Author Topic: MiCollab with "WAN" DMZ  (Read 2345 times)

Offline acejavelin

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 4104
  • Country: us
  • Karma: +133/-0
  • High-tech, heavy metal redneck!
MiCollab with "WAN" DMZ
« on: July 21, 2017, 07:07:09 PM »
So I am doing an install of MiCollab, vMCD, and a vMBG... pretty simple, until the customer decided that they want to do their "DMZ" more like a 1:1 NAT on a separate virtual NIC for the MBG and MiCollab servers.

Essentially on the LAN NIC of those servers is a 192.168.200.X IP address in the voice VLAN, and on the second WAN NIC they have a 1:1 "DMZ" NAT with addresses of 172.16.20.X, where each IP address internally is mapped 1:1 to a public IP address.

Now I know I can make this work with the MBG using a custom configuration, but how does this work for AWC on the MiCollab since it needs 2 public IP addresses, one that is resolvable, and a second one for the AWC that is just a public IP address. Would I need two 172.16.20.X IP's mapped independently to two public IP's, or could I use one 172.16.20.X IP address and have both public IP's mapped to that one internal IP? I am guessing I need two internal and two public, but I have never done this kind of a configuration before.

Would have been so much simpler if they just would have put them in a real DMZ, or allowed the public IP's to come directly into the WAN NIC's of the VM's (my preferred way).

Thoughts? Is this going to work, or am I just asking for issues with this setup?
« Last Edit: July 21, 2017, 07:16:39 PM by acejavelin »


Offline sarond

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1405
  • Country: au
  • Karma: +73/-0
Re: MiCollab with "WAN" DMZ
« Reply #1 on: July 21, 2017, 08:28:12 PM »
The latest release of MiCollab 8.0 now allows only 1 public IP Address for AWC  :) :) :)
Check Bulletin PB20170161, this won't be available until late August though.

I would think in the Web Conference settings you can add the second FQDN (e.g. mca2.domain.com) to the webconference name and have DNS records to point it to the second public IP (which is 1:1 NAT to 172.16.20.x)

Recently on a MiVB-x install I have just used the same FQDN in the AWV settings and used port 4443 for both internal and external. This works as long as the far end doesn't have their firewalls blocking traffic to port 4443. This allowed me to use only 1 FQDN and Public IP address. I know this is not supported but it works.



Offline acejavelin

Re: MiCollab with "WAN" DMZ
« Reply #2 on: July 21, 2017, 09:01:18 PM »
> The latest release of MiCollab 8.0 now allows only 1 public IP Address for AWC  :) :) :)
> Check Bulletin PB20170161, this won't be available until late August though.
>
> I would think in the Web Conference settings you can add the second FQDN (e.g. mca2.domain.com) to the webconference name and have DNS records to point it to the second public IP (which is 1:1 NAT to 172.16.20.x)
>
> Recently on a MiVB-x install I have just used the same FQDN in the AWV settings and used port 4443 for both internal and external. This works as long as the far end doesn't have their firewalls blocking traffic to port 4443. This allowed me to use only 1 FQDN and Public IP address. I know this is not supported but it works.

Interesting... I don't think MiCollab 8.0 will really apply here, well not for me anyway. This system is pretty much provisioned and ready to go except the external connections, and I have 3 days to finish it or someone else will have to because Thursday is the last day at my current employer and I am changing jobs.

I will just tell them I need 2 local and 2 public IP's, each mapped 1:1, and just be done with it.

Offline johnp

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2209
  • Country: us
  • Karma: +67/-0
Re: MiCollab with "WAN" DMZ
« Reply #3 on: July 23, 2017, 03:19:02 PM »
If you are using the web proxy blade on the MBG, it should work without issue if the second external converts 443 to 4443 and points to the MBG, IMHO. The MBG is a proxy, which means a man in the middle, and should pass it.

My assumption is that MiCollab is in LAN mode, clustered to MBG in DMZ/custom mode. All applications needed are added to teleworker blade settings. Naming is resolved correctly and proxy blade settings complete.

Offline acejavelin

Re: MiCollab with "WAN" DMZ
« Reply #4 on: July 24, 2017, 03:03:28 PM »
Now they want to know what ports to have open... Here is the list I gave them, am I missing anything important?

TCP Ports
22
80
443
3998-3999
4443
5060-5061
5602-5603
6800-6811
6880-6881
35000-35010
36000-36008

UDP Ports
69
5060
20000-31000
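
An added example, not part of the thread: one way to check a firewall rule export for the 1:1 NAT addresses against the port list posted above, reporting any rule that opens more than the list asks for. The port lists are copied from the post; the rule tuples and all function names are constructed for illustration.

```python
# Port lists copied from the post above; everything else here is constructed.
POSTED = {
    "tcp": "22 80 443 3998-3999 4443 5060-5061 5602-5603 6800-6811 "
           "6880-6881 35000-35010 36000-36008",
    "udp": "69 5060 20000-31000",
}

def parse_ports(spec):
    """Turn '22 3998-3999' into sorted, merged (lo, hi) ranges."""
    ranges = []
    for token in spec.split():
        lo, _, hi = token.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port token: {token!r}")
        ranges.append((lo, hi))
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

ALLOW = {proto: parse_ports(spec) for proto, spec in POSTED.items()}

def exposed_count(proto):
    """Number of distinct ports the posted list opens for one protocol."""
    return sum(hi - lo + 1 for lo, hi in ALLOW[proto])

def excess(proto, lo, hi):
    """Parts of a rule's range lo..hi that the posted list does not cover."""
    gaps, cur = [], lo
    for a, b in ALLOW.get(proto, []):
        if b < cur:
            continue
        if a > hi:
            break
        if a > cur:
            gaps.append((cur, a - 1))
        cur = max(cur, b + 1)
    if cur <= hi:
        gaps.append((cur, hi))
    return gaps

# Constructed firewall export: (protocol, first port, last port).
RULES = [("tcp", 443, 443), ("tcp", 5060, 5063), ("tcp", 6800, 6881),
         ("udp", 20000, 31000), ("udp", 161, 161)]

def audit(rules):
    """Map each over-broad rule to the port ranges it opens beyond the list."""
    return {r: gaps for r in rules if (gaps := excess(*r))}
```
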


 
