Hello, I'm just starting the configuration of my first SA 700. From a laptop connected to the internal port I can logon and get to the GUI, but I can't ping the external port or get any traffic through it. Is this normal? Do I need to go further in the config process or do I have an issue that I should address first before going any furher? Thanks for any help anyone can offer.
Is the external Interface enabled? Watch the Network Tab in your IVE configuration.
But no matter - you can go on configuring and learn the basic concept of this great solution even if ext. interface is still not enabled.
The most important thing on beginning is to understand the concept...
1. Sign-In Policies >>> Generate a URL for the users. Maps a Sign-In Webpage and a Realm to that URL.
2. Realms >>> Define which Authentication Server to use, Pre-Login Restrictions and how to map User-Roles to that Realm. You can also activate hostchecker to check a host pc BEFORE the user logs in to the IVE!
3. Roles >>> Defines which Ressources the users who will be mapped to that role will have (only Web? Only VPN? Only Fileaccess? Only SSH or RDP? Or everything?). Here you can also activate hostchecker, to check host pc AFTER User did log in to the IVE!
4. Resource Policies >>> Defines which userrole will be able to access which resources.
Well, i dont know anything about your network topology. I hope i did get you right...
IVE has nothing to do with the "other" traffic which passes from the inside to the outside (internet) network.
Its just a "hardened gateway" which allows secure access to internal ressources from the outside.
So, it needs an IP on the external interface, to be accessable from the internet.
If you have no public IP for your IVE, use NAT on the firewall and give IVE a private IP.
If it has a public IP, place it in the DMZ and thats it.
If you can not ping it, troubleshoot if it has a link (LED). Check Duplex and Speedsettings.
Sometimes negotiation does not work properly. Maybe its best idea to put a fix speed setting, according to your firewall port (100Mbit?).
If it has a link, do a tracert or pathping or traceroute commands to find out why ICMP can not access IVE.
You dont need to connect an notebook directly to the internal port to expect to ping the external interface.
Connect internal interface to your LAN, connect external Interface to your Firewall and thats it.
Even if you put your external interface to DMZ - its safe.
This is a hardened machine. No unnecessary ports are opened, only TCP 443 / 80 and UDP 4500.
Thanks, I think that's really the info I needed. My setup is as follows:
Firewall (public IP address)
Juniper (private IP on both interfaces)
Cisco router (private IP)
Assuming there aren't any obvious problems,I'll just start hacking at it and see what I can come up with.Thanks for the help.
The IVE is also a router.
Give each interface an IP from another subnet, for example internal IF= 10.10.10.1/24 and external IF=10.10.10.20.1/24.
The IVE will create automatically the proper routing table.
Then think about the transfer-networks between your FW and external interface, and between your IVE internal interface and your cisco router interface.
i have windows 7 os in my laptop i can't conn't to SA700 box its giving me error
this is a config-related error. what message do you see in your user access log?