As an Information Technology analyst, I am mandated to provide a network solution for XYZ LLC. The proposed network will ensure high connectivity, secure access and scalability for future expansion. WAN connectivity is already in place, with ample bandwidth to deliver excellent connectivity.
PROPOSED SOLUTION
A business's competitive edge lies in its ability to develop a regional and global presence while offering and maintaining services at par with or better than those of its rivals. In an attempt to control a larger share of the solar panel manufacturing and distribution market, XYZ has three branches: Los Angeles, Dallas and Houston. Remote users in Los Angeles need to relay near real-time information to the offices in Houston with ease. The same applies to members of the executive and management who need to communicate managerial decisions to the branches without much travelling; this can be done through teleconferencing or other relevant media. In the same context, circulars and directives from headquarters need to be relayed to every branch office at the same time so that strategic plans can be implemented quickly and the business can gain a competitive advantage. The medium of communication is the paramount consideration for the success of any company, with the major determinants being speed, location and security.
The success of a corporate business lies in its corporate network. The efficiency of a corporate network is measured by its support for the traditional business determinants. These determinants, voice and data together with newer trends such as videoconferencing, dictate how far the business can go in its quest for regional and global dominance.
This proposal is based on the Windows Server 2012 operating system, and any feature proposed should be tailored to a Windows Server 2012 implementation. Not all branches will be managed in the same manner. Houston and Dallas hold the main staff, while sales personnel will be located in Los Angeles. Each of the three locations will therefore require different IT resources and policies to manage itself effectively, and a solution that caters for them all is necessary. For example, sales personnel in Los Angeles need to relay information to, and access resources from, the Houston branch seamlessly. At the same time, Houston holds critical information such as patents and copyrights, which are critical to business success.
In this respect, I recommend a Virtual Private Network. A VPN for XYZ will allow employees and the organization's management to connect seamlessly to the headquarters. They will then be able to access a pool of network resources that could not otherwise be accessed. A VPN solution is accessed via the Internet and is highly secured, allowing an organization to carry out its business operations without worrying about security. In this proposal, the following concepts will be considered in respect of the VPN.
DNS configuration
Configuring DNS is one of the basic steps in setting up a VPN for XYZ. DNS configuration will go hand in hand with other important features such as Active Directory and server roles, among others. The DNS configuration for XYZ is proposed to be http://(branchname)/xyz.org. A domain name needs to be specified, and it will also serve as the name of the forest. If the name of the server is XYZ server, the domain name will be something like SERVER-XYZ.SE. An IPv6 name resolution mechanism is adopted to provision the server address on the VPN client side, using either DNS-based or Windows-based mechanisms. IP addresses will be allocated to the DNS servers on the VPN client side using static configuration. However, a dynamic technique could be adopted so that the handshake can be dynamically allocated through IKEv2-based virtual reconnection.
Active Directory Controls
Preceding versions of Windows Server exhibited some issues with respect to file access, multiple server access and overall network performance. Windows Server 2008 became unbearably slow when accessed by multiple clients at the same instant. This impacted file transfer and critical backup functionality, especially when a file was unexpectedly detached from multiple servers at the same time. An Active Directory site topology represents users in physical sites on a per-forest basis. Using the network connection data, it generates connection objects that provide important replication and fault tolerance schemes. The primary channel of communication in Active Directory starts with users located in the same site. Site links are handy for connecting networks with low bandwidth or unreliable network connections.
Implementing Active Directory on a Windows Server 2012 VPN solves these issues, as network administrators have an enhanced capacity to monitor all network components, including remote users, mobile users, on-site access and printer sharing.
Active Directory is a top-to-bottom hierarchical model with a forest at the top. The forest comprises all the computing resources utilized by an organization for day-to-day operation. Just below the forest are domains, which comprise all the organizational elements into which users and their resources are grouped. In the context of XYZ, these are the departmental units (sales, production, R&D, marketing) in the three locations: Houston, Dallas and Los Angeles. Three domains are derived from the XYZ network: Houston, Dallas and Los Angeles respectively. VPN deployment in Windows Server 2012 introduces three technologies that make it easy to manage active domains.
DFS Namespace
This is a technique by which a network administrator arranges publicly shared folders on different servers into a single logical entity. This entity is viewable to users as a single folder with multiple subfolders. Windows Server 2012 has introduced Windows PowerShell cmdlets for the management of DFS namespaces.
The namespace can contain millions of files sourced from different servers and locations. It operates in such a manner that when a user searches for a file in the namespace, DFS Namespace locates the file on its source server and directs the user to that server to retrieve it. For remote users, the namespace has site-awareness functionality that learns which site users access from and directs personnel to where the company resources are, through DirectAccess.
DFS Replication
Replication is a mechanism that efficiently multiplies folders across multiple locations and sites. Its advantage is that it delivers data uniformity across the entire organization: any change made at a single location is repeated across all servers. It is therefore recommended that backup be conducted at a single point, probably at the headquarters in Houston.
When a file's content is changed slightly, DFS automatically detects the change and updates only the changed content using the Remote Differential Compression method. Windows Server 2012 has a data deduplication mechanism that functions in parallel with DFS Replication, reducing storage requirements without affecting it. Human resource personnel who, for instance, add, delete or modify employee particulars will have all the changes effected on all the servers without exhausting storage or impairing DFS functionality. There is no loss of data when one server fails, since Windows Server 2012 creates fault tolerance on other servers such that even if a server is dysfunctional, files located in virtual namespaces as well as those on the network are unaffected. Through Remote Differential Compression, bandwidth lag is eliminated. Servers located in a single branch will appear local to that branch, while the rest appear to users at their locations in the same manner. In order to conserve bandwidth, only data that has been altered is replicated, while the rest maintains its state.
For XYZ, a geographically based domain structure with two master domains is created. One will serve Houston while the other will handle Dallas; Los Angeles will connect to the Houston headquarters. XYZ has two namespaces, xyz.com and xyz.net. Local domains located in one state use xyz.net, while the international domain uses xyz.com. The top-level placeholder domains are dallas.xyz.net and houston.xyz.com, and they control domain user accounts, corporate resources and groups. Los Angeles is located under the Houston domain. Network traffic generated by AD replication from the forest root should be replicated without impacting bandwidth. Thus, routers are configured together with DNS, domain controllers and the relevant registry keys.
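The namespace and folder layout described in the DFS sections above, as an added example that is not part of the proposal: it uses the DFSN cmdlets shipped with Windows Server 2012 to publish one logical root with a Houston and a Dallas target for every departmental folder. The server names HOU-FS01 and DAL-FS01 and the share names are assumptions; the shares themselves must already exist.

```powershell
# Added example (not from the proposal): builds a domain-based DFS namespace for XYZ
# with the DFSN cmdlets that Windows Server 2012 ships with. Server names HOU-FS01
# and DAL-FS01 and the share names are hypothetical.
Import-Module DFSN

$Domain    = 'houston.xyz.com'      # domain named in the proposal
$Root      = "\\$Domain\Corp"       # the single logical entry point users see
$HouServer = 'HOU-FS01'             # hypothetical Houston file server (primary)
$DalServer = 'DAL-FS01'             # hypothetical Dallas file server (failover)

# 1. Namespace root, hosted on both servers so the root survives one server failing.
New-DfsnRoot -Path $Root -TargetPath "\\$HouServer\CorpRoot" -Type DomainV2 | Out-Null
New-DfsnRootTarget -Path $Root -TargetPath "\\$DalServer\CorpRoot" | Out-Null

# Access-based enumeration hides folders a user has no NTFS rights to, so sales staff
# in Los Angeles never even see the R&D folder that holds patent material. Site costing
# makes a client prefer the target in its own AD site.
Set-DfsnRoot -Path $Root -EnableAccessBasedEnumeration $true -EnableSiteCosting $true

# 2. One folder per department, each with a Houston and a Dallas target.
$Folders = 'Sales', 'Production', 'RnD', 'Marketing'   # departments in the proposal
foreach ($f in $Folders) {
    New-DfsnFolder       -Path "$Root\$f" -TargetPath "\\$HouServer\$f" | Out-Null
    New-DfsnFolderTarget -Path "$Root\$f" -TargetPath "\\$DalServer\$f" | Out-Null
}

# 3. Verify: every folder should list two targets, both in state Online.
Get-DfsnFolder -Path "$Root\*" |
    ForEach-Object { Get-DfsnFolderTarget -Path $_.Path } |
    Select-Object Path, TargetPath, State |
    Format-Table -AutoSize
```

Keeping the two targets of each folder in sync is DFS Replication's job; on Windows Server 2012 that is configured from the DFS Management console or dfsradmin.exe, since the DFSR PowerShell module only arrived with Windows Server 2012 R2.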
Group Policy
Group file policy in a Windows Server 2012 based VPN is achieved through Group Policy Preferences. The configurations are handled by the network administrator and assign computer resources to users. Remote users are assigned a group policy such that they can only access the network by logging on through their groups. Group policies are managed by administrators and accessed via Group Policy and Group Policy Preferences in Active Directory Domain Services, through the Group Policy Management Console. A Windows Server 2012 based VPN provides additional features under group policy, such as event logging and policy caching. Event logging is an analytical tool that includes information on the duration of the sign-in process. Policy caching, on the other hand, updates the policy version stored in the local store from the domain controller, so that on regular log-ins the most recent downloaded policy is processed. This saves time when accessing policies in asynchronous mode.
As outlined above, file sharing is achieved via DFS Replication and DFS Namespace. These two techniques also provide a mechanism to back up data redundantly.
Remote access
A Virtual Private Network is an extension of a private network across shared or public networks such as the Internet. VPN users are able to send data securely between two locations in the network in a manner similar to a point-to-point private link. A remote client initiates a connection and is connected to the private network, because the VPN server acts like a router that provides access to the entire network to which it is attached. Through a mutual authentication process, the VPN client authenticates itself to the server and the server to the client. XYZ employees and managers will access network resources remotely via intranet-based and extranet-based virtual private networks. Intranet-based access applies to users located internally, who will access files and other resources located on computers within the company.
Windows Server 2012 comes with Network Access Protection functionality. This is used to control health certificates for the organization's IPsec peer-authenticated intranet tunnels. NAP is controlled by the Health Registration Authority, which issues certificates with a System Health Object Identifier once all the policies are satisfied. NAP health checks select the users that are allowed into the network and those that are denied, via the Remote Access Setup Wizard. Extranet-based connections are applicable to remote and telecommuting users who are always on the move and require XYZ resources to execute their functions effectively. Extranet-based resources are extended to group projects where personnel working on a project are located in different parts of the continent. For instance, XYZ staff involved in product research, development and design could liaise with their counterparts engaged in production and sales representation, based in Los Angeles, to deliver a custom product demanded by a customer in real time. Though the three departments are far apart in different states, product design, development and assembly take place almost in real time as information is exchanged seamlessly every day.
Before a user is authenticated to the VPN, credentials are exchanged based on administrator-provided information. Administrators have the role of defining Group Policy objects based on users' needs and priorities. Telecommuting personnel such as sales representatives will have their communication equipment installed with security patches, antimalware programs and other custom-made applications to deter security threats. Configuration of forward-facing IP addresses together with access privileges is provided via DirectAccess functionality in the GPO.
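The mutually authenticated remote-access tunnel described above, as an added example that is not part of the proposal: it configures a Windows Server 2012 VPN gateway with the RemoteAccess module so that tunnels are authenticated by machine certificates and users only by EAP, with the legacy PPTP listener removed. The server name HOU-VPN01 is an assumption, as is the existence of an enterprise CA that has already issued the machine and user certificates.

```powershell
# Added example (not from the proposal): turns the hypothetical Houston server
# HOU-VPN01 into a Windows Server 2012 VPN gateway with mutual authentication.
# Run on HOU-VPN01 itself; certificates are assumed to be issued already.
Import-Module RemoteAccess

# 1. Install the role as a plain remote-access VPN server (not site-to-site).
Install-RemoteAccess -VpnType Vpn -PassThru

# 2. Authenticate users against Active Directory rather than an external RADIUS server.
Set-VpnAuthType -Type Windows -PassThru

# 3. Accept only EAP for user authentication, dropping PAP, CHAP and MS-CHAPv2 so that
#    password-only clients are refused, and advertise certificate-based tunnel
#    authentication for IKEv2 (the protocol the proposal also names).
Set-VpnAuthProtocol -UserAuthProtocolAccepted @('EAP') `
                    -TunnelAuthProtocolsAdvertised Certificates -PassThru

# 4. Offer IKEv2 ports and remove the PPTP listener entirely; PPTP relies on MS-CHAPv2,
#    whose weaknesses are well documented, so it should not be reachable at all.
Set-VpnServerConfiguration -TunnelType Ikev2 -Ikev2Ports 128 -PassThru
Set-VpnServerConfiguration -TunnelType Pptp  -PptpPorts 0    -PassThru

# 5. Verify the effective settings before the edge firewall is opened for UDP 500/4500.
Get-VpnAuthProtocol        | Format-List UserAuthProtocolAccepted, TunnelAuthProtocolsAdvertised
Get-VpnServerConfiguration | Format-List TunnelType, Ikev2Ports, PptpPorts
```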
WSUS
Windows Server 2012 is the latest offering from Microsoft and came into effect in 2012. It is best described by its innovative user interface, Active Directory controllers, DFS Namespace and DFS Replication, and strong remote management tools, among other features. Windows Server 2012 Standard is preferred for implementation with the VPN. The Standard edition will accommodate the level of virtualization the company may be considering and, based on future predictions, the organization has the choice to upgrade to the Datacenter edition or other versions that fully support virtualization and cloud deployment.
The potential of cloud computing in the future is undisputed, and as many organizations prepare to shift to the cloud to cut operational costs and access services regardless of location, time and device, XYZ should factor it into its future expansion plans. XYZ will deploy its applications in Houston in a centralized manner, to be accessed by all users. This will consequently lower the overall cost of ownership and yield a high degree of economy. When applications are consolidated in a single location and accessed by multiple users from disparate locations, organizations derive economies of scale; this is what a VPN offers when deployed with the Windows Server 2012 OS. XYZ will develop application centres in Houston and Dallas to host business-critical services. Enterprise-class servers are recommended for these locations: a primary server in Houston and a failover in Dallas. They will act as gateways for XYZ employees requesting and using applications running on their workstations.
The Los Angeles office will be designed to link seamlessly with Houston, allowing sales representatives to relay their sales data in real time while also asking for details, order levels and any other relevant information. This approach consolidates XYZ's computing capability, consequently reducing the number of application servers deployed at each location and saving on cost, while throughput and service delivery are not compromised.
WSUS is an enhanced capability of the Microsoft Windows operating system. It allows technology administrators to deploy the latest product updates to workstations running their operating systems. By using WSUS, administrators will manage the distribution of updates released via Microsoft Update to the computers on their networks. In a distributed environment, a WSUS server, also referred to as the upstream server, acts as the update source for all the other servers within the organization. The primary server located in Houston is connected to Microsoft Update. This connection provides the available update information while allowing the administrator to determine how many servers are allowed to connect for updates.
WSUS will be used to control the deployment and maintenance of software applications in the production department. Any software or update introduced into the production environment is vetted for operational efficiency, security vulnerabilities and stability. By maintaining a known level of trust within the operating system and applications, XYZ will eradicate a number of security vulnerabilities. If these vulnerabilities were to be exploited, they would lead to compromise of intellectual property and financial losses. WSUS allows vulnerabilities to be minimized through automated and controlled installation of the latest recommended software updates.
Windows Server Update Services is available as a built-in server role that can be added or removed through Server Manager. It comes with Windows PowerShell cmdlets for the management of numerous essential administrative features, provides the capability to add SHA256 hashing for additional security, and separates clients from the server. Windows PowerShell functionality is an increasingly important feature in the management of WSUS because it gives administrators the much-needed automation tools for their day-to-day operations. Apparent benefits include increased productivity, a flattened learning curve for new tools and reduced errors due to consistency across similar operations.
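Serving both the Group Policy section and the WSUS section above, the following is an added example that is not part of the proposal: it ties the Houston upstream server to Microsoft Update, makes Dallas a replica, stages security updates through a pilot group before production (the vetting step the proposal calls for), and uses a GPO to point domain computers at WSUS. The server names HOU-WSUS01 and DAL-WSUS01, the group and GPO names, and the HTTPS listener on port 8531 are assumptions.

```powershell
# Added example (not from the proposal): WSUS tiering and client targeting for XYZ.
# HOU-WSUS01 / DAL-WSUS01, the group and GPO names and port 8531 (HTTPS) are hypothetical.
Import-Module UpdateServices
Import-Module GroupPolicy

# Houston: the upstream server, the only one that talks to Microsoft Update.
$Hou = Get-WsusServer -Name 'HOU-WSUS01' -PortNumber 8530
$Hou | Set-WsusServerSynchronization -SyncFromMU

# Subscribe the catalogue only to the products and classifications XYZ runs. Other
# entries keep their current setting; pipe them to Set-WsusProduct -Disable to turn off.
Get-WsusProduct -UpdateServer $Hou |
    Where-Object { $_.Product.Title -match 'Windows Server 2012' } |   # add the workstation OS in use
    Set-WsusProduct
Get-WsusClassification -UpdateServer $Hou |
    Where-Object { $_.Classification.Title -in 'Critical Updates', 'Security Updates' } |
    Set-WsusClassification

# Approval flow: security updates go to a pilot group first; production is approved
# separately once the pilot machines report no failures.
$Pilot = 'XYZ-Pilot'; $Prod = 'XYZ-Production'
foreach ($g in $Pilot, $Prod) {
    if (-not ($Hou.GetComputerTargetGroups() | Where-Object Name -eq $g)) {
        $Hou.CreateComputerTargetGroup($g) | Out-Null
    }
}
Get-WsusUpdate -UpdateServer $Hou -Classification Security -Approval Unapproved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName $Pilot

# Dallas: replica downstream server, inherits Houston's approvals over TLS.
Get-WsusServer -Name 'DAL-WSUS01' -PortNumber 8530 |
    Set-WsusServerSynchronization -UssServerName 'HOU-WSUS01' -PortNumber 8531 -UseSsl -Replica

# Group Policy: point every domain computer at WSUS so updates come only from the
# vetted source. The registry values are the documented WindowsUpdate policy settings.
$Gpo = New-GPO -Name 'XYZ-WSUS-Clients'
$WU  = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$Url = 'https://HOU-WSUS01.houston.xyz.com:8531'
Set-GPRegistryValue -Name $Gpo.DisplayName -Key $WU      -ValueName WUServer       -Type String -Value $Url | Out-Null
Set-GPRegistryValue -Name $Gpo.DisplayName -Key $WU      -ValueName WUStatusServer -Type String -Value $Url | Out-Null
Set-GPRegistryValue -Name $Gpo.DisplayName -Key "$WU\AU" -ValueName UseWUServer    -Type DWord  -Value 1    | Out-Null
Set-GPRegistryValue -Name $Gpo.DisplayName -Key "$WU\AU" -ValueName NoAutoUpdate   -Type DWord  -Value 0    | Out-Null
New-GPLink -Name $Gpo.DisplayName -Target 'DC=houston,DC=xyz,DC=com' -LinkEnabled Yes | Out-Null
```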
CONCLUSION
Having proposed a VPN solution for XYZ and depicted how the solution will be implemented, it is notable that if adopted, the organization will stand to benefit immensely. A VPN is a point-to-point private connection that is delivered via public networks such as the Internet. In order to serve its clients effectively in Los Angeles, Dallas and Houston, XYZ needs a secure network that is highly available and without performance limitations. A VPN is a perfect match, as it will deliver the required connectivity without compromising security. Data in a VPN is encapsulated and encrypted for confidentiality; even if packets are intercepted on the public network, they are indecipherable without the encryption keys. The VPN solution also provides data replication, a sufficient way to back data up as well as to update it automatically on all servers. It is my belief that the proposal will be helpful to XYZ.