I have just started working for a company (4 weeks ago) who are intent on storing their production servers off site. I don't have a problem with that, it's just the time-scale that worries me. It's in 5 days' time! The problem here is that the move should be fairly straightforward, but I have some issues that need clarifying please, as my superiors think that the servers should be moved en masse and then switched back on! I disagreed and offered a piece-by-piece solution followed by rigorous testing of each component system before moving on.
We have a main site (let's call it Site A). This has multiple subnets: 10.10.1.x, 10.10.10.x and 10.11.1.x (WAP).
A firebox(1) sits on the LAN (this is the DHCP server as well) with an external address of 22.214.171.124 (internal Address 10.10.1.254).
There are 2 DCs, DC1 & DC2, on the 10.10.1.x subnet.
There is an additional DC on the 10.10.3.x subnet for our counterparts in Asia (call it Site C). This points at a gateway of 10.10.3.252, a VPN connector (through a firewall), and uses 10.10.1.9 as the alternative DC.
Customers connect through the allocated VPN connector and use the terminal server on the DMZ at 126.96.36.199. There are other servers on this DMZ but they don't need to be discussed yet.
The ISP we are with supplies the Internet connection (call it Site B) and we will be moving the kit to them anyway. We intend to retain the internal addresses of the kit we are moving (10.10.1.x), so in real terms we are just relocating it all by moving the servers over with the current firebox(1) as well.
The company wants to create a VPN connection between Site A and B which is probably the easy part - the ISP have no problem with that, however the remaining servers that are still at site A still are addressed as 10.10.1.x subnets. All servers will be eventually moved to site B as I want to make sure everything works before I move another bunch of hardware!
For Site A the picture has now changed. I need to get an external address of (let's say) 188.8.131.52, as the now-moved Exchange servers have their MX record pointing at 184.108.40.206, and the new firebox(2) should have a DHCP internal address range of 10.10.2.x, with the servers re-subnetted to that 10.10.2.x. The first to move (I think) are DC2, the FE & 2 BE mail servers, a terminal server for customers to connect to, and the current firebox1. This move allows users to connect to email through OWA and Asia (Site C) to connect as normal using their Outlook clients through VPN.
What I need to do is get my head around the IP subnet structure and planning.
Currently users dial in through an SSL VPN connection to Site A. I can easily transfer some of the config from Firebox(1) to Firebox(2) with the new external address, to allow clients to connect as usual to Site A, but I need to be able to create a route from firebox1 at Site B to firebox2 at Site A.
    212.87.51.x Site A ---VPN------Internet-----VPN----- Site B 212.87.50.x
            |                         |                        |
            |                        VPN                       |
            |                         |                        |
            |                   196.211.119.x                  |
            |                         |                        |
    DMZ 212.85.40/29 ---- F/W 2      F/W               F/W 1 -- DMZ 220.127.116.11/29
            |                         |                        |
      10.10.2.x Internal      Internal 10.10.3x        Internal 10.10.1.x
      Fileshares              Site C                   Exchange+Term Servers etc
      DC1                     DC3                      DC2
1. Need to enable a 2-way VPN tunnel from A to B. A VPN tunnel exists between A + C already. Users need to connect from C to B and C to A to connect to email and fileshares.
2. Re-subnet Site A servers to 10.10.2.x until moved; however, the DFS server is remaining on Site A. Re-config the new firewall2 to route all IP to subnet 10.10.2.x.
3. Is it better to leave a DC on each site or move DC1 to Site B as well?
4. All the DCs must be able to authenticate to each other (obviously!).
5. I need to be able to connect through a virtual KVM to Site B to administer at console level. What is a fairly good IP switch to use?
Now, bearing in mind I've just been handed this infrastructure with no input from anyone, am I being given a limited but doable task in such a short time?
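As an added example (not part of the original post), the subnet and route planning the question asks about, sketched in Python: it checks that the three sites' internal ranges do not overlap (the reason Site A has to be re-subnetted to 10.10.2.x before the A-B tunnel comes up), derives the remote routes each firewall needs to push into its tunnels, and checks that the firebox2 DHCP pool does not collide with statically addressed servers. The /24 masks, the pool range and the sample server addresses are assumptions; the post only gives third octets.

```python
import ipaddress
from itertools import combinations

# Internal subnets per site after the first move, as described in the post.
# /24 masks are an assumption: the post only gives the third octet.
SITE_LANS = {
    "A": ["10.10.2.0/24"],   # re-subnetted servers behind firebox2
    "B": ["10.10.1.0/24"],   # moved kit keeps 10.10.1.x behind firebox1
    "C": ["10.10.3.0/24"],   # Asia DC behind its own VPN gateway
}

# Tunnels: A-C exists already, A-B is being built, C-B is needed for mail (item 1).
TUNNELS = [("A", "C"), ("A", "B"), ("C", "B")]


def overlapping_subnets(site_lans):
    """Return (net, net) pairs from different sites that overlap.
    Any overlap makes the tunnel routes ambiguous, so it must be empty."""
    nets = [(site, ipaddress.ip_network(n))
            for site, lans in site_lans.items() for n in lans]
    return [(str(a), str(b)) for (sa, a), (sb, b) in combinations(nets, 2)
            if sa != sb and a.overlaps(b)]


def tunnel_routes(site_lans, tunnels):
    """For each site's firewall, the remote subnets it must route into a tunnel."""
    routes = {}
    for a, b in tunnels:
        routes.setdefault(a, set()).update(site_lans[b])
        routes.setdefault(b, set()).update(site_lans[a])
    return {site: sorted(r, key=ipaddress.ip_network) for site, r in routes.items()}


def dhcp_pool_collisions(pool_start, pool_end, server_addresses):
    """Statically addressed servers that fall inside the DHCP pool (should be none)."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return [s for s in server_addresses if lo <= ipaddress.ip_address(s) <= hi]


if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(SITE_LANS))
    for site, nets in tunnel_routes(SITE_LANS, TUNNELS).items():
        print(f"firewall at site {site} routes {nets} into its tunnels")
    # Constructed sample: pool .100-.200, one server wrongly placed inside it.
    print("pool collisions:", dhcp_pool_collisions(
        "10.10.2.100", "10.10.2.200", ["10.10.2.10", "10.10.2.150"]))
```

Running the same checks with Site A left on 10.10.1.x (the "move it all and switch it on" plan) reports the A/B overlap, which is the concrete reason item 2 has to happen before item 1.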