SonicWALL Enhanced OS

Holy Moly! I went to configure a simple port-forwarding rule on a customer’s SonicWALL TZ200 today and entered into a whole world of hurt!

All I wanted to do was allow HTTP traffic into an internal web server – exceedingly straightforward on any device I’ve ever worked on before… not so under SonicOS Enhanced!

After about an hour of bizarrely confusing options I realised that one needs to create an address object for the internal server, create a NAT policy to allow access, and then create a firewall access rule. This doesn’t sound too bad except it wasn’t that simple in fact. To add to the confusion, I managed to create a NAT loop which killed the network! That was purely down to my own stupidity though!

So how did I get it to work? I gave in and used one of the wizards after looking at the following excellent post online: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7027

Turns out the device needs THREE NAT policies (inbound, outbound, and loopback) plus address object, plus firewall access rule! What?!!

My advice: take your time with this OS and use the wizards unless you’ve got loads of experience with these devices.

Comments

Resolve WSUS Server issue that gives "Cannot save configuration because the server is still processing"

This is a pretty infuriating error and can sometimes crop up as a result of running a "wsusutil reset" command. First of all, give the server some time, and then a bit more... but you've probably already done this. These steps may help to resolve the situation: - Install Microsoft SQL Management Studio (free download) - Run SQL Management Studio and start to connect to the WSUS database - Enter this in the "Server Name" box: \\.\pipe\MICROSOFT##WID\tsql\query - Expand the "Databases" tree - Right-click on "SUSDB" and choose "New Query" - Paste this query in: UPDATE tbSingletonData SET ResetStateMachineNeeded = 0 - You should see a message like "1 row affected", which is good - Quit SQL Management Studio - Open "Services" and restart the "WSUS Service" - Now, open WSUS

Convert Ruckus AP from Unleashed to ZoneDirector-managed

Here is the method to convert a Ruckus Unleashed AP to one which can be managed by a Ruckus ZoneDirector controller: - Login to https://support.ruckuswireless.com/ - Click "Downloads" - Choose the correct product, e.g. Ruckus R550 - Choose a "standalone" version along the lines of 118.2.0.0.875.bl7 or something similar - Agree to terms and download the software - Connect to the AP's IP address - It should open the setup wizard, showing "Unleashed Installation" - Click "Local Upgrade" - Choose the firmware image file you just downloaded - It will upload, process, and then be ready for upgrade when you click "Yes" - After this, the ZD should detect the new AP - The new AP will then need to be approved - The new AP will then be upgraded to the correct software by the ZD - The new AP will then reboot and should be ready to use - Don't forget that, for the ZD to even detect, let alone manage the new AP, it must have enough licenses

DNS Dynamic Updates & DNS Scavenging

I was encountering an issue at a customer's site where the DNS records of their client PCs often would be behind or out of sync with the records in DHCP. Usually the IP address would be older in DNS and this was causing issues with scripts executing and network tools correctly resolving client PC hostnames to their correct IP addresses. I realised I needed to make some changes to their dynamic DNS updating configuration. After a lot of reading through Microsoft's documentation and various online forums, this is what I ended up configuring. Hopefully this may help someone, some day: - Make the DHCP server a member of the "DnsUpdateProxy" group - Create a new user account, in the "Users" OU, called "dnsdynamicupdates" - This new user only needs to be a member of the "Domain Users" group - no special privileges - Make the password strong and set it to never expire - Set this new user as the credentials used by the DCHP server in IPv4...

Artifact Weblog

Search This Blog