Network Segmentation

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

As shown in Figure 1, the network of this deployment consists of three segments:

  • Internet Space network

  • Front End network

  • Back End network

The Internet Space network provides Internet access and uses registered domain names and public network addresses. A Cisco Systems router and a pair of fail-over F5 BIG-IP controllers connect this network segment to the rest of the network.

The BIG-IP controllers are also members of the Front End network, where front-end Web servers running Windows SharePoint Services, the Simple Mail Transfer Protocol (SMTP) and Domain Name System (DNS) server, and the terminal services, debugging, and administration server reside. All servers in the Front End segment have Internet access. Because F5 BIG-IP controllers have Network Address Translation (NAT) functionality, the Front End network servers are configured to use private Internet addresses and to use NAT to access the Internet.

Two 100 megabits per second (Mbps) network interface cards (NICs) are used for each server connected to the Front End network. It is recommended that you switch to the 100 Mbps/duplex NIC setting to ensure that each server uses 100 Mbps.

The SQL Server clusters, domain controllers, Microsoft Operations Manager (MOM) server, backup server, and imaging and installation server reside on the Back End network and are connected to a Cisco switch. Each server running SQL Server has a 1 gigabit per second (Gbps) NIC connected to the Back End network to ensure that SQL Server operations have enough bandwidth. The front-end Web servers and SMTP and DNS server are dual-homed to both the Front End and Back End networks. The Back End network carries authentication and data storage traffic. To help maintain a high level of security, the domain controllers and servers running SQL Server do not have Internet access, and the Back End network uses private IP addresses. With additional routing control, the Back End network can be connected to an edge network for managing servers.

The Cisco Systems router is configured with an IP access list to allow only pre-defined incoming Hypertext Transfer Protocol (HTTP) and Secure Sockets Layer (SSL) requests. To be more secure, you can connect the Front End and Back End network by using a router or firewall, instead of using dual-homed servers across the two networks. If you use a router or firewall, the following ports should be open between the Front End and Back End networks:

  • Microsoft Directory Service traffic (Transmission Control Protocol (TCP) Port 445, User Datagram Protocol (UDP) Port 445)

  • Kerberos authentication protocol (TCP Port 88, UDP Port 88)

  • Lightweight Directory Access Protocol (LDAP) PING (UDP Port 389)

  • Domain Name System (DNS) (TCP Port 53, UDP Port 53)

  • SQL Server (TCP Port 1433; open on the Back End network only)

For more information about controlling ports, refer to the documentation for your router or firewall hardware and software.

For more security, install a firewall in front of the Internet Space network to granularly control the traffic to your site. Ports 80 and 443 must be open on that firewall.
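As an added example (not part of the original document), the Front End to Back End port list and the edge firewall rule above can be written as an allow-list model and checked against sample flows; the segment names and the constructed flows are assumptions made for illustration.

```python
# Added example, not from the original document: a policy model of the
# three-segment layout above; segment names and sample flows are assumptions.

# Flows initiated from the Front End network into the Back End network.
FRONT_TO_BACK = {
    ("tcp", 445), ("udp", 445),   # Microsoft Directory Service
    ("tcp", 88), ("udp", 88),     # Kerberos
    ("udp", 389),                 # LDAP ping
    ("tcp", 53), ("udp", 53),     # DNS
    ("tcp", 1433),                # SQL Server, reachable on the Back End only
}

# Inbound through the edge firewall / router access list: HTTP and SSL only.
INTERNET_TO_FRONT = {("tcp", 80), ("tcp", 443)}


def is_allowed(src, dst, proto, port):
    """True if a flow initiated from segment src to dst on (proto, port) is permitted."""
    key = (proto.lower(), int(port))
    if src == dst:
        return True                      # intra-segment traffic is not filtered here
    if src == "internet" and dst == "front_end":
        return key in INTERNET_TO_FRONT
    if src == "front_end" and dst == "back_end":
        return key in FRONT_TO_BACK
    if src == "front_end" and dst == "internet":
        return True                      # Front End servers reach the Internet via NAT
    # Everything else is denied: nothing from the Internet reaches the Back End
    # directly, and domain controllers / SQL Server have no Internet access.
    return False


def audit(flows):
    """Return the subset of (src, dst, proto, port) flows that the design forbids."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed sample flows (not captured from any real deployment).
SAMPLE_FLOWS = [
    ("internet", "front_end", "tcp", 443),   # client HTTPS to a Web server
    ("front_end", "back_end", "tcp", 1433),  # Web server to SQL Server
    ("front_end", "back_end", "udp", 389),   # LDAP ping to a domain controller
    ("internet", "front_end", "tcp", 1433),  # SQL port exposed at the edge
    ("internet", "back_end", "tcp", 445),    # direct SMB into the Back End
    ("back_end", "internet", "tcp", 80),     # SQL/DC host reaching out
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("DENY", flow)
```

Running the block prints the last three sample flows as denied; feeding it flows exported from a firewall log gives a quick check that the deployed rules still match the design.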

For the private Internet network addresses allocation, see RFC 1918.