File exchange over 2 split networks?

[gshaw]

Another weird one but becoming an issue now so just wondering for some thoughts on this...

Basically we've got 2 separate networks for admin and teaching (personally I'd merge but it's been like this for so long there's still resistance to change it so for now we'll keep as is). Students on our teaching side have always just used generic machine accounts on auto-login due to the large volumes of students we get coming in (approx 8000 part time).

This summer we're looking to rip up the rulebook and go to student accounts on the teaching side as we need them for the VLE anyway so might as well use LDAP and have the accounts stored on the network and authenticate everything from AD.

Looking at our options ideally we need to automate the system so it would be along the lines of...

- MIS system runs a query to find new enrolment students
- exports to CSV file
- CSV picked up by script
- script runs on DC to create users

Great but one small problem of making the leap from one network to the other!

So my thought was a PC sitting in the middle with multihomed network cards to exchange the data, maybe domained on one side and accessed via C$ on the other. Was thinking of firewalling it one way so the teaching lets the admin through but not vice versa... not sure how this would work with gaining access to the file shares though?

It's all a bit of a bodge to some extent but need to try and make the best of the situation and get a working solution soon

[SYNACK]

Depends on how advanced and secure you want to make it. For maximum security the idea would be to offer the CSV via an internal web server and only allow port 80 from that machine into your curriculum network.

On the (much) more advanced side depending on your routing gear an advanced router could be setup inbetween the two networks with reflexive access lists allowing for any admin station to talk to any curriculum station but only if initiated from the admin side.

[jamesb]

Wouldn't it be easier to set up an outgoing trust from the Teaching network to the Admin network, create an account to run the script and give it administrative control over the appropriate areas of the Teaching network, and away you go.

How you'd do the connection itself is pretty much up to you.

[gshaw]

Wouldn't it be easier to set up an outgoing trust from the Teaching network to the Admin network, create an account to run the script and give it administrative control over the appropriate areas of the Teaching network, and away you go.

How you'd do the connection itself is pretty much up to you.

Could do but didn't want the networks to be that much joined together really, bit overkill to move 1 file.

Like the idea of the internal web server, could be just the ticket

[Willott]

Bit overkill to move one file, but it's the first step towards merging networks

I would assume that teachers currently use laptops on the Admin network to facilitate MIS, so how do they access data on the teaching network (like pupil resources, teaching resources etc)? Sticking this trust in place would mean that you could start to allow them access to these, they will see the benefit of merging the networks, as long as you explain that the speed may be reduced due to the way it's done.

We moved all our teachers laptops onto the teaching network, with trust to the admin network so that they could get on SIMs. We've now pretty much finished with moving all the other machines off the admin domain, so that will be shut down shortly, and the response that teachers gave to being able to access all the resources they need has been highly encouraging! Find yourself a couple of plyable teachers to use as guinea pigs, and the rest will follow when the guinea pigs start talking to other staff about what they can do!

Cheers

Will

[gshaw]

Already discussed merging but even though it's a better solution in the long run there's not much chance of it happening tbh. We don't have MIS in classrooms, so not much prob there it's more to do with this data transfer really.

Only downside will be that tutors will need 2 accounts when we change the auth method on the teaching side, bit of a pain but can't do much about it as yet...