SCMDM Gateway server WAN connection
- Hi there guys,
I really hope this is something you can help me with. I have got a requirement that the public IP of the SCMDM gateway server will need to sit behind a firewall.
From the reading I have done so far, NAT for the public interface is not supported! (Well, at least you won't get full functionality out of it.) I have got a Cisco ASA firewall and have a bunch of public IPs available.
My SCMDM gateway is sitting in the DMZ. NIC 1 has a DMZ IP address assigned to it and NIC 2 has a public IP. Is there a way of setting this up so that the public interface sits behind the firewall as well? At the moment some traffic is bypassing the firewall and this raises some security concerns.
I would like to find out how everyone else is handling their public IP interfaces on the gateway server.
I intend to configure the server to be accessible from the internet. Is it sufficient to configure static NAT with 1:1 mapping of official to public IP, or PAT? Does SCMDM Gateway support this option?
Cheers
Ras
Answers
- Ras,
Hi there guys,
My SCMDM gateway is sitting in the DMZ. NIC 1 has a DMZ IP address assigned to it and NIC 2 has a public IP. Is there a way of setting this up so that the public interface sits behind the firewall as well?
If I am reading this correctly, this is exactly how I set up the MDM gateway. DMZ NIC 1 should be internally facing and have a private IP assigned. DMZ NIC 2 should be externally facing and have a public IP assigned. DMZ NIC 2 should have a default gateway assigned. DMZ NIC 1 should not have a default gateway assigned. A couple of static routes thrown in for good measure and you are good to go. Are you with me so far?
The big difference is how you set up your external firewall. You don't need to NAT to your MDM gateway public IP address; this is just a waste of a perfectly good IP address. ;-) The external firewall should be configured to route the traffic to the DMZ rather than NAT it. If you route the traffic to your MDM gateway, you will have a fully supported solution with a functioning alerter service.
PAT is effectively a NAT with extra sauce. ;-) IPSEC has inbuilt security (Authentication Headers) to detect when traffic is being manipulated. So NAT will negate the inbuilt IPSEC AH security. When you start using Windows 7 Direct Access IPSEC VPN (yes, it is a VPN) the same rules apply!
Cheers, Wayne
Airloom
Marked As Answer by Wayne Phillips, MVP, Moderator, Monday, November 09, 2009 12:20 AM
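Wayne's point that NAT negates the IPsec AH check, shown as an added example (not code from the thread or from SCMDM). AH computes its integrity check value over the IP header with only the mutable fields zeroed, so the addresses are covered: a routing hop that decrements TTL still verifies, a NAT hop that rewrites the destination does not. The 20-byte header builder, the HMAC-SHA256 stand-in for the negotiated AH algorithm, the demo key, the gateway private address 192.168.10.5 and the RFC 5737 documentation addresses are all constructed for illustration; the AH header itself is left out of the toy.

```python
"""Toy model of why NAT defeats the IPsec Authentication Header (AH) check.

Added example, not code from the thread. The AH integrity check value (ICV) is
computed over the IP header with the mutable fields (DSCP/ECN, flags/fragment
offset, TTL, header checksum) zeroed plus the payload. Addresses stay covered,
so a NAT hop that rewrites one of them breaks verification at the receiver.
Key, addresses and header layout are constructed; the AH header is omitted.
"""
import hashlib
import hmac
import ipaddress
import struct

DEMO_AH_KEY = b"constructed-demo-key-not-a-real-SA-key"  # a real key comes from IKE
IPPROTO_AH = 51


def build_ipv4_header(src: str, dst: str, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero, it is mutable anyway."""
    version_ihl = (4 << 4) | 5
    return struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, 20, 0, 0, ttl, IPPROTO_AH, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def ah_immutable_view(header: bytes) -> bytes:
    """Zero the fields AH treats as mutable in transit; the addresses stay covered."""
    h = bytearray(header)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL, decremented by every router
    h[10:12] = b"\x00\x00"   # header checksum, recomputed whenever TTL changes
    return bytes(h)


def ah_icv(header: bytes, payload: bytes, key: bytes = DEMO_AH_KEY) -> bytes:
    """ICV over immutable header fields + payload (HMAC-SHA256 as a stand-in)."""
    return hmac.new(key, ah_immutable_view(header) + payload, hashlib.sha256).digest()


def ah_verify(header: bytes, payload: bytes, icv: bytes, key: bytes = DEMO_AH_KEY) -> bool:
    """Receiver-side check: recompute the ICV on the packet as it arrived."""
    return hmac.compare_digest(ah_icv(header, payload, key), icv)


def router_hop(header: bytes) -> bytes:
    """A plain routing hop: decrement TTL and nothing else."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)


def nat_hop(header: bytes, new_dst: str) -> bytes:
    """Static 1:1 destination NAT: public gateway address rewritten to the private DMZ one."""
    h = bytearray(header)
    h[16:20] = ipaddress.IPv4Address(new_dst).packed
    return bytes(h)


def demo() -> dict:
    """Does the gateway accept the same signed packet after each kind of hop?"""
    payload = b"constructed IPsec payload from a mobile device"
    device, gw_public, gw_private = "203.0.113.10", "198.51.100.20", "192.168.10.5"
    hdr = build_ipv4_header(device, gw_public)
    icv = ah_icv(hdr, payload)  # computed by the sending device
    return {
        "as_sent": ah_verify(hdr, payload, icv),
        "after_routing_hop": ah_verify(router_hop(hdr), payload, icv),
        "after_nat_hop": ah_verify(nat_hop(hdr, gw_private), payload, icv),
    }


if __name__ == "__main__":
    for hop, ok in demo().items():
        print(f"{hop}: {'accepted' if ok else 'rejected'}")
```

The routed case passes because TTL is one of the fields AH deliberately excludes; the NAT case fails because the destination address is not, which is the same reason the firewall in front of the gateway has to route rather than translate.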
There are two routes that need to be defined. You've created a VPN pool network, so you need to tell your network how to reach it. You also need to tell your MDM gateway where your internal network is.
You need to tell your MDM Gateway how you get to your internal network. I'll assume your LAN segment (that hosts your servers) is 192.168.1.0/24. You need to add this route to your MDM gateway:
route -p ADD 192.168.1.0 MASK 255.255.255.0 192.168.10.254
If you have multiple segments then add multiple static routes. My record is 24 static routes. Examples:
route -p ADD 192.168.1.0 MASK 255.255.255.0 192.168.10.254
route -p ADD 192.168.2.0 MASK 255.255.255.0 192.168.10.254
route -p ADD 192.168.3.0 MASK 255.255.255.0 192.168.10.254
Your devices will be able to route traffic to your internal servers, but your servers will not be able to route traffic back. You need to add a static route to your firewall/router and have this route propagated throughout your network:
route -p ADD 192.168.11.0 MASK 255.255.255.0 (NIC 1 IP address)
Hope this helps.
Cheers, Wayne
Airloom
Marked As Answer by Wayne Phillips, MVP, Moderator, Monday, November 09, 2009 12:20 AM
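The two-route requirement above, as an added example that is not part of the thread or of SCMDM: a toy longest-prefix-match model of the topology Wayne describes, which reproduces the return-path problem he warns about (devices reach the LAN, but replies fall to the router's default route and never come back until the VPN pool route pointing at NIC 1 is added). Addresses follow the thread (LAN 192.168.1.0/24, private DMZ 192.168.10.0/24 with gateway 192.168.10.254, VPN pool 192.168.11.0/24); the gateway's NIC 1 address 192.168.10.5, its tunnel address 192.168.11.1, the device address 192.168.11.50 and the 198.51.100.0/24 public segment are constructed placeholders.

```python
"""Toy longest-prefix-match model of the two-NIC MDM gateway routing.

Added example, not code from the thread. Node names, the 198.51.100.0/24
public segment, the gateway's NIC 1 address 192.168.10.5 and its tunnel
address 192.168.11.1 are constructed; the LAN, DMZ and VPN pool prefixes and
the two static routes are the ones given in the answer.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, next hop or None when directly connected, interface)
Route = Tuple[str, Optional[str], str]


class Node:
    """A host or router: the addresses it owns and its forwarding table."""

    def __init__(self, name: str, addresses: Dict[str, str], routes: List[Route]):
        self.name = name
        self.addresses = {ipaddress.ip_address(a): iface for a, iface in addresses.items()}
        self.routes = [
            (ipaddress.ip_network(p), ipaddress.ip_address(nh) if nh else None, iface)
            for p, nh, iface in routes
        ]

    def lookup(self, dst: ipaddress.IPv4Address):
        """Longest-prefix match, the way a real forwarding table picks a route."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(nodes: Dict[str, Node], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow a packet hop by hop; the last element is the outcome."""
    dst_ip = ipaddress.ip_address(dst)
    owner = {addr: n.name for n in nodes.values() for addr in n.addresses}
    cur, path = nodes[start], [start]
    for _ in range(max_hops):
        if dst_ip in cur.addresses:
            return path + ["delivered"]
        route = cur.lookup(dst_ip)
        if route is None:
            return path + ["dropped(no route)"]
        _, next_hop, _ = route
        target = next_hop if next_hop is not None else dst_ip  # connected: deliver directly
        if target not in owner:
            return path + [f"dropped(unreachable {target})"]
        cur = nodes[owner[target]]
        path.append(cur.name)
    return path + ["dropped(loop)"]


def build_topology(gateway_lan_route: bool, router_pool_route: bool) -> Dict[str, Node]:
    gw_routes: List[Route] = [
        ("192.168.10.0/24", None, "nic1"),       # private DMZ on NIC 1, no default gateway here
        ("198.51.100.0/24", None, "nic2"),       # public segment on NIC 2
        ("192.168.11.0/24", None, "vpn"),        # device VPN pool, terminated on the gateway
        ("0.0.0.0/0", "198.51.100.1", "nic2"),   # the only default gateway lives on NIC 2
    ]
    if gateway_lan_route:
        # route -p ADD 192.168.1.0 MASK 255.255.255.0 192.168.10.254
        gw_routes.append(("192.168.1.0/24", "192.168.10.254", "nic1"))
    fw_routes: List[Route] = [
        ("192.168.10.0/24", None, "dmz"),
        ("192.168.1.0/24", None, "lan"),
        ("0.0.0.0/0", "198.51.100.1", "outside"),
    ]
    if router_pool_route:
        # route -p ADD 192.168.11.0 MASK 255.255.255.0 (NIC 1 IP address)
        fw_routes.append(("192.168.11.0/24", "192.168.10.5", "dmz"))
    nodes = [
        Node("device", {"192.168.11.50": "tunnel"}, [("0.0.0.0/0", "192.168.11.1", "tunnel")]),
        Node("mdm-gateway", {"192.168.10.5": "nic1", "198.51.100.20": "nic2", "192.168.11.1": "vpn"}, gw_routes),
        Node("fw-router", {"192.168.10.254": "dmz", "192.168.1.1": "lan"}, fw_routes),
        Node("server", {"192.168.1.10": "eth0"},
             [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")]),
        # Upstream router: owns the default-gateway address, carries no route for RFC 1918 space
        Node("internet", {"198.51.100.1": "isp"}, []),
    ]
    return {n.name: n for n in nodes}


def run_scenarios() -> Dict[str, List[str]]:
    """Forward path with the gateway route only, then the reply path before and after the router route."""
    partial = build_topology(gateway_lan_route=True, router_pool_route=False)
    full = build_topology(gateway_lan_route=True, router_pool_route=True)
    return {
        "device_to_server": trace(partial, "device", "192.168.1.10"),
        "server_reply_without_router_route": trace(partial, "server", "192.168.11.50"),
        "server_reply_with_router_route": trace(full, "server", "192.168.11.50"),
    }


if __name__ == "__main__":
    for name, path in run_scenarios().items():
        print(f"{name}: {' -> '.join(path)}")
```

Without the route on the firewall/router the reply for 192.168.11.50 follows the router's default route upstream and is dropped, exactly the one-way traffic the answer describes; with it, the reply is handed to the gateway's NIC 1 address and delivered down the tunnel.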
All Replies
- If you want to go the way of supported scenarios you'll have to avoid NAT and map the public IP directly to the Gateway. The Best Practice Analyzer will flag it as an error if you assign an IP from a private range to the external interface.
You should run the Security Configuration Wizard with the gateway template to reduce the attack surface on the gateway. If you want a firewall in front as an extra layer you should be good, as long as the firewall only locks down the unnecessary ports and doesn't try to modify the packets flowing through. (IPSec isn't too happy with altered traffic.)
I tried running it through a NAT scenario with an ISA server in front, and I simply could not get it to work. (I didn't really expect this either, but I had to test it.) The thing is that the clients might be NATed on their end too (depends on the mobile operator), and double NAT doesn't go along too well with the VPN tunnel. PAT doesn't work either as you cannot configure which ports to use for IPSec in SCMDM.
- DMZ NIC 1 should not have a default gateway assigned. A couple of static routes thrown in for good measure and you are good to go. Are you with me so far?
Hi there Wayne,
Cheers for that. Yes, I believe I am with you on that one. So NIC 1 is in the private DMZ with a private IP, NIC 2 is on the public DMZ with a public IP, and basically I remove the gateway from the private interface and add static routes. A bit more on the static routes. My DMZ private zone is:
192.168.10.x/24 with gw: 192.168.10.254.
I am planning on assigning 192.168.11.x/24 addresses for the devices' VPN pool.
Does that mean I add a static route on my gateway server for 192.168.11.x traffic to be routed via ??? Is that the gateway of the private DMZ?
Cheers
Ras
- Did this help?
Cheers, Wayne
Airloom
- Wayne,
Sorry about that mate, just seen your post!
Yes, that works. I have done exactly that and it seems perfectly fine! I now need to get rid of old devices from the MDM console and see how we go!
Cheers
Ras