ports do I need to open on my firewall for SBS 2011 Essentials?

Friday, February 25th, 2011

Small Business Server 2011 Essentials (SBS 2011 Essentials) is a little different from previous versions of SBS that we’ve all come to know and appreciate. SBS 2011 Essentials does not have an on-premises mail server or SharePoint Companyweb. As a result it requires fewer ports open than SBS 2011 Standard or previous versions of SBS.

If you have a UPnP router then all the hard work is done for you by the Internet Address Management Wizard that you run during configuration of the server. It will automatically open ports 80 and 443, which is all you need.

If however you are like me and want to control the router/firewall directly then you will need to manually configure the following ports to be open and forwarded to your SBS 2011 Essentials server.

Port 80 – does NOT need to be open at all in reality.  It’s there to provide an easy redirect for our users when they go to access the Remote Web Access feature of SBS 2011 Essentials.  Having this port open allows the user to type in remote.mycompany.com into a web browser which will then go direct to our server.  The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted.  You can safely close this port to reduce your attack profile but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote. My advice is to train your users  – put this URL on the back of a business card for them to make it easy to handle.

Port 443 – this is a mandatory one.  This needs to be open and forwarded to your SBS 2011 Essentials server to allow access to the Remote Web Access website.  All traffic over this connection is encrypted so it’s safe and secure. If this is not open then none of these functions will work outside your office.

That’s it really – SBS 2011 Essentials, due to its reduced on-premises functionality, requires fewer ports to be opened on your firewall and an easier configuration all round.

Posted in FAQs | 1 Comment »

How can I display my users and their mailbox sizes on SBS 2008?

Thursday, February 24th, 2011

In SBS 2003 or Exchange 2003 you could do this easily via the Exchange management console.  However on SBS 2008 or Exchange 2007, you can’t see that same information there. 

To display your users’ mailbox sizes you need to use a PowerShell command.

  1. Log on to the SBS 2008 server as your administrator account.
  2. Open the Exchange Management Shell from the Exchange 2007 program group.
  3. Run the following command:
     Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,TotalItemSize,ItemCount
  4. It will display your users, their mailbox size and the number of items in their mailbox as per the sample below.

DisplayName                TotalItemSize                              ItemCount
-----------                -------------                              ---------
Wayne Small                6405451283B                                   146801
Wayne Archive              2701259499B                                   344795
sbsadmin                   343827053B                                       621
MSPSS                      321101808B                                       576
Wayne Small – Smallfamily  192929645B                                      4317
Accounts                   87181801B                                        845
Administrator              8326865B                                        1206
SystemMailbox{1B8F90DE-… 369231B                                          402
Microsoft System Attendant 0B                                                 0

Posted in FAQs | 1 Comment »

MVP Nation – I’m presenting!

Wednesday, February 23rd, 2011

Later this week I’m flying to Seattle for a couple of conferences. One of them is a public conference called MVP Nation. Organised by SMB maestro Harry Brelsford, this event will link together MVPs, the community and vendors across a variety of topics. You can find out more here

I’m involved in 3 sessions there across a number of “How To” topics and I’m really looking forward to it.

 

HT2: How To Be A Speaker/Trainer Who Excites Audiences And Exceeds Expectations
Successfully stand and deliver impactful presentations that fully deliver on your presentation potential. Learn how to promise upfront what you’ll say, say it and then confirm that you’ve kept your promise. Audience engagement is a function of credible content, trust and delivery. Think of this as “Toastmasters” for MVPs and other potential speakers.
Kevin Royalty | Matt Makowicz | Wayne Small

 

HT6: How To Work With Vendors, OEMs, ISVs!
Amy, Andy, Wayne, Greg and Julian are all successful communicators. As VARs Amy, Andy and Wayne have worked closely with vendors to produce extraordinary results for their clients and the user base of the vendor’s products. As Vendors, Hewlett Packard and GFI have engaged MVPs and partners at very deep levels in their company to help drive the direction of product development. Why do they invest their time to do this? How can you as an MVP or IT Pro have meaningful influence with your vendors? How can vendors engage MVPs and partners in a way that creates positive results for the product line? In this panel session the secret to successful vendor/partner relationships will be revealed and examples provided on how these great communicators get value for themselves, for the community and for their companies by investing the time to build a two-way street of open communication.
Amy Babinchak | Andy Goodman | Greg Starks | Julian Waits | Wayne Small

 

HT9: How To Work With Other MVP Product Groups
Remember that the intent of MVP Nation focuses on helping MVPs become better MVPs. This impactful session focuses on connecting different MVP product groups to work together. Historically, MVPs received their award for one product area. Many MVPs are unaware of the other MVP groups and how to reach out and connect with these groups. Simply stated – we’re better together and the reality is that Microsoft solutions now cross several product stacks.
Wayne Small

Posted in Blog | No Comments »

What inbound ports do I need to open on my firewall for SBS 2011 Standard?

Tuesday, February 22nd, 2011

Small Business Server 2011 Standard (SBS 2011 Standard) needs to have a few ports open on your firewall router to allow specific traffic to flow into your SBS 2011 server for proper operation. You can use the UPnP protocol to automatically configure your firewall if you permit it. To do so, ensure that UPnP is enabled on your firewall and run the Internet Address Management Wizard – it will do the rest. If however you, like me, are more security conscious, you will want to make any changes to your firewall settings manually and you will want to disable UPnP. I do this routinely as I’ve had scenarios where a user on the network has loaded a third party application and that application has then redirected critical ports such as port 443 to itself, breaking remote access to applications on the SBS 2011 server.

So if you are going to control things manually you will need to have the following ports open.  Note that you do NOT have to have them ALL open – but you need to open them IF you wish to use that functionality.  Certain ports such as port 25 and 3389 may well need additional configuration to secure them in the best manner.

Port 25 – is required for all SMTP inbound mail.  If you have no external email filtering or antispam software then you will need to leave this open for all external IPs.  If however you are using something like ExchangeDefender or Trend IMHS then you will need to lock down the external IPs that this port can talk to.  If this port is NOT open then you will not be able to receive external email. 

Port 80 – does NOT need to be open at all in reality.  It’s there to provide an easy redirect for our users when they go to access the Remote Web Access feature of SBS 2011.  Having this port open allows the user to type in remote.mycompany.com into a web browser which will then go direct to our server.  The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted.  You can safely close this port to reduce your attack profile but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote

Port 443 – this is a mandatory one.  This is the secret behind SBS 2011 and over this encrypted channel you will be able to access Remote Web Access (RWA), Outlook Web Access, Activesync for your mobile devices and Outlook Anywhere.  If this is not open then none of these functions will work outside your office.

Port 987 – this port is used for SSL encrypted access to the CompanyWeb. It uses the same SSL certificate as the one you installed with the Certificate Wizard and will provide external access to Companyweb. If this port is not open then you will not have external access to Companyweb at all.

Port 1723 – is an optional port.  You will need this open if you wish to use VPN to access the network remotely.

Port 3389 – DOES NOT NEED TO BE OPEN at all. Many people believe they need this open to access the server from remote locations – that is incorrect. Having this port open to the Internet without restriction is a security issue as it then gives remote people direct console access to attempt to penetrate your server. If you must have it open for remote support purposes then install a two factor authentication agent like AuthAnvil or lock the port down so it’s accessible from your remote IP only.

So in a nutshell, you only really need ports 25 and 443 open to the Internet on your firewall to allow MOST of the functionality of SBS 2011 and its Remote Web Access.
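The port guidance in this post and in the SBS 2011 Essentials post above, expressed as an audit of a router's port-forward list (an added example, not part of the original posts). The `Forward` record, the `audit` function, the IP addresses and the sample rules are all constructed for illustration; export your own router's rules into the same shape.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# TCP ports named in the two posts, per edition.
ALLOWED = {
    "essentials": {80, 443},
    "standard": {25, 80, 443, 987, 1723, 3389},
}

@dataclass(frozen=True)
class Forward:
    port: int                    # external TCP port
    target: str                  # internal IP the port is forwarded to
    source: str = "0.0.0.0/0"    # source range allowed to connect

    @property
    def unrestricted(self) -> bool:
        return ip_network(self.source).prefixlen == 0

def audit(rules, edition, server_ip, upnp_enabled=False, mail_filtered=False):
    """Return (severity, port, message) findings, most severe first.
    Port 0 marks a finding about the router itself, not one forward."""
    allowed = ALLOWED[edition]
    findings = []
    if upnp_enabled:
        findings.append(("warn", 0, "UPnP is on: LAN software can re-map forwards"))
    if not any(r.port == 443 and r.target == server_ip for r in rules):
        findings.append(("high", 443, "443 is not forwarded to the server"))
    for r in rules:
        if r.port in allowed and r.target != server_ip:
            findings.append(("high", r.port, f"forwarded to {r.target}, not the server"))
        elif r.port not in allowed:
            findings.append(("warn", r.port, f"not a port SBS 2011 {edition} uses"))
        elif r.port == 3389 and r.unrestricted:
            findings.append(("high", 3389, "RDP open to any source: close or restrict it"))
        elif r.port == 25 and r.unrestricted and mail_filtered:
            findings.append(("warn", 25, "SMTP open to all: allow only the filtering service"))
        elif r.port == 80:
            findings.append(("info", 80, "redirect only: can be closed"))
    rank = {"high": 0, "warn": 1, "info": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))

# Constructed sample: a Standard server behind a router with UPnP left on.
SERVER = "192.168.16.2"
RULES = [
    Forward(25, SERVER),
    Forward(80, SERVER),
    Forward(443, "192.168.16.57"),   # re-mapped to a workstation, as in the post
    Forward(1723, SERVER),
    Forward(3389, SERVER),
    Forward(8080, "192.168.16.57"),
]

if __name__ == "__main__":
    for sev, port, msg in audit(RULES, "standard", SERVER,
                                upnp_enabled=True, mail_filtered=True):
        print(f"{sev:5} {port:>5}  {msg}")
```

A forward for 3389 with a single-address `source` such as a `/32` passes the check, matching the post's advice to lock the port to your remote IP.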

Posted in FAQs | 3 Comments »

Do not disable IPv6 in SBS 2011

Saturday, February 19th, 2011

I posted a few weeks back about how there is no good reason to disable IPv6 on SBS 2008 and how I was pretty sure that you should not do the same on SBS 2011 either.  Well Microsoft’s SBS support team have posted that indeed you should not do it.  Their blog post here lists some of the problems that can be had if you disable IPv6 on SBS 2011.  They also show how to disable it correctly if you have to do it.

I’m yet to have anyone give me a reason as to why you should disable it on either SBS 2008 or SBS 2011.

Posted in Blog | 3 Comments »

How can I avoid large incremental backups with Trend Micro WFBS and StorageCraft ShadowProtect ?

Tuesday, February 15th, 2011

In Trend Micro Worry-Free Business Security 6.0 and higher, Trend have implemented new technology that reduces the size of pattern files distributed to the client machines.  This combined with other architecture changes means that there is quite a lot of disk activity and change at certain times during the day.  The disk activity is really a reorganisation of the pattern files and the database itself and is not actually an increase in the amount of data being stored.  In itself this is not a problem because a backup taken once a day with your favourite backup program will only record the differences between that point in time and the last backup which is fairly small.  However if you backup more often than that you might run into a problem with having very large incremental backups.  This article talks about why that happens and shows how to avoid it.

Any image based backup software such as SBS 2008/SBS 2011 inbuilt backup, or third party backup programs such as StorageCraft ShadowProtect, have the ability to back up very fast and multiple times a day – as much as every 15 minutes in the case of ShadowProtect. This is great from a disaster recovery perspective as it allows you to minimise the data lost due to a system failure to a very small time window. The way these work is to take a base image one time only and then take some form of incremental backup from that point forward. Windows / SBS Backup automatically consolidates these into its backup file which is a VHD. ShadowProtect takes these as incrementals and then ImageManager consolidates these based on various settings.

Now if we look at one of the features of StorageCraft ImageManager called replication – this replication feature allows the incremental images to be sent over a LAN/WAN to another server or via FTP to a remote server.  This is a cool feature because it means as soon as an incremental image is created, it can be shipped offsite quickly and efficiently.  This however relies on the incrementals being able to be small enough that they can be pushed out quickly to the remote location.  Factors such as limited internet bandwidth really come into play here.

Ok – let’s tie this all together now to see the ramifications.

We have Image based backup software that can snapshot the changes made in the last 15 minutes – if there is a program such as WFBS that makes large amounts of disk change in that 15 minutes then the incremental image will be quite a bit larger than normal.  It can be that you will get a few Gigabytes of changes in a short period of time.  These incrementals are fundamental to restoring the server to that specific point in time and therefore we can’t do anything about them per se.

It’s worthwhile noting that programs such as disk defragmentation utilities can also cause large amounts of disk change in short period of time.  Such programs should only be run outside of hours and periodically to minimise the change and therefore backup sizes.  There may well be other programs like this that I’ve not specifically called out – be aware of them if you see things like the large incremental backups and investigate to find out the root cause of the problem.

So how do we get around this problem so that we can have the ability to minimise our backup sizes and give us the power to replicate our incrementals quickly? It’s actually quite simple. The solution is to NOT back up these sections of the system every 15 minutes. Now you can’t do that specifically, so what is really needed is for you to create a partition for Utility programs such as this and install those programs to that partition. You can back up the rest of your server every 15 minutes if that is what you want, but with this partition, simply back it up once a day. You will find that the REAL amount of data change from the start of the day to the end of the day may only be a few hundred MB at most which can easily be replicated outside of business hours. Now – the inbuilt SBS backup can’t do this – only third party programs such as ShadowProtect or Acronis can have multiple backup jobs scheduled.

Given you now have a utility partition, you might want to think about moving other such programs or databases to it – things that are not updated frequently include WSUS – it typically will synchronise once a day and hand out patches during the day.  In a disaster recovery scenario, it typically won’t be an issue to restore the main server from say 4pm today and the utilities partition from 10pm last night.

In my testing, I need to highlight that the problems of large incrementals are not unique to ShadowProtect – when running Trend WFBS on my server with the SBS backup, and 30 minute backup intervals, I observed large incrementals as well – they are just hidden inside the backup itself so it’s not as obvious. The same happened when I ran a defragmentation on my disk drive using SBS backup as well. The moral to that is that it’s very easy to blame one product for another product’s “working by design”.

I hope this helps you understand the issue and ways to work around it.

Posted in FAQs | 2 Comments »

Happy Birthday Correct Solutions!

Monday, February 14th, 2011

14 years ago today, Correct Solutions was born. Since then I’ve been so very proud of how the baby has grown, learnt to crawl, stumble and get up again and finally run so very very well. Correct now has a staff of 21 people and 3 offices in the Sydney area. With partners across Australia, there’s very little that Correct cannot do in terms of network infrastructure.

For those out there that have been running your own business for more than a few years, you will realise just how easy it is…. NOT!  Things like this don’t happen as a fluke – they happen as a result of good people, both inside the business and outside the business.  I have been so very fortunate to have many good people along the way to help me when it was me alone, and later meeting Ryan Spillane and the energy and huge influence he has in how the business has grown.  One cannot ask for a better business partner and friend.

To the team @ Correct – keep on doing all the great things that we are doing.

Posted in Blog | 1 Comment »

SBS 2011 – From 50,000 feet to ground level and back again

Saturday, February 12th, 2011

I’m visiting the US later this month and as part of that trip, I’ll be visiting Phoenix, AZ.  While I’m there I’ll be presenting a session I’m putting together on SBS 2011.  This will be a technical presentation, not a sales and marketing one, and I’m packing it full of great tips and tricks from the products that I use in my SBS installations.

The event is on March 7th from 2pm onwards at the Microsoft Tempe Office

The new SBS 2011 family brings new technology with it that gives the SMB IT Professional many more options for their client’s business requirements. This session will cover from the basics of the new stable of products, as well as many of the deeper, unknown things that will help you get the best out of them for your clients. This is a technical session focused on how to make it work best for you.

Wayne Small will cover everything from setup and installation through to configuration, migration and integration techniques. He will also cover the companion products such as StorageCraft and Trend Micro.

The first 25 registrations for each event will qualify to receive SBSC store gift voucher at the event!

You can register for the event here

Posted in Blog | 1 Comment »

Outsourcing my transport – a different angle on productivity

Thursday, February 10th, 2011

2011 is for me a year of change.  I’m trying to change a few things in my life to improve myself.  One of those is the number of hours that I work.  Before Christmas, using RescueTime, I found I was tracking an average of 120 hours a week working… that’s 18 hours a day for 7 days a week.  That is just insane, but I did it because I had to… no – not a good reason at all.

Over Christmas, I’ve taken time to look at the things I do and try to see what / how I can do things differently. One of the things I’m doing now is to outsource my transportation to work. No – I’m not talking about some chauffeur driven car or anything flash like that, I’m talking about using public transport – more specifically the train to get to the office. You see – I work 4 days of my week in North Sydney – that’s about 35km from home. If I drive in, it can take me an hour or more depending on traffic. Add to that the fact that they have just started some major roadworks on the M2 Freeway which is the main road I use to get there and you can see I will end up spending even more time in my commute to the office each day.

Anyway – the cost of the train is cheaper, and the stations I get on and off at are at either ends of the line, so I normally get a seat too. Add to that the journey is a fairly constant 1 hour and 5 minutes with SOMEONE ELSE driving means I can actually get some work done in solitude… Ok – so I’ve taken 2 hours of time that was previously wasted in driving myself and moved it over to potential work time. Cool – that gives me the ability to NOT work as much at home now. In fact more specifically I’ve now got an hour in the morning before I leave to do some fitness or just sleep in a little. I also have an hour extra in the evening when I get home that I can just switch off and relax. So – outsourcing my transport so far is working for me – we’ll see how long it works and what issues I have over the coming months.

Oh – I wrote this while I was on the train too and also posted it – gotta love technology.

Have you tried to look at things from a different angle?  Why not? What successes have you had? Share them please!

Posted in Blog | 1 Comment »

Why are people disabling IPv6 on SBS 2008?

Wednesday, February 9th, 2011

It’s interesting to hear feedback from the SBS support team at Microsoft in Las Colinas, TX about the issues that they see when supporting the product. One of the common ones that they see, and I hear out there in the community, is around IPv6 being evil or bad on SBS 2008. Some people experience connectivity issues on SBS 2008 (and potentially SBS 2011) and they do some googling. They find “similar” issues where others not on SBS have disabled IPv6 and it’s resolved it. However when they go to disable IPv6, they just remove the tick from the binding of the protocol on the Network card – this is not good enough. This does NOT properly disable IPv6 at all.

What I think they fail to do is to use the inbuilt SBS 2008 “Fix My Network” wizard that is on the Network tab of the SBS 2008 console.  This wizard would in most cases find and resolve most connectivity issues that users themselves have often caused.

If you MUST disable IPv6, then do it correctly. You can find documentation on how to disable IPv6 correctly here on the SBS team blog.

Posted in Blog | 3 Comments »