cancel
Showing results for 
Search instead for 
Did you mean: 

SA4500 external port, public IP or behind a firewall?

Highlighted
Occasional Contributor

SA4500 external port, public IP or behind a firewall?

Hi,

I'm just curious to see how others have their SA appliances set up. I've currently got the external firewalled in a DMZ and the internal sitting right on the LAN. We use Watchguard firewalls and we have a burstable T3 so I have a lot of bandwidth caps in place for both inbound and outbound traffic. I've been thinking about giving the SA external port a public IP and bypassing the firewall to see if it helps with some bandwidth inconsistencies I've been seeing (upload vs download over NC).

How do you guys have your SA tied into your physical networks?

-Josh.

3 REPLIES 3
Highlighted
Respected Contributor

Re: SA4500 external port, public IP or behind a firewall?

What type of inconsistencies are you seeing?

I don't expect that it should matter as the user -> IVE is encrypted SSL or ESP traffic; the backend traffic may be more of a bottleneck (but I don't know what type of inspection you are doing on your FW either so it could have an impact)

Highlighted
Occasional Contributor

Re: SA4500 external port, public IP or behind a firewall?

Download performance was 50% of the upload performance. I spoke with our guys in Europe who tried a similar config and they reported similar issues. I placed the external interface outside the network with a public IP and the performance is much better, and now ESP works (never could get that working through the FW). We weren't doing anyting special at the firewall, just port-based NAT rules.

Highlighted
Frequent Contributor

Re: SA4500 external port, public IP or behind a firewall?

This is interesting. I have never been able to get ESP working either and I have mine in a DMZ behind my Juniper SSG's.