SMA Deployment
SWuser_123
Newbie ✭
Hello,
We are looking into SMA as we are trying to limit SSL VPN connections to only corporate devices.
Is it able to be deployed as portrayed in the attached image?
Any other advice on the topic would be appreciated. Thanks!
Category: Secure Mobile Access Appliances
0
Best Answer
-
CORRECT ANSWER
BWC
Cybersecurity Overlord ✭✭✭
@SWuser_123 that is not the way to go, you put the SMA usually in a seperate zone like DMZ behind the Firewall. The traffic between LAN and DMZ is controlled by the TZ.
On the SMA side you have to use Endpoint Control combined with a proper Authentication to grant access only to Users and Devices of your choice.
--Michael@BWC
1
Answers
@BWC so there is no way to have it sitting on the edge of the network? I'm confused as to why it would need to be internal?
@SWuser_123 the SMA has "no" routing and security capabilities like a Firewall, look at it more as a Webserver with some bells and whistles. You wouldn't install a Webserver in front of a Firewall, would you? :)
Internal is "relative" in that situation, because it's isolated from the rest of the network by the Firewall in a seperate Zone/Subnet.
--Michael@BWC
@BWC Okay, so if I understand correctly, the traffic would flow from Outside -> TZ -> SMA -> TZ -> LAN ?
Isolated, yes. But one misconfig or vulnerability away from access? Or am I overthinking it
@SWuser_123 yes, the traffic flow is correct.
As always, Firewall configuration needs some caution but there is no alternative. Vulnerabilities with SMA are somewhat common, so always be on alert, but this counts for every externally exposed service to be fair.
You need to be careful what your SMA (or the NetExtender IP Ranges) are allowed to access in your LAN.
--Michael@BWC
@BWC very true. Thanks for the info!!