Solved

Network Design help

Posted on 2010-11-18
299 Views
Last Modified: 2012-05-10
Hello there,

I want to redesign my network for security reasons. The company has some static IPs. We have 1 web server and 2 application servers (AS). The AS is used by the staff to do their everyday tasks. We also have branch offices around the country, and these branch users connect remotely via RDP to the AS and do their work. These servers are directly connected to a D-Link switch on which the ISP internet is connected. Then we have another D-Link switch which again the servers are connected to. I mean these servers have two NICs, one of these NICs is WAN and the other is LAN. The LAN is for the local users and the WAN for the remote users.
Now I want to put a UTM between the ISP internet and the local network. The UTM I have selected is Zentyal (eBox). I have set up a machine for Zentyal. Now my question is: do I still need to have 2 D-Link switches on the local network, or will 1 D-Link do? I mean, how will the remote users connect now since the UTM has been placed between the internet and the local network? Please help me as I am not an expert in networking. Appreciate your help.

cheers
Zolf
0
Question by:zolf
10 Comments
 
LVL 32

Expert Comment

by:aleghart
ID: 34170715
One switch will work, connected to the LAN side of your firewall.  Your application servers will sit on the LAN only.  Your firewall will have NAT rules to connect your outside users through the firewall and to the servers.

Each WAN IP address will be translated to the LAN IP address of the server.

Since your LAN users are already connecting to the servers with a LAN connection, there should be no change for them.  Your remote users won't know there's a difference either.
0
 
LVL 2

Expert Comment

by:SacTechGroup
ID: 34170719
To be protected, all your servers need to be behind the Firewall/UTM.  This means no dual NICs.  You will forward the ports for the services you need (RDP) from the WAN to the LAN using rules or policies on the UTM.  The number of switches is irrelevant really.  The switches can both be on both the WAN and LAN networks at the same time.  A basic setup would look like ISP > router > UTM > switches > servers/workstations/printers.  You will now be able to control all WAN/LAN access from the UTM.

- don't worry about the switches, just use the number you need to provide enough ports.
- DO worry about what ports are open to the world
0
 

Author Comment

by:zolf
ID: 34170828
So I will unplug the WAN NIC. On the firewall I will have NAT, e.g. saying users using RDP to 89.122.123.133 should be forwarded to the server's LAN IP 192.168.0.1.

also the devices will be like this:

ISP > UTM > Switch > Server,Patch Panel,Wireless AP.
0
 
LVL 32

Expert Comment

by:aleghart
ID: 34170845
ISP
"modem" or other handoff device
firewall
switch
LAN nodes (servers, desktops, printers, WAP)

A patch panel is infrastructure hardware, so it would not appear in a network diagram.  Similarly, you wouldn't list patch cables, wire in wall, jacks, etc.

I think you've got it down pat.
0
 
LVL 2

Assisted Solution

by:SacTechGroup
SacTechGroup earned 200 total points
ID: 34170870
zolf.  When you say 'unplug the WAN NIC' .. well, it depends.  If you are talking about your new UTM, then not necessarily.  Your UTM (like most) will have the WAN NIC connected to the ISP router while its LAN NIC will be connected to a LAN switch.  The UTM then bridges the LAN and WAN networks.

Your public static IPs will then answer on the UTM's WAN port and forward desired services to the specified servers/IPs on the LAN.  This forwarding happens by means of NAT rules and firewall policies.

That is a generalized overview.  There are many little steps in configuring the UTM that you will need to refer to its manual to figure out.  Typical setups include defining address book entries for hosts (your servers) and also specifying services (RDP uses port 3389).  Since you have multiple RDP servers you will need to use multiple public IPs (one each) or change the port on the secondary servers and make rules that match, etc.

Lots to be done
0
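The two ways of exposing several RDP servers behind one UTM that the answer describes (one public IP per server, or one public IP with a different WAN-side port per server) can be modelled as a small NAT table. The script below is an added example, not part of the thread and not Zentyal's own configuration: it builds the forwarding table for either strategy, refuses a table where two rules claim the same public ip:port, lists exactly what is reachable from the world (the "DO worry about what ports are open" check), and renders the table as generic netfilter commands. The public addresses (203.0.113.x), the second server (192.168.0.2) and the WAN interface name `eth0` are constructed sample values.

```python
from dataclasses import dataclass

RDP_PORT = 3389  # the service the thread forwards


@dataclass(frozen=True)
class Forward:
    """One WAN-side ip:port translated to one LAN-side ip:port."""
    public_ip: str
    public_port: int
    lan_ip: str
    lan_port: int
    proto: str = "tcp"


def forwards_one_ip_each(servers, public_ips, port=RDP_PORT):
    """Strategy 1 from the answer: one public IP per server, same port on both sides."""
    if len(public_ips) < len(servers):
        raise ValueError("need at least one public IP per server")
    return [Forward(pub, port, lan, port) for lan, pub in zip(servers, public_ips)]


def forwards_alternate_ports(servers, public_ip, port=RDP_PORT):
    """Strategy 2 from the answer: a single public IP; the first server keeps
    3389 on the WAN side, the secondary servers are reached on 3390, 3391, ...
    The LAN-side port stays 3389 here (the server itself is left unchanged;
    the answer also allows changing the port on the server instead)."""
    return [Forward(public_ip, port + i, lan, port) for i, lan in enumerate(servers)]


def check_no_collisions(forwards):
    """Two rules for the same public ip:port:proto can never both match,
    so the second server would be silently unreachable. Reject that."""
    seen = {}
    for f in forwards:
        key = (f.public_ip, f.public_port, f.proto)
        if key in seen:
            raise ValueError(f"{key} is already forwarded to {seen[key]}")
        seen[key] = f.lan_ip
    return True


def exposed_to_world(forwards):
    """The list to review: every (public ip, port, proto) reachable from the WAN."""
    return sorted({(f.public_ip, f.public_port, f.proto) for f in forwards})


def iptables_rules(forwards, wan_if="eth0"):
    """Render the table as netfilter commands (assumed WAN interface name).
    Each forward needs a DNAT rule in the nat table and a matching FORWARD
    accept for the translated destination; everything else stays closed."""
    check_no_collisions(forwards)
    lines = []
    for f in forwards:
        lines.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -p {f.proto} "
            f"-d {f.public_ip} --dport {f.public_port} "
            f"-j DNAT --to-destination {f.lan_ip}:{f.lan_port}"
        )
        lines.append(
            f"iptables -A FORWARD -i {wan_if} -p {f.proto} -d {f.lan_ip} "
            f"--dport {f.lan_port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample: two application servers, two public addresses.
    servers = ["192.168.0.1", "192.168.0.2"]
    table = forwards_one_ip_each(servers, ["203.0.113.10", "203.0.113.11"])
    print("exposed:", exposed_to_world(table))
    print("\n".join(iptables_rules(table)))
```

The `exposed_to_world` output is the part worth keeping in the change record: after the UTM is in place it should contain only the RDP entries for the application servers (and whatever the web server needs), and nothing else.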
 

Author Comment

by:zolf
ID: 34170951

aleghart:
>>A patch panel is infrastructure hardware
Appreciate your comments. You see, all the computers (45) in our network are connected to the patch panel. From what I understand, 1 port of the patch panel will be connected to 1 port of the switch, so that these computers will have access to each other and the internet. Correct?? Please clear my doubt.

SacTechGroup:
Thanks for that feedback. At present I have 4 NICs but only 2 are in use, one for the LAN and the other for WAN. Now from what I have understood, I will have to enable another NIC on the UTM machine to allow RDP on the other AS.
This part I did not understand:
>>) or change the port on the secondary servers and make rules that match etc.
0
 

Author Comment

by:zolf
ID: 34170962

SacTechGroup:

I meant the WAN NIC of the AS, which are at present connected directly to the internet. If I set up the UTM, then the WAN NIC which I have on these AS will not be needed, only the LAN NIC will be used. Correct??
0
 
LVL 32

Accepted Solution

by:aleghart
aleghart earned 300 total points
ID: 34170969
The switch is what connects all of the computers into a LAN.  The patch panel is no different than a plug on the wall.  It just happens to terminate all of the remote jacks in your server closet.

The important concept is that _all_ network equipment must be patched into the switch(es).  In your case, a single 48-port switch would work fine.  If yours aren't that big, then you'll have to link them together.

"Dumb" switches (no routing) connect to each other with a single patch cable.  Newer switches don't require anything special...a straight-through patch cable in any port will work.  The switch will automatically turn the port into an uplink.  Older switches will have one or more designated ports with a manual uplink (MDI/MDIX) switch or button.

The second NICs in your application servers should no longer be required for WAN connections.  Use only the LAN NIC to the switch.

The firewall's WAN port plugs into your ISP's equipment.  The firewall LAN port plugs into your LAN switch.  You only need one WAN port and one LAN port on the firewall.
0
 

Author Comment

by:zolf
ID: 34194379

On the AS NIC, do I also have to assign a Default Gateway, or is it not needed?
0
 
LVL 32

Expert Comment

by:aleghart
ID: 34199236
Default gateway should be the LAN gateway IP address.  You could leave it blank and let it "guess".  It might work...but really it is better to put the gateway in explicitly.  Some installations have two possible gateways: the internet router, and the network router.  Either will work, but using the internet router as a gateway may bypass some rules in place on the network router.  (That only applies if you have Layer 3 switches for your network switches.)
0