Solved

Publish TSgateway using Sonicwall NSA 3500

Posted on 2011-03-17
Last Modified: 2012-05-11
I am attempting to publish TSgateway services from my Sonicwall NSA 3500 directly to my internal TSgateway server.  We are trying to phase out our ISA 2006 server, so I'm testing just changing some of our web publishing rules on the Sonicwall to go directly to our internal server services.

I have changed the rules to go from WAN to my internal network interface.  I believe my firewall, and NAT rules are correct.  Problem is, it doesn't seem to work unless I change my TSgateway server default gateway to the Sonicwall ZONE IP address that is assigned as my internal network.  

Maybe that's the only way these will work, not sure.  My ISA must have been handling the routing with my previous setup, even though my ISA server isn't the default gateway for any of my internal PCs.  Is this how it works by design?  Any help is appreciated, thanks!
Question by:jmchristy

19 Comments
 
LVL 33

Expert Comment

by:digitap
Your ISA must have a public IP address, yes? what is the gateway of your TS when it's not the LAN IP of your sonicwall? Is it of the WAN interface? otherwise, it sounds like you have it configured properly.

Author Comment

by:jmchristy
The ISA server doesn't have a public IP address, its external IP address is a DMZ address.  I just send the traffic to that DMZ address.  ISA's external NIC does have a gateway which is the LAN (DMZ) address of the Sonicwall.

The gateway of my TSgateway is set to an Edgemarc router, which is used separately on another ISP that connects all our remote sites together over a VPN tunnel.  If I change the gateway of my servers to the Sonicwall then they are unreachable at remote locations.

LVL 33

Expert Comment

by:digitap
ok...that makes sense.

cool...that makes sense too. just to clarify, is the LAN interface of the Edgemarc on the same subnet as the LAN of the sonicwall? it sounds as if it might be.

sorry for the extra questions.

Author Comment

by:jmchristy
No problem.

The LAN interface of the Edgemarc is set to the DMZ.  I created another Interface/Zone with the name of my internal network, and that is on the same subnet as my Edgemarc.

LVL 33

Expert Comment

by:digitap
ok, so your sonicwall is routing traffic between your interfaces. this is good.

So, to recap:

X0 - LAN
X1 - WAN
X2 - DMZ?
X3 - Edgemarc?

what kind of sonicwall do you have? is the firmware up to date? is it enhanced or standard OS?

i'm getting confused about where the TS is physically sitting on the network. if you changed the gateway, you must have had to change the IP address and where it was physically connected to the network, right?

Author Comment

by:jmchristy
X0 - DMZ
X1 - unused
X2 - WAN #2
X3 - Internal Network

It's an NSA 3500 SonicOS Enhanced, the firmware is not up to date.

Our current setup for internet access is as follows: Internet --> Sonicwall --> DMZ --> ISA --> Internal.  The TS is physically sitting in the "Internal" network, behind ISA.  All I'm trying to change is to move the ISA server out of the equation, and change the rules to say if it comes in over X2, send it to X3.

We have a separate internet source, which is used for VPN tunnels, that all our internal computers' gateway is set to.  It goes Internet --> Edgemarc --> Internal.  Our other sites are connected via a VPN tunnel thru the Edgemarc.

Hope this makes sense.

LVL 33

Accepted Solution

by:digitap (earned 500 total points)
ok...i'm getting a good picture. the sonicwall has a lot of builtin address objects and rules that can't be changed. so, if you setup the sonicwall different from that, you end up having to create a bunch of address objects/groups, NAT policies and firewall access rules to compensate. i believe that's why you've had the issue you did when you tried to setup the TS for external access. what the sonicwall is expecting is this:

X0: LAN
X1: WAN (default)
X2 - X?: whatever you want

my initial recommendation is this (not necessarily in this order):

- remove the ISA and move your internal network at X3 to X0
- move your DMZ to X2
- move your default internet to X1
- put the edgemarc on X3

you have a NSA 3500 so it's not going to have any problem routing. however, if you want it to be stable, i'd recommend putting your traffic where the sonicwall "thinks" your traffic should be.

what do you think of my suggestion? possible?


Author Comment

by:jmchristy
I believe this is possible, and it makes sense to me what you are saying.  I could eliminate my DMZ altogether as I would no longer have a need for it once ISA is removed.  Temporarily I could make it X2.

The only hiccup I have is putting the Edgemarc on X3.  The Edgemarc is on a separate ISP from X1; its WAN interface is currently set to connect directly to that secondary ISP we have that is currently outside of the Sonicwall.  It also handles the VPN tunnel for my other sites, as well as SIP VoIP calls.  How would the Sonicwall handle these requests?  Would I just create a rule that allows all traffic to/from the WAN interface of the Edgemarc?

Assign the secondary ISP to X3 and put the Edgemarc on X4?

LVL 33

Expert Comment

by:digitap
if the edgemarc is negotiating the vpn, then its "WAN" interface is going to be directly on the internet and you'll have a LAN interface that your clients will need to connect to. thus:

2nd isp <> edgemarc WAN <> edgemarc LAN <> sonicwall X3

let's say you setup X3 with a subnet of 10.10.10.0/24 and the X3 as 10.10.10.1 and the edgemarc LAN as 10.10.10.2. let's say that the subnet on the other side of the vpn was 10.10.9.0/24. on the sonicwall, you'd setup a route:

source: any
destination: 10.10.9.0/24
gateway: 10.10.10.2
service: any

this way traffic on the LAN could get to 10.10.9.0/24 on the other side of the VPN. you'd need to make sure that your router at the other end would have a static route back to the LAN subnet.

make sense?

is the 2nd isp used ONLY for the VPN traffic?
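A way to test the route digitap describes, added here as an example that is not from the thread: a longest-prefix-match lookup over a constructed SonicWall route table (the WAN addresses and the Edgemarc at 10.10.10.2 on the LAN are assumed), plus a check that every gateway sits on a directly connected subnet, which is the usual reason a static route like this silently does nothing.

```python
import ipaddress
from typing import List, NamedTuple, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


class Route(NamedTuple):
    destination: IPv4Net
    gateway: Optional[IPv4Addr]  # None means the subnet is directly connected
    interface: str


def sonicwall_routes() -> List[Route]:
    """Constructed route table for the layout digitap recommends.

    Assumed addresses: X0 LAN 10.10.10.0/24 with the SonicWall at .1 and the
    Edgemarc LAN at .2, X1 WAN 203.0.113.0/24 with the ISP gateway at .1,
    and the remote VPN site 10.10.9.0/24 reached through the Edgemarc.
    """
    return [
        Route(IPv4Net("10.10.10.0/24"), None, "X0"),                   # connected LAN
        Route(IPv4Net("203.0.113.0/24"), None, "X1"),                  # connected WAN
        Route(IPv4Net("10.10.9.0/24"), IPv4Addr("10.10.10.2"), "X0"),  # static: VPN site via Edgemarc
        Route(IPv4Net("0.0.0.0/0"), IPv4Addr("203.0.113.1"), "X1"),    # default: everything else to the ISP
    ]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = IPv4Addr(dst)
    matches = [r for r in routes if addr in r.destination]
    return max(matches, key=lambda r: r.destination.prefixlen, default=None)


def check_gateways(routes: List[Route]) -> List[str]:
    """One message per route whose gateway is not on a connected subnet; empty means consistent."""
    connected = [r.destination for r in routes if r.gateway is None]
    return [
        f"{r.destination}: gateway {r.gateway} is not on any connected subnet"
        for r in routes
        if r.gateway is not None and not any(r.gateway in net for net in connected)
    ]


if __name__ == "__main__":
    table = sonicwall_routes()
    for dst in ("10.10.9.25", "10.10.10.50", "198.51.100.7"):
        print(dst, "->", lookup(table, dst))
    print("problems:", check_gateways(table))
```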

Author Comment

by:jmchristy
Yes, that makes sense except for that last part.  About the other router having a static route back to the LAN subnet.  There are currently no static routes on it, I rely on the VPN tunnel in order to reach that remote site and vice versa.

The 2nd ISP is used for VPN traffic, and it also (thru the Edgemarc WAN/LAN ports) connects with our phone system to handle/route SIP calls to a SIP server.  There is a NAT setup on the Edgemarc that takes traffic from the WAN interface and routes it to the LAN IP of my phone system.

LVL 33

Expert Comment

by:digitap
in that event, i don't think i'd involve the sonicwall at all. assuming that you remove the dmz and move your hosts to the X0 (LAN) interface, i'd put the LAN of the edgemarc on the LAN subnet. setup a static route on the sonicwall to send vpn traffic to the LAN ip address of the edgemarc.

this would eliminate the need for a route at the other sites. they already know about the network as it's controlled by their end through the vpn. the issue here is that the sonicwall isn't managing those vpns. you could put the 2nd isp on an interface of the sonicwall and configure a secondary WAN interface removing the edgemarc completely. this would make routing MUCH easier.

if you keep the edgemarc, i wouldn't put it through the sonicwall. just configure the sonicwall to route vpn traffic to it.

is your VoIP server on the LAN subnet (again assuming)?

Author Comment

by:jmchristy
I'm not sure if I could remove the Edgemarc completely, because our VoIP/SIP server is hosted externally.  We have a phone system on-site but it's not routing any VoIP traffic, it just is an endmarc for our digital keysets.  Any calls incoming/outgoing are routed to and from the Edgemarc and the Edgemarc sends it to a SIP server (coredial).

LVL 33

Expert Comment

by:digitap
cool. then, i'd keep it separate from the sonicwall. give the LAN interface an IP on the LAN subnet and setup the route on the sonicwall.

once you re-org your sonicwall as indicated above, i think your setup will simplify. add, moves, and changes will be easier...so will troubleshooting.

Author Comment

by:jmchristy
Ok then that's what I will do, just keep the Edgemarc separate...have its ISP go into the WAN of the Edgemarc and the LAN directly into the switch.

I can make the changes we spoke of earlier to help simplify my setup, appreciate your help digitap!

Author Closing Comment

by:jmchristy
ty digitap

LVL 33

Expert Comment

by:digitap
you're welcome! thanks for the points!

Author Comment

by:jmchristy
Digitap, I was reading over this and have a few more questions if you don't mind :)

Did you want me to take the LAN of the Edgemarc and put it into X3? Or just keep it separate and put it directly into the switch? I thought what I gathered was to keep it separate from the Sonicwall, but when you said "give the LAN interface an IP on the LAN subnet and setup the route on the sonicwall" it lost me.

LVL 33

Expert Comment

by:digitap
sure. "keep it separate from the sonicwall" means not setup a special interface for edgemarc traffic. all you need to do after moving your x3 stuff to x0, is put the LAN of the edgemarc on the switch and give it an IP address on the LAN subnet. you'll use that IP address as the gateway for the route you setup on the sonicwall.

Author Comment

by:jmchristy
Cool, thanks for the clarification!