TSM interworking with USG6000s in hot standby out-of-path mode


This example describes the typical network and configuration method for TSM interworking in USG6000 hot standby out-of-path (bypass) mode.
The networking requirements of this example are as follows:
All PCs in the company's sales department connect to core switches through access switches and then to the HQ through 1000 Mbit/s optical fiber leased lines. The two core switches work in hot standby mode. In normal conditions, core switch 1 forwards all traffic. If core switch 1 fails, traffic is switched to core switch 2.
To secure the internal network, the company deploys the TSM system at the HQ to control the access of sales department PCs to the HQ network and uses NGFWs to enforce access control.

Other related questions:
TSM interworking with USG6000s in hot standby in-path mode
This example describes the typical network and configuration method for TSM interworking in USG6000 hot standby in-path mode. The networking requirements of this example are as follows: A company deploys a TSM server group and NGFWs in hot standby mode. Requirements are as follows:
- Two TSM Controllers are deployed. If the NGFWs cannot interwork with both TSM Controllers, the NGFWs do not control terminal hosts. That is, all traffic from the terminal hosts is permitted.
- Terminal hosts in the company network have the TSM proxy software installed. To authenticate guests, who do not have the TSM proxy software installed, the NGFWs must be configured to authenticate end users on the web UI.
- Users in different roles can access specific network resources. The account lee is used as an example. The user can access only the "service system," not other resources in the post-authentication domain.
- If an end user passes identity authentication but fails security authentication, fixing measures must be taken in the isolation domain, such as patch download and virus database updates.

TSM interworking with a single USG6000 in out-of-path mode
This example describes the typical network and configuration method for TSM interworking with a single USG6000 in out-of-path mode. Networking requirements are as follows: An enterprise divides its network resources into three domains: pre-authentication, isolation, and post-authentication. A pre-authentication domain is the area that can be accessed by terminal hosts before they pass identity authentication. This domain contains the DNS server, external authentication source, TSM Controller, and TSM Manager. An isolation domain is the area that can be accessed by terminal hosts that pass only identity authentication but not security authentication. This domain contains the patch server and virus signature database server. A post-authentication domain is the area that can be accessed by terminal hosts after they pass both identity authentication and security authentication. This domain contains the ERP system, financial system, and database system. Requirements are as follows:
- Two TSM Controllers are deployed. If the NGFWs cannot interwork with both TSM Controllers, the NGFWs do not control terminal hosts. That is, all traffic from the terminal hosts is permitted.
- Terminal hosts in the company network have the TSM proxy software installed. To authenticate guests, who do not have the TSM proxy software installed, the NGFWs must be configured to authenticate end users on the web UI.
- Users in different roles can access specific network resources. The account lee is used as an example. The user can access only the "service system," not other resources in the post-authentication domain.
- If an end user passes identity authentication but fails security authentication, fixing measures must be taken in the isolation domain, such as patch download and virus database updates.

TSM interworking in USG2000/5000 hot standby in-path mode
This example describes the typical network and configuration method for TSM interworking in USG2000/5000 hot standby in-path mode. The networking requirements of this example are as follows: A company deploys a TSM server group and USG firewalls in hot standby mode. Requirements are as follows:
- Two TSM Controllers are deployed. If the USGs cannot interwork with both TSM Controllers, the USGs do not control terminal hosts. That is, all traffic from the terminal hosts is permitted.
- Terminal hosts in the company network have the TSM proxy software installed. To authenticate guests, who do not have the TSM proxy software installed, the USGs must be configured to authenticate end users on the web UI.
- Users in different roles can access specific network resources. The account lee is used as an example. The user can access only the "service system," not other resources in the post-authentication domain.
- If an end user passes identity authentication but fails security authentication, fixing measures must be taken in the isolation domain, such as patch download and virus database updates.

TSM interworking with a single USG6000 in in-path mode
In in-path mode, an NGFW serving as the SACG is connected in series to the original network, or replaces the original core switch or router, to interwork with the TSM system. The in-path mode realizes TSM interworking and provides other security functions at the same time. Networking requirements are as follows: To establish an access permission management mechanism that grants users access permissions as their work requires and protects enterprise core network resources, configure the NGFW as the TSM's SACG to interwork with the TSM system. An enterprise deploys a DNS server and two TSM Controllers in the pre-authentication domain, the patch server and virus signature database server in the isolation domain, and the service system in the post-authentication domain. A pre-authentication domain is the area that can be accessed by terminal hosts before they pass identity authentication. This domain contains the DNS server, external authentication source, TSM Controller, and TSM Manager. An isolation domain is the area that can be accessed by terminal hosts that pass only identity authentication but not security authentication. This domain contains the patch server and virus signature database server. A post-authentication domain is the area that can be accessed by terminal hosts after they pass both identity authentication and security authentication. This domain contains the ERP system, financial system, and database system. The TSM Manager and TSM Controller 1 are installed on one server. Requirements are as follows:
- Two TSM Controllers are deployed. If the NGFWs cannot interwork with both TSM Controllers, the NGFWs do not control terminal hosts. That is, all traffic from the terminal hosts is permitted.
- Terminal hosts in the company network have the TSM proxy software installed. To authenticate guests, who do not have the TSM proxy software installed, the NGFWs must be configured to authenticate end users on the web UI.
- Users in different roles can access specific network resources. The account lee is used as an example. The user can access only the "service system," not other resources in the post-authentication domain.
- If an end user passes identity authentication but fails security authentication, fixing measures must be taken in the isolation domain, such as patch download and virus database updates.

TSM interworking with a single USG2000&5000 in out-of-path mode
This example describes the typical network and configuration method for TSM interworking with a single USG2000&5000 in out-of-path mode. Networking requirements are as follows: To establish an access permission management mechanism that grants users access permissions as their work requires and protects enterprise core network resources, configure the USG as the TSM's SACG to interwork with the TSM system. An enterprise divides its network resources into three domains: pre-authentication, isolation, and post-authentication. A pre-authentication domain is the area that can be accessed by terminal hosts before they pass identity authentication. This domain contains the DNS server, external authentication source, TSM Controller, and TSM Manager. An isolation domain is the area that can be accessed by terminal hosts that pass only identity authentication but not security authentication. This domain contains the patch server and virus signature database server. A post-authentication domain is the area that can be accessed by terminal hosts after they pass both identity authentication and security authentication. This domain contains the ERP system, financial system, and database system. Requirements are as follows:
- Two TSM Controllers are deployed. If the USGs cannot interwork with both TSM Controllers, the USGs do not control terminal hosts. That is, all traffic from the terminal hosts is permitted.
- Terminal hosts in the company network have the TSM proxy software installed. To authenticate guests, who do not have the TSM proxy software installed, the USGs must be configured to authenticate end users on the web UI.
- Users in different roles can access specific network resources. The account lee is used as an example. The user can access only the "service system," not other resources in the post-authentication domain.
- If an end user passes identity authentication but fails security authentication, fixing measures must be taken in the isolation domain, such as patch download and virus database updates.
