Juniper Firewall SSG20-WLAN for Web Servers

Hi all,

I am very unfamiliar with Juniper firewalls and this type of firewall generally, so I was after a little advice. Typically when configuring firewalls in small offices, ports are forwarded to LAN IP addresses on the network for specific services (e.g. 108.59.196.150 forwards ports 80 and 443 to 192.168.10.100).

I am currently configuring a Juniper SSG20-WLAN firewall to protect a couple of low-traffic web servers. I have a range of 4 static IP addresses from our ISP.

Should I be assigning a public IP address to the firewall and one directly to the NIC of each of the servers, rather than an internal IP on the servers and using port forwarding? It seems like that is what the Juniper expects.

Any tips on how to configure the unit would be much appreciated!

Thanks

Bob
Mango-Man asked:
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
If you only need to provide a few services with distinct ports (as in your example), using VIPs on the single public interface IP of the SSG is sufficient. I would NOT expose the web servers to the public AND internal. Using web servers with public IPs is recommended only if the web servers are located in an isolated zone, the DMZ, without having any (unprotected) access to the LAN.

VIPs are the ScreenOS way to implement "port forwarding" (in fact, it is NAT/PAT, of course).
Mango-Man (Author) commented:
Hi Qlemo,

Thanks for the response.

Both servers are completely isolated both physically and in terms of subnet - there is nothing for them to compromise, they are two virtual servers in a datacentre.

My hosting company for our main webservers always configures the ones in their datacentres with the IP directly on the NIC.

Given this, would you still recommend using VIPs?

Thanks again

Bob
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
With 4 (available) IPs, you'll be able to implement pass-thru routing for 3 web servers only. If that is sufficient, go on and keep all NICs "public".
Since you want to use web services, it doesn't make much of a difference - you'll only have 80 and 443 by default, unless you are able to provide different ports (e.g. with redirectors or links). With the default ports, you can only split one public IP address to two different web servers. Doesn't sound like it is worth the (slight) effort for implementing VIPs.

You can also use MIPs, for 1:1 mapping of public to private IPs, but I wouldn't do that either.
Mango-Man (Author) commented:
Hi Qlemo,

Many thanks for your help - I've implemented the VIPs and it's all working very well except for anything on a non-standard port. I can telnet in on all the usual ports (80, 443, etc.) but the server is running Plesk, whose admin interface runs on https://mydomain.com:8443.

We've set up the custom services for 8443 but no dice - any ideas?

Thanks again!

Bob
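For reference, the three pieces a ScreenOS VIP needs for both the standard ports from Qlemo's answer and a non-standard port like the 8443 raised in the last question: a service object, a VIP entry, and a policy that permits that service to the VIP. This is an added example, not configuration from the thread or from Juniper; it assumes the public address is the interface IP of ethernet0/0 in the Untrust zone, reuses 192.168.10.100 from the question as the server's private address, and the `#` lines are annotations rather than ScreenOS commands.

```screenos
# Constructed example. Assumed: public IP on ethernet0/0 (Untrust zone),
# web server at 192.168.10.100 (Trust zone), ScreenOS predefined HTTP/HTTPS
# service objects covering ports 80 and 443.

# 1. Custom service object for the non-standard admin port. The predefined
#    objects do not include 8443, so the VIP and the policy both need this.
set service "Plesk-8443" protocol tcp src-port 0-65535 dst-port 8443-8443

# 2. VIP entries: public port -> service object -> private host.
set interface ethernet0/0 vip interface-ip 80 HTTP 192.168.10.100
set interface ethernet0/0 vip interface-ip 443 HTTPS 192.168.10.100
set interface ethernet0/0 vip interface-ip 8443 "Plesk-8443" 192.168.10.100

# 3. Policies. A VIP entry only performs the translation; the session is
#    still dropped unless an Untrust -> Trust policy permits that exact
#    service to the VIP address object. Only the ports listed here are
#    reachable from outside, so the admin port is logged for review.
set policy from untrust to trust any vip(ethernet0/0) HTTP permit
set policy from untrust to trust any vip(ethernet0/0) HTTPS permit
set policy from untrust to trust any vip(ethernet0/0) "Plesk-8443" permit log

save
```

`get policy` lists the resulting policies so you can confirm the custom service, not just HTTP/HTTPS, is permitted to the VIP.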