Solved

WatchGuard to SonicWALL

Posted on 2011-03-18
1,093 Views
Last Modified: 2012-08-14
Greetings,

I'm looking to replace my WatchGuard Core X1250e with a SonicWALL NSA5500. I have 200+ users that use the WG MUVPN client to connect remotely to my network daily. My question is: is there a way to do a gradual migration from WG to SW with both devices on the network at the same time? While this seems to be a potential disaster, it would allow the migration of remote users to move to the new SW firewall via the Global VPN Client (GVC) in advance of a cutover. Yes, we could look at implementation of the Aventail SSL solution, but that is budgeted and scheduled for later this year. It is the remote users that concern me in the case of a hard cutover. However, I foresee having issues with routing, especially with 2 gateways. But, if there is a fairly reasonable way to do it, I'm all for it.

On a side note, is there a way to migrate the config from WG to SW?

Thanks for any assistance.

Jer
Question by:Jer
9 Comments
LVL 33

Expert Comment

by:digitap
ID: 35170144
What I would do is change the IP subnet on the LAN interface on the WatchGuard. Set up a new zone on the SonicWALL and assign it to an available interface. Make the interface the same subnet as the IP assigned to the WatchGuard.

On the SonicWALL, make it the gateway in place of the WatchGuard.

Use the SonicWALL to route incoming WG MUVPN access.

This should allow you to have both in place.

Thoughts?

Regarding your last question, no. There isn't a way to migrate other than manually doing it.
LVL 3

Author Comment

by:Jer
ID: 35185177
Digitap,

Why the need to change the IP subnet on the LAN of the WG? It seems that your suggestion simply has me place them both (SW & WG) on the same subnet. Perhaps I'm misreading and your intention is for the LAN on the SW to take over the current WG gateway address (192.168.1.2) and for the created zone to support the WG on a different subnet?

Just trying to get my arms around the concept.

Thanks,

Jer
LVL 33

Expert Comment

by:digitap
ID: 35186163
Your final comment is it exactly. There are two steps. 1. Replace the primary gateway (WG) with the SonicWALL. 2. Change the LAN subnet of the WG and create a new zone on the SonicWALL.

What this does is allow your WG VPN users to maintain access, and it simplifies routing. If you put the WG on the same subnet as the SonicWALL, you'd have to decide how to parse out the traffic as far as routing is concerned. In my mind, it would make routing simpler. Also, since you're getting rid of your WG anyway, why not remove the primary dependence on it.

Hope that clarifies things.
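A small addressing-plan check for the two-step layout described above (SonicWALL takes over the LAN gateway, WatchGuard re-addressed onto its own subnet behind a new SonicWALL zone). This is an added example written for this page, not code from the thread or from either vendor. The only value taken from the thread is the LAN gateway 192.168.1.2; the zone subnet, the WG's new address and the MUVPN client pool are constructed placeholders. It flags the "two gateways on one subnet" situation digitap warns about, checks that the zone subnets do not overlap, and emits the static routes each box needs so MUVPN users still reach the LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network


@dataclass(frozen=True)
class MigrationPlan:
    """Interface addressing for the interim dual-firewall layout (CIDR strings)."""
    sw_lan: str        # SonicWALL LAN interface; takes over the old WG gateway address
    sw_wg_zone: str    # SonicWALL interface in the new zone that faces the WatchGuard
    wg_lan: str        # WatchGuard LAN interface after it is moved off the main LAN
    muvpn_pool: str    # address pool handed to WG MUVPN clients (constructed value)


def check_plan(plan: MigrationPlan) -> list[str]:
    """Return a list of problems with the plan; an empty list means it is routable."""
    issues = []
    sw_lan = ip_interface(plan.sw_lan)
    sw_zone = ip_interface(plan.sw_wg_zone)
    wg = ip_interface(plan.wg_lan)
    pool = ip_network(plan.muvpn_pool)

    # Step 2 of the plan: the WG must leave the main LAN, otherwise hosts see two
    # gateways on the same subnet and traffic may take asymmetric paths.
    if wg.network == sw_lan.network:
        issues.append("WG still on the same subnet as the SonicWALL LAN (two gateways)")

    # The new zone must be a distinct subnet from the LAN the SonicWALL now owns.
    if sw_lan.network.overlaps(sw_zone.network):
        issues.append("SonicWALL LAN and WG zone subnets overlap")

    # The WG's new address has to live in the zone subnet so the SonicWALL can
    # use it as a directly connected next hop.
    if wg.network != sw_zone.network:
        issues.append("WG address is not inside the SonicWALL WG-zone subnet")
    elif wg.ip == sw_zone.ip:
        issues.append("WG and SonicWALL zone interface share the same address")

    # The MUVPN client pool is routed, not bridged, so it must not collide
    # with either connected subnet.
    for name, net in (("LAN", sw_lan.network), ("WG zone", sw_zone.network)):
        if pool.overlaps(net):
            issues.append(f"MUVPN pool overlaps the {name} subnet")
    return issues


def static_routes(plan: MigrationPlan) -> dict[str, list[tuple[str, str]]]:
    """Static routes (destination, next hop) each firewall needs for MUVPN traffic.

    SonicWALL: reach the MUVPN client pool via the WG's zone-side address.
    WatchGuard: reach the main LAN via the SonicWALL's zone interface.
    """
    sw_lan = ip_interface(plan.sw_lan)
    sw_zone = ip_interface(plan.sw_wg_zone)
    wg = ip_interface(plan.wg_lan)
    pool = ip_network(plan.muvpn_pool)
    return {
        "sonicwall": [(str(pool), str(wg.ip))],
        "watchguard": [(str(sw_lan.network), str(sw_zone.ip))],
    }


# Constructed sample plans: only 192.168.1.2 comes from the thread.
GOOD_PLAN = MigrationPlan(
    sw_lan="192.168.1.2/24",
    sw_wg_zone="192.168.50.1/24",
    wg_lan="192.168.50.2/24",
    muvpn_pool="10.10.10.0/24",
)

# The layout Jer asked about: WG left on the LAN next to the SonicWALL.
BAD_PLAN = MigrationPlan(
    sw_lan="192.168.1.2/24",
    sw_wg_zone="192.168.50.1/24",
    wg_lan="192.168.1.3/24",
    muvpn_pool="10.10.10.0/24",
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        problems = check_plan(plan)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
        if not problems:
            for box, routes in static_routes(plan).items():
                for dest, via in routes:
                    print(f"  {box}: {dest} via {via}")
```

The routes the script prints are the minimum for the interim period; the SonicWALL's access rules for the new zone still have to permit the MUVPN pool into the LAN, and any NAT the WG performed for inbound services moves to the SonicWALL at step 1.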
LVL 3

Author Comment

by:Jer
ID: 35236698
Digitap,

With your suggestion, I'd think that I'd have to have the SonicWALL completely configured (to replace the WG effectively) and remove nearly all configuration from the WG? My concern is trying to avoid anything getting lost in routing. I currently have the WG performing NAT as needed (email, TS environment, web server, etc.). Seems like having both units up at the same time would still require me to not have certain parts of the SW configured. I'm currently working in my test environment to replicate my WG environment on my SW. I hope to have that done in the next couple of days. At that point, I hope to have the remaining effort be a sequence of bite-size pieces. :-)

Thanks,

Jer
LVL 33

Expert Comment

by:digitap
ID: 35314631
Sorry for the delay. Wife and I had our baby on the 26th, so busy with that.

Anywho, you are correct. You'd be swapping roles of the two appliances. I've been thinking about it and I don't see any other way around it. You'd be intrusively affecting everything but the remote users, but I believe that, based on your question, this was your biggest concern. Once you change out the two appliances, you could slowly migrate the remote users from the WG to the SW.

Hope that makes sense. I'd be happy to assist through the SW config if you need.
LVL 3

Author Comment

by:Jer
ID: 35319708
Gratz on the kiddo. Can't believe you blew off responding for such an excuse, but... :-P Well, much to my surprise/delight, I got approval to move forward with the purchase of the Aventail SSL appliance. This may solve all issues, as I should be able to get users connecting via the agent and then just change its destination upon going live (from WG to SW). At least that is my understanding. While you are correct about avoiding pain to my remote users, I don't want to add a significant amount of unnecessary pain to myself or my support team. It seems that having a simultaneous existence of the WG and SW creates way more havoc than it is worth. Are you familiar with the SSL appliance?

Thanks,

Jer
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 35320733
Yes, my priorities are so out of line!! >GRIN<!

The SSL appliance is really going to make a difference. I've installed a couple and they are nice. The portals are great and you can use them to customize access. With single sign-on, you can move users right into a TS session with a single login to the portal. It's nice!

You'll want to deploy it with the SonicWALL... but that's not necessary. You could move it between the WG and SW as you moved away from the WG. I use the following deployment guide to decide how I want to configure the SSL appliance.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6122
LVL 3

Author Comment

by:Jer
ID: 35417622
Sorry, been out ill for a bit. Great information. I'm looking to take full advantage of the appliance and ease the transition, in addition to the NAC options.

Thanks for your input.

Jer
LVL 33

Expert Comment

by:digitap
ID: 35421521
Sure. Glad I could assist and thanks for the points!