Solved

Publish TSgateway using Sonicwall NSA 3500

Posted on 2011-03-17
Last Modified: 2012-05-11
I am attempting to publish TSgateway services from my Sonicwall NSA 3500 directly to my internal TSgateway server.  We are trying to phase out our ISA 2006 server, so I'm testing just changing some of our web publishing rules on the Sonicwall to go directly to our internal server services.

I have changed the rules to go from WAN to my internal network interface.  I believe my firewall, and NAT rules are correct.  Problem is, it doesn't seem to work unless I change my TSgateway server default gateway to the Sonicwall ZONE IP address that is assigned as my internal network.  

Maybe that's the only way these will work, not sure.  My ISA must have been handling the routing with my previous setup, even though my ISA server isn't the default gateway for any of my internal PCs.  Is this how it works by design?  Any help is appreciated, thanks!
Question by:jmchristy
19 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 35157463
Your ISA must have a public IP address, yes? what is the gateway of your TS when it's not the LAN IP of your sonicwall? Is it of the WAN interface? otherwise, it sounds like you have it configured properly.
 

Author Comment

by:jmchristy
ID: 35157506
The ISA server doesn't have a public IP address, its external IP address is a DMZ address.  I just send the traffic to that DMZ address.  ISA's external NIC does have a gateway which is the LAN (DMZ) address of the Sonicwall.

The gateway of my TSgateway is set to an Edgemarc router, which is used separately on another ISP that connects all our remote sites together over a VPN tunnel.  If I change the gateway of my servers to the Sonicwall then they are unreachable at remote locations.
 
LVL 33

Expert Comment

by:digitap
ID: 35157896
ok...that makes sense.

cool...that makes sense too. just to clarify, is the LAN interface of the edgemarc on the same subnet as the LAN of the sonicwall? it sounds as if it might be.

sorry for the extra questions.
 

Author Comment

by:jmchristy
ID: 35157942
No problem.

The LAN interface of the Edgemarc is set to the DMZ.  I created another Interface/Zone with the name of my internal network, and that is on the same subnet as my Edgemarc.
 
LVL 33

Expert Comment

by:digitap
ID: 35158197
ok, so your sonicwall is routing traffic between your interfaces. this is good.

So, to recap:

X0 - LAN
X1 - WAN
X2 - DMZ?
X3 - Edgemarc?

what kind of sonicwall do you have? is the firmware up to date? is it enhanced or standard OS?

i'm getting confused about where the TS is physically sitting on the network. if you changed the gateway, you must have had to change the IP address and where it was physically connected to the network, right?
 

Author Comment

by:jmchristy
ID: 35158647
X0 - DMZ
X1 - unused
X2 - WAN #2
X3 - Internal Network

It's an NSA 3500 SonicOS Enhanced, the firmware is not up to date.

Our current setup for internet access is as follows: Internet --> Sonicwall --> DMZ --> ISA --> Internal.  The TS is physically sitting in the "Internal" network, behind ISA.  All I'm trying to change is to move the ISA server out of the equation, and change the rules to say if it comes in over X2, send it to X3.

We have a separate internet source, which is used for VPN tunnels, that all our internal computers' gateway is set to.  It goes Internet --> Edgemarc --> Internal.  Our other sites are connected via a VPN tunnel thru the Edgemarc.

Hope this makes sense.
 
LVL 33

Accepted Solution

by: digitap (earned 500 total points)
ID: 35159796
ok...i'm getting a good picture. the sonicwall has a lot of built-in address objects and rules that can't be changed. so, if you set up the sonicwall different from that, you end up having to create a bunch of address objects/groups, NAT policies and firewall access rules to compensate. i believe that's why you've had the issue you did when you tried to set up the TS for external access. what the sonicwall is expecting is this:

X0: LAN
X1: WAN (default)
X2 - X?: whatever you want

my initial recommendation is this (not necessarily in this order):

- remove the ISA and move your internal network at X3 to X0
- move your DMZ to X2
- move your default internet to X1
- put the edgemarc on X3

you have a NSA 3500 so it's not going to have any problem routing. however, if you want it to be stable, i'd recommend putting your traffic where the sonicwall "thinks" your traffic should be.

what do you think of my suggestion? possible?

 

Author Comment

by:jmchristy
ID: 35159920
I believe this is possible, and it makes sense to me what you are saying.  I could eliminate my DMZ altogether as I would no longer have a need for it once ISA is removed.  Temporarily I could make it X2.

The only hiccup I have is putting the Edgemarc on X3.  The Edgemarc is on a separate ISP from X1; its WAN interface is currently set to connect directly to that secondary ISP we have that is currently outside of the Sonicwall.  It also handles the VPN tunnel for my other sites, as well as SIP VoIP calls.  How would the Sonicwall handle these requests?  Would I just create a rule that allows all traffic to/from the WAN interface of the Edgemarc?

Assign the secondary ISP to X3 and put the Edgemarc on X4?
 
LVL 33

Expert Comment

by:digitap
ID: 35159990
if the edgemarc is negotiating the vpn, then its "WAN" interface is going to be directly on the internet and you'll have a LAN interface that your clients will need to connect to. thus:

2nd isp <> edgemarc WAN <> edgemarc LAN <> sonicwall X3

let's say you set up X3 with a subnet of 10.10.10.0/24 and the X3 as 10.10.10.1 and the edgemarc LAN as 10.10.10.2. let's say that the subnet on the other side of the vpn was 10.10.9.0/24. on the sonicwall, you'd set up a route:

source: any
destination: 10.10.9.0/24
gateway: 10.10.10.2
service: any

this way traffic on the LAN could get to 10.10.9.0/24 on the other side of the VPN. you'd need to make sure that your router at the other end would have a static route back to the LAN subnet.

make sense?

is the 2nd isp used ONLY for the VPN traffic?
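The original question (the TS gateway only answers published connections once its default gateway is the SonicWall) and digitap's static-route sketch above are two halves of one routing picture. The Python model below is an added example, not code from this thread or from SonicWall or Edgemarc documentation. It implements the longest-prefix-match lookup every host and router performs, using constructed addresses (digitap's 10.10.10.0/24 illustration plus RFC 5737 documentation ranges for the Internet side; 198.51.100.1 and 203.0.113.10 are placeholders, not anyone's real addresses), and shows two things: why the reply to a published connection exits through the wrong device when the server's default route points at the Edgemarc, so the SonicWall's NAT/state table never sees it, and why, once the SonicWall carries the 10.10.9.0/24 route via the Edgemarc LAN address, moving the server's default gateway to the SonicWall no longer cuts it off from the remote site.

```python
"""Longest-prefix-match routing model of the thread's layout.

Added example, not from the thread or from either vendor. Addresses are
constructed: digitap's 10.10.10.0/24 illustration plus RFC 5737 ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected on `interface`
    interface: str


def route(prefix: str, gateway: Optional[str], interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), gateway, interface)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific matching route, as any host or router chooses; None = no route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


# --- constructed topology, following the re-org digitap proposed -------------
LAN          = "10.10.10.0/24"
SONICWALL_X0 = "10.10.10.1"       # SonicWall LAN interface
EDGEMARC_LAN = "10.10.10.2"       # Edgemarc LAN port, plugged into the same switch
REMOTE_SITE  = "10.10.9.0/24"     # subnet behind the Edgemarc VPN (digitap's example)
ISP1_NET     = "198.51.100.0/30"  # constructed X1 transit subnet
ISP1_GATEWAY = "198.51.100.1"     # constructed upstream gateway for X1

GATEWAY_NAMES = {SONICWALL_X0: "sonicwall", EDGEMARC_LAN: "edgemarc", ISP1_GATEWAY: "isp1"}

SONICWALL = [
    route(LAN, None, "X0"),
    route(ISP1_NET, None, "X1"),
    route(REMOTE_SITE, EDGEMARC_LAN, "X0"),  # the static route from the thread
    route("0.0.0.0/0", ISP1_GATEWAY, "X1"),  # default out the primary ISP
]

# TS gateway server as in the original question: default gateway is the Edgemarc.
TS_ORIGINAL = [route(LAN, None, "eth0"), route("0.0.0.0/0", EDGEMARC_LAN, "eth0")]
# TS gateway server after the change: default gateway is the SonicWall.
TS_FIXED = [route(LAN, None, "eth0"), route("0.0.0.0/0", SONICWALL_X0, "eth0")]

# Only the SonicWall is modelled hop by hop; Edgemarc and the ISP are endpoints here.
TABLES = {"sonicwall": SONICWALL}


def path(host_table: List[Route], dst: str) -> List[str]:
    """Follow next hops from a host until delivery, a drop, or an unmodelled device."""
    hops: List[str] = []
    table = host_table
    while True:
        r = lookup(table, dst)
        if r is None:
            hops.append("drop")
            return hops
        if r.gateway is None:
            hops.append("direct:" + r.interface)
            return hops
        name = GATEWAY_NAMES[r.gateway]
        hops.append(name)
        if name not in TABLES:
            return hops
        table = TABLES[name]


def reply_is_symmetric(host_table: List[Route], client_ip: str) -> bool:
    """Published traffic enters via the SonicWall (X1 -> X0); the reply must leave
    the same way, or the SonicWall's NAT/state entry for the connection never sees it."""
    return path(host_table, client_ip)[0] == "sonicwall"


if __name__ == "__main__":
    client = "203.0.113.10"   # constructed Internet client
    for label, table in (("original", TS_ORIGINAL), ("fixed", TS_FIXED)):
        print(label, "reply to client ->", path(table, client),
              "symmetric:", reply_is_symmetric(table, client))
        print(label, "to remote site  ->", path(table, "10.10.9.5"))
```

Run it directly to print both paths. The point to notice is that the failure in the original question is not something the firewall can report: the reply simply leaves via the Edgemarc and never returns to the SonicWall's connection state, so from the SonicWall's side the published session just times out.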
 

Author Comment

by:jmchristy
ID: 35160064
Yes, that makes sense except for that last part.  About the other router having a static route back to the LAN subnet.  There are currently no static routes on it, I rely on the VPN tunnel in order to reach that remote site and vice versa.

The 2nd ISP is used for VPN traffic, and it also (thru the Edgemarc WAN/LAN ports) connects with our phone system to handle/route SIP calls to a SIP server.  There is a NAT setup on the Edgemarc that takes traffic from the WAN interface and routes it to the LAN IP of my phone system.
 
LVL 33

Expert Comment

by:digitap
ID: 35160132
in that event, i don't think i'd involve the sonicwall at all. assuming that you remove the dmz and move your hosts to the X0 (LAN) interface, i'd put the LAN of the edgemarc on the LAN subnet. set up a static route on the sonicwall to send vpn traffic to the LAN ip address of the edgemarc.

this would eliminate the need for a route at the other sites. they already know about the network as it's controlled by their end through the vpn. the issue here is that the sonicwall isn't managing those vpns. you could put the 2nd isp on an interface of the sonicwall and configure a secondary WAN interface removing the edgemarc completely. this would make routing MUCH easier.

if you keep the edgemarc, i wouldn't put it through the sonicwall. just configure the sonicwall to route vpn traffic to it.

is your VoIP server on the LAN subnet (again assuming)?
 

Author Comment

by:jmchristy
ID: 35161013
I'm not sure if I could remove the Edgemarc completely, because our VoIP/SIP server is hosted externally.  We have a phone system on-site but it's not routing any VoIP traffic, it just is an endmarc for our digital keysets.  Any calls incoming/outgoing are routed to and from the Edgemarc and the Edgemarc sends it to a SIP server (coredial).
 
LVL 33

Expert Comment

by:digitap
ID: 35161033
cool. then, i'd keep it separate from the sonicwall. give the LAN interface an IP on the LAN subnet and set up the route on the sonicwall.

once you re-org your sonicwall as indicated above, i think your setup will simplify. adds, moves, and changes will be easier...so will troubleshooting.
 

Author Comment

by:jmchristy
ID: 35161054
Ok then that's what I will do, just keep the Edgemarc separate...have its ISP go into the WAN of the Edgemarc and the LAN directly into the switch.

I can make the changes we spoke of earlier to help simplify my setup, appreciate your help digitap!
 

Author Closing Comment

by:jmchristy
ID: 35161060
ty digitap
 
LVL 33

Expert Comment

by:digitap
ID: 35161071
you're welcome! thanks for the points!
 

Author Comment

by:jmchristy
ID: 35164723
Digitap, I was reading over this and have a few more questions if you don't mind :)

Did you want me to take the LAN of the Edgemarc and put it into X3? Or just keep it separate and put it directly into the switch? I thought what I gathered was to keep it separate from the Sonicwall, but when you said "give the LAN interface an IP on the LAN subnet and setup the route on the sonicwall" it lost me.
 
LVL 33

Expert Comment

by:digitap
ID: 35165634
sure. "keep it separate from the sonicwall" means not setting up a special interface for edgemarc traffic. all you need to do after moving your x3 stuff to x0 is put the LAN of the edgemarc on the switch and give it an IP address on the LAN subnet. you'll use that IP address as the gateway for the route you set up on the sonicwall.
 

Author Comment

by:jmchristy
ID: 35166264
Cool, thanks for the clarification!
