Creating Separate Networks


  • Hi,

    I am not entirely sure if the NPS and NAP thing can address this scenario, so please forgive me if I have posted in the wrong forum.

    We have a requirement to create two separate networks: we have a corporate network, and would like to introduce a training and development network. We have a small number of virtual servers all hosted on one physical server. Everything we have goes through the same switches (but these do not have a web interface and can't set any kind of VLAN stuff on them); we have a DrayTek router which connects to the internet and this has 4 wired ports which we could configure in VLAN. I am wondering if it is possible to use NPS (or what would I use???) to allow us to create a secondary network which is completely isolated from our corporate servers. We currently use AD, DNS, DHCP and all the rest of it, and we would like to have another server which has those roles on it, but configured for the training network, using a completely fictitious domain name, like contoso.com or whatever.

    Can someone please advise how I would best be able to implement this without the purchase of new hardware? Is it possible to create this scenario purely by installing more Windows servers and configuring them?

    Many thanks

    Steve

    Thursday, February 28, 2013 1:00 PM

All replies

  • Hi,

    What type of virtual server are you using? The simplest method is just to access this virtual server from the corporate network and (while logged onto this server) you can configure and manage the VMs.

    The virtual network on the virtual server can be connected to your corporate network if you wish, in which case it uses one of the physical network adapters on the virtual server. In this case, you could access the VMs directly using remote desktop. If you don't want this, and prefer that the virtual network is completely isolated then don't attach the virtual network on the virtual server to any physical adapters. Each VM can still be connected to a network, but the network will be internal to the virtual server. As long as all the VMs are connected to the same internal virtual network, they will see each other. You won't be able to access them however without logging onto the virtual server first and using whatever management interface it has (Hyper-V for example).

    -Greg

    Thursday, February 28, 2013 5:13 PM
  • OK, thanks for that, gives me... sort of an idea of what goes on...

    Just to provide more information:

    We have 1 physical host server (this is the only machine which runs in workgroup mode).

    2 virtual servers running on top which run our Exchange, SQL, AD, DNS, DHCP, automated OS and software deployment and so on...

    We utilise 1 of two physical network adapters; the other NIC is unplugged at the moment.

    This NIC connects to a switch and is all connected to the router through one of the 4 ports (the router can be configured as a VLAN but is currently not).

    The business side of the network is domain joined and uses a mix of wired and wireless connections to the virtual servers (going through a switch or WAP).

    What our aim is, is to have a set of training machines set up in another room that will hook into their own server completely isolated from the business virtual servers - BUT we would love it if they can be run as VMs on top of the existing physical server... so I was wondering if NPS plays any role in this configuration or whether I should use Hyper-V with virtual networking and the secondary NIC (we may well require the learners to log into the virtual server using RDP for those VMs responsible for managing the learning network, for training purposes; if the VMs are damaged during the learning process they can be recovered from backups - this is the whole point of our learning network for both servers and clients, to experiment and learn).

    So what do you think is best for me?

    Friday, March 1, 2013 11:36 AM
  • Hi Steve,

    NPS doesn't play any role in what you've described. NPS just receives requests for network access and either approves or denies them. It can't segment the network per se, except by helping to apply VLAN tags. NPS just receives credentials and evaluates them.

    If you plug the other network adapter into the switch and assign it an address that is separate from your corporate network, then create another virtual network in Hyper-V and attach it to this adapter, you should be able to add more VMs to the same server and place them on this new, separate network. You also have the option of allowing people to RDP directly to these VMs if they are able to route to the Hyper-V server's newly plugged in adapter.

    For example, say the new adapter is assigned a static address of 172.16.0.1. You create a virtual network called "test network" and associate it to the 172.16.0.1 physical adapter. You add a VM and assign a static address of 172.16.0.10.

    Now pretend that you create another virtual network on the Hyper-V server called "internal test network" and you don't associate this to any physical interface on the server. You add a VM to this network and configure a static address of 192.168.0.10.

    In this situation, the 192.168.0.10 VM can only be accessed by RDP to the Hyper-V server (over the Hyper-V server's corporate interface) and using the Hyper-V Manager console. However, the 172.16.0.10 VM could be accessed directly by RDPing to its IP address. For this to happen, you will need to configure routing to and from the 172.16.0.0 subnet, or use computers in the same subnet range and connect them physically to the Hyper-V server using a switch or hub. If you enable routing from the corporate network to 172.16.0.0 then this network is no longer isolated from your corporate network - so you probably don't want to do this. However, you can always configure routing from a different network that is also isolated from the corporate network.

    The point I'm trying to make here is that if you decide to use the other network interface on the Hyper-V server, you should probably allow RDP directly to the VMs. If you don't then there is no use in plugging that interface in. Just be careful if you decide to dual-home the Hyper-V server and not enable routing on the other interface. If your server registers both interfaces in DNS you might have name resolution problems. You can always disable "Register this connection's address in DNS" on the alternate interface.

    -Greg

    Saturday, March 2, 2013 10:26 PM
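One way to build the two-switch layout Greg describes, as an added example that is not part of the thread and not Greg's own configuration. It assumes a Windows Server 2012 Hyper-V host with the Hyper-V PowerShell module, a second physical NIC named "Ethernet 2", and training VMs named TRAIN-DC01 and TRAIN-LAB01 (all assumed names):

```powershell
# Added example (not from the thread). Assumed names: second NIC "Ethernet 2",
# VMs "TRAIN-DC01" and "TRAIN-LAB01". Run in an elevated PowerShell on the host.
Import-Module Hyper-V

# 1. External switch bound to the spare NIC. AllowManagementOS gives the host a
#    "vEthernet (test network)" adapter so it can hold Greg's 172.16.0.1 address.
New-VMSwitch -Name 'test network' -NetAdapterName 'Ethernet 2' -AllowManagementOS $true

# 2. Static host address on the training segment; no gateway, so the host does
#    not become a path between the corporate and training subnets.
New-NetIPAddress -InterfaceAlias 'vEthernet (test network)' `
    -IPAddress 172.16.0.1 -PrefixLength 24

# 3. Greg's caveat for a dual-homed host: keep the training address out of
#    corporate DNS so clients do not resolve the host to the wrong interface.
Set-DnsClient -InterfaceAlias 'vEthernet (test network)' `
    -RegisterThisConnectionsAddress $false

# 4. A switch with no physical uplink. "Private" (rather than "Internal") gives
#    the host no adapter on it, so these VMs are reachable only from the
#    Hyper-V Manager console, matching the 192.168.0.10 case in the reply.
New-VMSwitch -Name 'internal test network' -SwitchType Private

# 5. Attach VMs: the training DC on the reachable segment, a lab box on the
#    sealed one.
Connect-VMNetworkAdapter -VMName 'TRAIN-DC01'  -SwitchName 'test network'
Connect-VMNetworkAdapter -VMName 'TRAIN-LAB01' -SwitchName 'internal test network'

# 6. Checks: IP forwarding must stay disabled on the training interface, and
#    each VM must sit on the intended switch.
Get-NetIPInterface -InterfaceAlias 'vEthernet (test network)' -AddressFamily IPv4 |
    Select-Object InterfaceAlias, Forwarding
Get-VMNetworkAdapter -VMName 'TRAIN-DC01', 'TRAIN-LAB01' |
    Select-Object VMName, SwitchName, MacAddress
```

If the "Forwarding" column shows Enabled, the host itself would route between the two subnets and the isolation Greg warns about is lost; it should read Disabled.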
  • OK, cheers for that, this seems to be a way forward...

    What I am not too sure about is how IP address assignment will work. We have 1 switch where the cables go into from the patch panel, which in turn go to the wall sockets for both the corporate side and the training room... if all these devices go in through that same switch (which will also be connected to BOTH network adapters on the Hyper-V host) then how does a corporate machine know to contact the corporate DHCP and the training room's machines know to contact the training server's DHCP? Am I going to have to buy a separate switch for this to work, or is there any way I can make the corporate and training client machines contact the appropriate DHCP server using the hardware I currently have?

    Thanks

    Steve

    Monday, March 4, 2013 12:04 PM