On Thu, 1 Sep 2011 17:45:55 -0400
Rafael Rodriguez <packetjoc...@gmail.com> wrote:

> I recommend you look into the Juniper SSL VPN products (SA Series). Very 
> powerful boxes, intuitive admin interface (web driven), and perfect for the 
> "Vendor Access" type of application.

They work fine (mostly), but your definition of intuitive obviously does
not coincide with mine.

> 
> Sent from my iPhone
> 
> On Sep 1, 2011, at 16:30, "Jones, Barry" <bejo...@semprautilities.com> wrote:
> 
> > 
> > Hello all.
> > I am looking at a variety of systems/methods to provide (vendor, employee) 
> > access into my dmz's. I want to reduce the FW rule sets and connections to 
> > as minimal as possible. And I want the accessing party to only get to the 
> > destination I define (like a fw rule).
> > 
> > When I refer to access, I'm referring to the ability of a vendor or 
> > employee to perform maintenance tasks on a server(s). The server(s) will be 
> > running apps for doing different tasks - such as Shavlik, etc. 
> > (patching, reports, logging, etc.), so I am envisioning allowing an 
> > outside vendor/employee (from the internet or corp. net) to RDP or SSH to a 
> > given Windows- or Unix-based machine, then perform their application work 
> > from that jumping-off point - kind of like a terminal server; but I'd like 
> > to control and audit the sessions as well.
> > 
> > Overall, I can allow a host/port through the FW to a single host, but I 
> > wanted to be able to do the session management and endpoint controls. FWs 
> > are OK, but you know as well as I that I now deal with lots of rule sets. 
> > And I need to also authenticate the user.
> > 
> > We are a couple smaller facilities (150 hosts each) and I need to be able 
> > to control and audit the sessions when requested. I have considered doing a 
> > meetingplace server, then providing escorted access for them, or doing just 
> > the FW and a "jump" host - but need the endpoint and session solution, or 
> > just using VPN - but don't want to install a host on the vendor machines. I 
> > also have looked at a product called EDMZ - wondered if anyone had 
> > experience with it?
> > 
> > And did I say I wanted to keep it as simple as possible? :-) It's been a 
> > few years since I've done hands-on networking work, so excuse the 
> > long-winded letter. Feel free to email me directly too.
> > 
> > Sincerely
> > Barry Jones
> > CISSP, GSNA
> 
-- 
john
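The "FW plus a jump host" option Barry describes (the accessing party lands on one host and can only reach the destination the rule defines, with the session authenticated and logged) can be expressed directly in OpenSSH's `sshd_config` on the jump host. The fragment below is an added example for this thread, not something either poster supplied; the group name `vendors`, the destination `10.20.30.40:3389` and the account name `vendor-acme` in the usage note are placeholders.

```text
# Added example (not from the thread): lock a vendor group on an OpenSSH
# jump host to a single destination host/port and log what the session does.
# "vendors" and 10.20.30.40:3389 are placeholder values.

# VERBOSE logs the key fingerprint used to log in and each forwarded
# channel that is opened, which gives the audit trail per session.
LogLevel VERBOSE

Match Group vendors
    # Require a key AND a second factor (password or a PAM-backed OTP),
    # so a lost laptop key alone is not enough.
    AuthenticationMethods publickey,keyboard-interactive

    # Only a local forward to the one destination the "rule" allows;
    # every other target is refused by sshd, not by a separate FW rule.
    AllowTcpForwarding local
    PermitOpen 10.20.30.40:3389

    # No other channel types: no X11, no agent, no layer-3 tunnel.
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no

    # No interactive shell on the jump host itself.
    PermitTTY no
    ForceCommand /bin/false
```

With this in place the vendor connects with `ssh -N -L 3389:10.20.30.40:3389 vendor-acme@jumphost` and points their RDP client at `localhost:3389`; `-N` asks for no shell, so only the permitted forward is set up. Any attempt to open a channel to another host shows up in the sshd log as a refused `PermitOpen` request, and the login line records which key was used. The same `Match` block can name a Unix host on port 22 instead of an RDP port for the SSH-maintenance case in the original question.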