I have 2 data centres to deploy a number of WSA appliances into
I'll have 4 in each
The IronPorts will be deployed into DMZs on an internet-facing firewall
On my internal network I'll have a load balancer directing traffic to the appliances in both data centres
Is there a deployment guide for such a design setting out pros and cons, or do any of you have a link to a guide?
Thanks to anyone taking the time to read this or to reply
Is there a specific reason why you would want your WSA in the DMZ? Deployments where you are servicing traffic from hosts behind a different interface of the firewall are typically not supported. But if you must, can you be a little more specific as to how you will be directing the traffic via the load balancer?
Apologies for taking so long to get to you, but I've been off on other tasks
The proxies are in a DMZ for policy reasons and they will also service traffic from other DMZs
Clients will have the load balancer's IP configured as their explicit proxy and so forward all traffic, unless defined as an exception, to the load balancer
The load balancers will then forward traffic to the upstream IronPorts using round robin or least connections as the load balancing algorithm
I need to consider how to authenticate users from the DMZ to the internal AD servers (I may just have to open a firewall rule for specific traffic). The Context Directory Agent looks like a viable option
At a later stage I may use the load balancer to send traffic for particular URLs to particular IronPorts
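As an added illustration of the client side of the explicit-proxy setup described in this post (not code from the thread or from Cisco), here is a PAC file that sends everything to the load balancer except the defined exceptions. The load balancer VIP 10.0.0.50, the listener port 3128 and the internal domain corp.example are assumptions; the helper functions are minimal stand-ins for the ones browsers provide natively so the file can be exercised outside a browser.

```javascript
// Added example: PAC file for clients that should use the load balancer as
// their explicit proxy for all traffic unless the destination is an exception.
// The VIP, port and internal domain are assumed values, not from the thread.
var LB_PROXY = "PROXY 10.0.0.50:3128"; // assumed load-balancer VIP + WSA listener port
var DIRECT = "DIRECT";

// Stand-ins for browser-provided PAC helpers, so this runs under node too.
// Note: the real isInNet() resolves hostnames; this literal version only
// matches dotted-quad hosts and never triggers DNS lookups.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  var bare = domain.charAt(0) === "." ? domain.substring(1) : domain;
  return host === bare || host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  var parts = ip.split("."), n = 0;
  for (var i = 0; i < 4; i++) { n = (n << 8) + parseInt(parts[i], 10); }
  return n >>> 0;
}
function isInNetLiteral(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Exceptions: intranet short names, the internal domain, loopback and
  // RFC1918 destinations bypass the proxy and go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return DIRECT;
  if (isInNetLiteral(host, "127.0.0.0", "255.0.0.0")) return DIRECT;
  if (isInNetLiteral(host, "10.0.0.0", "255.0.0.0")) return DIRECT;
  if (isInNetLiteral(host, "172.16.0.0", "255.240.0.0")) return DIRECT;
  if (isInNetLiteral(host, "192.168.0.0", "255.255.0.0")) return DIRECT;
  // Everything else goes to the load balancer, which spreads it across the WSAs.
  return LB_PROXY;
}
```

Because the load balancer preserves the client source address (as noted later in the thread), the WSA still sees the real client IP in its access logs and for identification policies.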
This is going to be a complex deployment and there are things you need to consider. I do not believe there is a guide for this.
First off, when the traffic leaves the load balancer, what source IP will it have? Clients'?
Thanks for getting back in touch
When the traffic leaves the load balancer the source IP will be the client address
I've installed the C670s today with M1 in my management DMZ and P1 in the proxy DMZ
I've a bit to learn on these boxes, I think
Assuming that you can overcome the challenges of crossing the security zones on your Firewall, these deployments will work. Will you be giving your Intranet full access to the DMZ? Because that's what it sounds like you will need to do with this setup.
I've implemented my topology
The internal LAN has a load balancer
The web DMZ manages web requests
The management DMZ handles SSH/HTTPS management requests to the box
I now have to consider authentication methods
I have users in a number of domains that I need to authenticate; how can I do this?
I don't want to join a domain as the C670s are in a DMZ
Regarding the authentication, the thing to remember is that this all goes via the management port. I don't know what ports it uses.
Could the management port be on the internal network?