
Internet Space Network (Windows SharePoint Services 2.0)

To conserve Internet IP addresses, the Internet Platform and Operations group used a /28 subnet (a 28-bit net mask) carved out of a class C network, which leaves four host address bits and 14 (2^4 - 2) usable public registered addresses.

All IP addresses in this paper are fictitious and are listed as examples only; they are not the actual addresses used in this deployment. For the purposes of this paper, the following are IP addresses in the Internet Space network:

  • Network: 200.100.1.0

  • Subnet mask: 255.255.255.240

  • Subnet number: 200.100.1.16

  • Subnet broadcast address: 200.100.1.31

  • Available network addresses: 200.100.1.17 - 200.100.1.30

The network address assignment is as follows:

  • Cisco Router Internal Interface: 200.100.1.17

  • NAT Public IP: 200.100.1.18

  • BIG-IP External Virtual IP (VIP): 200.100.1.19

  • BIG-IP External Dedicated IP (DIP) 1: 200.100.1.20

  • BIG-IP External DIP 2: 200.100.1.21

  • HTTP VIP: 200.100.1.22
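The addressing parameters above follow mechanically from the prefix length, and the assignment table can be checked against them. The following is an added example (not part of the original deployment guide) that derives the subnet number, broadcast address and usable range from any address in the /28, and then validates the page's assignment table for addresses that fall outside the usable range or are used twice. The address table is constructed from the fictitious addresses listed above.

```python
import ipaddress

# Constructed from the (fictitious) assignment table on this page.
ASSIGNMENTS = {
    "Cisco router internal interface": "200.100.1.17",
    "NAT public IP": "200.100.1.18",
    "BIG-IP external VIP": "200.100.1.19",
    "BIG-IP external DIP 1": "200.100.1.20",
    "BIG-IP external DIP 2": "200.100.1.21",
    "HTTP VIP": "200.100.1.22",
}


def subnet_plan(cidr):
    """Derive the addressing parameters of a subnet from any address in it
    plus the prefix length, e.g. "200.100.1.17/28".

    Valid for prefixes up to /30; /31 and /32 reserve no addresses."""
    # strict=False accepts a host address instead of the subnet number.
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    usable = 2 ** host_bits - 2  # subnet number and broadcast are reserved
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "host_bits": host_bits,
        "usable": usable,
        "first_usable": str(net.network_address + 1),
        "last_usable": str(net.broadcast_address - 1),
    }


def check_assignments(cidr, assignments):
    """Return a list of problems with an address plan: addresses outside the
    subnet, reserved addresses, and addresses assigned to more than one role."""
    net = ipaddress.ip_network(cidr, strict=False)
    problems = []
    seen = {}
    for role, addr in assignments.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{role}: {addr} is not in {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{role}: {addr} is the subnet number or broadcast address")
        if ip in seen:
            problems.append(f"{role}: {addr} is already assigned to {seen[ip]}")
        seen.setdefault(ip, role)
    return problems


if __name__ == "__main__":
    for key, value in subnet_plan("200.100.1.17/28").items():
        print(f"{key:>12}: {value}")
    print("problems:", check_assignments("200.100.1.16/28", ASSIGNMENTS) or "none")
```

Run with a host address or the subnet number; both resolve to the same /28. The plan reports 14 usable addresses from 200.100.1.17 to 200.100.1.30, and the page's six assignments pass the check with eight addresses left for growth.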

The pair of F5 BIG-IP controllers forms a fail-over cluster, so they need a VIP in addition to the DIPs on each of their NICs.

A VIP is created for the HTTP traffic to load balance Web traffic to the front-end Web servers in the Front End network. The Internet Platform and Operations group registered a wildcard DNS entry with the public DNS server for the iponet.net zone so that all sites resolve to the same IP address.

*.stsbeta.iponet.net resolves to 200.100.1.22

The NAT solution saves public IP addresses and provides an extra level of protection because the servers running Windows SharePoint Services are not exposed to the Internet directly. To further secure the network, the Internet Platform and Operations group applied an outbound IP access list on the Fast Ethernet Interface of the Cisco Systems router to allow only incoming HTTP and SSL (HTTPS) traffic.

Note

Traffic coming from the Internet enters the router and is then forwarded out of the router's internal interface into the network, so this access control list must be applied in the outbound direction on that interface.

The following is an example of an IP access list that allows only HTTP and SSL traffic into the network.

Example IP access list

ip access-list extended EXAMPLE
remark Return traffic for connections initiated from inside (stateless ACK/RST check)
permit tcp any any gt 1023 established
remark Client connections to the HTTP VIP on the BIG-IP
permit tcp any host 200.100.1.22 eq 80
permit tcp any host 200.100.1.22 eq 443
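To see what this access list actually admits, the following added example (not part of the original guide, and not Cisco tooling) parses the subset of IOS extended-ACL syntax used above and evaluates sample packets against it, including the implicit deny that ends every IOS access list. The parser only understands `permit`/`deny`, a protocol, `any` or `host` addresses, `eq`/`gt`/`lt` destination port operators and the `established` keyword; the sample source addresses are constructed from the documentation range 198.51.100.0/24.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The access list from the page, verbatim.
ACL_TEXT = """
ip access-list extended EXAMPLE
permit tcp any any gt 1023 established
permit tcp any host 200.100.1.22 eq 80
permit tcp any host 200.100.1.22 eq 443
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Address]   # None means "any"
    dst: Optional[ipaddress.IPv4Address]   # None means "any"
    port_op: Optional[Tuple[str, int]]     # e.g. ("eq", 80), on the destination port
    established: bool


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag set
    rst: bool = False   # TCP RST flag set


def _address(tokens, pos):
    """Parse 'any' or 'host <ip>' starting at tokens[pos]."""
    if tokens[pos] == "any":
        return None, pos + 1
    if tokens[pos] == "host":
        return ipaddress.ip_address(tokens[pos + 1]), pos + 2
    raise ValueError(f"unsupported address form: {tokens[pos]}")


def parse_acl(text):
    """Parse the supported subset of IOS extended ACL lines into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        # Skip the header line, remarks and blank lines.
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue
        action, proto, pos = tokens[0], tokens[1], 2
        src, pos = _address(tokens, pos)
        dst, pos = _address(tokens, pos)
        port_op = None
        if pos < len(tokens) and tokens[pos] in ("eq", "gt", "lt"):
            port_op = (tokens[pos], int(tokens[pos + 1]))
            pos += 2
        established = pos < len(tokens) and tokens[pos] == "established"
        rules.append(Rule(action, proto, src, dst, port_op, established))
    return rules


def evaluate(rules, pkt):
    """First-match evaluation; returns (action, rule index) or ("deny", None)
    for the implicit deny at the end of every IOS access list."""
    for index, rule in enumerate(rules):
        if rule.proto not in ("ip", pkt.proto):
            continue
        if rule.src is not None and rule.src != ipaddress.ip_address(pkt.src):
            continue
        if rule.dst is not None and rule.dst != ipaddress.ip_address(pkt.dst):
            continue
        if rule.port_op is not None:
            op, port = rule.port_op
            if op == "eq" and pkt.dport != port:
                continue
            if op == "gt" and not pkt.dport > port:
                continue
            if op == "lt" and not pkt.dport < port:
                continue
        # "established" is stateless: it only checks that ACK or RST is set.
        if rule.established and not (pkt.ack or pkt.rst):
            continue
        return rule.action, index
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for pkt in (Packet("tcp", "198.51.100.9", "200.100.1.22", 80),
                Packet("tcp", "198.51.100.9", "200.100.1.22", 8080),
                Packet("tcp", "198.51.100.9", "200.100.1.20", 40000, ack=True)):
        print(pkt, "->", evaluate(acl, pkt))
```

New connections to ports 80 and 443 on the HTTP VIP are permitted, a connection to any other port or to any other address in the subnet (the NAT address, the BIG-IP DIPs) falls through to the implicit deny, and a reply carrying the ACK flag to an ephemeral port is admitted by the first rule. Note that `established` only inspects TCP flags; the router keeps no connection table, so any segment with ACK or RST set and a destination port above 1023 matches that rule whether or not a session exists. A stateful inspection feature is needed if that distinction matters.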