Solved

SonicWALL - How to configure port forwarding multiple services for internal servers?

Posted on 2011-02-20
Last Modified: 2012-05-11
On a SonicWALL (TZ 180 with SonicOS Enhanced 4.2.1.0-20e) I need to configure the device to port forward to multiple servers on various subnets with various service ports. I understand how this is done through Network -> NAT Policies -> Public Server Wizard... however this sets up a new server each time with one port or a port range. In my scenario I need to open up port ranges: tcp 1719, tcp 1721, tcp 3230-3300, udp 3230-3400.

Obviously I don't want to go through the wizard for each service port set and then have to name the server each time.  I'm going to ultimately have boatloads of these to configure and I'd prefer a streamlined method for this.

Is there a superior method for configuring this use case scenario other than the wizard?  To me it seems that using the wizard for the first port range to configure the server and then using an alternate method would be perhaps the best, unless there is a way to coax the wizard into a port table for each server setup, which would be the nicest case it seems.
Question by:gpsocs
9 Comments
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 34940285
OK... I understand now. What I do when I have to forward multiple ports to a single server: I either create a service group and add the respective services to the group, then run the public server wizard and select the service group. Or, run the public server wizard to get the initial NAT and firewall rules set up, then go back and modify them, replacing the service object with the service group that you created.

Hope that helps.
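The accepted answer relies on two objects the Public Server Wizard creates, a NAT policy and a WAN>LAN access rule, both of which must reference the service group or ports stay blocked. The following is an added Python example, not code from the thread or from SonicOS: services are modelled as plain (proto, first_port, last_port) tuples, and the configurations audited (the H.323 group from the question, a half-edited one, an over-wide one) are constructed.

```python
"""Audit a SonicOS-style port forward: a port reaches the server only when
the NAT policy translates it AND the access rule permits it.  Anything
permitted beyond the required set is unnecessary exposure."""

# Ports the question needs forwarded (tcp 1719, tcp 1721, tcp 3230-3300, udp 3230-3400).
REQUIRED = [("tcp", 1719, 1719), ("tcp", 1721, 1721),
            ("tcp", 3230, 3300), ("udp", 3230, 3400)]


def expand(services):
    """Flatten (proto, lo, hi) ranges into a set of (proto, port) pairs."""
    return {(proto, p) for proto, lo, hi in services for p in range(lo, hi + 1)}


def to_ranges(ports):
    """Collapse (proto, port) pairs back into sorted (proto, lo, hi) ranges."""
    out, run = [], None
    for proto, p in sorted(ports):
        if run and run[0] == proto and run[2] == p - 1:
            run[2] = p                      # extend the current run
        else:
            if run:
                out.append(tuple(run))
            run = [proto, p, p]             # start a new run
    if run:
        out.append(tuple(run))
    return out


def audit(nat_services, rule_services, required=REQUIRED):
    """Compare the service bound to the NAT policy with the one bound to the
    WAN>LAN access rule.  Returns what is not reachable, what is translated
    but denied by the rule, and what is open beyond the server's needs."""
    nat, rule, need = expand(nat_services), expand(rule_services), expand(required)
    forwarded = nat & rule
    return {
        "missing": to_ranges(need - forwarded),   # required but not reachable
        "nat_only": to_ranges(nat - rule),        # translated, then dropped by the rule
        "excess": to_ranges(forwarded - need),    # reachable but not required
    }


# Constructed configurations (not taken from any real device).
H323_GROUP = list(REQUIRED)                  # service group with all four services
WIZARD_ONLY = [("tcp", 1719, 1719)]          # the single object the wizard created
WIDE_GROUP = [("tcp", 1719, 3300), ("udp", 3230, 3400)]  # one lazy tcp range

if __name__ == "__main__":
    print("NAT edited, rule forgotten:", audit(H323_GROUP, WIZARD_ONLY))
    print("both on the group:        ", audit(H323_GROUP, H323_GROUP))
    print("over-wide group:          ", audit(WIDE_GROUP, WIDE_GROUP))
```

The first call reproduces the failure mode of editing only the NAT policy after the wizard: tcp 1721 and both ranges are translated but denied by the untouched access rule.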

Author Comment

by:gpsocs
ID: 34940409
This is quite good.  Thank you.  That seems to be the right approach.

I'm additionally curious though now in this same discussion vein, since I'm using H.323 devices primarily, how well do the VoIP options work.  It seems that perhaps I may even not have to worry about port forwarding from some of the preliminary reading I've done regarding the H.323 / VoIP options with consistent NAT, etc.

It seems that TCP can traverse the nat okay... Further, these devices have settings for NAT traversal and even an H.323 option that may or may not be a good idea to use (depending on how robust the H.323 implementation is in the SonicWALL implementation).  In this particular manual, you'll see some more info on pages 26 & 27 (2-12 and 2-13).  Of course you can see additional H.323 settings and information strewn throughout this in context to what I'm referring to on this device.

Hmmm...
LVL 33

Expert Comment

by:digitap
ID: 34940534
You're welcome.

I have a client with three Polycom HDX units. One of those has a multi-connect license. In order for the other HDX units to get to the multi-connect unit, I ran the public server wizard to allow those units to get to the HDX. I configured the firewall rules, WAN > LAN, to only allow those HDX units to reach the multi-connect HDX unit.

I had challenges with one of those SonicWALLs. I didn't manage that SonicWALL and spent several hours working with their IT. I didn't know it was a SonicWALL originally. When I found out it was a SonicWALL, I told them that they'd wasted my time and to let me into the SonicWALL and fix it or I was going to bill them the total time I'd spent messing with the issue... they let me in. In 5 minutes, I enabled H.323 under the VoIP settings. This is all I had to do for the remote sites... enable H.323. It was the multi-connect HDX that I had to open.

Review the KB and PDF information within the link below. I think you'll find that you have to open the SonicWALL if the HDX is on the LAN. If you put it on a DMZ giving it a public IP address, you'll configure VoIP based on the PDF in the link and it will work just fine.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3713

Author Comment

by:gpsocs
ID: 34940549
All of the H.323 units in the diagram are Polycom HDX units.  There are also content PCs connected to each of them.  There will be hundreds in the network, however at the moment there are about 10.  We have HDX units connecting from the outside to the inside (down in the VPN tree), from the inside to the outside, and from the inside to the inside on each LAN and from inside to inside across the VPNs:

https://img.skitch.com/20110219-gx38xuirrj6uymfkddmy6epxec.jpg

Author Comment

by:gpsocs
ID: 34940578
Also, of note, we have no Gatekeeper as of yet.  I don't know if we're going to get one, but it appears it's going to be my job to really flesh out the infrastructure as I was brought aboard after they tried to assemble something and I've spent much of my time disassembling and trying to piece things back together.

Polycom is trying to get us to get a VBP (Video Border Proxy) unit, however this appears to perhaps not be necessary with SonicWALL units and DNS.
LVL 33

Expert Comment

by:digitap
ID: 34940589
I think you're still good. Perhaps I'm not seeing something here, http:#a34940549, that you want me to see. Otherwise, I think your question spans into your other question here, http://rdsrc.us/SpPEiU.
LVL 33

Expert Comment

by:digitap
ID: 34940609
Re: http:#a34940578

I'm not sure. Knowing Polycom, their hardware is expensive, and using something other than their stuff will always save you some green. I'm not doing anything really big with our Polycoms but can say that the SonicWALLs have been sufficient. I also will say that we've been looking at hosting more sessions than the 4 multi-connect license will get us (which is all the Polycom HDX units that we have will support). Making this decision will change the game some, but I don't think it will much.

I believe that you'll always need a good firewall. You're in a TZ 180 and as you grow, you'll need something that will handle the throughput without compromising security. An NSA model would get you there. So, whether you bought a higher end SonicWALL or not (WatchGuard, Cisco, etc.), I think what you have is enough... unless you make a decision to change the game. For instance, decide to do something with Polycom that requires some specialized widget from them that requires some particular interface that SonicWALL can't do.

Author Comment

by:gpsocs
ID: 34940650
It's very possible we're going to provide a software layer to the network fabric in the near to mid term that will act as a gatekeeper and service manager offering out an API or such to other services that utilize the fabric being built out here.  It seems perhaps these SonicWALL units may be enough as they provide, it appears, some LDAP and so forth functionality that would help to manage security and level access up and down the system.  Hmm.

On the gatekeeper issue, I agree. There is no reason for a gatekeeper at this point with the facility of offering near direct (or virtual) p2p connection between each unit in our fabric and outside of our fabric. DNS really will cover that nicely and I think this direct method will provide significantly more performance since we're not having to hop into and out of any other services or networks in which a gatekeeper may sit.
LVL 33

Expert Comment

by:digitap
ID: 34940657
If you did get a gatekeeper, I'd recommend referring to the KB's PDF I referenced earlier and putting the hardware in a DMZ on the SonicWALL. You can poke holes DMZ <> LAN for that traffic and make it easier to serve up those API services to the internet.

SonicWALL does LDAP... at least for VPN access. I'm not sure what security solutions you'd want to flesh out between the Polycom hardware, clients and SonicWALL.