That will depend on how much safety you realistically need, what you want to invest, and what the customer will allow.
Jassim Rahma wrote:but what's the best way to do it.
Life can be good if you physically "own" the server. Lock it in a box, add a seal, done.
If the server-software is running on hardware that you do not control, than a dongle would be a good idea. The clients might not need one. Not only does that cut some cost and some mucking with keys, but also makes support a bit easier. If the servers' webservice is blocked, then the client should simply refuse to work. If someone sabotages the things that the software needs, simply exit the app - a client is kinda useless without a server. As long as the server is secure, all is well.
Ultimately, having dongles on the clients gives you some more control over how much of those are out there. We used a HASP 4[^], later seen Hardlock in use at another company. I've tested it for a day, downloading all kind of "hacks" claiming to be able to break it. Didn't work then, and seems the dongles have even learned some new tricks by now.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]