Sean Matheny - Nectar Cloud Operator, Centre for eResearch - email@example.com
Rob Burrowes - Research Systems Lead, Centre for eResearch - firstname.lastname@example.org
Marcus Gustafsson - Manager, Centre for eResearch - email@example.com
Aims and Background
There is a large demand from UoA researchers to use Windows operating system(s) in the UoA NeCTAR Research Cloud Pilot. Although Nectar will likely always be predominantly Linux-based in its offerings to researchers, a significant portion of software and use cases can be realised only within Microsoft Windows environments. Most of the other Nectar member institutions provide some form of Microsoft Windows for their researchers' needs, and in all cases so far this is covered by CAUDIT licensing. The degree to which the Windows solution is integrated, implemented, and supported at each university varies quite a bit.
In our specific case, we will be requesting a fixed number of Microsoft Windows licenses (exact OS TBD) on a trial basis, to be restricted for deployment only by Centre for eResearch staff (i.e. not for self-service use by the researchers). Use of the Windows environments by the researchers would be limited to the UoA network (possibly restricted by firewall rules), and used only for non-commercial research.
1) Investigate how UoA CAUDIT licensing (or its replacement) will apply to Nectar instances run on UoA hardware, and what restrictions are involved in remaining licensing-compliant.
2) Work with other Australian Nectar nodes to gain insight as to how they implemented this, and what successes and pain points they had along the way.
3) Architect and implement the environment (including border firewall rules required for services) for this solution to exist, including any necessary restrictions to be licensing-compliant.
4) Design processes for Centre for eResearch staff to be able to launch Microsoft Windows images for use in building VMs for UoA researchers.
General Implementation Status at other Nectar member Universities:
UniMelb has private address space specifically for Windows instances that is routable to the university infrastructure. In this case, UniMelb ITS manages group policy, activation, patching, monitoring, etc., just as they would for any other VM of theirs, and these systems consequently behave much like any other virtualised VM in the university. The address space is private, and as such these VMs are not public-facing in nature (at least by default).
Monash seems to fall in the middle, where they have pinhole border firewall access for LDAP and KMS activation, but the instances are otherwise "outside the firewall". Researchers who are approved for Windows are given access to the appropriate image, and the Windows instance that gets launched can communicate in limited ways back to the university. It’s still unclear whether these instances are joined to the domain, or what the exact circumstances of support and integration are.
Finally, some other sites, particularly those who operate Nectar for multiple institutions (e.g. QCIF, Intersect), may manage access to Windows images on Nectar (specific to each university), but the instances themselves are largely isolated from any other university services (which leaves them comparatively crippled). Some need to activate (and then re-activate) via VPN, for example.
Whatever the degree of integration, operators at all sites seem to confirm that there is some form of Windows image that is cloud-prepared from an ISO supplied by that university's ITS with a tool such as https://github.com/cloudbase/windows-openstack-imaging-tools , and afterwards is uploaded for use only by researchers at that university. Access to each image is granted through a manual process, approved by local staff; the image is not accessible to all or by default.
Possible Border Firewall Rules Required for this Solution (only fragments of the original rules table survived; the column layout was lost):
- UDP & TCP, port 53: should already be allowed or public.
- UDP & TCP
- UDP & TCP
- Global Catalog Server: cerguinzprd01.uoa
- 2nd NIC local subnet only
- RDP (Sys Admin)
- Likely not needed, unless tenant network space for the Windows segment(s) changes.
- Access to UoA storage will not go through the firewall.
The above was copied from the Growing Up in New Zealand Researcher Portal, which was developed by CeR and ITS and required Windows functionality in a completely isolated F5 partition.