All,
Could you please advise the best way of tackling the issue we have. Currently I am planning to set up a network for different applications within a small user environment.
The network will consist of 6 different applications; these are:
a) Normal Domain Controller users with printers and file sharing facility. (IP address range will be 10.10.x.x/16)
b) VoIP system for the above users. Currently there is a PBX box which serves all telephone routing, so the users only need an IP to be issued from the above server, different to the PC applications; all the connections it requires will only be outside-facing Internet communication with pre-defined open ports for VoIP communications. (IP address range will be 10.20.x.x/16)
c) Media Centre. This will have access to the server dependent on the type of machine which is connected to the server: if the machine which is connected to the system is something like a TV, then the server will only assign it an IP address; if on the other hand the machine which is connected is a PC type, then it will also be assigned a network share folder drive. (IP address range will be 10.30.x.x/16)
d) CCTV system. This will be connected to the same system; again, like the VoIP, it will be assigned a different IP address range to any other system. This assignment will only have access to the outside Internet and will not be allowed to see any internal network systems. (IP address range will be 10.40.x.x/16)
e) Closed system for applications and systems where Internet access is not provided and not required. Any machine or user connected to this will only be assigned an internal IP address, where they will not be able to see any of the outside world; at the same time they will not be assigned any shared drive either. (IP address range will be 10.50.x.x/16)
f) Dirty system. As the name suggests, this will be used for any guest wanting access to the Internet on a temporary basis; they will be put outside the firewall, facing the public. (IP address range will be 10.60.x.x/16)
g) The last point in this setup will be that none of the above should be able to cross-talk, e.g. any equipment which is connected to the VoIP LAN must not see the CCTV, Closed, Normal DC or Dirty IP addresses, or be able to PING them.
Now there are many suggestions I was considering based on the above brief:
1) The first solution I had in mind was to create every IP address range within the firewall and serve it in a VLAN arrangement on a Layer 2 switch; this will cut down the number of servers required to run and manage. This is similar to the old ISA and Domain server arrangement in old Windows 2008 R2; as Microsoft is no longer providing ISA Server, hence the above arrangement.
2) If the above route is considered or taken, then LDAP and other certificates will be required to manage user and machine access and egress, by synchronising them with the firewall system. This will lead us to have one Domain Controller server to manage and maintain.
3) The other option would be to have a number of servers within the Primary Domain Controller (PDC) and add as many tree or child servers as needed to generate and manage all areas apart from the Normal Domain, as this will be served by the PDC; the others, by which we mean such as CCTV, HiFi etc., will be managed by their allocated child server.
4) I am sure there is more than one way to skin the cat; if anyone can think of an even better way than what I have listed, I am open to any suggestions.
Once again, many thanks for all your comments in advance.
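The isolation requirement in point g) (no cross-talk between the six /16 segments, Internet egress for some, none for the Closed segment) is easy to state and easy to get wrong once it is spread across VLAN ACLs and firewall rules. The following is an added example, not code from the original post: it models the segments and prefixes given above as a policy, decides whether a given flow should be permitted, audits that every ordered pair of segments is blocked, and renders the policy as iptables FORWARD rules for the inter-VLAN firewall in option 1). The per-segment Internet flags are my reading of the post's requirements, the function names are hypothetical, and the iptables rendering is illustrative of ordering (explicit inter-segment DROPs before any broad ACCEPT, default DROP) rather than a complete firewall configuration.

```python
"""Segment-isolation policy check for a six-VLAN design (added example)."""
import ipaddress
from itertools import permutations

INTERNET = "internet"

# Segment name -> (prefix from the post, Internet egress allowed?).
# The egress flags are an assumption drawn from the post's description;
# "closed" is the only segment that must have no Internet access.
SEGMENTS = {
    "normal": ("10.10.0.0/16", True),
    "voip":   ("10.20.0.0/16", True),
    "media":  ("10.30.0.0/16", True),
    "cctv":   ("10.40.0.0/16", True),
    "closed": ("10.50.0.0/16", False),
    "dirty":  ("10.60.0.0/16", True),
}
NETS = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in SEGMENTS.items()}

# Anything in RFC 1918 space that is not one of our segments is treated as
# unknown internal space (denied); everything else is "the Internet".
RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def segment_of(ip):
    """Return the segment name containing ip, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    return None


def classify(ip):
    """A destination is a named segment, the public Internet, or None (unknown)."""
    seg = segment_of(ip)
    if seg is not None:
        return seg
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return None
    return INTERNET


def flow_allowed(src, dst):
    """Decide a src->dst flow: a host may talk inside its own segment, to the
    Internet if its segment permits egress, and nowhere else. Returns (bool, why)."""
    src_seg = segment_of(src)
    if src_seg is None:
        return False, "source is not in any managed segment"
    dst_kind = classify(dst)
    if dst_kind == src_seg:
        return True, "same segment"
    if dst_kind == INTERNET:
        if SEGMENTS[src_seg][1]:
            return True, "internet egress permitted for %s" % src_seg
        return False, "%s has no internet access" % src_seg
    if dst_kind is None:
        return False, "destination is neither a segment nor public"
    return False, "cross-talk %s -> %s blocked" % (src_seg, dst_kind)


def audit_isolation():
    """Check that no segment can reach any other segment. Returns the list of
    leaking (src_seg, dst_seg) pairs; an empty list means fully isolated."""
    leaks = []
    for a, b in permutations(NETS, 2):
        src, dst = str(NETS[a][1]), str(NETS[b][1])   # first host of each
        if flow_allowed(src, dst)[0]:
            leaks.append((a, b))
    return leaks


def render_iptables_forward():
    """Render the policy as iptables FORWARD rules for the inter-VLAN firewall.
    Inter-segment DROPs are emitted before the Internet ACCEPTs so that no later
    rule can re-open a blocked pair; the chain's default policy is DROP."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for a, b in permutations(NETS, 2):
        rules.append("iptables -A FORWARD -s %s -d %s -j DROP" % (NETS[a], NETS[b]))
    for name, (cidr, internet) in SEGMENTS.items():
        if internet:   # allow only non-10/8 destinations, i.e. outside the site
            rules.append("iptables -A FORWARD -s %s ! -d 10.0.0.0/8 -j ACCEPT" % cidr)
    return rules


if __name__ == "__main__":
    print("leaks:", audit_isolation())
    for ip_pair in (("10.20.1.5", "10.40.2.2"), ("10.50.1.1", "203.0.113.10")):
        print(ip_pair, flow_allowed(*ip_pair))
    print("\n".join(render_iptables_forward()))
```

Running the script with the policy as written reports no leaking pairs; changing one segment's egress flag or adding a segment and forgetting to re-run `audit_isolation()` is exactly the kind of drift the check is meant to catch before the rules reach the firewall.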