I am considering to deploy an ASA 5540 VPN to replace a current VPN3000 platform which aggregates around 1000 concurrent IPSec tunnels from Internet. Many remote stations are third parties not under IT management, so adding extra security enhancements as those offered by the CSC SSM: antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking & filtering, and content filtering-all would be really appreciated. And I have two questions:
1) The SSM Admin Guide and other docs states how to divert traffic flows from an inside user to outside through the SSM for deeper inspection. But there is nothing about diverting traffic from an ASA IPSec tunnel termination through the SSM. Is it possible?
2) As stated in the SSM User License Sizing Guidelines, the module's user licenses are not for simultaneous users, but for the total number of users whose traffic is being scanned. Therefore, Should I consider to provide an additional SSM 1000 user license to fit the 1000 concurrent IPSec tunnels expected ?
Regards in advance.