If you also want to control where they go from the jump box, you might want to look at http://www.xceedium.com/en/index.php as they claim to add rules to what a remotely logged in user can do. Juniper SA is very nice and get's intuitive after you familiriaze yourself with it's workflow which is a pain if you're new to the box. On Fri, Sep 2, 2011 at 15:21, John Peach <john-nanog@johnpeach.com> wrote:
On Thu, 1 Sep 2011 17:45:55 -0400 Rafael Rodriguez <packetjockey@gmail.com> wrote:
I recommend you look into the Juniper SSL VPN products (SA Series). Very power boxes, intuitive admin interface (web driven) and are perfect for the "Vendor Access" type of applications.
They work fine (mostly), but your definition of intuitive obviously does not coincide with mine.
Sent from my iPhone
On Sep 1, 2011, at 16:30, "Jones, Barry" <BEJones@semprautilities.com> wrote:
Hello all. I am looking at a variety of systems/methods to provide (vendor, employee) access into my dmz's. I want to reduce the FW rule sets and connections to as minimal as possible. And I want the accessing party to only get to the destination I define (like a fw rule).
When I refer to access, I'm referring to the ability of a vendor or employee to perform maintenance tasks on a server(s). The server(s) will be running apps for doing different tasks - such as Shavlik, etc.., (patching, reports, logging, etc..), so I am envisioning allowing an outside vendor/employee (from the internet or corp. net) to RDP or SSH to a given Windows or Unix based machines, then perform their application work from that jumping off point - kind of like a terminal server; but I'd like to control and audit the sessions as well.
Overall, I can allow a host/port through the FW to a single host, but I wanted to be able to do the session management and endpoint controls. FW's are ok, but you know as well as I that I now deal with lots of rules sets. And I need to also authenticate the user.
We are a couple smaller facilities (150 hosts each) and I need to be able to control and audit the sessions when requested. I have considered doing a meetingplace server, then providing escorted access for them, or doing just the FW and a "jump" host - but need the endpoint and session solution, or just using VPN - but don't want to install a host on the vendor machines. I also have looked at a product called EDMZ - wondered if anyone had experience with it?
And did I say I wanted to keep it as simple as possible? :-) It's been a few years since I've done hands-on networking work, so excuse the long-winded letter. Feel free to email me directly too.
Sincerely Barry Jones CISSP, GSNA
-- john