7

I'm the de-facto system administrator for a small law office. I'm looking for help to set up the network in a good way. Here's the basic layout/requirements:

Windows based.

The Server: A headless Windows Vista machine accessed by VNC from my workstation. Every workstation needs to be able to access, edit and delete the files stored on this server.

The Workstations: From WinXP to Win7, about 6 computers throughout the office.

Access from Home: It would be nice, but not necessary, to be able to securely access the files on the server from home. Does anyone know a good piece of software for this? Assume a very low level of competence in the users. They are smart, but not tech savvy, and not easily trained.

Back-up: The files on the server are critically important and cannot be lost. I'm looking at using StorageCraft's ShadowProtect Desktop for an incremental back-up scheme. Any advice on how to set this up for optimal space, effort and protection would be great.

That's it. It's a simple network. I'm asking here if anyone has any pointers and/or warnings about pitfalls that I might run into that I'm not currently anticipating. Do you advise using anti-virus software on the workstations? etc.

Any advice will be appreciated. Just throw me what would come to mind for you if your job was to administer this network.

Thanks!

edit: A number of the comments are warning against using a desktop computer as the server. Why? I had a sense of trepidation about it, but (with my very limited system administration knowledge) I can't think of a reason why it's bad. Can someone explain to me what the dangers and downfalls are?

JoshuaD
  • 5
    If you want warnings, don't use a PC as a server. It's just not designed for it. – Ben Pilbrow Sep 18 '10 at 18:11
  • What's the company growth look like in the next 5 years? – JakeRobinson Sep 18 '10 at 18:31
  • The company is going to be about this size for as long as it exists. It's a single attorney law firm, and he likes it that way. We definitely cap out at 8-10 employees. – JoshuaD Sep 18 '10 at 18:40
  • I recommend the HP ProLiant ML115 G5 pedestal server, or whatever G6 model that has replaced it. They are very cheap for what you get. I got a 100% rebate on the Lights-Out remote access card for mine. – paradroid Sep 18 '10 at 22:09
  • Using a PC as a server? That's Super User stuff. – John Gardeniers Sep 19 '10 at 00:11
  • Can you expand a little on "securely access the files on the server from home" too? In your context, "securely" can mean a few things as it's possible to secure the connection whilst having practically no control over what folks can do over it. If you were to look into a basic server with SBS it comes with basic remote access functionality built in, or if you want "network level" connectivity look at a router/firewall that has a built in VPN server. – flooble Sep 19 '10 at 11:23

4 Answers

7

For what it's worth, here is my advice:

  1. Don't use a PC as a server. Neither the hardware nor the OS is suitable for the job. If that office is always going to be small, get yourself a smallish tower server and a license for Windows Small Business Server. If the office is going to get larger over time or is a satellite office to a larger company, then consider a normal Windows Server 2008 Edition with half a dozen client access licenses (CALs). You will need DHCP and DNS: these can be provided by the server or by your gateway device (read more below).

  2. For access from home, I would recommend OpenVPN. There is a Windows appliance available from here, you can use self-generated keys and the clients work like a charm (there are clients for Linux, Windows and Mac OS X). We have several dozen people on it, and I never hear anything about it. It just works. We use keys and the clients build an SSL tunnel to the office network. That's effectively the same security you have on an HTTPS website. As far as I know OpenVPN also supports IPSec/IKE tunnels, if you prefer that.

  3. For backups I would probably use bacula, but that's because I am mainly a Linux man. There are tons of suitable packages. The most important thing is that the backups are automated and that you have off-site backups. This can be done by spooling the backups onto a USB drive and taking the drive home, or multiple USB drives (I am trying to come up with solutions that won't cost you an arm and a leg). If money is not a problem, go for a small tape drive in the tower server.

Now for some more general advice. A lot of small companies set up their internal LAN on 192.168.0.x/24, because that's sort of the default. Don't do that. Use any other number, such as 192.168.10.0/24 or 192.168.13.0/24. Makes life a lot easier when you have to connect to supplier/customer networks, as most likely they are not using the same IP range and you don't have to do any fancy footwork with NAT.

Get yourself a decent switch. Doesn't have to be fully managed, but if you can afford to spend around £200, you already get switches with a web interface for monitoring and fault detection.

Use decent quality cable and connectors. Or insist on them if contractors do the wiring. And make them check out every single connection. I have spent hours doing fault finding on new cabling, only to find out that the contractors used lousy hardware or got their wiring schemes mixed up.

Rather use 1 good quality networked printer than half a dozen cheap ones. You'll have much less trouble that way. Plus: you actually get to enjoy lower print costs, since the cost per page on the bigger printers is generally better. My personal favourite is HP, but Xerox and Brother also make very decent printers. Stay away from Lexmark, nothing but trouble.

Spend a bit of money on a decent gateway device that does firewall, routing, and the like. No need to spend hundreds of pounds there, but don't use the cheap shit from PCWorld and the likes; that stuff is made for SOHO, but in reality it breaks if you keep it running 24/7/365. For around £100 you can get some decent stuff. If you are happy to explore other avenues, you could use a Linux box and put smoothwall or monowall on it (but don't do that if you are not comfortable with Linux).

Can't think of more, but I am sure you have questions. Just fire away.

wolfgangsz
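
The addressing advice in this answer can be checked mechanically. The Python sketch below is an added example, not part of the original answer: it tests a candidate office LAN against networks it has to coexist with (remote users' home LANs, supplier/customer ranges) and models which route a VPN client picks for an office host. The network list, host addresses and the tie-break rule are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample data: LAN ranges that consumer routers commonly ship with,
# standing in for VPN users' home networks and supplier/customer networks.
REMOTE_NETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/24"]


def conflicts(office_lan, remote_nets=REMOTE_NETS):
    """Return the remote networks whose address space overlaps the office LAN."""
    office = ipaddress.ip_network(office_lan)
    return [r for r in remote_nets if office.overlaps(ipaddress.ip_network(r))]


def first_free_24(remote_nets=REMOTE_NETS, pool="192.168.0.0/16"):
    """Return the first /24 inside `pool` that overlaps none of the remote networks."""
    remotes = [ipaddress.ip_network(r) for r in remote_nets]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=24):
        if not any(cand.overlaps(r) for r in remotes):
            return str(cand)
    return None


def egress(host, home_lan, office_lan):
    """Model the route a remote client uses to reach `host`.

    Longest prefix wins. Assumption: on an equal-length tie the directly
    connected home LAN beats the route learned from the VPN, which is why an
    office server becomes unreachable when both sides use the same subnet.
    """
    h = ipaddress.ip_address(host)
    routes = [(ipaddress.ip_network(home_lan), "lan"),
              (ipaddress.ip_network(office_lan), "vpn")]
    matches = [(net.prefixlen, name == "lan", name) for net, name in routes if h in net]
    return max(matches)[2] if matches else "default"


if __name__ == "__main__":
    for lan in ("192.168.0.0/24", "192.168.10.0/24"):
        print(lan, "conflicts with:", conflicts(lan) or "nothing in the sample list")
    # Hypothetical file server address on each candidate office LAN
    print(egress("192.168.0.10", "192.168.0.0/24", "192.168.0.0/24"))    # stays on home LAN
    print(egress("192.168.10.10", "192.168.0.0/24", "192.168.10.0/24"))  # goes through tunnel
    print("suggested free /24:", first_free_24())
```
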
  • Thank you for the answer, that was great. 1) What are the practical, real problems with using the Vista Machine? My boss will give me a good deal of leeway, but I'll need to give him good reasons. 2) Switch: Same as above. We're currently using a wireless system and a simple wireless router. It's definitely not my ideal, but it works. What's the upside to going wired and getting a switch rather than a simple router? 3) We have a Rico Printer/Scanner/Copier/Fax Machine that is amazing. It's too expensive, but it's really, really good. – JoshuaD Sep 18 '10 at 19:00
  • 1
    1) Vista doesn't provide you with DHCP or DNS, neither does it have any other proper services. You also won't be able to set up a local domain and administer users centrally. 2) Switch: if you have any faulty devices on the network, a switch with a web interface will help you figure out what's wrong and where. Wireless can work fine, but you need to watch your security settings (i.e. for a law firm you definitely want to use WPA and not WEP). Plus, wifi cannot match wired networks in performance. – wolfgangsz Sep 18 '10 at 19:32
  • Unless you use the expensive access points (which negates the supposed savings from using a wireless network) then your network will certainly be slower and perhaps less reliable over wireless than it would be over wired links. Obviously it costs more to do these things at the start but I believe they are shown to be better investments over time. For example, your Rico (Ricoh?) printer/scanner/copier is a better investment instead of a bunch of those cheap printers where a new ink cartridge costs more than a new printer, even though the cheap printers don't cost as much at first. – Rob Moir Sep 18 '10 at 20:01
  • 2
    Honestly, wireless is great when it's needed, but in an office environment, and especially with cheaper consumer wireless kit, I'd stick with wired unless there's a really good reason to use wireless - a good quality switch won't cost you much at all and it will make your life a lot easier (I think the key thing that's coming across in many of the answers/comments here is that making your life easier is the intention, not just "getting by"). – flooble Sep 18 '10 at 20:06
  • +1 Hutch. Anyone can "just get by" with something. We're talking about what it takes to build something that will do a decent period of service without being a constant niggle or drain on time and money. Workstations as servers as a money saving measure stop being funny when you have to pay someone like me my "weekend rate" for a SQL server or Exchange server database recovery. Cheap home routers for the business stop saving the business money the first time you lose a client because it breaks down the day of a tight deadline to submit something online for them. – Rob Moir Sep 18 '10 at 21:36
  • +1 It is a good guide, but, if going for Windows Server, the Windows VPN is VERY good and a heavily underused feature. I wrote a guide on getting it working in less than five minutes and I would highly recommend anyone try it before trying out other VPN solutions - http://blog.williamhilsum.com/2010/09/how-to-configure-windows-vpn-in-less.html – William Hilsum Sep 18 '10 at 23:07
  • @Wil: don't get me wrong please. I think that Win SBS will provide a lot of the stuff he needs. But: I am not in favour of using Windows VPN, because in the past I have found that typically MS VPN solutions only work with MS clients. You are, of course, welcome to prove me wrong. – wolfgangsz Sep 18 '10 at 23:15
  • @Wolfgangsz - it uses bog standard IPsec and PPTP. I haven't tested but I am pretty sure it is actually quite open. I can use the built in Windows VPN client to connect to Linux IPsec/PPTP servers fine and I would assume at worst case scenario, it would take a couple of changes on the server to allow Linux clients to connect in... I will test it right now on a spare box. – William Hilsum Sep 19 '10 at 00:19
  • @Wolfgangsz - Works fine! Tried it on Ubuntu Live CD, took me seconds to set it up, but about 10 minutes to work out where the connection icon was! The only change needed was to enable encryption as it is off by default (I circled this), but it all works out the box just fine - just typed address, username, password, one tick for encryption and done! http://imgur.com/xPIMo.png – William Hilsum Sep 19 '10 at 01:57
2

My advice:

  • Get a proper, albeit entry level, server. Using a workstation as a server is false economy.
  • Don't use a 'workstation OS' as the server, especially if you want to set up things like home access, etc. There are (legal) ways to get cheaper copies of Windows server OSes if it must be Windows, and there's always Linux for the server too (not a panacea of course but you can't argue with the price if the budget is tight).

If the files on the server are critical as you say then it's worth the extra money for a server class system to ensure their availability and improve your options for things like remote access, volume shadow copies, backing them up, etc.

Rob Moir
  • What's the danger in using a Workstation OS as a server? I was concerned this might be bad, but with my limited knowledge of system administration, I couldn't find a reason why. – JoshuaD Sep 18 '10 at 18:43
  • 1
    It's not so much about "danger" as "best practise", and at some point you'll want to do something that a workstation OS won't support (DHCP/DNS is a good example). I'd look at what Dell or HP can offer in the way of an entry level server with something like Windows Foundation Edition. – flooble Sep 18 '10 at 19:52
  • As Hutch says, less "danger" as "best practice". A Server OS will typically have better support for remote management and monitoring. And Windows Server, for example, comes with a plethora of tools that will work better for your file store and remote access when compared to Windows workstation. – Rob Moir Sep 18 '10 at 19:54
  • 2
    Have a look at tape backup too. You said the data absolutely cannot be lost - perhaps I'm a bit old fashioned but backup to disk is great for speed/ease of recovery, but for "lock it in a safe and know it will work when I need it" I'd go tape every time (not sure if you have compliance/retention laws to meet if it's legal stuff?). – flooble Sep 18 '10 at 20:07
1

One advantage of a server OS is that it isn't just best practice for its own sake; in general it makes meeting best practices in a variety of areas (e.g., auditing, centralized authentication, scalability, recovery, etc.) easier as you set up your network. Most of these are things that can be done without the server OS, but the process and result will generally not be as easy, reliable, or maintainable.

It's also worth noting that you'll probably want to look into the regulatory/compliance requirements for your industry and locale, and keep those in mind as you build even a small network. Any such rules or requirements would likely overlap to a large degree with best practices, but this will be worth paying attention to up front.

Apart from that, I agree with the OpenVPN recommendation, and if you use pfSense as your gateway/firewall it has an OpenVPN server built in. pfSense is very feature-rich, has very low hardware requirements -- runs on most any old beige box you have lying around, is incredibly easy to install and configure, and has a very intuitive web interface. Best of all, it's free.

nedm
1
edit: A number of the comments are warning against using a desktop computer as the server. Why? I had a sense of trepidation about it, but (with my very limited system administration knowledge) I can't think of a reason why it's bad. Can someone explain to me what the dangers and downfalls are?

The main reason I'd hesitate using desktop-grade hardware for a server in a business is that most desktop-grade hardware is not really suited for 24/7 operation and tends to fail quickly in such an environment ("quickly" here is in the 9-18 months span, whereas I'd expect 3-5 years of useful life out of server-grade hardware). It's mostly disk and PSU issues, rather than CPU/motherboard/RAM that I've seen problems with in the past.

Vatine