Commercial In Confidence

SEMP - LAN Services

Low Level Design

Document Reference: SEMP-LLD005

Current Version: 0.1

Version Date: 2007/09/28

Status Draft

Author: Sachin Ganpat

SEMP - LAN Services Low Level Design

Version: 0.1 Page 2 of 21 Project: MOE-SEMP Date: 2007/09/28 Document Ref: SEMP-LLD005 Commercial In Confidence

Copyright © Fujitsu Transaction Solutions

Table of Contents

1 Document Control
1.1 Authorisation
1.2 Document Control/Change History
1.3 Document References
1.4 Distribution List
1.5 Terms and Abbreviations

2 Introduction
2.1 Purpose of document
2.2 Background
2.3 Assumptions
2.4 Risks
2.5 Dependencies
2.6 Issues & unknowns
2.7 Constraints (Standards, Policies, Guidelines)
2.8 Glossary

3 IP Addressing detailed design
3.1 IP Addressing Scheme selection

4 Ethernet Switch detailed design
4.1 Product selection
4.2 Physical placement of component
4.3 Configuration information
4.4 Configuration Sequence

5 Wireless Access Point detailed design
5.1 Product selection
5.2 Physical placement of component
5.3 Configuration information
5.4 Configuration Sequence

6 IAS and Certificate Services detailed design
6.1 Product selection
6.2 Physical placement of component
6.3 Configuration information
6.4 Configuration Sequence

7 Wireless Client detailed design
7.1 Product selection
7.2 Physical placement of component
7.3 Configuration information
7.4 Configuration Sequence

8 Printer detailed design
8.1 Product selection
8.2 Physical placement of component
8.3 Configuration information
8.4 Configuration Sequence

9 Firewall detailed design
9.1 Product selection
9.2 Physical placement of component
9.3 Configuration information
9.4 Configuration Sequence

10 DHCP detailed design
10.1 Product selection
10.2 Physical placement of component
10.3 Configuration information
10.4 Configuration Sequence


1 Document Control

1.1 Authorisation

Authorised by :

Date :

1.2 Document Control/Change History

Version  Date        Comment        Editor
0.1      2007/06/21  Initial Draft  Sachin Ganpat

1.3 Document References

Title                                              Date        Version
SEMP-TEC003 Solution Overview                      2007/06/06  2.0
SEMP-HLD003 Network High Level Design              2007/06/04  0.1
MOE SEMP Naming and IP Addressing                  2007/07/30  1.0
SEMP-SBI003 – Network Solution Build Instructions  2007/07/30  0.2

1.4 Distribution List (Version 0.1)

Jason Cardenas – Programme Director

Ian Howard – Integration Manager

Glen Ragoonanan – Solutions Architect

Shodhan Ragoonanan – Project Manager

Wayne Sheppard – Quality and Process Improvement

Patrick Zimmer – Solutions Architect

Michael Thompson – Staging Manager

1.5 Terms and Abbreviations

Term/Abbrev Definition

AD Active Directory

ADSL Asymmetric Digital Subscriber Line

AP Access Point

BoM Bill of Materials

CA Certificate Authority


CHAP Challenge Handshake Authentication Protocol

CPU Central Processing Unit

DHCP Dynamic Host Configuration Protocol

DNS Domain Name System

DSL Digital Subscriber Line

EAP Extensible Authentication Protocol

GB Gigabyte

IAS Internet Authentication Service

ISP Internet Service Provider

LAN Local Area Network

NIC Network Interface Card

PEAP Protected EAP

RADIUS Remote Authentication Dial-In User Service

TLS Transport Layer Security

URL Uniform Resource Locator

UTP Unshielded Twisted Pair

VLAN Virtual LAN

WAN Wide Area Network

WAP Wireless Access Points

WEP Wired Equivalent Privacy

WPA WiFi Protected Access


2 Introduction

2.1 Purpose of document

This document gives the low level LAN design for the Ministry of Education Secondary Education Modernisation Program (SEMP) project to place computers and network infrastructure in one hundred and thirty-three (133) secondary schools throughout Trinidad and Tobago.

This document will show the design and configuration for the LAN infrastructure that includes the wired and wireless network elements.

2.2 Background

The Ministry of Education is seeking to implement PCs in selected secondary schools (133) across Trinidad and Tobago and to provide students and teachers with access to these resources. As part of this, access to file and print services will also be required.

2.3 Assumptions

The following are assumed:

1. Only authorised personnel will have physical access to servers and network devices.

2. A static Internet IP address will be provided by MoE SEMP for the firewall at each school.

3. Students may not access the wireless network using personal devices.

4. Each device on the network will require only one (1) IP address.

2.4 Risks

The following are risks to the project:

1. Availability of Static IP addresses from TSTT for all secondary schools.

2. Firewall appliances provided by CP006 for Managed Services may not be available and delivered in time.

3. Complications with connecting clients to wireless network may require the authentication method to change, for example, from 802.1X and WPA (also called WPA-Enterprise) to WPA Pre Shared Key (WPA-PSK also called WPA-Personal).

2.5 Dependencies

The following are required to ensure successful project completion:

1. All preparatory work required for network, server and computer installation is completed prior to installation of said devices.

2. Availability of staff members during site installation and attendance to training courses.

3. The customer provides Internet connectivity to the server room.

4. All equipment delivered in time.

5. Availability of LAN DHCP and DNS services (Covered in SEMP-HLD001 - MOE SEMP Servers HLD).


6. Availability of Certificate Services Server (Covered in SEMP-HLD001 - MOE SEMP Servers HLD).

2.6 Issues & unknowns

The following are issues with the design:

1. Wireless printers only support WPA-PSK (WiFi Protected Access – Pre Shared Key).

2. Teachers or staff logging on to a student workstation on the wired network will be placed in the student network, with no access to their resources on the staff server.

2.7 Constraints (Standards, Policies, Guidelines)

The following are constraints on the design:

1. Teacher data must be adequately protected from student access.

2. RFC 1918 – Address Allocation for Private Internets

3. Wireless Deployment Recommendations and Best Practices (Microsoft)

4. RADIUS Protocol Security and Best Practice (Microsoft)

2.8 Glossary

Access Point An internetworking device that seamlessly connects wired and wireless networks.

Active Directory Used by Microsoft Windows 2000 and 2003 Servers to provide central authentication and authorization services for Windows based computers.

Advanced Encryption Standard

An encryption algorithm that implements symmetric key cryptography. AES is a block cipher and is a completely different cipher from TKIP and WEP, which are both built on the RC4 stream cipher.

Basic Service Set A set of 802.11-compliant stations and an access point that operate as a fully-connected wireless network.

Content filter An application that acts either on the content, the information contained in the message, or on the headers, to either classify, accept or reject the message.

Egress Tagging Allows multiple VLANs to be transmitted over a link using 802.1Q VLAN tags.

Extended Service Set

More than one wireless cell can be configured with the same Service Set Identifier so that mobile users can roam between the cells of the Extended Service Set.

Extensible Authentication Protocol

An authentication framework used to authenticate network clients. EAP is combined with IEEE 802.1X port authentication and a RADIUS authentication server; with the method used in this design (PEAP), the client and the RADIUS server authenticate each other, while the access point only relays the exchange between them.

Power over Ethernet

A specification for providing both power and data to low-power network devices using a single Category 5 Ethernet cable.

RADIUS An IETF-defined protocol (RFC 2865) for authenticating, authorising and accounting for access to a network.


Roaming The ability of a wireless LAN user to move around an ESS while maintaining a continuous connection to the infrastructure network.

Service Set Identifier

An identifier attached to frames sent over the wireless LAN that names a particular radio cell, that is, a Basic Service Set (BSS). The SSID is broadcast in the clear and is not a secret; joining the cell is controlled by the authentication configured on the VAP (802.1X or WPA-PSK in this design), not by the SSID.

Shared key A shared key can be used to authenticate each client attached to a wireless network.

Simple Network Management Protocol

The application protocol in the Internet suite of protocols that offers network management services.

Virtual Access Point

Multiplies the number of Access Points present within the RF footprint of a single physical access device. With Virtual AP technology, WLAN users within the device footprint can associate with what appears to be different access points and their associated network services. All the services are delivered using a single radio channel, enabling Virtual AP technology to optimize the use of limited WLAN radio spectrum.

Virtual Local Area Network A method of creating independent logical networks within a physical network.

VLAN Trunk Denotes a network link carrying multiple VLANs between 2 switches or between a switch and a router, through the use of a trunking protocol. The VLANs maintain their separation in this link using VLAN tagging where the traffic destined for a particular VLAN is tagged.

WPA Wi-Fi protected access. Employs 802.1X as its basic framework for user authentication and dynamic key management to provide an enhanced security solution for 802.11 wireless networks.

WPA Pre-shared Key

Usually used for small office networks that do not have the resources to configure and maintain a RADIUS server. WPA-PSK provides a simple operating mode that uses just a pre-shared password for network access.


3 IP Addressing detailed design

3.1 IP Addressing Scheme selection

IP addresses should be scalable and allow for growth, but at the same time be used and assigned efficiently. The student networks use subnets of the RFC 1918 network 10.0.0.0/8 with a 25-bit mask (126 usable host addresses per school); the first student network is 10.0.1.0/25. The staff networks use subnets of the RFC 1918 network 172.16.0.0/12 with a 26-bit mask (62 usable host addresses per school); the first staff network is 172.16.0.0/26.

Table 1 IP Address Scheme

Student VLAN
Description                 Address
Student LAN                 10.xxx.yyy.0
Student Mask Bits           25
Student LAN Mask            255.255.255.128
Firewall VLAN1              10.xxx.yyy.1
Student Server              10.xxx.yyy.2
Management Server           10.xxx.yyy.3
Server Reservation          10.xxx.yyy.4 - 5
Printers                    10.xxx.yyy.6 - 20
Student Clients             10.xxx.yyy.21 - 126

Staff VLAN
Description                 Address
Staff LAN                   172.16.xxx.0
Staff Mask Bits             26
Staff LAN Mask              255.255.255.192
Firewall VLAN2              172.16.xxx.1
Staff Server                172.16.xxx.2
Server Reservation          172.16.xxx.3 - 5
Switches                    172.16.xxx.6 - 8
WAPs                        172.16.xxx.9 - 11
Wireless Bridges            172.16.xxx.12 - 15
Miniature Switch            172.16.xxx.16
Network Device Reservation  172.16.xxx.17 - 20
Staff Clients               172.16.xxx.21 - 62

Note that not all locations will have the number of network devices catered for in Table 1. Where a device does not exist, e.g. Wireless Bridges, skip those IP assignments; those addresses then act as reserve addresses for network devices. IP addresses for each location are defined in MOE SEMP Naming and IP Addressing V1.0.xls.


4 Ethernet Switch detailed design

4.1 Product selection

• Nortel 24 Port Business Ethernet Switch 1010 (BES1010-24T)

• Software Version: 1.1.0.002

4.2 Physical placement of component

All Type A schools will have three switches, while Type B and C schools will have two.

Within Type A schools, two switches will be placed in the Main Distribution Frame (MDF) and one in the Intermediate Distribution Frame (IDF).

Within Type B and C schools, one switch is in the MDF and one in the IDF.

The MDF is at all times the server rack, while the location of the IDF may change according to the results of the site assessment.

4.3 Configuration information

IP addresses for the switches are as defined in the IP Addressing detailed design above. Switches in the MDF shall be assigned first, then the switch in the IDF.

All switches will be configured for two VLANs, Student and Staff.

VLAN ID 1 will be set as the Student VLAN and VLAN ID 2 will be set as the Staff VLAN.

All switches will be configured as shown in Table 2.

Table 2 MDF Switch Port Configuration

Ports    Configuration
1 - 4    VLAN 1 and VLAN 2 with Egress Tagging enabled.
5 - 20   VLAN 1
21 - 24  VLAN 2

Ports 1-4 are trunk ports and as such require Egress Tagging (VLAN Tagging).

SNMP settings should be set as indicated in Appendix A.

Administrative passwords should be set as indicated in Appendix A.

Remote Access filtering is used to prevent unauthorised access by permitting management access only from the servers. Once Managed Services come on-stream, the filter can be modified to also allow access from the RIM.

4.4 Configuration Sequence

The following is an outline of the configuration sequence for the switches; the switch configuration is detailed in SEMP-SBI003 – Network Solution Build Instructions.

1. Configure System Information.

2. Configure SNMP Settings. SNMP Community strings are specified in Appendix A.

3. Create Student VLAN (VLAN ID 1) and Staff VLAN (VLAN ID 2).


4. Specify Ports 1-4 VLAN Egress Tagging as “ON”.

5. Specify Ports 1-20 as VLAN 1.

6. Specify Port 1-4 and 21-24 as VLAN 2.

7. Change Management VLAN from VLAN 1 to VLAN 2.

8. Change IP Address as per MOE SEMP Naming and IP Addressing.

9. Change Administrative Password as indicated in Appendix A.

10. Configure the "Remote Access" IP filters with two entries: the network address of the student network and the network address of the staff network, each with the mask 255.255.255.252. Each entry covers a block of four addresses, of which two are unusable for management (the network address and the firewall address at .1); the remaining two (.2 and .3) are the server addresses from Table 1, so only the servers can reach the switch management interface.
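The following Python script is an added worked example; it is not part of SEMP-LLD005 or the build instructions. It expands the Table 1 scheme of section 3.1 for one school and then checks exactly which hosts the step 10 filter (network address with mask 255.255.255.252) admits to switch management. The consecutive numbering of schools from 10.0.1.0/25 and 172.16.0.0/26, and the role names, are assumptions for illustration; the real per-site numbering is in the MOE SEMP Naming and IP Addressing spreadsheet.

```python
"""Added worked example; not from SEMP-LLD005 or the SEMP build instructions.

Expands the Table 1 address scheme for one school and checks which hosts the
switch "Remote Access" filter of section 4.4 step 10 (network address with
mask 255.255.255.252) admits.  Assumption: schools take consecutive subnets
starting at the first student /25 and staff /26 of section 3.1; the real
per-site numbering lives in the MOE SEMP Naming and IP Addressing spreadsheet.
"""
import ipaddress

# Host offsets within each school subnet, as laid out in Table 1.
STUDENT_PLAN = {
    "firewall_vlan1": (1, 1),
    "student_server": (2, 2),
    "management_server": (3, 3),
    "server_reservation": (4, 5),
    "printers": (6, 20),
    "student_clients": (21, 126),
}
STAFF_PLAN = {
    "firewall_vlan2": (1, 1),
    "staff_server": (2, 2),
    "server_reservation": (3, 5),
    "switches": (6, 8),
    "waps": (9, 11),
    "wireless_bridges": (12, 15),
    "miniature_switch": (16, 16),
    "network_device_reservation": (17, 20),
    "staff_clients": (21, 62),
}

FIRST_STUDENT = ipaddress.ip_network("10.0.1.0/25")
FIRST_STAFF = ipaddress.ip_network("172.16.0.0/26")


def nth_subnet(first, n):
    """The n-th consecutive subnet after `first`, same prefix length (n=0 is `first`)."""
    base = int(first.network_address) + n * first.num_addresses
    return ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{first.prefixlen}")


def school_subnets(n):
    """(student /25, staff /26) for school number n, under the assumption above."""
    return nth_subnet(FIRST_STUDENT, n), nth_subnet(FIRST_STAFF, n)


def expand(plan, net):
    """Map each role to its (first, last) address in `net`, rejecting a range that
    leaves the usable host space (network/broadcast) or overlaps another role."""
    base, bcast = int(net.network_address), int(net.broadcast_address)
    used, result = set(), {}
    for role, (lo, hi) in plan.items():
        first, last = base + lo, base + hi
        if not (base < first <= last < bcast):
            raise ValueError(f"{role}: outside usable hosts of {net}")
        span = set(range(first, last + 1))
        if span & used:
            raise ValueError(f"{role}: overlaps another role")
        used |= span
        result[role] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return result


def management_filter(net):
    """Step 10 of 4.4: the filter is the subnet's network address with a /30 mask."""
    return ipaddress.ip_network(f"{net.network_address}/30")


def hosts_admitted(plan, net):
    """Addresses (and their Table 1 role) that pass the management filter.
    Expect .1 (firewall), .2 and .3 (servers); clients and printers are outside."""
    flt = management_filter(net)
    admitted = {}
    for role, (first, last) in expand(plan, net).items():
        for a in range(int(first), int(last) + 1):
            addr = ipaddress.ip_address(a)
            if addr in flt:
                admitted[str(addr)] = role
    return admitted


def check_school(n):
    """Run the checks for one school and return a summary."""
    student, staff = school_subnets(n)
    if student.overlaps(staff):
        raise ValueError("student and staff subnets overlap")
    return {
        "student": str(student),
        "staff": str(staff),
        "student_hosts": student.num_addresses - 2,
        "staff_hosts": staff.num_addresses - 2,
        "switch_mgmt_from_student": hosts_admitted(STUDENT_PLAN, student),
        "switch_mgmt_from_staff": hosts_admitted(STAFF_PLAN, staff),
    }


if __name__ == "__main__":
    for n in range(2):
        print(check_school(n))
```

Running it for the first school shows the /30 filter admitting 10.0.1.1 to 10.0.1.3 and 172.16.0.1 to 172.16.0.3 only, which is the intent of step 10: the firewall address falls inside the block but is not a management host, and every client, printer and WAP address is outside it. The same `expand` check catches a plan that strays onto the broadcast address or double-books a host.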


5 Wireless Access Point detailed design

5.1 Product selection

• Nortel Business Access Point 120

• Software Version 4.3.3.4b01

5.2 Physical placement of component

There will be at least one WAP in every school, as all staff rooms are wireless. Schools will have additional WAPs to cover the computer labs in Type B and C schools, which are wireless, and in some cases the Administration Office.

The WAP will be connected to a trunk port on the Ethernet switch.

5.3 Configuration information

The WAPs will all be given an IP address as per MOE SEMP Naming and IP Addressing.

All WAPs support IEEE 802.11a/b/g and will have both the 802.11a and 802.11b/g radios enabled.

The WAPs also support Virtual Access Points (VAPs), which allow a single access point to act as multiple virtual APs; here four per radio, so each WAP can present eight separate APs.

One VAP (VAP 0) on each of the A and B/G radios will act as the main AP; both will broadcast the same SSID, in the format "<DOMAIN NAME>_WL". This VAP uses 802.1X port authentication against RADIUS servers, in this case the two domain controllers.

An additional VAP (VAP 1) on the B/G radio will act as the AP for the wireless printers and will broadcast the SSID "<DOMAIN NAME>_PRN". This VAP uses WiFi Protected Access version 1 with a Pre-Shared Key (WPA-PSK), as the Dell printers do not support 802.1X. The pre-shared keys are specified in MOE SEMP Naming and IP Addressing and are unique to each school, so a key recovered from one school's printer is of no use at another.

The WAP will dynamically associate clients with a VLAN based on RADIUS attributes. Students will be placed in VLAN 1 and Staff will be placed in VLAN 2.

VLAN classification is based on computer authentication only: regardless of who logs on, a Student computer remains in the Student VLAN and a Staff computer remains in the Staff VLAN.

5.4 Configuration Sequence

The following is an outline of the configuration sequence for the WAP; the configuration is detailed in SEMP-SBI003 – Network Solution Build Instructions.

1. Upgrade the Firmware version to 4.3.3.4b01.

2. Set the system information.

3. Configure the RADIUS servers: the primary RADIUS server is the Staff DC and the secondary RADIUS server is the Student DC.

4. Configure VAP 0 on the A radio with the SSID <DOMAIN NAME>_WL and 802.1X set to required. Also set both Authentication and Encryption to required, and the authentication type to WPA/WPA2 mixed mode.


5. Configure VAP 0 on the B/G radio the same as VAP 0 on the A radio.

6. Configure VAP 1 on the B/G radio with the SSID <DOMAIN NAME>_PRN. 802.1X must be disabled. Set both Authentication and Encryption to required, and the authentication type to WPA-PSK.

7. Enable VLAN classification.

8. Change management VLAN to VLAN 2.

9. Change IP address as per document MOE SEMP Naming and IP Addressing.

10. Change SNMP settings as per Appendix A.

11. Change Administrative Passwords as per Appendix A.


6 IAS and Certificate Services detailed design

6.1 Product selection

• Windows Server 2003 R2 Standard Edition

• Service Pack 2

• Internet Authentication Service (Microsoft RADIUS)

• Certificate Services

6.2 Physical placement of component

IAS and Certificate Services will be installed on both Domain Controllers, the Staff Server and the Student Server.

6.3 Configuration information

The Staff Server will be installed as an Enterprise Root CA. The Student Server will be installed as an Enterprise Subordinate CA.

Certificate Services will be installed and configured on the servers using the “SEMPInstallCA.wsf” script.

IAS will be installed with the identical configuration on both the Staff Server and Student Server.

IAS will be installed and configured on the servers using the “SEMPInstallIAS.wsf” script.

IAS will first be configured on the Staff Server; the settings will then be exported from it and imported into the Student Server.

Group policies will be used to allow automatic enrolment of the computer certificate.

6.4 Configuration Sequence

The following is an outline of the configuration sequence for Certificate Services and IAS; the configuration is detailed in SEMP-SBI003 – Network Solution Build Instructions.

1. Start with the Staff Server.

2. Add Certificate Services and Internet Authentication Services from the Add/Remove Windows Components Wizard.

3. Specify the CA Type as “Enterprise Root”.

4. Specify the common name as “<DOMAIN NAME>CA”.

5. On the Student Server, specify the CA Type as “Enterprise Subordinate CA”.

6. Specify the common name as “<DOMAIN NAME>SUBCA”.

7. Reboot both servers. This ensures that the servers enrol for the certificate.

8. Open the IAS Management Console from Administrative Tools on the Staff Server.

9. Add a Remote Access policy for Students and specify the Access Type as wireless and the Access Group as “Group_Student_Computers”.

10. Add another Remote Access Policy for Staff and specify the Access Type as wireless and the Access Groups as “Group_Staff_Computers” and “Group_All_Staff”.

11. Select the Authentication Method as Protected EAP (PEAP).


12. Configure the advanced settings for the policies.

a. Specify the Session Timeout as 720 minutes. When the session expires the client must re-authenticate (Termination-Action RADIUS-Request, Table 3), so a computer account that has been disabled in the meantime fails that re-authentication and is disconnected from the network.

b. Specify the strongest encryption (MPPE 128).

c. Add the following RADIUS Attributes:

Table 3 RADIUS Attributes

Name                           Vendor           Value
Termination-Action             RADIUS Standard  RADIUS-Request
Tunnel-Medium-Type             RADIUS Standard  802 (Includes all 802 media…)
Tunnel-Pvt-Group-ID            RADIUS Standard  1 for Student, 2 for Staff
Tunnel-Type                    RADIUS Standard  Virtual LANs (VLAN)
Ignore-User-Dialin-Properties  Microsoft        True

13. Configure the IAS RADIUS clients for every AP on the network. The secret key is specified in the MOE SEMP Naming and IP Addressing document.

14. Export the settings from the Staff Server with the command "netsh aaaa show config > <file>". The exported file contains the RADIUS client shared secrets in clear text, so keep it on a protected location and delete it once the import is complete.

15. On the Student Server, import the exported settings with the command "netsh exec <file>".
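The Python below is an added worked example; it is not from SEMP-LLD005 or the build instructions. It encodes the Table 3 attributes in RADIUS wire format (RFC 2865 and the tagged attributes of RFC 2868) as IAS would return them in an Access-Accept, and reproduces the VLAN classification the WAP performs in section 5.3, falling back to the VAP's own VLAN when the attributes are absent or inconsistent. The attribute numbers and enumeration values are the IANA-registered ones; the fallback behaviour, the tag handling and the `ias_access_accept` helper are assumptions about the AP firmware and the IAS output, not something the design states.

```python
"""Added worked example; not from SEMP-LLD005 or the SEMP build instructions.

Encodes the Table 3 Access-Accept attributes as IAS would send them and
reproduces the AP-side VLAN classification of section 5.3.  The fallback to
the VAP's default VLAN and the tag handling are assumptions about the AP.
"""
import struct

SESSION_TIMEOUT = 27            # RFC 2865, value in seconds
TERMINATION_ACTION = 29         # RFC 2865: 0 = Default, 1 = RADIUS-Request
TUNNEL_TYPE = 64                # RFC 2868, tagged integer
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868, tagged string

TUNNEL_TYPE_VLAN = 13           # "Virtual LANs (VLAN)" in the IAS policy UI
TUNNEL_MEDIUM_IEEE_802 = 6      # "802 (includes all 802 media...)" in the IAS UI
TERM_RADIUS_REQUEST = 1         # "RADIUS-Request": re-authenticate at timeout
# Ignore-User-Dialin-Properties from Table 3 is evaluated by IAS itself and is
# not sent to the AP, so it never appears on the wire.


def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: a 1-byte tag followed by a 3-byte big-endian value."""
    return struct.pack("!B", tag) + struct.pack("!I", value)[1:]


def ias_access_accept(vlan_id, session_minutes=720, tag=0):
    """Attributes the Student (vlan_id=1) or Staff (vlan_id=2) policy returns.
    IAS takes the timeout in minutes; Session-Timeout on the wire is in seconds.
    (Assumed layout; the exact attribute order IAS uses is not material.)"""
    return b"".join([
        avp(SESSION_TIMEOUT, struct.pack("!I", session_minutes * 60)),
        avp(TERMINATION_ACTION, struct.pack("!I", TERM_RADIUS_REQUEST)),
        avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN)),
        avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802)),
        avp(TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", tag) + str(vlan_id).encode("ascii")),
    ])


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def classify_vlan(data, default_vlan):
    """Section 5.3 behaviour: place the station in the RADIUS-assigned VLAN only
    if Tunnel-Type is VLAN, Tunnel-Medium-Type is IEEE 802 and the group ID is a
    valid VLAN number; otherwise keep the VAP's default VLAN (assumed fallback)."""
    tunnel_type = medium = group = None
    for attr_type, value in parse_attributes(data):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading byte of 0x00..0x1F is a tag; anything larger is string data.
            group = (value[1:] if value[0] <= 0x1F else value).decode("ascii", "replace")
    if (tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802
            and group is not None and group.isdigit() and 1 <= int(group) <= 4094):
        return int(group)
    return default_vlan


def reauth_policy(data):
    """(Session-Timeout in seconds, re-authenticate at expiry?) from an Access-Accept.
    With RADIUS-Request the AP re-runs 802.1X at expiry, so a disabled account is
    dropped at most one timeout after it was disabled."""
    timeout, action = None, 0
    for attr_type, value in parse_attributes(data):
        if attr_type == SESSION_TIMEOUT and len(value) == 4:
            timeout = int.from_bytes(value, "big")
        elif attr_type == TERMINATION_ACTION and len(value) == 4:
            action = int.from_bytes(value, "big")
    return timeout, action == TERM_RADIUS_REQUEST


if __name__ == "__main__":
    for name, vid in (("Student", 1), ("Staff", 2)):
        accept = ias_access_accept(vid)
        print(name, accept.hex(), "->", classify_vlan(accept, default_vlan=0), reauth_policy(accept))
```

Two details worth keeping in mind when checking an AP against this: the 720 minutes entered in the IAS policy becomes Session-Timeout 43200 on the wire, and an accept that carries only some of the three tunnel attributes, or a Tunnel-Type other than VLAN, must not move the station out of the VAP's default VLAN.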


7 Wireless Client detailed design

7.1 Product selection

• Windows Vista Business Edition

• Windows Server 2003 R2 Standard Edition with SP2

7.2 Physical placement of component

Group policy is configured on the Domain Controllers.

Windows clients are placed throughout the network.

7.3 Configuration information

No configuration is required on clients already in the domain; they retrieve the settings from Group Policy. However, clients must be built on the wired network and must have applied the group policy before they can access the wireless network.

Group policy called “WiFi Policy” will contain the settings for the wireless configuration. The settings will include:

• The SSID

• Root Certificate Server

• Authenticate as computer only

• Always use 802.1X EAPOL

7.4 Configuration Sequence

The following is an outline of the configuration sequence for the Wireless Group Policy; the configuration is detailed in SEMP-SBI003 – Network Solution Build Instructions.

• Open the Group Policy Management Console on any Domain Controller.

• Create a new policy called “WiFi Policy”.

• Create a new Wireless Network policy.

• Create a new preferred network and specify the settings:

o The SSID name which should be “<DOMAIN NAME>_WL”

o The wireless network key uses WPA network authentication and AES encryption.

o EAPOL Start Message is set to Transmit per IEEE 802.1X, so that the station does not wait for an EAPOL message from the WAP before starting the IEEE 802.1X exchange.

o EAP Type is Protected EAP (PEAP), with the EAP settings:

The server certificate is validated.

The domain's certificate server is ticked in the list of Trusted Root Certification Authorities, so the client accepts only a RADIUS server whose certificate chains to the school CA.

Users are not prompted to authorise new servers or trusted certificate authorities.

The authentication method is EAP-MSCHAP v2.


o Computer Authentication is “Computer only”. This ensures that authentication to the wireless network is always performed with the computer account, regardless of the logged-on user, so that the VLAN assignment is based on the group the computer belongs to and not on the user.

• Install Windows Vista on clients using a wired network.

• After clients have joined the domain, ensure that the group policies have been applied using the “GPUPDATE /FORCE” command.

• Clients should be joined to the wireless network.


8 Printer detailed design

8.1 Product selection

• HP Black & White Laserjet P3005 wired printer with HP 625N Internal Gigabit Ethernet Print Server.

• HP Deskjet 9800 wireless printer with HP EW2400 802.11 b/g Wireless Print Server.

• Dell 1710 Black & White Laser wireless printer with Dell Wireless Print Adapter 3300.

8.2 Physical placement of component

All staff rooms will have three Dell 1710 Black & White Laser wireless printers with Dell Wireless Print Adapter 3300 and one HP Deskjet 9800 wireless printer with HP EW2400 802.11 b/g Wireless Print Server.

All administration rooms will have one Dell 1710 Black & White Laser wireless printer with Dell Wireless Print Adapter 3300.

All libraries will have two HP Black & White Laserjet P3005 wired printers with HP 625N Internal Gigabit Ethernet Print Server.

All Type A labs will have two HP Black & White Laserjet P3005 wired printers with HP 625N Internal Gigabit Ethernet Print Server.

All Type B and C labs will have two Dell 1710 Black & White Laser Printers with Dell Wireless Print Adapter 3300.

8.3 Configuration information

All printers will reside in the Student VLAN. All printers will be configured with an IP address from the Student VLAN and will have the last IP octet and name shown below.

The names will be of the form “<Location>-<Model>-<Number>”.

TYPE A

Printer Name             Printer Location       Printer IP Address Last Octet
"Library-HPLJ3005-01"    Library                6
"Library-HPLJ3005-02"    Library                7
"CompLab-HPLJ3005-01"    Computer Lab           10
"CompLab-HPLJ3005-02"    Computer Lab           11
"StaffRm-Dell1710-01"    Staff Room             15
"StaffRm-Dell1710-02"    Staff Room             16
"StaffRm-HPDJ9800-01"    Staff Room             17
"AdminRm-Dell1710-01"    Administration Room    18

TYPE B & C

Printer Name             Printer Location       Printer IP Address Last Octet
"Library-HPLJ3005-01"    Library                6
"Library-HPLJ3005-02"    Library                7
"CompLab-Dell1710-01"    Computer Lab           10
"CompLab-Dell1710-02"    Computer Lab           11
"StaffRm-Dell1710-01"    Staff Room             15
"StaffRm-Dell1710-02"    Staff Room             16
"StaffRm-HPDJ9800-01"    Staff Room             17
"AdminRm-Dell1710-01"    Administration Room    18

All wireless printers will utilise WPA-PSK with WEP encryption. The SSID shall be “<DOMAIN NAME>_PRN”.

The Dell wireless printer servers will utilise the Dell utility software application to configure the settings.

The HP wireless printer servers will utilise the HP utility software application to configure the settings.

The HP wired printer server will be configured from the printer.

8.4 Configuration Sequence

The configuration sequence for the printers is detailed in SEMP-SBI003 – Network Solution Build Instructions.

All WAPs must be configured and brought online before configuring wireless printers.

Configuration of the printer shares on the servers is done using one of the After AD scripts, “installprn.vbs”. It does not matter whether the script or the printer configuration is done first.


9 Firewall detailed design

9.1 Product selection

• Checkpoint UTM EDGE VPN-1 Industrial Appliance

• Version 7.0.45a (upgraded from 7.0.27)

9.2 Physical placement of component

The Firewall will be placed logically at the edge of the networks, between each network and the Internet.

The Internet connection from the Internet Service Provider will be connected to the WAN interface.

The Staff Network will be connected to Port 3 of the Firewall, which will be VLAN 2 on the firewall.

The Student Network will be connected to Port 2 of the Firewall, which will be VLAN 1 on the firewall.

Port 2 of the Firewall will be connected to Port 20 of the MDF switch.

Port 3 of the Firewall will be connected to Port 24 of the MDF switch.

9.3 Configuration information

The firewall rules will be as follows:

• All traffic from the Staff network to the Student network is allowed.

• All traffic between Domain Controllers is allowed.

• All traffic between the Management Server and client machines is allowed.

• DNS traffic from the domain controllers to the Internet is allowed.

• HTTP, HTTPS and FTP traffic is allowed from only the Staff, Student and Management servers to the Internet.

• SMTP traffic is allowed only from the Management Server to the Internet.

• NTP traffic is allowed from the domain controllers to the Internet.

• All other traffic is denied.

• Standard Stealth Rule and Cleanup Rule.
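The rule set above, expressed as an ordered rule base with a first-match evaluator so that the intended effect of each rule can be checked against sample flows before anything is pushed from SmartCenter. This is an added example, not part of SEMP-LLD005 or the Check Point configuration; the object names are assumptions standing in for the real network and host objects, the Stealth-first / Cleanup-last ordering is the usual Check Point convention rather than something the document spells out, and “the Staff, Student and Management servers” is read literally as three server objects.

```powershell
# Added example (not the project's rule base): section 9.3 as an ordered,
# first-match rule base. Object names are assumptions.
$RuleBase = @(
    # Stealth rule first: nothing on any network may address the firewall itself
    @{ No = 1;  Name = 'Stealth';          Src = @('Any');               Dst = @('Firewall');          Svc = @('Any');                Action = 'Drop'   }
    @{ No = 2;  Name = 'Staff to Student'; Src = @('StaffNet');          Dst = @('StudentNet');        Svc = @('Any');                Action = 'Accept' }
    @{ No = 3;  Name = 'DC to DC';         Src = @('DomainControllers'); Dst = @('DomainControllers'); Svc = @('Any');                Action = 'Accept' }
    @{ No = 4;  Name = 'Mgmt to clients';  Src = @('ManagementServer');  Dst = @('Clients');           Svc = @('Any');                Action = 'Accept' }
    @{ No = 5;  Name = 'Clients to Mgmt';  Src = @('Clients');           Dst = @('ManagementServer');  Svc = @('Any');                Action = 'Accept' }
    @{ No = 6;  Name = 'DC DNS out';       Src = @('DomainControllers'); Dst = @('Internet');          Svc = @('dns');                Action = 'Accept' }
    @{ No = 7;  Name = 'Server web out';   Src = @('StaffServer','StudentServer','ManagementServer'); Dst = @('Internet'); Svc = @('http','https','ftp'); Action = 'Accept' }
    @{ No = 8;  Name = 'Mgmt SMTP out';    Src = @('ManagementServer');  Dst = @('Internet');          Svc = @('smtp');               Action = 'Accept' }
    @{ No = 9;  Name = 'DC NTP out';       Src = @('DomainControllers'); Dst = @('Internet');          Svc = @('ntp');                Action = 'Accept' }
    # Cleanup rule last: everything not explicitly accepted above is dropped
    @{ No = 10; Name = 'Cleanup';          Src = @('Any');               Dst = @('Any');               Svc = @('Any');                Action = 'Drop'   }
)

function Test-FirewallFlow {
    # Returns the first rule that matches the flow, which is how the gateway decides.
    param(
        [Parameter(Mandatory=$true)][string]$Source,
        [Parameter(Mandatory=$true)][string]$Destination,
        [Parameter(Mandatory=$true)][string]$Service
    )
    foreach ($rule in $RuleBase) {
        $srcMatch = ($rule.Src -contains 'Any') -or ($rule.Src -contains $Source)
        $dstMatch = ($rule.Dst -contains 'Any') -or ($rule.Dst -contains $Destination)
        $svcMatch = ($rule.Svc -contains 'Any') -or ($rule.Svc -contains $Service)
        if ($srcMatch -and $dstMatch -and $svcMatch) {
            return [pscustomobject]@{
                Source = $Source; Destination = $Destination; Service = $Service
                Rule   = $rule.No; Name = $rule.Name; Action = $rule.Action
            }
        }
    }
    # Only reachable if someone removes the Cleanup rule: fail loudly rather than assume a default
    throw "No rule matched $Source -> $Destination/$Service; the rule base has no cleanup rule"
}

# Sample flows a reviewer would check against the wording of section 9.3
$checks = @(
    @{ Source = 'StaffNet';         Destination = 'StudentNet'; Service = 'smb'   }   # allowed by rule 2
    @{ Source = 'StudentNet';       Destination = 'StaffNet';   Service = 'smb'   }   # reverse direction is not listed: Cleanup
    @{ Source = 'StudentNet';       Destination = 'Internet';   Service = 'http'  }   # only the servers may browse: Cleanup
    @{ Source = 'ManagementServer'; Destination = 'Internet';   Service = 'smtp'  }   # allowed by rule 8
    @{ Source = 'StaffServer';      Destination = 'Internet';   Service = 'smtp'  }   # only Management may send mail: Cleanup
    @{ Source = 'StaffNet';         Destination = 'Firewall';   Service = 'https' }   # Stealth wins even for the trusted Staff network
)
$checks | ForEach-Object { $flow = $_; Test-FirewallFlow @flow } | Format-Table -AutoSize
```

The two flows that are easy to get wrong when the rules are typed into SmartCenter are the last ones: if the Stealth rule is placed after the “Staff to Student”-style accepts, or the Cleanup rule is omitted in favour of the implicit drop, the evaluator shows the difference immediately, and the same table doubles as the expected-result sheet for the post-push test in SEMP-SBI003.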

9.4 Configuration Sequence

The following is an outline of the configuration sequence for the Firewall Appliance; the configuration is detailed in SEMP-SBI003 – Network Solution Build Instructions.

Appliances utilise a web interface for initial configuration.

• Use the setup wizard to configure Internet Connection using DHCP.

• Keep default settings for other settings except the “Service Center” which should be de-selected.

• Configure networks for Staff and Student VLANs as well as assign the IP addresses for the Firewall interfaces.


• Configure Port 2 for Student Network and Port 3 for Staff Network.

All appliance firewall rules will be configured using Checkpoint SmartCenter UTM Power.

• Add appliance gateway in SmartCenter Server.

• Configure rules as required and push rules to appliance.


10 DHCP detailed design

10.1 Product selection

• Windows Server 2003 R2 SP2

10.2 Physical placement of component

Dynamic Host Configuration Protocol (DHCP) is primarily used to configure IP addresses in a network environment. It is also used to configure other aspects of a host such as the domain name, DNS servers and WINS servers.

DHCP will be installed on both DCs – STF01 and SDT01.

10.3 Configuration information

DHCP is configured using the “SEMPInstallDHCP.wsf” script, which is part of the After AD scripts. All network IP and host IP ranges are detailed in the document “MOE SEMP Naming and IP Addressing V1.0.xls”.

This script adds the following settings to DHCP:

• IP scope of the network being served (Staff or Student)

• IP range of host IPs being served

• Router IP (Option Value 3)

• DNS Servers (Option Value 6)

• DNS Domain Name (Option Value 15)

• Automatic Proxy Configuration (Option Value 252)

• Conflict Detection for a maximum of 3 retries

10.4 Configuration Sequence

The script is run as part of the After AD scripts and will install DHCP and configure it as required.
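The settings listed in 10.3, written out as the equivalent “netsh dhcp server” commands for the Student scope on SDT01 (the Staff scope on STF01 is the same sequence with its own values). This is an added example, not the project's SEMPInstallDHCP.wsf, and every address, mask, range, domain name and URL in it is an assumed placeholder; the authoritative values are in “MOE SEMP Naming and IP Addressing V1.0.xls”. It also assumes, as is usual on Windows Server 2003 DHCP, that option 252 is not predefined and has to be added before a value can be set.

```powershell
# Added example (not the project's SEMPInstallDHCP.wsf): section 10.3 as netsh
# dhcp commands for the Student scope. All addresses are assumed placeholders.
function Set-StudentDhcpScope {
    param(
        [string]$Server  = 'SDT01',                         # Student DC hosting DHCP (section 10.2)
        [string]$Network = '10.20.0.0',                     # assumed Student VLAN network
        [string]$Mask    = '255.255.255.0',                 # assumed
        [string]$RangeLo = '10.20.0.100',                   # assumed host range; printer octets 6-18 stay outside it
        [string]$RangeHi = '10.20.0.250',                   # assumed
        [string]$Router  = '10.20.0.1',                     # assumed firewall Port 2 address -> Option 3
        [string]$Dns     = '10.20.0.2',                     # assumed SDT01 address -> Option 6
        [string]$Domain  = 'example.local',                 # assumed -> Option 15
        [string]$WpadUrl = 'http://proxy.example.local/wpad.dat',  # assumed -> Option 252
        [switch]$DryRun                                     # print the commands instead of running them
    )
    $cmds = @(
        # IP scope of the network being served
        "add scope $Network $Mask `"Student`" `"Student VLAN`""
        # IP range of host IPs being served
        "scope $Network add iprange $RangeLo $RangeHi"
        # Router (Option 3), DNS servers (Option 6), DNS domain name (Option 15)
        "scope $Network set optionvalue 003 IPADDRESS $Router"
        "scope $Network set optionvalue 006 IPADDRESS $Dns"
        "scope $Network set optionvalue 015 STRING $Domain"
        # Automatic proxy configuration (Option 252): define the option once at
        # server level (assumed not predefined), then set its value on the scope
        "add optiondef 252 wpad STRING 0"
        "scope $Network set optionvalue 252 STRING $WpadUrl"
        # Conflict detection: probe a candidate address up to 3 times before leasing it
        "set detectconflictretry 3"
        # Activate the scope
        "scope $Network set state 1"
    )
    foreach ($c in $cmds) {
        $line = "netsh dhcp server \\$Server $c"
        if ($DryRun) { Write-Output $line } else { Invoke-Expression $line }
    }
}

function Show-StudentDhcpScope {
    # Read back what the server holds so it can be compared with section 10.3
    param([string]$Server = 'SDT01', [string]$Network = '10.20.0.0')
    netsh dhcp server \\$Server scope $Network show optionvalue
    netsh dhcp server \\$Server show detectconflictretry
}

Set-StudentDhcpScope -DryRun    # review the command list first; drop -DryRun to apply it
```

Two of these settings matter beyond convenience. Conflict detection (three retries) stops the server from leasing an address that a printer or other statically addressed host in the Student VLAN is already using, which is why the printer octets in 8.3 should sit outside the DHCP range. Option 252 hands clients the proxy auto-configuration URL directly from the authoritative DHCP server, so clients do not have to discover it by name lookup; the read-back function makes it easy to confirm that only the intended URL is being served.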