I am setting up a VGVA to terminate VPN connections from AP150Ws at several satellite offices and for WFH staff. We normally put things like this that expose an interface to the internet in a DMZ, so that is where I started with the VGVA, but it looks like the second interface on the VGVA is meant to be connected directly to an internal network segment in order to bridge L2 traffic from devices connected to the AP150. I feel like this is not a great idea, since if the VGVA is compromised it will give attackers an interface directly onto the internal network.
I am wondering what the recommended way to go about this is? I was thinking the first thing to try is connecting the VGVA’s second interface to a port on the firewall, and putting in rules to let the clients reach the internal network from there… and probably a DHCP relay.
Anyhow, I am interested to hear how you all have been setting this thing up and keeping it as secure as possible.
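As an added illustration of the "second interface to a firewall port, with rules and a DHCP relay" idea described in the post (this is example code, not anything from the original poster or from the VGVA/AP150W vendor), here is a generic nftables ruleset for a Linux firewall that owns the segment the appliance's bridged client-side interface plugs into. The interface names, subnets, server addresses and the use of ISC `dhcrelay` are all assumptions for illustration; the page names no firewall product or addressing.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux firewall running
# nftables, with one port facing the VPN appliance's client-side (bridged)
# interface and one port facing the internal LAN. All names/addresses below are
# illustrative assumptions.
VPN_IF="${VPN_IF:-eth2}"                 # firewall port wired to the appliance's 2nd interface
LAN_IF="${LAN_IF:-eth1}"                 # firewall port facing the internal LAN
VPN_NET="${VPN_NET:-10.50.0.0/24}"       # subnet handed out to VPN / AP clients
DHCP_SERVER="${DHCP_SERVER:-10.10.0.5}"  # internal DHCP server the relay forwards to
DNS_SERVER="${DNS_SERVER:-10.10.0.6}"    # internal resolver clients may use
FILE_SERVER="${FILE_SERVER:-10.10.0.20}" # one example of an explicitly allowed service

# Emit the ruleset as text so it can be reviewed (or diffed) before applying.
# Default policy on forward is drop: the VPN segment reaches only what is listed,
# instead of being bridged straight onto the LAN.
vpn_zone_ruleset() {
  cat <<EOF
table inet vpn_zone {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    # client DHCP broadcasts terminate on this firewall, where the relay runs
    iifname "$VPN_IF" udp sport 68 udp dport 67 accept
    # management only from the LAN side, never from the VPN segment
    iifname "$LAN_IF" tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # anti-spoofing: only the client subnet may originate on the VPN port
    iifname "$VPN_IF" ip saddr != $VPN_NET counter drop
    # the handful of internal services VPN clients are allowed to reach
    iifname "$VPN_IF" oifname "$LAN_IF" ip daddr $DNS_SERVER udp dport 53 accept
    iifname "$VPN_IF" oifname "$LAN_IF" ip daddr $DNS_SERVER tcp dport 53 accept
    iifname "$VPN_IF" oifname "$LAN_IF" ip daddr $FILE_SERVER tcp dport 445 accept
    # log what the policy is about to drop so blocked client traffic is visible
    iifname "$VPN_IF" counter log prefix "vpn_zone-drop " drop
  }
}
EOF
}

# Arguments for an ISC dhcrelay instance on the firewall: listen on the VPN
# segment and forward unicast to the internal DHCP server (assumed tooling).
dhcp_relay_args() {
  printf '%s\n' "-i $VPN_IF $DHCP_SERVER"
}

# Load the ruleset atomically; call this only on the firewall itself.
apply_ruleset() {
  vpn_zone_ruleset | nft -f -
}
```

Run `vpn_zone_ruleset` first and read the output; `apply_ruleset` replaces the table in one transaction, and `dhcrelay $(dhcp_relay_args)` starts the relay the post mentions. The point of the layout is that a compromised appliance lands on a segment whose forward policy is drop, not on the LAN.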