IMPLEMENTATION GUIDE - Juniper Networks SRX Series Services Gateways/Websense V10000
Introduction
A powerful new paradigm of
and partners. These are powerful tools that can create and sustain competitive
Scope
This document is targeted at system engineers, network administrators, and other technical audiences interested in designing and implementing Juniper Networks SRX Series Services Gateways with Websense TRITON V10000 Web Security Gateway appliances.
Design Considerations
Figure 1 illustrates a common network design solution using the SRX Series and V10000 appliances. The SRX Series is responsible for redirecting specific traffic from the User LAN
The enterprise network includes the SRX Series and the Websense TRITON V10000 appliances in the “management” segment of the network, and the enterprise users are identified in the “User LAN” segment of the network. This deployment architecture leverages the flexibility of the SRX Series to securely separate the user traffic from the network administration of the SRX Series and the Websense security appliances.
Figure 1: Reference network (INTERNET, Websense V10000, SRX Series, L2 Switch, USER LAN)

For the one V10000 appliance solution, three physical ports are utilized: “C”, “P1,” and “N.” The “C” port of the appliance is the management port through which the administrator manages the appliance. The “C” port is also the destination for the “Block Page” redirection. The “P1” port is the proxy port of the V10000. The SRX Series connects the V10000 to both the user LAN and the Internet. The “N” port is used to provide application and Web throttling. Over 120 Web protocols are recognized by protocol “fingerprint” (this permits the identification of applications such as Skype, BitTorrent, and Yahoo Chat). Malware is also recognized and denied access to the Internet. To implement this capability, a layer 2 switch is needed to mirror user traffic to the N port.

When the P1 port allows user traffic, the V10000 establishes a new traffic flow (proxy) via the same P1 port. When traffic is not permitted, the V10000 issues a redirect message via the P1 port to the user browser. The user browser is redirected to a “Block Page” that is served by the V10000 at the C port. These two scenarios are illustrated in the following ladder diagrams.
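The N-port behaviour described above works on a mirrored copy of the user traffic, so recognition has to rely on what the payload looks like, not on the destination port, and any enforcement is out of band (the switch must actually mirror the user traffic the N port is meant to see). The following is an added example, not Websense or Juniper code, of port-independent application recognition by protocol “fingerprint” on mirrored flows. The signatures are for documented wire formats (the BitTorrent peer-wire handshake, the Yahoo Messenger YMSG magic, the HTTP/1.x request line); Skype is left out because it has no simple static byte signature. The policy table, addresses and sample payloads are constructed for the example.

```python
"""
Added example, not Websense or Juniper code: application recognition by
protocol "fingerprint" on a mirrored copy of user traffic, as the N port
does. The policy table and the sample flows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MirroredFlow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first payload bytes of the flow, as copied to the mirror port


def fingerprint(payload: bytes) -> str:
    """Name the application protocol from the first payload bytes, ignoring the port."""
    # BitTorrent peer-wire handshake: <pstrlen=19><pstr="BitTorrent protocol">...
    if len(payload) >= 20 and payload[0] == 19 and payload[1:20] == b"BitTorrent protocol":
        return "bittorrent"
    # Yahoo Messenger: every YMSG packet starts with the 4-byte magic "YMSG"
    if payload.startswith(b"YMSG"):
        return "yahoo-chat"
    # HTTP/1.x: "<METHOD> <target> HTTP/1.<x>\r\n" with an upper-case token method
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if (len(parts) == 3 and parts[0].isalpha() and parts[0].isupper()
            and parts[2].startswith(b"HTTP/1.")):
        return "http"
    return "unknown"


# Assumed policy for recognised protocols; anything unrecognised is only logged.
POLICY = {"bittorrent": "deny", "yahoo-chat": "throttle", "http": "allow"}


def enforce(flow: MirroredFlow) -> tuple:
    """Return (protocol, action) for one mirrored flow."""
    proto = fingerprint(flow.payload)
    return proto, POLICY.get(proto, "log")


# Constructed sample payloads
BT_HANDSHAKE = bytes([19]) + b"BitTorrent protocol" + bytes(8) + bytes(20) + b"-AB0001-000000000000"
YMSG_PACKET = b"YMSG" + b"\x00\x10" + b"\x00\x00" + b"\x00\x00" + b"\x00\x06" + bytes(4) + bytes(4)
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"  # no signature defined here

SAMPLE_FLOWS = [
    MirroredFlow("10.1.1.20", "198.51.100.9", 443, BT_HANDSHAKE),  # BitTorrent hiding on 443
    MirroredFlow("10.1.1.21", "198.51.100.10", 5050, YMSG_PACKET),
    MirroredFlow("10.1.1.22", "192.0.2.80", 80, HTTP_REQUEST),
    MirroredFlow("10.1.1.23", "198.51.100.11", 443, TLS_CLIENT_HELLO),
]


def mirror_report(flows) -> list:
    """Classify every mirrored flow; the port is reported but never used to decide."""
    return [(f.src, f.dport, *enforce(f)) for f in flows]


if __name__ == "__main__":
    for row in mirror_report(SAMPLE_FLOWS):
        print("%-12s dport=%-5d %-11s %s" % row)
```

The first sample flow is the point of the exercise: BitTorrent on TCP 443 is still recognised as BitTorrent because the decision is made on the handshake bytes, while a real TLS ClientHello on the same port falls through to “unknown” and is only logged.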
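The two P1/C-port scenarios above, as an added example that is not part of the guide and not Websense or Juniper code: a request arriving on the proxy port is either forwarded as a new flow to the origin (the “allowed” case) or answered directly with an HTTP redirect to the block page on the C port (the “not permitted” case). The block-page URL, the category table and the sample requests are constructed for the example; the parser accepts both the absolute-form target an explicit proxy receives and the origin-form target seen when the SRX Series redirects traffic transparently.

```python
"""
Added example, not Websense or Juniper code: model of the V10000 decision
on the P1 port. Block-page URL, policy and category table are constructed.
"""
from urllib.parse import urlsplit, quote

C_PORT_BLOCK_PAGE = "http://192.0.2.2/block"  # assumed: block page served on the C port
BLOCKED_CATEGORIES = {"gambling", "malware"}  # assumed policy
CATEGORY_DB = {                               # constructed lookup table
    "intranet.example.com": "business",
    "casino.example.net": "gambling",
    "bad.example.org": "malware",
}


def parse_request(raw: bytes):
    """Return (method, host, port, path) from a proxied or transparently redirected request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    method, target, _version = (lines[0].split(" ", 2) + ["", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if method == "CONNECT":                      # explicit-proxy tunnel: "host:port" target
        host, _, port = target.rpartition(":")
        return method, host, int(port or 443), "/"
    if target.startswith("http://"):             # explicit proxy: absolute-form target
        parts = urlsplit(target)
        return method, parts.hostname or "", parts.port or 80, parts.path or "/"
    host, _, port = headers.get("host", "").partition(":")   # transparent: origin-form
    return method, host, int(port or 80), target or "/"


def decide(raw: bytes):
    """('proxy', (host, port)) when allowed, else ('redirect', http_response_bytes)."""
    method, host, port, path = parse_request(raw)
    category = CATEGORY_DB.get(host.lower(), "uncategorised") if host else "unknown"
    if host and category not in BLOCKED_CATEGORIES:
        # allowed: the proxy opens a new flow to the origin via the same P1 port
        return "proxy", (host, port)
    # not permitted (or no host to categorise): answer the browser with a
    # redirect to the block page on the C port, carrying the category and URL
    original = quote(f"http://{host}:{port}{path}", safe="")
    location = f"{C_PORT_BLOCK_PAGE}?cat={quote(category)}&url={original}"
    response = ("HTTP/1.1 302 Found\r\n"
                f"Location: {location}\r\n"
                "Content-Length: 0\r\n"
                "Connection: close\r\n\r\n").encode("ascii")
    return "redirect", response


# Constructed sample requests: one transparent (origin-form), one explicit proxy (absolute-form)
ALLOWED_REQ = b"GET /news HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
BLOCKED_REQ = b"GET http://casino.example.net/play HTTP/1.1\r\nHost: casino.example.net\r\n\r\n"
NO_HOST_REQ = b"GET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for req in (ALLOWED_REQ, BLOCKED_REQ, NO_HOST_REQ):
        action, detail = decide(req)
        print(action, detail if action == "proxy" else detail.split(b"\r\n")[1].decode())
```

A request with no usable host is treated as not permitted rather than proxied: with nothing to categorise, the safe failure mode is the block page, not an open flow.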
Copyright © 2010, Juniper Networks, Inc.