TSM interworking with a single USG6000 in in-path mode

The in-path mode means that an NGFW serving as an SACG directly connect to the original network in serial mode, or replace the original core switch or router, to interwork with the TSM system. The in-path mode realizes TSM interworking and provides other security functions at the same time.

Networking requirements are as follows:
To establish access permission management mechanism to grant access permissions to users as work required and protect enterprise core network resources, configure the NGFW as the TSM's SACG to interwork with the TSM system.
An enterprise deploys a DNS server and two TSM Controllers in the pre-authentication domain, the patch server and virus signature database server in the isolation domain, the service system in the post-authentication domain.

A pre-authentication domain is the area that can be accessed by terminal hosts before they pass identity authentication. This domain contains the DNS server, external authentication source, TSM Controller, and TSM Manager. An isolation domain is the area that can be accessed by terminal hosts that pass only identity authentication but not security authentication. This domain contains the patch server and virus signature database server. A post-authentication domain is the area that can be accessed by terminal hosts after they pass both identity authentication and security authentication. This domain contains the ERP system, financial system, and database system. The TSM Manager and TSM Controller 1 are installed on one server.

Requirements are as follows:

?wo TSM Controllers are deployed. If the NGFWs cannot interwork with both TSM Controllers, the NGFWs do not control terminal hosts. That is, all traffic from the terminal hosts is permitted.

?erminal hosts in the company network have the TSM proxy software installed. To authenticate guests, the NGFWs must be configured to authenticate end users on the web UI, who do not have the TSM proxy software installed.

?sers in different roles can access specific network resources. The account lee is used as an example. The user can access only the "service system," not resources in the post-authentication domain.

?f an end user passes identity authentication but fails security authentication, fixing measures must be taken in the isolation domain, such as patch download and virus database updates.

Scroll to top