08-21-2013 04:10 PM
Folks,
I have 2 data centres to deploy a number of WSA appliances into.
I'll have 4 in each.
The IronPorts will be deployed into DMZs on an internet-facing firewall.
On my internal network I'll have a load balancer directing traffic to the appliances in both data centres.
Is there a deployment guide for such a design setting out pros and cons, or does any of you have a link to a guide?
Thanks to anyone taking the time to read this or to reply.
08-21-2013 10:48 PM
Is there a specific reason why you would want your WSA in the DMZ? Deployments where you are servicing traffic from hosts behind a different interface of the firewall are typically not supported. But if you must, can you be a little more specific as to how you will be directing the traffic via the load balancer?
-Vance
09-03-2013 05:28 AM
Vance,
Apologies for taking so long to get back to you, but I've been off on other tasks.
The proxies are in a DMZ for policy reasons, and they will also service traffic from other DMZs.
Clients will have the load balancer's IP configured as their explicit proxy and so forward all traffic, unless defined as an exception, to the load balancer.
The load balancers will then forward traffic to the upstream IronPorts using round robin or least connections as the load balancing algorithm.
I need to consider how to authenticate users from the DMZ to the internal AD servers (I may just have to open a firewall rule for specific traffic). The Context Directory Agent looks like a viable option.
At a later stage I may use the load balancer to send traffic for particular URLs to particular IronPorts.
Thanks again.
09-04-2013 09:48 PM
This is going to be a complex deployment and there are things you need to consider. I do not believe there is a guide for this.
First off, when the traffic leaves the load balancer, what source IP will it have? Clients'?
-Vance
09-05-2013 03:32 PM
Vance,
Thanks for getting back in touch.
When the traffic leaves the load balancer the source IP will be the client address.
I've installed the C670s today with M1 in my management DMZ and P1 in the proxy DMZ.
I've a bit to learn on these boxes, I think.
09-05-2013 09:37 PM
Assuming that you can overcome the challenges of crossing the security zones on your Firewall, these deployments will work. Will you be giving your Intranet full access to the DMZ? Because that's what it sounds like you will need to do with this setup.
09-06-2013 06:24 AM
Or just put the intranet as an exception either in the PAC file or browser settings.
Cheers
Chris
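Chris's exception above can be expressed in a PAC file that sends intranet destinations DIRECT and everything else to the load balancer fronting the WSAs. This is an added example, not from the thread or from Cisco; the VIP 10.0.0.10:3128, the intranet domain names and the helper functions are assumptions:

```javascript
// Added example, not from the thread: PAC file for clients that use the
// load balancer VIP as their explicit proxy, with intranet exceptions.
var PROXY_VIP = "PROXY 10.0.0.10:3128"; // hypothetical load balancer VIP
var INTRANET_DOMAINS = [".corp.example", ".intranet.example"]; // assumed names
// RFC 1918 ranges, so IP-literal requests to internal hosts stay off the proxy.
var PRIVATE_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// Plain-JS helpers so the file also runs under Node for testing. They cover
// what dnsDomainIs/isInNet would for IP literals; no DNS lookup is done.
function hostInDomain(host, domain) {
  // Leading dot in the suffix keeps "evilcorp.example" from matching ".corp.example".
  return host.length > domain.length && host.slice(-domain.length) === domain;
}
function ipToInt(ip) {
  var p = ip.split(".");
  if (p.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(p[i]) || Number(p[i]) > 255) return null;
    n = n * 256 + Number(p[i]);
  }
  return n;
}
function ipInNet(host, net, mask) {
  var h = ipToInt(host);
  if (h === null) return false; // not an IP literal, so not matched here
  var m = ipToInt(mask);
  return ((h & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT"; // unqualified internal name
  for (var i = 0; i < INTRANET_DOMAINS.length; i++) {
    if (hostInDomain(host, INTRANET_DOMAINS[i])) return "DIRECT";
  }
  for (var j = 0; j < PRIVATE_NETS.length; j++) {
    if (ipInNet(host, PRIVATE_NETS[j][0], PRIVATE_NETS[j][1])) return "DIRECT";
  }
  // Everything else goes to the load balancer in front of the WSAs. No
  // "; DIRECT" fallback: if the VIP is down, browsing fails closed rather
  // than silently bypassing the proxy policy.
  return PROXY_VIP;
}
```

Keep the exception list to the intranet domains and private ranges you actually own; every entry is traffic the WSAs will never see.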
09-08-2013 02:59 PM
Vance,
I've implemented my topology.
The internal LAN has a load balancer.
The web DMZ manages web requests.
The management DMZ handles SSH/HTTPS management requests to the box.
I now have to consider authentication methods.
I have users in a number of domains that I need to authenticate; how can I do this?
I don't want to join a domain as the C670s are in a DMZ.
Thanks again.
09-08-2013 11:54 PM
Hi,
You can configure one NTLM realm; for additional realms you will need to use LDAP.
Thanks
Chris
09-05-2013 01:07 AM
Hi,
Regarding the authentication, the thing to remember is that this all goes by the management port; I don't know what ports it uses.
Could the management port be on the internal network?
Thanks
Chris
09-05-2013 03:34 PM
mooncat76,
Thanks for your reply.
The management port has to be in the DMZ.