Sysadmins I feel your pain
From an earlier post made in December 2005 elsewhere...
This past Saturday's festivities proved to be a challenge, ultimately ending in failure. You see, we attempted to migrate our crusty old Linux Mail/Web/NAT/Firewall/File server to a shiny new Windows Server 2003 machine doing all the same stuff.
We have used Linux for this task in the past, but since we are largely a Microsoft shop, and our clients are also largely Microsoft in their own infrastructures, we decided that perhaps it was time to eat our own dog food, as it were. My one reservation was using Exchange for messaging (read: EMAIL).
After setting up Server 2003 on a new Dell server-class machine in-house and configuring that system for Exchange (making it a domain as a requirement, because Exchange appears to need Active Directory; so we are a tiny company with Active Directory set up, and oh, the joys of that are indescribable, cough. In order to be a domain you need to configure the machine to also be a DNS server, never mind that you may have your DNS hosted elsewhere; Windows wants to be everything, so you allow it to at least think it's the authoritative DNS, which it really isn't).
At this point Exchange is configurable and we can seemingly get attached to it via Outlook, or should I call it LOOKOUT! So on the morning of the migration we start copying email from our old SENDMAIL server via IMAP to the pristine Exchange server via LOOKOUT. I should say moving mail, because LOOKOUT's default is to copy and then remove the message from the source; by the time we discover this little ditty it's too late for some high-profile mail accounts, like the president's. (Before you go blasting me, YES, I have a backup, but that's not the point.)
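The loss described above comes from the client doing a move (copy, then delete from the source) instead of a plain copy. The following is an added example, not code from the original post: a small Python copier built on the standard-library imaplib call shapes that opens the source mailbox read-only (so the server refuses any delete or flag change), fetches with BODY.PEEK[] (so it does not even mark the old mail as read), and reports seen-versus-copied counts so you can verify before retiring the old server. `FakeImap` and the two sample messages are constructed stand-ins so it runs offline; the host names in `__main__` are placeholders.

```python
"""Copy (never move) an IMAP mailbox between two servers.

Added example, not code from the original post. Uses the imaplib
response shapes; FakeImap is a constructed in-memory stand-in so the
copier can be exercised offline. Host names in __main__ are placeholders.
"""
import imaplib
import re

# Pieces of the untagged FETCH response line that precede the message literal.
FLAGS_RE = re.compile(rb'FLAGS \(([^)]*)\)')
DATE_RE = re.compile(rb'INTERNALDATE "([^"]+)"')


def copy_mailbox(src, dst, mailbox='INBOX'):
    """Append every message in src/mailbox to dst/mailbox.

    The source is opened read-only (EXAMINE semantics) and fetched with
    BODY.PEEK[], so the copier cannot delete messages or flip \\Seen on the
    old server. Returns (messages_seen, messages_copied) for verification.
    """
    status, _ = src.select(mailbox, readonly=True)
    if status != 'OK':
        raise RuntimeError('cannot open source mailbox %s' % mailbox)
    status, data = src.uid('SEARCH', None, 'ALL')
    if status != 'OK':
        raise RuntimeError('UID SEARCH failed on %s' % mailbox)
    uids = data[0].split()
    copied = 0
    for uid in uids:
        status, data = src.uid('FETCH', uid, '(FLAGS INTERNALDATE BODY.PEEK[])')
        if status != 'OK' or not data or not isinstance(data[0], tuple):
            raise RuntimeError('UID FETCH %s failed' % uid.decode())
        head, raw = data[0]
        # Carry flags and the original internal date across. \Recent is
        # server-assigned and cannot be set by APPEND, so it is dropped.
        flags = FLAGS_RE.search(head)
        kept = [f for f in flags.group(1).split() if f != b'\\Recent'] if flags else []
        flag_str = '(' + b' '.join(kept).decode() + ')' if kept else None
        date = DATE_RE.search(head)
        date_str = '"' + date.group(1).decode() + '"' if date else None
        status, _ = dst.append(mailbox, flag_str, date_str, raw)
        if status != 'OK':
            raise RuntimeError('APPEND of UID %s failed' % uid.decode())
        copied += 1
    return len(uids), copied


class FakeImap:
    """Constructed stand-in mimicking the imaplib.IMAP4 responses used above."""

    def __init__(self, messages=None):
        # uid -> (flags, internaldate, raw message), all bytes
        self.messages = dict(messages or {})
        self.readonly = None
        self.appended = []

    def select(self, mailbox, readonly=False):
        self.readonly = readonly
        return 'OK', [str(len(self.messages)).encode()]

    def uid(self, command, *args):
        if command == 'SEARCH':
            return 'OK', [b' '.join(str(u).encode() for u in sorted(self.messages))]
        if command == 'FETCH':
            uid = int(args[0])
            flags, date, raw = self.messages[uid]
            head = (b'%d (UID %d FLAGS (%s) INTERNALDATE "%s" BODY[] {%d}'
                    % (uid, uid, flags, date, len(raw)))
            return 'OK', [(head, raw), b')']
        if command == 'STORE':
            # A read-only mailbox refuses flag changes, \Deleted included.
            return ('NO', [b'[READ-ONLY] STORE not permitted']) if self.readonly else ('OK', [])
        raise ValueError('unsupported command %s' % command)

    def append(self, mailbox, flags, date_time, message):
        self.appended.append((mailbox, flags, date_time, message))
        return 'OK', [b'APPEND completed']


SAMPLE = {  # constructed messages for the offline run
    1: (b'\\Seen', b'17-Dec-2005 09:15:00 +0000',
        b'From: ceo@example.invalid\r\nSubject: board notes\r\n\r\nKeep this.\r\n'),
    2: (b'\\Recent', b'17-Dec-2005 09:20:00 +0000',
        b'From: ops@example.invalid\r\nSubject: cutover plan\r\n\r\nSaturday.\r\n'),
}


def demo():
    """Copy the sample mailbox and report whether the source stayed intact."""
    src, dst = FakeImap(SAMPLE), FakeImap()
    seen, copied = copy_mailbox(src, dst)
    intact = len(src.messages) == len(SAMPLE)
    return seen, copied, intact, dst.appended


if __name__ == '__main__':
    print(demo())
    # Against real servers (placeholder hosts and credentials):
    # src = imaplib.IMAP4_SSL('old-mail.example.invalid'); src.login(user, pw)
    # dst = imaplib.IMAP4_SSL('new-mail.example.invalid'); dst.login(user, pw)
    # print(copy_mailbox(src, dst, 'INBOX'))
```

The design point is that the old server is never asked to do anything but read: `select(..., readonly=True)` and `BODY.PEEK[]` together mean that even a bug in the copier cannot lose a message, and the returned counts give you a check to run per mailbox before the old box is switched off.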
On putting the server in place we set out to configure the firewall and NAT features. Numerous documents tell you various conflicting things, but it appears that we need the full ISA version of the Microsoft firewall product in order to get Exchange access remotely without requiring the remote site to connect to a VPN. In fact we also need ISA for the full VPN class anyway, so we go about setting up the ISA product. Here is where we begin to get into trouble. It seems that the ISA product pretty much takes over the machine's IP/port traffic. The web server no longer responds and the DHCP server on this machine is no longer handing out leases. We futz about for some time and manage to get NAT happening again via the wizards in the ISA product. We solve the DHCP issue by getting an internal database server to also hand out leases.

The web server is, however, another matter. The ISA product is clobbering port 80 traffic and there is no document that we can find that points out how to allow 80 to pass through. What we do find is three different accounts of how to move the IIS server to some nonstandard port like 8080 and then bridge 80 to it via a custom rule and a TCP listener. OK, we get that happening, but when you attempt to connect to the web Exchange client the 8080 redirect causes traffic to round-trip back to your web browser and back to the server at 8080, where ISA blocks it because 8080 is not configured, and you can't find how to configure a port to just pass through.

I am sure the problem would not even exist if you did not attempt to have the one box running web server and firewall; Microsoft's answer to all stability issues appears to be: add another server. I already said we were a small firm, and 4 servers to support Mail, NAT/Firewall, Web and File/Print are out of the question. Don't even get me started on the mass of contradictory documentation available from Microsoft in a number of their sanctioned places.
I can say that nothing we read from the firm was conclusive and correct all day. The most valuable resources for us were third-party accounts from what I am sure are forcefully balding others of our ilk who, after navigating the same waters we were in to some form of safety, felt compelled to recount their own tales of woe in the hope that some other poor souls might be saved.
For all of you out there who helped with your writings, I thank you. I hope the hair plugs work for your newfound baldness. We, on the other hand, were forced to turn back. I realize that we are not true Sysadmins. I also realize that we were definitely in over our heads with this setup, but the poor documentation and the general attitude of "you should NOT be doing all this in one BOX" does seem to preclude the company's products in very small operations like ours. Don't get me wrong, I love much of Microsoft's offerings. Visual Studio .Net is perfect for us and its results are perfect for our clients. Their infrastructure stuff, however, leaves me underwhelmed. Now, where are those mail backups...