Network Segmentation (Windows SharePoint Services 2.0)

As shown in Figure 1, the network of this deployment consists of three segments:

  • Internet Space network

  • Front End network

  • Back End network

The Internet Space network provides Internet access and uses registered domain names and public network addresses. A Cisco Systems router and a pair of fail-over F5 BIG-IP controllers connect this network segment to the rest of the network.

The BIG-IP controllers are also members of the Front End network, where the front-end Web servers running Windows SharePoint Services, the Simple Mail Transfer Protocol (SMTP) and Domain Name System (DNS) server, and the terminal services, debugging, and administration server reside. All servers in the Front End segment have Internet access. Because the F5 BIG-IP controllers provide Network Address Translation (NAT), the Front End servers are configured with private (RFC 1918) IP addresses and reach the Internet through NAT; no Front End server carries a public address of its own.

Each server connected to the Front End network uses two 100 megabits per second (Mbps) network interface cards (NICs). It is recommended that you set each NIC, and the switch port it connects to, explicitly to 100 Mbps/full duplex so that each server actually runs at 100 Mbps; a duplex mismatch between a NIC and its switch port shows up as errors and poor throughput rather than as a clean failure.

The SQL Server clusters, domain controllers, Microsoft Operations Manager (MOM) server, backup server, and imaging and installation server reside on the Back End network and are connected to a Cisco switch. Each server running SQL Server has a 1 gigabit per second (Gbps) NIC connected to the Back End network so that SQL Server operations have enough bandwidth. The front-end Web servers and the SMTP and DNS server are dual-homed, with one NIC on the Front End network and one on the Back End network. The Back End network carries authentication and data storage traffic. To help maintain a high level of security, the domain controllers and servers running SQL Server have no Internet access, and the Back End network uses private (RFC 1918) IP addresses. With additional routing control, the Back End network can be connected to an edge network used for managing servers.

The Cisco Systems router is configured with an IP access list that admits only incoming Hypertext Transfer Protocol (HTTP) and Secure Sockets Layer (SSL) requests to the published Web addresses. Dual-homed servers are the weak point of this layout: a front-end Web server that is compromised from the Internet already has an interface on the Back End network. To be more secure, connect the Front End and Back End networks through a router or firewall instead of dual-homing servers across the two networks. If you use a router or firewall, the following ports should be open between the Front End and Back End networks:

  • Microsoft-DS (Microsoft Directory Service, that is, SMB over TCP/IP) traffic (Transmission Control Protocol (TCP) Port 445, User Datagram Protocol (UDP) Port 445)

  • Kerberos authentication protocol (TCP Port 88, UDP Port 88)

  • Lightweight Directory Access Protocol (LDAP) PING (UDP Port 389)

  • Domain Name System (DNS) (TCP Port 53, UDP Port 53)

  • SQL Server (TCP Port 1433; open on the Back End network only)

For more information about controlling ports, refer to the documentation for your router or firewall hardware and software. After applying the rules, confirm that the front-end Web servers can still log on to the domain, resolve names, and open connections to SQL Server, and that no host on the Back End network can initiate a connection outward; the list above is the minimum for this deployment, not a template for every site.

For more security, install a firewall in front of the Internet Space network to control traffic to your site at a finer grain. Only inbound TCP ports 80 (HTTP) and 443 (SSL) need to be open on that firewall; all other inbound traffic should be denied.
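The two rule sets described above, the Internet-facing access list that admits only HTTP and SSL, and a router between the Front End and Back End networks that admits only the listed ports, written out in Cisco IOS extended access-list syntax. This is an added example, not configuration from the original article or from Microsoft. The subnets, host addresses, interface names, and access-list names are assumptions chosen for illustration; the Back End hosts are two domain controllers (which also serve DNS) and the SQL Server cluster's virtual address.

```cisco
! Added example, not from the article. Assumed addressing:
!   Public Web address on the BIG-IP (Internet Space)   203.0.113.10
!   Front End network (RFC 1918)                        10.10.1.0/24
!   Back End network  (RFC 1918)                        10.10.2.0/24
!     domain controllers, also DNS                      10.10.2.10, 10.10.2.11
!     SQL Server cluster virtual IP                     10.10.2.20
! Interface names are assumptions as well.

!--- 1. Internet-facing router: only HTTP and SSL to the site ----------------
ip access-list extended INTERNET-IN
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 deny   ip  any any log
!
interface FastEthernet0/0
 description Internet Space
 ip access-group INTERNET-IN in

!--- 2. Router between Front End and Back End (instead of dual-homed servers) -
! Front End -> Back End: only the listed ports, and only to the hosts that
! serve them (AD/DNS ports to the domain controllers, 1433 to the SQL VIP).
ip access-list extended FE-TO-BE
 remark Microsoft-DS (SMB), Kerberos, LDAP ping, DNS to the domain controllers
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.2.10 eq 445
 permit udp 10.10.1.0 0.0.0.255 host 10.10.2.10 eq 445
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.2.10 eq 88
 permit udp 10.10.1.0 0.0.0.255 host 10.10.2.10 eq 88
 permit udp 10.10.1.0 0.0.0.255 host 10.10.2.10 eq 389
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.2.10 eq 53
 permit udp 10.10.1.0 0.0.0.255 host 10.10.2.10 eq 53
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.2.11 eq 445
 permit udp 10.10.1.0 0.0.0.255 host 10.10.2.11 eq 445
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.2.11 eq 88
 permit udp 10.10.1.0 0.0.0.255 host 10.10.2.11 eq 88
 permit udp 10.10.1.0 0.0.0.255 host 10.10.2.11 eq 389
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.2.11 eq 53
 permit udp 10.10.1.0 0.0.0.255 host 10.10.2.11 eq 53
 remark SQL Server: front-end Web servers to the cluster virtual IP only
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.2.20 eq 1433
 remark everything else from the Front End is dropped and logged
 deny   ip  any any log
!
! Back End -> Front End: replies only. IOS access lists are stateless, so the
! return half of each flow must be permitted explicitly. "established" matches
! TCP segments with ACK or RST set, which is a flag check, not a session table.
ip access-list extended BE-TO-FE
 permit tcp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 established
 remark UDP replies from the domain controllers (source port = service port)
 permit udp host 10.10.2.10 eq 445 10.10.1.0 0.0.0.255
 permit udp host 10.10.2.10 eq 88  10.10.1.0 0.0.0.255
 permit udp host 10.10.2.10 eq 389 10.10.1.0 0.0.0.255
 permit udp host 10.10.2.10 eq 53  10.10.1.0 0.0.0.255
 permit udp host 10.10.2.11 eq 445 10.10.1.0 0.0.0.255
 permit udp host 10.10.2.11 eq 88  10.10.1.0 0.0.0.255
 permit udp host 10.10.2.11 eq 389 10.10.1.0 0.0.0.255
 permit udp host 10.10.2.11 eq 53  10.10.1.0 0.0.0.255
 remark nothing on the Back End may initiate a connection anywhere
 deny   ip  any any log
!
interface FastEthernet0/1
 description Front End
 ip access-group FE-TO-BE in
!
interface FastEthernet0/2
 description Back End
 ip access-group BE-TO-FE in
```

The `deny ip any any log` entries make the implicit deny visible: `show access-lists FE-TO-BE` shows per-entry hit counts, and the logged denies are what you watch for a front-end host probing the Back End. If a Back End host genuinely must initiate traffic toward the Front End (for example, a domain controller forwarding DNS queries to the SMTP and DNS server), add that as one explicit `permit` in `BE-TO-FE` rather than loosening the deny. A stateful firewall in the same position expresses the whole policy as the `FE-TO-BE` permits alone, because it tracks return traffic itself and does not rely on the `established` flag check, which is the stronger choice where one is available.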

For the allocation of private IP addresses, see RFC 1918.