
Assign IP to vNICs when deploying Web Gateway 5.1 as Virtual Appliance

Created: 13 Feb 2013 | 11 comments

Dear Experts,

I installed the Web Gateway trial version 5.1 as a virtual appliance and I plan to test it in inline + proxy mode. Before powering on the virtual machine, I created three NICs: management, WAN and LAN. After I power on the machine I see a list of options in the MAIN MENU; number 5 is Change/Test IP configuration. When I select it I can enter an IP address, but which NIC is this IP address for: management, LAN or WAN? If I enter one IP address here, then where do I have to enter the IP addresses for the other two NICs?

 

I need help with this. Also, shall I change the operating mode of Web Gateway from here (option number 10), or shall I connect through the management console in a web browser and change the operating mode there?

 

Waiting for response.

 

Kind Regards,


BenDC's picture

The first IP you set should be the management interface.

The WAN/LAN ports share an IP in inline mode as they are a bridged interface.

Be sure each virtual NIC has its own virtual switch set to permit promiscuous mode and each interface has its own physical NIC on the host.

Wajeeh's picture

I want to use inline + proxy mode, not ONLY inline mode. You mention that the WAN/LAN ports share an IP; is this applicable in my scenario?

Each virtual NIC should have its own virtual switch, I can not have one virtual switch and have all VLANs for the virtual Symantec gateway required, as in my case three vNICs on three different VLANs on one vSwitch.

I will assign the management port to VLAN 10, the LAN port to VLAN 20 and the WAN port to VLAN 99, but all of them in one virtual switch. Will this work or not?

Concerning permit promiscuous mode, is it a must?

My scenario on VMware is that I have one vSwitch with multiple VLANs on it, different virtual machines are running on it, and now the Symantec virtual appliance is going to be one of them. So please explain: do I still need to create separate vSwitches for each vNIC?

 

Thanks,

 

BenDC's picture

Yes, even in inline+proxy mode the WAN/LAN share an IP.

Each virtual NIC requires its own virtual switch. Promiscuous mode is a requirement as well.

I have attached the Implementation Guide. Chapter 4 starting on page 67 covers the Virtual Edition.

Table 4-4 on page 73 shows the physical NIC requirements.

 

 

Attachment: Symantec_Web_Gateway_5.1_Implementation_Guide_EN.pdf (2.73 MB)

Wajeeh's picture

Thanks for the help,

I will follow it and in case of a problem, I will write back to you.

Regards,

 

Wajeeh's picture

Please let me know which operating mode is required to block internet applications like VNC and online gaming?

Is it supported in proxy only mode, or should I go for inline + proxy mode? The implementation guide 5.1 says on page 111, under configuring internet application policies, that all Application control settings are available for inline and inline plus proxy mode.

Regards,

BenDC's picture

It is supported with proxy mode and inline mode, so it is supported in inline+proxy mode.

Wajeeh's picture

Dear BenDC,

You mentioned to me that WAN/LAN share the same IP in inline+proxy mode. I am confused about this because page 73 of it says inline+proxy physical NIC 3 (are they talking about vNIC or physical?). If the interfaces for WAN/LAN are different, how do they share the same IP address?

Also, as you mentioned, each vNIC requires its own vSwitch with promiscuous mode enabled. Can these vSwitches have VLANs?

For the physical NICs, do they need to be dedicated uplinks?

 

Thanks,

Wajeeh

BenDC's picture

Page 73 indicates 3 physical NICs are required for inline and inline+proxy mode.

The WAN/LAN ports create a bridged interface; an IP associated with a bridged interface is active on each interface associated with the bridge.

The guide says to leave the VLAN tagging as is for each of the virtual switches.

 

DGLMike's picture

Hi Ben,

I'm also struggling to get inline + proxy working in my virtual lab.

I have 1 physical NIC on my ESXi host connected physically to our Internet firewall and virtually to the WAN vSwitch.

All test servers and clients are VMs on this ESXi host, which are all connected to the same vSwitch as the SWG LAN port.

I have the Mgmt port connected to a 3rd vSwitch and also a Windows client connected for management console access.

All vSwitches are set to promiscuous mode.

The ESXi networking side works fine for other servers/apps; I do all my SEP / SCSP / SEE / SSIM / CCS testing in the same lab, never a problem.

So SWG can ping the management client but can't ping anything on the LAN or WAN ports, any idea where I might be going wrong?

Do you have anything like this Tap/SPAN mode config guide for inline + proxy?: http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/DOCUMENTATION/6000/DOC6298/en_US/SWG_Easy_Setup.pdf

Cheers,

Mike

BenDC's picture

You need a physical NIC for each network card attached to the network on the SWG. Typically this means two at minimum for proxy mode and span/tap mode. Inline would require 3.

 

 

DGLMike's picture

OK, thanks for confirming that. I was hoping that the virtual networking for LAN & MGMT would be sufficient to test it :(

Oddly though, I got Inline mode working in VMware Workstation last year on my laptop (with help from the partner enablement team) and that only has one NIC...
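
The requirements BenDC states in this thread (a separate vSwitch per SWG virtual NIC, promiscuous mode permitted, a physical NIC per interface, and the NIC count per operating mode) can be checked against a planned layout before deployment. The script below is an added example, not part of any post and not Symantec or VMware code; the function, the vSwitch and vmnic names, and the three layouts are constructed, and applying all three checks to every mode is an assumption.

```python
# Added example: audit a planned ESXi layout against the requirements
# stated in the thread. All names and layouts here are constructed.
REQUIRED_NICS = {"proxy": 2, "span/tap": 2, "inline": 3, "inline+proxy": 3}

def check_layout(mode, vnics, vswitches):
    """vnics maps SWG port -> vSwitch name; vswitches maps vSwitch name ->
    {"promiscuous": bool, "uplinks": [physical NIC names]}.
    Returns findings; an empty list means the stated requirements are met."""
    findings = []
    if len(vnics) < REQUIRED_NICS[mode]:
        findings.append(f"{mode} needs {REQUIRED_NICS[mode]} NICs, got {len(vnics)}")
    owner = {}  # vSwitch -> first SWG port seen on it
    for port, vs in vnics.items():
        if vs in owner:
            findings.append(f"{port} shares {vs} with {owner[vs]}")
        owner.setdefault(vs, port)
    pnic_owner = {}  # physical NIC -> vSwitch already using it
    for vs in owner:
        cfg = vswitches[vs]
        if not cfg["promiscuous"]:
            findings.append(f"{vs}: promiscuous mode not permitted")
        if not cfg["uplinks"]:
            findings.append(f"{vs}: no physical NIC")
        for pnic in cfg["uplinks"]:
            if pnic in pnic_owner:
                findings.append(f"{vs} shares {pnic} with {pnic_owner[pnic]}")
            pnic_owner.setdefault(pnic, vs)
    return findings

PORTS = {"mgmt": "vs-mgmt", "lan": "vs-lan", "wan": "vs-wan"}
# Constructed: three VLANs carried on a single vSwitch.
ONE_VSWITCH = ({"mgmt": "vSwitch0", "lan": "vSwitch0", "wan": "vSwitch0"},
               {"vSwitch0": {"promiscuous": True, "uplinks": ["vmnic0"]}})
# Constructed: three vSwitches, only the WAN one has a physical uplink.
ONE_UPLINK = (PORTS, {"vs-mgmt": {"promiscuous": True, "uplinks": []},
                      "vs-lan": {"promiscuous": True, "uplinks": []},
                      "vs-wan": {"promiscuous": True, "uplinks": ["vmnic0"]}})
# Constructed: one vSwitch and one physical NIC per SWG port.
DEDICATED = (PORTS, {"vs-mgmt": {"promiscuous": True, "uplinks": ["vmnic0"]},
                     "vs-lan": {"promiscuous": True, "uplinks": ["vmnic1"]},
                     "vs-wan": {"promiscuous": True, "uplinks": ["vmnic2"]}})

if __name__ == "__main__":
    for name, layout in [("one vSwitch", ONE_VSWITCH),
                         ("one uplink", ONE_UPLINK), ("dedicated", DEDICATED)]:
        print(name, check_layout("inline+proxy", *layout) or "OK")
```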