Network Design help

Hello there,

I want to redesign my network for security reasons. The company has some static IPs. We have 1 web server and 2 application servers (AS). The AS are used by the staff to do their everyday tasks. We also have branch offices around the country, and these branch users connect remotely via RDP to the AS and do their work. These servers are directly connected to a D-Link switch on which the ISP internet is connected. Then we have another D-Link switch, to which again the servers are connected. I mean these servers have two NICs, one of these NICs is WAN and the other is LAN. The LAN is for the local users and the WAN for the remote users.
Now I want to put a UTM between the ISP internet and the local network. The UTM I have selected is Zentyal (eBox). I have set up a machine for Zentyal. Now my question is: do I still need to have 2 D-Link switches on the local network, or will 1 D-Link do? I mean, how will the remote users connect now, since the UTM has been placed between the internet and the local network? Please help me, as I am not an expert in networking. Appreciate your help.

cheers
Zolf
aleghart

One switch will work, connected to the LAN side of your firewall.  Your application servers will sit on the LAN only.  Your firewall will have NAT rules to connect your outside users through the firewall and to the servers.

Each WAN IP address will be translated to the LAN IP address of the server.

Since your LAN users are already connecting to the servers with a LAN connection, there should be no change for them.  Your remote users won't know there's a difference either.
To be protected, all your servers need to be behind the Firewall/UTM.  This means no dual NICs.  You will forward the ports for the services you need (RDP) from the WAN to the LAN using rules or policies on the UTM.  The number of switches is irrelevant really.  The switches can both be on both the WAN and LAN networks at the same time.  A basic setup would look like ISP > router > UTM > switches > servers/workstations/printers.  You will now be able to control all WAN/LAN access from the UTM.

- Don't worry about the switches, just use the number you need to provide enough ports.
- DO worry about what ports are open to the world.
Zolf (ASKER)

So I will unplug the WAN NIC. On the firewall I will have NAT, for e.g. saying users using RDP to 89.122.123.133 should be forwarded to the server's LAN IP 192.168.0.1.

Also the devices will be like this:

ISP > UTM > Switch > Server, Patch Panel, Wireless AP.

aleghart

ISP
"modem" or other handoff device
firewall
switch
LAN nodes (servers, desktops, printers, WAP)

A patch panel is infrastructure hardware, so it would not appear in a network diagram.  Similarly, you wouldn't list patch cables, wire in wall, jacks, etc.

I think you've got it down pat.
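One way the WAN-to-LAN RDP forward discussed above looks as raw packet-filter rules on a Linux-based UTM, as an added example that is not from the thread and not Zentyal's own configuration format. The public and LAN addresses are the ones Zolf quoted; the interface names and the branch-office address range are assumptions.

```shell
#!/bin/sh
# Added example: DNAT the public IP to the application server for RDP only,
# and let that traffic through solely from the branch offices' address range.
# Assumes a Linux UTM with iptables; interface names and BRANCH_NET are assumed.
WAN_IF="eth0"                 # assumption: WAN-facing NIC on the UTM
LAN_IF="eth1"                 # assumption: LAN-facing NIC on the UTM
PUBLIC_IP="89.122.123.133"    # public IP quoted in the thread
SERVER_IP="192.168.0.1"       # application server LAN IP quoted in the thread
BRANCH_NET="203.0.113.0/24"   # placeholder for the branch offices' public range

# Emit the rules for review by default; run with APPLY=1 to load them.
rule() {
  if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

forward_rdp() {
  # 1. Translate public IP:3389 to the server's LAN address (the NAT step).
  rule -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 3389 \
       -j DNAT --to-destination "$SERVER_IP:3389"
  # 2. After DNAT the packet is addressed to the server; allow it only from the branches.
  rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$BRANCH_NET" -d "$SERVER_IP" \
       -p tcp --dport 3389 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  # 3. Return traffic for sessions the server has already accepted.
  rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 4. Everything else from the WAN towards the LAN is dropped: only RDP is open to the world.
  rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j DROP
}

forward_rdp
```

Without the explicit FORWARD accept in step 2 the DNAT alone does nothing useful, and without step 4 the port forward is the only thing standing between the WAN and every LAN host.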
SOLUTION
SacTechGroup
Zolf (ASKER)

aleghart:
>>A patch panel is infrastructure hardware
Appreciate your comments. You see, all the computers (45) in our network are connected to the patch panel. From what I understand, 1 port of the patch panel will be connected to 1 port of the switch, so that these computers will have access to each other and the internet. Correct?? Please clear my doubt.

SacTechGroup:
Thanks for that feedback. At present I have 4 NICs but only 2 are in use, one for the LAN and the other for WAN. Now from what I have understood, I will have to enable another NIC on the UTM machine to allow RDP on the other AS.
This part I did not understand:
>>) or change the port on the secondary servers and make rules that match etc.
Zolf (ASKER)

SacTechGroup:

I meant the WAN NIC of the AS, which are at present connected directly to the internet. If I set up the UTM, then the WAN NIC which I have on these AS will not be needed; only the LAN NIC will be used. Correct??
ASKER CERTIFIED SOLUTION
Zolf (ASKER)

On the AS NIC, do I have to also assign a Default Gateway, or is it not needed?

Default gateway should be the LAN gateway IP address.  You could leave it blank, and let it "guess".  It might work...but really better to put the gateway in explicitly.  Some installations have two possible gateways: the internet router, and the network router.  Either will work, but using the internet router as a gateway may bypass some rules in place on the network router.  (That only applies if you have Layer 3 switches for your network switches.)