In the process of setting up Network Connect, I set up the resource policy with the appropriate IP range... but I am stuck on the network settings (system >> network >> network connect). There are two options. The first is IP address filter; I just specified the IP address range on the resource policy. What's this? The next, which I am even more confused about, is Network Connect Server IP Address. I would think that the IP address of my appliance would go here... but it says "Be careful to choose an IP other than your IVE external/internal IPs." For the record, I am set up without an external port. My internal port is connected directly to my public network, which is all public IPs. The IPs I will be assigning via Network Connect are public IP addresses as well.
Here is a snapshot of my network topology:
External Firewall ---> VLANs with External IP address --> VPN VLAN ---> Juniper SSL (internal port)
I don't see a reason to use the external port... I'm not sure where use of the external port would be applicable.
In a simple setup like yours, your IP filter would probably just match what you configured in your resource policy. In multiple appliance/site configurations, the filter is one way to break apart which appliances can assign which addresses.
As for the external port, many environments require that web traffic only enter the network in a particular segment, and would prefer that both their VPN clients and rewritten traffic from the IVE don't reside in that zone. But for simple implementations you can certainly just one-arm the appliance.
Thanks, that makes sense. How about the Network Connect Server IP address? What is the function of this IP and how is it related to Network Connect?
This is an "internal address" that is used by the NC process and has nothing to do with client-side IPs. Hence the need to make sure it is not part of your address pool. It is an address that the NC process uses to communicate and hand out addresses to the clients.
Best to leave the default address in place.
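The rules given in the replies above (the NC server IP must not be one of the IVE's port IPs and must not sit inside the client address pool, and the IP address filter bounds which addresses this appliance hands out), written as a small layout checker. This is an added example, not from the thread and not Juniper's own code: the layouts it checks are constructed sample values, the `a.b.c.d-e` last-octet shorthand follows the way pool ranges are written in this thread, and treating the filter as something the pool must fall inside is an assumption drawn from the earlier reply rather than from the admin guide.

```python
"""
Sanity checks for a Network Connect (NC) address layout (added example; the
addresses are constructed, not taken from any real deployment).

Rules encoded, as stated in the thread:
  * the NC server IP must not equal the IVE internal or external port IP
  * the NC server IP must not fall inside the client address pool
  * (assumption) every pool range should sit inside the IP address filter,
    since the filter limits which addresses this appliance may assign
IPv4 only.
"""
import ipaddress
from typing import List, Optional, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_range(spec: str) -> Range:
    """Return (first, last) for 'a.b.c.d-e' (last-octet shorthand, as written in
    the thread), 'a.b.c.d-w.x.y.z', 'a.b.c.d/nn', or a single address."""
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net[0], net[-1]
    if "-" in spec:
        start, end = spec.split("-", 1)
        first = ipaddress.ip_address(start)
        if "." in end:
            last = ipaddress.ip_address(end)
        else:
            # 10.10.10.4-100 means 10.10.10.4 .. 10.10.10.100
            last = ipaddress.ip_address(start.rsplit(".", 1)[0] + "." + end)
        if last < first:
            raise ValueError(f"range {spec!r} ends before it starts")
        return first, last
    addr = ipaddress.ip_address(spec)
    return addr, addr


def in_range(addr: ipaddress.IPv4Address, rng: Range) -> bool:
    return rng[0] <= addr <= rng[1]


def check_nc_layout(internal_ip: str, external_ip: Optional[str], nc_server_ip: str,
                    pool: List[str], ip_filter: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    internal = ipaddress.ip_address(internal_ip)
    external = ipaddress.ip_address(external_ip) if external_ip else None
    nc = ipaddress.ip_address(nc_server_ip)
    pool_ranges = [parse_range(p) for p in pool]
    filter_ranges = [parse_range(f) for f in ip_filter]

    if nc == internal or (external is not None and nc == external):
        problems.append(f"NC server IP {nc} is one of the IVE port IPs")

    for lo, hi in pool_ranges:
        if in_range(nc, (lo, hi)):
            problems.append(f"NC server IP {nc} falls inside pool {lo}-{hi}")
        for iface in (internal, external):
            if iface is not None and in_range(iface, (lo, hi)):
                problems.append(f"IVE port IP {iface} falls inside pool {lo}-{hi}")
        # Assumption: a pool range must be wholly inside one filter range
        # (both endpoints in the same filter entry) to be assignable.
        if filter_ranges and not any(in_range(lo, f) and in_range(hi, f) for f in filter_ranges):
            problems.append(f"pool {lo}-{hi} is not inside the IP address filter")
    return problems


# Constructed sample layouts (not from a real appliance).
# One-armed appliance on 10.10.10.2, default NC server IP, pool 10.10.10.4-100.
GOOD_LAYOUT = dict(internal_ip="10.10.10.2", external_ip=None,
                   nc_server_ip="10.200.200.200",
                   pool=["10.10.10.4-100"], ip_filter=["10.10.10.0/24"])
# Same, but the NC server IP was placed in the middle of the client pool.
BAD_LAYOUT = dict(internal_ip="10.10.10.2", external_ip=None,
                  nc_server_ip="10.10.10.50",
                  pool=["10.10.10.4-100"], ip_filter=["10.10.10.0/24"])

if __name__ == "__main__":
    for name, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(name, check_nc_layout(**layout) or "ok")
```

The checker only mirrors what the thread says; it does not know which address the NC process should actually use, so a layout that passes (for instance an NC server IP of 10.10.10.3 next to a pool of 10.10.10.4-100) is merely not in conflict with the stated rules, which is different from being the recommended default.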
Best to leave the default of 10.200.200.200 in place? I saw another configuration that used the next IP in sequence... so it went 10.10.10.2 for the appliance, 10.10.10.3 for the NC server, and the NC IP address range was 10.10.10.4-100. Is there any traffic that is routed between the NC server interface and the internal LAN?
Yes, leave it in place. Here is the exact statement from the admin guide: