Solved

Network move to remote site.

Posted on 2008-10-06
Last Modified: 2010-04-21
Hello,

I have just started working for a company (4 weeks ago) who are intent on storing their production servers off site. I don't have a problem with that, it's just the time-scale that worries me. It's in 5 days' time! The problem here is that the move should be fairly straightforward but I have some issues that need clarifying please, as my superiors think that the servers should be moved en masse and then switched back on! I disagreed and offered a piece-by-piece solution followed by rigorous testing of each component system before moving on.

We have a main site (let's call it Site A); this has multiple subnets 10.10.1.x & 10.10.10.x & 10.11.1.x WAP.
A firebox(1) sits on the LAN (this is the DHCP server as well) with an external address of 212.87.51.56 (internal address 10.10.1.254).
There are 2 DCs, DC1 & DC2, on the 10.10.1.x subnet.
There is an additional DC on the 10.10.3.x subnet for our counterparts in Asia (call it site C); this points at a gateway of 10.10.3.252, a VPN connector (through a firewall), and uses 10.10.1.9 as alternative DC.
Customers connect through the VPN connector allocated and use the terminal server on the DMZ at 212.87.51.49. There are other servers on this DMZ but don't need to discuss yet.


The ISP we are with supplies the Internet connection (call it site B) and we will be moving the kit to them anyway. We intend to retain the internal addresses of the kit we are moving (10.10.1.x) so in real terms we are just relocating it all by moving servers over with the current firebox(1) as well.
The company wants to create a VPN connection between Site A and B, which is probably the easy part - the ISP have no problem with that. However, the remaining servers that are still at site A are still addressed as 10.10.1.x subnets. All servers will eventually be moved to site B, as I want to make sure everything works before I move another bunch of hardware!

For site A the picture has now changed. I need to get an external address of (let's say) 212.87.50.56 (as the now-moved Exchange servers have their MX record pointing at 212.87.51.56), and the new firebox(2) should have a DHCP internal address range of 10.10.2.x and the servers resubnetted to that 10.10.2.x. The first to move (I think) are DC2, the FE & 2 BE mail servers, a terminal server for customers to connect to, and the current firebox1. This move allows users to connect to email through OWA and Asia (site C) to connect as normal using their Outlook clients through VPN.

What I need to do is get my head around the IP subnet structure and planning.
Currently users dial in through SSL VPN connection to Site A, I can easily transfer some of the config from the Firebox(1) to Firebox(2) with the new external address, to allow clients to connect as usual to site A, but I need to be able to create a route from firebox1 at site B to firebox 2 at site A.

        212.87.51.x   Site A ---VPN------ Internet -----VPN----- Site B 212.87.50.x
                        |                     |                     |
                        |                    VPN                    |
                        |                     |                     |
                        |               196.211.119.x               |
                        |                     |                     |
DMZ 212.85.40/29 ---- F/W 2                  F/W                  F/W 1 -- DMZ 212.87.51.40/29
                        |                     |                     |
          10.10.2.x  Internal              Internal 10.10.3x     Internal 10.10.1.x
                   Fileshares              Site C       Exchange+Term Servers etc
                       DC1                   DC3                   DC2

Need:
1. Need to enable a 2-way VPN tunnel from A to B. A VPN tunnel exists between A + C already. Users need
    to connect from C to B and C to A to connect to email and fileshares.
2. Re-subnet Site A servers to 10.10.2.x until moved; however, the DFS server is remaining on site A.
    Re-config the new firewall2 to route all IP to subnet 10.10.2.x.
3. Is it better to leave a DC on each site or move DC1 to site B as well?
4. All the DCs must be able to authenticate to each other (obviously!).
5. I need to be able to connect through a virtual KVM to site B to administer at console level. What is a
    fairly good IP switch to use?


Now bearing in mind I've just been handed this infrastructure with no input from anyone.. Am I being given a limited but doable task in such a short time?

Thanks,




Question by:Wheelsup
2 Comments
 

Accepted Solution

by:
ckozloski earned 125 total points
ID: 22652581
1. Need to enable a 2-way VPN tunnel from A to B. A VPN tunnel exists between A + C already. Users need to connect from C to B and C to A to connect to email and fileshares.
This should be easy enough to accomplish. I would set this up first and get it working with some test equipment behind it before moving anything. In order to do that though, you might consider using your 10.10.2.x on the side you are moving to instead of re-ip'ing your existing network. Another thing to keep in mind here is that you will need to make sure that you include all of your subnets in your protected ranges so that each of the three sites has the ability to talk to each other.

2. Re-subnet Site A servers to 10.10.2.x until moved; however, the DFS server is remaining on site A. Re-config the new firewall2 to route all IP to subnet 10.10.2.x.
Again, I would rather re-ip the servers at the new location they are moving to. This way you can set up test equipment on the new subnet and test all of your network functionality first. Once you move the servers, you can re-ip and make DNS changes as you see fit. This would also allow you to move in stages as you wished to do in the first place.

3. Is it better to leave a DC on each site or move DC1 to site B as well?
This really doesn't matter. The only thing that you really have to watch for is if you are using roaming profiles and redirected folders. Depending on your config, splitting up the servers could give you some slow login issues. Also, remember that the machines are going to authenticate to the first server they find. So some auths may hit Site A and some may hit the server at Site B. I would leave your GC at Site A and save them for last.

4. All the DCs must be able to authenticate to each other (obviously!).
As long as your tunnels are configured properly and your protected ranges allow for communication, this shouldn't be a problem.

5. I need to be able to connect through a virtual KVM to site B to administer at console level. What is a fairly good IP switch to use?

IP Switch or KVM switch?

As far as this being limited but doable... I don't think it's really limited or doable. You can still stage it and accomplish the task at hand. And you could accomplish this in a relatively short timeframe. Although, with any project like this, there will be some bumps in the road. Hope this helps.
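
The protected-range advice in the answer above, worked through as an added example that is not part of the original thread: a pre-move check that flags a subnet claimed at two sites and lists site pairs whose traffic no tunnel's protected ranges would carry. It assumes every "10.10.N.x" range is a /24 and a hub-and-spoke layout with Site A as the hub; the tunnel plans and all names are constructed for illustration.

```python
import ipaddress
from itertools import combinations, permutations

def net(cidr):
    return ipaddress.ip_network(cidr)

# Assumption: every "10.10.N.x" range in the post is a /24.
A, B, C = net("10.10.2.0/24"), net("10.10.1.0/24"), net("10.10.3.0/24")
PLANNED = {"A": [A], "B": [B], "C": [C]}
# Constructed interim state: Site A not yet re-addressed, Site B already live.
INTERIM = {"A": [net("10.10.1.0/24")], "B": [B], "C": [C]}

def overlaps(sites):
    """Site pairs that claim overlapping subnets; a tunnel cannot route between them."""
    found = []
    for (s1, nets1), (s2, nets2) in combinations(sorted(sites.items()), 2):
        found += [(s1, s2) for n1 in nets1 for n2 in nets2 if n1.overlaps(n2)]
    return found

def covered(network, ranges):
    return any(network.subnet_of(r) for r in ranges)

def unreachable(sites, tunnels):
    """Site pairs (src, dst) for which no chain of tunnels protects the flow."""
    missing = []
    for src, dst in permutations(sorted(sites), 2):
        for s_net in sites[src]:
            for d_net in sites[dst]:
                seen, todo = {src}, [src]
                while todo:  # walk tunnels hop by hop from the source site
                    here = todo.pop()
                    for t in tunnels:
                        if here not in t:
                            continue
                        peer = next(k for k in t if k != here)
                        if (peer not in seen and covered(s_net, t[here])
                                and covered(d_net, t[peer])):
                            seen.add(peer)
                            todo.append(peer)
                if dst not in seen and (src, dst) not in missing:
                    missing.append((src, dst))
    return missing

# Constructed plans: each tunnel maps a site to the protected ranges behind that end.
NARROW = [{"A": [A], "B": [B]}, {"A": [A], "C": [C]}]
HUB = [{"A": [A, C], "B": [B]}, {"A": [A, B], "C": [C]}]

if __name__ == "__main__":
    print("interim overlaps:", overlaps(INTERIM))
    print("narrow ranges, unreachable:", unreachable(PLANNED, NARROW))
    print("full ranges, unreachable:", unreachable(PLANNED, HUB))
```

With the narrow plan, Sites B and C cannot reach each other because neither tunnel lists the third site's subnet behind the hub; adding it on both tunnels closes the gap.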
Author Closing Comment

by:Wheelsup
ID: 31503401
Thanks for the info, I did the move. It turned out it was an attempt to get the kit off site before the official receiver comes as they announced that they were insolvent this morning. I was suckered there.