Published by Elinor Welch. Modified over 8 years ago.
1
Module 13: Networking Service Designs
2
Overview
- Evaluating the Existing Configuration
- Identifying the Essential Design Decisions
- Providing Security
- Enhancing the Availability and Performance
3
The networking services in Microsoft® Windows® 2000 provide the foundation to solve connectivity and protocol requirements for organizations. You can integrate the networking services to design networking solutions that establish a network foundation, provide access to public networks, include connectivity for remote users and locations, and support network-based applications and authentication methods. In this module, you will design a networking solution for an investment firm and address the basic functionality, security, availability, and performance features of the solution. When combined with Microsoft Proxy Server and Internet Information Services (IIS), the networking services in Windows 2000 can provide complete solutions for the investment firm.
4
At the end of this module, you will be able to:
- Identify the characteristics of the scenario that influence the design decisions.
- Describe the essential design decisions required to provide networking services.
- Describe the design decisions for securing the networking services.
- Describe the design decisions for improving the availability and performance of the networking services.
5
Evaluating the Existing Configuration
- Current Project Status
- Design Requirements and Limitations
6
To design a solution for the investment firm, you must identify the information that influences the design. Based on that information, you make decisions about which networking services to include, along with which specifications to select for each service. To identify the information that influences the design, you must:
- Examine the current project status.
- Examine the design requirements and limitations.
7
Current Project Status (diagram: New York with Routers 1, 2 and 3 and subnets of 175, 250 and 3 hosts; Tokyo with Router 4 and subnets of 100 and 75 hosts; London with Router 5 and subnets of 200 and 150 hosts)
8
Current Project Status
Many investment firms are increasing their presence on the Internet because of electronic trading and online investments. These firms also connect branch offices by using public networks such as the Internet. In addition, many of the brokers and agents within investment firms require remote access to their confidential client information.
9
A well-established investment firm is expanding operations to include a larger online presence, and to provide remote access to broker and client information. The existing connectivity between the New York, Tokyo, and London locations is provided by:
- Dedicated routers at each location.
- 56 kilobits per second (Kbps) dedicated leased lines between locations.
10
The following table lists the project milestones completed to date, and the reason these milestones were completed.

Activity | So that the
Upgrading the physical network | Private network can support additional traffic generated by the broker and trading applications.
Replacing Routers 1 and 3 with higher-performance routers | Routers can support the additional traffic generated by the broker and trading applications.
Upgrading Internet connections to T1 connections | Internet connections can support the traffic between the locations.
Testing for the approved computer hardware architecture | Compatibility and performance of the approved computer hardware architecture is confirmed.
Recording performance statistics for the approved computer hardware architecture | Number of computers required to support the networking services can be determined.
11
Design Requirements and Limitations (diagram: New York with Routers 1, 2 and 3 and subnets of 175, 250 and 3 hosts; Tokyo with Router 4 and subnets of 100 and 75 hosts; London with Router 5 and subnets of 200 and 150 hosts)
12
An investigation of the current network, user traffic patterns, and future network requirements reveals the following additional information that you consider when making your design decisions.
13
Applications
The investment firm uses a number of applications to conduct the day-to-day operations. To create a solution for the investment firm, your design must provide:
- Support for a mission-critical Web-based application that manages investment firm customers and their stock portfolios.
- Support for a mission-critical Web-based application that allows customers to check their stock portfolios and to perform investment trading over the Internet.
- Private network access to all shared folders and Web-based applications from the New York, Tokyo, and London offices.
- Performance response times to allow a stock trade transaction to occur within three seconds.
- Administration of private network resources by using a directory services infrastructure.
- Authentication of users by using a directory services infrastructure.
- Support for all mission-critical applications to be available 24 hours a day, 7 days a week.
14
Connectivity
The applications used by the investment firm require connectivity between the offices. When creating the design for the investment firm, remember that your design must provide:
- Simultaneous access to private network resources for approximately 200 brokers connecting through the Internet by using a variety of operating systems.
- Simultaneous access to Web-based applications for approximately 1,500 brokers and customers who are connecting through the Internet by using a variety of operating systems.
- Access to management aspects of the Web-based applications that are restricted to brokers and administrative staff.
- Access to the Internet from all locations for all private network users.
- Control of Internet access through a single path of connectivity through the New York headquarters.
- Isolation of the firm's network from the Internet.
15
Identifying the Essential Design Decisions
- Identifying the Appropriate Networking Services
- Providing Networking Services at the New York Location
- Providing Networking Services at the Tokyo Location
- Providing Networking Services at the London Location
16
As you begin designing the networking solution for the investment firm, you must identify which networking services to include in the network design. Based on the networking services, you must identify where to place servers to provide essential support for the solution. You can select the networking services for your network design based on the types of clients, applications, connectivity between locations, and connectivity for remote users. You must place the servers within the organization based on the number of clients, the geographic locations, and the amount of traffic between network segments.
17
To provide the essential networking services for the investment firm, you must:
- Identify the networking services that are required at each location.
- Determine the networking server placement and design options for New York.
- Determine the networking server placement and design options for Tokyo.
- Determine the networking server placement and design options for London.
18
Identifying the Appropriate Networking Services (diagram: New York with Routers 1, 2 and 3 and subnets of 175, 250 and 3 hosts; Tokyo with Router 4 and subnets of 100 and 75 hosts; London with Router 5 and subnets of 200 and 150 hosts)
19
You must identify the networking services for a network design to ensure that the appropriate foundation exists for supporting the users and applications. In addition, you must also identify any networking services that can provide the capabilities for future growth.
20
The following table lists the networking services that you need to include in the network design, and the reason you must include them.

Include this service | To provide
Transmission Control Protocol/Internet Protocol (TCP/IP) | A common protocol between clients and Internet connectivity.
DHCP | Automatic IP configuration for clients.
DNS | Name resolution for Web-based applications. Support for the Active Directory™ directory service.
WINS | Name resolution for Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows NT® version 4.0 clients.
Microsoft Proxy Server | Isolation between the private network and the Internet. Different levels of security by creating screened subnets. Caching of Internet requests.
Routing and Remote Access | Connectivity between the various geographic locations within the organization. Connectivity for the brokers who connect to private network resources through a virtual private network (VPN) connection over the Internet. Isolation between the private network and the Internet.
21
Providing Networking Services at the New York Location (diagram: Subnet A, 175 hosts; Subnet B, 7 hosts; Subnet C, 250 hosts; Subnet D, 2 hosts; Subnet E, 3 hosts; Routers 1, 2 and 3; WINS, DHCP, DNS, Proxy Server and VPN remote access servers; firewall; Internet)
22
For the New York location, determine where to place the servers and the options necessary to support your design.
23
Placing Servers That Run the Networking Services
The following table lists the placement criteria for servers at the New York location.

Place | On subnet(s) | So that
DHCP | B | DHCP traffic travels across the minimum number of network segments while protecting the server.
DNS | B | DNS traffic travels across the minimum number of network segments while protecting the server.
WINS | B | WINS traffic travels across the minimum number of network segments while protecting the server.
Router | B, E | Packets are routed between the screened subnet and the private network while protecting private network resources.
VPN remote access | D | Remote access is provided while protecting private network resources.
Proxy Server | B, E | HTML and FTP traffic is filtered through the Proxy Server while protecting private network resources.
24
Specifying Networking Services Design Options
There are several options that you need to specify in your network design for each of the servers in the New York location.
25
Providing Networking Services at the Tokyo Location (diagram: Subnet F, 100 hosts; Subnet G, 75 hosts; WINS, DHCP and DNS servers; Router 4; firewall; Internet)
26
After the New York location design is completed, you need to decide where to place the servers within the Tokyo location. For each networking service that you place in the Tokyo location, you must determine the networking service design options to include in your design.
27
Placing Servers That Run the Networking Services
The following table lists the servers that are placed within the Tokyo location, the subnets on which the servers are placed, and why the servers are placed on the respective subnet within your design.

Place | On subnet(s) | So that
DHCP | F | DHCP traffic travels across the minimum number of network segments while protecting the server.
DNS | F | DNS traffic travels across the minimum number of network segments while protecting the server.
WINS | F | WINS traffic travels across the minimum number of network segments while protecting the server.
Router | F, G | Packets are routed between the screened subnet and the private network while protecting private network resources.

Note: The DHCP, DNS, and WINS servers were placed on Subnet F because Subnet F contains the majority of client computers at the Tokyo location.
28
Specifying Networking Services Design Options
For each of the networking services servers that you place within the Tokyo location, you must specify the design options for the service.
29
The following tables list the related design options by networking service, and the reason for specifying the options in your design.

DHCP
Specify | To
DHCP scope for Subnets F and G | Provide automatic IP configuration for the DHCP clients on Subnets F and G.
DHCP Relay Agent on Router 4 | Enable the forwarding of DHCP packets between Subnets F and G.
DNS updates | Register new DHCP clients with DNS.
30
DNS
Specify | To
Active Directory integrated zone | Use the existing Active Directory infrastructure, and act as the repository for the DNS zone information.
Dynamic updates from the DHCP server | Authorize the DHCP server to perform updates within the DNS zone.
31
WINS
Specify | To
Burst handling | Respond to a large number of simultaneous WINS registration requests.
Replication with the New York server | Ensure WINS resolution and registration between locations.
32
Router
Specify | To
Static routing | Provide routing between locations.
OSPF | Automatically update routing table information with existing routers.
IPSec tunnel | Encrypt data between locations and authenticate the router.
33
Providing Networking Services at the London Location (diagram: Subnet H, 200 hosts; Subnet I, 150 hosts; WINS, DHCP and DNS servers; Router 5; firewall; Internet)
34
After the designs for the New York and Tokyo locations are completed, you need to decide where to place the servers within the London location. For each networking service that you place in the London location, you must determine the networking service design options to include in your design.
35
Placing Servers That Run the Networking Services
The following table lists the servers that are placed within the London location, the subnets on which the servers are placed, and why the servers are placed on the respective subnet within your design.

Place | On subnet(s) | So that
DHCP | H | DHCP traffic travels across the minimum number of network segments while protecting the server.
DNS | H | DNS traffic travels across the minimum number of network segments while protecting the server.
WINS | H | WINS traffic travels across the minimum number of network segments while protecting the server.
Router | H, I | Packets are routed between the screened subnet and the private network while protecting private network resources.

Note: The DHCP, DNS, and WINS servers were placed on Subnet H because Subnet H contains the majority of client computers at the London location.
36
Specifying Networking Services Design Options
For each of the networking services servers that you place within the London location, you must specify the design options for the service.
37
The following tables list the related design options by networking service, and the reason for specifying the options in your design.

DHCP
Specify | To
DHCP scope for Subnets H and I | Provide automatic IP configuration for the DHCP clients on Subnets H and I.
DHCP Relay Agent on Router 5 | Enable the forwarding of DHCP packets between Subnets H and I.
DNS updates | Register new DHCP clients with DNS.
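The Tokyo and London placement tables above both apply the same rule (put DHCP, DNS and WINS on the subnet holding most clients, then add a DHCP Relay Agent on the router for the other subnet). The following Python script is an added example, not part of the module, that applies that rule to any site topology: it scores each candidate subnet by host-weighted router hops and derives which routers need a relay agent because DHCP discovery broadcasts do not cross routers. Host counts and router names come from the module's diagrams; the assumption that each site's router joins its two subnets is ours, and the New York choice (Subnet B, chosen for protection rather than host count) is represented by the optional candidate filter.

```python
"""Server placement and DHCP relay check for one location (added example).

Picks the subnet for the DHCP/DNS/WINS servers by minimising the host-weighted
number of network segments (router hops) that client traffic must cross, then
derives which routers need a DHCP Relay Agent: a DHCP client finds its server
by broadcast, and broadcasts do not cross routers, so every subnet without the
server needs a relay on the router one hop toward the server.
"""
from collections import deque
from typing import Dict, List, Optional

Site = Dict[str, Dict]

# Constructed from the module diagrams: subnet -> host count, router -> subnets
# it joins. Assumption: each site's router connects that site's two subnets.
SITES: Dict[str, Site] = {
    "Tokyo":  {"hosts": {"F": 100, "G": 75},  "routers": {"Router4": ["F", "G"]}},
    "London": {"hosts": {"H": 200, "I": 150}, "routers": {"Router5": ["H", "I"]}},
}


def hop_counts(routers: Dict[str, List[str]], start: str) -> Dict[str, int]:
    """Breadth-first search over subnets; one hop is one router crossed."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for subnets in routers.values():
            if here not in subnets:
                continue
            for nxt in subnets:
                if nxt not in dist:
                    dist[nxt] = dist[here] + 1
                    queue.append(nxt)
    return dist


def weighted_segments(site: Site, server_subnet: str) -> int:
    """Sum over subnets of (hosts on the subnet x hops to the server subnet).

    Raises ValueError if some subnet cannot reach the server subnet at all.
    """
    dist = hop_counts(site["routers"], server_subnet)
    missing = [s for s in site["hosts"] if s not in dist]
    if missing:
        raise ValueError(f"subnets unreachable from {server_subnet}: {missing}")
    return sum(hosts * dist[s] for s, hosts in site["hosts"].items())


def best_subnet(site: Site, candidates: Optional[List[str]] = None) -> str:
    """Subnet with the lowest host-weighted hop count (ties broken by name).

    `candidates` restricts the choice to subnets judged adequately protected,
    which is how a design can land on a small subnet such as New York's Subnet B.
    """
    choices = candidates or list(site["hosts"])
    return min(choices, key=lambda s: (weighted_segments(site, s), s))


def relay_routers(site: Site, server_subnet: str) -> List[str]:
    """Routers that need a DHCP Relay Agent: each joins a subnet that lacks the
    server to a subnet one hop closer to it."""
    dist = hop_counts(site["routers"], server_subnet)
    needed = set()
    for subnet, hops in dist.items():
        if hops == 0:
            continue
        for router, subnets in site["routers"].items():
            if subnet in subnets and any(dist[t] == hops - 1 for t in subnets):
                needed.add(router)
    return sorted(needed)


def placement(site_name: str) -> Dict[str, object]:
    """Placement decision for one of the sites defined above."""
    site = SITES[site_name]
    subnet = best_subnet(site)
    return {"subnet": subnet,
            "weighted_segments": weighted_segments(site, subnet),
            "dhcp_relay_on": relay_routers(site, subnet)}


if __name__ == "__main__":
    for name in SITES:
        print(name, placement(name))
```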
38
DNS
Specify | To
Active Directory integrated zone | Use the existing Active Directory infrastructure, and act as the repository for the DNS zone information.
Dynamic updates from the DHCP server | Authorize the DHCP server to perform updates within the DNS zone.
39
WINS
Specify | To
Burst handling | Respond to a large number of simultaneous WINS registration requests.
Replication with the New York server | Ensure WINS resolution and registration between locations.
40
Router
Specify | To
Static routing | Provide routing between locations.
OSPF | Automatically update routing table information with existing routers.
IPSec tunnel | Encrypt data between locations and authenticate the router.
41
Providing Security
- Identifying Potential Security Risks
- Preventing Potential Security Risks
42
To secure the networking solution, you must identify the potential security risks and how to prevent those risks from occurring. You identify the security risks based on the confidentiality of the data and the number of users that have access to the data. You prevent unauthorized access to confidential data by encrypting the data, and authenticating users or devices that transmit the data.
43
To provide security for the investment firm solution, you must:
- Identify the potential security risks for the confidential data.
- Identify the strategies for preventing the potential security risks at each location.
44
Identifying Potential Security Risks (diagram: Internet; New York with Routers 1, 2 and 3 and subnets of 175, 250 and 3 hosts; Tokyo with Router 4 and subnets of 100 and 75 hosts; London with Router 5 and subnets of 200 and 150 hosts)
45
When your network design includes confidential data that is transmitted on a private network or over public networks, the data is at risk. Therefore, your network design must ensure that each user who requires access to the confidential data is authenticated.
46
The following table lists the security risks and why the data is at risk.

Data is at risk | Because there is a possibility that
Within each location | Brokers can access other brokers' clients. Customers may connect to the network while in the branch office and access others' accounts. Network administrative staff can access any of the firm's accounts and records.
Between locations | Confidential data is transmitted between locations over public networks.
From the Web-based application | Brokers and customers can transmit confidential data over the Internet. Servers that host the Web-based applications are accessible from the Internet.
From brokers accessing the private network remotely | Brokers can transmit confidential data over public networks.
47
Preventing Potential Security Risks (diagram: Internet; New York with Routers 1, 2 and 3 and subnets of 175, 250 and 3 hosts; Tokyo with Router 4 and subnets of 100 and 75 hosts; London with Router 5 and subnets of 200 and 150 hosts)
48
After you identify the security risks, you need to decide how to prevent the security risks from occurring at any location. For each location where there is a security risk, you must prescribe a response that prevents access to the confidential data.
49
Within Each Location
You can prevent the security risks within each location by:
- Encrypting (by using IPSec) all confidential data transmitted within the private network.
- Authenticating all brokers by using Active Directory authentication.
- Authenticating all customers when they access the Web-based application while connecting to the network within each location.
- Requiring Hypertext Transfer Protocol Secure (HTTPS) for all transactions on the Web-based application.
50
Between Locations
You can prevent the security risks between locations by:
- Requiring that the routers that connect locations transmit all data through a VPN tunnel.
- Encrypting the data by using 56-bit Data Encryption Standard (DES), which is the strongest level of encryption that can be exported outside the U.S. and Canada.
- Authenticating the routers by using MS-CHAP v2 and IPSec.
51
Web-based Application
You can prevent the security risks for the Web-based application by:
- Authenticating all customers when they access the Web-based application.
- Requiring HTTPS for all transactions on the Web-based application.
- Placing the Web-based application servers on screened subnets within the location.
52
Remote Access by Brokers
You can prevent the security risks when the brokers remotely access the private network by:
- Encrypting all confidential data transmitted within the private network by using VPN tunnels with Microsoft Point-to-Point Encryption (MPPE).
- Authenticating all brokers by using Active Directory authentication.
53
Enhancing the Availability and Performance
- Identifying the Essential Networking Services
- Enhancing the Availability and Performance at the New York Location
- Enhancing the Availability and Performance at the Tokyo Location
- Enhancing the Availability and Performance at the London Location
55
Identifying the Essential Networking Services (diagram: Internet; New York with Routers 1, 2 and 3 and subnets of 175, 250 and 3 hosts; Tokyo with Router 4 and subnets of 100 and 75 hosts; London with Router 5 and subnets of 200 and 150 hosts)
56
In your design, any mission-critical applications that depend upon networking services require that these services be highly available and perform within specifications. When these networking services are offline, your mission-critical applications fail. When these networking services respond slowly, your mission-critical applications perform below specifications.
57
Support for Web-based Trading
The following table lists the networking services that are required to support the Web-based trading applications in the investment firm.

Web-based trading applications require | To provide
DHCP | Automatic IP configuration for brokers who connect through VPN remote access.
DNS | Name resolution for servers that host the application.
Proxy Server | Private network isolation. Screened subnets to protect the servers that host the application.
Routing and Remote Access | Private network isolation. VPN remote access for brokers. Routing between private network locations.
58
Support for Private Network-based Applications
The following table lists the networking services that are required to support the private network-based applications in the investment firm.

Private network-based applications require | To provide
DHCP | Automatic IP configuration for users within the private network.
DNS | Name resolution for servers that host the applications.
WINS | Name resolution for servers that host the applications from Windows 95, Windows 98, and Windows NT clients.
Routing and Remote Access | Private network isolation. VPN remote access for brokers. Routing between private network locations.
59
Enhancing the Availability and Performance at the New York Location (diagram: Subnet A, 175 hosts; Subnet B, 12 hosts; Subnet C, 250 hosts; Subnet D, 4 hosts; Subnet E, 5 hosts; Routers 1, 2, 3 and 6; DHCP, WINS and DNS servers, Proxy Array and VPN remote access; firewall; Internet)
60
After you have identified the essential networking services for the solution, you must prevent outages and improve the performance of these services in the New York location. In most instances, the same method that you implement will also improve the availability and performance of a networking service. Note: In many instances, the existing networking service is sufficient for the number of users in the New York location. However, the additional server has the added benefit of improving performance for the networking service.
61
DHCP
Improve the availability of DHCP within the New York location by:
- Specifying that the existing DHCP server belongs to a server cluster.
- Adding another server to the server cluster, to act as a backup in the event of a server failure.
Note: Because only one instance of DHCP is running within the cluster, DHCP performance is not improved.
62
DNS
Improve the availability and performance of DNS within the New York location by:
- Placing an additional DNS server with an Active Directory integrated zone on Subnet B.
- Specifying that the clients on Subnet A use the original DNS server and the clients on Subnet B use the additional DNS server, to distribute DNS queries between the two DNS servers.
63
WINS
Improve the availability of WINS within the New York location by:
- Specifying that the existing WINS server belongs to a server cluster.
- Adding another server to the server cluster, to act as a backup in the event of a server failure.
Note: Because only one instance of WINS is running within the cluster, WINS performance is not improved.
64
Routing
Improve the availability and performance of routing within the New York location by:
- Placing an additional router between Subnets B and E.
- Specifying that the original router is the lowest cost path to the Tokyo location and the highest cost path to the London location.
- Specifying that the additional router is the lowest cost path to the London location and the highest cost path to the Tokyo location.
65
Proxy Server
Improve the availability and performance of Proxy Server within the New York location by:
- Specifying that the existing proxy server belongs to a proxy array.
- Adding another proxy server to the proxy array to act as a backup in the event of a server failure.
- Specifying that both proxy servers use Network Load Balancing to distribute traffic between the servers.
66
VPN Remote Access Server
Improve the availability and performance of VPN remote access within the New York location by:
- Adding another VPN remote access server on Subnet D.
- Specifying that both VPN remote access servers use Network Load Balancing to distribute traffic between the servers.
67
Enhancing the Availability and Performance at the Tokyo Location (diagram: Subnet F, 100 hosts; Subnet G, 75 hosts; DHCP and WINS servers and two DNS servers; Routers 4 and 7; firewall; Internet)
68
After you improve the availability and performance at the New York location, you must prevent outages and improve the performance of the networking services in the Tokyo location. In most instances, the same method that you implement will also improve the availability and performance of a networking service. Note: In many instances, the existing networking service is sufficient for the number of users in the Tokyo location. However, the additional server has the added benefit of improving performance for the networking service.
69
DHCP
Improve the availability of DHCP within the Tokyo location by:
- Specifying that the existing DHCP server belongs to a server cluster.
- Adding another server to the server cluster, to act as a backup in the event of a server failure.
Note: Because only one instance of DHCP is running within the cluster, DHCP performance is not improved.
70
DNS
Improve the availability and performance of DNS within the Tokyo location by:
- Placing an additional DNS server with an Active Directory integrated zone on Subnet G.
- Specifying that the clients on Subnet F use the original DNS server, and the clients on Subnet G use the additional DNS server, to distribute DNS queries between the two DNS servers.
71
WINS
Improve the availability of WINS within the Tokyo location by:
- Specifying that the existing WINS server belongs to a server cluster.
- Adding another server to the server cluster, to act as a backup in the event of a server failure.
Note: Because only one instance of WINS is running within the cluster, WINS performance is not improved.
72
Routing
Improve the availability and performance of routing within the Tokyo location by:
- Placing an additional router between Subnet F, Subnet G, and the Internet.
- Specifying that the original router is the lowest cost path to the New York location and the highest cost path to the London location.
- Specifying that the additional router is the lowest cost path to the London location and the highest cost path to the New York location.
73
Enhancing the Availability and Performance at the London Location (diagram: Subnet H, 200 hosts; Subnet I, 150 hosts; DHCP and WINS servers and two DNS servers; Routers 5 and 8; firewall; Internet)
74
After you improve the availability and performance at the New York and Tokyo locations, you must prevent outages and improve the performance of the networking services in the London location. In most instances, the same method that you implement will improve the availability and performance of a networking service. Note: In many instances, the existing networking service is sufficient for the number of users in the London location. However, the additional server has the added benefit of improving performance for the networking service.
75
DHCP
Improve the availability of DHCP within the London location by:
- Specifying that the existing DHCP server belongs to a server cluster.
- Adding another server to the server cluster, to act as a backup in the event of a server failure.
Note: Because only one instance of DHCP is running within the cluster, DHCP performance is not improved.
76
DNS
Improve the availability and performance of DNS within the London location by:
- Placing an additional DNS server with an Active Directory integrated zone on Subnet I.
- Specifying that the clients on Subnet H use the original DNS server and the clients on Subnet I use the additional DNS server, to distribute DNS queries between the two DNS servers.
77
WINS
Improve the availability of WINS within the London location by:
- Specifying that the existing WINS server belongs to a server cluster.
- Adding another server to the server cluster to act as a backup in the event of a server failure.
Note: Because only one instance of WINS is running within the cluster, WINS performance is not improved.
78
Routing
Improve the availability and performance of routing within the London location by:
- Placing an additional router between Subnet H, Subnet I, and the Internet.
- Specifying that the original router is the lowest cost path to the New York location and the highest cost path to the Tokyo location.
- Specifying that the additional router is the lowest cost path to the Tokyo location and the highest cost path to the New York location.
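The routing slides for New York, Tokyo and London give each site two routers, each the lowest-cost path to one remote location and the highest-cost path to the other. The following Python script is an added example, not part of the module, that models that three-site design as a weighted graph and uses Dijkstra's algorithm to check two things the slides leave implicit: that traffic leaves each site through the intended router, and that after any single router failure the backup tunnel is still preferred over routing through the third site's private network. Router numbers follow the module's diagrams (Router 2 and Router 6 at New York, 4 and 7 at Tokyo, 5 and 8 at London); the tunnel pairings and cost values are our assumptions.

```python
"""Routing availability check for the three-site design (added example).

Each site's private network attaches to two routers. Each router carries one
preferred (low-cost) tunnel and one backup (high-cost) tunnel, following the
module's text. The check verifies the intended egress router per destination
and that a single router failure never forces transit through a third site.
"""
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]

LAN_COST = 1    # site private network <-> its routers (constructed value)
LOW_COST = 10   # preferred tunnel (constructed value)
HIGH_COST = 20  # backup tunnel (constructed value)

# site -> [original router, additional router], per the module diagrams
ROUTERS: Dict[str, List[str]] = {
    "NewYork": ["Router2", "Router6"],
    "Tokyo":   ["Router4", "Router7"],
    "London":  ["Router5", "Router8"],
}

# Tunnels paired so that both ends agree on preference (assumption):
# New York: Router 2 low to Tokyo / high to London, Router 6 the reverse.
# Tokyo:    Router 4 low to New York / high to London, Router 7 the reverse.
# London:   Router 5 low to New York / high to Tokyo, Router 8 the reverse.
TUNNELS: List[Tuple[str, str, str]] = [
    ("Router2", "Router4", "low"),   # New York <-> Tokyo, preferred
    ("Router6", "Router5", "low"),   # New York <-> London, preferred
    ("Router7", "Router8", "low"),   # Tokyo <-> London, preferred
    ("Router2", "Router8", "high"),  # New York <-> London, backup
    ("Router6", "Router7", "high"),  # New York <-> Tokyo, backup
    ("Router4", "Router5", "high"),  # Tokyo <-> London, backup
]


def build_graph(high_cost: int = HIGH_COST, failed: Tuple[str, ...] = ()) -> Graph:
    """Undirected weighted graph; routers listed in `failed` are left out."""
    graph: Graph = {}

    def link(a: str, b: str, cost: int) -> None:
        if a in failed or b in failed:
            return
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost

    for site, routers in ROUTERS.items():
        for router in routers:
            link(site, router, LAN_COST)
    for a, b, kind in TUNNELS:
        link(a, b, LOW_COST if kind == "low" else high_cost)
    return graph


def shortest_path(graph: Graph, src: str, dst: str) -> Optional[List[str]]:
    """Dijkstra; returns the node list from src to dst, or None if unreachable."""
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            break
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def egress_router(src: str, dst: str, failed: Tuple[str, ...] = ()) -> Optional[str]:
    """The router that traffic from `src` to `dst` actually leaves through."""
    path = shortest_path(build_graph(failed=failed), src, dst)
    return path[1] if path else None


def transits_third_site(path: List[str], src: str, dst: str) -> bool:
    """True if the path crosses a site's private network other than src/dst."""
    return any(n in ROUTERS and n not in (src, dst) for n in path)


def single_failure_is_clean(high_cost: int = HIGH_COST) -> bool:
    """True if every site pair survives every single router failure without
    routing across the third site. With the backup cost too high, the two
    preferred tunnels via the third site become cheaper and this fails."""
    for failed in [r for rs in ROUTERS.values() for r in rs]:
        graph = build_graph(high_cost, failed=(failed,))
        for src in ROUTERS:
            for dst in ROUTERS:
                if src == dst:
                    continue
                path = shortest_path(graph, src, dst)
                if path is None or transits_third_site(path, src, dst):
                    return False
    return True
```

With the constructed costs a backup tunnel path costs 22 while the detour through the third site costs 24, so failover stays direct; raising the backup cost to 30 flips that, which is the kind of check worth running before committing OSPF costs.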
79
Lab A: Creating Networking Solutions
80
Objectives
After completing this lab, you will be able to:
- Evaluate an existing scenario to design a networking services solution.
- Design a networking services solution for the given scenarios.
81
Prerequisites
Before working on this lab, you must have:
- Knowledge of the design decisions required to create a networking services design.
- Knowledge of strategies to enhance the security, availability, and performance of a networking services solution.
82
Exercise 1: Designing an Insurance Firm Solution
In this exercise, you are presented with the task of designing a networking services solution for an insurance firm. This insurance firm has a central office, six regional offices, and two types of insurance agent offices. Review the scenario, the design requirements, and the diagram for your assigned location. Follow the instructions to complete the exercise.
83
Scenario
An insurance firm is evaluating their existing network in preparation for the deployment of Windows 2000. As a consultant to the firm, you have been assigned the task of evaluating and redesigning the current network. The insurance firm has a central office that handles billing and accounting for the firm. In addition, the firm has six regional offices that support the insurance agents within each region. The insurance agent offices are independently owned and operated. The agent offices consist of an individual agent or a group of agents working at a single location.
84
Design Limitations and Requirements
An investigation of the current network, user traffic patterns, and future network requirements reveals additional information that must be considered when making your design decisions.
85
Applications
The insurance firm uses a number of applications to conduct the day-to-day operations. To create a solution for the insurance firm, your design must provide:
- Support for a mission-critical Web-based application that manages customers and their policies.
- Support for a mission-critical Web-based application that allows customers to check the status of claims and historical claim payment information over the Internet.
- Private network access to all shared folders and Web-based applications from the central office and regional offices.
- Internet access from the central office and the regional offices.
- Support for all mission-critical applications to be available 24 hours a day, 7 days a week.
86
Connectivity
The applications used by the insurance firm require connectivity between the central office, regional offices, and agent offices. When creating the networking services design for the insurance firm, remember that your design must provide:
- Support for the regional offices to connect to the central office by using dedicated connections over the Internet.
- Support for the agent offices that consist of multiple agents to connect to the regional offices by using dedicated connections over the Internet.
- Support for the agent offices that consist of an individual agent to connect to the regional offices by using dial-up connections over the Internet.
- Isolation of the central office, the regional offices, and the agent offices from the Internet.
87
Review
- Evaluating the Existing Configuration
- Identifying the Essential Design Decisions
- Providing Security
- Enhancing the Availability and Performance