HP Advanced Services zl Module with Microsoft® Windows Server® 2008 R2 Planning and Design Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

HP Advanced Services zl Module

Planning and Design Guide

with Microsoft

Windows Server

2008 R2

Summary of content (64 pages)

PAGE 1
HP Advanced Services zl Module with Microsoft® Windows Server® 2008 R2 Planning and Design Guide
PAGE 2
© Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of HewlettPackard.
PAGE 3
Contents Branch Office Solutions with the Advanced Services zl Module with Microsoft Windows Server 2008 R2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Planning Your Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Distributed Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Survivable Services . . . . . . . . . . . . . . . . . . . . .
PAGE 4
Solution 2: Survivable Wireless Networking Problem: Need for Survivable Mobility and Network Services . . . . . . . . . . 3-1 Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP E-MSM765 zl Mobility Controller . . . . . . . . . . . . . . . . . . . . . 3-2 Solution Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 Solution Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 5
Solution 4: Survivable Authentication and Authorization Problem: Need for Survivable Authentication and Authorization . . . . . . . 5-1 Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP PCM/IDM Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Solution Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Solution Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 6
vi
PAGE 7
1 Branch Office Solutions with the Advanced Services zl Module with Microsoft Windows Server 2008 R2 Overview The HP Advanced Services zl Module with Microsoft® Windows Server® 2008 R2 (J9666A) is a zl switch module with integrated Windows Server 2008 R2, Standard Edition, software. When you install the module in an HP E5400 zl or E8200 zl Series switch, the module automatically boots to the prelicensed Windows Server 2008 R2 OS.
PAGE 8
Branch Office Solutions with the Advanced Services zl Module with Microsoft Windows Server 2008 R2 Planning Your Services Planning Your Services You must decide which services you want to host locally on an HP Advanced Services zl Module with Microsoft Windows Server 2008 R2.
PAGE 9
Branch Office Solutions with the Advanced Services zl Module with Microsoft Windows Server 2008 R2 Planning Your Services Survivable Services You should also deploy services that require survivability—that is, users must be able to access them at any time, including during a WAN link failure— locally at each branch. At the most basic level, services that require survivability allow employees to stay connected to the network.
PAGE 10
Branch Office Solutions with the Advanced Services zl Module with Microsoft Windows Server 2008 R2 Planning for Virtualization Planning for Virtualization The server software on the HP Advanced Services zl Module with Microsoft® Windows Server® 2008 R2 is prelicensed for the Standard Edition. The software license allows you to run one instance of the server in the physical operating system environment (POSE) and one in a virtual operating system environment (VOSE).
PAGE 11
Branch Office Solutions with the Advanced Services zl Module with Microsoft Windows Server 2008 R2 Planning for Connectivity Planning for Connectivity The HP Advanced Services zl Module with Microsoft® Windows Server® 2008 R2 has a high-speed, resilient connection to the LAN with two 10 Gigabit internal interfaces that connect to the switch’s backplane. By default, the module connects on a single interface, internal interface 2 being enabled and internal interface 1 being disabled.
PAGE 12
Branch Office Solutions with the Advanced Services zl Module with Microsoft Windows Server 2008 R2 Solutions Overview Solutions Overview This guide describes four solutions that demonstrate how you can deploy the HP Advanced Services zl Module with Microsoft Windows Server 2008 R2. On its own, the module hosts critical applications and delivers all of the basic Windows services required at a branch.
PAGE 13
Branch Office Solutions with the Advanced Services zl Module with Microsoft Windows Server 2008 R2 Solutions Overview Branch Need Solution Branch Size Solution 3 Survivable voice and communication services Less than1000 • HP Advanced Services zl employees Module with Microsoft Windows Server 2008 R2 • HP Survivable Branch Communication zl Module powered by Microsoft LyncTM • Lync solution at the data center Solution 4 Access control over users and survivable services 400 endpoints • HP Advanced Ser
PAGE 14
Branch Office Solutions with the Advanced Services zl Module with Microsoft Windows Server 2008 R2 Solutions Overview 1-8
PAGE 15
2 Solution 1: WAN Optimization and Survivability Problem: Congested, Non-Resilient WAN Connection A company has a branch office with just under 100 employees. The employees routinely rely on resources and services that are stored at the corporate data center. Due to these constant requests to the data center, the WAN link is experiencing congestion and, as a result, employees have complained that the network is slow.
PAGE 16
Solution 1: WAN Optimization and Survivability Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP AllianceONE Extended Services Figure 2-1. Problem: Congested WAN Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP AllianceONE Extended Services zl Module with Riverbed® Steelhead RiOS® The company will deploy an HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 to support basic Windows services at the branch.
PAGE 17
Solution 1: WAN Optimization and Survivability Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP AllianceONE Extended Services at the branch, helping to decrease congestion on the company’s WAN link. In addition, by supporting basic network services locally, the module protects branch users’ access to local resources in the case of a WAN failure.
PAGE 18
Solution 1: WAN Optimization and Survivability Solution Components Solution Components Figure 2-2 shows an example network design for this solution. Figure 2-2.
PAGE 19
Solution 1: WAN Optimization and Survivability Solution Implementation • Any additional interface modules the company requires for connectivity The switch in the example network is an HP E5406 zl switch.
PAGE 20
Solution 1: WAN Optimization and Survivability Solution Implementation Software Version The HP zl switch in which you install the modules that support this solution requires software version K.14.65, K.15.03, or greater. Version K.15.03 or greater is recommended because it supports seamless failover from an active to a standby management module on E8200 zl Series switches.
PAGE 21
Solution 1: WAN Optimization and Survivability Solution Implementation Switch Clock Both HP zl Services modules take their time from the switch clock. If that clock is not accurate, the services might fail; for example, the Windows Server 2008 R2 running on the module cannot join the domain. Therefore, it is recommended that the HP zl switch use SNTP to synchronize its clock to the same server used by the domain controller.
PAGE 22
Solution 1: WAN Optimization and Survivability Solution Implementation tagged f2 untagged a15-a21 exit vlan 8 name “LAN8” ip address 10.10.8.1 255.255.255.0 tagged f2 untagged a22-a24 exit ip routing ip route 0.0.0.0/0 10.10.2.
PAGE 23
Solution 1: WAN Optimization and Survivability Solution Implementation In this example, the module is installed in slot C, and the server belongs in VLAN 5: hostzlswitch(config)# vlan 5 untagged c2 3. Move to the module’s CLI and set the module’s IP address. a. View the Services zl Modules installed in the switch: hostzlswitch(config)# show services You should see output similar to the following. Note the slot letter and index number for the service described as Branch Core Svcs Module-Standard.
PAGE 24
Solution 1: WAN Optimization and Survivability Solution Implementation Enter P@ssw0rd and then set the new password, following standard Windows complexity requirements. Note The a has been replace with @ and the o with the numeral 0. d. Move to the interface 2 context: hostzlswitch(hp-svcs-std-:win)# interface 2 e. Set the IP address: hostzlswitch(hp-svcs-std-:eth-2)# ip address For this example: hostzlswitch(hp-svcs-std-C:eth-2)# ip address 10.10.5.2 255.255.
PAGE 25
Solution 1: WAN Optimization and Survivability Solution Implementation • DHCP • IIS and FTP • Print Services • File Services Again, follow Microsoft guidelines for installing and configuring these services. No special considerations apply to the server running on this module that would not apply to another branch office server. 8. You can then install any other desired roles, features, and applications.
PAGE 26
Solution 1: WAN Optimization and Survivability Solution Implementation amnesiac (config)# in-path procurve map zone id 1 interface wan0_0 6. You do not need to map the zone that you created for the Riverbed zl module’s internal interface 2 (NORMAL, in this example) to an interface. Next enable your zone policy, which is named intercept in this example: amnesiac (config)# in-path procurve zone-serv-pol name intercept amnesiac (config)# in-path procurve zone-serv-pol enable 7.
PAGE 27
3 Solution 2: Survivable Wireless Networking Problem: Need for Survivable Mobility and Network Services A public high school has a network of 400 to 500 wired clients, including PCs, laptops, printers and phones. Currently, Ethernet ports offer the only means of access to the network, which provides little flexibility or mobility. The school district would like to deploy a wireless solution at the high school that is similar to wireless solutions that it has deployed elsewhere.
PAGE 28
Solution 2: Survivable Wireless Networking Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP E-MSM765 zl Mobility Controller Figure 3-1. Problem: Need for Survivable Mobility and Network Services Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP E-MSM765 zl Mobility Controller The school district will establish a wireless network at the high school by deploying an HP E-MSM765 zl Mobility Controller and 17 HP E-MSM APs.
PAGE 29
Solution 2: Survivable Wireless Networking Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP E-MSM765 zl Mobility Controller The school district will also deploy an HP Advanced Services zl Module with Microsoft Windows Server 2008 R2.
PAGE 30
Solution 2: Survivable Wireless Networking Solution Components With the Mobility Controller and these Windows services deployed locally at the high school, users’ wired and wireless access is protected in the event of a WAN link failure. The HP E5406 zl switch will now support IP routing as a backup default gateway, ensuring that users’ routed traffic can reach the Internet in the event of a WAN link failure.
PAGE 31
Solution 2: Survivable Wireless Networking Solution Components Figure 3-2.
PAGE 32
Solution 2: Survivable Wireless Networking Solution Implementation The components required to implement this solution are:  At the campus, an HP zl switch with these modules: • HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 • HP E-MSM765 zl Mobility Controller module • Other interface modules as needed for connectivity The switch in the example network is an HP E5406 zl switch.
PAGE 33
Solution 2: Survivable Wireless Networking Solution Implementation Because you are deploying the server running on the module as a read-only domain controller (RODC), you must also ensure that the domain and forests are set up correctly on the other domain controllers. Refer to Microsoft guidelines. Branch HP zl Switch You can configure whatever features your environment requires on the HP zl switch that hosts the Advanced Services zl Module and the E-MSM765 zl Mobility Controller.
PAGE 34
Solution 2: Survivable Wireless Networking Solution Implementation • Internal interface 1—In this solution, the Mobility Controller’s Internet interface bridges wireless users’ traffic into the LAN (the APs could alternatively bridge the traffic themselves). This interface is assigned untagged to VLAN 294. It is also tagged for the user-based VLAN. The IP address will be 10.29.4.20/24 on the untagged VLAN. The tagged VLAN will not have IP addresses.
PAGE 35
Solution 2: Survivable Wireless Networking Solution Implementation Also note that in a real world environment, the branch office would include other switches with similar settings for 802.1X. interface e1 disable vlan 1 name “DEFAULT_VLAN” no untagged a1,b1-b17,c1-c2,e2 untagged a2-a24,b18-b24,e1 exit vlan 192 name “APs” untagged b1-b17,c2 exit vlan 294 name “HighSchool” ip address 10.29.4.2 255.255.255.0 untagged a1,c1,e2 exit vlan 2917 name “HighSchoolUsers” ip helper-address 10.29.4.30 ip address 10.29.
PAGE 36
Solution 2: Survivable Wireless Networking Solution Implementation 2. Access the switch CLI and assign the module’s internal interface 2 to the correct VLAN for the branch server. (This interface is enabled by default and is typically used for LAN traffic as well as switch-to-module communications.) hostzlswitch(config)# vlan untagged 2 In this example, the module is installed in slot E, and the server belongs in VLAN 294: hostzlswitch(config)# vlan 294 untagged e2 3.
PAGE 37
Solution 2: Survivable Wireless Networking Solution Implementation You can alternatively enter: Syntax: services name hp-svcs-std Replace with the ID of the slot in which the module is installed. hostzlswitch(config)# services name hp-svcs-std c. Access the Windows context: hostzlswitch(hp-svcs-std-)# windows SBMAdmin Enter P@ssw0rd and then set the new password, following standard Windows complexity requirements.
PAGE 38
Solution 2: Survivable Wireless Networking Solution Implementation 4. Access the module at its IP address using RDP. Log in to Windows as the SBMAdmin user, entering the new password that you set. 5. Access the Windows Server Manager. 6. Use the wizard to add the Active Directory role, and promote the server to a read-only domain controller for your domain. At the same time, you can configure DNS on the server.
PAGE 39
Solution 2: Survivable Wireless Networking Solution Implementation A network administrator must also configure the Mobility Controller to manage your APs and provide your wireless services. Follow the instructions in the controller’s Management and Configuration Guide, keeping these guidelines in mind:  When you set up authentication, specify the IP address on the server that is running on the local module either for the primary or secondary RADIUS server (10.29.4.30 in this example).
PAGE 40
Solution 2: Survivable Wireless Networking Solution Implementation 3-14
PAGE 41
4 Solution 3: Survivable Communications Problem: Need for Survivable Communications & Collaboration Services A company has a branch office of close to 1000 employees who rely on the company’s Microsoft Lync 2010 solution for communications, including voice and telephony services, web conferencing, and video conferencing. Currently, the WAN link to the company’s data center does not provide high availability, so the branch office is at risk of losing telephony services without a PSTN connection of its own.
PAGE 42
Solution 3: Survivable Communications Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP Survivable Branch Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP Survivable Branch Communications zl Module Powered by Microsoft LyncTM The company will deploy an HP Survivable Branch Communications zl Module (SBM) powered by Microsoft Lync to provide resilient voice communications for the branch.
PAGE 43
Solution 3: Survivable Communications Solution Components The server running on this module can also provide other services to decrease WAN link traffic and enhance branch survivability.
PAGE 44
Solution 3: Survivable Communications Solution Components Figure 4-2. Solution 3 The components required to implement this solution are:  At the branch, an HP zl switch chassis with these modules: • HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 • HP SBM • Other interface modules as needed for connectivity The switch in the example network is an HP E5406 zl switch.
PAGE 45
Solution 3: Survivable Communications Solution Implementation  WAN routers that connect the branch and data center  Switches and routing switches at the branch and data center  Domain controller and other servers at the data center Solution Implementation The following sections provide some basic guidelines for implementing this solution as well as references to places where you can find more information. You may need to adapt these guidelines to fit your particular network infrastructure.
PAGE 46
Solution 3: Survivable Communications Solution Implementation Branch HP zl Switch You can configure whatever features your environment requires on the HP zl switch that hosts the Advanced Services zl Module and the SBM. The sections below provide guidelines for the specific configurations required by this solution. Software Version The HP zl switch in which you install the modules that support this solution requires software version K.14.65, K.15.03, or greater. Version K.15.
PAGE 47
Solution 3: Survivable Communications Solution Implementation Switch Clock Note that the switch must be configured to the correct time. Its modules take their time from the switch clock. If that clock is not accurate, the services might fail; for example, the server cannot join the domain. Therefore, it is recommended that the HP zl switch use SNTP to synchronize its clock to the same server used by the domain controller.
PAGE 48
Solution 3: Survivable Communications Solution Implementation ip default-router 10.4.2.1 qos type-of-service diff-services qos dscp-map 101000 priority 6 name lync_call timesync sntp sntp unicast sntp server priority 1 10.1.2.10 time timezone -480 time daylight-time-rule continental-us-and-canada WAN Router Previously, the WAN router at the branch was forwarding DHCP requests from VLAN 41 and 42 to the DHCP at the data center.
PAGE 49
Solution 3: Survivable Communications Solution Implementation Figure 4-3. HP zl Switch CLI—show services Output b. Access the module’s application OS: Syntax: services Replace with the ID of the slot in which the module is installed. Replace with the index number that you just noted for the service.
PAGE 50
Solution 3: Survivable Communications Solution Implementation For this example: hostzlswitch(hp-svcs-std-E:eth-2)# ip address 10.4.2.30 255.255.255.0 f. Set the default gateway address: hostzlswitch(hp-svcs-std-:eth-2)# ip default-gateway For this example: hostzlswitch(hp-svcs-std-E:eth-2)# ip default-gateway 10.4.2.1 g.
PAGE 51
Solution 3: Survivable Communications Solution Implementation HP SBM Refer to the HP Survivable Branch Communication zl Module (SBM) powered by Microsoft Lync© Installation and Getting Started Guide for instructions on installing this module in the HP zl switch and getting the module up and running. In this example solution, the module’s internal interface 2 is placed in VLAN 41 (untagged), and the module is assigned IP address 10.4.1.20/ 24.
PAGE 52
Solution 3: Survivable Communications Solution Implementation 4-12
PAGE 53
5 Solution 4: Survivable Authentication and Authorization Problem: Need for Survivable Authentication and Authorization A large enterprise company has a branch office with about 400 endpoints. This company implements 802.1X authentication on all edge ports. Currently, users authenticate to NPS servers in the data center.
PAGE 54
Solution 4: Survivable Authentication and Authorization Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP PCM/IDM Agents Figure 5-1. Problem: Need for Survivable Authentication and Authorization Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP PCM/IDM Agents The company will deploy the HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 at the branch.
PAGE 55
Solution 4: Survivable Authentication and Authorization Solution: HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 + HP PCM/IDM Agents The server will also support a PCM+ agent, which works with the centralized PCM+ server, relieving some of the burden required for managing the branch network infrastructure.
PAGE 56
Solution 4: Survivable Authentication and Authorization Solution Components Solution Components Figure 5-2 illustrates the example solution. Figure 5-2. Solution 4 The components required to implement this solution are: ■ At the branch, an HP zl switch with these modules: • HP Advanced Services zl Module with Microsoft Windows Server 2008 R2 with IDM agent • Whatever interface modules the company requires for connectivity ■ The switch in the example network is an HP E5406 zl switch.
PAGE 57
Solution 4: Survivable Authentication and Authorization Solution Implementation Solution Implementation The following sections provide some basic guidelines for implementing this solution as well as references to places where you can find more information. You may need to adapt these guidelines to fit your particular network infrastructure. Predeployment Steps By default, the server that runs on the module requests a DHCP address on its internal interface 2.
PAGE 58
Solution 4: Survivable Authentication and Authorization Solution Implementation The branch LAN itself consists of a single VLAN, VLAN 90. You must specify the module’s internal interface 2 as an untagged member of this VLAN. The module’s IP address will be 172.16.90.30/24 and its default gateway, 172.16.90.1/24. Note Before this solution was implemented, the WAN router forwarded VLAN 90 DHCP requests to the DHCP router in the data center (172.16.25.30).
PAGE 59
Solution 4: Survivable Authentication and Authorization Solution Implementation vlan 1 name “DEFAULT_VLAN” no untagged a1-a24,b1-b24,c2 untagged c1 exit vlan 90 name “Branch” ip address 172.16.90.10 255.255.255.0 untagged a1-a24,b1-b24,c2 exit aaa authentication port-access eap-radius aaa port-access authenticator a2-a24,b1-b24 aaa port-access authenticator active radius-server host 172.16.25.30 key example radius-server host 172.16.90.30 key example ip default-gateway 172.16.90.
PAGE 60
Solution 4: Survivable Authentication and Authorization Solution Implementation You should see output similar to the following. Note the slot letter and index number for the service described as Branch Core Svcs Module-Standard. For example, in Figure 5-3 you can see that the index number is 2. Figure 5-3. HP zl Switch CLI—show services Output b. Access the module’s application OS: Syntax: services Replace with the ID of the slot in which the module is installed.
PAGE 61
Solution 4: Survivable Authentication and Authorization Solution Implementation hostzlswitch(hp-svcs-std-:eth-2)# ip address For this example: hostzlswitch(hp-svcs-std-C:eth-2)# ip address 172.16.90.30 255.255.255.0 f. Set the default gateway address: hostzlswitch(hp-svcs-std-:eth-2)# ip default-gateway For this example: hostzlswitch(hp-svcs-std-C:eth-2)# ip default-gateway 172.16.90.1 g.
PAGE 62
Solution 4: Survivable Authentication and Authorization Solution Implementation Again, follow Microsoft guidelines for installing and configuring these services. No special considerations apply to the server running on this module that would not apply to another branch office server. Important The PCM+ agent will take control of TCP port 21, which is the standard port for FTP. You must change the port on which the FTP server listens, or the FTP services will fail.
PAGE 63
center Connection Manager Controller Management and Configuration
PAGE 64
Technology for better business outcomes To learn more, visit www.hp.com/networking © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP will not be liable for technical or editorial errors or omissions contained herein.