Jer asked:
WatchGuard to SonicWALL

Greetings,

I'm looking to replace my WatchGuard Core X1250e with a SonicWALL NSA5500. I have 200+ users that use the WG MUVPN client to connect remotely to my network daily. My question is: Is there a way to do a gradual migration from WG to SW with both devices on the network at the same time? While this seems to be a potential disaster, it would allow the migration of remote users to move to the new SW firewall via the Global VPN Client (GVC) in advance of a cutover. Yes, we could look at implementation of the Aventail SSL solution, but that is budgeted and scheduled for later this year. It is the remote users that concern me in the case of a hard cutover. However, I see having issues with routing, especially with 2 gateways. But, if there is a fairly reasonable way to do it, I'm all for it.

On a side note, is there a way to migrate the config from WG to SW?

Thanks for any assistance.

Jer
digitap:

what I would do is change the IP subnet on the LAN interface on the watchguard. set up a new zone on the sonicwall and assign it to an available interface. make the interface the same subnet as the IP assigned to the watchguard.

on the sonicwall, make it the gateway in place of the watchguard.

use the sonicwall to route incoming WG MUVPN access.

this should allow you to have both in place.

thoughts?

regarding your last question, no. There isn't a way to migrate other than manually doing it.
Jer (asker):
Digitap,

Why the need to change the IP subnet on the LAN of the WG? It seems that your suggestion simply has me place them both (SW & WG) on the same subnet. Perhaps I'm misreading and your intention is for the LAN on the SW to take over the current WG gateway address (192.168.1.2) and the created zone supports the WG on a different subnet?

Just trying to get my arms around the concept.  

Thanks,

Jer
your final comment is it exactly. there are two steps. 1. replace the primary gateway (WG) with the sonicwall. 2. change the LAN subnet of the WG and create a new zone on the sonicwall.

what this does is allow your WG vpn users to maintain access and simplifies routing. if you put the WG on the same subnet as the sonicwall, you'd have to decide how to parse out the traffic as far as routing is concerned. in my mind, it would make routing simpler. also, since you're getting rid of your WG anyway, why not remove the primary dependence on it.

hope that clarifies things.
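The two-step plan above hinges on keeping the addressing unambiguous: the SonicWALL takes over the existing LAN gateway address, the WatchGuard moves onto a subnet of its own behind a dedicated SonicWALL zone, and the MUVPN client pool has to be reachable from the LAN through exactly one path. The script below is an added example (not from the thread or from either vendor) that sanity-checks such a plan before anyone touches a firewall: it flags overlapping prefixes, confirms each interface address lives in the subnet its role implies, and lists the static routes each box needs. The 192.168.1.2 gateway address comes from the question; every other subnet and address is a constructed placeholder and should be replaced with real values.

```python
import ipaddress
from itertools import combinations

# Constructed sample addressing. Only 192.168.1.2 is taken from the thread;
# the 192.168.50.x and 192.168.60.x values are hypothetical placeholders.
PLAN = {
    "lan": "192.168.1.0/24",          # existing LAN; SonicWALL becomes its gateway
    "wg_transit": "192.168.50.0/24",  # hypothetical new WatchGuard LAN / SonicWALL zone subnet
    "muvpn_pool": "192.168.60.0/24",  # hypothetical MUVPN client address pool behind the WG
}
ADDRESSES = {
    "sw_lan_gateway": "192.168.1.2",  # gateway address mentioned by the asker
    "sw_transit_if": "192.168.50.1",  # hypothetical SonicWALL interface in the new zone
    "wg_transit_if": "192.168.50.2",  # hypothetical WatchGuard LAN interface after re-subnetting
}
# Which subnet each interface address is expected to sit in.
ROLE_SUBNET = {
    "sw_lan_gateway": "lan",
    "sw_transit_if": "wg_transit",
    "wg_transit_if": "wg_transit",
}


def find_overlaps(subnets):
    """Return every pair of named prefixes that overlap.

    Any hit means two gateways could both claim the same destination, which is
    the ambiguous-routing situation the plan is meant to avoid.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def check_addresses(subnets, addresses):
    """Confirm each interface address is inside the subnet its role implies."""
    problems = []
    for role, addr in addresses.items():
        net = ipaddress.ip_network(subnets[ROLE_SUBNET[role]])
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"{role} {addr} is not inside {ROLE_SUBNET[role]} {net}")
    return problems


def required_routes(subnets, addresses):
    """Static routes each appliance needs once the SonicWALL is the primary gateway.

    The SonicWALL must send MUVPN client traffic to the WatchGuard's transit
    address; the WatchGuard must send LAN-bound traffic (including replies to
    remote users) to the SonicWALL's interface in the new zone.
    """
    return {
        "sonicwall": [(subnets["muvpn_pool"], addresses["wg_transit_if"])],
        "watchguard": [(subnets["lan"], addresses["sw_transit_if"])],
    }


def validate_plan(subnets=PLAN, addresses=ADDRESSES):
    """Return a list of human-readable issues; an empty list means the plan is consistent."""
    issues = [f"overlap: {a} and {b}" for a, b in find_overlaps(subnets)]
    issues += check_addresses(subnets, addresses)
    return issues


if __name__ == "__main__":
    problems = validate_plan()
    print("plan issues:", problems or "none")
    for box, routes in required_routes(PLAN, ADDRESSES).items():
        for dest, via in routes:
            print(f"{box}: route {dest} via {via}")
```

Run it with the real subnets substituted in; a non-empty issue list is the cue to fix the addressing before re-subnetting the WatchGuard, since an overlap would leave LAN hosts and the SonicWALL unable to tell which gateway owns a given destination.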
Jer (asker):
Digitap,

With your suggestion, I'd think that I'd have to have the SonicWALL completely configured (to replace the WG effectively) and remove nearly all configuration from the WG? My concern is trying to avoid anything getting lost in routing. I currently have the WG performing NAT as needed (email, TS environment, web server, etc). Seems like having both units up at the same time would still require me to not have certain parts of the SW configured. I'm currently working in my test environment to replicate my WG environment on my SW. I hope to have that done in the next couple of days. At that point, I hope the remaining effort will be a sequence of bite-size pieces. :-)

Thanks,

Jer
Sorry for the delay. Wife and I had our baby on the 26th, so busy with that.

anywho, you are correct. you'd be swapping roles of the two appliances. I've been thinking about it and I don't see any other way around it. you'd be intrusively affecting everything but the remote users, but I believe that, based on your question, this was your biggest concern. once you change out the two appliances, you could slowly migrate the remote users from the WG to the SW.

hope that makes sense. I'd be happy to assist through the SW config if you need.
Jer (asker):
Gratz on the kiddo. Can't believe you blew off responding for such an excuse, but... :-P Well, much to my surprise/delight, I got approval to move forward with the purchase of the Aventail SSL appliance. This may solve all issues, as I should be able to get users connecting via the agent and then just change its destination upon going live (from WG to SW). At least that is my understanding. While you are correct about avoiding pain for my remote users, I don't want to add a significant amount of unnecessary pain to myself or my support team. It seems that having a simultaneous existence of the WG and SW creates way more havoc than it is worth. Are you familiar with the SSL appliance?

Thanks,

Jer
ASKER CERTIFIED SOLUTION by digitap:
Jer (asker):
Sorry, been out ill for a bit. Great information. I'm looking to take full advantage of the appliance and ease the transition, in addition to the NAC options.

Thanks for your input.

Jer
Sure. Glad I could assist and thanks for the points!