Remote Firewall Deployment



Similar documents
Using Microsoft Active Directory Server and IAS Authentication

StoneGate Firewall/VPN How-To Evaluating StoneGate FW/VPN in VMware Workstation

VPNC Interoperability Profile

StoneGate SSL VPN Technical Note Adding Bundled Certificates

StoneGate SSL VPN Technical Note Setting Up BankID

StoneGate IPsec VPN Client Release Notes for Version 4.3.0

RELEASE NOTES. StoneGate Firewall/VPN v for IBM zseries

StoneGate SSL VPN Technical Note Setting Up SSO with Citrix Presentation Server

StoneGate SSL VPN Technical Note Setting Up WPA Authentication

Release Notes for Version

StoneGate SSL VPN Technical Note Setting Up Sygate On-Demand

StoneGate SSL VPN Technical Note Setting up ActiveSync

Intrusion Detection and Analysis for Active Response - Version 1.2. Installation Guide

VPN CLIENT ADMINISTRATOR S GUIDE

version 1.0 Installation Guide

Stonesoft Firewall/VPN 5.4 Windows Server 2008 R2

StoneGate Installation Guide

STONEGATE 5.2 I NSTALLATION GUIDE I NTRUSION PREVENTION SYSTEM

Application Note: GateManager Internet requirement and port settings

StoneGate. High Availability Firewall and Multi-Link VPN. Security Availability Manageability Scalability

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE

FortiAuthenticator Agent for Microsoft IIS/OWA. Install Guide

Installation Guide Supplement

Installing the BlackBerry Enterprise Server Management Software on an administrator or remote computer

RackConnect User Guide

Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations

Contents Notice to Users

Placing the BlackBerry Enterprise Server for Microsoft Exchange in a demilitarized zone

Web Remote Access. User Guide

Integrated Citrix Servers

Backup Exec Cloud Storage for Nirvanix Installation Guide. Release 2.0

Blue Coat Systems. Client Manager Redundancy for ProxyClient Deployments

Strong Authentication for Microsoft TS Web / RD Web

Radius Integration Guide Version 9

Strong Authentication for Microsoft SharePoint

Whitepaper. A Practical Guide to ISP Redundancy and Uninterrupted Internet Connectivity

Symantec Security Information Manager - Best Practices for Selective Backup and Restore

1.6 HOW-TO GUIDELINES

VPN Configuration Guide. Dealing with Identical Local and Remote Network Addresses

System Requirements. Installation. Microsoft SQL Express 2008 R2 Installation

FW-310. Appliance Installation Guide

Web Security Firewall Setup. Administrator Guide

High Availability Configuration Guide Version 9

F IREWALL/VPN INSTALLATION GUIDE

2.0 HOW-TO GUIDELINES

Installing the BlackBerry Enterprise Server Management console with a remote database

MIGRATION GUIDE. Authentication Server

SSL VPN. Virtual Appliance Installation Guide. Virtual Private Networks

Symantec Enterprise Vault Technical Note. Administering the Monitoring database. Windows

Encryption. Administrator Guide

Strong Authentication for Juniper Networks

Dell Recovery Manager for Active Directory 8.6. Quick Start Guide

MobileStatus Server Installation and Configuration Guide

LDAP Synchronization Agent Configuration Guide for

Whitepaper. StoneGate Multi-Link. Ensuring Always-on Connectivity with Significant Savings

Intel Entry Storage System SS4000-E

Application Note. Intelligent Application Gateway with SA server using AD password and OTP

ChangeAuditor 6.0 For Windows File Servers. Event Reference Guide

Disaster Recovery. Websense Web Security Web Security Gateway. v7.6

Inspection of Encrypted HTTPS Traffic

Dell One Identity Cloud Access Manager Installation Guide

ChangeAuditor 5.6. For Windows File Servers Event Reference Guide

VPN CLIENT USER S GUIDE

Dell One Identity Cloud Access Manager How to Configure for High Availability

SA Server 2.0. Application Note : Evidian SafeKit 7.0.4, Failover

Contents Firewall Monitor Overview Getting Started Setting Up Firewall Monitor Attack Alerts Viewing Firewall Monitor Attack Alerts

SolarWinds Migrating SolarWinds NPM Technical Reference

SMC INSTALLATION GUIDE

Decommissioning the original Microsoft Exchange

Dell InTrust Preparing for Auditing and Monitoring Microsoft IIS

Citrix XenServer Emergency Network Reset. Published Wednesday, 29 February Edition

Veritas Operations Manager LDom Capacity Management Add-on User's Guide 4.1

Secure Web Service - Hybrid. Policy Server Setup. Release Manual Version 1.01

Dell Statistica Statistica Enterprise Installation Instructions

IBM Lotus Protector for Mail Encryption

Symantec AntiVirus Corporate Edition Patch Update

Installing the Shrew Soft VPN Client

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide

Interworks. Interworks Cloud Platform Installation Guide

Deployment Guide for the Polycom SoundStructure VoIP Interface for Cisco Unified Communications Manager (SIP)

SolarWinds. Packet Analysis Sensor Deployment Guide

By the Citrix Publications Department. Citrix Systems, Inc.

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide

Symantec Mobile Management for Configuration Manager

Symantec Security Information Manager 4.8 Release Notes

How to configure DNAT in order to publish internal services via Internet

Accessing BlackBerry Data Services Using Wi-Fi Networks

Strong Authentication for Juniper Networks SSL VPN

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

IBM Proventia Management SiteProtector. Configuring Firewalls for SiteProtector Traffic Version 2.0, Service Pack 8.1

Secure Web Gateway 11.7 Upgrade Release Notes

Installation Guide. Squid Web Proxy Cache. Websense Enterprise Websense Web Security Suite. v for use with

ACTi NVR Config Converter User s Manual. Version /06/07

Cyberoam Multi link Implementation Guide Version 9

MailMarshal SMTP in a Load Balanced Array of Servers Technical White Paper September 29, 2003

HP A-IMC Firewall Manager

HP IMC Firewall Manager

How to Guide: StorageCraft Cloud Services VPN

Application Note. SA Server and ADAM

Transcription:

StoneGate How-To Remote Firewall Deployment StoneGate Firewall 3.0 and Management Center 3.5

Table of Contents The Scenario............................... page 3 Adjusting the Access Rules and NAT rules.......... page 3 Defining Locations and Contact Addresses......... page 5 SGHT 20060807 Table of Contents 2

The Scenario This document describes the steps needed to make the StoneGate s internal systems communications work in an environment where a StoneGate Management Center at a headquarters (HQ) site, protected by a StoneGate firewall, is used to manage firewalls at remote office sites and to store any logs that are generated. This example scenario includes a commonly used setup where the Management Server and Log Server at the HQ site have private IP addresses, which the StoneGate firewall at the central site translates to public IP addresses for communications over the Internet. Illustration 1: Example Scenario The following changes are needed to allow system communications from the remote firewalls to the HQ site: The Access rules of the firewall at the HQ site must be modified to allow the communications between the Management Center Servers and the remote office firewalls. The pre-defined rules inherited from the Default Policy Template allow system communications that have the firewall itself as the source or destination. The NAT rules at the HQ site must be modified to translate the private IP addresses of the Management Server and the Log Server to public IP addresses for routing through the Internet. Locations and contact addresses must be defined to make the remote office firewalls aware of the translated IP addresses of the Management Server and the Log Server. Otherwise the firewalls will assume that the components private IP addresses in the HQ network should be used and the communications will fail. Adjusting the Access Rules and NAT rules This section shows you the Access and NAT rules that are needed in the central HQ office firewall to allow the system communications from the remote office firewalls to the Management Center. There is no need to edit the policies of the remote office firewalls (because the Default Policy Template is in use and it does allow system communications that have the remote office firewalls themselves as the source or destination). There are pre-defined Service elements for system communications. The Services needed in this example case are explained in the two tables below. A complete list of system communications is presented in the StoneGate- Specific Ports appendix included in all StoneGate user guides. The listed Service elements are available in the system by default. They are used in the Default Template Policy and in the example rules in this document to allow the system communications. The Scenario 3

TABLE 1: System Communications Initiated by the Firewall Service Name TCP Port Description SG-log 3020 SG-init 3021 SG-log-backup 3023 SG-dynamic-control 8906 Logs, alerts, and firewall statistics and (from firewall version 3.0 onwards) status information from the firewall to the Log Server. Initial contact from the engine to the Management Server to establish a trust relationship. Backup channel for sending information on engine status from the engine to the Management Server if the Log Server is unavailable. All other communications between a firewall with a dynamic IP address and the Management Server. Always initiated from the firewall. Not used by firewalls with a fixed IP address. The communications detailed in Table 2 are connections initiated from the Management Server to the firewalls, and they concern only firewalls that have a fixed IP address. If the firewall has a dynamic IP address, connections are always initiated from the firewall to the Management Server as explained in the table above. TABLE 2: System Communications from the Management Server to Firewalls Service Name TCP Port Description ldaps 636 StoneGate s internal LDAP database replication (for end-user authentication). SG-remote-upgrade 4950 Connection for remotely upgrading the software of the firewall. SG-mgmt 4987 Policy update, activation, and other control connections. SG-monitor 8888 Connection monitoring information and monitoring information from firewall versions prior to 3.0. SG-blacklist 15000 Manual blacklisting commands given by administrators in the Management Client. Illustration 2 below shows the Access rules that allow communications from the remote office firewalls to the Management Center. The Firewall elements are not used in the policy directly, but they are included in the Group element Remote FW control IPs. The remote office firewalls must use the public (translated) IP address of the Log Server and the Management Server, so the rules use a Host elements Management NAT and Log Server NAT to represent the public IP addresses instead of the Server elements, which contain the internal IP addresses. Note If the remote firewalls have a dynamic IP address, specific Remote FW control IPs groups can not be defined for the firewalls, because the IP addresses of the firewalls are unknown. Instead, the Source must be ANY or Not Internal, or If the DHCP IP address range of the remote firewalls (assigned by the internet operator) is known, also these ranges can be used in the policy. Illustration 2: Example Access Rules Adjusting the Access Rules and NAT rules 4

Illustration 3 below shows the NAT rules that translate the internal IP address of the Management Server and Log Server. The Log Server does not initiate connections to the external network in the example configuration, so there is only one rule for the Log Server. Naturally, the first rule that translates connections initiated by the Management Server would not be necessary either if the remote office firewalls had dynamic IP addresses. In that case, all communications would be initiated by the firewalls. Illustration 3: Example NAT Rules Defining Locations and Contact Addresses Because the IP addresses of the Management Server and the Log Server are translated, a Location and Contact Addresses must be defined. The Location element is used to group together elements that are on one side of a device that does Network Address Translation (NAT). Detailed instructions for configuring Locations and Contact Addresses can be found in the Installation Guide, the Administrator s Guide, and the online help system of the Management Client. Illustration 4: Example Scenario with Locations As our illustration shows, only a single Location is needed in this case: the Location External that includes the remote office firewalls. This is because when the remote office firewalls communicate with the Management Server or Log Server, both firewalls are in contact with the same translated IP address, and if the remote office firewalls contact each other (to establish a VPN between the remote offices), there is no address translation between them. All other elements are left in the Default Location, which all system components are part of unless otherwise defined. The first step is to create the External Location element. Defining Locations and Contact Addresses 5

Illustration 5: Properties of the External Location The illustration above shows the properties of the External Location fully configured with the two remote office firewalls. The Contact Addresses tab can be left empty in this scenario. The next step is to define the Contact Address that the elements in the External Location should use when contacting the Management Server. This is done in the Management Server properties. Illustration 6: Management Server Contact Address Settings In the illustration above, a Contact Address dialog has been opened in the Management Server properties, and a Contact Address (the public IP address of the Management Server) has been added for the External Location. The next step is to define the Log Server Contact Address in the same way. Defining Locations and Contact Addresses 6

Illustration 7: Log Server Contact Address Settings After the Log Server receives its Contact Address definition for the External Location, the configuration is complete. The HQ firewall will start passing the traffic when its policy is refreshed. The administrators can take initial contact from the remote office firewalls to the Management Server s public IP address to establish a trust relationship. Defining Locations and Contact Addresses 7

Trademarks and Patents Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology-as well as other technologies included in StoneGate-are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners. Copyright and Disclaimer Copyright 2000 2006 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation. Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMA- TION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUD- ING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES. Revision: SGHT_20060807 Stonesoft Corp. Itälahdenkatu 22a FIN-00210 Helsinki Finland tel. +358 9 4767 11 fax +358 9 4767 1234 Stonesoft Inc. 1050 Crown Pointe Parkway Suite 900 Atlanta, GA 30338 USA tel. +1 770 668 1125 fax +1 770 668 1131 Stonesoft Corp. 90 Cecil Street #13-01 Carlton Building Singapore 069531 tel. +65 6325 1390 fax +65 6325 1399 www.stonesoft.com 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information