Change Mitel Border Gateway to run behind firewall

[kyleighterry]

Hi all. I've got to move a Mitel Border Gateway running on MSL 11 from a WAN edge deployment (2 NICs - first on internal LAN and second with a WAN IP on it) to go via a FortiGate firewall behind NAT. I'm happy with the FortiGate config, but could do with some pointers on getting the VM reconfigured if anyone knows?

[dilkie]

it'll only work properly if the MBG's WAN interface is located in the DMZ of the f/w. A proper, 3 port, DMZ... In that situation, you can exist as a "proper" DMZ only, single network interface, or if the company allows BMG to also have it configured with 2 interfaces, the lan interface and be located on the internal lan network.. in that case, you must use "custom" mode in the networking to properly configure everything to work correctly.

any, of course, your f/w must be configured correctly, see eng guidelines, AND you MUST have a dedicated public ip address that the f/w will forward only to MBG in the DMZ. The requirement for a unique/non-shared public ip address does not go away.

[acejavelin]

@dilkie is 100% spot on here...

I would also like to mention if you are doing this for "security", don't bother... it's a waste of time if you maintain updates and proper config in your MBG... the Teleworker gateway will be more secure than your firewall in 99.9% of cases.

I have done a lot of these... many "network" people have tried to set it up like you want to do, and it is absolutely a supported setup that is well documented, but I find a lot of setups have weird issues and when we switch to the two NIC's in a WAN edge deployment, all the problems disappear.

The change is easy... ssh or console to the VM, run the configurator and change the IP on the NIC into the DMZ and then reboot and login to it and change the deployment mode in the MBG setup... There really isn't anything else to do, you don't have to delete the second NIC if you don't want to but I would do it to make things clean.