Lab Implementation


Windows Server System Reference Architecture

Lab Implementation

Published: July 2005

For the latest information, please see http://www.microsoft.com/wssra

Abstract

Windows er!er ystem" #eference $rchitecture %W#$& deli!ers architectural 'uidance on enterprise () infrastructure. *rucial to the credibility of this 'uidance is the testin' and pro!in' of the 'uidance to ensure the e+pected !alue can be deri!ed from it when desi'nin' and implementin' () infrastructure based on icrosoft- products and technolo'ies. )his document describes the process followed to use the Reference Blueprints by inectin' a fictitious scenario and then buildin' and testin' the resultant desi'n.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results of the use of this document remains with the user. The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Project, Windows, Windows Server, and Windows Server System are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA

Table of Contents

Executive Summary ..... 1
Introduction ..... 2
    Who Should Read This Document ..... 2
    Knowledge Prerequisites ..... 2
Architecture Driven Design ..... 3
    Design Strategy ..... 3
    Design Process ..... 3
    Design Scenario ..... 5
    Network Design ..... 6
    Naming Standards ..... 7
Build Strategy ..... 13
    Build Process ..... 13
    Build Sequence ..... 14
        Configure and Secure the Network
        Configure the Devices
        Deploy the Operating System
        Build the Remaining Services
Test Strategy ..... 19
    Test Objectives ..... 19
    Test Process ..... 19
    Test Methodology ..... 23
        Types of Testing
        Test Sequence
        Test Cycle
    Test Scope ..... 27
    Release Testing ..... 27
    Release Criteria for T…

| Code | Location | Office Type | Office Size |
|---|---|---|---|
| ATL | Atlanta, GA USA | Sales office | 94 |
| BCL | Barcelona, Spain | Sales office | |
| BEI | Beijing, China | Sales office | |
| BGL | Bangalore, India | Research and development | 8 |
| BLM | Bloomington, IL USA | Insurance: P & C | 9,44 |
| BON | Bonn, Germany | Telecommunications | 3,44 |
| BRS | Brussels, Belgium | Government sales, European Union location | 9 |
| CAI | Cairo, Egypt | Sales office | |
| CBM | Cambridge, MA USA | Education | 85 |
| CDR | Cedar Rapids, IA USA | Sales office | |
| CLG | Calgary, Canada | Sales office | 9< |
| COP | Copenhagen, Denmark | Sales office | 9 |
| CR | Caracas, Venezuela | Sales Office | 9 |
| DAL | Dallas, TX USA | Petroleum | 34 |
| DEN | Denver, CO USA | Sales office | 94 |
| DUB | Dublin, Ireland | Research and development | 944 |
| DUA | Dubai, United Arab Emirates | Sales office | |
| EDB | Edinburgh, Scotland | Research, development and sales office | |
| HOD | Houston, TX USA | Development department-specific | NA |
| HOU | Houston, TX USA | Airlines | 9,44 |
| HRT | Hartford, CT USA | Healthcare | 3,44 |
| | Jakarta, Indonesia | Sales Office | < |
| KUL | Kuala Lumpur, Malaysia | Research and development and Regional site | H |
| LON | London, United Kingdom | Research, development, sales office and regional site | 34 |
| MEX | Mexico City, Mexico | Sales Office | 8 |
| MIA | Miami, FL USA | Sales office and regional site | 4 |
| MRS | Marseille, France | Research, development and sales office | 8 |
| MUN | Munich, Germany | Sales office | |
| NWN | Newark, NJ USA | Sales office and regional site | 9 |
| NYC | New York, NY USA | Securities | 5,444 |
| ODS | Odessa, Russia | Petroleum location; research and development | |
| PIT | Pittsburgh, PA USA | Sales office | |
| RDU | Raleigh, NC USA | Sales office | |
| ROM | Rome, Italy | Sales office | |
| SAT | San Antonio, TX USA | Computers, Office Equipment | 8, |

… phase, because most of the tasks in the "Configure the Devices" phase do not require the network. Configuring and securing the network before anything else enabled the other services to be installed as if the environment was in a production mode.

Configure the Devices

This phase comprised tasks from the Computing Devices Build Guide and Storage Devices Build Guide. … "DHCP" section in the Network Services Build Guide were used to build the DHCP service on a server failover cluster. … "DNS" tasks. Immediately following the "DHCP" tasks, the tasks in the "WINS" section in the Network Services Build Guide were used to build the WINS service on the same server failover cluster as the DHCP service. The "WINS" tasks were performed after the "DHCP" tasks because the "DHCP" tasks built the cluster. With the internal corporate Active Directory domain created, the internal proxy servers were built using the tasks in the "Internal Proxy Servers" section in the Firewall Services Build Guide. These tasks were performed in parallel with the DNS, DHCP, and WINS because they were not dependent on these services.

At this point, the network was built and secured, the SAN storage was configured and ready for servers to work with, all computers had the operating system installed, the Active Directory domains were built, the firewalls and proxy servers were built, and DNS, DHCP, and WINS were built.

Build the Remaining Services

With the foundational services built, the rest of the services were installed and configured. The sequence of the discussion below is approximately how the rest of the services were installed. Most of the remaining services were built in parallel; however, some services were dependent on the build of other services. Unless noted in the discussion below, each of the services were built in parallel.
The tass in the Infrastructure *anagement Services Build Guide  were performed to  build the management servers in the interior and perimeter (ones. Installing these servers prior to the other services allowed the remote management functions to be available for the other services9 build tass. The tass in the >0ile Service> and >?rint Service> sections in the %ile and Print Services Build Guide were followed to build the -le and print services on their associated server failover clusters. These two services were built in parallel after their foundation services &directory service and S%8 storage' were complete. The tass in the Data Services Build Guide  were followed to build the data service for each of the various con-gurations. ;uring the data service installation on the 5nisys computers, the remaining tass for building the #)" S%8 storage device were performed. The tass in the +e, Application Services Build Guide  were followed to build the internal corporate and e!ternal perimeter Web servers. These tass only built the service to a point where it was ready to support Web sites. The Web sites used for testing were built as part of the testing scenarios. The tass in the *iddle#are Services Build Guide were followed to build the internal corporate and e!ternal perimeter middleware application servers. These tass only  built the service to a point where it was ready to support middleware applications. The applications used for testing were installed as part of the testing scenarios. The tass in the )erti-cate Services Build Guide were followed to build the root, intermediate, and issuing certi-cation authority &"%' servers for the corporate (one and the root:issuing "% server for hardware router devices. and >#!ternal ?ro!y Servers> sections in the %ire#all Services Build Guide , which will complete securing the networ. . ?erform all the tass in the Directory Service Build Guide. O. ?erform the remaining tass in the >3? 
S%8 Storage ;evices> section in the Storage Devices Build Guide . P. ?erform the tass in the >;8S> sections in the "et#or$ Services Build Guide . Q. ?erform the tass in the >;3"?> sections in the "et#or$ Services Build Guide. JG. ?erform the tass in the >WI8S> sections in the "et#or$ Services Build Guide. JJ. ?erform the tass in the >Internal ?ro!y Servers> section in the %ire#all Service Build Guide. ab (mplementation



JH. ?erform all the tass in the Infrastructure *anagement Services Build Guide . JF. ?erform the tass in the >0ile Service> sections in the %ile and Print Services Build Guide. JN. ?erform the tass in the >?rint Service> sections in the %ile and Print Services Build Guide. JK. ?erform all the tass in the Data Services Build Guide.  In addition, complete the remaining tass in the >#)" S%8 Storage ;evices> section in the Storage Devices Build Guide. J. ?erform all the tass in the +e, Application Services Build Guide. JO. ?erform all the tass in the *iddle#are Services Build Guide. JP. ?erform all the tass in the )erti-cate Services Build Guide . JQ. ?erform all the tass in the Remote Access Services Build Guide . HG. ?erform all the tass in the Bac$up and Recovery Build Guide . HJ. ?erform all the tass in the *essaging Services Build Guide.


Test Strategy

This section provides a test plan overview of the first prescriptive implementation of WSSRA that was built and tested in Microsoft test labs. This section describes test objectives, strategy, and methodology and identifies the test scope and the defining release criteria that were used to determine successful completion of the testing phase.

Test Objectives

WSSRA tests are designed to reduce or eliminate uncertainty in the performance and capabilities of the services provided by WSSRA to support both Microsoft-originated solution offerings and customized solutions developed for individual customers. This results in direct time and cost savings to WSSRA documentation users because they can more easily debug their implementations knowing that fundamental environmental issues have already been solved. The specific test objectives for the testing efforts were:

- To validate the documentation quality by ensuring that the content of the guidance was clear, accurate, consistent, easy to use, and met the requirements of defined customer scenarios. Customers should be able to rely on the documentation to design, implement, and operate data center instantiations based on WSSRA.
- To verify that the architecture for each service met design requirements for availability, security, manageability, recoverability, and usability. The architecture should provide the highest degree of system and network-level security without interfering with the ability of any system to carry out its key functions. All systems in the architecture should be manageable both locally and remotely without any security risks.
- To ensure that all the services worked together concurrently in the integrated WSSRA environment. System integration testing was used to uncover any coexistence issues between the mix of Microsoft and third-party services and components used in the test lab instantiation.
- To describe performance levels of key network and operating system services both on a service-by-service basis and as an integrated whole without tuning or optimization.

Test rocess The test team began by formulating highlevel plans, schedule estimates, and stratagems  based on the pro+ect scope document, customer scenarios, initial services lists, and e!isting architectural and design documentation. %s the pro+ect progressed, these plans were ad+usted to meet updated technical information, scope changes, and operational realities.

ab (mplementation

7

The test team used nowledge gained from their involvement in reviewing all stages of architectural and design development as well as their e!perience from previous releases to derive initial test case speci-cations. @ater, planning documentation was evaluated to determine what claims were being made and which of those claims would re/uire speci-c testing by the test team. The following -gure depicts a de-ned process.

Figure: Turning Specifications Into Test Cases

This process is supported by the following templates, which are available in the Testing folder of the Deployment Kit:

- Claims Document - Template.doc
- Relevant Claims Document - Template.doc
- Test Design Specifications Document - Template.doc

These templates were used to extract and develop relevant claims into refined test case specifications, which were then used to create test cases in a test case management tool. The process of deploying the test lab was used to ensure the quality of prescriptive guidance. It began with verification of the lab's hardware as assembled, racked, and wired compared against the ConfigurationMatrix.xls file (available in the Deployment Kit). Once it was established that the lab hardware was conformant, the test team built the lab from the ground up following the build guidance exactly as written. This allowed testers to uncover errors in sequencing, omissions, and accuracy of the build guidance at the earliest stage in the test process. Once the lab system was built, short configuration audits and simple build verification tests (…

| Source Zone | Destination Zone | Port | Protocol | TCP/UDP | Purpose |
|---|---|---|---|---|---|
| | | | | | …office client workstations to securely connect to the Contoso internal network remotely over IPSec through a NAT. Note that this VPN tunnel may be initiated by either the branch office or the site-to-site VPN and the tunnel will only be authorized if the remote site has a valid authentication certificate. |
| Perimeter Remote Access tier/1 | Branch Office, Public | 500 | ISAKMP | UDP | To allow the site-to-site VPN to use ISAKMP to build the secure tunnel for IPSec VPNs. Note that this VPN tunnel may be initiated by either the branch office or the site-to-site VPN. |
| Perimeter Management tier/1 | Corporate Management | 3389 | RDP | TCP | To allow administrators to remotely administer the perimeter management servers through Terminal Services or Remote Desktop Connection. Once logged in using Terminal Services, the administrator can connect to other Perimeter servers directly attached to the CPB LAN. |
| Perimeter Management tier/1 | Corporate Management | 80 | HTTP | TCP | To allow HTTP traffic to traverse between the perimeter and internal management servers for intercommunication, such as SOAP (see also port 8100). |
| Perimeter Management tier/1 | Corporate Management | | | | …traffic to transit between the internal servers and the management servers. This undefined high port is used by the management software. |
| Perimeter Backup tier/1 | Corporate Management | | | | |
| SQL | Perimeter Application tier/2 | | | | …traffic to flow between the read-only SQL Server computers and the perimeter application servers for content. |
| SQL | Perimeter Application tier/2 | 80 | HTTP | TCP | To allow HTTP traffic to traverse between the read-only SQL Server computers for intercommunication, such as SOAP (see also port 8100). |
| Corporate Web Services | Internal Application tier/1 | | | | …traffic to traverse between the corporate Web server and the application servers for intercommunication, such as SOAP (see also port 8100). |
| | | | | | …traffic through the firewall, specific ports must be specified for CA traffic. For more details, refer to the following URL: |
| Corporate Infrastructure tier/1 | External Proxies tier/2 | 80, 8080 | HTTP | TCP | To allow HTTP traffic to traverse between the internal and external proxy servers for intercommunication, such as SOAP (see also port 8100). |
| | | | | | …traffic to the back-end interface of the internal Web server. This specific LAN segment is isolated for database traffic only to offload the traffic from the front-end LAN segment. |
| Internal SQL | Internal Applications tier/2 | | | | …only to offload the traffic from the front-end LAN segment. |
| Corporate Database, Corporate Management, Corporate Infrastructure | Internal Web tier/2 | 80 | HTTP | TCP | To allow HTTP traffic to traverse between the corporate servers and the internal Web server for intercommunication, such as SOAP (see also port 8100). |
| Corporate Infrastructure, Corporate Management, Corporate … | Internal SQL tier/1 | | | | …traffic between the internal SQL Server computers and the internal corporate servers. |
| Corporate Infrastructure, Corporate Management, Corporate … | Internal SQL tier/1 | Common protocol set | - | TCP/UDP | Refer to Table 12 in the Network Architecture Blueprint for a list of commonly allowed protocols. |
| Corporate Database, Corporate Infrastructure, Corporate Internal Applications, Corporate Web Services | Internal Management tier/1 | 80 | HTTP | TCP | To allow HTTP traffic to traverse between the corporate servers and the internal management servers for intercommunication, such as SOAP (see also port 8100) and basic configuration. |
| Corporate Database, Corporate Infrastructure, Corporate Internal Applications, Corporate Web Services | Internal Management tier/1 | | | | …traffic to transit between the internal servers and the management servers. This undefined high port is used by the management software. |
| Corporate Database, Corporate Infrastructure, Corporate Internal Applications, Corporate Web Services | Internal Management tier/1 | Common protocol set | - | TCP/UDP | Refer to Table 12 in the Network Architecture Blueprint for a list of commonly allowed protocols. |
| Corporate Database, Corporate Management, Corporate Internal Applications, Corporate Web Services | File and Print tier/1 | 9 | Print spooler | UDP | To support print spool traffic to the print servers. |
| Corporate Database, Corporate Management, Corporate Internal Applications, Corporate Web Services | File and Print tier/1 | 94= | Unassigned registered port | UDP | To allow specific file and print traffic to transit between the internal servers and the file and print servers. |
| Corporate Database, Corporate Management, Corporate Internal Applications, Corporate Web Services | File and Print tier/1 | Common protocol set | - | TCP/UDP | Refer to Table 12 in the Network Architecture Blueprint for a list of commonly allowed protocols. |
| Corporate Access | VPN tier/2 | 1812-13 | RADIUS | UDP | Return RADIUS authentication traffic for verifying credentials for VPN tunnel. |
| Corporate Access | VPN tier/2 | Common protocol set | - | TCP/UDP | Refer to Table 12 in the Network Architecture Blueprint for a list of commonly allowed protocols. |
| Corporate Infrastructure | External Proxies tier/2 | 20-21 | FTP | TCP | Allow FTP traffic through the external proxy server to the Internet only when initiated from internal corporate servers. |
| Corporate Infrastructure | External Proxies tier/2 | 53 | DNS | TCP | To allow DNS queries from internal Corp servers through the external proxy server outbound to the Internet. |
| Corporate Infrastructure | External Proxies tier/2 | 80 | HTTP | TCP | To allow HTTP traffic to traverse between the corporate servers and the external proxy servers for intercommunication, such as SOAP (see also port 8100) and basic configuration. |
| | | | | | …traffic to traverse between the clients and the internal application servers for intercommunication. |
| Client | Internal Web tier/1 | | | | |
| | | | | | …office or the site-to-site VPN and the tunnel will only be authorized if the remote site has a valid authentication certificate. |
| Branch Office | VPN tier/1 | 1701 | UDP | UDP | To allow the branch office to initiate the VPN tunnel as required to allow remote branch office client workstations to securely connect to the Contoso internal network remotely over a VPN using L2TP. Note that this VPN tunnel may be initiated by either the branch office or the site-to-site VPN and the tunnel will only be authorized if the remote site has a valid authentication certificate. |
| Branch Office | VPN tier/1 | | | | …office to initiate the VPN tunnel as required to allow remote branch office client workstations to securely connect to the Contoso internal network remotely over IPSec through a NAT. Note that this VPN tunnel may be initiated by either the branch office or the site-to-site VPN and the tunnel will only be authorized if the remote site has a valid authentication certificate. |
| Branch Office | VPN tier/1 | 500 | ISAKMP | UDP | To allow the branch office to use ISAKMP to build the secure tunnel for IPSec VPNs. Note that this VPN tunnel may be initiated by either the branch office or the site-to-site VPN. |

Table: Zone and Tier Communications for the CDC Scenario

Note: Messaging services zone configurations are included in the Messaging Services Planning Guide and the Messaging Services Build Guide.

Appendix: Network Architecture Tier Definitions

This appendix provides the detailed information on the tier definitions that were used for the CDC scenario in the test lab.

| Tier | Tier Description | Services and Hosts It Contains | Member of Security Zone | Load-Balancing Technique | Load-Balancing Functional Requirements |
|---|---|---|---|---|---|
| Firewall (untrusted) | External interface on the Border Firewall between the Public and Border Public zone | Firewall servers | Border Public | Deterministic | High availability |
| Firewall (untrusted) | Internal interface of the Border Firewall between the Border Public and Perimeter Information Services and Perimeter Name Services zone | Firewall servers | Border Public | Round Robin (internal) | High availability |
| Firewall (Semi-trusted) | Border Firewall between the Public and Perimeter Remote Access zone | Firewall services on VPN servers | Border Public | Deterministic | High availability |
| Firewall (Semi-trusted) | Border Firewall between the Public and Perimeter Proxy Services zone | Firewall services on proxy servers | Border Public | N/A | None |
| Perimeter Application | Application servers for public access | Application servers | Perimeter Information Services | Least connected | Session persistence; High availability |
| Perimeter Web | Web services available to the public | Web servers | Perimeter Web Services | Least connected | Source IP/SS/URL persistence, SSL termination/offloading, downstream service availability awareness |
| Perimeter DNS | DNS services available to the public for queries | DNS servers | Perimeter Name Services | Least connected | High availability |
| Perimeter Directory | Domain Controller and Directory services available for the public | Domain Controller | Perimeter Information Infrastructure | Application specific | None at network layer; Active Directory provides inherent load balancing when queried, as part of the Active Directory architecture |
| Perimeter Backup | Backup services available for the public | Backup servers | Perimeter Information Infrastructure | N/A | None |
| Perimeter Management | Management services available for the public | Management servers | Perimeter Information Infrastructure | N/A | None |
| External Proxies | Proxy and recursive DNS services for outbound client traffic | Proxy services on proxy servers | Perimeter Proxy Service | Round Robin | High availability; Session persistence |
| VPN | VPN services for client and site-to-site connections | VPN services on VPN servers | Perimeter Remote Services | Deterministic | High availability |
| Internal SQL | Microsoft SQL Server for internal clients | Database servers | Private SQL | N/A | None |
| SQL | Microsoft SQL Server for Perimeter and Internal access | Database servers | Corporate Database | Fastest | High availability |
| Internal Directory | Active Directory for internal use | Domain controllers | Corporate Infrastructure | N/A | None at network layer; Active Directory provides inherent load balancing when queried as part of the Active Directory architecture |
| Internal Access | IAS services for RADIUS authentication on VPN clients | IAS servers | Corporate Access | N/A | None |
| Internal Proxy | Proxy services for internal use | Proxy/CA servers | Corporate Infrastructure | Round Robin | High availability; Session persistence |
| File and Print | File and Print services for internal use | File and Print servers | Corporate Infrastructure | N/A | None |
| Internal Name Services | DNS and WINS services for internal name resolution | DNS/WINS servers | Corporate Infrastructure | Deterministic | High availability |
| Internal Backup | Backup services for internal use | Backup servers | Corporate Management | N/A | None |
| Internal Management | Management services for internal use | Network and Applications Management servers; Deployment servers | Corporate Management | N/A | None |
| Internal Applications | Application services for internal use | Application servers | Corporate Internal Applications | Least connected | Session persistence; High availability |
| Internal Web | Web services for internal use | Web servers | Corporate Web Services | Least connected | Source IP/SS/URL persistence, SSL termination/offloading, downstream service availability awareness |
| Branch Office | Corporate remote offices | Desktops, laptops | Branch Office | N/A | None |
| Client | Client access devices | Desktops, laptops | Client | N/A | None |

Table: Tier Definitions for Contoso

Note: These servers are clustered for failover and not for load balancing; therefore, they have no impact on the network design. If multiple server hosts need to be clustered together to present themselves as one host to the network, the service administrator should specify the type of load balancing required.

Appendix B.5 Network Segment Definitions for the CDC

This appendix provides a detailed explanation of the segments created as part of the CDC network architectural design process.

| Segment ID | Purpose | Physical or Logical | Destination Segments | Reason for Creation |
|---|---|---|---|---|
| S1 | Connectivity | Physical. This connection is from the Internet to a Contoso edge device, so a physical segment is necessary. | S2, S8, and S9 | To make policy routing and multihomed ISP connectivity flexible, a border router device is preferred in this location. Security between the Public and Perimeter zones will be enforced with a device that provides the Perimeter Firewall Services role and the application-layer proxy firewall function, and that device also protects S2 from the Public zone. Segments S8 and S9 are connected directly to this border router, but the host services on these segments (proxy and VPN) are hardened. This solution offered higher performance and enabled the organization to plan for growth by adding more segments on the device performing the Border Routing role. |
| S2 | Connectivity and Security | Logical. The connection is between two devices that Contoso owns. It is required to minimize the number of devices to be managed in the enterprise. | S1 and S3 | To allow traffic to flow from the device that performs the Border Routing role to the device that performs the Perimeter Firewall Services role. It is a highly secure device that protects the Perimeter zone from unauthorized traffic from the Public zone and blocks any outbound connection initiated by the Perimeter hosts. The Contoso enterprise security policy mandated that the physical device that performed the Perimeter Firewall Services role also perform the function of application-layer proxy firewall to control traffic between the Public and Private security zones. |
| S3 | Connectivity and Security | Logical | S1 and S9 | To allow traffic to flow from the device that performs the Border Routing role to the device that performs the Perimeter Firewall Services role for the external VPN and proxy servers. This firewall service is a logical service running on the VPN and proxy servers. Inbound traffic is restricted to replies to conversations initiated by the Perimeter or Internal zones, or to secure VPN tunnel traffic from trusted authenticated sources. Outbound traffic can be sourced from the Internal Client or Corporate zones. |
| S4 | Connectivity and Security | Logical | S2, S5, S6, and S7 | To allow traffic to flow from the device performing the Perimeter Firewall Services role to the Perimeter DNS, Perimeter Application, and Perimeter Web tiers through the device that performs the Perimeter Switching role. The organization's security policy mandated that the device that performs the Internal Switching role must be physically separate from the device that performs the Perimeter Switching role. |
| S5 | Security | Logical | S4 and S12 | To allow traffic to flow between the device that performs the Perimeter Firewall Services role and the Perimeter Application tier (allowing public access to the tier). To allow traffic to flow between the Perimeter Web tier and the Perimeter Application tier. To allow devices in the Perimeter Management tier to connect to the servers in the Perimeter Application tier to remotely administer them. |
| S6 | Security | Logical | S4 and S12 | To allow traffic to flow between the device that performs the Perimeter Firewall Services role and the Perimeter Web tier (allowing Public access to the tier). To allow traffic to flow between the Perimeter Web tier and the Perimeter Application tier. To allow devices in the Perimeter Management tier to connect to the servers in the Perimeter Web tier to remotely administer them. |
| S7 | Security | Logical | S4 and S12 | To allow traffic to flow between the device that performs the Perimeter Firewall Services role and the Perimeter DNS tier (allowing Public access to the tier). To allow devices in the Perimeter Management tier to connect to the servers in the Perimeter DNS tier to remotely administer them. |
| S8 | Security or Connectivity | Logical | S12 and S14 | To allow traffic to flow between the Perimeter Information Infrastructure zone and the Internal Firewall device; the filters allow specific traffic to flow to the Perimeter Application, Web, and DNS tiers for directory services, backups, and management. Restricted communication is required between the Perimeter Information Infrastructure zone and specific devices in the Internal zone, which are handled by the Internal Firewall device. |
| S9 | Security | Logical | S3, S10, S11, and S13 | To allow outbound traffic to flow from the Client zone to the Public zone. To allow inbound traffic from the Public zone (authorized by a certificate) for VPN tunnel creation and to initiate communication to the Internal Access zone. To provide for client and site-to-site VPN connectivity. To allow traffic initiated from the Internal Proxy tier. No inbound initiated communication is allowed from the Public zone. |
| S10 | Security or Connectivity | Logical | S9 and S13 | To allow traffic to flow from the internal Client zone to the Perimeter Proxy Services zone (outbound initiated only). To allow traffic to flow between the internal clients and the tiers in the Corporate Database, Corporate Infrastructure, Corporate Internal Applications, and Corporate Web Services zones. |
| S11 | Security or Connectivity | Logical | S9 and S13 | To allow traffic to flow from the Internal Branch Office zone (connected through a VPN secure tunnel) to the Perimeter Proxy Services zone (outbound initiated only). To allow traffic to flow between the Internal Clients and the tiers in the Corporate Database, Corporate Infrastructure, Corporate Internal Applications, and Corporate Web Services zones. Note that this segment is a virtual segment; the branch offices are connected physically through the CDC WAN but are connected logically through the VPN tunnel as a semi-trusted client, which provides for the most reasonable connection. |
| S12 | Connectivity | Logical | S5, S6, S7, S8, and S14 | To allow traffic to flow between the device that performs the Perimeter Public Switching role and the device that performs the Internal Firewall Services role. All servers in the Perimeter DNS and Perimeter Web tiers route traffic through the device that performs the Perimeter Routing and Switching role if they need to communicate with systems in the Corporate zone. This segment also allows inter-zone traffic between the Perimeter services through the Perimeter Switching role. |
| S13 | Connectivity | Logical | S9, S10, S11, and S14 | To allow traffic to flow between the device that performs the Perimeter semi-trusted Switching role and the device that performs the Internal Firewall Services role. All client and branch office traffic to corporate services, as well as corporate communication to the Perimeter Proxy Services and Remote Access zones, will transit this segment. The Contoso enterprise security policy mandated that a device that performs at least the function of a stateful packet inspection firewall control network traffic between the Perimeter and Internal zones. In addition, it mandated that the device that performs the Internal Firewall Services role be a dedicated device for this purpose and be physically separate from the device that performs the Perimeter Firewall Services role. |
| S14 | Connectivity | Logical | S12, S13, S15, S16, S17, S18, and S19 | To allow traffic to flow between the device performing the Internal Firewall Services role and the device that performs the Internal Switching role. This will include traffic between the Perimeter and the Internal zones. Note that the Contoso enterprise security policy mandated that the device that performs the Internal Switching role must be physically separate from the device that performs the Perimeter Switching function. |
| S15 | Connectivity | Logical | S14 | To allow traffic to flow between the device that performs the Internal Switching role and the tiers in the Corporate Database zone. This segment services two zones, Corporate Database and Private SQL. It is a single LAN that has services that require single host-based security filters. |
| S16 | Security or Connectivity | Logical | S14 | To allow traffic to flow between the device that performs the Internal Switching role and the Corporate Management zone. |
| S17 | Security or Connectivity | Logical | S14 | To allow traffic to flow between the device that performs the Internal Switching role and the Corporate Infrastructure zone. This segment carries the typical client traffic to this zone and carries the certification and authentication traffic for the Perimeter Remote Access zone. This segment services two zones, Corporate Infrastructure and Corporate Access. It is a single LAN that has services that require single host-based security filters. |
| S18 | Security or Connectivity | Logical. The connection is between two devices that Contoso owns. It is required to minimize the number of devices to be managed in the enterprise. | S14 | To allow traffic to flow between the device that performs the Internal Switching role and the Corporate Internal Applications zone. |
| S19 | Security or Connectivity | Logical. The connection is between two devices that Contoso owns. It is required to minimize the number of devices to be managed in the enterprise. | S14 | To allow traffic to flow between the device that performs the Internal Switching role and the Corporate Web Services zone. |

Table 1. Network Segmentation Information for the CDC Scenario
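The Destination Segments column above is an adjacency list, and the policy statement in the S13 row (a dedicated stateful firewall must sit between the Perimeter and Internal zones) can be checked against it mechanically: the firewall is a real choke point only if removing its crossings disconnects the Public segment from every Internal segment. The following Python is an added example, not part of the WSSRA lab build; it assumes the adjacency exactly as the table lists it, treats S14 through S19 as the Internal side, and takes the S8, S12 and S13 rows at their word that their link to S14 runs through the Internal Firewall device.

```python
"""Added check (not WSSRA lab code): model the CDC segment table as a graph
and verify that the Internal Firewall Services device is a choke point."""
from collections import deque

# Neighbour lists copied from the Destination Segments column. The source lists
# are not perfectly symmetric (e.g. S4 names S2 but S2 does not name S4), so
# every listed pair is treated as an undirected edge.
DESTINATIONS = {
    "S1": ["S2", "S8", "S9"], "S2": ["S1", "S3"], "S3": ["S1", "S9"],
    "S4": ["S2", "S5", "S6", "S7"], "S5": ["S4", "S12"], "S6": ["S4", "S12"],
    "S7": ["S4", "S12"], "S8": ["S12", "S14"], "S9": ["S3", "S10", "S11", "S13"],
    "S10": ["S9", "S13"], "S11": ["S9", "S13"],
    "S12": ["S5", "S6", "S7", "S8", "S14"], "S13": ["S9", "S10", "S11", "S14"],
    "S14": ["S12", "S13", "S15", "S16", "S17", "S18", "S19"],
    "S15": ["S14"], "S16": ["S14"], "S17": ["S14"], "S18": ["S14"], "S19": ["S14"],
}
# Internal side: S14 is the Internal Switching segment, S15-S19 hang off it.
INTERNAL = {"S14", "S15", "S16", "S17", "S18", "S19"}
# Crossings owned by the Internal Firewall Services device, per the S8, S12
# and S13 rows (assumption: each row's link to S14 traverses that device).
INTERNAL_FIREWALL = {frozenset(e) for e in [("S8", "S14"), ("S12", "S14"), ("S13", "S14")]}


def build_graph(dests):
    """Return an undirected adjacency map from the (possibly asymmetric) lists."""
    graph = {seg: set() for seg in dests}
    for seg, neighbours in dests.items():
        for n in neighbours:
            graph[seg].add(n)
            graph.setdefault(n, set()).add(seg)
    return graph


def reachable(graph, start, blocked=frozenset()):
    """Breadth-first search from start that refuses to cross any blocked edge."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for n in graph[cur]:
            if n in seen or frozenset((cur, n)) in blocked:
                continue
            seen.add(n)
            queue.append(n)
    return seen


def firewall_is_chokepoint(dests, src, protected, firewall_edges):
    """True when no protected segment is reachable from src once the firewall
    crossings are removed, i.e. every path from src must traverse the firewall."""
    leak = reachable(build_graph(dests), src, firewall_edges) & protected
    return not leak


if __name__ == "__main__":
    print("Internal Firewall is a choke point:",
          firewall_is_chokepoint(DESTINATIONS, "S1", INTERNAL, INTERNAL_FIREWALL))
```

Dropping one crossing from the firewall set (for instance the S8 link) makes the check fail, which is how a design review would catch a segment wired around the firewall.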


Appendix B.6 Address Allocation Information for the CDC

This appendix provides details of the segments created as part of the CDC network architecture.

| Network Segment | Public or Private | Why Was the Choice Made? |
|---|---|---|
| S1 | Public | Border router needs to be accessible by a public address for Internet connectivity. |
| S2 | Public | Border public firewall should be accessible by a public address and attached to the border router. |
| S3 | Public | Border semi-trusted firewall needs to be accessible by a public address and attached to the border router. |
| S4 | Private | No direct routing to the Internet was necessary for these devices because they connect to the Internet through a NAT device (firewall). Private addressing was sufficient. |
| S5 | Private | Private segment was needed without direct public addressability. |
| S6 | Private | Private segment was needed without direct public addressability. |
| S7 | Private | Private segment was needed without direct public addressability. |
| S8 | Private | Private segment was needed without direct public addressability. |
| S9 | Private | No direct routing to the Internet was necessary for these devices because they connect to the Internet through a NAT device (firewall). Private addressing was sufficient. |
| S10 | Private | Private segment was needed without direct public addressability. |
| S11 | Private | Private segment was needed without direct public addressability. |
| S12 | Private | Private segment was needed without direct public addressability. |
| S13 | Private | Private segment was needed without direct public addressability. |
| S14 | Private | Private segment was needed without direct public addressability. |
| S15 | Private | Private segment was needed without direct public addressability. |
| S16 | Private | Private segment was needed without direct public addressability. |
| S17 | Private | Private segment was needed without direct public addressability. |
| S18 | Private | Private segment was needed without direct public addressability. |
| S19 | Private | Private segment was needed without direct public addressability. |

Table 1. Address Allocation Information for the CDC Scenario


Appendix B.7 Build Sequence Details

This appendix provides the detailed task sequence that was used to build the CDC and S