08-03-2009 10:50 PM
Newbie with Juniper hw but wondering what are best practices with setting up a SA700 behind a SSG140 please? For example, stick SA appliance in existing dmz or enable one of the spare interfaces on SSG and link it there etc. Thanks in advance.
08-06-2009 03:18 AM - edited 08-06-2009 03:19 AM
You can put your SA behind your SSG in the DMZ. Example:
If you need more detail or need help implementing your SA with the config, let me know.
08-06-2009 08:29 AM
As Mehdi said - you can put it in the DMZ and it works fine. You can also put it in the trust zone - add a MIP and a policy from untrust to trust to the MIP address and that works fine also. I have set them up both ways. You can configure the IVE to just use one interface (internal) or to use both the internal and external.
It depends on how "secure" you want to make your environment and what level of complexity you want to add to put it in.
08-07-2009 04:14 AM
I would always suggest putting the external port of the SA behind a firewall, solely for the purpose of protecting the device from DoS and DDoS attacks. There are some mechanisms onboard to prevent the success of such attacks, but it is always better to get this job done by a device that really is designed for it: a firewall.
With regards to the internal port, you are really free to place it on a firewall port or directly on your internal network. This depends on how much configuration work you want to do on the firewall (you need all the ports open for AAA, logging, applications, etc.) and, on the other hand, on how high your demands are in terms of security/visibility/control.
08-07-2009 04:47 AM
Most deployments I do are one-armed (internal interface) in the DMZ. The reason I don't like to deploy an SA in trust is both security and routing. When only using the proxy, this might not be much of an issue; however, when using Network Connect, routing and security are more of a concern.
08-09-2009 08:26 AM
Yes, all right.
OTT, let us know what you would like to do. There are different topologies; tell us what you want and we can help you.
However, put your SA in the DMZ with a MIP, use one of the SA's Ethernet ports, and let your firewall forward traffic to the local network with policy and routing.
We'll wait for your decision.
Take care all.
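A ScreenOS configuration for the one-armed DMZ-plus-MIP layout the replies above recommend, added here as an example and not taken from the thread or from any poster. Interface names, zone assignments, IP addresses and the Network Connect pool are assumptions; lines beginning with # are annotations, not CLI commands.

```screenos
# Assumed SSG140 layout (not from the thread):
#   ethernet0/0 = untrust 203.0.113.1/24, ethernet0/1 = dmz 10.10.10.1/24, ethernet0/2 = trust 192.168.1.1/24
#   SA700 internal port 10.10.10.10 in the DMZ (one-armed); public address reserved for it 203.0.113.10
set interface ethernet0/1 zone dmz
set interface ethernet0/1 ip 10.10.10.1/24

# MIP: one-to-one static NAT on the untrust interface, public address -> SA's DMZ address
set interface ethernet0/0 mip 203.0.113.10 host 10.10.10.10 netmask 255.255.255.255 vr trust-vr

# Address book entries (assumed internal hosts)
set address dmz "sa700" 10.10.10.10 255.255.255.255
set address dmz "nc-pool" 10.20.0.0 255.255.255.0
set address trust "ad-dc" 192.168.1.20 255.255.255.255
set address trust "syslog" 192.168.1.30 255.255.255.255
set address trust "lan" 192.168.1.0 255.255.255.0

# Inbound from the Internet: only HTTPS to the MIP; the firewall, not the SA, absorbs the rest
set policy id 10 from untrust to dmz any MIP(203.0.113.10) HTTPS permit log

# From the SA to the trust zone: only the AAA / DNS / logging services it needs
set policy id 11 from dmz to trust "sa700" "ad-dc" LDAP permit log
set policy id 12 from dmz to trust "sa700" "ad-dc" DNS permit
set policy id 13 from dmz to trust "sa700" "syslog" SYSLOG permit

# Network Connect: client traffic arrives from the NC pool via the SA; the route tells the
# firewall that the pool lives behind the SA's DMZ address, and the policy scopes what it may reach
set route 10.20.0.0/24 interface ethernet0/1 gateway 10.10.10.10
set policy id 14 from dmz to trust "nc-pool" "lan" ANY permit log

# Anything not listed above stays blocked by the default inter-zone deny
```

Tighten policy 14 to the specific services the remote users need once the role/resource design is settled; "ANY" is only a starting point for testing.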