Are these devices meant to be deployed with one interface in the DMZ and one interface on the inside network?
Yes. One interface is in the unprotected network (typically the Internet) and one in the protected network (typically your enterprise's internal network).
We do ours using just the internal interface on a DMZ. That way we can monitor and control where the box can go on the internal network. Multi-homed stuff crossing security boundaries is always a concern to me.
Ray, but you can control it for sure if the outside interface is directly connected to a firewall (outbound) and the internal interface to a firewall (inbound).
So you can also monitor where the machine can go in the inside direction and how it is reachable from the outside / Internet network.
Ray - what you have described is ideally how I would like to deploy this kind of service. Effectively single-armed and located in a DMZ.
I have had an SA2500 on eval but was not sent any documentation or access to the support site. As such, I deployed using both the internal and external interface - which isn't what I really want to do for production.
Is the method of deployment you have described outlined in the support documentation? Could you point me to it? Did you come across any gotchas deploying it this way?
No gotchas at all. Only the internal interface is in use and that is the management interface also. I don't know if it's documented anywhere but it's been in use for almost two years with zero issues.
Hey Will - I will jump in, in support of Ray. I have implemented this configuration at several customers and it is also the same one that my company uses. We could probably argue the merits of either solution but they are both very acceptable. What is right? The one that works, is easy to implement, and fits in with your internal architecture.
If you have an eval unit you should have received documentation from Juniper or your reseller. You can contact them and they should give it to you.
However - there is really not much to bringing up the unit this way. You bring the unit up via a console cable - IP address, name, DNS, self cert....
Log in, build out the box (make a realm, a role and some resources...) and just hit it from inside your network with the assigned IP - create the necessary map to punch through the firewall with the outside IP mapped to the inside and you are good to go.
If you can't seem to get hold of the documentation easily - go yell at the sales guy or just post the questions here.