1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

DHCP/VMware question?

Discussion in 'Networks' started by John Neerdael, Feb 7, 2009.

  1. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Hey guys, In my classroom we have a few weeks to design a network for a small fictional company with around 100 users. Basically what we NEED to do is create one server that functions as DC,DHCP,DNS,IIS,Exchange server. However our group of three took it upon us to create a little more advanced project with seperate lan's to increase security and a isa firewall (all servers need to be based on win2k3). We also threw in some subnetting and a dhcp relay server (the firewall) instead of just making the firewall the dhcp server.

    Now we are designing the network in a classroom that is a VLAN in our school (172.16.240.0/24). Our group has been assigned the range to use: 192.168.0.0 -> 192.168.4.255, so basically we have 5 class C ranges at our disposal.

    We are recreating this on VMWare workstations on multiple pc's. Now basically I want to know what I can do to make sure that:
    1) Our DHCP server gets chosen over the one from school
    2) That a XP workstation that is supposed to be in 192.168.3.0/24 will actually gets a ip from that range.

    I suppose if it's possible to let this work it's gotta be by the use of different VMNet's, however I'm not sure how I should set these vmnets up in order to make sure they work on the network but only in the range they are supposed to work in.

    Here is a visio diagram of our network: (Let me know if you find any flaws in the network setup or potential problems)

    [​IMG]
     
    WIP: MCTS: 70-640
  2. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    If the setup has to be realistic and not just a lab exercise on how to subnet then it is far to complex for one you are trying to do.

    A few things you may want to consider changing.

    *You cant just place a single Exchange server in a DMZ. For that kinda setup a frontend server can be placed in a DMZ and the backend one will be on the LAN. Some techs even debate the merits of even placing the front end Exchange server in a DMZ.

    *Ditch most of the subnets. Go for an ISA server with three interfaces.

    *Public
    *Private
    *DMZ

    *Ditch the relay agent and place a DHCP scope on a DC. If you want split the scope over two DCs for fault tolerance.


    Rule 1 in networking: Keep it simple. :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  3. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Doesnt Security > Simplicity? I understand what you are saying however. What I dont understand is why there cannot be a single exchange server in a dmz? If you set the appropriate settings in your ISA server the mail server should be both reachable from inside the network as out no?

    As for the exercise it's not meant to be completely realistic, off course otherwise things would be done slightly different, it's to show our teacher what we have learned and that we can implement it, I suppose we could make the change to only 3 nics just for our practical showings.

    edit: Been thinking further, basically what I'm looking for if something like a setting in VMWare where you can tell the VMNet on which network it's supposed to be and stay. I think there must be this possibility in the Virtual Network Editor but I'm no VMware expert and I'm sure someone can tell me if it's possible or not.
     
    WIP: MCTS: 70-640
  4. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Well for a start all the PCs on the LAN need to talk to the Exchange Server to get access to the mailboxes. Also Exchange integrates heavily with AD so you will need to open up ports between the DMZ and your LAN. The more ports you open the less security you have and the whole concept of the DMZ goes out the Window.

    As for the security side of things is there any particular reason why you need a full class C subnet with only 12 PCs on it?


    Can help with the VMware stuff Im afraid but there are a few peeps on here that use it so hopefully someone else can help. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  5. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    No dont need a whole class C subnet for only a few workstations. The idea is just so that they are all seperate lans and to gain a extra layer of security where each lan cannot connect to the other without express permission, if ISA is integrated with AD it's maybe better to set these permissions based on users then on lan?
     
    WIP: MCTS: 70-640
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    If a PC is on another LAN what stops me logging onto it if I have a username and password for an account on the domain? :biggrin

    If you want security (just looking at it from the point of view of subnets) then you might want to go for VLANs with access control lists, Cisco kit supports this.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    So does HP Procurve kit. I knows coz I doz it :D
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  8. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Security in terms of making it easy for instance in allowing one LAN to not access the internet, while the other can etc, so in terms of ISA setup, for instance there is one subnet where the direction and it staff is located on and I can just give that subnet more permissions then others, it's deployed solely on vmware workstation so sadly vlans for this deployment are out of the window. Since ISA supports ip ranges aswell as users it should be possible with ISA aswell to tell who can logon the domain from which network segment.
     
    WIP: MCTS: 70-640
  9. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    You also have the option to do this in AD, you can control which users can logon to what computers. This is common in situations where you just want training accounts to log onto PCs in the training room for example.

    In regard to ISA controling web access you can do this as you can run it as a proxy server with Integrated Windows authentication so you dont have to worry about where the user logs on from.

    I would still ditch the majority of the subnets you have listed, ISA is difficult enough at the best of times.:biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  10. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Nice network diagram, however I would make a few changes:

    1. As Sparky has said either deploy a front end exchange server into a DMZ behind the current firewall and then a backend exchange server behind another firewall with the rest of your network.

    2. Reduce the number of subnets, you have 12 machines per subnet, the reasons behind subnetting are to reduce broadcast and collision traffic for usability as well as security. I would recommend changing this to co-inside with perhaps the Users roles e.g.

    Subnet 1 - 25 Developers require access to Internet and have more advanced permissions.
    Subnet 2 - 50 Office Works, require access to email and not Internet and have locked down permissions.

    3. Throw a curve ball in and have a RRAS Server for some home workers.

    Subnet 3 - 25 Home Workers, who dial into a RRAS Server which via L2TP IPSec\PPTP using MSCHAP 2 Encryption which uses Port Forwarding and various Filters to connect to the domain.

    Also another reason for reducing the subnets is cost.

    Anyways its looks like that you have put alot of thought into this and for that I applaud you :D
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  11. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Thanks for that input, that seems like a good idea to implement. Since we are a bit limited on the amount of servers we use, is it viable to use our webserver and fe mail server also as RAS server (I've readed RAS is best for security in a DMZ, correct me if wrong). And then our DC1 also as be mailserver? So that in this way we dont use any more virtual servers. Or does this pose any serious security flaws apart from just lower performance of the servers. (Performance isnt a issue since it's crap anyway, our school lets us create labs on machines with only 1gb physical ram :( )
     
    WIP: MCTS: 70-640
  12. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Yep, you can use a Front End Server as a RRAS Server as well. I wouldn't have recommended it on a Back End Server due to the security implications.

    I'm assuming that DC1 is going to have the 5 FSMO Roles in your environment? and DC2 is mainly being used for fault tolerance?

    If this is the case then I would tweek the setup as follows:

    Mail & Web Server - Front End Exchange Server, RRAS Server & Web Server
    DC1 - DC 5 FSMO Roles, Active Directory Integrated DNS Secure Dynamic Updates, 80% DHCP Scope and File Server
    DC2 - DC, Active Directory Integrated DNS Secure Dynamic Updates, 20% DHCP Scope and Back End Exchange Server

    This way you are your main DC1 does what it does best which is run your environment and then you have all the Users Mailbox Stores etc on DC2 and you have a high amount of Fault Tolerance (your backup solution should cover the File Server part).

    Ideally, it would be good to have a seperate Back End Exchange Server, but I think the above will achieve good security, as you can implement IP Address, Protocol and Port Filtering on your Firewalls and also on your Routers as well (as per my comments in relation to what your users will be doing) to enhance the security.

    Would be great to see your final network layout :)
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  13. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    This is what I cooked up now, had done it before this last reply of you but in my initial draft I still had the file server on dc2 & be exchange on dc1, I just switched those 2 quickly around before posting.

    I have to admit that the way our group is approaching this class based assesment is alot beyond the scope of what we have learned in the class. I know what a RAS server is and what it is used for but anything beyond that we havent even touched. Same goes for ISA/Exchange for which we only have spent a few hours each in the classroom being a basic installation. For the DC's we havent seen how to use 2 domain controllers so FSMO is a completely new concept for me aswell. I just googled a bit about FSMO and I understand what it does but how do I set it up, or will those tasks automatically be assigned to the 1st domain controller deployed in the domain?

    Here is my next draft following your suggestions which were very nice and still kept my initial ideas intact although simplifying it.

    [​IMG]
     
    WIP: MCTS: 70-640
  14. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Looks good John, however please stick another Firewall in between the Internet and the Front End Server so it looks like this

    Internet > Firewall > DMZ for Web/Exchange/RRAS Server > Firewall > Into your Network

    The reason for this is then you have two control points, the External Firewall and Internal Firewall. Apologies for not using Visio, haven't got round to installing it yet.

    The FSMO roles are installed automatically on your first DC.

    I think someone is going to get a Gold Star :D
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  15. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Much better mate. :thumbleft

    Do you have anything else to consider in this design? Do you need a file server or print server?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  16. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    @craigie: What additional security would a:
    [​IMG]
    have over a dmz that is setup as (how is this setup called in networking?):
    [​IMG]
    and arent both viable options? Specially since we are limited on hardware to work on.

    The server in the drawings is the DMZ, the host and switch is the LAN

    @sparky: actually yes we need a print server on one of the machines that are currently in the network, however even though that might be the most simple task of all I havent wrapped my head around that yet on how & where I would place the print server.
     
    WIP: MCTS: 70-640
  17. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    They are both viable options, however based on your first post which was about security this is a much better option.

    Think of it this way:

    If you only have one firewall and someone gets through you are buggered. If you have two firewalls you can lock down the internal firewall so that users can continue to work as per normal but without web access.

    Dang it I'm meant to be studying :D
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  18. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Ah ok, well its cost & security like always (the fictional company is rather small and teacher wants us not to overdo it with to many servers), I dont think I'm going to push it this hard but I think I'll make a lab in your setup just to see if I can get it running using 2 firewalls.

    edit: Another question, isnt it security wise always better to put your servers on a seperate network segment? Cause in this design both the servers and the developers are in the same segment. If so I could potentially give the 2 servers a seperate network segment and put the developers & office workers together on a /23 network and make the internet access permission completely user based when isa is integrated with active directory.
     
    WIP: MCTS: 70-640
  19. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    It depends on what the role of the server is. If its a webserver then yes, put it on its own network (DMZ).

    However if its a domain controller then you it is best for the clients to be on the same network segment for network connectivity. If security is a concern there are certain templetes you can apply to the server to reduce the amount of services running etc.

    http://support.microsoft.com/kb/816585

    P.S do me and cragie get a reference in your final report? :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  20. John Neerdael

    John Neerdael Nibble Poster

    80
    0
    26
    Dont you set this network connectivity up on ISA when the dc's are on a seperate segment? And then give the IT staff full access to the domain controllers and the rest only access on ports that are essential. At least that was my thought on it, when they are on the same segment the workstations can connect to any port on the servers no matter what their isa permissions are etc.

    edit:
    Did you meant lockdown the external firewall? If you lockdown the internal one wouldnt you stop the functioning of the lan, while locking down the external firewall will just block all internet traffic
     
    WIP: MCTS: 70-640

Share This Page

Loading...