Looks like we've got it settled now - there are one or two little
things.  We'd like to be able to tweak the IPSEC tunnel to improve VOIP
performance across it for example.  But otherwise I think we've got it
all working for the basic services.  Definitely a LOT to learn though.

 

Ben M. Schorr
Chief Executive Officer
______________________________________________
Roland Schorr & Tower
www.rolandschorr.com <http://www.rolandschorr.com/> 
[email protected] <mailto:[email protected]> 

 

From: Kramer, Jack [mailto:[email protected]] 
Sent: Tuesday, January 04, 2011 11:19
To: NT System Admin Issues
Subject: Re: Small/Mid Firewall?

 

Definitely been in your shoes - my first SSG-5 is a little over a year
and a half old now and setting that thing up was an experience to end
all experiences. You may benefit from trying it on the command line -
simple policies make a lot more sense written out. Also swing for Tier-2
support as the Tier-1 people vary wildly in quality.

 

If you're still having problems make sure you try another firmware
version for the device - I had ipsec issues with the client who got the
device for about a month until I tried one of the later releases and
then poof, all fixed overnight.

 

----
Jack Kramer
Computer Systems Specialist
University Relations, Michigan State University
w: 517-884-1231 / c: 248-635-4955

 

From: Ben Schorr <[email protected]>
Reply-To: NT System Admin Issues <[email protected]>
Date: Fri, 31 Dec 2010 12:41:35 -0500
To: NT System Admin Issues <[email protected]>
Subject: RE: Small/Mid Firewall?

 

        Well I think part of the frustration is that it appears that to
create a simple port forward that sends all incoming traffic on a
specific port to an internal server (for example) requires 17 different
"policies" and "interfaces" and "zones".  I'm exaggerating a bit, yes,
but the Juniper seems very powerful and ridiculously complex.  We're not
trying to do anything fancy and it's taken more than 2 days to get it
even half working and that's with more than an hour of a Juniper support
engineer remoting into it and working on it themselves.

         

        The old SnapGear 580s (before McAfee bought SnapGear at least)
could be set up for this in 15 minutes or so.  Even a newbie could
figure out how to set up a basic port forward fairly quickly.

         

        I suspect we'll like the Juniper...once we get a thousand pages
or so deeper into the documentation and figure out how to actually make
the damned thing do anything useful.  

         

        We have one IPSEC tunnel created with it (created by the Juniper
engineer).  The dashboard on the "Home" Screen says it's
"Inactive/Unused" but the VPN monitor lists it as "Active".
Ummm....o.k.

         

        This morning my day started with a phone call from one of the
local users telling me they can't even get on the web.  Good grief.

         

        Ben M. Schorr
        Chief Executive Officer
        ______________________________________________
        Roland Schorr & Tower
        www.rolandschorr.com <http://www.rolandschorr.com/> 
        [email protected] <mailto:[email protected]> 

         

        From: Erik Goldoff [mailto:[email protected]] 
        Sent: Friday, December 31, 2010 5:20 AM
        To: NT System Admin Issues
        Subject: RE: Small/Mid Firewall?

         

        I agree with Andrew ... I've been configuring the Juniper
'screens for years now, including the 5GT and SSG 5 that replaced it.

        Granted, the Juniper is very different from a Cisco PIX/ASA
firewall, and different from Checkpoint.

        I wonder if extensive knowledge of some other brand of firewall
is what is causing your minions' problems with the Juniper.

         

        Erik Goldoff

        IT  Consultant

        Systems, Networks, & Security 

        '  Security is an ongoing process, not a one time event ! '

        From: Ben Schorr [mailto:[email protected]] 
        Sent: Friday, December 31, 2010 1:16 AM
        To: NT System Admin Issues
        Subject: RE: Small/Mid Firewall?

         

        Well, to be fair *I* haven't looked at it yet myself.  It's been
in the hands of two of my junior people; at least one of whom is
generally very capable and has deployed several other firewall/routers
of other vendors in the past.  But he's spent the better part of all day
trying to get the Juniper working and finally has resorted to having
Juniper tech support remote in and try to get it working.  

         

        Apparently even the Juniper support person has spent quite a bit
of time wrestling with it to only mixed results.  It gives me some pause
that even a Juniper support engineer would struggle with getting this
unit configured.  But I've still got 2200 more pages of the manual to
read so...

         

         

        Ben M. Schorr
        Chief Executive Officer
        ______________________________________________
        Roland Schorr & Tower
        www.rolandschorr.com <http://www.rolandschorr.com/> 
        [email protected] <mailto:[email protected]> 

         

        From: Andrew S. Baker [mailto:[email protected]] 
        Sent: Thursday, December 30, 2010 8:15 PM
        To: NT System Admin Issues
        Subject: Re: Small/Mid Firewall?

         

        Really?  IPSec VPNs are one of the easiest things to configure
on those devices.

         

        In fairness, however, I've been using Netscreen devices since
Feb 2000, so that might simply be familiarity talking.

         

        The VPN wizard is very straightforward.
        

         

        ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>  
        Exploiting Technology for Business Advantage...
         

        ~ Finally, powerful endpoint security that ISN'T a resource hog!
~
        ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
        
        ---
        To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
        or send an email to [email protected]
        with the body: unsubscribe ntsysadmin
