I don't know the Juniper yet, but I will soon have a cluster of 4500s, and I have some questions about it.
There are 3 access methods (core, application layer and network layer).
The Juniper will have the WAN and LAN interfaces in a separate DMZ (controlled by a firewall).
I will use one realm per country or per service. Now I would like you to confirm, if possible, that I am not making too many mistakes:
It's not possible to use a realm with termination in a separate VLAN on the LAN interface.
It's not possible for core access and application layer access to use a different IP address; all realms use the LAN IP address.
For network layer access I can use a different IP or a pool per realm.
Can I use a policy-based routing function (based on source, destination or port) to redirect some flows to another gateway?
How can I split or separate the flows with core or application access?
Thanks for your reply.
Ok for roles, but is it possible to define a user belonging to a role, and assign it (user or role) to a particular VLAN and
Regards
Yes, this can be done. You will need to create a VLAN on the system.
On the role, you will need to enable the option to use custom source IP and VLAN information at the following locations:
1) Users>User Roles>roleName>General>Options
2) Users>User Roles>roleName>General>Source IP/VLAN
Don't get confused between realms and roles: roles contain the settings for users, and can be assigned to different VLANs. A user can be part of more than one role too. Realms are purely a mapping of authentication servers to roles.
SAs only support static destination routing, but each VLAN has its own routing table.
I know other SSL VPN solutions; the SA is my first step with Juniper.
Ok for roles, but is it possible to define a user belonging to a role, and assign it (user or role) to a particular VLAN and network?
One question that I have is how to ensure that a user from a country will have a dedicated IP address/network, and whether it's possible to filter it on the firewall, but that's another topic.
I will have 10 countries and 5 services, and for each I would like to delegate the management and use a different IP. As I read it, we can only define an IP or pool for network layer access.