Hi there, We just upgraded our 4.1 to FW-1 NG on Nokia platform. Our environment consists of a single policy server with multiple enforcement modules across multiple countries. The policy server is sitting in an internal network 10.x.x.x. Previous 4.1 allowed us to define multiple IP addresses for policy servers in our Nokia box, where we can define the NATed IP address of our policy server in the enforcement module, just so whenever there is a restart the enforcement module will be able to reach the policy server and perform a policy load. Somehow we realized this is not possible in NG, as the policy server IP seems to be tied to the physical IP of the policy server. This has caused our firewall to be unable to reload the policy when we restart the hardware or the FW daemon. Solution given was to move the policy server out to a public network and have a valid IP. Is this the only way? Thanks in advance. YH p/s: Sorry if I have posted this to the wrong forum ..
I'm assuming by "policy server" you really mean "management server". Technically a policy server is for distributing SecureClient desktop policies.
We have been able to get around this issue as follows:
- Put the mgmt server (e.g. "NG.test.com", which controls 50+ enforcement points) behind a firewall on private IP space (e.g. 172.16.1.10/24), NAT'd to a public internet address (e.g. 65.210.200.10).
- Allow CPfw1 group from internet to mgmt server.
- When setting up mgmt server, be sure to use FQDN that will resolve on the internet to the external IP of the NAT'd firewall (in this example NG.test.com would resolve on the internet to 65.210.200.10). As a side note, anything behind the firewall on the 172.16.1.0/24 network would need a special DNS or hosts file to point to the 172.16.1.10/24 address.
- Now, when you establish SIC to an external enforcement point and push your initial policy, it will have the FQDN of NG.test.com, and can resolve it to the proper address.
A nice side effect of this approach is you can bind all of your licenses to the mgmt server's private IP address, making it easy to move licenses between enforcement points without having to re-issue from CP User Center (or maintain support if that's an issue).
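As an added check (example code written for this thread, not from the posters or from Check Point), a small Python script that verifies the split-DNS half of the setup above from whichever side you run it on: a remote enforcement point should see the NAT'd public address, a host on 172.16.1.0/24 should see the private one, and anything else means the module will not find the mgmt server after a restart. The FQDN and addresses are the example values from the answer; the port list is an assumption about which CPfw1 services a module needs to reach.

```python
import socket

# Addresses from the answer above (constructed example values, not real hosts)
MGMT_FQDN = "NG.test.com"
MGMT_INTERNAL_IP = "172.16.1.10"    # private address of the mgmt server
MGMT_EXTERNAL_IP = "65.210.200.10"  # NAT'd public address

# Assumed TCP services a module must reach on the mgmt server: FW1 policy fetch
# 256, FW1_log 257, CPD/SIC 18191, ICA pull/push 18210/18211. Match your rulebase.
MGMT_TCP_PORTS = (256, 257, 18191, 18210, 18211)


def classify_resolution(resolved_ip, internal_ip=MGMT_INTERNAL_IP,
                        external_ip=MGMT_EXTERNAL_IP):
    # 'internal': hosts-file/internal-DNS override in effect (172.16.1.0/24 hosts)
    # 'external': public record in effect (what remote enforcement points need)
    # 'mismatch': neither, so a restarted module cannot fetch its policy
    if resolved_ip == internal_ip:
        return "internal"
    if resolved_ip == external_ip:
        return "external"
    return "mismatch"


def check_mgmt_name(expected_view, fqdn=MGMT_FQDN, resolver=socket.gethostbyname):
    # Resolve the mgmt FQDN and compare with the view this host should have.
    # Returns (ok, resolved_ip, view); resolver is injectable for testing.
    try:
        ip = resolver(fqdn)
    except socket.gaierror:
        return (False, None, "unresolvable")
    view = classify_resolution(ip)
    return (view == expected_view, ip, view)


def probe_tcp(host, ports=MGMT_TCP_PORTS, timeout=3.0):
    # TCP connect to each mgmt service; {port: True} means reachable through the NAT.
    result = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = True
        except OSError:
            result[port] = False
    return result


if __name__ == "__main__":
    ok, ip, view = check_mgmt_name("external")  # run this from a remote module
    print(f"{MGMT_FQDN} -> {ip} ({view}); expected external: {'OK' if ok else 'WRONG'}")
    print(probe_tcp(ip) if ip else "cannot probe: name did not resolve")
```

Run it with `check_mgmt_name("internal")` on a 172.16.1.0/24 host to confirm the hosts-file override is in place there.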