
Teleworker DMZ network topology 1

Jan 17, 2007
I have a Mitel Teleworker Server/Gateway. It has 2 NICs.

We put this server on our DMZ so remote users can get it by its public IP. We run our firewall DMZ interface into a DMZ switch, and the server hangs off that.

Then we also run the teleworker's backend interface into the DMZ switch. Then the firewall rules allow remote users onto the server's first IP (outside to DMZ) and allow the server's second IP to get at our Mitel ICP (DMZ to inside).

But the server is supposed to be on our voice vlan. Of course I cannot tag all packets coming off the firewall inside interface as voice since the majority of traffic coming from the firewall is NOT voice traffic.

We discussed running the second NIC directly into an inside switch (and tagging all traffic from it as our voice vlan), but IT IS UNACCEPTABLE to run connections from the DMZ directly into the LAN with no firewall protection.

So what is the typical scenario here? What does everyone else running Teleworker do?

Do I have to directly connect and insert a second firewall between the second NIC and the inside LAN? Because the sales guys didn't mention another required box.
 
I cannot quite make sense of your description but a couple of things stand out.

When configuring the server for a DMZ implementation it only uses 1 NIC. The DMZ programming controls directing traffic to and from the NIC card for internal and external IPs. In the DMZ, the server would be configured in Server Only mode.

With DUAL NICs you have the option of configuring as a Server and Gateway. In this mode the server runs as its own firewall. The External IP would be connected directly to the server (outside the firewall) on one NIC and the LAN with an internal IP would be connected to the other NIC.

My preference by far is DUAL NIC in Server and Gateway mode and leave the DMZ alone.



*******************************************************
If we don't take care of the customer, Maybe they'll stop bugging us.
 
Let's say we keep it on the DMZ and use just one of the NICs, i.e., configure it in Server mode. Then we have rules on the firewall to allow traffic from the server to get to the inside interface. No problem. But how to tag them as our voice vlan? Not all traffic on that interface is voice.

The way I see it there's only 2 solutions:

1) Subinterfaces on the firewall. On the firewall there's a physical (native, untagged) interface on the inside as well as a subinterface (voice vlan tagged). Give the inside subinterface a name then change my firewall rules to allow the second server NIC to talk to that subinterface (rather than the physical interface). Then, on the inside switch, define the connection from the firewall inside to the switch as a trunk with a voice vlan and a native (untagged) vlan. But what should the native vlan be in that case? Currently no vlans are used on the firewall so the core is expecting untagged traffic and assigns it to a vlan depending on the destination. But if a native vlan is set up on the trunk, doesn't a specific vlan have to be chosen?

2) Connecting the second NIC directly to the core and put that switch port on the voice vlan. This makes me very nervous. Assuming the DMZ server succumbs to attack, there's now a path to the LAN. I'd like to allow this server to talk only to the Mitel ICP, but can only guarantee this if the firewall stays in both loops. Then if the server falls, attackers would have only one target available. Remove the DMZ-to-inside hurdle and the entire LAN could be targeted.
 
we have the teleworker and we wanted to place it in a dmz also.
You may be out of luck; we were advised that it will NOT support NAT (we tried and tried, but finally were told quietly, as if they were embarrassed, that the TW server cannot be behind a NAT box). It needs to be placed on the Internet; that's why it comes as a Gateway/FW.
The strange thing is they (Mitel) kept telling us, "Oh, just set it up as a gateway..." After serious pushing they admitted that there is no support for NAT or a DMZ with NAT.

So stop worrying about the VLANs and tagging, and just place that baby on the Internet and LAN. It will protect itself.

John



John - Up in Montreal

It's about who??????
Then make it about us....
 
My DMZ Knowledge is very sketchy but I do know NAT and PORT Forwarding are non-starters.

It has to be connected to a firewall that has a hardware port for DMZ.

The actual programming is way beyond me.

 
You could do it if you place a hardware solution in front, but you will still have to give the IP of the WAN interface a routable IP; you cannot use an RFC 1918 IP network (192.168/16, 172.16/12, 10/8).
These are non-routable, need NAT or PAT, and are dropped at edge routers.
So if you set the box up with a routable Internet IP behind a box, with no NAT but just routing/switching, you could use ACLs or IP policies depending on your router/switch box; just find out what ports you need opened and act accordingly with ACLs or IP policies.

good luck

John

 
The Teleworker has two config options: the server/gateway and the server only. The server/gateway is supposed to work on a network without using a firewall; it should have a direct connection to the Internet on the second NIC, with the first NIC sitting on the voice VLAN. It has only the required ports open by design, so it is like a built-in firewall. The server-only option is designed with just the one NIC to sit on the DMZ of an existing firewall setup, with all the required ports having to be opened up by the user.
You are trying to use the server/gateway option in a server-only network design.
 
It is my understanding that in Server-Only mode, the TW server must reside on the same segment as the ICP voice server. That rules out putting the Server-Only on the DMZ. Is this correct?

The only way it can be on a DMZ is in Server-Gateway mode and the firewall must do nat-traversal on the TW public IP. However, that destroys our DMZ which has 10.222.2.x servers already populating it; the DMZ interface has a 10.222.2.1 (255.255.255.0) gateway address. Is this correct?

So unless you build a DMZ with all public IP servers on it (which is not only unlikely, but probably stupid), the TW box CANNOT GO ON A DMZ!

What am I missing? Besides the target on the sales rep's back.
 
No, the server-only setup is for installation in the DMZ of an existing firewall setup: you use static NAT to map a public IP address on the outside of the firewall to the Teleworker server on the DMZ, and in the rules on the firewall open up access to all the ports required. If you've got access to MOL get this document....


if you haven't get the sales guy to get it for you, it explains the two setups and lists the ports required to be opened if you do use the server only mode on the DMZ.

If you have other servers on your DMZ that are accessible from the internet, it is setup the same as them, it will just have different ports needing to be opened up to the internet and also to the ICP on the LAN.

A TW server set up in gateway mode won't work if you install it within an existing firewall setup; it is designed to have one of the two interfaces connected directly to the Internet.

Remember the server only mode only has one interface.
 
Bingo!

Yes, this is much better. Now we use the box in Server-Only mode and it lives on the DMZ. We control both the Outside/DMZ access and the DMZ/Inside access through our industrial firewall (a Cisco ASA). Now I feel I can sleep at night.

Sure enough we had one-way audio for a while, but we got it straightened out. The trick is that there must be a path for Inside IP phones (called streaming devices in the docs) to talk to the TW server on the DMZ (of course) by its PUBLIC-ROUTABLE (P-R) address (rather than by its actual address).

So:
Allow Outside penetration by the remote sets to the TW's P-R address.
Static nat between the P-R and the actual address on the DMZ.
Allow Inside penetration by the inside sets to the TW's P-R address.
Static nat between the P-R and the actual address on the DMZ.

The statics are weird because they must be static (inside,outside) ... and static (inside,dmz) ... instead of the normal static (dmz,inside) ... but it works like a champ.

Thanks for everyone's help.
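For readers who want to see the Server-Only design above as firewall configuration, here is an added example of the three rule sets it needs on a Cisco ASA (the thread's own firewall); it is my construction, not a config posted in the thread or supplied by Mitel. It uses the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` form, which matches the 2007 date of the thread. The addresses are constructed (the DMZ gateway 10.222.2.1/24 is the only one from the thread; 203.0.113.10 is from the RFC 5737 documentation range), the ICP and voice-subnet addresses are assumed, and every `<...>` port is a placeholder to be filled from the Mitel port list the thread refers to but does not reproduce.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip
! Constructed addresses:
!   TW server, real address on the DMZ .......... 10.222.2.20
!   TW server, public-routable (P-R) address .... 203.0.113.10
!   Mitel ICP on the inside voice network ....... 10.20.30.40   (assumed)
!   Inside voice subnet (streaming devices) ..... 10.20.30.0/24 (assumed)
!   DMZ interface ............................... 10.222.2.1/24 (from the thread)
!
! 1. Outside -> DMZ: remote sets reach the TW server only at its P-R
!    address, and only on the ports Mitel lists. Placeholders in <...>.
static (dmz,outside) 203.0.113.10 10.222.2.20 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq <TW-SIGNALING-PORT>
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 range <TW-RTP-LOW> <TW-RTP-HIGH>
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! 2. Inside -> DMZ: inside sets must also reach the TW server by the
!    P-R address, otherwise audio is one-way. This translation presents
!    10.222.2.20 to inside hosts as 203.0.113.10 (and back).
static (dmz,inside) 203.0.113.10 10.222.2.20 netmask 255.255.255.255
!
! 3. DMZ -> inside: the TW server may talk only to the ICP and the voice
!    subnet, nothing else on the LAN. The explicit deny is logged so a
!    compromised DMZ host probing the LAN shows up immediately.
access-list DMZ_IN extended permit tcp host 10.222.2.20 host 10.20.30.40 eq <ICP-PORT>
access-list DMZ_IN extended permit udp host 10.222.2.20 10.20.30.0 255.255.255.0 range <TW-RTP-LOW> <TW-RTP-HIGH>
access-list DMZ_IN extended deny ip host 10.222.2.20 any log
! Existing policy for the other 10.222.2.x DMZ servers goes after the deny.
access-group DMZ_IN in interface dmz
```

After applying it, `show xlate` should list 10.222.2.20 translated to 203.0.113.10 on both the outside and the inside side; if only the outside entry appears, inside phones are still reaching the DMZ by the real address and one-way audio is the expected symptom. The last post in the thread reports that `static (inside,outside)` and `static (inside,dmz)` were what finally worked on that box, so check the interface argument order against the documentation for your ASA release rather than copying either form blindly; the `deny ... log` lines are the part that matters for the original concern, since they keep the DMZ-to-inside path limited to the ICP whichever translation form you end up with.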
 