We are currently looking to move to virtual appliances and in the process simplify our design a bit. In our current layout (explicit forward), we have P1 on the internal network and P2 in the DMZ. We don't like giving our virtual infrastructure access to both internal and DMZ VLANS. My thought is to use a single interface design on the WSA (P1) and place it on our internal network with an outbound only direct NAT'd connection to the internet.
What is the best practice in this case? If it is one internal interface only, should it be segmented into it's own VLAN for any reason? We would normally place it in our server VLAN.
Thanks,
Tim
