
SOLVED
cryptochrome_
Contributor

General design questions - where to put it

Hi there,

I am wondering what would be the best option to put an SSL gateway into the network. I am planning on placing the gateway into a DMZ of the firewall, but I am not quite sure yet how I connect the internal end. Use two interfaces (internal/external), place the external interface in the DMZ and hook up the internal interface directly to the LAN? Or use just one interface and use it for both, internal and external? Or use two interfaces and put both into the same DMZ?

How are others usually doing it? What's the best compromise between security and ease of integration?

Thanks

Sascha

5 REPLIES
Roy_
New Contributor

Re: General design questions - where to put it

Hi Sascha,

Your first impression is correct. Put the external interface in the DMZ and the internal interface on the internal LAN. It works like a charm and even though the Juniper box is hardened, it also gains the benefit of your Internet firewall helping to protect it. We also have an IPS protecting our devices in the DMZ, so if you are using any type of IPS/IDS, the IPS would sit between your DMZ port on the firewall and the Juniper external interface.

Hope this helps,

Roy Kestler

cryptochrome_
Contributor

Re: General design questions - where to put it

Thanks Roy,

What puzzles me with this design is the question of how routing is supposed to be set up on the internal LAN. If the default gateway for the network points to the firewall, the return traffic from SSL-secured applications will be sent to the firewall instead of the SSL gateway (the firewall dropping it because it is not in the state table). Am I right? Or will the SSL machine do some sort of NAT so external traffic will be translated to an internal address?

Cheers

Sascha

Roy_
New Contributor

Re: General design questions - where to put it

When you configure the Juniper box you will assign an internal IP address pool. You will also assign an external IP address which is reachable from the Internet and configure your firewall to send connections for that address to the DMZ which your VPN will pick up. Once the connection reaches the VPN it will assign that user an internal IP address from its configured pool and your internal LAN routing takes it from there. So to answer your question the return traffic comes back to the Internal IP address assigned by the Juniper IP address pool. The Juniper box keeps track of which external connection it assigned that internal IP address to and automatically sends it back out to the correct user across the Internet.

Roy Kestler
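To make the return-path point concrete, here is a small added model of the two-arm design Roy describes (this is illustration code, not the forum's or Juniper's own implementation). The gateway's external interface sits in the firewall DMZ, its internal interface on the LAN; each remote user is handed an address from an internal pool, and a session table maps that pool address back to the user's Internet session, so LAN hosts only ever reply to pool addresses. All IP addresses are constructed for the example. The second half assumes the pool is a separate subnet from the LAN and that the LAN has a route for it pointing at the gateway's internal interface (labelled as an assumption in the code): if that route is missing, a LAN host follows its default route and the reply lands at the firewall instead, which is exactly the outcome Sascha was worried about.

```python
"""Added example: two-arm SSL VPN gateway with an internal address pool.

Constructed addresses only. The routing check at the bottom assumes the
pool is a subnet distinct from the LAN, reachable via a route that points
at the gateway's internal interface (an assumption, not something the
thread states)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


@dataclass
class TwoArmGateway:
    external_ip: str                      # DMZ-side address the firewall forwards to
    pool: ipaddress.IPv4Network           # internal pool handed out to remote users
    sessions: dict = field(default_factory=dict)   # pool_ip -> remote client ip
    _free: list = field(init=False)

    def __post_init__(self) -> None:
        self._free = [str(h) for h in self.pool.hosts()]

    def connect(self, client_ip: str) -> str:
        """A remote user reaches the external IP; allocate a pool address."""
        if not self._free:
            raise RuntimeError("pool exhausted")
        pool_ip = self._free.pop(0)
        self.sessions[pool_ip] = client_ip
        return pool_ip

    def inbound(self, pkt: Packet, pool_ip: str) -> Packet:
        """Decrypted tunnel traffic is re-sourced from the user's pool
        address before leaving the internal interface."""
        if self.sessions.get(pool_ip) != pkt.src:
            raise PermissionError("no session for this client/pool pair")
        return Packet(src=pool_ip, dst=pkt.dst, payload=pkt.payload)

    def outbound(self, pkt: Packet) -> Packet:
        """Return traffic arrives on the internal interface addressed to a
        pool IP; the session table says which Internet client owns it."""
        client = self.sessions.get(pkt.dst)
        if client is None:
            raise KeyError(f"no session owns {pkt.dst}; packet dropped")
        return Packet(src=self.external_ip, dst=client, payload=pkt.payload)


def next_hop_for(dst: str, routes: dict, default: str) -> str:
    """Longest-prefix match over a LAN host's routing table.

    routes maps prefix -> next hop ("on-link" for the local subnet);
    default is the default gateway, here the Internet firewall."""
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else default


if __name__ == "__main__":
    gw = TwoArmGateway("203.0.113.10", ipaddress.ip_network("10.99.0.0/24"))
    pool_ip = gw.connect("198.51.100.7")
    inner = gw.inbound(Packet("198.51.100.7", "10.0.0.25", "GET /"), pool_ip)
    reply = gw.outbound(Packet("10.0.0.25", pool_ip, "200 OK"))
    print(inner, reply, sep="\n")
    # With a route for the pool subnet, the LAN host sends the reply to
    # the gateway's internal interface (assumed 10.0.0.2); without it, the
    # default route hands the reply to the firewall (10.0.0.1).
    lan = {"10.0.0.0/24": "on-link", "10.99.0.0/24": "10.0.0.2"}
    print(next_hop_for(pool_ip, lan, "10.0.0.1"))
    print(next_hop_for(pool_ip, {"10.0.0.0/24": "on-link"}, "10.0.0.1"))
```

The two `next_hop_for` calls show the design check worth doing before go-live: the reply is addressed to the pool IP, not the remote client's Internet address, so the firewall never sees it as long as the LAN knows the pool subnet lives behind the gateway's internal interface.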

cryptochrome_
Contributor

Re: General design questions - where to put it

All right, got it. Thanks! :)

Roy_
New Contributor

Re: General design questions - where to put it

You're welcome! Glad I could help. :)

Roy Kestler