IT Architecture: The new face of IT
A cloud-based framework running on a network of virtual servers is the new look of the modern IT infrastructure.
Paul Yu
Considering major industry trends and the rapidly changing technology landscape, CIOs and technology leaders have an opportunity to rethink the role IT plays in their organizational strategy. Working with the Microsoft Services Division, they can adopt a cloud-based infrastructure that maximizes IT investments. Microsoft Services takes a strategic, agile, and economical approach to developing and deploying such frameworks.
As an architectural reference for other security-conscious organizations, let’s examine one Microsoft Services-led deployment for a federal civilian government customer. Noteworthy facets of this IT architecture include a Microsoft-focused platform strategy, a cloud-first approach to IT, a minimal datacenter server footprint, service reliability and end-to-end security. All architecture planning, deployment and components described here were delivered by Microsoft consultants and engineers.
Capture the cloud
A central aspect of this customer’s architecture strategy involves Microsoft cloud services, particularly Office 365 for enterprises and System Center Advisor. These services provide familiar enterprise productivity and management tools, while reducing IT management and costs and increasing agility and reliability. Exchange Online and Office Professional Plus were deployed organization-wide.
The customer uses all the general Exchange Online capabilities, such as accessing e-mail, calendar, and contacts on computers and devices. It also uses critical features to facilitate compliance with security and auditing guidelines and integrate with other enterprise platforms. These features include message-retention policies and discovery services for electronic discovery, Hosted Encryption for encrypted messaging with external recipients, Allow/Block/Quarantine (ABQ) for granular ActiveSync-enabled device management, and Unified Messaging integration with the customer’s on-premises Lync infrastructure.
Advisor is another key cloud service the customer uses; it collects data from on-premises Microsoft servers and generates alerts that identify configuration and usage issues or deviations. The on-premises Advisor gateway service, which is required, resides on a multi-role System Center 2012 application server running Windows Server 2008 R2 SP1.
Advisor clients are installed on all servers. This lets the company monitor the OS, Active Directory, Hyper-V host, SQL Server 2008 R2 and Lync Server 2010 workloads. The customer can view alerts and get remediation guidance by connecting to the online Advisor portal by Web browser.
In addition to cloud-based services, there are a number of on-premises services for virtualization, directory and federation, public key infrastructure (PKI), network, unified communications and systems management. The customer has had these services implemented across a hybrid of physical and virtual servers, all of which are standardized on Windows Server 2008 R2 SP1 Datacenter and Enterprise Editions.
Virtualization services
Server virtualization significantly improves the efficiency of available computing resources and reduces the administrative overhead of physical server maintenance. This is a considerable element of the customer’s on-premises infrastructure. There are two pairs of dedicated Hyper-V hosts, each running Windows Server 2008 R2 SP1 Datacenter Edition.
Two of the servers host only internal virtual machines (VMs), and provide key features such as Cluster Shared Volumes (CSV) with VM live migration. The other two are standalone servers and host perimeter network VMs. All Hyper-V hosts in the environment use clustered SAN storage.
Active Directory Domain Services
As with most organizations, on-premises Active Directory services exist to provide a number of identity-related capabilities. Central to these capabilities are Active Directory Domain Services (AD DS), which provide localized directory services and a critical single sign-on (SSO) approach for Office 365 authentication. There are two dedicated AD DS domain controllers that provide directory and DNS services for the entire organization. One is a physical server and the other is a VM.
Active Directory Federation Services
In conjunction with AD DS, Active Directory Federation Services (AD FS) 2.0 provides an SSO approach for Office 365 by federating with the Microsoft Federation Gateway. This lets all of the customer’s users, whose identities are based on a federated domain, use their on-premises AD DS credentials to automatically authenticate to online services.
Another key aspect of AD FS 2.0 is the set of client access policy rules that restrict access based on the location of the computer or device making the request. This ensures that no computer can access Office 365 services unless it is located on the organization’s network, with the single exception of devices accessing Exchange Online through Exchange ActiveSync.
To provide federation services, AD FS runs on two separate pairs of dedicated servers. One pair has two virtual federation servers configured with Network Load Balancing (NLB). The other is a standalone pair, with virtual proxy servers located in the perimeter network, also in an NLB configuration.
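As an added example (not code from the article or from this customer's deployment), the following AD FS 2.0 issuance authorization rules express that client access policy: any request that arrives through the federation proxies from an address outside the agency's public range is denied unless the client is Exchange ActiveSync. The relying party name is the default one Office 365 federation creates; the egress address regex and the snap-in load are assumptions, and the regex uses a constructed documentation range.

```powershell
# Added example: AD FS 2.0 client access policy for Office 365 (not from the article).
# Assumes AD FS 2.0 Update Rollup 2 or later on federation servers AND proxies, so that
# the x-ms-proxy / x-ms-forwarded-client-ip / x-ms-client-application claims are populated.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "Microsoft Office 365 Identity Platform"   # default relying party name for Office 365

# Constructed placeholder: regex matching the agency's public egress addresses (203.0.113.0/24).
$agencyEgressRegex = '\b203\.0\.113\.([1-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\b'

$ctx   = "http://schemas.microsoft.com/2012/01/requestcontext/claims"
$authz = "http://schemas.microsoft.com/authorization/claims"

# Rule 1: the request came through a federation proxy (so it originated outside the network),
# the forwarded client IP is not an agency address, and the client is not Exchange ActiveSync.
# A deny claim blocks the request no matter what permit claims are issued elsewhere.
$denyExternal = @"
@RuleName = "Deny external access except Exchange ActiveSync"
exists([Type == "$ctx/x-ms-proxy"])
 && NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$agencyEgressRegex"])
 && NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "$authz/deny", Value = "true");
"@

# Rule 2: everyone not denied above is permitted (the default Office 365 authorization rule).
$permitAll = @"
@RuleName = "Permit access to all users"
 => issue(Type = "$authz/permit", Value = "true");
"@

# Replace the relying party's authorization rule set with deny-then-permit.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules ($denyExternal + $permitAll)

# Check: print the rule set that is now in effect on the trust.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Because the policy keys on the proxy-forwarded client IP, the federation proxies in the perimeter network must be patched to the same level as the federation servers, or the x-ms-forwarded-client-ip claim is absent and the deny rule fires for every external request, including ActiveSync.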
Directory synchronization
Working with AD DS and AD FS, there are also directory synchronization services on-premises to support SSO for Office 365. The customer uses the Microsoft Online Services Directory Synchronization tool to synchronize the on-premises Active Directory data—which includes users, groups and contacts—with Office 365 directory infrastructure. Identities are authoritative, managed and mastered only on-premises. Directory synchronization services are installed on a single, dedicated, virtual server.
Active Directory Certificate Services
Because this customer is a federal civilian agency, it must support Homeland Security Presidential Directive 12 (HSPD12) with logical access controls for all of its domain-joined computers. With the exception of a few highly secured accounts, all Active Directory Certificate Services (AD CS) administrator accounts used to routinely administer the organization’s infrastructure are enforced with personal identity verification (PIV) smart card logon only.
All workstations are also enforced with only PIV smart card logon. All computers in this agency have Federal Information Processing Standard (FIPS) 201-compliant third-party PIV middleware software installed.
There’s also a third-party hardware security module (HSM), which provides FIPS 201-compliant hardware-based cryptographic services. The customer uses this in conjunction with several dedicated VMs to support its PKI server topology. AD CS root certificate authority (CA) services reside on an offline, standalone virtual CA server. The AD CS issuing CA runs on a separate virtual CA server. Finally, the certificate revocation list (CRL) distribution point (CDP) services are on a virtual Web server.
Network services
There’s a pair of multi-role virtual servers deployed to provide common network services: Dynamic Host Configuration Protocol (DHCP), file services, and print and document services. DHCP Server is deployed on each server for increased fault tolerance, and uses an 80/20 split-scope configuration to balance address distribution between the two servers.
Both Distributed File System (DFS) Replication (DFS-R) and DFS Namespaces are deployed across the two servers to provide highly available, simplified access to files. For increased performance and availability, Folder Redirection and offline files are also deployed through workstation Group Policy. This redirects the path of local folders, such as Documents, to a DFS Namespace folder target, while caching contents locally.
Finally, Print and Document Services are configured on a single server to share printers on the network, set up print servers and centralize network printer management tasks.
Unified communications
The agency has established an organization-wide, unified communications network based on Lync Server 2010. It has deployed these services across six dedicated virtual servers, each with specific roles. Two virtual Standard Edition servers provide IM, presence, conferencing and voice features. These servers are hosted across clustered Hyper-V hosts to ensure voice resiliency.
Enterprise Voice and dial-in conferencing capabilities run on a single virtual Mediation Server. This translates signaling and media over a Session Initiation Protocol (SIP) trunk from the organization’s Internet telephony services provider. A third-party, on-premises session border controller also supports SIP trunk connectivity to the Mediation Server as part of the SIP trunk infrastructure.
There are third-party desktop and common area IP phones optimized for Lync deployed throughout the agency. These phones run the Lync Phone Edition client and are directly tethered to workstations to provide enhanced Lync integration capabilities.
A fourth virtual Monitoring Server provides monitoring services. This server collects data about the quality of network media, as well as call error records and call detail records. This information is used to troubleshoot failed calls and gauge usage levels for various Lync Server features. For required SQL services, the Monitoring Server uses a remote, dedicated SQL Server 2008 R2 SP1 Enterprise Edition instance running on a multi-role physical server.
The last set of Lync servers is a pair of standalone, virtual edge servers that reside in the perimeter network. These servers run the Exchange Online Unified Messaging features, such as call notifications and voice access services (which include voicemail).
Integrated management
For an integrated management platform covering the datacenter servers and client devices, the customer uses System Center 2012. The core infrastructure management components and toolsets help with configuration, monitoring and operations. These components are deployed across three dedicated virtual servers, each using a remote SQL Server 2008 R2 Enterprise Edition instance running on a multi-role, physical server.
System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection provide unified infrastructure to manage and protect the organization’s physical and virtual client environments. Configuration Manager centrally manages all software updates, application deployment, reporting and endpoint security. All computers in the environment have the Configuration Manager and Endpoint Protection clients installed, including perimeter networks.
The agency also uses the compliance settings along with Security Compliance Manager (SCM) 2.5 security baselines. All servers in the environment are hardened with the SCM member server baseline. Because SCM offers compliance setting configuration packs, Configuration Manager regularly assesses and reports on SCM security compliance for all servers.
System Center 2012 Data Protection Manager (DPM) handles disk-based data protection and recovery for all servers. Similar to Configuration Manager, the DPM client is required on all servers, including perimeter networks.
System Center 2012 Operations Manager handles monitoring critical services. Based on customized rule formulas, it generates alerts for specific availability, performance, configuration and security situations. For instance, administrators are e-mailed whenever specific AD DS service administrator groups and accounts are modified or when certain AD DS service administrators log on to the network. Operations Manager also provides notification when critical servers, such as DCs, are shut down and restarted.
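The two alert conditions described above, written out as an added example in PowerShell (not the customer's Operations Manager rules): group-membership changes to protected AD DS administrator groups, and non-network logons by designated service administrator accounts. The group list, account names and sample events are constructed placeholders.

```powershell
# Added example (not from the article): AD DS admin-activity alerting as a filter over
# Windows Security events. Names below are constructed placeholders.
$ProtectedGroups      = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")
$ServiceAdminAccounts = @("svc-adds-admin", "adds-ops1")

# 4728/4729, 4732/4733, 4756/4757: member added/removed to security-enabled global,
# local and universal groups. 4624: successful logon.
$GroupChangeIds = 4728, 4729, 4732, 4733, 4756, 4757
$LogonId        = 4624

function Get-AdDsAdminAlerts {
    # $Events: objects with Id, TargetUserName, SubjectUserName, MemberName, LogonType
    # (the same fields Get-WinEvent exposes in the event XML).
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($GroupChangeIds -contains $e.Id -and $ProtectedGroups -contains $e.TargetUserName) {
            # For group-change events TargetUserName is the group, MemberName the changed member.
            [pscustomobject]@{ Severity = 'High'; EventId = $e.Id
                Message = "Membership of '$($e.TargetUserName)' changed by $($e.SubjectUserName): $($e.MemberName)" }
        }
        elseif ($e.Id -eq $LogonId -and $ServiceAdminAccounts -contains $e.TargetUserName -and $e.LogonType -ne 3) {
            # Assumption: network (type 3) logons are excluded as noise; interactive (2),
            # RemoteInteractive (10) and similar logons by service admins are reported.
            [pscustomobject]@{ Severity = 'Medium'; EventId = $e.Id
                Message = "Service administrator '$($e.TargetUserName)' logged on (logon type $($e.LogonType))" }
        }
    }
}

# Constructed sample events standing in for Get-WinEvent -LogName Security output from a DC.
$sample = @(
    [pscustomobject]@{ Id = 4728; TargetUserName = 'Domain Admins';   SubjectUserName = 'jdoe'; MemberName = 'CN=tmpadmin,CN=Users,DC=agency,DC=example'; LogonType = $null },
    [pscustomobject]@{ Id = 4624; TargetUserName = 'svc-adds-admin'; SubjectUserName = '-';    MemberName = $null; LogonType = 10 },
    [pscustomobject]@{ Id = 4624; TargetUserName = 'svc-adds-admin'; SubjectUserName = '-';    MemberName = $null; LogonType = 3 },
    [pscustomobject]@{ Id = 4728; TargetUserName = 'Print Operators'; SubjectUserName = 'jdoe'; MemberName = 'CN=bob,CN=Users,DC=agency,DC=example'; LogonType = $null }
)

# Expected: two alerts (the Domain Admins change and the type-10 logon); the other two events are ignored.
Get-AdDsAdminAlerts -Events $sample | Format-Table -AutoSize
```

In production the same conditions would be fed from each DC's Security log (or expressed as Operations Manager rules with an e-mail notification channel, as the customer does) rather than from the constructed array.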
At the office and on the move
For workstations, the customer uses a laptop and docking solution as a traditional desktop replacement. All workstations run a custom image of Windows 7 SP1 that includes fundamental productivity applications, such as Office 365 Outlook Professional Plus and the Lync 2010 client.
The image was initially created on-premises, and the Microsoft Image Deployment Accelerator Solution provides managed quarterly updates to it. For workstation deployment, the customer uses Configuration Manager OS deployment. This way, it can deploy workstations anywhere on the corporate network.
There are a number of different controls applied to security-related configurations. For access control, all workstations employ built-in smart card readers, FIPS 201-compliant third-party PIV middleware software, and PIV smart card logon enforcement policies. Restricted Group Policy settings and Local User and Group preference items centrally manage all local users, groups, group memberships and passwords.
For general hardening, all workstations use the National Institute of Standards and Technology (NIST) United States Government Configuration Baseline (USGCB) Group Policy settings. The customer is currently awaiting an update to the System Center Configuration Manager Extensions for USGCB Security Content Automation Protocol validation reporting that supports its current versions of Configuration Manager and the Windows client.
The System Center 2012 Endpoint Protection client is installed on all workstations, as well as all other computers. This provides critical features, such as Windows Firewall integration, network inspection, and an antivirus, anti-malware protection engine. BitLocker Drive Encryption provides data protection and is required on all workstations. Data writing restriction Group Policy settings require all removable storage drives to be configured with BitLocker To Go.
Mobile devices running Windows Phone 7.5 are issued to all agency users. Microsoft Office Mobile includes mobile versions of familiar Office applications. Exchange ActiveSync provides secured synchronization with Office 365 Exchange Online and stringent device-access policies, such as complex, alphanumeric password requirements, device quarantining and Information Rights Management (IRM) capabilities.
So, as you can see, this government agency has deployed a sophisticated IT infrastructure consisting of cloud-based and virtual elements from both the server side and the client side. This is an excellent example of a truly modern IT environment.
Paul Yu is a senior consultant within Microsoft Services and an IT architecture and planning advisor. He has worked at Microsoft for 13 years, providing enterprise solutions architecture to commercial corporations and public sector organizations. Reach him at Paul.Yu@microsoft.com.