@ozmark wrote: To avoid confusion im arguing for: firewall nic (sub interface) -> switch (vlan xxx) -> IVE external port + IVE internal port -> switch (vlan yyy) -> firewall nic (sub interface) -> internal net The use of the switches also lends itself to clustering. Mark - there is no need for the 2nd port / vlan connection, if you can config using a one-armed approach. Inbound and outbound traffic would still be firewalled. The benefit of the one-armed approach is that you can keep your dmz-based devices physically and logically seperate from your internal devices. The only devices with interfaces on the clean and dirty/semi-dirty (ie dmz) segments of your network would be your firewalls. This is beneficial in many ways. ... View more

Ray / Mutt I've tried doing the single-armed approach as its what I've used on several other devices. However, Im experiencing a problem... Ray - as you explained it is as I have it setup. Only the internal interface is configured with an IP add (dmz address). Logical Traffic flow is: internet ---> FW ---> IVE ---> FW ---> internal lan server Heres what I see. Traffic comes into the FW, is natted and is forwarded onto the IVE -- This works. I see inbound 443 traffic to the IVE from internet clients. The IVE does nothing with this traffic at all... No packets are initiated by the IVE whatsoever. I would expect to see the IVE initiate LDAP traffic to the configured auth servers (tcp/389) in order to authenticate the inbound client connections it was receiving. it doesnt. I know the IVE can talk (for example) LDAP to the internal auth servers as if I click the "test connection" box in the Auth section I then see 2-way LDAP traffic as expected. It doesn't appear to be a routing thing and its not a firewall thing. Whats getting me is the IVE doesnt seem to be doing anything with inbound client connections - its not trying to auth them. (I've observed all this with numerous tcpdumps). any help on this would be much appreciated! ... View more

Thanks Justin, that worked like a charm :) ... View more

I have managed to move the start button into the "Client Apps" box on the toolbar (alongside Home/Preferences etc). However, the custom start page I have put in (which is our intranet home page) is not being served. Instead the .../dana/home/index.cgi page just sits there. Any ideas why ? I went into User Roles / User_Role_Relevant_to_mylogin / UI Options and changed the "Start page" to be our intranet. but nada... ... View more

Why? The firewall maintains state. The initial 3-way handshake would include the src/dest IP pair (along with port info). You just need to concern yourself with tying down what IP src/dest addresses/ranges you are going to allow RDP access for. ... View more

doesnt anyone just use one interface only? (in the dmz) the only devices we allow to have interfaces in external and internal networks are our firewalls. ... View more

Ray/Kevin - thanks for the info. When I deploy into prod it will be with a single nic. Just wanted to be sure there were no issues - I've had issues doing this kind of deployment with other vendor appliances so wanted to know if there were any issues I should be aware of before rolling out. thanks again will ... View more

Ben, if both your external and internal interfaces are screened by your firewalls, what is the point of having them both in use? ... View more

Ray - what you have described is ideally how I would like to deploy this kind of service. Effectively single-armed and located in a dmz. I have had as SA2500 on eval but was not sent any documentation or access to the support site. As such, I deployed using both the internal and external interface - which isn't what I really want to do for production. Is the method of deployment you have described outlined in the support documentation? Could you point me to it? Did you come across any gotcha's deploying it this way? thanks will ... View more

thanks for the info. I trust these devices are running a pretty secure OS with little/no chance of being exploited themself? ... View more