
It's my first post on serverfault and my first time setting up this kind of network, so my apologies in advance if it is not well formed.

I'm planning a small (education center) network that has about 20-30 Windows student PCs, tablets and employee laptops.

My goals:

  • Create two security zones which separate students and employees. Students have restricted (denied) internet access; employees can see all.
  • Ghost a Windows image to all the student PCs.
  • Keep track of student files.
  • Serve student resources via a web server.

The plan:

  • Use FOG to ghost a Windows image and to maintain and update the student PCs.
  • Use Samba to centralize student files (there aren't many of them). I plan to have one general login for all students, then write a script and GUI that uses DirSyncPro to sync student files to their own subdirectory.
  • Use Apache to serve web resources.

I'm not really sure how to go about making a restricted zone for the students. My guess is that I need to set up two subnets, one for students and one for employees, but I'm not sure how to serve both of them. Do I just have to configure my services to listen on both subnets? Would I need two NICs for this? Is it correct to call my server a gateway in this case? I'm thinking the structure should look something like this:

Internet
|
Modem
|
Router
|                 |            |             |
Ubuntu Server     Employee    Employee     etc..
|
Router
|             |           |
Student    student       etc...

Is this a good way to go about it? Or can I implement the subnets somehow so that it's all on the same router? I have never used subnets or iptables before, but it's something I'm trying to learn while doing this.

Afterwards, I'm going to administer it all remotely via SSH or VPN.

Edit: I forgot to mention that we're not in a position to invest in Windows servers. I know I will miss out on the benefits of Active Directory, but wouldn't it be great to find a Linux solution for Windows client administration?

Thanks in advance,

neildaemond
  • Just a thought, but you may find it a lot easier using an appliance distro like [untangle](http://www.untangle.com/) instead of a general purpose distro like Ubuntu. – Zoredache Dec 22 '11 at 10:06
  • Thanks for the suggestion, Zoredache. It looks like a nice appliance. However, I'm most comfortable using Ubuntu and would prefer to customize the services running on it myself. I feel I might learn a thing or two that way too. – neildaemond Dec 23 '11 at 01:52
  • The problem is that for a project like you are asking about you are going to either need to learn or already know a lot more than a simple thing or two. The scope of possible solutions and methods for the many questions you asked here is so large that it is very difficult to compose an answer. – Zoredache Dec 23 '11 at 01:57
  • OK, I guess I mentioned too many topics. My main difficulty right now is the network architecture. How do I create separation between two networks (subnets?) and service them both with one (Linux) server? Would that server require two NICs? Or could I position the router differently? – neildaemond Dec 23 '11 at 02:15
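As an added example (not code from the question or from any of the commenters), here is what the two-NIC design the question sketches looks like as an iptables policy on the Ubuntu box: one NIC on the employee LAN next to the existing router, the other NIC as the default gateway of a separate student subnet. Interface names, addresses, and the port list are assumptions made for the example; the services assumed are the ones the question names (Apache, Samba, FOG's PXE/TFTP/NFS).

```shell
#!/bin/sh
# Added example, not from the original post: the Ubuntu box as the router
# between an employee LAN and a student LAN, using two NICs and iptables.
# Everything below is an assumption made for the example:
#   eth0  192.168.1.2/24  employee side; the existing router (192.168.1.1)
#                         is the box's and the employees' default gateway
#   eth1  192.168.2.1/24  student side; the box is the students' default
#                         gateway, so any student packet bound elsewhere
#                         must pass the box's FORWARD chain
# gen_rules only PRINTS the commands so the policy can be reviewed without
# root; apply it with:  gen_rules | sudo sh

EMP_IF=eth0
EMP_NET=192.168.1.0/24
STU_IF=eth1
STU_NET=192.168.2.0/24
SRV_STU_IP=192.168.2.1           # server address as the students see it

# Services the students may reach on the server itself (assumed ports):
#   80 Apache, 139/445 Samba, 69 TFTP for FOG PXE boot, 2049 NFS for FOG imaging
STU_TCP_PORTS=80,139,445,2049
STU_UDP_PORTS=69,2049

gen_rules() {
    cat <<EOF
# enable routing between the two NICs
sysctl -w net.ipv4.ip_forward=1
# start from a clean, default-deny policy for traffic to and through the box
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# employee side: SSH admin plus the same services, and may reach student PCs
iptables -A INPUT -i $EMP_IF -s $EMP_NET -p tcp -m multiport --dports 22,$STU_TCP_PORTS -j ACCEPT
iptables -A INPUT -i $EMP_IF -s $EMP_NET -p udp -m multiport --dports $STU_UDP_PORTS -j ACCEPT
iptables -A FORWARD -i $EMP_IF -o $STU_IF -s $EMP_NET -d $STU_NET -j ACCEPT
# student side: only the server's own services; there is deliberately no
# FORWARD rule for $STU_IF -> $EMP_IF, so students reach neither employees nor the Internet
iptables -A INPUT -i $STU_IF -s $STU_NET -d $SRV_STU_IP -p tcp -m multiport --dports $STU_TCP_PORTS -j ACCEPT
iptables -A INPUT -i $STU_IF -s $STU_NET -d $SRV_STU_IP -p udp -m multiport --dports $STU_UDP_PORTS -j ACCEPT
# DHCP discover (for PXE boot) arrives as a broadcast, not addressed to $SRV_STU_IP
iptables -A INPUT -i $STU_IF -p udp --dport 67 -j ACCEPT
# log (rate-limited) and reject anything else students try to send through the box
iptables -A FORWARD -i $STU_IF -m limit --limit 5/min -j LOG --log-prefix "student-denied: "
iptables -A FORWARD -i $STU_IF -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Sanity check on the generated policy: no rule may forward student traffic
# toward the employee interface, and the catch-all reject must be present.
# Returns 0 when the policy isolates the student subnet.
student_isolation_ok() {
    if gen_rules | grep -q -- "-A FORWARD -i $STU_IF -o $EMP_IF"; then
        return 1
    fi
    gen_rules | grep -q -- "-A FORWARD -i $STU_IF -j REJECT"
}
```

The services only need to listen on both addresses (most of them bind to all interfaces by default), so the "serve both subnets" part is solved by routing, not by configuring each service twice. Because the student subnet is never forwarded anywhere, no NAT is needed on the box; the upstream router never sees 192.168.2.0/24. To make the rules survive a reboot on Ubuntu, install the iptables-persistent package and run `iptables-save > /etc/iptables/rules.v4` after applying them. One caveat: the isolation holds only while the box is the students' sole path out, which means the student switch must not also be cabled to the employee side.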

1 Answer


There is definitely not just one answer to your question, and your idea of having students and teachers on different subnets is not a bad one, but it is a little complicated for such a small network, in my opinion...

You could make one subnet, cut out the extra router, and use routing software on the server from which you could easily control who has access to what web sites, etc., through Active Directory authentication. Of course, having Ubuntu in the middle of all this would be like trying to use a hammer as a screwdriver; if you were using Windows Server instead you could use ISA, which is now known as Threat Management Gateway (TMG).

Or, forget Windows altogether if you want. Squid for Linux: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:Ch32:_Controlling_Web_Access_with_Squid

Ryan Ries
  • Thanks Ryan, I know it doesn't make too much sense to use a Linux box while managing a windows network, but I prefer Linux, and want to avoid the licensing issues with windows products. I updated my original question to better reflect that fact. – neildaemond Dec 23 '11 at 02:06
  • No problem. Forget Windows altogether. Squid: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid – Ryan Ries Dec 23 '11 at 02:50
  • You were right, Ryan. It was a little complicated for my small network. When I wrote the question, I was planning without having been to the site yet. I ended up having one router as the top-level gateway which fed DES-1024R unmanaged switches that connected everything else. And it turned out that employees are close by the students while they are in (we're a learning center), so I don't even have to restrict the internet much. I'll just selectively mount network drives to separate the network shares or put them in different workgroups. – neildaemond Jan 06 '12 at 10:18
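As an added example (not code from the answer, the comments, or the Squid project), here is the Squid side of the single-subnet design the answer proposes: the Ubuntu box runs the proxy, and students and employees are told apart by the address range DHCP hands them. The ranges, the server address, the whitelist file and its contents are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the answer or from Squid itself: a Squid access
# policy for one flat subnet where the student PCs get one DHCP range and the
# staff machines another. All addresses and file paths are assumptions.
# gen_squid_conf only prints the configuration; install it with:
#   gen_squid_conf > /etc/squid/squid.conf
#   gen_student_whitelist > /etc/squid/student-allowed.txt
#   squid -k parse && squid -k reconfigure

PROXY_PORT=3128
STUDENT_RANGE=192.168.1.100-192.168.1.199     # assumed DHCP pool for student PCs
EMPLOYEE_RANGE=192.168.1.10-192.168.1.99      # assumed reservations for staff
SERVER_IP=192.168.1.2                          # Apache with the student resources
STUDENT_WHITELIST=/etc/squid/student-allowed.txt

gen_squid_conf() {
    cat <<EOF
http_port $PROXY_PORT
# who is who, by source address
acl students src $STUDENT_RANGE
acl employees src $EMPLOYEE_RANGE
# where students may go: the local web server plus a whitelist of domains
acl local_server dst $SERVER_IP
acl student_sites dstdomain "$STUDENT_WHITELIST"
acl safe_ports port 80 443
acl ssl_ports port 443
acl CONNECT method CONNECT
# Squid evaluates http_access top to bottom; the first matching line wins
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access allow employees
http_access allow students local_server
http_access allow students student_sites
http_access deny students
http_access deny all
EOF
}

# A starter whitelist; a leading dot matches the domain and all its subdomains.
gen_student_whitelist() {
    cat <<EOF
.example.edu
.wikipedia.org
EOF
}

# Order check: every "allow students ..." line must precede "deny students",
# otherwise the deny matches first and the whitelist is dead configuration.
# Returns 0 when the order is right.
student_rule_order_ok() {
    allow=$(gen_squid_conf | grep -n '^http_access allow students' | tail -1 | cut -d: -f1)
    deny=$(gen_squid_conf | grep -n '^http_access deny students' | cut -d: -f1)
    [ -n "$allow" ] && [ -n "$deny" ] && [ "$allow" -lt "$deny" ]
}
```

Two caveats a practitioner would want before relying on this. First, a proxy only restricts what cannot go around it: with a flat subnet and the consumer router as the gateway, a student who clears the browser's proxy setting is back on the open Internet, so the box must be the only route out (or the router must block direct 80/443 from the student range). Second, telling students from employees by IP range trusts DHCP; a student who sets a static address inside the employee range inherits employee access, which is why the answer's suggestion of authenticating users (Squid's proxy_auth ACLs) is the stronger option once the basic setup works.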