If you also want to control where they go from the jump box, you might want to look at http://www.xceedium.com/en/index.php as they claim to add rules to what a remotely logged in user can do.
Juniper SA is very nice and gets intuitive after you familiarize yourself with its workflow, which is a pain if you're new to the box.

On Fri, Sep 2, 2011 at 15:21, John Peach <john-na...@johnpeach.com> wrote:

> On Thu, 1 Sep 2011 17:45:55 -0400
> Rafael Rodriguez <packetjoc...@gmail.com> wrote:
>
>> I recommend you look into the Juniper SSL VPN products (SA Series). Very powerful boxes, intuitive admin interface (web driven) and are perfect for the "Vendor Access" type of applications.
>
> They work fine (mostly), but your definition of intuitive obviously does not coincide with mine.
>
>> Sent from my iPhone
>>
>> On Sep 1, 2011, at 16:30, "Jones, Barry" <bejo...@semprautilities.com> wrote:
>>
>> > Hello all.
>> > I am looking at a variety of systems/methods to provide (vendor, employee) access into my DMZs. I want to reduce the FW rule sets and connections to as minimal as possible. And I want the accessing party to only get to the destination I define (like a FW rule).
>> >
>> > When I refer to access, I'm referring to the ability of a vendor or employee to perform maintenance tasks on a server(s). The server(s) will be running apps for doing different tasks - such as Shavlik, etc. (patching, reports, logging, etc.), so I am envisioning allowing an outside vendor/employee (from the internet or corp. net) to RDP or SSH to a given Windows or Unix based machine, then perform their application work from that jumping off point - kind of like a terminal server; but I'd like to control and audit the sessions as well.
>> >
>> > Overall, I can allow a host/port through the FW to a single host, but I wanted to be able to do the session management and endpoint controls. FWs are OK, but you know as well as I that I now deal with lots of rule sets. And I need to also authenticate the user.
>> >
>> > We are a couple of smaller facilities (150 hosts each) and I need to be able to control and audit the sessions when requested. I have considered doing a MeetingPlace server, then providing escorted access for them, or doing just the FW and a "jump" host - but need the endpoint and session solution, or just using VPN - but don't want to install a host on the vendor machines. I also have looked at a product called EDMZ - wondered if anyone had experience with it?
>> >
>> > And did I say I wanted to keep it as simple as possible? :-) It's been a few years since I've done hands-on networking work, so excuse the long-winded letter. Feel free to email me directly too.
>> >
>> > Sincerely
>> > Barry Jones
>> > CISSP, GSNA
>
> --
> john