• Status: Solved

Set up a failover ISP

We have a small company that has several remote sites. We use Terminal Services to connect through the internet to the server. Users start a desktop Terminal Services icon that points to mycompany.com.

I have a SonicWall TZ170. I have two internet providers, ISPA and ISPB. I have a static ip from each provider: a.a.a.a and b.b.b.b. I have set provider ISPA up as the primary provider.

I have an A record at my hosting site that points to a.a.a.a. I also want the hosting site to point to b.b.b.b. Then, when users start up the TS icon, if ISPA is down, they will go to ISPB.

My first question is, am I handling this in the correct manner? If so, can I have two A records that point to different static IPs? If not, what is the best way to accomplish this task?
Asked by: rodneygray
1 Solution
 
VCBoothCommented:
Is the TZ170 using Enhanced OS? If so, then you simply create two address objects, Address 1 with a.a.a.a and Address 2 with b.b.b.b. You then create a group called "Addresses" and add Address 1 and Address 2.

Create your firewall and NAT policy to allow Addresses access to your internal server. Caveat: you can only NAT an internal server to a single IP outbound (multiple inbound). So NAT it to a.a.a.a, which is on X1. With WAN failover, the SonicWALL automatically knows to NAT it to X2, so don't worry about it.
0
 
rodneygrayAuthor Commented:
Sonic Wall OS: SonicOS Enhanced 3.1.0.11-30e
I assume I create the address objects on the SonicWall. Do I create those in access rules?

How would my remote sites get to the primary site if primary ISPA fails? When their desktop TS icon is started, it points to mycompany.com. The A record IP address would cause DNS to point to the router that no longer functions. Wouldn't DNS have to be set up to point to the ISPB address b.b.b.b in that case?
I just don't see how "Addresses access to internal server" would work if DNS does not point to the site.

Thanks for your help in this matter.
0
 
gunguyCommented:
VCBooth is correct on the SonicWALL config, but I believe your real question is a DNS question.

You can NOT have two A records of the same name point to two different IP addresses, e.g. ts.mydomain.com cannot point to a.a.a.a AND b.b.b.b.
You would need TWO A records: tsa.mydomain.com -> a.a.a.a and tsb.mydomain.com -> b.b.b.b. You could then set up two TS icons for your users, a primary and a secondary. Instruct them to use the primary and, if it does not work, then use the secondary.

There are some dynamic DNS providers that may allow you to run an agent on a PC at your inside location such that if your SonicWALL had to fail over, it would automatically update your DNS server to the secondary IP. This is not a 'normal' industry-standard type of thing. Not something that I would recommend for my clients, but it may work for you.

Really, the best solution is to use a VPN from each remote site to your primary location. The SonicWALL VPNs can be configured with secondary peers, so if your primary ISP is down the tunnel will automatically come back up on the secondary provider. This works pretty darn well, keeps Terminal Services CLOSED to the outside world, and gives you stronger encryption of the data being transferred via TS.
0
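Added example, not code from this thread and not SonicWALL configuration: the DNS half of the question comes down to client behaviour. Handing a name back with more than one address only gives the asker's users automatic failover if the client itself walks every address it resolves and falls through on failure, and a dead ISP usually black-holes packets rather than refusing them, so the per-address connect timeout is what actually moves the client on. The hostname mycompany.com is never resolved here; the demo stands in for a.a.a.a and b.b.b.b with constructed loopback endpoints (a closed port for the dead primary, a live listener for the secondary), so it runs offline.

```python
"""Client-side failover across every address a hostname resolves to.

Added example (not from the original thread). Addresses, ports and the
loopback stand-ins for the two ISPs are constructed for illustration.
"""
import socket
from typing import Callable, Iterable, List, Optional, Tuple

Addr = Tuple[str, int]
Connector = Callable[[Addr, float], socket.socket]


def resolve_all(hostname: str, port: int) -> List[Addr]:
    """Every IPv4 address the resolver returns for hostname, in resolver order.

    With two A records for one name this yields both addresses. It needs live
    DNS, so the demo and test pass address lists in directly instead.
    """
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    addrs: List[Addr] = []
    for _family, _socktype, _proto, _canonname, sockaddr in infos:
        if sockaddr not in addrs:
            addrs.append(sockaddr)
    return addrs


def connect_with_failover(
    addrs: Iterable[Addr],
    timeout: float = 3.0,
    connect: Connector = socket.create_connection,
) -> Tuple[Optional[socket.socket], List[str]]:
    """Try each address in order; return (socket_or_None, attempt_log).

    An ISP outage typically black-holes SYNs rather than refusing them, so the
    connect timeout, not a refusal, is what lets the client leave a.a.a.a and
    move on to b.b.b.b. Without a bounded timeout the user just waits.
    """
    log: List[str] = []
    for addr in addrs:
        host, port = addr
        try:
            sock = connect(addr, timeout)
        except OSError as exc:  # refused, unreachable, and timeouts all land here
            log.append(f"{host}:{port} failed: {type(exc).__name__}")
            continue
        log.append(f"{host}:{port} connected")
        return sock, log
    return None, log


def demo() -> List[str]:
    """Offline demonstration on loopback with constructed stand-ins.

    'primary' is a loopback port nothing listens on (a.a.a.a behind a dead
    ISP: the connect fails); 'secondary' is a live loopback listener (b.b.b.b).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    secondary: Addr = listener.getsockname()

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    primary: Addr = probe.getsockname()
    probe.close()  # port is now closed, so connecting to it is refused

    sock, log = connect_with_failover([primary, secondary], timeout=1.0)
    if sock is not None:
        sock.close()
    listener.close()
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The log from `demo()` shows the primary attempt failing and the secondary connecting. A plain desktop icon gives you none of this: the fallback only exists if the client program implements it, which is why the VPN with a secondary peer, where the firewall rather than each user handles the failover, is the cleaner answer.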
 
rodneygrayAuthor Commented:
The VPN idea is probably the best idea and is the one I will use.
0
