Pure Remote Access Deployment

In some instances, the scale of the Remote AP solution or security requirements dictate that the internal Mobility Controllers serving campus users should not be used for termination of wide-area APs. Typically this means that dedicated Mobility Controllers are placed in the Demilitarized Zone (DMZ) of the network. These Mobility Controllers are solely responsible for terminating RAP and IPSec connections from users.

In this scenario it is important that controllers be highly available because Remote AP functionality is delivered as an “always-on” service. The controllers in this reference architecture are often deployed in Master/Local clusters of two controllers using Active-Active redundancy. These devices also typically straddle the corporate firewall to provide access back into the enterprise just as a typical IPSec concentrator would.

Figure 5: Remote access Mobility Controllers sit in the network DMZ (diagram labels: Internet, DMZ, Corporate)

When using standalone remote access Mobility Controllers, it is highly advised that MMS be used in the network to provide configuration. This ensures that all controllers receive the same user roles and firewall policy, which is critical so that the user experiences the same privilege level on the Remote AP as they would on the corporate WLAN.
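The requirement above, that every controller carry the same user roles and firewall policy, can be spot-checked by comparing configuration exports. The following is an added example, not taken from the design guide: it assumes text exports with ArubaOS-style `user-role` and `ip access-list session` blocks, and the sample configurations and function names are constructed for illustration.

```python
import hashlib
# Constructed exports in ArubaOS-style syntax (assumed format; not from the guide).
CONTROLLER_A = """\
ip access-list session corp-access
  user any any permit
!
user-role employee
  session-acl corp-access
!
user-role guest
  session-acl guest-web
!
"""
CONTROLLER_B = """\
ip access-list session corp-access
  user any any permit
  any any svc-telnet permit
!
user-role employee
  session-acl corp-access
!
"""
POLICY_PREFIXES = ("user-role ", "ip access-list session ")

def policy_blocks(config_text):
    """Map each role/ACL header to a digest of its body (rule order is kept)."""
    blocks, header, body = {}, None, []
    for raw in config_text.splitlines() + ["!"]:  # sentinel closes the last block
        line = raw.strip()
        if header and (line == "!" or (line and not raw[0].isspace())):
            blocks[header] = hashlib.sha256("\n".join(body).encode()).hexdigest()
            header, body = None, []
        if line.startswith(POLICY_PREFIXES):
            header = line
        elif header and line:
            body.append(" ".join(line.split()))  # normalize whitespace only
    return blocks

def policy_drift(config_a, config_b):
    """Report roles/ACLs missing from one controller or defined differently."""
    a, b = policy_blocks(config_a), policy_blocks(config_b)
    return {
        "only_on_a": sorted(a.keys() - b.keys()),
        "only_on_b": sorted(b.keys() - a.keys()),
        "differs": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }

if __name__ == "__main__":
    print(policy_drift(CONTROLLER_A, CONTROLLER_B))
```

Any non-empty list in the result means a Remote AP user could receive a different privilege level depending on which controller terminates the connection.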

Campus Wireless Networks Validated Reference Design Version 3.3 Design Guide

Aruba Networks, Version 3.3 manual