jmchristy asked:

Publish TSgateway using Sonicwall NSA 3500
I am attempting to publish TSgateway services from my Sonicwall NSA 3500 directly to my internal TSgateway server.  We are trying to phase out our ISA 2006 server, so I'm testing just changing some of our web publishing rules on the Sonicwall to go directly to our internal server services.

I have changed the rules to go from WAN to my internal network interface.  I believe my firewall, and NAT rules are correct.  Problem is, it doesn't seem to work unless I change my TSgateway server default gateway to the Sonicwall ZONE IP address that is assigned as my internal network.  

Maybe that's the only way these will work, not sure.  My ISA must have been handling the routing with my previous setup, even though my ISA server isn't the default gateway for any of my internal PCs.  Is this how it works by design?  Any help is appreciated, thanks!
digitap:
Your ISA must have a public IP address, yes? What is the gateway of your TS when it's not the LAN IP of your sonicwall? Is it that of the WAN interface? Otherwise, it sounds like you have it configured properly.
jmchristy (asker):
The ISA server doesn't have a public IP address; its external IP address is a DMZ address.  I just send the traffic to that DMZ address.  ISA's external NIC does have a gateway, which is the LAN (DMZ) address of the Sonicwall.

The gateway of my TSgateway is set to an Edgemarc router, which is used separately on another ISP that connects all our remote sites together over a VPN tunnel.  If I change the gateway of my servers to the Sonicwall then they are unreachable at remote locations.
digitap:
ok...that makes sense.

cool...that makes sense too. just to clarify, is the LAN interface of the edgemarc on the same subnet as the LAN of the sonicwall? it sounds as if it might be.

sorry for the extra questions.
jmchristy (asker):
No problem.

The LAN interface of the Edgemarc is set to the DMZ.  I created another Interface/Zone with the name of my internal network, and that is on the same subnet as my Edgemarc.
digitap:
ok, so your sonicwall is routing traffic between your interfaces. this is good.

So, to recap:

X0 - LAN
X1 - WAN
X2 - DMZ?
X3 - Edgemarc?

what kind of sonicwall do you have? is the firmware up to date? is it enhanced or standard OS?

i'm getting confused about where the TS is physically sitting on the network. if you changed the gateway, you must have had to change the IP address and where it was physically connected to the network, right?
jmchristy (asker):
X0 - DMZ
X1 - unused
X2 - WAN #2
X3 - Internal Network

It's an NSA 3500 SonicOS Enhanced, the firmware is not up to date.

Our current setup for internet access is as follows: Internet --> Sonicwall --> DMZ --> ISA --> Internal.  The TS is physically sitting in the "Internal" network, behind ISA.  All I'm trying to change is to move the ISA server out of the equation, and change the rules to say if it comes in over X2, send it to X3.

We have a separate internet source, which is used for VPN tunnels, that all our internal computers' gateway is set to.  It goes Internet --> Edgemarc --> Internal.  Our other sites are connected via a VPN tunnel through the Edgemarc.

Hope this makes sense.
ASKER CERTIFIED SOLUTION
digitap:
[accepted solution body not included on this page]
jmchristy (asker):
I believe this is possible, and it makes sense to me what you are saying.  I could eliminate my DMZ all together as I would no longer have a need for it once ISA is removed.  Temporarily I could make it X2.

The only hiccup I have is putting the Edgemarc on X3.  The Edgemarc is on a separate ISP from X1; its WAN interface is currently set to connect directly to that secondary ISP we have, which is currently outside of the Sonicwall.  It also handles the VPN tunnel for my other sites, as well as SIP VoIP calls.  How would the Sonicwall handle these requests?  Would I just create a rule that allows all traffic to/from the WAN interface of the Edgemarc?

Assign the secondary ISP to X3 and put the Edgemarc on X4?
digitap:
if the edgemarc is negotiating the vpn, then its "WAN" interface is going to be directly on the internet and you'll have a LAN interface that your clients will need to connect to. thus:

2nd isp <> edgemarc WAN <> edgemarc LAN <> sonicwall X3

let's say you setup X3 with a subnet of 10.10.10.0/24 and the X3 as 10.10.10.1 and the edgemarc LAN as 10.10.10.2. let's say that the subnet on the other side of the vpn was 10.10.9.0/24. on the sonicwall, you'd setup a route:

source: any
destination: 10.10.9.0/24
gateway: 10.10.10.2
service: any

this way traffic on the LAN could get to 10.10.9.0/24 on the other side of the VPN. you'd need to make sure that your router at the other end would have a static route back to the LAN subnet.

make sense?

is the 2nd isp used ONLY for the VPN traffic?
jmchristy (asker):
Yes, that makes sense except for that last part, about the other router having a static route back to the LAN subnet.  There are currently no static routes on it; I rely on the VPN tunnel in order to reach that remote site and vice versa.

The 2nd ISP is used for VPN traffic, and it also (through the Edgemarc WAN/LAN ports) connects with our phone system to handle/route SIP calls to a SIP server.  There is a NAT setup on the Edgemarc that takes traffic from the WAN interface and routes it to the LAN IP of my phone system.
digitap:
in that event, i don't think i'd involve the sonicwall at all. assuming that you remove the dmz and move your hosts to the X0 (LAN) interface, i'd put the LAN of the edgemarc on the LAN subnet. setup a static route on the sonicwall to send vpn traffic to the LAN ip address of the edgemarc.

this would eliminate the need for a route at the other sites. they already know about the network as it's controlled by their end through the vpn. the issue here is that the sonicwall isn't managing those vpns. you could put the 2nd isp on an interface of the sonicwall and configure a secondary WAN interface removing the edgemarc completely. this would make routing MUCH easier.

if you keep the edgemarc, i wouldn't put it through the sonicwall. just configure the sonicwall to route vpn traffic to it.

is your VoIP server on the LAN subnet (again assuming)?
jmchristy (asker):
I'm not sure if I could remove the Edgemarc completely, because our VoIP/SIP server is hosted externally.  We have a phone system on-site, but it's not routing any VoIP traffic; it just is an endmarc for our digital keysets.  Any calls incoming/outgoing are routed to and from the Edgemarc, and the Edgemarc sends it to a SIP server (coredial).
digitap:
cool. then, i'd keep it separate from the sonicwall. give the LAN interface an IP on the LAN subnet and setup the route on the sonicwall.

once you re-org your sonicwall as indicated above, i think your setup will simplify. add, moves, and changes will be easier...so will troubleshooting.
jmchristy (asker):
Ok then that's what I will do, just keep the Edgemarc separate...have its ISP go into the WAN of the Edgemarc and the LAN directly into the switch.

I can make the changes we spoke of earlier to help simplify my setup, appreciate your help digitap!
ty digitap
digitap:
you're welcome! thanks for the points!
jmchristy (asker):
Digitap, I was reading over this and have a few more questions if you don't mind :)

Did you want me to take the LAN of the Edgemarc and put it into X3? Or just keep it separate and put it directly into the switch? I thought what I gathered was to keep it separate from the Sonicwall, but when you said "give the LAN interface an IP on the LAN subnet and setup the route on the sonicwall" it lost me.
digitap:
sure. "keep it separate from the sonicwall" means not setting up a special interface for edgemarc traffic. all you need to do after moving your x3 stuff to x0 is put the LAN of the edgemarc on the switch and give it an IP address on the LAN subnet. you'll use that IP address as the gateway for the route you setup on the sonicwall.
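The routing behind digitap's advice (the static route in the 10.10.10.0/24 example above, and the final layout where the Edgemarc LAN sits on the switch with the SonicWall as the hosts' default gateway) can be checked with a small longest-prefix-match model. The code below is an added example written for this thread, not configuration from either participant or from SonicWall. It uses the thread's example addresses (10.10.10.1 for X0, 10.10.10.2 for the Edgemarc LAN, 10.10.9.0/24 for the remote site) plus two constructed placeholders, a primary-ISP gateway and an internet RDP client, and it shows why the asker's original setup failed: a TS host whose default gateway is the Edgemarc sends its replies to internet clients out the second ISP instead of back through the SonicWall that NATed the inbound connection.

```python
"""Longest-prefix-match model of the TS host, the SonicWall and the Edgemarc.

Added example for the thread; addresses are the thread's example values plus
constructed placeholders (WAN_GATEWAY, INTERNET_CLIENT).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LAN = ipaddress.ip_network("10.10.10.0/24")                 # X0 LAN after the re-org
SONICWALL_LAN_IP = ipaddress.ip_address("10.10.10.1")        # X0 address
EDGEMARC_LAN_IP = ipaddress.ip_address("10.10.10.2")         # Edgemarc LAN port on the switch
REMOTE_SITE = ipaddress.ip_network("10.10.9.0/24")           # far side of the Edgemarc VPN
WAN_GATEWAY = ipaddress.ip_address("203.0.113.1")            # constructed primary-ISP gateway on X1
INTERNET_CLIENT = ipaddress.ip_address("198.51.100.7")       # constructed RDP client on the internet


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means directly connected
    iface: str


def lookup(table: List[Route], dst) -> Optional[Route]:
    """Return the most specific route covering dst, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen, default=None)


def build_sonicwall_table() -> List[Route]:
    """SonicWall routes after the re-org: default to the primary ISP, LAN on X0,
    and the static route digitap describes sending VPN traffic to the Edgemarc."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), WAN_GATEWAY, "X1"),
        Route(LAN, None, "X0"),
        Route(REMOTE_SITE, EDGEMARC_LAN_IP, "X0"),
    ]


def build_host_table(default_gateway: ipaddress.IPv4Address) -> List[Route]:
    """A LAN host's table: connected subnet plus a single default gateway."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), default_gateway, "nic0"),
        Route(LAN, None, "nic0"),
    ]


def trace(host_table: List[Route], dst) -> List[ipaddress.IPv4Address]:
    """Gateways a packet from the host is handed to: the host's own next hop,
    then the SonicWall's next hop if the host sent it to the SonicWall."""
    hops: List[ipaddress.IPv4Address] = []
    r = lookup(host_table, dst)
    if r is None or r.gateway is None:
        return hops                       # unroutable or directly connected
    hops.append(r.gateway)
    if r.gateway == SONICWALL_LAN_IP:
        r2 = lookup(build_sonicwall_table(), dst)
        if r2 is not None and r2.gateway is not None:
            hops.append(r2.gateway)
    return hops


def reply_returns_via_sonicwall(host_table: List[Route], client_ip) -> bool:
    """The TS host's reply to an internet client has to leave through the
    SonicWall, which translated the inbound connection; any other first hop
    makes the flow asymmetric and the client never sees the reply."""
    hops = trace(host_table, client_ip)
    return bool(hops) and hops[0] == SONICWALL_LAN_IP


if __name__ == "__main__":
    for label, gw in (("TS gateway -> Edgemarc", EDGEMARC_LAN_IP),
                      ("TS gateway -> SonicWall", SONICWALL_LAN_IP)):
        table = build_host_table(gw)
        print(label,
              "| reply to internet client via SonicWall:", reply_returns_via_sonicwall(table, INTERNET_CLIENT),
              "| path to remote site:", [str(h) for h in trace(table, "10.10.9.5")])
```

With the host's default gateway on the Edgemarc (the asker's original state), the reply to the internet client is handed to 10.10.10.2 and published TSgateway traffic breaks, while remote-site traffic works. With the default gateway on the SonicWall and the static route in place, both work: internet replies go back through the SonicWall, and remote-site traffic takes two hops, SonicWall then Edgemarc. This is also why digitap notes that the remote end needs no extra route, as long as the LAN subnet is already inside the VPN the Edgemarc negotiates.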
jmchristy (asker):
Cool, thanks for the clarification!