
Thread: Untangle DMZ

  1. #1
    Newbie
    Join Date
    May 2015
    Posts
    6

    Untangle DMZ

    Hi

    Does Untangle support an enterprise DMZ configuration with two sets of appliances, rather than configuring the DMZ off another interface on a single set of appliances? By set I mean an HA pair; therefore four Untangle appliances in total. This is to have an additional layer of physical separation between the two layers.

    Also, different modules will be enabled in each set. For example, anti-virus and web filtering will only be enabled on the edge appliances, while IPS will be enabled on both the edge appliances and the internal firewall.

    Truly,
    Ramya
    Last edited by esix; 05-09-2015 at 08:52 AM.

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    With VRRP routed configuration, yes.
    As a bridged configuration, no.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    May 2015
    Posts
    6


    dmorris,

    Many thanks for the quick reply. It won't be a bridged configuration. This will be a green-field setup, i.e. from scratch, with no existing devices. VRRP may be used for HA; true.

    Can you confirm the second part, please? i.e. one pair for the external firewall and another for the internal firewall. There used to be some restrictions earlier, where some features of Untangle required it to be functioning as the default gateway. This may not be the case with such a design.

    I am involved in developing the solution for a client and looking at Untangle as a possible alternative to Checkpoint.

    Truly,
    Ramya

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Originally Posted by esix:

    > Can you confirm the second part, please? i.e. one pair for the external firewall and another for the internal firewall. There used to be some restrictions earlier, where some features of Untangle required it to be functioning as the default gateway. This may not be the case with such a design.
    Sorry, I have no idea what this means. Untangle filters both inbound and outbound traffic. There is no need for an inbound Untangle and an outbound Untangle. The VRRP documentation describes how to configure it for failover: http://wiki.untangle.com/index.php/N...mbined_Example

    Untangle must be in-line, yes. http://wiki.untangle.com/index.php/N...Cardinal_Rules
    Usually that means being the gateway.

  5. #5
    Newbie
    Join Date
    May 2015
    Posts
    6


    dmorris,

    Thanks. This is not what I mean. Allow me to explain, please.

    Internet > Router > Untangle HA (VRRP) > DMZ servers (DNS, SMTP, web proxy, etc.) > Untangle HA (VRRP) > Server farm (AD, Exchange, DHCP, SharePoint, etc.) > Separate VLAN for clients, etc.

    The first set of Untangle HA is the external firewall for the perimeter, and the second set of Untangle HA is the internal firewall. I will post a picture later if required.

    Does this explain? Thanks.

    Truly,
    Ramya

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    I guess, but you could do the same thing with much less complexity and expense with just one Untangle.

  7. #7
    Newbie
    Join Date
    May 2015
    Posts
    6


    dmorris,

    Yes, you could, by defining the DMZ on another interface of the external firewall. However, this would make the external firewall a SPOF. Also, the customer requires a layered architecture for better security.

    Is this supported? Do you know if others have used Untangle this way?

    Truly,
    Ramya

  8. #8
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Originally Posted by esix:

    > dmorris,
    > However, this would make the external firewall a SPOF. Also, the customer requires a layered architecture for better security.
    Not if you use VRRP. Then you have two Untangles with three interfaces each, instead of four Untangles with two interfaces each.

    Just my 2 cents. I obviously don't know your network or what constraints you are working with.

  9. #9
    Newbie
    Join Date
    May 2015
    Posts
    6


    dmorris,

    Thanks. The thinking goes that if this single device or pair of devices is compromised, that puts the entire network at risk.

    In the layered approach you have another layer of protection, where the internal pair of devices protects your server farm. Does this explain?

    Truly,
    Ramya
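To make the trade-off argued in posts #5, #8 and #9 concrete, here is an added example that is not part of the thread and is not Untangle configuration: a small Python model of the two designs as network zones joined by firewall policies. It treats each VRRP pair as one logical firewall (failover duplicates availability, not policy isolation), assumes a compromised firewall stops enforcing its ruleset, and only asks which zones a host can initiate connections to; zone names, firewall names and the rule sets are constructed for the illustration. It shows that the single three-interface design and the two-tier design expose the same zones while both are intact, and differ only once the edge firewall itself is compromised, which is the case Ramya is designing for.

```python
from collections import deque

# Zone labels for the topology described in post #5 (constructed for this model).
INTERNET, DMZ, SERVERS = "internet", "dmz", "servers"


class Firewall:
    """One logical firewall. A VRRP pair is modelled as a single unit, since
    failover duplicates availability but not policy isolation."""

    def __init__(self, name, zones, allowed):
        self.name = name
        self.zones = frozenset(zones)      # zones attached to its interfaces
        self.allowed = frozenset(allowed)  # (src_zone, dst_zone) pairs the policy permits

    def forwards(self, src, dst, compromised):
        """Can a host in src initiate a connection to dst through this box?"""
        if src == dst or src not in self.zones or dst not in self.zones:
            return False
        if self.name in compromised:
            # Model assumption: a compromised box no longer enforces its
            # ruleset, so anything between its attached zones passes.
            return True
        return (src, dst) in self.allowed


def single_tier():
    """Design from post #8: one HA pair with three interfaces (WAN, DMZ, LAN)."""
    return [Firewall("edge", [INTERNET, DMZ, SERVERS], [
        (INTERNET, DMZ),      # published DMZ services (DNS, SMTP, proxy)
        (DMZ, INTERNET),      # DMZ hosts reach out (updates, outbound mail)
        (SERVERS, DMZ),       # server farm uses the DMZ relay/proxy
        (SERVERS, INTERNET),
    ])]


def two_tier():
    """Design from post #5: an external pair and an internal pair in series.
    The DMZ is the only path between the Internet and the server farm."""
    return [
        Firewall("external", [INTERNET, DMZ], [(INTERNET, DMZ), (DMZ, INTERNET)]),
        Firewall("internal", [DMZ, SERVERS], [(SERVERS, DMZ)]),  # nothing initiated inward
    ]


def reachable(start, firewalls, compromised=frozenset()):
    """Breadth-first search over zones: every zone a host in `start` can
    initiate connections to, given the names of compromised firewalls."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for fw in firewalls:
            for dst in fw.zones:
                if dst not in seen and fw.forwards(zone, dst, compromised):
                    seen.add(dst)
                    queue.append(dst)
    return seen


def exposure(firewalls, compromised=frozenset(), start=INTERNET):
    """Sorted list of zones reachable from `start` (the Internet by default)."""
    return sorted(reachable(start, firewalls, frozenset(compromised)))


if __name__ == "__main__":
    scenarios = [
        ("single tier, intact", single_tier(), set()),
        ("single tier, edge compromised", single_tier(), {"edge"}),
        ("two tier, intact", two_tier(), set()),
        ("two tier, external compromised", two_tier(), {"external"}),
        ("two tier, both compromised", two_tier(), {"external", "internal"}),
    ]
    for label, design, lost in scenarios:
        print(f"{label:32} -> reachable from Internet: {exposure(design, lost)}")
```

Running the block prints one line per scenario. The interesting pair is "single tier, edge compromised", where the server farm becomes reachable, against "two tier, external compromised", where it does not; that difference is the extra layer post #9 asks for, and the price is the second pair of boxes post #8 objects to. A foothold on a DMZ host (start the search from `DMZ`) reaches the same zones in both designs, because in both the rule set, not the box count, is what keeps the DMZ from initiating connections inward.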
