Page 1 of 2 12 LastLast
Results 1 to 10 of 19
  1. #1
    Untangler
    Join Date: Dec 2010 | Posts: 83

    Changing from ISA Server to Untangle - Need Proper Network Design

    Hi All,
    I'm currently in the process of evaluating proxies to replace ours for our university. Now, we have three ISA Servers: two ISAs serving staff, each with two interfaces, one on the external and one on the internal network, doing firewalling and proxying too.

    Students have ISA Server with only one interface serving as a cache only proxy.

    Current network setup as attached,
    * Two ISPs, hooked into the router, from the router to the Firewall and from the Firewall to the Nortel Application Switch. Stacked switches get connections for both DMZs from the application switches; production vLAN, staff vLAN, Students' vLAN, etc. all come from the Nortel Passport via fiber cables.

    Connection goes from Stacked Switches to vSphere Servers, and vLAN presented into the vSphere using Trunk.

    Now;

    How can I get Untangle to replace all the ISA Servers and have only a cluster of Untangle servers to serve all the vLANs, including the wireless network?

    ISP redundancy required between ISP 1 and ISP 2.

    WAN split for each vLAN network is required.

    Currently students get DHCP from production on a different vLAN and are authenticated with Active Directory in the production vLAN. Need that to be possible with Untangle.

    Thanks,

  2. #2
    Mathiau (Untangle Ninja)
    Join Date: Feb 2008 | Location: Costa Frickn' Rica | Posts: 1,636

    1 UT box
    multiple NICs for separate networks, 3 minimum
    Wan Balancer / Failover
    Directory Connector

    good to go.... i think...
    kv-2 | UT 11.0.1 | Dell R610 Server | Intel Xeon 2.8Ghz Quad Cores | 24Gb DDR3 ECC | 1 Intel QPort NIC | Integrated Broadcom QP | Dell Perc 4i | 6 x 73G 2.5 15k SAS raid 10 | 100mb/100mb | 30mb/30Mb

  3. #3
    jcoehoorn (Untangle Ninja)
    Join Date: Mar 2010 | Location: York, NE | Posts: 1,881

    One nic should be able to handle all the internal networks, and one nic each for your external networks. Untangle should also be able to replace your existing router and firewall devices -- you'd go from 6 devices down to 1.

    The downside is that Untangle does not cluster. You would be left with a single point of failure. I've heard it's possible, but not simple, to work around this situation, such that an untangle failure leaves you with an active connection. You'll have to ask someone more familiar with the setup exactly how to do it.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.4.1 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  4. #4
    Untangler
    Join Date: Dec 2010 | Posts: 83

    Hello,

    Thanks for your reply. The problem is there is no other product such as Untangle that provides the required features we are looking for, except the clustering... I have tried MS TMG, but that doesn't do the ISP NLB or NAT split at all, because of a Windows limitation in its IP stack. I have done expensive research and testing in TMG but it didn't succeed at all.

    Any scenarios of clustering implementation? We are in a vSphere environment; HA/vMotion will do the high availability or clustering requirement in my opinion. By the time we decide to go with Untangle and implement it, I think the Untangle team will come up with a clustering solution... Hope so!!

    Now, let me go to the implementation scenario and how I can take it from this point.

    As I have explained the network infrastructure above and all the vLANs/networks in place, how can I place Untangle for testing purposes and a user survey? Can anyone help me understand our network and how I can fit Untangle before revamping the entire network?

    I have implemented it before in production, but I keep getting a loop in the network, and cannot reach any network unless I turn off the box and disable the network.

    Hope someone can guide me through..

    Highly appreciate your help.

    Thanks,
    Hussain

  5. #5
    Mathiau (Untangle Ninja)
    Join Date: Feb 2008 | Location: Costa Frickn' Rica | Posts: 1,636

    you could literally just have on site an identical box, perform daily backups of your UT box or whenever something changes, and if something goes down, toss in the other box and off you go!

    in 2 years i have not had a single piece of hardware fail in the 3 UT boxes i am running, all using desktop boards and PSUs with Intel NICs.

    there will always be a single point of failure somewhere down the line.
    kv-2 | UT 11.0.1 | Dell R610 Server | Intel Xeon 2.8Ghz Quad Cores | 24Gb DDR3 ECC | 1 Intel QPort NIC | Integrated Broadcom QP | Dell Perc 4i | 6 x 73G 2.5 15k SAS raid 10 | 100mb/100mb | 30mb/30Mb

  6. #6
    Untangler
    Join Date: Dec 2010 | Posts: 83

    Hi,

    As I said before, vSphere HA will allow me to switch between Untangle VMs using backup/restore, daily clone or clone when there is a change, etc.

    Now, how can I deploy Untangle in the existing setup without interruption to the environment? Deploy in bridge mode, or transparent mode, etc.?

    Thanks,

  7. #7
    Untangler
    Join Date: Dec 2010 | Posts: 83

    Quote Originally Posted by Mathiau:
        you could literally just have on site an identical box, perform daily backups of your UT box or whenever something changes, and if something goes down, toss in the other box and off you go!

        in 2 years i have not had a single piece of hardware fail in the 3 UT boxes i am running, all using desktop boards and PSUs with Intel NICs.

        there will always be a single point of failure somewhere down the line.

    Can I do that between a physical appliance and a virtual appliance?

    My main worry is the networking part. I'm currently testing it; it's perfectly doing all my requirements, especially NATing each subnet to a separate ISP.

    As I have explained above regarding the vLANs that are in the Nortel Passport, all the clients in each vLAN have the vLAN IP as the gateway. All the vLANs are accessible to each other.

    If I replace the Checkpoint and the Nortel Application Switches with an Untangle appliance configured with two public IP addresses, and configure separate interfaces in Untangle representing each vLAN in the Nortel Passport, how will the clients in the vLANs that have the vLAN IP as their default gateway access the Internet? Do I have to put a persistent route in each vLAN, 0.0.0.0 /24, to go via the Untangle internal interfaces for each interface in Untangle?

    What about the clients' DNS? Currently they are pointed to the AD domain controller, and DHCP is from the same server.

    Highly appreciate your response.

    Thanks,

  8. #8
    sky-knight (Untangle Ninja)
    Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 26,249

    You have an interface per vLAN, or simply alias all of the appropriate IPs to a single interface. The latter isn't possible if you need Untangle to do the DHCP work, but if that's done elsewhere it's pretty easy.

    You'll be merging layer 2 on that final hop, which is sort of anti-vlan, but at the same time if that "wire" is exposed to tinkering that means your server harness is insecure and you have larger issues. Also, Untangle bypasses traffic that enters and exits through the same interface so only the packet filter can be deployed to control traffic in these cases.

    Separate interfaces make things cleaner in that you can engage the full Untangle feature set between segments.

    You attach the switch port a given UT interface is attached to to a specific vLAN. That IP is the gateway for that segment.

    If you have a layer 3 switch you could go the easier route. Let the layer 3 deal with all the internal access control and routing, make a new IP network between the layer 3 switch, and the edge device. Untangle is either the edge device or a bridge spliced in on the way to said edge device. All Untangle needs in either case is a static route for each vLAN.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Untangler
    Join Date: Dec 2010 | Posts: 83

    What about Untangle's place in the network? Is it at the edge behind the Internet router, with a public IP address for each ISP to handle WAN Balancer and WAN Failover? Or shall I put it behind a firewall?

    Internet -> Router -> UT with Public IP -> DMZ for web servers -> vLANs

    Or

    Internet -> Router -> Firewall -> "DMZ" -> UT -> vLANs

    Thanks,

  10. #10
    sky-knight (Untangle Ninja)
    Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 26,249

    Untangle as a bridge in complex networks gets to be more trouble than it's worth IMHO. I far prefer Untangle routers; even with NAT disabled they are far easier to troubleshoot.

    Your first map is what I'd start with, assuming that router is handing out real IPs. Double NAT is bad!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
