Network Separation Project

Friday, January 26th, 2007 8AM-1:30 PM

The Changes

A Router has been installed to send traffic that needs to go over the wireless link over that link. Other traffic will not go over the link to the courthouse.

DHCP and DNS will be now all controlled by EUTERPE for the ACPL staff network.

All internal IP addresses have changed to fit into the scheme 192.168.20.1-254 (they were 192.168.4..)

IP tables have been updated on the Linux firewall machine.

Machines and other devices with static IP addresses have been changed to DHCP reservations (or static IPs within the new scheme). This included:

-PCs in computer list document that are listed as static.

-PocketPro print servers.

-Phones

-Web server (WWW)

-EUTERPE

-INTRANET/ACPL2

-Linux firewall

-ACLF computers

Complete list of PC's that were changed:

• WWW
• EUTERPE
• ACPL
• ACPL2
• OUTREACH
• NOVA
• LIB-FOUND-EXEC
• LIB-ADM-VAN
• LIB-ADM-ASST
• LIB-CHI-CHIREF
• LIB-CIRC-CENTER
• LIB-CIRC-EAST
• LIB-STAFFRM
• LIB-NTWK-MOBILE
• LIB-TSS-ACQ

Configuration changes may also be necessary to point machines to the new gateway and DNS servers.

The Web Server (WWW) was moved back to the library building in advance of these other changes.

Downtime was minimal. We worked with staff who needed to work Friday morning, so that they could use the "public" wireless network for internet in the meantime.

Now that the change has been done:

We will still be able to access the web based management system for the VOIP network to change the messages, menus etc.

We will still be able to use phones and computers on the same port.

Phones will still rout over the wireless link to the courthouse.

Future DNS/DHCP issues should occur only when there's a problem with our network within the library, or with Qwest.

Phone outtages will be as before, staff will need to use a cell or landline to call the county IT.

The web server and timecard system will function as before from the same addresses (both the co. and lib. addresses will still work) but the internal IP address will change when we change the others.

We now have our own "class C" network. "Static routs" will be set up over the link to the courthouse for the phone system.

No need for VPN use is forseen at this point.

Questions, answers and tasks:

• Bernie and Rehka needed to use Workflows, the web, etc. We moved them to the patron network.

• Can we have more phones?

Not until the VOIP license is updated (maybe Spring). The county isn't allowed any more at this point.

• Can we move the fax analog extension line from the old refdesk to the circ workroom, or to the Adult Services office if that won't work?

This can be done, but we didn't have time on the 26th. We will try to do this next week

• Test downstairs port for patron wireless access point

• Get printout/list of routing tables for firewall

• If we have to reimage firewall:
  • Smoothwall
  • IPCop

Continuing issues:

Having trouble with VTC access from outside of network. Almost certainly an IIS config issue:

Httpcfg command to listen to IP?

DNS propagation?

Issues with having Apache and IIS together?

http://www.faqts.com/knowledge_base/view.phtml/aid/9400

http://blog.econtentpark.com/permalinks/2006/11/19/Running-ColdFusion-on-IIS-and-have-Apache-run-on-port-80-also/

Host header issue seems to be fixed, so VTC is working internally:

http://msmvps.com/blogs/bernard/archive/2004/07/29/10855.aspx

http://support.microsoft.com/kb/287726

Got this error a few times in the log but wasn't up for this drastic surgery solution:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q240779

IIS info:

http://www.microsoft.com/technet/archive/winntas/support/archit.mspx?mfr=true

Some phones not working. Unplug and replug should fix them.

Move the fax line to the circ workroom.

Some laptops still need new IPs.

Some computers/users still need the HP printer set to its new IP.

Let staff know the new routine for downtime and phone issues.