Author Topic: Domain Server or Vlan or is it a combination of all and many others  (Read 2194 times)

toto850

  • Zen Apprentice
  • *
  • Posts: 4
  • Karma: +0/-0
  • The unexamined life is not worth living
    • View Profile
All,

Could you please advise the best way tackling the issue we have best way, currently I am planning to setup a network for different application within a small user environment.

The network will consist of 6 different applications, these are

a)   Normal Domain controller users with Printers and file sharing facility. (IP address range will be
        10.10.x.x/16 )

b)   VoIP system for the above users currently there is a PBX box which servers all Telephone routing, so
        the users only need an IP to be issued from the above server different to PC applications, all connection
        it requires will only be outside facing Internet communication with pre-defined open ports for VoIP
        communications. (IP address range will be 10.20.x.x/16 )

c)   Media Centre, this will have access to server dependant on the type of machine which is connected to
        the server, if the machine which is connected to the system is like TV then the server will only assign it
        with IP address, if in other hand the machine which is connected is PC type then it will be assigned
        network share folder drive. (IP address range will be 10.30.x.x/16 )   

d)   CCTV system, this will be connected to the same system, again like the VoIP it will be assigned with
        different IP address to any other system, the assignment of this will only have access to the outside
        Internet only and will not be allowed to see any internal network systems. (IP address range will be
        10.40.x.x/16 )

e)   Closed system for application and systems where internet access not provided and not required, this
        access will allow any machine or user connected to this will only be assigned an internal IP address
        where they will not be able to see any of the outside world, at the same time they will not be assigned
        any shared drive also. (IP address range will be 10.50.x.x/16 )

f)   Dirty system, this as the name suggest it will used for any guest wanting access to Internet for
        temporary bases, they will be put outside the firewall facing the public. (IP address range will be
        10.60.x.x/16 )

g)   The last point in this setup will be, none of the above should be able to cross talk, e.g any equipment
        which is connected VoIP LAN must not see CCTV, Closed, Normal DC or Dirty IP address or PING to it.

Now there are many suggestions I was considering based on the above brief,

1)   The 1st solution I had in mind was to create every IP address with in the firewall and serve it in VLan
        arrangements Layer 2 switch, this will cut down the number of servers it is required to run and
        manage. This is similar to the old ISA and Domain server arrangement in old Windows 2008 R2, as
        currently Microsoft is no longer providing ISA server any longer hence the above arrangement.

2)   If the above route is considered or taken, then LDAP and other certificates will be required to manage
        users and machines access and egress by synchronizing it with the firewall system. Thus this will lead
        us to have one Domain Controller server to manage and maintain.

3)   The other option would be to have a number of servers within Primary Domain Controller (PDC) and
        add as many tree or child server to generate and manage all areas apart from Normal Domain as this   
        will be server by the PDC, the others we mean by such as CCTV, HiFi etc… will be managed by their
        allocated child server.

4)   I am sure there are more than one way to skin the cat, if anyone can think even a better way than   
        what I have listed, I am open for any suggestions.


Once again many thanks for all your comments in advance.

vmb

  • Zen Apprentice
  • *
  • Posts: 46
  • Karma: +5/-0
    • View Profile
Hi, I just thought I would let you know that this is a community site and a lot of us just don't have the time to read long wordy descriptions of system configurations and then try to visualise them. This is probably why you haven't had any replies yet.

My tips for getting responses from others on your configuration:

1. Create an easy to understand diagram of your config, hand drawn or in Visio, Dia, whatever. Get it into a PNG file format and upload it with your post as an attachment.
2. Don't fill your posts with lots of questions. One question at a time will get responses.
3. Make sure your subject line refers to the question topic to attract those that can answer to do so.
4. You can make as many separate posts as you like.

So without really spending any time at all to try visualising your configuration without a diagram my advice to you is as follows:

  • Don't use Zentyal as a firewall/router, use pfSense instead. Use Zentyal only as a replacement for MS Exchange.
  • Don't use any version of Zentyal earlier than v4.2, upgrade to the next version when it is released on a test server in a separate test network before upgrading the live server.
  • If you are using Samba anywhere else than in Zentyal, make sure that it is at least version 4.3 or newer.
  • Have separate dedicated domain controllers. It's OK to have DNS and NTP on the dc, but don't use them for file serving or print serving. I often use repurposed thin client terminals for Samba domain controllers as they are cheap, powerful enough for the task, and don't use much power.
  • VLAN's are great for segmentation but be smart with their use. Don't put a WAN side VLAN on the LAN side backbone. Use a separate network for WANs

toto850

  • Zen Apprentice
  • *
  • Posts: 4
  • Karma: +0/-0
  • The unexamined life is not worth living
    • View Profile
Hello vmb,

Many thanks for the guide, it is greatly accepted in the future I will try not over complicate things.

your guide also to use separate firewall and Vlan configuration is a very good advise to consider and to implement, the only area I am not sure from your response is to use Zentyal as MS Exchange, do you mean this server then not upto the task to work as just as Domain Controller?

all other advise you had in your post will be okay to implement.

Once again many thanks for the replay.

T