Help with Network Design (SharePoint)

wedge1988

Hi All,

Ive just finnished my design for our network. Ive never done anything like this before, and i wanted people with experience to tell me what thay think. Id appreciate a bit of feedback too!

Here was the last post (Which i talked about sharepoint with) Basically this is a sharepoint network design, and i need to get it as secure as possible. Like i said, i hope its the best i can do, else opinions / suggestions please!

http://www.techexams.net/forums/mcsa-mcse-windows-2003-general/44047-fqdn-nightmare-s.html

see image of my design:

http://img269.imageshack.us/img269/3733/designh.png

HeroPsycho

Not quite, but close.

A more secure design would be an additional NIC off the ISA server, and publish the "front end" Sharepoint server. Like...

Net
|
Linux Firewall
|
ISA -- Front End servers
|
Internal network

With your current design, you're not taking advantage of application layer filtering to protect your front ends, when you could.

wedge1988

So at least ive designed it properly then

What sort of advantages are there to having an ISA server between the linux firewall and the perimiter network? (Other than adding an additional layer of security?)

HeroPsycho

Application layer filtering, even within an encrypted SSL tunnel if you deploy it right.

wedge1988

right, so basically it inspects packets data rather than the packet type. With this i could set up a 3-way solution, but i just dont have the money or resources to implement one.

Other than this, have i designed it correctly? or like i said, any ideas on what i could improve (Not hardware wise)

cheers.

dynamik

HeroPsycho wrote: »

Application layer filtering, even within an encrypted SSL tunnel if you deploy it right.

*sexy*

I'll be taking my ISA 2006 exam soon. It's definitely been an interesting experience. You should check out the Syngress books on it.

dynamik

wedge1988 wrote: »

right, so basically it inspects packets data rather than the packet type. With this i could set up a 3-way solution, but i just dont have the money or resources to implement one.

Other than this, have i designed it correctly? or like i said, any ideas on what i could improve (Not hardware wise)

From my experience, trying to arrange a 3-way solution has indeed been an expensive proposition. Wait, nevermind...

Seriously though, adding another NIC is a deal-breaker?

wedge1988

Dynamik, your not on about a 3-legged perimiter are you? the ISA server would have 3 NICS rather than 2?

This seems like a smarter solution. Is this what you mean?

(See attatchment)

EDIT:

What i actually meant by 3-way was this:

Net
|
Linux Firewall
|
ISA -- Front End servers
|
DMZ
|
Back-End ISA Firewall
|
Internal network


But thats probably a 3 zone scenario.

dynamik

Like the bottom part in your attached image, and the way Hero diagrammed.

HeroPsycho

wedge1988 wrote: »

Dynamik, your not on about a 3-legged perimiter are you? the ISA server would have 3 NICS rather than 2?

This seems like a smarter solution. Is this what you mean?

(See attatchment)

EDIT:

What i actually meant by 3-way was this:

Net
|
Linux Firewall
|
ISA -- Front End servers
|
DMZ
|
Back-End ISA Firewall
|
Internal network


But thats probably a 3 zone scenario.

I'm pretty sure I said to do that...

wedge1988

lol. Just saw it. Thanks guys.

Got a couple of questions. Ill be using the following:

2x 146GB 15k SAS drives (RAID 1)
1x Quad core xeon @ 2.66
1x Quad Network Card
2x 2GB RAM 1333mhz

Whats your opinion of this? Does ISA server even use this max spec? what will it go up to?

I use a dell optiplex 330 at the moment, which is:

1x SATA 7200rpm
1x Dual Core Pentium Processor
2x 1gb port NICs
1x 2GB ram.

Will this suffice? Any ideas? Im looking up the specs now but is the extra power any difference? I could do a true setup otherwise

dynamik

I know I've asked before, but you have detailed the number of users, types of connections, etc. If you're using it as a caching server as well (why wouldn't you?), you'd probably want to bump up the disk space and memory (assuming you have a decent number of users). You'd probably want to put the cache on a different volume for performance reasons as well.

wedge1988

So you cant have any more than 2GB ram with the standard edition anyway. And the spec of that other server i have is easily over the spec of the reccommendations.

If i can squeeze another hard drive and licence out of my bosses then i should be able to use it as a further front firewall. Is it worth it though? I only have an exchange front end and sharepoint web server at the front?

dynamik

Didn't know you were using standard, I guess I missed that. You should put a fast hardware firewall at the edge then let ISA do application-layer filtering on the traffic that goes through that.

wedge1988

might find out how much it is for the enterprise upgrade. I thought ISA mainly relied on the processor for packets and that ram wasnt as much of an issue?

dynamik

Like I said, it depends on what you want to do with it. The more of the cache you load into memory, the better it will perform. The more memory you have, the more you can load. You may decide you don't want to use caching, or that just retrieving from disk is sufficient for your environment. It totally depends on your needs.

wedge1988

Maybe you could tell me why the last time i enabled caching, google kept appearing with its customised view on peoples workstations? lol.

I might enable it, not sure yet.

One thing i can say is that getting ISA server 2006 to work as a proxy server only is a right bi**h lol.

wedge1988

Im assuming this, but id imagine i can use domain.local on the internal network and domain.com on the extranet (and route the data across fro both exchange and sharepoint)???

dynamik

Of course. It completely depends on how you have DNS setup.

You really need to go through this or something similar: Amazon.com: Dr. Tom Shinder's ISA Server 2006 Migration Guide: Thomas W Shinder, Debra Littlejohn Shinder, Adrian F. Dimcev, James Eaton-Lee, Jason Jones, Steve Moffat: Books

No offense, but if you're struggling with these basic concepts, this project is going to be an absolute disaster for you. You really need to lab this scenario in advance.

wedge1988

Thats ok, i have my labs set up now.

I just needed to make sure. I do understand it, ive just never done this in a production so i didnt know if it was possible with the net etc.

Anyways, glad i can, now i can start setting my lab up!