Basic Single Arm Mode details
This mode requires a free (Ethernet) network interface on the existing firewall which will act as a DMZ interface.
The SSL VPN gateway will be deployed on the created DMZ network and will use a single interface.
SSL-protected traffic from remote users will enter the Internet-facing interface of the existing firewall (WAN interface above) and will be forwarded through the DMZ interface to the SSL VPN gateway.
Traffic between the SSL VPN gateway and the internal network will be passed through the firewall’s DMZ and LAN interfaces.
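The flow described above can be checked against a firewall policy by probing it with traffic that should and should not pass. The following Python is an added example, not taken from the original article or from any vendor; the zone names, addresses, TCP port 443 and the first-match, default-deny rule model are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GATEWAY = "192.0.2.10"  # assumed DMZ address of the SSL VPN gateway
SSL_PORT = 443          # assumed TCP port the gateway listens on

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str             # CIDR
    dst: str             # CIDR
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"

def decide(rules, src_zone, dst_zone, src, dst, port):
    """First matching rule wins; unmatched traffic is denied (assumed model)."""
    for r in rules:
        if ((r.src_zone, r.dst_zone) == (src_zone, dst_zone) and r.port in (None, port)
                and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)):
            return r.action
    return "deny"

# Probe flows derived from the single-arm description: (flow, expected verdict)
PROBES = [
    (("WAN", "DMZ", "198.51.100.7", GATEWAY, SSL_PORT), "allow"),      # remote user to gateway
    (("WAN", "DMZ", "198.51.100.7", GATEWAY, 22), "deny"),             # other service on gateway
    (("WAN", "DMZ", "198.51.100.7", "192.0.2.20", SSL_PORT), "deny"),  # other DMZ host
    (("WAN", "LAN", "198.51.100.7", "10.0.0.5", 3389), "deny"),        # bypassing the gateway
    (("DMZ", "LAN", GATEWAY, "10.0.0.5", 3389), "allow"),              # gateway to internal host
    (("DMZ", "LAN", "192.0.2.20", "10.0.0.5", 3389), "deny"),          # non-gateway DMZ host
]

def audit(rules):
    """Return the probes whose verdict differs from the single-arm expectation."""
    return [(flow, want) for flow, want in PROBES if decide(rules, *flow) != want]

GOOD = [   # constructed policy that follows the described flow
    Rule("WAN", "DMZ", "0.0.0.0/0", "192.0.2.10/32", 443, "allow"),
    Rule("DMZ", "LAN", "192.0.2.10/32", "10.0.0.0/24", None, "allow"),
]
LOOSE = [  # constructed policy that opens the whole DMZ in both directions
    Rule("WAN", "DMZ", "0.0.0.0/0", "192.0.2.0/24", None, "allow"),
    Rule("DMZ", "LAN", "192.0.2.0/24", "10.0.0.0/24", None, "allow"),
]

if __name__ == "__main__":
    print(audit(LOOSE))
```

Calling `audit()` on a policy returns an empty list when every probe gets the expected verdict; each returned entry is a flow the policy handles differently from the single-arm design.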
Benefits of the Single Arm Mode
- Minimum impact on the current network layout; only a free Ethernet interface is needed on the current edge firewall.
- This firewall will take care of the routing.
- Network layer protection can be provided by the firewall for the SSL VPN gateway; to mention a few: DoS and DDoS protection or botnet/Geo IP filtering if available.
- As the traffic between the SSL VPN gateway and the internal network passes through the network firewall, an extra layer of protection can be achieved by having the firewall apply IPS, content and gateway antivirus inspection (if available); this is especially useful when the SSL VPN clients need network-level access.
Sonicwall Approach
Sonicwall offers full support for the Single Arm Mode and recommends this mode of deployment.
A Sonicwall SRA appliance can be easily integrated into a network protected at the edge by a Sonicwall NSA firewall as depicted below; the Sonicwall NSA firewall adds a layer of security with its IPS, gateway antivirus and content inspection, Flood Protection and Geo-IP & Botnet Filter features.
- The IPS, gateway antivirus and content inspection can be applied over the traffic between the SRA appliance and the internal network in both directions.
- The Flood Protection feature protects the SRA appliance from DoS and DDoS attacks.
- The Geo-IP & Botnet Filter options prevent remote devices that are part of botnets or located in suspicious countries from reaching the SRA appliance.
Summary
One of the most common modes of deployment for an SSL VPN appliance is the Single Arm Mode.
This mode allows a plug-and-play deployment experience as little change is required to the current network infrastructure.


