Install decisions

[CyberGlitch]

Have a few different ways to install the new Untangle server and wanted to get other opinions. Management is saying do it 1 way and I'm thinking another with questions on that as well.

Currently have
Netgear FVS338 firewall that feeds to gb switches.

Management is wanting
Netgear -> Untangle (bridge mode) -> switches

They are thinking this because will cause little to no down time or any extra needed configuration changes.

I'm thinking trash the netgear firewall since it doesn't really do much anyways. My question would then be we have a SBS that is handling DHCP, DNS etc. So I was thinking put Untangle in router mode and then turn off DHCP and DNS.

This way I would have a lot more control with the firewall and apps in untangle to do just about anything we need.

[jcoehoorn]

I agree with your approach, especially as I don't see how this will cause any more downtime than the alternative if you play your cards right. But management is management. Document that you opposed this, but then do what they told you to.

[sky-knight]

You'll have a TON fewer headaches long run with an Untangle router over a bridge. Also, bridge mode installations don't always go plug and play. If you've got a single IP range, both configurations are just as easy to deploy.

And yes, disabling DHCP and DNS on Untangle is the preferred way to support any AD enabled environment. So you're on the right track.

Here's what I'd do:

1.) Install Untangle with the "External" interface connected to your LAN
2.) Use the physical console UI to update Untangle, and install all modules I wanted
3.) Double check the little green lights in config -> networking -> interfaces to make sure I know what interface is what.
3.) Disconnect Untangle
4.) Configure Untangle's External and Internal interfaces to match the Netgear (repeat for any other interfaces you may have)
5.) Configure any port forwards to match the Netgear and other settings too. (get ready for production settings here)
6.) Disconnect power to the Internet device (Cable mode, T1 CSU, whatever)
7.) Connect the Internet device to Untangle, Connect the Untangle to the core switch
8.) Power the Internet device up

You may want to have your ISP's support online, sometimes you have to have them manually reset an arp cache. I'm assuming you've got a business grade connection with a static address to deal with, and one that is hosting exchange services? That's where things get a hair more complex. However, as jcoehoorn suggests, the downtime is the same with either approach. And the repair if it doesn't come up correctly is the same, just reconnect the netgear.

[CyberGlitch]

I think I'm just going to do it my way and when something happens and it saves the day I'll bring it up then. They'll never really know anyways. I'm thinking set a port forward rule to forward everything to the SBS to begin with and later come in and lock it down more.

Another question. Internal port set to same as the current firewall. All the other ports I've got set to bridge to internal besides the external port obviously. Wanting all those ports to act as switched ports if that makes sense. Is that correct?

Trying to get everything setup and ready today so I don't have to spend a lot of time in here over the weekend. I want to come in, switch some wires, do a few tests and go back home!

[sky-knight]

Bridging to internal does make Untangle an expensive switch. However, the packet filter interjects other realities to that situation that aren't always transparent. It's really best to not do that!

Well you can configure it that way if you wish, but don't use the ports unless there is a reason to isolate a particular device.

[CyberGlitch]

Then how should I setup the other ports? 2 go to wifi access points both with static IPs on the same subnet of 10.0.0.x and the other to the phone system.

Phone system is not VOIP, some proprietary system they had someone install and company said it doesn't need internet. I really don't know why it's hooked to the network and the company that installed it seemed like they didn't want to give out much info about it. I guess afraid I would cut them out of the picture!

Edit:
Ideally I'll be redoing some of the wiring so I can isolate the wifi and the phone system to better manage the network and the wifi. So right now just trying to keep the wiring as-is until I can do up a proper diagram and plan to show them what I am going to change. So the APs and phone system plug directly into the current firewall and want to plug them directly to Untangle, don't even care about managing what they do at this point. They just need to work.

Their whole network and system is a mess and pieced together over time by several different companies over the course of the past few years. Now I have to clean it all up so I can manage it properly.

[sky-knight]

The PBX likely has a management interface that works off the LAN.

You can use the bridged ports to support the APs, just beware that the connectivity between the wireless and the LAN will be UVM controlled, and the appropriate configuration changed and performance realities will be present.

I'm not telling you it's a bad idea, I'm simply warning you that things will be a little strange for a bit while you hammer some things down. Untangle is designed to be at the edge of your network, using it at the core can be done but the first time you go live things will be a bit odd until you get your brain wrapped around the unique way that Untangle plays with your network.

[CyberGlitch]

Ok. Yea, whoever did this network to begin with should be shot. I've found so many strange things. The APs were the icing on the cake. There are actually 4, 2 on 1 switch and 2 on another switch and then those switches directly to the firewall. Each switch had 1 public and 1 private hooked to the network?! Then the placement of the APs, the ones for the public were at the back of the building and the private ones up front where the lobby and conference rooms are?! So the private ones for employees were basically useless.

I've got a lot of work cut out for me.

On a different topic. Man is the u150 loud! I wouldn't think with such a small package the fans would have been that loud. Glad to finally have it out of my office today and in the server room!

[sky-knight]

Check out the BIOS, if it's anything like my appliance there's a thermal fan switch in the BIOS that can slow the fans when they aren't needed.

If not, well I guess next time you'll have to get a device from someone that actually knows how to build them.

[CyberGlitch]

Looks like everything went fairly smoothly. Took me a bit to realize why Outlook wasn't working outside the network until I went to OWA and saw the Untangle page and forgot the Untangle admin uses 443. Once I changed that everything started to work.

Not all the features are enabled yet. Will slowly configure the apps and install them 1 at a time over the next few weeks.