Standard Network Configuration

Document Sample
Standard Network Configuration Powered By Docstoc
					                                  embc pl

Standard Network Configuration
                                 Version 1.21

                   Registered in England No: 3491956
                             Certificate No: FS 45856
Standard Network Configuration                                                                        EMBC pl

Document Control and Information
Document Information

       Document Information
              File Name                 Standard Network Configuration
Date Printed                            3 March 2010
Current Document Status                 Final 1.2

Revision History

   Date        Version                                       Comments
 02/02/08       Draft     Initial Draft – Sarah Powell, Carl Beckett, Peter Thewlis
 20.02/08       Final     Final agreed version
 20/07/08       Final     Update on PCF, Firefox 3, Local Proxies, Edge Site Firewalls, VC Services and
                 1.1      Dial-Out. Carl Beckett
 20/02/10       Final     Update on Browser Exclusions, Browser Security, Browser Requirements.
 03/03/10       Final     Update of Lincolnshire support contacts (page 3)

    Dedicated to Andy Murphy (1959-2009), who was responsible for the original content of this
  document, and dedicated his working career to pioneering and developing the use of Information
                      Technology within the schools of the East Midlands.

                                                                                            Page 1 of 36
Standard Network Configuration                                              EMBC pl

Table of Contents
WHERE TO GET INFORMATION                                            3	
WHERE TO REQUEST SUPPORT                                            3	
INTRODUCTION                                                        4	
COMPUTER NETWORK TOPOLOGY AND DESIGN                                6	
CHOOSING YOUR NETWORK SWITCH                                        9	
TCP/IP ADDRESSING AND USE OF VLANS                                10	
INTER-SCHOOL COMMUNICATION                                        12	
SUGGESTED USE OF IP ALLOCATION                                    13	
AND DESIGN                                                        14	
USE OF PROXY / CACHE SERVERS                                      18	
THE EMBC URL FILTERING SERVICE                                    19	
CACHE SERVERS                                                     21	
USE OF FIREWALLS                                                  22	
WIRELESS NETWORKING                                               23	
SECURITY CONSIDERATIONS                                           26	
WORKSTATION REQUIREMENTS                                          30	
PORTAL SERVICES BROWSER REQUIREMENTS                              34	
GLOSSARY                                                          36	

                                                                Page 2 of 36
Standard Network Configuration                                                                   EMBC pl

Where to Get Information

The embc Gateway is the main source of information and can be accessed via the following URL

The embc Gateway also houses the Technical Library, which contains all reference materiel and guides for
the new embc services.

Where to Request Support

Support should be requested by through your normal first line service desk

Local Authority             Helpdesk           Telephone             Email
Derbyshire                  Derbyshire Help    01629 580000 ext
                            Desk               7777
                                               01629 585777
Leicester                   Synetrix           08000 740 474
Leicestershire              Synetrix           08000 740 474
Lincolnshire                Lincolnshire       0845 456 6700
Nottingham                  IT Helpdesk        01159 150900
Nottinghamshire             Schools’ Service   01158 546116
                            Desk (ICT
Northamptonshire            Synetrix           08000 740 474
Rutland                     Synetrix           08000 740 474

Second line support will be provided by the Synetrix Service Desk.

embc can be contacted on

                                                                                       Page 3 of 36
Standard Network Configuration                                                           EMBC pl

The aim of this document is to help you achieve the best possible results from the embc
Broadband Service, as well as your own internal network and its connected computers. The
guidance provided includes recommendations on the set up and configuration of your site’s
computer network and how to connect it to the embc Broadband Service.

Your site should conform to the recommendations in this document. Failure to do so may result in
some of the embc Broadband Services not being available to your users and poor performance
which can invalidate the service level agreements for your site.

The document has, in general, been written so that a user with no technical knowledge can
understand the guidance provided however, some of the topics are technical by nature and you
may need to seek advice on certain areas with which you are not confident. Advice, in the first
instance, should be sought from the Glossary Section of this documentation and then via your
Local LEA Technical Support Team or the embc Service Desk as specified above.

Throughout this document the term “Site” or “Edge-Site” is used to describe your School, College
or Organisation. Network topologies (layouts) within sites are designed to meet the particular local
environments and requirements, so on this basis a “one size fits all” or standard solution cannot be
realistically advised within the scope of this document.

However, it is recommended that your site’s computer network conforms to the guidelines
described in this document so that you achieve the best possible results from the embc Broadband
Service and can take advantage of the applications offered through the service.

Throughout this document the advice presented should be seen as a “best practice” approach to
issues that face many network installations. It is in line with DCSF and BECTa advice but has been
tailored to meet the particular requirements of the embc broadband network.

The Standard Network Build documentation consists of nine main areas, which are entitled:

    1. How the embc Broadband Service is connected to the site’s own network
    2. Computer Network Topology and Design
    3. TCP/IP Addressing and Use of VLANs
    4. Use of Proxy / Cache Servers
    5. Use of School Firewalls
    6. Video Conferencing
    7. Wireless Devices and Considerations
    8. Security Considerations
    9. Workstation Configuration

                                                                               Page 4 of 36
Standard Network Configuration                                                             EMBC pl

How the embc Broadband Service connects to the site’s network
For the majority of readers, their site will already be connected to the embc Broadband Service.
However, for those sites new to the embc Broadband Service, the ‘How to connect your site to the
embc Broadband Service’ document explains the process of connecting to the embc Broadband

Each connected site has had a data connection (similar to a telephone connection) installed in a
suitable place on its premises. In the majority of cases, this is provided by BT. Alongside this is an
electronic device, known as a router, provided and managed by the embc Broadband Service.
This is manufactured by a company called Cisco Systems. Any issues relating to this device
should be referred to the embc Service Desk or your LA. This device should not be touched or
tampered with under any circumstances AND SHOULD BE POWERED UP AT ALL TIMES i.e. 24
hours a day and 365 days a year. Please note that turning off power will cause an alarm in the
network monitoring centre and will adversely affect the ability to take the measurements needed to
support your site’s SLA which may also be invalidated.

The device will look like the devices shown in the pictures below:

Figure 1: Cisco 2600 and 1700 routers

For your site to successfully connect to the embc Broadband Service, a direct Ethernet connection
should be made, using a category 5 LAN cable, between an Ethernet switch port on your site’s
network and the Ethernet port on the embc Broadband Service router. Once this connection has
been made the LED on the embc Broadband Service router should become permanently green.
The router should automatically detect the speed (10Mbps or 100Mbps) and duplex (full or half)
settings of the direct Ethernet connection. However, for optimal performance, we recommend that
the switch port to which the router connects is configured to operate at full duplex.

                                                                                 Page 5 of 36
Standard Network Configuration                                                             EMBC pl

Computer Network Topology and Design

In basic terms, a computer network is the means by which two or more pieces of computer
equipment communicate back and forth. For example, a PC communicates to its printer via its
parallel cable. Similarly, computers on a site usually communicate with each other by all being
connected to an Ethernet switch.

When it comes to thinking how computers should be connected analogies with a (well-designed!)
road network are particularly useful. Important computers, known as servers, should be connected
to the motorway (the main network switch) with lots of links to the other computers rather than
down a narrow country lane with congested access (a network hub at the end of the computer

As the number of computer devices (including computers, telephones, video equipment etc) grows
at an extraordinary rate so does the size of the computer network. Like the analogy with the
transport network, it is very important to think well ahead when designing a computer network and
to think the unthinkable! If you build a motorway with three lanes, we are always astonished at how
quickly it fills up. Can you remember when the M1 was quiet during the day and cars travelled
freely? It certainly was not that long ago!

In computing terms, the majority of sites will use Ethernet switches as the way of connecting up its
computers. It is strongly recommended that any Ethernet hubs are phased out. Hubs strongly
hinder network performance as the computers have to compete with each other to communicate
causing users to experience performance issues. From a commercial viewpoint, there is now no
price advantage in purchasing hubs. PCs can now commonly connect to an Ethernet network at
speeds of 10Mbps, 100Mbps (fast Ethernet) and 1000Mbps (gigabit Ethernet).

The following diagrams show how switches can be used to inter-connect the computers in a typical
small primary school and a typical large primary school / small secondary school.

Note, the embc Broadband Service should connect to the central switch in the school network as
this is the core service providing access to the internet and embc services. Each of the site’s
workstations should have direct access to the embc Broadband Service and access should not be
via the site’s proxy server. Please refer to the section on proxy servers for further explanation. For
advanced services (an example being Portal Control Filtering, or PCF) the client IP address has to
both be visible to the central embc data centre, and fall within the allocated embc IP address
range. As a result you should not use any form of device that performs a network address
translation on your sites network. Firewalls can still be used, but should be configured to operate in
routing mode. Please see the section entitled Use of Firewalls later in this document.

                                                                                 Page 6 of 36
Standard Network Configuration             EMBC pl

                                 Page 7 of 36
Standard Network Configuration             EMBC pl

                                 Page 8 of 36
Standard Network Configuration                                                          EMBC pl

Choosing your Network Switch

There are many network switch manufacturers to choose from, and as a guide you are advised to
purchase devices from known manufacturers such as 3COM, Cisco, HP, D-Link or Nortel.

As a general rule look for the devices management connectivity, usually either a dedicated port
identified for the purpose or a 9 way ‘D’ socket either on the front or the rear of the device.
Management of the device may be via a web-style or text style command line interface.

The devices should support what is known as Layer 2 as a minimum or Layer 3 or 4 for specific
requirements. For larger networks, where specific IP routing requirements are required, then the
minimum level of a Layer 3 core grade switch will be required.

Primary Schools or small business units with less than 20 computers should select a switch that
has a switching capacity in excess of 8Gbps for 24 port switches ports or greater than 13Gbps for
48 port density switches.

Secondary schools or sites with larger network topologies using a tiered network bandwidth design
should choose a “core” grade switch that has a switching capacity of more than 50Gbps.

All switches should be “stackable” to produce larger port density network infrastructures
without the need to cascade to downstream switches. All switches which, by their geographic
positioning within your site, require a downstream connection should be connected back to your
“core” active components by a gigabit connection (copper or fibre-optic).

Other key requirements that you should look for when purchasing a Network Switch are:

    •    IEEE 802.1q Virtual Private Networks (VPN).
    •    IEEE 802.1p Quality/Class of Service standard.
    •    Backplane speed (throughput) greater than 8Gbps for 24port and 13Gbps for 48port
    •    Expansion capability - switches should be stackable to allow for expansion or may be even
         chassis based on a large site.

IEEE 802.1p is especially important should your school wish to use Video Conferencing Services
or operate a “VoIP” (Voice over Internet Protocol) system across your network infrastructure.

Should you require further information and advice on the design of your computer network and the
purchase of network equipment then please consult either your LEA or the Synetrix Support Desk.

                                                                              Page 9 of 36
Standard Network Configuration                                                             EMBC pl

TCP/IP Addressing and Use of VLANs

Prior to your site’s connection to the embc Broadband Service, you were allocated a range of
TCP/IP addresses for use by the computers on your site. TCP/IP addresses are the means by
which computers identify each other in order to communicate (a good analogy being telephone
numbers) and how they communicate with systems outside of your site.

The allocation for a primary school is 256 TCP/IP addresses (known as a class C IP range) and for
a secondary school it is 1048 TCP/IP addresses (known as four class C IP ranges). For the
majority of sites, this allocation continues to be sufficient. However, there are a number of sites
which require additional TCP/IP addresses. The process for obtaining additional IP addresses and
the associated network considerations are described later in this chapter.

To use TCP/IP (usually abbreviated to IP) each computer device using it must have a unique IP
address. An IP address is a simple number which breaks down in to two parts. Each part has a
specific function, the network part of the address identifies your site allowing other sites to send
and receive information from your site. The identifier part of the address is used to deliver the
information directly to the relevant computer within your site. (Note, larger schools will have more
than one network part).

As an example a device has been given an IP address of

The network part is 10.250.88 and identifies your site.

The identifier part of the IP address, 15, identifies the individual computer.

Subnet Mask

The subnet mask tells computer systems how to split the IP address into the two parts.

The subnet mask in use in primary schools is which can be represented as / 24 and is a standard C class subnet mask. This means that the numbers up to the
third dot is the network part and the number after the dot is the identifier for the computer. Please
note that an identifier of 0 or 255 are reserved for specific network purposes and cannot be used
by any of your computer devices. An identifier of 1 is used by the embc Broadband Services
router so also cannot be used by one your computer devices. IP addresses available for use are

In secondary schools, a subnet mask of is used. This means that where the
allocated range is (, the network parts identifying the site are 10.71.44,
10.71.45, 10.71.46 and 10.71.47. Please note that the lowest and highest IP addresses from the
entire range are reserved for specific network purposes and cannot be used by any of your
computer devices (That is and in our example). An identifier of 1 in the
first range is used by the embc Broadband Services router so also cannot be used by one
your computer devices. IP addresses available for use are Please note
that client addresses within the range 240 to 254 are designed for use by video conference

                                                                                 Page 10 of 36
Standard Network Configuration                                                            EMBC pl

equipment, and it is possible to access these addresses from other schools within the
embc network. Please see the Suggested Use of IP Allocation section later in this chapter.


Routing is the technology by which computer devices in different IP networks (for example, those
with different network parts) communicate with each other. The device known as a router
computes how the two computer networks communicate (a good analogy is the telephone switch in
the telephone exchange that connects up telephones with different dialling codes).

The embc Broadband Service router provides the routing connectivity between your site and the
embc broadband network.

There should be no need for routing on your site’s network in most cases. The exemptions
(becoming more common) are large network of over 1000 IP addresses or networks connecting
many types of devices (such as computer, telephones, wireless, CCTV) where some logical
separation may be required for security and management reasons. Please refer to section 5.7 of
this document for further details on why and how you would introduce routing in your own network.

Configuring IP Addresses on Computer Devices

All computer devices that communicate using IP addresses will need to have been told of its IP
address and associated details. Many devices support the use of the Dynamic Host Control
Protocol (DHCP) from a server on the site’s network to allocate IP addresses. With DHCP a central
server allocates unique IP details to each device on the network. Please note you should ensure
that you have only one DHCP service allocating device active in your network.

Clearly, using DHCP is an easier mechanism for allocating IP addresses than a manual allocation
of IP addresses as it provides less scope for mistakes and makes more efficient use of the IP
range that has been allocated to your site. With manual allocation it is very easy to forget which IP
addresses have already been allocated and which ones are no longer required. To use DHCP you
will need to configure each computer device to receive its IP details via DHCP and you will need to
set up a DHCP server on your network. All Windows server software supports this functionality.

It is good practise to manually configure the IP details on important devices in your network such
as servers, switches, printers etc and use DHCP to allocate IP details to PC workstations. To do
this, a section of the lower part to the site’s IP range is reserved for important devices with the
remainder of the IP range being available for DHCP allocation. This is known as the ‘useable IP

                                                                                Page 11 of 36
Standard Network Configuration                                                                   EMBC pl

The details required for configuring the IP details on devices are shown in the table below:

Parameter                   DHCP Server Setting         Device Setting (if not      Purpose
                                                        using DHCP)
DCHP?                       Yes                         No                          Identifies wish to use
IP address                  Useable Range of IP         Unique IP address           Unique Identifier
Subnet mask           or         or    Tells system which
                                      part of IP address
                                                                                    identifies the school
Default Gateway             IP address of your site’s   IP address of your site’s   This enables your site
                            embc         Broadband      embc         Broadband      to access the internet
                            Services Router             Services Router             and        the      embc
                                                                                    Broadband Services.
Domain       Name                                    Identifies the device
Server (DNS)                                    on the embc network
                                                                                    that            translates
                                                                                    between host names
                                                                                    and IP addresses.
Site domain name        Domain name that
                                                                                    identifies     the     site
                                                                                    name. This is usually
                                                                                    the domain name that
                                                                                    has been allocated to
                                                                                    your       school       by
                                                                                    Nominet UK.
Host name                   Unique name                 Unique name                 Unique label allocated
                                                                                    to       identify      the
                                                                                    computer device.

Inter-school communication

As standard, the embc Broadband Service enables each school to access the internet and the
embc broadband applications through the central data centres. It does not, as a standard
configuration, permit a site to access services in another site. However, it is understood that many
sites have partner relationships with other sites and may wish its partner sites to access its
services. Where this is the case, the site that wishes other sites to access some (or all) of its
services may request access to be opened up by contacting your normal first line Support Desk.
The request and its associated security implications will be discussed with embcpl, the LA and the
sites involved and, if agreed by all parties, implemented.

The other exemption to inter-site access is to permit video conferencing between sites using
devices that conform to video conferencing standard H.323. Video conferences using the H.323

                                                                                       Page 12 of 36
Standard Network Configuration                                                            EMBC pl

protocol can take place between sites if the devices are given an IP address that has an identifier
part of between 240 and 254 respectively. This address can be on any of the class C IP ranges
allocated to the site. It is strongly recommended that devices or applications that the school wishes
to remain private within the school are not given IP addresses from these sub-ranges as they may
be accessed by users within other schools. Please refer to the section below for the use of IP

Suggested Use of IP Allocation

When allocating IP addresses to devices, it is recommended to follow a well defined scheme. The
table below shows a suggested schema to follow. It highlights the addresses reserved for embc
Broadband Services applications and access.

                      IP Address(es)   Embc reserved use              Recommended Use
First Class C         .1               Embc router
IP Range              .2 - .3                                         Management PCs
                      .4 - .31                                        Site’s network equipment
                      .32 - .63                                       Site’s servers and print
                      .64 - .239                                      DHCP Allocation
                      .240 - .254      Inter-site VC communication    NOT for site’s private
Second Class          .1 - .239                                       DHCP Allocation
C IP Range            .240 - .254      Inter-site VC communication    NOT for site’s private
Third Class C         .1 - .239                                       DHCP Allocation
IP Range              .240 - .254      Inter-site VC communication    NOT for site’s private
Fourth Class C        .1 - .239                                       DHCP Allocation
IP Range              .240 - .254      Inter-site VC communication    NOT for site’s private

Note, for typical school IP allocations only the first class C IP range applies to primary schools
whereas all four ranges apply to secondary schools.

Process for Acquiring Additional IP addresses

It is recognised that some schools have used all the IP addresses in their original allocation and
require some more IP addresses. This is because the number of devices in schools that require IP
addresses (such as PCs, CCTV units, telephones, vending machines etc) has multiplied at least
fivefold since the creation of the embc Broadband Service.

Additional IP ranges can be obtained by contacting your first line Support Desk. Your school may
wish to apply for the addresses directly as a result of schools developments or this can be done by
the LEA on your behalf if it is part of an LEA project (e.g. to deploy wide area IP telephony).

                                                                                Page 13 of 36
Standard Network Configuration                                                             EMBC pl

The performance of a site network will degrade as the number of IP devices placed in a single
subnet increases, we strongly recommend that your IP network is split into several subnets through
the introduction of VLANs and a layer three switch. This type of network configuration is detailed in
the following section.

As part of the process of activating any additional IP ranges allocated to the school, we require that
your school implements the new IP ranges in a different VLAN to the original range and routing is
introduced into your site’s network. We recommend that this is done by introducing a layer three
switch into the network, if it does not exist already. The Synetrix Support Desk will work alongside
your site’s ICT or your LEA’s co-ordinator to ensure that this happens successfully.

Introducing Routing or Layer Three Switching into your site’s network -
Benefits and Design

As discussed earlier in this section, some sites may wish to introduce routing in their site’s network.
This may be for one or more reasons:

     The number of devices has increased on the network resulting in performance deterioration

     Different types of devices have been connected to the network which require logical
      separation for management, security or application reasons

An example may be where a site has deployed a wireless network for users who should only be
given restrictive access to content or services. This type of control can be achieved by setting up a
subnet. The control of access to or from the subnet requires routing or layer 3 switching. This
effectively creates a partitioned element on the network...

Another example is where the site is deploying IP telephones or IP CCTV, The site may wish to
logically separate these from the site’s PCs to ensure network integrity and performance.

In these circumstances therefore, schools should acquire additional IP address ranges and set up
the subnets and routing.

Virtual LANs (VLANs) and Layer Three Switching

VLANs offer a way of carrying different subnets on a single bearer (wire), whilst keeping them
separate from each other. Using VLANs enables the new subnets to be delivered to those places
in the site where they are needed, without having to put in more cabling. Where VLANs are
required a VLAN switch is required AND the data path back to the core of the site network should
be fully switched with switches that support VLANs and VLAN trunking. (This means that the
switch should support the IEEE 802.1q standard).

                                                                                 Page 14 of 36
Standard Network Configuration                                                           EMBC pl

The eventual objective should be for the site network to be fully switched, and for all of the
switches in the network to support VLANs and VLAN trunking.

It is very easy to route between VLANs using a layer three switch. A layer three switch is simply an
Ethernet switch with some IP routing capability. They can be purchased through all major IT

Once communication has been established between the different VLANs, it is then possible to
place restrictions on which subnets (group of similar users or devices) can communicate with
which other subnets. For example, your site may wish that no curriculum users can access the
CCTV systems.

The following diagram shows what a routed network (using layer 3 switches) may look like:

                                                                               Page 15 of 36
Standard Network Configuration                                                                      EMBC pl

Recommended Browser Configuration and Security

You should configure your browser to use the central embc proxy array. To achieve this, add in the following
proxy information

You should use TCP port 80 for all proxy services.

Ensure that the “bypass proxy server for local LAN access” is ticked.

The following exclusions should be added into your workstations’ proxy exclusion list :


You may also have to add in some Local Authority specific proxy exclusions. Your Local Authority
representative will be able to advise you of these settings (if any).

Any school-based web service should also be included in the exclusion list.

embc recommend that all schools lock down their client browsers to prevent users from amending their
browser settings. This precaution will ensure all internet traffic is filtered by the embc proxy servers and
guarantee users are fully protected when using the internet and related servers.

Leaving your browsers unsecured poses a potential security risk.
Disabling the security tab within Internet Explorer will prevent a user adding unaudited HTTPS web
addresses or proxy anonymizers to their trusted sites. Disabling the connection tab will prevent a user from
directing the client proxy address to proxy server other than the embc’s.

To singularly manage the administration of these changes embc recommend that all schools employ an
Active Directory client server solution with a minimum specification of Windows Server 2003 and Windows
XP Pro. This will allow the administrator to use Group Policy within Active Directory to effectively deploy the
required changes to the network stations.

Below is an example of how to perform this task within Group Policy

When a user opens Internet Options in Control Panel or from the Internet Explorer Tools menu, they are
presented with 7 tabs.

Group policy can be used to limit which tabs are available to a user. In Group Policy Editor navigate to User
Configuration / Administrative Templates / Windows Components / Internet Explorer / Internet Control Panel.
At this point you will have the option to enable the following group policy objects:

Disable the General page
Disable the Security page
Disable the Content page
Disable the Connections page
Disable the Programs page
Disable the Privacy page
Disable the Advanced page
                                                                                          Page 16 of 36
Standard Network Configuration                                                                 EMBC pl

Schools must be aware that this solution will only work when all client stations successfully login into a
Windows domain that supports Active Directory. Schools that operate with NT servers and/or client stations
below these minimum recommendations will not easily be able to administer and deploy these browser
changes. This highlights the need for all schools to use equipment that meets their LA’s recommended
minimum specification.

                                                                                     Page 17 of 36
Standard Network Configuration                                                             EMBC pl

Use of Proxy / Cache Servers
Proxy and Cache Servers are usually combined into one device, although the functions of both
elements can be separated and presented as individual services or devices.

A proxy, as defined by most dictionaries, is to “act for someone on their behalf”. In computing
terms this would be reflected in the way in which a server would act on behalf of service delivery
for a user’s access to a learning resource for example.

The embc Broadband Service uses proxy/cache servers to provide enhanced security, filtering and
enhanced speed of access. External access to learning content via the Internet is not possible
without the web browser on each of your site’s workstations being configured to use the embc
proxy servers at address:
 (port 80)

It is strongly recommended that each workstation on your site uses the proxy servers provided by
the embc Broadband Service and that each workstation has a direct path to the central proxy
servers. The main reason for this is the enhanced performance and availability that the embc
Broadband Service proxy servers provide. A more detailed reasoning is given in the following

On site proxy / cache server designs cannot take advantage of the performance / availability of the
embc proxies and should only be used where the school is confident

a) of managing the configuration and filtering and

b) that the cache server has throughput capabilities on par with the school’s broadband

If neither of these criteria are met, then there are no advantages to be gained from the site hosting
its own cache server.

It is understood that, historically, proxy servers have been set up as gateways (in-line) between the
site’s network and its internet service provider (ISP) as shown in the diagram. This is usually the
case when the ISP does not provide such a service. As well, as providing proxy services, it usually
provides IP address translation and caching. This is not recommended on the embc network as it
will deteriorate performance and in certain instances not allow services to be fully delivered where
those services are dependent on the systems from the central server farms seeing the workstation
IP address. One example of such a service is Portal Control Filtering.

All proxy services are provided by the embc Broadband Service so it is no longer necessary to
have an in-line proxy server. Instead, there are performance and availability benefits to using the
central embc Broadband Service’s proxy servers and using your embc Broadband Service IP
address on all of your workstations. IP address translation between the embc Broadband Service
and the internet is also provided centrally.

                                                                                 Page 18 of 36
Standard Network Configuration                                                            EMBC pl

The embc URL Filtering Service

The embc Broadband Service uses multiple proxy servers located in Central Data Centres. The
individual proxy servers are pooled together to act as a high-performance, single proxy server
which is accessed by the name This is shown in the figure below.

There are two benefits of this arrangement:

     1. Performance. Each Proxy Server’s throughput is effectively aggregated together through
        load distribution – resulting in a far higher throughput required to meet the demands of the
        EMBC network.
     2. Availability.    Should one of the proxy servers fail then it is removed from the pool,
        allowing the service to continue without any loss of service for users.

                                                                                Page 19 of 36
Standard Network Configuration                                                         EMBC pl

Where schools continue to use their own proxy server (in-line or otherwise) then they will not
benefit from the high performance and high availability of the embc proxy solution. In this case,
when each school workstation accesses the internet the session is always via the school server
which in turn always has its sessions with the same server in the software array. This means that
the school cannot take advantage of the embc Broadband Services proxy array. Portal Control
Filtering (PCF) will also be unavailable to the site.

This is shown in the diagram below:

                                                                             Page 20 of 36
Standard Network Configuration                                                             EMBC pl

Cache Servers

The embc does support the usage of compliant cache servers within schools. Cache servers
must comply with the embc filtering system and have the ability to check with the NetSweeper
filtering servers in order to ensure that your schools “duty of care” choices are applied correctly to
each user’s profile.

For example: should your cache server not check with the embc filtering system it could deliver
content to a student that is not intended for their age or learning ability. This would happen as a
your cache server would be performing its task of delivering content already received into your site
by a user allowed to receive it, and would simply supply the content speedily to any other user
without the necessary checks.

To correctly operate Cache Servers must simply “sit on” rather than “sit in” the data path to the
embc broadband service. By sitting on the data path they will not interfere with any data type that
they are not capable of caching or interfere with real time protocols such as Video Conferencing.

Certain types of Multi-Media data, either object based static or streamed-data, can also be cached.
This type of data caching is usually performed by a separate module within the cache server that
may require a renewable subscription.

The graphic below shows how a Cache Server “sits on” your embc broadband data path to provide
speed enhancements without tampering with the IP addressing scheme or contaminating any data

                                                                                 Page 21 of 36
Standard Network Configuration                                                             EMBC pl

Use of Firewalls
As a general rule, embc do not recommend the use of firewalls on edge sites. The embc
Broadband Service provides a centralised managed firewall service that provides network security
services to schools.

If firewalls are installed, they should be configured to route all traffic, rather than performing a
network address translation. This type of configuration will enable the use of embc services which
require a valid source IP address of the client to be visible to the embc data centres. An example is
Portal Control Filtering. Put simply, if you NAT traffic from your school then you will not be able to
make use of the portal control filtering service or other advanced embc service offerings.

You should also ensure that the firewall is managed by a technically competent person. Incorrect
configuration of your firewall can have a detrimental impact on embc service performance.

Video Conferencing and the embc Broardband Service

Two video conferencing services are available through the embc network. These are Click-to-Meet
and the Janet Video Conferencing Service (JVCS).

Full configuration and user guides are available from the embc Technical Library. Support
and advice on these services is available from your first line desk and LA representative.

In our endeavour to make VC calls as reliable as possible and therefore become a useful tool to
teachers in the classroom, embc do not currently support any external H.323 VC calls (including to
Click to Meet) other than calls made using the JVCS on-demand or in-advance booking services.
VC endpoints within the embc network must have registered E.164 numbers and must use the
embc H.323 Gatekeeper services. Calls to VC systems with public IP addresses or on the ISDN
network are supported by the JVCS.

embc do not block any calls to or from H.323 VC endpoints registered to the embc Gatekeeper
services and external H.323 VC endpoints registered with valid E.164 numbers to any gatekeeper,
nationally or internationally, that forms part of the global dialling schema (GDS) as defined by
leading educational organisations worldwide including UKERNA. Although direct dial calls by E.164
number are likely to work, there will be many reasons why these calls may fail, including issues
with versions of H.323, manufacturer incompatibilities or bugs, external 3rd party firewalls and NAT
boundaries outside of embc control. As a result, these call types do not form part of the
supportable VC service.

                                                                                 Page 22 of 36
Standard Network Configuration                                                             EMBC pl

Wireless Networking

So far in this document, we have assumed that network communications is via a wire. Today, there
are technologies that allow devices to communicate without wires.

Wireless networks, when used correctly, can provide for excellent learning opportunities and
delivery of the embc Broadband Service to areas of a school where a “wired to desk” topology
infrastructure would be impossible to achieve – the centre of a large hall, a large library area,
mobile learning units or even the school playing field. It should be understood from the onset that
wireless access systems use “shared” bandwidth and are unable to provided the advantages and
performance of a “wired to desk” and switched infrastructure. They should be used to complement
your network system rather than be the only means of network communications for a whole site.

A very important consideration of wireless communication is the security implications. Quite simply,
it is possible to restrict a wired user to an on-site user. It is not possible to do this with wireless
technology as the range of a wireless network may exceed the site’s boundary It is therefore very
important to understand how to ensure that wireless users are the intended users of the network.
This can be done via authentication. As discussed in an earlier section, the systems available to
wireless users can be restricted if the site’s networking has introduced routing and restrictions on
inter-VLAN communication.

There are a number of different standards for wireless communication which are described below,
each with its own price and technology advantages and disadvantages.

There are three basic types of wireless access standards in general usage. The first of these is
known as IEEE802.11b, which can have a connection speed of up to 11Mbps between the device
and the wireless access point. The bandwidth for communication across this link however will be
half of the speed proclaimed and will be limited to a maximum of 5.5Mbps.

The second type of access point uses a higher speed, but compatible with older 802.11b systems,
known as IEEE802.11g. This type of access point has a communications speed of up to 54Mbps,
and as with the 802.11b devices the communications bandwidth will be half of this at 27Mbps.
However you cannot mix both 802.11g and 802.11b devices at the same time and retain the higher
speeds as the access point will default to the lower speed 802.11b standard.

The third is IEEE802.11a which is not backwardly compatible with 802.11g or b devices. Operating
at a wireless frequency 5Ghz rather than 2.4Ghz the penetration and durability of the signal is not
as robust as 802.11g or b but does allow for a greater access point density for any given area.
Where in reality 802.11g and b access points have only 3 unique channels to choose from 802.11a
can choose from 8 available channels.

Both of the above devices have to conform to ETSI standards for radio network transmissions and
are only allowed to irradiate their signal using a maximum specified power output. As this will
greatly affect the range of the wireless network both 802.11 standards compensate for weaker
received signals by offering lower bandwidths as the signal becomes weaker. This can reduce to a
mere 500Kbps before the signal becomes too weak to achieve a locked connection.

                                                                                 Page 23 of 36
Standard Network Configuration                                                             EMBC pl

It is difficult to identify which of the two types is best for any given purpose. As a general rule
IEEE802.11g should be chosen as a preference over IEEE802.11a.

For both types sites are best advised to engage LEA services, or a trusted infrastructure supplier,
and request that a detailed radio site survey is undertaken. This will identify areas where additional
wireless access points would need to be located in order to ensure that the intended area of usage
is fully covered. Indeed advice to swamp an area with multiple wireless access points in too close a
proximity should be treated with extreme caution as the radio channels these devices use are
limited and will result in the devices fighting each other for control. If a greater range is required
look to using specialist antenna’s to direct signals into a room or area. Sector panel or flat plate
antenna’s are best for this purpose.

However if the wireless network access points are not correctly installed there are many possible
flaws that raise concerns over the security of information and the protection of the network. For this
reason, it is recommended that wireless workstations are placed in their own VLAN. This means
that security measures can be implemented on the network to prevent wireless users from
accessing secure school data thus ensuring its security and data protection compliance. It is also
recommended that each wireless workstation successfully completes a form of authentication
before being accepted on to the network.

Remember the wireless network signals do not respect the boundaries of buildings or grounds and
may travel, once un-impeded by the internal fabric of the building, much further than intended or
required. Therefore the main concerns in using wireless are its operational security for the network,
data and users as part of the school’s “duty of care” responsibilities.

When purchasing any wireless access point it should be ensured that it meets 4 basic

(1) That the device’s SSID (Service Set Identifier), sometimes known as beaconing, can be turned
off in order to prevent undesirable visibility of the wireless access points to any visiting wireless
device (either invited or otherwise). If beaconing is switched off then the SSID must be manually
entered into the wireless network card’s parameters – otherwise operating systems such as
WindowsXP will be attracted by any nearby wireless networks that are “beaconing”.

(2) That the Wireless Access Point device supports encryption of transmitted data using a system
known as WEP (Wired Equivalent Protocol) with at least 128bit encryption strength. An encryption
standard known as WPA is replacing WEP as the standard for wireless security so ideally the
chosen device should also support this method of security.

(3) That the Wireless Access Point uses MAC address filtering in order to allow only those network
devices that have been allowed to use the wireless network access to it. Every computer network
card, wireless network card or removable wireless network interface has a unique MAC (Media
Access Control) address that details its manufacturer and other information.

(4) That the Wireless Access Point can have additional antenna support. Ideally the type of access
point chosen will have two standard TNC or Reverse SMA type “rubber duck” antenna’s, as these
deliver the signals transmitted at what is known as a quarter wavelength apart – which helps in
achieving a connection should one of the antennas be masked from a computer’s or laptop’s
wireless receivers view.

                                                                                 Page 24 of 36
Standard Network Configuration                                                             EMBC pl

With the above detailed it should ensure that the wireless network is anonymous (by SSID
suppression), secured (by WEP or WPA encryption) and limited (by MAC address permissions).
However all the above can, with a great deal of patience and suitable wireless packet sniffing
devices, be circumvented. The following should therefore also be considered in order to provide
another level of security.

All of the wireless access points should be placed into their own VLAN specifically for use by them.
DHCP services should not be used to supply IP addresses to any device that connects to the
wireless network, making it harder for unwanted guests to be given access to the network.
Consider the use of an authentication device to validate any wireless usage before granting access
to the site’s network.

This can be achieved by using AAA (Authentication, Authorisation and Accounting) devices. These
can be used to allow visitors restricted access to your network by the use of a loaned secure
passkey. These types of devices are used more commonly in wireless “Hot-Spot” areas such as
Internet Café’s and Hotels.

One last tip for the security of in-school wireless access points would be to ensure that 7 day digital
timers are used to cut the power to the wireless access points during out of school hours and at

                                                                                 Page 25 of 36
Standard Network Configuration                                                                 EMBC pl

Security Considerations

Network Security

          The embc take network security very seriously, we have in place a number of
          safeguards designed to protect connected sites from threats. Network security is a
          complicated subject, historically only tackled by well-trained and experienced experts.
          However, as more and more people become “wired'', schools need to understand the
basics of security in a networked world.

History has shown that if we take a multi-layered approach to security we have a much greater
chance of success. We should understand that we have a legal responsibility under the data
protection act to secure data we hold on our pupils and staff. Therefore access to that data should
be restricted from both inside and outside the school.

                           Security is a cyclical process, in that it is never ending. Site’s need to
                           understand that they can never be 100% secure, at the best they can be “one
                           step behind the game” which is much better than twenty steps behind it.

                           All sites will need to put in place policies and processes to help them
                           evaluate their security practices, Information security is about balancing risk
                           against functionality, the hard part is getting that balance right.

There are three primary goals of ICT security:
    1. To protect confidentiality by ensuring private information is kept private.
    2. To ensure data integrity by preventing data from being inappropriately changed or deleted.
    3. To ensure data availability by making sure services are available and uninterrupted, that
       data can be accessed whenever it is needed, and that data can be restored quickly.

Protecting confidentiality means - at a minimum - keeping passwords out of the wrong hands;
preventing access to financial information and pupil data and protecting private user data such as
documents and email. The principle of least privilege, which states that the user be given only the
privileges that they need to perform their jobs or tasks, should always be applied. For instance, if a
user only needs to check or print out their email using a school’s internet connection, they have no
need (and should have no ability) to access the operating system.

Protecting data integrity means ensuring that breaches of integrity and attacks by viruses,
worms, and Trojan horses can be recognized and the system recovered.

Ensuring data availability means knowing how to recognize and defend against attacks, viruses
and worms, using good backup and recovery procedures and ensuring service is not interrupted
during routine hardware and software maintenance.

                                                                                     Page 26 of 36
Standard Network Configuration                                                               EMBC pl

Sites should analyse the risks to their network and realise that good security is about minimizing
the risk whilst allowing end users to be able to study and learn effectively. All network security is a
balance; the hard part is achieving an acceptable balance.

Network attacks can take many forms; one of the most news worthy items at the moment seems to
be Denial of Service (DoS) attacks. Basically a DoS attack involves gaining control of a number of
PC’s and then using those PCs to send a huge amount of data to a website thereby rendering it
unusable. If you think that this would, in practice, be difficult to achieve think again as there are
tools available on the internet which have automated the process so anyone with a PC and an
internet connection can perform this type of attack.

The Denial of Service attack is only one of many which can occur if we are not vigilant and
appropriate precautions are not in place. It would also be wrong to believe that attacks against
networks only come from external organisations. Many reported incidents of illegal access are from
disgruntled internal users. In the US recently publish figures make it apparent that users in schools
can and are just as disruptive as external hackers sitting in darkened rooms and indeed there have
previously been internal attacks, including DoS attacks, on the embc network.

Embcpl, its suppliers and the LA’s aim is to work in partnership with sites to help them to better
understand the various threats that exist and the safeguards that are available and should be in
place to help secure the network for the benefit of all sites and users.

How can sites help embc police the network?

Most Technical staff tend to focus on the data access side of security. There are many more
aspects to it than that. The following list of topic’s give advice to schools on the actions they can be
taking. Each LEA should have a senior engineer, or member of staff, with responsibility for this
area, this may be your first port of call for advice or assistance if you are missing or don’t
understand any of the following:

Schools can help embc improve security in a number of ways:

    •    Security is not just about software, it’s about locking doors and thinking about where to
         house equipment; it’s about alarms and security fencing; it’s about protecting the

    •    Harden operating systems - Operating system hardening is the process of modifying and
         locking down a standard default installation of an operating system, whether is it used as a
         server or a workstation.

    •    It’s about using reasonably strong passwords wherever possible. Young children can
         struggle with strong passwords, in this situation it is imperative that their level of access is
         locked down to an acceptable level to compensate for weak or singular passwords.

    •    It is also about educating your users to be responsible, to not leave machines logged in, to
         not use post it™ notes to remember passwords.

                                                                                   Page 27 of 36
Standard Network Configuration                                                                EMBC pl

    •    The school should have a security policy to help staff and teachers know where the
         boundaries are of what they can and cannot do. If you need help or guidelines to help you
         do this the SANS institute have a project page with numerous sample security policies for
         download, most of which can be adapted as necessary to achieve a fit for you situation:


    •    Write an acceptable use policy for both staff and pupils and stick to the rules within it (your
         LEA should have sample templates as a starting point).

    •    Make sure that regular checks are carried out to see if security patches and updates are
         available for both servers and workstations. Microsoft, as well as many other vendors, offer
         fixes to bugs in the form of a "patch." After enough patches are compiled, they release a
         "service pack" which is more or less just a compilation of various patches and other fixes.

    •    Make sure you know what is happening on the school network, use software if necessary. If
         the network had been compromised now how would you know? For security tools it is worth
         looking at open source software as a starting point. See for
         the top 75 open source security tools.

    •    Make sure that school networks are secure and that users only have access to the
         minimum level resources required for there role.

    •    Limit or manage the use of USB pen drives. This is by far the easiest method of removing
         valuable data/programs from your school. Whilst undoubtedly very useful devices they pose
         a real security risk, Viruses and Trojans can come into the network via this method.

    •    Apple iPod’s™ and other such devices fall into the same category as pen device in that
         they too can be used to add and remove data / programs on the network.

    •    Bios passwords - protect the BIOS Setup program from unauthorized users. This stops
         users enabling USB pen drives. Protecting the Bios with a password also stops users
         changing the boot sequence to allow booting from a floppy or CD media.

    •    Do not install wireless devices without first determining the best way of making them
         secure. Think about installing a wireless authentication device to force any wireless users
         to logon. This can be linked into active directory so should be easy to administer.

    •    Make sure up to date anti-virus software is installed on all of your PC’s, servers and laptop
         PC’s. Have a mechanism or policy in place to update the AV software and make sure this is
         someone’s responsibility with automation and quality reporting to ensure all clients and
         servers are up to date and that this can be easily checked.

    •    Restrict or remove the ability for local users to install software on laptops or desktop PC’s.

                                                                                    Page 28 of 36
Standard Network Configuration                                                             EMBC pl

Externally Visible Servers
Schools frequently need to host externally visible servers on their networks. These can be for a
range of applications but do represent a security threat to the embc network if appropriate security
measures are not in place. Schools will be asked about the measures they have instituted when
applying for the external IP address needed to enable visibility.

All non-essential ports should be closed and the latest patches applied to the server. This process
is known as hardening. A policy to police the testing and application of software vendor patches
within your organisation should be in place and be written into the site’s security policy document.

Your Local Authority will be able to advise on what security measures are required for your server
to be made visible from the Internet.

Good security is a continuous process and by it’s very nature is never finished. Therefore it is in
your best interests to check embc documentation on a regular basis. Subscribe to one or more of
the various bug track mailing lists as this will keep you up to date on potential flaws in products you

The following sites offer RSS feeds for security alerts:

Firewall and Perimeter Security - Open Port Policy

As discussed earlier the embc has an obligation to maintain the security of the network and this
requires certain rules to be in place at the edge of the regional network. These rules protect the
whole of the network and it is essential that schools do not introduce back door routes in to the
network by introducing third party external connectivity (e.g. a third party provided ADSL line)
which will circumvent the regionally applied security measures. Any such threat will be treated
seriously and can result in the school be temporarily disconnected from the network whilst it is

Where a school has specific requirements these should always be addressed through the
appropriate first line Support Desk who will be aware of methods or tools that are already provided
or be in a position to take this up with embc and the suppliers.

                                                                                 Page 29 of 36
Standard Network Configuration                                                            EMBC pl

Workstation Requirements

Workstation or Laptop Computer Clock and embc Web-Based Services

Embc web-based services include the Portal, Web-Based e-Mail (OWA and MeMeMail) and
administration tools.

These services use date and time as part of their authentication process. If your workstation or
laptop’s computer clock is more than 30 minutes off from the actual time then you will experience
difficulties in using web-based embc services.

Note that the services use Universal Time, so as long as your workstation or laptop is within 30
minutes of the actual local time, you will be able to log in to these web-based services anywhere in
the world.

To ensure that your workstation or laptop’s computer clock is automatically adjusted to the correct
time you can configure something known as ntp – network time protocol.

If your computer is part of an Active Directory domain, then the computer clock will be
automatically adjusted to that of the Active Directory Domain Controllers. You can then configure
the domain controller to query an internet-based ntp-server. This will ensure that your entire Active
Directory client network is set automatically to the correct time.

If your computer is stand-alone, then you can configure it to query the internet-based ntp server
directly to automatically adjust it’s computer clock.

Full details on configuring ntp on Windows systems are available from the Microsoft web site
( Details for configuring ntp for Mac OS-X are available from the apple web
site (

                                                                                Page 30 of 36
Standard Network Configuration                                                          EMBC pl

Hardware Specifications

The minimum specifications in this document are those that all schools should be striving toward in
order that administration staff, teachers and pupils can make effective use of developing media.

Schools should be looking towards a three-year rolling program where computers – especially
admin computers – are upgraded or replaced regularly. Failure to do so could result in programs
not working properly and a limited view/use of the embc learning resources.


                                                                              Page 31 of 36
Standard Network Configuration                                                                              EMBC pl

Admin Computer Specification

                                                                                               Consideration for
                                    New                            Existing

                                                           Computers above this             Computers below this
                                                         specification will run most    specification are not likely to
                            When purchasing new
                                                        applications adequately. You          be suitable for the
                        computers they should meet
                                                         may experience problems        applications you are required
                         or exceed this specification
                                                        using a computer below this       to use in your day-to-day
                                                                specification.              running of your school

CPU                    Intel Pentium 4, 3.0Ghz          1.7Ghz Intel P3, 1.3Ghz AMD     Intel P2/AMD 1Ghz

Memory                 2Gb                              1Gb                             512Mb

CD/DVD                 52 x CD-R or CD-R/DVD            32 x CD or 8 x DVD              32 x CD

Hard Drive             80Gb                             40Gb                            10Gb

Network Interface      100Mps                           100Mbps                         100Mbps

                       Floppy and other re-writable     Floppy and other re-writable    Floppy and other re-writable
Re-writable media
                       media                            media                           media

                       Video card with 128Mb            Video card with 64Mb            Video card with 32Mb
Graphics               memory 1024 x 768 @ 24 bit       memory 1024 x 768 @ 24 bit      memory 1024 x 768 @ 24 bit
                       (8Mb)                            (8Mb)                           (4Mb)

Ports                  1 parallel, 1 serial, 4 USB      1 parallel, 1 serial, 4 USB     1 parallel, 1 serial, 2 USB

Keyboard &             UK Keyboard and pointing         UK Keyboard and pointing        UK Keyboard and pointing
Mouse                  device                           device                          device

                                                        15” or 17” flat screen or 17”
                       17” normal or flat screen.
Monitor                                                 normal screen. Must support     15” supporting 1024 x 768
                       Must support 1024 x 768
                                                        1024 x 768

                       16-bit soundcard output          16-bit soundcard output         16-bit soundcard output
                       through stereo headphones        through stereo headphones       through stereo headphones or
Sound Output
                       or speakers with adjustable      or speakers with adjustable     speakers with adjustable
                       volume                           volume                          volume

Sound In               N/A                              N/A                             N/A

Operating System       Windows XP Professional          Windows XP Professional         Windows 2000

                                                                                                  Page 32 of 36
Standard Network Configuration                                                                             EMBC pl

Curriculum Computer Specification

                                                                                            Consideration for
                                    New                           Existing

                                                           Computers above this            Computers below this
                                                         specification will run most   specification are not likely to
                            When purchasing new
                                                        applications adequately. You         be suitable for the
                        computers they should meet
                                                         may experience problems       applications you are required
                         or exceed this specification
                                                        using a computer below this      to use in your day-to-day
                                                                specification.             running of your school

CPU                    Intel Pentium 4, 3.0Ghz          1.7Ghz Intel, 1.3Ghz AMD       Intel/AMD 1Ghz

Memory                 2 Gb RAM                         1 Gb                           512Mb

                                                        32 x CD or 8 x DVD or
CD/DVD                 52 x CD-R or CD-R/DVD                                           32 x CD
                                                        CD/DVD server access

                                                                                       10Gb (20Gb in order to meet
Hard Drive             80Gb                             40Gb minimum
                                                                                       the min spec for KS3ICT)

Network Interface      100Mps                           100Mbps                        100Mbps

                       Floppy and other re-writable     Floppy or other re-writable    Floppy or other re-writable
Re-writable media
                       media                            media                          media

                       Video card with 128Mb            Video card with 64Mb           Video card with 32Mb
Graphics               memory 1024 x 768 @ 24 bit       memory 1024 x 768 @ 24 bit     memory 1024 x 768 @ 24 bit
                       (8Mb)                            (8Mb)                          (4Mb)

Keyboard &             UK Keyboard and pointing         UK Keyboard and pointing       UK Keyboard and pointing
Mouse                  device                           device                         device

                                                        15” or 17”, TFT where
                       17” normal or flat screen.       possible. 85Hz for CRT or
Monitor                                                                                15” supporting 1024 x 768
                       Must support 1024 x 768          65Hz for TFT. Must support
                                                        1024 x 768

                       16-bit soundcard output          16-bit soundcard output        16-bit soundcard output
                       through stereo headphones        through stereo headphones      through stereo headphones or
Sound Output
                       or speakers with adjustable      or speakers with adjustable    speakers with adjustable
                       volume                           volume                         volume

Sound In               Recording capability             Recording capability           Recording capability

Operating System       Windows XP Professional          Windows XP Pro                 Windows 2000/ME

                                                                                                 Page 33 of 36
Standard Network Configuration                                                              EMBC pl

Portal Services Browser Requirements
The embc portal is based on Sharepoint 2007 This section contains Microsoft’s recommendations
for a workstation’s internet browser for use with the embc Portal and Webmail services.

SUMS has been tested exhaustively with Internet Explorer 7, requires JavaScript to be enabled (as
it uses Web 2.0 technologies) and a minimum resolution of 1024 x 768 (however a resolution of
1280 x 1024 is recommended). Other browsers and configurations have been reported to work
however issues raised against these cannot be guaranteed to be resolved.

Plan browser support (Windows SharePoint Services)
About browser support

Windows SharePoint Services 3.0 supports several Web browsers that are commonly used.
However, there are certain browsers that might cause some Windows SharePoint Services 3.0
functionality to be downgraded, limited, or available only through alternative steps. In some cases,
functionality might be unavailable for noncritical administrative tasks. As part of planning your
deployment of Windows SharePoint Services 3.0, we recommend that you review the browsers
used in your organization to ensure optimal performance with Windows SharePoint Services 3.0.

Levels of browser support

Web browser support is divided into two levels: level 1 and level 2. Although administrative tasks
on SharePoint sites are optimized for level 1 browsers, Windows SharePoint Services 3.0 also
provides support for other browsers that are commonly used. To ensure that you have complete
access to all the functionality, we recommend that you use a level 1 browser for administrative

Level 1 Web browsers

Level 1 Web browsers take advantage of advanced features provided by ActiveX controls and
provide the most complete user experience. Level 1 browsers offer full functionality on all
SharePoint sites, including the SharePoint Central Administration Web site.

Level 1 Web browsers are as follows:

Windows Internet Explorer 7.x (32-bit)
Windows Internet Explorer 8.x (32-bit) (includes running in compatibility mode)

Level 1 browser support is only available for computers running the Windows operating system.

Level 2 Web browsers

Level 2 Web browsers provide basic functionality so that users can both read and write in
SharePoint sites and perform site administration. However, ActiveX controls are supported only in
                                                                                  Page 34 of 36
Standard Network Configuration                                                             EMBC pl

level 1 browsers. In addition, there are functionality differences between different browsers. As a
result, there might be a user experience that is different from that in level 1 browsers.

Level 2 Web browsers are listed in the following table.

                                                          Linux/          Macintosh OSX
            Browser                       Windows          Unix              Leopard
Internet Explorer 7.x (64-bit)        X
Internet Explorer 8.x (64-bit)        X
Firefox 3.x                                               X           X
Safari 3.x                                                            X

If a browser is not listed in either level 1 or level 2, it is not supported. For example,
older browsers — such as Internet Explorer 5.01, Internet Explorer 5.5x, Internet
Explorer for Macintosh, and versions of third-party Web browsers that are earlier than
the ones listed as level 2 browsers — are not supported.

                                                                                 Page 35 of 36
Standard Network Configuration                                                                EMBC pl


   CSP                    Customer Services Portal – the new Management and Communications Portal
                          from Synetrix

   DHCP                   Dynamic Host Configuration Protocol – used to allocate IP addresses and
                          settings to workstations

   DNS                    Domain Name System – marries IP addresses to hostnames

   E-164 Address An allocated address, similar to a telephone number, used in Video
                 Conferencing Calls

   E-Mail Filtering The filtering of e-mails based on e-mail addresses or e-mail content
                    (profanities, etc)

   H-323                  A collection of protocols and standards allowing voice and video
                          communication over packet based networks such as the IP based EMBC and
                          JANET networks

   IMAP                   Internet Message Access Protocol. A communications protocol used between
                          e-mail clients and e-mail servers

   JVCS                   Janet Video Conferencing Service

   POP3                   Post Office Protocol Version 3. A communications protocol used to retrieve e-
                          mail from an e-mail server

   SMTP                   Simple Mail Transfer Protocol. A communications protocol used to send and
                          receive e-mail between e-mail servers, and send e-mail from some clients

   TCR                    Technical Change Request. The procedure in place for approving and tracking
                          changes made to the EMBC network.

                                                                                    Page 36 of 36

Shared By: