To do this, we are essentially completing the tasks in the home screen of the Windows SBS Console, which should look like the following screenshot.
I’m assuming that you understand the concepts of firewalls and ports; otherwise, you will struggle to safely configure your network.
I’m also aware that OneCare for servers only provides an introductory offer for anti-malware and that another product will be required; however, it is easier to describe the installation of one product than to try to cover all products, so I’m using OneCare as a template. Whichever product you choose, it needs to be server aware, or you will need to exclude server product locations such as the Exchange data stores.
Network security configuration
There are a few areas where we can improve the security of the network. They concern the firewall, where we reduce the traffic that arrives at the SBS 2008 server, and the security certificate that is used to secure and identify the server communications.
Configuring the firewall ports
You will need the following ports configured on your firewall to direct traffic to SBS 2008:
If you were using SBS 2003, then you can close down ports 444 and 4125, which might have previously been open.
Loading a third-party security certificate
SBS 2008 creates a security certificate to secure its communications. Certificates are only valuable if everybody seeing them trusts the system that issues the certificate. All computers that are part of the SBS 2008 network trust the SBS 2008 server, so trust is achieved in this way. For computers that are not part of the SBS 2008 network, a special certificate must be loaded onto those machines so that they will trust SBS 2008; otherwise, they will show warnings to users about the integrity of the communication.
There are organizations called Certificate Authorities that have established trust in the marketplace, and most IT systems trust the certificates they issue. If you wish to have a more publicly trusted certificate, then you will need to purchase one from one of these organizations.
One area where third-party certificates are often needed is when using mobile devices, to enable the loading of the SBS 2008 certificate onto the phones. Without the certificate on the phone, synchronization of Outlook information to the phone cannot take place.
Importing a certificate
If you already have a certificate or have purchased one and have been sent a file containing the certificate including the private keys, then you should follow this process.
There are two steps to follow:
- Importing the certificate into the Local Computer Certificate store
- Assigning the certificate using the SBS Console
Importing the certificate
Start Windows SBS Console (Advanced Mode) from the Start menu, click on the Network tab, and then click on the Connectivity button. As this is the advanced console, you will see extra tasks available on the right-hand side.
Click on the Manage certificates task—if this is not present, check you are running the Advanced Mode console: it will say so in the title bar. This will run a management console with the certificates for your computer made visible. Expand the Personal tree and right-click on Certificates and select Import from the All Tasks menu item.
Click Next to pass through the welcome screen for the Certificate Import Wizard and then click on the Browse button to locate the certificate. Then, click on Next to continue.
You will now be required to enter your Password to enable access to the key. I would put a check mark in the two remaining check boxes: Mark the key as exportable, which enables you to export the certificate should you need to in the future, and the option to include the extended properties. Bear in mind that an exportable key can later be exported, private key included, by anyone with administrative access to the server. Then, click on Next.
You will be asked to confirm the location, which should be Personal. If it is not set to Personal, click on the Browse button and change the Certificate store to Personal. Then click on Next again.
Now click on Finish to complete the process and you will see a message stating that The import was successful.
Close the Certificates Management console.
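To confirm that the import worked, the following PowerShell check lists each certificate in the Local Computer Personal store and flags a missing private key, an invalid date range, or a chain that does not build. It is an added example, not part of the original text; the 30-day warning threshold is an assumption.

```powershell
# Added example: audit the Local Computer "Personal" store (Cert:\LocalMachine\My)
# after running the Certificate Import Wizard. Read-only; it changes nothing.
$WarnDays = 30          # assumed threshold: flag certificates expiring this soon
$now      = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert     = $_
    $problems = @()

    # A certificate imported without its private key cannot be used by the
    # server to secure its communications.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # Validity window.
    if ($cert.NotBefore -gt $now) {
        $problems += 'not yet valid'
    } elseif ($cert.NotAfter -lt $now) {
        $problems += 'expired'
    } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
        $problems += "expires within $WarnDays days"
    }

    # Build the chain in the machine context ($true) so the result reflects
    # what the server itself trusts. Revocation is not checked here, so the
    # check also works without Internet access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) { $problems += "chain: $($s.Status)" }
    }

    $result = 'OK'
    if ($problems.Count -gt 0) { $result = [string]::Join('; ', [string[]]$problems) }

    # One record per certificate; Issuer shows who signed it.
    $cert | Select-Object Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint,
        @{ Name = 'Result'; Expression = { $result } }
} | Format-List
```

Run it in PowerShell on the server after closing the wizard. A result of OK only means the certificate is usable from the server's point of view; use the Issuer column to tell a purchased certificate from one issued by SBS 2008 itself.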
Assigning the certificate
In the Windows SBS Console, click the task Add a trusted certificate to start the process. Click on Next to skip past the introduction.
If you have assigned a certificate before, you will be told that A valid trusted certificate already exists and you have the choice of renewing your existing certificate or replacing it. Select I want to replace the existing certificate with a new one and click on Next. If you have not added a trusted certificate before, then you will not see this screen.
On the Get the certificate page, select the option to use a certificate already installed on the server and click on Next.
The certificate that you installed will show in the list with a Type of Trusted, while the certificates issued by SBS 2008 will show as Self-issued. Select your Trusted certificate and click on Next.
Click on Next to start the process and then Finish to exit the wizard.