Solved

Network design for 50 branch offices

Posted on 2012-03-24
25
1,148 Views
Last Modified: 2012-03-27
I need to connect 50 branch offices to my Head office. All of those branch offices will have an IP MPLS connection in place, which is unmanaged. Most of the branch offices have their own remote offices, which also need to be connected, but are not having MPLS.

In total, there needs to be arround 300 locations which needs to have connectivity to main offices Application servers to reach either web services or web applications.

On top of that, I need to provide VPN remote access server for additional 300 pharmacies, which will also need access to web services application servers.

I have vSphere infrastructure in place in Main Office, and IP MPLS connection, plus direct symmetric Internet connection. I have a CISCO 2811 router, and a CISCO ASA 5505.

I would appreciate some advice about following:

1. How to design IP addressing scheme, since every workstation needs to be uniquely identifiable to Main office. As addition to that, in the main office Application servers need to be on a separate network, from the others?

2. How to connect remote locations to branch offices?

3. What would be the best solution for external access from pharmacies via VPN remote access?

4.  Any idea how to size up the bandwidth for leased lines and MPLS connections on branch offices and Head office?

5. What would be good solution for endpoint security?
0
Comment
Question by:slakic
  • 13
  • 7
  • 3
  • +2
25 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 37761162
-->  .... pharmacies ....

Um, do you need to worry about HIPPA?

--> 4. Any idea how to size up the bandwidth for leased lines and MPLS connections on branch offices and Head office?

You need to understand what they are doing.  Figure out what the minimum bandwidth needed to do their required functions and then add a bit of overhead.

Are all locations in the same country?  If so, with so many locations, I would work with major vendor networking vendor that can supply the connections to all sites and provide a VPN solution.
0
 
LVL 10

Expert Comment

by:Netty
ID: 37762021
Maybe you'd better contact the system integrator?
0
 
LVL 6

Author Comment

by:slakic
ID: 37764529
Maybe I need to clarify this a bit,

This project is still in very early phase, so I need some general ideas for solutions.
I am the person who needs to make decision of general direction in which all of this would be made.

One of the main limiting factors is of course the budget, and working with major vendor would be too expensive, and would create dependency, which is something we would like to avoid.
0
 
LVL 10

Expert Comment

by:mat1458
ID: 37764532
As you see in the first post your questions raise other questions. In my opinion you definitly should look for professional help since the design of a 50 node network with remote access for 300+ users is not easily done with a few questions in a forum.

Your hardware is not ready for the amount of traffic you have to expect. There must be a good analysis of all applications you want to run in your network. The daily traffic patterns have to be studied. The sizing of the network bandwidth is dependent on the expectations you/your company has in terms of price/availability. Existing hardware/software at your offices and the pharmacies have to be taken in account.

So you see there is a lot of questions that have to be answered and that's not easily done in a forum. I am pretty sure that you won't be happy with your network if you build it that way because people in the forum do not have the full picture of your situation. A consultant or an integrator company has the expertise to ask the right questions at the right time.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37765096
To help you with your objectives, a few things need to be answered first.

1) How many total branch offices?
Current number is 300, correct?  I assume this number could grow, and if so how much more?  When you architect your network infrastructure you need to plan for current and future needs.

2) Approximately, how many users per branch office?  

3) How many users at the corporate/main office?

4) Estimate how many total internal users and network devices (as well as types thin clients, workstations, printers, VOIP phones, etc...) that you will be supporting?

When defining these numbers always factor in current and future growth.

5) Will the pharmacies be accessing application other than web based applications such as in house or third-party thick-client type application?

If so, I would highly recommend a Citrix XenApp and possible XenDesktop environment where applicable.  A Citrix solution would help you in many ways and eliminate the need for VPN.  You would be able to internal and externally (via Citrix Netscaler or Citrix Access Gateway) provide access to any device (thin clients, PCs, MACs, iPADs, etc...).  

In my environment, you could affectively take a thin client, that's configured in the office, home and plug into a network with an Internet connection and access our Citrix environment over SSL as if you were in the office.  The only difference is how you are prompted for username and password.  Otherwise, it's very harmonious, flexible/dynamic, environment that has greatly simplified how users of any type access published Citrix XenApp (with Microsoft App-V application streaming) and/or XenDesktop resources.  The s

This
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37765101
FYI...  The Citrix solution conforms to HIPPA standards.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37765285
Additional questions:

What infrastructure technologies are you supporting?

1) Window 2008 R2 Active Directory or other
2) Microsoft Exchange 2010 or other
3) File Server(s) and windows file server version, and are you using DFS or DFSR technologies or not?
3) VMware (what version 3.x, 4.x, 5.x Standard, Enterprise, etc...)
4) SAN, NAS, etc... (how many TBs?). Also, what storage connectivity are you usingiSCSI, FC, FCOE, or direct attached?
5) Blade Center and/ or Server infrastructure (Brand/ Model - HP, Dell, IBM, etc..) what's being used for VMware?
6) do you have a DR site or secondary site for data replication?
7) What brand and model are your core switches and routers?  Are you supporting any 10Gb technology?
8) what is your current network topology?
9) VLAN usage/structure for main office and remote sites?
10) How many MPLS remote sites and how many piont-to-point sites?
11) What resources, if any, do you plan to have at your remote Branch offices (AD, File, Print, DHCP, DNS, WINS, etc...)?
12) What type of traffic is expected to run between the Main and Branch offices?

FYI.... For an IP addressing scheme I have always used 10.SITE.VLAN.HOST structure (which I picked up as a Cisco Network Consultant many years ago) and then a 10.0.SITE.HOST for router infrastructure between sites.  Given your initial count of remote offices (300) neither of these structures will be a good fit.  Once you answer some of the questions then we can see how we can adjust it to scale for your environment.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37765302
Since you have remote sites connecting directly to Branch Offices and the back to the Msin office, what resources are they connecting to the Branch office to receive.  A network diagram would great to have to help better layout the network, resources, and technologies.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37765344
Sorry for all the questions and other details, but it helps to get a better understanding.  

Another question:

How is your Active Directory Architected?  (Site(s), Forest(s), AD domain(s)/sub-domain(s), Trust relationships, etc... given the topology)?

I just need a high level view of your AD topology.. I just need to get a rough idea.

Your current Internet connection is fir how many users and what bandwidth?

The unmanaged MPLS for Branch offices is private to connect directly to the Main Office or goes to the Internet for each site?

I recommend to centralize as much resources as possible at the Main Office in order to better control your costs and simplify your management of your supported technologies.
0
 
LVL 6

Author Comment

by:slakic
ID: 37765356
Thanks gsmartin,

Here are some answers

1) Window 2008 R2 Active Directory or other
I have windows 2008 RS Active directory in the main office, and only one branch office, and they both are two difrerent domain forests.
2) Microsoft Exchange 2010 or other
There is no any MS Exchange server in place at the moment, but, at some point in the future, I would like to have it all integrated into one system.
3) File Server(s) and windows file server version, and are you using DFS or DFSR technologies or not?
File servers are strictly local, and probably, if there is any need for centralized file server, it would be in the main office, but the intended use of files servers is limited.
3) VMware (what version 3.x, 4.x, 5.x Standard, Enterprise, etc...)
There´s vSphere v.4.1 Enterprise infrastructure in place on HP c3000 blade system on 3 BL465c G6 hosts. This will probably be upgraded to 5.0.
4) SAN, NAS, etc... (how many TBs?). Also, what storage connectivity are you usingiSCSI, FC, FCOE, or direct attached?
HP MSA2312fc fibre channel storage with 4 TB
5) Blade Center and/ or Server infrastructure (Brand/ Model - HP, Dell, IBM, etc..) what's being used for VMware?
See under No.3
6) do you have a DR site or secondary site for data replication?
DR site in place with One server hosted in a DataCenter. VMWare ESXi 5.0 installed on it and Windows 2008 R2 database server replication with database production server, and file server, connected over the IPSEC site-to-site VPN.
7) What brand and model are your core switches and routers?  Are you supporting any 10Gb technology?
Currently we only have CISCO 2690 and CISCO 2811 for the core equipment
8) what is your current network topology?
network topology is non existing at the moment, apart from the network in the main office, and standalone networks in the branch offices. There are couple of the offices connected over IPsec VPN tunnels, but with basic routing and ACL´s in place.
9) VLAN usage/structure for main office and remote sites?
There isn’t any VLAN configurations
10) How many MPLS remote sites and how many piont-to-point sites?
There should be arrount 55 MPLS remote sites, and arround 10 point to point sites
11) What resources, if any, do you plan to have at your remote Branch offices (AD, File, Print, DHCP, DNS, WINS, etc...)?
There shouldn’t be any of such services present on the branch offices, they should be at the best be able do authenticate at the AD DC’s at the branch offices.
12) What type of traffic is expected to run between the Main and Branch offices?
We are expecting mainly web traffic, either to access web based applications, or web services on the main office. There should be some SQL replication traffic as well
0
 
LVL 6

Author Comment

by:slakic
ID: 37765362
One correction

There shouldn’t be any of such services present on the remote branch offices, they should be at the best be able do authenticate at the AD DC’s at the branch offices.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37765449
I apologize for getting ahead of myself in some of my questions.  

What is the requirement for having remote offices connect to the Branch Offices vs all directly connect to the main office?  If you don't have this currently in place as well as the resources they will be connecting to then I would suggest all site to connect directly to the main office, unless you have a specific need to do otherwise; for better control and easier and management of Technologies and resources.  

For End-point Security, I recently switched off of Cisco ASA and McAfee Secure Firewall (Secure Computings SideWinder) to Palo Alto Networks, which is the pioneer of the Next Generation Firewalls; using App-ID, Content-ID, and User-ID filtering vs traditional UTM solutions.  It also provides in-depth Layer 7 Anti-virus/Malware, URL Content/Application filtering, IPS, VPN, and many other capabilities.  Pali Alto Networks is on the forefront of NG Firewalls, which was founded by an ex-CheckPoint and Juniper UTM Firewall developer, among other things.  He has an extensive background beyond those companies.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 57

Expert Comment

by:giltjr
ID: 37765474
gsmartin has some great questions and points.

Assuming your application is not web based, Citrix would be a great solution.  As he pointed out, it meets HIPPA requirements, allows secure remote access from just about anywhere, and typically requires very little network bandwidth.  

Citrix does typically require higher performing servers.  But that is the trend these days.  Consolidate and virtualize on bigger servers that can share resources easier and better.  In the end it less expensive.
 

Just a few quick points while I review the recent posts

--> One of the main limiting factors is of course the budget, and working with major vendor would be too expensive .....

It only seems expensive.  Unless you have the expertise in-house, in the long run it will be cheaper.  You have no clue how expensive this could get if proper planning is not done and you have to redo it two or three times.

-->  and would create dependency, which is something we would like to avoid.

It's only a dependency if you don't get proper hand off and you don't understand everything about the solution.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37765477
So, the remote office authenticated to AD from the Branch Office and then?  What resources do they need to access and where?
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37765553
Based in your answers, I am assuming users have their individual workstations with some locally installed applications such as Microsoft Office and then they access your production web applications from where ever they are located?  If so, how is the local hardware and software managed?  

Sorry, I am going off on a tangent about centralizing resources and management.  I just spent the last three years plus re-doing my entire infrastructure from the ground up.  

Since you may have systems current managed locally at each site you can slowly bring things in, but it truly depends on your budget.

Do you have a rough idea what your budget is?   How much, if you don't mind saying?
0
 
LVL 6

Author Comment

by:slakic
ID: 37765751
As I said, the project is still in very early phase,

For branch offices and remote branch offices, local administration would be done by local administrator, but on the low level. Their main business app is now desktop based, and it is the same at the every branch office.

The plan is to replace that desktop application with web based one, which would run on the application server (Microsoft IIS) in the Head office location.

We need to come up with the solution to make that server accessible to every location in the system, preferably via secured connections. That's why we were thinking about MPLS. But even if we connect all branch offices, the MPLS in the remote branch offices is out of the question because of the cost/benefit ratio (i'm coming from the country with poorly developed infrastructure, and unreasonable prices of such things), so probably we will have to find a solution to have remote branch offices connected to branch offices via local VPN network, preferably some open source solutiona (like OpenVPN).

We are at the phase where we need to get a rough idea about the budget, and act accordingly.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 37766049
Can we choose terms instead of "branch offices" and "remote branch offices"?

A branch office is by definition remote, so saying "remote branch office" is a bit redundant and is getting me confused.

Can we say "tier 1 remote" and "tier 2 remote"?

Can you then define the requirments of each tier?  Something like:

Tier 1 would have more users, may need access multiple applications, need access to non-web based applications, need higher bandwidth requirements, and possible a more secure connection.

Tier 2 would have few users, only need access to web based applications, need low bandwidth requirements and HTTPS provides all the security needed.

Tier 1 I would assume would be the 50 locations you are talking about.
Tier 2 I would assume would be the 300 locations you are talking about.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37768531
It sounds like the issue you have is high Telco costs, and given the costs you are trying to come up with ways to go around the high prices.

Since all sites need to access the web application you can leverage a secured connection such as SSL encryption with Username/Password protection.  Could this work for you or do you require a higher degree of security?  You won't get much more with VPN. This is not much different than using Citrix with SSL over an Access Gateway.  Going this direction may reduce your need for MPLS or point-to-point unless you want to better security for the sites and control by internalizing all there traffic and resources?    Using SSL would be the cheapest and simpliest solution; and doesn't require the difficults of managing VPN networks.  

I personally, prefer more control over the entire network infrastructure and I would go toward centralizing as much as possible.

Otherwise, if you prefer the MPLS and point-to-point route couldn't the remote offices connect via VPN directly to the main office vs directly to the Branch Offices?
0
 
LVL 6

Author Comment

by:slakic
ID: 37768666
I thinik it would be useful to refer to these offices as Tier 1 and Tier 2 to avoid confusion.

My initial plan was to have all Tier 1 offices connected through MPLS, and all Tier 2 offices concentrated on the central VPN server (I was thinking about OpenVPN Access Server, which is $5 per concurrent connection).

I believe it will handle 300 connections easily.

Now, Tier 1 remote would have more users and hosts, and Tier 2 remote would in most cases be just a couple of hosts and maybe 5-6 users.

To avoid spreading too much micro administration, I was planning to centralize as much of the administration as I could, and with OpenVPN Access server in place, that would move things in that direction.

My only concern in this scenario would be endpoint security.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37768721
"My only concern in this scenario would be endpoint security."  

In what sense?  What are your questions on End point Security?
0
 
LVL 6

Author Comment

by:slakic
ID: 37770030
Well mostly I am concerned about the number of hosts accessing through VPN, I need to have some way to force certain security standards.

But the most important concern would be eventual bandwidth clutter, if I get a number of hosts infected with a virus which would broadcast on VPN interface, even if I block that traffic at the VPN server, I still have bandwidth usage to deal with.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37773236
Providing VPN connectivity for various parts of your organization can be managed, isolated, and controlled to prevent out-breaks.  Unfortunately, it may be impossible to prevent 100% of Viruses, Trojans, worms, malware, spyware, etc… from infiltrating your network.  However, it's imperative to implement preventative measures in protecting your company.  

Anti-Virus/Anti-Malware Security Measures:

1)      Host (Client/Server): Real-time Anti-virus/Anti-Malware scanning

Note:  Use a different scanning engine vendor than engine used on your End-point filtering appliance.

2)      End-Point (Firewall/Content Filter): Implement Reputable Next-Generation Firewall with Anti-virus/Anti-Malware scanning to protect against Web 2.0 vulnerabilities.

Note: Recommendation Palo Alto Networks (PAN) Next-Gen Firewall.  PAN Firewall enables you to see and control application, content, and user traffic; providing better visibility and management/control.  

3)      E-Mail Protection: Implement either an internal mail filtering appliance or External filtering service (i.e. Microsoft Online Hosted Filtering or Google's Postini) too actively due real-time anti-virus/Anti-malware scanning.  

Note: Recommendation is to not waste internal resources in supporting an internal solution best to outsource this task.

4)      Restrict non-company laptops and other devices from accessing the network at all times through company policies and other internal security measures.

5)      Restrict, manage, and monitor USB removable storage devices from accessing systems through GPO settings and other means (i.e. Trigeo, etc...)

6)      Don’t allow iPhones, iPads, Android devices, and other misc mobile devices on the inside of your network.  If you provide them Wi-Fi access it’s recommend to either put them on isolated VLANs with strict ACLs (allowing Internet Access only) or on Guest Wi-Fi and placed outside of your network or off of the DMZ of your Firewall.

These are all important measure to reduce the risk of Viruses, Trojans, worms, malware, spyware, from infiltrating or infecting your internal network.
0
 
LVL 8

Accepted Solution

by:
gsmartin earned 500 total points
ID: 37773355
"Well mostly I am concerned about the number of hosts accessing through VPN, I need to have some way to force certain security standards."

Palto Alto Networks has a licensed feature that you can add called Global Protect, which has features like SSL-VPN Secure Remote Access, Stop threats and unauthorized file/data transfer, Secure Application Enablement, and more that will most likely address your End-Point Security Standards and concerns.

SSL-VPN Secure Remote Access
GlobalProtect enables remote users to access the corporate network by automatically establishing either an SSL or IPSec-based VPN connection depending on location and configuration. The remote access connection is authenticated through one of several mechanisms (local DB, RADIUS, LDAP, Active Directory and Smartcards) and once the secure remote connection is established, users are protected by the same security policies as corporate users.

Secure Application Enablement
The increased visibility into applications, users and content can help simplify the task of determining which applications are traversing the network, who is using them, the potential security risk. Armed with these data points, administrators can apply secure enablement policies with a range of responses that are more fine-grained than the traditional allow or deny.

Balancing protection and enablement with fine-grained policy enforcement.
  Allow or deny
  Allow based on schedule, users, or groups
  Apply traffic shaping through QoS
  Allow certain application functions such as file transfer within instant messaging
  Allow, but scan for viruses and other threats
  Decrypt and inspect
  Apply policy-based forwarding
  Any combination of the above


Palo Alto Networks Firewall Features:
  Application Visibility
  Decryption
  Policy Control
  Device Management
  GlobalProtect
  App-ID
  User-ID
  Content-ID
  IPS
  Antivirus
  Modern Malware Protection
  Data Filtering
  URL Filtering
  Networking
  VPN
  Virtual Systems
  Redundancy & Resiliency
  Centralized Management

http://www.paloaltonetworks.com/products/index.html
http://www.paloaltonetworks.com/products/features/globalprotect.html
http://www.paloaltonetworks.com/products/features/policy-control.html
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37773403
"But the most important concern would be eventual bandwidth clutter, if I get a number of hosts infected with a virus which would broadcast on VPN interface, even if I block that traffic at the VPN server, I still have bandwidth usage to deal with."

What options do you have for Internet Bandwidth?

Your problem with VPN is that you are enabling various traffic to flow between the sites.  This is no different then when using MPLS.  Now, if you only allow them to access the web application over SSL then you significantly reduce the bandwidth consumption.  You can allow VPN to pass-through on select service ports to help reduce the risk of an out-break.  If you allow all ports then you run the risk of opening yourself up to high bandwidth consumption,  virus out breaks, and many other things.  Only provide them with the resources/service ports they need and block all unnecessary miscellaneous traffic (firewall ports/services) .
0
 
LVL 6

Author Closing Comment

by:slakic
ID: 37775181
Thanks gsmartin,

you provided me with more than enough information to start with planning, which was my original idea with this question.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now