Use the Windows EBS Planning Wizard
Applies To: Windows Essential Business Server
The Planning Wizard guides you through the process of identifying your current network topology, deciding how to implement network security in Windows EBS, and planning the names and the network addresses for the computers running Windows EBS.
After you make these decisions and enter information into the tool, you save and print the data to apply during the Windows EBS software installation. You must complete the Planning Wizard before you can install Windows EBS.
Note
The Planning Wizard does not change anything in your environment. It helps you collect important data about your current environment that you use during Windows EBS installation.
An overview of the information that is collected in the Planning Wizard is provided in the following sections. Additional planning considerations are explained later in this guide.
Network topology
The Planning Wizard helps you identify what kind of network topology you are using and how you want to deploy Windows EBS into that topology. This helps you utilize Windows EBS to monitor and manage servers, network devices, and user accounts throughout your network.
Your network topology describes how to organize and connect your servers, client computers, and other network devices. A simple topology consists of servers and client computers within a single location and connected within a single subnet. More complex topologies may involve several subnets, remote locations, and site-to-site virtual private networks (VPNs).
Based on the information about the subnets in your network, which you provided in the Preparation Wizard, the Planning Wizard identifies one of the following topologies:
Single subnet network All of the computers and network devices are connected on single subnet.
Routed network with multiple subnets One or more routers create multiple subnets that connect your computers and network devices. Subnets may span multiple business units or locations that are in the same Active Directory forest.
Network with site-to-site VPN A VPN connects two or more office branches. Computers and network devices at each branch are connected on a single subnet.
Routed network including site-to-site VPN A VPN connects two or more office branches. One or more of the locations uses routers to create additional subnets.
For more information about the network topologies that are supported by Windows EBS, see the Product Overview at the Microsoft Web site (https://go.microsoft.com/fwlink?LinkId=123027).
If the network topology that is identified by the Planning Wizard appears to be out of date or incorrect, you should correct the information before you continue the wizard. To do this, close the Planning Wizard, and then run the Preparation Wizard again to provide the settings for your subnets. Then start the Planning Wizard to resume your planning steps.
Migration from Windows Small Business Server
The Preparation Wizard and the Planning Wizard detect whether you are running Windows Small Business Server (SBS) 2003 or Windows SBS 2003 R2. If you are running Windows SBS in your environment, migration to Windows EBS requires additional preparation and planning steps, including the following:
If your environment includes Microsoft Internet Security and Acceleration (ISA) Server, plan to export your firewall rules before you install Windows EBS. After you install Windows EBS, you can import the rules into Microsoft® Forefront™ Threat Management Gateway on the Security Server.
If you are using Windows SharePoint Services in Windows SBS, plan to back up your SharePoint data for later migration to Windows EBS.
For more information about migrating Windows SBS to Windows EBS and decommissioning Windows SBS, download the migration guide from the Microsoft Web site (https://go.microsoft.com/fwlink?LinkId=117276).
Important
After you install Windows EBS and complete the procedures to migrate data, you must turn off your server that is running Windows SBS or remove it from the network. You must complete the migration process within 21 days of installing Windows EBS.
Firewall options
Firewall protection for your current network may be provided by a dedicated hardware device or a router that provides firewall capabilities. Your environment may also include a software-based solution.
In Windows EBS, the Security Server is designed to function as a network firewall by using Forefront TMG. Through regular updates, Forefront TMG (formerly called Internet Security and Acceleration (ISA) Server) helps protect IT environments from Internet-based threats while providing users with policy-based remote access to applications and data.
If your network already has a dedicated firewall or a router that provides firewall capabilities, you can replace it by using the Security Server as the network firewall, or you can deploy the Security Server behind your existing firewall. In many cases the simpler deployment option is to replace your existing firewall with the Security Server.
As an advanced option, you can retain your existing firewall and configure the Security Server as a back-end firewall for the existing device. This is an appropriate deployment option in cases where it is necessary to retain the existing firewall, including the following:
You have requirements for a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).
You require a network gateway that is provided as a managed service by an outside organization or service provider.
Your existing firewall devices at branch locations are not compatible with Forefront TMG.
Important
If your network includes a managed firewall device or a managed switch, contact your Internet service provider to help plan your installation of Windows EBS. When you schedule your installation of Windows EBS, ensure that your service provider is available to make any configuration changes that you need.
Depending on how you choose to deploy the Security Server, the Planning Wizard helps you collect the network address settings and firewall rules that you need later to integrate the Security Server into your network and to restore network connections. Guidance for performing the appropriate configuration steps is provided in the Installation Wizard and the Configuration and Migration Tasks checklist in Windows EBS.
Warning
If you retain your existing firewall, you will usually have more configuration tasks when you deploy Windows EBS. This choice requires you to maintain a more complex network topology that includes coordinated firewall settings in your existing firewall device and the Security Server. The added complexity of maintaining two firewalls can increase the potential for disrupted network services (for example, caused by mismatched firewall settings) and make troubleshooting more difficult.
Firewall address settings in Windows EBS
To integrate the Security Server into your network, you configure specific network address settings and connect the Security Server to your network hardware. The settings depend on whether you are replacing your existing gateway or firewall device or retaining it. In the Planning Wizard, you collect the network address settings that you need.
Procedures for configuring the network adapters on the Security Server and connecting the server to your network hardware are provided in the Windows EBS Installation Guide at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=108903).
Replacing the existing firewall
When you replace your existing gateway or firewall, by default the Security Server uses the internal network address settings of the existing device. The Planning Wizard saves these address settings for you to refer to later. During installation, the internal network adapter on the Security Server is configured with the existing gateway IP address, and you can configure the external network adapter with the external address of the firewall device. If you currently use a DHCP server to assign the external IP address of the firewall, you can also assign the external IP address of the Security Server dynamically.
As an advanced option during the installation of Windows EBS, you can type a new address for the internal network adapter that is on the Security Server. This address then becomes the new default gateway for your network. To ensure that the client computers in your network can make proper network connections after you install Windows EBS, you must update the client computers to point to the new default gateway. If the client computers obtain IP addresses from a DHCP server in your environment, you can update the DHCP scope in your DHCP Server service to use the new router (default gateway) address.
Note
If your existing firewall device has failover capabilities, make sure that you plan to decommission the secondary device at the same time that you replace the firewall device.
The following diagram illustrates the network topology before and after the Security Server is integrated.
.gif "Replace firewall with the Security Server")
Retaining the existing firewall device
In this configuration, your existing gateway or firewall device is retained, and it continues to function as before, with the added capabilities of Windows EBS. To accommodate using the existing firewall device and the Security Server, a new subnet is created between them.
The following diagram illustrates the network topology before and after the Security Server is integrated.
.gif "Security Server integration with existing gateway")
To integrate the Security Server you need the following information:
Your existing gateway IP address. The internal network adapter on the Security Server will be configured with this address.
A new IP address for your existing gateway device. You will reconfigure your gateway device with this new address during integration of the Security Server. You will configure this IP address as the default gateway address on your Security Server external network adapter.
At this time, you may also find it helpful to review the manufacturer's instruction for reconfiguring your gateway device.
VPN options
If your network topology includes a site-to-site VPN and you are planning to retain your existing firewall device, you can plan to terminate your VPN at the Security Server in Windows EBS instead of at your existing device. In businesses with up to 300 users or computers, it may be a simpler option to pass your VPN connection through your existing device and to manage the VPN connection by using Forefront TMG on the Security Server.
As an advanced option, you may choose to continue terminating your VPN at your existing firewall device. This may be an appropriate option in some cases, such as when your device or VPN is managed by an outside organization or service provider.
The Planning Wizard helps you collect the VPN access rules that you need later to restore network connections to the remote subnets. After you install Windows EBS, you will configure these settings by using Forefront TMG on the Security Server.
Remote access in Windows EBS
In Windows EBS, you can configure remote access to e-mail and to network resources. For example, with Remote Web Workplace, users can read and manage e-mail messages, access client computers, and access shared folders or Windows SharePoint Services sites from offsite locations.
To plan for remote access, you should choose a URL for Remote Web Workplace that is easy to recall, such as remote.adventure-works.com. You will provide this URL to set up Remote Web Workplace when you install Windows EBS.
Note
You need to configure the remote name in the public DNS to allow your users to access your network from remote computers. After you install Windows EBS, you are guided to perform this task.
You should also plan to obtain a public Secure Sockets Layer (SSL) certificate for this URL from a trusted certificate issuer. After you install Windows EBS, you are guided to configure Remote Web Workplace with this public certificate instead of the private certificate that is issued by default by Windows EBS. In many businesses with up to 300 users or computers organizations, this is a security best practice. If you already have a wildcard certificate for your domain, you can configure Remote Web Workplace with that certificate.
Storage area network support in Windows EBS
In the Planning Wizard you indicate whether you will use a storage area network (SAN) to store applications data from the servers for Windows EBS. The application data files include databases and log files that are used by the technologies for Windows EBS.
If you plan to use a SAN with Windows EBS, you need to choose temporary data storage volumes (usually on the servers for Windows EBS) when you run the Windows EBS Installation Wizard. After you install Windows EBS, you are guided to configure your SAN storage and to relocate the data files for Windows EBS.
Note
Depending on your SAN configuration, you may need to perform preliminary steps to configure the SAN and to provision the storage. For more information, see the documentation from your SAN provider.
Additional information about options for data storage in Windows EBS is provided later in this guide.
Server names and addresses in Windows EBS
In the Planning Wizard, you plan a name and a static IP address for each of the servers that are running Windows EBS.
You should name your servers with unique names that are easily identifiable on the network. The names that you provide are concatenated with your network domain name to build unique fully qualified domain names (FQDN) for each server for DNS resolution.
Note
A FQDN (in the form, {server name}.{network domain name}) cannot exceed 64 characters.
Important
When you run the Windows EBS Installation Wizard, the names are assigned permanently to the servers running Windows EBS. You cannot rename the servers later.
When you install Windows EBS into an existing environment, you assign a static IP address for each network adapter on each server running Windows EBS. Each server running Windows EBS has one network adapter that connects to your internal network. When you assign the static IP addresses for each of the internal network adapters, you can use any valid IP address that is compatible with your current network addresses.
Note
It is recommended that you plan to locate the Management Server and the Messaging Server in the same subnet, because these computers will replicate data from Active Directory Domain Services. If you choose to locate these servers in different subnets, verify that there is a high-speed connection between the subnets.
Save planning data
After you complete the Planning Wizard, you save and print the data that you collected in a customer report. You will refer to this report to configure settings during the Windows EBS software installation and when you complete the configuration and migration tasks.
If you are planning to join Windows EBS to an existing Active Directory domain, the wizard also stores the information you collected in Active Directory. The data is retrieved when you connect to the domain when you run the Windows EBS Installation Wizard.
If you are setting up a root domain in a new forest in Windows EBS, you must save the planning data from the Planning Wizard as an .xml file. You choose the location and name of the file. It is recommended that you copy the .xml file to an external storage device, such as a USB drive, for later use. You provide this file when you install Windows EBS.