My SSL concentrators are configured as an Active/Passive cluster. I turned on a sniffer to trace a session from the concentrator (the internal interface) to internal web resources, and found that the Active concentrator innitiates sessions with its real IP instead of the internal VIP.
¿Is this normal behavior? I want to be sure, since I have to configure policies in the firewall located between the SSL concentrator and the internal resources.
Your kind answers will be greatly appreciated.
Best regards, Rogelio
I create a group with all three addresses, the vip and the two physical cluster members. Then use this to write the rules for access to resources.
The other set of rules you will need is for any address pools you create for network connect or Junos pulse connections.
You will also need a nat enabled internet access rule from these addresses if you do not use split tunnel and force any internet traffic over this link. These will be from the interface addresses. This will also be the source address for for any web resources that go to internet servers.
Thank you very much for your kind answer.
So if there is a firewall between the cluster and the backend resources, my security policies must take into account the IP addresses of both internal interfaces of the cluster devices. ¿Am I right?