Network Design help

Hello there,

I want to redesign my network for security reasons. The company has some static IPs. We have 1 web server and 2 application servers (AS). The AS is used by the staff to do their everyday tasks. We also have branch offices around the country, and these branch users connect remotely via RDP to the AS and do their work. These servers are directly connected to a D-Link switch on which the ISP internet is connected. Then we have another D-Link switch which again the servers are connected to. I mean these servers have two NICs, one of these NICs is WAN and the other is LAN. The LAN is for the local users and the WAN for the remote users.
Now I want to put a UTM between the ISP internet and the local network. The UTM I have selected is Zentyal (EBox). I have set up a machine for Zentyal. Now my question is, do I still need to have 2 D-Link switches on the local network or will 1 D-Link do? I mean, how will the remote users connect now since the UTM has been placed between the internet and the local network? Please help me as I am not an expert in networking. Appreciate your help.

aleghart Commented:
The switch is what connects all of the computers into a LAN.  The patch panel is no different than a plug on the wall.  It just happens to terminate all of the remote jacks in your server closet.

The important concept is that _all_ network equipment must be patched into the switch(es).  In your case, a single 48-port switch would work fine.  If yours aren't that big, then you'll have to link them together.

"Dumb" switches (no routing) connect to each other with a single patch cable.  Newer switches don't require anything special: a straight-through patch cable in any port will work.  The switch will automatically turn the port into an uplink.  Older switches will have one or more designated ports with a manual uplink (MDI/MDIX) switch or button.

The second NICs in your application servers should no longer be required for WAN connections.  Use only the LAN NIC to the switch.

The firewall's WAN port plugs into your ISP's equipment.  The firewall LAN port plugs into your LAN switch.  You only need one WAN port and one LAN port on the firewall.
One switch will work, connected to the LAN side of your firewall.  Your application servers will sit on the LAN only.  Your firewall will have NAT rules to connect your outside users through the firewall and to the servers.

Each WAN IP address will be translated to the LAN IP address of the server.

Since your LAN users are already connecting to the servers with a LAN connection, there should be no change for them.  Your remote users won't know there's a difference either.
To be protected, all your servers need to be behind the Firewall/UTM.  This means no dual NICs.  You will forward the ports for the services you need (RDP) from the WAN to the LAN using rules or policies on the UTM.  The number of switches is irrelevant really.  The switches can both be on both the WAN and LAN networks at the same time.  A basic setup would look like ISP > router > UTM > switches > servers/workstations/printers.  You will now be able to control all WAN/LAN access from the UTM.

- Don't worry about the switches, just use the number you need to provide enough ports.
- DO worry about what ports are open to the world.
zolf (Author) Commented:
So I will unplug the WAN NIC. On the firewall I will have NAT, for e.g. saying users using RDP should be forwarded to the server's LAN IP.

Also the devices will be like this:

ISP > UTM > Switch > Server,Patch Panel,Wireless AP.
"modem" or other handoff device
LAN nodes (servers, desktops, printers, WAP)

A patch panel is infrastructure hardware, so it would not appear in a network diagram.  Similarly, you wouldn't list patch cables, wire in wall, jacks, etc.

I think you've got it down pat.
SacTechGroup Commented:
zolf, when you say 'unplug the WAN NIC' .. well it depends.  If you are talking about your new UTM, then not necessarily.  Your UTM (like most) will have the WAN NIC connected to the ISP router while its LAN NIC will be connected to a LAN switch.  The UTM then bridges the LAN and WAN networks.

Your public static IPs will then answer on the UTM's WAN port and forward desired services to the specified servers/IPs on the LAN.  This forwarding happens by means of NAT rules and firewall policies.

That is a generalized overview.  There are many little steps in configuring the UTM that you will need to refer to its manual to figure out.  Typical setups include defining address book entries for hosts (your servers) and also specifying services (RDP uses port 3389).  Since you have multiple RDP servers you will need to use multiple public IPs (one each) or change the port on the secondary servers and make rules that match etc.

Lots to be done
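To make the NAT step concrete (aleghart's "each WAN IP address will be translated to the LAN IP address of the server" and SacTechGroup's point about two RDP servers needing either two public IPs or a changed port), here is a small model of the UTM's port-forward table. This is an added example, not Zentyal's own configuration or anything posted in the thread; the public addresses, LAN addresses and the alternate port 13389 are made-up values.

```python
"""Model of a UTM port-forward (DNAT) table for the RDP servers in the thread.

Constructed example; 203.0.113.x, 192.168.1.x and port 13389 are made-up values.
"""
from dataclasses import dataclass

RDP_PORT = 3389  # the service the remote branch users need


@dataclass(frozen=True)
class Forward:
    public_ip: str    # static IP that now answers on the UTM's WAN port
    public_port: int  # port the remote user connects to
    lan_ip: str       # application server behind the UTM
    lan_port: int     # port the server actually listens on


def check_rules(rules):
    """Return conflicts: two rules claiming the same public IP and port.

    The UTM matches on (public_ip, public_port) only, so a second rule on the
    same pair can never be reached; the second server would be unreachable.
    """
    seen, conflicts = {}, []
    for r in rules:
        key = (r.public_ip, r.public_port)
        if key in seen:
            conflicts.append(f"{key[0]}:{key[1]} already goes to {seen[key]}, "
                             f"cannot also go to {r.lan_ip}")
        seen.setdefault(key, r.lan_ip)
    return conflicts


def exposed(rules):
    """Everything open to the world: the list the second answer says to worry about."""
    return sorted({(r.public_ip, r.public_port) for r in rules})


def lookup(rules, public_ip, public_port):
    """Translate a remote user's destination the way the UTM's DNAT would."""
    for r in rules:
        if (r.public_ip, r.public_port) == (public_ip, public_port):
            return (r.lan_ip, r.lan_port)
    return None  # no matching rule: the UTM drops the connection


# Option 1 from the thread: one public IP per RDP server, standard port on both
ONE_IP_EACH = [Forward("203.0.113.10", RDP_PORT, "192.168.1.10", RDP_PORT),
               Forward("203.0.113.11", RDP_PORT, "192.168.1.11", RDP_PORT)]
# Option 2: one public IP, second server reached on a non-standard external port
SHARED_IP = [Forward("203.0.113.10", RDP_PORT, "192.168.1.10", RDP_PORT),
             Forward("203.0.113.10", 13389, "192.168.1.11", RDP_PORT)]
# The mistake the thread warns about: both servers on the same IP and port
CLASH = [Forward("203.0.113.10", RDP_PORT, "192.168.1.10", RDP_PORT),
         Forward("203.0.113.10", RDP_PORT, "192.168.1.11", RDP_PORT)]
```

Remote users in option 2 would open `203.0.113.10:13389` in their RDP client and land on the second server's normal port 3389; `exposed()` shows exactly which public endpoints the table opens.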
zolf (Author) Commented:

>>A patch panel is infrastructure hardware
Appreciate your help. See, all the computers (45) in our network are connected to the patch panel. From what I understand, 1 port of the patch panel will be connected to 1 port of the switch, so that these computers will have access to each other and the internet. Correct?? Please clear my doubt.

Thanks for the feedback. At present I have 4 NICs but only 2 are in use, one for the LAN and the other for WAN. Now from what I have understood, I will have to enable another NIC on the UTM machine to allow RDP on the other AS.
This part I did not understand:
>>) or change the port on the secondary servers and make rules that match etc.  
zolf (Author) Commented:


I meant the WAN NIC of the AS which are at present connected directly to the internet. If I set up the UTM then the WAN NIC which I have on these AS will not be needed and the LAN NIC will be used. Correct??
zolf (Author) Commented:

On the AS NIC, do I have to also assign a Default Gateway, or is it not needed?
Default gateway should be the LAN gateway IP address.  You could leave it blank, and let it "guess".  It might work...but really better to put the gateway in explicitly.  Some installations have two possible gateways: the internet router, and the network router.  Either will work, but using the internet router as a gateway may bypass some rules in place on the network router.  (That only applies if you have Layer 3 switches for your network switches.)