Running XG Alongside UTM

Hi all,

We've been using UTM for years now but are aware that at some point we need to migrate to XG.  We're a school and have limited resources and test facilities available but I want to be able to run XG on a VM, using the same internet connection as we use with the UTM (which is our main gateway).  Can anyone see any reason why I can't put a switch between our main router and the UTM, then have the UTM keep running but then connect the XG from the switch too?  That way, users continue to use the UTM but I can route via the XG for testing.

I've attached a basic diagram which shows what I'm trying to achieve.


  • Hi colly72,

    Do you have access to the router, and is the network connected to the WAN side of the XG and UTM a private network? I would be careful about routing through the XG, as this will cause an asynchronous connection, which will cause issues with your connectivity.

  • The switch will work as long as you have at least one spare public IP address to use on the new device.

    The migration process can be segmented this way:

    Transparent vs. Standard Mode functions

    Transparent mode functions rely on the default network flow, while Standard Mode functions relay through the filter device. You can peel off Standard Mode functions piecemeal. For example: you configure the Standard Mode web proxy on the new device, then push out the new Standard Mode proxy settings to groups of devices using GPO.

    Transparent mode functions move when the routing changes. You may be able to move some Transparent Mode functions using static routes. For example, if the default gateway is still on the old device, you may be able to move the VPN connection for a remote site accessed as 10.10.10.0/24 by changing a static route. Changing static routes will work best if your router is something other than the UTM.

    Public IP movement

    You can probably move public IP addresses to the new device one at a time, but you need to consider all of the ports that are used on a particular IP. For example, if one address is used for both client VPN connections and email MX, then you need to either move those functions at the same time, or reconfigure them to remove the address sharing.

    Site-to-Site VPN

    These are probably best handled by working with the other organization to move the tunnels one at a time to the new device on a new IP address.

    DNS Changes

    As much as possible, you want to move IP addresses from the old to the new box, rather than changing IP addresses. If inbound IP addresses change, then you have to change DNS, and DNS has to propagate, so some users or functions may experience downtime while DNS propagates.

    An exception would be your MX record. You can bring up Standard Mode SMTP on a new address on the new box while simultaneously running it on the old address on the old box. This is because the architecture allows multiple MX destinations. You add the new MX to DNS, run with both systems for a day, then take down the old MX, then change DNS to drop the old DNS.

    User impacts

    These are the hardest:

    • You probably need to deploy a new VPN Client and client configuration components to anyone using the UTM VPN client.
    • If you are using UTM One-Time Passwords, you need to determine if those can be moved to XG by copying the seed secret. I have asked in this forum but no one replied. If not, all of your OTP users need to be reconfigured with the new solution.
  • In reply to Aditya Patel:

    This post should help with planning, because it discusses Standard Mode and Transparent Mode features.

    https://community.sophos.com/products/unified-threat-management/f/general-discussion/100848/how-to-understand-utm-port-usage

  • In reply to Aditya Patel:

    Hi Aditya,


    The router is managed, so I'm not able to change the config. Our network is connected via the internal UTM port, with the UTM being the default gateway. My plan is to have a test network that has its default gateway on the XG device. If I set up the XG with a separate public IP, would this work? I'm not sure what you mean by an asynchronous network?

  • In reply to colly72:

    Asynchronous Routing is simply bad for most network devices.

    You have something called Stateful firewalling. https://en.wikipedia.org/wiki/Stateful_firewall

    So basically you will break this concept with asynchronous routing, because one network firewall will only see the outgoing or the incoming packets.

    You can call it asymmetric routing as well. Here is a good post about this issue: https://networkguy.de/?p=409
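The following is an added illustration, not code from the thread or from Sophos: a small Python model of the stateful-firewall point made above. Two independent firewalls (named UTM and XG here, as constructed stand-ins) each keep their own connection table. A reply from the WAN is accepted only by the box that forwarded the SYN. When the outbound path uses one box and the return path the other (asymmetric routing), the reply hits a firewall with no matching state and is dropped. The addresses, port numbers and the `run_connection` helper are all constructed for the example; the model also shows that a test network whose hosts go out and come back through the same box (the separate-public-IP plan discussed above) stays symmetric.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True on the first packet of a new TCP connection


class StatefulFirewall:
    """Minimal stateful filter: a reply from the WAN is accepted only if this
    box forwarded the outbound packet that opened the connection."""

    def __init__(self, name):
        self.name = name
        self.connections = set()  # (client, cport, server, sport) tuples
        self.dropped = []         # replies rejected for lack of state

    def lan_to_wan(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn:
            self.connections.add(key)   # new connection: create state
            return True
        return key in self.connections  # mid-stream packet needs state

    def wan_to_lan(self, pkt):
        # Reverse the tuple: a reply's src/dst are the request's dst/src.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections:
            return True
        self.dropped.append(pkt)        # no state on this box: dropped
        return False


def run_connection(out_fw, back_fw):
    """Send one TCP SYN from a LAN host via out_fw and deliver the server's
    SYN/ACK via back_fw. Returns (syn_forwarded, reply_accepted)."""
    # Constructed sample addresses; 203.0.113.0/24 is a documentation range.
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True)
    syn_ack = Packet("203.0.113.10", 443, "10.0.0.5", 40000)
    return out_fw.lan_to_wan(syn), back_fw.wan_to_lan(syn_ack)


def symmetric_path():
    """Host uses the UTM as gateway and replies come back via the UTM."""
    utm = StatefulFirewall("UTM")
    return run_connection(utm, utm)


def asymmetric_path():
    """Host sends out via the UTM but the reply is delivered to the XG,
    which never saw the SYN: the reply is dropped and the connection hangs."""
    utm = StatefulFirewall("UTM")
    xg = StatefulFirewall("XG")
    return run_connection(utm, xg)


def isolated_test_network():
    """Test-network host uses the XG as gateway and, because the XG has its
    own public IP, the reply also returns through the XG."""
    xg = StatefulFirewall("XG")
    return run_connection(xg, xg)


if __name__ == "__main__":
    print("symmetric via UTM      :", symmetric_path())
    print("out UTM, back via XG   :", asymmetric_path())
    print("test network via XG    :", isolated_test_network())
```

The second function is the failure mode: the SYN is forwarded but the SYN/ACK is silently dropped, which from the client looks like a connection that never completes. Keeping each firewall on its own public IP with NAT on that box is what keeps both directions on the same device.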