TMS zl Management and Configuration Guide ST.1.1.100430

Overview
Deployment Options for Routing Mode—Threat Protection
to particular types of traffic. For example, you could limit the number of
connections to your Web server to 300 and the number of connections to your
FTP server to 50.
Furthermore, you can configure policies to apply only during certain hours of
the day. For example, you can configure a policy so that it applies only during
office hours.
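The limits and schedule described above, modelled in Python as an added example; it is not TMS zl configuration syntax or code from this guide. The class names, the 09:00 to 17:00 window, and the choice to keep counting connections while a limit is off schedule are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

@dataclass
class ConnLimitPolicy:
    service: str                   # hypothetical label, e.g. "web" or "ftp"
    max_conns: int                 # maximum concurrent connections
    start: Optional[time] = None   # schedule window; None means always active
    end: Optional[time] = None

    def active_at(self, now: datetime) -> bool:
        if self.start is None or self.end is None:
            return True
        t = now.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # window wraps past midnight

class ConnTracker:
    """Counts open connections per service and enforces active limits."""
    def __init__(self, policies):
        self.policies = {p.service: p for p in policies}
        self.open = {}

    def try_open(self, service: str, now: datetime) -> bool:
        policy = self.policies.get(service)
        count = self.open.get(service, 0)
        # Deny only when a limit exists, is on schedule, and is already reached.
        if policy and policy.active_at(now) and count >= policy.max_conns:
            return False
        self.open[service] = count + 1   # counted even when the limit is off
        return True

    def close(self, service: str) -> None:
        self.open[service] = max(0, self.open.get(service, 0) - 1)

if __name__ == "__main__":
    # Constructed scenario: Web limit always on, FTP limit during office hours.
    tracker = ConnTracker([
        ConnLimitPolicy("web", 300),
        ConnLimitPolicy("ftp", 50, time(9, 0), time(17, 0)),
    ])
    night = datetime(2024, 1, 8, 22, 0)
    noon = datetime(2024, 1, 9, 12, 0)
    opened = sum(tracker.try_open("ftp", night) for _ in range(60))
    print("FTP connections accepted at 22:00:", opened)
    print("New FTP connection at 12:00:", tracker.try_open("ftp", noon))
```

Connections accepted while a scheduled limit is inactive are still counted, so when the window opens the service can already be over its limit and new connections are refused until enough existing ones close.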
When the TMS zl Module provides perimeter threat protection, you might
want it to provide other services that are typical for a device that controls the
border between your private network and the Internet. These capabilities
include:
- NAT
- VPN gateway
Perimeter Protection with NAT. If another device such as an edge router
does not provide NAT, you can use the TMS zl Module to perform NAT on
traffic that is transmitted between the public and private networks.
Perimeter Protection with VPN. A VPN uses encryption and authentication
to protect traffic that is sent over an untrusted network. The TMS zl
Module supports IPsec VPN connections for purposes such as the following:
- To provide a site-to-site VPN tunnel between the corporate head office
  and a branch office (IPsec or GRE over IPsec)
- To provide a mobile workforce with remote access to the corporate
  internal network over the Internet (IPsec or L2TP over IPsec)
The TMS zl Module also supports Generic Routing Encapsulation (GRE)
tunnels, which tunnel traffic transparently between two endpoints. The GRE
tunnels do not provide security, but they do support other non-IP traffic. You
can set up GRE over IPsec to enhance the security of the GRE tunnel.
Deployment Location for Perimeter Threat Protection
For perimeter threat protection, the TMS zl Module stands in-line between the
Internet router and the private network. The module receives network
traffic by:
- Acting as the default gateway for internal traffic
- Being the next-hop router in the route to the private network on the router
  that connects to the external network
You should typically install the module in a ProCurve 5400zl or 8200zl switch
in a location near the perimeter.