SA appliance & SSG config

OTT · ‎08-03-2009

Hi

Newbie with Juniper hw but wondering what are best practices with setting up a SA700 behind a SSG140 please? For example, stick SA appliance in existing dmz or enable one of the spare interfaces on SSG and link it there etc. Thanks in advance.

Ott

mehdi · ‎08-19-2008

hi

you can put your SA behind your SSG in DMZ example :

internet<---------------------SSG------------->>>>> DMZ-SA

|

local Network

if yu need more detail or need help to implemeting your SA with config, let me know

thaks

Message Edited by mehdi on 08-06-2009 11:19 AM

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com

muttbarker · ‎01-29-2008

As Mehdi said - you can put it in the DMZ and it works fine. You can also put it in the trust zone - add a MIP and a policy from untrust to trust to the MIP address and that works fine also. I have set them up both ways. You can configure the IVE to just use one interface (internal) or to use both the internal and external.

It depends on how "secure" you want to make your environment and what level of complexity you want to add to put it in.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

tkolb · ‎08-07-2009

Hi

I would always suggest to put the external port of the SA behind a firewall. Solely for the purpose of protecting the device from DoS and DDoS attacks. There are some mechanisms onboard to prevent the success of such attacks but it is always better to get this job done by a device that really is designed for it, a firewall.

With regards to the internal port, you are really free to place it on an firewall port or directly to your internal network. This depends on how much configuration work you want to do on the firewall (need all the ports open for AAA, logging, applications, etc..) and on the other hand how high are your demands in terms of security/visibility/control.

Regards

T.

dennish · ‎09-03-2008

Most deployments i do is one armed (internal interface) in DMZ. The reason i don't like to deploy a SA in trust is both security and routing. When only using proxy, this might not be much of an issue, however when using network connect routing and security are more of a concern.

mehdi · ‎08-19-2008

Hi

yes all rigth,

OTT let us know what would you like to do ?? there are differentre topology, you can let us know what you want and we can help you.

however put your SA in DMZ with MIP and use one SA's eth and let your fiwall forwar traffic to local Network with policy and routing

we wait your decision

take care all

thanks

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com

SA appliance & SSG config

Re: SA appliance & SSG config

Re: SA appliance & SSG config

Re: SA appliance & SSG config

Re: SA appliance & SSG config

Re: SA appliance & SSG config