
Juniper Firewall SSG20-WLAN for Web Servers

Hi all,

I am very unfamiliar with Juniper firewalls and this type of firewall generally so was after a little advice. Typically when configuring firewalls in small offices, ports are forwarded to LAN IP addresses on the network for specific services (e.g. 108.59.196.150 forwards port 80 and 443 to 192.168.10.100).

I am currently configuring a Juniper SSG20-WLAN firewall to protect a couple of low traffic web servers.  I have a range of 4 static IP addresses from our ISP.

Should I be assigning a public IP address to the firewall and one directly to the NIC of each of the servers rather than an internal IP on the servers and using port forwarding? It seems like that is what the Juniper expects.

Any tips on how to configure the unit would be much appreciated!

Thanks

Bob
Asked by Mango-Man
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
If you only need to provide a few services with distinct ports (as in your example), using VIPs on the single public interface IP of the SSG is sufficient. I would NOT expose the web servers to the public AND internal. Using web servers with public IPs is recommended only if the web servers are located in an isolated zone, the DMZ, without having any (unprotected) access to the LAN.

VIPs are the ScreenOS way to implement "port forwarding" (in fact, it is NAT/PAT, of course).
 
Mango-Man (Author) commented:
Hi Qlemo,

Thanks for the response.

Both servers are completely isolated both physically and in terms of subnet - there is nothing for them to compromise, they are two virtual servers in a datacentre.

My hosting company for our main webservers always configures the ones in their datacentres with the IP directly on the NIC.

Given this, would you still recommend using VIPs?

Thanks again

Bob
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
With 4 (available) IPs, you'll be able to implement pass-thru routing for 3 web servers only. If that is sufficient, go on and keep all NICs "public".
Since you want to use web services, it doesn't make much of a difference - you'll only have 80 and 443 by default, unless you are able to provide different ports (e.g. with redirectors or links). With the default ports, you can only split one public IP address to two different web servers. Doesn't sound like it is worth the (slight) effort of implementing VIPs.

You can also use MIPs, for 1:1 mapping of public to private IPs, but I wouldn't do that either.
 
Mango-Man (Author) commented:
Hi Qlemo,

Many thanks for your help - I've implemented the VIPs and it's all working very well except for anything on a non-standard port. I can telnet in on all the usual ports (80, 443, etc.) but the server is running Plesk, whose admin interface runs on https://mydomain.com:8443.

We've set up the custom services for 8443 but no dice - any ideas?

Thanks again!

Bob
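The thread never shows the actual ScreenOS configuration behind Qlemo's VIP recommendation or the 8443 custom service Bob says he created, so here is an added worked example (written for this page, not code from either participant or from Juniper). It reuses the question's addresses (public 108.59.196.150 and internal 192.168.10.100) and assumes the untrust interface is ethernet0/0, the web server sits in the built-in DMZ zone as Qlemo advises, and a second public address 108.59.196.151 is free for the MIP alternative; all of those are assumptions. A VIP needs three things: a service object for the port, a VIP entry mapping that service to the internal host, and a policy from Untrust to the server's zone whose destination is the VIP address object. A custom service that exists but is referenced by neither a VIP entry nor a policy is the usual reason a non-standard port "passes telnet on 80 but not on 8443".

```text
## Built-in services are enough for the default web ports
set interface ethernet0/0 vip interface-ip 80 "HTTP" 192.168.10.100
set interface ethernet0/0 vip interface-ip 443 "HTTPS" 192.168.10.100

## Non-standard port (Plesk admin UI): define the service first,
## then the VIP entry, then the policy. The service name is assumed.
set service "PLESK-8443" protocol tcp src-port 0-65535 dst-port 8443-8443
set interface ethernet0/0 vip interface-ip 8443 "PLESK-8443" 192.168.10.100

## Policies: destination is the VIP address object, not the host IP
set policy from "Untrust" to "DMZ" "Any" "VIP(ethernet0/0)" "HTTP" permit
set policy from "Untrust" to "DMZ" "Any" "VIP(ethernet0/0)" "HTTPS" permit
set policy from "Untrust" to "DMZ" "Any" "VIP(ethernet0/0)" "PLESK-8443" permit

## Alternative Qlemo mentions: a MIP is a 1:1 public-to-private mapping
## that exposes every port the policy allows (assumed second address)
set interface ethernet0/0 mip 108.59.196.151 host 192.168.10.101 netmask 255.255.255.255 vr trust-vr
set policy from "Untrust" to "DMZ" "Any" "MIP(108.59.196.151)" "HTTPS" permit

## Checks: confirm the VIP table, the service object and the policies
get interface ethernet0/0
get service "PLESK-8443"
get policy from "Untrust" to "DMZ"
save
```

Two caveats a practitioner would apply here. First, the policy is where the exposure is decided: with a VIP, only the listed ports reach 192.168.10.100, which is the property Qlemo was arguing for over putting public IPs on the NICs; a MIP or pass-through public IP exposes whatever the host listens on unless the policy is equally narrow. Second, the management interface on 8443 is an administrative service, so restricting the source in that policy to known admin addresses (replace "Any" with an address object) is cheaper than doing it on the Plesk host afterwards.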
 