Firewall Upgrade Feedback

Posted: Sat Feb 28, 2015 12:55 pm
by autryld
I was surprised that our FM group didn't know anything about the firewall upgrade. Once I started working with them, however, they initiated the necessary work orders to install additional cabling and switches in the buildings where required. Another point of confusion was which port to put the FM desktop systems and printers on. The upgrade announcement and instructions provided no guidance for how to connect FM groups co-located with ecclesiastic units. Due to the vague wording, the FM group thought it was port 3 along with their HVAC and other devices. Initially I thought the same thing, but that port is static only. After the upgrade, I contacted the Global Service Center for advice. They stated that the FM group can connect to either Port 0, 1 or 2. (I'm not sure why it's not solely port 2 since that would connect them with the CHQ LAN (?).) Regardless, they are off of port 3 now and all is well.

By the way...
It's very good that we finally have enough addresses for all the devices present in the building. However, I do hope that usage doesn't go up as a result since our bandwidth is barely sufficient to support the uplink for a webcast even with WiFi disabled. I'm going to request an increase to the next bandwidth tier to see if our video image improves at the ward meetinghouses. I'm also happy that I can now disable WiFi from the TM interface. It saves my knees from climbing up all six of our access points to disconnect and later connect WiFi.

Thanks,
Larry Autry

Re: Firewall Upgrade Feedback

Posted: Sat Feb 28, 2015 1:35 pm
by russellhltn
Port 0 and 1 would be "public". Port 2 is the VPN. Since FM will probably want to talk to their devices on Port 3 in other buildings (which is also on the 10.x.x.x network), I suspect they should be on Port 2. Port 0/1 will work to some degree since they will have internet access, but I think they'll find some aspects limited unless they are on Port 2 (VPN).

Re: Firewall Upgrade Feedback

Posted: Sat Feb 28, 2015 1:42 pm
by autryld
I agree that they should be on port 2 (10.x.x.x). However, they have already connected to port 0 along with the unit PCs. I believe that the GSC should have given that same advice to the FM group rather than the vague, "port 0, 1 or 2 is okay".

Thanks,
Larry Autry

Re: Firewall Upgrade Feedback

Posted: Mon Mar 02, 2015 9:57 am
by CleggGP
As a general rule, meetinghouse facilities devices (e.g., HVAC, sprinkler systems) should be connected to the facilities zone port of the firewall (Cisco 881 series: Port 3; Cisco C891F: Port 7). The facilities zone only supports static IP network addresses. If there are facilities devices that use dynamic (DHCP) network addressing, then those devices should be connected to the Public Network firewall ports (Cisco 881 series: Ports 0-1; Cisco C891F: Ports 0-5). An example of such a device is the Honeywell Redlink Webstat device that uses DHCP network addresses.

If a facilities device does not function the same way it did before the upgrade, then try connecting the device to the Public Network (instead of being connected to the Facilities Zone).

Firewall Cisco 881 Port 2 (Cisco C891F Port 6) is also a Public Network port unless an "official" Family History Center exists, in which case that port should be converted by the GSC to a "special purpose zone" (VPN) for the FHC.

Re: Firewall Upgrade Feedback

Posted: Mon Mar 02, 2015 12:35 pm
by tlhackett
Just to reiterate what was said, the FM group would go in port 0-1 (and 2 if there isn't an official family history center). Being on the ports 0-1 will not hinder their access to the equipment that they need. Port 2 does connect to the VPN, but it does not give them the access they need for their devices in other buildings. They have a VPN client that they connect to to give them the access they need and therefore can be plugged into the public ports without issue.

In short, the FM group goes on the same port as the rest of the building.

Re: Firewall Upgrade Feedback

Posted: Mon Mar 02, 2015 12:57 pm
by russellhltn
yarrgh wrote: In short, the FM group goes on the same port as the rest of the building
Thanks for that clarification.

Is that the same for other Church Employees? Is there anyone besides a FHC that would go on the VPN?

Re: Firewall Upgrade Feedback

Posted: Mon Mar 02, 2015 2:27 pm
by CleggGP
russellhltn wrote: Is that the same for other Church Employees? Is there anyone besides a FHC that would go on the VPN?
No, not currently in most meetinghouses.

Re: Firewall Upgrade Feedback

Posted: Mon Mar 02, 2015 2:32 pm
by russellhltn
OK, while I have your attention: what about a WAP that only services the FHC (separate building)? It would only be used for patron laptops, since all the FHC stuff is hard wired. For me to put it on "public" I'd have to have FM run another line to the building. But if I can put it on the VPN, then I can just plug it into the switch.