New Network Plan

  • Question

  • Is this the right place to ask for a new network plan? I just need to build a new network with 10 servers and want to discuss it with people of good experience and knowledge to avoid future problems.

    Discussions will be more about software than hardware, using Windows 2008 Enterprise + Exchange 2010 + TMG 2010 + Lync 2010.

    Can anybody help? I will post my idea and we can discuss it if this is the right place. I just need help with security issues and with how things should be arranged and done the right way to get the most out of those applications.

    Thanks.

    Friday, April 8, 2011 10:44 AM

All replies

  • Hi Reborn,

    I'm quite happy if you want to bounce ideas off me, but if you have a budget for ten servers, shouldn't you really be getting some professional consulting assistance? Just a thought.

    Anthony Steven

    Principal Technologist

    Content Master, a division of CM Group

    Blog: http://cm-bloggers.blogspot.com/ 

    • Proposed as answer by Alex Cohen Monday, April 11, 2011 5:25 PM
    • Marked as answer by Kevin Remde Tuesday, April 12, 2011 11:46 AM
    • Unmarked as answer by Reborn360 Monday, April 25, 2011 6:23 AM
    • Unproposed as answer by Reborn360 Monday, April 25, 2011 6:24 AM
    • Proposed as answer by Soh.M Sunday, May 1, 2011 1:46 AM
    • Unproposed as answer by Reborn360 Sunday, May 1, 2011 8:28 AM
    • Marked as answer by Reborn360 Thursday, May 5, 2011 6:51 AM
    Sunday, April 10, 2011 7:01 PM
  • Not just because of the budget, Anthony. This also tells me that there will be various functions and roles that these servers will play (potentially). So, if there is complexity involved, it should be handled professionally.

     

    Alex


    *a
    • Proposed as answer by Alex Cohen Monday, May 2, 2011 6:25 PM
    • Unproposed as answer by Reborn360 Thursday, May 5, 2011 6:50 AM
    Monday, April 11, 2011 5:27 PM
  • Alex is right, it's not just a regular network with 10 servers; it's going to be a real network with many applications that will use the real power of the servers, but it's private.

    OK then, I'll post it here in the next few hours when I'm back at work.

    Thanks to all.

    Saturday, April 16, 2011 10:48 AM
  • OK, here we go!

    I have 10 servers but still don't know the best way to configure them from the networking side. I have many ideas but thought I'd share them with you here.

    This is the first thing I want to discuss before going further (how to build it the best way).

    Everybody feel free to change any running role on any server if it's in the wrong place, or if it will make problems later and has to be somewhere else.

    And about budget, no worries; a perfectly secure plan is the most important thing ;)

    1 = AD + DC + DNS + Print server

    2 = MS Exchange 2010 (Hub)

    3 = MS Exchange 2010 (Mail) (btw, do I really need two Exchange servers if I'm facing the internet?)

    4 = MS TMG 2010 + some 3rd-party security applications (3-leg (front end))

    5 = MS TMG 2010 (Backend)

    6 = Anti-Virus Server

    7 = File Server

    8 = Web Server

    9 = MS Lync 2010

    10 = SQL 2008 R2

    - All are Windows Server 2008 Enterprise.

    - Two gigabit switches and one router for the internet.

    So the first thing: what is the best way to link all those together for maximum security?

    While:

    - Lync 2010, Exchange and the file server are accessible from the internet by known users.

    - Users can log in from the internet as if they were on the same LAN and can join the domain without a hardware VPN.

    Thanks.

    Saturday, April 16, 2011 7:12 PM
  • Here are a few pointers:

     

    1) not everything needs to be Enterprise Edition (save money there)

    2) Exchange Roles: You do not need 2 servers unless your capacity requires it - i.e. how many users are you supporting?

    3) Same for TMG as for Exchange

    4) I am not sure why you need a server dedicated to only Anti-Virus. My recommendation is that you have an admin or utility server and place all similar roles on it (i.e. backup server)

    5) Did not see backups included in this list

    6) You will need two servers (minimum) with the Domain Controller, and Network Services on them - AD, DHCP, DNS, etc.

     

    Just to start.


    *a

    • Edited by Alex Cohen Monday, April 18, 2011 6:25 PM typo
    • Proposed as answer by Alex Cohen Tuesday, April 19, 2011 3:07 PM
    • Unproposed as answer by Reborn360 Monday, April 25, 2011 6:24 AM
    • Proposed as answer by Alex Cohen Monday, May 2, 2011 6:25 PM
    • Unproposed as answer by Reborn360 Thursday, May 5, 2011 6:50 AM
    Monday, April 18, 2011 6:24 PM
  • Hi Reborn,
    Can you please tell me how many users you have for this infrastructure?
    Also, have you considered virtualization? 
    As Alex points out, Enterprise edition isn't really necessary for most of those roles and a single Exchange server should be fine for a few hundred users.
    I would be inclined to make the File server run AD DC + DNS server (plus DHCP if required). In line with Alex's recommendation, the anti-virus server can be the backup server.
    I assume the web server is in the perimeter network.

    Anthony Steven

    Principal Technologist

    Content Master, a division of CM Group

    Blog: http://cm-bloggers.blogspot.com/

    Tuesday, April 19, 2011 4:30 PM
  • In agreement with Anthony here. One exception: they are using TMG, so it doesn't have to be in the perimeter unless there is a real need.


    *a
    Tuesday, April 19, 2011 5:46 PM
  • OK, umm, it's private so there is not a really big number of users; they will be around 100 to 150 max and need to be very fast and very secure. Budget is open!

    OK, I liked everything you were saying except virtualization. Nope, sorry, we are not after that; I thought of it, but if that server went down we would lose a lot, since the network will be running 24/7 non-stop.

    OK, let me go deeper into it. So here we go:

     

    The plan is to connect 7 remote locations with the main location, which is where the servers are, so it's going to be a LAN accessed by 7 other remote LANs!

    The 7 LANs each have just a router to connect to the main LAN.

    So I thought of 2 TMGs: one to manage the 7 LANs and one to manage the main LAN, then connect the 2 TMGs together so the main LAN can access the 7 LANs!

    (I know I can do it via VPN routers such as Cisco 5530), but this is my last option if my idea fails, because TMG is easier to use and upgrade, can be customized better, plus you can add lots of plugins to it.

    Anyway, I thought of 2 Exchange servers, one for the 8 LANs and 1 for the internet, so that we can access other emails! (I'm confused on this part because lots of people are giving me weird plans for Exchange.)

    Anti-virus: I agree that it should not be alone, but I was looking for speed and don't want to disturb other servers scanning the network, because we are planning auto-scan from a central location to our clients.

    Backup: good point, but again some people told me to use tape backups. So what do you think about it? I didn't use that before.

    This is what I can say for now so we don't go too far. I'm still confused.

     

    Thanks  

    Wednesday, April 20, 2011 12:08 PM
  • Anybody?
    Sunday, May 1, 2011 8:30 AM
  • Hi Reborn,

     

    Do you have a planned architectural diagram? If so, can you please email it to anthonys (at) contentmaster.com? 

    You don't have to identify your organization or anything like that.

    It's a bit tricky to work out what you are trying to do from just a description.

     

    Anthony Steven

    Principal Technologist

    Content Master, a division of CM Group

    Blog: http://cm-bloggers.blogspot.com/
    Tuesday, May 3, 2011 8:51 AM
  • Great, that's good with me. I'm going to send it very soon after some small security adjustments I've made recently.

     

    Thanks Anthony Steven

    Tuesday, May 3, 2011 12:07 PM
  • Reborn, there is no wrong answer here. I think you have a solid starting point. The only thing I would encourage you to consider moving forward is supportability. In other words, no matter what you end up with, can you fully support it? Otherwise, no matter how good your plan, the *perception* will be that it's not a good solution. Think about this.

     

    One example is the VPN using TMG instead of Cisco VPN. I am not a Cisco guy, but I am an ISA guy. And I would never task myself with maintaining everything in TMG or ISA. That's best handled by Cisco equipment. ISA/TMG is nothing more than a great, if not the best, *application* layer firewall and proxy.

     

    I think you have a good starting point. You have to either filter out the stuff you are comfortable with and just ask specifically what is missing. Or, just proceed with your plan. And as long as you can support it, you can always adapt it over time. That is the life we all live. Nothing is perfect from making all the right decisions up front.


    *a
    Tuesday, May 3, 2011 7:33 PM
  • Thanks Alex, wait till I upload the test topology and tell me what you think :)
    Tuesday, May 3, 2011 8:16 PM
  • No problem...waiting... ;)
    *a
    Tuesday, May 3, 2011 8:43 PM
  • OK, for all who want to see the topology diagram, it's here: http://postimage.org/image/qgkv2o5g/ . I've just finished uploading. This is a test lab topology which I am going to build after hearing what you think about it and what changes I can make to make it better, easier, faster and more secure.

    I'm working on a smaller test lab which had lots of routing problems, so I'm changing the plan to this one hoping to avoid problems and make it run smoothly.

     

    I want to know:

    Am I doing it the right way?

    What security problems might I face?

    What routing issues might I end up with?

    Is it a bad way to connect this stuff, or is there a better way?

    Can remote users join this network this way??? (I need the remote users to be on the same network as if they were at the main location!!)

    So, waiting for your comments. Thanks :)

    Wednesday, May 4, 2011 8:38 AM
  • Reborn, I love the fact that your network diagram is detailed. Lots of folks take shortcuts here, only to regret it later. I can tell you are laboring over a good design for your environment. Very professional, very well done!

     

    This topology would work. The only two things that stick out right now are...you are placing devices outside of the TMG gateway, and I think you are missing the point with TMG. You can place it internally, and use reverse proxy. This way, it's all internal and fully managed. Otherwise, you have an extra physical hop that may not be worth it. I recommend an industry firewall appliance, even if just a basic one.

     

    Second, I would add a second switch just for the SAN and plug that in to a secondary Server NIC. If you cannot afford it as such, that is fine...you can still get plenty of bang for the buck. But definitely put it on its own switch.

     

    That's it for now. I will review once more if you make any additional edits.


    *a
    Wednesday, May 4, 2011 1:29 PM
  • Thanks for the reply Alex...

     

    > This topology would work. The only two things that stick out right now are...you are placing devices outside of the TMG gateway, adn I think you are missing the point with TMG. You can place it internally, and use reverse proxy. This way, its all internal and fully managed. Otherwise, you have an extra physical hop that may not be worth it.

    Which devices do you mean? Local printers? If so, it's just for a security reason, so that these devices' physical wall ports can be monitored and cannot be directly accessed by laptops. In other words, I don't want anyone to get access with his laptop, using a printer or IP phone port directly behind my firewall, to the servers!

    Reverse proxy is a good idea but sort of hard for me to test because I have never used it before.

     

    > I recommend an industry firewall appliance, even if just a basic one.

    Yes, I'm thinking of a Cisco ASA 5540, but since this site is for Microsoft I didn't want to discuss it here so I don't go against the rules :p

     

    > Second, I would add a second switch just for the SAN and plug that in to a secondary Server NIC. If you cannot afford it as such, that is fine...you can still get plenty of bang for the buck. But definitely put it on its own switch.

     

    Well, lots of people are talking about SAN, but I'm after NAS. I think it's better; not sure, but I believe that it's easier and more friendly to other devices than SAN. Don't you think so?

     

    I want to know something: what do you say about my Exchange servers? Is it OK like this? (Note that I have two.)

    Can I send and receive emails this way through the internet as well as from local users? Or is mail going to get stuck somewhere due to (too many) routing issues? :s

    I know drawing a topology is easy, but trying to make it real is hard, especially with routes and going through firewalls. I'm just a bit worried about routing problems.

     

    Thanks for your reply again

    Wednesday, May 4, 2011 5:02 PM
  • Yes, I was referring to any devices that are outside the TMG. Move those inside. No need for a DMZ, because TMG can emulate a DMZ and you don't have to worry about complex physical architectures.

     

    You should go from TMG to ASA. That's it. Anything else is asking for long nights.

    Nothing wrong with mentioning 3rd-party products here. It's just not the place to get support for them, or start voicing opinions about them. But, it's part of almost everyone's network. So, it's the MS products' job to integrate properly.

     

    I am not an Exchange expert, so I have to leave this to other folks. Maybe a post to the Exchange forum may be good. Personally, I think one Exchange server is fine. You don't have that many users, and if you get the right spam solution, you don't have to worry about load. And you have TMG/ISA in the mix and that will make sure that it is perfectly protected. My two cents for what it's worth.

    SANs work great. I agree they are more work, but provide much more flexibility. In your case, I can see a NAS working out great. Question is, what systems will attach to it. I prefer to run SQL and Exchange on SAN, out of the two. Nothing beats direct attached.

     

    Good luck with all of this Reborn. You certainly have the right idea, and a good starting plan.


    *alex
    • Marked as answer by Reborn360 Thursday, May 5, 2011 6:53 AM
    Wednesday, May 4, 2011 6:15 PM
  • Thanks Alex, I liked your reply so I'll write down your points to think about them and mix them with the plan.

    I'm waiting for Anthony Steven to see what he will say too, so I can post my final decision to you.

     

    Wednesday, May 4, 2011 7:22 PM
  • One important thing: there should be at least 2 domain controllers. Most of the applications (e.g. Exchange) are tightly integrated with AD. So, a hardware failure on the host running the DC role will impact all such applications if only 1 DC is set up.

    Consider having 2 servers for Exchange setup as well for High Availability.

     

    Cheers

    Sree

    Thursday, May 26, 2011 11:33 AM
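    Both Alex's pointer 6 ("two servers minimum" for the domain controller role) and Sree's warning above come down to one check: does the domain actually have a second writable DC and global catalog that answers? The script below is an added example for readers of this thread, not code posted by anyone in it. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read the domain; it is read-only and changes nothing.

```powershell
# Added example, not from the thread: a defender's sanity check for the
# "at least two domain controllers" point raised by Alex and Sree.
# Assumes the ActiveDirectory module (RSAT) is present and the caller can
# read the domain. Nothing here modifies AD.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)

# Inventory: where each DC sits and which single-instance (FSMO) roles it holds.
$dcs | Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly,
    @{ Name = 'FsmoRoles'; Expression = { $_.OperationMasterRoles -join ',' } } |
    Format-Table -AutoSize

$writable = @($dcs | Where-Object { -not $_.IsReadOnly })
$gcs      = @($dcs | Where-Object { $_.IsGlobalCatalog })

if ($writable.Count -lt 2) {
    Write-Warning ("Only {0} writable DC(s) in {1}: losing that host takes Exchange, Lync and domain logons down with it." -f $writable.Count, $domain.DNSRoot)
}
if ($gcs.Count -lt 2) {
    Write-Warning ("Only {0} global catalog server(s); Exchange needs a reachable GC, so make the second DC a GC as well." -f $gcs.Count)
}

# A DC that exists in AD but does not answer on LDAP (389) or Kerberos (88)
# is no redundancy at all, so probe each one from this host.
foreach ($dc in $dcs) {
    foreach ($port in 389, 88) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($dc.HostName, $port)
            $state = 'open'
        } catch {
            $state = 'CLOSED'
        } finally {
            $client.Close()
        }
        '{0}:{1} {2}' -f $dc.HostName, $port, $state
    }
}
```

    Run it from a domain-joined admin workstation after the second DC is promoted; a single writable DC, a single GC, or a DC that shows CLOSED on either port is the single point of failure Sree describes.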
  • Thanks mylittlebrain

     

    Friday, May 27, 2011 1:38 PM