Capstone Documentation


SARATOGA HEALTH CLINICS

 

A COMPREHENSIVE NETWORK DEVELOPMENT PROJECT BY:

ADVANCED TECHNOLOGY SOLUTIONS

SUBMITTED TO THE IT/COMPUTER NETWORK SYSTEMS PROGRAM

IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE ASSOCIATE DEGREE

BY

 

DAN TINDALL

HARLOW DIEGEL

DALE TUTTLE

JOSH ABEL

LON REED

ADVISOR - MR. DALE MCKAY

ITT TECHNICAL INSTITUTE

ALBANY, NEW YORK

NOVEMBER, 2009

Index

About our company

Network Infrastructure

ISP (Internet Service Provider)

Out of scope or upgrades

Hardware

Software

Windows Server

Virtualized Servers

Microsoft Office 2007 and McAfee Business

Linux Server

Redundant connections and Backup

Workstations

Training

Physical Security and Software Security

Testing the Network

Preparation for Live Run of system

Live run of system

On-site support for 30 days

60 additional days' on-site support

Removal of Old hardware equipment

Additional Services we provide

All Scripts Software (Medical Management)

IP Ranges

SOW (Statement of Work)

Budget

About our company

 

Advanced Technology Solutions is an IT company that has served Upstate New York for over fourteen years. We have implemented and upgraded networks for everything from small businesses to larger businesses with over 500 employees. Our installers and design staff have been with the company since it was founded on August 21, 1995. We have expanded our services over the years as our clients' needs have changed. We have an extensive IT technical staff on hand. All our employees are background checked and regularly drug screened. We provide the best option for the company we are assisting, drawing on a vast amount of resources and knowledge to design the network solution that best fits the company's needs, with room for future expansion with new technology.

 

Network Infrastructure

 

The network infrastructure will use an Ethernet handoff for data from site to site through VPN tunnels, on VLANs with Spanning Tree Protocol. Spanning Tree will have to be used so that the separate VLANs can transmit data between each other. There will be two virtualization servers (VMs) at the central office and one at the remote backup location in South Glens Falls. Each site will have Verizon-provided fiber into the site, with Cat 6a cabling from the fiber termination box to the routers, switches and devices connected internally, and an analog backup line. As an option, Time Warner backup lines can also be provided to the sites. Although this option costs more, it provides a redundant connection for all sites and servers, with 99.999% uptime and no interruption of service or speed on the network. The dial backup is a slow backup line, and would greatly reduce the speed at which staff can input and retrieve data from the servers. Josh and Harlow will label all cable runs and create reference sheets mapping the numbers assigned to cables to where the cables go.

ISP (Internet Service Provider)

 

Verizon will provide each of the five sites with fiber into the site and a termination box with an RJ-48 or RJ-45 connection port. Verizon will also provide the analog backup line to each site; the line will terminate in the server room for connection to the network routers or switches. If Saratoga Health chooses a secondary high-speed connection (Time Warner) as backup in the event the primary ISP line fails, this would substantially improve the reliability of the network connections and the recovery time after a hard-line failure. While this is not necessary for the backup or network servers, it would give reliable network stability and a backup system with multiple connections, resulting in almost no network slowdowns or impacts. The only remaining cause of an outage would be a complete power outage across the grid.

 

Out of scope or upgrades

 

The RFS required several items that were either unnecessary with today's technology or unavailable because they are outdated. The machines will not have Windows XP on them, because Microsoft no longer offers XP licensing for new machines following the rollout of its new OS. Windows 7 will be installed on the new machines throughout the network.

 

The server machines may have been expected to run Windows Server 2003, which is still available, but because of the extensive licensing costs this would not have been beneficial for Saratoga Health over time. After 2013, licensing for these machines will need renewal and they will no longer be supported after that point. Saratoga Health would then need to spend money on all new operating systems, new licensing, and migration of data to the new machines, which would far exceed the cost of the initial purchase and installation of Windows Server 2008, which will be supported and licensed through 2018. These Windows Servers will run in virtual machines on physical servers.

Hardware

 

The hardware for the network will be the following items: one Cisco 3725 ISR-IPS-MA router, 5 Catalyst 3560 switches, 5 Cisco 2906 Wireless LAN units (each supports 6 WAPs), a Dell PowerEdge Rack 2420 24U, a PowerEdge 2970, a Dell PowerVault MD1000, an HP Server Console Switch, 75 HP IQ800T desktops, 10 HP M2727 multi-function printers, and HP Power Edge T300 print servers.

 

Cisco 3725 MAS ISR with IPS, Redundant power supply (Non Hot-swappable)

Cisco 3725 routers include the following additional features:

• High-performance 240-MHz Reduced Instruction Set Computer (RISC) processor

• Up to 256 MB SDRAM

• Up to 128 MB Compact Flash memory

• Two slots for network modules, one of which can accommodate a double-wide network module

• Three interface card slots

• Two Cisco 3700 Compact Flash slots (one external and one internal)

• Two AIM slots

• Installation in a 19- or 23-inch rack or on a desk

• Support for Cisco Redundant Power System

• SDRAM: stores the running configuration and routing tables and is used for packet buffering by the network interfaces. Cisco IOS software executes from SDRAM.

• EPROM-based memory: stores the ROM monitor, which allows you to boot an operating system software image from internal or external Compact Flash memory.

3725 Router Memory and Processor Specifications

Processor: 240-MHz PMC-Sierra RM7061A RISC processor

SDRAM: 128-256 MB

NVRAM: 56 KB

CompactFlash: 32, 64, or 128 MB

Boot ROM: 512 KB

Cisco 3725 Interfaces

Each individual interface (port) on a Cisco 3725 router is identified by number, as described in the following sections.

WAN and LAN Interface Numbering

The Cisco 3725 router chassis contains the following WAN and LAN interface types:

• Two built-in Fast Ethernet LAN interfaces

• Three slots in which you can install WAN interface cards (WICs)

• One single-wide slot (slot 1) in which you can install one network module

• One double-wide slot (slot 2) in which you can install one single-wide or double-wide network module

The numbering format is interface-type slot-number/interface-number. Two examples are:

• FastEthernet 0/0

• Serial 1/2

The slot numbers are as follows:

• 0 for all built-in interfaces

• 0 for all WIC interfaces

• 1 for interfaces in the single-wide network module slot

• 2 for interfaces in the double-wide network module slot

Interface (port) numbers begin at 0 for each interface type, and continue from right to left and (if necessary) from bottom to top.

Figure 1-3 shows an example of interface numbering on a Cisco 3725 router with these interfaces:

• A WIC in each WIC slot (containing interfaces Serial 0/0 and Serial 0/1 in physical slot W0, interface Serial 0/2 in physical slot W1, and interface BRI 0/0 in physical slot W2)

• A 2-port T1 network module in slot 1 (containing the following ports: T1 1/0 and T1 1/1)

• A 36-port EtherSwitch network module in slot 2 (containing the following ports: Fast Ethernet 2/0 through 2/35, and Gigabit Ethernet 2/0 and 2/1)

• Two built-in Ethernet 10/100-Mbps interfaces-Fast Ethernet 0/0 and Fast Ethernet 0/1

The slot number for all WIC interfaces is always 0. (The W0 and W1 slot designations are for physical slot identification only.) Interfaces in the WICs are numbered from right to left, starting with 0/0 for each interface type, regardless of which physical slot the WICs are installed in. Some examples are as follows:

• If slot W0 is empty and slot W1 contains a 1-port serial WIC, the serial interface in the WIC is numbered Serial 0/0.

• If slot W0 contains a 2-port serial WIC and slot W1 contains a 1-port serial WIC, the serial interfaces in physical slot W0 are numbered Serial 0/0 and Serial 0/1, and the serial interface in physical slot W1 is numbered Serial 0/2.

• If slot W0 contains a 2-port serial WIC and slot W1 contains a 1-port BRI WIC, the serial interfaces in physical slot W0 are numbered Serial 0/0 and Serial 0/1, and the BRI interface in physical slot W1 is numbered BRI 0/0.
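
The numbering rules above can be turned into a small script that generates the cable-labelling reference sheet the Network Infrastructure section calls for. This is an added example, not code from the capstone document or from Cisco; the function names and the W0-before-W1-before-W2 ordering of the per-type counters are assumptions chosen to reproduce the three WIC examples given above and the Figure 1-3 router.

```python
"""Cisco 3725 interface-numbering rules, as a small model.

Added example, not from the capstone document or from Cisco: it encodes the
numbering rules quoted above so that the cable-labelling reference sheet the
project calls for can be generated and checked before anything is configured.
"""
from collections import defaultdict

# Physical WIC slots in the order the rule numbers them. The page's examples
# number W0 before W1 before W2 ("right to left"); that ordering is assumed here.
WIC_ORDER = {"W0": 0, "W1": 1, "W2": 2}


def number_wic_interfaces(wics):
    """wics: list of (physical_slot, interface_type, port_count), for example
    [("W0", "Serial", 2), ("W1", "BRI", 1)].

    Every WIC interface uses slot number 0, and each interface type keeps its
    own counter that runs across W0, W1, W2 regardless of which physical slots
    are populated. Returns [(interface_name, physical_slot), ...]."""
    counters = defaultdict(int)
    named = []
    for slot, itype, count in sorted(wics, key=lambda w: WIC_ORDER[w[0]]):
        for _ in range(count):
            named.append((f"{itype} 0/{counters[itype]}", slot))
            counters[itype] += 1
    return named


def number_module_interfaces(chassis_slot, ports):
    """ports: list of (interface_type, port_count) on one network module.
    Slot 1 is the single-wide slot, slot 2 the double-wide slot; numbering
    restarts at 0 for each interface type within the slot."""
    if chassis_slot not in (1, 2):
        raise ValueError("network modules go in chassis slot 1 or 2")
    return [f"{itype} {chassis_slot}/{n}" for itype, count in ports for n in range(count)]


def reference_sheet(wics, modules):
    """Map every interface name to its physical location, starting with the two
    built-in Fast Ethernet ports. modules: list of (chassis_slot, ports)."""
    sheet = {"FastEthernet 0/0": "built-in", "FastEthernet 0/1": "built-in"}
    for name, slot in number_wic_interfaces(wics):
        sheet[name] = f"WIC slot {slot}"
    for chassis_slot, ports in modules:
        for name in number_module_interfaces(chassis_slot, ports):
            sheet[name] = f"network module slot {chassis_slot}"
    return sheet


if __name__ == "__main__":
    # The Figure 1-3 router from the text: two serial WICs, a BRI WIC, a 2-port
    # T1 module in slot 1 and a 36-port EtherSwitch module in slot 2.
    sheet = reference_sheet(
        [("W0", "Serial", 2), ("W1", "Serial", 1), ("W2", "BRI", 1)],
        [(1, [("T1", 2)]), (2, [("FastEthernet", 36), ("GigabitEthernet", 2)])],
    )
    for name, location in sheet.items():
        print(f"{name:22} {location}")
```

Running the block prints one line per interface for the Figure 1-3 router (46 entries); the three WIC cases above are reproduced exactly by number_wic_interfaces, and a chassis slot other than 1 or 2 is rejected rather than silently numbered.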

Voice Interface Numbering

Voice interfaces are numbered as follows:

chassis-slot/voice-module-slot/voice-interface

If a 4-channel voice network module is installed in chassis slot 1, the voice interfaces are:

• 1/0/0-Chassis slot 1/Voice module slot 0/Voice interface 0

• 1/0/1-Chassis slot 1/Voice module slot 0/Voice interface 1

• 1/1/0-Chassis slot 1/Voice module slot 1/Voice interface 0

• 1/1/1-Chassis slot 1/Voice module slot 1/Voice interface 1

Cisco 3700 series routers provide inline power to IP phones connected to the router through Ethernet switch network modules. This power is supplied by special -48 V modules that connect directly to the chassis power supplies in the Cisco 3725.

Table 1-4 Cisco 3725 Router System Specifications

Dimensions (H x W x D): 3.5 x 17.1 x 15.0 in. (8.9 x 43.4 x 38.1 cm), 2-RU chassis height

Weight: 14 lb (6.4 kg)

Input voltage, AC power supply: 100 to 240 VAC, autoranging

Frequency: 47-63 Hz

Input surge current (AC): 50 A maximum, one cycle (-48-V power module included)

Input rating, DC power supply: 24-36 VDC, 9 A, positive or negative, operational from 18-36 VDC; or 36-60 VDC, 4 A, positive or negative, operational from 36-72 VDC

Input surge current (DC): 50 A, < 10 ms

Power dissipation: 135 W (maximum)

Heat dissipation: 135 W maximum, 460.661 BTU/hour; 495 W maximum, 1689.089 BTU/hour

Console and auxiliary ports: RJ-45 connector

Operating humidity: 5-95%, noncondensing

Operating temperature: 32-104°F (0-40°C)

Nonoperating temperature: -40 to 162°F (-40 to 72°C)

Noise level: 52 dBA (maximum)

Regulatory compliance: FCC Part 15 Class A. For additional compliance information, see the Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Regulatory Compliance and Safety Information document that accompanied the router.

Safety compliance: UL 60950; CAN/CSA C22.2 No. 60950-00; IEC 60950; AS/NZS 3260; TS001

Cisco Catalyst 3560 Switches

The Cisco Catalyst 3560 Series can provide a lower total cost of ownership (TCO) for deployments that incorporate Cisco IP phones, Cisco Aironet® wireless LAN (WLAN) access points, or any IEEE 802.3af-compliant end device. PoE removes the need for wall power to each PoE-enabled device and eliminates the cost for additional electrical cabling that would otherwise be necessary in IP phone and WLAN deployments.

The Cisco® Catalyst® 3560 Series is a line of fixed-configuration, enterprise-class switches that include IEEE 802.3af and Cisco prestandard Power over Ethernet (PoE) functionality in Fast Ethernet and Gigabit Ethernet configurations. The Cisco Catalyst 3560 is an ideal access layer switch for small enterprise LAN access or branch-office environments, combining both 10/100/1000 and PoE configurations for maximum productivity and investment protection while enabling the deployment of new applications such as IP telephony, wireless access, video surveillance, building management systems, and remote video kiosks. Customers can deploy network wide intelligent services-such as advanced quality of service (QoS), rate limiting, access control lists (ACLs), multicast management, and high-performance IP routing-while maintaining the simplicity of traditional LAN switching. Available for the Cisco Catalyst 3560 Series at no charge, the Cisco Network Assistant is a centralized management application that simplifies the administration tasks for Cisco switches, routers, and wireless access points. Cisco Network Assistant provides configuration wizards that greatly simplify the implementation of converged networks and intelligent network services.

Gigabit Ethernet

At speeds of 1000 Mbps, Gigabit Ethernet provides the bandwidth to meet new and evolving network demands, alleviate bottlenecks, and boost performance while increasing the return on existing infrastructure investments. Today's workers are placing higher demands on networks, running multiple, concurrent applications. For example, a worker joins a team conference call through an IP videoconference, sends a 10-MB spreadsheet to meeting participants, broadcasts the latest marketing video for the team to evaluate, and queries the customer-relationship-management database for the latest real-time feedback. Meanwhile, a multigigabyte system backup starts in the background and the latest virus updates are delivered to the client. The Cisco Catalyst 3560 provides a means to intelligently scale the network beyond 100 Mbps over existing Category 5 copper cabling and simultaneously support PoE for maximum productivity and investment protection.

Intelligence in the Network

Networks of today are evolving to address four new developments at the network edge:

• Increase in desktop computing power

• Introduction of bandwidth-intensive applications

• Expansion of highly sensitive data on the network

• Presence of multiple device types, such as IP phones, WLAN access points, and IP video cameras

These new demands are contending for resources with many existing mission-critical applications. As a result, IT professionals must view the edge of the network as critical to effectively manage the delivery of information and applications.

As companies increasingly rely on networks as the strategic business infrastructure, it is more important than ever to help ensure their high availability, security, scalability, and control. By adding Cisco intelligent functions for LAN access, customers can now deploy network wide intelligent services that consistently address these requirements from the desktop to the core and through the WAN.

With Cisco Catalyst Intelligent Ethernet switches, Cisco Systems® helps enable companies to realize the full benefits of adding intelligent services into their networks. Deploying capabilities that make the network infrastructure highly available to accommodate time-critical needs, scalable to accommodate growth, secure enough to protect confidential information, and capable of differentiating and controlling traffic flows is critical to further optimizing network operations.

Enhanced Security

With the wide range of security features that the Cisco Catalyst 3560 Series offers, businesses can protect important information, keep unauthorized people off the network, guard privacy, and maintain uninterrupted operation.

Cisco Identity Based Networking Services (IBNS) provides authentication, access control, and security policy administration to secure network connectivity and resources. Cisco IBNS in the Cisco Catalyst 3560 Series prevents unauthorized access and helps ensure that users get only their designated privileges. It provides the ability to dynamically administer granular levels of network access. Using the 802.1x standard and the Cisco Access Control Server (ACS), users can be assigned a VLAN or an ACL upon authentication, regardless of where they connect to the network. This setup allows IT departments to enable strong security policies without compromising user mobility-and with minimal administrative overhead.

To guard against denial-of-service and other attacks, ACLs can be used to restrict access to sensitive portions of the network by denying packets based on source and destination MAC addresses, IP addresses, or TCP/UDP ports. ACL lookups are done in hardware, so forwarding performance is not compromised when implementing ACL-based security.


Port security can be used to limit access on an Ethernet port based on the MAC address of the device to which it is connected. It also can be used to limit the total number of devices plugged into a switch port, thereby protecting the switch from a MAC flooding attack as well as reducing the risks of rogue wireless access points or hubs.

With Dynamic Host Configuration Protocol (DHCP) snooping, DHCP spoofing can be thwarted by allowing only DHCP requests (but not responses) from untrusted user-facing ports. Additionally, the DHCP Interface Tracker (Option 82) helps enable granular control over IP address assignment by augmenting a host IP address request with the switch port ID. Building further on the DHCP snooping capabilities, IP address spoofing can be thwarted using Dynamic ARP Inspection and IP Source Guard.

The MAC Address Notification feature can be used to monitor the network and track users by sending an alert to a management station so that network administrators know when and where users entered the network. The Private VLAN feature isolates ports on a switch, helping ensure that traffic travels directly from the entry point to the aggregation device through a virtual path and cannot be directed to another port.

Secure Shell (SSH) Protocol Version 2, Kerberos, and Simple Network Management Protocol Version 3 (SNMPv3) encrypt administrative and network-management information, protecting the network from tampering or eavesdropping. TACACS+ or RADIUS authentication enables centralized access control of switches and restricts unauthorized users from altering the configurations. Alternatively, a local username and password database can be configured on the switch itself. Fifteen levels of authorization on the switch console and two levels on the Web-based management interface provide the ability to give different levels of configuration capabilities to different administrators.

The Cisco Catalyst 3560 Series is equipped with a robust set of features that allow for network scalability and higher availability through IP routing as well as a complete suite of Spanning Tree Protocol enhancements aimed to maximize availability in a Layer 2 network.


The Cisco Catalyst 3560 switches deliver high-performance, hardware-based IP routing. The Cisco Express Forwarding-based routing architecture allows for increased scalability and performance. This architecture allows for very high-speed lookups while also helping ensure the stability and scalability necessary to meet the needs of future requirements. In addition to dynamic IP unicast routing, the Cisco Catalyst 3560 Series is perfectly equipped for networks requiring multicast support. Protocol Independent Multicast (PIM) and Internet Group Management Protocol (IGMP) snooping in hardware make the Cisco Catalyst 3560 Series switches ideal for intensive multicast environments.

Implementing routed uplinks to the core improves network availability by enabling faster failover protection and simplifying the Spanning Tree Protocol algorithm by terminating all Spanning Tree Protocol instances at the aggregator switch. If one of the uplinks fails, quicker failover to the redundant uplink can be achieved with a scalable routing protocol such as Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP) rather than relying on standard Spanning Tree Protocol convergence. Redirection of a packet after a link failure using a routing protocol results in faster failover than a solution that uses Layer 2 spanning-tree enhancements. Additionally, routed uplinks allow better bandwidth use by implementing equal cost routing (ECR) on the uplinks to perform load balancing. Routed uplinks optimize the utility of uplinks out of the LAN Access by eliminating unnecessary broadcast data flows into the network backbone.

The Cisco Catalyst 3560 also offers dramatic bandwidth savings as a wiring-closet switch in a multicast environment. Using routed uplinks to the network core eliminates the requirement to transmit multiple streams of the same multicast from the upstream content servers to LAN access switches. For example, if three users are assigned to three separate VLANs and they all want to view multicast ABC, then three streams of multicast ABC must be transmitted from the upstream router to the wiring-closet switch, assuming the wiring-closet switch is not capable of routed uplinks.


Deploying IP routing to the core with Cisco Catalyst 3560 switches allows users to create a scalable, multicast-rich network. The Cisco IP Services license offers IPv6 routing, including support for simultaneous IPv4 and IPv6 forwarding. IPv6 protocol support includes OSPFv3 and EIGRPv6. IPv6 management and MLD Snooping are supported on all Cisco Catalyst 3560 software images.

• Cisco Express Setup simplifies initial configuration with a Web browser, eliminating the need for more complex terminal emulation programs and CLI knowledge. (We will use the CLI for setup.)

• IEEE 802.3af and Cisco prestandard PoE support comes with automatic discovery to detect a Cisco prestandard or IEEE 802.3af endpoint and provide the necessary power without any user configuration.

• DHCP auto configuration of multiple switches through a boot server eases switch deployment.

• Automatic QoS (Auto QoS) simplifies QoS configuration in voice-over-IP (VoIP) networks by issuing interface and global switch commands to detect Cisco IP phones, classify traffic, and enable egress queue configuration.

• Autosensing on each 10/100 port detects the speed of the attached device and automatically configures the port for 10- or 100-Mbps operation, easing switch deployment in mixed 10- and 100-Mbps environments.

• Auto negotiating on all ports automatically selects half- or full-duplex transmission mode to optimize bandwidth.

• Dynamic Trunking Protocol (DTP) helps enable dynamic trunk configuration across all switch ports.

• Port Aggregation Protocol (PAgP) automates the creation of Cisco Fast EtherChannel® groups or Gigabit EtherChannel groups to link to another switch, router, or server.

• Link Aggregation Control Protocol (LACP) allows the creation of Ethernet channeling with devices that conform to IEEE 802.3ad. This feature is similar to Cisco EtherChannel technology and PAgP.

• DHCP Server enables a convenient deployment option for the assignment of IP addresses in networks that do not have a dedicated DHCP server.

• DHCP Relay allows a DHCP relay agent to broadcast DHCP requests to the network DHCP server.

• IEEE 802.3z-compliant 1000BASE-SX, 1000BASE-LX/LH, 1000BASE-ZX, 1000BASE-T, and coarse wavelength-division multiplexing (CWDM) physical interface support through a field-replaceable SFP module provides unprecedented flexibility in switch deployment.

• Support for the Cisco Catalyst 3560 SFP Interconnect Cable facilitates a low-cost, point-to-point gigabit connection between Cisco Catalyst 3560 Series switches.

• The default configuration stored in Flash memory helps ensure that the switch can be quickly connected to the network and can pass traffic with minimal user intervention.

• Automatic medium-dependent interface crossover (Auto-MDIX) automatically adjusts transmit and receive pairs if an incorrect cable type (crossover or straight-through) is installed on a 10/100 port.

• Time Domain Reflectometry (TDR) to diagnose and resolve cabling problems on copper Ethernet 10/100/1000 ports.

• Cisco UplinkFast and BackboneFast technologies help ensure quick failover recovery, enhancing overall network stability and reliability.

• IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) provides rapid spanning-tree convergence independent of spanning-tree timers and the benefit of distributed processing.

• Per-VLAN Rapid Spanning Tree Plus (PVRST+) allows rapid spanning-tree reconvergence on a per-VLAN spanning-tree basis, without requiring the implementation of spanning-tree instances.

• Cisco Hot Standby Router Protocol (HSRP) is supported to create redundant, fail-safe routing topologies.

• Command-switch redundancy enabled in Cisco Network Assistant software allows designation of a backup command switch that takes over cluster-management functions if the primary command switch fails.

• Unidirectional Link Detection Protocol (UDLD) and Aggressive UDLD allow unidirectional links to be detected and disabled to avoid problems such as spanning-tree loops.

• Switch port autorecovery (errdisable) automatically attempts to reenable a link that is disabled because of a network error.

• Cisco RPS 2300 support provides superior internal power-source redundancy, resulting in improved fault tolerance and network uptime.

• Equal cost routing (ECR) provides load balancing and redundancy.

• Bandwidth aggregation up to 8 Gbps through Cisco Gigabit EtherChannel technology and up to 800 Mbps through Cisco Fast EtherChannel technology enhances fault tolerance and offers higher-speed aggregated bandwidth between switches and to routers and individual servers.

• Cisco Express Forwarding hardware routing architecture delivers extremely high-performance IP routing.

• Basic IP unicast routing protocols (static, RIPv1, RIPv2 and RIPng) are supported for small-network routing applications.

• Advanced IP unicast routing protocols (OSPF, Interior Gateway Routing Protocol [IGRP], EIGRP, Border Gateway Protocol Version 4 [BGPv4] and IS-ISv4) are supported for load balancing and constructing scalable LANs. The IP Services license is required.

• IPv6 routing capability (OSPFv3, EIGRPv6) is supported. The IP Services license is required.

• Policy-Based Routing (PBR) allows superior control by enabling flow redirection regardless of the routing protocol configured.

• Inter-VLAN IP routing provides for full Layer 3 routing between two or more VLANs.

• Protocol Independent Multicast (PIM) for IP Multicast routing is supported, including PIM sparse mode (PIM-SM), PIM dense mode (PIM-DM), and PIM sparse-dense mode. The IP Services license is required.

• Fallback bridging forwards non-IP traffic between two or more VLANs.

• IEEE 802.1x allows dynamic, port-based security, providing user authentication.

• IEEE 802.1x with VLAN assignment allows a dynamic VLAN assignment for a specific user regardless of where the user is connected.

• IEEE 802.1x with voice VLAN permits an IP phone to access the voice VLAN irrespective of the authorized or unauthorized state of the port.

• IEEE 802.1x and port security are provided to authenticate the port and manage network access for all MAC addresses, including those of the client.

• IEEE 802.1x with an ACL assignment allows for specific identity-based security policies regardless of where the user is connected.

• IEEE 802.1x with Guest VLAN allows guests without 802.1x clients to have limited network access on the guest VLAN.

• Web authentication for non-802.1x clients allows non-802.1x clients to use an SSL-based browser for authentication.

• Multi-Domain Authentication allows an IP phone and a PC to authenticate on the same switch port while placing them on appropriate Voice and Data VLAN.

• MAC Auth Bypass (MAB) for voice allows third-party IP phones without an 802.1x supplicant to get authenticated using their MAC address.

• Cisco security VLAN ACLs (VACLs) on all VLANs prevent unauthorized data flows from being bridged within VLANs.

• Cisco standard and extended IP security router ACLs (RACLs) define security policies on routed interfaces for control- and data-plane traffic.

• Port-based ACLs (PACLs) for Layer 2 interfaces allow application of security policies on individual switch ports.

• Unicast MAC filtering prevents the forwarding of any type of packet with a matching MAC address.

• Unknown unicast and multicast port blocking allows tight control by filtering packets that the switch has not already learned how to forward.

• SSHv2, Kerberos, and SNMPv3 provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSHv2, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.

• Private VLAN Edge provides security and isolation between switch ports, helping ensure that users cannot snoop on other users' traffic.

• Private VLANs restrict traffic between hosts in a common segment by segregating traffic at Layer 2, turning a broadcast segment into a nonbroadcast multi-access-like segment.

• Bidirectional data support on the Switched Port Analyzer (SPAN) port allows the Cisco Secure Intrusion Detection System (IDS) to take action when an intruder is detected.

• TACACS+ and RADIUS authentication enable centralized control of the switch and restrict unauthorized users from altering the configuration.

• MAC address notification allows administrators to be notified of users added to or removed from the network.

• Dynamic ARP Inspection (DAI) helps ensure user integrity by preventing malicious users from exploiting the insecure nature of the ARP protocol.

• DHCP snooping allows administrators to help ensure consistent mapping of IP to MAC addresses. This can be used to prevent attacks that attempt to poison the DHCP binding database, and to rate limit the amount of DHCP traffic that enters a switch port.

• IP source guard prevents a malicious user from spoofing or taking over another user's IP address by creating a binding table between the client's IP and MAC address, port, and VLAN.

• DHCP Interface Tracker (Option 82) augments a host IP address request with the switch port ID.

• Port security secures the access to an access or trunk port based on MAC address.

• After a specific timeframe, the aging feature removes the MAC address from the switch to allow another device to connect to the same port.

• Trusted Boundary provides the ability to trust the QoS priority settings if an IP phone is present and to disable the trust setting if the IP phone is removed, thereby preventing a malicious user from overriding prioritization policies in the network.

• Multilevel security on console access prevents unauthorized users from altering the switch configuration.

• The user-selectable address-learning mode simplifies configuration and enhances security.

• BPDU Guard shuts down Spanning Tree Protocol PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops.

• Spanning-Tree Root Guard (STRG) prevents edge devices not in the network administrator's control from becoming Spanning Tree Protocol root nodes.

• IGMP filtering provides multicast authentication by filtering out nonsubscribers and limits the number of concurrent multicast streams available per port.

• Dynamic VLAN assignment is supported through implementation of VLAN Membership Policy Server (VMPS) client functions to provide flexibility in assigning ports to VLANs. Dynamic VLAN helps enable the fast assignment of IP addresses.

• Cisco Network Assistant software security wizards ease the deployment of security features for restricting user access to a server as well as to a portion of or the entire network.

• Two thousand access control entries (ACEs) are supported.
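
The DHCP snooping, Dynamic ARP Inspection and IP source guard bullets above describe three features that depend on one data structure, the DHCP snooping binding table. As an added example, not code from this design or from Cisco, the following Python model shows how that table is built from DHCP traffic (server messages arriving on untrusted ports are dropped, DHCP on untrusted ports is rate-limited) and then consulted to drop ARP replies and IP packets whose source addresses have no matching binding on that port and VLAN. Port names, MAC addresses and IP addresses are constructed, and the model omits lease expiry, option-82 insertion and the static bindings a real switch also supports.

```python
"""Toy model of three related access-switch features:
DHCP snooping (builds the binding table, rate-limits DHCP, blocks rogue servers),
Dynamic ARP Inspection (validates ARP against the table) and
IP Source Guard (validates IP source addresses against the table).
Ports, MACs and addresses are constructed for illustration."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    trusted_ports: frozenset                         # uplinks toward the real DHCP server
    dhcp_rate_limit: int = 5                         # DHCP packets tolerated per untrusted port
    bindings: dict = field(default_factory=dict)     # (mac, vlan) -> Binding
    pending: dict = field(default_factory=dict)      # client mac -> (port, vlan) awaiting ACK
    dhcp_seen: dict = field(default_factory=dict)    # port -> DHCP packets counted
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _drop(self, reason):
        self.log.append("DROP " + reason)
        return False

    # --- DHCP snooping ------------------------------------------------------
    def dhcp_request(self, port, vlan, src_mac, chaddr):
        """Client DISCOVER/REQUEST. On untrusted ports the packet rate is limited
        and the DHCP client hardware address must equal the frame's source MAC."""
        if port in self.err_disabled:
            return self._drop(f"{port} is err-disabled")
        if port not in self.trusted_ports:
            self.dhcp_seen[port] = self.dhcp_seen.get(port, 0) + 1
            if self.dhcp_seen[port] > self.dhcp_rate_limit:
                self.err_disabled.add(port)
                return self._drop(f"DHCP rate limit exceeded on {port}, port err-disabled")
            if src_mac != chaddr:
                return self._drop(f"DHCP chaddr {chaddr} != source MAC {src_mac} on {port}")
        self.pending[chaddr] = (port, vlan)
        return True

    def dhcp_ack(self, port, client_mac, leased_ip):
        """Server OFFER/ACK. Only trusted ports may carry server messages; a valid
        ACK creates the binding that DAI and IP Source Guard consult."""
        if port not in self.trusted_ports:
            return self._drop(f"rogue DHCP server message on untrusted port {port}")
        if client_mac not in self.pending:
            return self._drop(f"DHCP ACK for {client_mac} without a matching request")
        client_port, vlan = self.pending.pop(client_mac)
        self.bindings[(client_mac, vlan)] = Binding(client_mac, leased_ip, vlan, client_port)
        return True

    # --- Dynamic ARP Inspection ---------------------------------------------
    def arp(self, port, vlan, sender_mac, sender_ip):
        """ARP on an untrusted port is forwarded only if sender MAC/IP match a
        binding that was learned on the same port and VLAN."""
        if port in self.trusted_ports:
            return True
        b = self.bindings.get((sender_mac, vlan))
        if b is None or b.ip != sender_ip or b.port != port:
            return self._drop(f"DAI: ARP {sender_ip} is-at {sender_mac} on {port} has no binding")
        return True

    # --- IP Source Guard ----------------------------------------------------
    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP traffic on an untrusted port must carry a bound source IP/MAC pair."""
        if port in self.trusted_ports:
            return True
        b = self.bindings.get((src_mac, vlan))
        if b is None or b.ip != src_ip or b.port != port:
            return self._drop(f"IPSG: {src_ip}/{src_mac} on {port} not in binding table")
        return True


def demo():
    """Walk a legitimate lease, then spoofing attempts from another port.
    Returns the per-step verdicts (True = forward) and the drop log."""
    sw = AccessSwitch(trusted_ports=frozenset({"Gi0/24"}))   # Gi0/24: uplink to DHCP server
    v = {}
    v["request"] = sw.dhcp_request("Fa0/1", 10, "00:11:22:33:44:55", "00:11:22:33:44:55")
    v["rogue_offer"] = sw.dhcp_ack("Fa0/2", "00:11:22:33:44:55", "10.54.0.99")   # from an access port
    v["ack"] = sw.dhcp_ack("Gi0/24", "00:11:22:33:44:55", "10.54.0.10")
    v["good_arp"] = sw.arp("Fa0/1", 10, "00:11:22:33:44:55", "10.54.0.10")
    v["spoofed_arp"] = sw.arp("Fa0/2", 10, "de:ad:be:ef:00:01", "10.54.0.1")     # claims the gateway
    v["good_ip"] = sw.ip_packet("Fa0/1", 10, "00:11:22:33:44:55", "10.54.0.10")
    v["spoofed_ip"] = sw.ip_packet("Fa0/2", 10, "00:11:22:33:44:55", "10.54.0.10")  # right pair, wrong port
    return v, sw.log


if __name__ == "__main__":
    verdicts, log = demo()
    for name, ok in verdicts.items():
        print(f"{name:12s} {'forward' if ok else 'drop'}")
    print("\n".join(log))
```

The last case is the one worth remembering: the IP and MAC pair is genuinely in the binding table, but the binding names a different port, so IP source guard still drops it. This is why the table records port and VLAN and not just the address pair.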

Cisco 2106 Wireless LAN

The Cisco 2106 Wireless LAN provides 6 access points at each location for wireless devices.

Features and Benefits

  • Eight 10/100 Ethernet Ports: Provides eight 10/100 Ethernet ports, intended to support a combination of access points and redundant LAN uplinks
  • Power-over-Ethernet-Enabled Ports: Two of the eight 10/100 Ethernet ports are 802.3af Power over Ethernet (PoE) and Cisco PoE enabled, rated for use with Cisco Aironet® lightweight access points
  • Small Form Factor: Allows for convenient desktop mounting or rack mounting, with optional rack mount kit for flexible deployment
  • Extended Secure Coverage: Extended secure coverage for larger stores and warehouses
  • PCI Integration: Supports a PCI-certified architecture for retail customers
  • Support for 802.11n: Offers robust coverage with 802.11 a/b/g or delivers unprecedented reliability using 802.11n and Cisco Next-Generation Wireless Solutions and Cisco Enterprise Wireless Mesh.

Wireless Standards

IEEE 802.11a, 802.11b, 802.11g, 802.11d, 802.11h, 802.11n

Wired/Switching/Routing

IEEE 802.3 10BASE-T, IEEE 802.3u 100BASE-TX specification, and IEEE 802.1Q VLAN tagging

Data RFCs

  • RFC 768 UDP
  • RFC 791 IP
  • RFC 792 ICMP
  • RFC 793 TCP
  • RFC 826 ARP
  • RFC 1122 Requirements for Internet Hosts
  • RFC 1519 CIDR
  • RFC 1542 BOOTP
  • RFC 2131 DHCP

Security Standards

  • Wi-Fi Protected Access (WPA)
  • IEEE 802.11i (WPA2, RSN)
  • RFC 1321 MD5 Message-Digest Algorithm
  • RFC 2104 HMAC: Keyed Hashing for Message Authentication
  • RFC 2246 TLS Protocol Version 1.0
  • RFC 3280 X.509 PKI Certificate and CRL Profile

Encryption

• WEP and Temporal Key Integrity Protocol-Message Integrity Check (TKIP-MIC): RC4 40, 104 and 128 bits (both static and shared keys)

• Secure Sockets Layer (SSL) and Transport Layer Security (TLS): RC4 128-bit and RSA 1024- and 2048-bit

• Advanced Encryption Standard (AES): CCM, Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Authentication, Authorization, and Accounting (AAA)

• IEEE 802.1X

• RFC 2548 Microsoft Vendor-Specific RADIUS Attributes

• RFC 2716 PPP EAP-TLS

• RFC 2865 RADIUS Authentication

• RFC 2866 RADIUS Accounting

• RFC 2867 RADIUS Tunnel Accounting

• RFC 2869 RADIUS Extensions

• RFC 3576 Dynamic Authorization Extensions to RADIUS

• RFC 3579 RADIUS Support for EAP

• RFC 3580 IEEE 802.1X RADIUS Guidelines

• RFC 3748 Extensible Authentication Protocol

• Web-based authentication

Management

• SNMP v1, v2c, v3

• RFC 854 Telnet

• RFC 1155 Management Information for TCP/IP-Based Internets

• RFC 1156 MIB

• RFC 1157 SNMP

• RFC 1213 SNMP MIB II

• RFC 1350 TFTP

• RFC 1643 Ethernet MIB

• RFC 2030 SNTP

• RFC 2616 HTTP

• RFC 2665 Ethernet-Like Interface types MIB

• RFC 2674 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering, and Virtual LAN Extensions

• RFC 2819 RMON MIB

• RFC 2863 Interfaces Group MIB

• RFC 3164 Syslog

• RFC 3414 User-Based Security Model (USM) for SNMPv3

• RFC 3418 MIB for SNMP

• RFC 3636 Definitions of Managed Objects for IEEE 802.3 MAUs

• Cisco private MIBs

Management Interfaces

  • Designed for use with Cisco Wireless Control System
  • Web-based: HTTP/HTTPS individual device manager
  • Command-line interface: Telnet, SSH, serial port

Interfaces and Indicators

  • Console port: RS-232 (DB-9 male/RJ-45 connector included)
  • Network: Eight 10/100 Mbps Ethernet (RJ-45) including two 802.3af or Cisco PoE ports rated for use with Cisco Aironet lightweight access points
  • LED indicators: Link Activity (each 10/100 port), Power, Status, Alarm, Access Point Joined

Physical and Environmental

  • Dimensions: 1.75 x 7.89 x 6.87 in. (4.45 x 20.04 x 17.45 cm)
  • Weight: 4.0 lbs (with power supply)
  • Temperature: operating 32 to 104°F (0 to 40°C); storage -13 to 158°F (-25 to 70°C)
  • Humidity: operating 10 to 95 percent, noncondensing; storage up to 95 percent
  • Power adapter: Input power: 100 to 240 VAC; 50/60 Hz
  • Heat Dissipation: 72 BTU/hour

Regulatory Compliance

  • CE Mark
  • Safety: UL 60950-1:2003, EN 60950:2000
  • EMI and susceptibility (Class B): U.S. FCC Part 15.107 and 15.109; Canada ICES-003; Japan VCCI; Europe EN 55022, EN 55024

Dell PowerEdge Rack 2420 24U

The Dell PowerEdge rack supports the mounting of 24 rack units (24U) of equipment.

  • Height 47.3" (1202 mm)
  • Width 23.82" (605 mm)
  • Depth 42.15" (1071 mm)

With a static load rating of 1,500 lbs, the 2420 rack needs no special infrastructure for many installations. It is available with stabilizer bars to secure the rack to the floor.

Lockable doors at the front and rear provide security in data centers, remote offices, wiring closets, factory floors and other environments.

Important New PDU Mounting Features

In addition to U-space power distribution unit (PDU) mounting, the PowerEdge 2420 rack enclosure allows 24 PDUs to be mounted on either side or at the back along the doors - no tools necessary. With more space between the back panels of the server and the PDU outlets than previous Dell racks, the PDUs mounted along the rear doors won't interfere with air circulation.

The 2420 rack is deeper than the previous generation of Dell racks (1071mm vs. 1000mm), so there's more space for hot air to move outside. Flexible air dams help keep hot air from moving from the back to the front, a problem common in many racks.

For hot-aisle/cold-aisle thermally efficient datacenter topologies, its footprint matches standard 2-foot floor tile placement to optimize access to cold air.

The increase in size to 1071mm helps the 2420 rack accommodate servers with deeper dimensions, while still providing space for cable management. The large open base and dual side panels with removable sections on both sides provide more options for cable access.

Removable "tail-bars" at the top and bottom of the back frame eliminate a common obstacle to power and cable routing. The bars can be re-attached after the cables are in place.

Other access features include:

  • Dual rear doors
  • Reversible front door
  • Removable front and rear door
  • Rotating rear castors
  • Easily accessible leveling feet

Three Dell PowerEdge 2970 servers will host the virtual machines. Specifications: two dual-core AMD Opteron 2.2 GHz processors with 6 MB cache, 16 GB DDR2 667 MHz RAM, 160 GB 7200 RPM Serial ATA hard drives, an Intel PRO/1000 VT quad-port 1 Gb Ethernet adapter, and LOM NICs (TOE ready).

One Dell PowerVault MD1000 will serve as the SAN storage enclosure. Specifications: two enclosure management modules, a PERC card, 500 GB SATA 3 Gbps hot-plug hard drives, rack mounts, and a 3-year next-day service warranty.

An HP server console switch will be used to administer all servers.

HP IQ800T touch-screen desktops: dual-core T9600 2.8 GHz processor with 6 MB cache, 8 GB DDR2 800 MHz RAM, 500 GB SATA 7200 RPM hard drive, 512 MB NVIDIA video, Wireless-N LAN, Bluetooth, 5-in-1 card reader, 2 USB ports, 1394 FireWire, TV tuner, DVD drive, integrated 2.0 speakers, 2009 Britannica Visual Dictionary and Britannica Desktop Encyclopedia, wired keyboard and mouse (the system ships with a wireless keyboard and mouse, but those would mean frequent and costly battery replacements), HP 8-outlet surge-protector power strip with coax and phone-line protection, and a 2-year in-house service warranty.

HP LaserJet M2727 b/w printer/fax/copier has the following specifications:

  • Print speed, black (normal quality mode): Up to 27 ppm
  • Page yield footnote: For page and photo yields and other cartridge options, see http://www.hp.com/go/pageyield
  • First page out (black): As fast as 10.0 sec
  • Monthly duty cycle: Printer: up to 15,000 pages; copier: up to 15,000 pages; ADF: up to 2250 pages
  • Recommended monthly print volume: 750 to 3000 pages
  • Print technology: Laser
  • Print resolution, black: Up to 1200 x 1200 dpi
  • Print speed footnote: Exact speed varies depending on the system configuration, software program and document complexity.
  • Paper handling optional, input: Optional second 250-sheet paper tray
  • Paper handling standard, input: 50-sheet media input tray, 250-sheet media input tray, 50-sheet automatic document feeder
  • Paper handling standard, output: 125-sheet face-down output bin and straight-thru paper path
  • Envelope capacity: Up to 10 envelopes
  • Envelope feeder: No
  • Duplex printing (printing on both sides of paper): Automatic (standard)
  • Document finishing: Sheetfed
  • Media sizes, standard: Tray 1, output bin: 16 to 43 lb; Tray 2: 16 to 32 lb; automatic document feeder (ADF): 16 to 24 lb
  • Media sizes, custom: Tray 1: 3.0 x 5.0 to 8.5 x 14.0 in; Tray 2: 5.8 x 8.3 to 8.5 x 14.0 in; Automatic document feeder: 5.5 x 5 to 8.5 x 14.0 in
  • Media types: Paper (bond, color, heavy, letterhead, light, plain, preprinted, prepunched, recycled, rough), envelopes, transparencies, labels, cardstock
  • Media weight: Tray 1, output bin: 16 to 43 lb; Tray 2: 16 to 32 lb; automatic document feeder (ADF): 16 to 24 lb
  • Product weight: 37.8 lb

Additional Specifications

  • Processor speed: 450 MHz
  • Memory, standard: 64 MB
  • Memory, maximum: 64 MB
  • Print languages, standard: HP PCL 6, HP PCL 5e, HP postscript level 3 emulation

Scanner specifications

  • Scanner type: Flatbed, ADF
  • Scan resolution, optical: Up to 1200 dpi
  • Bit depth: 24-bit
  • Scan size, maximum (flatbed): 8.5 x 11.7 in
  • Scan size, maximum (ADF): 8.5 x 14 in
  • Scan speed (default): Up to 3 ppm
  • Automatic paper sensor: No

Copier specifications

  • Copy resolution, black: Up to 600 x 600 dpi
  • Copy reduce/enlarge settings: 25 to 400%
  • Maximum number of copies: Up to 99 copies

Fax specifications

  • Fax transmission speed (seconds per page): 3 sec per page
  • Fax memory: Up to 600 pages
  • Fax note: Based on standard ITU-T test image #1 at standard resolution. More complicated pages or higher resolution will increase the transmission time.
  • Fax resolution, black (dots per inch): Up to 300 x 300 dpi (halftone enabled)
  • Speed dials, maximum number: Up to 120 numbers (119 group dials)
  • Auto Redial: Yes
  • Fax delayed sending: Yes
  • Fax broadcast: 119
  • Junk fax barrier: Yes
  • Polling: Yes (receive only)
  • Remote retrieval: No
  • Fax forwarding: Yes
  • Faxing: Yes

Connectivity

  • Connectivity, standard: 10/100Base-T Ethernet network port, Hi-Speed USB 2.0 compatible port, RJ-11 Fax port, RJ-11 line-out port
  • Connectivity, optional: None
  • Minimum system requirements (PC): Microsoft® Windows® 7 ready. For more information go to http://www.hp.com/go/windows7. Some features may not be available. Windows Vista® (32-bit and 64-bit): 1 GHz processor, 512 MB RAM, check User's Guide for minimum hard disk space; Windows XP-32 Home, XP-32 Professional, XP-x64: any Pentium II processor (Pentium III or higher recommended), 128 MB RAM; Windows Server 2003, 2000 (print driver, scan driver only): any Pentium II processor or higher, 64 MB RAM; for all systems: 250 MB available hard disk space, SVGA 800 x 600 with 16-bit color display, Internet Explorer 5.5 or higher (full install), CD-ROM drive, USB port
  • Minimum system requirements (Macintosh): Mac OS X v10.3, 10.4, 10.5, 10.6; PowerPC G3, G4, G5, or Intel processors; 512 MB RAM; 100 MB available hard disk space; CD-ROM drive; USB or network port
  • Compatible operating systems: Microsoft® Windows® 7 ready. For more information go to http://www.hp.com/go/windows7. Some features may not be available. Windows Vista®, Windows XP Professional x64, Mac OS X v10.3, 10.4, 10.5, 10.6, Linux (see http://www.hplip.net)
  • Operating temperature: 59 to 90.5° F

Photo printing

  • Display: 2.5-in LCD (text)

Dimensions and weight

  • Product dimensions (W x D x H): 19.7 x 16 x 18 in
  • Product weight: 37.8 lb
  • Package weight: 48.4 lb

Power and operating requirements

  • Power supply: Input voltage 110 to 127 VAC (+/- 10%), 50/60 Hz (+/- 2 Hz), 4.5 amp; 220 to 240 VAC (+/- 10%), 50/60 Hz (+/- 2 Hz), 2.6 amp
  • Power consumption, active: 425 watts
  • Power consumption, standby: 15 watts
  • Power consumption, power save: 15 watts
  • Power consumption, off: 0.1 watts
  • Power consumption note: Values subject to change. See http://www.hp.com/support for current information. Power numbers are the highest values measured using all standard voltages.
  • Acoustic power emissions: 6.4 B(A) (continuous print at 27 ppm)
  • Operating temperature range: 59 to 90.5° F
  • ENERGY STAR® Qualified: Yes
  • Software included: HP Toolbox FX, HP LaserJet Scan, TWAIN 1.9 or WIA scanner drivers, HP LaserJet Fax, HP Fax Setup Wizard, Readiris PRO text recognition software (not installed with other software, separate installation required), printer drivers (HP PCL 6, HP postscript level 3 emulation), installer/uninstaller

HP PowerEdge T300 file/print server has the following specifications.

Intel Core 2 Duo E6305 1.8 GHz processor, 2 MB cache, 1066 MHz FSB, Windows Server 2008 R2 included with 10 CALs, 40 GB partition override (restore), dual 160 GB SATA drives, 16x DVD-ROM drive, onboard dual Gigabit Ethernet adapter, and a 3-year hardware warranty.

Software

Windows 7 Professional, Windows Server 2008, Fedora Red Hat Linux 10, VMware vSphere, NetApp FAS6000 (SAN), Microsoft Office Small Business, and McAfee Business AV/Spyware/Hijacker Protection

 

Windows Server 2008

New features in Server 2008 R2 are:

Windows Server 2008 R2 is the first Windows Server to fully support DNSSEC. DNSSEC is a set of security extensions to DNS that lets a resolver verify that the answers it receives are authentic, so that a Web address cannot be silently redirected to an impostor. Windows 7 also supports DNSSEC, which Microsoft claims is a first among client operating systems.

Active Directory Domain Services in Windows Server 2008 R2 support a new forest functional level.

PowerShell cmdlets are the basis of the new streamlined management experience. The team said there were approximately 85 Active Directory Domain Services and Active Directory Lightweight Directory Services related cmdlets available, most of them starting with Get-AD and Set-AD. These new PowerShell cmdlets replace the current Active Directory command line tools (dsget.exe, dsmod.exe, dsadd.exe, dsmove.exe, dsquery.exe and others).

 

Central Task Scheduling

  • Manage tasks on multiple servers
  • Runs on all Windows systems
  • Numerous event-based triggers
  • Many different task types
  • Customizable user interface

Active Directory Administrative Center

The Active Directory Administrative Center is a new task-oriented user interface for the Active Directory Services. You can perform similar tasks as with the Active Directory Users and Computers console (ADUC). It is based on the new PowerShell cmdlets and displays the PowerShell commands that correspond to the tasks performed with the GUI.

Managed Service Accounts

If the password of an account that is used as the identity for services is changed by an admin, the managed service account feature will update all services automatically (requires the R2 functional level). The Active Directory team created a new Active Directory object type called a Managed Service Account. This object type, based on the workstation account, allows for easier management of service accounts in Active Directory.

Since the new object type is based upon the computer account, it is not hindered by account policies like the password policy and the account lockout policy. Additionally, it does not offer interactive logons, which is an added layer of security.

Managed Service Accounts are related to Computer Accounts. You can add multiple Managed Service Accounts to one Computer Account, but you cannot assign a Managed Service Account to multiple Computer Accounts.

The Managed Service Accounts feature requires the Windows Server 2008 R2 Domain level.

Offline Domain Join

Admins can automate the joining of a Windows 7 machine to a domain during deployment with an XML file. The target computer can be offline during the deployment process. The tool that is used to join the domain is djoin.exe.
Authentication Assurance

Authentication Assurance provides an authentication mechanism that allows administrators to map specific certificates to security groups using certificate policies. Users logged on with a smart card, USB token, or some other type of certificate logon method can be distinguished in this way. This feature can be used to grant external users access to corporate resources using Active Directory Federated Services. (Requires R2 functional level)

In a Windows Server 2008 R2 level domain, administrators can map various properties, including authentication type and authentication strength, to an identity. Based on information gathered during authentication (such as use of a smart card for logon, or a certificate that used 2048-bit encryption), these identities are added to Kerberos tickets to provide access to federated resources. In this way the authentication method, and thus the identification, is assured.

Authentication Assurance requires the Windows Server 2008 R2 Domain Level.

Accompanying the Active Directory Administrative Center is the Active Directory Best Practices Analyzer (ADBPA), which will help Active Directory administrators to correct Active Directory problems proactively and compare Active Directory performance with previously made baselines. The version of the Active Directory Best Practices Analyzer (ADBPA) included in Windows Server 2008 R2 (version 1.0) focuses mainly on DNS problems, because they cause the most problems for Active Directory environments. Updates to the Active Directory Best Practices Analyzer (ADBPA) can be made available using Windows Update to address problems that might arise during the lifecycles of your Domain Controllers.

Recycle Bin for Active Directory

Restoring deleted objects from Active Directory Services and Active Directory Lightweight Directory Services in current versions of Windows Server, using the Directory Services Restore Mode, is not for the faint of heart. In this time of economic turmoil proposing an expensive 3rd party application for this purpose to the CFO isn't for the faint of heart either...

Windows Server 2008 therefore comes with a Recycle Bin for Active Directory that can be enabled. This feature enables administrators to quickly undo an accidental deletion from Active Directory. It works like the Recycle Bin on a Windows client and allows an administrator to fully undelete a deleted object, because an object will not get tombstoned (immediately) but made inactive, while all the attributes and values are kept intact for a period of 180 days. After this period it will get recycled for 180 days, which effectively has the same function as the tombstone period.

To make the recycle bin possible a new forest level is introduced.

A lot of advancements are being made to Active Directory management. In Windows Server 2008 R2 not only do we have more reliable authentication and service accounts, but also we can undelete objects in an easier way, join machines to the domains in an easier way and resolve problems more easily and without expensive 3rd party programs.

The .pro domain will be used for internal access to the Linux-based websites, including the FTP server.

.pro is a new top level domain that can be used. It is intended for doctors, lawyers, and other professionals.

Forest and Domain Function level will be set to Server 2008 R2.

Forest: SaratogaHealth.local

Trees: East, West, South, North, Central (?.SaratogaHealth.local, where ? is the tree)

Domains: Saratoga, Ballston Spa, Schuylerville, S. Glens Falls, Clifton Park, Saratoga (?.*.SaratogaHealth.local, where ? is the domain and * is the tree)

.com will be used instead of .pro for the external web site for all locations. This will be handled by the Red Hat Linux machine, shared through Samba.

4 Windows Servers (BHS, BDC & 2nd Global Catalog server, multimaster PDC, and SAN).

A bridgehead server, in S.Glens Falls to Schuylerville and one in Saratoga the ISTG (Preferred) and BDC to Clifton Park Schema Domain Naming Master, Global Catalog, and LDAP.

The Schuylerville server will be the BDC and 2nd Global Catalog.

FSMO multimaster in Ballston Spa (VM): PDC, RID Master, DNS, DHCP, IIS

All intranet activities require login through SSL through the intranet site.

The Linux machine at https://www.SaratogaHealthClinics.com will have the VPN access server.

The intranet site will use PKE.

The AD, DNS, DHCP, and WSUS server addresses are the same.

Realm trust to the Linux Machine with Kerberos

Shortcut trusts to other domains to speed up lookup and links

No cross forest trusts or External trusts are needed

Each office has a digital signature with public and private keys managed by the certificate store in Windows Server 2008 AD, with IIS, FSMO, and PDC backed by alternate servers at each site, and an alternate print server at each site.

RIS on a second 2 TB drive

WSUS (Enterprise Root Certificate Authority)

NAT Traversal (NAT-T) for forwarding packets using IPsec. Regular NAT will cause packet drops.

IPsec Monitor will be set up as well.

Logs will be monitored for file access, login failures, and

Integrated Windows authentication

All email messages to Intraoffice locations must have digital signatures.

Redirect snap-in capability for controlling PCs

MBSA (Microsoft Baseline Security Analyzer) installed as well.

WSUS will handle the updates. People requesting updates will be directed to this server to get them. https://update.saratogahealth.pro/

All updates will happen automatically at night through GPO for the computer object through Auto download and schedule install. Installs will take place at night after 9:30 pm.

 

The software share folder will be assigned, not published. This will take place at night after 12 AM, when all updates and patches are completed.

Per-device licensing

No administrator logon. Admins log on with their own credentials and use the runas feature to access administrator functions.

The Administrator account will be renamed, and Guest accounts will be renamed and disabled along with the default remote and assistance accounts.

Roaming profiles for all users; My Documents redirected to the server for storage, and the My Documents folder on their desktop syncs during offline status.

Security will be enforced through group policy password length.

Windows 7 will be installed from a pre-configured image copy (with all software) on the server through RIS. The medical software requires the use of a .zap file.

Internet zone blocking of known malicious websites (Spybot Search & Destroy feature).

Network LAN settings will use the firewall, Windows Defender, and Spybot Search & Destroy, as well as protocol filtering in the network adapter settings, to provide an additional firewall-type protection.

Due to file-use restrictions we will not use TeaTimer (the registry protector), because Group Policy needs to access and change the registry and TeaTimer would not allow those changes.

Synchronize offline files (copy mode) for the default folder when the network goes offline while users are working on files.

Offline caching is disabled.

Auditing policies enforced.

Printers will be connected through IP addressing and a network share by location, as well as through the CO.

Backups will use Volume Shadow Copy to the SAN server.

All PCs will be imaged through the week and copied to the RIS folder.

Software Restriction Policies enforced.

Smart card required to log on.

Account lockout after 3 failed attempts, with a 5-minute duration.

Desktops on all machines auto-lock after 5 minutes of non-use.
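
The lockout policy just stated (3 failed attempts, 5-minute duration) and the earlier plan to monitor logs for login failures can be checked against a Security log export offline. The following Python script is an added example, not code from this design: it replays a constructed, simplified export of failed (event 4625) and successful (4624) logon records, reports when each account would reach the lockout threshold inside a 5-minute observation window, and flags any successful logon that arrives while the account should still be locked, which would indicate the policy is not being applied wherever that logon was accepted. Account names, times and source addresses are constructed.

```python
"""Replay logon events against the design's lockout policy and flag anomalies."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the design: lock after 3 failures; 5-minute window; 5-minute lockout.
THRESHOLD = 3
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=5)
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed, simplified Security-log export: time, event id, account, source.
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2009-11-02 08:01:10 4625 nurse01 10.54.0.12
2009-11-02 08:01:40 4625 nurse01 10.54.0.12
2009-11-02 08:02:05 4625 nurse01 10.54.0.12
2009-11-02 08:02:30 4624 nurse01 10.54.0.12
2009-11-02 08:10:00 4625 frontdesk 10.54.0.20
2009-11-02 08:20:00 4625 frontdesk 10.54.0.20
2009-11-02 08:30:00 4625 frontdesk 10.54.0.20
"""


def parse_events(text):
    """Return a list of (datetime, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, source = line.split()
        events.append((datetime.strptime(f"{date} {time}", FMT), int(event_id), account, source))
    return events


def detect_lockouts(events, threshold=THRESHOLD, window=WINDOW):
    """Replay failed logons (4625) and report when each account reaches the
    threshold within the observation window. Returns {account: [time strings]}."""
    recent = defaultdict(deque)
    lockouts = defaultdict(list)
    for when, event_id, account, _source in sorted(events):
        if event_id != 4625:
            continue
        q = recent[account]
        while q and when - q[0] > window:      # drop failures that aged out of the window
            q.popleft()
        q.append(when)
        if len(q) >= threshold:
            lockouts[account].append(when.strftime(FMT))
            q.clear()                           # the counter resets once the account locks
    return dict(lockouts)


def is_locked(lockouts, account, at, duration=LOCKOUT):
    """True if `account` is inside a lockout period at time string `at`."""
    t = datetime.strptime(at, FMT)
    return any(0 <= (t - datetime.strptime(start, FMT)).total_seconds() <= duration.total_seconds()
               for start in lockouts.get(account, []))


def demo():
    """Returns (lockouts, suspicious) where suspicious lists successful logons
    that were accepted while the account should have been locked."""
    events = parse_events(SAMPLE_LOG)
    lockouts = detect_lockouts(events)
    suspicious = [(acct, when.strftime(FMT)) for when, eid, acct, _ in events
                  if eid == 4624 and is_locked(lockouts, acct, when.strftime(FMT))]
    return lockouts, suspicious


if __name__ == "__main__":
    locked, odd = demo()
    print("lockouts:", locked)
    print("successful logons during lockout:", odd)
```

In the sample, frontdesk fails three times but ten minutes apart, so the window never holds three failures and no lockout is reported; nurse01 fails three times in under a minute and is locked at 08:02:05, which makes the successful logon at 08:02:30 the event a reviewer should look at.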

Forest functional level: Windows Server 2008

Domain functional level: Windows Server 2008

VM

  • The auxiliary machine will be at least 30 miles from the CO.
  • VMware ESX and ESXi set the record in virtual performance, delivering up to 8,900 database transactions per second, 200,000 I/O operations per second, and up to 16,000 Exchange mailboxes per host.
  • One of the key capabilities in VMware ESX and ESXi is the high performance cluster file system optimized for virtual environments called VMware vStorage VMFS, allowing efficient disk access and enhanced I/O performance.
  • In addition to numerous core kernel performance optimizations, VMware ESX and ESXi support multiple third party technologies that improve virtual performance such as Intel's Extended Page Tables (EPT) and AMD's Rapid Virtualization Indexing (RVI). VMware ESX and ESXi allow virtual machines to be configured with up to eight virtual processors and 255 GB of RAM to support the most resource intensive applications.
  • Deploy mature hypervisor technology that has been proven in tens of thousands of customer environments.
  • The bare metal architecture of VMware ESX and ESXi delivers hardware-like reliability to your applications. Built-in high availability features such as NIC teaming and storage access multipathing protect your virtual machines against hardware component failures, while the advanced security features ensure a secure computing environment.
  • The advanced resource management and support for scaled-up physical machines in VMware ESX and ESXi lets you run virtual machines at twice the consolidation ratio possible with other first-generation hypervisors. Take advantage of hardware systems with up to 64 physical CPU cores and 1 TB of RAM, and run up to 256 virtual machines on a single host to facilitate large-scale consolidation and disaster recovery projects.
  • With VMware ESX and ESXi, you can virtualize any environment, from the corporate data center to the branch office, with a compatibility list that includes hundreds of x86 servers and storage systems, and the broadest range of supported applications and guest operating systems, including Windows, Linux, Netware, Solaris and more.
  • VMware ESX and VMware ESXi form the robust foundation of VMware vSphere and are included in all VMware vSphere editions. VMware vSphere delivers improved service levels and operational efficiency by enabling centralized management, automatic load balancing, business continuity, power management and the ability to live migrate a virtual machine across physical machines to minimize service interruption.
  • Customers can choose to deploy either VMware ESX or VMware ESXi as part of VMware vSphere. All the functionality of VMware vSphere is supported on both VMware ESX and VMware ESXi. In fact, VMware vSphere supports resource pools that contain both hypervisors.

vSphere features:

  • vMotion (live VM migration)
  • Fault Tolerance
  • Data Protection
  • Thin Provisioning
  • High Availability
  • Patch Management
  • Central Management
  • Storage Virtualization
  • Next Generation Hypervisor

Platinum

VMware Platinum Support is designed with your production environments in mind. Our global support centers are staffed around the clock to provide you access to our industry-leading expertise in virtualization supporting virtual infrastructure products in real-world customer environments.

Platinum Support Key Benefits

  • Global, 24x7 support for Severity 1 issues
  • Fast response times for critical issues
  • Unlimited number of support requests
  • Remote Support
  • Online access to documentation and technical resources, knowledge base, discussion forums
  • Product updates and upgrades
  • Length of Service available for 1, 2 or 3 Years

 

Microsoft Office Small Business 2007 product overview

Applies to: Microsoft Office Excel 2007, Outlook 2007, PowerPoint 2007, Publisher 2007, Word 2007

  • Excel: Create spreadsheets, analyze and share information easily.
  • Outlook with Business Contact Manager: Organize and manage customer information.
  • PowerPoint: Create professional-looking presentations quickly and easily.
  • Publisher: Create and personalize marketing materials in-house.
  • Word: Effortlessly create and share documents.

McAfee® security software as a service

Anti-virus, anti-spyware and desktop firewall, plus website blocking, content filtering, vulnerability scanning and PCI compliance, and an email security service with additional protection for your email server. Automatic updates and an online management portal hosted by McAfee, so there is no additional hardware or software to buy.
Fedora Red Hat Linux

The root user will have a complex password of at least 8 characters.

No GUI. The web server runs in a chroot jail with all the bin/bash and lib files it needs, configured. SSH2 will be used for the SaratogaHealth.pro and .com websites.

This will implicitly deny all port access:

hosts.deny:
    portmap: ALL

This will allow these addresses to access this server:

hosts.allow:
    10.54.0.0/27
    10.204.0.0 SaratogaHealth.pro    # Internal servers
    127.0.0.1  localhost             # Loopback

Samba for the internal network, so the SaratogaHealth.pro admin user can connect from the internal network. SaratogaHealth.pro users run in a chroot jail as well. Root will have limited remote access, with root squash: you must log in with the proper credentials on the Linux machine to have root access.

The iptables service will be running. MySQL installed. Apache web server configured with two virtual hosts, one for external and one for internal use. The internal one has direct edit access to the home page for SaratogaHealth.com.

All unnecessary services will be off, and SELinux enforced. SELinux was developed by the NSA (HIPAA compliance). Security policy enforced. Policy: strict.

The policies will be assigned at the Linux server level and to access only. All other functions are controlled on the Linux server. Administrators and web editors who connect through VPN must be added to the Linux server with the same passwords and logon IDs that AD has. This will ensure proper access with no additional information needed.

The Linux server will have DNS as well, but will not have a CNAME record pointing to the internal network.
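
The hosts.deny and hosts.allow entries above are consulted by tcp_wrappers (libwrap), which wrapped services such as sshd and portmap check before accepting a connection. The evaluation order matters: hosts.allow is read first, then hosts.deny, and a client matching neither file is permitted, so a deny entry that names only portmap leaves every other wrapped service open to any source, and a default-deny posture needs an `ALL: ALL` entry in hosts.deny. The following Python model of that evaluation order is an added example, not code from this design or from the tcp_wrappers project: the two file contents are constructed, modelled on the addresses the design lists but written in the real `daemon_list : client_list` syntax, and the matcher handles only `ALL`, exact addresses, and `a.b.c.d/prefix` or `a.b.c.d/netmask` client patterns (hostnames and domain suffixes are not handled).

```python
"""Toy model of tcp_wrappers access control: hosts.allow, then hosts.deny, then permit."""

import ipaddress

# Constructed hosts.allow content, modelled on the design's addresses.
# Real syntax is "daemon_list : client_list"; comments sit on their own lines.
HOSTS_ALLOW = """\
# clinic LAN and loopback may reach every wrapped service
ALL: 10.54.0.0/27, 127.0.0.1
# internal servers: admin SSH only
sshd: 10.204.0.0/255.255.0.0
"""

# The design's deny entry, which names only portmap ...
HOSTS_DENY_PORTMAP_ONLY = "portmap: ALL\n"
# ... and the catch-all that a default-deny posture actually needs.
HOSTS_DENY_ALL = "ALL: ALL\n"


def parse_rules(text):
    """Turn hosts.allow/hosts.deny lines into (daemons, clients) list pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr):
    """ALL, an exact address, a.b.c.d/prefix, or a.b.c.d/netmask."""
    if pattern == "ALL":
        return True
    try:
        ip = ipaddress.ip_address(addr)
        if "/" in pattern:
            return ip in ipaddress.ip_network(pattern, strict=False)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False   # hostnames and domain suffixes are outside this toy matcher


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (("ALL" in daemons or daemon in daemons)
            and any(client_matches(c, addr) for c in clients))


def access_allowed(allow_text, deny_text, daemon, addr):
    """tcp_wrappers order: a hosts.allow match permits, else a hosts.deny match
    refuses, else the connection is permitted."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return False
    return True


def demo():
    """Evaluate the same requests against both deny files.
    Returns {"daemon@client": (portmap_only_verdict, deny_all_verdict)}."""
    cases = [("sshd", "10.54.0.5"), ("sshd", "10.204.3.7"), ("sshd", "10.54.0.40"),
             ("portmap", "198.51.100.9"), ("sshd", "198.51.100.9")]
    return {f"{d}@{a}": (access_allowed(HOSTS_ALLOW, HOSTS_DENY_PORTMAP_ONLY, d, a),
                         access_allowed(HOSTS_ALLOW, HOSTS_DENY_ALL, d, a))
            for d, a in cases}


if __name__ == "__main__":
    for key, (portmap_only, deny_all) in demo().items():
        print(f"{key:22s} portmap-only deny: {portmap_only}   ALL:ALL deny: {deny_all}")
```

The two columns differ exactly where it matters: with the portmap-only deny file, sshd from 198.51.100.9 (and from 10.54.0.40, which lies outside the /27) is permitted because nothing refuses it, while the `ALL: ALL` file refuses both and still lets the hosts.allow entries through.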

IPChains will also be enabled on the Linux Server. This is your firewall

 

Redundant Connections and Backup

 

ISP to provide fiber lines into the Sites with an Analog dial backup lines as well. Central Office will be Ballston Spa site, with the redundant backup site as South Glens Falls.

If the main server in the Central Office fails, service will move to the hot standby in the Central site. If the power grid fails or a disaster strikes the CO, the hot standby becomes the backup VM server located at the South Glens Falls site. The redundant server is there to ensure that the sites have a constant connection to the server and the software on it. This will ensure that there is no loss of connection, and failover will happen with no recognizable impact to the users.

 

GSE-12 Solar to UPS battery (Main Power recharge compatible)

20 Panels will power 10 Servers and 5 Workstations for 48 hours non-continuous or 10 Servers for 96 hours continuous.

The state-of-the-art lead-acid battery is the valve-regulated type (sometimes called "sealed" or maintenance-free), which fixes the acid electrolyte in a gel or in an absorptive fiberglass mat. The advantage of this design is that the battery needs no water additions, can be operated in any position, and can be used in close proximity to people and sensitive equipment.

Universal Battery is a leader in competitively priced sealed absorbent glass mat (AGM) and gel technology. This new technology provides the following benefits compared to old technology wet batteries:

Workstations

 

Windows 7 machines: Group Policy will also rename the Administrator and Guest accounts, as well as disable the Guest and default remote accounts.

Group Policy from AD will be applied to the computer objects and enforced during boot. User specifics will be applied through Group Policy to the user objects and redirect their My Documents to the SAN server location file://san01/Users/... Disk quotas enabled: 150 MB.

Roaming profiles for all users: My Documents redirected to the server for storage, and the My Documents folder on their desktop syncs during offline status. Offline caching is disabled.

Security will be enforced through Group Policy (password length).

Windows 7 to be installed from a pre-configured image copy (with all software) on the server through RIS. The medical software requires the use of a .zap file.

Internet Zone blocking of known malicious websites (Spybot Search and Destroy feature).

Network LAN settings will use the firewall, Windows Defender and Spybot Search and Destroy, as well as protocol filtering in the network adapter settings, to provide an additional firewall-type layer of protection.

We will not use the Tea Timer (registry protector) because Group Policy needs to access and change the registry, and Tea Timer would block those changes.

Synchronize offline files (copy mode) for the default folder when the network goes offline while users are working on files.

Auditing policies enforced.

Printers will be connected through IP addressing and a network share for their location, as well as through the CO.

Backups will use Volume Shadow Copy to the SAN server.

All PCs will be imaged during the week and copied to the RIS folder.

Software Restriction Policies enforced.

 

Training

 

Medical software training will be provided by us for all staff. We will train your employees at a location and time of your choosing. We will train them all at once or in two groups. The training should take place over a 2-day period of 2 hours each day. The medical software we chose is very similar to the CMS software you were using; the differences are the form types and layout. Functionality and ease of use were priorities in choosing one that your employees will find easier to learn and use to manage accounts. The billing layout is similar and the coding has very little difference. We will have virtualized desktop software on some of our laptops laid out in the location and will walk your staff through the process from scheduling, entering patient information, diagnosis, and follow-ups. We will use a training program that also comes with the software, and show a few representatives of your company how to use it for training as we go through this conversion.

 

Physical Security and Software Security

 

 

Physical security for the server rooms: card access will be required to enter the Central and remote server rooms. Doors are included in the install price, and card readers will be coded for IT personnel. They will have electronic door locks with key override. Network Administrators will have smart cards and smart card readers attached to the physical servers. Each smart card must be removed when not in use. The DVD-RW drives and USB access will be disabled. Administrative access to USB or DVD-RW devices will be allowed through the command line or using the runas command. Admins must log in to servers as their own user name and use the runas function in order to execute programs or make changes. No Administrator logon at the console. No remote access. No remote assistance.

MMC will administer site devices, with direct connection to the routers and switches.

 

Testing the Network

 

The network will be tested and stress tested by our staff with workloads to ensure that it exceeds the standards it is expected to perform at. All installers and support staff from our company will be at all sites to ensure that everything is functioning and to resolve any issues prior to the live run.

 

Preparation for Live Run

 

All network connections are to be tested for connectivity prior to the live run, and we will make sure all events are logged and that error and informational alerts are being received. We will disconnect devices, shut off devices, cause conflicts and other problems on the network, and resolve the issues. All events will be checked for accuracy to ensure they are being received from routers, switches, software, workstations and Windows servers.

 

Live Run of system

 

All support staff are to be at all sites 2 hours prior to beginning the switch to the live run. At 8 AM the new system will come online and we will log on all staff prior to their arrival. This will ensure everything is ready when they arrive at 9 AM. Old system computers will be temporarily added to the system in the old computers folder in AD and connected to the old system as a redundant connection in case of problems, so business can still be conducted as usual. By 9:30 we should see any problems with links into the system. Support staff will remain at all sites throughout the week. Successful implementation will be determined at the end of the week. The 30-day on-site support will begin when Saratoga Health and our technical staff agree that the system is running optimally with little to no problems after the week is finished.

 

Onsite support

We will provide 5 people to remain onsite for the full 30 days, one person per site, except during the lunch hour. No more than two of our support people shall be out of the office at a given time; if two go to lunch, the others must wait for them to return before they go. A pager number will be available to your staff to call during these times if there is no one on site to help. We will resolve any and all issues in a timely fashion, based on the problem. As with any new network there might be minor problems to work out during the first few weeks, and these will be resolved by us. If a problem should arise towards the end of the 30-day support, we will stay onsite to fix the problem, and a couple of people will stay on an extra week to ensure the problem is resolved.

 

60 days additional onsite support

 

We shall provide 60 days of additional pager and onsite support. If a problem should arise, your staff will be able to page us and expect a return call within 30 minutes. We will arrive on site within one hour of the original page. We will resolve any issues that Saratoga Health is having with the network at no cost, with the exception of misconfigurations caused by Saratoga Health. We will walk your IT person through the steps to determine the problem and resolve it.

 

Removal of old equipment

All old equipment will be removed from the desks after the successful live run of the system. It will be stacked in the server room closet until a decision is made by Saratoga Health as to what will be done, and by whom. The old equipment can be recycled, and the money from the recycling will be returned to Saratoga Health. The old equipment value is estimated at $700.00, including the server, through our recycler. Saratoga Health has the option to get a second recycler offer if they so choose.

Old equipment will be removed by us if Saratoga Health so chooses. The hard drives of all old equipment will be backed up onto a disk and handed over to a Saratoga Health representative or IT support person on their staff. Hard drives will be removed and destroyed onsite after an NSA-level wipe in front of a Saratoga Health representative. The old server will remain onsite for possible recovery of information; once that is completed, its hard drive will be NSA-level wiped in front of an authorized representative. All removed equipment will be documented on removal with make, model, and the specs it had when removed. A data sheet will be provided to Saratoga Health to get quotes for the recycling prices. Each piece of equipment will be marked with a reference number for Saratoga Health to use with the sheet, so they can look up the reference number on the sheet and find the specs. All old equipment will be numbered in accordance with the size of the machine for stacking purposes.

Additional services we provide

 

We also have 5 contract members on staff who are currently available as personnel for IT network and server support.

This feature is only for one year, after which time you have the option to hire them permanently. They are all certified network technicians and hold MSNA, MSNE and Cisco certifications, as well as VM specialist certifications. If you choose to have our IT support staff you receive a 10% network installation charge, and you will decide which person you would like. We will have all 5 available to interview with you. You may choose one or two: one primary and one secondary (on call), as on-call contract personnel. You would page them, and they will be onsite within one hour. We also offer this function for you to have 24/7 on-call support within one hour. The on-call personnel are paid through us, with you paying for service as needed. This seems to be the way companies are choosing to go, rather than taking on new personnel. There are some drawbacks to this, as you do not have a dedicated person on staff to help with any and all issues immediately. While we build our networks to update regularly and to distribute updates, an onsite person will also look at other areas of your network that people often forget about. Regular server maintenance and upkeep can get costly on an on-call basis, as can fixing problems after they occur. Most network issues can be fixed prior to failure: an onsite person might detect a coming problem and fix it first. Servers need proper cleaning and dusting; dust is a deadly element to computers.

 

 

EMR Software

 

Based on product efficiency and ease of use for physicians and clinical staff alike, the best product out there appears to be from a company called Allscripts. This company specializes in the specific needs of the physician, rather than preloaded software that the company thinks the physician and nurses need.

The overview is simple:

  • One integrated solution covering practice management, EMR, and claims management...everything you need to keep your practice operating at top efficiency.
  • One unified database that makes finding the information you need for clinical or business operations fast and effortless.
  • One great way to apply healthcare information technology to your practice: Allscripts MyWay.
  • Designed for smaller-sized physician practices.
  • Designed for the unique working environments found in primary care specialties.
  • Designed to give you a choice: select a hosted service to minimize the cost and effort of using advanced technology; pick the on-premise version to leverage your current IT infrastructure and in-house capabilities.
  • Designed to work the way you do: quick, efficient, thorough and competent.

 

And, despite its simplicity, Allscripts MyWay doesn't compromise on providing the features and functions you need to be successful in every aspect of your practice.

 

  • Practice Management
    Schedule patients, allocate resources, pull reports, handle the demographic details that profile contact points, insurance coverage, pharmacies used, and link it all into your billing process.
  • Electronic Medical Records
    Build a patient history, do clinical charting, capture lab results, handle e-prescriptions and eliminate the paper chase. You've got a full-featured EMR capability to enhance your clinical operations.
  • Claims Management
    Your financial performance is covered with features that span the entire revenue cycle and make transactions, filing claims and receiving payments easier and faster than ever before.

 

The technology behind Allscripts EMR is simple enough for even the smallest IT team and can be scaled up to the savviest team. The medical staff will require little training, as the interface is easy to learn and can be tailored to a small practice, so everyone is able to work with very few questions after the training. Below are some of the support points that Allscripts has to offer a company such as ours:

  • Product Specialists are responsible for using their detailed knowledge of our solutions to analyze customer workflow, offer system setup advice, complete system setup, provide training and product demonstrations, and assist in issue resolution.
  • Release-based enhancements include additions to or extensions of software functionality and features released on a periodically scheduled basis.
  • An automated case management system is used to manage customer, product, and contact information. Each issue is reported, tracked, and resolved through this system.
  • Product documentation includes system requirements, reference information, installation, upgrade, and configuration instructions, and other product-related documents.
  • Internet case submission/review is available at no charge through WebFirst, the customer component of our case management system. You can electronically submit cases directly to the Resolution Center and follow the status of each issue through the tracking and resolution process.
  • The Allscripts Resolution Center provides access to toll-free support, 24 hours per day, 365 days per year.

 

IP Ranges

Advanced Technology Solutions

Statement of Work

Version 0.0

11/18/09

 

Time and materials

Client name: Saratoga Health Clinics
Client's administrator: Dale McKay
Project name: New Network Design, and Installation
Engagement duration: 120 Days
Begin date: 11/27/09
End date: 02/28/10


Item description | Delivery schedule (business days) | Cost (estimate)
Software | 45 Days | $443,257.70
Hardware | 45 Days | $227,344.48
Setup and install all hardware, PCs, laptops, router(s), switches, and any other needed network devices | 45 Days |
Setup AD, DNS, DHCP, SAN, virtual machines, and all other software | 45 Days |
Installation cost | 90 Days | $85,000
Cabling, wall plates, switches, and routers for 5 sites | 30 Days |
Testing and 90 day support | Immediate | Free
Total Cost | N/A | $755,602.19


Payment terms

Phase | Completion date | Payments due
Hardware | 2/10/10 | 60 Days
Software | 01/20/10 | 60 Days
Installation | 02/28/10 | 30 Days after Live run
Live run of system | 02/20/10 |


Statement of work

 

Assumptions

The project is to be completed with a successful test and live run of the system. All user access and restrictions will be implemented prior to the end date and live test of the system. Group Policy will handle security restrictions for all objects within the domains. Group Policy will handle all certificates and trusts. Distribution of updates, patches, and service packs will be handled by WSUS.

 

 

Change management process

Advanced Technology Solutions will front the costs until the scope of change is settled, subject to the payment due dates listed above. Payment due dates will be adhered to by Saratoga Health as per the terms in Payment terms above.


Engagement related expenses

Advanced Technology Solutions will assume all costs for this install with regard to the specified scope above, including all products and services. Payment is to adhere to the payment due dates specified above.

 

Professional services agreement

All licenses for servers and PCs will be handled by Advanced Technology Solutions in accordance with the above specified terms. All security, updates, service packs, and patches will be handled by Advanced Technology Solutions, and once the project is completed, the Saratoga Health Clinics administrator will assume responsibility for these. All network security specifications and requirements will be overseen by Saratoga Health's administrator, and installed on the machines by Advanced Technology Solutions.

 

Acceptance and authorization

Saratoga Health agrees to take responsibility for the network after the live run is completed and the term of 90 days expires. If a problem is caused by Saratoga Health after the 90 days, Saratoga Health will pay the minimum consultant fee to Advanced Technology Solutions to resolve the problem, should they choose to consult them. All cabling and installation work is guaranteed by New Horizon's to be free from defect for 36 months, and all hardware is warrantied through the manufacturer for 1 year. If a problem should occur with hardware or software as far as defective product within 1 year (cabling within 3 years), Advanced Technology Solutions will correct the problem at no charge to Saratoga Health. If Saratoga Health does damage to the items mentioned and the problem is not with hardware, software or cabling, they hereby release Advanced Technology Solutions from fault, and charges might apply. Advanced Technology Solutions will perform all onsite service within the 90 days free of charge and within an hour and a half response time from the first call. Advanced Technology Solutions will provide Saratoga Health with the beeper numbers for service technicians, and will adhere to and uphold our quality of service guarantee to Saratoga Health.

The terms and conditions of the Professional Services Agreement apply in full to the services and products provided under this Statement of Work.

IN WITNESS WHEREOF, the parties hereto each acting with proper authority have executed this Statement of Work, under seal.

 

Saratoga Health Clinics | Advanced Technology Solutions
Full name: | Full name:
Title: President /CEO/Owner | Title: Owner
Signature: | Signature: Dan Tindall
Date: 11/19/10 | Date: 11/19/10

 

Budget