
Upload: doantruc

Post on 27-May-2018


1/16

Swiss ICT-Skills Competition (Trade 39) Demo TP

Swiss ICT-Skills Competition (Trade 39)

Time: 6:45h

Trade: 39 - IT Network Systems Administration

Experts: Danny Meier, Florian Meier,

Pascal Meier, Tobias Meier, Lukas Hubschmid

Competitor fills in

Name

Date

Signature

Expert fills in

Points


Overview

1 EXAM ... 3
1.1 CONTENTS ... 3
1.2 INTRODUCTION ... 3
1.3 DESCRIPTION OF PROJECT AND TASKS ... 3
1.3.1 Client ... 3
1.3.2 Server ... 3
1.3.3 Network ... 3
1.4 Important hints and tips ... 3
1.5 PART 1 CLIENT ... 4
1.5.1 Windows 8.1 on PC3 ... 4
1.6 PART 2 SERVERS ... 5
1.6.1 ESXi server (esx01) ... 5
1.6.2 ESXi server (esx02) ... 5
1.6.3 vCenter Server (vcs01) ... 5
1.6.4 Windows Server 2012 R2 ... 6
1.6.5 First Debian Linux ... 8
1.6.6 Second Debian Linux ... 9
1.7 PART 3 NETWORKING ... 10
1.7.1 rt01 ... 10
1.7.2 rt02 ... 10
1.7.3 sw01 ... 10
1.7.4 AP01 ... 11
1.7.5 Sophos Firewall ... 11
1.7.6 Routing ... 13
2 APPENDIX ... 14
2.1.1 PHYSICAL NETWORK DIAGRAM ... 14
2.1.2 LOGICAL NETWORK DIAGRAM ... 15
2.2 INSTRUCTIONS ... 16
2.2.1 INSTRUCTIONS TO THE COMPETITOR ... 16
2.2.2 EQUIPMENT, MACHINERY, INSTALLATIONS AND MATERIALS REQUIRED ... 16


1 EXAM

1.1 CONTENTS

This Exam Project proposal consists of the following document/file:

1. Network administration (Trade 39) task sheet (this document)

1.2 INTRODUCTION

The competition has a fixed start and finish time. You must decide how to best divide your time.

You have to confirm each task you have done on a separate sheet: when you have processed a task, check the appropriate checkbox. Otherwise the task will not be corrected and you won’t get points.

If you mark a task as done but you haven’t done anything, you will lose points!

READ THROUGH THE ENTIRE SCRIPT BEFORE STARTING. AFTERWARDS YOU MAY WORK IN ANY ORDER. PLAN CAREFULLY!

1.3 DESCRIPTION OF PROJECT AND TASKS

You are the IT responsible to implement some changes to the CloudHosting company. A brief overview of the upcoming changes is available in the network diagrams. Please consider the logical as well as the physical diagram.

1.3.1 Client

The client (PC3) is located on a remote site and is the designated workplace for employees. You don’t have to set up this computer; just configure the settings described in the tasks.

1.3.2 Server

To reduce hardware and maintenance costs, the servers are mostly virtualized.

1.3.3 Network

Cloudhosting uses a super-fast, reliable Cisco network infrastructure.

1.4 Important hints and tips

Some difficult tasks carry hints that give you advice on how to configure them. A hint is written in italic and begins with: “Hint: If you’re not familiar …”

If you are not familiar with the configuration of Cisco/ESXi network devices and routing, try to use a flat network design. You will only lose points for the network tasks.

The tasks will be judged by functionality. There may be other paths to achieve the solution requested by the script. Your solutions must be reproducible by the experts, so document them at an appropriate level.

If the administrator or root password isn’t set to the given defaults and isn’t documented somewhere, the judges will not be able to mark your work and you will lose points.


1.5 PART 1 CLIENT

Work Task Client

Note: Please use the default configuration if you are not given the details. The default password for the administrator is Trade39

1.5.1 Windows 8.1 on PC3

Please configure Windows 8.1 on PC3.

Hostname is cl01

Local Administrator password is Cloud2014. (Use Administrator user!)

Configure network settings as specified in appendix

Install the ciscorollovercable.exe driver for using the Cisco configuration cable

Install the FileZilla FTP client located on the USB stick

Install VMWare vSphere Client located on the USB Stick

Install Chrome located on the USB Stick

Turn off the Windows firewall

Join the computer into the domain

Hint: Some other tools on the USB stick are also useful. For example, you may want to use PuTTY for router configuration, or WinSCP to transfer files.


1.6 PART 2 SERVERS

Work Task Server

Note: Please use the default configuration if you are not given the details.

Install and configure the servers related to the following concept.

In case of undefined subtasks make a reasonable assumption.

Note: Before you can install ESXi you have to change settings in BIOS (F10).

Set system time to current time

Activate Data Execution Prevention (Security -> System Security)

Enable VTx (Security -> System Security)

Enable VTd (Security -> System Security)

Disable secure boot (Security -> Secure Boot Configuration)

1.6.1 ESXi server (esx01)

Use PC1 as the ESXi machine.

Set up the ESXi server

Important: Make sure the time/date is correctly set!

Keyboard layout: Swiss German

Root password: Cloud2014.

Configure the network as specified in the appendix (VLAN, IP, hostname)

Configure 192.168.50.1 as default gateway

(vSphere Client) On the host configure VLAN 40 as Intern and VLAN 20 as DMZ virtual machine network

Rename datastore1 to esx01.vms

Hint: ESXi servers are configured with the vSphere Client. You will find it on the USB stick.

1.6.2 ESXi server (esx02)

Use PC2 as the ESXi machine.

Set up the ESXi server

Important: Make sure the time/date is correctly set!

Keyboard layout: Swiss German

Root password: Cloud2014.

Configure the network as specified in the appendix (VLAN, IP, hostname)

Configure 192.168.50.1 as default gateway

(vSphere Client) On the host configure VLAN 40 as Intern, VLAN 30 as WLAN, VLAN 20 as DMZ, and VLAN 10 as Internet virtual machine network

Rename datastore1 to esx02.vms

Hint: ESXi servers are configured with the vSphere Client. You will find it on the USB stick.

1.6.3 vCenter Server (vcs01)

Hint: Use vSphere Client to import virtual machines on the ESXi host.

Import the vCenter OVA template from the Tools USB stick to the ESXi server (esx01)

Import the vCenter OVA template into the ESXi server using the vSphere Client

The vCenter server should be homed in the “Intern” network


Log in to the vCenter installation wizard with username root and password vmware

Set the password for root: Cloud2014.

Use [email protected] as e-mail address

Configure the network as specified in the appendix

Configure 192.168.50.1 as default gateway

Enable Certificate regeneration

Connect with vSphere web client and add the ESXi servers

Create datacenter with name “Swiss ICT”

Add the ESXi hosts to the datacenter

1.6.4 Windows Server 2012 R2

Hint: Use vSphere Client to install virtual machines on the ESXi host.

Install Windows Server 2012 R2 as a virtual machine on ESXi host esx02. Don’t create a hardware version 10 VM; please use an older hardware version!

Important: Make sure the time/date on the ESXi server is correctly set before installing the VM!

Use ad01 as virtual machine name

OS: Windows Server 2012 R2

Use VMXNet3 as network adapter and choose the “Intern” network (!Important)

Disk space: 100GB, thin provisioning

Set up Windows Server 2012 R2 (with GUI)
  o Hostname: ad01
  o Administrator password: Cloud2014.
  o Install VMware Tools
  o Deactivate IE-ESC (Internet Explorer Enhanced Security Configuration) for users and admins
  o Use the network settings given in the appendix
  o Configure 192.168.50.1 as default gateway

1.6.4.1 Install the following services

Active Directory Services
  o Domain name (AD): cloudhosting.com
  o NetBIOS: cloudhosting
  o Active Directory recovery password: Cloud2014.
  o Save the Active Directory unattended installation script under “C:\ad-install.ps1”

DNS Server

Configure a reverse lookup zone for the “Intern” network

Configure the forward zone cloudhosting.com
  o Configure the following A records:
      web01.cloudhosting.com   52.32.1.20
      web02.cloudhosting.com   52.32.1.21
      www.cloudhosting.com     34.67.120.1
  o Configure the following CNAME records:
      customer01.cloudhosting.com   www.cloudhosting.com
      customer02.cloudhosting.com   www.cloudhosting.com

Create a new forward zone “.”
  o Create the following A records:
      “”   34.67.120.1


DHCP Server

Enable the DHCP service for the “Intern” network
  o Range: 192.168.50.100-254
  o Default GW: 192.168.50.1
  o DNS: 192.168.50.20
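One way to script the DNS zones and records of 1.6.4.1 together with the “Intern” DHCP scope above, as an added PowerShell example that is not part of the task sheet. It assumes it runs elevated on ad01 after the forest has been promoted (so the cloudhosting.com zone already exists) and that ad01 itself has the address 192.168.50.20, the DNS server the scope hands out.

```powershell
# Added example (not from the competition script): DNS records and DHCP scope on ad01.
# Assumptions: zone cloudhosting.com exists from the forest promotion; ad01 = 192.168.50.20.
Import-Module DnsServer
Import-Module DhcpServer

$zone = 'cloudhosting.com'

# Reverse lookup zone for the Intern network (192.168.50.0/24), AD-integrated
if (-not (Get-DnsServerZone -Name '50.168.192.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '192.168.50.0/24' -ReplicationScope Domain
}

# A records exactly as listed in the task table
$aRecords = @{
    'web01' = '52.32.1.20'
    'web02' = '52.32.1.21'
    'www'   = '34.67.120.1'
}
foreach ($r in $aRecords.GetEnumerator()) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $r.Key -IPv4Address $r.Value
}

# CNAME records: customer01 and customer02 are aliases of www
foreach ($alias in 'customer01', 'customer02') {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias "www.$zone"
}

# Forward zone "." with an A record at the apex ("@" = empty owner name).
# Hosting "." makes this server authoritative for the root: root hints and
# forwarders are no longer consulted, so every name outside the zones it
# holds is answered locally. Intended in this isolated lab, but it is the
# first thing to check if outside name resolution ever has to work again.
if (-not (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name '.' -ReplicationScope Domain
}
Add-DnsServerResourceRecordA -ZoneName '.' -Name '@' -IPv4Address '34.67.120.1'

# DHCP for Intern: role, scope, router/DNS options, then authorise ad01 in AD.
# -Force skips the validation that the DNS option points at a reachable server.
Install-WindowsFeature DHCP -IncludeManagementTools | Out-Null
Add-DhcpServerv4Scope -Name 'Intern' -StartRange 192.168.50.100 -EndRange 192.168.50.254 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 192.168.50.0 -Router 192.168.50.1 `
    -DnsServer 192.168.50.20 -DnsDomain $zone -Force
Add-DhcpServerInDC -DnsName "ad01.$zone" -IPAddress 192.168.50.20   # assumed ad01 address

# Checks the experts can reproduce: alias resolution and the active scope
Resolve-DnsName "customer01.$zone" -Server 127.0.0.1 | Format-Table Name, Type, IPAddress
Get-DhcpServerv4Scope | Format-Table ScopeId, StartRange, EndRange, State
```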

DFS sharing

Install the DFS Namespaces feature

Create the folder “c:\shares\business” and share it with read/write rights for admin and all domain users

Create the namespace “shares”
  o Use a domain-based namespace and enable 2008 Server mode
  o Create a folder “business” in the namespace with its target set to the business share on ad01

1.6.4.2 Other tasks:

Rename the Administrator to “Admin”

Install Chrome located on the USB stick

Install WinSCP located on the USB stick

Copy PuTTY to the desktop of the administrator (also located on the USB stick)

1.6.4.3 Organisation Unit and groups

Create following organisation units:

CEO

MOBILE

IT

Create security group “CEO” in OU “CEO” and assign users from OU CEO

Create security group “MobileUsers” in OU “MOBILE” and assign users from OU MOBILE

1.6.4.4 Domain User

Create the following users in the Active Directory. (Hint: use a scripting language)

Name                            Username             Password     Organisation Unit
mobileuser1 ... mobileuser120   mobileuser{1..120}   Cloud2014.   MOBILE
ceo1 ... ceo15                  ceo{1..15}           Cloud2014.   CEO
It1                             It1                  Cloud2014.   IT
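The organisation units and groups of 1.6.4.3 and the user table above can be created in one pass, as in this added PowerShell example (not part of the task sheet). It assumes it runs elevated on ad01 after the forest cloudhosting.com has been promoted; the password is the one the task sheet prescribes, and the script is written so that a second run adds nothing twice.

```powershell
# Added example (not from the competition script): OUs, security groups and bulk
# users for cloudhosting.com. Assumption: run on ad01 with the AD module available.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName            # DC=cloudhosting,DC=com
$password = ConvertTo-SecureString 'Cloud2014.' -AsPlainText -Force

# 1.6.4.3: organisation units (skipped when they already exist)
foreach ($ou in 'CEO', 'MOBILE', 'IT') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn
    }
}

# Security groups live in their own OU; members are assigned after user creation
$groups = @{ 'CEO' = 'CEO'; 'MobileUsers' = 'MOBILE' }  # group name -> OU name
foreach ($g in $groups.GetEnumerator()) {
    $ouPath = "OU=$($g.Value),$domainDn"
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Key)'" -SearchBase $ouPath)) {
        New-ADGroup -Name $g.Key -GroupScope Global -GroupCategory Security -Path $ouPath
    }
}

# 1.6.4.4: the user table, with the {1..n} ranges expanded
$users  = foreach ($i in 1..120) { [pscustomobject]@{ Name = "mobileuser$i"; OU = 'MOBILE' } }
$users += foreach ($i in 1..15)  { [pscustomobject]@{ Name = "ceo$i";        OU = 'CEO' } }
$users += [pscustomobject]@{ Name = 'It1'; OU = 'IT' }

foreach ($u in $users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Name)'") { continue }  # already there
    New-ADUser -Name $u.Name -SamAccountName $u.Name `
        -UserPrincipalName "$($u.Name)@cloudhosting.com" `
        -Path "OU=$($u.OU),$domainDn" `
        -AccountPassword $password -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
}

# Group membership follows OU membership, as the task sheet requires
Add-ADGroupMember -Identity 'CEO' `
    -Members (Get-ADUser -Filter * -SearchBase "OU=CEO,$domainDn")
Add-ADGroupMember -Identity 'MobileUsers' `
    -Members (Get-ADUser -Filter * -SearchBase "OU=MOBILE,$domainDn")

# Reproducible check for the experts: expected counts are 15 / 120 / 1
foreach ($ou in 'CEO', 'MOBILE', 'IT') {
    $n = @(Get-ADUser -Filter * -SearchBase "OU=$ou,$domainDn").Count
    Write-Output "$ou : $n users"
}
```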

1.6.4.5 Group Policies

Default Domain Controller Policy

Allow logon locally for domain users (hint: this is very important!)

Create a policy called “user_defaults” on top of domain hierarchy.

Map the DFS drive \\cloudhosting.com\shares\business to X:\

Disable the first sign-in animation for Microsoft Windows


Users of the organisation unit IT
  o Should automatically be included in the local administrators group

Users of the organisation unit CEO have the following restrictions:
  o Are not allowed to access the display settings in the control panel
  o Disable the use of any USB devices

Users of the organisation unit MOBILE have the following restrictions:
  o Set the default homepage (Internet Explorer) to www.cloudhosting.com
  o The default homepage setting should not be changeable
  o Hide all local drives for this OU

Client computer cl01 (PC3)
  o At logon on this computer, users should see this message before logging in: “For authorized usage only. Unauthorized usage is strictly prohibited.”
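The registry-backed parts of the group policy work in 1.6.4.5 can be scripted with the GroupPolicy module, as in this added PowerShell example (not part of the task sheet). It assumes it runs on ad01 and that cl01 sits in an OU “Clients” (an assumption, the sheet names none) so the logon notice can be scoped to that computer; the DFS drive mapping, the “Allow log on locally” right and the local-administrators membership for OU IT are not registry policies and are left to the GPMC editor.

```powershell
# Added example (not from the competition script): GPOs for section 1.6.4.5.
# Registry paths are the standard Windows policy locations; verify them in the
# GPMC editor after import. Assumption: cl01 lives in OU=Clients.
Import-Module ActiveDirectory
Import-Module GroupPolicy
$domain   = 'cloudhosting.com'
$domainDn = (Get-ADDomain).DistinguishedName

# Create (or reuse) a GPO and link it to the given container
function Ensure-Gpo([string]$Name, [string]$Target) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    # an existing link only raises an error, which is fine for re-runs
    New-GPLink -Name $Name -Target $Target -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# user_defaults at the top of the domain: no first sign-in animation (computer setting)
Ensure-Gpo 'user_defaults' $domainDn | Out-Null
Set-GPRegistryValue -Name 'user_defaults' `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'EnableFirstLogonAnimation' -Type DWord -Value 0 | Out-Null

# CEO: no Display control panel, all removable storage classes denied (user settings)
Ensure-Gpo 'ceo_restrictions' "OU=CEO,$domainDn" | Out-Null
Set-GPRegistryValue -Name 'ceo_restrictions' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'NoDispCPL' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name 'ceo_restrictions' `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# MOBILE: fixed IE home page that users cannot change, and all local drives hidden
Ensure-Gpo 'mobile_restrictions' "OU=MOBILE,$domainDn" | Out-Null
Set-GPRegistryValue -Name 'mobile_restrictions' `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Main' `
    -ValueName 'Start Page' -Type String -Value "http://www.$domain" | Out-Null
Set-GPRegistryValue -Name 'mobile_restrictions' `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'HomePage' -Type DWord -Value 1 | Out-Null        # locks the home page setting
Set-GPRegistryValue -Name 'mobile_restrictions' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value 0x3FFFFFF | Out-Null # bitmask: all 26 letters

# cl01: pre-logon notice with the exact text from the task sheet (computer setting)
Ensure-Gpo 'cl01_logon_notice' "OU=Clients,$domainDn" | Out-Null
$sysKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name 'cl01_logon_notice' -Key $sysKey `
    -ValueName 'LegalNoticeCaption' -Type String -Value 'Notice' | Out-Null
Set-GPRegistryValue -Name 'cl01_logon_notice' -Key $sysKey `
    -ValueName 'LegalNoticeText' -Type String `
    -Value 'For authorized usage only. Unauthorized usage is strictly prohibited.' | Out-Null

# Reproducible check for the experts: which GPOs exist and their status
Get-GPO -All | Select-Object DisplayName, GpoStatus | Format-Table
```

After a `gpupdate /force` on cl01, `gpresult /r` shows which of these GPOs were applied to the computer and to the logged-on user.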

1.6.5 First Debian Linux

Hint: Use vSphere Client to install virtual machines on the ESXi host. Don’t create a hardware version 10

VM, please use an older hardware version!

Use web01 as virtual machine name

OS: Debian GNU/Linux 7 (64-bit)

Use E1000 as network adapter and choose the “DMZ” network (!Important)

Disk space: 32GB, thin provisioning

Note: Don’t use any graphical user interfaces! Otherwise you will be penalised!

Set up the Debian server as a virtual machine on esx01
  o Configure the virtual machine using the DMZ network adapter
  o Hostname: web01
  o Root password: Cloud2014.
  o Configure the network settings specified in the appendix
  o Configure 52.32.1.1 as default gateway


1.6.5.1 Install the following services

Web server
  o Configure the web server to listen on port 80
  o Configure virtual hosts:
      customer01.cloudhosting.com
        Document root: /var/www/customer01
        Copy the game files located on the USB stick (Net Rush 2) into the web server’s document root (hint: use the Windows 8.1 client and WinSCP)
      customer02.cloudhosting.com
        Document root: /var/www/customer02
        Create the file index.html, which shows “Customer02” when opening customer02.cloudhosting.com
      Make sure that NetRush2 (customer01.cloudhosting.com) is the default site on the web server
  o Install PHP5

FTP
  o Install an FTP server
  o Configure the FTP user “www” with password “Cloud2014.” for access to the www directory of the web server

MySQL
  o Install MySQL Server & phpMyAdmin
  o Use Cloud2014. for all passwords

1.6.6 Second Debian Linux

Hint: With vCenter installed you are able to clone machines; this saves a lot of time.

Install the Debian machine with exactly the same configuration as the machine “First Debian Linux”

Configure the cloned Debian machine as specified in the appendix (hostname, IP)


1.7 PART 3 NETWORKING

Work Task Network

Note: Please use the default configuration if you are not given the details.

Hint: If you are not familiar with the configuration of Cisco devices, make a flat network (for example: 192.168.50.0/24) and connect all devices to that network!

Hint: All Cisco devices can be configured with the light blue rollover cable and PuTTY (on the Tools USB stick)

Attention: For all Cisco devices use Cloud2014. as enable password

1.7.1 rt01

Hint: If you are not familiar with configuring a trunk on a router, use interface GE0/0 as “Intern” and interface GE0/1 as “Internet”. Connect GE0/0 to sw01 port 07 and GE0/1 to sw01 port 06

Configure the router to fit these requirements:

Configure the physical ports on rt01 as specified in the appendix

Configure VLANs and IP addresses as specified in the network diagram

Configure the hostname as specified in the appendix

Enable SSH v2 remote management services
  o Create user cisco with password cisco for SSH login

1.7.2 rt02

Configure the router to fit these requirements:

GE0/1 is used for the Internal network for the client and GE0/0 for the INTERNET (see details in the appendix)

Configure the hostname as specified in the appendix

Enable SSH v2 remote management services
  o Create user cisco with password cisco for SSH login

Configure a DHCP server on the router
  o Scope: 172.16.0.100-254
  o Default gateway: 172.16.0.1
  o DNS: 192.168.50.20

1.7.3 sw01

Configure the switch to fit these requirements:

Configure the physical ports on sw01 as specified in the table below

Configure the hostname as specified in the appendix

Configure VLANs and IP addresses as specified in the network diagram

Configure default gateway: 192.168.50.1

Enable spanning-tree portfast by default

Enable SSH v2 remote management services
  o Create user cisco with password cisco for SSH login


PORT    CONNECT TO   MODE
01      PC1          trunk
02      PC2          trunk
03      rt01         trunk
04      ap01         access (VLAN 30)
05      rt02         access (VLAN 10)
06      nothing      access (VLAN 10)
07      nothing      access (VLAN 40)
08-24   nothing      shutdown

1.7.4 AP01

AP01 was already pre-configured by a colleague. Unfortunately there are some errors in the configuration.

Important Note: The access point is only accessible over SSH with the IP address specified in the appendix (use PuTTY on the USB stick). Do not change the IP or SSH configuration, otherwise you will lose all points of this task. The username for SSH access is cisco with password cisco. Enable password: Cloud2014.

Configure the details specified in the appendix

Please leave the radio interfaces disabled! Otherwise you will be penalised (and you allow strangers to access your infrastructure)

Configure the SSID hotspot with a WPA2 pre-shared key

Configure both radio interfaces with the SSID hotspot (do not activate the radio interfaces!)

Use “secureHOTSPOT” as the WPA2 key

Remove all other SSIDs

1.7.5 Sophos Firewall

Note: the Sophos Management web interface is reachable under https://[ipsophos]:4444/.

Create a new virtual machine on esx02 as specified in the network diagram. Don’t create a hardware version 10 VM; please use an older hardware version!

Use fw01 as virtual machine name

OS: Other 2.6.x Linux (64-bit)

Use E1000 as network adapter and choose the “Intern” network (!Important)

Disk space: 30GB, thin provisioning

Connect all VLANs to the virtual machine

o First interface: Intern

o Second interface: WLAN

o Third interface: DMZ

o Fourth interface: Internet


Configure the Sophos Firewall to fit these requirements:

Set up the Sophos Firewall
  o Hostname: fw01
  o Keyboard: German
  o Company: Cloudhosting
  o City: Bern
  o Admin email account: [email protected]
  o Root/admin password: Cloud2014.

Configure IP addresses as specified in the appendix

NAT

o Enable outbound NAT for all Intern clients (Masquerading)

ACLs

o Allow access from network “Intern” to “DMZ” and “WLAN”

o Allow access from “Intern” to “remote site network” and vice versa

o Enable access to the internet for all devices in the network “Intern”, “WLAN” and “DMZ”

o Deny any other access

o Allow ICMP on and through firewall

o Allow ICMP ping and trace route on firewall

Configure Hotspot feature for WLAN network

o Enable hotspot feature on interface WLAN in voucher mode

o Enable “1 Day” voucher

o After successful login redirect to page www.cloudhosting.com

o Allow access to “Intern” network without authentication

o Enable user portal from any network for every user

o Log in as admin, create 20 vouchers and export them as CSV to C:\users.csv on the client

Configure Sophos web application firewall for web01 and web02

o Use www.cloudhosting.com as access URL

o Make sure that Sophos firewall does load balance between web01 and web02

Enable “Pass Host Header”

o Enable basic firewall protection

o Test www.cloudhosting.com from the client or server (use chrome browser)

DHCP

o Configure a DHCP server for the VLAN “WLAN”

o Use 10.0.0.100-254 as range

o Default Gateway: 10.0.0.1

o DNS: 10.0.0.1

DNS Forwarding

o Enable DNS on Sophos Firewall

o Forward DNS requests to ad01


1.7.6 Routing

Note: These requirements are for rt01, rt02 and fw01

Do not set a default gateway on any of the devices

Use static routes for communication between the main and the remote network
  o Make sure that both routers have the appropriate routes configured so that cl01 can reach all hosts in the network “Intern”

Hint: connections from “Intern” to the “remote site” pass the router and the Sophos Firewall. You have to configure an appropriate route on the Sophos firewall too.


2 APPENDIX

2.1.1 PHYSICAL NETWORK DIAGRAM


2.1.2 LOGICAL NETWORK DIAGRAM


2.2 INSTRUCTIONS

2.2.1 INSTRUCTIONS TO THE COMPETITOR

Do not bring any materials with you to the competition.

Mobile phones are not to be used.

Do not disclose any competition material / information to any person during each day’s competition.

Read the whole competition script before you start working.

2.2.2 EQUIPMENT, MACHINERY, INSTALLATIONS AND MATERIALS REQUIRED

Computers:

PC (3x)

Display (2x)

Keyboard (2x)

Mouse (1x)

Network:

Cisco Switch 2960s series (1x)

Cisco Router 2911 series (2x)

Cisco Wireless CAP2602 (1x)

Additional software:

Linux Debian engl. Version DVD (1-3)

Microsoft Windows Server 2012 R2 DVD

VMWare ESXi 5.5 CD

UTM Sophos Firewall DVD

Tools USB Stick including:

o vCenter Appliance, vSphere Client, Cisco Packet Tracer Version 6, FileZilla, Wireshark, PuTTY, Java, Flash Player, WinSCP, VPN Client

Additional equipment:

Power cables 7x

Rollover cables 2x (console cable for Cisco devices)

Miscellaneous patch cable 8x (2-4 m)