MDM Gateway and WAN NAT
- Hello, I've seen in the MDM documentation that an MDM Gateway with a private IP address is not supported because of NAT timeout, the Alerter, etc., but some VPN functionalities work well and we would prefer using NAT if possible!...
So, does anybody have a similar configuration (MDM GW behind a WAN NAT) with:
A private address (not routable on the Web)
Enterprise FW port redirection (IKE, etc.)
If the answer is NO, what is your architecture? We are thinking of sharing one of our public addresses with MDM port redirection to the MDM Gateway...
Thanks for your help
Answers
Port redirection is effectively a NAT, so it would be subject to the same "translation", and therefore subject to the same device wipe and timeout issues. As port redirection is a NAT, I'm guessing this would not be supported.
The MDM solution does support SNAT (source NAT), as most carriers NAT the devices at source. MDM uses negotiation of NAT-Traversal in IKE to support SNAT. It does not support DNAT (destination NAT), or any destination translation of the IPsec traffic. IPsec uses AH (Authentication Headers) to check that the traffic has not been modified.
Destination NAT does not offer any additional security, and increases latency (a little bit) in the translation, so a dedicated IP is the best option.
There are only two reasons to require NAT: 1) lab environment; 2) cost (additional IP addresses, if your ISP does such things).
This being said, you can still get this working in a supported mode with limited IP addresses. ;-) This is very dependent on your firewall. In the past, I've included one IP range as a network route and included the same subnet in port redirection rules! Not sure your firewall vendor will support this either!
The NAT rules are usually processed first, so you can set port redirection for your other services (HTTP, FTP, whatever!). If traffic matches these rules, it gets redirected to the relevant backend servers. If the traffic doesn't match a NAT rule, it gets processed by the router daemon and sent directly to the MDM server, unmolested. The benefit is having one IP address servicing MDM in a supported mode, and also servicing other services through NAT. Not a best-practice setup, but great for cost-effective lab environments. I was in a hurry!
Cheers Wayne
Airloom
- Marked As Answer by Lylian L, Friday, May 29, 2009 12:05 PM
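The single-address layout Wayne describes, as an added example that is not part of the original thread, written as a Linux nftables ruleset rather than for any particular enterprise firewall. The interface names (wan0, dmz0), the routed public block 203.0.113.0/28, the gateway address 203.0.113.10 and the backend hosts 10.0.20.80 and 10.0.20.21 are all assumed. The point it shows is the rule ordering from the reply: the nat prerouting chain runs before the routing decision, so the two port-redirection rules catch HTTP and FTP for the shared address, while IKE (udp/500), NAT-T (udp/4500) and ESP addressed to the same IP match no DNAT rule, fall through untranslated, and are routed to the gateway, which has the public address configured on it directly.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumed layout:
#   wan0          - Internet-facing interface of the firewall
#   dmz0          - DMZ interface; the routed public block 203.0.113.0/28 lives here
#   203.0.113.10  - public address configured directly on the MDM Gateway in the DMZ
#   10.0.20.80    - internal web server that should appear on 203.0.113.10:80
#   10.0.20.21    - internal FTP server that should appear on 203.0.113.10:21
# The route itself is outside nftables, set once on the firewall:
#   ip route add 203.0.113.0/28 dev dmz0
flush ruleset

table ip edge {
    # The dstnat hook runs before the routing decision, so a DNAT match here
    # wins over the static route; anything that does not match is routed as-is.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Port redirection for the non-MDM services that share the public address.
        iif "wan0" ip daddr 203.0.113.10 tcp dport 80 counter dnat to 10.0.20.80
        iif "wan0" ip daddr 203.0.113.10 tcp dport 21 counter dnat to 10.0.20.21

        # Deliberately no DNAT for IKE, NAT-T or ESP: these rules only count, so
        # the traffic keeps its destination address and falls through to routing.
        # Non-zero counters here, with the DNAT counters above unchanged for the
        # same flows, confirm the IPsec path is untranslated.
        iif "wan0" ip daddr 203.0.113.10 udp dport { 500, 4500 } counter
        iif "wan0" ip daddr 203.0.113.10 ip protocol esp counter
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Routed (untranslated) traffic to the MDM Gateway: IKE, NAT-T and ESP only.
        iif "wan0" oif "dmz0" ip daddr 203.0.113.10 udp dport { 500, 4500 } accept
        iif "wan0" oif "dmz0" ip daddr 203.0.113.10 ip protocol esp accept

        # Traffic the nat chain rewrote on its way to the backends.
        iif "wan0" ct status dnat tcp dport { 80, 21 } accept

        # Outbound from the DMZ (the gateway's own connections, e.g. to the
        # internal MDM servers or the Internet).
        iif "dmz0" oif "wan0" accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Only RFC 1918 sources are masqueraded. The gateway sources its own
        # traffic from 203.0.113.10, which is outside 10.0.0.0/8 and so leaves
        # untranslated; SNAT is only applied on the carrier side of the devices.
        oif "wan0" ip saddr 10.0.0.0/8 masquerade
    }
}
```

Load it with `nft -f edge.nft` and, after a device has connected, read the counters back with `nft list ruleset`: the udp 500/4500 and esp rules in prerouting should be climbing while the tcp 80/21 DNAT rules only move for web and FTP traffic. The backend web and FTP servers see the translated flows as usual; the gateway must hold 203.0.113.10 itself, since nothing rewrites the destination on its behalf.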
All Replies
- Thank you very much for your answer, Wayne!
Regards
Lylan

