Meetinghouse Firewall Upgrade Available to FMs/STSs

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
tlhackett
Church Employee
Posts: 69
Joined: Mon Dec 23, 2013 1:54 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#81

Post by tlhackett »

russellhltn wrote:
I doubt if FM will be able to access anything on Port 0 or 1 unless they are in the building - that's because that range is the same for every building - there's no way for someone outside to specify an IP and get routed to the right building. If it wasn't on port 3 before, or if the port 3 range got changed, then they'll have to be reconfigured. Note that there is no DHCP on port 3 - all devices have to have a static IP in the range shown by TM.
This is not totally true. The Honeywell Redlink webstats only do DHCP. They need to be on ports 0 or 1 because of this. They connect to a server on the internet where the FM office manages them. They do not connect to them directly.

If they were using port 3 before the upgrade and the port wasn't set up on a Facility zone, it would make sense as to why they needed to move them to ports 0 and 1 after the upgrade, as port 3 would no longer have DHCP IP addresses.
russellhltn
Community Administrator
Posts: 34490
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#82

Post by russellhltn »

yarrgh wrote:
This is not totally true. The Honeywell Redlink webstats only do DHCP. They need to be on ports 0 or 1 because of this. They connect to a server on the internet where the FM office manages them. They do not connect to them directly.
Good to know. Is there any list that would indicate what "FM Devices" should be in which zone? Hopefully FM knows that and adds them accordingly (but I wouldn't bet on it), but it would still be good if the STS knows which is which.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
tlhackett
Church Employee
Posts: 69
Joined: Mon Dec 23, 2013 1:54 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#83

Post by tlhackett »

russellhltn wrote:
Good to know. Is there any list that would indicate what "FM Devices" should be in which zone? Hopefully FM knows that and adds them accordingly (but I wouldn't bet on it), but it would still be good if the STS knows which is which.
There isn't, but if there were, it would be very small. Almost everything they install would go into port 3 and be specifically set up so that they can access it from the office. I want to say that the Honeywell Redlink webstats are the only devices that don't need to be in port 3, but I'm not positive if there are more.
ksteurer
New Member
Posts: 29
Joined: Sat Jul 06, 2013 8:11 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#84

Post by ksteurer »

Thanks russellhltn and mikerowaved for the tips.
drepouille
Senior Member
Posts: 2859
Joined: Sun Jul 01, 2007 6:06 pm
Location: Plattsmouth, NE

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#85

Post by drepouille »

As for FM devices (HVAC, sprinkler systems, etc.), I found most of them were connected to ports 0, 1, or 2 before I upgraded the firewall. So I didn't move them. If one was connected to port 3, I left it on port 3. I think in one or two cases, if an FM device was moved to port 3 during the upgrade, it became unusable after the upgrade. I told the FM to have his technician look into each such case.
Dana Repouille, Plattsmouth, Nebraska
drepouille
Senior Member
Posts: 2859
Joined: Sun Jul 01, 2007 6:06 pm
Location: Plattsmouth, NE

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#86

Post by drepouille »

drepouille wrote:
This could get interesting. A few months ago, one of my FHC directors asked me to make two of her computers wireless, because she didn't like seeing the long cable runs along the wall to the computers. What may save us is that these two computers may have their own USB printer, so it may be OK for them to be on the 192.168.x.x, rather than the 10.x.x.x.

Or I can just ask the FM to install conduit and run the cable through the ceiling.
Follow up:
I did ask my FM to install conduit and a single Ethernet cable from the two computers in the back room to the switch on the staff desk. However, his tech didn't understand. He simply ran two Cat 5 cables around the edge of the room, above and behind a bookshelf, with no conduit. The Cat 5 cables were much too long, so he left the excess coiled on top of a table behind a monitor. Each Cat 5 cable was indeed terminated with an RJ-45 jack, and each computer connected via a patch cable. However, one of the patch cables was bad, so only one of the computers could connect.

I removed the redundant cable, and connected both computers to a switch. Everything works now. I just wish we had a conduit to hide the cable better, and a box for the RJ-45 connector.
Dana Repouille, Plattsmouth, Nebraska
drepouille
Senior Member
Posts: 2859
Joined: Sun Jul 01, 2007 6:06 pm
Location: Plattsmouth, NE

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#87

Post by drepouille »

russellhltn wrote:
I called back into GSD this morning. The person I talked to wasn't able to create the FHC zone himself, but he was able to cause it to be created during the call so we could both confirm the creation. (I should add this was during normal MT working hours.)
I had heard that the weekend crew on the GSD did not have privileges needed to create the VPN/SPZ for FHC on port 2, but I was at a remote meetinghouse on Saturday night for other reasons, so I made the call. I asked the young lady if she was able to upgrade a firewall in a meetinghouse that had a FHC. First she said yes. A little later, she said something about creating a ticket for the Level 2 support guys. It wasn't until AFTER she had upgraded the firewall that she told me she could not create the VPN/SPZ on port 2, and that is why she needed to forward my ticket to Level 2. Just great.

Since this meetinghouse is 45 minutes away from my house, I showed a bishopric counselor there how to reset the static IP for the Lexmark printer in the FHC, as well as add a new port for the printer in the two FHC computers. When port 2 was activated on Monday morning, I sent the new static IP address for the printer to the bishopric counselor, and he made all necessary changes for me.

After each firewall upgrade that needed port 2 activated (I have four FHCs in my stake), I notified FamilySearch FHC Support of the new IP addresses for the Lexmark printers. They just recently informed me that I can set those IP addresses myself using a FamilySearch web page.
Dana Repouille, Plattsmouth, Nebraska
russellhltn
Community Administrator
Posts: 34490
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#88

Post by russellhltn »

drepouille wrote:
I think in one or two cases, if an FM device was moved to port 3 during the upgrade, it became unusable after the upgrade.
Since port 3 is all static with no DHCP, I would expect ALL devices moved there to be unusable until reconfigured. But devices that "call home" via the internet rather than wait for someone to call them need to be on port 0 or 1.
CleggGP
Church Employee
Posts: 118
Joined: Mon Jul 28, 2014 1:55 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#89

Post by CleggGP »

As stated previously in this forum, but just a reminder: if a Facilities Zone ("FAC") exists in a meetinghouse network before performing the firewall update, then the same Facilities Zone static IP 10.x.x.x addresses will be in place after the upgrade. This means that provided FAC devices are connected to the firewall Facilities Zone port, they should function normally after the firewall update. The exception is for FAC devices that use DHCP network addresses; in those cases those devices should be connected to the Public Network (since the FAC Zone only uses static IP addresses).

Below is guidance given to FMs (from the FM online manual):
=====
Facilities Zone Devices. As a general rule meetinghouse facilities devices (e.g., WebStat, card access, sprinkler systems) should be connected to the Facilities Zone port of the firewall (Cisco 881 series: Port 3; Cisco C891F: Port 7). The Facilities Zone only supports static IP network addresses. If there are facilities devices that use dynamic (DHCP) network addressing, then those devices should be connected to the Public Network firewall ports (Cisco 881 series: Ports 0-1; Cisco C891F: Ports 0-5). An example of such a device is the Honeywell Redlink (“Prestige”) Red Gateway device that uses dynamic network addresses.

If a facilities device does not function the same way it did before the upgrade, then try connecting the device to the Public Network instead of being connected to the Facilities Zone firewall port.