First SMB network install in many years

occsean

I posted in here a few months ago to get some ground rule ideas and got some great feedback. I have a small accounting firm I support that will be moving to a new office next month and I am charged with setting up the network. A very very long time ago I used to do this kind of work but it has been many years so I've had to do a ton of reading, asking questions, etc. It's been great to learn new stuff. I think I have it dialed in for this set up but wanted to take this opportunity to present it to my more knowledgeable peers and see if my thought process makes sense and passes the litmus test.

There will be a total for now of 7 users. 2 of them are partner members and 5 are staffers. There is no server. Light file sharing is being done via a 2TB RAID 1 NAS which also houses full image backups of the partner machines. The NAS has an external 2.5" 2TB USB drive backing it up, which is rotated weekly offsite.

ISP--Comcast 50/15 modem purchased by me. Arris SB6183
UTM--NexGen NG-Mini with Untangle FW Complete 25 devices. UTM will have static IP on external interface
Unifi 24 port PoE managed switch (US-24-250W) which will have two VLANs for the AP
Unifi Lite AP connected via PoE
24 port patch panel already in place--18 drops throughout office
NAS into switch on same LAN
Rest of network will be workstations and shared wired printers/MFDs
Unifi cloud controller connected directly to switch

AP will have two LANs:
One for employees' personal devices with no access to network resources like NAS or workstations
One for guests on a different subnet than other LANs

OpenVPN module on UTM will be used to provide RDP for partners to work from home

All equipment mounted in a Navepoint 9U Deluxe IT wall-mount locking rack

I haven't completely decided which of the modules of the UTM I will utilize but for certain the anti spam, virus blocker (in addition to workstation AV), intrusion detection, and ad blocker. I am up in the air about content and application blocking as it is such a small office and I don't really feel the need to block 7 adults as if they were children when they have never demonstrated childish behavior to me.

I know this is pretty basic stuff at its core. But it really has been quite some time since I have worked with even SMB level networking equipment. Last time I was involved at this level we barely had stacking switches, used Windows Proxy Server at the edge, and fast internet was a T1 circuit.

In any event, I very much appreciate anyone who takes the time to read through this and leaves any insight, comments, or suggestions that my customer would benefit from.

Thanks!!
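The segmentation described in the post (wired office LAN, a VLAN for staff personal devices, a VLAN for waiting-room guests, neither allowed to reach the NAS or workstations) can be sanity-checked before the switch and UTM rules are typed in. The script below is an added example, not the poster's configuration or Untangle's own rule format; the subnets, the rule list and the sample hosts are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed example addressing; the thread names no actual subnets.
NETWORKS = {
    "office": ipaddress.ip_network("192.168.10.0/24"),      # wired LAN: workstations, NAS, printers
    "staff_byod": ipaddress.ip_network("192.168.20.0/24"),  # employees' personal devices (VLAN)
    "guest": ipaddress.ip_network("192.168.30.0/24"),       # waiting-room guests (VLAN)
}

# Inter-zone policy modelled as (source zone, destination zone, action).
# First matching rule wins; anything with no matching rule is denied.
RULES = [
    ("staff_byod", "office", "deny"),
    ("guest", "office", "deny"),
    ("guest", "staff_byod", "deny"),
    ("staff_byod", "guest", "deny"),
    ("staff_byod", "internet", "allow"),
    ("guest", "internet", "allow"),
    ("office", "internet", "allow"),
]

def zone_of(ip):
    """Map an address to the zone whose subnet contains it, else 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "internet"

def allowed(src_ip, dst_ip):
    """Evaluate the policy for one source/destination pair (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, action in RULES:
        if rule_src == src and rule_dst == dst:
            return action == "allow"
    return False

def check_design():
    """Return a list of design problems; an empty list means the plan holds."""
    problems = []
    for (a, net_a), (b, net_b) in combinations(NETWORKS.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} and {b} subnets overlap")
    nas = str(NETWORKS["office"][10])          # constructed NAS address on the wired LAN
    egress = "203.0.113.10"                    # constructed internet host (TEST-NET-3)
    for wifi in ("staff_byod", "guest"):
        client = str(NETWORKS[wifi][50])       # constructed wireless client
        if allowed(client, nas):
            problems.append(f"{wifi} can reach the office LAN ({nas})")
        if not allowed(client, egress):
            problems.append(f"{wifi} has no internet egress")
    return problems
```

Dropping or mistyping one of the deny rules makes check_design() report which wireless zone can reach the wired LAN, which is the mistake most worth catching before clients are on the AP.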
 
It's looking fairly well thought out.
Got a battery UPS for the NAS/network distro? One with decent nut since you have a POE switch.
Re: the Unifi AP...not knowing the size/layout of the office, a second might be worth considering...having a couple of low TX power to cover an office is better than 1 trying to do higher power. If running additional cables is a pain, consider the data jack wall mounted APs (they go where the CAT5 wall plates go). They just released the AC versions of those (2.4 and 5.0)...so if taking that route I'd wait for them...versus picking up the prior gen 2.4 only ones. Hard to say..might be a physically small office so the single AP would suffice. Maybe if going single..upgrade to an LR.

What are they doing for e-mail now? Many if not most business e-mail hosts already do spam filtering. I generally try to avoid having multiple SPAM filter services...too many black holes to try to keep up with. But if their current mail host does no spam filtering, then the pro package of Untangle does a great job. Only thing I suggest is beefing up the hardware platform..as spam filtering adds a load. For an office of over half a dozen, and probably using a lot of hosted online apps...I'd already consider the Mini appliance too small on a Comcast pipe. I'd want to bump up to a larger appliance with 4 gigs of RAM and an SSD. I still run the web filter...even if I'm not cranking up categories for filtering. It still helps in blocking malicious sites...in addition to the phish blocker. Both AV scanners. Bandwidth control is EXCELLENT. Adblocker...you have to keep updating this a few times a year, and I put googleadservices.com in the whitelist. IDS takes up horsepower too...don't run that on 2 gig or less systems.

Happy to help with Untangle if you need any.
 
I'd be lying if I didn't say I hoped you jumped in on this thread. Any suggestions on battery UPS that will fit that rack? Office is 2400 sq ft. Going with two APs sounds like a good idea. Mail is Office 365. And all apps are local, nothing hosted. Still think I should look at the Mini if the firm is looking towards future growth?

Thanks for the input.
 
To be honest I'd skip the spam filter module if they're using O365. Just crank up the settings in O365's filtering. Since you're doing the Complete package, if they think too much spam is coming through O365's filters..you can always turn on Untangle's filter. I just don't like 2x filtering services...you have 2 places to hunt for MIAs..and 2 places to do your whitelists and blacklists...and 2x different places to check for F/Ps or quick reviews...(confusing for clients)

Accounting firm with no online apps, all local, and no Windows server? What apps are they running? All accounting clients we have, those apps need a Windows server; a NAS isn't an option.

If Jim still has a few "special builds" for sale...go for those. It was basically an NG-50 in a full NG-100 chassis...and he included 4 gigs of RAM and a Sammy SSD. They were going for around 650 bucks. It's an older Atom D525 CPU but performance wise against the newer Atom in the Mini..they're about the same...1.8something and 4x cores. Plus....a big bonus.....you get all those additional interfaces which allow you to unleash the incredible flexibility and power of Untangle. By the time you take that Mini appliance and add more RAM and upgrade to an SSD...you're at the same price! I don't like Untangle under 4 gigs of RAM, I shoot for 8 on larger networks (like around 100 nodes).

I just checked on his site, he still had it up so I'm guessing he still has some in stock.
https://nexgenappliances.com/ng-fir...250_gb_samsung_evo_s/ram-4gb_ddr3_ram_standar

Re: APs...while you likely could get away with 1, yeah it's just more solid to go with 2 and lower TX. Especially if they're running local apps over the wireless (which I'd try to discourage with accounting apps).

Doing RDP right to each workstation via the VPN tunnel?
 
RDP straight through the tunnel to the respective workstation via tunnel.

They run Practice CS, various flavors of Quickbooks, and for the life of me I cannot remember the name of the other application but it is a local install to each workstation with shared data on the NAS.

Thanks for the advice on the spam filter and I will go take a look at the special build they have up on the site. I reached out to them via phone the other day. Can't remember the guy's name I spoke with but he was really laid back and it was obvious he knew what he was talking about. Convinced me to order from NexGen over the Untangle appliance.

The wifi will not be running any apps. All workstations are wired desktops. The wifi is really only there for the occasional client in the waiting area and the employees' personal devices.
 
A single AP prolly OK then.
Rob or Jim are the 2 guys. Rob is very active on Untangle's forums. Probably Jim you spoke with if you thought the person was laid back. Both good guys.
We purchase hardware from NexGen, but we get Untangle licenses direct from Untangle....we've been signed up as resellers since...version 5 days. So our margins are very very good.
 
I should buy my license from you. LOL. I was going to bundle both with NexGen to take advantage of the coupon code they gave me. 10% is 10%. I'll take it.
 
It's up to you...if you're getting back in the game and will be doing more and more SMB networks, and selling more Untangle licenses down the road, I encourage you to sign up with Untangle direct. We're at 35 or 40% margin..I forget which. So once you get 20 or 30 or 40 Untangle installs out there, with most of them being on paid packages...annual renewals, turns into nice gravy recurring revenue throughout the year.
 
2 questions for stonecat:
1. Why do you exclude googleadservices from the adblocker?
2. I have a client on o365 with the Untangle Spam Blocker turned on but it doesn't seem to be scanning anything. I was under the impression that it can only scan port 25 even with the SSL inspector enabled. How can I make it scan o365 and gmail traffic as well, at least for testing purposes?
 
We got too many complaints from clients that the top results from a Google search were always blocked when they click on them. Like..you do a Google search..and then you get your list of results. Usually the top 3 or 4 or whatever are "paid" bumps with Google..and then the 4th or 5th on down are the organic results. But clients love clicking on the top results. Granted...AdBlocker is technically doing its job since those top results are technically advertisements, but...clients are just happier when I white list those.

For Office 365....Untangle's spam filter sits BEFORE the mail server. Having it in between Outlook connected to the Exchange server is not where you place Untangle's spam filter. The MX record points to Untangle...and then Untangle routes to an SMTP service which forwards the clean mail onto the client's mail server. Untangle cannot scan in between an Outlook client connected to Exchange...that's a dynamic MAPI encrypted connection starting on port 145 but changing after that. So way back when we had clients with on-prem Exchange..the MX record pointed to our office...our spam filtering "washed" the mail, and then a connector forwarded to the client's Exchange. So back years ago when O365 first came out, we just flipped the forwarding connector to <clientsdomain>.mail.protection.outlook.com. But we soon realized O365's filtering was pretty decent once you adjust it a bit, and that our filtering was just adding unnecessary complication.
 
More good info man. Thanks...

I installed Untangle onto an old dual core box I had sitting around last night and placed it into my home/shop network exactly the way I am going to be doing for my customer. I had only read about Untangle, mainly here in Technibble to be honest.

I was anticipating a few hours of reading, banging my head against a wall and dealing with stupid archaic old school firewall rules all night. I am amazed at how easy untangle is to deploy and configure. It was a snap. I mean I realize there are some advanced settings and configs I didn't touch but I had a fully functional 20 device network, with an AP, that was hardened against viruses, had a content filter, was filtering spam, and had a vpn server fully configured within 90 minutes. Oh and then I discovered I didn't even have to sit in front of the box. Or even be in the same country as it. There is a command center to manage it all. This product is awesome!! Glad I dove in...
 
My main comment popping in late is to stick with just one AP, particularly since the AP is strictly for two "Guest" networks (one for staff devices, one for actual guests). If no "business" devices are going to be on WiFi, then the AP is a courtesy not really a business need.
 
I agree with it not being a business need for the time being, but it is a direct client request so I want to make sure that it is operational and functioning as well as it can. I think the one AP should cover it. If not, I'll get one of the wall units that YeOldStonecat recommended.
 