Tuesday, 6 September 2011

TCP/IP Configuration Settings in any network


The following table summarizes many of the configuration settings for a TCP/IP network.

  IP address: Identifies both the logical host and logical network addresses.
  Subnet mask: Identifies which portion of the IP address is the network address.
  Default gateway: Identifies the router to which packets for remote networks are sent.
  Host name: Identifies the logical name of the local system.
  DNS server: Identifies the DNS server that is used to resolve host names to IP addresses.
  WINS server: Identifies the WINS server that is used to resolve NetBIOS names (not DNS host names) to IP addresses.
  MAC address: Identifies the physical address. On an Ethernet network, this address is burned into the network adapter hardware.
Keep in mind the following regarding TCP/IP configuration:
  • All computers must be assigned a unique IP address.
  • Hosts on the same physical network should have IP addresses in the same address range.
  • The subnet mask value for all computers on the same physical network must be the same.
  • Configure the default gateway value to enable internetwork communication.
  • The default gateway address must be on the same subnet as the host's IP address.




Choosing the Addressing Method
The table below lists options for assigning IP addresses and when each is appropriate.

Static (manual) assignment
  • Small number of hosts.
  • Network will not change or grow.
  • Hosts that must have the same address each time.
  • Small networks where the administrative time and cost is acceptable.
  • Non-DHCP hosts (hosts that cannot accept an IP address from DHCP).
  • To reduce DHCP-related traffic.
APIPA
  • Single-subnet network.
  • No DNS services.
  • Automatic configuration of IP address and subnet mask only.
  • Small, non-subnetted networks.
  • Implementations for which you do not need to customize the default address range.
DHCP
  • Small, medium, or large networks.
  • Automatic configuration.
  • Automatic delivery of additional configuration parameters (such as default gateway and DNS servers).
Alternate configuration
  • A single computer connects to two networks, one without a DHCP server.
  • A computer is connected to a network using DHCP, but you want it to be properly configured when the DHCP server is unavailable.

You should know the following facts about IP address assignments:
  • By default, all Windows computers try to use DHCP for TCP/IP configuration information.
  • APIPA is used to automatically generate an IP address if the DHCP server is unavailable and no alternate address is configured.
  • APIPA uses the link-local block 169.254.0.0/16 (mask 255.255.0.0). The host picks a random address from 169.254.1.0 through 169.254.254.255 (the first and last /24 of the block are reserved by RFC 3927) and checks with ARP that no other host is already using it.
  • If the computer assigned itself an address in this range, it could not contact a DHCP server.
  • When you configure a static IP address, you disable DHCP and APIPA on that connection.
  • Use an alternate IP address to use DHCP on one network and static addressing on another without reconfiguring the connection.
  • When you configure an alternate IP address, APIPA is no longer used when the DHCP server can't be contacted.
  • You can rely on APIPA for your IP addressing solution, but only for a network with a single subnet. APIPA does not set the default gateway or name server address, so APIPA hosts cannot reach other subnets or resolve names through DNS.
IP Addressing Facts
The following table lists the default IP addressing classes and masks (the class is determined by the first octet):

  Class A: 1.0.0.0 to 126.255.255.255, default mask 255.0.0.0
  Class B: 128.0.0.0 to 191.255.255.255, default mask 255.255.0.0
  Class C: 192.0.0.0 to 223.255.255.255, default mask 255.255.255.0
  Class D: 224.0.0.0 to 239.255.255.255 (multicast addresses, no host mask)
  Class E: 240.0.0.0 to 255.255.255.255 (experimental addresses, no host mask)
The 127.0.0.0/8 block between Class A and Class B is reserved for loopback (127.0.0.1), which is why it does not appear in the table.
You should also know the following address ranges that are reserved for private addresses. Use these addresses on a private network that is connected to the Internet through a network address translation (NAT) router.
  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255
Keep in mind the following facts about IP addresses:
  • The first address in a range on the subnet is the subnet address. Typically, this address is not assigned to hosts.
  • The last address in a range on the subnet is the broadcast address. Typically, this address is not assigned to hosts.

Troubleshooting TCP/IP
Use the following tips to troubleshoot TCP/IP:
  • Use Ipconfig /all to verify your IP address, subnet mask, default gateway, DNS servers, and other IP configuration values.
  • If the IP address is in the APIPA range (169.254.x.x), the computer could not contact a DHCP server. Use Ipconfig /renew to try contacting the DHCP server again (Ipconfig /release first if the old lease is suspect).
  • Use Ping to send ICMP echo requests to a computer to see if it responds. Microsoft recommends working outward in the following order:
    1. Ping the loopback address (127.0.0.1). This verifies that the TCP/IP protocol stack is installed and working.
    2. Ping the local IP address assigned to the machine. This verifies that the address is bound correctly on the local host (the packet never leaves the stack, so it does not prove the cable or NIC is good).
    3. Ping the default gateway. This verifies that the NIC, the cable, and the local network are working and that the gateway is reachable.
    4. Ping a remote host by IP address, then by name. The first checks routing beyond the gateway; the second separates routing problems from name-resolution problems.
  • Remember that a firewall or a host that drops ICMP echo requests makes a working path look dead; a failed ping is a symptom, not a diagnosis.
  • Use Tracert to see the route packets take through an internetwork between two devices.
  • Use Pathping to view the route of the connection and the per-hop loss and response time. This can help identify where latency or loss occurs.
  • Use the Arp -d * command to remove all dynamic ARP entries from the ARP cache, for example after an address or NIC change that left a stale mapping.
  • Use the Windows system logs to track DHCP service startup and shutdown as well as critical errors.
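The checks in the lists above (a mask that matches the subnet, a gateway on the host's own subnet, an APIPA address meaning no DHCP answer) can be run mechanically over the output of Ipconfig /all. The following Python script is an added example written for these notes, not part of the original course material: it parses a constructed ipconfig /all dump (the adapter names, addresses and field layout are assumptions modelled on the Windows XP/2003 output format) and reports the same findings the troubleshooting tips tell you to look for.

```python
import ipaddress
import re

# Constructed sample in the layout of "ipconfig /all" on Windows XP/2003.
# Not captured from a real host; adapter names and addresses are made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.37.12
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :

Ethernet adapter Lab:

   Physical Address. . . . . . . . . : 00-0C-29-12-34-56
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Return {adapter: {field: value}} from ipconfig /all style text.

    Unindented lines ending in ':' start an adapter section; indented
    'Name . . . : value' lines are fields. Lines before the first adapter
    (Host Name and so on) are stored under the key 'global'.
    """
    adapters = {"global": {}}
    current = "global"
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = re.sub(r"^\w+ adapter ", "", line[:-1])  # "Ethernet adapter Lab:" -> "Lab"
            adapters[current] = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            adapters[current][key.strip(" .")] = value.strip()
    return adapters


def address_class(addr):
    """Classful letter from the first octet: A <128, B <192, C <224, D <240, else E."""
    first = int(ipaddress.ip_address(addr)) >> 24
    for letter, limit in (("A", 128), ("B", 192), ("C", 224), ("D", 240)):
        if first < limit:
            return letter
    return "E"


def check_adapter(fields):
    """Apply the configuration rules from the notes to one adapter; return a list of findings."""
    findings = []
    ip_text = fields.get("IP Address") or fields.get("Autoconfiguration IP Address")
    if not ip_text:
        return ["no IPv4 address bound"]
    ip = ipaddress.ip_address(ip_text)
    if ip in APIPA:
        findings.append("APIPA address %s: no DHCP server answered; try ipconfig /renew" % ip)
        scope = "link-local"
    elif any(ip in n for n in PRIVATE):
        scope = "private (NAT required for Internet access)"
    else:
        scope = "public"
    findings.append("class %s, %s" % (address_class(ip), scope))
    mask = fields.get("Subnet Mask")
    if not mask:
        findings.append("no subnet mask")
        return findings
    iface = ipaddress.ip_interface("%s/%s" % (ip, mask))
    gw_text = fields.get("Default Gateway")
    if not gw_text:
        findings.append("no default gateway: only %s is reachable" % iface.network)
    elif ipaddress.ip_address(gw_text) not in iface.network:
        findings.append("default gateway %s is not on the host's subnet %s" % (gw_text, iface.network))
    if not fields.get("DNS Servers"):
        findings.append("no DNS server: host names will not resolve")
    return findings


def audit(text):
    """Run the checks on every adapter in an ipconfig /all dump."""
    parsed = parse_ipconfig(text)
    return {name: check_adapter(fields) for name, fields in parsed.items() if name != "global"}


if __name__ == "__main__":
    for adapter, findings in audit(SAMPLE_IPCONFIG).items():
        print(adapter)
        for finding in findings:
            print("  -", finding)
```

On the sample, the first adapter is flagged as APIPA with no gateway and no DNS (the classic "DHCP server unreachable" picture), and the second is flagged because its gateway 192.168.2.1 is not on 192.168.1.0/24, which is the configuration mistake the rules above warn against.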

Network Monitor and System Monitor in server 2003


Two common tools, Network Monitor and System Monitor, are useful in monitoring your system. While both can be used to gather some information related to network performance, Network Monitor is the tool you will use most often to analyze network traffic and gather information about communication between two computers. The following table compares the features of Network Monitor and System Monitor.

Data collected
  Network Monitor: Captures packets (or packet fragments) and their contents; reports statistics about network traffic.
  System Monitor: Monitors system statistics, producing counters and charts of system performance for local components including disk, processor, memory, and network.
Data reports
  Network Monitor: View the contents of sent and received packets and network traffic statistics.
  System Monitor: View graphs of system performance and counters.
Event tracking
  Network Monitor: Configure triggers to stop a capture or execute a command based on a specific network traffic event (or packet type).
  System Monitor: Configure alerts to log an entry, send a message, or run a program when a counter reaches a specific threshold.
Identifying captured data
  Network Monitor: Configure capture filters to capture only specific packets, or display filters to show only certain packets from a capture.
  System Monitor: Select objects and counters to identify the statistics you want to track.
You should know the following facts about Network Monitor:
  • The version of Network Monitor that ships with Windows Server 2003 can only capture traffic to and from the local computer (plus broadcasts).
  • To capture all packets on a segment (promiscuous mode), use the full version of Network Monitor that comes with Systems Management Server (SMS).
  • Even with the SMS version, a switch only delivers unicast frames to the port of the destination computer, so you will not see traffic between other hosts unless the switch mirrors their ports (SPAN/port mirroring) to the port the capturing machine is on, or you capture on a hub.
  • Use Dedicated Capture mode with Network Monitor to ensure you capture all packets. The capture window is not refreshed while in this mode, which reduces dropped frames on a busy segment.

Monday, 28 March 2011

Remote Access Design Guidelines in Server 2003 Network Infrastructure


You should know the following facts about remote access:
  • The ability to connect to a remote access server is controlled through remote access policies.
  • Remote access policies are stored on each remote access server. If you have multiple remote access servers, you must configure each server with the same remote access policies, or the decision will depend on which server the client happens to reach.
  • If you have multiple remote access servers, you can centralize policies by using a RADIUS solution. IAS (Internet Authentication Service) is Microsoft's RADIUS server. With RADIUS:
    • Each remote access server is configured as a RADIUS client (with a shared secret it uses to authenticate to the RADIUS server).
    • Remote access policies are configured only on the RADIUS (IAS) server.
    • Remote access servers pass authentication and authorization requests on to the RADIUS server and enforce its answer.
You should know the following facts about remote access policies:
  • Authorization of a connection attempt is determined by three steps:
    1. Check the connection for a match in the policy conditions.
    2. Check either the Active Directory user account or the policy for the remote access permission.
    3. Check the profile settings for additional restrictions on the connection.
  • Incoming connections are compared to the conditions found in a policy. All conditions in a policy must match.
  • If the connection does not match the conditions in the first policy, the next policy in order is checked.
  • When a match is found, that policy is used for the connection (no other policies are checked).
  • If the connection does not match the conditions of any policy, the connection is refused.
  • After a matching policy is found, permissions are checked. If the permissions deny the connection, no other policies are checked.
  • The permission on the user account (Allow access or Deny access) overrides the permission set in the policy, unless the account is set to Control access through Remote Access Policy, in which case the policy's permission applies.
  • If the permissions grant access, the policy profile is checked for additional constraints (authentication method, tunnel type, time restrictions, and so on).
  • If the connection satisfies all profile constraints, it is granted. If not, it is refused.
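The three-step evaluation above is easy to get wrong in the head, especially the rule that the account setting overrides the policy. The Python below is an added worked example for these notes, not code from the course or from Windows: the policy names, groups and attribute names (media, group, tunnel, auth) are made up for the demonstration, and a real server evaluates many more condition and profile attributes than this.

```python
from dataclasses import dataclass, field

ALLOW = "allow"
DENY = "deny"
CONTROL_THROUGH_POLICY = "control access through remote access policy"


@dataclass
class Policy:
    """One remote access policy: conditions that must all match, a permission, and a profile."""
    name: str
    conditions: dict                              # attribute -> value that must match exactly
    permission: str                               # ALLOW or DENY
    profile: dict = field(default_factory=dict)   # attribute -> set of values the profile accepts


def authorize(user, attributes, account_permission, policies):
    """Evaluate a connection attempt the way the notes describe; return (granted, reason).

    Step 1: policies are checked in order; the first whose conditions all match
            is the only one used, and no match at all means refusal.
    Step 2: the account's dial-in setting wins, unless it is
            CONTROL_THROUGH_POLICY, in which case the policy's permission applies.
    Step 3: every constraint in the matched policy's profile must be satisfied.
    """
    for policy in policies:
        if not all(attributes.get(k) == v for k, v in policy.conditions.items()):
            continue
        if account_permission == CONTROL_THROUGH_POLICY:
            effective, source = policy.permission, "policy %r" % policy.name
        else:
            effective, source = account_permission, "account %r" % user
        if effective != ALLOW:
            return False, "denied by %s" % source
        for attr, allowed in policy.profile.items():
            if attributes.get(attr) not in allowed:
                return False, "profile of %r rejects %s=%r" % (policy.name, attr, attributes.get(attr))
        return True, "granted by %r" % policy.name
    return False, "no policy matched"


# Constructed policies and accounts for the demonstration (not from any real server).
POLICIES = [
    Policy("Block dial-up", {"media": "dial-up"}, DENY),
    Policy("VPN users", {"media": "vpn", "group": "VPN-Users"}, ALLOW,
           profile={"tunnel": {"L2TP"}, "auth": {"MS-CHAPv2", "EAP-TLS"}}),
]
ACCOUNTS = {"alice": CONTROL_THROUGH_POLICY, "bob": DENY, "carol": ALLOW}


def try_connection(user, **attributes):
    """Evaluate one attempt against the constructed policies; unknown accounts are denied."""
    return authorize(user, attributes, ACCOUNTS.get(user, DENY), POLICIES)


if __name__ == "__main__":
    print(try_connection("alice", media="vpn", group="VPN-Users", tunnel="L2TP", auth="MS-CHAPv2"))
    print(try_connection("alice", media="vpn", group="VPN-Users", tunnel="PPTP", auth="MS-CHAPv2"))
    print(try_connection("bob", media="vpn", group="VPN-Users", tunnel="L2TP", auth="MS-CHAPv2"))
    print(try_connection("carol", media="dial-up", group="Sales"))
    print(try_connection("alice", media="vpn", group="Guests", tunnel="L2TP", auth="MS-CHAPv2"))
```

Note the carol case: the matching policy is named Block dial-up and carries Deny, but her account is set to Allow access, so she gets in. That is exactly the override the notes warn about, and the reason most deployments set accounts to Control access through Remote Access Policy so that the policy, not the account, decides.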
VPN Design Guidelines
If you must allow Internet traffic inside your inner firewall and into the private network, implement a VPN solution. Using a VPN server, only clients that can establish an authenticated, encrypted connection with the VPN server can access resources on the private network. The following graphic shows one way to configure a firewall to accommodate VPN traffic.


In this example, the DMZ contains an FTP and a DNS server available to the public as well as the VPN server. Allow the following traffic to pass through the external firewall, rejecting all other traffic:
  • FTP traffic sent to 135.41.11.1
  • DNS traffic sent to 135.41.11.2
  • VPN traffic sent to 135.41.11.3 (the protocol type allowed depends on the tunneling protocol: PPTP needs TCP port 1723 plus GRE, IP protocol 47; L2TP/IPSec needs UDP port 500 for IKE plus ESP, IP protocol 50, or UDP port 4500 when NAT traversal is in use)
Note: With a VPN connection, incoming VPN traffic is encapsulated and sent to the VPN server, even if the final destination is on the private network. The outer firewall inspects the incoming VPN traffic and finds it addressed to the VPN server, not to the private network. For this reason, the outer firewall should not allow any incoming traffic addressed directly to the private network (192.168.1.0 in this example); only the VPN server, after authenticating the client, forwards traffic there.
To complete the configuration, configure the following items on the VPN server.
  • Configure the VPN server with the appropriate VPN tunneling protocol.
  • Configure addressing on the VPN server for clients. When a VPN connection is initiated, the remote client gets an IP address on the private network so it can communicate with hosts on the private network. You can configure the VPN server to assign IP addresses in one of two ways:
    • Configure the VPN server to get IP addresses for clients from a DHCP server on the private network. When using DHCP, DHCP traffic does not pass through the external firewall because all communication between the remote client and the VPN server appears as VPN traffic to the firewall; the VPN server obtains the leases on the client's behalf over its private-side interface.
    • Configure the VPN server with a static range of IP addresses that it can assign.
    In this example, the VPN server hands out IP addresses from the 192.168.1.0 network.
  • If the private network has more than one subnet, configure static routes on the VPN server (or run a routing protocol on it) so that it knows how to reach every internal subnet. This allows external clients to access all subnets in the private network.
Services Facts
You should know the following facts about auditing:
  • To audit a domain controller, you can apply a GPO to the Domain Controller OU. That affects all Domain Controllers in the OU.
  • To view audit logs, look at the local Event Viewer logs.
You should know the following facts about DFS:
  • DFS roots can be either standalone DFS roots or domain DFS roots. A stand-alone DFS server does not use Active Directory, cannot have root-level replicas, and can have only a single level of DFS links.
  • Domain DFS roots integrate DFS with Active Directory, adding fault tolerance and site-awareness. Configure sites to ensure that users get data from local copies of replicas.
  • DFS data is automatically replicated to other servers when replicas are created.
You can deploy SUS (Software Update Services) in the following ways:
  • The SUS server approves the updates only. Clients contact the SUS server for the list of approved updates, then retrieve the update files from the Windows Update servers on the Internet. Every client downloads from the Internet, so this uses a great deal of bandwidth.
  • The SUS server approves and synchronizes the updates. SUS stores the update files locally for clients to retrieve. This reduces bandwidth demands because only the SUS server contacts the Windows Update server.
  • SUS servers in various locations are each responsible for approving and synchronizing updates, and each contacts the Windows Update server itself.
Alternatively, use a "master" SUS server to approve and synchronize updates from the Windows Update server, and have the child SUS servers synchronize updates from the master. If WAN bandwidth between the master and child servers is poor, you may decide against this structure.

DMZ Design Guidelines in Server 2003 Network Infrastructure


A demilitarized zone (DMZ), or screened subnet, protects your private network from attacks coming from the Internet by keeping the hosts that must be reachable from the Internet on a separate network segment. In the design used here it consists of two firewalls: the outer firewall screens traffic coming from the Internet, while the inner firewall controls the traffic that is allowed inside the private network. If a server in the DMZ is compromised, the inner firewall still limits what the attacker can reach. Following are some guidelines for designing your DMZ.
  • Put publicly accessible services (such as Web and FTP servers) inside the DMZ.
  • Use firewall filters to control traffic allowed inside or out of the DMZ.
  • Restrict all traffic except what is required to communicate with services inside the DMZ.
  • On the outer firewall, allow traffic directed to the public servers (HTTP, FTP, e-mail).
  • Use a VPN server to secure traffic directed to the private network. Allow VPN traffic in the outer firewall.
  • Never allow traffic inside the outer firewall that claims it is coming from the private network.
  • On the inner firewall, allow common Web traffic out.
As you design the firewall settings, you need to carefully consider all necessary traffic and allow the minimum amount of traffic through each firewall. For example, the following graphic shows how firewall settings allow DNS traffic through both the inner and outer firewalls.



Given this design, Internet hosts are allowed to send DNS queries to the public DNS server. The internal DNS server is also configured to forward requests to the public DNS server inside the DMZ. Packet filters must allow DNS traffic to reach the public DNS server in the DMZ and allow the internal DNS server's outbound queries through the inner firewall. However, DNS requests from the Internet must not be allowed to pass through the inner firewall to the private DNS server; the internal DNS server holds the private namespace and should never be queried directly from the Internet.
Sometimes servers in the DMZ need to communicate with servers on the internal network. In this example, a Web server retrieves customer and order data from a SQL server. Notice that the SQL server is protected inside the private network; it is not placed in the DMZ.


To design the necessary firewalls for this example, allow HTTP and HTTPS traffic in the outer firewall. Then allow only SQL traffic coming from the Web server to pass through the inner firewall (do not allow all SQL traffic in the inner firewall).
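To make the filtering rules in this post and in the VPN post above concrete, here is an added example (Python written for these notes, not the course's own material nor any firewall product's code) that models the outer and inner firewalls as first-match rule lists with an implicit deny. The DMZ range 135.41.11.0/24, the Web, DNS and VPN server addresses, the SQL server at 192.168.1.50 and the choice of PPTP as the tunnel protocol are all assumptions for the example; the model is stateless, so return traffic is not tracked.

```python
import ipaddress
from collections import namedtuple

ZONES = ("internet", "dmz", "private")   # ordered from outside in: the outer firewall sits between
                                          # ZONES[0] and ZONES[1], the inner between ZONES[1] and ZONES[2]
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("135.41.11.0/24")      # assumed DMZ range for the example
PRIVATE = ipaddress.ip_network("192.168.1.0/24")  # private network from the example
WEB, DNS, VPN, SQL = (ipaddress.ip_network(h) for h in
                      ("135.41.11.1/32", "135.41.11.2/32", "135.41.11.3/32", "192.168.1.50/32"))

# ingress: zone the packet arrives from at that firewall, or "any"; proto "any" matches all;
# dport None matches any destination port.
Rule = namedtuple("Rule", "action ingress src dst proto dport")

OUTER = [
    Rule("deny",  "internet", PRIVATE, ANY, "any", None),   # anti-spoofing: private source from outside
    Rule("allow", "internet", ANY, WEB, "tcp", 80),
    Rule("allow", "internet", ANY, WEB, "tcp", 443),
    Rule("allow", "internet", ANY, DNS, "udp", 53),
    Rule("allow", "internet", ANY, VPN, "tcp", 1723),       # PPTP control channel (assumed tunnel protocol)
    Rule("allow", "internet", ANY, VPN, "gre", None),       # PPTP data (GRE, IP protocol 47)
    Rule("allow", "dmz", PRIVATE, ANY, "tcp", 80),          # common Web traffic out
    Rule("allow", "dmz", PRIVATE, ANY, "tcp", 443),
    Rule("allow", "dmz", DNS, ANY, "udp", 53),              # public DNS server resolving upstream
]
INNER = [
    Rule("allow", "dmz", WEB, SQL, "tcp", 1433),            # only the Web server may reach SQL
    Rule("allow", "private", PRIVATE, DNS, "udp", 53),      # internal DNS forwards to the public DNS
    Rule("allow", "private", PRIVATE, ANY, "tcp", 80),
    Rule("allow", "private", PRIVATE, ANY, "tcp", 443),
]
FIREWALLS = (OUTER, INNER)


def zone_of(addr):
    """Zone a destination address belongs to, by the ranges above."""
    ip = ipaddress.ip_address(addr)
    if ip in PRIVATE:
        return "private"
    if ip in DMZ:
        return "dmz"
    return "internet"


def first_match(rules, ingress, pkt):
    """First-match evaluation with an implicit deny when no rule matches."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for r in rules:
        if (r.ingress in ("any", ingress) and src in r.src and dst in r.dst
                and r.proto in ("any", pkt["proto"]) and r.dport in (None, pkt.get("dport"))):
            return r.action
    return "deny"


def forward(pkt):
    """Stateless check of one packet: which firewalls it crosses and what each decides.

    pkt = {"from_zone": where it physically enters, "src", "dst", "proto", "dport"}.
    Returns (delivered, [(firewall, verdict), ...]); evaluation stops at the first deny.
    """
    a, b = ZONES.index(pkt["from_zone"]), ZONES.index(zone_of(pkt["dst"]))
    if a == b:
        return True, []   # same zone: no firewall in the path
    crossings = range(a, b) if a < b else range(a - 1, b - 1, -1)
    verdicts = []
    for k in crossings:
        ingress = ZONES[k] if a < b else ZONES[k + 1]
        verdict = first_match(FIREWALLS[k], ingress, pkt)
        verdicts.append(("outer" if k == 0 else "inner", verdict))
        if verdict == "deny":
            return False, verdicts
    return True, verdicts


if __name__ == "__main__":
    print(forward({"from_zone": "internet", "src": "192.168.1.5", "dst": "135.41.11.1", "proto": "tcp", "dport": 80}))
    print(forward({"from_zone": "dmz", "src": "135.41.11.2", "dst": "192.168.1.50", "proto": "tcp", "dport": 1433}))
```

The spoofed packet (a private source address arriving from the Internet) is dropped by the first outer rule; a packet from the DMZ DNS server to SQL port 1433 is dropped by the inner firewall because only the Web server is allowed there; a packet from the Internet addressed straight to 192.168.1.50 never gets past the outer firewall, which has no rule for private destinations.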
NAT and Router Design Guidelines
You should know the following facts about NAT design:
  • Use the following address ranges (RFC 1918) for internal private IP addresses:
    • 10.0.0.0 /8
    • 172.16.0.0 /12
    • 192.168.0.0 /16
    • Do not use 169.254.0.0 /16: that is the APIPA link-local range; it is not routable and is not a private range for NAT.
  • NAT rewrites only the IP header (and TCP/UDP port numbers). Protocols that carry IP addresses inside their payload, or that use dynamically negotiated ports, break without a protocol-specific NAT editor. Windows NAT cannot translate the following:
    • SNMP (Simple Network Management Protocol)
    • LDAP (Lightweight Directory Access Protocol)
    • COM (Component Object Model)
    • DCOM (Distributed Component Object Model)
    • Kerberos version 5
    • RPC (Microsoft Remote Procedure Call)
  • Domain controllers cannot replicate through a NAT server, because Active Directory replication uses Kerberos version 5 and RPC, both in the list above.
  • Windows Server 2003 supports L2TP/IPSec VPN connections through NAT using IPSec NAT traversal (NAT-T), which wraps ESP in UDP port 4500 so that the NAT device can translate it.
  • To redirect external requests for internal resources (a Web server, for example), you can use address mapping or port mapping.
    • With address mapping, you associate a registered (public) IP address with a specific private IP address, so all traffic to that public address reaches one internal host.
    • With port mapping, you redirect traffic sent to a specific port on the public address (such as port 80 for HTTP) to a specific private IP address and port, which lets several internal services share one public address.


You should know the following facts about router placement:
  • Routers do not pass broadcasts by default. You can reduce broadcast traffic by breaking up the network into smaller pieces with routers.
  • Routers can be used to subnet a network.
  • Routers can be used to separate an internal network from untrusted segments, since nothing crosses the router that its configuration does not forward.
  • Configure packet filters on routers to allow or deny specific types of network traffic.
Internet Connectivity Solutions
Use the following table as a guide to selecting an Internet connection method.

Select Routing to meet these requirements:
  • Small to large networks
  • All hosts must be able to respond to Internet-initiated requests
  • Maximum flexibility in network design and implementation
  • All hosts that require Internet access are running TCP/IP (and have public addresses)
Select Internet Connection Sharing (ICS) to meet these requirements:
  • Small network (10 or fewer hosts) with a single subnet
  • Automatic address assignment (ICS always uses the fixed 192.168.0.0/24 range)
  • All hosts that require Internet access are running TCP/IP
  • At least one Windows 2000/XP/2003 or Windows 98 Second Edition system exists on the network (for the shared connection)
  • You do not provide DHCP or DNS services on the private network (ICS provides its own and conflicts with them)
Select Network Address Translation (NAT) to meet these requirements:
  • Small- to medium-sized network (approximately 5000 hosts or less)
  • Automatic address assignment
  • Few hosts that need outside-initiated contact
  • All hosts that require Internet access are running TCP/IP
Select a proxy server/Internet Security and Acceleration Server (ISA) to meet these requirements:
  • Small to large networks
  • Hosts that require Internet access are running a variety of protocols
  • The ability to restrict Internet access or contact by user or site
  • Caching of Internet or Web server content

IP Addressing Facts in Designing Network Infrastructure


Use the table as a shortcut guide to subnetting. Tip: Look for patterns in the table (each extra masked bit doubles the number of subnets and halves the number of addresses per subnet) so you can easily reproduce the table at any time.

  Masked bits   Mask value        Number of subnets*   Addresses per subnet**   Approximate*** hosts per subnet
  /20           255.255.240.0     N/A                  4096                     4000
  /21           255.255.248.0     N/A                  2048                     2000
  /22           255.255.252.0     N/A                  1024                     1000
  /23           255.255.254.0     N/A                   512                      500
  /24           255.255.255.0       1                   256                      250
  /25           255.255.255.128     2                   128                      125
  /26           255.255.255.192     4                    64                       60
  /27           255.255.255.224     8                    32                       30
  /28           255.255.255.240    16                    16                       15
*The number of subnets value is the number of subnets you get when you subdivide one Class C (/24) address range with that mask; it is N/A for masks shorter than /24.
**Remember to subtract two from these numbers to arrive at the total number of addresses that can be assigned to hosts (subtract one for the subnet address and one for the broadcast address).
***Use this number as a quick estimate of the number of possible hosts.
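The subnetting table can be regenerated rather than memorised. The following Python is an added example for these notes (not from the course): it rebuilds the table rows from the prefix length and, going one step beyond the table, carves a network into equally sized subnets for a required host count, giving the subnet address, first and last assignable host and broadcast of each. The sample network 192.168.1.0/24 and the host counts are constructed inputs.

```python
import ipaddress


def mask_value(prefix):
    """Dotted-decimal mask for a /prefix, e.g. 26 -> 255.255.255.192."""
    return str(ipaddress.ip_network("0.0.0.0/%d" % prefix).netmask)


def subnet_row(prefix):
    """One row of the shortcut table for a /prefix mask."""
    addresses = 2 ** (32 - prefix)
    return {
        "mask": mask_value(prefix),
        # subnets per Class C: only meaningful once the mask is at least /24
        "class_c_subnets": 2 ** (prefix - 24) if prefix >= 24 else None,
        "addresses": addresses,
        "usable_hosts": addresses - 2,   # minus the subnet address and the broadcast address
    }


def shortcut_table(first=20, last=28):
    """Rebuild the table for /first through /last; each extra bit halves the addresses."""
    return {"/%d" % p: subnet_row(p) for p in range(first, last + 1)}


def prefix_for_hosts(hosts_needed):
    """Longest prefix (smallest subnet) that still leaves hosts_needed usable addresses."""
    prefix = 30                      # /30 is the smallest subnet with usable hosts (2)
    while 2 ** (32 - prefix) - 2 < hosts_needed:
        prefix -= 1
        if prefix < 0:
            raise ValueError("no IPv4 subnet holds %d hosts" % hosts_needed)
    return prefix


def carve(network, hosts_needed):
    """Split network into equal subnets sized for hosts_needed, listing the
    subnet address, first and last assignable host, and broadcast of each."""
    net = ipaddress.ip_network(network)
    prefix = prefix_for_hosts(hosts_needed)
    if prefix < net.prefixlen:
        raise ValueError("%s is too small for %d hosts per subnet" % (net, hosts_needed))
    return [
        {
            "network": str(sub),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
        }
        for sub in net.subnets(new_prefix=prefix)
    ]


if __name__ == "__main__":
    for cidr, row in shortcut_table().items():
        print(cidr, row)
    for sub in carve("192.168.1.0/24", 60):
        print(sub)
```

Asking for 60 hosts per subnet yields /26 (62 usable), so 192.168.1.0/24 splits into four subnets, the first of them 192.168.1.0/26 with hosts .1 to .62 and broadcast .63; asking for 63 would push the mask to /25 and give only two.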
DHCP Design Guidelines
In a network with multiple subnets, a major concern is answering DHCP broadcast requests from all subnets, because routers do not forward broadcasts by default. There are three ways to configure DHCP to allow clients on all subnets to get an IP address from a DHCP server.

Place a DHCP server on each subnet
  • The local DHCP server answers DHCP requests for its local subnet only.
  • This solution could increase costs as you must configure and maintain a DHCP server for each subnet.
Enable BOOTP/DHCP forwarding on the routers (RFC 1542 compliant routers)
  • Use this method if you choose to have only one DHCP server on the routed network. The router forwards the client's broadcast to the DHCP server as a unicast.
  • Place the DHCP server on the subnet with the most hosts.
Use relay agents
  • Configure a DHCP relay agent on each subnet that does not have a DHCP server to forward DHCP broadcasts to the remote DHCP server (the Windows Server 2003 Routing and Remote Access service includes one).
To provide fault tolerance and improve DHCP performance, you can:
  • Configure split scopes. In a split scope, two DHCP servers service each subnet.
    • Configure the full range of addresses in the scope on both DHCP servers.
    • Exclude different ranges of addresses on each server so that the two servers never hand out the same address. With both servers on the same subnet, exclude 50% of the addresses on each server. With one DHCP server on the local subnet and one on a remote subnet, use the 80/20 (or 75/25) rule: the local server offers 80% of the scope (excluding the other 20%), and the remote server offers 20% (excluding the 80% the local server owns). Clients normally take the local server's offer because it answers first.
    • Add relay agents to allow DHCP broadcasts to reach the remote server in case the local DHCP server goes down.
  • Implement a DHCP cluster. Windows Server 2003 DHCP is cluster-aware. When one node goes down, another node takes over the same scope and database.
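The 80/20 split is simple to state but easy to misconfigure: overlapping ranges on the two servers produce duplicate leases. This Python is an added example for these notes, not from the course or from the Windows DHCP service; it computes which addresses each server serves and which it must exclude for a given scope and split, and checks that the two halves are disjoint and cover the whole scope. The scope 192.168.1.0/24 is a constructed input, and the cut point is rounded to the nearest address.

```python
import ipaddress


def split_scope(scope, local_share=0.8):
    """Per-server exclusions for a split scope covering the subnet `scope`.

    Both servers get the whole usable range; each excludes the other's share,
    so no address can be offered twice. local_share=0.8 is the 80/20 rule for a
    local plus a remote server, 0.5 for two servers on the same subnet.
    """
    hosts = list(ipaddress.ip_network(scope).hosts())   # subnet and broadcast already left out
    if not 0 < local_share < 1 or len(hosts) < 2:
        raise ValueError("need a share strictly between 0 and 1 and at least two usable addresses")
    cut = max(1, min(len(hosts) - 1, round(len(hosts) * local_share)))
    local = (str(hosts[0]), str(hosts[cut - 1]))
    remote = (str(hosts[cut]), str(hosts[-1]))
    return {
        "scope": (str(hosts[0]), str(hosts[-1])),
        "local": {"serves": local, "excludes": remote, "addresses": cut},
        "remote": {"serves": remote, "excludes": local, "addresses": len(hosts) - cut},
    }


def verify_split(split):
    """True when the two served ranges are adjacent, disjoint, and cover the whole scope."""
    first, last = (ipaddress.ip_address(a) for a in split["scope"])
    l_start, l_end = (ipaddress.ip_address(a) for a in split["local"]["serves"])
    r_start, r_end = (ipaddress.ip_address(a) for a in split["remote"]["serves"])
    return l_start == first and l_end + 1 == r_start and r_end == last


if __name__ == "__main__":
    for share in (0.8, 0.5):
        s = split_scope("192.168.1.0/24", share)
        print(share, s, verify_split(s))
```

For 192.168.1.0/24 the 80/20 split gives the local server 192.168.1.1 to .203 (it excludes .204 to .254) and the remote server .204 to .254 (it excludes .1 to .203); with 0.5 the cut falls between .127 and .128. The "excludes" range of each server is what you type into its exclusion list.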
To decrease the time that the DHCP server takes to respond to client requests, consider the following to improve performance:
  • Create a multihomed DHCP server. By doing so, the DHCP server services multiple subnets without forwarding DHCP requests through the router. A multihomed server decreases router traffic and decreases the time it takes for clients on the remote subnet to receive their IP addresses.
  • Upgrade DHCP server components. Upgrading the CPU, RAM, and network cards all affect DHCP performance, but because DHCP is a disk-intensive service (every lease is written to its database), the most important upgrade is to improve disk access.
  • Add additional DHCP servers. By doing so, you spread the workload between two or more computers.
  • Modify lease lengths. Increasing the lease time means clients will not renew an address as often. This reduces network traffic due to lease renewals and reduces the workload on the DHCP server, at the cost of addresses staying reserved longer after a client leaves.
Members of the Enterprise Admins group can authorize DHCP servers (members of the Domain Admins group can administer, but not authorize, DHCP servers).