I need your practical experience and do's and do-not's on the
following matter.
We are in the process of getting a new network setup.
What would be best practice for getting GroupWise WebAccess and a secure
login from the internet (home) to the internal network?
a) home >> internet >> Cisco Pix >> dmz GWWA
>> BM >> lan
or
b) home >> internet >> BM >> GWWA >> Cisco Pix >> lan
or
c) home >> internet >> BM (2 NICs) >> dmz GWWA
>> Cisco Pix >> lan
TIA
John Destreel
The question I ask is: do you want to only let users access WebAccess via
VPN? If so, that will severely restrict its usefulness, as you would
obviously need a VPN client on any host you want to get to WebAccess with...
this would eliminate access from Palms, etc.
In my opinion, if you secure WebAccess with SSL there's no need to then put
it behind a VPN as well.
--
Jim
NSC Sysop
It seems all your scenarios involve putting a PIX somewhere. If you
are going to do this, the situation I see most often is with the PIX
between the Internet and a DMZ segment, and the BMgr server between the
DMZ and the LAN.
The BMgr server should have a public IP address in this case, for best
results.
However, there may be something to be said for having the PIX between
the LAN and DMZ, for this reason: it is more capable in the NAT area,
and if it has multiple public IP addresses, you could do things like
support H.323 (conferencing) that you might not be able to do
otherwise. A drawback here is that anything related to logging into
the BMgr server, using proxy authentication, or the BMgr server being
in the same tree as servers in the LAN requires NDS packets to be
passed into the DMZ, and probably to be initiated from the BMgr server
into the LAN. This sort of makes a hole in a DMZ concept, as the BMgr
server would not be truly isolated.
Either approach would work.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***