Solved

PaloAlto Solution for 2008R2 Servers on outside network

Posted on 2016-08-31
6
154 Views
Last Modified: 2016-09-09
Hello Experts,
I'm very much a novice when it comes to firewall security, terms, and options.

I have a small network which is protected by a pair of PA3020 security devices.  The current setup is working great and I have a decent handle on the security of the local networks.  I also have a working VPN (GlobalProtect) setup working with my users when they travel off-site.

I've been tasked with moving our internal infrastructures servers (DC, Shared Storage, AV, Monitoring, RADIUS, Print) to a virtual server farm which exists outside of our "trusted networks".  The server farm is accessible on the internet, but from the perspective of my local "trusted" LANs the IP range of the new VM servers is considered out on the public internet.

I do not have access to their security appliances at the server farms, only RDP to the servers.  I'm not sure at what level I can request edits to whatever security device is managing the access to my VM servers.

The VMs themselves will all be Win Server2008R2 OS, and I have admin access to the boxes via RDP.  As far as I know the security team is allowing unfettered access to the servers from my public IP address.

Keeping things at a novice level...  what are my options with regards to getting these VM servers to join my "trusted networks" and become a viable infrastructure to my LANs?

What I need to happen:
 - The server farm need to attach to my "Trusted Networks"
 - Upon reboot the servers need to automatically re-connect to my "Trusted Networks"
 - The servers will only be infrastructure boxes... (no end-user logins)
 - The servers need to have communications with my LANs and supply their individual services as if they were on-site.

What I've attempted:
I've contacted PA and have an open case.  They have suggested a GlobalProtect client type setup with "Pre-Logon" and "Always-On" VPN configuration.  I'm not sure if this is what I'm needing to setup as I will not have a user tied to the servers.

Global Protect (Client Configurations)
Global Protect (Always-On)


I'm open to any direction.  If by chance you could offer a step-by-step that would be great.
0
Comment
Question by:irishmic33
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 12

Expert Comment

by:Bryant Schaper
ID: 41778475
This seems like a very messed up design, your infrastructure servers should not be on the public internet.

What service are you hosting them in?  Is it a public cloud infrastructure like AWS or Azure?
0
 
LVL 2

Author Comment

by:irishmic33
ID: 41778609
This would be considered a private cloud.  

The service/data center is a consortium of entities which host for local businesses on our local fiber ring.  While I say raw Internet, the data center is logically no different than being on the Internet with respect to my networks.  All traffic will need to route across the PA device, but hopefully as a secure connection.

So while its not actually on the public net I'm treating it as it it were for the sake of the PA device.
0
 
LVL 12

Accepted Solution

by:
Bryant Schaper earned 500 total points
ID: 41778697
So what is trust and untrust is really up to you, they are just labels.  But from what you are trying to do, I would look more at what options your private provider is offering?

Are the servers on a private network together, can you install virtual Palo Alto and setup a VPN tunnel or can they establish a VPN tunnel to your PA?  These are important questions, you could set them up with globalprotect, but you will be relying a poor vpn client in the first place.  We use GlobalProtect and it can be very flaky.  The other option would be to use the built in VPN of Windows, but these are core machines like the DC, so they should not rely on software vpn, that is why a would push a hardware or software firewall to establish the connection.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Author Comment

by:irishmic33
ID: 41778833
I'll approach the vendor about a hardware solution.

When you say software... Could you offer examples?  Are you thinking software on the boxes themselves or software running outside of my VMs?

Is the Win Server built in VPN a viable option?  I've never worked with it, but I'm open to what would work.

Thanks.
0
 
LVL 12

Expert Comment

by:Bryant Schaper
ID: 41778884
Windows server is viable, but I dont think it is a good fit.

I was more referring to a "virtual firewall" appliance, like the palo alto VM for example.

You would have a "cloud network" for example call it 10.0.0.0/24 that all your cloud machines are on.  That network would be behind the vm firewall, that has the public IP.   That VM firewall would establish a VPN tunnel to the on prem palo alto and your inside devices would just know to go to the palo alto to get to those devices.
0
 
LVL 2

Author Closing Comment

by:irishmic33
ID: 41791640
Thank you for your assistance.  I have contacted our ISP and am waiting back to hear from them the options for a secure connection.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question