Virtual Secure Web Gateway


Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

  • 1.  Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Feb 13, 2013 05:52 AM

    Dear Experts,

    I installed the Web Gateway trial version 5.1 as a virtual appliance and I plan to test it in inline + proxy mode. Before powering on the virtual machine, I created three NICs: management, WAN and LAN. After I power on the machine I see a list of options in the MAIN MENU; number 5 is Change/Test IP configuration. When I select it I can enter an IP address, but which NIC is this IP address for: management, LAN or WAN? If I enter one IP address here, then where do I have to enter the IP addresses for the other two NICs?

    I need help with this. Also, shall I change the operating mode of the web gateway from here (option number 10), or shall I connect through the management console in a web browser and change the operating mode?

     

    Waiting for response.

     

    Kind Regards,



  • 2.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Feb 13, 2013 09:36 AM

    The first IP you set should be the management interface.

    The WAN/LAN ports share an IP in inline mode as they are a bridged interface.

    Be sure each virtual NIC has its own virtual switch set to permit promiscuous mode and each interface has its own physical NIC on the host.



  • 3.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Feb 13, 2013 10:55 AM

    I want to use inline + proxy mode, not ONLY inline mode. You mention that the WAN/LAN ports share an IP; is this applicable in my scenario?

    Each virtual NIC should have its own virtual switch, I cannot have one virtual switch and have all VLANs for the virtual Symantec gateway required, as in my case three vNICs on three different VLANs on one vSwitch.

    I will assign the management port to VLAN 10, the LAN port to VLAN 20 and the WAN port to VLAN 99, but all of them in one virtual switch. Will this work or not?

    Concerning permitting promiscuous mode, is it a must?

    My scenario on VMware is that I have one vSwitch with multiple VLANs on it, and different virtual machines are running on it, and now the Symantec virtual appliance is going to be one of them. So please explain: do I still need to create separate vSwitches for each vNIC?

     

    thanks,

     



  • 4.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Feb 13, 2013 01:29 PM

    Yes even in inline+proxy mode the WAN/LAN share an IP.

    Each virtual NIC requires its own virtual switch. Promiscuous mode is a requirement as well.

    I have attached the Implementation Guide. Chapter 4 starting on page 67 covers the Virtual Edition.

    Table 4-4 on page 73 shows the physical NIC requirements.

     

     



  • 5.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Feb 14, 2013 06:29 AM

    Thanks for help,

    I will follow it and in case of a problem, I will write back to you.

    Regards,

     



  • 6.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Feb 14, 2013 07:10 AM

    Please let me know which operating mode is required to block internet applications like VNC and online gaming.

    Is it supported in proxy-only mode, or should I go for inline + proxy mode, because the implementation guide 5.1 says on page 111 (configuring internet application policies) that all Application control settings are available for inline and inline plus proxy mode?

    regards,



  • 7.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Feb 14, 2013 09:20 AM

    It is supported with proxy mode and inline mode, so it is supported in inline+proxy mode.



  • 8.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Feb 17, 2013 08:29 AM

    Dear BenDC,

    You mentioned to me that WAN/LAN share the same IP in inline+proxy mode. I am confused about this because on page 73 it says inline+proxy physical NIC 3 (are they talking about vNIC or physical?). If the interfaces for WAN/LAN are different, how do they share the same IP address?

    Also, as you mentioned, each vNIC requires its own vSwitch with promiscuous mode enabled; can these vSwitches have VLANs?

    For the physical NICs, do they need to be dedicated uplinks?

     

    thanks,

    Wajeeh



  • 9.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Feb 19, 2013 12:55 PM

    Page 73 indicates 3 physical NICs are required for inline and inline+proxy mode.

    The WAN/LAN ports create a bridged interface; an IP associated with a bridged interface is active on each interface associated with the bridge.

    The guide says to leave the vlan tagging as is for each of the virtual switches.

     



  • 10.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Apr 17, 2013 09:25 AM

    Hi Ben,

    I'm also struggling to get inline +proxy working in my virtual lab.

    I have 1 physical NIC on my ESXi host connected physically to our Internet firewall and virtually to the WAN vSwitch.

    All test Servers and Clients are VMs on this ESXi host, which are all connected to the same vSwitch as the SWG LAN port.

    I have the Mgmt port connected to a 3rd vSwitch and also a Windows client connected for management console access.

    All vSwitches are set to promiscuous mode.

    The ESXi networking side works fine for other servers/apps; I do all my SEP / SCSP / SEE / SSIM / CCS testing in the same lab, never a problem.

    So SWG can ping the management client but can't ping anything on the LAN or WAN ports, any idea where I might be going wrong?

    Do you have anything like this Tap/SPAN mode config guide for inline + proxy?: http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/DOCUMENTATION/6000/DOC6298/en_US/SWG_Easy_Setup.pdf

    Cheers,

    Mike



  • 11.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Apr 17, 2013 12:09 PM

    You need a physical NIC for each Network Card attached to the network on the SWG. Typically this means two at minimum for proxy mode and span/tap mode. Inline would require 3.
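
The rules given in the answers above (one virtual switch per virtual NIC, promiscuous mode permitted, one physical NIC per interface, and the physical NIC count per operating mode) written as a layout check. This is an added example, not part of the thread or of the Symantec documentation; the inventory format and every name in it (vSwitch1, vmnic0 and so on) are assumptions made up for illustration.

```python
# Added example: checks a planned ESXi layout against the rules given in this thread's answers.
# The inventory format and every name (vSwitch1, vmnic0, ...) are constructed for illustration.
MIN_PNICS = {"proxy": 2, "span/tap": 2, "inline": 3, "inline+proxy": 3}  # posts 9 and 11

def check_layout(mode, vnics, vswitches):
    """vnics: {interface: vswitch}; vswitches: {name: {"promiscuous": bool, "uplinks": [...]}}.
    Returns a list of findings; an empty list means the layout meets the stated rules."""
    findings, seen_vswitch, seen_pnic = [], {}, {}
    for vnic, vs_name in sorted(vnics.items()):
        # Each virtual NIC requires its own virtual switch.
        if vs_name in seen_vswitch:
            findings.append(f"{vnic} shares {vs_name} with {seen_vswitch[vs_name]}")
            continue
        seen_vswitch[vs_name] = vnic
        vs = vswitches[vs_name]
        # Promiscuous mode must be permitted on that virtual switch.
        if not vs["promiscuous"]:
            findings.append(f"{vs_name} ({vnic}) does not permit promiscuous mode")
        # Each interface needs its own physical NIC on the host.
        if not vs["uplinks"]:
            findings.append(f"{vs_name} ({vnic}) has no physical NIC")
        for pnic in vs["uplinks"]:
            if pnic in seen_pnic:
                findings.append(f"{pnic} is used by both {seen_pnic[pnic]} and {vnic}")
            seen_pnic[pnic] = vnic
    if len(seen_pnic) < MIN_PNICS[mode]:
        findings.append(f"{mode} needs {MIN_PNICS[mode]} physical NICs, found {len(seen_pnic)}")
    return findings

THREE = {"mgmt": "vSwitch1", "wan": "vSwitch2", "lan": "vSwitch3"}
# Constructed: the layout the answers describe, one vSwitch and one uplink per interface.
DEDICATED = (THREE, {f"vSwitch{i}": {"promiscuous": True, "uplinks": [f"vmnic{i}"]}
                     for i in (1, 2, 3)})
# Constructed: like the lab in post 10, where only the WAN vSwitch has a physical NIC.
LAB = (THREE, {"vSwitch1": {"promiscuous": True, "uplinks": []},
               "vSwitch2": {"promiscuous": True, "uplinks": ["vmnic0"]},
               "vSwitch3": {"promiscuous": True, "uplinks": []}})
# Constructed: like the plan in post 3 (one shared vSwitch), with promiscuous mode left off.
SHARED = ({k: "vSwitch0" for k in THREE},
          {"vSwitch0": {"promiscuous": False, "uplinks": ["vmnic0"]}})

if __name__ == "__main__":
    for name, layout in (("dedicated", DEDICATED), ("lab", LAB), ("shared", SHARED)):
        print(name, check_layout("inline+proxy", *layout) or "OK")
```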

     

     



  • 12.  RE: Assign IP to VNic's when deploying Web Gateway 5.1 as Virtual Appliance

    Posted Apr 18, 2013 08:12 AM

    OK, thanks for confirming that. I was hoping that the virtual networking for LAN & MGMT would be sufficient to test it :(

    Oddly though, I got Inline mode working in VMware Workstation last year on my laptop (with help from the partner enablement team) and that only has one NIC...