morgan-burns
© 2007 Infoblox Inc. All Rights Reserved.
Infoblox IPAM for Microsoft
Expert Session Workshop
Infoblox IPAM for Microsoft
A new offering from Infoblox, available on Infoblox appliances, that:
• Replaces Excel sheets with real IPAM
• Monitors and manages Microsoft DNS and DHCP services
• Provides network discovery
Architecture – Infoblox IPAM WinConnect
• 1 connector for 15 MS Servers
• 1 DNS server is enough in each AD
• Discovery to detect all IP
Product – Infoblox IPAM WinConnect: Advantages
Advantages over the native MS configuration consoles:
– Simple
• DNS, DHCP and IP address management from a single centralized console
• Intuitive graphical and hierarchical representation of the IP plan
• Extra IPAM info fields (device type, location, owner, custom fields…)
• Easy insight into historic and current IP usage
• Easy discovery of existing IP devices
– Secure
• Granular role-based administration for delegation
• Audit log for follow-up of admin activities
• Secured communication
– Reliable
• WinConnect runs on a hardened appliance
• Centralised backup and restore
Architecture – Infoblox IPAM WinConnect: Discovery
On-demand and automatic discovery (discovery jobs)
Full discovery:
– ICMP sweep to get active IPs
– NetBIOS discovery (nbtscan) to get hostname/MAC of Windows hosts
– Nmap discovery on 12 standard services (telnet, HTTP…) to get remaining hosts
Discovery behind firewalls:
Product – Infoblox IPAM WinConnect: Hierarchical view by location
Get control of your IP address scheme
• Logical containers to manage multiple IP number plans, even with overlapping subnets
• Browse locations, networks and subnets
Subnet by location
Subnet with no location
Low-impact discovery of all IP devices
Product – Infoblox IPAM WinConnect: At-a-glance overview of subnet utilization
Get control of your IP addresses
• Real-time and up-to-date IP directory synchronized with MS DNS/DHCP and discovery
• DHCP lease history, IP address usage history
• Subnet utilization thresholds and alerts
Clear and concise range status
Automatic gathering of IP properties
Product – Infoblox IPAM WinConnect: DHCP server/pool view
Get control of your Microsoft DHCP
• Monitoring and configuration of your DHCP services
• Delegation with granular role-based administration
• DHCP utilization thresholds and alerts
Pool utilization with automatic alerts
Real-time service status with automatic alerts
DHCP configuration functions
Product – Infoblox IPAM WinConnect: IP address pool management
Get control of your Microsoft DHCP
• Monitoring and configuration of your DHCP scopes
• DHCP lease history
Automatic gathering of IP properties
DHCP configuration functions
Product – Infoblox IPAM WinConnect: DNS server/zone view
Get control of your Microsoft DNS
• Monitoring and configuration of your DNS services
• Delegation with granular role-based administration
Real-time service status with automatic alerts
DNS configuration functions
Product – Infoblox IPAM WinConnect: DNS records view
Get control of your Microsoft DNS
• Management and configuration of your DNS records
• Filter, sort and search through your DNS records
Monitor and configure DNS records
Infoblox IPAM for Microsoft – Phase 1: Stand-Alone
• Real-time monitoring of DNS and DHCP data on Microsoft servers
• Easy-to-use Web GUI
• Granular, delegated management of Microsoft DNS & DHCP
• Automatically synchs with any changes made via Microsoft MMC
• Non-invasive integration – no agent software required on Microsoft DNS/DHCP servers
DEDICATED HARDWARE PLATFORM
Infoblox NIOS™ Software
MANAGEMENT
Infoblox IPAM for MS Module
Infoblox IPAM for Microsoft – Phase 2: Integrated
CONFIDENTIAL
• Optional software add-on module available in combination with other Infoblox protocols and services
• Native Infoblox IPAM module provides a complete view of all DNS and DHCP data whether on MS servers or Infoblox appliances
DEDICATED HARDWARE PLATFORM
INFOBLOX NIOS™ SOFTWARE
bloxSDB™ Database
bloxHA™ Failover
bloxSYNC™ Data Assurance
DNS, DHCP, IPAM, RADIUS, TFTP, HTTP, NTP, API, MANAGEMENT, VitalQIP, NAC, MS Connector
Infoblox IPAM for Microsoft - Value Proposition
Replace your spreadsheet
• On demand and automatic discovery of IP devices
• Real-time and dynamic IP address repository
• Pull IP information from existing Microsoft DNS and DHCP servers
Implement Easily
• Non-intrusive: No agent installed on Microsoft DNS/DHCP servers
• Uses a non-invasive connector (connector can be configured in read only mode)
Improve Control
• Provides strong reporting capabilities
• Keeps history on IP assignment (SoX compliance)
Share Access & Delegate
• User-friendly and intuitive Web GUI
• Management of user profiles (reader, operator, administrator)
• Delegate 1st-level, day-to-day tasks (support, DNS Entry set-up, DHCP pool monitoring)
Products Pricing: Phase 1
$3k to $6k
| Products | Pricing | Company Size | IPAM Costs | Return on Investment |
|---|---|---|---|---|
| Infoblox-250 IPAM for MS | $3,000 to $6,000* | Up to 1,500 employees (2,000 nodes) | $8,000 / year | 9 months |
| Infoblox-550 IPAM for MS | $5,000 to $11,000* | Up to 4,000 employees (5,000 nodes) | $20,000 / year | 6 months |
| Infoblox-1050 IPAM for MS | $10,000 to $20,000* | Up to 8,000 employees (10,000 nodes) | $40,000 / year | 6 months |
| Infoblox-1550 IPAM for MS | $15,000 to $55,000* | Up to 40,000 employees (50,000 nodes) | $200,000 / year | 3 months |
*Assumes base price for appliance licensed with a base number of IPs, then $2/IP for additional IPs
Product - Competitors
| Vendor / Software | Features |
|---|---|
| IP Control V 3.0 (software), IP Control Sapphire V 3.0 (appliances) | IP Address Management; DNS/DHCP Management (ISC and Microsoft); DNS/DHCP Appliances |
| Men & Mice Suite V. 5.5 (software) | IP Address Management Module; DNS Management Module; DHCP Management Module; Analyzing and monitoring Module |
Agents need to be installed on every server
– Risk: agent installed on AD/DC servers is not latest
– Responsibility: MS Team will never allow network team to install agents on MS DNS/DHCP servers
DNS/DHCP-management-oriented vs IPAM:
– MMC is working fine, no need to have a solution to manage MS DNS/DHCP servers
Other:
– No friendly Web GUI
Infoblox IPAM for Microsoft
Product demo and labs
SE Workshop
Introduction
Infoblox IPAM for MS is a tool for managing IP address spaces and native MS AD environments.
Major features:
• Real-time and dynamic IP address repository
• On-demand and automatic discovery of IP devices
• Pull IP information from existing DNS and DHCP services
• Configure DNS and DHCP servers
• User-friendly and intuitive Web GUI
• Management of user profiles
• Reporting
• Import/Export
• CLI
Architecture
[Diagram labels: Helpdesk, Network Admin, Local Admin, Security; Read, Admin, Import, Operator; Infoblox IPAM for Microsoft; Discovery; XML protocol/SSL; DNS/DHCP Connector; Manage (WMI); DHCP Microsoft 2000/2003; DNS Microsoft 2000/2003]
Architecture
Infoblox IPAM for Microsoft:
– Appliance for the server modules
– Postgres DB, Apache/PHP web service, C++ code
MS DNS/DHCP & AD connectors:
– Run on Windows 2000/2003 servers, also Win2000, XP, Vista with Admin Pack
– 1 instance can manage servers in 5 different AD domains, or 20 DNS/DHCP in the same AD
Protocols:
– HTTP/HTTPS to access the GUI
– XML protocol, can be SSL secured
– WMI for MS management
Architecture
Advantages over the native MS management tools:
– IPAM/DNS/DHCP from a single and central console
– Graphical and hierarchical representation of the IP address scheme, can easily see what is where
– Extended IP properties (asset tag, object class, customized fields…)
– IP history
– Discovery of all IP devices
– Higher granularity to manage user privileges: rights can be set up on different subnets within the same DNS zone or DHCP server. Operator profile for basic admin tasks (IP provisioning, DNS RR…)
– Follow-up of user activities to know who has done what
– Easy to backup and restore as everything is in the DB
Product components
• IPAM
• Discovery
• MS DNS/DHCP connector
• MS AD connector
• Import/Reporting
• Labs
As described in phase roll-out some components will become NIOS modules.
Component: IPAM
• Several containers (organizations) in the DB to manage several IP address schemes, even with overlapping subnets
• Browse networks/locations
• Contacts, documents
• Device classification
• DHCP lease history, IP history
• Used, unused, static, dynamic
• Searching, find IP address from the search, then go to
• Filter on device type, location, subnet
• DHCP and subnet utilization threshold
• IP extended attributes
Component: Discovery
On-demand and automatic discovery (discovery jobs)
Full discovery:
– ICMP sweep
– NetBIOS discovery (nbtscan)
– Nmap discovery on 12 standard services
Discovery behind firewalls:
[Diagram labels: CLI/Discovery, OrgA, OrgB, CLI/Discovery, Infoblox IPAM for Microsoft]
Component: Discovery
Integration with CiscoWorks LMS to get additional information for each IP address:
– Automatic creation of subnets and VLAN information
– Extended attributes:
• Switch
• Port
• Phone number (IP phone)
• …
– Nothing is required on the CiscoWorks side, agentless solution. We only need an account in CW and HTTP/HTTPS access to its export servlet.
Component: MS DNS/DHCP Connector
• Connector to read and configure MS DNS/DHCP servers
• Can be installed locally on each server or on a remote Windows machine with Admin Pack
• Connector runs as a Windows service and needs DNS/DHCP admin rights
• Communication with the central server uses 1 TCP port, which can be configured and secured with SSL
• Communication with remote MS DNS/DHCP uses WMI
• Several timers to configure synchronization of configs, leases and zones
• Connector processes data locally and sends a diff to central DB
Component: MS AD Connector
• Logs AD events in the central DB
• Associates AD events with IP events: you know which user is connected on which IP address
• Same architecture as the MS DNS/DHCP connector
Component: Import/Reporting
Import of initial data with CSV files:
– Organizations
– Locations
– Contacts
– Subnets
– Object class
– IP
Reporting:
– IP address/subnet/location/contact/class…
– Subnets, including statistics
– DHCP scopes, including statistics
– History reporting
– Schedule reporting jobs
Component: Import/Reporting
Reporting, sample reports:
– IP address:
– IP history:
Component: CLI
Import/Reporting
Discovery with 4 modes:
– Ping
– Nbt
– Nmap
– Full
Mass updates:
– DNS records
– DHCP reservations
– IP properties (object class, asset number…)
Mass delete
CLI can be used remotely as an API (PHP pages for instance)
Demo and Labs
How to start with IPAM
Discovery
MS DNS/DHCP management
Lab 1: How to start
Connect to the web GUI:
– http://IP-of-your-IPAM
Lab 1: How to start
Explore IPAM features in demo database
Lab 1: How to start
Create a new organization
Lab 1: How to start
Go to the home page and select the new organization
Lab 1: How to start
Create a location
Lab 1: How to start
Create a subnet
Lab 1: How to start
Create a host
Create a contact
Create an object class
Create a document
Lab 2: Discovery
Start a manual discovery
Schedule a discovery job
Lab 3: MS DNS/DHCP management
Create an account for the connector on the central IPAM:
Lab 3: MS DNS/DHCP management
Create an account for the connector in the MS environment:
– Open Active Directory Users and Computers
– Fill in the account credentials
– Set the account in DNSAdmin, DHCPAdmin and Administrators groups
Lab 3: MS DNS/DHCP management
Install DNS/DHCP connector
– Run IpantoAgentWin_3.0.2.exe and follow the instructions of the wizard.
– Edit C:\Program Files\Ipanto Agent\aipd-win.conf with Wordpad:
• In the « server » section, set « host » key to the IP address of your IPAM
• In the « config » section, set « name » key to the name of the connector
• In the « runtime » section, set « verbose » key to 5
Lab 3: MS DNS/DHCP management
Configure connector settings for DHCP
service dhcp "WIN2K3-VM4-60"
{
    # Network address of the server to contact.
    # The address must be given as an IP address in numeric format, enclosed
    # by double quotes (eg: "192.168.7.99").
    # Loopback addresses are not authorized.
    server_address "10.67.3.60";
    # Configuration access control.
    # A value of 1 limits Ipanto(r) Server access to read only, while a value of 0 allows
    # read/write access.
    read_only 0;
}
Lab 3: MS DNS/DHCP management
Configure connector settings for DNS
service dns "win2k3-vm4-60.ad.infoblox.net"
{
    # Configuration access control.
    # A value of 1 limits Ipanto(r) Server access to read only, while a value of 0 allows
    # read/write access.
    read_only 0;
}
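A small audit of the connector's service blocks, as an added example that is not part of the original slides or of the product: it flags blocks left at read_only 0 (read/write), blocks with no read_only key, and server_address values that the config comments rule out (loopback or non-numeric). The block grammar is inferred from the two excerpts above, and the sample names and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample in the syntax of the excerpts above (names and addresses made up).
SAMPLE_CONF = '''
service dhcp "DHCP-A"
{
# Network address of the server to contact.
server_address "10.67.3.60";
read_only 0;
}
service dns "dns-a.example.test"
{
read_only 1;
}
service dhcp "DHCP-B"
{
server_address "127.0.0.1";
}
'''

# Grammar inferred from the two excerpts on this page, not from vendor documentation.
BLOCK = re.compile(r'service\s+(dns|dhcp)\s+"([^"]+)"\s*\{(.*?)\}', re.S)
SETTING = re.compile(r'^\s*(\w+)\s+"?([^";]*)"?\s*;', re.M)

def parse_services(text):
    """Return [(kind, name, {key: value})] for every service block."""
    services = []
    for kind, name, body in BLOCK.findall(text):
        body = re.sub(r'#.*', '', body)  # drop comment lines before reading keys
        services.append((kind, name, dict(SETTING.findall(body))))
    return services

def audit(text):
    """Return findings as (service name, message) tuples."""
    findings = []
    for _kind, name, keys in parse_services(text):
        mode = keys.get('read_only')
        if mode == '0':
            findings.append((name, 'read_only 0: IPAM server has read/write access'))
        elif mode is None:
            findings.append((name, 'read_only not set: access mode is implicit'))
        addr = keys.get('server_address')
        if addr is not None:
            try:
                if ipaddress.ip_address(addr).is_loopback:
                    findings.append((name, 'server_address is a loopback address'))
            except ValueError:
                findings.append((name, 'server_address is not a numeric IP'))
    return findings
```

Calling `audit()` on the text of a real configuration file returns one tuple per finding; an empty list means every service block is read-only with a valid address.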
Lab 3: MS DNS/DHCP management
Configure the Ipanto service to use the Infoblox account:
Lab 3: MS DNS/DHCP management
Check the MS event logs for Ipanto events:
Lab 3: MS DNS/DHCP management
Configure DNS from Infoblox IPAM
– Create a new forward zone
– Create a new reverse zone
– Manage DNS records from a zone
– Assign a new IP address and create the DNS records
Lab 3: MS DNS/DHCP management
Configure DHCP from Infoblox IPAM
– Create a new scope
– Configure DHCP server options
– Configure DHCP pool options
– Configure a DHCP reservation
– Generate leases on the DHCP server
Q&A