
IT 216 Final Group 3


8/22/2019 IT 216 Final Group 3

http://slidepdf.com/reader/full/it-216-final-group-3 1/32

 

Environment Configuration

Servers | Routers | Firewalls | IP’s 

Created By:

Oliver Karr

Chad Brown

Matt Graham 


Network diagram (labels recovered from the figure):

Corp Servers (Corp.Group3.Tech)
  GP3ADS001: AD-Domain Controller, DNS, DFS sync to GP3DFS001
  GP3ADS002: AD-Domain Controller, DNS, DHCP
  GP3DFS001: AD-Tools, DFS sync to GP3ADS001, Exchange 2010: HUB CA Mailbox, RDP-Manager

Client Machines: Win7-1, Win8-1, Win7-2

DMZ Servers (Group3.Tech)
  GP3DMZDNS: WORKGROUP, Stand-alone DNS
  GP3WEB001: WORKGROUP, Stand-alone IIS
  GP3EML001: WORKGROUP, Exchange 2010: Edge Transport


Contents

Infrastructure
  Router: Cisco 4507
  Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5
  Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5
DMZ
  GP3WEB001 - 10.145.223.8
  GP3EML001 - 10.145.223.9
  GP3DMZDNS - 10.145.223.7
Internal Network
  GP3ADS001 - 10.145.243.10
  GP3ADS002 - 10.145.243.11
  GP3DFS001- 10.145.243.52
  C1 - Set to DHCP
  C2 - Set to DHCP
  C3 - Set to DHCP
Testing Scenarios and Results
  Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5
  Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5
  Proxy Server:
  Web Server: GP3WEB001 - 10.145.223.8
  E-Mail Server: GP3EML001 - 10.145.223.9
  DNS: GP3DMZDNS - 10.145.223.7
  Configuring a Syslog Server: Installation and Configuration
  Active Directory: GP3ADS001 - 10.145.243.10
  Active Directory: GP3ADS002 - 10.145.243.11
  File Share Server: GP3DFS001 - 10.145.243.12


Infrastructure

Router: Cisco 4507

The router is preconfigured by ISP (AlanNET) with a public IP range of 10.145.200.131 to 140.

  10.145.200.131 for MS-RDP (tested, takes authenticated user to GP3DFS001)

  10.145.200.132 for WEB (

  10.145.200.133 for DMZDNS

  10.145.200.134 for DMZ EMAIL (Mail Enable tested, internal and outgoing mail) 

  10.145.200.135 for VPN PPTP

  10.145.200.136 (Not Assigned) 

  10.145.200.137 (Not Assigned) 

  10.145.200.138 (Not Assigned) 

  10.145.200.139 (Not Assigned) 

  10.145.200.140 (Not Assigned) 

Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5

a.  “First Line of Defense” configured to route traffic to the DMZ servers and to the WAN port of Firewall 2.

a.  Port Forwarding

b.  1:1 NAT

c.  All outgoing traffic is auto configured by pfsense.


b.  Rules

a.  WAN

Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5

1.  Firewall 2 is configured to route traffic from the DMZ zone to the Private LAN.

2.  VPN setup for PPTP

a.  Configuration


3.  Firewall 2 is also configured with Squid and Squidguard to provide a proxy server for the clients, as well as an active blacklist for websites that shouldn't be accessed.

a.  Proxy Server Settings for client-side.


b.  Configuration on firewall


c.  Black List rule configuration settings


d.  Testing Squid Guard

4.  HAVP antivirus is also installed; it has been tested and confirmed working.

a.  Anti-Virus status page


b.  Anti-Virus Test Passed. Used www.eicar.org\download\eicar.com.txt


Installing and Configuring Snort:

Fig 1 – Configuring the interface and verifying that Snort is enabled and that blocking of attacks is enabled.


Fig 2 – Configuring the global settings of Snort: installing and configuring the various rules, the Emerging Threats rule, the automatic updates rule, and the logging and removal of blocked hosts rule.


Fig 3 – Under the If Settings tab, configuring the interface with these specific settings.


Fig 4 – Under the Preprocessors tab, enabling the following options: “Collect Performance Statistics for this interface” and “Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies”.


Fig 5 – In the Preprocessors tab, enabling the following options under the “Portscan Settings” section, and also enabling the following options in the “General Preprocessor Settings” section.

DMZ

GP3WEB001 - 10.145.223.8

1.  Server 2008 R2 Service Pack 1

a.  GP3WEB001 is not joined to a domain but instead left on WORKGROUP.

2.  Enabled remote desktop NLA

3.  Added local Administrator account for each administrator on the network.

a.  Added each Administrator to the RDP-NLA access list

4.  Firewall 1 has PAT set up to redirect port 80 traffic to the Web Server.


5.  The Web server is hosting the public website for our Group3.com.

6.  Downloaded a HTML template and placed it within the C:\Inetpub\wwwroot directory

a.  The IIS default website, created during installation, uses the Index.html file of the template to display our website.

b.  An A record in corp.group3.tech was created to point to the DMZWEB server. Later a group policy will be created to have all users' default homepage load as our website.

i.  Corpweb 10.145.223.8

c.  The website is accessible from the public and other Group# companies.

d.  Once our DMZDNS is registered with AlanNet, our A and MX records will lead our public searchers to our website.

GP3EML001 - 10.145.223.9

1.  Server 2008 R2 Service Pack 1

a.  GP3EML001 is not joined to a domain but instead left on WORKGROUP.

b.  The Network is set to group3.tech (see the two images below)

2.  Enabled remote desktop NLA

3.  Added local administrator account for each administrator on the network.

a.  Also added each admin to the RDP-NLA access list

4.  Installed Exchange 2010

a.  Edge Transport Role with Management Tools

i.  Once the Transport role is installed, the remaining steps are completed by the HUB Transport in the corp VLAN. Use the following command “New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"” to generate a Subscription on the EDGE; this is how the HUB can control the edge server. Copy the XML file to the GP3DFS001 and import the Edge Server.

b.  Firewall 1 has the PAT\NAT set up to redirect port 25 traffic to the email server 10.145.223.9.


c.  Ensure either the HOST file or DMZDNS is modified with the 10.145.223.6 GP3DFS001

d.  Ensure that FW2 has DNS port 53 and port 586 forwarded to the LAN address (not a specific machine).

i.  This allows both DNS servers to listen and the Exchange Hub Role to listen as well.

5.  Roles Installed - Active Directory Lightweight Directory Services, Web Server (IIS)

6.  Features Installed - RPC over HTTP Proxy, Remote Server Administration Tools, Role Administration Tools, AD DS and AD LDS Tools, AD DS Snap-Ins and Command-Line Tools, Active Directory Administrative Center, Server for NIS Tools, AD LDS Snap-Ins and Command-Line Tools, Active Directory module for Windows PowerShell, Web Server (IIS) Tools, Windows Process Activation Service, Process Model, .Net Environment, Configuration APIs, .Net Framework 3.5.1 Features

GP3DMZDNS - 10.145.223.7

1.  Server 2008 R2 Service Pack 1

a.  GP3EML001 is not joined to a domain but instead left on WORKGROUP.

b.  The Network is set to group3.tech (see the two images below)

2.  Enabled remote desktop NLA

3.  Added local administrator account for each administrator on the network.

a.  Also added each admin to the RDP-NLA access list

4.  DNS is installed as a standalone server, as it is not joined to the domain.

a.  The TCP/IP settings are set to itself and 8.8.8.8 (Google DNS).

b.  The Zone Transfer is set to Any Server.

i.  The corp DNS is set up to pull this server’s DNS entries as a STUB zone.

c.  Each A-Record is created manually, as the servers do not create or update the records as they change.

5.  Roles Installed - DNS Server

6.  Features Installed - Remote Server Administration Tools, Role Administration Tools, DNS Server Tools

7.  Created A records for:

a.  Each DMZ server

b.  Corpweb, internal website

c.  Pfsense, to easily access the pfsense firewall

Internal Network 

GP3ADS001 - 10.145.243.10

1.  Server 2008 R2 Service Pack 1

2.  Active Directory

a.  Domain Name: Corp.Group3.Tech

3.  DNS (primary)


4.  File Services

a.  Distribution File Services

i.  Uses 2nd HDD for DFS replication to GP3DFS001 and hosts the \\corp.group3.tech\cloud namespace

GP3ADS001 is the first Domain Controller for Corp.Group3.tech. All 5 of the FSMO roles are present on this server, as Exchange had issues installing when the Infrastructure Operation Master was on GP3ADS002. DNS is installed for Active Directory. These records, for the most part, are updated as machines are added and removed. A few additional configurations were made: adding the reverse lookup zones for the CORP and DMZ networks, and adding “STUB” zones for the DMZ (ensure the DMZ DNS Name Server IP is not the loopback). Distributed File Services is installed and replicated to GP3DFS001.

GP3ADS002 - 10.145.243.11

1.  Server 2008 R2 Service Pack 1

2.  Active Directory

a.  Domain Name: Corp.Group3.Tech

3.  Enabled remote desktop NLA

4.  DNS (secondary)

5.  DHCP

a.  Subnet: 10.145.243.50 – 100

b.  DNS: 10.145.243.10, 10.145.243.11

c.  Gateway set to 10.145.243.5

GP3DFS001- 10.145.243.52

1.  Server 2008 R2 Service Pack 1

2.  Features Installed - RPC over HTTP Proxy, Remote Server Administration Tools, Role Administration Tools, AD DS and AD LDS Tools, AD DS Snap-Ins and Command-Line Tools, Active Directory Administrative Center, Server for NIS Tools, Active Directory Module for Windows PowerShell, File Services Tools, Distributed File System Tools, Web Server (IIS) Tools, Feature Administration Tools, Failover Clustering Tools, Telnet Client, Windows Process Activation Service, Process Model, .NET Environment, Configuration APIs, .NET Framework 3.5.1 Features, WCF Activation, HTTP Activation, Non-HTTP Activation

3.  Active Directory Services Installed (not a DC)

a.  Domain Name: Corp.Group3.Tech

4.  Enabled remote desktop NLA

a.  Firewall 1 passes port 3389 from internet to Firewall2 WAN. Firewall2 passes 3389 from DMZ WAN to GP3DFS001. From here we can manage the whole environment.

5.  Install Remote Desktop Manager from Microsoft.com

a.  Configure RDP list for EACH server and Client


6.  Install role DFS

a.  GP3DFS001 is a Distributed File Server with GP3ADS001

7.  Install Exchange 2010 HUB, CA & Mailbox Roles

a.  Sync with GP3EML001 in the DMZ using the Edge generated sub transcript.

b.  The HUB server is the only way to edit the settings on the Edge Transport server.

c.  Added the additional SMTP receive connectors (FQDN) and send connectors (FQDN).

d.  Ensure DNS can resolve from Corp to DMZ (edge server IP), Corp to Internet, and DMZ to Internet.

i.  Use PING and NSLOOKUP commands to test\diagnose.

NOTE: Exchange successfully sent mail internally and to internet email accounts, e.g. Gmail or Hotmail.

C1 - Set to DHCP

1.  Windows 7: Service Pack 1

a.  Joined To Domain: Corp.Group3.Tech

2.  Enabled remote desktop NLA

3.  Installed Office

a.  Outlook – Auto config to mailbox per user account upon first open

C2 - Set to DHCP

1.  Windows 7: Service Pack 1

a.  Joined To Domain: Corp.Group3.Tech

2.  Enabled remote desktop NLA

3.  Installed Office

a.  Outlook – Auto config to mailbox per user account upon first open

C3 - Set to DHCP

1.  Windows 8:

a.  Joined To Domain: Corp.Group3.Tech

2.  Enabled remote desktop NLA

3.  Installed Office

a.  Outlook – Auto config to mailbox per user account upon first open
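The internal addressing above can be cross-checked mechanically. The following is an added example, not part of the original document: it audits the static addresses and DHCP scope exactly as documented on this page. The function name and finding codes are hypothetical, and it assumes no DHCP exclusion or reservation exists, since the page mentions none.

```python
from ipaddress import IPv4Address

# Addresses as documented on this page. GP3DFS001 is listed twice because the
# page gives it two different addresses (.52 in its section, .12 elsewhere).
STATIC_HOSTS = [
    ("Firewall 2 LAN", "10.145.243.5"),
    ("GP3ADS001", "10.145.243.10"),
    ("GP3ADS002", "10.145.243.11"),
    ("GP3DFS001", "10.145.243.52"),
    ("GP3DFS001", "10.145.243.12"),
]
DHCP_POOL = ("10.145.243.50", "10.145.243.100")
DHCP_OPTIONS = {"gateway": ["10.145.243.5"],
                "dns": ["10.145.243.10", "10.145.243.11"]}


def audit_plan(static_hosts, pool, options):
    """Return sorted (code, detail) findings for a static/DHCP address plan."""
    lo, hi = IPv4Address(pool[0]), IPv4Address(pool[1])
    names_by_ip, ips_by_name, findings = {}, {}, []
    for name, addr in static_hosts:
        ip = IPv4Address(addr)
        names_by_ip.setdefault(ip, set()).add(name)
        ips_by_name.setdefault(name, set()).add(ip)
        # Assumption: no exclusion or reservation covers this address, so the
        # DHCP server may lease it to a client and cause a conflict.
        if lo <= ip <= hi:
            findings.append(("STATIC_IN_POOL", f"{name} {ip} is inside {lo}-{hi}"))
    for name, ips in ips_by_name.items():
        if len(ips) > 1:
            listed = ", ".join(str(ip) for ip in sorted(ips))
            findings.append(("CONFLICTING_RECORDS", f"{name} documented as {listed}"))
    for ip, names in names_by_ip.items():
        if len(names) > 1:
            findings.append(("DUPLICATE_ADDRESS", f"{ip} used by {', '.join(sorted(names))}"))
    for option, addrs in options.items():
        for addr in addrs:
            ip = IPv4Address(addr)
            if ip not in names_by_ip:
                findings.append(("OPTION_TARGET_UNKNOWN", f"{option} {ip} is not a documented host"))
            if lo <= ip <= hi:
                findings.append(("OPTION_TARGET_IN_POOL", f"{option} {ip} is inside {lo}-{hi}"))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit_plan(STATIC_HOSTS, DHCP_POOL, DHCP_OPTIONS):
        print(f"{code}: {detail}")
```
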


Testing Scenarios and Results

Objectives: Testing the Infrastructure of Firewall #1, Firewall #2, Web Server, DNS Server, Internal Network, Active Directory Server, DHCP, VPN, E-Mail, Proxy Server with Anti-Virus Installed, Accessing The Group 3 Website & Installing and Configuring a Syslog Server

Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5

Accessing Firewall #1 through pfSense


Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5

Accessing Firewall #2 through pfSense


Proxy Server:

HAVP is set up properly and is fully operational

After trying to gain access to an inappropriate website, we can see that, just like HAVP, Squidguard is set up properly and is fully operational


Web Server: GP3WEB001 - 10.145.223.8

On the Web Server, running a trace route to group3.tech from the command line prompt

Accessing the Group 3 Website http://www.group3.tech

E-Mail Server: GP3EML001 - 10.145.223.9


 Sent and received E-mail between Group 3 and Group 1

E-Mail sent, received and replied to [email protected]  

DNS: GP3DMZDNS - 10.145.223.7


Using the command line prompt on the Web Server to ping the DNS machine “GP3DMZDNS - 10.145.223.7”

On the DNS machine “GP3DMZDNS - 10.145.223.7”, viewing the A Records from the Server Manager


Configuring a Syslog Server: Installation and Configuration

Configure remote logging from the internal and external firewalls

Configure pfSense Firewall 2 with a LAN and WAN rule allowing port 514 to send to the DMZDNS server. “Please Note: Had to create a rule to allow Port #514 through WAN”


Checked statistics to make sure the syslog server is receiving logs from both firewalls
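The "receiving logs from both firewalls" check can be scripted rather than read off a statistics page. This is an added example, not part of the original document: it summarises which expected senders delivered well-formed syslog datagrams. The sample datagrams are constructed, the function names are hypothetical, and it assumes each firewall sends from its DMZ-side interface (Firewall 1 LAN 10.145.223.5, Firewall 2 WAN 10.145.223.6).

```python
import re
from collections import Counter

# Assumption: each firewall sends from its DMZ-side interface (addresses from the page).
EXPECTED_SENDERS = {
    "10.145.223.5": "Firewall 1 (LAN)",
    "10.145.223.6": "Firewall 2 (WAN)",
}

# Constructed sample: (sender IP, raw UDP/514 payload) pairs as a receiver would see them.
SAMPLE_DATAGRAMS = [
    ("10.145.223.5", "<134>Aug 22 10:15:01 fw1 demo: constructed message 1"),
    ("10.145.223.5", "<132>Aug 22 10:15:04 fw1 demo: constructed message 2"),
    ("10.145.223.6", "<134>Aug 22 10:15:07 fw2 demo: constructed message 3"),
    ("10.145.223.8", "<30>Aug 22 10:15:09 web demo: constructed message 4"),
    ("10.145.223.6", "no PRI header, constructed malformed payload"),
]

PRI_RE = re.compile(r"<(\d{1,3})>")


def parse_pri(payload):
    """Return (facility, severity) from the leading <PRI> field, or None if invalid."""
    match = PRI_RE.match(payload)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    return pri // 8, pri % 8


def sender_coverage(datagrams, expected):
    """Summarise well-formed and malformed datagrams per sender."""
    valid, malformed = Counter(), Counter()
    for sender, payload in datagrams:
        if parse_pri(payload) is not None:
            valid[sender] += 1
        else:
            malformed[sender] += 1
    seen = set(valid) | set(malformed)
    return {
        "valid": dict(valid),
        "malformed": dict(malformed),
        # Expected senders with no well-formed message: logging is not arriving.
        "silent": sorted(ip for ip in expected if valid[ip] == 0),
        # Senders that were never configured to log here deserve a second look.
        "unexpected": sorted(seen - set(expected)),
    }


if __name__ == "__main__":
    report = sender_coverage(SAMPLE_DATAGRAMS, EXPECTED_SENDERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```
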

 Active Directory: GP3ADS001 - 10.145.243.10


Accessing the Server Manager in the Active Directory Machine “GP3ADS001 - 10.145.243.10” and showing that all the necessary roles are installed

 Active Directory: GP3ADS002 - 10.145.243.11

DHCP


Accessing the Server Manager in the Active Directory Machine “GP3ADS002 - 10.145.243.11” and showing that the DHCP Server is correctly configured

File Share Server: GP3DFS001 - 10.145.243.12

Distributed File System installed as a Role, with Corp.Group3.Tech successfully replicated under the sub-folder entitled Cloud1

Remote Desktop Hub to environment 


Administrators can use Remote Desktop from the “Internet” side of FW1 to the File Server and successfully access the rest of the Internal Network