Project HarleyV2
What is HarleyV2
Norske Skog has developed a new, global IT strategy. A priority action for the new IT strategy is to implement a common, global infrastructure for information systems. The goal of this strategy is not only to improve global management, sharing and communication of information but also to greatly reduce the total cost of ownership of information systems.
Project team established at headquarters in Oslo. Local Implementation Managers nominated for each of the 20+ units. The project team in Oslo has the responsibility to produce the systems design, the systems management processes and the processes for continued management and development of the system. It is a regional responsibility to migrate existing regional infrastructures to the HarleyV2 design.
HarleyV2 Design
Requirements
Requirements analysis
Requirements collection and analysis done February – March 2003
Resulted in 115 Requirements Statements, defining project scope and functional specifications
Requirements broken down into 9 areas:
– Directory
– Messaging
– Collaboration
– Desktop
– Application
– Security
– Networking
– Operations
– Deployment
Requirements summary (1)
Directory
– Microsoft Active Directory (AD) based (Windows 2003)
– Provide a global address list for all employees
– Accessible and utilised by future applications requiring information about people, computers and printers. Example applications: phone directory, messaging, software distribution, software license management, invoice printing …
Messaging
– Microsoft Exchange 2003
– Outlook client
– Outlook Web Access for external (across Internet) access
– Internal (WAN) routing of all mail between Norske Skog employees
Requirements summary (2)
Collaboration
– Instant messaging available internally
– Support information sharing in voice- and video-conferences
Note: Collaboration infrastructure beyond this taken out of the HarleyV2 project, handled by the Portal project.
Desktop
– Limit number of client environments supported to a minimum
– Windows XP on all desktop / laptop clients
– Standardised “everything” (desktop look, rights, application portfolio, software distribution, antivirus control …)
– Roaming capability within the company
Requirements summary (3)
Desktop (cont.)
– Access to mail, applications and data from HarleyV2 laptops outside the company
– Automated installation of new applications on all clients
– No unauthorized applications on any client
Applications
– Standardised Office application portfolio, based on Microsoft software
– Support for several languages in Office applications
– Only one application for each “function” in the company. To be achieved through an application portfolio consolidation process (separate project)
– All applications to be packaged and distributed through a centralised scheme
Requirements summary (4)
Security
– A secure boundary between the Norske Skog internal network and “other networks”
– A complete antivirus solution for the entire chain of components (servers, clients, mail)
– Proxy access to Internet only (browsing)
– Single point mail access to/from Internet
– No local Internet access points (at mills / offices); from regional hub only
– Provide a secure extranet design to enable external connectivity to Norske Skog information
– A comprehensive security policy for IT infrastructure, including governance rules and rules of usage (password policy, data storage policy, LAN segmentation policy …)
– Firewall based security scheme for LAN at each mill
Requirements summary (5)
Networking
– Company-wide WAN with any-to-any connectivity (provided by separate WAN project)
– New IP plan for the entire company, providing extendibility and scalability
– LAN standard, comprising network equipment and IP schematics
Operations
– Centrally managed servers, clients and software, supporting cost savings
– External provider of global Operations (HP chosen)
– End-to-end responsibility on Operations provider
– Integration of 2 local FTEs in global operational model
Requirements summary (6)
Deployment
– Rollout to start Autumn 2003 (Europe)
– Rollout to complete before Spring 2004 (Australasia last)
– Involvement of local resources in preparation and rollout activities (LIM to coordinate)
– Centrally planned and coordinated rollout
WAN
Global IP connectivity between all Norske Skog units
– Essential to HarleyV2 infrastructure design
MPLS network, provided by Equant
– AsiaPacific exception: Frame Relay connections between Mills for Elixir kept as is
– Sydney currently bridge location for MPLS connection to WAN
WAN - topology
[Diagram: Australasian WAN topology. Sites shown: Sydney Head Office, Sydney Warehouse, Melbourne Warehouse, Melbourne Marketing, Brisbane Warehouse, Albury Mill, Kawerau Mill, Auckland, Mount Maunganui, Rhodes HP and HP Olympic Park, connected to the Equant Global MPLS cloud and the Internet. Link speeds on the diagram range from 32k/64k up to 4-8 mbps (e.g. 128k/2mb, 256k/2mb, 512k/2mb, 2Mb/2mb).]
Global IP schema
Global IP addressing schema
– Using the 10.0.0.0/8 (class A) private address range
– Regionally divided
Assigning a class B (/16) to every Hub, Mill and Large office (100+ users)
– Ex: Skogn: 10.19.0.0/16
Assigning 4 class Cs (a /22) to every Small office
– Ex: Graz: 10.2.64.0/22
Additional class B defined for migration purposes
HUB locations
Three HUB locations in network
– Europe HUB (Oslo), location code: HEU
– AsiaPacific HUB (Sydney), location code: HAP
– South America HUB (to be decided), location code: HSA
All HUB locations to be hosted and managed by HP (decision pending for South America)
Internet access points at HUB locations only.
All “central” BackOffice services located at HUB locations. Full redundancy built into HUB location LAN and BackOffice services.
LAN
Today’s diversity in LAN equipment and logical design (among units) to be merged into a common LAN Standard for all units and HUB locations
Complies with Security Design, zone structure
Standardised network equipment: Cisco
Ethernet only supported (Office Network)
LAN - Mills
A Mill is divided into security zones
– Requiring VLAN, LAN routing
Redundant design within zones and on layer-2
One single layer-2 infrastructure, centrally managed
A “ring of switches” gives cost-efficient redundancy
– Minimising required cabling
– Minimising number of switches
– Trade-off: reduces available bandwidth
Layer-3 based routing
Secure wireless design
Flexible Process and MWS design
LAN – layer 3
[Diagram: Mill layer-3 design. The WAN-Router connects the WAN to two layer-3 core switches (Core-1-switch, Core-2-switch). Behind the core: Transit, Internal FW, Servers, Office resources, Office client LAN 1-4, Office Wireless (APs), IP telephony LANs, Health/Medical, Management. Process-router-1 and Process-router-2 connect via a Process transit to the Process LANs, MWS and MWS Wireless (APs).]
LAN – layer 2
[Diagram: Mill layer-2 design. Core-sw-1 and Core-sw-2 (with WAN-Router-1) connect layer-2 switches L2-sw-1 to L2-sw-10 in Buildings A to G and Comp 1 / Comp 2 as a ring; links are 1000 Mb, with one 100 Mb link.]
IP subnets - Mills
SUBNET              MASK             VLAN-ID   NAME
10.x.1.0            -                1000      Management
10.x.2.0            255.255.255.0    2         Transit
10.x.3.0-5.255      -                -         Future usage
10.x.6.0            255.255.254.0    6         Office resources
10.x.8-11.0         255.255.255.0    8-11      Office clients
10.x.12.0-63.255    -                -         Future usage
10.x.64-67.0        255.255.255.0    64-67     IP telephony
10.x.68.0-119.255   -                -         Future usage
10.x.120.0          255.255.255.0    120       Health
10.x.121.0          255.255.255.0    -         SecureClient
10.x.122.0          255.255.255.0    122       Office Wireless
10.x.124.0          255.255.255.0    124       MWS Wireless
10.x.126.0          255.255.254.0    126       MWS
10.x.128-255.0      N/A              500-699   Process
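The mill subnet plan above, as an added Python example that is not part of the deck or the project: it builds the per-mill subnets from the table for a given mill number (19 for Skogn, 10.19.0.0/16), checks that every subnet fits inside the mill's /16 and that no two overlap, and maps an address to its zone and VLAN, which is the lookup needed when reviewing firewall rules or DHCP scopes to see which side of the mill firewall a host sits on. The /24 for the Management row (no mask on the slide), the treatment of the Process range as one /17, and the function names are this example's assumptions.

```python
import ipaddress

# Per-mill subnet plan from the "IP subnets - Mills" table, keyed by the third octet
# of the mill's 10.<mill>.0.0/16: (first third octet, prefix length, VLAN, zone).
# Assumption: the Management row carries no mask on the slide; /24 is assumed here.
MILL_PLAN = (
    [(1, 24, "1000", "Management"),
     (2, 24, "2", "Transit"),
     (6, 23, "6", "Office resources")]
    + [(o, 24, str(o), "Office clients") for o in range(8, 12)]
    + [(o, 24, str(o), "IP telephony") for o in range(64, 68)]
    + [(120, 24, "120", "Health"),
       (121, 24, None, "SecureClient"),        # no VLAN-ID on the slide
       (122, 24, "122", "Office Wireless"),
       (124, 24, "124", "MWS Wireless"),
       (126, 23, "126", "MWS")]
)
# 10.x.128.0-10.x.255.255 is the Process range (VLANs 500-699, mask "N/A" on the
# slide); it is modelled here as one /17 so that lookups land in the Process zone.
PROCESS = (128, 17, "500-699", "Process")


def mill_subnets(mill):
    """Return [(network, vlan, zone)] for mill number `mill` (19 for Skogn: 10.19.0.0/16)."""
    if not 0 <= mill <= 255:
        raise ValueError("mill number must fit in the second octet")
    return [(ipaddress.ip_network(f"10.{mill}.{octet}.0/{plen}"), vlan, zone)
            for octet, plen, vlan, zone in MILL_PLAN + [PROCESS]]


def check_plan(mill):
    """True if every subnet lies inside 10.<mill>.0.0/16 and no two subnets overlap."""
    site = ipaddress.ip_network(f"10.{mill}.0.0/16")
    nets = [net for net, _, _ in mill_subnets(mill)]
    for i, a in enumerate(nets):
        if not a.subnet_of(site):
            return False
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    return True


def zone_for(ip):
    """Map an address to (zone, vlan). Gaps in the plan are 'Future usage';
    anything outside 10.0.0.0/8 is not part of the HarleyV2 plan at all."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network("10.0.0.0/8"):
        return (None, None)
    mill = int(str(addr).split(".")[1])          # second octet = mill number
    for net, vlan, zone in mill_subnets(mill):
        if addr in net:
            return (zone, vlan)
    return ("Future usage", None)


if __name__ == "__main__":
    assert check_plan(19)
    for ip in ("10.19.8.5", "10.19.7.200", "10.19.130.1", "10.19.40.1"):
        print(ip, zone_for(ip))
```

Note that 10.x.7.0 falls in the Office resources /23 and 10.x.127.0 in the MWS /23, so a reviewer who reads the table as /24s only would misplace those hosts; the lookup uses the masks as given.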
LAN – Small Offices
Simple and efficient design
– One subnet
– No LAN routing
– No redundancy
VLAN ready
[Diagram: one LAN segment. WAN-Router to Core switch; Desktop-sw-1 to Desktop-sw-3 connect desktop PCs, laptop computers, printers, IP telephones and servers.]
Migration strategies LAN
Small offices: Big Bang
– One-time event
– Moves everything
– Requiring VLAN, LAN routing
Mills: one of
– Phased
– Small Big Bang
Phased (1)
Target Mills:
– You are not running any VLAN infrastructure
– You are not running a pure Ethernet infrastructure
– Address space allocated for the Office zone is in use
Prepare structure for HarleyV2 servers and firewall
Assign new address space to HarleyV2
Roll-out state reached
– Clients located in Process zone (wrong side of Mill firewall)
– Performance issue in firewall
– Complex NAT rules
– Entire old network still active in Process zone
Phased (2)
NAT will be used to secure connectivity to non HarleyV2 assigned addresses
Deploy HarleyV2 LAN structure on Mill in addition to old network
Move clients/printers according to Mill specific plan
Move Process and MWS into HarleyV2 LAN structure
Start readdressing
Remove old network infrastructure
Free extra address space
Small Big Bang (1)
Target Mills:
– You are running full or partial VLAN infrastructure
– Address space used for the Office zone is unallocated
Install key LAN router
– Separating LAN into “old” and “new”
Move as much of clients, printers and servers as possible in one batch
– Quality assurance for critical services must be made
Prepare structure for HarleyV2 servers and firewall
Roll-out state reached
– Most equipment available in new infrastructure
– Small dependencies on Mill firewall
Small Big Bang (2)
NAT will be used to secure connectivity to non HarleyV2 assigned addresses
Implement full HarleyV2 LAN infrastructure
Move remaining servers/printers/client onto HarleyV2 LAN infrastructure
Start readdressing
Free extra address space
Naming Standard
Naming standard
Naming Standard defined for all components needing names
– Examples: Location names & codes, usernames, mail addresses, client computers, server computers, groups, distribution lists, network equipment …
All objects in Active Directory and relevant properties covered
All relevant physical equipment covered
Naming - examples
Usernames
– <Fname><first initial of Lname>, eg: JohnS
Email address
– <Fname>.<Lname>[numerical]@norskeskog.com
– <Fname>-<Mname>.<Lname>[numerical]@norskeskog.com, ex: John-
Client computers
– <domain-code>UNITCODE-Wnnnnn, ex: EUOXE-W00001, EUPAR-W00124, APTAS-W00031, SAPIS-W00003
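An added Python example (not from the deck or the project) that turns the naming standard above into checkable rules: the username and mail address patterns, a numeric suffix on mail address collisions, a regular expression for <domain-code>UNITCODE-Wnnnnn client names, and the GAL display name convention from the Global Address List slide later in the deck. The mail domain is the norskeskog.com alias from the Messaging slides; lower-casing of the local part, the suffix starting at 1, and the EU/AP/SA domain codes (read off the examples) are assumptions.

```python
import re

MAIL_DOMAIN = "norskeskog.com"   # new global mail alias from the Messaging slides
# Client names are <domain-code>UNITCODE-Wnnnnn, e.g. EUOXE-W00001. The domain codes
# EU, AP and SA are assumed from the examples on the slide (regional sub-domains).
CLIENT_NAME_RE = re.compile(r"^(EU|AP|SA)[A-Z]{3}-W\d{5}$")


def username(fname, lname):
    """<Fname><first initial of Lname>: John Smith -> JohnS."""
    return f"{fname}{lname[0].upper()}"


def mail_address(fname, lname, taken, mname=None):
    """<Fname>.<Lname>[numerical]@domain, or <Fname>-<Mname>.<Lname>[numerical]@domain.
    `taken` holds addresses already issued; the first free address is returned and the
    numeric suffix (assumed here to start at 1) resolves collisions."""
    first = f"{fname}-{mname}" if mname else fname
    base = f"{first}.{lname}".lower()           # lower-casing is an assumption
    if not base.isascii():
        raise ValueError("local part must be ASCII; transliteration is out of scope here")
    n = 0
    while True:
        candidate = f"{base}{n or ''}@{MAIL_DOMAIN}"
        if candidate not in taken:
            return candidate
        n += 1


def client_name(domain_code, unit_code, seq):
    """Build and validate a <domain-code>UNITCODE-Wnnnnn client computer name."""
    name = f"{domain_code.upper()}{unit_code.upper()}-W{seq:05d}"
    if not CLIENT_NAME_RE.match(name):
        raise ValueError(f"not a valid HarleyV2 client name: {name}")
    return name


def is_client_name(name):
    """True for names that follow the client computer naming standard."""
    return CLIENT_NAME_RE.match(name) is not None


def display_name(fname, lname, unit):
    """GAL display name, <Lname>, <Fname> (<UNITNAME>): 'Smith, John (Southport)'."""
    return f"{lname}, {fname} ({unit})"


if __name__ == "__main__":
    issued = set()
    for fn, ln in (("John", "Smith"), ("John", "Smith")):
        addr = mail_address(fn, ln, issued)
        issued.add(addr)
        print(username(fn, ln), addr, display_name(fn, ln, "Southport"))
    print(client_name("EU", "OXE", 1), is_client_name("APTAS-W00031"))
```

A name that fails the regular expression (wrong domain code, lower case, or a sequence number that is not five digits) is rejected rather than silently accepted, which is the check a provisioning script or an AD audit would apply against the naming standard.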
BackOffice
Overall Design Decisions (1)
Products
– Windows 2003
– Exchange 2003
– HP server hardware only
All new server hardware, no utilisation of existing servers in initial HarleyV2 rollout.
100% standardised configuration of all servers, 100% remotely managed
Client authentication redundancy built into network
Overall Design Decisions (2)
Large Units: Distributed model for File services, Authentication services and Application services
– Local Authentication (Domain Controller) at each unit
– File & Print Services at each unit
– Terminal server(s) at each unit
Small Units: Centralized model for File services, Authentication services and Application services
– No local authentication (Domain Controller); authentication performed across the network to the region’s HUB location
– No local File Services; files stored at the region’s HUB
– No local Terminal Services; applications accessed on Terminal Servers located at the region’s HUB location
– Local Print
Domain Design
Single Active Directory forest, contiguous AD domain name space
Active Directory installed at Windows Server 2003 functional level (“native mode”), i.e. no Windows 2000 domain controllers or NT4 PDC/BDC possible.
– Legacy member servers possible, though not wanted unless absolutely necessary
Regional sub-domains; domain boundaries follow geographical regions
Trusts from legacy domains (NT4) allowed for an intermediate time period.
– Only if required for single-logon purposes, etc.
No integration with the Novell environment, except data access during transition
Organisational Unit structure
<domain>
  <LOCATION>
    COMPUTERS
      DESKTOPS
      LAPTOPS
    USERS
    PRINTERS
    SERVERS
      TERMINAL
Servers
Large units (mills)
– 3 basic servers at each site
  1) Domain Controller, Exchange, DNS, ex: EUOXE-D001
  2) File & Print, DHCP, Software distribution, ex: EUOXE-M001
  3) Terminal server, ex: EUOXE-M101
– Additional terminal servers may be added, if needed
Small units (sales offices)
– No servers, with a possible exception of software distribution support (design is currently under development)
HarleyV2 project does not affect existing application servers, unless the Application consolidation process does
Existing File & Print, authentication, DNS, WINS and Mail servers will be obsolete when HarleyV2 rollout is completed.
Redundancy
Redundancy of the BackOffice infrastructure is by and large built into the design.
Basic requirements:
– Client authentication shall be possible even though a local DC (Domain Controller) fails
– Access to some core applications (e.g. SAP in Europe) shall be possible as long as a network connection exists
Remains to be done
– Identify and describe an overall availability of services, with measurable metrics
– Review the overall design to catch potential conflicts with availability definitions
Messaging (1)
Exchange 2003 product for all messaging
All Email will be virus-checked (Internet and internal)
Internet Email: Outbound mail will be routed via the European Hub location as the primary route, with the AsiaPacific hub location providing a fall-back route
Internet Email: Inbound, the lowest MX preference value (i.e. highest priority) will be set against the European virus sweeper server, with the AsiaPacific Hub server providing fall-back
SMTP is the only supported inter-system messaging protocol
Messaging (2)
Connectivity to existing mail systems to be made and kept for the entire rollout period. SMTP is the only supported inter-system messaging protocol.
New Internet mail alias for all users: norskeskog.com (without the hyphen)
Existing Internet mail aliases will work for inbound mail for a period of 6 months
All Internet DNS records (MX) will be maintained by a single provider
Mail Systems, current situation
[Diagram: current mail systems and their Internet domains. Systems: HarleyV1 (GroupWise), Parenco (Exchange 5.5), Walsum (Notes), South America (Exchange 5.5), NSKOG, Australia (Exchange 5.5), FCL, Union (Exchange 5.5), Steti (GroupWise), BioBio (GroupWise). Internet domains: norske-skog.com, norske-skog.cz, unionco.no, norske-skog.nl, parenco.nl, norske-skog.de, norske-skog.cl, norske-skog.com.br, norske-skog.com.au, norske-skog.com.nz, smartdist.com.au, fcpa.com.au, fcpa.com.nz, albury.anm.com.au.]
Mail Systems, transition phase
[Diagram: transition-phase routing. Exchange 2003 (norskeskog.com) is the primary outbound route; Trend IMSS sits between the mail systems and the Internet. Legacy systems remain connected: HarleyV1 (GroupWise), Parenco (Exchange 5.5), Walsum (Notes), South America (Exchange 5.5), NSKOG, Australasia (Exchange 5.5), FCL, Union (Exchange 5.5), Steti (GroupWise), BioBio (GroupWise). Domains shown: norskeskog.com, norske-skog.com, norske-skog.nl, norske-skog.de, norske-skog.cz, norske-skog.cl, norske-skog.com.br, pisa.com.br, norske-skog.com.au, norske-skog.co.nz, smartdist.com.au, smartdist.co.nz, fcpa.com.au, fcpa.com.nz, albury.anm.com.au, unionco.no, unionco.co, parenco.nl.]
Message Routing (internally)
Underlying MPLS network gives “any-to-any” connections for all connected sites, i.e. messages are routed directly from originating mail server to destination mail server
Global Address List
A single global address list will be available to all users, containing all mail-enabled users and contacts defined
The display name is the key property of any entry in the GAL
Naming standard: <Lname>, <Fname> (<UNITNAME>)
– Ex: Smith, John (Southport)
– Ex: Hågensen, Øyvind (Union)
Global Address List available for all HarleyV2 users from point of conversion, to include all users (also users not yet converted)
SOE - Standard Office Environment
Client environment
HarleyV2 standardises the client environment for all users, covering
– Desktop computers
– Laptop computers
– Thin clients (Terminal server / Citrix clients)
– PDAs
Current working assumption: All desktop, laptop and PDA hardware to be replaced with new models during Rollout
Desktop “locked down” to reduce problem sources and the volume of support calls.
Operating system on desktops / laptops is Windows XP Professional
Client computers to be delivered from vendor with Operating system and Ring 0 applications preinstalled
Desktop / Thin client environment
No access to local disk (C:)
Unable to store data or create shortcuts on the desktop
Globally common, standardised start menu
Users may roam to any desktop computer / thin client within the company
Limited roaming for desktop / thin client users to portable computers
All desktop computers / thin clients must be connected to the internal network, i.e. remote access may not be performed from this environment
Laptop client environment
Full access to a specified directory on the local disk (C:), i.e. data may be stored locally
Local disk (C:) data directory secured by backup to network storage
Unable to store data or create shortcuts on the desktop
Ability to connect to the Norske Skog network across Internet, GSM, ISDN, ADSL, Wireless.
Globally common, standardised start menu
Limited roaming for laptop client users to desktop computers; access to data stored on the local (laptop) disk not possible
A laptop computer is personal, i.e. may not be used by others (Pointsec)
Only client type approved for remote access to the internal Norske Skog network
Applications
Most applications installed automatically, some manual installations
All new applications to go through an application acceptance process, which ends up with packaging and distributing the application to appropriate users
Initial application portfolio input from the Application consolidation project
– Exception: Ring 0 applications (decided by HarleyV2 project)
Applications Ring 0 (Standard PC Build)
System                             | Vendor      | Application           | Laptop Desktop Fat Thin client (PDA)
Client Operating system            | Microsoft   | Windows XP            | X X X
SW Distribution / PC Deployment    | Altiris     | Client Mgmt suite     | X X X (X)
SW / HW Inventory                  | Altiris     | Client Mgmt suite     | X X X X
Remote take over (remote control)  | Altiris     | Client Mgmt suite     | X X X (X)
Antivirus protection               | Trend Micro | OfficeScan            | X X X X
Personal FireWall                  | Check Point | SecureClient          | X X
VPN Client                         | Check Point | SecureClient          | X X
PDF Reader                         | Adobe       | Reader                | X X X
Internet Browser                   | Microsoft   | Internet Explorer     | X X X X
Word, Spreadsheet & Presentation   | Microsoft   | Office                | X X X
Instant Messaging Client           | Microsoft   | Windows Messenger     | X X X
Media player                       | Microsoft   | Windows Media Player  | X X X
Hard Disk Encryption software      | Pointsec    | Pointsec for PC       | X (X)
Conferencing                       | Microsoft   | NetMeeting            | X X
Dialer                             |             |                       | X
Software distribution
Altiris software distribution tool for Operating system and applications
Microsoft SUS (Software Update Services) for distribution of Microsoft security patches
Company-wide software distribution design, managed and controlled centrally (HP)
Client types (1)
Desktop computer
– One model (…)
– No floppy drive
– Fully managed computer
– Delivered pre-installed with Windows XP and Ring 0 Applications
– Application self-repair
Client types (2)
Laptop computer
– Two models (…)
– GSM phone card (Nokia phone card)
– Wireless (Nokia phone card)
– ISDN card (Eicon Diva Pro)
– No floppy drive
– Delivered pre-installed with Windows XP and Ring 0 Applications
– Fully managed computer
– Encrypted hard disk, personal device; others not able to decrypt the HD
– Application self-repair
Client types (3)
PDA
– HP iPAQ
– Remote sync of e-mail, contacts and calendar
– Wireless
– Pocket PC secure edition
– USB sync with HarleyV2 computer only
– Possible to provide access to Citrix, but not as part of initial deployment
Thin client
– Same HW as the desktop, but locked down to only run Citrix client and Internet Explorer
– Applications run on Citrix server(s)
– Used primarily for small (server-less) offices (Auckland & Mt. Maunganui)
Security
Trend Micro Antivirus
– InterScan Messaging Security Suite: virus, content and attachment scanning of all incoming/outgoing SMTP traffic
– InterScan WebProtect for ISA: virus and URL filtering of all HTTP traffic
– Serverscan for Microsoft server: real-time virus scanning of files on Microsoft servers
– ScanMail for Microsoft Exchange: real-time virus scanning of all internal SMTP traffic and mailboxes
– OfficeScan Corporate Edition: real-time virus scanning of files on PCs and laptops, and the whole disk once a month
– Control Manager: centralized and comprehensive management, providing automatic antivirus pattern updates
Check Point VPN-1/FireWall-1
– Check Point FW-1: Internet, Secure zone and process LAN on mills
– Check Point VPN-1: VPN connections for remote access and wireless
– Check Point SecureClient: personal firewall and VPN for laptops
– Check Point ConnectControl: high availability for servers
– Check Point Management: centralized log and management of all firewalls; Check Point GUI for management
RSA SecurID Authentication
RSA SecurID two-factor authentication for:
– Remote Internet access to WAN
– Wireless access to WAN
– Secure Zone access
– OWA access
– Partner access
Provides a strong authentication scheme using a dynamic passcode generator based on something that you know (4-digit PIN) and something you have (RSA key fob)
Pointsec Hard Disk Encryption
– Laptop hard disk encryption
– Centralized management
– Automated software and profile updates
– Remote unlocking in case of forgotten password
– Boot protection and data loss prevention
PDA Security Design
– Check Point Firewall
– Check Point VPN for remote access
– Trend PC-cillin to scan for viruses
– Pocket PC Secure Edition to stop any unauthorised PDAs syncing to the Norske Skog WAN
Access methods: Wireless, Remote access, Dedicated secure sync
Hub Security Design
Mill Security Design
General security considerations
Remote access is only allowed through a VPN tunnel using the Internet to connect to one of the HUBs
Remote access will only be granted to employees that have a dedicated HarleyV2 client (laptop, PDA) and have been granted remote access (RSA token)
Wireless will be offered at all mills and large offices, and will have the same restrictions as remote access from the Internet.
Only employees that have been granted access will be able to log into OWA (RSA token)
The process LAN at the mills will be protected by a dedicated firewall, which will also offer VPN connections to wireless users. The firewall will have a cold standby, providing some level of HA.
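The considerations above, together with the Security requirements (proxy-only browsing, single point mail access, Internet access points at HUB locations only), as an added Python example that is not the project's firewall rule base: the constraints are encoded as zone-to-zone rules with a default deny, evaluate() decides a single flow (remote access is allowed only from a dedicated HarleyV2 client with an RSA token), and audit() flags candidate rules that would break the invariants (Internet reachable only via a HUB location; nothing inbound from the Internet without strong authentication except SMTP to the mail gateway; the process LAN reachable only through the mill firewall). Zone names follow the deck's LAN zones; the service names, the "HUB " prefix convention and the rule encoding are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    """Properties of the connecting endpoint that the rules below may require."""
    harley_managed: bool = False   # dedicated HarleyV2 client (laptop or PDA)
    rsa_token: bool = False        # employee has been granted remote access (RSA token)


@dataclass(frozen=True)
class Flow:
    src: str                       # source zone
    dst: str                       # destination zone
    service: str                   # service name (assumed labels, not port numbers)
    client: Client = Client()


def remote_access_ok(flow):
    """Remote access needs a dedicated HarleyV2 client AND an RSA token."""
    return flow.client.harley_managed and flow.client.rsa_token


def rsa_ok(flow):
    return flow.client.rsa_token


# Zone names follow the deck's LAN zones; service names and the encoding of each
# consideration as a (src, dst, service, condition, reason) rule are assumptions.
RULES = [
    ("Office clients", "HUB proxy", "http", None, "Internet browsing via HUB proxy only"),
    ("HUB proxy", "Internet", "http", None, "Internet access points at HUB locations only"),
    ("HUB mail gateway", "Internet", "smtp", None, "single point mail access to/from Internet"),
    ("Internet", "HUB mail gateway", "smtp", None, "single point mail access to/from Internet"),
    ("Internet", "HUB VPN gateway", "ipsec", remote_access_ok, "remote access only via VPN to a HUB"),
    ("Office Wireless", "Mill firewall", "ipsec", remote_access_ok, "wireless has the same restriction as remote access"),
    ("Internet", "HUB OWA", "https", rsa_ok, "OWA only for employees granted access (RSA token)"),
    ("Mill firewall", "Process", "*", None, "process LAN reachable only through the dedicated firewall"),
]


def evaluate(flow, rules=RULES):
    """Default deny: the first matching rule decides, and its condition must hold."""
    for src, dst, svc, cond, why in rules:
        if (src, dst) == (flow.src, flow.dst) and svc in ("*", flow.service):
            if cond is None or cond(flow):
                return ("allow", why)
            return ("deny", f"condition not met: {why}")
    return ("deny", "no matching rule (zone boundary is default deny)")


def audit(rules):
    """Flag rules that would violate the deck's invariants regardless of conditions."""
    problems = []
    for src, dst, svc, cond, _ in rules:
        if "Internet" in (src, dst):
            other = dst if src == "Internet" else src
            if not other.startswith("HUB "):
                problems.append(f"{src} -> {dst}/{svc}: Internet only via a HUB location")
            if src == "Internet" and svc != "smtp" and cond is None:
                problems.append(f"{src} -> {dst}/{svc}: inbound from Internet needs RSA authentication")
        if dst == "Process" and src not in ("Process", "Mill firewall"):
            problems.append(f"{src} -> {dst}/{svc}: process LAN only behind the mill firewall")
    return problems


if __name__ == "__main__":
    print(evaluate(Flow("Office clients", "Internet", "http")))          # deny: no local breakout
    print(evaluate(Flow("Internet", "HUB VPN gateway", "ipsec", Client(True, True))))
    print(audit(RULES + [("Office clients", "Internet", "http", None, "local breakout")]))
```

The audit is the part worth keeping around during the phased migrations: a mill-local rule that opens a direct Internet path or reaches the Process LAN from an office VLAN is exactly the kind of temporary exception that survives past the migration, and the check catches it before it lands on the firewall.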
HP Managed Services – scope (1)
HW
– Leasing of servers and workstations with refresh of HW in a predefined cycle.
– HW service, using local depot on each site with spare equipment.
– Asset management. Norske Skog will do the local deployment from HW depot to the user’s office.
Housing
– Housing of HUB locations in Europe, South America and Australasia.
Support
– HP will give second and third level support on the delivered services.
– Norske Skog will do call handling and first level incident handling internally.
HP Managed Services - scope (2)
Operations
– HUB sites
  • HUB servers
  • Active Directory
  • MS Exchange
  • DNS / DHCP
  • Citrix servers
– Local Norske Skog sites
  • HarleyV2 servers (DC, Exchange, File/Print, SW distribution, Terminal servers)
  • Local LAN
– Monitoring
– Error corrections (Problem and Incident management)
– Backup (local media handled by Norske Skog)
– Security management
– Anti-virus management
– Change management
– WAN Management
– Software packaging and distribution