Project HarleyV2


What is HarleyV2

Norske Skog has developed a new, global IT strategy. A priority action for the new IT strategy is to implement a common, global infrastructure for information systems. The goal of this strategy is not only to improve global management, sharing and communication of information but also to greatly reduce the total cost of ownership of information systems.

Project team established at headquarters in Oslo. Local Implementation Managers nominated for each of the 20+ units. The project team in Oslo has the responsibility to produce the systems design, the systems management processes and the processes for continued management and development of the system. It is a regional responsibility to migrate existing regional infrastructures to the HarleyV2 design.

HarleyV2 Design

Requirements

Requirements analysis

Requirements collection and analysis done February – March 2003

Resulted in 115 Requirements Statements, defining project scope and functional specifications

Requirements broken down into 9 areas:
– Directory
– Messaging
– Collaboration
– Desktop
– Application
– Security
– Networking
– Operations
– Deployment

Requirements summary (1)

Directory
– Microsoft Active Directory (AD) based (Windows 2003)
– Provide a global address list for all employees
– Accessible and utilised by future applications requiring information about people, computers and printers.
  • Example applications: Phone directory, Messaging, Software distribution, Software license management, Invoice printing …

Messaging
– Microsoft Exchange 2003
– Outlook client
– Outlook Web Access for external (across Internet) access
– Internal (WAN) routing of all mail between Norske Skog employees

Requirements summary (2)

Collaboration
– Instant messaging available internally
– Support information sharing in voice- and video-conferences

Note: Collaboration infrastructure beyond this taken out of HarleyV2 project, handled by Portal project.

Desktop
– Limit number of client environments supported to a minimum
– Windows XP on all desktop / laptop clients
– Standardised “everything” (desktop look, rights, application portfolio, software distribution, antivirus control …)
– Roaming capability within the company

Requirements summary (3)

Desktop (cont.)
– Access to mail, applications and data from HarleyV2 laptops outside the company
– Automated installation of new applications on all clients
– No unauthorized applications on any client

Applications
– Standardised Office application portfolio, based on Microsoft software
– Support for several languages in Office applications
– Only one application for each “function” in the company. To be achieved through an application portfolio consolidation process (separate project)
– All applications to be packaged and distributed through a centralised scheme

Requirements summary (4)

Security
– A secure boundary between Norske Skog internal network and “other networks”
– A complete antivirus solution for the entire chain of components (servers, clients, mail)
– Proxy access to Internet only (browsing)
– Single point mail access to/from Internet
– No local Internet access points (at mills / offices) - from regional hub only
– Provide a secure extranet design to enable external connectivity to Norske Skog information
– A comprehensive security policy for IT infrastructure, including governance rules and rules of usage (password policy, data storage policy, LAN segmentation policy…)
– Firewall based security scheme for LAN at each mill

Requirements summary (5)

Networking
– Company-wide WAN with any-to-any connectivity (provided by separate WAN project)
– New IP plan for the entire company, providing extendibility and scalability
– LAN standard, comprising network equipment and IP schematics

Operations
– Centrally managed servers, clients and software, supporting cost savings
– External provider of global Operations (HP chosen)
– End-to-end responsibility on Operations provider
– Integration of 2 local FTEs in global operational model

Requirements summary (6)

Deployment
– Rollout to start Autumn 2003 (Europe)
– Rollout to complete before Spring 2004 (Australasia last)
– Involvement of local resources in preparation and rollout activities (LIM to coordinate)
– Centrally planned and coordinated rollout

WAN

Global IP connectivity between all Norske Skog units
– Essential to HarleyV2 infrastructure design

MPLS network, provided by Equant
– AsiaPacific exception: Frame Relay connections between Mills for Elixir - kept as is
– Sydney currently bridge location for MPLS connection to WAN

WAN - topology

[Diagram: WAN topology. Sites shown: Rhodes HP, HP Olympic Park, Albury Mill, Kawerau Mill, Sydney Head Office, Sydney Warehouse, Melbourne Warehouse, Melbourne Marketing, Brisbane Warehouse, Auckland and Mount Maunganui, connected to the Equant Global network and the Internet. Link bandwidth labels range from 32k/64k to 4-8 mbps.]

Global IP schema

Global IP addressing schema
– Using 10.0.0.0/8 class A address
– Regionally divided

Assigning a class B to every Hub, Mill and Large office (100+ users)
– Ex: Skogn: 10.19.0.0/16

Assigning 4 class C to every Small office
– Ex: Graz: 10.2.64.0/22

Additional class B defined for migration purposes

HUB locations

Three HUB locations in network
– Europe HUB (Oslo) Location code: HEU
– AsiaPacific HUB (Sydney) Location code: HAP
– South America HUB (to be decided) Location code: HSA

All HUB locations to be hosted and managed by HP (decision pending for South America)

Internet access points at HUB locations only.

All “central” BackOffice services located at HUB locations. Full redundancy built into HUB location LAN and BackOffice services.

LAN

Today’s diversity in LAN equipment and logical design (among units) to be merged into a common LAN Standard for all units and HUB locations

Complies with Security Design, zone structure

Standardised network equipment : Cisco

Ethernet only supported (Office Network)

LAN - Mills

A Mill is divided into security zones
– Requiring VLAN, LAN routing

Redundant design within zones and on layer-2

One single layer-2 infrastructure centrally managed

Creating a “ring of switches” cost efficient redundancy
– Minimising required cabling
– Minimising number of switches
– Reducing available bandwidth

Layer-3 based routing

Secure wireless design

Flexible Process and MWS design

LAN – layer 3

[Diagram: mill LAN, layer 3. Labelled elements: WAN, WAN-Router, Core-1-switch (layer 3), Core-2-switch (layer 3), Internal FW, Servers, Office resources, Transit, Management, Office Wireless (APs), Office client LAN 1 to 4, IP telephony LANs, Health/Medical, Process transit, Process-router-1, Process-router-2, Process LANs, MWS, MWS Wireless (APs).]

LAN – layer 2

[Diagram: mill LAN, layer 2. Labelled elements: Building A to Building G, Comp 1, Comp 2, Core-sw-1, Core-sw-2, WAN-Router-1 and layer-2 switches L2-sw-1 to L2-sw-5 and L2-sw-7 to L2-sw-10. Links are labelled 1000 Mb, with one link labelled 100 Mb.]

IP subnets - Mills

SUBNET              MASK             VLAN-ID   NAME
10.x.1.0                             1000      Management
10.x.2.0            255.255.255.0    2         Transit
10.x.3.0-5.255                                 Future usage
10.x.6.0            255.255.254.0    6         Office resources
10.x.8-11.0         255.255.255.0    8-11      Office clients
10.x.12.0-63.255                               Future usage
10.x.64-67.0        255.255.255.0    64-67     IP telephony
10.x.68.0-119.255                              Future usage
10.x.120.0          255.255.255.0    120       Health
10.x.121.0          255.255.255.0              SecureClient
10.x.122.0          255.255.255.0    122       Office Wireless
10.x.124.0          255.255.255.0    124       MWS Wireless
10.x.126.0          255.255.254.0    126       MWS
10.x.128-255.0      N/A              500-699   Process
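
An added example, not part of the original slides: the mill subnet plan above expressed as data, with a lookup that maps an address to its zone and an inventory check that flags office clients sitting in the Process zone or hosts addressed outside the assigned plan. Assumptions: Management is treated as a /24 (the slide gives no mask), Process (mask "N/A") is treated as 10.x.128.0/17, and the host names with the placeholder unit code XXX are constructed sample data.

```python
import ipaddress
import re

# (third octet, prefix length, number of consecutive subnets, VLAN label, zone)
# Transcribed from the "IP subnets - Mills" slide. Assumptions not on the slide:
# Management is taken as a /24 and Process is taken as the upper /17.
MILL_PLAN = [
    (1,   24, 1, "1000",    "Management"),
    (2,   24, 1, "2",       "Transit"),
    (6,   23, 1, "6",       "Office resources"),
    (8,   24, 4, "8-11",    "Office clients"),
    (64,  24, 4, "64-67",   "IP telephony"),
    (120, 24, 1, "120",     "Health"),
    (121, 24, 1, None,      "SecureClient"),   # no VLAN-ID on the slide
    (122, 24, 1, "122",     "Office Wireless"),
    (124, 24, 1, "124",     "MWS Wireless"),
    (126, 23, 1, "126",     "MWS"),
    (128, 17, 1, "500-699", "Process"),
]

# Third-octet ranges the slide marks as "Future usage" (inclusive).
FUTURE = [(3, 5), (12, 63), (68, 119)]

# Client computer names follow <domain-code>UNITCODE-Wnnnnn, e.g. EUOXE-W00001.
CLIENT_NAME = re.compile(r"^[A-Z]{5}-W\d{5}$")


def build_plan(site):
    """Expand MILL_PLAN into concrete networks for one mill's /16."""
    base = int(site.network_address)
    plan = []
    for octet, prefix, count, vlan, zone in MILL_PLAN:
        for i in range(count):
            net = ipaddress.ip_network((base + ((octet + i) << 8), prefix))
            plan.append((net, vlan, zone))
    return plan


def classify(ip, site):
    """Return (zone, vlan_label) for an address under the mill plan."""
    addr = ipaddress.ip_address(ip)
    if addr not in site:
        return ("off-site", None)
    for net, vlan, zone in build_plan(site):
        if addr in net:
            return (zone, vlan)
    third = (int(addr) >> 8) & 0xFF
    if any(lo <= third <= hi for lo, hi in FUTURE):
        return ("Future usage", None)
    return ("unlisted", None)   # e.g. 10.x.0.0, 10.x.123.0, 10.x.125.0


def audit(inventory, site):
    """Flag hosts outside the assigned plan and office clients in Process."""
    findings = []
    for host, ip in inventory:
        zone, _vlan = classify(ip, site)
        if zone in ("Future usage", "unlisted", "off-site"):
            findings.append((host, ip, zone, "address outside assigned plan"))
        elif zone == "Process" and CLIENT_NAME.match(host):
            findings.append((host, ip, zone, "office client in Process zone"))
    return findings


# Skogn is the class-B example given on the "Global IP schema" slide.
SITE = ipaddress.ip_network("10.19.0.0/16")

# Constructed sample inventory; XXX is a placeholder unit code.
INVENTORY = [
    ("EUXXX-W00001", "10.19.9.40"),     # office client, correctly placed
    ("EUXXX-W00002", "10.19.130.17"),   # client left behind in Process
    ("EUXXX-W00003", "10.19.20.5"),     # inside a "Future usage" range
    ("EUXXX-M001",   "10.19.6.10"),     # server in Office resources
    ("EUXXX-W00004", "10.2.64.9"),      # address from another site
]

if __name__ == "__main__":
    for finding in audit(INVENTORY, SITE):
        print(finding)
```

The "office client in Process zone" finding corresponds to the interim roll-out state the phased migration slides describe, where clients are still on the wrong side of the mill firewall.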

LAN – Small Offices

Simple and efficient design
– One subnet
– No LAN routing
– No redundancy

VLAN ready

[Diagram: small-office LAN. Labelled elements: WAN, WAN-Router, Core switch, Desktop-sw-1 to Desktop-sw-3, and a single LAN segment with servers, printers, desktop PCs, laptop computers and IP telephones.]

Migration strategies LAN

Small offices: Big Bang
– One time incident
– Moves everything
– Requiring VLAN, LAN routing

Mills:
– Phased
  - OR -
– Small Big Bang

Phased (1)

Target Mills:
– You are not running any VLAN infrastructure
– You are not running pure Ethernet infrastructure
– Address space allocated for Office zone is in use

Prepare structure for HarleyV2 servers and firewall

Assign new address space to HarleyV2

Roll-out state reached
– Clients located in Process zone (wrong side of Mill firewall)
– Performance issue in firewall
– Complex NAT rules
– Entire old network still active in Process zone

Phased (2)

NAT will be used to secure connectivity to non HarleyV2 assigned addresses

Deploy HarleyV2 LAN structure on Mill in addition to old network

Move clients/printers according to Mill specific plan

Move Process and MWS into HarleyV2 LAN structure

Start readdressing

Remove old network infrastructure

Free extra address space

Small Big Bang (1)

Target Mills:
– You are running full or partial VLAN infrastructure
– Address space used for Office zone is unallocated

Install key LAN router
– Separating LAN into “old” and “new”

Move as many clients, printers and servers as possible in one batch
– Quality assurance for critical services must be made

Prepare structure for HarleyV2 servers and firewall

Roll-out state reached
– Most equipment available in new infrastructure
– Small dependencies on Mill firewall

Small Big Bang (2)

NAT will be used to secure connectivity to non HarleyV2 assigned addresses

Implement full HarleyV2 LAN infrastructure

Move remaining servers/printers/clients onto HarleyV2 LAN infrastructure

Start readdressing

Free extra address space

Naming Standard

Naming standard

Naming Standard defined for all components needing names
– Examples: Location names & codes, usernames, mail addresses, client computers, server computers, groups, distribution lists, network equipment…

All objects in Active Directory and relevant properties covered

All relevant physical equipment covered

Naming - examples

Usernames
– <Fname><first initial of Lname> eg: JohnS

Email address
– <Fname>.<Lname>[numerical] [email protected]
– <Fname>-<Mname>.<Lname>[numerical] John-[email protected]

Client computers
– <domain-code>UNITCODE-Wnnnnn
  ex: EUOXE-W00001
  ex: EUPAR-W00124
  ex: APTAS-W00031
  ex: SAPIS-W00003

BackOffice

Overall Design Decisions (1)

Products
– Windows 2003
– Exchange 2003
– HP server hardware - only

All new server hardware, no utilisation of existing servers in initial HarleyV2 rollout.

100% standardised configuration of all servers, 100% remotely managed

Client authentication redundancy built into network

Overall Design Decisions (2)

Large Units: Distributed model for File services, Authentication services and Application services
– Local Authentication (Domain Controller) at each unit
– File & Print Services at each unit
– Terminal server(s) at each unit

Small Units: Centralized model for File services, Authentication services and Application services
– No local authentication (Domain Controller), authentication performed across network to region’s HUB location
– No local File Services, files stored at region’s HUB
– No local Terminal Services, Applications accessed on Terminal Servers located at Region’s HUB location
– Local Print

Domain Design

Single Active Directory forest, contiguous AD domain name space

Active Directory installed in Windows 2003 native mode, i.e. no Windows 2000 domain controllers or NT4 PDC/BDC possible.
– Legacy Member servers possible, though not wanted unless absolutely necessary

Regional sub-domains, domain boundaries follow geographical regions

Trusts from legacy domains (NT4) allowed for an intermediate time period.
– Only if required for single-logon purposes, etc.

No integration with Novell environment, except data access during transition

Organisational Unit structure

<domain>

<LOCATION>

COMPUTERS

USERS

PRINTERS

SERVERS

TERMINAL

DESKTOPS

LAPTOPS

Servers

Large units (mills)
– 3 basic servers at each site
  1) Domain Controller, Exchange, DNS ex: EUOXE-D001
  2) File & Print, DHCP, Software distribution ex: EUOXE-M001
  3) Terminal server ex: EUOXE-M101
– Additional terminal servers may be added, if needed

Small units (sales offices)
– No servers, with a possible exception of software distribution support (design is currently under development)

HarleyV2 project does not affect existing application servers, unless the Application consolidation process does

Existing File & Print, authentication, DNS, WINS, Mail servers will be obsolete when HarleyV2 rollout is completed.

Redundancy

Redundancy to the BackOffice infrastructure is by and large built into the design.

Basic requirements:
– Client authentication shall be possible even though a local DC (Domain Controller) fails
– Access to some core applications (e.g. SAP in Europe) shall be possible as long as network connection exists

Remains to be done
– Identify and describe an overall availability of services, with measurable metrics
– Review the overall design to catch potential conflict with availability definitions

Messaging (1)

Exchange 2003 product for all messaging

All Email will be virus-checked (Internet and internal)

Internet Email: Outbound mail will be routed via the European Hub location as the primary route with AsiaPacific hub location providing a fall back route

Internet Email: Inbound, the lowest preference value will be set against the European virus sweeper server with AsiaPacific Hub server providing fall back

SMTP is the only supported inter-messaging

Messaging (2)

Connectivity to existing mail systems to be established and kept in place during the entire rollout period. SMTP is the only supported inter-system messaging protocol.

New Internet mail alias for all users : norskeskog.com (without the minus)

Existing Internet mail aliases will work for inbound mail for a period of 6 months

All Internet DNS records (MX) will be maintained by a single provider

Mail Systems, current situation

[Diagram: current mail systems. Systems shown: HarleyV1 Groupwise, Parenco Exchange 5.5, Walsum Notes, South America Exchange 5.5, NSKOG, Australia Exchange 5.5, FCL, Union Exchange 5.5, Steti Groupwise, BioBio Groupwise. Internet mail domains shown: Norske-skog.com, Norske-skog.cz, unionco.no, norske-skog.nl, parenco.nl, norske-skog.de, norske-skog.cl, norske-skog.com.br, norske-skog.com.au, norske-skog.com.nz, smartdist.com.au, fcpa.com.au, fcpa.com.nz, albury.anm.com.au.]

Mail Systems, transition phase

[Diagram: mail systems during the transition phase. Labelled elements: Exchange 2003 (norskeskog.com), “Pri: Outbound”, Trend IMSS, Internet, and the existing systems HarleyV1 Groupwise, Parenco Exchange 5.5, Walsum Notes, South America Exchange 5.5, NSKOG, Australasia Exchange 5.5, FCL, Union Exchange 5.5, Steti Groupwise and BioBio Groupwise, each annotated with the Internet mail domains it handles.]

Message Routing (internally)

Underlying MPLS network gives “any-to-any” connections for all connected sites, i.e. messages are routed directly from originating mail server to destination mail server

Global Address List

A single global address list will be available to all users, containing all mail-enabled users and contacts defined

The display name is the key property of any entry in the GAL

Naming standard: <Lname>,<space><Fname><space>UNITNAME
– EX: Smith, John (Southport)
      Hågensen, Øyvind (Union)

Global Address list available for all HarleyV2 users from point of conversion, to include all users (also users not yet converted)

SOE

Standard Office Environment

Client environment

HarleyV2 standardises the client environment for all users, covering
– Desktop computers
– Laptop computers
– Thin clients (Terminal server / Citrix clients)
– PDAs

Current working assumption : All desktop, laptop and PDA hardware to be replaced with new models during Rollout

Desktop “locked down” to reduce problem sources, reduced support call environment.

Operating system on desktops / laptops is Windows XP Professional

Client computers to be delivered from vendor with Operating system and Ring 0 applications preinstalled

Desktop / Thin client environment

No access to local disk (C:)

Unable to store data or create shortcuts on the desktop

Globally common, standardised start menu

Users may roam to any desktop computer / thin client within the company

Limited roaming for desktop / thin client users to portable computers

All desktop computers / thin clients must be connected to the internal network, i.e. remote access may not be performed from this environment

Laptop client environment

Full access to specified directory on local disk (C:), i.e. data may be stored locally

Local disk (C:) data directory secured by backup to network storage

Unable to store data or create shortcuts on the desktop

Ability to connect to Norske Skog network across Internet, GSM, ISDN, ADSL, Wireless.

Globally common, standardised start menu

Limited roaming for laptop client users to desktop computers; access to data stored on local (laptop) disk not possible

A laptop computer is Personal, i.e. may not be used by others (PointSec)

Only client type approved for remote access to internal Norske Skog network

Applications

Most applications installed automatically, some manual installations

All new applications to go through an application acceptance process, which ends up with packaging and distributing the application to appropriate users

Initial application portfolio input from Application consolidation project
– Exception: Ring 0 applications (decided by HarleyV2 project)

Applications Ring 0 (Standard PC Build)

System Vendor Application Name Laptop Desktop Fat Thin client (PDA)

Client Operating system Microsoft Windows XP X X X

SW Distribution / PC Deployment Altiris Client Mgmt suite X X X (X)

SW / HW Inventory Altiris Client Mgmt suite X X X X

Remote take over (remote control) Altiris Client Mgmt suite X X X (X)

Antivirus protection Trend Micro Office Scan X X X X

Personal FireWall Checkpoint Secure Client X X

VPN Client Checkpoint Secure Client X X

PDF Reader Adobe Reader X X X

Internet Browser Microsoft Internet Explorer X X X X

Word, Spreadsheet & Presentation Microsoft Office X X X

Instant Messaging Client Microsoft Windows Messenger X X X

Media player Microsoft Windows Mediaplayer X X X

Hard Disk Encryption software PointSec For PC X (X)

Conferencing Microsoft Netmeeting X X

Dialer     X

Software distribution

Altiris software distribution tool for Operating system and applications

Microsoft SUS services for distribution of Microsoft security patches

Company-wide software distribution design, managed and controlled centrally (HP)

Client types (1)

Desktop computer
– One model (…)
– No floppy drive
– Fully managed computer
– Delivered pre-installed with Windows XP and Ring 0 Applications
– Application Self repair

Client types (2)

Laptop computer
– Two models (…)
– GSM Phone card (Nokia phone card)
– Wireless (Nokia Phone card)
– ISDN card (Eicon diva pro)
– No floppy drive
– Delivered pre-installed with Windows XP and Ring 0 Applications
– Fully managed computer
– Encrypted Hard disk, personal device, others not able to decrypt the HD
– Application Self repair

Client types (3)

PDA
– HP iPAQ
– Remote sync of e-mail, contacts and calendar
– Wireless
– Pocket PC secure edition
– USB sync with HarleyV2 computer only
– Possible to provide access to Citrix, but not as part of initial deployment

Thin client
– Same HW as the desktop, but locked down to only run Citrix client and Internet Explorer
– Applications run on Citrix server(s)
– Used primarily for small (server-less) offices (Auckland & Mt.Maunganui)

Security

Trend Micro Antivirus

Interscan Messaging Security Suite: Virus, content and attachment scanning of all incoming/outgoing SMTP traffic

Interscan WebProtect for ISA: Virus and URL filtering of all HTTP traffic

Serverscan for Microsoft server: Real time virus scanning of files on Microsoft servers

ScanMail for Microsoft Exchange: Real time virus scanning of all internal SMTP traffic and mail boxes

OfficeScan Corporate Edition: Real time virus scanning of files on PCs and laptops, and the whole disk once a month

Control Manager: Centralized and comprehensive management providing automatic antivirus pattern updates

Check Point VPN/FW-1

Check Point FW-1: Internet, Secure zone and process LAN on mills

CheckPoint VPN-1: VPN connections for remote access and wireless

CheckPoint SecureClient: Personal firewall and VPN for laptops

CheckPoint ConnectControl: High Availability for servers

Check Point Management: Centralized log and mgmt of all firewalls

Check Point GUI for Management

RSA SecurID Authentication

RSA SecurID two factor authentication
– Remote Internet Access to WAN
– Wireless Access to WAN
– Secure Zone Access
– OWA Access
– Partner Access

Provides a strong authentication scheme using a dynamic passcode generator based on something that you know (4 digit number) and something you have (RSA key fob)

Pointsec Hard Disk Encryption

Laptop hard disk encryption

Centralized Management

Automated software and profile updates

Remote unlocking in case of forgotten password

Boot protection and data loss prevention

PDA Security Design

CheckPoint Firewall

CheckPoint VPN for remote access

Trend PC-cillin to scan for viruses

PocketPC Secure Edition to stop any unauthorised PDAs syncing to the Norske Skog WAN

Access Methods
– Wireless
– Remote access
– Dedicated secure sync

Hub Security Design

Mill Security Design

General security considerations

Remote access is only allowed through a VPN tunnel using the Internet to connect to one of the HUBs

Remote access will only be granted to employees that have a dedicated HarleyV2 client (laptop, PDA) and have been granted remote access (RSA Token)

Wireless will be offered on all mills and large offices, and will have the same restriction as remote access from the Internet.

Only employees that have been granted access will be able to log into OWA (RSA Token)

The process LAN on the mills will be protected by a dedicated firewall, that also will offer VPN connection to wireless users. The firewall will have a cold standby providing some level of HA.

HP Managed Services – scope (1)

HW
– Leasing of servers and workstations with refresh of HW in a predefined cycle.
– HW service, using local depot on each site with spare equipment.
– Asset management. Norske Skog will do the local deployment from HW depot to the user's office.

Housing
– Housing of HUB locations in Europe, South America and Australasia.

Support
– HP will give second and third level support on the delivered services.
– Norske Skog will do call handling and first level incident handling internally.

HP Managed Services - scope (2)

Operations
– HUB sites
  • HUB servers
  • Active directory
  • MS Exchange
  • DNS / DHCP
  • Citrix servers
– Local Norske Skog sites
  • HarleyV2 servers (DC, Exchange, File/Print, SW distribution, Terminal servers)
  • Local LAN
– Monitoring
– Error corrections (Problem and Incident management)
– Backup (local media handled by Norske Skog)
– Security management
– Anti-virus management
– Change management
– WAN Management
– Software packaging and distribution