Infoblox IPAM for Microsoft
Expert Session Workshop
© 2007 Infoblox Inc. All Rights Reserved.
Infoblox IPAM for Microsoft
A new offering from Infoblox available on Infoblox appliances that:
• Replaces Excel sheets with real IPAM
• Monitors and manages Microsoft DNS and DHCP services
• Provides network discovery
Architecture – Infoblox IPAM WinConnect
• 1 connector for 15 MS Servers
• 1 DNS server is enough in each AD
• Discovery to detect all IP
Product – Infoblox IPAM WinConnect
Advantages
• Advantages over the native MS configuration consoles:
  – Simple
    • DNS, DHCP and IP Address management from a single centralized console
    • Intuitive Graphical and hierarchical representation of the IP plan
    • Extra IPAM info fields (device type, location, owner, custom fields…)
    • Easy insight in Historic and current IP usage
    • Easy Discovery of existing IP devices
  – Secure
    • Granular Role Based Administration for delegation
    • Audit log for follow-up of admin activities
    • Secured communication
  – Reliable
    • Winconnect runs on hardened appliance
    • Centralised backup and restore
Architecture – Infoblox IPAM WinConnect
Discovery
• On-demand and automatic discovery (discovery jobs)
• Full discovery:
  – ICMP sweep to get active IP
  – NetBIOS discovery (nbtscan) to get hostname/MAC of Windows hosts
  – Nmap discovery on 12 standard services (telnet, HTTP…) to get remaining hosts
• Discovery behind firewalls:
Product – Infoblox IPAM WinConnect
Hierarchical view by location
Subnet by location
Low-impact discovery of all IP devices
Subnet with no location
Get control of your IP address scheme
• Logical containers to manage multiple IP number plans, even with overlapping subnets
• Browse locations, networks and subnets
Product – Infoblox IPAM WinConnect
At-a-glance overview of subnet utilization
Automatic gathering of IP properties
Clear and concise range status
Get control of your IP addresses
• Real-time and up-to-date IP directory synchronized with MS DNS/DHCP and discovery
• DHCP lease history, IP address usage history
• Subnet utilization thresholds and alerts
Product – Infoblox IPAM WinConnect
DHCP server/pool view
Real-time service status with automatic alerts
Pool utilization with automatic alerts
DHCP configuration functions
Get control of your Microsoft DHCP
• Monitoring and configuration of your DHCP services
• Delegation with granular role based administration
• DHCP utilization thresholds and alerts
Product – Infoblox IPAM WinConnect
IP address pool management
Automatic gathering of IP properties
DHCP configuration functions
Get control of your Microsoft DHCP
• Monitoring and configuration of your DHCP scopes
• DHCP lease history
Product – Infoblox IPAM WinConnect
DNS server/zone view
Real-time service status with automatic alerts
DNS configuration functions
Get control of your Microsoft DNS
• Monitoring and configuration of your DNS services
• Delegation with granular role based administration
Product – Infoblox IPAM WinConnect
DNS records view
Monitor and configure DNS records
Get control of your Microsoft DNS
• Management and configuration of your DNS records
• Filter, sort and search through your DNS records
Infoblox IPAM for Microsoft – Phase 1: Stand-Alone
[Diagram layers: MANAGEMENT; Infoblox IPAM for MS Module; Infoblox NIOS™ Software; DEDICATED HARDWARE PLATFORM]
• Real-time monitoring of DNS and DHCP data on Microsoft servers
• Easy-to-use Web GUI
• Granular, delegated management of Microsoft DNS & DHCP
• Automatically synchs with any changes made via Microsoft MMC
• Non-invasive integration – no agent software required on Microsoft DNS/DHCP servers
Infoblox IPAM for Microsoft – Phase 2: Integrated
[Diagram (marked CONFIDENTIAL): MANAGEMENT; modules MS Connector, VitalQIP, NAC, NTP, HTTP, TFTP, RADIUS, DNS, DHCP, IPAM, API; INFOBLOX NIOS™ SOFTWARE with bloxSDB™ Database, bloxHA™ Failover, bloxSYNC™ Data Assurance; DEDICATED HARDWARE PLATFORM]
• Optional software add-on module available in combination with other Infoblox protocols and services
• Native Infoblox IPAM module provides a complete view of all DNS and DHCP data whether on MS servers or Infoblox appliances
Infoblox IPAM for Microsoft - Value Proposition
Replace your spreadsheet
• On demand and automatic discovery of IP devices
• Real-time and dynamic IP address repository
• Pull IP information from existing Microsoft DNS and DHCP servers
Implement Easily
• Non-intrusive: No agent installed on Microsoft DNS/DHCP servers
• Uses a non-invasive connector (connector can be configured in read only mode)
Improve Control
• Provides strong reporting capabilities
• Keeps history on IP assignment (SoX compliance)
Share Access & Delegate
• User-friendly and intuitive Web GUI
• Management of user profiles (reader, operator, administrator)
• Delegate 1st-level, day-to-day tasks (support, DNS Entry set-up, DHCP pool monitoring)
Products Pricing: Phase 1
$3k to $6k
Products | Pricing | Company Size | IPAM Costs | Return on Investment
Infoblox-250 IPAM for MS | $3,000 to $6,000* | Up to 1,500 employees (2,000 nodes) | $8,000 / year | 9 months
Infoblox-550 IPAM for MS | $5,000 to $11,000* | Up to 4,000 employees (5,000 nodes) | $20,000 / year | 6 months
Infoblox-1050 IPAM for MS | $10,000 to $20,000* | Up to 8,000 employees (10,000 nodes) | $40,000 / year | 6 months
Infoblox-1550 IPAM for MS | $15,000 to $55,000* | Up to 40,000 employees (50,000 nodes) | $200,000 / year | 3 months
*Assumes base price for appliance licensed with a base number of IPs, then $2/IP for additional IPs
Product - Competitors
Vendor
Software
IP Control V 3.0 (software)
IP Control Sapphire V 3.0 (appliances)
Men & Mice Suite V. 5.5 (software)
Features
• IP Address Management
• DNS/DHCP Management (ISC and Microsoft)
• DNS/DHCP Appliances
• IP Address Management Module
• DNS Management Module
• DHCP Management Module
• Analyzing and monitoring Module
• Agents need to be installed on every server
  – Risk: agent installed on AD/DC servers is not latest
  – Responsibility: MS Team will never allow network team to install agents on MS DNS/DHCP servers
• DNS/DHCP-management-oriented vs IPAM:
  – MMC is working fine, no need to have a solution to manage MS DNS/DHCP servers
• Other:
  – No friendly Web GUI
Infoblox IPAM for Microsoft
Product demo and labs
SE Workshop
Introduction
Infoblox IPAM for MS is a tool for managing IP address spaces and native MS AD environments.
Major features:
• Real time and dynamic IP Addresses repository
• On demand and automatic discovery of IP devices
• Pull IP information from existing DNS and DHCP services
• Configure DNS and DHCP servers
• User-friendly and intuitive Web GUI
• Management of user profiles
• Reporting, Import/Export
• CLI
Architecture
[Architecture diagram. Labels: Helpdesk, Local Admin, Network Admin, Security; Operator, Admin, Import, Read; Infoblox IPAM for Microsoft; Discovery; DNS/DHCP Connector; XML protocol/SSL; Manage WMI; DNS Microsoft 2000/2003; DHCP Microsoft 2000/2003]
Architecture
• Infoblox IPAM for Microsoft:
  – Appliance for the server modules
  – Postgres DB, Apache/PHP web service, C++ code
• MS DNS/DHCP & AD connectors:
  – Run on Windows 2000/2003 servers, also Win2000, XP, Vista with Admin Pack
  – 1 instance can manage servers in 5 different AD domains, or 20 DNS/DHCP in the same AD
• Protocols:
  – HTTP/HTTPS to access the GUI
  – XML protocol, can be SSL secured
  – WMI for MS management
Architecture
• Advantages over the native MS management tools:
  – IPAM/DNS/DHCP from a single and central console
  – Graphical and hierarchical representation of the IP address scheme, can easily see what is where
  – Extended IP properties (asset tag, object class, customized fields…)
  – IP history
  – Discovery of all IP devices
  – Higher granularity to manage user privileges, can set up rights on different subnets within the same DNS zone or DHCP server. Operator profile for basic admin tasks (IP provisioning, DNS RR…)
  – Follow-up of user activities to know who has done what
  – Easy to back up and restore as everything is in the DB
Product components
• IPAM
• Discovery
• MS DNS/DHCP connector
• MS AD connector
• Import/Reporting
• Labs
As described in the phase roll-out, some components will become NIOS modules.
Component: IPAM
• Several containers (organizations) in the DB to manage several IP address schemes, even with overlapping subnets
• Browse networks/locations
• Contacts, documents
• Device classification
• DHCP lease history, IP history
• Used, unused, static, dynamic
• Searching, find IP address from the search, then go to
• Filter on device type, location, subnet
• DHCP and subnet utilization threshold
• IP extended attributes
Component: Discovery
• On-demand and automatic discovery (discovery jobs)
• Full discovery:
  – ICMP sweep
  – NetBIOS discovery (nbtscan)
  – Nmap discovery on 12 standard services
• Discovery behind firewalls:
[Diagram: Infoblox IPAM for Microsoft; OrgA CLI/Discovery; OrgB CLI/Discovery]
Component: Discovery
• Integration with CiscoWorks LMS to get additional information for each IP address:
  – Automatic creation of subnets and VLAN information
  – Extended attributes:
    • Switch
    • Port
    • Phone number (IP phone)
    • …
  – Nothing is required on the CiscoWorks side, agentless solution. We only need an account in CW and HTTP/HTTPS access to its export servlet.
Component: MS DNS/DHCP Connector
• Connector to read and configure MS DNS/DHCP servers
• Can be installed locally on each server or on a remote Windows machine with Admin Pack
• Connector runs as a Windows service and needs DNS/DHCP admin rights
• Communication with the central server uses 1 TCP port, which can be configured and secured with SSL
• Communication with remote MS DNS/DHCP uses WMI
• Several timers to configure synchronization of configs, leases and zones
• Connector processes data locally and sends a diff to central DB
Component: MS AD Connector
• Logs AD events in the central DB
• Associates AD events with IP events: you know which user is connected on which IP address
• Same architecture as the MS DNS/DHCP connector
Component: Import/Reporting
• Import of initial data with CSV files:
  – Organizations
  – Locations
  – Contacts
  – Subnets
  – Object class
  – IP
• Reporting:
  – IP address/subnet/location/contact/class…
  – Subnets, including statistics
  – DHCP scopes, including statistics
  – History reporting
  – Schedule reporting jobs
Component: Import/Reporting
 Reporting, sample reports:
– IP address:
– IP history:
Component: CLI
• Import/Reporting
• Discovery with 4 modes:
  – Ping
  – Nbt
  – Nmap
  – Full
• Mass updates:
  – DNS records
  – DHCP reservations
  – IP properties (object class, asset number…)
• Mass delete
• CLI can be used remotely as an API (PHP pages for instance)
Demo and Labs
 How to start with IPAM
 Discovery
 MS DNS/DHCP management
Lab 1: How to start
 Connect to the web GUI:
– http://IP-of-your-IPAM
Lab 1: How to start
 Explore IPAM features in demo database
Lab 1: How to start
 Create a new organization
Lab 1: How to start
 Go to the home page and select the new organization
Lab 1: How to start
 Create a location
Lab 1: How to start
 Create a subnet
Lab 1: How to start
 Create a host
 Create a contact
 Create an object class
 Create a document
Lab 2: Discovery
 Start a manual discovery
 Schedule a discovery job
Lab 3: MS DNS/DHCP management
 Create an account for the connector on the central IPAM:
Lab 3: MS DNS/DHCP management
 Create an account for the connector in the MS environment:
– Open Active Directory Users and Computers
Lab 3: MS DNS/DHCP management
 Create an account for the connector in the MS environment:
– Fill-in the account credentials
Lab 3: MS DNS/DHCP management
 Create an account for the connector in the MS environment:
– Set the account in DNSAdmin, DHCPAdmin and Administrators groups
Lab 3: MS DNS/DHCP management
• Install DNS/DHCP connector
  – Run IpantoAgentWin_3.0.2.exe and follow the instructions of the wizard.
  – Edit C:\Program Files\Ipanto Agent\aipd-win.conf with Wordpad:
    • In the "server" section, set the "host" key to the IP address of your IPAM
    • In the "config" section, set the "name" key to the name of the connector
    • In the "runtime" section, set the "verbose" key to 5
Lab 3: MS DNS/DHCP management
• Configure connector settings for DHCP
service dhcp "WIN2K3-VM4-60"
{
    # Network address of the server to contact.
    # The address must be given as an IP address in numeric format, enclosed
    # by double quotes (eg: "192.168.7.99").
    # Loopback addresses are not authorized.
    server_address "10.67.3.60";
    # Configuration access control.
    # A value of 1 limits Ipanto(r) Server access to read only, while a value of 0 allows
    # read/write access.
    read_only 0;
}
Lab 3: MS DNS/DHCP management
• Configure connector settings for DNS
service dns "win2k3-vm4-60.ad.infoblox.net"
{
    # Configuration access control.
    # A value of 1 limits Ipanto(r) Server access to read only, while a value of 0 allows
    # read/write access.
    read_only 0;
}
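An added example, not part of the original slides and not Infoblox or Ipanto code: a small Python audit that parses connector service blocks in the format shown in the lab slides and lists the ones left in read/write mode. The sample text is constructed (the DNS block is set to read_only 1 for contrast), the function names are assumptions, and a missing read_only key is reported too because the slides do not state the default.

```python
import re

# Constructed sample in the format of the lab slides; the DNS block is set to
# read_only 1 here so the two modes can be compared.
SAMPLE_CONF = '''
service dhcp "WIN2K3-VM4-60"
{
    # Network address of the server to contact.
    server_address "10.67.3.60";
    # A value of 1 limits server access to read only.
    read_only 0;
}
service dns "win2k3-vm4-60.ad.infoblox.net"
{
    read_only 1;
}
'''

# service <kind> "<name>" { ... }
BLOCK_RE = re.compile(r'service\s+(\w+)\s+"([^"]+)"\s*\{(.*?)\}', re.S)
# <key> <value>;  where the value may be quoted and may sit on the next line
SETTING_RE = re.compile(r'^\s*(\w+)\s+("?)([^";]*)\2\s*;', re.M)

def parse_services(text):
    """Return one dict per service block with its kind, name and settings."""
    # Strip '#' comments first so commented-out keys are never read as settings
    # (assumes '#' does not occur inside quoted values).
    text = re.sub(r'#[^\n]*', '', text)
    services = []
    for kind, name, body in BLOCK_RE.findall(text):
        settings = {key: value.strip()
                    for key, _quote, value in SETTING_RE.findall(body)}
        services.append({"kind": kind, "name": name, "settings": settings})
    return services

def writable_services(text):
    """List (kind, name) for blocks where read_only is absent or not 1."""
    return [(s["kind"], s["name"]) for s in parse_services(text)
            if s["settings"].get("read_only") != "1"]

if __name__ == "__main__":
    for kind, name in writable_services(SAMPLE_CONF):
        print(f"read/write access enabled: {kind} {name}")
```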
Lab 3: MS DNS/DHCP management
 Configure the Ipanto service to use the Infoblox account:
Lab 3: MS DNS/DHCP management
 Check the MS event logs for Ipanto events:
Lab 3: MS DNS/DHCP management
 Configure DNS from Infoblox IPAM
– Create a new forward zone
– Create a new reverse zone
Lab 3: MS DNS/DHCP management
 Configure DNS from Infoblox IPAM
– Manage DNS records from a zone
Lab 3: MS DNS/DHCP management
 Configure DNS from Infoblox IPAM
– Assign a new IP address and create the DNS records
Lab 3: MS DNS/DHCP management
 Configure DHCP from Infoblox IPAM
– Create a new scope
Lab 3: MS DNS/DHCP management
 Configure DHCP from Infoblox IPAM
– Configure DHCP server options
Lab 3: MS DNS/DHCP management
 Configure DHCP from Infoblox IPAM
– Configure DHCP pool options
Lab 3: MS DNS/DHCP management
 Configure DHCP from Infoblox IPAM
– Configure a DHCP reservation
Lab 3: MS DNS/DHCP management
 Configure DHCP from Infoblox IPAM
– Generate leases on the DHCP server
Q&A
 Q&A