05.09.2008 at 02:16AM PDT, ID: 23388731 | Points: 500
Setting up Juniper firewall to replace proxy server
Tags: Juniper, Firewall, SSG 140, Windows server 2003, proxy server
At work I have one server (Windows 2003 SBS) which runs Exchange 2003 and ISA 2004. The server has two NIC cards, one set to the local network (plugs straight into the local NETGEAR switch) and the other directly into a BT modem which dynamically sets a public IP address. This public IP address allows VPN access directly to the server as well as access to Outlook Web Access. We don't host our email domain, but the server's public IP is authenticated to send mail from our parent company via FQDN, DNS forward and reverse lookup and SPF.

I have decided to remove the software firewall and install a hardware firewall to sit between the server and the Internet. Our parent company's preference is to go with Juniper firewalls, in preference to Cisco, thus I have purchased a Juniper SSG 140.

My initial plan is to plug the Juniper into the trusted network (NETGEAR) and Internet (un-trusted) via the BT modem.

My question is: do I need to assign a second public IP for the Juniper server? I have tried plugging the Juniper into the BT modem, and the IP assigned from the BT modem is a private and not publicly accessible IP. I have also tried statically assigning the server's public IP to the Juniper to see if it would be accessible from the Internet, but it was not.

Ultimately what I am trying to do is enable the Juniper as the firewall for my network which allows:

1) VPN access to the network. I have set up the VPN users on the Juniper.
2) Continue to allow OWA. Currently utilised via the server's public IP.
3) Outgoing email must be authenticated against the server's public IP. Some spam filters check the originating server of emails against registered servers, thus I need to retain the server's public IP in this fashion.
4) Enable Internet access straight to the Juniper instead of via server proxy.

Any comments would be appreciated.
Question Stats
Zone: Software
Question Asked By: DHPBilcare
Question Asked On: 05.09.2008
Participating Experts: 1
Points: 500
Views: 0
05.11.2008 at 05:13PM PDT, ID: 21544019
I strongly recommend that you register on the Juniper website, register your products (this will be necessary for getting the firmware updates and so on) and get the Concepts and Examples guide.
Although the PDF is big (more than 2000 pages), just read the main thing, such as the architecture concept (around 200 or 300 pages), and you will see much better how things work. Afterwards you can pick up the information you need from the rest of the big book.
Now, to answer your needs, you need to define a DMZ:
BT modem <-> Juniper <-> ISA <-> LAN.
Now it's up to you whether you need to define the gateway for everyone on the ISA or just for the needed service; you can just enable the gateway (to use the ISA server as a gateway after enabling the routing) for the needed servers.
In this case, it would make something like that:
BT modem (111.111.111.1/32) <-> (WAN=eth3 111.111.111.2/32) Juniper (DMZ=eth4 10.200.0.1/24) (LAN=10.10.0.1/24) <-> (DMZ=eth1 10.200.0.10/24) ISA (LAN=eth2 10.10.20.10/16).
And afterwards on your servers 10.10.20.* you can use the ISA as gateway, while still using the LAN interface of the Juniper for your workstations... depends on your needs!
(Your modem can have a transparent IP, and you can use the WAN IP directly as well, etc etc...)
Of course, split domain routing is recommended, etc etc... but it's quite a long story to explain everything, that's why it would be very good for you to understand the ScreenOS architecture first of all! :)
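The answer above gives an addressing plan for the modem / Juniper / ISA / LAN chain and then notes that routing is where the work is. Before committing such a plan, a practitioner would sanity-check it: do both ends of every link share a prefix, is each host's default gateway actually on-link, and does the firewall's route table send server traffic via the ISA and workstation traffic out its own LAN interface? The script below is an added example (not from the thread, and not Juniper or ISA code): it loads the exact addresses from the answer, runs those checks with Python's `ipaddress` module, and resolves a few destinations against a constructed Juniper route table that is an assumption based on the "ISA as gateway for 10.10.20.*" design the answer describes.

```python
"""Sanity-check a modem / firewall / DMZ / LAN addressing plan.

Added example, not from the original thread. The interface names and
addresses in PLAN are copied from the answer above; JUNIPER_ROUTES is an
assumed route table built to match the design the answer sketches.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    device: str
    name: str
    cidr: str          # address with prefix, e.g. "10.200.0.1/24"

    @property
    def addr(self):
        return ipaddress.ip_interface(self.cidr)


# Each segment lists the interfaces that are supposed to share one link.
PLAN = {
    "WAN": [Iface("BT modem", "lan", "111.111.111.1/32"),
            Iface("Juniper", "eth3", "111.111.111.2/32")],
    "DMZ": [Iface("Juniper", "eth4", "10.200.0.1/24"),
            Iface("ISA", "eth1", "10.200.0.10/24")],
    "LAN": [Iface("Juniper", "lan", "10.10.0.1/24"),
            Iface("ISA", "eth2", "10.10.20.10/16")],
}

# Assumed Juniper route table (prefix, next hop): connected networks plus a
# static route that sends the server range to the ISA's DMZ address and a
# default route to the modem.
JUNIPER_ROUTES = [
    ("10.10.0.0/24", "connected LAN"),
    ("10.200.0.0/24", "connected DMZ"),
    ("10.10.0.0/16", "10.200.0.10"),
    ("0.0.0.0/0", "111.111.111.1"),
]


def link_mismatches(plan):
    """Return (segment, cidr_a, cidr_b) for every link whose two ends
    disagree on the subnet; such ends cannot ARP for each other."""
    found = []
    for seg, ifaces in plan.items():
        for i, a in enumerate(ifaces):
            for b in ifaces[i + 1:]:
                if a.addr.network != b.addr.network:
                    found.append((seg, a.cidr, b.cidr))
    return found


def gateway_on_link(host_cidr, gateway_ip):
    """A default gateway must lie inside the host's own prefix."""
    return ipaddress.ip_address(gateway_ip) in ipaddress.ip_interface(host_cidr).network


def longest_prefix_match(routes, dst):
    """Resolve dst the way a router does: most specific matching prefix wins.
    Returns (prefix, next_hop) or None when no route covers dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prefix, next_hop)
    return (best[1], best[2]) if best else None


def report(plan=PLAN, routes=JUNIPER_ROUTES):
    """Human-readable summary of the checks above (for stand-alone runs)."""
    lines = []
    for seg, a, b in link_mismatches(plan):
        lines.append(f"review {seg}: {a} and {b} are not in one subnet")
    lines.append(f"ISA gateway on-link: {gateway_on_link('10.200.0.10/24', '10.200.0.1')}")
    for dst in ("10.10.20.5", "10.10.0.50", "8.8.8.8"):
        lines.append(f"Juniper routes {dst} via {longest_prefix_match(routes, dst)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running it flags the WAN pair (two /32 addresses do not form a shared link) and the LAN pair (a /24 on the Juniper against a /16 on the ISA) for review, while the DMZ link and the ISA's gateway check pass; the route lookups show why the split design works at all: 10.10.20.5 matches the /16 route via the ISA, whereas 10.10.0.50 hits the more specific connected /24 and leaves the Juniper's own LAN interface.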