Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

SMA500v esxi with TZ appliance - Best deploy

GentiaGentia Newbie ✭
in Secure Mobile Access Appliances

Hi

i have work with TZ and SMa appliance: use TZ DMZ zone for connect SMA appliance.

But with 500v image, what'is the best deploy?

I my farm run:

  • one TZ570 for cloud services to customer.
  • one ESXI 7.01 server

i prefer connect SMA virtual interface to TZ and not directly to provider wan. It's correct?

What is best deploy?

Very thank's

Category: Secure Mobile Access Appliances
Reply

Best Answers

  • CORRECT ANSWER
    BWCBWC Cybersecurity Overlord ✭✭✭
    Answer ✓

    Hi @Gentia

    you could either use a dedicated interface on the TZ for the DMZ (or a new SMA zone which I prefer) or via VirtualInterface. Connect it to your switch and the VM Interface should just point into the same VLAN. It's pretty straight forward. I would go with a DHCP on the TZ for NetExtender/MobileConnect.

    You should never put the SMA in front of your firewall for sure.

    --Michael@BWC

  • CORRECT ANSWER
    shiprasahu93shiprasahu93 Moderator
    Answer ✓

    @Gentia,

    I have usually seen customers go with the first option. Since all security checks are done on TZ, two separate interfaces are not really necessary.

    But, even if you choose to configure two, it should be possible.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

Answers

  • shiprasahu93shiprasahu93 Moderator
    @Gentia ,

    Welcome to SonicWall community.
    Please do through the following KB article.

    https://www.sonicwall.com/support/knowledge-base/typical-deployment-of-sma-sra-appliance/170502718544728/

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • GentiaGentia Newbie ✭

    for my sma appliance it's ok, i use tz and SMA on DMZ zone


    Well, is best:

    1 routing with SMA (web access -> TZ wan -> TZ DMZ -> x1 SMA -> x0 SMA -> destination zone for routing

    use SMA x1 to connect on TZ interface (zone dmz or custom) - vlan dedicated

    use SMA x0 to connect on vmware nic for access to server - vlan dedicated

    2 routing with TZ (web access -> TZ wan -> TZ DMZ -> x0 (or x1?) SMA -> TZ DMZ -> destination zone for routing)

    use only SMA x0 (or x1?) for to connect on TZ interface (zone DMZ or custom):


    Thank's

  • shiprasahu93shiprasahu93 Moderator
    @Gentia,

    As we have X0 as LAN and X1 as WAN in TZ devices, it is not dedicated in that manner on SMA. So, you can choose which interface should go to the TZ and which should go to the server.
    It should function either way.
    If you have any additional queries, please let us know.
    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • GentiaGentia Newbie ✭

    it's clearly, but the question is for interfaces on virtual SMA500v (for TZ it's ok):

    i must use only X0 on SMA500v (for receipt external access and for route to destination (vmware server) - EXACTLY with example for SMA appliance https://www.sonicwall.com/support/knowledge-base/typical-deployment-of-sma-sra-appliance/170502718544728/

    OR

    best i use two SMA500v interface; one for receive web request access (ex. X1 on SMA500v) and one for routing to server (ex. x0 on SMA500v)


    thank's

  • GentiaGentia Newbie ✭

    Thank'you very muche and good work!

    Cris

  • shiprasahu93shiprasahu93 Moderator

    Glad to help!

    Shipra Sahu

    Technical Support Advisor, Premier Services

Sign In or Register to comment.