<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Charles Socci - Information Technology &#187; low cost</title>
	<atom:link href="http://charlessocci.com/tag/low-cost/feed/" rel="self" type="application/rss+xml" />
	<link>http://charlessocci.com</link>
	<description>IT and Amateur Radio K1DNR</description>
	<lastBuildDate>Fri, 20 Jan 2012 07:46:03 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>All In One Box &#8211; A Single Server Solution For Remote Branch Offices</title>
		<link>http://charlessocci.com/2009/02/22/all-in-one-box-a-single-server-solution-for-remote-branch-offices/</link>
		<comments>http://charlessocci.com/2009/02/22/all-in-one-box-a-single-server-solution-for-remote-branch-offices/#comments</comments>
		<pubDate>Sun, 22 Feb 2009 23:57:40 +0000</pubDate>
		<dc:creator>csocci</dc:creator>
				<category><![CDATA[IT and Stuff]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[nonprofit]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[VMWare]]></category>
		<category><![CDATA[bandwidth control]]></category>
		<category><![CDATA[free]]></category>
		<category><![CDATA[low cost]]></category>
		<category><![CDATA[m0n0wall]]></category>
		<category><![CDATA[monowall]]></category>
		<category><![CDATA[one box]]></category>
		<category><![CDATA[remote office]]></category>
		<category><![CDATA[single server]]></category>
		<category><![CDATA[small office solution]]></category>
		<category><![CDATA[untangle!]]></category>

		<guid isPermaLink="false">http://charlessocci.com/?p=58</guid>
		<description><![CDATA[I serve a large organization with multiple branch offices in remote places. Typically, these offices are staffed by one to fifty employees. Most of the offices have a local Windows Domain Controller, which doubles as file/print, DNS, and DHCP server. The larger of the offices are usually connected to the Internet via [...]]]></description>
			<content:encoded><![CDATA[<div class="wp-caption alignleft" style="width: 488px"><a href="http://www.socci.com/ROMONOWALL.png" target="_blank"><img title="One Box Remote Office Solution" src="http://www.socci.com/ROMONOWALL.png" alt="One Box Remote Office Server Solution" width="478" height="347" /></a><p class="wp-caption-text">Click For Large Image Diagram</p></div>
<p>I serve a large organization with multiple branch offices in remote places. Typically, these offices are staffed by one to fifty employees. Most of the offices have a local Windows Domain Controller, which doubles as file/print, DNS, and DHCP server.</p>
<p>The larger offices are usually connected to the Internet via a T1 or DSL line from a local service provider. Each office also has a firewall that connects back to headquarters over an IPsec VPN tunnel.</p>
<p>This arrangement has served well for several years, but it has limitations. Recently, many of our offices have begun providing Internet access for clients &#8211; this added load, together with increased use of high-bandwidth services like YouTube, has forced us to manage bandwidth actively. In addition, configuring servers and firewalls for each individual office &#8211; and finding local support who can help us on site &#8211; is challenging.</p>
<p>A major goal of our current initiative is to make our network locations more homogeneous and more directly under the control of IT staff at headquarters. Virtualization has become an attractive option for several reasons: it eliminates the cost of a separate hardware firewall, and it lets us build a hardware-agnostic server &#8220;image&#8221; that runs on whatever hardware the office has.</p>
<p>My &#8220;One Box Solution&#8221; puts the firewall, bandwidth management, and Windows Domain Controller on a single, portable server.</p>
<p>I recently began piloting such a solution in one of our offices. With no budget for the project, I took advantage of an unused Dell workstation at HQ and added a second 10/100 NIC we had lying in our closet. I installed <a title="Ubuntu Server" href="http://www.ubuntu.com/getubuntu/download" target="_blank">Ubuntu 8.10 server</a> (any Linux distribution that VMware Server supports will do) and <a title="VMWare Server" href="http://vmware.com/download/server/" target="_blank">VMware&#8217;s latest free Server for Linux</a>.</p>
<p>If you haven&#8217;t used VMware yet, go to <a href="http://vmware.com/download" target="_blank">www.vmware.com</a> and download the free Player and one of the free virtual appliances (pre-configured virtual machines). VMware Server is also free, and it lets you build and configure your own virtual machines.</p>
<p>With the Linux box built and VMware Server installed, I configured one of the NICs as the internal NIC, with an address on the local subnet, and the other as the external NIC, with one of our assigned Internet IP addresses.</p>
<p>Inside VMware Server, I configured three virtual networks: the first bridged to the external NIC of the Linux host, the second a host-only virtual network, and the third bridged to the internal NIC of the Linux host.</p>
<p>The first virtual server I built was the <a title="M0n0wall" href="http://m0n0.ch/wall/features.php" target="_blank">m0n0wall</a> firewall. Note that <a title="Download M0n0wall VMWare Appliance" href="http://m0n0.ch/wall/download.php?file=generic-pc-1.3b15-vm.zip" target="_blank">m0n0wall is available pre-built as a virtual appliance</a>, so there is nothing to compile or build: download the appliance files and open them in VMware Server. I chose m0n0wall for several reasons. It is free. It is easy to configure. It provides QoS and traffic shaping and, most importantly, the IPsec tunnels that connect back to headquarters and our DR NOC. The external WAN interface of m0n0wall was connected to the external virtual network. The internal LAN interface was connected to the host-only virtual network (we&#8217;ll see why in a moment). The WAN and LAN interfaces were configured with the appropriate network settings, NTP server, DNS, and so on. The WAN IP is on our Internet subnet, with the gateway pointing at our ISP&#8217;s router; the LAN interface becomes the default gateway for the local network.</p>
<p>m0n0wall is a powerful firewall for a small office. With a third NIC you can easily set it up to provide a DMZ or a captive portal for wireless users. A captive portal lets you plug in a wireless device and require users to authenticate in a browser, optionally against a RADIUS server for advanced authentication.</p>
<p>The second virtual server is <a href="http://www.untangle.com/Developers/VMware-Appliance" target="_blank">Untangle</a>, also available pre-built as a virtual appliance. Untangle can be installed as a transparent bridge &#8211; no routing involved &#8211; sitting between the firewall and the internal network. Untangle can also act as the firewall itself, but since it lacks the IPsec support we need for the tunnel back to headquarters, we chose m0n0wall for that role. Where Untangle really excels is Internet filtering and management. It provides a suite of free modules for filtering, reporting, and OpenVPN remote access, with paid and supported modules also available. The free version gives very granular reporting and a powerful degree of access control right out of the box.</p>
<p>The third virtual server is our Windows Domain Controller. This is the only component that requires a paid license. The virtual domain controller runs as a VMware guest with a single interface on the internal virtual network.</p>
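<p>The layout in the three paragraphs above relies on a few isolation rules: only the firewall&#8217;s WAN faces the Internet, the firewall LAN sits on the host-only network so all office traffic has to cross the Untangle bridge, and the domain controller touches only the internal network. The Python script below is an added example, not code from this post or from any of the products named; it models that layout as data and checks those rules, and adds one hardening check the post does not make: the host&#8217;s external NIC should be brought up without an IP address of its own, because a host with a public address sits outside the m0n0wall VM, along with VMware Server&#8217;s management ports. The node and interface names (host, m0n0wall, untangle, dc, eth0/eth1) and the three constructed topologies are assumptions for illustration.</p>

```python
"""Layout check for the single-server branch office box described above.

Added example (not code from the post): it models the three VMware
virtual networks and the interfaces attached to them, then checks the
isolation rules the design depends on. Node and interface names are
assumed labels, not VMware or m0n0wall identifiers.
"""
from dataclasses import dataclass, replace

EXTERNAL, HOST_ONLY, INTERNAL = "external", "host-only", "internal"


@dataclass(frozen=True)
class Iface:
    node: str        # "host" (the Ubuntu/VMware Server box) or a VM name
    name: str        # label for the interface, e.g. "WAN", "eth1"
    network: str     # virtual network (or physical NIC) it attaches to
    addressed: bool  # True if the interface carries an IP address


def check_topology(ifaces):
    """Return a list of findings; an empty list means the layout is sound."""
    findings = []
    by_node = {}
    for i in ifaces:
        by_node.setdefault(i.node, []).append(i)

    # 1. Among the VMs, only the firewall's WAN port may face the Internet;
    #    the host's external NIC is the physical uplink and is exempt here.
    for i in ifaces:
        if i.network == EXTERNAL and i.node != "host" \
                and (i.node, i.name) != ("m0n0wall", "WAN"):
            findings.append(f"{i.node}/{i.name}: attached to the external network")

    # 2. The firewall LAN must sit on the host-only network so every packet
    #    headed for the office has to pass through the Untangle bridge.
    fw_lan = [i for i in by_node.get("m0n0wall", []) if i.name == "LAN"]
    if not fw_lan or fw_lan[0].network != HOST_ONLY:
        findings.append("m0n0wall/LAN: must be on the host-only network")

    # 3. The Untangle bridge spans exactly host-only and internal.
    ut_nets = sorted(i.network for i in by_node.get("untangle", []))
    if ut_nets != [HOST_ONLY, INTERNAL]:
        findings.append("untangle: bridge must have one host-only and one internal interface")

    # 4. No node other than Untangle may touch both host-only and internal;
    #    that would be a path around the filter.
    for node, ifs in by_node.items():
        nets = {i.network for i in ifs}
        if node != "untangle" and {HOST_ONLY, INTERNAL} <= nets:
            findings.append(f"{node}: bridges host-only and internal, bypassing Untangle")

    # 5. The domain controller lives only on the internal network.
    for i in by_node.get("dc", []):
        if i.network != INTERNAL:
            findings.append(f"dc/{i.name}: domain controller must be internal only")

    # 6. Hardening beyond the post: the host's external NIC should be
    #    brought up without an address. With a public IP on it, the Ubuntu
    #    host (and VMware Server's management ports) sit outside m0n0wall.
    for i in by_node.get("host", []):
        if i.network == EXTERNAL and i.addressed:
            findings.append(f"host/{i.name}: has a public address outside the firewall")
    return findings


# Constructed topologies (assumed labels). AS_POSTED follows the post,
# including the public address on the host's external NIC.
AS_POSTED = [
    Iface("host", "eth0", INTERNAL, True),
    Iface("host", "eth1", EXTERNAL, True),
    Iface("m0n0wall", "WAN", EXTERNAL, True),
    Iface("m0n0wall", "LAN", HOST_ONLY, True),
    Iface("untangle", "eth0", HOST_ONLY, False),
    Iface("untangle", "eth1", INTERNAL, True),   # bridge keeps one management address
    Iface("dc", "eth0", INTERNAL, True),
]

# HARDENED: same layout, but the host's uplink NIC has no IP of its own.
HARDENED = [replace(i, addressed=False) if (i.node, i.name) == ("host", "eth1") else i
            for i in AS_POSTED]

# MISTAKE: a second DC NIC patched into the host-only network, which would
# let domain traffic reach the firewall LAN without crossing Untangle.
MISTAKE = HARDENED + [Iface("dc", "eth1", HOST_ONLY, True)]

if __name__ == "__main__":
    for label, topo in (("as posted", AS_POSTED), ("hardened", HARDENED), ("mistake", MISTAKE)):
        print(f"{label}: {check_topology(topo) or 'ok'}")
```

<p>Run as a script it reports one finding for the layout as posted (the host&#8217;s public address), none for the hardened variant, and two for the mistaken variant (the extra DC interface both bridges around Untangle and puts the DC on a non-internal network). On Ubuntu the hardening is a one-line change: declare the external NIC in <code>/etc/network/interfaces</code> with <code>manual</code> instead of <code>static</code> so it comes up with no address and only carries the VMware bridge.</p>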
<p>This arrangement lets us provide a one-box, all-in-one appliance to our remote offices that can be built at headquarters and swapped out as needed with a minimum of configuration. The Windows server can easily be promoted to a domain controller on site, and IP addresses and other site-specific settings can all be configured through graphical utilities.</p>
<p>Combining online backup, such as Mozy Pro, with the single box gives us a way to provide dependable network services, with a quick rebuild path if the box fails, to our smaller, budget- and staff-challenged offices in the field.</p>
<p>Another option is <a title="ESXi" href="http://vmware.com/download/esxi/" target="_blank">ESXi</a>, VMware&#8217;s free version of ESX Server. The downside of ESXi is that it requires more expensive hardware: it will not run on a workstation with a SATA disk drive. If you have a true server that is on the hardware compatibility list, however, ESXi provides a better platform. It installs as its own OS, so neither Linux nor Windows is required, and the management tools are considerably better.</p>
<p>One more thing we have looked at &#8211; and likely something we will hear more about in the coming months &#8211; is WAN optimization appliances, such as <a href="http://www.riverbed.com/products/appliances/" target="_blank">Riverbed</a>, that run as virtual machines. These will likely become the solution for our most remote offices, where slow satellite connectivity is the norm.</p>
]]></content:encoded>
			<wfw:commentRss>http://charlessocci.com/2009/02/22/all-in-one-box-a-single-server-solution-for-remote-branch-offices/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>

