
Background - "Extranet"

We have about a dozen users that are on what I would call an Extranet. It is an air-gapped LAN that is physically in the same location as our primary LAN. We share the Extranet LAN with a sister agency which is in another building and while we own the equipment they administratively manage the actual routers and switches. Once the connection leaves our building it travels through our sister agency's infrastructure where our users' traffic is mingled with their users' traffic. Finally it is routed out to a financial institution's network via a dedicated circuit so all of our users can do financial stuff. We have informal and formal agreements in place with both our sister agency and the financial institution which include these restrictions:

  1. To limit Internet usage of our users to a reasonable amount since they are using our sister agency's Internet connection when doing general web stuff
  2. That we never under any circumstance permit packets to be routed from our primary LAN to the Extranet LAN.

Lack of Manageability: Extranet or Extra Headache?

The Extranet computers are on what is more or less an air-gapped DMZ; they are not managed with Active Directory and get their file, printer and WSUS services from a standalone rackmount server. This limits the manageability of their computers. Restriction #2 requires us to go to some contortions to perform backups and general administrative work. This was all well and good when that division had IT staff but now they do not (YAY! Budget Cuts!). My supervisor and I agree the best way to move forward would be to move them over to our existing platform(s) wherever possible so we are only maintaining one system and not two or three.

There is an additional Disaster Recovery and Business Continuity concern. The standing plan is essentially to take an LTO tape containing backups and go somewhere and then recover the data and away we go. My supervisor and I both agree there is some detail that is missing from this plan before it is workable. It would be nice to address this concern along with the file services at the same time.

Last but not least... financial stuff is time sensitive and important. As in millions of dollars worth of important. Standardization, reliability and security of their computers and the Extranet LAN is a requirement, even more so now that we do not have IT staff that can be on-site during the initial hours of their shift who could immediately respond to an issue.

The technical requirements of our Extranet users are pretty mundane: Windows 7 workstations, file, print and update services, internet access and a few 3rd party applications provided by our financial partner.


Goals

I want to accomplish the following:

  • Eliminate their standalone server and provide file, print and update services through another methodology
  • Get some kind of warm standby file services for DR/BC purposes
  • Increase our visibility and manageability of their machines
  • Do all this without violating our agreements with our sister agency and financial partner

The Actual Question

What kind of combination of technologies and architecture would work for this?

While I know this sounds suspiciously like a shopping recommendation I am doing my best to frame it as an architectural question and avoid the X/Y trap, please feel free to edit as appropriate.



File / Print Services

I can see a number of solutions for the file and print services - I believe that we can just extend the Extranet as a VLAN onto our virtualization platform and then we can eliminate the rackmount server and associated equipment. Unfortunately this does not cover the DR/BC services - I am looking at things like Azure File Storage, an Azure-based Virtual Machine that we use as a DFS target or even OneDrive for Business. I just cannot figure out how to glue these technologies together to address our requirements.

Ideally we could just use some kind of "cloud" service for file access but I am concerned with internet usage (restriction #1) and the lack of ability of having a local copy on-network in case of a service outage. I feel like there is a "have my cake and eat it too" solution here but I just do not see it.

Visibility and Management

I would love, love, love to have these computers joined to our Active Directory domain but I cannot see a way to do that considering restriction #2. I have started looking at Active Directory in Azure but admittedly I do not really understand it and it seems just limited to Single Sign-On services. What I really want is a way to get GPOs to those machines and have a central authentication store. I am further limited in that our Active Directory domain is managed by another group so any proposal to "extend it" would be politically and bureaucratically difficult but not impossible. Our AD team is working on an organization-wide Office 365 tenancy which will implement a DirSync of some kind but I cannot see what that would buy me other than OneDrive for Business (which could address file services but not configuration management).

I am currently working on implementing Internet-based Configuration Management which, if I can manage the bandwidth issues (restriction #1), will give me some visibility with Hardware Inventory, Windows Updates and 3rd Party Application deployments. Configuration Items are a pretty hacky way to replace Group Policy but I suppose, if push comes to shove, that would work.


We have a lot of stuff available to try and address this problem. A pretty beefy virtualization environment (Cisco UCS, vSphere and NetApp), SCCM, Microsoft Azure, Office 365 (hopefully soon) and just about any Microsoft technology out there we should already be licensed for.

Maybe you guys can see something that I missed.

  • Could you use point-to-site VPNs from your win7 machines to Azure? – CtrlDot May 02 '16 at 01:08
  • Restriction #1 is not clear. 'General Web Stuff' is pretty much everything in today's world. What is the purpose of limiting usage? 1) To not impact other users because of limited bandwidth or 2) to limit the security risk of surfing the wild wild web? – Mark Arnott Jul 31 '16 at 20:15

2 Answers


Eliminate their standalone server and provide file, print and update services through another methodology

Get some kind of warm standby file services for DR/BC purposes

There isn't much gluing together that needs to happen to make a good solution.

Your suggestion of virtualizing the server and extending the VLAN is a good option. It can completely address your DR needs, depending on your hypervisor, if you turn the rack mount server into a replication target for the VM. Hyper-V supports this, and VMware probably does too. Or, like you said, replicate to an Azure VM.

As for backups, I agree and would look into an offsite backup service such as Azure Backup. Recovery is simple, space is cheap, and it will reduce your administrative overhead. It can operate with a single agent installed on the machine (as opposed to a full blown server/infrastructure solution), and backs up everything over standard HTTPS. The backups run overnight and they are fairly small, as all backups after the initial are incremental only.

Increase our visibility and manageability of their machines

In this case, if they are not already on an Active Directory domain, I would push to get them on one. Then, create a trust relationship between the two agencies that allows your administrators to manipulate the directory. This will even simplify access for YOUR users by enabling them to reuse the same account.

Note that this is not "Extending" your Active Directory environment so much as creating a pathway for communicating permissions between two environments. You have fairly granular control, including whether to allow users from one forest to log on to another.

Do all this without violating our agreements with our sister agency and financial partner

The above solutions don't require any intermingling of packets, or even sharing of data. If your user logs onto their network with the same user name, it doesn't in any way imply that your company's data will be accessible on the sister company's network.

Jonathon Anderson

Promote your existing Windows Server on the extranet to a Domain Controller, as a new, independent domain. Promoting a second Windows Server (on different hardware) to Domain Controller would allow for failover and redundancy.

You can use DFS Namespaces and replication for the file services. And now you can use the GPOs for your security requirements.

Groups, Users, and Group Policies here would also be independent from other systems; is there any benefit to having a trust relationship with others?

I'll defer to the other answers for offsite backups and systems management.

DNS is one area some cooperation may be useful. Naming your Windows domain affects your DNS domain, so think about being a sub-domain of their DNS, even though your Windows Domain is independent.

axus
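The procedure this answer describes (independent forest on the existing extranet server, a second domain controller on separate hardware, DFS Namespaces plus DFS Replication for file services, and a GPO for the workstations) as an added PowerShell example; it is not the answerer's code. It assumes Windows Server 2012 R2 or later on both servers, and the names DC1, DC2, extranet.example.gov / EXTRANET, the D:\Finance share, the Workstations OU and the PRIMARY_LAN_PREFIX placeholder are all hypothetical.

```powershell
# Added example, not code from the question or either answer. Assumes Windows Server 2012 R2
# or later on the existing extranet server (DC1) and a second box (DC2); the forest name
# extranet.example.gov / EXTRANET, the share path D:\Finance, the OU name and the
# PRIMARY_LAN_PREFIX placeholder are all hypothetical.

# --- On DC1: new, independent forest. No trust is created and nothing is linked to the primary LAN.
Install-WindowsFeature AD-Domain-Services, DNS, FS-DFS-Namespace, FS-DFS-Replication -IncludeManagementTools
Install-ADDSForest -DomainName 'extranet.example.gov' -DomainNetbiosName 'EXTRANET' `
    -ForestMode Win2012R2 -DomainMode Win2012R2 -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
# (DC1 reboots here)

# --- On DC2: second domain controller for failover and redundancy.
Install-WindowsFeature AD-Domain-Services, DNS, FS-DFS-Namespace, FS-DFS-Replication -IncludeManagementTools
Install-ADDSDomainController -DomainName 'extranet.example.gov' -InstallDns `
    -Credential (Get-Credential 'EXTRANET\Administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
# (DC2 reboots here)

# --- On each DC: local folders and shares that back the namespace root and the replicated folder.
New-Item -Path 'D:\DfsRoot', 'D:\Finance' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'DfsRoot' -Path 'D:\DfsRoot' -ReadAccess 'Everyone' | Out-Null
New-SmbShare -Name 'Finance' -Path 'D:\Finance' -FullAccess 'EXTRANET\Finance Users' | Out-Null

# --- On DC1, once both DCs are up: domain-based namespace with a root and folder target on each DC,
#     so \\extranet.example.gov\Shares\Finance stays reachable if either server is down.
New-DfsnRoot -Path '\\extranet.example.gov\Shares' -TargetPath '\\DC1\DfsRoot' -Type DomainV2 | Out-Null
New-DfsnRootTarget -Path '\\extranet.example.gov\Shares' -TargetPath '\\DC2\DfsRoot' | Out-Null
New-DfsnFolder -Path '\\extranet.example.gov\Shares\Finance' -TargetPath '\\DC1\Finance' | Out-Null
New-DfsnFolderTarget -Path '\\extranet.example.gov\Shares\Finance' -TargetPath '\\DC2\Finance' | Out-Null

# DFS Replication keeps the two Finance folders in sync; DC1 is the authoritative copy for the initial sync.
New-DfsReplicationGroup -GroupName 'Finance' |
    New-DfsReplicatedFolder -FolderName 'Finance' |
    Add-DfsrMember -ComputerName 'DC1', 'DC2' | Out-Null
Add-DfsrConnection -GroupName 'Finance' -SourceComputerName 'DC1' -DestinationComputerName 'DC2' | Out-Null
Set-DfsrMembership -GroupName 'Finance' -FolderName 'Finance' -ComputerName 'DC1' -ContentPath 'D:\Finance' -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName 'Finance' -FolderName 'Finance' -ComputerName 'DC2' -ContentPath 'D:\Finance' -Force | Out-Null

# --- Workstations get their security settings from a GPO linked to their own OU.
New-ADOrganizationalUnit -Name 'Workstations' -Path 'DC=extranet,DC=example,DC=gov'
New-GPO -Name 'Extranet Workstation Baseline' |
    New-GPLink -Target 'OU=Workstations,DC=extranet,DC=example,DC=gov' -LinkEnabled Yes | Out-Null

# --- Sanity check for restriction #2: the DC must hold no route toward the primary LAN.
$leak = Get-NetRoute -AddressFamily IPv4 | Where-Object DestinationPrefix -like 'PRIMARY_LAN_PREFIX*'
if ($leak) { Write-Warning "Route(s) toward the primary LAN present: $($leak.DestinationPrefix -join ', ')" }
```

The DFSR initial sync only starts once Active Directory replication has carried the new configuration to both DCs, so expect a delay between the last Set-DfsrMembership call and the first replicated file.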