
Firewall upgrade: corrections/additions to instructions

Posted: Mon Nov 24, 2014 3:14 pm
by ulupoi
The official instructions are here:
https://www.lds.org/help/support/bc/cle ... rewall.pdf

Here are some corrections/additions based on my experience with four upgrades, including one building with an FHC. (I have also submitted these to mht@lds.org.)

1. Public Zone IP address range corrections. The Public Zone DHCP range starts at 192.168.108.33 (not .32). For Public Zone static IP addresses, the range is 192.168.108.2-.32 (not .31), the subnet mask is 255.255.252.0, and the gateway is 192.168.108.1.

The smart way to run this upgrade is to sit at a computer and change all the static IP addresses of devices in the Public Zone before the upgrade. That way, you don't have to waste time connecting each device separately to a computer on which you have modified the IPv4 settings to match the old static IP addresses. (However, for FHCs, see below.)

2. Based on my experience, if you use the online tool to initiate the upgrade, you'll have to manually powercycle the firewall afterwards (waiting 15 minutes seems safe). When using the upgrade tool on tm.lds.org, on three of three upgrades, after running the tool and waiting for 15 minutes or more, I had to manually powercycle the firewall to get it working again. For our building with an FHC, I called the GSC and they initiated the upgrade, and in this case, I did not have to manually restart the firewall.

3. FHC Special Purpose Zones in different buildings will get different IP addresses assigned to them. If you call the GSC to get your Special Purpose Zone static IP range ahead of time, thinking that you can pre-assign the new static IP addresses to your printers, they might just look up a random FHC and give you its address range, but this range will turn out to be wrong for you. I learned this the hard way.

4. If you have an FHC, call for the upgrade during normal business hours. Regardless of what GSC reps may tell you, if you have a building with an official FHC, you should only call to initiate the upgrade during normal business hours because that's when the people who can create the Special Purpose Zone are there. Maybe those people can give you the correct new static range ahead of time, but the normal GSC reps cannot. Also, note that the subnet mask of the Special Purpose Zone is not the same as for the Public Zone. In my case, the Special Purpose Zone subnet mask was 255.255.255.0.

5. If you change any FHC printer static IP addresses, notify the FHD. I used the form at this URL: https://fhcprofile.familysearchsupport.org/printers/new This form will ask you for the serial number, so you'll want to write it down.

6. The Facilities Zone static IP range is different for every building. In our stake, in 4 of 4 buildings, the FZ subnet mask is 255.255.255.240.
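
Added example (not part of the original post or the official instructions): a Python check of a planned static IP list against the Public Zone values from item 1, run before re-addressing devices. The device names and the sample plan are constructed; for a Special Purpose or Facilities Zone, pass that building's own values as `zone`.

```python
import ipaddress

# Public Zone values as stated in item 1 of the post.
PUBLIC_ZONE = {
    "gateway": "192.168.108.1",
    "mask": "255.255.252.0",
    "static_first": "192.168.108.2",
    "static_last": "192.168.108.32",   # DHCP begins at .33
}

# Constructed sample plan: device -> (ip, subnet mask, gateway).
SAMPLE_PLAN = {
    "clerk-printer":  ("192.168.108.32", "255.255.252.0", "192.168.108.1"),
    "library-copier": ("192.168.108.33", "255.255.252.0", "192.168.108.1"),
    "chapel-ap":      ("192.168.108.10", "255.255.255.0", "192.168.108.1"),
    "foyer-ap":       ("192.168.108.10", "255.255.252.0", "192.168.108.1"),
}

def check_static_plan(plan, zone=PUBLIC_ZONE):
    """Return a list of (device, problem) tuples; empty means the plan is clean."""
    first = ipaddress.IPv4Address(zone["static_first"])
    last = ipaddress.IPv4Address(zone["static_last"])
    problems, seen = [], {}
    for device, (ip, mask, gateway) in plan.items():
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append((device, f"invalid address {ip!r}"))
            continue
        if not first <= addr <= last:
            problems.append((device, f"{addr} outside static range {first}-{last}"))
        if mask != zone["mask"]:
            problems.append((device, f"mask {mask} should be {zone['mask']}"))
        if gateway != zone["gateway"]:
            problems.append((device, f"gateway {gateway} should be {zone['gateway']}"))
        if addr in seen:
            problems.append((device, f"{addr} already assigned to {seen[addr]}"))
        else:
            seen[addr] = device
    return problems

if __name__ == "__main__":
    for device, problem in check_static_plan(SAMPLE_PLAN):
        print(f"{device}: {problem}")
```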

Re: Firewall upgrade: corrections/additions to instructions

Posted: Tue Nov 25, 2014 12:07 pm
by CleggGP
ulupoi wrote: The official instructions are here:
https://www.lds.org/help/support/bc/cle ... rewall.pdf
Here is some feedback to the items of this post.

1. The IP address corrections were made to the online instructions. Thanks.
2. The firewall reboots as part of the upgrade process. Afterwards the firewall periodically "phones home" to transmit information to Technology Manager. A second firewall power cycle is usually not needed, but may be done if you prefer. The GSC uses the Upgrade button in Technology Manager to initiate the upgrade, and they also use a function in TM to create a Special Purpose Zone.
3 & 4. The IP address of the Special Purpose Zone is only known AFTER the SP Zone is created. As stated, currently only a few GSC reps can create a SP Zone--so a request may take 2-3 days to be fulfilled. Once the SP Zone is created, the SP Zone IP address range will be listed in TM (once the firewall "phones home").
6. Additional note. If a meetinghouse has a Facilities Zone before the firewall upgrade, the same Facilities Zone IP addresses will be in place after the upgrade.