1 Reply Latest reply on Dec 19, 2012 2:38 AM by MarXtar

    Is our setup correct???

    Apprentice

      Hello

      I am having a bit of an issue getting our gateway to work properly. To begin with, I want to find out if our current setup is correct and, if not, what the best setup would be. Our setup looks like this:

      in DMZ              allows communication between DMZ and ISN                    in ISN

      [[[gateway]]] <------------------------->[TMG] <-------------------------------------------> [[[core server]]]

      Eventually we will also have the TMG handle public facing communications as well. So:

      in DMZ              allows communication between DMZ and ISN                    in ISN

      [[[gateway]]] <------------------------->[TMG] <-------------------------------------------> [[[core server]]]

                                                                  =

                                                                  =

                                                                  =

                                      [workstations/mobile devices outside of network]

        • 1. Re: Is our setup correct???
          MarXtar ITSMMVPGroup

          Not quite clear what your diagram describes, but having the gateway in a DMZ is a pretty standard implementation.

          Some basic setup and troubleshooting tips:

          • If at all possible, do not rack-mount the appliance (if using the physical one) until you have confirmed all of the connectivity, because it can be a real pain going backwards and forwards
            • Get ports mapped to your desk or somewhere else until it all is proven to work
          • External DNS needs to be set up to resolve to an external IP address which is forwarded to the externally facing interface of your gateway appliance
            • For testing purposes you can configure the connection from the core and clients using just IP addresses, but you shouldn't really need to; I tend to try that when working out if the security department have really given me what I asked for, and I do that by connecting the gateway to a broadband connection that doesn't have the corporate security, just to prove the basic concept
          • The appliance has a built-in firewall that needs to be configured correctly to allow communication on the subnets you have specified
            • Turn this off temporarily to prove that your communication is working correctly to start with
            • This means you can attempt to ping the appliance (easy on a broadband test, not so easy if your security team do not forward pings)
              • If this works when turned off but not when turned on, then you have a configuration issue with your appliance firewall
          • Use a simple internet connection for testing from a configured laptop; I tend to use a portable MiFi or even the tethering option on my phone to have a device check connectivity over the internet

          Hope some of this helps. In short, configuration isn't hard providing you get what you ask for from security (and you asked for the right thing). If possible, start as open as you can be and then lock down, rather than starting from a locked-down state.

          Mark McGinn

          MarXtar Ltd

          http://landesk.marxtar.co.uk

          LANDesk Silver ESP

          The One-Stop Shop for LANDesk Enhancements

          - Wake-On-WAN - Distributed Wake-On-LAN, Scheduled Power Down, and SWDist Sequencing

          - State Notifier - Real-Time Device & User State Inventory Updating & Alerting

          Update - WoW & State Notifier now integrate for even more functionality

          Update - State Notifier now detects machine and user Idle states
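Added example, not part of the thread above or of any LANDesk tooling: a small Python checker that walks the troubleshooting order from the reply (external DNS record, then reachability with the appliance firewall off, then with it on) and turns the results into the diagnosis the reply describes. The hostname, expected external IP and port list are placeholders you substitute for your own environment; none of them come from the post.

```python
import socket
from typing import Dict, Optional

# Placeholder values (assumptions for this example, not from the thread).
GATEWAY_NAME = "gateway.example.invalid"      # external DNS name of the gateway
EXPECTED_EXTERNAL_IP = "203.0.113.10"         # IP the security team said they forward
PORTS_TO_CHECK = [443]                        # whatever ports your gateway is expected to accept


def resolve_matches(hostname: str, expected_ip: str) -> Optional[bool]:
    """True if the public name resolves to the forwarded address, False if it resolves
    elsewhere, None if it does not resolve at all (record missing)."""
    try:
        return socket.gethostbyname(hostname) == expected_ip
    except socket.gaierror:
        return None


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """A completed TCP handshake proves the path through TMG and the appliance allows the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, ports) -> Dict[int, bool]:
    """Probe each port once; run this twice, with the appliance firewall off and then on."""
    return {p: tcp_open(host, p) for p in ports}


def diagnose(dns_ok: Optional[bool], fw_off: Dict[int, bool], fw_on: Dict[int, bool]) -> str:
    """Apply the reply's reasoning to the three observations and name the layer to fix."""
    if dns_ok is None:
        return "dns: external name does not resolve, fix the public DNS record first"
    if not dns_ok:
        return "dns: name resolves to a different address than the one forwarded to the gateway"
    blocked_off = sorted(p for p, ok in fw_off.items() if not ok)
    if blocked_off:
        return f"upstream: ports {blocked_off} blocked even with appliance firewall off (TMG/forwarding)"
    blocked_on = sorted(p for p, ok in fw_on.items() if not ok)
    if blocked_on:
        return f"appliance: ports {blocked_on} work with firewall off but not on (appliance firewall rules)"
    return "ok: connectivity proven, now lock the appliance firewall down to the required subnets"


if __name__ == "__main__":
    dns = resolve_matches(GATEWAY_NAME, EXPECTED_EXTERNAL_IP)
    off = probe_ports(EXPECTED_EXTERNAL_IP, PORTS_TO_CHECK)   # taken with appliance firewall off
    on = probe_ports(EXPECTED_EXTERNAL_IP, PORTS_TO_CHECK)    # repeat after turning it back on
    print(diagnose(dns, off, on))
```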