Meetinghouse Firewall Upgrade Available to FMs/STSs

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
CleggGP
Church Employee
Church Employee
Posts: 98
Joined: Mon Jul 28, 2014 12:55 pm

Meetinghouse Firewall Upgrade Available to FMs/STSs

Postby CleggGP » Mon Oct 20, 2014 12:42 pm

The new Meetinghouse Firewall upgrade can now be done by Stake Technology Specialists and Facilities Managers using Technology Manager (tm.lds.org). The upgrade enables 990 DHCP addresses, faster firewall data throughput, and dedicated network zones. Church technology specialists should prepare their meetinghouses for the upgrade.

The new firewall configuration requires dedicated firewall ports for network connectivity. Before doing the upgrade you must ensure that network cabling is connected to specific firewall ports, and identify network devices using static IP addresses.

    Dedicated Firewall Port Assignments
      Firewall Port(s) / Connection Description
      FE LAN Ports 0 and 1 / Public Network
      FE LAN Port 2 / Reserved
      FE LAN Port 3 / Facilities Zone
The firewall upgrade creates a new 192.168.x.x Public Network space; after the upgrade any network device with a static IP address will need to be reassigned to the new Public Network static IP range (192.168.108.2 to 192.168.108.32). If the meetinghouse contains an “official” Family History Center (with a Church unit number that is separate from the Stake/Ward), then the firewall upgrade must be done by the Global Service Center.

The attached “Upgrading an Existing Meetinghouse Firewall” document contains information for upgrading the firewall. Please download and study the document before performing the upgrade. Stake Technology Specialists may contact the Global Service Center (+1 855-537-4357) for questions or additional support.

Once the Meetinghouse Firewall has been upgraded, please notify the Facilities Manager about the upgrade (including the meetinghouse address and the firewall serial number).
Attachments
Upgrading an Existing Meetinghouse Firewall.pdf
(129.97 KiB) Downloaded 317 times
Last edited by MarchantRR on Tue Oct 21, 2014 2:38 pm, edited 2 times in total.
Reason: Removed outdated attachment.

russellhltn
Community Administrator
Posts: 20746
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

Postby russellhltn » Mon Oct 20, 2014 1:47 pm

Yea! Questions:

If a Special Purpose Zone is created for a Family History Center, then only Family History Center devices should be connected to the “Reserved” firewall port

Since my FHC is in a separate building, I'm lucky and can do that. But what about the many installs where the FHC is not separate? If they're using any AP at all (to connect printers or FHC computers), short of installing a Faraday cage, it's going to be a mix of FHC and public.

My understanding is that the FHC zone is required for remote management of the FHC printers. FHC computer have to be on the same segment to print to the printers. But other than the limited IP range, is there really a downside to mixing public traffic with the FHC segment?


The Special Purpose Zone does not have an assigned static IP range. As a general practice, if devices are assigned static addresses in the Special Purpose Zone, the devices should be assigned addresses starting at the end of the IP address range.

I believe this information is out of date. Last I saw, there is a static IP range, but it won't show in TM until a later version of TM. Assigning any device a static IP in the DHCP range is poor practice.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

drepouille
Senior Member
Posts: 1227
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE
Contact:

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

Postby drepouille » Mon Oct 20, 2014 1:56 pm

This could get interesting. A few months ago, one of my FHC directors asked me to make two of her computers wireless, because she didn't like seeing the long cable runs along the wall to the computers. What may save us is that these two computers may have their own USB printer, so it may be OK for them to be on the 192.168.x.x, rather than the 10.x.x.x.

Or I can just ask the FM to install conduit and run the cable through the ceiling.
Dana Repouille, Plattsmouth, Nebraska

User avatar
Mikerowaved
Community Moderators
Posts: 3131
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

Postby Mikerowaved » Mon Oct 20, 2014 2:20 pm

If a Special Purpose Zone is not created on the firewall, then the “Reserved” port may be used for connecting Public Network devices.

This has not been my experience. In one building, I had a 10/100 switch on port 0, and 2 AP's plugged into ports 1 and 2 respectively. After rescripting, the AP on port 2 disappeared. To get it back, I had to rewire it to the switch.

My recommendation is to only use ports 0 and 1 for public use.
So we can better help you, please edit your Profile to include your general location.

CleggGP
Church Employee
Church Employee
Posts: 98
Joined: Mon Jul 28, 2014 12:55 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

Postby CleggGP » Mon Oct 20, 2014 3:25 pm

The Special Purpose Zone does not have an assigned static IP range. As a general practice, if devices are assigned static addresses in the Special Purpose Zone, the devices should be assigned addresses starting at the end of the IP address range.

I believe this information is out of date. Last I saw, there is a static IP range, but it won't show in TM until a later version of TM. ... (mikerowaved)

Good catch. Now a Special Purpose Zone contains 15 static IP addresses (.2 - .16).

russellhltn
Community Administrator
Posts: 20746
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

Postby russellhltn » Tue Oct 21, 2014 4:56 pm

FAMILY HISTORY CENTER. If the meetinghouse contains an official Family History Center, then DO NOT PROCEED with firewall upgrade. Please contact the Global Service Center (GSC) at +1 855-537-4357 for additional information.

I made the call. It seem the procedure is to do the upgrade, call and open a ticket to have the FHC Zone added. It will be done in 24 hours - not during the call.

Needless to say, you'll have to time this when the FHC is closed and when you can get back in to reset all the static IPs and everything that points to them. I don't think you'll be able to know the static range until the zone is added.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

russellhltn
Community Administrator
Posts: 20746
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

Postby russellhltn » Wed Oct 22, 2014 12:17 am

Here's my experience:

I went to the first meetinghouse. All 4 ports on the firewall are used. Will have to bug FM to get a switch. I'll just sacrifice the podium jack for now.

When I clicked on "Start Upgrade", I got a message: "By clicking the "Confirm" button, I acknowledge I have read and understand the information and cautions pertaining to upgrading/refreshing the firewall configuration." When I click on the link, I get "Access Denied". I'm a STS. Go figure.

I go ahead anyway. It warns me it could take 10 minutes. I have connectivity back in maybe 2-3 minutes.

But when I look at the status in TM, it says "This firewall has undergone an upgrade. Confirmation can take up to 60 minutes. If this message persists, please contact the Global Service Center." So it looks like I won't see the new layout in TM for a bit.

Edit: After 18 minutes, I got a error message. It was trying to access 127.0.0.1 and getting a bad request.

Trying it again at about 22 minutes, I got the updated status. Port 2 is not listed with any zone, but it's part of Port 0 and 1, even pulling from the same DHCP zone.

I did power cycle the two APs while I was waiting. I'm not sure if it's necessary.

The "Start Upgrade" button has now become a "Refresh Configuration" button.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

russellhltn
Community Administrator
Posts: 20746
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

Postby russellhltn » Wed Oct 22, 2014 1:24 am

CleggGP, is the zone "Public" or "User"? Because the documentation says "Public", but TM says "User". I'd like to know the proper terminology before labeling things.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

CleggGP
Church Employee
Church Employee
Posts: 98
Joined: Mon Jul 28, 2014 12:55 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

Postby CleggGP » Wed Oct 22, 2014 8:07 am

russellhltn wrote:When I clicked on "Start Upgrade", I got a message: "By clicking the "Confirm" button, I acknowledge I have read and understand the information and cautions pertaining to upgrading/refreshing the firewall configuration." When I click on the link, I get "Access Denied".

You discovered a permissions issue that needs to be resolved. Below is the text of the "read and understand" link:
==============
Meetinghouse Firewall Upgrade Warning

Upgrading a Meetinghouse Firewall yields several benefits, but it also makes changes to the IP addresses used for the meetinghouse network. Please read through the following information to understand these changes and to take any necessary actions. Ignoring this information may result in some devices on the meetinghouse network not working properly after the upgrade.

If the meetinghouse contains an official Family History Center or other co-located Church entity (such as a Facilities Management Office or Mission Office), then DO NOT PROCEED unless authorized by the Global Service Center (GSC). Contact the Global Service Center (GSC) at +1 855-537-4357 or dial the toll-free number for your area.

Meetinghouse Firewalls being upgraded to the new configuration will receive a new IP address range for the User Zone (also known as the Public Network). Where it used to use 10.x.x.x addresses, after the upgrade it will use 192.168.x.x addresses. This means that any devices with statically assigned IP addresses will need to be changed to use IP addresses in the new static IP address range or to obtain IP addresses automatically in order for them to work correctly. Network printers and servers usually use static IP addresses. Clerk computers should be checked to make sure they are set to obtain IP addresses automatically or use a static IP address in the new static IP address range. The Public Network will now support 990 dynamic addresses and 31 static addresses.

Meetinghouse Firewalls activated prior to August 13, 2014 were not automatically configured with a Facilities Zone, though a Facilities Zone could have been added by contacting the GSC. Firewalls activated on or after August 13, 2014 and those that go through this upgrade process will automatically have a port assigned to the Facilities Zone (usually port 3, except in the case of the C891F which uses port 7). The Facilities Zone is not designed for any connections other than Internet-enabled appliances (IEAs) such as air conditioning systems and remote door lock systems. Even if there are no IEAs in a meetinghouse, this port is now always configured for this purpose. After the upgrade, any non-IEA devices (such as computers or wireless access points) connected to the Facilities Zone will no longer work. Please make sure all non-IEA devices are plugged into the User Zone (also known as the Public Network) and not the Facilities Zone.

Visit Technology Manager at tm.lds.org to see which zones are assigned to which ports and for the ranges of static and dynamic IP addresses available.
==============

CleggGP
Church Employee
Church Employee
Posts: 98
Joined: Mon Jul 28, 2014 12:55 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

Postby CleggGP » Wed Oct 22, 2014 9:22 am

russellhltn wrote:I clicked on "Start Upgrade" ... It warns me it could take 10 minutes. I have connectivity back in maybe 2-3 minutes. But when I look at the status in TM, it says "This firewall has undergone an upgrade. Confirmation can take up to 60 minutes. If this message persists, please contact the Global Service Center." ... after 18 minutes, I got a error message. It was trying to access 127.0.0.1 and getting a bad request. ... Trying it again at about 22 minutes, I got the updated status.

After confirming "Start Upgrade" the new configuration is downloaded to the firewall and the firewall restarts. A firewall restart usually takes about 3 minutes, but it may take a few minutes longer for connectivity to be established. This is the basis for the "10 minutes" estimate.

During the upgrade TM does complex tasks to define networks while maintaining network connectivity. So it's possible to get a TM error during the first few minutes (depending on what feature a user tries to access). The firewall must also "phone home" for data to be shown in TM. There are many factors that affect the reporting of network data in TM, so the "... can take up to 60 minutes" statement basically tells the user to be patient.
Last edited by CleggGP on Wed Oct 22, 2014 9:59 am, edited 1 time in total.


Return to “Meetinghouse Internet”

Who is online

Users browsing this forum: No registered users and 1 guest