Phillip Windell
You don't do NAT for any of this. That is the last thing in the world you would want. Effectively you are just changing/adding subnets. Geography is totally irrelevant,...you handle Routing (*as* routing, not NAT) the same way as if the subnets were all in the same room. Geography and Line Technology (like MPLS) is completely irrelevant. Routing is still just routing.

I could offer more but lack too much information. Much of the details in your post don't really matter as far as I can tell. Basically the Layer 1, 2, & 3 Topology and the Subnetting scheme are the only thing that matters.

--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"AnthonyE" <(E-Mail Removed)> wrote in message news:b1347c7a-9749-4b39-ab14-(E-Mail Removed)...
> Hi Everyone,
>
> I request some help from the community about an architecture design that is a bit tricky. Our client desires to change his network infrastructure and he’s asking my company to validate the system side and potential consequences to it.
>
> CONTEXT:
> Today, his entire network is based on a private range (10.x.x.x). Two Datacenters host servers as Domain Controllers AD2003, DNS, Exchange and other services for the whole company. Users are separated in one big headquarters and 58 small offices. Each small office hosts a member server for DHCP, DNS caching, file sharing etc… The users on these small offices are authenticating directly to one of the 4 domain controllers located in the Datacenters. All sites (HQ, Datacenters and small offices) are interconnected by an MPLS network. So far, so good, everything works fine.
>
> But here we go: this company is part of a larger group and is requested to be part of the WAN network of the Group to connect their small offices to the Datacenters, in order to save cost, gain speed and increase security. This means changing IP ranges; the small offices will be migrated to the new range but the headquarters is too complicated to migrate so they will keep their private IP range (10.x.x.x) and NAT will be used to connect the Datacenters to the Group WAN network. This way, the small offices will use new IP addresses to access their business applications, the IP translation being done by Firewalls at the Datacenters. The private range 10.x.x.x will be unknown to the small sites and non-routable.
>
> For info, we will try to recommend to the client to add Firewalls at every small office to use NAT in order to keep the private IP range on each site, but due to the cost of 58 FWs this will probably be rejected. That would have resolved all our issues because the migration to the new network would have been totally transparent for the actual system infrastructure.
>
> PROBLEM:
> In this new situation, we know that business services like telnet, Intranet (web) won’t have any issue working through that NAT environment. But our concerns are about the DNS / Active Directory infrastructure now ‘hidden’ behind the NAT. All the servers in the Datacenters will have a corresponding and unique ‘external address’ on the new WAN cloud, known by the firewall for IP translation. But how will services like DNS and AD react behind the NAT? Indeed, by default, DNS, when requested, will send a resolved answer specifying the ‘private’ IP address of the searched host, instead of the external one, necessary for the small offices. Some firewalls like Cisco or apparently Checkpoint seem to offer functionalities such as DNS Doctoring, translating the IP inside the DNS response, but I would like to be sure this works in an AD/DNS environment. If not, what are the other options to make this work?
>
> Also, about Kerberos: once the small office desktops have the correct external IP address of a DC in the Datacenter, will they still be able to authenticate through the NAT? I didn’t read anything saying No, but haven’t read anything saying Yes either :-)
>
> So what do you think? Is there anyone with experience on such a case involving AD/DNS in a NAT environment? What are your suggestions?
>
> Thanks in advance.
> Anthony E.
Phillip Windell
Ok, I've got a little more time to look at this and think about it. The phone was ringing and people were wanting me right in the middle of my last post.

I can tell you up front I will be suggesting changes to your existing "working" setup, even if you don't think there is anything wrong with it, if I don't think it is optimal or suitable to add the extra functionality you want. I'll insert comments "along the way",...Continued...

"AnthonyE" <(E-Mail Removed)> wrote in message news:b1347c7a-9749-4b39-ab14-(E-Mail Removed)...
------------------------------------------
CONTEXT: Today, his entire network is based on a private range (10.x.x.x). Two Datacenters host servers as Domain Controllers AD2003, DNS, Exchange and other services for the whole company. Users are separated in one big headquarters and 58 small offices. Each small office hosts a member server for DHCP, DNS caching, file sharing etc… The users on these small offices are authenticating directly to one of the 4 domain controllers located in the Datacenters. All sites (HQ, Datacenters and small offices) are interconnected by an MPLS network.
-------------------------------------------
Ok. I need to know the real details of the 10.x.x.x. I cannot troubleshoot or "plan" things with x's. I need a list, or at least a partial list, of the sites with the Net ID they use and how they are connected (VPN, Private Leased Line, etc), and the Network relationship to the other sites and HQ (routed or NATed) so that I can have some kind of "map" to work from.

Then...before you even begin...your current existing system needs to be:

1. There should be a DC at each location (required for AD Sites).
2. Each location needs to be a different subnet (required for AD Sites).
3. Each location needs to be in a "routed" relationship to the other locations (required for AD Sites).
4. You need to make use of Active Directory Sites Objects in order to regulate the AD Replication over the WAN links. This means there will be at least one DC within each AD Site Object.
-------------------------------------------
But here we go: this company is part of a larger group and is requested to be part of the WAN network of the Group to connect their small offices to the Datacenters, in order to save cost, gain speed and increase security.
-------------------------------------------
Ok. "How" they get connected is the key.
-------------------------------------------
This means changing IP ranges; the small offices will be migrated to the new range but the headquarters is too complicated to migrate so they will keep their private IP range (10.x.x.x) and NAT will be used
-------------------------------------------
I see no reason at all to change IP Ranges. None at all.
-------------------------------------------
For info, we will try to recommend to the client to add Firewalls at every small office to use NAT in order to keep the private IP range on each site but due to the cost of 58 FWs, this will probably be
-------------------------------------------
Forget Firewalls and forget NAT. Answering "How" they are going to be connected will clarify how to deal with this.
-------------------------------------------
PROBLEM: In this new situation, we know that business services like telnet, Intranet (web) won’t have any issue working through that NAT environment. But our concerns are about the DNS / Active Directory infrastructure now ‘hidden’ behind the NAT.
-------------------------------------------
You can't use NAT.
-------------------------------------------
All the servers in the Datacenters will have a corresponding and unique ‘external address’ on the new WAN cloud, known by the firewall for IP translation. But how will services like DNS and AD react behind the NAT?
-------------------------------------------
They won't work with NAT involved. Even if someone suggests some "convoluted" way of involving NAT (and there probably is some convoluted way out there somewhere) I just won't go along with it. In that case they will just have to take over and I will drop out. I am only interested in doing things the correct, dependable, solid, flexible, scalable, and straight-forward way that will actually work the way it is supposed to when you are finished.

Anyway,...combined with the 4 points I mentioned above at the beginning as a foundation,...this is what I have in mind:

1. I am assuming for the moment that the sites are connected by Site-to-Site VPNs with dedicated VPN Devices or existing Firewalls that are capable of doing so. But if it is private leased Lines it is still handled the same way for the most part.

2. For Sites that are in the same Windows Domain you place a DC of that Domain at each site. The DC will be part of that AD Site Object which is determined by the Subnet. All DCs within a Forest (even with multiple domains) are already "aware" of each other's contents via the AD Replication that is handled by the AD Sites Object.

3. For Sites that are not part of the same Windows Domain you would have to set up a Zone Transfer between the Site's DC and a DC for the Domain(s) so that the DNS naming works properly across sites.

4. Local users' machines all use their own local DNS for their DNS and none other (that's critical). The local DCs then have their own ISP's DNS listed in the Forwarders List in the DNS MMC on their local DNS.

5. Routing. Sites of only one subnet will not have a LAN Router so the VPN Device will fulfill that Role. If the VPN Device is also the Firewall then the Firewall will fulfill that Role. So whatever fulfills that Role has to be the Default Gateway of all the local LAN's machines,...this device then needs to be smart enough to know what to do with traffic destined for the other Sites and also needs to know what to do with Internet traffic. If the role is handled all by a single Firewall/VPN device that should be almost automatic. If you are dealing with multiple devices then it is not all that hard, but it would be difficult for me to explain it without knowing all the details of what is going on,...I can't do it with a "blindfold" on.

6. Security/Access Controls. Access Control is handled by the central VPN Device (or Router when using leased Lines). The HQ will be the logical "center",..like a hub-spoke model, and will control what traffic can pass between Sites and between the Sites and the HQ itself. Each Site can also do some of the same things for their own individual location by using their own VPN Device in the same manner if they want,...but if they do it is up to them to do it right.

People are wanting me again,...I gotta go..

--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
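To make two points from this thread concrete (a client belongs to the AD Site whose subnet object matches it most specifically, which is why each location needs its own subnet; and DNS keeps handing out 10.x.x.x addresses that a renumbered branch can no longer route to), here is an added Python example that is not code from the thread or from either poster. The subnet objects, site names, DC host names and the 172.20.0.0/16 "Group WAN" range are constructed assumptions.

```python
import ipaddress

# Constructed sample AD subnet objects (subnet -> site); not from the thread.
SITE_SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.1.200.0/24": "HQ-Annex",      # more specific than 10.1.0.0/16
    "10.2.0.0/24": "Datacenter-1",
    "10.3.0.0/24": "Datacenter-2",
    "10.50.0.0/24": "Branch-50",
}

# Constructed A records a branch client would get for its DCs; names assumed.
DC_A_RECORDS = {
    "dc1.corp.example": "10.2.0.10",
    "dc2.corp.example": "10.3.0.10",
}


def site_for(client_ip, subnets=SITE_SUBNETS):
    """Map an address to its AD site the way AD Sites does: the subnet object
    with the longest matching prefix wins; None means no subnet covers it."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def unreachable_dcs(client_routes, a_records=DC_A_RECORDS):
    """Return DC names whose DNS answer lies outside every range the client
    can route to (sorted for a stable result)."""
    routable = [ipaddress.ip_network(r) for r in client_routes]
    return sorted(host for host, ip in a_records.items()
                  if not any(ipaddress.ip_address(ip) in net for net in routable))


if __name__ == "__main__":
    # Today: all of 10.x.x.x is routed over MPLS, so nothing is unreachable.
    print(unreachable_dcs(["10.0.0.0/8"]))                    # []
    # Proposed: branch renumbered into the assumed Group WAN range, 10.x.x.x
    # no longer routable, but DNS still answers with 10.x addresses.
    print(unreachable_dcs(["172.20.0.0/16"]))                 # both DCs
    # A renumbered client matches no subnet object, so it lands in no site.
    print(site_for("172.20.50.20"), site_for("10.1.200.5"))  # None HQ-Annex
```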
Bill Grant

I have a few general comments.

1. Although the current setup is not ideal, it works. The proposed scheme looks like a recipe for disaster.

2. NAT is a one-way address translation process. Either the branch machines can make connections to the data centre or the data centre machines can make connections to the branches (depending on which way you set up NAT). With NAT you can't do both. That should give you an indication of the effect NAT has on AD!

3. Who made the decision that it was too complicated to change the IP addressing scheme at headquarters? Was any evaluation done on the cost of doing so compared to the hare-brained scheme proposed to get around the problems caused by not doing so?
Phillip Windell

"Bill Grant" <not.available@online> wrote in message news:usDn$(E-Mail Removed)...
> 3. Who made the decision that it was too complicated to change the IP
> addressing scheme at headquarters? Was any evaluation done on the cost of
> doing so compared to the hare-brained scheme proposed to get around the
> problems caused by not doing so?

I don't even see a reason to re-address in the first place. Unless two or more Sites are using the same IP Range there is no reason to do so,...and there has been no indication that this is true.

--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------