
Secure Remote Access Technical Solution Guide v1.0
Figure 2: Secure Remote Access Solution topology
4.1.2 Required internal firewall policies
The VPN Gateway must have restricted access to intranet resources through the DMZ internal
firewall. The security policy on this DMZ internal firewall is completely dependent on the
applications and services provided by the remote access solution. Access to DNS and
Authentication, Authorization, and Accounting (AAA) servers must be configured to provide name
resolution and end-user authentication services to the VPN Gateway. In general, you should only
configure access from the VPN Gateway trusted interface IP address to specific application
servers. The exception is that when using NetDirect, you must assign a block of internal network
addresses for use by NetDirect clients. Packets from NetDirect clients are forwarded on the
trusted interface of the VPN Gateway and must access intranet resources through the DMZ
internal firewall.
When NetDirect is used to provide IP Telephony services, the NetDirect pool of addresses may
need to reach IP telephones or PCs within the Local or Wide Area Network to support peer-to-peer
media connections using the RTP protocol, which runs over UDP. Use internal firewall
policies to restrict which protocols and ports can access these internal zones. The RTP protocol
typically uses a UDP source port greater than 1023 and a range of UDP destination ports
between 40 000 and 60 000.
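The policy described in this section can be checked before it is pushed to the DMZ internal firewall. The following is an added example, not part of the guide and not Nortel code: a small first-match policy evaluator that encodes the rules above (gateway trusted interface to DNS and AAA only, NetDirect pool to the telephony zone for UDP with source port above 1023 and destination port 40 000 to 60 000, default deny) and runs constructed packets through it. All addresses are placeholders, and the RADIUS ports 1812/1813 for the AAA server are an assumption, since the guide only says "AAA servers".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

# Constructed placeholder addresses (assumptions, not taken from the guide).
VPN_GW_TRUSTED_IP = ip_network("10.1.1.10/32")   # VPN Gateway trusted interface
NETDIRECT_POOL = ip_network("10.1.50.0/24")      # block assigned to NetDirect clients
DNS_SERVER = ip_network("10.2.0.53/32")
AAA_SERVER = ip_network("10.2.0.10/32")
TELEPHONY_ZONE = ip_network("10.3.0.0/16")       # IP phones / PCs reachable for RTP media
ANY = ip_network("0.0.0.0/0")
ANY_PORT = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    proto: Optional[str]      # None matches any protocol
    src: IPv4Network
    dst: IPv4Network
    sport: range
    dport: range

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and pkt.sport in self.sport
                and pkt.dport in self.dport)


# Rules are evaluated top to bottom; the first match wins.
DMZ_INTERNAL_POLICY: List[Rule] = [
    # Name resolution for the gateway itself (UDP or TCP 53), from its trusted address only.
    Rule("gw-dns", "allow", None, VPN_GW_TRUSTED_IP, DNS_SERVER, ANY_PORT, range(53, 54)),
    # End-user authentication. RADIUS 1812/1813 is an assumption; the guide just says "AAA".
    Rule("gw-aaa-radius", "allow", "udp", VPN_GW_TRUSTED_IP, AAA_SERVER,
         ANY_PORT, range(1812, 1814)),
    # NetDirect clients reaching phones/PCs for peer-to-peer RTP media:
    # UDP, source port above 1023, destination port 40000-60000 (figures from the guide).
    Rule("netdirect-rtp", "allow", "udp", NETDIRECT_POOL, TELEPHONY_ZONE,
         range(1024, 65536), range(40000, 60001)),
    # Default deny: anything the remote access solution does not explicitly need.
    Rule("default-deny", "deny", None, ANY, ANY, ANY_PORT, ANY_PORT),
]


def evaluate(pkt: Packet, policy: List[Rule] = DMZ_INTERNAL_POLICY) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the packet."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit"   # no rule matched at all; still deny


# Constructed sample traffic crossing the DMZ internal firewall.
SAMPLE_TRAFFIC = [
    Packet("udp", "10.1.1.10", "10.2.0.53", 40001, 53),      # gateway DNS lookup
    Packet("udp", "10.1.1.10", "10.2.0.10", 40002, 1812),    # gateway RADIUS auth
    Packet("udp", "10.1.50.7", "10.3.4.5", 50000, 45000),    # NetDirect client RTP media
    Packet("udp", "10.1.50.7", "10.3.4.5", 50000, 61000),    # RTP outside the allowed range
    Packet("udp", "10.1.50.7", "10.3.4.5", 1000, 45000),     # privileged source port
    Packet("udp", "10.1.50.7", "10.2.0.53", 40001, 53),      # client talking to DNS directly
    Packet("tcp", "10.1.1.10", "10.2.0.10", 40003, 22),      # gateway SSH to AAA server
]


def audit(traffic: List[Packet] = SAMPLE_TRAFFIC) -> List[Tuple[str, str]]:
    """Evaluate each sample packet and return the (action, rule) decisions in order."""
    return [evaluate(pkt) for pkt in traffic]


if __name__ == "__main__":
    for pkt, (action, rule) in zip(SAMPLE_TRAFFIC, audit()):
        print(f"{action:5} [{rule}] {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The two checks worth keeping from this exercise are that only the gateway's trusted interface address, never a NetDirect client address, reaches DNS and AAA, and that the NetDirect pool is confined to UDP in the RTP port range toward the telephony zone, with everything else falling through to the default deny.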
4.1.3 Threat Protection System (intrusion prevention) integration
Although not strictly required, Nortel strongly recommends the use of an intrusion
detection/prevention system as an additional security layer in remote access solution designs. In