This article is specifically about single node servers. If you are deploying an HA cluster (two servers), please refer to the separate HA cluster article.
It's important to decide how the Zynstra server will connect into an existing network before it is installed.
Each server has the following network ports:
- a Wide Area Network (WAN) port which connects it to the Internet
This needs a direct connection to the Internet, and can be a public or private IP address. If it’s a private IP because it’s behind a firewall, you need to ensure that there is full outbound access to the Internet (all ports open), and inbound you need UDP port 1194 open. If you are using a private IP address, it must be on a different subnet to the LAN IP address.
- a Local Area Network (LAN) port which connects it to the LAN
This needs a connection to the local area network, and needs a private IP address.
- an iLO (integrated Lights Out) port which connects it to the Internet and enables the Support Team to access the server in the event of a serious hardware failure (if the WAN connection is unusable).
This needs a direct connection to the Internet, and can be a public or private IP address. If it’s a private IP because it’s behind a firewall, you need to ensure that there is full outbound access to the Internet (all ports open), and inbound you need these ports open: TCP 20022, TCP 20080, TCP 20443, TCP 20988, TCP 20990.
You can view detailed information on the Network interface and IP address requirements in the article Network Interface and IP address requirements.
It is important to note that the Virtual Machines on the server have their own unique subnet, which is different to the LAN and is allocated automatically. This means that all Virtual Machines will have an IP address in a different range to the devices on the LAN.
The virtual router inside the server will route traffic between the LAN and Virtual Machine ranges, and will route, and NAT, any traffic from the LAN and Virtual Machine ranges going to the WAN. For further information please read the article Network Internals.
Now let's consider the approaches available for network integration.
The most common arrangement of a customer’s LAN and its connection to the Internet before the introduction of the server is shown below. The customer has a router (often supplied by their ISP) and they have one or more static public IPs available to them from their ISP. They have a firewall which has a private IP address of 192.168.1.1. Often the firewall and the router are combined into a single device. The firewall is the default gateway for all client devices on the LAN. The firewall connects to the devices on the LAN through a switch.
The three most common options for integrating the server into your network are explained below:
Option 1. Behind existing firewall
Below is a diagram of a common network configuration with a router/firewall device with 1 WAN IP address, and a private IP range of 192.168.1.x.
A new 'private WAN' subnet is created for the WAN and iLO ports (the WAN and iLO ports must be in a different subnet to the LAN port). You assign the server WAN port the IP 192.168.10.2, and the iLO port 192.168.10.3. The LAN (private) port of the existing firewall needs to change from 192.168.1.1 to 192.168.10.1.
The server LAN port IP address is given the address 192.168.1.1. This becomes the default gateway for all client devices, replacing the existing firewall that was previously on this IP. This way, the client LAN does not change and statically configured devices do not need their default gateway or other settings updated.
DHCP is running on the server and gives out the range 192.168.1.100 to .200 for the client devices.
With the above approach, you specify the following network details:
Local Network
LAN IP address: 192.168.1.1
Subnet Mask: 255.255.255.0
DHCP Enabled: yes
DHCP Range Start: 192.168.1.100
DHCP Range End: 192.168.1.200
iLO
iLO IP address: 192.168.10.3
Subnet Mask: 255.255.255.0
Gateway: 192.168.10.1
WAN
WAN IP address: 192.168.10.2
Subnet Mask: 255.255.255.0
Gateway: 192.168.10.1
Existing Firewall
On your existing firewall, you will need to create a new 'private WAN' subnet for the LAN (private) side of the firewall - the LAN of the existing firewall and the WAN of the server are in this new network. The LAN (private) port of the existing firewall needs to change from 192.168.1.1 to 192.168.10.1.
On the existing firewall, you will also need to allow the required inbound ports (listed in the port requirements above) through to the server WAN IP of 192.168.10.2.
Please also view the article How to install your server behind a firewall.
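The addressing rules stated above (a private LAN address, WAN and iLO on a subnet separate from the LAN, each gateway inside its own interface's subnet, the DHCP scope inside the LAN, and the VM subnet distinct from the LAN) can be checked before an installation is attempted. The following is an added example, not Zynstra's own tooling; it encodes the Option 1 and Option 2 values from this article, and uses the article's assumed VM range of 10.10.0.128/25 (the server allocates the real range automatically).

```python
# Added example, not Zynstra's own tooling: a pre-deployment check that a
# single-node network plan follows the addressing rules in this article.
import ipaddress

# Option 1 values from the article (behind existing firewall). The VM range is
# the article's assumed example value; the server allocates it automatically.
OPTION1 = {
    "lan_ip": "192.168.1.1", "lan_mask": "255.255.255.0",
    "dhcp_start": "192.168.1.100", "dhcp_end": "192.168.1.200",
    "wan_ip": "192.168.10.2", "wan_mask": "255.255.255.0", "wan_gw": "192.168.10.1",
    "ilo_ip": "192.168.10.3", "ilo_mask": "255.255.255.0", "ilo_gw": "192.168.10.1",
    "vm_range": "10.10.0.128/25",
}

# Option 2 values from the article (server replaces the firewall, public WAN/iLO).
OPTION2 = dict(OPTION1,
    wan_ip="54.229.16.178", wan_mask="255.255.255.248", wan_gw="54.229.16.177",
    ilo_ip="54.229.16.179", ilo_mask="255.255.255.248", ilo_gw="54.229.16.177")


def check_plan(plan):
    """Return a list of rule violations; an empty list means the plan passes."""
    problems = []
    lan = ipaddress.ip_interface(f"{plan['lan_ip']}/{plan['lan_mask']}")
    wan = ipaddress.ip_interface(f"{plan['wan_ip']}/{plan['wan_mask']}")
    ilo = ipaddress.ip_interface(f"{plan['ilo_ip']}/{plan['ilo_mask']}")
    vms = ipaddress.ip_network(plan["vm_range"])

    # The LAN port must carry a private address.
    if not lan.ip.is_private:
        problems.append("LAN IP must be a private address")

    # WAN and iLO may be public or private, but never on the LAN subnet.
    for name, iface in (("WAN", wan), ("iLO", ilo)):
        if iface.network.overlaps(lan.network):
            problems.append(f"{name} subnet {iface.network} overlaps the LAN subnet")

    # Each gateway has to be reachable on its own interface's subnet.
    for name, iface, gw in (("WAN", wan, plan["wan_gw"]), ("iLO", ilo, plan["ilo_gw"])):
        if ipaddress.ip_address(gw) not in iface.network:
            problems.append(f"{name} gateway {gw} is outside {iface.network}")

    # The DHCP scope must lie inside the LAN subnet and exclude the server's own address.
    start = ipaddress.ip_address(plan["dhcp_start"])
    end = ipaddress.ip_address(plan["dhcp_end"])
    if start > end:
        problems.append("DHCP range start is after its end")
    if start not in lan.network or end not in lan.network:
        problems.append("DHCP range is not inside the LAN subnet")
    if start <= lan.ip <= end:
        problems.append("DHCP range includes the server's LAN IP")

    # The server's VM subnet is separate from the LAN; a collision would break routing.
    if vms.overlaps(lan.network):
        problems.append(f"VM subnet {vms} overlaps the LAN subnet")
    return problems


if __name__ == "__main__":
    for name, plan in (("Option 1", OPTION1), ("Option 2", OPTION2)):
        result = check_plan(plan)
        print(name, "OK" if not result else result)
```

Both article configurations pass; putting the WAN port on 192.168.1.x instead (the mistake the "different subnet" rule guards against) is reported as an overlapping subnet and an unreachable WAN gateway.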
Option 2. Remove existing firewall
With this approach, the server replaces the existing firewall and connects on the WAN side directly into the existing router, and on the LAN side into a LAN switch. Two additional static public IP addresses are required for this approach, one for the WAN port and one for the iLO port.
With the above approach, you specify the following network details:
Local Network
LAN IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
DHCP Enabled: yes
DHCP Range Start: 192.168.1.100
DHCP Range End: 192.168.1.200
iLO
iLO IP Address: 54.229.16.179
Subnet Netmask: 255.255.255.248
Gateway: 54.229.16.177
WAN
WAN IP Address: 54.229.16.178
Subnet Netmask: 255.255.255.248
Gateway: 54.229.16.177
Existing Firewall
There are no changes to be made to the existing firewall as you are removing it and the server has been configured with matching LAN and WAN settings as a 'drop-in' replacement. Any inbound port forwards on the existing firewall can also be replicated on the server, using the Gateway Control Console.
Option 3. Parallel to Existing Firewall
If you wish to retain an existing firewall, the server can be deployed parallel to it. Two additional public IP addresses are required for this approach. If the default gateway for clients will continue to be the existing firewall, then a static route needs to be added to the existing firewall to allow traffic destined for the Virtual Machines on the server to be correctly routed.
Local Network
LAN IP Address: 192.168.1.2
Subnet Mask: 255.255.255.0
DHCP Enabled: No
DHCP Range Start: 192.168.1.100
DHCP Range End: 192.168.1.200
iLO
IP Address: 54.229.16.179
Subnet Mask: 255.255.255.248
Gateway: 54.229.16.177
WAN
WAN IP Address: 54.229.16.178
Subnet Mask: 255.255.255.248
Gateway: 54.229.16.177
Existing Firewall
On your existing firewall you will need to add a static route.
Assuming the Virtual Machine IP range (inside the server) is 10.10.0.128/25, then the LAN-side static route on the firewall would be:
route add 10.10.0.128 mask 255.255.255.128 192.168.1.2
The exact syntax will depend on your firewall, but this rule will ensure that traffic destined for the virtual machines (in 10.10.0.128/25) will be sent to 192.168.1.2 as the next hop (the LAN IP of the server) which will then route the traffic internally to reach the VMs (the return route already exists since the server has an IP on the local LAN).
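To make the routing decision concrete, here is an added example (not part of this article or of Zynstra's software) that models the existing firewall's LAN-side routing table with longest-prefix matching. The connected LAN, the VM range and the server LAN IP are the article's values; the default next hop "upstream-router" is an assumed label standing in for the firewall's own Internet gateway. It also renders the static route in the `route add` form shown above.

```python
# Added example, not Zynstra's own code: a longest-prefix-match lookup that shows
# how the existing firewall decides where to send a packet once the Option 3
# static route is in place, and why the route's mask matters.
import ipaddress

# Routing table for the existing firewall's LAN side. The VM range and the server
# LAN IP are the article's values; the default next hop is an assumed label for
# the firewall's upstream Internet gateway.
ROUTES = [
    ("192.168.1.0/24", "connected"),       # the firewall's own LAN interface
    ("10.10.0.128/25", "192.168.1.2"),     # static route from the article
    ("0.0.0.0/0", "upstream-router"),      # default route (assumed label)
]


def route_add_line(network, next_hop):
    """Render a static route in the 'route add <net> mask <mask> <gw>' form used above."""
    net = ipaddress.ip_network(network)
    return f"route add {net.network_address} mask {net.netmask} {next_hop}"


def next_hop(routes, destination):
    """Return the next hop for destination: the most specific matching prefix wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, hop in routes:
        net = ipaddress.ip_network(network)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


if __name__ == "__main__":
    print(route_add_line("10.10.0.128/25", "192.168.1.2"))
    for d in ("10.10.0.130", "192.168.1.50", "10.10.0.5", "8.8.8.8"):
        print(d, "->", next_hop(ROUTES, d))
```

A VM address such as 10.10.0.130 is forwarded to 192.168.1.2, a LAN client is delivered directly, and Internet traffic follows the default route. Note that 10.10.0.5 lies outside the /25 and therefore also goes to the default route: if the server's actual VM range differs from the assumed one, the mask in the static route must be adjusted to match it.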
After the initial deployment, it is possible to move the DHCP server to the server. The existing DHCP service on the existing firewall or DHCP server on the LAN would be disabled, and the DHCP service enabled on the server in authoritative mode with matching scope options.
Now please read the article Determine Approach To Deploying Active Directory