Looking for Suggestions: Small Business (Charity) Server Setup

Kuromizu

I am looking into setting up a small business network for a local charity. They want to be able to access files remotely and back up files automatically to/from a server inside their office. It's a budget project that needs to be done at minimal cost to the charity for this to be viable.

They have about 8-9 computers total, a mix of Windows PCs from 7 to 10, each of which would need to be able to access the server and retrieve files. The files may contain some confidential business information that should be protected by a firewall and various security measures.

They currently use Spectrum for their internet service provider and receive 60 Mbps down / 10 Mbps up speeds.

Here's what I came up with:

Used Xeon server (Dell refurbished or something) from the last 2-3 years with 4 GB RAM and RAID support. I would use 2x2TB hard drives in a RAID 1 config. I would run Ubuntu Server 16.04 on the server.

I would set up OpenVPN and UrBackup to allow people to remotely access the files and storage from outside the office and automatically have their files backed up.

I'm not exactly sure what to do about security.

Do you think that's a good start, and what kind of security should I add?
 
Why not use a public SaaS like GDrive or Dropbox? Then you can just set up a perimeter firewall at each location for IPS/IDS, AV, VPN, etc. This would really simplify it.
 
You're right, that would have worked. I talked to them today and they threw a small wrench in things. They want to keep a QuickBooks database on the server so it can be accessed by multiple people and remotely. I don't know if that would work with GDrive or Dropbox.
 
Fair enough... I hope you're able to come up with a simple, yet effective solution.

QuickBooks has a web version as well. For this type of environment, operational expenses tend to be more manageable anyway, and you don't need to worry about where the data resides and granting access to remote systems, etc. I don't mean to sound like I'm dictating, just trying to prevent you from overengineering the solution so that you can't break yourself free from the headaches of what you put in place for them.

For perimeter firewalls, you could either look at setting up a pfSense box, or snag an inexpensive FortiGate. You could get a 30E w/ a 3-year 8x5 support agreement with UTM services for under $1k - http://www.avfirewalls.com/FortiGate-30E.asp
 
Who is providing support for them after you set this up? What about hosting it all in the cloud? Not sure if nonprofits get any better pricing...
 

  • UPnP is a plague. Have everything behind a strict firewall; no services should be reachable unless the person is on site or connected via a VPN. This greatly limits your exposure surface for any type of vulnerability. This is one of the biggest things you can do.
  • Do they have any type of Wi-Fi? If so, this traffic should be on a separate network / VLAN. Allowing wireless clients to access local resources is generally a bad idea, especially if it's just protected by a simple wireless key.
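
Added example, not part of the thread: one way to express the advice above as a host firewall on the Ubuntu server, written as an nftables ruleset. The subnets and the use of SMB (TCP 445) for file access are assumptions, and the Wi-Fi network is assumed to sit on its own subnet, so laptops on it can reach only the OpenVPN port and must come in through the tunnel.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny host firewall for the office file server.
# All addresses below are assumptions; replace them with the real networks.
flush ruleset

define LAN_NET = 192.168.10.0/24   # wired office PCs (assumed)
define VPN_NET = 10.8.0.0/24       # addresses handed to OpenVPN clients (assumed)
# The Wi-Fi subnet is deliberately absent from every allow rule below.

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The only service reachable from outside: OpenVPN on its default port.
        # This is also the only port that should be forwarded on the router.
        udp dport 1194 accept

        # File shares: wired LAN and VPN tunnel clients only.
        ip saddr { $LAN_NET, $VPN_NET } tcp dport 445 accept

        # SSH for administration: wired LAN only.
        ip saddr $LAN_NET tcp dport 22 accept

        # Ping from inside, for troubleshooting.
        ip saddr { $LAN_NET, $VPN_NET } icmp type echo-request accept

        # Everything else falls through to the drop policy; log a sample of it.
        limit rate 5/minute log prefix "fw-drop: "
    }

    chain forward {
        # The server is not a router; VPN clients only talk to the server itself.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

A host firewall like this covers only the server; UPnP still has to be switched off on the router, and the Wi-Fi/wired split has to be enforced there as well.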
 
Cloud options are proving too expensive for them. I'll probably end up being the one to support this setup once it's installed, but it's such a low load and simple use case that I doubt they will need much support.

Can I have the firewall built into the server (software) or does it need to be an external system?

Can I separate the Wi-Fi from the wired network and still have them access the internet through the same cable modem / router?

They do have Wi-Fi (you probably guessed by now) and use a few laptops on it regularly. Those laptops would have to connect through the VPN to access the files even though they are physically local, right? That would be fine with me/them.
 
A cloud-based QuickBooks might be the best way to go.
 
Before you break yourself trying to be overly charitable to this organization, take a closer look at the salary their CEO is paid and what their administrative staff are driving.
You might find they have more money than they are letting on and that might help you steer them into an appropriately funded solution.
Edit: or you might not find that at all. But you will at least know the landscape.
 
Their CEO and entire board of directors is completely unpaid. They only have two paid employees for the entire operation. The vast majority of people involved are all volunteer.
 
There are a lot of options for a VPN router/firewall.
However, you are not going to run the local server version of QuickBooks directly over a VPN with any success. You will run into corrupt databases and connection count errors.
They will have to RDP over VPN to a local computer or VDI to run it.
 
What you are wanting sounds like it could be accomplished with Windows Server Essentials. Follow me for a sec.
You have:
Windows clients
The need to back up files presumably on clients
Need to manage user permissions
Need to have remote access
Need VPN
If they are a legit charity, they should be able to get reduced licensing.

The Windows Server Essentials role covers this; it provides an RD gateway for remote access to PCs on the LAN. Client machines can be backed up, and you can even add the WSUS role and manage Windows updates. Add cloud backup and you should be golden.

In a small org I DO NOT see Linux as a viable fit for anything other than a 'dumb' file server or router. EVERYTHING that the business uses runs on WINDOWS (QuickBooks, Sage, etc). If you are not in the picture and they need support, who can help them? Use off-the-shelf products with a proven track record and specifically built for the use case, IMO.

Before you cloud backup, ensure you know what you are doing; Intuit should have a KB on cloud backups for their products. If I had a $ for every time someone created their own issues after the introduction of cloud backup... SQL 9001 error? File locked? ;)

In my line of work the neckbeards make everything exceptionally harder and more painful. If you must neckbeard, leave good notes, but realize ultimately you may be setting them up to fail if you're not around any longer. I've inherited someone's 'mess' more than once, which is generally overly complex for anyone in the office to Helen Keller their way through when it stops working (and it will stop working one day).
 
Don't bother trying to manage their security, let someone else do it.
Set all the PCs to power on after power failure, or put them on an inexpensive UPS.
Set them up with gotomypc.com or logmein.com access back to their PCs.
 