We help IT Professionals succeed at work.
Get Started

PaloAlto Solution for 2008R2 Servers on outside network

838 Views
Last Modified: 2016-09-09
Hello Experts,
I'm very much a novice when it comes to firewall security, terms, and options.

I have a small network which is protected by a pair of PA3020 security devices.  The current setup is working great and I have a decent handle on the security of the local networks.  I also have a working VPN (GlobalProtect) setup working with my users when they travel off-site.

I've been tasked with moving our internal infrastructures servers (DC, Shared Storage, AV, Monitoring, RADIUS, Print) to a virtual server farm which exists outside of our "trusted networks".  The server farm is accessible on the internet, but from the perspective of my local "trusted" LANs the IP range of the new VM servers is considered out on the public internet.

I do not have access to their security appliances at the server farms, only RDP to the servers.  I'm not sure at what level I can request edits to whatever security device is managing the access to my VM servers.

The VMs themselves will all be Win Server2008R2 OS, and I have admin access to the boxes via RDP.  As far as I know the security team is allowing unfettered access to the servers from my public IP address.

Keeping things at a novice level...  what are my options with regards to getting these VM servers to join my "trusted networks" and become a viable infrastructure to my LANs?

What I need to happen:
 - The server farm need to attach to my "Trusted Networks"
 - Upon reboot the servers need to automatically re-connect to my "Trusted Networks"
 - The servers will only be infrastructure boxes... (no end-user logins)
 - The servers need to have communications with my LANs and supply their individual services as if they were on-site.

What I've attempted:
I've contacted PA and have an open case.  They have suggested a GlobalProtect client type setup with "Pre-Logon" and "Always-On" VPN configuration.  I'm not sure if this is what I'm needing to setup as I will not have a user tied to the servers.

Global Protect (Client Configurations)
Global Protect (Always-On)


I'm open to any direction.  If by chance you could offer a step-by-step that would be great.
Comment
Watch Question
CERTIFIED EXPERT
Commented:
This problem has been solved!
Unlock 1 Answer and 6 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE