I'm just curious to see how others have their SA appliances set up. I've currently got the external firewalled in a DMZ and the internal sitting right on the LAN. We use Watchguard firewalls and we have a burstable T3 so I have a lot of bandwidth caps in place for both inbound and outbound traffic. I've been thinking about giving the SA external port a public IP and bypassing the firewall to see if it helps with some bandwidth inconsistencies I've been seeing (upload vs download over NC).
How do you guys have your SA tied into your physical networks?
What type of inconsistencies are you seeing?
I don't expect that it should matter as the user -> IVE is encrypted SSL or ESP traffic; the backend traffic may be more of a bottleneck (but I don't know what type of inspection you are doing on your FW either so it could have an impact)
Download performance was 50% of the upload performance. I spoke with our guys in Europe who tried a similar config and they reported similar issues. I placed the external interface outside the network with a public IP and the performance is much better, and now ESP works (never could get that working through the FW). We weren't doing anything special at the firewall, just port-based NAT rules.
This is interesting. I have never been able to get ESP working either, and I have mine in a DMZ behind my Juniper SSGs.