Network admins, infrastructure gurus and IT folks, a question if I may...

I have a rather large asset manager server sitting on a domain, let’s call it .xyz

It will soon be moved to another domain we will call .abc

I have been told by our network folks that once it is moved, the .xyz folks will not be able to access this system any longer.

The tech solution I was given was to buy two new servers and duplicate everything I did, so that the data would be available to everyone. This seems a little redundant to me, but I’m not an IT guy by any stretch of the imagination.

I guess what I was hoping was that somewhere there would be some sort of bridge that would allow one domain access to the boxes on the other. Most of the data is graphics, photos and whatnot, but a large chunk of it is streaming video that occasionally needs to get to the cut off audience.

Any thoughts, or am I doomed to explaining to every fourth or fifth customer that his computer will not be able to find what he needs?
Thanks for any help in advance…
YLB

The data can be reached if networked, but it should be noted that a domain is a security boundary. Therefore, domain .abc has to be set to trust domain .xyz.

I think we need a lot more information. Are the two networks physically connected? Can they be logically connected? Is there a firewall between the two? What security considerations are there? Corporate ‘Chinese walls’? This may not be a trivial exercise.

Two ideas:

If the networks are pure IP networks (e.g. 10/8 and 192.168/16), then you could give the server addresses on both networks, maybe using multiple network cards.

If it’s a Windows network (domain or AD forest), you could put the server in its own domain or forest (.rst) and create trusts between .abc and .rst and between .xyz and .rst.

Note that if there’s an airgap, you’re SOL.

That’s what I was afraid of. :)

The only information I have is anecdotal. We were told that the split would be because of security issues, so I’m guessing there is an “airgap” between the domains. The guy that walked us through it kept talking about a wall that would be placed between them to keep one secure. I’m sure he was dumbing it down for the poor operators, but I have a feeling it is a physical separation.
Sigh.

Looks like a third of my customers may be SOL.

I think some change control is needed here. If it legitimately serves a purpose where it is currently, why is it moving, and who is asking for it to be moved? Is it just a data repository or does it do discovery of assets? How are you communicating the impact of the change?

Buying another set of servers doesn’t necessarily allow the two servers to be synced, unless your package allows that. Perhaps the main data repository should be kept separate from either domain, and allow data to be fed back from “store and forward” servers on the separate domains.

I’m not a network guy, but I can tell you that in my IT department, an answer of “well, those customers just won’t be able to get what they need, suck it up or spend thousands on extra equipment” would NOT be accepted. At all.

The split for “security issues”, as you’ve explained it, is asinine. If you’re copying data to multiple servers so that everyone can reach all the data, then your security is no better than before.

Unless the purpose of the “secured” server is to keep people from messing with your live data, and what they’re suggesting is a separate reporting-only server or front-end server or something. That is a valid way to go, and would improve security.

But a reporting-only server should be able to be set up so that both sets of customers can reach it. You shouldn’t need two servers. And they should be able to set up replication or something, so that YOU don’t need to do anything to have the data on both servers.

And if the main server can talk to two servers, one in each domain, to allow for duplication, then I’d guess there’s no “air gap”. Which means that this is a “we’ve decided to do it this way, damn the consequences” issue rather than a technical issue.

I’d go back and insist on getting more info. The questions Aestivalis posted are a good start. Once you understand who’s forcing the change and why, you’ve got some possibility of getting the changes amended to meet your needs.

I am not in this scale of IT much but sounds to me like a second opinion from another IT firm might be the best couple hundred $ you could ever spend.

If it’s a data repository or application residing on servers in another domain, I might look at something like a Citrix solution. But, that requires the .abc domain to have the infrastructure to present applications over Citrix, which isn’t cheap or easy to set up. While that won’t help if the application has to discover assets in the .xyz domain, it might address the issue of .xyz users needing to use the application.

I’ll try and explain the necessity, but if I vague out on a few things, understand that this is a military system we are talking about, so logic goes right out the window.

I work at the Air Force Academy, which has run into some issues recently due to the network’s need to be secure, and the need for students, faculty and staff to properly research and travel to places that would normally be off limits on an Air Force network.

The answer was to physically separate the two domains over the summer. One would continue to be secure and used for military apps, while the other could be used for academics.

I fall on the academic side; my asset management system is a repository of historical imagery, photos, graphics and some video and audio clips that a client can download to his or her desktop and use in classrooms, for homework, research etc.

Since its launch one year ago, many of the people who are on the military domain have gotten used to having this available. We have been communicating with the network security folks about our clients’ needs, but we have been politely rebuffed.

The clients who will be affected have been notified that the change is coming, but I would like to find a way to continue serving them without having to buy more servers, copy assets over, and duplicate what has taken about three years to put together.

I know there is really not much to go on. I am a front-end administrator who is learning, rather rapidly, as I go along.

Ha! Second opinion. That’s rich!

I’m lucky if I can get into the room where my servers are located, let alone actually download updates and patches.

I was told when I got hired that Government work took a special kind of mind. I’m starting to believe…

OOOOOhhhhhhhhhhhhhhhhh, military. There ya go then.

I suspect that there is a technical solution to the problem. However, you may not be able to get them to implement it.

Probably what’s needed is to set your academic-side domain to allow access from the other domain (trusted domain). If you can talk them into it.

However, they may be disallowing their military-side network (servers and users) to access outside networks AT ALL, not just your server. This would be to improve security on their entire network, by keeping their users and machines away from things that might cause problems.

You might ask them about the possibility of setting up a VPN to your server, which would allow credentialed users access through a secured tunnel. I don’t know anything about what’s needed for that, though. Maybe one of the actual networking folks here could tell you if that’s an appropriate solution.

Ah, this explains everything. I have experience with such networks and you are indeed going to have to suck it up because there will be an airgap between the two networks. The secure network will have no connection at all to the non-secure network.

Your major problems are going to be how to replicate the data and data integrity if you need to keep the two sets of information identical. But do you? Won’t the information from the secure network itself have a security classification? These are asset management servers: surely you need one managing the secure network and one managing the non-secure network, each with separate data? So you only need to copy across part of the data, then remove that data from the source. You’ll need a new server and new software, of course.

This seems like a relatively simple project but one that needs careful thought and planning. Remember, it’s the little things that bite you big time.

Just a suggestion, but as you’re not an IT person, why don’t you get the IT department to do it all?

yanceylebeef is on the non-classified side of the network - so his data is not secured. He wants the mil side to continue to have access. Copying the data and replicating the servers is one option - given military attitudes, the most likely one, in spite of all the pain it will cause. The other option is for yanceylebeef to set up some kiosks on the unclassified network for the military guys to use as needed.

Si

Unfortunately, per yanceylebeef’s reply to Aestivalis the whole of one network is being switched to a secure network. I expect that there’s an auditing app that writes back information on each client to the server in question. The data on the auditing server therefore needs to be cleansed such that there is no information about what is now the secure network on the non-secure server, and vice versa.

I will reiterate my suggestion that yanceylebeef get the IT department to do its job. If necessary, he should get his site’s security controller to back him up.

Got it in one Si. I need the military side to have access, so the kiosk approach may be the perfect solution. We have a meeting this afternoon where I will bring it up.
Thanks to everyone for your help. I’m in a little over my head, but I’m paddling as fast as I can!

Icy cold beers for everyone the next time you’re in my neck of the woods!

And I’ll second the motion. This is something that the IT department really should have figured out before they even talked to you. It’s definitely something they should fix once alerted to it, rather than dumping the problem on you.