Hiding the terminal servers: a budget solution

Practically all workstations in our company were built around HP t5530 thin clients. The exceptions were a few workstations with special requirements (exotic hardware or software) and a few laptops belonging to key employees. In total there were roughly 120 workstations. All of this was served by two terminal servers (Windows 2003 Enterprise), one Active Directory server and one file server. Internet access went through a FreeBSD server. The typical workload was IE (access to a remote online database), The Bat! with large volumes of mail, MS Office (Word/Excel) and 1C.

Unfortunately, almost all of the software was, for one reason or another, unlicensed. And, of course, the systems held a fair amount of information that should not have reached certain authorities.

At some point management set a task: take a set of measures for the case of an unexpected, and not particularly welcome, visit by certain people. Very little time was allotted, and no money at all.

After a short brainstorming session, the following idea was born:

From what could be found in the server room, a reasonably decent terminal server was assembled which, in theory, could withstand all users logging in at once. Of course, they would hardly have been able to actually work on it. On this server we placed Active Directory with a copy of the user accounts, a large amount of legitimate documentation and installed software, and in every way imitated that all the work was done on it.

The real servers were moved away: in the same building, but to a place where nobody would look for them. Only the decoy server, the PBX and all the network equipment remained in the server room.

The thin clients and the decoy server were placed on a separate subnet, say 192.168.1.1/24 (A). All the real servers were on the 192.168.0.1/24 (B) subnet. On the FreeBSD box, virtual interfaces were brought up in subnet A, one per terminal server. In normal mode, the thin clients connected to the IP addresses of those virtual interfaces, from which they were forwarded to the real servers in subnet B. At zero hour, forwarding from all of the interfaces was switched to the single IP of the decoy server in subnet A.

Users were accordingly instructed that if their terminal session dropped and, once it was restored, they saw a certain picture, then that is how it is: stay calm, imitate working, and do not start a panic with shouts of "why is nothing working".

The whole system worked in manual mode, i.e. all the necessary manipulations were performed by the administrator on duty running a script. Over time there were plans to implement an automatic mode by tying it into the existing office system for notifying about guests (a radio key fob at the secretaries' desk and a light alarm in the relevant rooms).

Overall, the system turned out to be a) very cheap and b) not requiring much time to recover after the guests leave.
