Saturday, December 1, 2018

Moving away from a failing DSFW environment

Hey all,

I have inherited a failing DSFW healthcare environment and need to move away from it ASAP. The majority of our business-critical applications have been moved to cloud-based solutions, and there is no longer a need for the organization to hold on to failing equipment.

The current environment:

  • OES DSFW running on OpenSuse VMs
  • DHCP and DNS handled by OpenSuse VMs
  • Physical hosts are 3 years past end of life
  • Each campus has a primary internet circuit provided by Comcast or Verizon
  • MPLS circuit implemented for WAN connectivity, as well as redundancy in the event of a primary circuit failure
  • On-premise PBX for each site
  • ~350-400 end user devices and workstations across the organization.
  • ForcePoint/Websense is utilized for Web Proxy, filtering, email security, and file sandboxing

The DSFW, DHCP, and DNS servers are failing on a regular basis and require constant monitoring and restarting of services to keep them up and running. The physical hosts are past due and I have some serious concerns regarding their health. Things are getting progressively worse and we need to make a move to a viable, safe, and stable environment.

Our concept of moving forward:

We will be deploying Trend Micro Worry-Free as our end-user antivirus solution. As we roll out the software to each workstation, the workstation will be removed from the DSFW domain and brought into a simple workgroup environment.

Websense Endpoint Client will also be removed at this point, as users will have no means to authenticate to the Web Proxy without DSFW. This is okay because Trend Micro will fulfill the Web Proxy and Content filtering role as well.

Also, during the roll-out workstations will be pointed to Google's DNS servers.

Once the roll-out of Trend Micro is complete and all computers are removed from the DSFW domain and brought into a workgroup environment, DHCP will be stopped on the OpenSuse VMs, and instead we will have our Cisco ASAs handling DHCP for each respective facility and subnet.

This will enable us to completely turn down the failing servers, and put us in a stable environment. The end result will be users logging in with a local computer account and authenticating to each one of their cloud applications independently.

This is a short-term solution. Obviously it is not ideal from an administration perspective, to have 400 devices in a workgroup environment spread out over a large geographical area. We will have 0 ability to centrally manage our users and devices until we implement a new Domain Environment.

I would love to just jump right into an Active Directory environment, and join the computers to a new Domain at the time of the Trend Micro rollout, but unfortunately we do not currently have the time or cash flow required to provision new physical hosts. So this implementation will have to happen at a later date.

My concept for the future implementation of a new Domain:

I am still on the fence about joining the workstations to a new Domain or keeping them in a workgroup environment, and utilizing some different solutions to centrally manage the devices, as all of our applications are in the cloud, as well as our file-sharing and email solutions etc.

But if I did implement AD, I was thinking of something like this:

Once we are able to, we will spin up two new VMs for our AD DCs with DNS, and rejoin each computer to the new Domain. We will keep Trend Micro in place as our Web Filtering and Proxy solution.

DHCP will remain on the Cisco ASA for each site.

We are also moving away from the MPLS circuit and implementing an SD-WAN solution with hosted PBX.

What do you guys think of my plan? This is the first time I am taking on a project of this magnitude and I don't want to overlook anything huge.

Any comments, criticisms, or idea generating questions are welcome and much appreciated!


