
Where to Place MAG Series

Occasional Contributor

Where to Place MAG Series

Hi Guys,

Just a "starter" question. Where would you recommend placing a MAG series in a typical deployment? Definitely, this may vary from network to network, but I just need an idea on where/how to place it.

What the customer needs to achieve is to ensure SSL VPN access to their ERP software. Thanks.

Willys W.
Respected Contributor

Re: Where to Place MAG Series

Thanks for your awesome response, spuluka!
Respected Contributor

Re: Where to Place MAG Series

Directly on the internet or behind a FW in your DMZ & in front of the ERP software. Unfortunately, as you indicated in your post, there are multiple options. What type of network deployment are you looking at?
Super Contributor

Re: Where to Place MAG Series

I've been looking in the admin guide and searching the kb because I was sure there would be a section discussing the four primary deployment models for SSL VPN.  But if it exists, I can't find it.  So here is the short version.

The SSL VPN appliance has two ethernet ports that allow for both "one arm" and "two arm" deployment. The interfaces can be thought of as external and internal, with the internal being able to function as both. Connections come into the SSL VPN and then are proxied by the appliance to the ultimate destination.

One Arm without a DMZ

In this model the site is a single zone behind the firewall with all the local resources located together. Here the SSL VPN appliance is attached by the internal interface to the single local LAN.

The firewall forwards http, https and port 4500 from the internet to the appliance. And resources are set up for access from this same internal port.

The advantage is that this is a simple deployment in a simple network. But care must be taken in setting up the access resources on the SSL appliance. Because the SSL appliance is on the same LAN as all the local resources, any open access or errors in granting broader access can expose local servers and systems to remote connected systems that are compromised.

One Arm in the DMZ

In this model the internal interface is connected to the existing DMZ segment behind a firewall with both a DMZ zone and internal resources. The inbound connections come to the SSL appliance and the appliance proxies those connections out to internal resources.

In this model the firewall forwards http, https and 4500 to the SSL appliance, but the outbound connections can be firewall restricted. Since the single arm is in a DMZ, they must again transit the firewall before reaching any internal resources. So there is an opportunity to create firewall rules that only permit internal connections from the SSL VPN client pool addresses to resources that should be available to remote users. Even with misconfigurations that permit broad access on the SSL appliance, the firewall will block the attempts to use that broader access.

The disadvantage is that when new resources are made available on the SSL appliance, firewall rules must also be updated. Thus the administration is slightly more complex.

Two Arm with a DMZ

In this model the external interface of the SSL appliance is connected to the DMZ while the internal interface is connected to the internal zone of the site. Here the inbound connections come to the external interface and the appliance proxies the resource connection on the internal interface.

This model makes use of the DMZ landing zone to physically separate external traffic from internal. This overcomes the maintenance disadvantage of one arm with DMZ by connecting the proxy traffic directly to the internal resource LAN. Thus there are no firewall rules needed for further access. This can be especially helpful when the remote resources are already segregated on the network so that the additional firewall is not necessary to protect resources that will not be used remotely.

Two arm with two DMZ

In this model the external interface of the SSL appliance is connected to the public landing zone DMZ while the internal interface is connected to an internal landing zone DMZ.  This combines the physical separation of two arm with DMZ with the firewall protections on the internal proxy traffic of the single arm in the DMZ.  This makes the traffic fully separated and secured but adds a layer of complexity to the management of the system.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) -
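
The "One Arm in the DMZ" trade-off described in the post above (the firewall backstops the appliance, but its rules must track what the appliance publishes) can be checked mechanically. The following is an added example, not part of the original thread or any Juniper tooling; the `audit` helper, addresses, ports and rule format are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (hypothetical addresses, not from the thread).
VPN_POOL = "10.50.0.0/24"                               # SSL VPN client pool
PUBLISHED = [("10.1.20.15", 443), ("10.1.20.16", 8443)]  # resources granted on the appliance
FW_PERMITS = [  # DMZ-to-internal permits: (source net, destination net, port or None = any)
    ("10.50.0.0/24", "10.1.20.15/32", 443),   # matches a published resource exactly
    ("10.50.0.0/24", "10.1.30.0/24", None),   # whole subnet, any port
    ("10.60.0.0/24", "10.1.20.16/32", 8443),  # right destination, wrong source
]

def audit(pool, published, permits):
    """Reconcile appliance resources with firewall permits for the VPN pool.

    Returns (uncovered, overbroad):
      uncovered - published (host, port) pairs that no permit from the whole
                  pool allows, so remote users would be blocked at the firewall
      overbroad - permits sourced from the pool that allow more than a single
                  published (host, port), so the firewall would not contain a
                  misconfigured resource policy on the appliance
    """
    pool = ipaddress.ip_network(pool)
    wanted = {(ipaddress.ip_address(h), p) for h, p in published}
    rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p)
             for s, d, p in permits]

    uncovered = sorted(
        (str(host), port) for host, port in wanted
        if not any(pool.subnet_of(src) and host in dst and rport in (None, port)
                   for src, dst, rport in rules)
    )
    overbroad = [
        (str(src), str(dst), rport) for src, dst, rport in rules
        if src.overlaps(pool)
        and not (dst.num_addresses == 1 and (dst.network_address, rport) in wanted)
    ]
    return uncovered, overbroad

if __name__ == "__main__":
    missing, wide = audit(VPN_POOL, PUBLISHED, FW_PERMITS)
    print("published but not permitted at firewall:", missing)
    print("permitted more broadly than published:", wide)
```

Running the same reconciliation whenever a resource is added on the appliance catches both drift directions: a missing firewall rule and a permit that no longer acts as a backstop.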