When your business is small and your IT personnel resources
are limited, having your ISP or an off-site hosting service handle your Web
site makes sense; it’s easy and cost-effective. However, as the company grows,
you’re likely to want more control over your Web server(s), and as your IT
department grows, you’ll have full-time staff on hand to manage the Web servers
and their applications. The time to plan for scalability is when you set up
your first on-site Web server.

What not to do

If your company is still relatively small when you set up
your Web servers, there is a great temptation to save money by running Web
services on a server that is already doing something else (a file server,
e-mail server or even a domain controller). While consolidating multiple roles
on a single server can indeed save you the cost of buying additional hardware
and licensing another copy of the server operating system (and such
consolidation is the basic premise of products such as Microsoft’s Small
Business Server), it’s not the way to go if you’re looking ahead to future
growth, and it can also pose security challenges.

Web services that are available to the Internet should never
be run on a domain controller. Web services are a common point of attack, and
running Microsoft’s Internet Information Services (IIS) or another Web server program
on a particular server gives intruders another avenue of attacking that server.
You shouldn’t expose any critical server (including file servers containing
important company data) to an increased attack surface, and you especially
don’t want to expose your DC.

Dedicate your Web server(s)

The best security practice is to disable Web services on any
server that’s not a dedicated Web server. Creating a dedicated Web server also
gives you the opportunity to place it outside your local area network, in a DMZ
or perimeter network.

A firewall separates the DMZ from the internal network and a
firewall also separates the DMZ from the Internet (this can be two separate
firewall devices creating what’s called a “back to back” DMZ, or it can be a
single firewall device that supports multi-networking). This protects the
internal network, so that even if an attacker penetrates the Web server in the
DMZ, he won’t have access to the computers on the LAN.
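
The zone separation described above can be checked mechanically. The following added example (not part of the original article) models a first-match rule list for the three zones and flags any flow that lets the Internet or the DMZ open a connection into the LAN, or that publishes anything other than Web ports from the DMZ; the zone names, port choices and sample rules are constructed assumptions.

```python
from dataclasses import dataclass

ANY = "any"
WEB_PORTS = {80, 443}   # assumption: the only services published from the DMZ

@dataclass(frozen=True)
class Rule:
    src: str       # "internet", "dmz", "lan" or ANY
    dst: str
    port: object   # TCP destination port (int) or ANY
    action: str    # "allow" or "deny"

def decide(rules, src, dst, port):
    """First matching rule wins; traffic that matches nothing is denied."""
    for r in rules:
        if r.src in (src, ANY) and r.dst in (dst, ANY) and r.port in (port, ANY):
            return r.action
    return "deny"

def audit(rules):
    """List (src, dst, port) flows that break the DMZ model described above."""
    # Ports not named by any rule all behave alike, so one stand-in (-1) covers them.
    ports = {r.port for r in rules if r.port != ANY} | {-1}
    findings = []
    for port in sorted(ports):
        for src in ("internet", "dmz"):   # nothing may open a connection into the LAN
            if decide(rules, src, "lan", port) == "allow":
                findings.append((src, "lan", port))
        if port not in WEB_PORTS and decide(rules, "internet", "dmz", port) == "allow":
            findings.append(("internet", "dmz", port))
    return findings

# Constructed sample policies (not taken from any real device).
WEAK = [
    Rule("internet", "dmz", 80, "allow"),
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "lan", 445, "allow"),     # Web server can reach LAN file shares
    Rule(ANY, ANY, 3389, "allow"),        # remote administration from anywhere
]
FIXED = [
    Rule("internet", "dmz", 80, "allow"),
    Rule("internet", "dmz", 443, "allow"),
    Rule("lan", "dmz", 3389, "allow"),    # administration starts from the LAN side
    Rule(ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(policy))
```

The same audit applies to a back-to-back DMZ or a single multi-homed firewall, since it reasons about zones rather than devices.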

Creating dedicated Web servers also makes it much easier to
later expand your Web services as the company grows. Eventually, you will want
to separate Web services from other functions anyway (especially if you move
into e-commerce), so if you do so from the beginning it won’t be necessary to
start all over in order to accomplish that.

One way to reduce the cost of licensing another instance of
the server OS in a Microsoft shop is to use Windows Server 2003’s Web Server
edition for your Web servers; it is significantly less costly than the
standard, enterprise and data center editions of the OS.

Server consolidation the right way

There is a form of server consolidation that can be used
effectively and safely for growing your Web services. That’s consolidating
multiple domains with different IP addresses on the same Web server. IIS and
other Web services allow you to create different Web sites as virtual servers.

Another way to further separate your Web servers, while
running them all on the same physical machine, is to use virtualization
software such as VMware or Microsoft’s Virtual
PC/Virtual Server to run multiple instances of an OS with each running Web
services. However, be aware that you are still required to get a license for
each instance of the operating system that you run in a VM, even though they
are all installed on the same hardware.

Server farming

As your Web sites grow in scope and popularity, you may find
that performance is slowed because of the number of hits you’re getting. This
is a good thing, in that it usually means your company is becoming successful,
but it requires some upgrading. One way to handle this is to add Web servers in
a load balancing cluster (multiple servers that work together to share the
processing load). This is sometimes called a Web farm.

Another advantage of a Web farm is fault tolerance. If one
of the servers goes down, your site doesn’t, because the other server(s) can
take over the downed server’s share of the load. This is especially important
if your site is used for sales transactions or to provide support to your
customers. You have centralized control over the servers in the farm, making it
easier to manage.

Planning your scalable Web solution

With your Web services, as with other aspects of your IT
infrastructure, it’s important to consider scalability at the very beginning.
This means considering hardware based on its upgradeability
— Web server appliances may be easy to implement but in many cases it’s
difficult to add a processor or more memory without buying a whole new

Even though you only need a single processor machine for
your site now, it makes sense to buy a machine with a multi-processor
motherboard so one can be added later if more processing power is needed, just
as it makes sense to get a machine with empty RAM slots. And if, as a small
business, you’re considering buying a refurbished or closeout computer, be sure
that it’s still upgradeable. For instance, there are some outlet companies
selling older model Dell Precisions that are great deals. We found a dual Xeon machine with a gig of RAM for a little over $600 — but
it uses Rambus, which is almost impossible to find
now and costs a fortune if you do find it. For a workstation that probably won’t
ever need more memory, it’s a steal. For a server that most likely will, it’s
not the best solution.

Think ahead: your server must be able to run more than today’s operating
system and Web software, because you just might want to upgrade to
more powerful (and more resource-hungry) software down the road.

Putting a little extra thought into your
initial choices and using “what if?” thinking (“What if we need
to have more than one Web domain later on? What if we decide to start
selling directly over the Web?”) can save you time, effort and money in
the long run.