SSL VPN
willj

Re: pre-deployment question

Ray/Kevin - thanks for the info. When I deploy into prod it will be with a single NIC. Just wanted to be sure there were no issues; I've had issues doing this kind of deployment with other vendor appliances, so wanted to know if there were any issues I should be aware of before rolling out.

thanks again

will

ozmark

Re: pre-deployment question

'With my paranoid hat on'

Deploying this way is an issue, as only the encrypted traffic is processed by the firewall. All other traffic, like Network Connect traffic, goes 'unfiltered' into the internal network.

How about sub-interfacing the firewall NIC and having both ports go back into the firewall, where at least the exiting traffic can be checked.

Ray

Re: pre-deployment question

You may have inadvertently just argued against the deployment practice of having the internal port on the LAN when using both ports. :-)

If you use only the internal port, the traffic flow is this way:

Internet HTTPS -> firewall -> internal port -> decrypted HTTP (and the IVE does its thing)

decrypted HTTP/NC/Whatever -> Internal port -> firewall -> LAN

Routing on the firewall and IVE control the flow of traffic even though we're just using one port. I then use firewall rules to inspect and control the traffic between the IVE and the LAN, something that is impossible if you put the internal port on the LAN.

Ray
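The point Ray makes above (with one port in the DMZ, every IVE-to-LAN flow has to be routed through the firewall and can be policed there; with the internal port on the LAN it is switched straight in) is easy to check with a small model. The block below is an added example written for this thread, not Juniper code and not a real firewall: it encodes the three placements argued over in this thread (one-armed, two-port with the internal port on the LAN, and ozmark's VLAN hairpin) together with a hypothetical zone policy, and reports which flows never cross the firewall at all. Host names, segment names, ports and the policy are all assumptions.

```python
"""Which IVE-to-LAN flows does the firewall actually see?

Added example for this thread; not Juniper code and not a firewall. It is a
small model of the three placements argued over above (one-armed, classic
two-port with the internal port on the LAN, and the VLAN hairpin), with a
hypothetical zone policy, to show which flows bypass the firewall entirely.
Host names, segments and the policy are all assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # host name
    dst: str        # host name
    dport: int      # destination TCP port


# Hypothetical hosts and the firewall segment each sits on.
HOSTS = {"client": "untrust", "ldap": "lan", "intranet": "lan", "fileserver": "lan"}

# Where the IVE's two ports are cabled in each option (None = port unused).
PLACEMENTS = {
    # Ray/willj: only the internal port is cabled, into the DMZ.
    "one_armed": {"external": None, "internal": "dmz_out"},
    # Classic two-port: external port in the DMZ, internal port on the LAN.
    "two_port_internal_on_lan": {"external": "dmz_out", "internal": "lan"},
    # ozmark: both ports on their own VLAN, each hairpinned to a firewall sub-interface.
    "two_port_hairpin": {"external": "dmz_out", "internal": "dmz_in"},
}

# Ordered firewall policy, first match wins (hypothetical). Any segment whose
# name starts with "dmz" is in the "dmz" zone.
POLICY = [
    ("untrust", "dmz", 443, "permit"),  # clients to the IVE
    ("dmz", "lan", 389, "permit"),      # IVE -> LDAP auth server
    ("dmz", "lan", 443, "permit"),      # IVE -> intranet web app
]
DEFAULT_ACTION = "deny"


def zone(segment: str) -> str:
    return "dmz" if segment.startswith("dmz") else segment


def segment_of(host: str, placement: str, role: str) -> str:
    """Segment a host talks from ("src") or is reached on ("dst")."""
    if host != "ive":
        return HOSTS[host]
    ports = PLACEMENTS[placement]
    if role == "dst":                     # clients hit the external port if it exists
        return ports["external"] or ports["internal"]
    return ports["internal"]              # IVE-originated traffic leaves via the internal port


def evaluate(flow: Flow, placement: str) -> str:
    """Return "unfiltered" if the flow never crosses the firewall, else the policy verdict."""
    src_seg = segment_of(flow.src, placement, "src")
    dst_seg = segment_of(flow.dst, placement, "dst")
    if src_seg == dst_seg:                # same segment: switched, the firewall never sees it
        return "unfiltered"
    for from_zone, to_zone, port, action in POLICY:
        if (zone(src_seg), zone(dst_seg), port) == (from_zone, to_zone, flow.dport):
            return action
    return DEFAULT_ACTION


# Constructed sample flows: what an IVE typically does after a client connects.
SAMPLE_FLOWS = [
    Flow("client", "ive", 443),       # inbound SSL
    Flow("ive", "ldap", 389),         # authenticate the user
    Flow("ive", "intranet", 443),     # rewrite/proxy a web app
    Flow("ive", "fileserver", 445),   # Network Connect user reaching a share
]


def audit() -> dict:
    """For each placement, the sample flows the firewall cannot filter."""
    return {p: [f for f in SAMPLE_FLOWS if evaluate(f, p) == "unfiltered"] for p in PLACEMENTS}


if __name__ == "__main__":
    for placement in PLACEMENTS:
        print(placement)
        for f in SAMPLE_FLOWS:
            print(f"  {f.src:>7} -> {f.dst:<10} :{f.dport:<4} {evaluate(f, placement)}")
```

Running it shows the difference in one screen: with the internal port on the LAN every IVE-originated flow, including the SMB flow from a Network Connect user, comes back as "unfiltered", while in the one-armed and hairpin layouts the same flow is denied by the default rule and only LDAP and the intranet web port are permitted. The model ignores NAT and connection state; on a real firewall the one-armed design also needs a route for the LAN servers back to the IVE's DMZ address and a policy that allows the return traffic.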

ozmark

Re: pre-deployment question

To avoid confusion, I'm arguing for:

firewall nic (sub interface) -> switch (vlan xxx) -> IVE external port + IVE internal port -> switch (vlan yyy) -> firewall nic (sub interface) -> internal net 

The use of the switches also lends itself to clustering.

willj

Re: pre-deployment question

Ray / Mutt

I've tried doing the single-armed approach, as it's what I've used on several other devices. However, I'm experiencing a problem...

Ray - it is set up as you explained. Only the internal interface is configured with an IP address (a DMZ address). Logical traffic flow is:

internet ---> FW ---> IVE ---> FW ---> internal lan server

Here's what I see.

Traffic comes into the FW, is NATed and is forwarded on to the IVE -- this works. I see inbound 443 traffic to the IVE from internet clients.

The IVE does nothing with this traffic at all... No packets are initiated by the IVE whatsoever. I would expect to see the IVE initiate LDAP traffic to the configured auth servers (tcp/389) in order to authenticate the inbound client connections it was receiving. It doesn't.

I know the IVE can talk (for example) LDAP to the internal auth servers, because if I click the "test connection" box in the Auth section I then see 2-way LDAP traffic as expected.

It doesn't appear to be a routing thing and it's not a firewall thing. What's getting me is the IVE doesn't seem to be doing anything with inbound client connections - it's not trying to auth them.

(I've observed all this with numerous tcpdumps).

any help on this would be much appreciated!

willj

Re: pre-deployment question

ozmark wrote:

To avoid confusion, I'm arguing for:

firewall nic (sub interface) -> switch (vlan xxx) -> IVE external port + IVE internal port -> switch (vlan yyy) -> firewall nic (sub interface) -> internal net

The use of the switches also lends itself to clustering.

Mark - there is no need for the 2nd port / VLAN connection if you can configure it using a one-armed approach. Inbound and outbound traffic would still be firewalled. The benefit of the one-armed approach is that you can keep your DMZ-based devices physically and logically separate from your internal devices. The only devices with interfaces on both the clean and the dirty/semi-dirty (i.e. DMZ) segments of your network would be your firewalls. This is beneficial in many ways.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.