Let’s put everything together to get a complete picture of how a typical branch office SRX is deployed.
In this case study, you will focus on a branch office with the characteristics listed here and shown in Figure 9-14:
The DMZ zone should provide inbound access to an HTTP and FTP server.
The Trust zone should require antivirus and web filtering services.
The FTP server should allow only downloads; uploading of files is not permitted.
Since only FTP downloads are allowed and the FTP server will not have HTTP or mail access, no virus scanning is needed.
Traffic from the Trust to the Untrust zones will be NATed using the address of the egress interface.
Traffic from the Untrust to the DMZ zones will be NATed using the address of the Untrust interface. Traffic to port 80 will be sent to the HTTP server, while traffic to port 21 will be sent to the FTP server (using destination NAT with port forwarding).
Access to the SRX from the Untrust network is only allowed for SSH and HTTPS. HTTP access from the Untrust zone cannot be allowed as this traffic will be forwarded to the HTTP server in the DMZ zone.
Figure 9-14. Reference branch office
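The management-access and port-forwarding requirements above can be checked mechanically against a candidate configuration. The following Python check is an added example, not part of the original text: the zone, pool and rule names and the addresses in the sample configuration are constructed, and it assumes every destination NAT rule-set applies to traffic arriving from the Untrust zone.

```python
import re

# Constructed sample in Junos "set" format; zone, pool and rule names and the
# addresses (RFC 5737 / RFC 1918) are assumptions, not the book's values.
SAMPLE = """
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security nat destination pool http-server address 192.168.2.10/32 port 80
set security nat destination pool ftp-server address 192.168.2.11/32 port 21
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule http match destination-address 198.51.100.1/32
set security nat destination rule-set from-untrust rule http match destination-port 80
set security nat destination rule-set from-untrust rule http then destination-nat pool http-server
set security nat destination rule-set from-untrust rule ftp match destination-address 198.51.100.1/32
set security nat destination rule-set from-untrust rule ftp match destination-port 21
set security nat destination rule-set from-untrust rule ftp then destination-nat pool ftp-server
"""

ALLOWED_MGMT = {"ssh", "https"}   # only SSH and HTTPS may reach the SRX itself
SERVICE_PORT = {"http": 80, "ftp": 21, "ssh": 22, "https": 443, "telnet": 23}
REQUIRED_FORWARDS = {80, 21}      # HTTP and FTP servers in the DMZ

def audit(config, zone="untrust"):
    """Return a list of findings for the zone; an empty list means compliant."""
    svc_re = re.compile(rf"^set security zones security-zone {re.escape(zone)} "
                        r"host-inbound-traffic system-services (\S+)$")
    port_re = re.compile(r"^set security nat destination rule-set \S+ rule \S+ "
                         r"match destination-port (\d+)$")
    services, forwarded = set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := svc_re.match(line):
            services.add(m.group(1))
        elif m := port_re.match(line):
            forwarded.add(int(m.group(1)))
    findings = [f"management service not permitted on {zone}: {s}"
                for s in sorted(services - ALLOWED_MGMT)]
    findings += [f"no destination NAT rule for port {p}"
                 for p in sorted(REQUIRED_FORWARDS - forwarded)]
    # A service the SRX answers itself cannot share a port with a forward.
    findings += [f"{s} on {zone} collides with forwarded port {SERVICE_PORT[s]}"
                 for s in sorted(services) if SERVICE_PORT.get(s) in forwarded]
    return findings
```

Feed it the output of `show configuration | display set` from the device under review; any returned finding names the requirement that the configuration violates.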
Follow along with the configurations. First let’s set the NTP and DNS configuration:
set system host-name SRX650-1
#NTP and DNS configuration
set system name-server 18.104.22.168
set system ntp server pool.ntp.org
Now set the management ...