More Secure Network (MSN)
Planning a Migration
Before You Begin
Generally, a departmental migration to the UVA More Secure Network is handled by the department's Local Support Partner (LSP). Below are basic steps for the LSP to use in the testing/planning process:
- Verify the Availability of the More Secure Network
The More Secure Network is now available in most parts of the University. If you find your building is not on the More Secure Network, email ITS.
- Assemble a List of Devices to be Moved
- Get Permission/Make Request for Access to the Network Management Tools
Obtain permission from your department chair or dean for access to the Network Management Tools. Request the form, then get appropriate signatures (LSP and the department chair or dean) and submit to the address on the form. Network Management Tools will allow you to:
- locate each user's computer
- move users between the standard and More Secure networks
- switch the computer's network port* to the MSN and then reboot the workstation to obtain the new IP address on the MSN
- change Ethernet speed between 10 and 100 Mbps
- turn ports on and off
- access diagnostics
- Perform Initial Testing
- Read over all More Secure Network documentation in this website.
- Move your personal workstation to the MSN. The process for migrating your department's workstations will be much the same as moving your personal workstation. Note: For departments using a Windows server environment: if your workstation has a standard configuration and you use WINS to locate your servers, simply moving your workstation to the MSN with the Network Tools should work fine. If you do not use WINS, please see the Broadcast Services section before moving your workstation.
- Review the list of tested applications and test all applications commonly used by your department to be sure they function properly on the MSN.
- Servers and Active Directories
- It is recommended that LSPs carefully read the sections about migrating servers and Active Directories before trying to migrate these services to the MSN. Migrating departmental servers should be the last step in the migration process.
- Make a list of the devices you wish to move.
- Verify that applications on these workstations/servers being moved are on the tested applications list.
- Inventory applications.
- Confirm each application has been tested for the MSN.
- Test any applications not already confirmed as tested.
- Email ITS advising of any test results for applications not on the list.
- Plan the sequence for moving your devices.
- If you are moving a server and the workstations that access it, move the workstations first.
- Consider the relationships and dependencies between your workstations and servers before determining the makeup of a group.
- Look at the set of workstations to be moved and group them in reasonable subsets. Experience has shown that subsets of 12 or fewer work best when unforeseen issues/problems arise.
- If you are moving a server but not all the users who need to access it, then users who stay on the standard University network will need to utilize the Virtual Private Network (VPN) for the More Secure Network.
- Resolve communications issues.
- Determine any static IP addresses that will be changed (servers, printers, etc.). These will require special coordination with Hostmaster.
- If you have a server that is not moving to the MSN and this server needs to communicate with one that is, then the communication must be initiated by the server on the MSN.
- Notify people who are not moving but access data or applications on servers or workstations being moved that they will need to obtain a VPN for the MSN.
- Advise people who will require a VPN for the MSN that they cannot concurrently use other services that require VPN connections, i.e. Oracle.
- Determine how Broadcast Services will be handled.
- Broadcast-based services between the MSN and the standard University network in your building will require special consideration. Even though the two networks are in the same building, they do not directly communicate. This includes services like browsing via Network Neighborhood to locate computers on another network. In this case, configuring WINS on your workstation may provide a workaround. If you do not run WINS, you can use ITS's WINS servers: 184.108.40.206 and 220.127.116.11.
- LMHOSTS files may be used as an alternative to WINS. These will have to be maintained individually on each workstation.
- Verify that each device to be moved is connected to one jack and it is the only device on the jack (no hubs/switches).
- Inform ITS's Network Systems and your departmental staff about the upcoming move.
- Send email to ITS Networks advising them of your department's intention to move workstations and/or servers to the MSN. Include a preliminary estimate of the number of devices you intend to move.
- Send email to departmental staff advising them of the impending move. Include the proposed date, the expected downtime, and note any workstation changes.
- Follow these steps if you are moving Windows Active Directory.
- Notify Hostmaster at least a week prior, making the request for IP addresses for the MSN and noting that this will involve relocating an Active Directory. You will receive an email acknowledging your request and giving you a date for the move.
- Plan your move for the end of the work day, since there will be a day of downtime due to the DNS servers' scheduled reboot sequences. Remember to notify users when you do this because they will not be able to access resources until the following day.
- Review the detailed instructions for moving an Active Directory.
- Consider the network implications if you are moving Windows workgroups and/or Windows domains.
- Antivirus software: what to use (free antivirus software for the Windows and Mac platforms is available for download at the UVA Software Gateway).
- Real time virus scanning: Enable
- Non-critical Windows updates: Which ones should be installed?
- Vulnerability scans: may be requested.
- University-owned student-utilized departmental machines: When graduate students are also employees and need to access servers on the MSN, the machine must be department-owned, centrally managed, and not use a shared login (each user has a unique login on that machine).
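
The sequencing rules above (workstations before servers, subsets of 12 or fewer, untested applications, static IP changes, one device per jack, VPN for users who stay behind) can be checked against a device inventory before the move. The following planner is an added example, not an ITS tool; the `Device` fields and every name, jack and application in the sample inventory are hypothetical.

```python
from dataclasses import dataclass, field
MAX_GROUP = 12  # the page: subsets of 12 or fewer workstations work best

@dataclass
class Device:
    name: str
    kind: str                      # "workstation" or "server"
    jack: str                      # wall jack the device is plugged into
    moving: bool = True            # False: stays on the standard network
    static_ip: bool = False
    apps: list = field(default_factory=list)
    uses: list = field(default_factory=list)   # servers this device depends on

def plan_migration(devices, tested_apps):
    """Return (batches, issues): ordered move groups and items to resolve first."""
    moving = [d for d in devices if d.moving]
    moving_servers = {d.name for d in moving if d.kind == "server"}
    issues, jacks, groups, batches = [], {}, {}, []
    for d in moving:
        jacks.setdefault(d.jack, []).append(d.name)
        issues += [f"{d.name}: test {a} on the MSN" for a in d.apps if a not in tested_apps]
        if d.static_ip:
            issues.append(f"{d.name}: static IP changes, coordinate with Hostmaster")
        if d.kind == "workstation":   # keep machines with the same dependencies together
            groups.setdefault(tuple(sorted(d.uses)), []).append(d.name)
    issues += [f"jack {j}: shared by {', '.join(n)}" for j, n in sorted(jacks.items()) if len(n) > 1]
    for d in devices:
        if not d.moving and moving_servers & set(d.uses):
            issues.append(f"{d.name}: stays behind, needs VPN for the MSN")
    for key in sorted(groups):        # workstations first, at most MAX_GROUP per batch
        names = sorted(groups[key])
        batches += [names[i:i + MAX_GROUP] for i in range(0, len(names), MAX_GROUP)]
    if moving_servers:                # servers are the last step
        batches.append(sorted(moving_servers))
    return batches, issues

# Constructed sample inventory (hypothetical names, jacks and applications).
INVENTORY = (
    [Device(f"lab-{i:02d}", "workstation", f"A{i}", apps=["office"], uses=["fs1"]) for i in range(1, 15)]
    + [Device("acct-01", "workstation", "B1", apps=["ledger"], uses=["fs1", "db1"]),
       Device("acct-02", "workstation", "B1", apps=["office"], uses=["fs1", "db1"]),
       Device("front-desk", "workstation", "C1", moving=False, uses=["fs1"]),
       Device("fs1", "server", "S1", static_ip=True), Device("db1", "server", "S2", static_ip=True)]
)

if __name__ == "__main__":
    batches, issues = plan_migration(INVENTORY, tested_apps={"office"})
    print(*batches, *issues, sep="\n")
```

Each batch is one move window; every entry in the issues list should be cleared before the first batch is moved.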