pre-deployment question

Occasional Contributor

quick question...

Are these devices meant to be deployed with one interface in the DMZ and one interface on the inside network?

cheers

Super Contributor

Re: pre-deployment question

Yes. One interface is in the unprotected network (typically the Internet) and one in the protected network (typically your enterprise's internal network).

Occasional Contributor

Re: pre-deployment question

thanks for the info.

I trust these devices are running a pretty secure OS with little/no chance of being exploited themselves?

Valued Contributor

Re: pre-deployment question

Yes - the O/S is a hardened one. There is quite a bit of literature on this on the Juniper main web site.

Frequent Contributor

Re: pre-deployment question

We do ours using just the internal interface on a DMZ. That way we can monitor and control where the box can go on the internal network. Multi-homed stuff crossing security boundaries is always a concern to me.

Ray

Frequent Contributor

Re: pre-deployment question

Ray, but you can control it for sure if the outside interface is directly connected to a firewall (outbound) and the internal interface to a firewall (inbound).

So you can also monitor where the machine can go in the inside direction and how it is reachable from the outside/Internet network.

Occasional Contributor

Re: pre-deployment question

Ray - what you have described is ideally how I would like to deploy this kind of service. Effectively single-armed and located in a DMZ.

I have had an SA2500 on eval but was not sent any documentation or access to the support site. As such, I deployed using both the internal and external interface - which isn't what I really want to do for production.

Is the method of deployment you have described outlined in the support documentation? Could you point me to it? Did you come across any gotchas deploying it this way?

thanks

will

Occasional Contributor

Re: pre-deployment question

Ben, if both your external and internal interfaces are screened by your firewalls, what is the point of having them both in use?
Frequent Contributor

Re: pre-deployment question

No gotchas at all. Only the internal interface is in use and that is the management interface also. I don't know if it's documented anywhere but it's been in use for almost two years with zero issues.

Ray

Valued Contributor

Re: pre-deployment question

Hey Will - I will jump in, in support of Ray. I have implemented this configuration at several customers and it is also the same one that my company uses. We could probably argue the merits of either solution but they are both very acceptable. What is right? The one that works, is easy to implement and that fits in with your internal architecture.

If you have an eval unit you should have received documentation from Juniper or your reseller. You can contact them and they should give it to you.

However - there is really not much to bringing up the unit this way. You bring the unit up via a console cable - IP address, name, DNS, self cert....

Log in, build out the box (make a realm, a role and some resources...) and just hit it from inside your network with the assigned IP; create the necessary map to punch through the firewall with the outside IP mapped to inside, and you are good to go.

If you can't seem to get hold of the documentation easily - go yell at the sales guy or just post the questions here.
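The single-arm DMZ layout Ray describes, together with the firewall mapping in the post above, can be sanity-checked before anything is racked. The script below is an added example and is not from the thread, from Juniper documentation or from the appliance itself: it models an edge firewall that DNATs a public address to the appliance's one DMZ interface on TCP/443 only, and an internal firewall that decides what the appliance may reach on the inside and who may reach its admin console. Every address, network and rule name is constructed for the example; `Rule`, `evaluate`, `inbound_from_internet` and `overly_broad_egress` are names assumed here, not features of any product. The last function makes Ray's point concrete: a dual-homed box whose second leg sits directly on the LAN behaves like an "allow any port" rule that no firewall constrains.

```python
"""Policy check for the single-arm DMZ deployment discussed in this thread.

The appliance has one interface, on the DMZ.  An edge firewall maps the
public address to it on TCP/443 only; an internal firewall decides what the
appliance may reach on the inside and who may reach its admin console.
All addresses, networks and rule names below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination TCP port; None means any port
    action: str           # "allow" or "deny"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


# Constructed addressing (RFC 5737 for the public side, RFC 1918 inside).
PUBLIC_VPN_IP = "203.0.113.10"   # address remote users connect to
DMZ_VPN_IP = "10.1.1.10"         # the appliance's only interface, in the DMZ
MGMT_NET = "10.20.0.0/24"        # where the admins sit
AD_SERVER = "10.10.0.5"          # LDAPS for realm authentication
INTRANET = "10.10.0.0/16"        # web resources published through the VPN

# Edge firewall: static NAT of the public address to the DMZ host, 443 only.
DNAT = {(PUBLIC_VPN_IP, 443): (DMZ_VPN_IP, 443)}

# Edge firewall policy after translation; anything unmatched is dropped.
EDGE_POLICY = [
    Rule("inet-to-vpn-https", "0.0.0.0/0", f"{DMZ_VPN_IP}/32", 443, "allow"),
]

# Internal firewall policy between the DMZ and the inside; default deny.
INTERNAL_POLICY = [
    Rule("mgmt-to-vpn-admin", MGMT_NET, f"{DMZ_VPN_IP}/32", 443, "allow"),
    Rule("vpn-to-ad-ldaps", f"{DMZ_VPN_IP}/32", f"{AD_SERVER}/32", 636, "allow"),
    Rule("vpn-to-intranet-https", f"{DMZ_VPN_IP}/32", INTRANET, 443, "allow"),
]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; an unmatched flow is denied."""
    for rule in policy:
        if rule.matches(src, dst, dport):
            return rule.action, rule.name
    return "deny", "default-deny"


def inbound_from_internet(src: str, public_dst: str, dport: int) -> Tuple[str, str]:
    """Apply the edge DNAT, then the edge policy.  With no DNAT entry the
    packet never reaches the DMZ host at all."""
    translated = DNAT.get((public_dst, dport))
    if translated is None:
        return "deny", "no-dnat"
    return evaluate(EDGE_POLICY, src, translated[0], translated[1])


def overly_broad_egress(policy: List[Rule], vpn_ip: str = DMZ_VPN_IP) -> List[str]:
    """Names of allow rules that let the appliance reach somewhere on any port.
    A dual-homed box whose second leg sits directly on the LAN behaves like
    such a rule: if the appliance itself is compromised, nothing inside
    constrains where it goes."""
    return [
        rule.name for rule in policy
        if rule.action == "allow"
        and ip_address(vpn_ip) in ip_network(rule.src)
        and rule.dport is None
    ]


if __name__ == "__main__":
    # Remote user to the published HTTPS port: allowed via DNAT.
    print(inbound_from_internet("198.51.100.7", PUBLIC_VPN_IP, 443))
    # Remote attacker probing SSH on the public address: no mapping, dropped.
    print(inbound_from_internet("198.51.100.7", PUBLIC_VPN_IP, 22))
    # Appliance to the directory for realm authentication: allowed.
    print(evaluate(INTERNAL_POLICY, DMZ_VPN_IP, AD_SERVER, 636))
    # Appliance to SMB on a file server: not needed by any role, denied.
    print(evaluate(INTERNAL_POLICY, DMZ_VPN_IP, "10.10.0.7", 445))
    # Only the management network reaches the admin console on the inside.
    print(evaluate(INTERNAL_POLICY, "10.20.0.4", DMZ_VPN_IP, 443))
    print(evaluate(INTERNAL_POLICY, "10.10.0.99", DMZ_VPN_IP, 443))
    # What the dual-homed layout looks like when expressed as a rule.
    lan_leg = Rule("dual-homed-lan-leg", f"{DMZ_VPN_IP}/32", "10.0.0.0/8", None, "allow")
    print(overly_broad_egress(INTERNAL_POLICY + [lan_leg]))
```

The internal policy only lists what the realms and roles actually need (directory authentication and the published intranet web servers), so a compromise of the appliance, the concern raised earlier in the thread, is bounded by the same firewall that fronts the rest of the DMZ; adding a back-end resource means adding a rule, not trusting a second interface.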