TSM interworking with a single USG6000 in out-of-path mode

This example describes the typical network and configuration method for TSM interworking with a single USG6000 in out-of-path mode.

Networking requirements are as follows:
An enterprise divides its network resources into three domains: pre-authentication, isolation, and post-authentication.

A pre-authentication domain is the area that terminal hosts can access before they pass identity authentication. This domain contains the DNS server, external authentication source, TSM Controller, and TSM Manager.

An isolation domain is the area that terminal hosts can access after they pass identity authentication but before they pass security authentication. This domain contains the patch server and virus signature database server.

A post-authentication domain is the area that terminal hosts can access only after they pass both identity authentication and security authentication. This domain contains the ERP system, financial system, and database system.

Requirements are as follows:

Two TSM Controllers are deployed. If the NGFWs cannot interwork with either TSM Controller, the NGFWs stop controlling terminal hosts; that is, all traffic from the terminal hosts is permitted.

Terminal hosts in the company network have the TSM proxy software installed. Guests do not have the TSM proxy software installed, so the NGFWs must be configured to authenticate these end users through the web UI.

Users in different roles can access specific network resources. The account lee is used as an example: this user can access only the "service system" and not the other resources in the post-authentication domain.

If an end user passes identity authentication but fails security authentication, remediation measures must be taken in the isolation domain, such as patch download and virus signature database updates.
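The requirements above amount to an access-control policy keyed on each host's authentication state and role, plus a fail-open rule when no TSM Controller is reachable. The following Python model is an added illustration of that policy, not Huawei's implementation or USG6000 configuration: the domain names, the resources in each domain, the account lee and the fail-open rule come from this example; placing the "service system" in the post-authentication domain, the role allowlist format and all function and field names are assumptions made for the illustration.

```python
"""Policy model of the three-domain TSM/NGFW access scheme.

Constructed illustration added to the example, not Huawei's implementation
or USG6000 configuration. Domain names, resources, the account "lee" and the
fail-open rule follow the example text; the placement of the "service system",
the allowlist format and the function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

PRE_AUTH = "pre-authentication"
ISOLATION = "isolation"
POST_AUTH = "post-authentication"

# Resources per domain, taken from the example topology (constructed labels).
DOMAIN_RESOURCES: Dict[str, Set[str]] = {
    PRE_AUTH: {"dns", "external-auth-source", "tsm-controller", "tsm-manager"},
    ISOLATION: {"patch-server", "virus-db-server"},
    # Assumption: the "service system" is a post-authentication resource.
    POST_AUTH: {"erp", "financial", "database", "service-system"},
}


@dataclass(frozen=True)
class HostState:
    """What the NGFW knows about one terminal host (from TSM or web auth)."""
    identity_ok: bool            # passed identity authentication
    security_ok: bool            # passed security (compliance) authentication
    role: Optional[str] = None   # role learned at identity authentication


@dataclass
class Policy:
    controllers_reachable: int   # TSM Controllers the NGFW can reach right now (0..2)
    # role -> post-authentication resources that role may use; a role with no
    # entry gets nothing in that domain (least privilege, an assumption here)
    role_allowlist: Dict[str, Set[str]] = field(default_factory=dict)


def resource_domain(resource: str) -> Optional[str]:
    """Return the domain a resource belongs to, or None if it is unknown."""
    for domain, resources in DOMAIN_RESOURCES.items():
        if resource in resources:
            return domain
    return None


def allowed_domains(state: HostState, policy: Policy) -> FrozenSet[str]:
    """Domains reachable by a host in the given state."""
    if policy.controllers_reachable == 0:
        # Fail-open rule from the example: with no controller reachable the
        # NGFW stops controlling hosts and permits all traffic.
        return frozenset(DOMAIN_RESOURCES)
    domains = {PRE_AUTH}
    if state.identity_ok:
        domains.add(ISOLATION)
        if state.security_ok:          # security result counts only after identity
            domains.add(POST_AUTH)
    return frozenset(domains)


def is_permitted(state: HostState, policy: Policy, resource: str) -> bool:
    """Decide whether a host may reach a resource (default deny)."""
    if policy.controllers_reachable == 0:
        return True  # fail-open, see allowed_domains()
    domain = resource_domain(resource)
    if domain is None or domain not in allowed_domains(state, policy):
        return False
    if domain == POST_AUTH:
        # Role-based restriction inside the post-authentication domain.
        return resource in policy.role_allowlist.get(state.role, set())
    return True


def next_step(state: HostState) -> str:
    """Operator-facing summary of what a host must do next."""
    if not state.identity_ok:
        return "identity authentication (TSM agent or web authentication)"
    if not state.security_ok:
        return "remediation in the isolation domain (patches, virus database)"
    return "full access per role"


if __name__ == "__main__":
    policy = Policy(controllers_reachable=2,
                    role_allowlist={"lee": {"service-system"},
                                    "finance": {"erp", "financial", "database"}})
    for st in (HostState(False, False), HostState(True, False, "lee"),
               HostState(True, True, "lee")):
        print(st, sorted(allowed_domains(st, policy)), "->", next_step(st))
```

Two points the model makes visible: a host that somehow reports a passed security check without identity authentication still gets only the pre-authentication domain, and with `controllers_reachable == 0` every decision becomes "permit", which is exactly why the loss of both TSM Controllers is an event worth alerting on rather than a silent degradation.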
