Help with Network Design (SharePoint)

wedge1988wedge1988 Member Posts: 434 ■■■□□□□□□□
Hi All,

Ive just finnished my design for our network. Ive never done anything like this before, and i wanted people with experience to tell me what thay think. Id appreciate a bit of feedback too!

Here was the last post (Which i talked about sharepoint with) Basically this is a sharepoint network design, and i need to get it as secure as possible. Like i said, i hope its the best i can do, else opinions / suggestions please!

http://www.techexams.net/forums/mcsa-mcse-windows-2003-general/44047-fqdn-nightmare-s.html

see image of my design:

http://img269.imageshack.us/img269/3733/designh.png
~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese

Comments

  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    Not quite, but close.

    A more secure design would be an additional NIC off the ISA server, and publish the "front end" Sharepoint server. Like...

    Net
    |
    Linux Firewall
    |
    ISA -- Front End servers
    |
    Internal network

    With your current design, you're not taking advantage of application layer filtering to protect your front ends, when you could.
    Good luck to all!
  • wedge1988wedge1988 Member Posts: 434 ■■■□□□□□□□
    So at least ive designed it properly then :);)

    What sort of advantages are there to having an ISA server between the linux firewall and the perimiter network? (Other than adding an additional layer of security?)
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    Application layer filtering, even within an encrypted SSL tunnel if you deploy it right.
    Good luck to all!
  • wedge1988wedge1988 Member Posts: 434 ■■■□□□□□□□
    right, so basically it inspects packets data rather than the packet type. With this i could set up a 3-way solution, but i just dont have the money or resources to implement one.

    Other than this, have i designed it correctly? or like i said, any ideas on what i could improve (Not hardware wise)

    cheers.
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    HeroPsycho wrote: »
    Application layer filtering, even within an encrypted SSL tunnel if you deploy it right.

    *sexy*

    I'll be taking my ISA 2006 exam soon. It's definitely been an interesting experience. You should check out the Syngress books on it.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    wedge1988 wrote: »
    right, so basically it inspects packets data rather than the packet type. With this i could set up a 3-way solution, but i just dont have the money or resources to implement one.

    Other than this, have i designed it correctly? or like i said, any ideas on what i could improve (Not hardware wise)

    From my experience, trying to arrange a 3-way solution has indeed been an expensive proposition. Wait, nevermind...

    Seriously though, adding another NIC is a deal-breaker?
  • wedge1988wedge1988 Member Posts: 434 ■■■□□□□□□□
    Dynamik, your not on about a 3-legged perimiter are you? the ISA server would have 3 NICS rather than 2?

    This seems like a smarter solution. Is this what you mean?

    (See attatchment)

    EDIT:

    What i actually meant by 3-way was this:

    Net
    |
    Linux Firewall
    |
    ISA -- Front End servers
    |
    DMZ
    |
    Back-End ISA Firewall
    |
    Internal network


    But thats probably a 3 zone scenario.
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Like the bottom part in your attached image, and the way Hero diagrammed.
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    wedge1988 wrote: »
    Dynamik, your not on about a 3-legged perimiter are you? the ISA server would have 3 NICS rather than 2?

    This seems like a smarter solution. Is this what you mean?

    (See attatchment)

    EDIT:

    What i actually meant by 3-way was this:

    Net
    |
    Linux Firewall
    |
    ISA -- Front End servers
    |
    DMZ
    |
    Back-End ISA Firewall
    |
    Internal network


    But thats probably a 3 zone scenario.

    I'm pretty sure I said to do that... icon_lol.gif
    Good luck to all!
  • wedge1988wedge1988 Member Posts: 434 ■■■□□□□□□□
    lol. Just saw it. Thanks guys.

    Got a couple of questions. Ill be using the following:

    2x 146GB 15k SAS drives (RAID 1)
    1x Quad core xeon @ 2.66
    1x Quad Network Card
    2x 2GB RAM 1333mhz

    Whats your opinion of this? Does ISA server even use this max spec? what will it go up to?

    I use a dell optiplex 330 at the moment, which is:

    1x SATA 7200rpm
    1x Dual Core Pentium Processor
    2x 1gb port NICs
    1x 2GB ram.

    Will this suffice? Any ideas? Im looking up the specs now but is the extra power any difference? I could do a true setup otherwise :)
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    I know I've asked before, but you have detailed the number of users, types of connections, etc. If you're using it as a caching server as well (why wouldn't you?), you'd probably want to bump up the disk space and memory (assuming you have a decent number of users). You'd probably want to put the cache on a different volume for performance reasons as well.
  • wedge1988wedge1988 Member Posts: 434 ■■■□□□□□□□
    So you cant have any more than 2GB ram with the standard edition anyway. And the spec of that other server i have is easily over the spec of the reccommendations.

    If i can squeeze another hard drive and licence out of my bosses then i should be able to use it as a further front firewall. Is it worth it though? I only have an exchange front end and sharepoint web server at the front?
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Didn't know you were using standard, I guess I missed that. You should put a fast hardware firewall at the edge then let ISA do application-layer filtering on the traffic that goes through that.
  • wedge1988wedge1988 Member Posts: 434 ■■■□□□□□□□
    might find out how much it is for the enterprise upgrade. I thought ISA mainly relied on the processor for packets and that ram wasnt as much of an issue?
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Like I said, it depends on what you want to do with it. The more of the cache you load into memory, the better it will perform. The more memory you have, the more you can load. You may decide you don't want to use caching, or that just retrieving from disk is sufficient for your environment. It totally depends on your needs.
  • wedge1988wedge1988 Member Posts: 434 ■■■□□□□□□□
    Maybe you could tell me why the last time i enabled caching, google kept appearing with its customised view on peoples workstations? lol.

    I might enable it, not sure yet.

    One thing i can say is that getting ISA server 2006 to work as a proxy server only is a right bi**h lol.
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • wedge1988wedge1988 Member Posts: 434 ■■■□□□□□□□
    Im assuming this, but id imagine i can use domain.local on the internal network and domain.com on the extranet (and route the data across fro both exchange and sharepoint)???
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Of course. It completely depends on how you have DNS setup.

    You really need to go through this or something similar: Amazon.com: Dr. Tom Shinder's ISA Server 2006 Migration Guide: Thomas W Shinder, Debra Littlejohn Shinder, Adrian F. Dimcev, James Eaton-Lee, Jason Jones, Steve Moffat: Books

    No offense, but if you're struggling with these basic concepts, this project is going to be an absolute disaster for you. You really need to lab this scenario in advance.
  • wedge1988wedge1988 Member Posts: 434 ■■■□□□□□□□
    Thats ok, i have my labs set up now.

    I just needed to make sure. I do understand it, ive just never done this in a production so i didnt know if it was possible with the net etc.

    Anyways, glad i can, now i can start setting my lab up!
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
Sign In or Register to comment.