Documentation for Computer Networks
(client) Window and Door

I. Overview
   Computer network design
   Transition and upgrade histories
A. Computer network design
   1. The (client) computer network is a combination LAN/WAN architecture currently spanning three branch offices along the Colorado Front Range. The offices in Boulder (home office), Englewood, and Ft. Collins are joined via a Virtual Private Network (VPN) under a security-controlled workgroup named “SGWD”. The inter-network communication channel operates over DSL connections to the Internet, accessed through DSL accounts at each location from three separate providers. Englewood’s access is via telephone-based DSL, Ft. Collins’ access is via direct cable hookup to an independent provider, and Boulder’s access is via wireless DSL through satellite transmission. Primary sentry points exist at each location’s router for WAN security, and at each location’s file server for internal user security.
B. Significant network transition and upgrade histories within the last 2-year period
   1. April, 2002
      a) Conversion from Novell Netware to Redhat Linux based network
      b) Implementation of Linux-based Samba Server as the workgroup security controller and as the “network share” converter from Linux (server) to Microsoft Windows (client)
      c) Conversion from standard SpeedStream network routers to Linksys DSL VPN routers
      d) Implementation of Redhat Linux operating system software to store company data, manage user rights, and control printing in place of the Novell Netware operating system
      e) Conversion from server-based email hosting to remote hosting under the “(client).com” domain name, connected by Outlook Express email client software
      f) Installed AVG Anti-Virus on workstations with scheduled automated virus-definition updates
   2. August, 2003
      a) Upgrade from Redhat Linux 7.2 to 9.0
      b) Re-connection of SCSI tape backup drives and implementation of Linux-based software tape backup operations
      c) Upgraded the firmware on the Linksys Router
      d) Fine-tuned the security firewall
      e) Implementation of SSH (Secure Shell) remote access for support stabilization of outstanding user rights issues on data files
II. Operational Flow
   Wide-area network operations
   Local-area network operations
   File and print servers
   Workstations
   User Rights
   Daily server tape backups
A. Wide-area network operations
   1. Each branch connects to its respective DSL provider by a DSL bridge-type router (also known as a DSL modem). Data is converted at that entry point to an Ethernet data stream, and sent directly to a network router. The routers provide security, network identification numbering, and inter-LAN communications via a virtual private network (VPN).
   2. The VPN operates via Internet tunneling between the routers at each branch, as well as to client computers outside of the workgroup that pass authentication. The VPN unites multiple network subnets into locally-accessible servers. Resources on these servers, primarily data shares, are then accessed as if they were locally-based.
B. Local-area network operations
   1. Each branch is centered around an 8-port intelligent network concentrator (hub). Connections to the hub include all LAN workstations, one file and print server, and a WAN line from the network router.
   2. All workstations receive authentication services to the network from their own Windows-based control service (Client for Microsoft Windows), but data share authentication is provided by the file server. The Internet connection is routed directly to the network gateway (the network router) via the hub.
   3. Workstation unique network identification (DHCP services) is assigned by each branch’s network router.
   4. Each branch includes one network printer. They are physically connected directly to the server, which provides print-job queuing and management services.
C. File and print servers
   1. All servers function under the Redhat Linux operating system. General hardware configurations include Dell server machines with two 10 GB SCSI hard drives, an internal SCSI tape drive, two 10/100 NIC adapters, and a UPS unit.
   2. User-accessed data shares are managed and secured by the Samba Server Linux program. Samba also functions as the access services converter from Linux (server) to Microsoft Windows (client).
   3. Tape backup operations are performed on the server, and controlled by Linux-based tape management commands. Specific backup job configurations are managed by the Storix software program.
   4. Remote access programs reside on the server for remote support and management. Linux-based SSH Server provides encrypted authentication for multiple-user console access to Linux. VNC-server provides graphical real-time emulation of the user Linux interface. It can be encrypted for security either via SSH or by the prevailing VPN security overlay.
D. Workstations
   1. Typical software applications installed
      a) Quattro-Pro DOS
      b) Semco quote system
      c) Marvin quote system
      d) Hurd PowerBids
      e) Adobe Acrobat Reader
      f) AVG Anti-Virus
      g) Standard applications included in Windows 98
      h) Monitoring utility for Windows updates
   2. Typical startup operations and applications
      a) The AVG Anti-Virus app does a simple memory and boot-sector virus check before the Windows interface is loaded
      b) Upon Windows booting, the username and password are supplied to the Windows 98 “Client for Microsoft Windows” interface
      c) The Windows version of AVG Anti-Virus is started to monitor email messages for viruses
      d) A server-based script is started to process the username and password information that was already supplied into a usable format for secure network connections
      e) A workstation-based script is started to authenticate and provide drive-mapped connections to network data shares
         (1) The general data files area of the local server
         (2) The user’s Home storage area on the local server
             (a) User data files normally stored in the local “My Documents” folder are re-mapped to the user’s server-based home directory “H:”, which is backed-up to tape with daily server backups
         (3) The Masters directory of invoice and bid spreadsheets on the local server
         (5) The network printer, including local port redirection for DOS-based programs
         (6) The clock of the workstation is matched to the time of the clock of the local server. The server’s clock is periodically corrected via an Internet connection to a primary time-keeping service.
      f) A server-based script is started to begin the daily “Semco-Marvin” backup. A utility monitors its execution to limit the number of possible starts to once per calendar day.
         (1) All Semco and Marvin data files are erased from the user’s server-based home directory
         (2) All existing Semco and Marvin data files located in designated workstation directories are then copied into the home directory.
         (3) The user’s email address book, plus all Internet Explorer favorites, are also copied to the home directory
         (4) Outlook Express is started
E. User Rights (Linux Permissions)
   1. Settings in Samba Server create file and directory permissions for shared data files on the server.
      a) File creation and modification settings
         (1) User: creator
         (2) Group: same as the owner of the directory created in
      b) Special directory group settings
         (1) All branches
             (a) Individual user directories under “Users”
                 · Group Users: read only
             (b) “M”
                 · Group Users: read only
                 · Group Admin: read/write
             (c) “Invoices”
                 · Group Users: read/write
         (2) Boulder
             (a) Selected directories under “M\PO” and “M\Purchase”
                 · Group Users: no access
                 · Group Admin: read/write
                 · Group Lisa-Shawn: read/write
F. Daily server tape backups
   1. A standard tape backup job has been created by Linux-based Storix software.
      a) The job backs-up the entire Linux root partition
      b) It then rewinds and ejects the tape
   2. A Linux-based “Cron” script handles tape backups nightly Monday thru Friday.
      a) At 9pm, the Linux “mt” command is issued to erase the tape inserted in the drive
      b) At 11pm, Storix’s “strunjob” command is issued to perform the above-described tape backup job
III. Maintenance
   Wide-area network
   File server maintenance
   Adding a user workstation
   Changing or adding a printer
A. Wide-area network
   1. Since the DSL connections are an always-on service, no ongoing maintenance is required for the network connection. This includes the VPN, which is continually maintained between branch routers.
      a) Occasionally, due to DSL service interruptions, the branch-to-branch VPN connection is broken. However, when a workstation at a branch either automatically attempts to map a VPN-based data share, or when a mapped drive is opened on the client desktop, it usually sends a signal to the routers to re-establish the connection. On rare occasions where this method is not successful, a direct “Reconnect” selection from the router’s administrative interface is necessary.
      b) Remote connections to a branch via separate VPN tunnels are always disconnected unless and until a remote client computer attempts to establish a connection. Once the client disengages access, the tunnel is broken and remote security is ensured.
B. File server maintenance
   1. Due to the robust stability of the Linux operating system, server re-starts are rarely required.
   2. System and application updates are applied remotely through the web interface of the Redhat Network website. After updates are applied, server re-starts are still not necessary.
   3. The only requirement for “downing” an operating Linux-based server is when internal hardware should happen to malfunction, such as a NIC adapter or the tape drive.
C. Adding a user workstation
   1. A workstation is built either by manually installing a Windows system, or by restoring a computer manufacturer’s system partition from a CD.
   2. Once Windows is functional, all required business applications must be installed. Optionally, a “ghosted” partition file can be built for similar hardware configurations that would include the Windows O.S., hardware drivers, and typical applications.
   3. Build the network client
      a) Install typical Windows network applets, including “Client for MS Windows” and the TCP/IP protocol
      b) Create a physical connection to the network with a live cable between the hub and the computer’s NIC card
      c) Locate the server either through the built-in networking app, or by specifically finding the server via Windows’ “search for computer” app. Either the server name, i.e. “\\BLDR”, or the server’s IP address can be entered.
      d) Once the server is found, the data shares become visible. Open the share called “Login”, which is not password-protected and provides access only to the server’s login scripts
      f) Copy “mapping.bat” from “\Login” on the server to “C:\”
         (1) Edit the batch file to specify which branch VPN shares to connect to, and to specify that Outlook Express only opens if the designated user for the particular machine is the user logging-in
   4. Saving user files to server: the “My Documents” Windows folder is re-mapped to the user’s server-based home directory with these steps
      a) Copy any existing data files from “My Documents” to “h:\”
      b) Edit registry key HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, string value “Personal”
         (a) Edit the string:
             · Change “C:\My Documents” to “H:\”
      c) Close registry
      d) Restart the computer in MS-DOS Mode
      e) Type: “Deltree C:\MyDocu~1”
      f) Type: “Exit”
   5. Re-start the workstation. Then login with an existing network username and password.
D. Changing or adding a printer
   1. Connect the printer’s cable to the server’s port, either parallel (LPT) or USB
   2. Open the server’s Linux graphical interface desktop
   3. Open the “Printer” app and make appropriate changes
   Router problems
   Hub problems
   Printer problems
   Server problems
1. Router problems: reset the power switch
2. Hub problems: check cable connections, and reset the power switch if necessary
3. Printer problems: if the printer is correctly configured on the server, the problem is typically physically on the printer itself. Initiate repairs there, but if irresolvable it may require professional support for the server configuration.
4. Server problems
   a) Special commands to execute from a Linux command shell
      (1) Starting “VNC Server” for remote server desktop viewing
          (a) vncserver :1 -geometry 800x600 -name Admin
      (2) Necessity to copy the entire contents of the first SCSI hard drive to the backup hard drive
          (a) dd if=/dev/sda of=/dev/sdb
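The dd command in 4.a)(2) copies the whole first disk over the second with nothing to stop it running the wrong way round or onto a disk that is in use. The following POSIX shell wrapper is an added example and is not part of the client's documentation: it refuses to clone when the target is the same device as the source, or when the target or any partition on it appears in the mounts table. It assumes Linux device naming (/dev/sda, /dev/sdb1) and the /proc/mounts line format; the function and script names are hypothetical, and the mounts table used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not from the client's documentation: guard the disk-clone
# step so that dd cannot run against a device that is in use.
# Assumes Linux device naming (/dev/sda, /dev/sdb1, ...) and the
# /proc/mounts line format "device mountpoint fstype options 0 0".

# clone_target_is_safe SRC DST [MOUNTS_FILE]
# Returns 0 when DST is a different device from SRC and neither DST nor any
# partition on it (DST followed by digits) is listed in MOUNTS_FILE.
# MOUNTS_FILE defaults to /proc/mounts; a file path is accepted so the rule
# can be checked against constructed data.
clone_target_is_safe() {
    src=$1
    dst=$2
    mounts=${3:-/proc/mounts}

    if [ "$src" = "$dst" ]; then
        echo "refusing: source and target are the same device ($src)" >&2
        return 1
    fi

    # Field 1 of each mounts line is the mounted device. Match the target
    # exactly, or the target followed only by a partition number.
    if awk -v d="$dst" '
        $1 == d || (index($1, d) == 1 && substr($1, length(d) + 1) ~ /^[0-9]+$/) { found = 1 }
        END { exit !found }' "$mounts"
    then
        echo "refusing: $dst or one of its partitions is mounted" >&2
        return 1
    fi
    return 0
}

# clone_disk SRC DST: the page's dd command, run only after the check passes.
# The 4 MiB block size is a throughput choice, not a requirement.
clone_disk() {
    clone_target_is_safe "$1" "$2" || return 1
    dd if="$1" of="$2" bs=4M
}
```

Run as `clone_disk /dev/sda /dev/sdb`. The check reads /proc/mounts by default; passing a file path as the third argument to clone_target_is_safe lets the rule be tested against a mount table of your own. It does not address the source disk being the running system; that is the situation the page's procedure already accepts.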
V. Specifications
   LAN Workgroup name
   Hardware devices
   Software license numbers
   File Server settings
   Workstation settings
   Miscellaneous other settings
   Visual Network Diagram
A. LAN Workgroup name: SGWD
B. Hardware devices
   1. All branches
      a) Internal server tape drives
         (1) SCSI-2; 4mm DDS3 tapes
      b) Network router
         (1) Linksys BEFVP41 Etherfast Cable/DSL VPN Router
   2. Boulder
      a) DSL Bridge for Sprint Wireless model no. WBR-60-231B
         (a) User: root
         (b) Password: highpost
      (7) VPN tunnel specs
   3. Englewood
      a) Cisco 67x DSL modem
      b) Linksys DSL VPN Router configurations, including WAN settings
         (a) User: root
         (b) Password: Hurdb1D
      (7) VPN tunnel specs
   4. Ft. Collins
      a) DSL Bridge: Speedstream 5851
      b) Linksys DSL VPN Router configurations, including WAN settings
         (1) Security access
             (a) User: root
             (b) Password: FTCLb1d
         (7) VPN tunnel specs
C. Software license numbers
   1. “Ghost” disk imaging app license no.: C217489F9B2C
D. File Server settings
   1. All branches
      c) Linux “Cron” file contents for automated daily tape backups:
            MAILTO=[manager account]@(client).com
            0 21 * * 1-5 mt -f /dev/st0 erase
            0 23 * * 1-5 /usr/bin/strunjob 000001
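The two crontab lines above, which implement the nightly flow described in II.F, run the erase and the Storix job independently: the 11pm job still starts if the 9pm erase failed, and the only failure signal is whatever cron mails to MAILTO. The following POSIX shell wrapper is an added example and is not part of the client's setup: it runs the two steps in order, stops if the erase fails, and records each outcome through logger(1) as well as on standard output, with a distinct exit status for each failure point. It assumes the mt command, the Storix strunjob command and job id 000001 named on the page; the script layout, function names and log tag are hypothetical.

```shell
#!/bin/sh
# Added example, not from the client's documentation: run the nightly tape
# job (erase, then Storix job 000001) as one unit with an exit status that
# reports where it stopped. Assumes mt(1) and the Storix strunjob command
# from the page; the log tag and script layout are hypothetical.

TAPE_DEV=${TAPE_DEV:-/dev/st0}
JOB_ID=${JOB_ID:-000001}
LOG_TAG=tape-backup

# Write one line to syslog (when logger is available) and to standard output,
# so a failure shows up in the system log as well as in cron's mail.
log_msg() {
    logger -t "$LOG_TAG" -- "$*" 2>/dev/null || true
    printf '%s\n' "$*"
}

# run_tape_backup DEVICE JOB_ID
# Exit status: 0 on success, 2 if the erase failed (the job is not started),
# 3 if the Storix job itself failed.
run_tape_backup() {
    dev=$1
    job=$2

    log_msg "erasing tape in $dev"
    if ! mt -f "$dev" erase; then
        log_msg "ERROR: erase of $dev failed; backup job $job not started"
        return 2
    fi

    log_msg "starting Storix job $job"
    if ! strunjob "$job"; then
        log_msg "ERROR: Storix job $job failed"
        return 3
    fi

    log_msg "backup job $job completed"
    return 0
}

# Run only when invoked as a script with --run, so the functions can also be
# sourced and checked without touching a tape drive.
if [ "${1:-}" = "--run" ]; then
    run_tape_backup "$TAPE_DEV" "$JOB_ID"
fi
```

A single crontab entry of the form `0 21 * * 1-5 /usr/local/sbin/tape-backup.sh --run` (path hypothetical) would replace the two lines above while keeping the erase-then-backup order; mt blocks until the erase has finished, so the job does not start early.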
      d) User logon files
      e) Linux permissions via Samba (user file rights)
         (1) File mode: 0664
         (2) Directory mode: 6664
         (3) All directories and files have the “GID” bit set
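The modes listed in e) and the ownership rules in II.E.1.a) describe what Samba applies when a Windows client creates a file, but nothing on the page checks that the files on disk still match: a file placed through another path (an SSH session, a restore from tape) can carry a different mode or group. The following POSIX shell audit is an added example and is not part of the client's configuration. It walks a share tree and reports directories without the setgid bit, regular files whose mode differs from the documented 0664, and files whose group differs from that of their parent directory. It assumes GNU stat's -c format (present on Redhat Linux); the directory check covers only the setgid bit, since that bit is the mechanism the group-inheritance rule depends on, and the function name and the tree it is run against in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the client's documentation: audit a Samba share
# tree against the permission policy on the page (file mode 0664, setgid on
# directories, group inherited from the parent directory).
# Assumes GNU stat: -c '%a' prints the mode in octal including the special
# bits (e.g. 2775), -c '%G' prints the group name.

# audit_share_perms ROOT [FILE_MODE]
# Prints one line per violation and returns 1 if any were found, 0 otherwise.
audit_share_perms() {
    root=$1
    want_file_mode=${2:-664}

    report=$(
        # Directories: setgid is the 2 bit of the leading digit, so a
        # four-digit mode must start with 2, 3, 6 or 7.
        find "$root" -type d | while IFS= read -r d; do
            mode=$(stat -c '%a' "$d")
            case "$mode" in
                [2367][0-7][0-7][0-7]) ;;
                *) printf 'no setgid bit on directory: %s (mode %s)\n' "$d" "$mode" ;;
            esac
        done

        # Regular files: documented mode, and group equal to the parent's group.
        find "$root" -type f | while IFS= read -r f; do
            mode=$(stat -c '%a' "$f")
            [ "$mode" = "$want_file_mode" ] ||
                printf 'file mode %s, expected %s: %s\n' "$mode" "$want_file_mode" "$f"
            fgrp=$(stat -c '%G' "$f")
            dgrp=$(stat -c '%G' "$(dirname "$f")")
            [ "$fgrp" = "$dgrp" ] ||
                printf 'group %s differs from directory group %s: %s\n' "$fgrp" "$dgrp" "$f"
        done
    )

    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Run as `audit_share_perms /path/to/share` from a root shell on the server; a second argument overrides the expected file mode for a share with a different policy. The settings Samba itself uses to produce these modes are its create mask, directory mask and force group share parameters, which is where a reported drift would be corrected.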
   2. Boulder:
      (2) Gateway address: 192.168.1.254
      (4) Network user names and passwords
          (a) Usernames and passwords
              · (omitted)
          (b) User/Group list
   3. Englewood
      a) Root password: Hurdb1D
      c) Network settings
         (2) Gateway address: 192.168.2.254
         (3) Network Printer: HP Laserjet 4
         (4) Network user names and passwords
             (a) Usernames and passwords
                 · (omitted)
   4. Ft. Collins
      a) Root password: FTCLb1d
      c) Network settings
         (2) Gateway address: 192.168.3.254
         (3) Network Printer: HP Laserjet 5L
         (4) Network user names and passwords
             (a) Usernames and passwords
                 · (omitted)
E. Workstation settings
   1. AVG Antivirus
      a) Control Center
         (1) Resident Shield
             (a) Disable Resident Shield
         (2) Email Scanner
             (a) Check all boxes
         (3) Update Manager
             (a) Allow scheduled updates
                 · Start: 8:40am
                 · Update if database older than 7 days
                 · Not successful: repeat in 1 day
                 · Download server: www.grisoft.com
         (4) Scheduler
             (a) No check in the box
   2. Outlook Express
      a) User accounts and passwords
         (1) Boulder
         (2) Englewood
         (3) Ft. Collins
      b) Check the box: “Server requires authentication”
   3. Web access to hosted email to administrate or remotely check messages
      b) Admin access
         (2) Password: universe
      c) User access:
         (1) Name: [username (no underscore)]@(client).com
         (2) [user email password]
   4. Remote graphical access to server screen
      a) Settings for VNC client software: 192.168.$.1:1
   5. Settings for file “Shortcut to login.bat.pif” located in the Startup folder
      a) Shortcut points to: \\192.168.$.1\Login\login.bat
   6. File “mapping.bat” located in “C:\”
F. Miscellaneous other settings
   1. Boulder
      a) Sprint DSL service
         (1) Tech support contact no.: 888-996-0001
   2. Englewood
      a) Qwest DSL service
         (1) Tech support contact no.: 888-777-9569
         (3) DSL modem access
             (a) Login: swdoor
             (b) Password: VfrXRU7h
   3. Ft. Collins
      a) RockyNet DSL user account name: (client)
   4. Settings for hosted website account
      a) FTP host name is ftp.(client).com, or 63.99.209.66
      b) username is (client)
      c) password is universe
   5. Redhat Network website registered entitlement login info:
      a) Username: (client)
      b) Password: 58233
   6. SSH Sentinel Remote VPN access software configurations
      a) If accessing remotely behind a network firewall: forward the following TCP ports on the router to the remote computer’s internal IP address: 500, 1723, 47, 50, 51
      b) Boulder
         (a) Shared Secret: highpost
         (2) Security Policy tab
             (b) Remote Network: BLDR
                 · IP: 192.168.1.0
                 · Subnet Mask: 255.255.255.0
             (c) Authentication Key: BLDR
             (d) Proposal Template: legacy
             (e) Settings
                 · IKE proposal
                   (a) Encryption Algorithm: 3DES
                   (b) Integrity Function: MD5
                   (c) IKE Mode: Main Mode
                   (d) IKE Group: MODP 768
                 · IPSec proposal
                   (a) Encryption Algorithm: 3DES
                   (b) Integrity Function: HMAC-MD5
                   (c) IPSec mode: tunnel
                   (d) PFS Group: MODP 768
      c) Englewood
         (1) Key Management tab
             (a) Shared Secret: Hurdb1D
         (2) Security Policy tab
             (b) Remote Network: ENGL
                 · IP: 192.168.2.0
                 · Subnet Mask: 255.255.255.0
             (c) Authentication Key: ENGL
             (d) Proposal Template: legacy
             (e) Settings
                 · IKE proposal
                   (a) Encryption Algorithm: 3DES
                   (b) Integrity Function: MD5
                   (c) IKE Mode: Main Mode
                   (d) IKE Group: MODP 768
                 · IPSec proposal
                   (a) Encryption Algorithm: 3DES
                   (b) Integrity Function: HMAC-MD5
                   (c) IPSec mode: tunnel
                   (d) PFS Group: MODP 768
      d) Ft. Collins
         (1) Key Management tab
             (a) Shared Secret: FTCLb1d
         (2) Security Policy tab
             (b) Remote Network: FTCL
                 · IP: 192.168.3.0
                 · Subnet Mask: 255.255.255.0
             (c) Authentication Key: FTCL
             (d) Proposal Template: legacy
             (e) Settings
                 · IKE proposal
                   (a) Encryption Algorithm: 3DES
                   (b) Integrity Function: MD5
                   (c) IKE Mode: Main Mode
                   (d) IKE Group: MODP 768
                 · IPSec proposal
                   (a) Encryption Algorithm: 3DES
                   (b) Integrity Function: HMAC-MD5
                   (c) IPSec mode: tunnel
                   (d) PFS Group: MODP 768