Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
413
Views
5
Helpful
5
Replies

Where to place a Concentrator on the Network?

whiteford
Level 1
Level 1

‎09-28-2006 04:14 AM - edited ‎03-09-2019 04:20 PM

We are thinking of putting our Concentrator on our DMZ (on a Pix) so we can block ports and basically use the firewall rules. Is the the usual place to put one?

Labels:
0 Helpful
5 Replies 5

pthomsett
Level 1
Level 1

‎09-28-2006 04:24 AM

The position of both public and private interfaces is debatable. I have implimented a number for different customers and installed both with the outside interface directly on the outside of the firewall and in a DMZ, also with the inside interface on the inside of the network or in a dmz. This has mainly been dependent on the customers attitude to security and a number of other things such as possible loading on the firewall or large number of rule changes needed.

As the concentrator outside interface is hardened there is not a problem placing it on the outside of the firewall. Like wise as you can control policy to a degree on the concentrator, placing the inside interface directly on the inside of the network shouldnt be a problem either (unless you possibly want to restrict access based on differing IP pools.

So in short there is no right or wrong way, I wasnt sure from your initial question if it was your inside or outside interface of the concentrator that you was placing in the firewall dmz.

whiteford
Level 1
Level 1
In response to pthomsett

‎09-28-2006 05:04 AM

Thanks for the reply, currently our public port is placed on the outside and the private is placed into the inside LAN switch. Just not sure if this is ok or not. It all was fine, but not sure about security? What is the External port for?

0 Helpful

pthomsett
Level 1
Level 1
In response to whiteford

‎10-04-2006 06:36 AM

Sorry for the delay, just seen your additional question. The external port can be used to setup Extranet access to say a 3rd party, ie. can be used as an additional public interface.

0 Helpful

gweatherford
Level 1
Level 1

‎11-08-2006 11:56 AM

Our implementation has the outside interface on the internet and the inside interface on the LAN. However, we recently performed a security scan on our outside networks and found that the concentrator is adminstrativly available from the outside. We are not sure if this is on by default or what configuration change caused this. Our rule in the outside filter states that HTTP and HTTPs are not allowed. Do any of you have any ideas how I can kill this service to the outside?

0 Helpful

TimACOX33
Level 1
Level 1
In response to gweatherford

‎11-29-2006 11:20 AM

In the Interface configuration go to the WebVPN tab and uncheck "Allow Management HPPS sessions" on your public interface. hth

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents