Port Forwarding, RDP, & Trusts

DerekAustin26

Hello all,

I use to work for EDS and the were an Enterprise Organization. All over the world. In Tulsa, OK we had Class C IP's.. Which interested me because for a huuge enterprise like EDS (now HP) that would only allow 255 IP's for our local site.

I damn well know for sure that company had way more than 255 users. So maybe we had multiple networks at the same site, and even the whole world.

So this brings up a few questions? When we RDP into a client's website who works for the same company who lives on the other side of the world, how is this RDP getting through if it's a seperate network? Port Forwarding?
Okay now, if it isnt a seperate network, yet we are on the same networks yet geographically distanced, same rule apply? Port Forwarding?

Since EDS(HP) has lans all over the world, are each of these sites just setup as "Trusts" so that way they allow RDP's from remote "trusted sites" into each other's networks?

tiersten

DerekAustin26 wrote: »

In Tulsa, OK we had Class C IP's.. Which interested me because for a huuge enterprise like EDS (now HP) that would only allow 255 IP's for our local site.

You would have had a small class C network for your department, office, building or whatever. These small networks would be connected together to form the company intranet. You don't want a massive single class A that covers the entire company throughout the world.

DerekAustin26 wrote: »

I damn well know for sure that company had way more than 255 users. So maybe we had multiple networks at the same site, and even the whole world.

It isn't a maybe. They will do.

DerekAustin26 wrote: »

So this brings up a few questions? When we RDP into a client's website who works for the same company who lives on the other side of the world, how is this RDP getting through if it's a seperate network? Port Forwarding?

The various networks are most likely routable at least within the organisation. I highly doubt that they're going to be using NAT which would require port forwarding.

DerekAustin26 wrote: »

Since EDS(HP) has lans all over the world, are each of these sites just setup as "Trusts" so that way they allow RDP's from remote "trusted sites" into each other's networks?

The domains will be linked in some manner.

Without more information it is difficult to speculate about their internal network structure. Look at some of the network lab manuals for an example of a company network and how they're structured.

DerekAustin26

Each site would have at least 1 Core Router.

Now if the entire company took out NAT (which explains the whole RDP question & port forwarding confusion), then how would they hide their private IP's so that their not exposed to the internet?

chrisone

All the company's internal networks should be routed/connected to each other. The 255 your referring too is perhaps the private IP address of a class C. Routers have a routing table that know how to get to other networks within ones company or outside of the company.

Maybe this will clear things up, yes they are in the same enterprise network, but that doesnt mean they are on the same subnet.

tiersten

DerekAustin26 wrote: »

Now if the entire company took out NAT (which explains the whole RDP question & port forwarding confusion), then how would they hide their private IP's so that their not exposed to the internet?

NAT isn't meant to be a security mechanism and shouldn't be relied to do such things. NAT breaks many protocols and has security issues itself. If you're relying on it to secure your network then you've got problems.

You can put restrictions at the border routers to prevent incoming/outgoing traffic from the internal machines and only allow specific servers or proxies to have internet access. If all internet traffic goes via one of those specific proxies then you can have internal non routable addresses and not deal with the screw up that is NAT.

DerekAustin26

Well every site would have a Core Router, which would be the Border Routers.. Hence the name "backbone" and each Core Router would interface with the Intranet WAN/Internet.

The Cores are the culprit between Internet or WAN/ LAN - So since each site has one, there would have to be NAT so they wouldnt be wasting IP's, and wasting money on public IP's and exposing their internal IP's to the internet (Granted, you dont need NAT for protection, but it saves money, who wants to pay for a chunk of Public IP's , especially for a company with that many employees when they can simply use NAT?

chrisone

DerekAustin26 wrote: »

(Granted, you dont need NAT for protection, but it saves money, who wants to pay for a chunk of Public IP's , especially for a company with that many employees when they can simply use NAT?

Many companies purchase bulks of public IPs. The performance of 255 users NATing to one public IP would be disastrous! It is very difficult to help you when you dont even know the topology or network design of the network in question. All we can do is try to give you answers on a theory you came up with. Sorry bud

blackninja

These "Core" routers are usually called CE routers (Customer Edge) that connect to a Provider Edge router (PE router). It may be a VPN over the internet, but for most "huuge enterprise"s they have some form of IP-VPN from a provider like Cable & Wireless ( who I work for ).

Yes, if the internal network uses private addresses then NAT must be used. As previously stated NAT is not used for security only to conserve IP addresses.

tiersten

DerekAustin26 wrote: »

Well every site would have a Core Router, which would be the Border Routers.. Hence the name "backbone" and each Core Router would interface with the Intranet WAN/Internet.

A core router isn't the same thing as a border router. If your network infrastructure is big enough that you need more than 1 router then the distinction between core, edge and border routers becomes significantly more important.

DerekAustin26 wrote: »

The Cores are the culprit between Internet or WAN/ LAN - So since each site has one, there would have to be NAT so they wouldnt be wasting IP's, and wasting money on public IP's and exposing their internal IP's to the internet

You're assuming that each site is setup as you would a standalone home or office network where it is a self contained network with only a connection to the internet.

DerekAustin26 wrote: »

(Granted, you dont need NAT for protection, but it saves money, who wants to pay for a chunk of Public IP's , especially for a company with that many employees when they can simply use NAT?

Each machine doesn't need to have a public IP. It may be on a non routable network but they can avoid using NAT by using proxies on servers which do have a public IP. I'd be surprised if there was any large organisation that gave you internet access that didn't go through some sort of proxy.

mikem2te

DerekAustin26 wrote: »

Well every site would have a Core Router, which would be the Border Routers.. Hence the name "backbone" and each Core Router would interface with the Intranet WAN/Internet.

The Cores are the culprit between Internet or WAN/ LAN - So since each site has one, there would have to be NAT so they wouldnt be wasting IP's, and wasting money on public IP's and exposing their internal IP's to the internet (Granted, you dont need NAT for protection, but it saves money, who wants to pay for a chunk of Public IP's , especially for a company with that many employees when they can simply use NAT?

I would say most companies would use private IP address ranges internally, like you say using public routable IP addresses expensive / not very common.

Multiple sites of a company would typically be connected together using a combination of private leased lines/IPSec VPNs/MPLS, so in effect all sites would be a part of one big network, each site would have a small subnet alloocated to it. Any site could then communicate with any other site as needed, they are all part of one big virtual network.

NAT on the other hand in my experience is a 'small company' thing. Larger enterprises may not employ NAT at all or very limited for exposing services on to the internet such as SMTP or HTTP servers. Many companies use alternative security measures including NOT allowing internal users direct access to the internet. Typically Proxy servers would be used to allow internal users access to the internet, these allow much better control of what useers can do than a NAT router can do, such as blocking peer 2 peer, adult web sites etc. These would also have logging facilities so management can keep an eye on what the workforce is upto on the web. Oh, another thing they can do is cache web pages to make better use of internet bandwidth.

DerekAustin26

tiersten wrote:

Each machine doesn't need to have a public IP. It may be on a non routable network but they can avoid using NAT by using proxies on servers which do have a public IP. I'd be surprised if there was any large organisation that gave you internet access that didn't go through some sort of proxy.

Proxy yes! EDS did use Proxy, but our IP's were private which can only mean one thing. We had to of been using NAT.

So can you send me a diagram of where the "Border Routers" come into play? What that looks like?

I dont see how WANS can have access to each other and the internet at the same time, use Private IP's and not use NAT.

Even if they dont use NAT, what I dont understand is how do WANS know they are apart of the same Network if they are on Seperate Networks? Example. Las Angeles Network is 192.168.0.1 while New York's Network is 146.146.10.1 & Chicago's is 172.10.0.1 though they are all on the same Company Wide WAN. I dont understand that.

networker050184

DerekAustin26 wrote: »

Proxy yes! EDS did use Proxy, but our IP's were private which can only mean one thing. We had to of been using NAT.

So can you send me a diagram of where the "Border Routers" come into play? What that looks like?

I dont see how WANS can have access to each other and the internet at the same time, use Private IP's and not use NAT.

Even if they dont use NAT, what I dont understand is how do WANS know they are apart of the same Network if they are on Seperate Networks? Example. Las Angeles Network is 192.168.0.1 while New York's Network is 146.146.10.1 & Chicago's is 172.10.0.1 though they are all on the same Company Wide WAN. I dont understand that.

They probably have their own private WAN circuits or are using some sort of VPN like an MPLS VPN. That way they can route the public and private addresses into one "cloud." I know its kind of hard to wrap your head around when you are just starting out, but it will all become clear in time.

blackninja

So you can visualise what a WAN looks like. Here's ours, we use the 192.168.X.X and 172.16.X.X - 172.30.X.X all across our own network. To route to the internet we use a number of proxies.

My boss emailed me this on my first day - probably to try and intimidate me.

DerekAustin26

I understand what a WAN is.

I just dont understand how 2 geographically different located LANS know they are on the same WAN if they have different NETWORK ID's. How ?

mikem2te

DerekAustin26 wrote: »

So can you send me a diagram of where the "Border Routers" come into play? What that looks like?

I can do a quick diagram of the last network I worked with tomorrow if you're still confused.

DerekAustin26

mikem2te wrote: »

I can do a quick diagram of the last network I worked with tomorrow if you're still confused.

I'd appreciate that! Can you be sure to point out the Border Routers?

blackninja

DerekAustin26 wrote: »

I understand what a WAN is.

I just dont understand how 2 geographically different located LANS know they are on the same WAN if they have different NETWORK ID's. How ?

Simplest terms: Think of our WAN (see pic above) as a big LAN, with our own routers moving traffic between different sub-networks. If you did need to access the internet, you'd get routed to a proxy(say 172.16.3.3) (which used NAT) then to the internet( say 192.160.0.1-100).

tazdevil

HP has several Class A networks, which they have acquired through mergers, over the years, with Digital (DEC), Compaq, Tandem, EDS, and then HP.

Check to see what address you end up with when your connected, a friend of mine told me he has a public IP from the office, or from home when the VPN is connected.

daveccna

His problem is that he's mixing up issues with subnets and WANs.

I assume that you know that you could have differing subnets within a building that communicate if you have a router.

If one machine pings one on another subnet it'll end up messaging it's gateway which will check its routing table.

You also know that in order to get out of your building onto the internet you need a connection to an ISP which will have layer 3 equipment that as far as you need to know at this point can route to other buildings external IPs, your own connection will have one or more external (public IPs) also.

In order to bring disparate sites with different external IPs onto the same WAN so as to address internal subnets at remote sites you might use something like a static VPN.

EDIT: regarding trusts and sites you are wandering into the area of microsoft server. recommend you check articles on (but not limited to)

Domain forests and trusts
DNS
Active Directory
Sites and services

The content falls under 70-290 I think.

mikem2te

DerekAustin26 wrote: »

I'd appreciate that! Can you be sure to point out the Border Routers?

I have done a quick picture in Visio of the topology I last worked with. It’s is simplified a fair bit, I’ve not bothered with the DMZs, voice links, SMTP servers, WEB servers and a couple of other bits and pieces.

There are about 125 sites, site A is the central site, site B is the major distribution site, sites C and D are regional distribution centres (small) and Sites 1 to 120 are small but identical remote sites. All sites can talk to each other using various methods.

Sites A and B not to far apart so they have two redundant private links to each other, a microwave wireless link and a Leased Ethernet Service / LAN Extension Service. The circuit providers installed RJ45 sockets in each site and we just plugged that into the core switch. Basically the two sites are a part of the same LAN, we don’t actually know how the packets get from site A to site B, all we know is the circuit providers provide a virtual private link somehow through their infrastructure.

Site A also has two links to the internet via two different ISPs, the ISPs installed their own hardware in our comms rooms to which we connected firewall routers and a proxy server. I have coloured the links with public internet IP address RED while the private LAN links are BLACK. So as you can see the routers and proxy server both have an internet and a LAN connection.

Sites C, D and Sites 1 to 120 have similar topology to each other, although with various routers and connection methods to the internet. To connect C, D and Sites 1 to 120 back to the head office Site A we created virtual private networks (IPSec), this in effect joins all the sites together into one big network. So Sites C and D have a virtual private network back to Border Router 1 in the head office while Sites 1 to 120 have a virtual private network back to Border Router 2.

So how does the traffic move around the network? A previous post on this thread mentioned ROUTING TABLES. If a host in head office needs to send a packet to a host in Site C it gets it’s IP Address then looks at its routing table to discover where to send it (Border Router 1), Border Router 1 then sends the packet to the Border Router in Site C. Job done. Although the packet does get sent over the internet, it never leaves the protection of the VPN link created between those two sites, as far as the two hosts are concerned the two sites are connected together in one large private network.

So for internet access, all the hosts in the network were configured to send any internet requests to the Proxy server, this would then in turn send the request out to the internet on the hosts behalf. When the web page comes back in from the internet the proxy server would relay the page back to the original host. This may not have been the most efficient way for internet access as all sites would connect via head office – accountants are the enemy of IT!!! There is no NAT going on anywhere in the network. The only link between the companies network and the internet was via the proxy server.

mikem2te

DerekAustin26 wrote: »

I understand what a WAN is.

I just dont understand how 2 geographically different located LANS know they are on the same WAN if they have different NETWORK ID's. How ?

Routing tables. As far as all hosts in one site are concerned, all other networks are remote and would therefore use a router to connect to them. The router would then look at the destination IP address then route the traffic, depending on the table it could route the traffic to a remote site using a leased line, vpn of some other technology.

DerekAustin26

mikem2te wrote: »

I have done a quick picture in Visio of the topology I last worked with. It’s is simplified a fair bit, I’ve not bothered with the DMZs, voice links, SMTP servers, WEB servers and a couple of other bits and pieces.

There are about 125 sites, site A is the central site, site B is the major distribution site, sites C and D are regional distribution centres (small) and Sites 1 to 120 are small but identical remote sites. All sites can talk to each other using various methods.

Sites A and B not to far apart so they have two redundant private links to each other, a microwave wireless link and a Leased Ethernet Service / LAN Extension Service. The circuit providers installed RJ45 sockets in each site and we just plugged that into the core switch. Basically the two sites are a part of the same LAN, we don’t actually know how the packets get from site A to site B, all we know is the circuit providers provide a virtual private link somehow through their infrastructure.

Site A also has two links to the internet via two different ISPs, the ISPs installed their own hardware in our comms rooms to which we connected firewall routers and a proxy server. I have coloured the links with public internet IP address RED while the private LAN links are BLACK. So as you can see the routers and proxy server both have an internet and a LAN connection.

Sites C, D and Sites 1 to 120 have similar topology to each other, although with various routers and connection methods to the internet. To connect C, D and Sites 1 to 120 back to the head office Site A we created virtual private networks (IPSec), this in effect joins all the sites together into one big network. So Sites C and D have a virtual private network back to Border Router 1 in the head office while Sites 1 to 120 have a virtual private network back to Border Router 2.

So how does the traffic move around the network? A previous post on this thread mentioned ROUTING TABLES. If a host in head office needs to send a packet to a host in Site C it gets it’s IP Address then looks at its routing table to discover where to send it (Border Router 1), Border Router 1 then sends the packet to the Border Router in Site C. Job done. Although the packet does get sent over the internet, it never leaves the protection of the VPN link created between those two sites, as far as the two hosts are concerned the two sites are connected together in one large private network.

So for internet access, all the hosts in the network were configured to send any internet requests to the Proxy server, this would then in turn send the request out to the internet on the hosts behalf. When the web page comes back in from the internet the proxy server would relay the page back to the original host. This may not have been the most efficient way for internet access as all sites would connect via head office – accountants are the enemy of IT!!! There is no NAT going on anywhere in the network. The only link between the companies network and the internet was via the proxy server.

First question I have is... Why dont all the sites have Border Gateways? Why is it just Site A & C ?

2nd - Howcome Site A's Proxy Server doesnt have a Border Gateway Router in front of it.. It's directly connected to the ISP's Router as if it's a Router... I never knew a Server could interface with an ISP Router? I always thought Routers talk to only Routers.. (other than their local nodes attached to it) But there, the Proxy Server is using the ISP router like it's a Local Router..??

3rd. What is a Microwave Cloud?

4th. What is an NTL Cloud?

5th - Do Sites 1 - 120 have to manually VPN into Site A as if they are "Remote home users"? Or is this something configured that happens automatically?

6th - What is the "LES" Link at the bottom? And is this a private WAN Link?

mikem2te

Wow, loads of healthy questions

DerekAustin26 wrote: »

First question I have is... Why dont all the sites have Border Gateways? Why is it just Site A & C ?

For this purpose I guess all the routers in the other sites could be called border gateways.

DerekAustin26 wrote: »

2nd - Howcome Site A's Proxy Server doesnt have a Border Gateway Router in front of it.. It's directly connected to the ISP's Router as if it's a Router... I never knew a Server could interface with an ISP Router? I always thought Routers talk to only Routers.. (other than their local nodes attached to it) But there, the Proxy Server is using the ISP router like it's a Local Router..??

It doesn't need one. A proxy server can act as a router in that it can have an external/WAN and internal/LAN interfaces and pass traffic between them. Infact Microsoft Windows has had "routing and remote access services" for years allowing it to act as a router.

DerekAustin26 wrote: »

3rd. What is a Microwave Cloud?

It is a link using radio waves, like wifi on steroids. Not sure of the details but I believe the service provider created a mesh of radio stations between various buildings in the locality, we had small radio dishes atached to the two sites joining the two sites to the mesh. Basically it joined the two buildings together as if they were o the same LAN.

DerekAustin26 wrote: »

4th. What is an NTL Cloud?

NTL is a service provider in the UK.

DerekAustin26 wrote: »

5th - Do Sites 1 - 120 have to manually VPN into Site A as if they are "Remote home users"? Or is this something configured that happens automatically?

The VPNs are site to site VPNs in that the remote router itself will initiate a VPN link back to head office. Therefore all clients inside the remote sites can access any host in the head office as if they are on the same network

DerekAustin26 wrote: »

6th - What is the "LES" Link at the bottom? And is this a private WAN Link?

Yeah, it is a private WAN link between the two sites.

DerekAustin26

mikem2te wrote: »

NTL is a service provider in the UK.

First off, i wanna say thanks for helping!

Now howcome Sites 1-120 and Site D dont go through their Provider? Or should I assume the "internet Cloud" is including an ISP?

mikem2te

DerekAustin26 wrote: »

First off, i wanna say thanks for helping!

Now howcome Sites 1-120 and Site D dont go through their Provider? Or should I assume the "internet Cloud" is including an ISP?

NTL is an ISP like any other, It's in the diagram because the link between the HO and site C are both connected to the same ISP so hopefully the traffic remains inside the NTL network rather than breaking out and traversing the internet at large.

The other sites are connected to various ISPs using cheap as chips broadband.

DerekAustin26

mikem2te wrote: »

NTL is an ISP like any other, It's in the diagram because the link between the HO and site C are both connected to the same ISP so hopefully the traffic remains inside the NTL network rather than breaking out and traversing the internet at large.

The other sites are connected to various ISPs using cheap as chips broadband.

Well howcome you cannot access the internet through the NTL Cloud? It's an ISP like any other? Thats a big misunderstanding im having..

mikem2te

DerekAustin26 wrote: »

Well howcome you cannot access the internet through the NTL Cloud? It's an ISP like any other? Thats a big misunderstanding im having..

Yes it's an ISP like any other and we could have used it for web access but we decided to use it only for remote site links.

We did not want web traffic to affect the remote sites.

DerekAustin26

mikem2te wrote: »

Yes it's an ISP like any other and we could have used it for web access but we decided to use it only for remote site links.

We did not want web traffic to affect the remote sites.

Okay it sounds like what saying is that you have to have at least 2 ISP's to seperate your "Intranet" & your "internet" links?

Otherwise, why not just take out the NTL Cloud and use the "internet Cloud" for both.

mikem2te

DerekAustin26 wrote: »

Okay it sounds like what saying is that you have to have at least 2 ISP's to seperate your "Intranet" & your "internet" links?

Otherwise, why not just take out the NTL Cloud and use the "internet Cloud" for both.

No, one link to the internet is sufficient for both internet access and running virtual private networks for the remote sites.

Poeple choose more ISPs for many reasons. In our case it was redundancy and balancing the load a bit.

If the link from the head office to one of the ISPs failed (which was quite frequent during recent redevelopment building work going on in the city - they kept on digging up the cables!!!) we could reconfigure the remote sites to come into the head office using the other border router in the head office and hence the other ISP connection at head office.

The other reason, sometimes the performance of the remote sites would drop off during times when people would be browsing the web, usually duringn lunch time. Splitting web access off to another ISP would allow the remote sites to continue working well.

DerekAustin26

So if a PC on Site A wants to access Site C, whats stopping it from traversing the Internet first?

mikem2te

DerekAustin26 wrote: »

So if a PC on Site A wants to access Site C, whats stopping it from traversing the Internet first?

The VPN linking the two sites is configured between two routers. So the VPN can form the router in site C is configured with the public IP address of the border router in site A, and in a mirror image, the router in Site A is configured with the public IP address of the router in site C. This allows them to negotiate the vpn tunnel between themselves.

When a host in site A sends a packet to site C it looks in its routing table to find where to send it. It then sends it to the correct router which will in turn look in its routing table to see if it has a specific route to site C. It does - the VPN.

The router will then send the packet to the ISP, it's up to the ISP which route it goes then. Eventually it will get to the border router in site C which will then forward the packet to the correct host.

The routing table is the key to controlling where packets are sent.