
RED-60 Branch to SG230 Head Office Deployment

Hi Guys,

Setting up a new Branch Office location that will sit about 25 Staff. I have about 100 Staff at Head Office and have had an SG230 onsite for a number of years. I have a couple of smaller remote offices with 2-4 staff with a couple of RED 15s deployed - all working fine. Head Office runs a number of vLANs internally, all routing through the Layer 3 switch onsite - everyone is happy.

Server vLAN: 10.0.10.x, VOIP vLAN: 10.0.30.x, Management vLAN: 10.0.100.x (plus a couple more internal ones that aren't relevant to the discussion)

New Site office will have a DC deployed out there due to the number of Staff onsite and I'll have a local file share out there, and all the regular stuff AD DCs have, i.e. DNS, DHCP, Group Policy etc. I have already set up the new subnet 10.0.60.x, a new Site in AD Sites (NewSitename) and associated that subnet to that site as per normal, given the new server the IP address of 10.0.60.10 and done the DC Promo. DNS and DHCP replication are all set up and I set up a new 10.0.60.0/24 DHCP scope in DHCP. I have bound vLAN 60 to the subnet on the switch going out onsite, trunk ports set up to pass vLANs 10, 60, 100 on Port 1, and configured some untagged vLAN 60 ports on the site switch; the site switch is also set up as 10.0.60.253.

So far, so good. 

My stumbling block here is - best way to set up this RED 60 device to provide the link between site and Head Office which will provide or allow for:

DC at Remote Site to do DNS and DHCP for local network - but connect to Head Office DC's for AD Replication etc via RED
Pass traffic to Head Office Servers on vLAN 10 (10.0.10.x network) via RED
Pass traffic to VOIP PABX on vLAN 30 (10.0.30.x network) via RED
Pass traffic to Management vLAN 100 (10.0.100.x network) via RED
Allow vLAN 60 on remote (site) network to get to Servers at Head Office via RED
All Remote Site Internet traffic to go out local Internet

I've set up more than a few Unified and also Split networks with no dramas - but I'm looking at Transparent here for what I want to do and I'm having a bit of trouble wrapping my head around it.

The guides I am finding online aren't showing the setup I am looking for and are more standard type setups without a remote DC in the mix doing DHCP and DNS or AD Replication. Does anyone have some hints/tips/advice or pointers to a good primer for a setup like this? I've done plenty of Site-to-Site VPNs before with other brand hardware but I was hoping to keep this all SOPHOS and that the RED60 will work for what I am trying to do.

Cheers!



  • Ah, so I'm not the only one with this problem who can't find a solution and doesn't know what to do!

    We have a very similar set up, with remote offices having their own DHCP. Slight difference in circumstances in that we are using XG (a new user of 25 days), ideally wanting to use Standard/Unified mode. Added complication that I can't work out yet is: what are the IP settings to put in the XG when using an internet line with a modem in front? (Needed because the line has a user name and password.) The settings I can't work out are both for the Uplink, DHCP or Static, and the RED IP etc. Hoping someone has done this before and can help please.

    Thanks

  • Yes, plenty of documentation, examples and even YouTube videos for Unified and Standard/Split but a dearth of information on Transparent. I have an XG sitting here ready to replace the SG at Head Office - just have not had the time to get into it as I have over 5 years of Firewall Rules, NATs, Mail exceptions, Multipath rules, Interfaces, REDs etc on the current UTM to try and work out how to set these up (since you can't migrate) on the XG.

    Hopefully someone has the info we need and can point us in the right direction! 

  • No-one has set up a RED device with an AD server at the Remote Site?

  • Hello Dread,

    I do have setups at customers' sites like this, but they use the older RED boxes. Did not have an SD-RED yet.

    But from the setup menu possibilities in the UTM RED helper dialogue, I guess the SD-RED behaves very similarly.

    Now to your topology: there is nothing special about having an AD controller in a subsidiary site.

    The RED box simply has to be told which network(s) have to be contacted through the tunnel, and which not.

    So the magic is outside the RED configuration: your DHCP server at that site has to supply the "right" configuration to your clients.

    That is, the AD controller at this site is the primary DNS and forwards its DNS requests to the ISP. Then, the Sophos should be the default gateway for all clients AND the AD controller, so that the RED box can decide which IP packets have to be sent through the tunnel and which not.

    And all the VLAN decisions / routes are done at the main site, so the remote RED has nothing to do with this. You simply define the "local networks". Transparent mode adds the ability to have the IPs assigned by the remote DHCP server. Either you make the RED box the default gateway, or you have to use a routing table that points your hosts to the networks of the main site.

    Maybe this is not as complicated as you think.

    If you have further questions, please ask again. Or come back with your findings.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Cheers for replying Philipp! ;)

    I was out onsite Friday and finally ended up deploying a Standard/Split connection. Not overly happy with the current setup - but it is working. To get it working what I have had to do is:

    1. FTTN Modem 10.0.59.1 with DHCP turned ON. This will give a 10.0.59.x IP to the RED device
    2. Standard/Split setup on SG230 at Head Office with 10.0.60.251 assigned to the RED interface, DHCP scope set up on UTM allocating IPs to the remote network, Head Office subnets set as split networks.

    3. Turned off UTM's DHCP scope

    4. Re-enabled DHCP scope for 10.0.60.x subnet on site AD Controller, gateway set to 10.0.60.251, DNS set to the site AD Server

    Tested VOIP phone connecting to internal vLAN 30 address - all good
    Tested AD replication - seems to be all good so far *fingers crossed*
    Tested local PC login, using local AD Controller as login server - tested OK


    So it seems like we are good to go BUT ... if the RED connection drops they will have no internet or phones, which is a concern. I'd still like to get Transparent/Split up and running. I may have a play around with it during the week as the site goes live next Monday, but still unsure as to some of the settings needed for Transparent :(
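As an added illustration (not code from the original thread or from Sophos), the split-network decision Philipp describes and the branch DHCP scope options from step 4 above, modelled in Python with the addresses given in this thread; the sample host addresses such as 10.0.10.20 are constructed, and the FTTN modem 10.0.59.1 is treated as sitting upstream of the RED rather than as a split network.

```python
import ipaddress

# Head Office networks that must be reached through the RED tunnel (from the thread).
SPLIT_NETWORKS = [
    ipaddress.ip_network("10.0.10.0/24"),   # Server vLAN 10
    ipaddress.ip_network("10.0.30.0/24"),   # VOIP vLAN 30
    ipaddress.ip_network("10.0.100.0/24"),  # Management vLAN 100
]
REMOTE_LAN = ipaddress.ip_network("10.0.60.0/24")   # branch vLAN 60
RED_GATEWAY = ipaddress.ip_address("10.0.60.251")   # RED interface on the SG230
SITE_DC = ipaddress.ip_address("10.0.60.10")        # branch AD / DNS / DHCP server


def next_hop(dst):
    """Decide where a packet from a branch client goes: 'local', 'tunnel' or 'internet'."""
    dst = ipaddress.ip_address(dst)
    if dst in REMOTE_LAN:
        return "local"       # same broadcast domain, never leaves the site switch
    if any(dst in net for net in SPLIT_NETWORKS):
        return "tunnel"      # split network: forwarded over the RED tunnel to Head Office
    return "internet"        # everything else breaks out via the local internet link


def check_dhcp_options(router, dns_servers, scope=REMOTE_LAN):
    """Validate the options the branch DHCP scope hands out against the thread's design.

    Returns a list of problems; an empty list means the scope matches step 4 above.
    """
    problems = []
    router = ipaddress.ip_address(router)
    if router not in scope:
        problems.append(f"router {router} is not inside scope {scope}")
    if router != RED_GATEWAY:
        problems.append(f"router {router} is not the RED interface {RED_GATEWAY}")
    dns = [ipaddress.ip_address(d) for d in dns_servers]
    # Clients must resolve via the local AD controller so logon and DNS work at the site.
    if not dns or dns[0] != SITE_DC:
        problems.append(f"primary DNS should be the site AD controller {SITE_DC}")
    # Every listed DNS server must be reachable locally or over the tunnel, not via the internet.
    for d in dns:
        if next_hop(d) == "internet":
            problems.append(f"DNS server {d} is neither local nor in a split network")
    return problems


def traffic_plan():
    """Constructed sample of the flows listed in the first post, with the path each takes."""
    samples = ["10.0.10.20", "10.0.30.5", "10.0.100.1", "10.0.60.10", "10.0.59.1", "1.1.1.1"]
    return {ip: next_hop(ip) for ip in samples}
```

If the tunnel is down, every flow that `next_hop` maps to "tunnel" is lost, which is why the follow-up post above worries about phones and AD replication.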