Author Topic: Change Mitel Border Gateway to run behind firewall (Read 789 times)

kyleighterry · « **on:** September 20, 2024, 04:00:28 AM »

Hi all. I've got to move a Mitel Border Gateway running on MSL 11 from a WAN edge deployment (2 NICs - first on internal LAN and second with a WAN IP on it) to go via a FortiGate firewall behind NAT. I'm happy with the FortiGate config, but could do with some pointers on getting the VM reconfigured if anyone knows?

dilkie · « **Reply #1 on:** September 20, 2024, 09:46:11 AM »

it'll only work properly if the MBG's WAN interface is located in the DMZ of the f/w. A proper, 3 port, DMZ... In that situation, you can exist as a "proper" DMZ only, single network interface, or if the company allows BMG to also have it configured with 2 interfaces, the lan interface and be located on the internal lan network.. in that case, you must use "custom" mode in the networking to properly configure everything to work correctly.

any, of course, your f/w must be configured correctly, see eng guidelines, AND you MUST have a dedicated public ip address that the f/w will forward only to MBG in the DMZ. The requirement for a unique/non-shared public ip address does not go away.

acejavelin · « **Reply #2 on:** September 20, 2024, 12:09:03 PM »

@dilkie is 100% spot on here...

I would also like to mention if you are doing this for "security", don't bother... it's a waste of time if you maintain updates and proper config in your MBG... the Teleworker gateway will be more secure than your firewall in 99.9% of cases.

I have done a lot of these... many "network" people have tried to set it up like you want to do, and it is absolutely a supported setup that is well documented, but I find a lot of setups have weird issues and when we switch to the two NIC's in a WAN edge deployment, all the problems disappear.

The change is easy... ssh or console to the VM, run the configurator and change the IP on the NIC into the DMZ and then reboot and login to it and change the deployment mode in the MBG setup... There really isn't anything else to do, you don't have to delete the second NIC if you don't want to but I would do it to make things clean.

billbry66 · « **Reply #3 on:** November 09, 2024, 01:57:32 AM »

you can change MBG to be single nic by rerunning the setup my server and de-selecting the WAN interface

then you can open ports on MBG public ip on firewall and allow them to teh Internal Address of the MBG.
MBG with 2 interfaces is only supported when one of them has a public IP
if its lan mode or in DMZ it MUST have single network interface Eth0
its its got a WAN interface (Eth1 ) the WAN MUST be direct connected and have a public IP assigned

dilkie · « **Reply #4 on:** November 09, 2024, 10:10:46 AM »

Quote from: billbry66 on November 09, 2024, 01:57:32 AM

you can change MBG to be single nic by rerunning the setup my server and de-selecting the WAN interface

then you can open ports on MBG public ip on firewall and allow them to teh Internal Address of the MBG.
MBG with 2 interfaces is only supported when one of them has a public IP
if its lan mode or in DMZ it MUST have single network interface Eth0
its its got a WAN interface (Eth1 ) the WAN MUST be direct connected and have a public IP assigned

"got a WAN interface (Eth1 ) the WAN MUST be direct connected and have a public IP assigned"

not true.. the WAN connection can be in a private network (like a DMZ) without a direct public ip assigned to the interface. You do require a public ip assigned to MBG, but that can be owned by the f/w (routing all traffic to MBG). In MBG, you select a "custom" network profile and populate the "setside streaming address" to be the public (and the "icpside" one to be the lan address).

sarond · « **Reply #5 on:** November 09, 2024, 07:52:31 PM »

Quote from: dilkie on November 09, 2024, 10:10:46 AM

Quote from: billbry66 on November 09, 2024, 01:57:32 AM
you can change MBG to be single nic by rerunning the setup my server and de-selecting the WAN interface

then you can open ports on MBG public ip on firewall and allow them to teh Internal Address of the MBG.
MBG with 2 interfaces is only supported when one of them has a public IP
if its lan mode or in DMZ it MUST have single network interface Eth0
its its got a WAN interface (Eth1 ) the WAN MUST be direct connected and have a public IP assigned

"got a WAN interface (Eth1 ) the WAN MUST be direct connected and have a public IP assigned"

not true.. the WAN connection can be in a private network (like a DMZ) without a direct public ip assigned to the interface. You do require a public ip assigned to MBG, but that can be owned by the f/w (routing all traffic to MBG). In MBG, you select a "custom" network profile and populate the "setside streaming address" to be the public (and the "icpside" one to be the lan address).

This is how we do a lot of our deployments. The public IP is attached to the customers firewall and they allow the ports required. They like to have control over the network.

Azure/AWS deployments also work like this. The MBG WAN NIC has a private IP and the public IP is associated to that. It also has Network Security Group rules that restrict ports before it gets to the MBG. This is all provided in the templates supplied by Mitel.

Mitel Forums - The Unofficial Source

News:

Author Topic: Change Mitel Border Gateway to run behind firewall (Read 789 times)

kyleighterry

Change Mitel Border Gateway to run behind firewall

dilkie

Re: Change Mitel Border Gateway to run behind firewall

acejavelin

Re: Change Mitel Border Gateway to run behind firewall

billbry66

Re: Change Mitel Border Gateway to run behind firewall

dilkie

Re: Change Mitel Border Gateway to run behind firewall

sarond

Re: Change Mitel Border Gateway to run behind firewall