08-14-2018 08:44 PM - edited 08-14-2018 08:53 PM
Hello,
In a single Expressway-E LAN interface with one firewall deployment, I read in the guide that Exp-E and Exp-C are in different subnets.
Is it a must and recommended, as I have a project and plan to install both in the same subnet?
Is there a problem with that, or will the system work normally?
Is there another requirement for the system to work (NAT loopback)?
08-14-2018 08:53 PM
The Expressway-E is usually located in a DMZ segment and is accessible from the Internet, and the Expressway-C is hosted on the local subnet. That way it limits what the public could possibly access if they connect to one of your devices from externally.
Please remember to mark helpful responses and to set your question as answered if appropriate.
08-14-2018 08:59 PM - edited 08-14-2018 09:07 PM
Ok, I understand this, but you said usually.
My question is: will the system work or not in my case?
If it works, is there another configuration?
08-14-2018 09:19 PM
It can work, but isn't the recommended way. Remember that the Expressway-E needs to be made accessible to the Internet - ideally you don't want this to happen for the rest of your network. The easiest way to do this is to put the Expressway-E in a DMZ.
Just consider: if your Expressway-E gets compromised in any way, then the device, if on the same subnet as everything else, gives pretty open access to your network. This can't happen in a DMZ, as access to your LAN from the DMZ can be restricted quite easily, whereas limiting access between two devices on the same subnet is much more difficult.
Please remember to mark helpful responses and to set your question as answered if appropriate.
08-14-2018 09:36 PM
Yes, I got this.
The servers already access the Internet, as I use CUCM and CUC 12 with Smart Licensing.
Sorry, is there a NAT reflection or loopback configuration required in this case?
08-15-2018 01:36 AM
You will also need reflection if you plan to use a 1-NIC deployment. You will need to establish a traversal zone between Exp-C and Exp-E, and Exp-C needs to be able to reach the public IP address of the Exp-E and not the NATted one. This scenario assumes you are placing Exp-C inside the LAN and Exp-E in the DMZ.
08-27-2018 01:12 AM
@Nuno Melo What if I put both Exp in the same subnet?
08-27-2018 05:13 AM
Please, @Jaime Valencia, can you help me?
In a single-NIC deployment, I put E in the same subnet with C, not in the DMZ.
Will it work? Is any other configuration required (NAT reflection)?
08-27-2018 07:56 AM
@Chris Deren Can you please help me with that case?
08-27-2018 08:19 AM
Sure, you could make it work, but my strong advice would be not to do that, as you would be opening up an Internet connection to your UC environment, which would be a huge security risk. The Expressway deployment guide should provide some good descriptions of why it's a best practice to have TWO DMZ networks for your Exp-E nodes.
08-28-2018 12:31 AM - edited 08-28-2018 12:32 AM
@Chris Deren My UC environment already sees the Internet due to Smart Licensing, don't worry about that.
My question is how to make that work, because the guide shows only single NIC with DMZ.
What configuration should be done on the FortiGate?
Is there any extra configuration in this deployment beyond issuing a public certificate to make IP Phone 7841 access from outside?
08-28-2018 05:37 AM
There is a difference between allowing a UC application to connect to the Internet across a stateful firewall vs. putting your application on a network facing the Internet.
In either case you simply open all necessary firewall ports between Exp-C and the outside Internet to the single IP address you have, and point everything to these addresses rather than the separate ones you'd normally use.
08-28-2018 05:44 AM
Ok @Chris Deren, I opened the required ports.
Is NAT reflection or anything else required in this deployment, and if yes, where can I find the configuration for FortiGate?
08-28-2018 05:55 AM
Unless you are assigning a public IP address to the Exp-E server, you will need to configure NAT to allow external connectivity to the server. On Exp-E you just add the public IP address under the NAT field, and your security/network administrator should know how to configure it on your firewall, as there is nothing unique about configuring this NAT compared to any other NAT you may already have. If you need assistance configuring the firewall for NAT, you should open a new thread under the security forum.