Saturday, 18 October 2008

SBS 2008 - The built-in DDNS service Canadian considerations

Susan draws attention to the new Dynamic DNS setup in SBS 2008: Dynamic DNS service on SBS 2008 under the hood.

Essentially, for those who have worked with or our favourite, the Dynamic DNS (DDNS) service will "automatically" redirect a DNS A record to a dynamic IP no matter what the ISP assigned IP is. Thus the name "Dynamic DNS".

A number of years back these services were very common and used a lot as ISPs back then only offered static IPs with their very expensive business class services.

Around the same time in Canada, ISPs began to flush businesses out of consumer grade service plans into business grade service plans. At the business plan entry level, things were essentially the same as the consumer grade plan, but the ISP could charge more for the service. Static IP plans were still not the norm and quite a bit more expensive.

In the last couple of years, Canadian ISPs have been offering "Server" class plans with one or more static IPs assigned to the customer at a very reasonable rate.

So, in our case, we migrated our clients over to our favourite ISP Nucleus to get a true static IP setup, some pretty good upload/download speeds, and great service.

With the advent of high volumes of spam being spewed from compromised consumer systems, people running servers on dynamic IPs, and other reasons our Canadian ISPs have moved to block all inbound traffic to those customers with dynamic IPs.

What does that mean? It means that all of the standard ports for inbound traffic are unavailable:
  • SMTP port 25
  • HTTP port 80
  • HTTPS port 443
  • POP3 port 110
  • TELNET port 23
  • FTP port 21
  • SSH port 22

Gone are the days where people would run FTP and HTTP servers on their consumer grade Internet connection.

ISPs have even gone as far as limiting business "server" grade services to residences without proof of business operations.

So, what does this mean for us? It means that part of setting up a client's SBS 2003/2008 office is to do due diligence with the ISP they may already have, or potential ISP if it is a new office or business.

Verify if the ISP does indeed block critical services inbound traffic on the ISP's service plan the client may be on or want to sign up to.

The ISP may also restrict outbound traffic for the various server services, especially e-mail SMTP. Make sure to investigate the ISP's policy on outbound traffic too.

At least in Canada we know that if we sign our clients up with ISPs that have a "server" class service no restrictions are in place.

Also, keep in mind that services like PPPoE may cause headaches with inbound traffic.

Also, one of our national ISPs here, there may be others, use a MAC address registration system to "secure" their networks. If there is a need to bind more than 1 static IP to the same NIC on your gateway server or appliance make sure to verify that your client's ISP uses true static IPs and not DHCP reservations with no ability to bind more than 1 IP to a NIC.

The MAC address situation has been a plan buster many a time due to an inability to move to another ISP.

As always, "Buyer Beware" ... due diligence is necessary to guarantee things will work as they should.

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

No comments: