DHCP/VMware question?

Discussion in 'Networks' started by John Neerdael, Feb 7, 2009.

  1. John Neerdael (Nibble Poster)
    Hey guys, in my classroom we have a few weeks to design a network for a small fictional company with around 100 users. Basically what we NEED to do is create one server that functions as DC, DHCP, DNS, IIS and Exchange server. However our group of three took it upon ourselves to create a slightly more advanced project with separate LANs to increase security and an ISA firewall (all servers need to be based on Win2k3). We also threw in some subnetting and a DHCP relay server (the firewall) instead of just making the firewall the DHCP server.

    Now we are designing the network in a classroom that is a VLAN in our school (172.16.240.0/24). Our group has been assigned the range 192.168.0.0 -> 192.168.4.255 to use, so basically we have 5 class C ranges at our disposal.

    We are recreating this on VMware Workstation on multiple PCs. Now basically I want to know what I can do to make sure that:
    1) Our DHCP server gets chosen over the one from the school
    2) An XP workstation that is supposed to be in 192.168.3.0/24 will actually get an IP from that range.

    I suppose if it's possible to make this work it's gotta be by the use of different VMnets, however I'm not sure how I should set these VMnets up in order to make sure they work on the network but only in the range they are supposed to work in.

    Here is a visio diagram of our network: (Let me know if you find any flaws in the network setup or potential problems)

    [image: Visio network diagram]
     
    WIP: MCTS: 70-640
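An added example, not part of the original thread, to make the first question concrete on the wire: a DHCP client keeps no allow-list of servers, it simply takes the first DHCPOFFER it hears, so the isolation has to come from the segment (a VMnet that is not bridged onto the school VLAN) rather than from the client. The parser below decodes DHCPOFFERs and flags any that come from a server outside the group's assigned ranges (192.168.0.0 - 192.168.4.255, from the post) or that hand an address outside the subnet a given workstation is supposed to live in. The two sample OFFERs, the client MAC and the lab DHCP server address 192.168.1.10 are constructed here for illustration, not captured traffic.

```python
"""Parse DHCPOFFER packets and check them against the lab's address plan.
Added example (not from the thread); sample packets are constructed."""
import ipaddress
import struct

# Assumed from the thread: the group owns 192.168.0.0 - 192.168.4.255 and
# the school classroom VLAN is 172.16.240.0/24.
LAB_RANGES = (ipaddress.ip_network("192.168.0.0/22"),
              ipaddress.ip_network("192.168.4.0/24"))
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 option-field prefix


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header plus options 53 (message type),
    54 (server identifier) and 1 (subnet mask)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    yiaddr = str(ipaddress.ip_address(payload[16:20]))   # "your" address
    chaddr = payload[28:28 + hlen].hex(":")              # client MAC
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr,
        "msg_type": options.get(53, b"\x00")[0],
        "server_id": str(ipaddress.ip_address(options[54])) if 54 in options else None,
        "subnet_mask": str(ipaddress.ip_address(options[1])) if 1 in options else None,
    }


def check_offer(offer: dict, expected_subnet: str) -> list:
    """Return the problems with an OFFER; an empty list means it is acceptable."""
    net = ipaddress.ip_network(expected_subnet)
    problems = []
    if offer["op"] != 2 or offer["msg_type"] != 2:
        problems.append("not a DHCPOFFER")
    sid = offer["server_id"]
    if sid is None or not any(ipaddress.ip_address(sid) in r for r in LAB_RANGES):
        problems.append(f"offer from server {sid} outside the lab's ranges")
    if ipaddress.ip_address(offer["yiaddr"]) not in net:
        problems.append(f"offered {offer['yiaddr']} which is not in {net}")
    if offer["subnet_mask"] != str(net.netmask):
        problems.append(f"offered mask {offer['subnet_mask']}, expected {net.netmask}")
    return problems


def build_offer(xid: int, mac: bytes, yiaddr: str, server_id: str, mask: str) -> bytes:
    """Construct a minimal DHCPOFFER (only used to make sample input here)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s", 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4,                            # ciaddr
                         ipaddress.ip_address(yiaddr).packed,  # yiaddr
                         b"\0" * 4, b"\0" * 4,                 # siaddr, giaddr
                         mac.ljust(16, b"\0"))                 # chaddr
    options = (b"\x35\x01\x02"                                          # 53: OFFER
               + b"\x36\x04" + ipaddress.ip_address(server_id).packed  # 54: server id
               + b"\x01\x04" + ipaddress.ip_address(mask).packed       # 1: subnet mask
               + b"\xff")
    return header + b"\0" * 192 + MAGIC_COOKIE + options   # sname and file zeroed


# Constructed sample: one XP client, one DISCOVER, two competing OFFERs.
CLIENT_MAC = bytes.fromhex("000c29aabbcc")
SCHOOL_OFFER = build_offer(0x3903F326, CLIENT_MAC, "172.16.240.77", "172.16.240.1", "255.255.255.0")
LAB_OFFER = build_offer(0x3903F326, CLIENT_MAC, "192.168.3.50", "192.168.1.10", "255.255.255.0")


def first_acceptable(offers, expected_subnet: str):
    """A real client takes the first OFFER it hears; this instead returns the
    first OFFER that passes check_offer, or None if none do."""
    for raw in offers:
        parsed = parse_dhcp(raw)
        if not check_offer(parsed, expected_subnet):
            return parsed
    return None


if __name__ == "__main__":
    for raw in (SCHOOL_OFFER, LAB_OFFER):
        o = parse_dhcp(raw)
        print(o["server_id"], "->", o["yiaddr"], check_offer(o, "192.168.3.0/24") or "ok")
```

Run against a real capture, the same check tells you within one DISCOVER/OFFER exchange whether the school's server is still visible on the segment; if it is, no client-side setting will make the lab server win reliably.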
  2. Sparky (Zettabyte Poster, Moderator)
    If the setup has to be realistic and not just a lab exercise on how to subnet then it is far too complex for what you are trying to do.

    A few things you may want to consider changing.

    *You can't just place a single Exchange server in a DMZ. For that kind of setup a front-end server can be placed in a DMZ and the back-end one will be on the LAN. Some techs even debate the merits of even placing the front-end Exchange server in a DMZ.

    *Ditch most of the subnets. Go for an ISA server with three interfaces.

    *Public
    *Private
    *DMZ

    *Ditch the relay agent and place a DHCP scope on a DC. If you want, split the scope over two DCs for fault tolerance.


    Rule 1 in networking: keep it simple.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. John Neerdael
    Doesn't security > simplicity? I understand what you are saying however. What I don't understand is why there cannot be a single Exchange server in a DMZ? If you set the appropriate settings in your ISA server the mail server should be reachable both from inside the network and from outside, no?

    As for the exercise, it's not meant to be completely realistic, of course, otherwise things would be done slightly differently; it's to show our teacher what we have learned and that we can implement it. I suppose we could make the change to only 3 NICs just for our practical showings.

    edit: Been thinking further, basically what I'm looking for is something like a setting in VMware where you can tell the VMnet which network it's supposed to be on and stay on. I think there must be this possibility in the Virtual Network Editor but I'm no VMware expert and I'm sure someone can tell me if it's possible or not.
     
  4. Sparky
    Well for a start all the PCs on the LAN need to talk to the Exchange server to get access to the mailboxes. Also Exchange integrates heavily with AD so you will need to open up ports between the DMZ and your LAN. The more ports you open the less security you have and the whole concept of the DMZ goes out the window.

    As for the security side of things, is there any particular reason why you need a full class C subnet with only 12 PCs on it?

    Can't help with the VMware stuff I'm afraid, but there are a few peeps on here that use it so hopefully someone else can help.
     
  5. John Neerdael
    No, I don't need a whole class C subnet for only a few workstations. The idea is just so that they are all separate LANs, to gain an extra layer of security where each LAN cannot connect to the other without express permission. If ISA is integrated with AD, is it maybe better to set these permissions based on users than on LAN?
     
  6. Sparky
    If a PC is on another LAN what stops me logging onto it if I have a username and password for an account on the domain?

    If you want security (just looking at it from the point of view of subnets) then you might want to go for VLANs with access control lists, Cisco kit supports this.
     
  7. AJ (Administrator)
    So does HP Procurve kit. I knows coz I doz it :D
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  8. John Neerdael
    Security in terms of making it easy, for instance, to allow one LAN not to access the internet while the other can, etc. So in terms of ISA setup, for instance there is one subnet where the direction and IT staff are located and I can just give that subnet more permissions than others. It's deployed solely on VMware Workstation so sadly VLANs for this deployment are out of the window. Since ISA supports IP ranges as well as users it should be possible with ISA as well to tell who can log on to the domain from which network segment.
     
  9. Sparky
    You also have the option to do this in AD: you can control which users can log on to which computers. This is common in situations where you just want training accounts to log on to PCs in the training room, for example.

    In regard to ISA controlling web access, you can do this as you can run it as a proxy server with Integrated Windows authentication, so you don't have to worry about where the user logs on from.

    I would still ditch the majority of the subnets you have listed, ISA is difficult enough at the best of times.
     
  10. craigie (Terabyte Poster)
    Nice network diagram, however I would make a few changes:

    1. As Sparky has said, either deploy a front-end Exchange server into a DMZ behind the current firewall and then a back-end Exchange server behind another firewall with the rest of your network.

    2. Reduce the number of subnets. You have 12 machines per subnet; the reasons behind subnetting are to reduce broadcast and collision traffic for usability as well as security. I would recommend changing this to coincide with perhaps the users' roles, e.g.

    Subnet 1 - 25 Developers, require access to the Internet and have more advanced permissions.
    Subnet 2 - 50 Office Workers, require access to email and not the Internet and have locked-down permissions.

    3. Throw a curve ball in and have an RRAS server for some home workers.

    Subnet 3 - 25 Home Workers, who dial into an RRAS server via L2TP/IPsec or PPTP using MS-CHAP v2 encryption, which uses port forwarding and various filters to connect to the domain.

    Also another reason for reducing the subnets is cost.

    Anyway, it looks like you have put a lot of thought into this and for that I applaud you :D
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  11. John Neerdael
    Thanks for that input, that seems like a good idea to implement. Since we are a bit limited on the amount of servers we use, is it viable to use our web server and FE mail server also as the RAS server (I've read RAS is best for security in a DMZ, correct me if wrong)? And then our DC1 also as BE mail server? So that in this way we don't use any more virtual servers. Or does this pose any serious security flaws apart from just lower performance of the servers? (Performance isn't an issue since it's crap anyway, our school lets us create labs on machines with only 1GB physical RAM :( )
     
  12. craigie
    Yep, you can use a Front End server as an RRAS server as well. I wouldn't have recommended it on a Back End server due to the security implications.

    I'm assuming that DC1 is going to have the 5 FSMO roles in your environment, and DC2 is mainly being used for fault tolerance?

    If this is the case then I would tweak the setup as follows:

    Mail & Web Server - Front End Exchange Server, RRAS Server & Web Server
    DC1 - DC with the 5 FSMO roles, Active Directory Integrated DNS with Secure Dynamic Updates, 80% of the DHCP scope, and File Server
    DC2 - DC, Active Directory Integrated DNS with Secure Dynamic Updates, 20% of the DHCP scope, and Back End Exchange Server

    This way your main DC1 does what it does best, which is run your environment, and then you have all the users' mailbox stores etc. on DC2 and you have a high amount of fault tolerance (your backup solution should cover the File Server part).

    Ideally, it would be good to have a separate Back End Exchange server, but I think the above will achieve good security, as you can implement IP address, protocol and port filtering on your firewalls and also on your routers as well (as per my comments in relation to what your users will be doing) to enhance the security.

    Would be great to see your final network layout :)
     
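An added example, not from the thread, of what the 80/20 DHCP split above means in configuration terms: both DCs carry the same scope (same subnet, same address range, same options), and each one excludes the slice the other hands out, so no address can be leased twice and either server alone can keep clients running. The subnet, the pool 192.168.3.20 - 192.168.3.219 and the scope name are assumptions for illustration; the netsh lines are written from memory of the Windows Server 2003 `netsh dhcp` syntax and should be checked against the built-in help on the box before use.

```python
"""Plan an 80/20 split of one DHCP scope across two servers.
Added example (not from the thread); addresses are assumed."""
import ipaddress


def split_scope(subnet: str, pool_start: str, pool_end: str,
                primary_percent: int = 80) -> dict:
    """Return, per server, the slice it hands out and the slice it excludes."""
    net = ipaddress.ip_network(subnet)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start not in net or end not in net or start > end:
        raise ValueError("pool must lie inside the subnet")
    if not 0 < primary_percent < 100:
        raise ValueError("percentage must leave both servers something")
    total = int(end) - int(start) + 1
    n_primary = max(1, total * primary_percent // 100)
    first_secondary = start + n_primary
    if first_secondary > end:
        raise ValueError("pool too small to split")
    primary = (str(start), str(first_secondary - 1))
    secondary = (str(first_secondary), str(end))
    return {
        "scope": {"subnet": str(net), "range": (str(start), str(end))},
        # each server's exclusion is exactly the other server's slice
        "primary": {"hands_out": primary, "exclude": secondary},
        "secondary": {"hands_out": secondary, "exclude": primary},
    }


def verify_split(plan: dict) -> bool:
    """True if the two served slices are disjoint and together cover the pool."""
    a0, a1 = (int(ipaddress.ip_address(x)) for x in plan["primary"]["hands_out"])
    b0, b1 = (int(ipaddress.ip_address(x)) for x in plan["secondary"]["hands_out"])
    p0, p1 = (int(ipaddress.ip_address(x)) for x in plan["scope"]["range"])
    return a0 == p0 and a1 + 1 == b0 and b1 == p1


def netsh_commands(plan: dict, server: str) -> list:
    """'netsh dhcp' lines to create the scope on one server (syntax from
    memory of Windows Server 2003; verify with 'netsh dhcp server scope ?')."""
    net = ipaddress.ip_network(plan["scope"]["subnet"])
    scope = str(net.network_address)
    r0, r1 = plan["scope"]["range"]
    x0, x1 = plan[server]["exclude"]
    return [
        f"netsh dhcp server add scope {scope} {net.netmask} Lab-{scope}",
        f"netsh dhcp server scope {scope} add iprange {r0} {r1}",
        f"netsh dhcp server scope {scope} add excluderange {x0} {x1}",
    ]


if __name__ == "__main__":
    plan = split_scope("192.168.3.0/24", "192.168.3.20", "192.168.3.219")
    print("consistent:", verify_split(plan))
    for role in ("primary", "secondary"):
        print(f"--- {role}: hands out {plan[role]['hands_out']}")
        print("\n".join(netsh_commands(plan, role)))
```

The exclusion ranges are the whole point: two servers with the same range and no exclusions would both offer the same addresses, and the split only gives fault tolerance if the second server is reachable by the clients (same segment, or via the relay) when the first is down.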
  13. John Neerdael
    This is what I cooked up now; I had done it before this last reply of yours but in my initial draft I still had the file server on DC2 & BE Exchange on DC1, I just switched those 2 around quickly before posting.

    I have to admit that the way our group is approaching this class-based assessment is a lot beyond the scope of what we have learned in the class. I know what a RAS server is and what it is used for but anything beyond that we haven't even touched. Same goes for ISA/Exchange, for which we have only spent a few hours each in the classroom doing a basic installation. For the DCs we haven't seen how to use 2 domain controllers so FSMO is a completely new concept for me as well. I just googled a bit about FSMO and I understand what it does, but how do I set it up, or will those tasks automatically be assigned to the 1st domain controller deployed in the domain?

    Here is my next draft following your suggestions, which were very nice and still kept my initial ideas intact although simplifying it.

    [image: revised network diagram]
     
  14. craigie
    Looks good John, however please stick another Firewall in between the Internet and the Front End Server so it looks like this

    Internet > Firewall > DMZ for Web/Exchange/RRAS Server > Firewall > Into your Network

    The reason for this is then you have two control points, the External Firewall and Internal Firewall. Apologies for not using Visio, haven't got round to installing it yet.

    The FSMO roles are installed automatically on your first DC.

    I think someone is going to get a Gold Star :D
     
  15. Sparky
    Much better mate.

    Do you have anything else to consider in this design? Do you need a file server or print server?
     
  16. John Neerdael
    @craigie: What additional security would a:
    [image: layout with two firewalls]
    have over a DMZ that is set up as (what is this setup called in networking?):
    [image: layout with one firewall]
    and aren't both viable options? Especially since we are limited on hardware to work on.

    The server in the drawings is the DMZ, the host and switch are the LAN.

    @sparky: actually yes, we need a print server on one of the machines that are currently in the network; however, even though that might be the most simple task of all, I haven't wrapped my head around how & where I would place the print server yet.
     
  17. craigie
    They are both viable options, however based on your first post which was about security this is a much better option.

    Think of it this way:

    If you only have one firewall and someone gets through you are buggered. If you have two firewalls you can lock down the internal firewall so that users can continue to work as per normal but without web access.

    Dang it I'm meant to be studying :D
     
  18. John Neerdael
    Ah ok, well it's cost & security like always (the fictional company is rather small and the teacher wants us not to overdo it with too many servers). I don't think I'm going to push it this hard but I think I'll make a lab in your setup just to see if I can get it running using 2 firewalls.

    edit: Another question, isn't it, security-wise, always better to put your servers on a separate network segment? Because in this design both the servers and the developers are in the same segment. If so I could potentially give the 2 servers a separate network segment and put the developers & office workers together on a /23 network and make the internet access permission completely user-based when ISA is integrated with Active Directory.
     
  19. Sparky
    It depends on what the role of the server is. If it's a web server then yes, put it on its own network (DMZ).

    However if it's a domain controller then it is best for the clients to be on the same network segment for network connectivity. If security is a concern there are certain templates you can apply to the server to reduce the amount of services running etc.

    http://support.microsoft.com/kb/816585

    P.S. do me and craigie get a reference in your final report?
     
  20. John Neerdael
    Don't you set this network connectivity up on ISA when the DCs are on a separate segment? And then give the IT staff full access to the domain controllers and the rest only access on ports that are essential. At least that was my thought on it; when they are on the same segment the workstations can connect to any port on the servers no matter what their ISA permissions are etc.

    edit:
    Did you mean lock down the external firewall? If you lock down the internal one wouldn't you stop the functioning of the LAN, while locking down the external firewall will just block all internet traffic?
     
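An added example, not from the thread, that models the Internet > external firewall > DMZ > internal firewall > LAN layout craigie describes in posts 14 and 17 as a first-match rule evaluator, so the "two control points" argument, Sparky's caveat from post 4 (every port the front-end needs towards the LAN is a hole in the internal firewall) and the lockdown question in post 20 can each be checked as a concrete flow. The zones, the rule sets and the port numbers are assumptions for illustration; in particular the DMZ-to-LAN allow list is an illustrative subset, not the full list an Exchange front-end needs.

```python
"""First-match policy evaluator for a back-to-back (two firewall) DMZ.
Added example (not from the thread); zones, rules and ports are assumed."""
import copy

# The external firewall sits between internet and dmz, the internal one
# between dmz and lan; LAN-to-Internet traffic therefore crosses both.
ZONES = ["internet", "dmz", "lan"]
FIREWALL_BETWEEN = {frozenset(("internet", "dmz")): "external",
                    frozenset(("dmz", "lan")): "internal"}


def firewalls_on_path(src: str, dst: str) -> list:
    """Firewalls a packet from zone src to zone dst traverses, in order."""
    i, j = ZONES.index(src), ZONES.index(dst)
    step = 1 if j > i else -1
    return [FIREWALL_BETWEEN[frozenset((ZONES[k], ZONES[k + step]))]
            for k in range(i, j, step)]


def first_match(rules: list, src: str, dst: str, port: int) -> str:
    """Rules are (action, src_zone, dst_zone, ports); ports is a set or 'any'.
    The first matching rule wins; an implicit deny follows the list."""
    for action, rsrc, rdst, ports in rules:
        if (rsrc in (src, "any") and rdst in (dst, "any")
                and (ports == "any" or port in ports)):
            return action
    return "deny"


def evaluate(policy: dict, src: str, dst: str, port: int) -> str:
    """'allow' only if every firewall on the path allows the flow; otherwise
    name the firewall that dropped it."""
    if src == dst:
        return "allow"   # same segment: no firewall in the way at all
    for fw in firewalls_on_path(src, dst):
        if first_match(policy[fw], src, dst, port) != "allow":
            return f"deny@{fw}"
    return "allow"


# Illustrative policy (assumed): front-end Exchange/web/RRAS box in the DMZ,
# back-end Exchange and DCs on the LAN.
POLICY = {
    "external": [
        ("allow", "internet", "dmz", {25, 443}),   # SMTP in, OWA/RPC-over-HTTPS to the front-end
        ("allow", "dmz", "internet", {25}),        # outbound mail from the front-end
        ("allow", "lan", "internet", {80, 443}),   # user web access, transiting the DMZ segment
    ],
    "internal": [
        ("allow", "lan", "dmz", {25, 443}),        # LAN clients reach the front-end
        ("allow", "dmz", "lan", {25, 135, 389, 3268, 88, 53}),  # front-end to back-end/DCs (illustrative subset)
        ("allow", "lan", "internet", {80, 443}),   # web traffic leaving the LAN
    ],
}


def lockdown(policy: dict, firewall: str) -> dict:
    """Copy of the policy with the LAN-to-Internet allow removed on one firewall."""
    locked = copy.deepcopy(policy)
    locked[firewall] = [r for r in locked[firewall]
                        if not (r[1] == "lan" and r[2] == "internet")]
    return locked


def reachable_from_dmz(policy: dict, ports) -> set:
    """LAN ports a compromised DMZ host can still reach: the internal
    firewall's DMZ-to-LAN allow list is the blast radius."""
    return {p for p in ports if evaluate(policy, "dmz", "lan", p) == "allow"}


if __name__ == "__main__":
    flows = [("internet", "dmz", 443), ("internet", "lan", 445),
             ("dmz", "lan", 445), ("lan", "dmz", 443), ("lan", "internet", 80)]
    for fw in ("external", "internal"):
        locked = lockdown(POLICY, fw)
        print(f"lockdown on {fw}:")
        for src, dst, port in flows:
            print(f"  {src}->{dst}:{port}  normal={evaluate(POLICY, src, dst, port)}"
                  f"  locked={evaluate(locked, src, dst, port)}")
    print("LAN ports reachable from a compromised DMZ host:",
          sorted(reachable_from_dmz(POLICY, {25, 88, 135, 445, 3389, 389})))
```

Two things fall out of running it: removing the LAN-to-Internet rule on either firewall stops web access while LAN-to-DMZ mail keeps flowing, because web traffic has to pass both control points; and `reachable_from_dmz` prints exactly the set Sparky's caveat is about, so every port added for the front-end should show up there deliberately, not by accident.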
