CLEO (Cumbria and Lancashire Education Online)

24th April 14

Recommended Configuration for School Network

 

Many of the challenges in successfully establishing a remote access service to your school network across the CLEO network relate to ensuring the school network is designed and configured correctly. As a result of the trials carried out with the original pilot, the following configuration is provided as an example of good practice when setting up the school network. This configuration should ensure that the remote access service will work and that it is set up securely:

DNS and DHCP Recommendations

These are a few pointers on setting up a Windows 2000 or 2003 domain at a CLEO connected site. Windows Active Directory is now entirely reliant on DNS for its correct operation: if you get your DNS configuration wrong on either your servers or your client PCs, a range of very strange faults can occur. For extra fun these can be intermittent and transitory.

  1. Have two domain servers acting as Domain Controllers and also have DNS installed.
  2. Do NOT use your Internet domain name as your Windows domain name. This will cause headaches if you ever want to do remote access. e.g. use <schoolname>.<LEA>.local in place of <schoolname>.<LEA>.sch.uk
  3. For Cumbria schools, the DNS service should be configured to forward all other enquiries to the CLEO DNS servers 10.96.0.2 & 10.64.0.2. For Lancashire schools the settings are as follows: DNS 212.219.82.4 and secondary DNS 212.219.83.4
  4. DHCP is a good idea for client PCs, but ensure that the DHCP DNS settings are for your internal Windows DNS servers only.
  5. Static addresses are a good idea for servers - make sure your static DNS settings are for your internal Windows DNS servers only.

These points are particularly important if you are running a firewall such as MS ISA or a Censor-Net box.
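The following Python check is an added example, not part of the original CLEO guidance: it parses `ipconfig /all` output from a client or server and flags breaches of points 2, 4 and 5 above. The sample output, the sample domain and the 192.168.1.x internal DNS addresses are constructed assumptions; the forwarder addresses are the ones listed in point 3.

```python
import re

# Upstream resolvers named on the page: valid only as forwarders on the DNS service.
UPSTREAM = {"10.96.0.2", "10.64.0.2", "212.219.82.4", "212.219.83.4"}
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_ipconfig(text):
    """Return (primary DNS suffix, DNS server list) from `ipconfig /all` output."""
    suffix, servers, in_dns = "", [], False
    for line in text.splitlines():
        label, sep, value = (part.strip() for part in line.partition(":"))
        if sep and label.lower().startswith("primary dns suffix"):
            suffix, in_dns = value.lower(), False
        elif sep and label.lower().startswith("dns servers"):
            in_dns = True
            if IP_RE.match(value):
                servers.append(value)
        elif in_dns and not sep and IP_RE.match(label):
            servers.append(label)  # continuation line lists one more server
        else:
            in_dns = False
    return suffix, servers

def audit(text, internal_dns):
    """Check one host's settings against recommendations 2, 4 and 5."""
    suffix, servers = parse_ipconfig(text)
    findings = []
    if suffix.endswith(".sch.uk"):
        findings.append(f"Windows domain {suffix} reuses the Internet domain name")
    if not servers:
        findings.append("no DNS servers configured")
    for ip in servers:
        if ip in UPSTREAM:
            findings.append(f"{ip} is an upstream forwarder set directly on the host")
        elif ip not in internal_dns:
            findings.append(f"{ip} is not an internal Windows DNS server")
    return findings

# Constructed sample: the domain and the 192.168.1.x addresses are made up.
SAMPLE = """Windows IP Configuration
   Primary Dns Suffix  . . . . . . . : exampleschool.examplelea.sch.uk
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       10.96.0.2
"""
INTERNAL_DNS = {"192.168.1.10", "192.168.1.11"}  # assumed addresses of the two DCs

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, INTERNAL_DNS)) or "OK")
```

An empty result means the host resolves only through the internal Windows DNS servers, so all outside lookups go via the forwarders configured on the DNS service itself.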

Securing Wireless LANs 

As part of the process of setting up your school network you should also take into account security of wireless LANs. Whether or not you are enabling remote access at your school it is essential that wireless LANs are properly secured. Please ensure you adhere to the security recommendations and instructions provided by the manufacturer of the equipment. You may also wish to refer to the BECTA website and the JANET website for helpful guidance and a range of useful reference documents:

http://schools.becta.org.uk/index.php?section=te&catcode=as_net_lan_03&rid=12250

http://www.ja.net/development/wireless/nw-admin.html

Please remember that it is essential that you provide advice to staff to help them secure home wireless access points before enabling CLEO VPN remote access. If you have any doubts about how to set up your wireless network securely please contact your Local Authority Schools ICT Support Service for advice.

Network Administrator Passwords

Security of passwords is absolutely essential in designing a network to follow best practice principles. The following guidance should always be adhered to:

Network administrators must never log in over remote access links using the administrator password, including from another PC within the school.

High-level users' usernames must never identify them as high-level users, e.g. “bob-admin”.

Network administrator passwords and other essential passwords should be stored securely, preferably in the school safe.

Passwords should follow guidelines for creating strong passwords. See the Microsoft website for more information:

http://www.microsoft.com/athome/security/privacy/password.mspx