Questions about Exchange in SBS.

[gjvrieze]

i'm glad this thread has developed...normally people get a bit shitty when threads are so-called 'hijacked'...me, i enjoy the conversation - i've already learnt a ton of extra stuff that i hadn't even planned on learning, and all thanks to this thread!

I was actually going to ask if you minded my posts, if was an issue, i would delete them, but the way I see, we are all here to have fun and learn!!!

 

[atomiser]

Ideas on what? It sounds like everything is working. It may not be how you want it to be, but it sounds exactly how I thought it was in my first post. mail.example.com isn't supposed to resolve to a local address since there's no way for it to actually *get* to the local address (the networks aren't routed to each other).

i understand how name resolution work, thanks. the point i was trying to get over was proof that they hadnt bodged the internal dns to make it look like it was actually going internally using the xp file server as some rudimentary router between the two networks on-site.

perhaps i should put it another way...

in my test environment i have a vanilla install of sbs sat behind an internet router. it has a static public ip address and all the mx records etc are setup, ports forwarded blah blah and. on a test client connected to the sbs network, incoming/outgoing mail is working as you would expect. this is how 99% of the company it setup and working perfectly. on this same sbs server i have also created some vanilla test users to mimic the three additional accounts in use by the seperate workgroup network.

if i then setup a mimic of the workgroup network they have on-site by taking a vanilla xp workstation and placinng it behind another internet router, install outlook, configure it for pop/smtp using the user/pass of the test accounts created abeove on the sbs server, punch in the public dns record for the sbs server for the pop/smtp server values. as has been done by the previous people.

so...i have, in theory, a setup as similar as possible to theirs...the pc on the mimic of the workgroup fails to send and receive mail. this is how i would expect it to behave...someone completely outside my sbs network being able to use my sbs/exchange setup would be a complete security no-no...! perhaps if the workgroup network had a static public ip that everything was nat'd behind and i could setup a restricted incoming firewall rule and an incoming policy on exchange...then maybe...still sounds like a bad idea!

what i'm trying to ascertain is what the previous consultant has bastardised on the sbs setup to make this work?! your damn right with "it's not how i would like it to be setup" because it's a freakin nightmare that should have never been implemented!

 

[atomiser]

I was actually going to ask if you minded my posts, if was an issue, i would delete them, but the way I see, we are all here to have fun and learn!!!

you carry on matey - the more the merrier from my perspective!

everyone else: apologies if i seem a bit shitty - i'm just tearing my hair out on this one trying to understand wtf has been done!!!!!!

 

[pigster]

also, if you could spare a small amount of time for a chat (msn maybe?) about solidworks in general i would be seriously grateful!

check your PM

 

[Gambit]

so...i have, in theory, a setup as similar as possible to theirs...the pc on the mimic of the workgroup fails to send and receive mail. this is how i would expect it to behave...someone completely outside my sbs network being able to use my sbs/exchange setup would be a complete security no-no...! perhaps if the workgroup network had a static public ip that everything was nat'd behind and i could setup a restricted incoming firewall rule and an incoming policy on exchange...then maybe...still sounds like a bad idea!

That's entirely *not* how I would expect it to work. You said on the "main" test network, you had ports forwarded from the router to the appropriate ports on the SBS server. If that's correct, the test workgroup should be able to connect to the SBS server, so long as they can get on the internet.

Perhaps we're aiming for different things here, but from what I'm reading in the above paragraph suggests that you want to restrict what IP addresses (from the internet) can connect to your exchange server... which I don't think is the best idea. I have a feeling I'm reading it wrong though.

 

[atomiser]

That's entirely *not* how I would expect it to work. You said on the "main" test network, you had ports forwarded from the router to the appropriate ports on the SBS server. If that's correct, the test workgroup should be able to connect to the SBS server, so long as they can get on the internet.

Perhaps we're aiming for different things here, but from what I'm reading in the above paragraph suggests that you want to restrict what IP addresses (from the internet) can connect to your exchange server... which I don't think is the best idea. I have a feeling I'm reading it wrong though.

thanks for your perseverance with me!

imagine, if you will, that the sbs network and the workgroup network were infact at completely different sites, maybe even in different cities, and there were no communication setup between the networks - i.e. no vpn, nothing...the only common thing being that both offices had a connection to the internet. and that at the site with the sbs network - the internet router, from a mail perspective, only had port 25 and 110 forwarded to the sbs server. (jn reality it also has owa, rww, vpn, etc also forwarded).

are you suggesting that, by default, if i were to create a user on the sbs network and then i were to head over to the other office...that i should just be able to setup a client machine with xp and outlook, configure it to connect to pop3/smtp, punch in the email address associated with the account on the sbs network, punch in the user/pass for the account, and punch in either the public ip address of the internet connection at the other office where the sbs server resides (or a public dns name that resolves to the same address, whichever) that it should be able to collect messages from the mailbox using pop3 and send mail via the smtp server?

 

[Gambit]

thanks for your perseverance with me!

And thank you for your patience with me as well. I can sometimes come off as arguementative and it's not intentional

To answer your question, yes, if you have the appropriate ports forwarded, the smtp / pop servers running, I see no reason why you shouldn't be able to do that. That's actually what we did when we switched over to Exchange at my place of work.

Originally, we had our e-mail hosted by a third party which (TBH) was doing an *extremely* poor job of managing spam and the e-mail system in general. That, along with the features that Exchange offered (calendars, contacts, etc) and the fact that *we* would be managing it lead us to host it ourselves. Of course, it came up how do we change everyone over? Really, it was have them turn off their e-mail service (so the e-mails would bounce back to the sender) and we would take over the domain (mail.example.com). E-Mail worked just as it should, the only difference was we had to change a lot of passwords for users, but that's more of a side effect of changing systems from one company to another.

Having said all that, so long as you have the ports forwarded correctly, the only IP addresses you *SHOULDN'T* allow are those from known spam addresses... which is much more easily done with Exchanges built in spam filter or a spam appliance such as a Barracuda than to filter individual IPs. The problem with filtering IP addresses is that you never know where incoming e-mail will be coming from or outgoing e-mail going to. Unless you're allowing e-mail exchanges from only particular domains, I *highly* suggest you not go that route.

From the diagram of your network


the workgroup computers have to (and should be) go to the internet and back in to get their e-mail. It's not the way I would do it, as all of those computers should be on the same LAN and be able to talk to each other. As cobbled together as it may seem, it does look like it's cobbled together correctly... if that makes sense.

 

[atomiser]

And thank you for your patience with me as well. I can sometimes come off as arguementative and it's not intentional

To answer your question, yes, if you have the appropriate ports forwarded, the smtp / pop servers running, I see no reason why you shouldn't be able to do that. That's actually what we did when we switched over to Exchange at my place of work.

Originally, we had our e-mail hosted by a third party which (TBH) was doing an *extremely* poor job of managing spam and the e-mail system in general. That, along with the features that Exchange offered (calendars, contacts, etc) and the fact that *we* would be managing it lead us to host it ourselves. Of course, it came up how do we change everyone over? Really, it was have them turn off their e-mail service (so the e-mails would bounce back to the sender) and we would take over the domain (mail.example.com). E-Mail worked just as it should, the only difference was we had to change a lot of passwords for users, but that's more of a side effect of changing systems from one company to another.

Having said all that, so long as you have the ports forwarded correctly, the only IP addresses you *SHOULDN'T* allow are those from known spam addresses... which is much more easily done with Exchanges built in spam filter or a spam appliance such as a Barracuda than to filter individual IPs. The problem with filtering IP addresses is that you never know where incoming e-mail will be coming from or outgoing e-mail going to. Unless you're allowing e-mail exchanges from only particular domains, I *highly* suggest you not go that route.

hmmm, that's very interesting... i wasnt aware the whole pop3/smtp connectivity from outside was enabled by default...

when i do the basic 'test account settings' in outlook it seems to think smtp works ok, but pop3 comes up with a very non-specific error message where it suggests checking ssl settings...not sure if this is important or not...

going to back to the fact that outlook seems to think the smtp part is correct, if i send a message it says it's sent but it doesn't ever arrive at the recipient.

this brings about an interesting question...from inside the domain i was under the impression there wasn't any authentication on the smtp server. but i also thought that the sbs wizards didn't configure exchange to be an open relay? this brings about the question of why on earth would it accept a request from outside to send a message? unless it recognises the senders address as being from the domain? but surely this could easily be spoofed and is therefore a vulnerability of the system?

moving forward...i'm prepared to accept that by default the pop/smtp functionality is there and enabled...so as the install on both server and client is 'vanilla' i must be doing something wrong...!

pointers of where to go from here are greatly received!!!

 

[atomiser]

It's not the way I would do it, as all of those computers should be on the same LAN and be able to talk to each other. As cobbled together as it may seem, it does look like it's cobbled together correctly... if that makes sense.

Getting all the machines onto the same network is exactly where I'm headed, along with everyone only then having one machine instead of two! Greedy buggers!

I'm just still a bit of a noob (as you can no doubt tell!!!) when it comes to messaging...so whilst it ultimately doesn't really matter if I get to the bottom of this 'issue' because it will soon be banished by virtue of the above piece of work...I still really want to try and get to the bottom of it to satisfy my own curiousity and so I can learn!!!

edit: and also, medium to long term i want to get our exchange server behind a smart host - at which point i will certainly want to lock down the exchange server to only accept incoming mail from just the smarthosts servers as an extra level of security. common practice so i am lead to believe.

 

[YeOldeStonecat]

Instead of Outlook POP3....consider Outlook via HTTP? That way you only have port 443..which you already have for OWA 'n RWW..instead of most daring port 110.

And ultimately..the smart SMTP host is my preferred method also...this way you only have port 25 open to your smart SMTP hosts range of mail servers..and not the rest of the world.

 

[Gambit]

hmmm, that's very interesting... i wasnt aware the whole pop3/smtp connectivity from outside was enabled by default...

Hmm... good point there. I'm not positive it's configured by default. You can check if they're running by opening Exchange System Manager (ESM), expanding your server under Administrative Groups, look under Protocols and see if the POP and SMTP servers are running. I believe you'll have to have SMTP running so you can actually recieve e-mail. POP only needs to be enabled if you want that functionality (which isn't required if Outlook is connected with Exchange accounts and your users access their accounts with OWA or Exchange accounts from the outside world). I'll get a pic up in a sec.

when i do the basic 'test account settings' in outlook it seems to think smtp works ok, but pop3 comes up with a very non-specific error message where it suggests checking ssl settings...not sure if this is important or not...

going to back to the fact that outlook seems to think the smtp part is correct, if i send a message it says it's sent but it doesn't ever arrive at the recipient.

Hmm... well, you could have a few issues here. Are you sure POP is configured correctly? Are you sure it's not arriving ok and you're not just having trouble retrieving it?

this brings about an interesting question...from inside the domain i was under the impression there wasn't any authentication on the smtp server. but i also thought that the sbs wizards didn't configure exchange to be an open relay? this brings about the question of why on earth would it accept a request from outside to send a message? unless it recognises the senders address as being from the domain? but surely this could easily be spoofed and is therefore a vulnerability of the system?

By default I don't believe Exchange does user authentication for SMTP. The reason for this is actually a security risk. If you authenticate users, it's possible to determine (although a lengthy process) of what users there are on the system, as well as slowing down the server as it authenticates everyone. By allowing any incoming mail, this is avoided and the spam just gets filtered as usual... basically it's less system intensive to filter the spam than continously authenticate.

As for "why would it accept messages from anyone" well, it should if you're not doing authentication. Being an open relay refers to bouncing messages from one server to the next. For instance imagine there's 3 servers, S1, S2 and S3. If S2 is configured for relaying messages, S1 can connect to S2 and tell it to send a message to S3. Just because your server accepts messages from anyone, doesn't mean it's an open relay.

I also agree with StoneCat with his comments. For the internal network, look into getting Outlook configured with actual Exchange accounts which is better for numerous reason, push notification being one of them. This also lays the groundwork for RPC over HTTP for the outside world (so if someone takes one of the laptops out of the building, they can still access all of their exchange data on the server) and not needing POP access outside of the buliding at all.

 

[brons2]

Run GB Ethernet between the groups.
GB to the switch then 100 to the computers x2
Figure 2 ports on the switch per computer for future expansion.
You don't need managed switches for this small a network
Get a duel wan link router and hook both Internet connections to it.

So you need:
duel WAN router
8 port GB switch
48port 100 with 1 or 2 1GB ports switch.
16port 100 with 1 or 2 1GB ports switch. or a 16 port GB switch.

put all the servers in your server room.
Having servers all over the place is a very bad idea.

if you had a managed switch for this network it would be a way more elegant solution, using multiple VLANs rather than multiple switches. I know they're expensive tho...

 

[brons2]

Hmm... good point there. I'm not positive it's configured by default. You can check if they're running by opening Exchange System Manager (ESM), expanding your server under Administrative Groups, look under Protocols and see if the POP and SMTP servers are running. I believe you'll have to have SMTP running so you can actually recieve e-mail. POP only needs to be enabled if you want that functionality (which isn't required if Outlook is connected with Exchange accounts and your users access their accounts with OWA or Exchange accounts from the outside world). I'll get a pic up in a sec.



Hmm... well, you could have a few issues here. Are you sure POP is configured correctly? Are you sure it's not arriving ok and you're not just having trouble retrieving it?



By default I don't believe Exchange does user authentication for SMTP. The reason for this is actually a security risk. If you authenticate users, it's possible to determine (although a lengthy process) of what users there are on the system, as well as slowing down the server as it authenticates everyone. By allowing any incoming mail, this is avoided and the spam just gets filtered as usual... basically it's less system intensive to filter the spam than continously authenticate.

As for "why would it accept messages from anyone" well, it should if you're not doing authentication. Being an open relay refers to bouncing messages from one server to the next. For instance imagine there's 3 servers, S1, S2 and S3. If S2 is configured for relaying messages, S1 can connect to S2 and tell it to send a message to S3. Just because your server accepts messages from anyone, doesn't mean it's an open relay.

I also agree with StoneCat with his comments. For the internal network, look into getting Outlook configured with actual Exchange accounts which is better for numerous reason, push notification being one of them. This also lays the groundwork for RPC over HTTP for the outside world (so if someone takes one of the laptops out of the building, they can still access all of their exchange data on the server) and not needing POP access outside of the buliding at all.

You can restrict non-authenticated SMTP by IP address as well in the ESM. That's how we've got ours set up. It does not do authentication, but only accepts from the IP addresses corresponding to other Exchange servers and the smart hosts.

I know Atomiser mentioned smart hosts in a previous post, we run Linux with Postfix as our smart hosts. We also have the Spam Assassin snap-in for Postfix and some other RBL's as well. Also have ClamAV installed into Postfix as well for an additional layer of AV against email borne viruses. The 2 smart hosts live in the DMZ whereas Exchange lives on the internal network. Cuts down on SPAM/Viruses/Worms quite a bit. We are intercepting about 1,000,000 pieces of SPAM a week on our 330 user network.

 

[YeOldeStonecat]

if you had a managed switch for this network it would be a way more elegant solution, using multiple VLANs rather than multiple switches. I know they're expensive tho...

That's the approach I'd take. And they're not expensive these days.

 

[marley1]

here is, very roughly, what the network is going to look like...



at least if i can get to them to this it will be a solid base on which they can then grow and bring online additional technology. it's going to be sooo much easier to manage too!

i dont get the point of the two firewalls? couldn't 1 firewall wiht load balancing be the way to go? also why xp firewall? if the cad people are really have that much demand, keep their files ona different server then what the other people keep the files on, but in a proper network that shouldn't be a problem.

i would get a single firewall with load balancing or just a faster single connection all together, a single 48 port switch all home runs if possible, the servers, and yeah some backup.

long thraed tho i missed a few posts.

 

[atomiser]

Instead of Outlook POP3....consider Outlook via HTTP? That way you only have port 443..which you already have for OWA 'n RWW..instead of most daring port 110.

And ultimately..the smart SMTP host is my preferred method also...this way you only have port 25 open to your smart SMTP hosts range of mail servers..and not the rest of the world.

this is definately the approach i would have taken if i were setting something like this up from scratch...although i would have never ever entertained splitting the networks up like has been done, so in theory this 'problem' wouldnt have ever even existed! (it's sort of been a good learning experience though!)

 

[atomiser]

Hmm... good point there. I'm not positive it's configured by default. You can check if they're running by opening Exchange System Manager (ESM), expanding your server under Administrative Groups, look under Protocols and see if the POP and SMTP servers are running. I believe you'll have to have SMTP running so you can actually recieve e-mail. POP only needs to be enabled if you want that functionality (which isn't required if Outlook is connected with Exchange accounts and your users access their accounts with OWA or Exchange accounts from the outside world). I'll get a pic up in a sec.

Hmm... well, you could have a few issues here. Are you sure POP is configured correctly? Are you sure it's not arriving ok and you're not just having trouble retrieving it?

By default I don't believe Exchange does user authentication for SMTP. The reason for this is actually a security risk. If you authenticate users, it's possible to determine (although a lengthy process) of what users there are on the system, as well as slowing down the server as it authenticates everyone. By allowing any incoming mail, this is avoided and the spam just gets filtered as usual... basically it's less system intensive to filter the spam than continously authenticate.

As for "why would it accept messages from anyone" well, it should if you're not doing authentication. Being an open relay refers to bouncing messages from one server to the next. For instance imagine there's 3 servers, S1, S2 and S3. If S2 is configured for relaying messages, S1 can connect to S2 and tell it to send a message to S3. Just because your server accepts messages from anyone, doesn't mean it's an open relay.

I also agree with StoneCat with his comments. For the internal network, look into getting Outlook configured with actual Exchange accounts which is better for numerous reason, push notification being one of them. This also lays the groundwork for RPC over HTTP for the outside world (so if someone takes one of the laptops out of the building, they can still access all of their exchange data on the server) and not needing POP access outside of the buliding at all.

thanks for this, i'll take a look into your suggestions!

 

[atomiser]

if you had a managed switch for this network it would be a way more elegant solution, using multiple VLANs rather than multiple switches. I know they're expensive tho...

the one redeeming feature of the previous people was that they installed a decent switch! they have a really nice hp procurve 2650 giving them 48x10/100 copper ports and 2x10/100/1000 copper or 2xmini-gbic ports. i would love to use the one switch with vlans...though i will never hear the end of it if the three 'special cases' lose the gigabit to their desktop connectivity that they believe they need! even if it is provided by a fairly poor 16 port netgear! plus if i were using multiple vlans i would need to double check what layer-3 capabilities this switch has.

 

[atomiser]

You can restrict non-authenticated SMTP by IP address as well in the ESM. That's how we've got ours set up. It does not do authentication, but only accepts from the IP addresses corresponding to other Exchange servers and the smart hosts.

I know Atomiser mentioned smart hosts in a previous post, we run Linux with Postfix as our smart hosts. We also have the Spam Assassin snap-in for Postfix and some other RBL's as well. Also have ClamAV installed into Postfix as well for an additional layer of AV against email borne viruses. The 2 smart hosts live in the DMZ whereas Exchange lives on the internal network. Cuts down on SPAM/Viruses/Worms quite a bit. We are intercepting about 1,000,000 pieces of SPAM a week on our 330 user network.

thanks for this. that sounds like a pretty sweet setup you guys have over there. at the moment i do not have anywhere near the amount of exposre to linux that i would need to setup something like that, let alone support it. for us, at the moment, it is just going to be soooo much easier to offload it to a s-a-a-s provider.

 

[atomiser]

i dont get the point of the two firewalls? couldn't 1 firewall wiht load balancing be the way to go? also why xp firewall? if the cad people are really have that much demand, keep their files ona different server then what the other people keep the files on, but in a proper network that shouldn't be a problem.

i would get a single firewall with load balancing or just a faster single connection all together, a single 48 port switch all home runs if possible, the servers, and yeah some backup.

long thraed tho i missed a few posts.

the 'firewalls' are really just the 'business' adsl routers that are provided by their isp. the three special cases use software that contains regular, large, service packs and updates. the connection at the top is only 3 meg down with 448k up so it's not enough to sustain the entire company with that sort of activity going on on-top. the bottom connection, for the time being, keeps the peace, daft as this sounds! further down the road they have acknowledged that they need to sort their internet provision out so were looking at still keeping two connnections, but taking on a proper leased line solution for mission critical things such as mail, vpn and in the future - videoconferencing. leased line isp charges are eyewateringly expensive over here though! i know they are a necessity as they have no contention, have proper support and an sla etc - no need to remind me of that, i'm well aware! i'm just trying to nudge this customer slowly in the right direction. the second connection will just be the faster of the two adsl lines which will remain, and this will be to provide 'basic' internet connectivity to the general user population. i'm not a huge fan of a single load-balancing router, i actually like the flexibility that having two seperate gateways gives me. i know it's an extra box to support, but i dont mind.

 

[stormy1]

Bringing data that's already in outlook into Exchange? I've done it and it's *very* easy.

Basically, as it is now, their e-mail is (or is likely) in a personal folder (PST file). When you connect to Exchange, you'll get a new main tier folder titled "Mailbox - username" but you'll also have the personal folder available. From there, just drag the folders over from the PST to the Mailbox, same thing with the Calendar, Tasks, Contacts and Notes.

If you need / want me to get a picture tutorial together, I can. Really though, it's just clicking and dragging the e-mail / folders from one place to another.

disconnect the pst file from outlook once exchange is set as default then use file import is about 2x as fast as dragging folders in outlook 2003.
even faster:
If you have a huge pst file to import look into using exmerge on the server after copying the pst file to the server. (or a removable drive attached to the server)
I love using esata drives for this if the computer and server both have esata ports.
The trick is naming the pst file.
Use exmerge to export the new account to pst then rename the real pst file the same name and import it.

 

[stormy1]

if you had a managed switch for this network it would be a way more elegant solution, using multiple VLANs rather than multiple switches. I know they're expensive tho...

And likely slower unless you spend some $$$$ for the higher end stuff.
The low cost managed switches are generally pretty slow.
I am a strong believer in KISS for small networks.


Since everything goes to the same room I would go with 2 switches.
The procurve and a GB switch with enough ports for everything else.
From the diagram I incorrectly assumed the 2nd switch was remote from the first.

 

[stormy1]

What are they using for backup?
Generally when the network is a mess the backup is too.

What I like to do is run a separate small server with a sata raid1 setup then backup to it then backup to tape from that server daily rather than running a tape drive in every server.

 

[Gambit]

disconnect the pst file from outlook once exchange is set as default then use file import is about 2x as fast as dragging folders in outlook 2003.
even faster:
If you have a huge pst file to import look into using exmerge on the server after copying the pst file to the server. (or a removable drive attached to the server)
I love using esata drives for this if the computer and server both have esata ports.
The trick is naming the pst file.
Use exmerge to export the new account to pst then rename the real pst file the same name and import it.

That's true, it is faster, but he's working with a total of ~20 machines. Yeah, I suppose he could create a share on the server and copy the pst's there with the appropriate username as the filename, then do one big exmerge. I suppose it really depends on how much mail each user has. If it's not much, you'll be at the computer anyway to set up the Exchange accounts.

 

[atomiser]

What are they using for backup?
Generally when the network is a mess the backup is too.

What I like to do is run a separate small server with a sata raid1 setup then backup to it then backup to tape from that server daily rather than running a tape drive in every server.

the backup for the new sbs server is a dell rd1000 unit twinned with 300gb carts.

i'm seriously impressed with the above solution, so it's likely it will be come the de-facto standard for backups to be fair - even if it means retrofitting it to non-dell oem solutions.

 

[brons2]

And likely slower unless you spend some $$$$ for the higher end stuff.
The low cost managed switches are generally pretty slow.
I am a strong believer in KISS for small networks.


Since everything goes to the same room I would go with 2 switches.
The procurve and a GB switch with enough ports for everything else.
From the diagram I incorrectly assumed the 2nd switch was remote from the first.

I haven't found the Procurve 2xxx series to be lacking in performance. Well ok maybe in synthetic benchmarks compared to Cisco and Extreme gear, but that stuff costs a lot more anyways. We picked up some 2800s for not much more than $1K, they're all Gigabit.

Now the Procurve 1xxx series, they are not so hot, but I do have an 8 port 1800 in my office that has 5 VLANs trunked to it, that way I can test things on different networks.

But maybe my opinion on cheap diverges from small offices...my capital budget for network hardware is $77,000 per fiscal year...

 

[marley1]

the backup for the new sbs server is a dell rd1000 unit twinned with 300gb carts.

i'm seriously impressed with the above solution, so it's likely it will be come the de-facto standard for backups to be fair - even if it means retrofitting it to non-dell oem solutions.

rd1000 sounds good, i make way too much money reselling the Mozy so I continue to do that. the one client that I have that uses tapes is using a new LTO3 drive, when I compared pricing for rd1000 + 5 300gb tapes and software vs LTO3 and 5 tapes and software, the LTO3 won.

But gotta sell what makes money. Alot of my server clients cant be bothered with swapping a tape so they get mozy, but biggest client i got is like 60-70GB

 

[brons2]

the backup for the new sbs server is a dell rd1000 unit twinned with 300gb carts.

i'm seriously impressed with the above solution, so it's likely it will be come the de-facto standard for backups to be fair - even if it means retrofitting it to non-dell oem solutions.

When you say "twinned", are you writing separate information to both tapes at once, or making two copies of the same information - one onsite, one offsite?

We spin recent backups to disk and then retain them for 15 days, after things are written to disk they are then dumped to LTO and taken offsite. That way the recent backups are on disk and that encompasses 90%+ of our restore requests.

Of course, we also have a 3TB disk array hooked to the backup server that allows us to do this. With the cost of disk today being so cheap, this is a solution that is very accessible.

 

[marley1]

i think he simply meant paired. like rd1000 with 300gb carts =)

 

[atomiser]

yeah i did...their current backup solution (euggh) is usb attached hard drives, full backup every night, swap the media once a week...gash, i know.. the new solution is, in the first instance, rd1000 + 3x300gb carts, full backup every day, swap the media every day...this is to get them into the habit of swapping media over each day and to ensure that they do always have a proper backup properly off-site at all times. in the not too distant future we will expand on the 3 tapes so they have a more 'mature' set of backups. for the time being this is sufficient for their needs.

whilst i'm not 'against' online backup, it's simply not practical for them at the moment because of a) the amount of data they have, b) the rate of change of the data, and c) the fact that the upload speed on their internet pipe(s) is abysmall. what i would say, however, is that for *absolute* mission critical data (i'm talking about the sql backups of a couple of hundred meg using maintenance plans etc here) then it would make absolute sense to not only include these in the daily backup to rd1000 on the server but to also bolster this with secure storage online also.

edit: yeah, the 300gb carts weren't cheap...but at the same time they are now coming down in price simply because the 500gb carts are out!

edit: also, i've seen you talk about mozy quite a bit, and im not sure if this is appropriate as i am over in the uk, but if you want to pm me some information about it then i would be certainly happy to talk about this offline in more detail... always good to make contacts!

 

[gjvrieze]

rd1000 sounds good, i make way too much money reselling the Mozy so I continue to do that. the one client that I have that uses tapes is using a new LTO3 drive, when I compared pricing for rd1000 + 5 300gb tapes and software vs LTO3 and 5 tapes and software, the LTO3 won.

But gotta sell what makes money. Alot of my server clients cant be bothered with swapping a tape so they get mozy, but biggest client i got is like 60-70GB

Does Mozy have a good resellers program, or do you make your $$ off of the setup?

 

[marley1]

yup good reseller program, make money both off gb stored and setup.

 

[stormy1]

But maybe my opinion on cheap diverges from small offices...my capital budget for network hardware is $77,000 per fiscal year...

4 year lease on 1 or 2 servers + $5000-$7000 a year on hardware + consulting/support is a more likely budget for a company with 20-30 workstations here.
I try to get them to do a 2 year rotation on cad or heavy use workstations then move the old ones down the line for use for 2 more years but most wont do so.

 

[YeOldeStonecat]

the backup for the new sbs server is a dell rd1000 unit twinned with 300gb carts.

i'm seriously impressed with the above solution, so it's likely it will be come the de-facto standard for backups to be fair - even if it means retrofitting it to non-dell oem solutions.

Those ROCK...I love those units. FAST! Long lasting! SBS integrated backup works great with them. I use them for HP Proliants also...with a Belkin PCI SATA controller card that has Windows Server 2003 drivers. I actually found the OEM (from a thread on this forum) that makes them for Dell...you can purchase them cheaper through reseller channels.

Online backups are good for some clients that wish for additional, redundant backup of select mission critical data. We built our own backup server and NAS using RBackup....which we use for some of our clients. But for the one and only backup...I'd never want to support a server with only online for backup. Come restore time might as well take a tent and sleeping bag with you.

 

[atomiser]

Those ROCK...I love those units. FAST! Long lasting! SBS integrated backup works great with them. I use them for HP Proliants also...with a Belkin PCI SATA controller card that has Windows Server 2003 drivers. I actually found the OEM (from a thread on this forum) that makes them for Dell...you can purchase them cheaper through reseller channels.

Online backups are good for some clients that wish for additional, redundant backup of select mission critical data. We built our own backup server and NAS using RBackup....which we use for some of our clients. But for the one and only backup...I'd never want to support a server with only online for backup. Come restore time might as well take a tent and sleeping bag with you.

yeah, imation rdx aren't they? or did they just jump on the same bandwagon as dell by 'rebranding' them too?

i'm completely with you on the online storage, i'm certainly interested in it for supplementary backup of controlled amounts of mission critical data.

assuming you have the internet bandwidth of course.

 

[YeOldeStonecat]

yeah, imation rdx aren't they? or did they just jump on the same bandwagon as dell by 'rebranding' them too?

i'm completely with you on the online storage,.assuming you have the internet bandwidth of course.

Tandberg is the name I saw them under...I didn't bother to dig into any relationship between the Tandberg and Imation name.

I remember Imation came out with a competitor to the Iomega Zip drive a long time ago....it looked more like a 3.5" floppy drive....called it a Superdrive I think? Really only got picked up by Gateway back in the Windows 95 days.