Showing results for 
Search instead for 
Did you mean: 

SSL VPN Two Leg Deployment Design

Regular Contributor

SSL VPN Two Leg Deployment Design

Hello Experts


There is any security concern when connecting the external port of SSL VPN in public DMZ behind the perimeter firewall and internal port directly to the core firewall/core switch? My concern is. in this way, we are connecting pubic DMZ segment and inside network back to back physically through SSL VPN device.  


Thanks You

Regular Contributor

Re: SSL VPN Two Leg Deployment Design

Thank you


Re: SSL VPN Two Leg Deployment Design

This is a common question that applies to more than just Juniper's SSL VPN product, and it's really about risk exposure tolerances.


Connecting the internal port right into the LAN is the easiest way to deploy, but should the device software get exploited, a hacker could potentially gain unrestriced access to all LAN resoruces, assuming you have no internal access controls on the LAN segment the device is connecteed too.


A generally best practice for security would be to not have a device accepting internet facing connects to be directly connected to the LAN, but this is a more complex setup.  There are many ways to accomplish this with both 1 and 2 arm configurations.


In general, a secure and fairly easy configuration would be 1 arm in DMZ, which would use only the internal port,


Check out this KB for all the options:


It talks about SA-6000 but it's relevant to any SA/MAG device with an internal//external interface.  It's also relevant to just about any device (or virtual appliance) where you have at least 2 interfaces available.