Author Topic: Change Mitel Border Gateway to run behind firewall  (Read 1348 times)

Offline kyleighterry

  • New Member
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Change Mitel Border Gateway to run behind firewall
« on: September 20, 2024, 04:00:28 AM »
Hi all. I've got to move a Mitel Border Gateway running on MSL 11 from a WAN edge deployment (2 NICs - first on internal LAN and second with a WAN IP on it) to go via a FortiGate firewall behind NAT. I'm happy with the FortiGate config, but could do with some pointers on getting the VM reconfigured if anyone knows?


Offline dilkie

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 346
  • Karma: +11/-0
    • View Profile
Re: Change Mitel Border Gateway to run behind firewall
« Reply #1 on: September 20, 2024, 09:46:11 AM »
it'll only work properly if the MBG's WAN interface is located in the DMZ of the f/w. A proper, 3 port, DMZ... In that situation, you can exist as a "proper" DMZ only, single network interface, or if the company allows BMG to also have it configured with 2 interfaces, the lan interface and be located on the internal lan network.. in that case, you must use "custom" mode in the networking to properly configure everything to work correctly.

any, of course, your f/w must be configured correctly, see eng guidelines, AND you MUST have a dedicated public ip address that the f/w will forward only to MBG in the DMZ. The requirement for a unique/non-shared public ip address does not go away.

Offline acejavelin

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 4104
  • Country: us
  • Karma: +133/-0
  • High-tech, heavy metal redneck!
    • View Profile
    • Like what I do and wanna help out? Send me a donation!
Re: Change Mitel Border Gateway to run behind firewall
« Reply #2 on: September 20, 2024, 12:09:03 PM »
@dilkie is 100% spot on here...

I would also like to mention if you are doing this for "security", don't bother... it's a waste of time if you maintain updates and proper config in your MBG... the Teleworker gateway will be more secure than your firewall in 99.9% of cases.

I have done a lot of these... many "network" people have tried to set it up like you want to do, and it is absolutely a supported setup that is well documented, but I find a lot of setups have weird issues and when we switch to the two NIC's in a WAN edge deployment, all the problems disappear.

The change is easy... ssh or console to the VM, run the configurator and change the IP on the NIC into the DMZ and then reboot and login to it and change the deployment mode in the MBG setup... There really isn't anything else to do, you don't have to delete the second NIC if you don't want to but I would do it to make things clean.

Offline billbry66

  • Full Member
  • ***
  • Posts: 94
  • Karma: +3/-0
    • View Profile
Re: Change Mitel Border Gateway to run behind firewall
« Reply #3 on: November 09, 2024, 01:57:32 AM »
you can change MBG to be single nic by rerunning the setup my server and de-selecting the WAN interface

then you can open ports on MBG public ip on firewall and allow them to teh Internal Address of the MBG.
MBG with 2 interfaces is only supported when one of them has a public IP
if its lan mode or in DMZ it MUST have single network interface Eth0
its its got a WAN interface (Eth1 ) the WAN MUST be direct connected and have a public IP assigned

Offline dilkie

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 346
  • Karma: +11/-0
    • View Profile
Re: Change Mitel Border Gateway to run behind firewall
« Reply #4 on: November 09, 2024, 10:10:46 AM »
you can change MBG to be single nic by rerunning the setup my server and de-selecting the WAN interface

then you can open ports on MBG public ip on firewall and allow them to teh Internal Address of the MBG.
MBG with 2 interfaces is only supported when one of them has a public IP
if its lan mode or in DMZ it MUST have single network interface Eth0
its its got a WAN interface (Eth1 ) the WAN MUST be direct connected and have a public IP assigned

"got a WAN interface (Eth1 ) the WAN MUST be direct connected and have a public IP assigned"

not true.. the WAN connection can be in a private network (like a DMZ) without a direct public ip assigned to the interface. You do require a public ip assigned to MBG, but that can be owned by the f/w (routing all traffic to MBG). In MBG, you select a "custom" network profile and populate the "setside streaming address" to be the public (and the "icpside" one to be the lan address).

Offline sarond

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1405
  • Country: au
  • Karma: +73/-0
    • View Profile
Re: Change Mitel Border Gateway to run behind firewall
« Reply #5 on: November 09, 2024, 07:52:31 PM »
you can change MBG to be single nic by rerunning the setup my server and de-selecting the WAN interface

then you can open ports on MBG public ip on firewall and allow them to teh Internal Address of the MBG.
MBG with 2 interfaces is only supported when one of them has a public IP
if its lan mode or in DMZ it MUST have single network interface Eth0
its its got a WAN interface (Eth1 ) the WAN MUST be direct connected and have a public IP assigned

"got a WAN interface (Eth1 ) the WAN MUST be direct connected and have a public IP assigned"

not true.. the WAN connection can be in a private network (like a DMZ) without a direct public ip assigned to the interface. You do require a public ip assigned to MBG, but that can be owned by the f/w (routing all traffic to MBG). In MBG, you select a "custom" network profile and populate the "setside streaming address" to be the public (and the "icpside" one to be the lan address).

This is how we do a lot of our deployments. The public IP is attached to the customers firewall and they allow the ports required. They like to have control over the network.

Azure/AWS deployments also work like this. The MBG WAN NIC has a private IP and the public IP is associated to that. It also has Network Security Group rules that restrict ports before it gets to the MBG. This is all provided in the templates supplied by Mitel.

Offline billbry66

  • Full Member
  • ***
  • Posts: 94
  • Karma: +3/-0
    • View Profile
Re: Change Mitel Border Gateway to run behind firewall
« Reply #6 on: November 28, 2024, 04:17:55 AM »
"not true.. the WAN connection can be in a private network (like a DMZ) without a direct public ip assigned to the interface."
i never said that you couldn't do it , its not supported though.
check the engineering Guidelines and you will thee there are only 3 modes for TW
- single nic on lan
- single nic in DMZ
- dual nic with public IP natively assigned

we had a couple of sites that had internal IP on wan and ended up with some issues with micollab sip softphone
changed them to single NIC and never had any further issues.

if the third nic is used it acts like a 2nd internal connection - is only supported for sip trunk cross connects

Offline johnp

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2209
  • Country: us
  • Karma: +67/-0
    • View Profile
Re: Change Mitel Border Gateway to run behind firewall
« Reply #7 on: December 01, 2024, 06:34:28 PM »
Would that not be custom mode?


 

Sitemap 1 2 3 4 5 6 7 8 9 10