Where to connect the External NIC...?
Updated: 19 Jul 2011 | 9 comments
This issue has been solved. See solution.
Hello,
I am deploying a SNAC Gateway Enforcer 6100 to control VPN. I have a Fortigate firewall with IPsec VPN and clientless VPN. I'm sure that the internal NIC connects to the SEPM, but where do I connect the external NIC, and with which IP address...?
My network is very simple.
Internet (ISP) ---> Router (ISP) ---> (UTM) Firewall Fortigate with IPsec/Clientless VPN ---> Switches ---> Client and Servers.
The
Thank you very much.
Comments
Network map attached
...for better understanding...
Gateway connects between VPN and switch
Connect the Gateway Enforcer's external NIC to the VPN and the internal NIC to the switch.
VPN ---> Gateway Enforcer ---> switches ---> servers & SEPM
The internal NIC should have a valid IP that works in your internal network. The external NIC needs a null IP (dummy IP address). With this configuration, packet traffic will come in through the VPN, be approved by the Gateway Enforcer, and be allowed into your corporate network (if the agents' HI check passes).
External NIC connection
Thanks SNACpack,
Just to confirm.... in my image, the external and internal NICs must be connected to the same switch LAN.
VPN will not connect directly to the switch
Hi Rojopipe,
Only the Enforcer's internal NIC connects to the switch (Switch LAN in diagram).
In your diagram, remove the network cable connecting the VPN to the Switch LAN, then continue the Enforcer's red line (external NIC) to the VPN. Essentially, the Enforcer replaces the network cable between the VPN and the Switch LAN. The internal NIC plugs into the switch, the external NIC plugs into the VPN. The only connection the VPN will have to the switch is through the Gateway Enforcer.
How to test...
Hi SNACpack, thank you for your help.
This change is very sensitive. Is there any way to test before making the change...? How can I test whether on-demand is working correctly...?
Learning mode option via Enforcer command line
The Gateway Enforcer can be placed in Learning Mode, where all traffic is still passed/allowed through the Enforcer, but the logs will track what action WOULD have occurred if the Enforcer were in enforcement mode.
This info should be in the Installation Guide. Unfortunately, I'm short on time and can't dig up/verify the specific instructions for you. I will be away from the office for this coming week and will return on the 11th. If you can't get this working in the meantime, I can help you when I return.
---or---
To test a single client, keep your configuration as your diagram shows and connect a single client (instead of the VPN) to the Gateway Enforcer's external NIC (client ---> Gateway Enforcer ---> switch). The On-Demand client should still be available via this configuration.
Enforcement Mode
Hi SNACpack, excuse me again.
I can't find how to change from learning mode to enforcement mode in the installation guide. Could you help me with the instructions..?
Thank you very much.
Instructions for Enforcer Learning mode
To change the Enforcer Mode to Learning:
In the SEPM, go to Administrator.
Expand Local Site.
Select the Enforcer you want to configure.
Under Tasks, click on Edit Group Properties.
In the Enforcer settings window that appears, go to the Authentication tab.
Select the option "Allow all clients, but continue to log which clients are not authenticated".
Now click on OK.
Where to connect the External NIC...?
Wow, it looks interesting.