
People

Sean Matheny - Nectar Cloud Operator, Centre for eResearch - s.matheny@auckland.ac.nz

Rob Burrowes - Research Systems Lead, Centre for eResearch - r.burrowes@auckland.ac.nz

Marcus Gustafsson - Manager, Centre for eResearch - m.gustafsson@auckland.ac.nz

Synopsis

Aims and Background

There is a large demand from UoA researchers to use Windows operating system(s) in the UoA NeCTAR Research Cloud Pilot. Although Nectar will likely always be predominantly Linux-based in its offerings to researchers, a significant portion of software and use cases can be realised only within Microsoft Windows environments. Most of the other Nectar member institutions provide some form of Microsoft Windows for their researchers' needs, and in all cases so far this is covered by CAUDIT licensing. The degree to which the Windows solution is integrated, implemented, and supported at each university varies considerably.

In our specific case, we will be requesting a fixed number of Microsoft Windows licenses (exact OS TBD) on a trial basis, to be restricted for deployment only by Centre for eResearch staff (i.e. not for self-service use by the researchers). Use of the Windows environments by the researchers would be limited to use within the UoA network (possibly restricted by firewall rules), and only for non-commercial research.


Requirements

1) Investigate how UoA CAUDIT licensing (or its replacement) will apply to Nectar instances run on UoA hardware, and what restrictions are involved in being licensing-compliant.

2) Work with other Australian Nectar nodes to gain insight into how they implemented this, and what successes and pain points they had along the way.

3) Architect and implement the environment (including the border firewall rules required for services) for this solution to exist, including any restrictions necessary to be licensing-compliant.

4) Design processes for Centre for eResearch staff to be able to launch Microsoft Windows images for use in building VMs for UoA researchers.

General Implementation Status at other Nectar member Universities:

UniMelb has private address space specifically for Windows instances that is routable to the university infrastructure. In this case, UniMelb ITS manages group policy, activation, patching, monitoring, etc., just as it would for any other VM of its own, and these systems consequently behave like any other virtualised VM in the university. The address space is private, so these VMs are not public-facing (at least by default).

Monash seems to fall in the middle: they have pinhole border firewall access for LDAP and KMS activation, but the instances are otherwise "outside the firewall". Researchers who are approved for Windows are given access to the appropriate image, and the Windows instance that gets launched can communicate in limited ways back to the university. It's still unclear whether these instances are joined to the domain, or what the exact arrangements for support and integration are.

Finally, some other sites, particularly those who operate Nectar for multiple institutions (e.g. QCIF, Intersect), may manage access to Windows images on Nectar (specific to each university), but the instances themselves are largely isolated from any other university services (which leaves them comparatively crippled). Some need to activate (and then re-activate) via VPN, for example.

Whatever the degree of integration, operators at all sites seem to confirm that there is some form of Windows image that is cloud-prepared from an ISO supplied by that university's ITS with a tool such as https://github.com/cloudbase/windows-openstack-imaging-tools, and afterwards uploaded for use by researchers only at that university. Access to each image is granted by a manual process, approved by local staff; the image is not accessible to everyone or by default.


Possible Border Firewall Rules Required for this Solution:

Firewall Rules

| Reason | Source | Destination | UDP/TCP | Ports | Notes |
|---|---|---|---|---|---|
| DNS | cerguinzprd01.uoa, cerguinzdev01.uoa | 130.216.190.1, 130.216.191.1 | UDP & TCP | 53 | Should already be allowed or public. |
| AD Kerberos | cerguinzprd01.uoa, cerguinzdev01.uoa | 130.216.190.44, 130.216.5.170, 130.216.5.65, 130.216.4.233, 130.216.190.179 | UDP & TCP | 88, 464 | Both ways |
| Global Catalog Server | cerguinzprd01.uoa, cerguinzdev01.uoa | 130.216.190.44, 130.216.5.170, 130.216.5.65, 130.216.4.233, 130.216.190.179 | TCP | 3268, 3269 | |
| TSM | cerguinzprd01.uoa, cerguinzdev01.uoa | | TCP | 1500, 1501 | 2nd NIC local subnet only |
| NTP | cerguinzprd01.uoa, cerguinzdev01.uoa | 130.216.190.44, 130.216.5.170, 130.216.5.65, 130.216.4.233, 130.216.190.179 | UDP | 123 | |
| SCCM | cerguinzprd01.uoa, cerguinzdev01.uoa | 130.216.88.106 | TCP (8530, 8531, 445, 80, 443); TCP/UDP (135) | 8530, 8531, 445, 135, 80, 443 | 80 and 443 both ways |
| SCOM-Out | cerguinzprd01.uoa, cerguinzdev01.uoa | 130.216.5.248, 130.216.5.250 | TCP/UDP (137, 139, 5723); TCP (445) | 137, 139, 445, 5723 | |
| SCOM-In | 130.216.5.248, 130.216.5.250 | cerguinzprd01.uoa, cerguinzdev01.uoa | ICMP | | |
| RDP (Sys Admin) | 130.216.5.148, 130.216.2.35, 130.216.19.179 | cerguinzprd01.uoa, cerguinzdev01.uoa | TCP | 3389 | |
| LDAP | cerguinzprd01.uoa, cerguinzdev01.uoa | 130.216.190.44, 130.216.5.170, 130.216.5.65, 130.216.4.233, 130.216.190.179 | TCP/UDP (389); TCP (636) | 389, 636 (SSL) | |
| Squid Proxy | cerguinzprd01.uoa | squid.auckand.ac.nz | TCP | 3128 | Likely not needed, unless tenant network space for the Windows segment(s) changes. |
| Network Share Access | cerguinzprd01.uoa | fhmsb3.uoa.auckland.ac.nz / 130.216.9.18 | TCP, UDP | TCP 135-139, 445; UDP 135-139 | Access to UoA storage will not go through the firewall. |

Above copied from the Growing up in New Zealand Researcher Portal, which was developed by CeR and ITS and required Windows functionality in a completely isolated F5 partition.

https://wiki.auckland.ac.nz/pages/viewpage.action?pageId=112779734


Status

Consultation