First off, sorry if this is posted in the wrong group. A client of mine has an SBS2003 server in a small office environment (11 client PCs). Randomly, some users cannot access the internet; they still have full access to all network shares and printers. The rest of the office have normal internet access.
I spent a fruitless day on site with them testing network switches and the firewall router. I have now ruled out everything but the SBS2003 server (it handles DHCP & DNS).
One thing I did notice just at the end of the day: one PC that had been online stopped accessing the internet and one that had been "blocked" started working. I do not know if this was a coincidence, but I could find no settings or limits on the server to explain it.
This is an inherited system and was set up before I took it over. However, the office only recently got broadband (in the last 2 years) but have been up and running many years before that. So I would imagine that is the reason the server is handling DHCP.
Also, from what I have been told, everyone could access the internet to begin with.
It's an ASA 5505. I've checked the Cisco site and sure enough it's true. As to why they limit outbound connections I do not know. I can understand incoming VPN connections being limited, but there you go :-)
SBS2003 is an all-in-one complete solution for small/medium sized companies to be able to utilize the expensive corporate features of large companies with corporate servers without the price tag associated with it. DHCP and DNS are done on the SBS server because so many services/features are tightly intertwined together.
Cisco limits outbound connections so that they can either up-sell you to the next higher model to ensure their performance is on par with what they and customers come to expect from them, or you can purchase additional seats/CALs to allow more users with the existing equipment. I've encountered this sort of situation with multiple clients who are very "cheap" and want the best stuff but want it at consumer equipment prices.
One way around this, at least temporarily, would be to get a "regular (like Linksys)" router behind this device. If you have all 11 machines that need to be accessing the SBS network, then you set this router to the DMZ and hook these other devices up behind the second router so there is no network segmentation.
But if you have a couple of computers that are guests or not part of the SBS domain, you can simply plug those devices into/behind this router and what it will do is cause the Cisco firewall to only see the router and anything behind it as a single device. Double NAT is not an ideal situation but you can still benefit from the Cisco firewall rules or VLAN if used or if you do not have/use any packet inspection/firewall rules.