I have two SA devices and I wanna deploy them in cluster (active/passive), can someone help me to find the best possible design ?
what are the recommendations?
is the external port used? when I put the external ports in the public segment and configured a VIP with a public IP, then I notice that these public IPs are not reachable.
now come to the intenal port, I notice that local lan user are unable to access SA via its internal VIP (with private IP).
Kinldy help me out with your expert knowledge to deploy them.
Thanks and best regards,
We've tried deployment a couple different ways and here is what we do:
We enable the external port and put it into a DMZ, then we create NATs in the firewall for the outside world to access the site. You need to hit this site by a hostname, not an IP and the sign-in policy has to be configured for the host name you are using. You should also get a certificate for this site.
We enable the internal port and put it into a seperate subnet on our internal network. Then we lock down what people can get to with the IVE policy. It's normal for users to be denied from hitting the internal port. As a security measure the Internal port is for admins only.
Best of Luck.. The deployment guides are very good.
You should really read up alot before setting this up. there are alot of diffrent ways Junipers can be setup but once they are setup a change will require downtime and this is always a big issue for us.
you can hide the external interfaces behind a nat but than we ran into issues using the pass through proxy so i recommend putting the external interfaces directly on the internet but behind a firewall.
the VIP for the cluster is setup in the cluster setup and not the network configuration. The cluster setup will only show up if you have a cluster license though.