SSL VPN

OTT (Visitor, Posts: 2, Registered: 08-03-2009)

SA appliance & SSG config

Hi

Newbie with Juniper hardware here, but I'm wondering what the best practices are for setting up an SA700 behind an SSG140, please? For example, put the SA appliance in the existing DMZ, or enable one of the spare interfaces on the SSG and link it there, etc. Thanks in advance.

Ott

mehdi (Super Contributor, Posts: 240, Registered: 08-19-2008)
Re: SA appliance & SSG config

Hi

You can put your SA behind your SSG in the DMZ, for example:

    internet <---------- SSG ----------> DMZ: SA
                          |
                          |
                    local network

If you need more detail or need help implementing your SA with the config, let me know.

Thanks
muttbarker (Distinguished Expert, Posts: 2,370, Registered: 01-29-2008)
Re: SA appliance & SSG config

As Mehdi said, you can put it in the DMZ and it works fine. You can also put it in the trust zone: add a MIP and a policy from untrust to trust to the MIP address, and that works fine also. I have set them up both ways. You can configure the IVE to use just one interface (internal) or to use both the internal and external.

It depends on how "secure" you want to make your environment and how much complexity you are willing to add to get there.

Kevin Barker (Juniper Networks Certified Instructor)
tkolb (Juniper Employee, Posts: 10, Registered: 08-07-2009)
Re: SA appliance & SSG config

Hi

I would always suggest putting the external port of the SA behind a firewall, solely for the purpose of protecting the device from DoS and DDoS attacks. There are some mechanisms onboard to prevent the success of such attacks, but it is always better to have this job done by a device that is really designed for it: a firewall.

With regard to the internal port, you are really free to place it on a firewall port or directly on your internal network. This depends on how much configuration work you want to do on the firewall (all the ports need to be open for AAA, logging, applications, etc.) and, on the other hand, how high your demands are in terms of security/visibility/control.

Regards

T.

dennish (Trusted Contributor, Posts: 207, Registered: 09-03-2008)
Re: SA appliance & SSG config

Most deployments I do are one-armed (internal interface only) in the DMZ. The reason I don't like to deploy an SA in trust is both security and routing. When only using proxy, this might not be much of an issue; however, when using Network Connect, routing and security are more of a concern.

mehdi (Super Contributor, Posts: 240, Registered: 08-19-2008)

Re: SA appliance & SSG config

Hi

Yes, all right.

OTT, let us know what you would like to do. There are different topologies; tell us what you want and we can help you.

However, put your SA in the DMZ with a MIP, use one of the SA's Ethernet ports, and let your firewall forward traffic to the local network with policy and routing.

We await your decision.

Take care all

Thanks
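A worked SSG140 configuration for the placement the thread converges on (SA700 one-armed in the DMZ, internal port only, published through a MIP on the untrust interface, with the SSG forwarding to the local network by policy and routing, as mehdi and dennish describe, and with Kevin's in-trust MIP variant noted below). This is an added example, not config posted in the thread or shipped by Juniper; the interface names, addresses, zone and address-book names, server addresses and the Network Connect pool are assumptions chosen for illustration.

```screenos
## Added example (not from the thread): SA700 one-armed in the SSG140 DMZ.
## Everything below is an assumed lab layout:
##   ethernet0/0  untrust  203.0.113.2/24   public side, default route via 203.0.113.1
##   ethernet0/1  trust    10.0.0.1/24      local network
##   ethernet0/2  dmz      192.168.10.1/24  SA700 internal port = 192.168.10.5, gateway 192.168.10.1
##   203.0.113.10          public address users connect to; 10.200.0.0/24 = Network Connect pool on the SA

set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 10.0.0.1/24
set interface ethernet0/2 zone dmz
set interface ethernet0/2 ip 192.168.10.1/24
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

## Address-book entries referenced by the policies (assumed hosts)
set address dmz "SA700-int" 192.168.10.5 255.255.255.255
set address dmz "NC-pool" 10.200.0.0 255.255.255.0
set address trust "AD-LDAP" 10.0.0.20 255.255.255.255
set address trust "RADIUS-srv" 10.0.0.21 255.255.255.255
set address trust "DNS-srv" 10.0.0.10 255.255.255.255

## MIP: one-to-one mapping of the public address onto the SA's internal port.
## The SSG answers for 203.0.113.10 on ethernet0/0 and translates to 192.168.10.5 in the DMZ.
set interface ethernet0/0 mip 203.0.113.10 host 192.168.10.5 netmask 255.255.255.255 vr trust-vr

## Inbound: only HTTPS to the MIP. The SA terminates TLS itself, so nothing else has to
## reach it from the Internet; the SSG's flow and screen checks sit in front of it.
set policy id 10 name "Internet-to-SA" from untrust to dmz any MIP(203.0.113.10) HTTPS permit log

## SA -> trust: only what the IVE itself needs (AAA, DNS). Add syslog/NTP the same way.
set policy id 20 name "SA-ldap" from dmz to trust "SA700-int" "AD-LDAP" LDAP permit log
set policy id 21 name "SA-radius" from dmz to trust "SA700-int" "RADIUS-srv" RADIUS permit log
set policy id 22 name "SA-dns" from dmz to trust "SA700-int" "DNS-srv" DNS permit

## Network Connect (the routing point dennish raises): tunnelled client packets leave the SA's
## internal port with a source address from the pool, so the SSG needs a route back to the
## pool via the SA, and pool -> trust needs its own policy (tighten "any any" to real apps).
set route 10.200.0.0/24 interface ethernet0/2 gateway 192.168.10.5
set policy id 30 name "NC-to-trust" from dmz to trust "NC-pool" any any permit log

## Traffic with no matching policy is dropped, so the DMZ reaches trust only through
## policies 20-30 and the Internet reaches the SA only on HTTPS.
```

On the SA side, give the internal port 192.168.10.5/24 with default gateway 192.168.10.1 and leave the external port disabled; the SA sees the MIP traffic as ordinary HTTPS to its own address, and the public sign-in hostname should resolve to 203.0.113.10. For the in-trust variant Kevin mentions, the same MIP line works with `host` pointing at a trust-zone address and policy 10 written from untrust to trust; policies 20 through 22 then become unnecessary, which is exactly the visibility and control you trade away. Check the result with `get mip` and `get policy`, and watch `get session` while a test user signs in to confirm the MIP and the Network Connect return route are being hit.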
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.