Office of Administration Enterprise Server Farm CoLocation Quarterly Session

1
Office of Administration Enterprise Server
FarmCo-Location Quarterly Session

• Web Farm Hardware Load Balancing
• Web Farm SSL Acceleration
• Web Security Zone Enhancement
• Database Security Zone changes for Co-location
• Server Security Patch implementation
• Citrix Active Directory Management Groups
• Co-location Cabinet Access Procedures
• October 23rd, 2003

2
Web Farm Load Balancing
Public addressing NAT's to Private
Addressing Load balance HTTP/HTTPS/FTP traffic to
private address sockets
3
Load Balancing Status

• CSS are live in the Web Farm
• Several agencies are using the content switching
  services
• Traffic destined for Web Farm public IP address
  is terminated on CSS and translated to Private
  address
• CSS is configured to pass only limited services
  
• Traffic is routed to private addresses on web
  farm servers configured with private addressing

4
SSL Acceleration
- CSS uses server Verisign certificate
(previously exported to CSS) to decrypt HTTPS
traffic - Public addressing translated to Private
addressing - HTTPS traffic changed to HTTP.
5
SSL Acceleration Status

• SSL Traffic destined for Web Farm public IP
  address is decrypted using server registered
  Verisign certificate (previously exported to CSS)
• Exported certificate based on URL not IP address.
• Has been favorably tested and is available for
  Agencies desiring this service

6
Private VLANs
7
Private VLAN Status

• Implemented for several Co-location customers
  with great results.
• Requires that Agency Web or Proxy servers change
  Front End addressing to Private addressing
• Agency servers can intercommunicate, and
  communicate with resources on other subnets but
  no-one else on the same subnet.

8
Database Server Co-location
9
Database Server Co-location

• Goal is to move Co-located Database servers from
  the external network (DMZ) to the internal (MAN)
  network.
• Router between Co-location and Managed Services
  networks controls connectivity

10
Database Server Co-locationStatus

• Several Agencies migrated with great success.
• Communicate to DMZ web servers via their BLL
  address
• Communicate directly to agencies via added
  firewall rules (no BLL address necessary)
• Server is not available directly from the
  Internet, though Internet routable addresses let
  the server contact the Internet for updates, etc.

11
Security Patches

• Implementing server security patches is critical
  to maintaining the Security integrity of the
  Enterprise Server Farm.
• ESF notifies Co-location customers of Security
  advisories and patches as they are received from
  CERT, SANS, Microsoft, etc.
• Required Security patches should be installed as
  soon as possible.

12
Citrix Access Management

• Agencies create Active Directory groups following
  our naming standard
  XX-DS1800_YYYYY (ex. IN-DS1800_CAPS)
• Multiple groups can be created as required
• Agencies can manage their own DS1800 AD group(s)
• For Initial configuration, call the ESF Help
  Desk, option 1 and open a Remedy ticket to the
  Technical Operations Team with group names and
  the servers to which they should be assigned

13
Co-location Cabinet Access Management

• Agencies are not provided access to the back of
  the server cabinets.
• If access is required to the back of the agency
  cabinet, please create a Remedy ticket with the
  Technical Operations Team (TOT). If emergency
  access is required after hours, a lock box with a
  key is located in the co-location area with
  directions.
• TOT is in the process of getting all required
  keys issued to co-location customers so the
  fronts of all cabinets can be locked.
• Please leave the front of your racks unlocked
  until TOT notifies the agency that all keys have
  been distributed