Beruflich Dokumente
Kultur Dokumente
Administration Guide
Release
7.1
Published: 2011-04-04
Part Number: , Revision 1
Copyright 2011, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
This product includes the Envoy SNMPEngine, developedby Epilogue Technology, an IntegratedSystems Company. Copyright 1986-1997,
Epilogue Technology Corporation. All rights reserved. This programand its documentation were developed at private expense, and no part
of themis in the public domain.
This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation
and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright
1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through
release 3.0 by Cornell University and its collaborators. Gated is based on Kirtons EGP, UC Berkeleys routing daemon (routed), and DCNs
HELLOrouting protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD
software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D.
L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Junos Pulse Secure Access Service Administration Guide
Revision History
February 2010Integrate Version 7.0 newfeatures
The information in this document is current as of the date listed in the revision history.
Copyright 2011, Juniper Networks, Inc. ii
ENDUSER LICENSE AGREEMENT
READTHIS ENDUSER LICENSE AGREEMENT (AGREEMENT) BEFORE DOWNLOADING, INSTALLING, OR USINGTHE SOFTWARE.
BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TOTHE TERMS
CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO
BINDTHE CUSTOMER) CONSENTTOBE BOUNDBYTHISAGREEMENT. IF YOUDONOTORCANNOTAGREE TOTHE TERMSCONTAINED
HEREIN, THEN (A) DONOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS
REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customers principal office is located in the Americas) or
Juniper Networks (Cayman) Limited(if theCustomers principal officeis locatedoutsidetheAmericas) (suchapplicableentity beingreferred
tohereinas Juniper), and(ii) thepersonor organizationthat originally purchasedfromJuniper or anauthorizedJuniper reseller theapplicable
license(s) for use of the Software (Customer) (collectively, the Parties).
2. The Software. In this Agreement, Software means the programmodules and features of the Juniper or Juniper-supplied software, for
which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by
Juniper in equipment which Customer purchased fromJuniper or an authorized Juniper reseller. Software also includes updates, upgrades
and newreleases of such software. Embedded Software means Software which Juniper has embedded in or loaded onto the Juniper
equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.
3. LicenseGrant. Subject to payment of the applicable fees andthe limitations andrestrictions set forth herein, Juniper grants to Customer
a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable formonly, subject to the
following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by
Customer fromJuniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units
for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access
Client software only, Customer shall use such Software on a single computer containing a single physical randomaccess memory space
and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines
(e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single
chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may
specify limits toCustomers useof theSoftware. Suchlimits may restrict usetoamaximumnumber of seats, registeredendpoints, concurrent
users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of
separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput,
performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use
of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software.
Customers use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customers right to use the Software expires 30 days after download, installation or use of the
Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not
extend or create an additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customers
enterprise network. Specifically, service provider customers are expressly prohibited fromusing the Global Enterprise Edition of the
Steel-Belted Radius software to support any commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase
the applicable license(s) for the Software fromJuniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees
not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized
copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the
Software, in any form, toany thirdparty; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product
in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper
equipment soldinthesecondhandmarket; (f) useany locked or key-restrictedfeature, function, service, application, operation, or capability
without first purchasing the applicable license(s) and obtaining a valid key fromJuniper, even if such feature, function, service, application,
operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the
iii Copyright 2011, Juniper Networks, Inc.
Software in any manner that extends or is broader than the uses purchased by Customer fromJuniper or an authorized Juniper reseller; (i)
use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that
the Customer did not originally purchase fromJuniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking
of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly
provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper,
Customer shall furnish such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper.
As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence,
which at a minimumincludes restricting access to the Software to Customer employees and contractors having a need to use the Software
for Customers internal business purposes.
7. Ownership. Juniper and Junipers licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to
the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance
of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies
of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty
statement that accompanies theSoftware(theWarranty Statement). Nothinginthis Agreement shall giverisetoany obligationtosupport
the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services
agreement. TOTHE MAXIMUMEXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA,
ORCOSTSORPROCUREMENTOFSUBSTITUTEGOODSORSERVICES, ORFORANYSPECIAL, INDIRECT, ORCONSEQUENTIALDAMAGES
ARISINGOUTOFTHISAGREEMENT, THESOFTWARE, ORANYJUNIPERORJUNIPER-SUPPLIEDSOFTWARE. INNOEVENTSHALLJUNIPER
BE LIABLE FOR DAMAGES ARISING FROMUNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE.
EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TOTHE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY
AND ALL WARRANTIES IN AND TOTHE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NOEVENT DOES
JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT
ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TOINTRUSION OR ATTACK. In no event shall Junipers or its suppliers
or licensors liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid
by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by
Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in
reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between
the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same
forman essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination
of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related
documentation in Customers possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from
the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction
shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All
payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in
connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing
Customers payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to
be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with
all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any
liability incurred by Juniper as a result of Customers non-compliance or delay with its responsibilities herein. Customers obligations under
this Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any
applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such
restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the
Software supplied to Customer may contain encryption or other capabilities restricting Customers ability to export the Software without
an export license.
Copyright 2011, Juniper Networks, Inc. iv
12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use,
duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS
227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer
with the interface information needed to achieve interoperability between the Software and another independently created program, on
payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use
such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.
14. ThirdParty Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products
or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement,
and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party
software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent
portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such
portions publicly available (such as the GNU General Public License (GPL) or the GNU Library General Public License (LGPL)), Juniper
will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three
years fromthe date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA
94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL
at http://www.gnu.org/licenses/lgpl.html .
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws
principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes
arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal
courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer
with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written
(including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an
authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained
herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing
by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity
of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the
Parties agree that the English version will govern. (For Canada: Les parties aux prsents confirment leur volont que cette convention de
mme que tous les documents y compris tout avis qui s'y rattach, soient redigs en langue anglaise. (Translation: The parties confirmthat
this Agreement and all related documentation is and will be in the English language)).
v Copyright 2011, Juniper Networks, Inc.
Copyright 2011, Juniper Networks, Inc. vi
Abbreviated Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii
Part 1 Getting Started
Chapter 1 Initial Verification and Key Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 Introduction to the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Part 2 Access Management Framework
Chapter 3 General Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Chapter 4 User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Chapter 5 Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Chapter 6 Virtual Desktop Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Chapter 7 Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Chapter 8 Authentication and Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Chapter 9 Authentication Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Chapter 10 Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Chapter 11 Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Chapter 12 Synchronizing User Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Part 3 Endpoint Defense
Chapter 13 Host Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Chapter 14 Cache Cleaner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Part 4 Remote Access
Chapter 15 Hosted Java Applets Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Chapter 16 Citrix Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Chapter 17 Lotus iNotes Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Chapter 18 Microsoft OWA Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Chapter 19 Microsoft Sharepoint Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Chapter 20 Web Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Chapter 21 File Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Chapter 22 Secure Application Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Chapter 23 Telnet/SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Chapter 24 Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
vii Copyright 2011, Juniper Networks, Inc.
Chapter 25 Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Chapter 26 Email Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Chapter 27 Network Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Part 5 SystemManagement
Chapter 28 General System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Chapter 29 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
Chapter 30 System Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Chapter 31 Logging and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Chapter 32 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
Chapter 33 Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Chapter 34 Delegating Administrator Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
Chapter 35 Instant Virtual System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
Chapter 36 SA Series Appliance and IDP Interoperability . . . . . . . . . . . . . . . . . . . . . . . . 923
Part 6 SystemServices
Chapter 37 SA Series Appliance Serial Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 935
Chapter 38 Customizable Admin and End-User UIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
Chapter 39 SA6000 Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
Chapter 40 SA4500 and SA6500 Series Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947
Chapter 41 Secure Access FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
Chapter 42 SA4500 and SA6500 FIPS Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Chapter 43 Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
Chapter 44 Multi-Language Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983
Chapter 45 Handheld Devices and PDAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
Chapter 46 Using IKEv2 with the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
Chapter 47 Writing Custom Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Part 7 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1023
Copyright 2011, Juniper Networks, Inc. viii
Junos Pulse Secure Access Service Administration Guide
Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii
Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviii
Obtaining Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviii
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviii
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxix
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxix
Part 1 Getting Started
Chapter 1 Initial Verification and Key Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Verifying User Accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Creating a Test Scenario to Learn SA Series Appliance Concepts and Best
Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Defining a User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Defining a Resource Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Defining an Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Defining an Authentication Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Defining a Sign-In Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Using the Test Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Default Settings for Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 2 Introduction to the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
SA Series Solution Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Securing Traffic With SA Series Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Authenticating Users With Existing Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Fine-Tuning Access to the SA Series SSL VPN Appliance and the Resources It
Intermediates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Creating aSeamless IntegrationBetweenthe SASeries SSL VPNAppliance and
the Resources It Intermediates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Protecting Against Infected Computers and Other Security Concerns . . . . . . . . . . 21
Ensuring Redundancy in the SA Series Environment . . . . . . . . . . . . . . . . . . . . . . . 22
Making the SA Series Interface Match My Companys Look-and-Feel . . . . . . . . . 22
Enabling Users on a Variety of Computers and Devices to Use the SASeries SSL
VPN Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Providing Secure Access for My International Users . . . . . . . . . . . . . . . . . . . . . . . . 23
Configuring the SA Series SSL VPN Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
ix Copyright 2011, Juniper Networks, Inc.
Network and Security Manager and the Infranet Controller . . . . . . . . . . . . . . . . . . 25
How the SA Series SSL VPN Appliance and NSM communicate . . . . . . . . . . 25
Available Services and Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . 26
DMI Communication with the SA Series SSL VPN Appliance . . . . . . . . . . . . . 27
Configuring Secure Access for the Initial DMI Connection . . . . . . . . . . . . . . . . . . . 27
Managing Large Binary Data Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Uploading and Linking Large Binary Data Files With NSM . . . . . . . . . . . . . . . . . . . 30
Importing Custom Sign-In Pages With NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Importing Antivirus LiveUpdate Settings With NSM . . . . . . . . . . . . . . . . . . . . . . . . 32
Importing Endpoint Security Assessment Plug-in (ESAP) Packages With
NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Uploading a Third-Party Host Checker Policy With NSM . . . . . . . . . . . . . . . . . . . . 34
Linking to a Third-Party Host Checker Policy Shared Object With NSM . . . . . . . . 35
Linking to a Secure Virtual Workspace Wallpaper Image Shared Object With
NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Importing Hosted Java Applets With NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Importing a Custom Citrix Client .cab File With NSM . . . . . . . . . . . . . . . . . . . . . . . 37
Junos Pulse Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Session Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Location Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Security Certificates on Junos Pulse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
User Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
SA Series Gateway Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Platform Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Junos Pulse Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Configuring a Role for Junos Pulse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Client Connection Set Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Creating a Client Connection Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configuring Connection Rules for Location Awareness . . . . . . . . . . . . . . . . . . . . . 47
Junos Pulse Component Set Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Creating a Client Component Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Junos Pulse Client Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Installing the Junos Pulse Client from the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Installing the Junos Pulse Client Using a Preconfiguration File . . . . . . . . . . . . . . . 53
Installing the Pulse Client Using Advanced Command Line Options . . . . . . . 55
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Part 2 Access Management Framework
Chapter 3 General Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Access Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Policies, Rules & Restrictions, and Conditions Overview . . . . . . . . . . . . . . . . . . . . 60
Accessing Authentication Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Accessing User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Accessing Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Policies, Rules & Restrictions, and Conditions Evaluation . . . . . . . . . . . . . . . . . . . 62
Dynamic Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Understanding Dynamic Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Understanding Standard Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Copyright 2011, Juniper Networks, Inc. x
Junos Pulse Secure Access Service Administration Guide
Enabling Dynamic Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Specifying Source IP Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Specifying Source IP Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Specifying Browser Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Specifying Certificate Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Specifying Password Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Specifying Session Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
IF-MAP Federation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
IF-MAP Federation Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
IF-MAP Federation Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
IF-MAP Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Task Summary: Configuring IF-MAP Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Configuring IF-MAP Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Configuring the IF-MAP Federation Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
IF--MAP Federation Network Timing Considerations . . . . . . . . . . . . . . . . . . . . . . . 82
Session-Export and Session-Import Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Default Session-Export and Session-Import Policy Action . . . . . . . . . . . . . . 85
Advanced Session-Export and Session-Import Policies . . . . . . . . . . . . . . . . . 85
Configuring Session-Export Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Session-Import Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Troubleshooting the IF-MAP Federation Network . . . . . . . . . . . . . . . . . . . . . . . . . 88
Viewing Active Users on the IF-MAP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Trusted Server List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Administrator and User Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
White List Flow Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Chapter 4 User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
User Roles Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
User Role Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Permissive Merge Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Configuration of User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Configuring General Role Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Role Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Specifying Role-Based Source IP Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Specifying Role Session Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Customizing the SA Series SSL VPN Appliance Welcome Page . . . . . . . . . . . . . 103
Defining Default Options for User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Customizing Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Customizing UI Views for User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Chapter 5 Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Resource Profile Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Defining Resource Profile Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Defining Resource Profile Autopolicies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Defining Resource Profile Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Defining Resource Profile Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Resource Profile Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
xi Copyright 2011, Juniper Networks, Inc.
Table of Contents
Chapter 6 Virtual Desktop Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Virtual Desktop Resource Profile Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Configuring a Citrix XenDesktop Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . 124
Configuring a VMware ViewManager Resource Profile . . . . . . . . . . . . . . . . . . . . . 125
Defining Bookmarks for a Virtual Desktop Profile . . . . . . . . . . . . . . . . . . . . . . . . . 126
Configuring the Client Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Connecting to the Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Chapter 7 Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Resource Policy Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Specifying Resources for a Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
General Notes About the Canonical Formats . . . . . . . . . . . . . . . . . . . . . . . . . 133
Specifying Server Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Resource Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Creating Detailed Rules for Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Writing a Detailed Rule for Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Customizing Resource Policy UI Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Chapter 8 Authentication and Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
About Authentication and Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Task Summary: Configuring Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . 143
About Anonymous Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Anonymous Server Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Defining an Anonymous Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Using an RSA ACE/Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Defining an ACE/Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Using Active Directory or NT Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Defining an Active Directory or Windows NT Domain Server Instance . . . . . . . . . 150
Multi-Domain User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Windows 2000 and Windows 2003 Multi-Domain Authentication . . . . . . . 152
Windows NT4 Multi-Domain Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 152
NT User Normalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Using the Kerberos Debugging Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Active Directory and NT Group Lookup Support . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Active Directory Lookup Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
NT4 Group Lookup Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Certificate Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Configuring a Certificate Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Using an LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Defining an LDAP Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Configuring LDAP Search Attributes for Meeting Creators . . . . . . . . . . . . . . . . . . 160
Enabling LDAP Password Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Enabling LDAP Password Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Supported LDAP Directories and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Troubleshooting LDAP Password Management on the SA Series
Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Using a Local Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Defining a Local Authentication Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . 165
Copyright 2011, Juniper Networks, Inc. xii
Junos Pulse Secure Access Service Administration Guide
Creating User Accounts on a Local Authentication Server . . . . . . . . . . . . . . . . . . 168
Configuring an NIS Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Configuring a RADIUS Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
User Experience for RADIUS Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Using CASQUE Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Defining an SA Series RADIUS Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Enabling RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
General RADIUS Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Understanding Clustering Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Understanding the Interim Update Feature . . . . . . . . . . . . . . . . . . . . . . . . . . 186
eTrust SiteMinder Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Authentication Using Various Authentication Schemes . . . . . . . . . . . . . . . . 190
Determining the Username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Configuring SiteMinder to Work with the SA Series SSL VPN Appliance . . . . . . . 191
Configuring the SiteMinder Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Creating a SiteMinder Authentication Scheme for the SA Series SSL VPN
Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Creating a SiteMinder Domain for the SA Series SSL VPN Appliance . . . . . . . . . 195
Creating a SiteMinder Realm for the SA Series SSL VPN Appliance . . . . . . . . . . 195
Creating a Rule/Response Pair to Pass Usernames to the SA Series SSL VPN
Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Configuring Secure Access to Work with SiteMinder . . . . . . . . . . . . . . . . . . . . . . . 197
Using SiteMinder User Attributes for Secure Access Role Mapping . . . . . . . . . . . 207
Defining a SiteMinder Realm for Automatic Sign-In . . . . . . . . . . . . . . . . . . . . . . 208
Debugging SiteMinder and Secure Access Issues . . . . . . . . . . . . . . . . . . . . . . . . 208
Configuring a SAML Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Using the Artifact Profile and POST Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Using the Artifact Profile Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Using the POST Profile Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Understanding Assertions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Creating a new SAML Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Configuring the SAML Server Instance to Use an Artifact Profile . . . . . . . . . . . . . 215
Configuring the SAML Server Instance to Use the POST Profile . . . . . . . . . . . . . . 215
About SAML 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
About Metadata Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Using the SA Series Appliance as a Service Provider . . . . . . . . . . . . . . . . . . . 217
Using the SA Series Appliance as an Identify Provider . . . . . . . . . . . . . . . . . . 217
Using the SA Series Appliance as a Policy Enforcement Point . . . . . . . . . . . 217
Configuring Global SAML 2.0 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Managing Metadata Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Configuring the SA Series SSL VPN Appliance as a Service Provider for SAML
2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Configuring the SA Series SSL VPN Appliance as an Identity Provider . . . . . . . . . 221
Configuring the SA Series SSL VPN Appliance as a Policy Enforcement Point . . 223
xiii Copyright 2011, Juniper Networks, Inc.
Table of Contents
Chapter 9 Authentication Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Authentication Realm Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Creating an Authentication Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Defining Authentication Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Role Mapping Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Specifying Role Mapping Rules for an Authentication Realm . . . . . . . . . . . . . . . . 231
Using the LDAP Server Catalog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Customizing User Realm UI Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Chapter 10 Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
About Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Task Summary: Configuring Sign In Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
About Configuring Sign In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Configuring User Sign In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Defining authorization-only access policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Defining Meeting Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Configuring Sign-In pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Configuring Standard Sign-In Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Chapter 11 Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
About Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
About Multiple Sign-In Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Task Summary: Configuring Multiple Authentication Servers . . . . . . . . . . . . . . . 253
Task Summary: Enabling SSOto Resources Protected by Basic
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Task Summary: Enabling SSO to Resources Protected by NTLM . . . . . . . . . . . . 254
Multiple Sign-In Credentials Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Configuring SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Configuring SAML SSO Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Creating a Single Sign-On POST Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Creating a SAM Access Control Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . 270
Creating a Trust Relationship Between SAML-Enabled Systems . . . . . . . . . . . . . 273
Configuring Trusted Application URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Configuring an Issuer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Configuring Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Configuring SSO Transactions: Artifact Profile . . . . . . . . . . . . . . . . . . . . 274
Configuring SSO Transactions: POST Profile . . . . . . . . . . . . . . . . . . . . . 275
Configuring Access Control Transactions . . . . . . . . . . . . . . . . . . . . . . . . 276
Configuring User Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Chapter 12 Synchronizing User Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
About User Record Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Enabling User Record Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Configuring the User Record Synchronization Authentication Server . . . . . . . . . 282
Configuring the User Record Synchronization Server . . . . . . . . . . . . . . . . . . . . . . 282
Configuring the User Record Synchronization Client . . . . . . . . . . . . . . . . . . . . . . 283
Configuring the User Record Synchronization Database . . . . . . . . . . . . . . . . . . . 284
Copyright 2011, Juniper Networks, Inc. xiv
Junos Pulse Secure Access Service Administration Guide
Part 3 Endpoint Defense
Chapter 13 Host Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Host Checker and Trusted Network Computing . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Task Summary: Configuring Host Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Creating Global Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Enabling Enhanced Endpoint Security Functionality . . . . . . . . . . . . . . . . . . . . . . 295
Enabling Connection Control Host Checker Policies (Windows Only) . . . . . . . . 297
Creating and Configuring New Client-side Host Checker Policies . . . . . . . . . . . . 298
Checking for Third-Party Applications Using Predefined Rules (Windows
Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Configuring a Predefined Antivirus Rule with Remediation Options . . . . . . . . . . 300
Configuring a Predefined Firewall Rule with Remediation Options (Windows
Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Configuring a Pre-defined AntiSpyware Rule (Windows Only) . . . . . . . . . . . . . . 303
Configuring Virus Signature Version Monitoring and Patch Assessment Data
Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Patch Management Info Monitoring and Patch Deployment . . . . . . . . . . . . . . . 306
Additional Functionality with Pulse 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
User Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Using a System Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Specifying Customized Requirements Using Custom Rules . . . . . . . . . . . . . . . . 309
Using a Wildcard or Environment Variable in a Host Checker Rule . . . . . . . . . . . . 315
Configuring Patch Assessment Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Using a System Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring Patch Assessment Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Using Third-party Integrity Measurement Verifiers . . . . . . . . . . . . . . . . . . . . . . . . 321
Configuring a Remote IMV Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Implementing the Third-Party IMV Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Implementing Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Executing Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
About Host Checker Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Remediating Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
General Host Checker Remediation User Experience . . . . . . . . . . . . . . . . . . 333
Configuring General Host Checker Remediation . . . . . . . . . . . . . . . . . . . . . . . . . 334
Upgrading the Endpoint Security Assessment Plug-In . . . . . . . . . . . . . . . . . . . . 336
Defining Host Checker Pre-Authentication Access Tunnels . . . . . . . . . . . . . . . . . 338
Specifying Host Checker Pre-Authentication Access Tunnel Definitions . . . . . . 339
Specifying General Host Checker Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Specifying Host Checker Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Client ActiveX Installation Delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Using Host Checker with the GINA Automatic Sign-In Function . . . . . . . . . . . . . 345
Installing Host Checker Automatically or Manually . . . . . . . . . . . . . . . . . . . . . . . 346
Using Host Checker Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Configuring Host Checker for Windows Mobile . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Requiring Junos Pulse Mobile Security for SA Series Gateway Access . . . . . 348
Using Proxy Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
xv Copyright 2011, Juniper Networks, Inc.
Table of Contents
Enabling the Secure Virtual Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Secure Virtual Workspace Restrictions and Defaults . . . . . . . . . . . . . . . . . . 350
Configuring the Secure Virtual Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Defining Secure Virtual Workspace Permissions . . . . . . . . . . . . . . . . . . . . . . . . . 352
Defining a Secure Virtual Workspace Application Policy . . . . . . . . . . . . . . . . . . . 353
Defining a Secure Virtual Workspace Security Policy . . . . . . . . . . . . . . . . . . . . . . 354
Defining Secure Virtual Workspace Environment Options . . . . . . . . . . . . . . . . . . 355
Defining Secure Virtual Workspace Remediation Policy . . . . . . . . . . . . . . . . . . . 356
Chapter 14 Cache Cleaner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
About Cache Cleaner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Setting Global Cache Cleaner Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Implementing Cache Cleaner Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Specifying Cache Cleaner Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
About Cache Cleaner Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Part 4 Remote Access
Chapter 15 Hosted Java Applets Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
About Hosted Java Applet Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Task Summary: Hosting Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Uploading Java Applets to Secure Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Signing Uploaded Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Creating HTML Pages That Reference Uploaded Java Applets . . . . . . . . . . . . . . 370
Accessing Java Applet Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Creating a Hosted Java Applet Resource Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Configuring Hosted Java Applet Resource Profile Bookmarks . . . . . . . . . . . . . . . 372
Creating Hosted Java Applets Bookmarks Through the User Roles Page . . . . . . 374
Required Attributes for Uploaded Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Required Parameters for Uploaded Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . 376
Use case: Creating a Citrix JICA 9.5 Java Applet Bookmark . . . . . . . . . . . . . . . . . 377
Chapter 16 Citrix Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
About Citrix Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Comparing Secure Access Access Mechanisms for Configuring Citrix . . . . . . . . 382
Creating Resource Profiles Using Citrix Web Applications . . . . . . . . . . . . . . . . . . 385
Chapter 17 Lotus iNotes Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Creating Resource Profiles Using the Lotus iNotes Template . . . . . . . . . . . . . . . . 391
Chapter 18 Microsoft OWA Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Creating Resource Profiles Using the Microsoft OWA Template . . . . . . . . . . . . . 395
Chapter 19 Microsoft Sharepoint Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Creating Resource Profiles Using the Microsoft Sharepoint Template . . . . . . . . 399
Chapter 20 Web Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Web Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Task summary: Configuring the Web Rewriting Feature . . . . . . . . . . . . . . . . . . . 404
Remote SSO Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Passthrough Proxy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Creating a Custom Web Application Resource Profile . . . . . . . . . . . . . . . . . . . . . 408
Copyright 2011, Juniper Networks, Inc. xvi
Junos Pulse Secure Access Service Administration Guide
Defining a Web Access Control Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Defining a Single Sign-On Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Defining a Caching Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Defining a Java Access Control Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Defining a Rewriting Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Defining a Web Compression Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Defining Web Resource Profile Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Specifying Web Browsing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Resource Policy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Writing a Web Access Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Defining Single Sign-On Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
About Basic, NTLM and Kerberos Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Writing the Basic, NTLM and Kerberos Resources . . . . . . . . . . . . . . . . . . . . . . . . 435
Writing a Basic Authentication, NTLMor Kerberos Intermediation Resource
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Writing a Remote SSOFormPOST Resource Policy . . . . . . . . . . . . . . . . . . . . . . . 441
Writing a Remote SSOHeaders/Cookies Resource Policy . . . . . . . . . . . . . . . . . . 443
Writing a Web Caching Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
About OWA and Lotus Notes Caching Resource Policies . . . . . . . . . . . . . . . . . . 447
Specifying General Caching Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Writing a Java Access Control Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Writing a Java Code Signing Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Creating a Selective Rewriting Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Creating a Passthrough Proxy Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Creating a Custom Header Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Creating an ActiveX Parameter Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Restoring the Default SA Series Appliance ActiveX Resource Policies . . . . . . . . 459
Creating Rewriting Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Writing a Web Compression Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Defining an OWA Compression Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . 465
Writing a Web Proxy Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Specifying Web Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Writing An HTTP 1.1 Protocol Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Creating a Cross Domain Access Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Defining Resource Policies: General Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Managing Resource Policies: Customizing UI Views . . . . . . . . . . . . . . . . . . . . . . . 470
Chapter 21 File Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
File Rewriting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Creating a File Rewriting Resource Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Creating a File Access Control Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Creating a File Compression Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Creating a Single Sign-On Autopolicy (Windows Only) . . . . . . . . . . . . . . . . . . . . 477
Configuring File Resource Profile Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Creating Windows File Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Creating Advanced Bookmarks to Windows Resources . . . . . . . . . . . . . . . . . . . . 481
Creating Windows Bookmarks that Map to LDAP Servers . . . . . . . . . . . . . . . . . . 482
xvii Copyright 2011, Juniper Networks, Inc.
Table of Contents
Defining General Windows File Browsing Options . . . . . . . . . . . . . . . . . . . . . . . . 482
Writing a File Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Windows File Resources Canonical Format . . . . . . . . . . . . . . . . . . . . . . . . . 483
Writing a Windows Access Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Writing a Windows SSO Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Writing a Windows Compression Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . 486
Defining General File Writing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Creating Unix File Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Creating Advanced Bookmarks to UNIX Resources . . . . . . . . . . . . . . . . . . . . . . . 489
Defining General Unix File Browsing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Defining UNIX/NFS File Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Canonical Format: UNIX/NFS File Resources . . . . . . . . . . . . . . . . . . . . . . . . 491
Writing UNIX/NFS Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Writing a Unix/NFS Compression Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . 492
Defining General UNIX/NFS File Writing Options . . . . . . . . . . . . . . . . . . . . . . . . . 493
Chapter 22 Secure Application Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Secure Application Manager Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Task Summary: Configuring WSAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Launching Network Connect During a WSAMSession . . . . . . . . . . . . . . . . . . . . . 497
Debugging WSAM Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
About WSAM Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Creating WSAM Client Application Resource Profiles . . . . . . . . . . . . . . . . . . . . . 499
Creating WSAM Destination Network Resource Profiles . . . . . . . . . . . . . . . . . . . 500
Specifying Applications and Servers for WSAM to Secure . . . . . . . . . . . . . . . . . . 501
Specifying Applications that Need to Bypass WSAM . . . . . . . . . . . . . . . . . . . . . 503
Specifying Role-Level WSAM Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Specifying Application Servers that Users can Access . . . . . . . . . . . . . . . . . . . . 506
Specifying Resource Level WSAM Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Using the WSAM Launcher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
JSAM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Task Summary: Configuring JSAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Using JSAM for Client/Server Communications . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Assigning IP Loopback Addresses to Servers . . . . . . . . . . . . . . . . . . . . . . . . . 515
Using Static Loopback Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
IP Loopback Address Considerations When Merging Roles . . . . . . . . . . . . . . 517
Resolving Host Names to Localhost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Configuring a PC that Connects to the SA Series Appliance Through a Proxy
Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Determining the SA Series Appliance-Assigned Loopback Address . . . . . . . . . . 519
Configuring External DNS Servers and User Machines . . . . . . . . . . . . . . . . . . . . 520
JSAMLinux and Macintosh Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Standard Application Support: MS Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Client/Server Communication Using JSAM . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Standard Application Support: Lotus Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Client/Server Communication Using JSAM . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Configuring the Lotus Notes Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Standard Application Support: Citrix Web Interface for MetaFrame (NFuse
Classic) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Copyright 2011, Juniper Networks, Inc. xviii
Junos Pulse Secure Access Service Administration Guide
Enabling Citrix Published Applications on the Citrix Native Client . . . . . . . . . . . . 526
Enabling Citrix Secure Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Creating a JSAM Application Resource Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Specifying Applications for JSAM to Secure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Specifying Role Level JSAM Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Automatically Launching JSAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Specifying Application Servers that Users Can Access . . . . . . . . . . . . . . . . . . . . 539
Specifying Resource Level JSAMOptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Chapter 23 Telnet/SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
About Telnet/SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Task summary: Configuring the Telnet/SSH Feature . . . . . . . . . . . . . . . . . . . . . . 544
Creating a Telnet/SSH Resource Profile: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Associating Bookmarks with Telnet/SSH Resource Profiles . . . . . . . . . . . . . . . . 546
Configuring General Telnet/SSH Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Writing a Telnet/SSH Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Chapter 24 Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
About Terminal services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Terminal Services User Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Task Summary: Configuring the Terminal Services Feature . . . . . . . . . . . . . . . . . 555
Terminal Services Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Configuring Citrix to Support ICA Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . 558
About Terminal Services Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Configuring a Windows Terminal Services Resource Profile . . . . . . . . . . . . . . . . . 561
Defining a Hosted Java Applet Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Defining a Bookmark for a Windows Terminal Services Profile . . . . . . . . . . . . . . 565
Creating a Windows Terminal Services Bookmark Through the User Roles
Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Defining Display Options for the Windows Terminal Services Session . . . . . . . . 567
Defining SSO Options for the Windows Terminal Services Session . . . . . . . . . . 568
Defining Application Settings for the Windows Terminal Services Session . . . . 568
Defining Device Connections for the Windows Terminal Services Session . . . . . 569
Defining Desktop Settings for the Windows Terminal Services Session . . . . . . . . 571
Creating a Citrix Terminal Services Resource Profile Using Default ICA
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Defining a Bookmark for a Citrix Profile Using Default ICA Settings . . . . . . . . . . . 572
Defining Display Options for the Citrix Terminal Services Session . . . . . . . . . . . . 575
Defining SSO Options for the Citrix Terminal Services Session . . . . . . . . . . . . . . 575
Defining Application, Auto-Launch, andSessionReliability Settings for the Citrix
Terminal Services Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Defining Device Connections for the Citrix Terminal Services Session . . . . . . . . . 577
Creating a Citrix Resource Profile That Uses a Custom ICA File . . . . . . . . . . . . . . 578
Defining a Bookmark for a Citrix Profile Using a Custom ICA File . . . . . . . . . . . . 580
Creating a Citrix Profile That Lists Published Applications . . . . . . . . . . . . . . . . . . 581
Defining a Bookmark for a Citrix Profile Listing Applications . . . . . . . . . . . . . . . . 582
Creating Session Bookmarks to Your Terminal Server . . . . . . . . . . . . . . . . . . . . . 584
Creating Advanced Terminal Services Session Bookmarks . . . . . . . . . . . . . . . . . 585
xix Copyright 2011, Juniper Networks, Inc.
Table of Contents
Creating Links froman External Site to a Terminal Services Session
Bookmark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Specifying General Terminal Services Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Configuring Terminal Services Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . 600
Specifying the Terminal Services Resource Option . . . . . . . . . . . . . . . . . . . . . . . 601
Using the Remote Desktop Launcher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Chapter 25 Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Secure Meeting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Task Summary: Configuring Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Scheduling Meetings Through the SA Series End-User Console . . . . . . . . . . . . . 606
Scheduling Meetings Through Microsoft Outlook . . . . . . . . . . . . . . . . . . . . . . . . 607
Sending Notification Emails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Joining Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Attending Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Conducting Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Presenting Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
About Instant Meetings and Support Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
About MySecureMeeting Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Joining MySecureMeeting Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Enabling and Configuring Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Permissive Merge Guidelines for Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . 619
Specifying Authentication Servers that Meeting Creators can Access . . . . . . . . 620
Configuring System-Level Meeting Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Troubleshooting Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Known Issues with SecureMeeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
Monitoring Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Chapter 26 Email Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
About the Email Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Choosing an Email Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Working with a Standards-Based Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Working with the Microsoft Exchange Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Exchange Server and IMAP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Exchange Server and POP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Exchange Server and Outlook Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . 631
About Lotus Notes and the Lotus Notes Mail Server . . . . . . . . . . . . . . . . . . . . . . 632
Enabling the Email Client at the Role Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Writing the Email Client Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Chapter 27 Network Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
About Network Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Task Summary: Configuring Network Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Network Connect Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Automatically Signing into Network Connect using GINA . . . . . . . . . . . . . . . . . . 641
Using GINA Chaining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
Network Connect Credential Provider for Windows Vista and Later . . . . . . . . . . 643
Smart Card Credential Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Launching Network Connect During a Windows Secure Application Manager
Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Copyright 2011, Juniper Networks, Inc. xx
Junos Pulse Secure Access Service Administration Guide
Logging In To Windows Through a Secure Tunnel . . . . . . . . . . . . . . . . . . . . . . . . 647
Network Connect Connection Profiles with Support for Multiple DNS
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Network Connect Incompatibility with Other VPN Client Applications . . . . . . . 648
Linux Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Client Side Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Network Connect Proxy Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Network Connect Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Network Connect Multicast Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Defining Network Connect Role Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
About Network Connect Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Defining Network Connect Access Control Policies . . . . . . . . . . . . . . . . . . . . . . . 656
Creating Network Connect Connection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Defining Network Connect Split Tunneling Policies . . . . . . . . . . . . . . . . . . . . . . . 664
Network Connect Resource Policy Configuration Use Case . . . . . . . . . . . . . . . . 666
About Network Connect Bandwidth Management Policies . . . . . . . . . . . . . . . . 667
User is Mapped to Multiple Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Writing a Network Connect Bandwidth Management Resource Policy . . . . . . . 670
Specifying IP Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Network Connect installer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Network Connect Installation Process Dependencies . . . . . . . . . . . . . . . . . 672
Network Connect Un-installation Process Dependencies . . . . . . . . . . . . . . 674
Network Connect Launcher (NC Launcher) Overview . . . . . . . . . . . . . . . . . . . . . 675
Launching Network Connect On Other Platforms . . . . . . . . . . . . . . . . . . . . . . . . 677
Troubleshooting Network Connect Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
nc.windows.app.23792 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
Version Conflict on Downgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
Error When Connecting to a FIPS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . 680
Part 5 SystemManagement
Chapter 28 General System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
General Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Internal and External Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Bonding Ports on the SA Series 6000 SSL VPN Appliance . . . . . . . . . . . . . 685
Bonding Ports on the SA Series 6500 SSL VPN Appliance . . . . . . . . . . . . . 686
Configuring the Internal and External Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Configuring SFP Ports on the SA Series 6000 SSL VPN Appliance . . . . . . . . . . 687
Configuring the Management Port on the SA Series 6000 SSL VPN
Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
Using VLANs with the SA Series Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Creating a New VLAN Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Creating a New VLAN Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Configuring Virtual Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
Configuring Static Routes for Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
Creating ARP Caches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
Specifying Host Names for the SA Series Appliance to Resolve Locally . . . . . . . 695
xxi Copyright 2011, Juniper Networks, Inc.
Table of Contents
Specifying IP Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Using Central Management Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Modifying Central Management Dashboard Graphs . . . . . . . . . . . . . . . . . . . 697
Configuring System Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Reviewing System Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Upgrading or Downgrading the SA Series Appliance . . . . . . . . . . . . . . . . . . 700
Setting System Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Downloading Application Installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Activating and Deactivating Emergency Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Setting Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Setting System-Wide Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Configuring Lockout Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Configuring NCP and JCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Installing a Juniper Software Service Package . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Configuring Your Management Port Network Settings Fromthe Serial
Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Configuring Your Management Port Network Settings Fromthe Adming
Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Adding Static Routes to the Management Route Table . . . . . . . . . . . . . . . . . . . . 712
Assigning Certificate to Management Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
Controlling Administrator Sign-In Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
Signing in Over the Management Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
Setting Role-Mapping Rules Using Custom Expressions . . . . . . . . . . . . . . . . . . . 714
Troubleshooting the Management Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
Using the Management Port on a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Importing Configurations to a System with the Management Port Enabled . . . . 715
Chapter 29 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
About Using Certificates on the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . 718
Using Device Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Importing Certificates Into the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . 720
Downloading a Device Certificate From the SA Series Appliance . . . . . . . . . . . . 722
Creating a Certificate Signing Request (CSR) for a New Certificate . . . . . . . . . . 723
Using Intermediate Server CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Importing Intermediate Server CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Using Multiple SA Series Device Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Task summary: Enabling Multiple Device Certificates . . . . . . . . . . . . . . . . . . 725
Associating a Certificate With a Virtual Port . . . . . . . . . . . . . . . . . . . . . . . . . 726
Associating Different Certificates with Different Virtual Ports . . . . . . . . . . . . . . . 726
Using a Trusted Client CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Enabling Trusted Client CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Automatically Importing a CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Manually Uploading CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Specifying Attributes for the Trusted Client CA Certificate . . . . . . . . . . . . . . . . . . 733
Specifying Client-side Certificate Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
Enabling Client CA Hierarchies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Enabling CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737
Sending CRL Download Requests to a Proxy Server . . . . . . . . . . . . . . . . . . . . . . 739
Specifying CDP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
Copyright 2011, Juniper Networks, Inc. xxii
Junos Pulse Secure Access Service Administration Guide
Enabling OCSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
Using Trusted Server CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
Uploading Trusted Server CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744
Renewing a Trusted Server CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745
Viewing Trusted Server CA Certificate Details . . . . . . . . . . . . . . . . . . . . . . . . . . . 745
Using Code-signing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
Additional Considerations for SUN JVM Users . . . . . . . . . . . . . . . . . . . . . . . . 747
Task Summary: Configuring the SA Series Appliance to Sign or Re-Sign Java
Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Importing a Code-Signing Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
About Two-Way SSL Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Task Summary: Configuring the SA Series Appliance for Two-Way SSL
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 750
Importing the Certificates for Two-Way SSL Handshake . . . . . . . . . . . . . . . . . . . 750
Mapping Resource Policies to the Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
Mapping an Client Authentication Auto-Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 752
Client Certificate Validation on the External and Virtual Ports . . . . . . . . . . . . . . . 752
Task Summary: Configuring for Client Certificate Validation . . . . . . . . . . . . . . . . 753
Selecting the Ports For Client Certification Validation . . . . . . . . . . . . . . . . . . . . . 753
Chapter 30 System Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
About System Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Specifying Archiving Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
Creating Local Backups of SA Series Appliance Configuration Files . . . . . . . . . . 758
Importing and Exporting SA Series Appliance Configuration Files . . . . . . . . . . . 760
Importing and Exporting IVS Configuration Settings . . . . . . . . . . . . . . . . . . . . . . 764
Importing and Exporting XML Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . 765
Creating and Modifying XML Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
Integrity Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Mapping the XML Instance to UI Components . . . . . . . . . . . . . . . . . . . . . . . . 771
Downloading the Schema File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Strategies for Working With XML Instances . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Importing and Exporting XML Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . 774
System Restarts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780
XML Import/Export Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
Importing to a System with the Management Port . . . . . . . . . . . . . . . . . . . . . . . 786
Using Operation Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
General Import Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
Pushing Configurations from one SA Series Appliance to Another . . . . . . . . . . . 788
Defining the Target SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Pushing the Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Archiving Secure Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Chapter 31 Logging and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Logging and Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Log File Severity Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Custom Filter Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
xxiii Copyright 2011, Juniper Networks, Inc.
Table of Contents
Dynamic Log Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Viewing and Deleting User Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800
Configuring the Log Monitoring Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Monitoring the SA Series Appliance as an SNMP Agent . . . . . . . . . . . . . . . . . . . 804
Viewing System Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
About Client-Side Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
Enabling Client-Side Logging and Global Options . . . . . . . . . . . . . . . . . . . . . 811
Enabling and Viewing Client-Side Log Uploads . . . . . . . . . . . . . . . . . . . . . . . . . . 812
Viewing General Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Viewing System Capacity Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Specifying Time Range and Data to Display in Graphs . . . . . . . . . . . . . . . . . 815
Configuring Graph Appearance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 815
Viewing Critical SystemEvents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Downloading the Current Service Package . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Editing the System Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Monitoring Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
Viewing and Cancelling Scheduled Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818
Adding Real Source IP Addresses to Log Messages . . . . . . . . . . . . . . . . . . . . . . . 819
Chapter 32 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
About Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
Simulating and Tracking Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
Simulating Events That Cause a Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
Tracking Events Using Policy Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 824
Recording a Trace File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825
Creating Snapshots of the SA Series Appliance System State . . . . . . . . . . . . . . 826
Creating TCP Dump Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
SA Series Appliance Network Connectivity Tools . . . . . . . . . . . . . . . . . . . . . . . . . 828
Address Resolution Protocol (ARP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
NSlookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Using UNIX Commands to Test Network Connectivity . . . . . . . . . . . . . . . . . . . . 829
Running NSLookup to Test Name Server Connectivity . . . . . . . . . . . . . . . . . . . . 829
Running Debugging Tools Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
Creating Debugging Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
Monitoring Cluster Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
Configuring Group Communication Monitoring on a Cluster . . . . . . . . . . . . . . . . 832
Configuring Network Connectivity Monitoring on a Cluster . . . . . . . . . . . . . . . . . 832
Chapter 33 Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
About Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Cluster Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
Example 1: Licenses Distributed Equally Among Nodes . . . . . . . . . . . . . . . . 837
Example 2: Licenses Distributed Unequally Among Nodes . . . . . . . . . . . . . 837
Example 3: Licenses Distributed Unequally Among Nodes (Extreme
Case) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Copyright 2011, Juniper Networks, Inc. xxiv
Junos Pulse Secure Access Service Administration Guide
Upgrading From Previous Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
Task Summary: Deploying a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839
Defining and Initializing a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
Joining an Existing Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Re-adding a Node to a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
Deploying Two Nodes in an Active/Passive Cluster . . . . . . . . . . . . . . . . . . . . . . . 844
Failing Over the VIP to Another Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
Deploying Two or More Units in an Active/Active Cluster . . . . . . . . . . . . . . . . . . 845
Synchronizing the Cluster State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Specifying Active/Passive, Active/Active, and Other Cluster Settings . . . . . . . . 849
Adding Multiple Cluster Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
General Cluster Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Managing Network Settings for Cluster Nodes . . . . . . . . . . . . . . . . . . . . . . . 852
Upgrading Clustered Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Upgrading the Cluster Service Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Changing the IP Address of a Cluster Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Deleting a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853
Restarting or Rebooting Clustered Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
Configuring the External VIP for An Active/Passive Cluster . . . . . . . . . . . . . . . . . 854
Admin Console Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
Monitoring Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
Troubleshooting Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857
Management IP Address Differs Fromthe Management IP Address Error
Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Serial Console Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Joining an SA Series Appliance to a Cluster Through Its Serial Console . . . . . . . 860
Disabling a Clustered SA Series Appliance Using Its Serial Console . . . . . . . . . . 861
Chapter 34 Delegating Administrator Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
About Delegating Administrator Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
Creating and Configuring Administrator Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
Specifying Management Tasks to Delegate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Delegating System Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Delegating User and Role Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866
Delegating User Realm Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866
Delegating Administrative Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866
Delegating Resource Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
Delegating Resource Profile Management . . . . . . . . . . . . . . . . . . . . . . . . . . 867
Delegating Access to IVS Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
Chapter 35 Instant Virtual System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
Instant Virtual System (IVS) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870
Deploying an IVS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
Virtualized SA Series Appliance Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
Signing In to the Root Systemor the IVS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Signing-In Using the Sign-In URL Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Signing-In Over Virtual Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
Signing-In Over a VLAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
Navigating to the IVS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
xxv Copyright 2011, Juniper Networks, Inc.
Table of Contents
IVS Configuration Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
Administering the Root System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
Configuring the Root Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
IVS Provisioning Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882
Configuring Sign-In Ports for IVS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
Virtual Local Area Network (VLAN) on Subscriber IVS . . . . . . . . . . . . . . . . . . . . 885
Configuring VLANs on the Virtualized SA Series Appliance . . . . . . . . . . . . . . . . 886
Adding Static Routes to the VLAN Route Table . . . . . . . . . . . . . . . . . . . . . . . . . . 887
Deleting a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
Loading the Certificates Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Creating a Virtual System (IVS Profile) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
IVS Initial Config Via Copy from the Root System or Another IVS . . . . . . . . . . . . 891
Use Cases for IVS Initial Config Via Copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892
Signing In Directly to the IVS as an IVS Administrator . . . . . . . . . . . . . . . . . . . . . 893
About Role-Based Source IP Aliasing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
Associating Roles with Source IP Addresses in an IVS . . . . . . . . . . . . . . . . . . . . . 894
Configuring Policy Routing Rules on the IVS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 895
Routing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
Overlapping IP Address Spaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
Define Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
Clustering a Virtualized SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 897
Accessing a DNS Server on the MSP Network . . . . . . . . . . . . . . . . . . . . . . . . . . . 898
Accessing a DNS Server on a Subscriber Company intranet . . . . . . . . . . . . . . . . 899
Configuring Network Connect for Use on a Virtualized SA Series Appliance . . . 900
Configuring a Centralized DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
About Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904
Rules Governing Access to Authentication Servers . . . . . . . . . . . . . . . . . . . 905
Configuring Authentication on a RADIUS Server . . . . . . . . . . . . . . . . . . . . . 905
Configuring Authentication on Active Directory . . . . . . . . . . . . . . . . . . . . . . 906
Delegating Administrative Access to IVS Systems . . . . . . . . . . . . . . . . . . . . . . . . 906
Accessing Standalone Installers on an IVS System . . . . . . . . . . . . . . . . . . . . . . . 907
Exporting and Importing IVS Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . 907
Using XML Import and XML Export on IVS Systems . . . . . . . . . . . . . . . . . . . . . . 909
Monitoring Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 910
Troubleshooting VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 910
IVS Use Case: Policy Routing Rules Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
Use Case: Configuring a Global Authentication Server for Multiple
Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
Use Case: Configuring a DNS/WINS Server IP Address per Subscriber . . . . . . . . 918
Use Case: Configuring Access to Web Applications and Web Browsing for Each
Subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918
Use Case: Configuring File Browsing Access for Each Subscriber . . . . . . . . . . . . 919
Use Case: Setting Up Multiple Subnet IP Addresses for a Subscribers
End-Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 920
Use Case: Configuring Multiple IVS Systems to AllowAccess to Shared
Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 921
Copyright 2011, Juniper Networks, Inc. xxvi
Junos Pulse Secure Access Service Administration Guide
Chapter 36 SA Series Appliance and IDP Interoperability . . . . . . . . . . . . . . . . . . . . . . . . 923
About IDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
Licensing: IDP Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924
IDP Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924
Configuring the SA Series SSL VPN Appliance to Interoperate with IDP . . . . . . . 925
Interaction Between the IC Series and IDP . . . . . . . . . . . . . . . . . . . . . . . . . . 926
Configuring IDP Sensor Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
Configuring the SA Series SSL VPN Appliance to Interoperate with IDP . . . . . . 928
Interaction Between the IC Series and IDP . . . . . . . . . . . . . . . . . . . . . . . . . . 929
Defining Automatic Response Sensor Event Policies . . . . . . . . . . . . . . . . . . . . . . 929
Identifying and Managing Quarantined Users Manually . . . . . . . . . . . . . . . . . . . . 931
Part 6 SystemServices
Chapter 37 SA Series Appliance Serial Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 935
Using the Serial Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 935
Rolling Back to a Previous SystemState Through the Serial Console . . . . . . . . . 936
Resetting an SA Series Device to the Factory Setting Using the Serial
Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937
Performing Common Recovery Tasks with the Serial Console . . . . . . . . . . . . . . 938
Chapter 38 Customizable Admin and End-User UIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
Customizable Admin and End-User UIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
Customizable End-User Interface Elements Overview . . . . . . . . . . . . . . . . . 942
Chapter 39 SA6000 Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
SA6000 Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
SA6000 Field-Replaceable Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 944
Chapter 40 SA4500 and SA6500 Series Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947
SA4500 and SA6500 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947
Standard Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947
SA Series 6500 Field-Replaceable Units . . . . . . . . . . . . . . . . . . . . . . . . . . . 948
Device Status LED Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 949
Ethernet Port LED Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 950
Replacing the Cooling Fans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 951
Replacing a Hard Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 952
Replacing IOC Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 952
Replacing a Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 954
Chapter 41 Secure Access FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
SA FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
SA FIPS Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958
Creating Administrator Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 959
Deploying a Cluster in a Secure Access FIPS Environment . . . . . . . . . . . . . . . . . 960
Creating a New Security World . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962
Recovering an Archived Security World . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 965
xxvii Copyright 2011, Juniper Networks, Inc.
Table of Contents
Chapter 42 SA4500 and SA6500 FIPS Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
FIPS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Name and Password Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 970
Initializing a Keystore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 971
Reinitializing the Keystore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 971
Joining a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
Importing Device Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973
Changing the Security Officer Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973
Changing the Web User Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
Resetting the HSMCard In Case Of An Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
Upgrading the HSM Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
Binary Importing and Exporting of the Keystore . . . . . . . . . . . . . . . . . . . . . . . . . . 975
FIPS Device Status LED Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975
Chapter 43 Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
About Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
Enabling System-Level Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981
Chapter 44 Multi-Language Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983
About Multi-Language Support for the SA Series SSL VPN Appliance . . . . . . . . 983
Encoding Files for Multi-Language Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Localizing the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Localizing Custom Sign-In and System Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . 985
Chapter 45 Handheld Devices and PDAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
Handheld Devices and PDAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
Task Summary: Configuring the SA Series SSL VPN Appliance for PDAs and
Handhelds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
Defining Client Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 990
Enabling WSAM on PDAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
Enabling ActiveSync For Handheld PDAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 992
Chapter 46 Using IKEv2 with the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
About IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
Extensible Authentication Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 996
Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 996
Task Summary: Configuring Secure Access for IKEv2 . . . . . . . . . . . . . . . . . . . . . 998
Defining the IKEv2 Role Mapping Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999
Enabling the IKEv2 Access Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
Configuring the IKEv2 Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
Chapter 47 Writing Custom Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Custom Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Elements Used in Custom Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
Wildcard Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1005
Distinguished Name Variables and Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
System Variables and Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
Using System Variables in Realms, Roles, and Resource Policies . . . . . . . . . . . . 1016
Using Multi-Valued Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
Specifying Multi-valued Attributes in a Bookmark Name . . . . . . . . . . . . . . . . . . 1018
Copyright 2011, Juniper Networks, Inc. xxviii
Junos Pulse Secure Access Service Administration Guide
Specifying Fetch Attributes in a Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1018
Specifying the homeDirectory Attribute for LDAP . . . . . . . . . . . . . . . . . . . . . . . . 1019
Part 7 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1023
xxix Copyright 2011, Juniper Networks, Inc.
Table of Contents
Copyright 2011, Juniper Networks, Inc. xxx
Junos Pulse Secure Access Service Administration Guide
List of Figures
Part 1 Getting Started
Chapter 2 Introduction to the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 1: The SA Series Appliance Working within a LAN . . . . . . . . . . . . . . . . . . . . . 17
Part 2 Access Management Framework
Chapter 3 General Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Figure 2: Security Checks Performed During a User Session . . . . . . . . . . . . . . . . . 63
Figure 3: Federation IF-MAP Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Figure 4: Session-Import and Session-Export Policies . . . . . . . . . . . . . . . . . . . . . 84
Chapter 4 User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Figure 5: Security Checks Performed by the SA Series Appliance to Create a
Session Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Chapter 5 Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Figure 6: Using Roles and Resource Policies to Configure Resources . . . . . . . . . . 115
Figure 7: Using Resource Profiles to Configure Resources . . . . . . . . . . . . . . . . . . . 116
Chapter 7 Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Figure 8: Resource Policy Evaluation Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Chapter 9 Authentication Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Figure 9: Server Catalog > Attributes Tab Adding an Attribute for LDAP . . . . . 234
Figure 10: Server Catalog > Groups Tab Adding LDAP Groups . . . . . . . . . . . . . 235
Figure 11: Server Catalog > Groups Tab Adding Active Directory Groups . . . . . 237
Chapter 11 Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Figure 12: Collecting and Submitting Credentials from Multiple Servers . . . . . . . 255
Figure 13: Artifact Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Figure 14: POST Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Figure 15: Access Control Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Part 3 Endpoint Defense
Chapter 13 Host Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Figure 16: Host Checker Creates a Tunnel froma Client to a Policy Server Behind
the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Part 4 Remote Access
Chapter 22 Secure Application Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Figure 17: Java Secure Application Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
xxxi Copyright 2011, Juniper Networks, Inc.
Figure 18: Java Secure Application Manager and Enhanced MS Exchange
Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Figure 19: Java Secure Application Manager and Enhanced Lotus Notes
Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Chapter 27 Network Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Figure 20: GINA Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
Part 5 SystemManagement
Chapter 30 System Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Figure 21: SA Series Object Referential Integrity Constraints . . . . . . . . . . . . . . . . 770
Chapter 33 Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Figure 22: Active/Passive Cluster Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
Figure 23: Active/Active Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Chapter 35 Instant Virtual System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
Figure 24: MSP Deployment Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872
Figure 25: IVS Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874
Figure 26: Setting a Static Route in MSP Network DNS or Application Servers . . 901
Chapter 36 SA Series Appliance and IDP Interoperability . . . . . . . . . . . . . . . . . . . . . . . . 923
Figure 27: SA Series Appliance and IDP Topology Scenario 1 . . . . . . . . . . . . . . . . 925
Figure 28: SA Series Appliance and IDP Topology Scenario 2 . . . . . . . . . . . . . . . 925
Part 6 SystemServices
Chapter 37 SA Series Appliance Serial Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 935
Figure 29: SA Series Serial Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 936
Copyright 2011, Juniper Networks, Inc. xxxii
Junos Pulse Secure Access Service Administration Guide
List of Tables
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviii
Part 1 Getting Started
Chapter 2 Introduction to the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 2: Configurable Parameters for Junos Pulse Connection Sets . . . . . . . . . . . 43
Table 3: Junos Pulse Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Part 2 Access Management Framework
Chapter 4 User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Table 4: View Menu Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Chapter 5 Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Table 5: Resource Profile Types and Configuration Information . . . . . . . . . . . . . . 116
Chapter 7 Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Table 6: DNS Hostname Special Characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Table 7: Port Possible Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Chapter 8 Authentication and Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Table 8: Supported Password Management Functions . . . . . . . . . . . . . . . . . . . . 163
Table 9: AD/NT Password Management Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Table 10: Attributes Common to both Start and Stop Messages . . . . . . . . . . . . . 176
Table 11: Start Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Table 12: Stop Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Table 13: RADIUS Role Mapping Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table 14: eTrust SiteMinder Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . 199
Table 15: eTrust SiteMinder Advanced Configuration Options . . . . . . . . . . . . . . . 204
Part 3 Endpoint Defense
Chapter 13 Host Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Table 16: Wildcard Characters for Specifying a File Name or Process Name . . . . 315
Table 17: Environment Variables for Specifying a Directory Path on Windows . . . 316
Table 18: Environment Variables for Specifying a Directory Path on Macintosh,
Linux and Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Part 4 Remote Access
Chapter 16 Citrix Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
xxxiii Copyright 2011, Juniper Networks, Inc.
Table 19: Accessing the Citrix Web Interface Server using Web Resource Profile
Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Chapter 20 Web Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Table 20: DNS hostname special characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Table 21: Port possible values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Table 22: Port Possible Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Table 23: Port Possible Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Table 24: OWA Caching Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Table 25: iNotes Caching Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Table 26: Predefined Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Chapter 22 Secure Application Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Table 27: WSAM Command Line Arguments . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Chapter 24 Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Table 28: Case-Insensitive Terminal Services Session Bookmark Parameter
Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Chapter 27 Network Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Table 29: Network Connect Compatibility with Third-Party VPN Clients . . . . . . 648
Table 30: Syntax for IP Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Table 31: Privilege Levels and Percent of Maximum Bandwidth . . . . . . . . . . . . . 668
Part 5 SystemManagement
Chapter 30 System Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Table 32: System Behavior When Editing Options . . . . . . . . . . . . . . . . . . . . . . . . 780
Table 33: Legal Operation Attribute Relationships . . . . . . . . . . . . . . . . . . . . . . . . 787
Chapter 31 Logging and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Table 34: Configuration Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Chapter 33 Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Table 35: Cluster Status Page Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
Table 36: Cluster Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857
Chapter 35 Instant Virtual System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
Table 37: VLAN1 Route Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 915
Table 38: VLAN2 Route Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 915
Table 39: VLAN3 Route Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 915
Table 40: VLAN4 Route Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 915
Table 41: VLAN1 Route Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 916
Table 42: VLAN2 route table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
Table 43: VLAN3 route table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
Table 44: VLAN4 route table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
Part 6 SystemServices
Chapter 40 SA4500 and SA6500 Series Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947
Table 45: Device Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 950
Copyright 2011, Juniper Networks, Inc. xxxiv
Junos Pulse Secure Access Service Administration Guide
Table 46: 4-Port Copper Gigabit Ethernet LEDs (available on IC4500 and
IC6500) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 950
Chapter 42 SA4500 and SA6500 FIPS Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Table 47: Status LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 976
Chapter 47 Writing Custom Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Table 48: Custom Expression Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
Table 49: System Variables and Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1007
xxxv Copyright 2011, Juniper Networks, Inc.
List of Tables
Copyright 2011, Juniper Networks, Inc. xxxvi
Junos Pulse Secure Access Service Administration Guide
About This Guide
Objective on page xxxvii
Audience on page xxxvii
Document Conventions on page xxxvii
Documentation on page xxxviii
Obtaining Documentation on page xxxviii
Documentation Feedback on page xxxviii
Requesting Technical Support on page xxxviii
Objective
This guide describes basic configuration procedures for Juniper Networks Secure Access
(SA). This document was formerly titled Secure Access Administration Guide. This
document is nowpart of the Junos Pulse documentation set.
Audience
This guide is designed for network administrators who are configuring and maintaining
a Juniper Networks SA Series device. To use this guide, you need a broad understanding
of networks in general and the Internet in particular, networking principles, and network
configuration. Any detailed discussion of these concepts is beyond the scope of this
guide.
Document Conventions
Table 1 on page xxxviii defines notice icons used in this guide.
xxxvii Copyright 2011, Juniper Networks, Inc.
Table 1: Notice Icons
Description Meaning Icon
Indicates important features or instructions. Informational note
Indicates a situation that might result in loss of data or hardware damage. Caution
Alerts you to the risk of personal injury or death. Warning
Alerts you to the risk of personal injury froma laser. Laser warning
Documentation
For a list of related SA documentation, see http://www.juniper.net/support/products/sa/.
If the information in the latest SA Release Notes differs fromthe information in the
documentation, followthe SA Release Notes.
Obtaining Documentation
To obtain the most current version of all Juniper Networks technical documentation, see
the products documentation page on the Juniper Networks web site at http://www.juni
per.net/techpubs.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback format ht
tps://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include
the following information with your comments:
Document name
Page number
Software release version
Requesting Technical Support
Technical product support is availablethroughtheJuniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
Copyright 2011, Juniper Networks, Inc. xxxviii
Junos Pulse Secure Access Service Administration Guide
JTAC policiesFor a complete understanding of our JTAC procedures and policies,
reviewthe JTACUser Guide locatedat http://www.juniper.net/us/en/local/pdf/resource-
guides/7100059-en.pdf .
Product warrantiesFor product warranty information, visit http://www.juniper.net/sup
port/warranty/ .
JTAC hours of operationThe JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problemresolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and reviewrelease notes: http://www.juni
per.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications: ht
tps://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum: http://www.juni
per.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
Toverify serviceentitlement by product serial number, useour Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see ht
tp://www.juniper.net/support/requesting-support.html .
xxxix Copyright 2011, Juniper Networks, Inc.
About This Guide
Copyright 2011, Juniper Networks, Inc. xl
Junos Pulse Secure Access Service Administration Guide
PART 1
Getting Started
Initial Verification and Key Concepts on page 3
Introduction to the SA Series Appliance on page 15
1 Copyright 2011, Juniper Networks, Inc.
Copyright 2011, Juniper Networks, Inc. 2
Junos Pulse Secure Access Service Administration Guide
CHAPTER 1
Initial Verification and Key Concepts
Verifying User Accessibility on page 3
Creating a Test Scenario to Learn SA Series Appliance Concepts and Best
Practices on page 4
Defining a User Role on page 5
Defining a Resource Profile on page 6
Defining an Authentication Server on page 7
Defining an Authentication Realmon page 9
Defining a Sign-In Policy on page 10
Using the Test Scenario on page 12
Default Settings for Administrators on page 13
Verifying User Accessibility
Youcaneasily createauser account inthesystemauthenticationserver for useinverifying
user accessibility to your SA Series Appliance. After creating the account through the
admin console, sign in as the user on the SA Series Appliance user sign-in page.
To verify user accessibility:
1. Fromthe admin console, choose Authentication > Auth. Servers.
2. Select the SystemLocal link.
3. Select the Users tab.
4. Click New.
5. Type testuser1 as the username and enter a password, and then click Save Changes.
The SA Series Appliance creates the testuser1 account.
6. Use another browser windowto enter the machines URL to access the user sign-in
page. The URL is in the format: https://a.b.c.d, where a.b.c.d is the machine IPaddress
youenteredintheserial consolewhenyouinitially configuredyour SASeries Appliance.
7. Click Yes\ when prompted with the security alert to proceed without a signed
certificate. The user sign-in page appears, indicating that you have successfully
connected to your SA Series Appliance.
3 Copyright 2011, Juniper Networks, Inc.
8. Enter the username and password you created for the user account and then click
Sign In to access the SA Series Appliance home page for users.
9. Enter the URL to an internal Web server in the Address box and click Browse. The SA
Series Appliance opens the Web page in the same browser window, so to return to
theSASeries Appliancehomepage, clickthecenter buttononthetoolbar that appears
on the target Web page.
10. Enter the URL to your external corporate site on the SA Series Appliance home page,
and click Browse. The SA Series Appliance opens the Web page in the same browser
window, so use the button on the toolbar to return to the SA Series Appliance home
page.
11. Click Browsing > Windows Files on the SA Series Appliance home page to browse
throughavailableWindows fileshares or Browsing>UNIX/NFSFiles tobrowsethrough
available UNIX NFS file shares.
Related
Documentation
Creating a Test Scenario to Learn SA Series Appliance Concepts and Best Practices
on page 4
Share (optional)If the share is missing, then star (*) is assumed, meaning ALL paths
match. The systemvariable <username> is allowed.
483 Copyright 2011, Juniper Networks, Inc.
Chapter 21: File Rewriting
Path (optional)Special characters allowed include:
Matches any character *
Matches any character except slash (/) %
Matches exactly one character ?
If the path is missing, then slash (/) is assumed, meaning only top-level folders are
matched. For example:
\\%.danastreet.net\share\<username>\*
\\*.juniper.com\dana\*
\\10.11.0.10\share\web\*
\\10.11.254.227\public\%.doc
Related
Documentation
Writing a Detailed Rule for Resource Policies on page 138
Using SystemVariables in Realms, Roles, and Resource Policies on page 1016
Writing a Windows Access Resource Policy
Information in this topic is provided for backwards compatibility. We recommend that
you configure access to Windows file servers through resource profiles instead, since
they provide a simpler, more unified configuration method.
To write a Windows access resource policy:
1. In the admin console, choose Users >ResourcePolicies >Files >Access >Windows.
2. On the Windows File Access Policies page, click NewPolicy.
3. Enter a name to label this policy (required) and a description of the policy. (optional)
4. In the Resources section, specify the resources to which this policy applies.
5. In the Roles section, specify:
Policy applies to ALL rolesTo apply this policy to all users.
Policy applies to SELECTEDrolesTo apply this policy only to users who are
mapped to roles in the Selected roles list. Make sure to add roles to this list from
the Available roles list.
Policyappliestoall rolesOTHERTHANthoseselectedbelowToapply this policy
to all users except for those who map to the roles in the Selected roles list. Make
sure to add roles to this list fromthe Available roles list.
6. In the Action section, specify:
AllowaccessTo grant access to the resources specified in the Resources list.
Check Read-only to prevent users fromsaving files on the server.
Deny accessTo deny access to the resources specified in the Resources list.
Copyright 2011, Juniper Networks, Inc. 484
Junos Pulse Secure Access Service Administration Guide
Use Detailed RulesTo specify one or more detailed rules for this policy.
7. Click Save Changes.
8. On the Windows File Access Policies page, order the policies according to howyou
want the SASeries Appliance to evaluate them. Keep in mind that once the SASeries
Appliance matches the resource requested by the user to a resource in a policys (or
a detailed rules) Resource list, it performs the specified action and stops processing
policies.
If you want to write a File resource policy that enables you to specify credentials for the
SA Series Appliance to submit to a file server when a user request matches a resource
in the Resource list, you can use the following procedure to do so. You can also configure
the SA Series Appliance to prompt users for credentials.
Related
Documentation
Creating a File Rewriting Resource Profile on page 475
Writing a Detailed Rule for Resource Policies on page 138
Writing a Windows SSOResource Policy
Information in this topic is provided for backwards compatibility. We recommend that
you configure access to Windows file servers through resource profiles instead, since
they provide a simpler, more unified configuration method.
To write a Windows credentials resource policy:
1. In the admin console, choose Users > Resource Policies > Files > SSO> Windows.
2. On the Windows Credentials Policies page, click NewPolicy.
3. Enter a name to label this policy (required) and a description of the policy. (optional)
4. In the Resources section, specify the resources to which this policy applies.
5. In the Roles section, specify:
Policy applies to ALL rolesTo apply this policy to all users.
Policy applies to SELECTEDrolesTo apply this policy only to users who are
mapped to roles in the Selected roles list. Make sure to add roles to this list from
the Available roles list.
Policyappliestoall rolesOTHERTHANthoseselectedbelowToapply this policy
to all users except for those who map to the roles in the Selected roles list. Make
sure to add roles to this list fromthe Available roles list.
6. In the Action section, specify the action to take when a resource requires credentials:
485 Copyright 2011, Juniper Networks, Inc.
Chapter 21: File Rewriting
Use SystemCredentialsIf the SA Series Appliance has stored credentials for the
specified user and resource in its cache, it submits the stored credentials. If the
stored credentials fail or if no stored credentials exist for that user, the SA Series
Appliance prompts for newcredentials and stores the newcredentials.
UseSpecificCredentialsYouspecifystaticcredentialsthat theSASeriesAppliance
submits to resources. The SA Series Appliance file browsing server maintains the
connections open to a server\share so connecting to a different folder on the same
share using a different account may not work reliably. If the specified credentials
fail, the SA Series Appliance may submit alternative credentials. Note that the SA
Series Appliance masks the password you enter here with asterisks.
Prompt for user credentialsThe SA Series Appliance intermediates the share
challenge by presenting an authentication challenge in the SASeries Appliance the
first time a user attempts to access the share. The user enters the credentials and
the credentials are stored in the SASeries Appliance. If the credentials later fail, the
SA Series Appliance again prompts the user for their credentials.
Use Detailed RulesTo specify one or more detailed rules for this policy.
7. Click Save Changes.
8. On the Windows File Access Policies page, order the policies according to howyou
want the SASeries Appliance to evaluate them. Keep in mind that once the SASeries
Appliance matches the resource requested by the user to a resource in a policys (or
a detailed rules) Resource list, it performs the specified action and stops processing
policies.
Related
Documentation
Creating a File Rewriting Resource Profile on page 475
About Single Sign-On on page 251
Writing a Detailed Rule for Resource Policies on page 138
Writing a Windows Compression Resource Policy
Information in this section is provided for backwards compatibility. We recommend that
youconfigurecompressionthroughresourceprofiles instead, sincethey provideasimpler,
more unified configuration method.
Compression policies specify which types of file data the SA Series Appliance should
compress when you enable GZIP compression through the Maintenance > System>
Options page of the admin console.
The SASeries Appliance comes pre-equipped with two file compression policies (*:*/*)
which compress all applicable file data. You may enable these policies through the
Resource Policies > Files > Compression pages of the admin console.
Copyright 2011, Juniper Networks, Inc. 486
Junos Pulse Secure Access Service Administration Guide
To write a Windows file compression resource policy:
1. In the admin console, choose Resource Policies > Files > Compression.
2. Select the Windows tab.
3. Click NewPolicy.
4. Enter a name to label this policy (required) and a description of the policy. (optional)
5. In the Resources section, specify the resources to which this policy applies.
6. In the Roles section, specify:
Policy applies to ALL rolesTo apply this policy to all users.
Policy applies to SELECTEDrolesTo apply this policy only to users who are
mapped to roles in the Selected roles list. Make sure to add roles to this list from
the Available roles list.
Policyappliestoall rolesOTHERTHANthoseselectedbelowToapply this policy
to all users except for those who map to the roles in the Selected roles list. Make
sure to add roles to this list fromthe Available roles list.
7. In the Action section, specify:
CompressTheSASeries Appliancecompresses thesupportedcontent types from
the specified resource.
Do not compressThe SA Series Appliance does not compress the supported
content types fromthe specified resource.
Use Detailed RulesTo specify one or more detailed rules for this policy.
8. Click Save Changes.
Related
Documentation
About Compression on page 979
Creating a File Compression Autopolicy on page 476
Specifying Resources for a Resource Policy on page 133
Creating a NewVLANPort
To create a VLAN port, performthe following steps:
1. Select System> Network > VLANs to open the VLAN Network Settings tab.
2. Click NewPort. If you are running a cluster, you must create the VLAN for the entire
cluster, not just for a single node.
3. Under VLAN settings, enter a name for the VLAN port.
4. Enter a VLAN ID.
NOTE: The VLANIDmust be between 1 and 4094 and must be unique on
the system.
5. Enter the IP address for the VLAN.
6. Enter a netmask for the VLAN.
7. Enter a default gateway for the VLAN.
8. Click Save Changes.
Related
Documentation
Creating a NewVLAN Port on page 691
Creating a NewVLANPort
To create a VLAN port, performthe following steps:
1. Select System> Network > VLANs to open the VLAN Network Settings tab.
2. Click NewPort. If you are running a cluster, you must create the VLAN for the entire
cluster, not just for a single node.
3. Under VLAN settings, enter a name for the VLAN port.
4. Enter a VLAN ID.
NOTE: The VLANIDmust be between 1 and 4094 and must be unique on
the system.
5. Enter the IP address for the VLAN.
6. Enter a netmask for the VLAN.
7. Enter a default gateway for the VLAN.
8. Click Save Changes.
691 Copyright 2011, Juniper Networks, Inc.
Chapter 28: General SystemManagement
Related
Documentation
Using VLANs with the SA Series Appliances on page 689
Configuring Virtual Ports
The SA Series enables you to create virtual ports for users such as employees who are
signing into the SA Series Appliance frominside your internal network. A virtual port
activates an IP alias on a physical port and shares all of the network settings (except IP
address) withtheport that hosts thevirtual port. AnIPalias is anIPaddress that is bound
to a virtual port. (Note that an IPalias is different fromthe SASeries Appliances primary
IPaddress, whichis arequiredsettingthat youconfigureduringtheinitializationprocess.)
You can also specify virtual ports as role-based source IP aliases. These aliases can
correspond to source IPaddresses that you specify on a backend network device as valid
addresses originating fromthe SASeries Appliances internal interface. For example, you
might want to use a firewall behind the SA Series Appliance to direct end-user traffic to
particular departments basedonsourceIPaddresses. Youcandefinearole-basedsource
IP alias for each departmental site. Each end-user is then directed to a specific location
based on their role through the use of the source IP alias.
You can use virtual ports in conjunction with the multiple device certificates feature to
provide users access to the same SA Series Appliance through different IP aliases.
You use virtual ports when using an SA Series Appliance configured with an IVS license.
In summary, you can use virtual ports for different purposes, depending on the physical
port on which you base the virtual port:
Configurevirtual ports ontheinternal port tosupport subnettinginthebackendnetwork
and role-based source IP aliasing. Also, if you have an IVS license, you can use virtual
ports to direct traffic to different virtual systems.
Configure virtual ports on the external port to support clustering and external sign-ins.
Configurevirtual ports ontheManagement Port tosupport redirectionof administrative
traffic.
Configure virtual ports on the SFP ports to support redirection of traffic to and from
those ports.
To create a virtual port for a stand-alone SA Series Appliance:
1. In the admin console, choose System> Network > Port Tab > Virtual Ports. The Port
Tab could be for any one of ports 1, 2, 3, 4, the internal or external ports, or the
Management Port.
2. Click NewPort.
3. Enter a unique name for the virtual port.
Copyright 2011, Juniper Networks, Inc. 692
Junos Pulse Secure Access Service Administration Guide
4. Enter a unique IP alias to associate with the virtual portdo not use an IP address
that is already associated with another virtual port. If you do not enter an IP address,
the SA Series Appliance does not activate the virtual port.
5. Click Save Changes.
If youneedtoassociatethevirtual port withadevicecertificate, usesettings intheSystem
> Configuration > Certificates > Device Certificates tab.
To create a virtual port on a cluster node:
1. In the admin console, choose System> Network > Port Tab > Virtual Ports. The Port
Tab could be for any one of ports 1, 2, 3, 4, the internal or external ports, or the
Management Port.
2. Fromthe Settings for drop-down list, select Entire cluster and then click Update.
3. Click NewPort.
4. Enter a unique name for the virtual port and then click Save Changes. The SA Series
Appliance adds the virtual port name to the Virtual Ports list and provides access to
each node in the cluster.
5. Click the link to a node to access the IP address configuration page. Enter a unique IP
alias to associate with the virtual portdo not use an IP address that is already
associated with another virtual port. If you do not enter an IP address, the SA Series
Appliance does not activate the virtual port.
6. Click SaveChanges. TheVirtual Ports pagereturns tothevirtual port tab. If necessary,
re-select Entire cluster fromthe Settings for drop-down list and then repeat the last
2 steps of this procedure.
To define subnet destinations based on roles:
1. Use settings in the System> Network > Internal Port tab to create virtual ports.
2. Modify one or more roles to point to the virtual ports, in the Users >Roles >RoleName
> General > Source IP page of the admin console.
3. Map your users to specific roles based on the subnet indicated by the source IP of the
role, in the Authentication > RealmName > Role Mapping page of the admin console.
To associate certificates with virtual ports:
1. Use settings in the System> Network > Internal Port tab to create virtual ports.
2. Use settings in the System> Configuration > Certificates > Device Certificates page
of the admin console to import the server certificates that you want to use to validate
user certificates. Also use this tab to specify which ports the SA Series Appliance
should associate with the certificates.
Related
Documentation
Associating Different Certificates with Different Virtual Ports on page 726
Client Certificate Validation on the External and Virtual Ports on page 752
693 Copyright 2011, Juniper Networks, Inc.
Chapter 28: General SystemManagement
Configuring Static Routes for Network Traffic
The SASeries SSL VPNAppliance enables you to addrouting table entries using settings
in the System> Network > Routes tab. All connection requests to internal resources
come fromthe SA Series Appliance internal port regardless of route settings. The route
settings on the external port are used only to route packets associated with connections
that are initiated by a remote client.
You can add static routes, if you want to indicate a specific route that the SA Series
Appliance should use when routing requests. You need to specify a valid IP address,
gateway, andDNSaddress. The metric is away of comparing multiple routes toestablish
precedence. Alower metric number, from0to 15, is a higher precedence. So, a route with
a metric of 2 would be chosen over a route with a metric of 14.
On the SA6000 Appliance, you can configure two additional ports, port 2 and port 3.
Although ports 2 and 3 appear to be equivalent to the Internal port, they are not, and by
default, the SA Series Appliance directs traffic to the Internal port when establishing an
outboundconnection. Therefore, if one of these two ports is connectedto a network that
the Internal port cannot reach, you need a static route for rewrites to access the
unreachable network. Otherwise, the rewrites might fail.
As a consequence, you need to configure static routes to those ports. The ports appear
in the drop down port menu as Port 2 and Port 3.
To specify static routes for network traffic:
1. In the admin console, choose System> Network > Routes.
2. Select a destination route table fromthe Viewroute table for: drop-down list.
3. Click NewRoute.
4. Enter the required information.
5. Click Add to [destination] route table.
Destinationroutetables may beavailablefor theInternal port, External port, Management
port, Port 2, and Port 3, depending on which hardware platformyou are configuring, or
for any VLANs you have defined.
NOTE: Port 2 and Port 3 are available only on the SA6000 and SA6500
Appliances.
Related
Documentation
Internal and External Ports on page 685
Creating ARP Caches
You can use ARP caching to determine the physical (MAC) address of a network device
such as a router or backend application server that connects to the SA Series Appliance.
Copyright 2011, Juniper Networks, Inc. 694
Junos Pulse Secure Access Service Administration Guide
Use the System> Network > Internal Port > ARP Cache tab to manage the following
types of ARP (address resolution protocol) entries:
Static entriesYou can add a static ARP entry to the cache associated with the IP
and MAC address. The SA Series Appliance stores static entries during reboots and
re-activates themafter re-booting. Static entries are always present on the SA Series
Appliance.
Dynamic entriesThe network learns dynamic ARP entries during normal use and
interactionwithother networkdevices. TheSASeries Appliancecaches dynamicentries
for up to 20 minutes and deletes themduring a reboot or when you manually delete
them.
You can viewand delete static and dynamic entries fromthe ARP cache as well as add
static entries. If you have a cluster of SA Series Appliances, note that ARP cache
information is node-specific. The SA Series Appliance only synchronizes ARP cache
information across non-multi-site clusters.
To add a static entry to the ARP Cache:
1. In the admin console, choose System> Network > Port Tab > ARP Cache. The Port
Tab could be for any one of ports 1, 2, 3, 4, the internal or external ports, or the
Management Port.
2. Enter the IP Address and the Physical Address in their respective fields at the top of
thetable. If youaddanentry containinganexistingIPaddress, theSASeries Appliance
overwrites theexistingentrywithyour newentry. Alsonotethat theSASeries Appliance
does not verify the validity of MAC addresses.
3. Click Add.
Specifying Host Names for the SASeries Appliance to Resolve Locally
Specify host names that the SA Series Appliance can resolve to IP addresses locally by
using the Hosts tab. This feature is useful when:
Your DNS server is not accessible to the SA Series Appliance.
You use WINS to access servers within the LAN.
Your corporatesecurity policy does not allowinternal servers tobelistedonanexternal
DNS or requires that internal host names are masked.
To specify host names for the SA Series Appliance to resolve locally:
1. In the admin console, choose the System> Network > Hosts tab.
2. Enter an IP address, a comma delimited list of host names that resolve to the IP
address, a comment of 200 words or less (optional), and then click Add.
695 Copyright 2011, Juniper Networks, Inc.
Chapter 28: General SystemManagement
Specifying IP Filters
You can specify IP filters for the SA Series Appliance to apply to Network Connect IP
pools fromthe System> Network > Network Connect tab. An IP pool is a specific range
of IP addresses available for Network Connect requests.
Specifying IP Filters to Apply to Network Connect IP Pools
To add an IP address to the Network Connect filter list:
1. In the admin console, choose System> Network > Network Connect.
2. Specify an IP address/netmask combination and then click Add. The SA Series
Appliance applies the filters specified on this page to the Network Connect IP Pool
resource policies that apply to a users request.
Specifying the Network Connect Server IP Address
The server-side Network Connect process uses the server IP address to communicate
with enterprise resources.
NOTE: Only change the Network Connect server IPaddress when instructed
to do so by the Juniper Networks Support team.
The Network Connect server IPaddress cannot be part of an IPaddress pool
specified as a part of a NCConnection Profile. That is, the IP address cannot
be in the range of the IP address pool configured for Network Connect or an
IP address that may be assigned by a DHCP server.
Related
Documentation
About Network Connect on page 636
Network Connect Connection Profiles with Support for Multiple DNS Settings on
page 647
Using Central Management Features
The Central management features consist of a two-tier (client/server) systemthat
enables you to manage multiple SASeries Appliances, regardless of whether or not they
are clustered. Central management features include:
SystemdashboardThe systemdashboard feature displays systemcapacity graphs
and alarms that allowyou to easily monitor the system. You can access the system
dashboard fromthe System> Status page of the admin console.
Improved logging and monitoringThe logging feature enables you to create custom
filters so that you may viewand save only those log messages that you choose in the
format of your choice. You can access the logging feature fromthe System>
Log/Monitoring page of the admin console.
Copyright 2011, Juniper Networks, Inc. 696
Junos Pulse Secure Access Service Administration Guide
Push configuration featureThe push configuration feature enables you to easily
push settings fromone SA Series Appliance to another for convenient centralized
management. You can access the push configuration feature fromthe Maintenance
> Push Config page of the admin console.
Minimal downtime upgradesThe minimal downtime upgrade feature enables you
to expedite upgrades across a cluster, ensuring that one cluster member is always
functional during the upgrade process. You can access the upgrade feature fromthe
Maintenance > System> Upgrade/Downgrade page of the admin console.
Deterministic cluster recoveryThe deterministic cluster recovery feature enables
you to assign ranks to various nodes in a cluster such that when a cluster recovers from
split-brain situation, the node with the highest rank propagates the correct cluster
state.
Improveduser interfaceTheadminconsolefor Central Manager includesanenhanced
appearance over the standard admin console for appliances with a user license.
Improved SNMP MIBThe enhanced SNMP MIB feature provides you with capacity
utilization metrics. You can download the improved MIB fromthe System>
Log/Monitoring > SNMP page of the admin console.
Saving local backupsThe local backups feature enables you to save up to 10 local
backups of systemand user configuration files on the SA Series Appliance. You can
access this feature through the Maintenance > Archiving > Local Backups page of the
admin console.
Modifying Central Management Dashboard Graphs
If you have installed the Central Manager upgrade on your SA Series Appliance, the
systemdashboard appears when you open the administrator console. The dashboard
displays systemcapacity graphs that allowyou to easily monitor your system.
If you want to analyze or display the information fromthese graphs using your own tools,
youmayusethegraphdownloadfeature. Fromthesystemdashboard, youmaydownload
the data fromeach of the graphs into an XML file. Then, you may use your own tools to
reformat or analyze the data in the XML files.
Central Management Dashboard Graphs XML Schemas
The XML files for all of the systemdashboard graphs contain the same basic XML
elements:
<xport>Top level element.
<meta>Second level element.
<start>Time that the systemcollected the first data point for the graph, in UTC
format.
<step>Interval at which the systemcollected data points for the graph, in seconds.
For example, the following XML entry indicates that the systemcollects data every
minute: <step>60</step>
<end>Timethat thesystemcollectedthelast datapoint for thegraph, inUTCformat.
697 Copyright 2011, Juniper Networks, Inc.
Chapter 28: General SystemManagement
<rows>Number of data points collected for the graph.
<columns>Number of metrics collected for the graph. (Corresponds to the number
of lines displayed in the graph in the administrator console.)
<legend>Contains a list of <entry> sub-elements that define the names of each of
the metrics collected for the graphs. For example, sub-elements for the Concurrent
Users graph may include:
<legend>
<entry>Local users</entry>
<entry>Concurrent users</entry>
</legend>
<data>Contains alist of <row>sub-elements that includetheperiodicdatacollected
for each entry. Each <row>element contains a <t>sub-element that includes the time
that the systemcollected the data and <v> sub-elements for each piece of data. For
example, a rowwithin the Concurrent Users graph may include:
<data>
<row>
<t>1089748980</t><v>2.1000000000e+01</v><v>2.1000000000e+01</v>
</row>
Sample XML Schema
The following sample shows the XML output for a Concurrent Users graph. (Note that
for the purposes of brevity, some of the original <row> elements have been deleted from
the sample.)
<xport>
<meta>
<start>1089748980</start>
<step>60</step>
<end>1089763440</end>
<rows>242</rows>
<columns>2</columns>
<legend>
<entry>Local users</entry>
<entry>Concurrent users</entry>
</legend>
</meta>
<data>
<row>
<t>1089748980</t><v>2.1000000000e+01</v><v>2.1000000000e+01</v>
</row>
<row>
<t>1089749040</t><v>2.1000000000e+01</v><v>2.1000000000e+01</v>
</row>
Copyright 2011, Juniper Networks, Inc. 698
Junos Pulse Secure Access Service Administration Guide
<row>
<t>1089749100</t><v>2.1000000000e+01</v><v>2.1000000000e+01</v>
</row>
...
<row>
<t>1089763440</t><v>NaN</v><v>NaN</v>
</row>
</data>
</xport>
Related
Documentation
Configuring SystemUtilities on page 699
Configuring SystemUtilities
The SA Series Appliance systemutilities enable you to manage your server, upgrade or
downgrade systemsoftware, enable version monitoring, and to download client
applications and services.
Reviewing SystemData
The Maintenance > System> Platformpage in the admin console lists systemdata and
contains controls for restarting, rebooting, or shutting downaSASeries Appliance. It also
contains a control to test server connectivity. When the SASeries Appliance is a member
of a cluster, this page lists additional, cluster-specific, systemdata and the controls
operate on a cluster-wide basis.
Restarting, Rebooting, Shutting Down, or Testing Server Connectivity
The Maintenance > System> Platformpage lists the following systemdata for an SA
Series Appliance:
ModelDisplays the model of the SA Series Appliance.
VersionDisplays the SA Series Appliances software version.
RollbackDisplays the software version to which the SA Series Appliance reverts
when you roll back the installed image.
Last RebootDisplays amount of time since the SA Series Appliances last reboot.
When the SA Series Appliance is a member of a cluster, the Platformpage lists the
following additional systemdata:
ClusterDisplays the name of the cluster to which the SA Series Appliance belongs.
MemberDisplays the SA Series Appliances cluster member name.
699 Copyright 2011, Juniper Networks, Inc.
Chapter 28: General SystemManagement
The Platformpage contains the following controls:
Restart Services/ClusterKills all processes and restarts the SA Series Appliance.
When the SA Series Appliance is a member of a cluster, this control kills all processes
and restarts all members of a cluster.
RebootPower cycles and reboots the SA Series Appliance. When the SA Series
Appliance is a member of a cluster, this control power cycles and reboots all members
of the cluster.
Shut downShuts down the SA Series Appliance, requiring you to press the reset
buttonontheappliancetorestart theserver. WhentheSASeries Applianceis amember
of a cluster, this control shuts down all members of a cluster, requiring you to press
thereset buttononall clusteredappliances torestart thecluster. Notethat themachine
power remains on after a server shutdown.
NOTE: If you want to restart, reboot, or shut down, or upgrade one SA
SeriesApplianceinacluster, youfirst disabletheSASeriesApplianceusing
the controls on the System> Clustering > Status page, and then return to
the Platformpage to employ the control of your choice.
RollbackRolls back the software image and reboots the SA Series Appliance. After
theSASeries Appliancereboots, theimageontheSASeries Applianceis automatically
rolled back to the image displayed in the Rollback field, above.
Test ConnectivitySends anICMPpingfromthe SASeries Appliance toall the servers
the SASeries Appliance is configuredtouse andreport their connectivity. Eachservers
status is reported under Server Connectivity Results.
Upgrading or Downgrading the SASeries Appliance
Youcaninstall adifferent servicepackageby first obtainingthesoftwarefromtheJuniper
Support Web site and then uploading it through the admin console. Package files are
encryptedandsignedsothat the SASeries Appliance server accepts only validpackages
issued by Juniper Networks. This measure prevents the SA Series Appliance server from
accepting Trojan horse programs.
This feature is typically used to upgrade to newer versions of the systemsoftware, but
you can also use this process to downgrade to a previous version or to delete all your
current configuration settings and start froma clean slate. You may also roll back to a
previous systemstate through the serial console.
You can upgrade or downgrade the SASeries Appliance fromthe Maintenance >System
> Upgrade/Downgrade page of the admin console.
NOTE: Installing a service package can take several minutes and requires
the SA Series Appliance to reboot. Because existing systemdata is backed
up during this process, you can decrease installation time by clearing your
systemlog before trying to install a service package.
Copyright 2011, Juniper Networks, Inc. 700
Junos Pulse Secure Access Service Administration Guide
Setting SystemOptions
You can set a number of systemoptions, such as:
EnableAutomaticVersionmonitoringKeepyour systemcurrent andsecurebyhaving
the SA Series Appliance notify you about critical software patches and updates. To
do this, it reports to Juniper Networks the following data: your company name, an MD5
hash of your license settings, and information describing the current software version.
Enable gzip compressionReduce download speeds when using HTTP
compressionenabled browsers.
Enable Kernel WatchdogEnables the kernel watchdog that automatically restarts
the systemunder kernel deadlock or when the kernel runs lowon some key resources.
NOTE: Enable the kernel watchdog only when instructed by Juniper
Networks Technical Support.
Enable File SystemAuto-clean FeatureEnables the systemto automatically clean
up the file systemwhen disk utilization reaches 90%. IMPORTANT: when enabled,
this feature may result in loss of data that may be relevant in debugging system
problems that occurred a week or earlier in the past.(i.e. old debuglogs, core files, and
snapshots may be removed.)
Java instrumentation cachingImprove the performance of downloading Java
applications.
End-user localizationEnd-user localizationSet thelanguageversionfor theend-user
browser, or accept the default.
Showauto-allowCopy bookmarks for roles to corresponding access control policies
when using resource policies.
External user records managementRemove old user records fromthe system. Use
with caution.
Set the following systemoptions fromMaintenance > System> Options:
1. Select the Automatic Version Monitoring check box to automatically receive
notifications of critical softwarepatches andupdates. For your protection, westrongly
recommend that you enable this automatic service. If necessary, you can disable the
service later.
2. Select the Enable gzip compression check box to reduce the amount of data sent to
browsers that support HTTP compression.
3. Select Enable Kernel Watchdog to allowthe SA Series Appliance to automatically
shut down in the event of an issue with the kernel.
4. Select Enable File SystemAuto-clean Feature to allowthe systemto automatically
clean up the file systemwhen disk utilization reaches 90%.
701 Copyright 2011, Juniper Networks, Inc.
Chapter 28: General SystemManagement
5. Select theEnableJavainstrumentationcachingcheckboxtoimprovetheperformance
of downloading Java applications. With Java instrumentation caching enabled, the
SASeries Appliancecaches Javaapplets accessedby endusers andserves thecached
applets to subsequent requests for the same applets.
6. Select the Enable SSL acceleration checkbox to off-load the encryption and
decryption of SSL handshakes fromthe appliance to the accelerator card.
NOTE: This option appears only if you have purchased an SA Series
Appliance equipped with the corresponding accelerator card.
7. If the ShowAuto-allowcheckbox is checked, deselect the checkbox if you want to
hide the auto-allowoption fromyourself or other administrators who create new
bookmarks for roles.
The auto-allowoption provides the means to automatically add bookmarks for a
given role to an access control policy, for example, Web bookmarks with auto-allow
set are added to the Web access control policy. You only use this feature if you also
use Resource Policies. We recommend that you use Resource Profiles instead.
8. Under the ShowAuto-allowoption, choose either:
Only this URLThis option restricts the bookmarks to be added to the access
control policy to the primary URL. For example, the URL http://www.company.com
would be added to the access control policy.
Everything under this URLThis option enables bookmarks to other paths under
the primary URL to be added to the access control policy. If you define additional
Web sites by role, you might want to include these in the access control policy. For
example, the following URLs are both added when you select this option:
http://www.company.com/sales
http://www.company.com/engineering
9. Usetheoptions under External User RecordsManagement toremoveolduser records
fromthe SA Series Appliance. This feature is useful when systemperformance is
affected due to a large number of user records. We highly recommend you consult
Juniper Networks Technical Support prior to using this feature.
Deleting a user record removes all persistent cookies, SSOinformation, and other
resources for that user on the SASeries Appliance. It does not remove the user record
fromthe external or internal authentication server. If you delete a user record and that
user logs back in to the authentication server, newuser records are created. Records
are not removed if that user is currently logged in.
Persistent user recordslimitEnter themaximumnumber of allowableuser records
on the SA Series Appliance.
Number of user records to delete when the limit is exceededEnter howmany
records to delete when the limit is exceeded. Older records are removed first. Auser
record is not deleted if that user is currently logged in.
Copyright 2011, Juniper Networks, Inc. 702
Junos Pulse Secure Access Service Administration Guide
DeleteRecordsNowClick this buttontocheck whether thepersistent user records
limit has been exceeded. If it is, delete the number of user records specified in the
option above.
Enableautomaticdeletionof user recordsduringnewuser loginsCheckwhether
the persistent user records limit will be exceeded whenever a newuser record is
about to be created. If true, delete the records prior to creating the user newrecord.
10. Select the language for the end-user browser fromthe End-user Localization drop
down menu.
11. Click Save Changes.
Related
Documentation
Setting Security Options on page 705
Downloading Application Installers
You can download an application or service as a Windows executable file, which enables
you to:
Distribute the file to client machines using software distribution tools. This option
enables you to install an application or service on client machines whose users do not
have Administrator privileges, which are required to install the application or service.
Post the executable in a secure repository so that users with the proper administrator
right may download and install the appropriate version.
Download and execute a script that automatically retrieves the proper version of the
installer froman FTP server.
These options allowyou to control which version of an application or service runs on
client machines.
Juniper Installer ServiceThe Juniper Installer Service allows users to download,
install, upgrade, and run client-side applications without administrator privileges. In
order to performthese tasks (which require administrator privileges), the Juniper
Installer Service runs under the clients Local Systemaccount (a powerful account
with full access to the system) and registers itself with Windows Service Control
Manager (SCM). An Active-X control or a Java applet running inside the users Web
browser communicates the details of the installation processes to be performed
through a secure channel between the SA Series Appliance and the client system.
When installing the Juniper Installer Service on client systems, note that:
Youneedadministrator privileges toinstall theJuniper Installer Service. For additional
information, see the Client-side Changes Guide on the Juniper Networks Customer
Support Center.
You should ensure that the Microsoft Windows Installer exists on the client system
prior to installing the Juniper Installer Service.
703 Copyright 2011, Juniper Networks, Inc.
Chapter 28: General SystemManagement
Your end-users client systems must containeither avalidandenabledJavaRuntime
Engine (JRE) or a current SA Series Appliance ActiveX control. If the client systems
do not contain either of these software components, the endusers will be unable to
connect to the gateway.
You should ensure that a valid JRE is enabled on your end-users client systems.
If there is no JRE on your end-users client systems, you should download an
appropriate installer package fromMaintenance > System> Installers.
The service appears in the Windows Services (Local) list as Neoteris Setup Service.
The service starts automatically on install and during client systemstart up.
Host CheckerThis installer (HCInst.exe) installs Host Checker on users systems.
Host Checker is a client-side agent that performs endpoint security checks on hosts
that connect to the SA Series Appliance.
If you decide to distribute Host Checker, make sure to uncheck the Autoupgrade Host
Checker option on the Authentication > Endpoint Security > Host Checker page.
OtherwisetheSASeries Appliancedownloads theHost Checker applicationtoausers
machine, which may not be the same version as the distributed version.
Third-party Integrity Measurement Verifier (IMV) ServerThis installer
(RemoteIMVServerInstall.exe) installs IMVs on users systems. IMVs are software
modules running on the SA Series Appliance that are responsible for verifying a
particular aspect of an endpoints integrity.
WindowsSecureApplicationManager for Windows2000/XP/VistaplatformsThis
installer (WSAMInstNt.exe) includes the NetBIOS version of W-SAM, which enables
users tomapdrives toWindows resources. Usethis versiontoinstall WSAMonWindows
2000 and Windows XP systems.
Junos Pulse for Windows Mobile 5.0PocketPC/6.0Classic/6.0ProfessionalThis
installer includes the PDA version of WSAM, nowcalled Junos Pulse. Use this version
to install Junos Pulse on Pocket PC systems.
Junos Pulse for Windows Mobile 5.0Smartphone/6.0Standard ProfessionalThis
installer includes the PDA version of WSAM, nowcalled Junos Pulse. Use this version
to install Junos Pulse on Smartphone systems.
Network Connect for WindowsThis installer (NcInst.exe) installs Network Connect
on Windows systems. Network Connect is a remote access mechanismthat provides
a VPN user experience.
NetworkConnect for MacOSXThisinstaller (NetworkConnect.dmg) installsNetwork
Connect onMacintoshOSXsystems. Network Connect is aremoteaccess mechanism
that provides a VPN user experience.
Network Connect for LinuxThis installer (ncui-1.2-1.i386.rpm) installs Network
Connect on Linux systems. Network Connect is a remote access mechanismthat
provides a VPN user experience.
Junos Pulse Installer (.exe)This installer installs all the Junos Pulse components.
Junos Pulse Installer (.msi)This installer installs all the Junos Pulse components.
Copyright 2011, Juniper Networks, Inc. 704
Junos Pulse Secure Access Service Administration Guide
Download all installers fromMaintenance > System> Installers.
Related
Documentation
SA Series Appliance Licensing
Activating and Deactivating Emergency Mode
The emergency mode feature allows you to temporarily enable the SA Series Appliance
for a large number of users.
To activate the SA Series Appliance in emergency mode, you must first install an In Case
of Emergency (ICE) license using the standard SA Series Appliance license installation
procedure. Then, when the emergency occurs, you can easily activate emergency mode
through the SA Series Appliance Web console. When your emergency has passed, you
should then deactivate the emergency mode.
NOTE: The ICE license is permanent until you activate emergency mode.
Activating emergency mode switches the ICE license to a temporary license
and only enables you to operate in emergency mode for 8 weeks. Once the
ICElicenseexpires, all features disappear andyour users cannolonger access
the SA Series Appliance using the emergency mode.
To activate or deactivate emergency mode:
1. In the Web console, select System> Configuration > Licensing.
2. Find the In Case of Emergency License entry in the license list. Sample ICE license
names include:
SA4000-ICE
SA4000-ICE-CL
SA6000-ICE
SA6000-ICE-CL
3. Click the Enable link in the right side of the license column to activate emergency
mode or click Disable to deactivate it.
When you enable and disable emergency mode, the SA Series Appliance decrements
the corresponding license in 5 minute intervals.
Related
Documentation
SA Series Appliance Licensing
Configuring License Options
Setting Security Options
Use the System> Configuration > Security page to change the default security settings
for your SA Series Appliance. We recommend that you use the default security settings,
705 Copyright 2011, Juniper Networks, Inc.
Chapter 28: General SystemManagement
whichprovide maximumsecurity, but youmay needtomodify these settings if your users
cannot use certainbrowsers or access certainWebpages. You canalsoconfigure lockout
options for protecting the SA Series Appliance and back-end systems from
DOS/DDOS/Password Guessing attacks fromthe same IP address.
Setting System-Wide Security Options
If any of your users experience browser problems when accessing certain Web pages,
consider adjusting the following settings:
Allowed SSL and TLS VersionSpecify encryption requirements for SA Series
Appliance users. The SA Series Appliance honors this setting for all Web server traffic,
including oNCP and Secure Email client, and all types of clients, including Pocket PC
and iMode. (The SA Series Appliance requires SSL version 3 and TLS by default.) You
can require users who have older browsers that use SSL version 2 to update their
browsers or change the SASeries Appliance setting toallowSSL version2, SSL version
3, and TLS.
Allowed Encryption StrengthThe SA Series Appliance requires 128-bit encryption
by default, or you can specify that the SASeries Appliance requires 168-bit encryption.
Older browsers, which pre-date the 2000 change in the U.S. export lawthat required
40-bit cipher encryption for international export, may still use 40-bit encryption. You
caneither requireusers toupdatetoabrowser with128-bit cipher encryptionor change
the required encryption strength to also allow40-bit ciphers.
If you select the Accept only 168-bit and greater option, the SA Series Appliance gives
preference to 256-bit AES over 3DES.
If youselect theAccept only 128-bit andgreater optionor theAccept 40-bit andgreater
option, the SA Series Appliance gives preference to RC4 ciphers.
To specify a combination of cipher suites for the incoming connection fromthe users
browser, choose the CustomSSL Cipher Selection option under Allowed Encryption
Strength. If you select the AES/3DES option, the SASeries Appliance gives preference
to256-bit AESover 3DES. Thesameselectedcustomciphers arealsousedfor backend
rewriter connections. The SA Series Appliance gives preference to 256-bit AES
encryption for incoming SSL connections to the mail proxy.
NOTE: When using 168-bit encryption on the SA Series Appliance, some
Web browsers may still show128-bit encryption (the gold lock on the
browser status bar) even though the connection is 168-bit. This is typically
a limitation of the browsers capability.
If you are using the FIPS IC6500 version SA Series Appliance, you can choose High,
Mediumor Lowsecurity cipher suites. AES/3DES High and AES Mediumcheck boxes
are recommended for FIPS deployment.
Encryption Strength optionNormally, the allowed encryption strength is enforced
after an SSL session is established, so that a user connecting with a disallowed
encryption strength receives a Web page describing the problem. This option prevents
a browser with a weak cipher fromestablishing a connection.
Copyright 2011, Juniper Networks, Inc. 706
Junos Pulse Secure Access Service Administration Guide
SSL Handshake Timeout optionDetermines howmany seconds before the SSL
handshake times out. The default is 60 seconds.
SSL Legacy Renegotiation Support option SSL and Transport Layer Security (TLS)
renegotiations can be subjected to serious man-in-the-middle (MITM) attacks that
can lead to abuse possibilities. A newTLS extension (defined in RFC 5746) ties
renegotiations to the TLS connections they are being performed over to prevent these
kinds of attacks. The SSL Legacy Renegotation Support option is enabled by default
and allows renegotiation between clients and servers even if they do not support the
newTLS extension. Disable this option to not allowrenegotiations between clients
andservers that donot support the newTLSextension. Awebserver restart is required
when you change the value of this option.
NOTE: The SSL Legacy Renegotiation Support option is not available for
IVS.
Delete all cookies at session terminationFor convenience, the SA Series Appliance
sets persistent cookies on the users machine to support functions such as multiple
sign-in, last associated realm, and the last sign-in URL. If you desire additional security
or privacy, you may choose to not set them.
IncludesessioncookieinURLMozilla1.6andSafari may not pass cookies tothe Java
Virtual Machine, preventing users fromrunning JSAMand Java applets. To support
these browsers, the SASeries Appliance caninclude the user sessioncookie inthe URL
that launches JSAMor a Java applet. By default, this option is enabled, but if you have
concerns about exposing the cookie in the URL, you can disable this feature.
Last Login optionsDisplay the day and time and IP address the user last logged in
to the system. For users, this information appears on their bookmark page. For
administrators, this information appears on the SystemStatus Overviewpage. These
settings do not apply to the customstart page option on Role UI Options page.
SAMLversionBy default, theSASeries Applianceuses SAML1.1 protocol andschema.
If are using SAML 1.0 in your environment, select the SAML 1.0 option.
Configuring Lockout Options
You can configure the following Lockout options to protect the SA Series Appliance and
other systems fromDenial of Service (DoS), Distributed Denial of Service (DDoS), and
password-guessing attacks fromthe same IP address:
NOTE: Lockout options are not available to IVS systems. All other security
options are available to IVS systems.
RateSpecify the number of failed sign-in attempts to allowper minute.
AttemptsSpecify the maximumnumber of failed sign-in attempts to allowbefore
triggering the initial lockout. The SA Series Appliance determines the maximuminitial
period of time (in minutes) to allowthe failed sign-in attempts to occur by dividing the
707 Copyright 2011, Juniper Networks, Inc.
Chapter 28: General SystemManagement
specified number of attempts by the rate. For example, 180attempts divided by a rate
of 3 results in a initial period of 60minutes. If 180or more failed sign-in attempts occur
within 60minutes or less, the SASeries Appliance locks out the IP address being used
for the failed sign-in attempt.
Lockout periodSpecify the number of minutes you want the SA Series Appliance to
lock out the IP address.
The SA Series Appliance reacts quickly to an attack that persists, and then gradually
becomes less restrictive when the attack subsides. After a lockout occurs, the SA Series
Appliance gradually recovers by maintaining the Rate. If the current failure rate since the
last lockout exceeds the specified Rate, the SASeries Appliance locks out the IPaddress
again. If the failure rate is less than the specified Rate for the period of Attempts/Rate,
the SA Series Appliance returns to the initial monitoring state.
For example, if you use the following settings for the Lockout options, the SA Series
Appliance locks out the IP address for the time periods in the following scenario.
Rate = 3 failed sign-in attempts/minute
Attempts = 180 maximumallowed in initial period of 60 minutes (180/3)
Lockout period = 2 minutes
1. During a period of three minutes, 180 failed sign-in attempts occur fromthe same
IPaddress. Becausethespecifiedvaluefor Attempts occurs inless thantheallowed
initial periodof 60minutes (180/3), theSASeries Appliancelocks out theIPaddress
for 2 minutes (4th and 5th minutes).
2. In the 6th minute, the SA Series Appliance removes the lock on the IP address and
begins maintaining the rate of 3 failed sign-in attempts/minute. In the 6th and 7th
minutes, the number of failed sign-in attempts is 2 per minute, so the SA Series
Appliance does not lock the IPaddress. However, when the number of failedsign-in
attempts increases to5inthe8thminute, whichis atotal of 9failedsign-inattempts
within 3 minutes, the SA Series Appliance locks out the IP address for 2 minutes
again (9th and 10th minutes).
3. In the 11th minute, the SA Series Appliance removes the lock on the IP address and
begins maintaining the rate of 3 failed sign-in attempts/minute again. When the
rate remains belowan average of 3/minute for 60minutes, the SASeries Appliance
returns to its initial monitoring state.
In environments where two or more users share the same IP address (as seen by the SA
Series Appliance), the lockout feature prevents all users fromlogging in fromthe shared
IP address even when only one of themis the offending user. Sharing of the IP address
as seen by the SA Series Appliance can happen when, for example, users are logging in
frombehind a NAT box.
Related
Documentation
Configuring SystemUtilities on page 699
Copyright 2011, Juniper Networks, Inc. 708
Junos Pulse Secure Access Service Administration Guide
Configuring NCP and JCP
The following types of internal protocols are used to communicate between the SA
Series Appliance server and client applications:
NetworkCommunications Protocol (NCP)StandardNCPhas beenreplacedby oNCP.
Windows client applications, including the Secure Meeting Windows client, WSAM,
and Terminal Services fallback to NCP if oNCP fails.
OptimizedNCP(oNCP)OptimizedNCP(oNCP) significantlyimproves thethroughput
performance of the client applications over NCP because it contains improvements
to protocol efficiency, connection handling, and data compression. Windows client
applications, including the Secure Meeting Windows client, WSAM, Network Connect
and Terminal Services use oNCP by default.
Java Communications Protocol (JCP)JCP is the Java implementation of standard
NCP. The SA Series Appliance uses JCP to communicate with Java client applications,
including the Secure Meeting Java client, JSAM, and the Java Content Intermediation
Engine.
To set NCP options:
1. In the admin console, choose System> Configuration > NCP.
2. (Windows clients) Under NCP Auto-Select, select:
Auto-select Enabled (recommended)Use the oNCP by default. If you select this
option, the SA Series Appliance uses oNCP for most client/server communications
andthenswitches tostandardNCPwhennecessary. TheSASeries Appliancereverts
to NCP if the user is running an unsupported operating system, browser type, or
combinationthereof, or if theclient applicationfails toopenadirect TCPconnection
to the SA Series Appliance for any reason (for instance, the presence of a proxy,
timeout, disconnect).
Auto-select DisabledAlways use standard NCP. This option is primarily provided
for backwards compatibility.
NOTE: If you are using Network Connect to provide client access, we
recommend that you exercise caution when employing the Auto-select
Disabled option, as Mac and Linux clients cannot connect using the
traditional NCP protocol. If you disable the oNCP/NCP auto-selection
feature and a UDP-to-oNCP/NCP fail-over occurs, the SA Series
Appliance disconnects Macintosh and Linux clients because the SA
Series Appliance fails over fromUDP to NCP (instead of oNCP), which
does not support these users.
3. (Javaclients) Under ReadConnectionTimeout, set thetimeout interval for Javaclients
(15-120 seconds). If client-side secure access methods do not receive data fromthe
SA Series Appliance for the specified interval, they try to reestablish a connection to
709 Copyright 2011, Juniper Networks, Inc.
Chapter 28: General SystemManagement
the SASeries Appliance. Note that this value does not apply to user inactivity in client
applications.
4. (Windows clients) Under Idle Connection Timeout, set the idle connection interval.
This timeout interval determines howlong the SA Series Appliance maintains idle
connections for client-side Windows secure access methods.
5. Click Save Changes.
Installing a Juniper Software Service Package
Theadminconsolelets youinstall anewservicepackageimmediately or stagetheservice
package. Staging lets you to push the package to a directory on the SA Series Appliance
before the planned maintenance time and then install the package during the
maintenance window. Note that staging does not provide the ability to schedule the
installationof thestoredservicepackage. It only pushes theservicepackagetothedevice
without installing it. You must still manually start the installation process.
For clusters, werecommendyoustagetheservicepackageat eachcluster node, especially
for slower networks. This reduces the upgrade time by allowing each node to upgrade
simultaneously insteadof havingonenodepushtheupgradeprocess toeachof theother
clusters nodes. Note, however, that the service package revision at the node where you
first start the installation process overwrites the service package revision at the other
clusters nodes if they are different. For example, suppose you stage service packages
at clusterNode1, clusterNode2 and clusterNode3. Nowstart the upgrade process on
clusterNode3. The service pack revision on clusterNode1 is compared to clusterNode3. If
it is different, then the service package on clusterNode3 is pushed to clusterNode1 before
clusterNode1 starts its upgrade. If the revisions are the same, then clusterNode3 does not
push its service package to clusterNode1. Similarly for clusterNode2.
Before installing a newservice package, please export your current systemconfiguration,
local user accounts, customized user settings, and role and policy information.
To install a service package:
1. Browse to the Juniper Networks Customer Support Center and obtain the desired
service package.
2. In the admin console, select Maintenance > System> Upgrade/Downgrade.
3. Click Browse to find the service package on your hard drive that you obtained from
the Juniper Networks Customer Support Center. If you want to delete your current
configuration settings but continue to use the same SA Series Appliance version,
choose the service package that is currently installed on your appliance.
4. Alternately, select the Upload newpackage into staging area option button and
Browse for a locally stored file and select the option button for Fromstatedpackage.
5. If youarerollingbacktoanolder servicepackageor deletingyour configurationsettings,
select Delete all systemand user data.
Copyright 2011, Juniper Networks, Inc. 710
Junos Pulse Secure Access Service Administration Guide
NOTE: If you choose to revert to delete all systemand user data fromthe
appliance using this option, you will have to reestablish network
connectivity before reconfiguring the system. Also note that you cannot
roll back to a version lower than 3.1.
6. Select the service package file and click Install Now.
Related
Documentation
Configuring SystemUtilities on page 699
Configuring Your Management Port Network Settings Fromthe Serial Console
To configure your Management Port network settings fromthe serial console
1. Start a serial console session.
2. Select item1, SystemSettings and Tools.
3. Select item10, ConfigureManagement port. Thetext indicates if theoptionis enabled
or disabled.
4. Enter the network settings for the Management Port, as prompted.
NOTE: If you enable the Management Port but neglect to configure the
IP address and netmask, the port reverts to a disabled state. Also, you
cannot clear Management Port settings fromthe serial console when the
port isdisabled, thoughyoucanclear themfromwithintheadminconsole.
5. When prompted to accept the changes, if they are correct, enter y. Otherwise, repeat
the process to correct the settings.
6. Close the serial console.
Related
Documentation
Configuring Your Management Port Network Settings Fromthe Adming Console on
page 711
</object3>
</object2>
</object1>
Copyright 2011, Juniper Networks, Inc. 786
Junos Pulse Secure Access Service Administration Guide
Following are the supported operation attributes:
MergeThe configuration data identified by the element containing this attribute is
mergedwiththeconfigurationat thecorrespondinglevel intheconfigurationdatastore
identified by the target parameter. This is the default behavior.
ReplaceThe configuration data identified by the element containing this attribute
replaces any relatedconfigurationintheconfigurationdatastoreidentifiedby thetarget
parameter. Only the configuration actually present in the config parameter is affected.
CreateThe configuration data identified by the element containing this attribute is
added to the configuration if and only if the configuration data does not already exist
on the device.
DeleteThe configuration data identified by the element containing this attribute is
deleted in the configuration datastore identified by the target parameter.
Insert beforeChange the position of a configuration element in an ordered set.
Insert afterChange the position of a configuration element in an ordered set.
RenameChange the name of one or more of a configuration object's identifiers.
If you are merging a listing of objects to an existing list of objects in the configuration
store, the results of the merged list of objects could be unexpected. During a merge
operation the order of the objects in the newlist is not maintained. If you are importing
a listing of objects and wold like to preserve the order of the newlist, you should use the
replace operation attribute. You can also use insert before or insert after to ensure that
you produce the hierarchy that you intended.
Operation attributes are applied to elements recursively unless newoperators are also
defined within lower level elements. There are limitations on the legal operator that can
be usedin childelements without conflict with the parent operator. Table 33 on page 787
displays the legal operator relationships between parent and child elements.
Table 33: Legal Operation Attribute Relationships
Rename Insert
after
Insert
before
Delete Replace Merge Create Child >
V-Parent
OK OK OK OK OK OK OK None
Error OK OK Error Error OK OK Create
OK OK OK OK OK OK OK Merge
Error OK OK Error OK OK Error Replace
Error Error Error OK Error OK Error Delete
OK OK OK OK OK OK OK Insert
before
OK OK OK OK OK OK OK Insert
after
787 Copyright 2011, Juniper Networks, Inc.
Chapter 30: SystemArchiving
Table 33: Legal Operation Attribute Relationships (continued)
OK OK OK OK OK OK OK Rename
Following are two examples of the import operation:
Example 1: Set the MTU to 1500 on an interface named "Ethernet0/0" in the running
configuration.
<interface>
<name>Ethernet0/0</name>
<mtu>1500</mtu>
</interface>
Example2: AddaninterfacenamedEthernet0/0 totherunningconfiguration, replacing
any previous interface with that name.
<interface xc:operation="replace">
<name>Ethernet0/0</name>
<mtu>1500</mtu>
<address>
<name>192.0.2.4</name>
<prefix-length>24</prefix-length>
</address>
</interface>
General Import Rules
The default import modes have equivalent attributes on the root object of the
configuration tree:
Standard Import is always a merge operation.
Quick Import is a create operation.
Full Import is a replace operation.
Related
Documentation
Importing and Exporting XML Configuration Files on page 765
Importing and Exporting XML Configuration Data on page 774
SystemRestarts on page 780
XML Import/Export Use Cases on page 782
Pushing Configurations fromone SASeries Appliance to Another
IVE appliances enable you to copy all configuration settings or selected configuration
settings fromone SA Series Appliance to another using the Push Configuration feature.
This feature provides simple configuration management across an enterprise without
requiring you to cluster SA Series Appliances. With the Push Configuration feature, you
can decide exactly which settings you do and do not want to copy across the enterprise.
The interface for selecting the settings is similar to the XML Import/Export feature.
Copyright 2011, Juniper Networks, Inc. 788
Junos Pulse Secure Access Service Administration Guide
You can push to a single SA Series Appliance or to multiple SA Series Appliances. For
example, if you install several newSA Series Appliances, you can push to set their initial
configuration. You can also push to an SA Series Appliance that is a member of a cluster
as long as the target SA Series Appliance is not a member of the same cluster as the
source. Target SASeries Appliancehavetheoptionof not acceptingpushedconfiguration
settings. If a push to a target SA Series Appliance fails, Push Configuration continues to
the next target until all identified targets are updated. The results page displays the
status and any problems encountered during the process.
You can also push configuration elements froman SA Series Appliance to an Infranet
Controller device to distribute a Junos Pulse configuration. This is required to enable
location awareness for Junos Pulse clients between an ICSeries device and an SASeries
Appliance..
NOTE: When importing Active Directory (AD) authentication server
configuration with an XML file or through Push Config, the Computer Object
name needs tobe changedmanually after the import. Unexpectedproblems
might ariseif twosystemsjoinanADdomainusingthesameComputer Object
name.
Note the following when pushing configurations:
After the SA Series Appliance updates the configuration on a target device, the target
device restarts its services. Brief interrupts may occur while the service restarts. We
recommend you push to target SA Series Appliances when they are idle or when you
can accommodate brief interruptions.
Target SA Series Appliances display no warning message when receiving pushed
configurations.
The target SA Series Appliance automatically logs out administrators during the push
process.
The source and target SA Series Appliances must have the same build version and
number.
If either the source or target IVEs has an IVS license, you must push all configuration
settings. You cannot select which settings to push.
The source SA Series Appliance pushes data only over the internal port or the
Management Port (on the Juniper Networks SA 6000, if configured.) The target SA
Series Appliance can receive data over the internal, external, or Management Port (on
the Juniper Networks SA 6000, if configured.)
You can push up to 8 targets per push operation; up to 25 push operations can be run
simultaneously. The maximumnumber of targets the SA Series Appliance pushes to
at any time is 200.
789 Copyright 2011, Juniper Networks, Inc.
Chapter 30: SystemArchiving
The source SASeries Appliance saves and displays up to 25 push configuration results
intheResults tab. If 25results arecurrently displayed, theSASeries Applianceremoves
the oldest result data when push configuration runs again.
You can not push the following configurations: licensing, clustering, networking and
timezone.
For Push Configuration to work, the administrator account on the source SA Series
Appliance must sign in to the target SASeries Appliance without any human interaction.
For example, you cannot have dynamic credentials or multiple roles that are not merged
as these both require manual interaction.
Prior to using Push Configuration, you must configure your systemfollowing specific
conditions:
You must map to the .Administrators role, thereby creating a super administrator
with full administration privileges. Use settings in the Authentication > Auth Servers >
Administrator Server > Users tab to add yourself to the .Administrators role.
The target SA Series Appliance administrator account must use static password
authentication or two-factor tokens that do not use challenge-response type
authentication. For example, certificates, Soft ID, and Defender Authentication are not
supported. Usesettings intheAdministrators >AdminRealms >[Administrator Realm]
> General tab to select the proper authentication server for the administrator realm.
You must not configure the administrator account in a way that requires the
administrator to select a role to sign in to the target SA Series Appliance. For example,
you must not map a single user to multiple roles, including the push configuration
administrator role, and then fail to permissively merge those roles. We recommend
creating an account exclusively for push configuration administrators to guarantee
that the administrator does not need to choose a role during the sign-in process and
to clearly distinguish the actions of push configuration administrators in your log files.
Use settings in the Administrators > Admin Realms > [Administrator Realm] > Role
Mapping tab to set the appropriate role-mapping rules.
Related
Documentation
Defining the Target SA Series Appliance on page 790
Pushing the Configuration Settings on page 791
Defining the Target SASeries Appliance
If the target SA Series Appliance is part of a cluster, you can push to any member of the
cluster as long as the target is not a member of the source cluster. You must enable the
Allowthis IVE to be a target setting on all cluster members. This setting is important
when specifying the virtual IP (VIP) in the sign-in URL of a destination as it ensures that
the push succeeds regardless of which node is hosting the VIP.
Note the following about target SA Series Appliances.
Target names and target sign-in URLs cannot be edited once they are created.
Copyright 2011, Juniper Networks, Inc. 790
Junos Pulse Secure Access Service Administration Guide
You cannot edit or delete a target SA Series Appliance while the push operation is
pushing configuration data to that target SA Series Appliance.
When deleting a target SA Series Appliance, all push configuration results associated
with that target SA Series Appliance are also deleted.
To define target SA Series Appliances:
1. Create administrator accounts on both SA Series Appliances.
2. In the admin console, choose Maintenance > Push Config > Targets.
3. If you do not want this SA Series Appliance to accept pushed configuration settings,
deselect the Allowthis IVE to be a target check box.
To create a newtarget SA Series Appliance, click NewTarget. On the NewTarget page:
1. In the Name field, enter a name for the target SA Series Appliance.
2. In the Sign-in URL field, enter the sign-in URL defined in the Authentication > Signing
In > Sign-In Policies page.
3. Enter the username, password, andauthentication realmof an administrator account
on the target SA Series Appliance that provides full administration privileges.
4. Click Save Changes.
5. To delete a target SA Series Appliance:
a. Select the checkbox next to the target SA Series Appliance you want to delete.
b. Click Delete and then confirmthat you want to delete the SA Series Appliance.
6. Click Save Changes.
Related
Documentation
Pushing Configurations fromone SA Series Appliance to Another on page 788
Pushing the Configuration Settings
To push selected roles, resources, sign-in settings, auth servers, and local users fromone
SA Series Appliance to another:
To push selected roles, resources, sign-in settings, auth servers, and local users fromone
SA Series Appliance to another:
1. In the admin console, choose Maintenance > Push Config.
2. If you have not set up your target SA Series Appliances, click the Targets tab and
define the target SA Series Appliance.
3. Select one of the following options fromthe What to push list:
Entire configuration to push all configuration settings, except for the following:
791 Copyright 2011, Juniper Networks, Inc.
Chapter 30: SystemArchiving
Network configurations
Licenses
Cluster configurations
Certificates
SNMP settings
Syslog server settings
Push configuration targets configured on the source SA Series Appliance
NOTE: User bookmarks and preferences fromthe source SA Series
Appliancearepushedtoall target SASeries Appliances withthis option.
Any bookmarks and preferences already set on the target SA Series
Appliances are overwritten.
Selected configuration to choose specific settings to push.
NOTE: Youcannot copynetworksettingstoanother SASeriesAppliance
using the Push Configuration feature. You can use the XML
Import/Export feature to export selected network settings and then to
import those settings to another SA Series Appliance.
4. Select the target SA Series Appliances fromthe Available Targets list and click Add
to move themto the Selected Targets list.
5. Select the Overwrite duplicate settings checkbox if you want to overwrite settings
on the target SASeries Appliance that have the same name as settings on the source
SA Series Appliance.
NOTE:
If Overwrite duplicate settings is off, and if the name of any setting in
the imported file matches the name of a corresponding setting on the
target SA Series Appliance, then Push Configuration does not copy the
values for that setting to the target SA Series Appliance. Push
Configurationonlycopiesnewobjectstothetarget SASeriesAppliance.
If Overwrite duplicate settings is on, Push Configuration copies all new
and updated objects to the target SA Series Appliance.
6. Click Push Configuration to copy the selected settings to the target SA Series
Appliances. The SA Series Appliance displays the push status in the Results tab.
Copyright 2011, Juniper Networks, Inc. 792
Junos Pulse Secure Access Service Administration Guide
NOTE: Once you click Push Configuration, you cannot halt the process or
changethetarget SASeries Appliances until theentirepushconfiguration
process completes.
If there are errors during the push process, the operation stops and rolls back the
configuration to the previous state. Error messages are displayed on the Results page.
7. Correct the problems described by the error messages and push to the failed target
SA Series Appliance again.
Related
Documentation
Pushing Configurations fromone SA Series Appliance to Another on page 788
Defining the Target SA Series Appliance on page 790
Archiving Secure Meetings
The SA Series Appliance enables you to archive Secure Meeting instances. You can:
Set up a recurring archival process.
Performa one-time archive.
Archive the deleted meetings into an XML file for later download or deletion. One file
is created for each archive run.
Define the number of days a SecureMeeting instance remains on the SA Series
Appliance before archiving (instances older than x days are archived).
Define which node in a cluster performs the archive.
The archival process removes completed standalone meetings, completed recurring
meeting instances and completed MySecureMeeting instances. For recurring meeting
with end dates already passed, the recurring meetings and their parent meeting are
removed. The parent meeting, however, is not archived since the parent meeting
information is already captured in the recurring instances. The archival process does not
remove meetings in progress or scheduled (future) meetings.
NOTE: By default, archiving Secure Meetings is turned off. Also by default,
MySecureMeetings instances older than 90 days are removed. If the Secure
Meeting archive feature is turned off, the automatic deletion of
MySecureMeetings is not saved into the archive file.
In a cluster configuration, only one node performs the archival task and only the files
stored on that node are archived. You must log in to the archive node using the node IP
instead of the virtual IP to download or delete the archived files.
For IVS, youmust configurethesettings oneachIVSyouwant toarchiveSecureMeetings.
793 Copyright 2011, Juniper Networks, Inc.
Chapter 30: SystemArchiving
Shownbelowis anexamplesnippet of anXMLfilecreatedby theSecureMeetingarchival
process:
<meetings>
<meeting>
<id>20993310</id>
<creator><![CDATA[gary (Users)]]></creator>
<name><![CDATA[Support Meeting (20993310)]]></name>
<agenda><![CDATA[]]></agenda>
<teleconference_info><![CDATA[]]></teleconference_info>
<date><![CDATA[4:11 PMMay 15, 2007 (GMT-08:00) Pacific Time (US &
Canada); Tijuana]]></date>
<duration>1 hour</duration>
<meeting_type>support</meeting_type>
<invitees>
<invitee><![CDATA[gary (SystemLocal) Conductor]]></invitee>
...
</invitees>
<attendees>
<attendee>
<name><![CDATA[gary]]></name>
<join_time>04:11 PM</join_time>
<duration>50 minutes </duration>
</attendee>
...
</attendees>
...
</meeting>
...
</meetings>
To archive SecureMeetings:
1. In the admin console, choose Maintenance > Archiving > Secure Meetings.
2. Toschedulearecurringarchival process, select thePerformautomaticcleanupevery
option and specify howoften the archiving process should run.
3. In the Delete meetings older than field, enter howold (in days) meetings must be
before being archived. Meetings older than this number are archived and removed
fromthe system.
4. To archive Secure Meetings in a cluster configuration, select the Archive meeting
records on node option and then select the node that performs the archive.
5. Click Clean Up Nowto performthe archive process immediately. Meetings older than
the specified age are archived and removed fromthe system.
6. Click Save Changes to save your edits.
Once the archive process completes, the archive files are listed in the Secure Meeting
archive table.
To viewor download an archive file, click its name.
Copyright 2011, Juniper Networks, Inc. 794
Junos Pulse Secure Access Service Administration Guide
To delete an archive file, select the checkbox next to its name and click Delete.
Related
Documentation
Secure Meeting Overviewon page 603
795 Copyright 2011, Juniper Networks, Inc.
Chapter 30: SystemArchiving
Copyright 2011, Juniper Networks, Inc. 796
Junos Pulse Secure Access Service Administration Guide
CHAPTER 31
Logging and Monitoring
Logging and Monitoring Overviewon page 797
Viewing and Deleting User Sessions on page 800
Configuring the Log Monitoring Features on page 801
Monitoring the SA Series Appliance as an SNMP Agent on page 804
Viewing SystemStatistics on page 810
About Client-Side Logs on page 811
Enabling and Viewing Client-Side Log Uploads on page 812
Viewing General Status on page 813
Monitoring Active Users on page 817
Viewing and Cancelling Scheduled Meetings on page 818
Adding Real Source IP Addresses to Log Messages on page 819
Logging and Monitoring Overview
The SA Series Appliance provides logging and monitoring capabilities to help you track
events anduser activities. This topicdescribes thevarious loggingandmonitoringfeatures
included with the SA Series Appliance.
Logging and monitoring capabilities are available on all SA Series productsyou do not
need a special license to use them. However, the following advanced logging and
monitoring tools are not available on the SA700 Series Appliance:
Sensors log
Custom&dynamic log filters
Systemcapacity and critical events dashboard graphs
Secure Meeting logging and monitoring
SASeries logfiles aretext files storedonanSASeries Appliancethat track systemevents.
An SA Series Appliance produces the following types of log files:
797 Copyright 2011, Juniper Networks, Inc.
Events logThis log file contains a variety of systemevents, such as session timeouts
(including idle and maximumlength session timeouts), systemerrors and warnings,
requests to check server connectivity, and SA Series Appliance service restart
notifications. (The SA Series Watchdog process periodically checks the SA Series
Appliance and restarts it if the SA Series Appliance does not respond.)
User Access logThis log file contains information about when users access the
appliance, includingthenumber of simultaneous users at eachonehour interval (logged
onthehour), user sign-ins andsign-outs, user filerequests, sessiontimeouts (including
idle and maximumlength session timeouts) and Web requests.
Administrator Access logThis log file contains administration information, including
administrator changes to user, system, and network settings, such as changes to
session timeouts, the option to enable/disable URL browsing and user-created
bookmarks, and machine and server information. It also creates a log entry whenever
an administrator signs in, signs out, or changes licenses on the appliance.
Sensors logThis log file contains informational andattack alert messages generated
by an associated IDP device monitoring client traffic for possible network intrusion.
Client uploadlogThis logfilecontains sessioninitiation, connection, andtermination
log information that you can use to help diagnose and troubleshoot problems users
may have connection to the SA Series Appliance.
The System> Log/Monitoring pages lets you specify which events are logged, the
maximumfile size for the systemlog, and whether to log events to the syslog server in
addition to logging themlocally. The System> Log/Monitoring pages also let you view
the specified number of events, save the log files to a network, and clear the logs.
When one of the logs reaches the configured maximumlog file size (200MB by default),
the current data is rolled over to a backup log file. A new, empty, file is then created for
all subsequent (new) log messages. Using the log viewer, the administrator can see the
most recent 5000logmessages (theviewer's display limit). If thecurrent logfilecontains
less than 5000log messages, older log messages fromthe backup log file are displayed,
up to a total of 5000 log messages. This makes the log files appear as one, even though
they are stored separately, according to the configured maximumlog file size.
When you choose to save the log messages or use the FTP archive function on the
Maintenance >Archiving page, the backup log file is appended to the current log file, and
is then downloaded as one log file. If the log files are not archived or saved by the time
they are rolled over once again, the oldest log messages (saved in the backup log file)
are lost.
Additionally, you can use a network management tool such as HP OpenViewto monitor
an SA Series Appliance as an SNMP agent. The SA Series Appliance supports SNMP v2,
implements a private MIB (management information base), and defines its own traps.
To enable your network management station to process these traps, you need to
downloadtheJuniper Networks MIBfileandspecify theappropriateinformationtoreceive
the traps. You can configure some of the traps to suit your needs. For more information
on setting trap thresholds.
Copyright 2011, Juniper Networks, Inc. 798
Junos Pulse Secure Access Service Administration Guide
To monitor vital systemstatistics, such as CPUutilization, load the UC-Davis MIBfile into
your SNMPmanager application. YoucanobtaintheMIBfilefrom: http://net-snmp.source
forge.net/docs/mibs/UCD-SNMP-MIB.txt.
Log File Severity Levels
Theevents, user access, andadministrator access logfiles rank events accordingtothese
guidelines:
Critical (severity level 10)When the SA Series Appliance cannot serve user and
administrator requests or loses functionality to a majority of subsystems, it writes a
critical event to the log.
Major (severity levels 8-9)When the SA Series Appliance loses functionality in one
or more subsystems, but users can still access the appliance for other access
mechanisms, the SA Series Appliance writes a major event to the log.
Minor (severity levels 5-7)When the SA Series Appliance encounters an error that
does not correspond to a major failure in a subsystem, it writes a minor event to the
log. Minor events generally correspond to individual request failures.
Info (severity levels 1-4)When the SA Series Appliance displays a notification
message, when an end-user makes a request, or when an administrator makes a
modification, the SA Series Appliance writes an informational event to the log.
CustomFilter Log Files
The Central Manager package allows you to filter and format the data in your events,
user access, and administrator access log files.
When you filter log files, the SA Series Appliance only saves those messages specified
within the filter query. For example, you may create a query that only logs entries for a
particular range of IP addresses or for users who are signed into a specific realm. To
create a query, use the SA Series customexpression language.
When you format log files, the SA Series Appliance simply changes the look of the log
messages based on your specifications. Log formats do not affect which data the
appliance saves; formats only affect howthe appliance displays the data. An SA Series
Appliance includes standard, WELF, and W3C log formats, but you may also choose to
create your own customformat. To create a customformat, use log fields.
Dynamic Log Filters
The Central Manager package provides administrators with the ability to quickly change
the log viewby clicking on any data log variable link in the currently viewed log. For
instance, if you want to temporarily viewthe User Access Log based on a particular IP
address, create a quick filter by clicking on any occurrence of that IP address in the
current log and the SA Series Appliance immediately redraws the log to showall entries
containing the specified IPaddress. Furthermore, clicking on additional data log variable
links expands the quick filter and updates the current viewof the log.
As with customlog filters, dynamic log filters change only the current viewof the log
not the data that the SA Series Appliance saves.
799 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
Although quick filters act as temporary filter agents, the SA Series Appliance gives you
the option of saving the temporary query strings as newcustomfilters.
Related
Documentation
Viewing and Deleting User Sessions on page 800
Configuring the Log Monitoring Features on page 801
Viewing and Deleting User Sessions
The configuration page for most SA Series Appliance servers contain a Users tab that
you can use to viewand delete active SA Series user sessions. Authentication server
types that do not display this tab include:
Anonymous serverThe SA Series Appliance cannot display individual session data
about users who sign in through an anonymous server, because it does not collect
usernames or other credentials for users signing in through an anonymous server.
Local authentication serverThe SA Series Appliance displays a Local Users tab
instead of a Users tab for local authentication servers, allowing you to add and delete
user accounts instead of user sessions.
For all other types of authenticationservers, youmay viewanddeleteactiveuser sessions
using the instructions below.
To viewor delete an active user session:
1. In the admin console, select Authentication > Auth. Servers.
2. Click the appropriate link in the Authentication/Authorization Servers list.
3. Select the Users tab.
4. Performany of the following tasks:
Enter a username in the Showusers named field and click Update to search for a
specific user.
Alternately, you can use an * character as a wildcard, where an * represents any
number of zero or more characters. For example, if you want to search for all
usernames that contain the letters jo, enter *jo* in the Showusers named field. The
search is case-sensitive. To display the entire list of accounts again, either enter an
* character, or delete the fields contents and click Update.
Enter a number in the ShowN users field and click Update to control the number
of users displayed on the page.
Click the checkbox next to individual users and click Delete to terminate their SA
Series sessions.
You can find several access statistics for any user account on the Users tab in the Last
Access Statistics columns. These columns appear on any of the Users tabs anywhere
they appear in the admin console. The statistics include the last sign-in date and time a
user successfully signed in and the browser type and version.
Copyright 2011, Juniper Networks, Inc. 800
Junos Pulse Secure Access Service Administration Guide
Related
Documentation
Configuring the Log Monitoring Features on page 801
Configuring the Log Monitoring Features
Log Monitoring features on the SA Series Appliance enable you to monitor events, user
access, and administrator access which you can filter and save for later review.
Additionally, the SA Series Appliance allows you to use SNMP to monitor its activities,
and provides statistics, client-side logs for applications such as Host Checker, Cache
Cleaner, Secure Meeting, WSAM, JSAM, Terminal Services, and Network Connect.
Configuring events, user access, Admin Access, and Sensor Logs
Use the System> Log/Monitoring > Events, User Access, Admin Access, and Sensor,
pages to save log files, create dynamic log queries, specify which events to save in the
log files, and create customfilters and formats.
Theevents, user access, andadminaccess logs arethreedistinct files. Althoughthebasic
configuration instructions for each is the same, modifying the settings for one does not
affect settings for another
To save, view, or clear the events log file:
1. In the admin console, select System> Log/Monitoring.
2. Select either the Events, User Access, Admin Access, or Sensors, and then choose
Log.
3. (Central Management only) Fromthe Viewby filter list, choose the customfilter that
the SA Series Appliance should use to filter data.
4. Enter a number in the Showfield and click Update if you want to change the number
of log entries that the SA Series Appliance displays at one time.
5. Click Save Log As, navigate to the desired network location, enter a file name, and
then click Save to manually save the log file.
Tosave all log filesEvents Log, User Access , AdminAccess, andSensorsclick Save
All Logs. The SA Series Appliance saves the log files in one compressed file. You can
access the Save All Logs button fromany one of the three log tabs.
6. Click Clear Log to clear the local log and log.old file.
When you clear the local log, events recorded by the syslog server are not affected.
Subsequent events are recorded in a newlocal log file.
Creating, Resetting, or Saving a Dynamic Log Query
To create, reset, or save a dynamic log filter query:
1. Select System> Log/Monitoring in the admin console.
2. Select the Events, User Access, Admin Access, or Sensors tab, and then choose Log.
801 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
3. Click on any data log variable link in the current log. The log immediately redraws
based on the chosen variable.
4. Continue adding variables in the same manner (optional). Each data log variable link
you select adds an additional variable to the Edit Query text field and the log updates
with each added variable.
5. Click the Reset Query button to clear the Edit Query text field and reset the log to the
viewdetermined by the filter specified in the Viewby filter field (optional).
6. ClicktheSaveQuerybuttontosavethedynamiclogqueryas acustomfilter (optional).
The Filters tab displays with the Query field pre-populated with the variables you
selected fromthe log. Next:
a. Enter a name for the filter.
b. Make the newfilter the default filter by selecting Make default (optional).
c. Set the start and end dates for the filter:
In the Start Date section, click Earliest Date to write all logs fromthe first
available date stored in the log file. Or, manually enter a start date
In the End Date section, click Latest Date to write all logs up to the last available
date stored in the log file. Or, manually enter a end date.
7. Choose a format in the Export Format section.
8. Select the Save button to save the newfilter.
Specifying Which Events to Save in the Log File
Use options in the Settings tab to specify what the SA Series Appliance writes to the log
file, which syslog servers it uses to store the log files, and the maximumfile size.
You may also use the Archiving page to automatically save the logs to an FTPaccessible
location.
To specify events log settings:
1. In the admin console, select System> Log/Monitoring.
2. Select Events, User Access, AdminAccess, or Sensorstab, andthenchooseSettings.
3. In the MaximumLog Size field, specify the maximumfile size for the local log file. (The
limit is 500 MB.) The systemlog displays data up to the amount specified.
MaximumLog Size is an internal setting that most closely corresponds with the size
of logs formatted with the Standard format. If you choose to use a more verbose
format such as WELF, your log files may exceed the limit that you specify here.
4. Under Select Events to Log, select the checkbox for each type of event that you want
to capture in the local log file.
If you disable the Statistics checkbox in the Events Log tab, the SA Series Appliance
does not write statistics to the log file, but continues to display themin the System>
Log/Monitoring > Statistics tab.
Copyright 2011, Juniper Networks, Inc. 802
Junos Pulse Secure Access Service Administration Guide
5. Under Syslog Servers, enter information about the syslog servers where you want to
store your log files (optional):
a. Enter the name or IP address of the syslog server
b. Enter a facility for the server. The SA Series Appliance provides 8 facilities
(LOCAL0-LOCAL7) which you can map to facilities on your syslog server.
c. (Central Manager only) Choose which filter you want to apply to the log file.
d. Click Add.
e. Repeat for multipleservers if desired, usingdifferent formats andfilters for different
servers and facilities.
Make sure your syslog server accepts messages with the following settings: facility
= LOG_USER and level = LOG_INFO.
6. Click Save Changes.
Creating, Editing, or Deleting Log Filters
Use the controls on the Filters tab to create customlog filters, or to edit or delete the
following set of pre-defined log filters:
Standard (default)This log filter format logs the date, time, node, source IP address,
user, realm, and the SA Series Appliance event ID and message.
WELFThis customized WebTrends Enhanced Log Format (WELF) filter combines
the standard WELF format with information about the SA Series Appliances realms,
roles, and messages.
WELF-SRC-2.0-Access ReportThis filter adds access queries to our customized
WELF filter. You can easily use this filter with NetIQs SRC to generate reports on user
access methods.
W3CThe World Wide Web Consortiums extended log file format is a customizable
ASCII format with a variety of different fields. Visit http://www.w3.org for more
information about this format. Only the User Access log offers this filter as an option.
Creating customfilters and Formats for Your Log Files
Use options in the Filters tab to specify which data is written to your log files as well as
its format. This option is only available with the Central Manager package.
1. In the admin console, select System> Log/Monitoring.
2. Select the Events, User Access, Admin Access, or Sensors tab, and then choose
Filters.
3. Do one of the following:
To modify an existing filter, click its name.
To create a newfilter, click NewFilter.
4. Enter a name for the filter.
803 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
If you select a format and then create a newname for it in the Filter Name field, the
SA Series Appliance does not create a newcustomfilter format that is based on the
existing format. Instead, it overwrites the existing format with the changes you make.
5. Click Make Default to define the selected filter as the default for the log file type. You
may set different default filters for the events, user access, and administrator access
logs.
6. Use options in the Query section to control which subset of data the SA Series
Appliance writes to the log:
a. In the Start Date section, click Earliest Date to write all logs fromthe first available
date stored in the log file. Or, manually enter a start date.
b. In the End Date section, click Latest Date to write all logs up to the last available
date stored in the log file. Or, manually enter a end date.
c. In the Query section, use the SA Series customexpression language to control
which subset of data the SA Series Appliance writes to the log.
Any string (including a * wildcard character) you manually enter in a query, must
be enclosed in double-quotes. For example, the query protocol="UDP" AND
sourceip=172.27.0.0/16 AND port=* must be presented as protocol="UDP" AND
sourceip=172.27.0.0/16 AND port=* or the logging component returns an error.
7. Use one of the options the Export Format section to control the format of the data in
the log:
Select the Standard, WELF, or W3C option to format the log entries using one of
these standardized formats.
Select the Customoption and enter the format you want to use in the Format field.
When entering a format, surround variables with percentage symbols (for example
%user%). All other characters in the field are treated as literals.
8. Click Save Changes.
Related
Documentation
Viewing and Deleting User Sessions on page 800
Monitoring the SASeries Appliance as an SNMP Agent
You can use a network management tool such as HPOpenViewto monitor the SASeries
Appliance as an SNMPagent. The SASeries Appliance supports SNMP(Simple Network
Management Protocol) v2, implements a private MIB (management information base),
and defines its own traps. To enable your network management station to process these
traps, you need to download the Juniper Networks MIB file and specify the appropriate
information to receive the traps.
To monitor vital systemstatistics, such as CPUutilization, load the UC-Davis MIBfile into
your SNMP manager application. You can obtain the MIB file from:
http://net-snmp.sourceforge.net/docs/mibs/UCDSNMP- MIB.txt.
Copyright 2011, Juniper Networks, Inc. 804
Junos Pulse Secure Access Service Administration Guide
The SA Series Appliance supports standard MIB objects, including the systemuptime
(sysUpTime) object.
The systemuptime (sysUpTime) object returns the time elapsed (in hundredths of a
second) since the SNMP agent was started.
To specify SNMP settings:
1. In the admin console, select System> Log/Monitoring > SNMP.
2. Click the Juniper Networks MIB file link to access the MIB file, and then save the file
fromyour browser to a network location. For descriptions of the Get and Trap objects
in the MIB file.
3. Under Agent Properties enter information in the following fields, and then click Save
Changes:
Enter information in the SystemName, SystemLocation, and SystemContact
fields that describes the SA Series agent (optional).
Enter a string in the Community field (required).
To query the SA Series Appliance, your network management station must send
the Community string to the SA Series Appliance.
To stop the SNMP system, clear the Community field.
4. Under Trap Thresholds, set the values for the following traps (optional):
Check Frequency
Log Capacity
Users
Memory
Swap Memory
Disk
Meeting Users
CPU
5. Under Optional traps, select one or both of the following (optional):
Critical Log Events
Major Log Events
6. Under SNMP Servers, specify servers to which you want the SA Series Appliance to
send the traps that it generates by entering information in the following fields, and
then clicking Add:
The servers host name or IP address
The port on which the server listens (typically port 162)
805 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
The community string required by the network management station (if applicable)
7. Click Save Changes.
8. At your network management station:
a. Download the Juniper Networks MIB file.
b. Specify thecommunity stringrequiredwhenqueryingtheSASeries Appliance(see
step 3).
c. Configurethenetworkmanagement softwaretoreceiveSASeries Appliancetraps.
Table 34: Configuration Objects
Description Object
Returns the percentage of the available file size filled by the current log
as a parameter of the logNearlyFull trap.
logFullPercent
Returns thenumber of users signedintotheSASeries Appliancethrough
a Web browser.
signedInWebUsers
Returns the number of users signed in to the Email client. signedInMailUsers
Returns the IP addressblocked due to consecutive failed login
attemptssent by the iveToomanyFailedLoginAttempts trap. The
systemadds the blocked IP address to the blockedIPList table.
blockedIP
Returns the name of an external authentication server sent by the
externalAuthServerUnreachable trap.
authServerName
Returns the SA Series Appliance licensed product name. productName
Returns the SA Series Appliance systemsoftware version. productVersion
Returns the file name sent by the archiveFileTransferFailed trap. fileName
Returns the number of concurrent meeting users sent by the
meetingUserLimit trap.
meetingUserCount
Returns the percentage of CPU used during the interval between two
SNMPpolls. This valueis calculatedby dividingtheamount of CPUused
by the amount of CPU available during the current and previous SNMP
polls. If no previous poll is available, the calculation is based on the
interval between the current poll and systemboot.
iveCpuUtil
Returns the percentage of memory utilized by the SA Series Appliance
at thetimeof anSNMPpoll. Thesystemcalculates this valueby dividing
the number of used memory pages by the number of available memory
pages.
iveMemoryUtil
Returns the total number of users logged in for the SA Series Appliance
node.
iveConcurrentUsers
Copyright 2011, Juniper Networks, Inc. 806
Junos Pulse Secure Access Service Administration Guide
Table 34: Configuration Objects (continued)
Description Object
Returns the total number of users logged in for the cluster. clusterConcurrentUsers
Returns the total number of hits to the SA Series Appliance since last
reboot. Includes total values fromiveFileHits, iveAppletHits, meetingHits,
and iveWebHits.
iveTotalHits
Returns the total number of file hits to the SA Series Appliance since
last reboot.Incremented by the web server with each GET/POST
corresponding to a file browser request.
iveFileHits
Returns the total number of hits by means of the Web interface since
last reboot. Incrementedby thewebserver for eachhttprequest received
by the SA Series Appliance, excluding file hits, applet hits, and meeting
hits.
iveWebHits
Returns the total number of applet hits to the SASeries Appliance since
last reboot.Incremented by the web server for each GET request for a
Java applet.
iveAppletHits
Returns the total number of terminal hits to the SA Series Appliance
since last reboot.
ivetermHits
Returns the name of the log (admin/user/event) for the logNearlyFull
and iveLogFull traps.
logName
Returns the percentage of swap memory pages used by the SA Series
Appliance at the time of an SNMPpoll. The systemcalculates this value
by dividing the number of swap memory pages used, by the number of
available swap memory pages.
iveSwapUtil
Returns the percentage of disk space used in the SA Series Appliance
for theiveDiskNearlyFull trap. Thesystemcalculates this valuebydividing
the number of used disk space blocks by the number of total disk space
blocks.
diskFullPercent
Returns a table with the 10 most recently blocked IP addresses. The
blockedIP MIB adds blocked IP addresses to this table
blockedIPList
An entry in the blockedListIP table containing a blocked IP address and
its index (see IPEntry).
ipEntry
The index (ipIndex) and IP address (ipValue) for an entry in the
blockedIPList table.
IPEntry
Returns the index for the blockedIPList table. ipIndex
A blocked IP address entry in the blockedIPList table. ipValue
Returns the unique ID of the log message sent by the logMessageTrap
trap.
logID
807 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
Table 34: Configuration Objects (continued)
Description Object
Returns a string sent by the logMessageTrap trap stating whether a log
message is major or critical.
logType
Returns a string sent by the logMessageTrap trap stating whether a log
message is major or critical.
logDescription
Returns the name of a virtual system. ivsName
Returns the name of an OCSP responder. ocspResponderURL
Returns the status of the SA Series Appliance fans. fanDescription
Returns the status of the SA Series Appliance power supplies. psDescription
Returns the status of the SA Series Appliance RAID device. raidDescription
The log file (system, user access, or administrator access) specified by
the logName parameter is nearly full. When this trap is sent, the
logFullPercent (%of log file full) parameter is also sent. You can
configure this trap to be sent at any percentage. To disable the trap, set
iveLogNearlyFull to 0%. The traps default value is 90%.
NOTE: When SNMP traps are enabled, the iveLogNearlyFull and
iveLogFull traps are sent when the log files are 90%full and 100%full
respectively, even if the threshold is set to 0 (disabled).
iveLogNearlyFull
The log file (system, user access, or administrator access) specified by
the logName parameter is completely full.
NOTE: When SNMP traps are enabled, the iveLogNearlyFull and
iveLogFull traps are sent when the log files are 90%full and 100%full
respectively, even if the threshold is set to 0 (disabled).
iveLogFull
Maximumnumber or allowed concurrent users are currently signed in.
You can configure this trap to be sent at any percentage. To disable the
trap, set iveMaxConcurrentUsersSignedIn to 0%. The traps default
value is 100%.
iveMaxConcurrentUsersSignedIn
A user with a specific IP address has too many failed signin attempts.
Triggered when a user fails to authenticate according to the settings for
the Lockout options on the Security Options tab.
Whenthesystemtriggers this trap, thesystemalsotriggers theblockedIP
(source IP of login attempts) parameter.
iveTooManyFailedLoginAttempts
An external authentication server is not responding to authentication
requests.
When the systemsends this trap, it also sends the authServerName
(%of log file full) (name of unreachable server) parameter.
externalAuthServerUnreachable
SA Series Appliance has just been turned on. iveStart
Copyright 2011, Juniper Networks, Inc. 808
Junos Pulse Secure Access Service Administration Guide
Table 34: Configuration Objects (continued)
Description Object
SA Series Appliance has just been shut down. iveShutdown
SA Series Appliance has just been rebooted. iveReboot
SA Series Appliance is unable to reach configured FTP or SCP Archive
server.
archiveServerUnreachable
SASeries Appliance is unable to log into configured FTP or SCP Archive
server.
archiveServerLoginFailed
SA Series Appliance is unable to successfully transfer archive to
configured FTPor SCPArchive server. When the systemsends this trap,
it also sends the fileName parameter.
archiveFileTransferFailed
Supplies notification that the SA Series Appliance has restarted
according to the administrators instruction.
iveRestart
Supplies notification that the SA Series Appliances disk drive is nearly
full. When the systemsends this trap, it also sends the diskFullPercent
parameter. You can configure this trap to be sent at any percentage. To
disable the trap, set iveDiskNearlyFull to 0%. This traps default value
is 80%.
iveDiskNearlyFull
Supplies notification that the SA Series Appliances disk drive is full. iveDiskFull
The trap generated froma log message. When the systemsends this
trap, it also sends the logID, logType, and logDescription parameters.
logMessageTrap
Supplies notification that the systemhas met the configured threshold
for memory utilization. To disable the trap, set memUtilNotify to 0. The
threshold is 0%, by default.
memUtilNotify
Supplies notification that the systemhas met the configured threshold
for CPU utilization. To disable the trap, set cpuUtilNotify to 0. The
threshold is 0%, by default.
cpuUtilNotify
Supplies notification that the systemhas met the configured threshold
for swap file memory utilization. To disable the trap, set swapUtilNotify
to 0. The threshold is 0%, by default.
swapUtilNotify
Supplies notification that the OCSP Responder is not responding. ocspResponderUnreachable
Supplied notification that the status of the fans has changed. iveFanNotify
Supplies notificationthat the status of the power supplies has changed. ivePowerSupplyNotify
Supplies notification that the status of the RAID device has changed. iveRaidNotify
809 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
Table 34: Configuration Objects (continued)
Description Object
Supplies the type of event that brought down the external interface.
The nicEvent parameter can contain values of external for an external
event and admin for an administrative action.
iveNetExternalInterfaceDownTrap (nicEvent)
Supplies the type of event that brought down the internal interface. The
nicEvent parameter can contain values of external for an external
event and admin for an administrative action.
iveNetInternalInterfaceDownTrap (nicEvent)
Supplies the name of the cluster that contains disabled nodes, as well
as a string containing the names of all disabled nodes. Node names are
separated by white space in the string.
iveClusterDisableNodeTrap (clusterName,nodeList)
Supplies the status of a virtual IP for the cluster. The vipType indicates
whether the changed VIP was external or internal. The currentVIP
contains the VIP prior to the change, and newVIP contains the VIP after
the change.
iveClusterChangedVIPTrap(vipType, currentVIP,
newVIP)
Supplies the type of event that brought down the management port.
The nicEvent parameter can contain values of external for an external
event and admin for an administrative action.
iveNetManagementInterfaceDownTrap (nicEvent)
Supplies the name of the node on which the cluster delete event was
initiated.
iveClusterDelete(nodeName)
Theoptions for sendingSNMPtraps for critical andmajor events areset toOFFby default,
for security purposes.
Related
Documentation
Viewing SystemStatistics on page 810
Viewing General Status on page 813
Viewing SystemStatistics
Every hour, the SA Series Appliance logs the following data.
Peak load of Web users
Peak load of Mail users
Number of URLs accessed
Number of files accessed
The Statistics page displays that information for the past seven days. The SA Series
Appliance writes that information to the systemlog once a week. Note that upgrading
the SA Series Appliance clears all statistics. If you configure the systemto log statistics
hourly, however, old statistics are still available in the log file after an upgrade.
Copyright 2011, Juniper Networks, Inc. 810
Junos Pulse Secure Access Service Administration Guide
To viewsystemstatistics:
1. In the admin console, select System> Log/Monitoring > Statistics.
2. Scroll the page to viewall four categories of data.
Related
Documentation
Viewing General Status on page 813
About Client-Side Logs
TheSASeriesApplianceincludesthefollowingoptionsfor enablingandviewingclient-side
logs:
Logging activity for individual featuresYou can use options in the System>
Log/Monitoring>Client Logs >Settings pageof theadminconsoletoenableclient-side
logging for individual SA Series client applications such as Host Checker and Network
Connect, to set log limit sizes, and to enable log alerts. You must enable client-side
logs on this page in order to use client-side options.
Uploading log files to the SASeries ApplianceYou can use options in the Users >
User Roles > Select Role > General > Session Options page of the admin console to
configuretheSASeries Appliancetouploadlogfiles totheadminconsolewheninitiated
by an end-user.
Viewing uploaded logsYou can use options in the System> Log/Monitoring > Client
Logs >Uploaded Logs page of the admin console to viewthe logs that end-users push
to the SA Series Appliance.
Enabling Client-Side Logging and Global Options
Client-side logging is useful when working with the Juniper Networks Support teamto
debugproblems withanSASeries Applianceclient-sidefeature. Whenyouenablelogging
for a feature, the SA Series Appliance writes a log to any client computer that uses the
feature. (These settings are global, which means that the SA Series Appliance writes a
logfile toall clients that use the enabledfeature.) The SASeries Appliance thenappends
to the log file each time the feature is invoked during subsequent user sessions. Once
the SA Series Appliance has written a log file to a users computer, it does not remove it.
If users want to remove the log files, they must manually delete themfromtheir
computers.
You can enable client-side logging for the Host Checker, Cache Cleaner, Secure Meeting,
WSAM, JSAMandJavaApplet Rewriter, Network Connect, andTerminal Services features.
For information about where the SA Series Appliance installs log files for each of these
features, see the Client-Side Changes Guide on the Juniper Networks Customer Support
Center.
811 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
NOTE: TheSASeriesApplianceonlylogsinformationfor theNetworkConnect
feature if you enable logging through the admin console using the procedure
that followsandtheend-user enablesloggingthroughtheend-usersNetwork
Connect status window.
When you use the SA Series Appliance as an Instant Virtual System(IVS) appliance,
keep the following guidelines in mind:
The options available in the tabs on the System> Log/Monitoring > Client Logs page
on an SA Series Appliance featuring one or more IVS systems can only be configured
by the root administratorthis right includes disk space allocation and alert settings
on the SA Series Appliance, which are shared among all IVS systems on the SA Series
Appliance.
Each IVSadministrator has rights to enable client-side logging for the roles associated
with the IVS systems user roles.
IVS administrators can only manipulate (save, delete) log files within their respective
IVS systems.
Root administrators can save and delete log files fromall IVS systems.
An IVS administrator can configure the systemto receive a User Access Event when
their IVS log uploads.
Related
Documentation
Enabling and Viewing Client-Side Log Uploads on page 812
Enabling and Viewing Client-Side Log Uploads
If you enable client-side logging for SA Series features, you can also enable automatic
upload of those logs at the role level. When you do, SA Series end-users and Secure
Meeting attendees who are members of the enabled roles can choose to push their log
files up to the SA Series Appliance at will. Then, you can viewthe uploaded files through
the System> Log/Monitoring > Client Logs > Uploaded Logs page of the admin console.
When you upload log files to an SA Series Appliance that is a node in a cluster, keep the
following guidelines in mind:
You can use the Log Node column on the System> Log/Monitoring > Client Logs >
Uploaded Logs tab to viewthe location of existing log files collected by nodes in the
cluster. This is specific to a cluster setup and does not apply to a single SA Series
Appliance deployment.
The user uploads logs to the cluster node to which he is connected.
You can viewupload log entries across all nodes in a cluster. You can save and unzip
your uploadedlogfiles fromtherespectivenodes inthecluster wheretheuser uploaded
the logs.
Copyright 2011, Juniper Networks, Inc. 812
Junos Pulse Secure Access Service Administration Guide
You can viewupload log entries across all nodes in a cluster. You can save and unzip
your uploadedlogfiles fromtherespectivenodes inthecluster wheretheuser uploaded
the logs.
When a node is removed froma cluster, the SA Series Appliance deletes the logs of
that node fromthe Uploaded Log List in the cluster and fromthe node.
To enable end-users to upload logs to the SA Series Appliance:
1. In the admin console, select Users > User Roles > Select Role > General > Session
Options.
2. In the Upload logs section, select the Enable Upload Logs checkbox.
3. Click Save Changes.
Viewing Uploaded Client-Side Logs
If you enable end-users to push log files up to the SA Series Appliance, you can viewthe
uploadedlogs throughtheSystem>Log/Monitoring>Client Logs >UploadedLogs page
of the adminconsole. This page displays alist of uploadedlog files fromclients, featuring
information such as the file name, date, associated user and/or realm, client access
component type, and the log node.
NOTE: The SA Series Appliance does not preserve uploaded logs when you
upgrade the SASeries Appliance. Topreserve the logs, youmay archive them
using options in the Maintenance >Archiving >Archiving Servers page of the
admin console. You can also set the log-related SNMP traps to capture log
events during the log upload using options in the System> Log/Monitoring
> SNMP page of the admin console.
To viewclient log upload details:
1. In the admin console, choose System> Log/Monitoring > Client Logs > Uploaded
Logs.
2. (Optional) Refresh uploaded client log details by clicking the Refresh Logs button.
3. (Optional) Viewor save an uploaded log by clicking on its respective link.
4. (Optional) Delete an uploaded log by clicking the trash can icon in the right side of
the logs column. Note that once you delete a log froma node, those logs are lost.
Related
Documentation
About Client-Side Logs on page 811
Viewing General Status
When you sign in to the admin console, the SA Series Appliance displays the System>
Status page, showing the Overviewtab. This tabsummarizes details about the SASeries
Appliance server and systemusers. When you make changes on other admin console
pages, the SASeries Appliance updates corresponding information on the Overviewtab.
813 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
This tab is the home page for all administrators, including delegated administrators
without read or write access to the System> Status tabs.
Viewing SystemCapacity Utilization
The Central Manager dashboard for SA Series SSL VPN Appliances provides system
capacity utilization graphs that allowyou to easily viewand understand howmuch of
your systemcapacity you are using on a regular basis.
Tousethis informationfor datareportingelsewhere, export it as anXMLfileusingoptions
on the Maintenance > Import/Export > Configuration page.
These graphs are displayed in the System> Status > Overviewtab when you open the
admin console, and allowyou to easily view:
Concurrent UsersThis graph shows the number of meetings that are currently in
progress. Inclusteredenvironments, the graphincludes twolines. The first line displays
the number of meetings running on the node selected fromthe drop-down list and the
second line displays the number meetings running on the entire cluster.
NOTE: The SA Series Appliance averages the numbers it displays in the
concurrent meeting graph, which means it may showfractional numbers
in the display. Also note that the SA Series Appliance sometimes displays
numbers in thousandths (or millis represented by an m). For example,
in order to represent that an average of .5 meetings ran simultaneously
during a given time frame, the SASeries Appliance displays 500m in the
concurrent meetings graph.
Hits Per SecondThis graph shows the number of hits currently being processed by
the SA Series Appliance. In a clustered environment, you may choose an SA Series
Appliance fromthe drop-down list to determine which nodes data is displayed in the
graph. The graph includes four lines: number of hits, number of Web hits, number of
file hits, and number of client/server hits.
CPUand Virtual (Swap) Memory UtilizationThis graph shows the percentage of
the CPU and available memory currently being used. In a clustered environment, you
may choose an SASeries Appliance fromthe dropdown list to determine which nodes
data is displayed in the graph.
ThroughputThis graph shows the amount of data (in KB) currently being processed.
In a clustered environment, you may choose an SA Series Appliance Controller from
the drop-down list to determine which nodes data is displayedin the graph. The graph
includes four lines: external in, external out, internal in, and internal out.
RateThis graph shows the login and connection statistics. The graph contains the
following information:
AttemptedLogin The number of login attempts the SASeries SSL VPNAppliance
received per minute
Successful LoginThenumber of successful loginstheSASeriesSSLVPNAppliance
received per minute
Copyright 2011, Juniper Networks, Inc. 814
Junos Pulse Secure Access Service Administration Guide
Attempted VPN The total number of Network Connect or Pulse connection
attempts the SA Series SSL VPN Appliance received per minute
Successful VPNThenumber of successful Network Connect or Pulseconnections
the SA Series SSL VPN Appliance received per minute
HC The total number of Host Checker updates the SA Series SSL VPN Appliance
received per minute
You may also use the Page Settings windowto configure which graphs the SA Series
Appliance displays in the dashboard and the period of time that the SASeries Appliance
tracks.
To download the graph data to an XML file:
1. In the admin console, select System> Status > Overview.
2. Click the Download link that corresponds to the graph that you want to download.
3. Click Save, specify the directory where you want to save the XML file, and click Save.
Specifying Time Range and Data to Display in Graphs
You can specify the time range and other data to display in the graphs.
1. In the admin console, choose System> Status > Overview.
2. Click Page Settings.
3. Select which utilization graphs to display.
4. Select the range of time that you want to plot in the graphs. Graphing intervals range
from1 hour to 1 year.
5. Indicate howoften you want to refresh the graphs.
6. Click Save Changes.
Configuring Graph Appearance
You can specify colors and line weights, to change the appearance of the graphs on the
Status page.
1. In the admin console, choose System> Status > Overview.
2. Click the Edit link that corresponds to the graph that you want to modify.
3. Use settings in the Graph Settings dialog box to edit the background color, graph line
colors, text color, line color, and line width displayed in the graph.
4. Click Save Changes.
The dashboard for the SA Series Appliance allows you to easily viewthe last 10 critical
systemevents. Using the Event Monitor window, you can quickly access and address any
critical systemproblems. Once you have opened the Event Monitor window, you may
815 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
keep it open and continually monitor systemevents while navigating through the admin
console to performstandard maintenance and configuration tasks.
To quickly reviewcritical systemevents:
1. In the admin console, choose System> Status > Overview.
2. Click Critical Events. The Event Monitor windowdisplays the severity and message
of any critical events recorded in the systems log file.
3. Click Refresh to viewthe most up-to-date events (optional).
4. Click See All to navigate to the System> Log/Monitoring > Events > Log tab, where
all eventsranging frominformational to criticalare displayed (optional).
Viewing Critical SystemEvents
The Central Manager dashboard allows you to easily viewthe last 10 critical system
events. Using the Event Monitor window, you can quickly access and address any critical
systemproblems. Once you have opened the Event Monitor window, you may keep it
openandcontinually monitor systemevents while navigating throughthe adminconsole
to performstandard maintenance and configuration tasks.
To quickly reviewcritical systemevents:
1. In the admin console, choose System> Status > Overview.
2. Click Critical Events. The Event Monitor windowdisplays the severity and message
of any critical events recorded in the systems log file.
3. Click Refresh to viewthe most up-to-date events (optional).
4. Click See All to navigate to the System> Log/Monitoring > Events > Log tab, where
all eventsranging frominformational to criticalare displayed (optional).
Downloading the Current Service Package
You can download the service package currently installed on the SA Series Appliance
for backup and to install it onto another SA Series Appliance.
1. In the admin console, choose System> Status > Overview.
2. Click Download Package (Central Manager versions) or the link next to System
Software Pkg Version.
3. Click Save.
4. Specify a name and location for the service package.
5. Click Save.
Editing the SystemDate and Time
You need to set the server time in order to accurately record systemevents and user file
transfers. You may use a Network Time Protocol (NTP) server to sync the SA Series
Copyright 2011, Juniper Networks, Inc. 816
Junos Pulse Secure Access Service Administration Guide
Appliance with a series of computers, or you may set the SA Series Appliance time
manually.
To edit the systemdate and time:
1. In the admin console, choose System> Status > Overview.
2. In the SystemDate &Time section, click Edit.
3. Select a time zone fromthe Time Zone menu. The SASeries Appliance automatically
adjusts the time for Daylight Saving Time.
4. Set the systemtime using one of these methods:
Use NTP serverSelect the Use NTP Server option, enter the servers IP address
or name, and specify an update interval.
Set Time ManuallySelect the Set Time Manually option and enter values for the
date and time. You can also click Get fromBrowser to populate the Date and Time
fields.
5. Click Save Changes.
Related
Documentation
Configuring the Log Monitoring Features on page 801
Monitoring Active Users
You can monitor users signed in to the SA Series Appliance. Each users name,
authentication realm, role, and sign-in time are listed on the Active Users page.
NOTE: Non-SA Series users who are signed into a secure meeting are listed
as members of the Secure Meeting User Role role. The SASeries Appliance
displays N/A in the Realmand Role columns for non-SA Series users who
are signed in to the SA Series Appliance to attend a Secure Meeting.
To monitor users signed in to the SA Series Appliance:
1. In the admin console, choose System> Status > Active Users.
2. Performthese tasks (optional):
Sign users out of their SA Series Appliance sessions:
To forcibly sign out one or more end-users or administrators, select the checkbox
next to the appropriate names and then click Delete Session.
To forcibly sign out all end-users who are currently signed-in, click Delete All
Sessions.
Performa dynamic policy evaluation of all signed-in users:
817 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
To manually evaluate all authentication policies, role mapping rules, role
restrictions, user roles, and resource policies for all currently signed-in users, click
Refresh Roles. Use this button if you make changes to an authentication policy,
role mapping rules, role restrictions, or resource policies and you want to
immediately refresh the roles of all users.
Configure which data is shown and its order:
To display a specific user, enter the username in the ShowUsers Named field and
click Update. If you do not knowthe users exact username, use the * wildcard
character. For example, if you have a user named Joseph Jones, but you do not
remember if theusernameis Joe or Joseph, enter Jo*intheShowUsersNamed
field. The SA Series Appliance returns a list of all users whose usernames start
with the letters jo.
To control howmany users and administrators are displayed in the Active Users
page, enter a number in the ShowN users field and click Update.
To sort the table of currently signed-in users and administrators, click a column
header
To refresh the pages content, click Update.
Link to related tabs:
To edit a users authentication realm, click the Realmlink next to the name.
To edit a users role, click the Role link next to the name.
Related
Documentation
User Roles Overviewon page 93
Authentication RealmOverviewon page 227
Viewing and Cancelling Scheduled Meetings
Youcanviewall of themeetings currently scheduledontheSASeries Applianceor cancel
meetings.
Copyright 2011, Juniper Networks, Inc. 818
Junos Pulse Secure Access Service Administration Guide
To viewand cancel scheduled meetings:
1. In the admin console, choose System> Status > Meeting Schedule. The SA Series
Appliance displays real-time information about all of the meetings that are currently
running or scheduled, including:
Time and StatusDisplays the time and duration that the meeting is scheduled to
run, as well as the current status of the meeting.
Meeting DetailsDisplays the meeting name, ID, and password requirements. This
column also includes a Details link that you can use to viewinformation about the
meeting and to join the meeting.
Meeting RoleDisplays the role of the meeting creator. If the creator was signed
into multiple roles when he created the meeting (i.e., he is a member of multiple
roles and the appliance is configured for a permissive merge).
Attendee RolesDisplays the roles of the attendees who are signed into the
meeting, the number of attendees signed into each role, and each roles meeting
attendee limit. Note that non-SASeries attendees are displayed under the meeting
creators user role.
2. Use either of the following methods to change the meeting view(optional):
Select a time frame (Daily, Weekly, In Progress, Scheduled) fromthe drop-down
list to control which meetings are displayed.
Clickonany of theunderlinedcolumnheaders tocontrol theorder inwhichcurrently
displayed meetings are sorted.
3. Click the Details link under a meeting to viewinformation about the meeting and
optionally to join the meeting (optional).
4. Choose MySecureMeeting URLs fromthe Viewdrop menu to viewpersonal URLs
your users have created.
5. Click the delete icon in the right column to cancel a meeting or to delete a MySecure
Meeting URL (optional).
Cancelling a meeting permanently deletes fromthe SA Series Appliance. You cannot
restore a meeting after cancelling it.
Related
Documentation
Secure Meeting Overviewon page 603
Adding Real Source IP Addresses to Log Messages
When a Juniper Networks DX appliance or similar load balancer is deployed in front of
the SA Series Appliance in proxy mode, the real client IP address can be preserved in a
DXcustomHTTPheader andpassedtotheSASeries Appliance. This real client IPaddress
can be recorded within the SA Series Appliances logs when a user logs into the SA (or
a user roams), allowing you to audit andreport on the username/real source IPpair using
the SA Series Appliance logs.
819 Copyright 2011, Juniper Networks, Inc.
Chapter 31: Logging and Monitoring
The remainder of this topic refers to Juniper Networks DX appliance. See your load
balancers documentation for information on sending an X-Forwarded-For log header.
The real source IP address is retrieved fromthe DX customheader when a user logs in
and is placed into the session record. The real source IP address is used in place of the
DXIPaddress in the event, user, admin, and sensors log if it is present in the context data.
Otherwise, the source IP address in the context data is used.
To enable the passing of this customheader to the SA Series Appliance, performthe
following tasks on your DX appliance:
1. Create a cluster and configure the VIP and target hosts.
2. Define the target and listen sides on the cluster configuration page.
3. In the DX Server page, set the CustomIP Log Header to X-Forwarded-For.
See your DX documentation for more information on configuring the DX appliance.
The following log message are updated on the SA Series Appliance:
AUT24326 (user and admin login)
AUT20919 (user roaming)
ADM22896 (admin roaming)
Related
Documentation
Logging and Monitoring Overviewon page 797
Copyright 2011, Juniper Networks, Inc. 820
Junos Pulse Secure Access Service Administration Guide
CHAPTER 32
Troubleshooting
About Troubleshooting on page 821
Simulating and Tracking Events on page 822
Simulating Events That Cause a Problemon page 822
Tracking Events Using Policy Tracing on page 824
Recording a Trace File on page 825
Creating Snapshots of the SA Series Appliance SystemState on page 826
Creating TCP Dump Files on page 827
SA Series Appliance Network Connectivity Tools on page 828
Using UNIX Commands to Test Network Connectivity on page 829
Running NSLookup to Test Name Server Connectivity on page 829
Running Debugging Tools Remotely on page 829
Creating Debugging Logs on page 830
Monitoring Cluster Nodes on page 831
Configuring Group Communication Monitoring on a Cluster on page 832
Configuring Network Connectivity Monitoring on a Cluster on page 832
About Troubleshooting
The SA Series Appliance provides several troubleshooting utilities that enable you to
monitor the state of your system, including clusters, if youuse them. These topics provide
an overviewof the various troubleshooting tasks that are available by using the SASeries
Appliance:
Troubleshooting capabilities are available on all SA Series productsyou do not need a
special license to use them. Note, however, that the following advanced features are not
available on the SA700 Series Appliance:
Session recording
Monitoring and configuring clusters
Related
Documentation
Simulating and Tracking Events on page 822
Creating Snapshots of the SA Series Appliance SystemState on page 826
821 Copyright 2011, Juniper Networks, Inc.
Creating TCP Dump Files on page 827
Simulating and Tracking Events
You can determine why your SA Series Appliance does not allowyou to accomplish a
taskthat youdesireby simulatingandtrackingproblematicSASeries events usingsettings
intheMaintenance>Troubleshooting>User Sessions >Policy Tracingpageof theadmin
console.
The events in question are related to authentication, authorization, and access for a
particular user. They are entirely driven by what happens during a user session. This
applies to both simulation and policy tracing.
The events that are captured do not include any other systemrelated events. The SA
Series Appliance merely uses the events as a filtering mechanismto reduce the number
of logs and highlight the problem.
Related
Documentation
Simulating Events That Cause a Problemon page 822
Tracking Events Using Policy Tracing on page 824
Simulating Events That Cause a Problem
The SA Series Appliance allows you to troubleshoot problems by simulating the events
causing the problem. Using the Maintenance > Troubleshooting > User Sessions>
Simulation page, you can create virtual user sessions without requiring actual end-users
to sign in to the SA Series Appliance and recreate their problems. In addition, you can
also use the Simulation tab to test newauthentication and authorization policies before
using themin a production environment.
To use the simulator, you must specify which events you want to simulate (for example,
you can create a virtual session in which John Doe signs into the Users realmat 6:00
AMfroman Internet Explorer browser). Then, you must specify which events you want
to record and log in the simulation. You can log three major types of events to the
simulation log:
Pre-AuthenticationTheSASeries Applianceevents that arecapturedwill not include
any other systemrelated events. Events are merely used as a filtering mechanismto
reduce the number of logs and highlight the problem.
Role MappingThe SA Series Appliance events that are captured will not include any
other systemrelatedevents. Events aremerely usedas afilteringmechanismtoreduce
the number of logs and highlight the problem.
Resource PoliciesThe SA Series Appliance events that are captured will not include
any other systemrelated events. Events are merely used as a filtering mechanismto
reduce the number of logs and highlight the problem.
Copyright 2011, Juniper Networks, Inc. 822
Junos Pulse Secure Access Service Administration Guide
To simulate a user session:
1. In the admin console, choose Maintenance > Troubleshooting > User Sessions>
Simulation.
2. In the Query Name field, enter a name for the query.
3. In the Username field, enter the username of the SA Series user whose experience
you want to simulate. Note that you may use a wildcard character (*) in place of a
username. For example, if your users are signing into an anonymous server, you may
want to use the wildcard character (*) since you cannot knowthe internal username
that the SA Series Appliance will assign to the user.
4. Fromthe Realmdrop down menu, select the realmof the SA Series user whose
experience you want to simulate.
5. If you want to determine whether the SA Series Appliance applies a specific type of
resource policy to a users session, enter the specific resource you want to simulate
in the Resource field and select a policy type fromthe Resource drop-down list. Then:
If you want to determine whether a user can successfully sign in to the SA Series
Appliance, select the Pre-Authentication checkbox.
If you want to determine whether a user can successfully map to a specific role,
select the Role Mapping checkbox. Note that this option controls whether role
mappingresults areloggedtothesimulator log, not whether theSASeries Appliance
runs role mapping rules. The SA Series Appliance always runs role mapping rules,
even if you do not select this checkbox.
Specify the types of policies you want to log using the checkboxes in the Events to
Log section.
For example, if you want to test whether a user can access the Yahoo Web site,
enter http://www.yahoo.com intheResourcefield, select Webfromthedrop-down
list, and select the Access checkbox in the Events to Log section.
6. In the Variables section, use a combination of text and variables to create a custom
expression that reflects the exact same values as in the real session of the user who
is facing a problem. For example, if you want to create a session in which the user
signs intotheSASeries Applianceat 6:00AM, enter time=6:00AM intheVariables
field. For complete instructions on howto create a customexpression. You may also
viewthe syntax for a given variable by clicking the arrownext to it in the Variables
Dictionary.
If you fail to create a customexpression that includes the virtual users IP address,
the SA Series Appliance uses your current IP address instead. Also note that if you
use the role variable to specify the role of the virtual user (for example, role=Users),
theSASeries Applianceignores results fromrolemappingrules andassigns thevirtual
user to the role(s) you specify.
7. Choose one of the following options:
Run SimulationRuns the specified simulation and creates an on-screen log file.
Save QuerySaves the query.
823 Copyright 2011, Juniper Networks, Inc.
Chapter 32: Troubleshooting
Save Query and Run SimulationRuns the specified simulation and also saves it
for later use.
8. After running the simulation, choose Save Log As to save the simulation results to a
text file.
Related
Documentation
Simulating and Tracking Events on page 822
Tracking Events Using Policy Tracing
The SA Series Appliance allows you to troubleshoot problems by tracking events when
a user signs into a realm. The Maintenance > Troubleshooting > User Sessions > Policy
Tracing page allows you record a policy trace file for an individual user, the SA Series
Appliance displays log entries that list the users actions and indicates why he is allowed
or denied access to various functions such as accessing the Web or a file server.
For example, you may create a Human Resources realmand create two role-mapping
rules within the realm:
All EmployeesWithin this role, you only enable web browsing. You map users to the
role using the rule: if username = *, map to All Employees. In other words, any user
who is allowed to sign into the realmautomatically maps to the All Employees role.
Human Resources StaffWithin this role, you enable web, file, and meeting
functionality. Youmapusers totheroleusingtherule: if LDAPgroup=humanresources,
map to Human Resources Staff. In other words, a user must belong to the
humanresources grouponthe LDAPauthenticationserver inorder tomaptothe role.
You may think that Joe should be a member of both roles, but when he signs into the SA
Series Appliance, he cannot access the file browsing or Secure Meeting functionality
enabledintheHumanResources Staff role. Whenyouturnonpolicytracingtodetermine
why Joe cannot access all of expected functionality, you will see log entries.
NOTE: User access logs are only reportedfor policies that are checkedunder
Events to Log.
By reviewing the trace file, you can determine the problem(an example is shown here):
joe(human resources realm)-No match on rule group.humanresources
This entry shows that the SA Series Appliance did not map Joe to the Human Resource
Staff role because he is not a member of the humanresources group on the LDAP
server.
Use this tab if your users are having problems accessing functions they expect to use in
their roles. The events logged in the policy trace file may help you diagnose these
problems.
Copyright 2011, Juniper Networks, Inc. 824
Junos Pulse Secure Access Service Administration Guide
To create a policy trace file:
1. In the admin console, select Maintenance > Troubleshooting > User Sessions >
Policy Tracing.
2. In the User field, enter the SA Series username of the user you want to trace. Note
that you may use a wildcard character (*) in place of a username. For example, if your
users aresigningintoananonymous server, youmaywant tousethewildcardcharacter
(*) since you cannot knowthe internal username that the SA Series Appliance will
assign to the user.
3. In the Realmfield, select the users realm. Note that the SA Series Appliance does
not allowyou to select a realmthat maps to an anonymous authentication server.
4. Under Events to log, select the types of events you want to write to the policy tracing
log file.
5. Click Start Recording. Ask the user to sign into the SASeries Appliance after you have
started recording.
6. Click ViewLog to see the log entries.
7. Click Stop Recording when you have obtained enough information.
8. Reviewmessages inthelogfiletodeterminewhat is causingtheunexpectedbehavior.
If you cannot determine and fix the problem, click Save Log As to save a copy of the
log file to a location on your network. Then, send the file to Juniper Networks Support
for review.
9. Click Clear Log to clear the contents of the log file, or click Delete Trace to clear the
contents of the log file and to remove the default entries fromthe username and
realmfields.
Related
Documentation
Tracking Events Using Policy Tracing on page 824
Creating TCP Dump Files on page 827
Recording a Trace File
When a Web site does not display properly through the SA Series Appliance, the
Maintenance > Troubleshooting > User Sessions > Session Recording tab allows you to
record a trace file that lists a users actions. In addition, you can use this tab when
connecting to a client/server application that does not behave as expected through the
SA Series Appliance.
When you start recording a trace file, the SASeries Appliance signs out the specifieduser
andthenstarts recordingall user actions after theuser signs inagainandis authenticated.
Note that the SASeries Appliance notifies the user after authentication that user actions
are being recorded.
825 Copyright 2011, Juniper Networks, Inc.
Chapter 32: Troubleshooting
To record a trace file:
1. In the admin console, choose Maintenance > Troubleshooting > User Sessions
>Session Recording.
2. Enter the username of the user whose session you want to record.
3. Select the Web (DSRecord) checkbox to record the users web session and then
select the Ignore browser cache checkbox if you want to ignore cached copies of the
problemWeb site, which the SA Series Appliance would not otherwise record as a
part of the trace file (optional).
4. Select theClient/Server (JCP+NCP) checkboxtorecordJavaCommunicationProtocol
and Network Communication Protocol client/server application sessions (optional).
5. Click Start Recording. The SA Series Appliance signs out the user.
6. Instruct the user to sign in again and browse to the problemWeb site or connect to
the client/server application through the SA Series Appliance.
7. Click Stop Recording.
8. Download the trace file(s) fromthe Current Trace File section:
a. Click the DSRecord Log link to download the Web trace file.
b. ClicktheJCPor NCPClient-SideLoglinktodownloadtheclient/server application
trace file.
9. Email the file(s) to Juniper Networks Support for review.
10. Select the Delete button to remove the trace file(s) you just created (optional).
Related
Documentation
Simulating and Tracking Events on page 822
Creating Snapshots of the SASeries Appliance SystemState
The Maintenance > Troubleshooting > SystemSnapshot tab allows you to create a
snapshot of the SA Series Appliance systemstate. When you use this option, the SA
Series Applianceruns various utilities togather details ontheSASeries Appliancesystem
state, suchastheamount of memoryinuse, pagingperformance, thenumber of processes
running, systemuptime, the number of open file descriptors, ports in use, and SA Series
FIPS log messages.
You can choose to include or exclude systemconfiguration and debug logs. However,
debug logs are particularly important in the event of a problem. You will need to set the
debug log at a certain level and add the events list as directed by your Support
representative. Recreate the problemor event and then take a snapshot and send it to
Support. The debug log is encrypted; you cannot viewit.
Copyright 2011, Juniper Networks, Inc. 826
Junos Pulse Secure Access Service Administration Guide
NOTE:
The SA Series Appliance stores up to ten snapshots, which are packaged
intoanencrypteddump filethat youcandownloadtoanetworkmachine
and then email to Juniper Networks Support. If you take more than ten
snapshots, the SA Series Appliance overwrites the oldest snapshot file
with the newsnapshot. If the SA Series Appliance runs out of disk space,
the SA Series Appliance does not store the newest snapshot and logs a
message inthe Event log. Thoughthe SASeries Appliance compresses the
files first and then performs the encryption to minimize file size, we
recommend that you download the snapshots to a network machine in a
timely manner to avoid losing them.
In a cluster, the snapshot occurs on a individual node basis only. That is,
the snapshot settings you specify are not synchronized in all nodes of the
cluster.
Related
Documentation
Tracking Events Using Policy Tracing on page 824
Creating TCP Dump Files on page 827
Creating TCP Dump Files
To sniff network packet headers:
1. In the admin console, choose Maintenance >Troubleshooting >Tools >TCPDump.
2. Select theSASeries Applianceport onwhichyouwant tosniff networkpacket headers.
3. If youare operating withanIVSlicense, youcanalsoselect aVLANport tosniff packet
headers for a subscriber intranet.
4. Turn off Promiscuous mode to sniff only for packets intended for the SA Series
Appliance.
5. Create a customfilter using TCPDump Filter Expressions (optional). This option
provides the ability to filter the sniffed network packets so that the resulting dump
file contains only the information you require.
6. Click Start Sniffing.
7. Click Stop Sniffing to stop the sniffing process and create an encrypted file.
8. Click Download to download the file to a network machine.
9. Email the file to Juniper Networks Support for review.
Related
Documentation
Simulating and Tracking Events on page 822
827 Copyright 2011, Juniper Networks, Inc.
Chapter 32: Troubleshooting
SASeries Appliance Network Connectivity Tools
The Maintenance > Troubleshooting > Tools > Commands tab allows you to run UNIX
commands such as arp, ping, traceroute, and NSlookup to test SA Series Appliance
network connectivity. You can use these connectivity tools to see the network path from
theSASeries Appliancetoaspecifiedserver. If youcanpingor traceroutetotheSASeries
Appliance and the SA Series Appliance can ping the target server, any remote users
should be able to access the server through the SA Series Appliance.
Address Resolution Protocol (ARP)
Use the arp command to map IP network addresses to the hardware addresses. The
Address Resolution Protocol (ARP) allows you to resolve hardware addresses.
To resolve the address of a server in your network, a client process on the SA Series
Appliance sends information about its unique identify to a server process executed on a
server in the intranet. The server process then returns the required address to the client
process.
Ping
Use the ping command to verify that the SA Series Appliance can connect to other
systems on the network. In the event of a network failure between the local and remote
nodes, you will not receive a reply froma pinged device. In that case, contact your LAN
administrator for help.
The ping command sends packets to a server and returns the server response, typically
a set of statistics including the target servers IPaddress, the time spent sending packets
and receiving the response, and other data. You can ping unicast or multicast addresses,
and you must include the target server name in the request.
Traceroute
Use the traceroute commandto discover the path that a packet takes fromthe SASeries
Appliancetoanother host. Traceroutesends apacket toadestinationserver andreceives
an ICMP TIME_EXCEEDED response fromeach gateway along its path. The
TIME_EXCEEDED responses and other data are recorded and displayed in the output,
showing the path of the packet round-trip.
NSlookup
Use NSlookup to get detailed information about a name server on the network. You can
query on several different types of information, including a servers IP address, alias IP
address, start-of-authority record, mail exchange record, user information, well-known
services information, and other types of information.
Related
Documentation
Using UNIX Commands to Test Network Connectivity on page 829
Copyright 2011, Juniper Networks, Inc. 828
Junos Pulse Secure Access Service Administration Guide
Using UNIX Commands to Test Network Connectivity
To run a UNIX command to test SA Series Appliance network connectivity:
1. Intheadminconsole, chooseMaintenance>Troubleshooting>Tools>Commands.
2. Fromthe Command list, select the command to run.
3. In the Target Server field, enter the IP address of the target server.
4. If you are operating on an IVS license, you can select a VLANport, to test connectivity
to a subscriber intranet.
5. Enter other arguments or options.
6. Click OK to run the command.
Related
Documentation
SA Series Appliance Network Connectivity Tools on page 828
Running NSLookup to Test Name Server Connectivity
To run NSLookup to test name server connectivity:
1. In the admin console, choose Maintenance>Troubleshooting>Tools >Commands.
2. Fromthe Command list, select NSLookup.
3. Select the type of query to use fromthe Query Type drop down menu.
4. Enter the query, which is a host name, an IP address, or other information, depending
on your selection of query type.
5. Enter the DNS server name or IP address.
6. If you are operating on an IVS license, you can select a VLANport, to test connectivity
to a subscriber intranet.
7. Enter other options.
8. Click OK to run the command.
Related
Documentation
Troubleshooting VLANs on page 910
Running Debugging Tools Remotely
The Juniper Networks Support teamcan run debugging tools on your production SA
Series Appliance if you configure it to do so through the Maintenance > Troubleshooting
> Remote Debugging page. To enable this option, you must work with Juniper Networks
Support toobtainadebuggingcodeandhost towhichyour SASeries Applianceconnects.
829 Copyright 2011, Juniper Networks, Inc.
Chapter 32: Troubleshooting
To enable remote debugging:
1. Contact Juniper Networks Support toset upthe terms of aremote debugging session.
2. Intheadminconsole, chooseMaintenance>Troubleshooting>RemoteDebugging.
3. Enter the debugging code provided by Juniper Networks Support.
4. Enter the host name provided by Juniper Networks Support.
5. Click Enable Debugging to allowthe Juniper Networks Support teamto access the
Infranet Controller.
6. Notify Juniper Networks Support that your SA Series Appliance is accessible.
7. Click DisableDebuggingwhenJuniper Networks Support notifies youthat theremote
debugging session is over.
Related
Documentation
SA Series Appliance Network Connectivity Tools on page 828
Creating Debugging Logs
If you have a problem, a Juniper Networks Support representative may ask you to create
debugging logs to assist with debugging SA Series Appliance internal issues. When you
enable logging, the SA Series Appliance records certain events and messages based on
event codes you enter into admin console on the Maintenance > Troubleshooting >
Monitoring > Debug Log tab. Using the debug log that results, the support teamcan
identify the code flowfor any discrepancies. Your support representative gives you all of
the information you need to create the log file, including the debug detail log level and
the event codes.
NOTE: Running debug logging can impact your systemperformance and
stability. You should only generate debug logs when directed by your Juniper
Networks Support representative.
To enable the debug log:
1. Inthe adminconsole, choose Maintenance>Troubleshooting>Monitoring>Debug
Log.
2. Select the Debug Logging On checkbox.
3. Enter the MAX debug log size.
4. Enter the Debug log detail level.
NOTE: Settingthe detail level to0displays only Critical messages, it does
not disable logging completely.
5. Select the Include logs check box to include log details.
Copyright 2011, Juniper Networks, Inc. 830
Junos Pulse Secure Access Service Administration Guide
6. Enter the Event Codes specified by Juniper Networks Support.
7. Click Save Changes.
8. Choose the Maintenance > Troubleshooting > SystemSnapshot tab.
9. Check the Include debug log checkbox.
10. Click Take snapshot to create a file that contains the debug log. The SA Series
Appliance compresses the files and then encrypts themto minimize file size.
11. Click Download.
12. Attachthesnapshot fileinanemail messageandsendit toJuniper Networks Support.
Related
Documentation
SA Series Appliance Network Connectivity Tools on page 828
Monitoring Cluster Nodes
If you have a problemwith a cluster, a Juniper Networks Support representative may ask
youtocreateasnapshot that includes nodemonitoringstatistics toassist withdebugging
the cluster problem. When you enable the node monitor on the Maintenance >
Troubleshooting > Monitoring > Node Monitor tab, the SA Series Appliance captures
certain statistics specific to the cluster nodes on your system. Using the snapshot that
results, the support teamcan identify important data, such as network statistics and
CPU usage statistics.
To enable node monitoring:
1. Enable the node monitor on the Maintenance > Troubleshooting > Monitoring >
Node Monitor tab
2. Enter the maximumsize for the node monitor log.
3. Enter the interval, in seconds, at which node statistics are to be captured.
4. Select the Node monitoring enabled checkbox to start monitoring cluster nodes.
5. For Maximumnode monitor log size, enter the maximumsize (in MB) of the log file.
Valid values are 1-30.
6. Specify the interval (in seconds) that defines howoften nodes are to be monitored.
7. Select the commands to use to monitor the node.
If you select dsstatdump, enter its parameters as well.
8. Click Save Changes.
9. If you want to include the node monitoring results in the systemsnapshot, choose
Maintenance > Troubleshooting > SystemSnapshot, and select the Include debug
log checkbox.
10. Take a systemsnapshot to retrieve the results.
831 Copyright 2011, Juniper Networks, Inc.
Chapter 32: Troubleshooting
Related
Documentation
Configuring Group Communication Monitoring on a Cluster on page 832
Configuring Network Connectivity Monitoring on a Cluster on page 832
Task Summary: Deploying a Cluster on page 839
Configuring Group Communication Monitoring on a Cluster
To enable group communication monitoring:
1. Enter the maximumsize for the statistics log.
2. Enter the interval, in seconds, at which events are to be logged.
3. If youwant tomonitor all cluster nodes fromthecurrent local node, select theMonitor
all cluster nodes fromthis node checkbox. If you do not check this option, the group
communication monitor gathers statistics only for the local node.
NOTE: If you select the Monitor all cluster nodes fromthis node option,
the cluster nodes must be able to communicate over UDP port 6543.
4. Select theEnablegroupcommunicationmonitoringcheckbox tostart themonitoring
tool.
5. Click Save Changes.
6. If you want to include the node monitoring results in the systemsnapshot, choose
Maintenance > Troubleshooting > SystemSnapshot, and select the Include debug
log checkbox.
7. Take a systemsnapshot to retrieve the results.
Related
Documentation
Configuring Group Communication Monitoring on a Cluster on page 832
Configuring Network Connectivity Monitoring on a Cluster on page 832
Configuring Network Connectivity Monitoring on a Cluster
If you have a problemwith a cluster, a Juniper Networks Support representative may ask
you to enable the cluster node troubleshooting server. When you enable the server on
the Maintenance > Troubleshooting > Cluster > Network Connectivity tab, the SA Series
Appliance attempts to establish connectivity between the node on which the server
residesandanother nodeyouspecify. Asthenodescommunicate, theSASeriesAppliance
displays network connectivity statistics onthepage. TheMaintenance>Troubleshooting
> Cluster > Network Connectivity tab appears only when you enable clustering on your
system. OnastandaloneSASeries Appliance, youdonot haveaccess totheMaintenance
> Troubleshooting > Cluster > Network Connectivity tab.
Copyright 2011, Juniper Networks, Inc. 832
Junos Pulse Secure Access Service Administration Guide
Use the Network Connectivity page to enable the cluster node troubleshooting server
and to select a node on which to performtroubleshooting tasks. The troubleshooting
tool allows you to determine the network connectivity between cluster nodes.
The server component of this tool runs on the node to which connectivity is being tested.
The client component runs on the node fromwhich connectivity is being tested. The
basic scenario for testing connectivity is this:
The administrator starts the server component on the passive node.
The administrator then tests the connectivity to the server node fromthe Active node,
by starting the client component on the Active node and contacting the Passive node
running the server component.
NOTE: The server component must be run on nodes that are configured as
either standalone, or in a cluster but disabled. Cluster services cannot be
running on the same node as the server component.
To enable network connectivity monitoring:
1. Select the Enable cluster network troubleshooting server checkbox to enable the
server component.
2. Click Save Changes.
3. On another machine, select Maintenance > Troubleshooting > Cluster > Network
Connectivity.
4. Performone of the following steps:
Select a node fromthe drop-down list.
Enter the IP address of the server node.
5. Click Go to begin troubleshooting the machine on which the server component is
running.
6. Click the Details link that appears on the page belowthe fields, to viewthe results.
Related
Documentation
Monitoring Clusters on page 856
833 Copyright 2011, Juniper Networks, Inc.
Chapter 32: Troubleshooting
Copyright 2011, Juniper Networks, Inc. 834
Junos Pulse Secure Access Service Administration Guide
CHAPTER 33
Clustering
About Clustering on page 835
Cluster Licensing on page 836
Task Summary: Deploying a Cluster on page 839
Defining and Initializing a Cluster on page 840
Joining an Existing Cluster on page 841
Re-adding a Node to a Cluster on page 843
Deploying Two Nodes in an Active/Passive Cluster on page 844
Failing Over the VIP to Another Node on page 845
Deploying Two or More Units in an Active/Active Cluster on page 845
Synchronizing the Cluster State on page 847
Specifying Active/Passive, Active/Active, and Other Cluster Settings on page 849
Adding Multiple Cluster Nodes on page 851
General Cluster Maintenance on page 852
Changing the IP Address of a Cluster Node on page 852
Deleting a Cluster on page 853
Restarting or Rebooting Clustered Nodes on page 854
Configuring the External VIP for An Active/Passive Cluster on page 854
Admin Console Procedures on page 854
Monitoring Clusters on page 856
Troubleshooting Clusters on page 857
Serial Console Procedures on page 859
Joining an SA Series Appliance to a Cluster Through Its Serial Console on page 860
Disabling a Clustered SA Series Appliance Using Its Serial Console on page 861
About Clustering
You can purchase a clustering license to deploy two or more SA Series Appliances or SA
Series FIPS Appliances as a cluster. These appliances support Active/Passive or
Active/Activeconfigurations across aLANtoprovidehighavailability, increasedscalability,
and load balancing capabilities.
835 Copyright 2011, Juniper Networks, Inc.
You define a cluster on one SA Series Appliance by specifying three pieces of data:
A name for the cluster
A password for the cluster members to share
A name to identify the machine in the cluster
Entering this information enables you to initiate the first member of your cluster. You
then need to specify which SA Series Appliances you want to add to the cluster. After
an SASeries Appliance is identifiedas an intendedmember, you may addit to the cluster
through either the admin console or the serial console (if the machine is in the initial
factory state).
WhenanSASeries Appliancejoins acluster, it initializes its statefromtheexistingmember
that you specify. The newmember sends a message to the existing member requesting
synchronization. The existing member sends the systemstate to the newmember,
overwriting all systemdata on that machine. After that point, the cluster members
synchronize data when there is a state change on any member. Cluster member
communication is encrypted to prevent attacks frominside the corporate firewall. Each
SA Series Appliance uses the shared password to decrypt communication fromanother
cluster member. For security reasons, the cluster password is not synchronized across
SA Series Appliances.
During synchronization, the newnode receives the service package, which upgrades the
node if it is running an older service package.
Related
Documentation
Viewing General Status on page 813
Task Summary: Deploying a Cluster on page 839
Cluster Licensing on page 836
Defining and Initializing a Cluster on page 840
Joining an Existing Cluster on page 841
Cluster Licensing
SA Series software 7.0 introduces several clustering license changes including:
A license is no longer required to create a cluster.
CL licenses are no longer necessary but are still supported.
A 5 day cluster grace period to provide license fexibility when a node crashes or loses
connectivity with the rest of the cluster.
Juniper Networks recommends that you distribute your ADD licenses equally across
the cluster to avoid losing large number of licenses when a node disconnects fromthe
cluster.
Copyright 2011, Juniper Networks, Inc. 836
Junos Pulse Secure Access Service Administration Guide
NOTE: Theclusteringfeatureis not availableontheSA700Series Appliance.
You can run an SA Series Appliance with an IVS license in a cluster.
If you are content with your current licensing process, you can carry that forward with
the newlicense scheme. Upgrading may result in a fewchanges if you have mismatched
concurrent user and CL licenses. A cluster that was once unqualified may become
qualified andwill be able to support user loads. Your user capacity shouldnot decrease
when upgrading to the newlicensing scheme.
The maximumnumber of concurrent users allowed in a cluster is the sumof all user
licenses of all connected nodes. If a node disconnects fromthe cluster (either A/A or
A/P), up until the grace period ends the maximumlicense per each remaining node is
their current license plus the minimumof their own license and the licenses of the other
nodes. The following examples explain this in more detail.
Example 1: Licenses Distributed Equally Among Nodes
Suppose Node A and Node B are part of a cluster and each node has 500 concurrent
user licenses. As long as both nodes are connected, the maximumnumber of licenses is
1000.
Suppose Node B disconnects fromthe cluster. Up until the clustering grace period ends,
the maximumnumber of licenses on Node A is 500 (fromNode As original license) +
minimum(licenses on Node A (500), licenses on Node B (500)) = 500 + 500 = 1000.
After the grace period ends, the maximumnumber of licenses on Node A reverts to its
original license of 500.
Example 2: Licenses Distributed Unequally Among Nodes
Suppose Node A and Node B are part of a cluster. Node A has 600 ADD licenses and
Node B has 400 ADD licenses. As long as both nodes are connected, the maximum
number of licenses is 1000.
Suppose Node B disconnects fromthe cluster. Up until the clustering grace period ends,
the maximumnumber of licenses on Node A is 600 (fromNode As original license) +
minimum(licenses on Node A (600), licenses on Node B (400)) = 600 + 400 = 1000.
After the grace period ends, the maximumnumber of licenses on Node A is 600.
Suppose Node A disconnects fromthe cluster. Up until the clustering grace period ends,
the maximumnumber of licenses on Node B is 400 (fromNode Bs original license) +
minimum(licenses on Node A (600), licenses on Node B (400)) =400+400 = 800.
After the grace period ends, the maximumnumber of licenses on Node B is 400.
Example 3: Licenses Distributed Unequally Among Nodes (Extreme Case)
Suppose Node A and Node B are part of a cluster. Node A has 1000 ADD licenses and
Node Bhas 0ADDlicenses. As long as both nodes are connected, the maximumnumber
of licenses is 1000.
837 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
Suppose Node B disconnects fromthe cluster. Up until the clustering grace period ends,
the maximumnumber of licenses on Node A is 1000 (fromNode As original license) +
minimum(licenses on Node A (1000), licenses on Node B (0)) = 1000+ 0= 1000. After
the grace period ends, the maximumnumber of licenses on Node A is 1000.
Suppose Node A disconnects fromthe cluster. Up until the clustering grace period ends,
the maximumnumber of licenses on Node B is 0 (fromNode Bs original license) +
minimum(licenses on Node A(1000), licenses on Node B(0)) =0+0=0. After the grace
period ends, the maximumnumber of licenses on Node B is 0.
Given the scenarios in Examples 2 and 3, we recommend you distribute the licenses
equally amongst the nodes.
Upgrading FromPrevious Versions
Prior to SA series software version 7.0, to create an n-node cluster supporting cccc
concurrent users, you were requred to purchase one ADD-ccccE license for one cluster
node, and n-1 CL licenses (one for each of the remaining cluster nodes). For example, to
create a 4-node cluster supporting 2000 concurrent users, you needed to purchase one
ADD-2000E license and 3 CL licenses.
When upgrading to SA Series software version 7, your existing licenses will continue to
work. The total concurrent user capacity is still the sumtotal of all user licenses as long
asall nodesareconnected. However, whenanodedisconnectsthecapacitycomputation
changes as follows:
Licenses on connected nodes count towards the total cluster capacity.
If user licenses are present on the computing node, that same number of user licenses
canbeborrowedfromeachdisconnectednodethat falls withinthecluster graceperiod.
If CL licenses are present on the computing node, user licenses can be borrowed from
the disconnected nodes so that they total the number of CL licenses.
The following example explains this in more detail.
Suppose you have the following four-node cluster configuration:
Node A with 1000 user licenses is connected to the cluster
Node B with 400 user licenses and 200 CL licenses is connected to the cluster
Node C with 500 user licenses and 500 CL licenses is disconnected fromthe cluster
for 17 hours
Node D with 1000 user licenses is disconnected fromthe cluster for 6 days
The total cluster capacity fromNode Bs point of viewis as follows:
1000 licenses fromNode A because it is connected.
400 licenses fromNode B because thats its own license.
Node C falls within the cluster grace period of 5 days. Using bullet 2 fromthe above
computation notes, since Node B has 400 user licenses it can borrow400 licenses
fromNode Cs 500 licenses.
Copyright 2011, Juniper Networks, Inc. 838
Junos Pulse Secure Access Service Administration Guide
Node B also has 200 CL licenses. However, it already borrowed 400 of Node Cs 500
user licenses so only 100 of Node Cs user licenses remain to be used towards Node
Bs CL license count.
Node B counts 400+100=500 licenses fromNode C.
Since Node D has been disconnected fromthe cluster longer than the cluster grace
period, Node B can not borrowNode Ds user licenses.
Node B has 200 CL licenses. It already borrowed 100 user licenses fromNode C,
therefore it can borrow100 user licenses fromNode D.
Node B counts 100 licenses fromNode D.
The total cluster capacity fromNode Bs point of viewis 1000+400+500+100=2000.
Related
Documentation
Task Summary: Deploying a Cluster on page 839
Task Summary: Deploying a Cluster
We recommend that you deploy a cluster in a staging environment first and then move
to a production environment after testing authentication realm, user role, and resource
policy configurations, as well as any applications your end-users may access.
To create an SA Series Appliance cluster:
1. Ensure that all intended SA Series Appliance nodes use the same hardware platform
(for example, all are SA6500 Series Appliances).
2. Ensure that all intended SASeries Appliance nodes have been initially configured (for
example, SA Series Appliance host name is specified and the internal and external IP
addresses are assigned), and they are running the same service package version.
3. Fromthe admin console. choose System> Configuration > Licensing and enable the
clustering feature on the primary server by entering a stand alone license and any
feature licenses.
4. Fromthe System>Clustering >Create Cluster page, initialize the SASeries Appliance
cluster by defining the cluster name and adding the first/primary SASeries Appliance
to the cluster.
5. Fromthe System> Clustering > Status page, add the names and IP addresses of
future cluster SA Series Appliances to the primary SA Series Appliance.
6. Fromthe System>Clustering>JoinCluster page, populatethe cluster withadditional
SA Series Appliances as necessary.
7. If you are running Network Connect on a multi-site cluster where nodes reside on
different subnets:
a. Configure an IP address pool policy on the Users > Resource Policies > Network
Connect >Network Connect ConnectionProfiles >NewProfile page that accounts
for the different network addresses used by each node in the cluster.
839 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
b. For each node in the cluster, use settings in the System> Network > Network
Connect page of the admin console to specify an IPfilter that filters out only those
network addresses available to that node.
c. Create a static route on your gateway router that indicates the IP address of the
internal port of each cluster node. Each IP address specified on the router needs
to be in the same subnetwork as the corresponding cluster node.
8. If youarecreatingacluster of SASeries FIPSAppliances, manually updatethesecurity
world on each of the machines.
WhenrunningNetwork Connect onanActive/Activecluster, youmust split theIPaddress
pool across the nodes to ensure proper routing fromthe back end to the NC end-user.
This is a requirement whether the IP address pool is provisioned statically on the SA
Series Appliance or dynamically by way of DHCP.
The client IP pool configuration is synchronized among all nodes in a cluster; however,
administrators may configure each SA Series Appliance to use a certain subset of the
global IP pool. Configure the client IP pool in the Network Settings > Network Connect
tab, using an IP filter match.
Juniper networks recommends that you deploy a cluster in a staging environment first
and then move to a production environment after testing authentication realm, user role,
andresourcepolicy configurations, as well as any applications your end-users may access.
Related
Documentation
Joining an Existing Cluster on page 841
Defining and Initializing a Cluster on page 840
Serial Console Procedures on page 859
Admin Console Procedures on page 854
Defining and Initializing a Cluster
If you are currently running stand alone SA Series Appliances that you want to cluster,
we recommend that before you create a cluster, you first configure systemand user
settings on one machine. After doing so, use the same machine to create the cluster. This
machinejoins thecluster as part of thecreationprocess. Whenother SASeries Appliances
join the cluster, this machine propagates its configuration to the newcluster member.
To define and initialize a cluster:
1. Configure one SA Series Appliance with the appropriate license and system, user,
resource, and application data.
2. Fromthe admin console select System> Clustering > Create and enter a name for
the cluster, a cluster password, and a name for this machine, such as Server-1.
You need to enter the password again when configuring additional SA Series
Appliances to join the cluster. All machines in the cluster use this password to
communicate.
Copyright 2011, Juniper Networks, Inc. 840
Junos Pulse Secure Access Service Administration Guide
3. Click Create Cluster. When prompted to confirmthe cluster creation, click Create.
After the SA Series Appliance initializes the cluster, the Clustering page displays the
Status and Properties tabs. Use the Status tab to specify additional cluster members
before trying to add another SA Series Appliance to the newcluster.
Related
Documentation
Task Summary: Deploying a Cluster on page 839
Joining an Existing Cluster on page 841
Joining an Existing Cluster
The method you use to add an SA Series Appliance to a cluster depends on whether or
not the SA Series Appliance is configured or uninitialized (still in its factory state). For an
SA Series Appliance in its factory state, we recommend that you use the serial console
procedure because it requires you to enter minimal information for the machine to join
a cluster.
NOTE:
If you purchased the Juniper Networks SACentral Manager, you can create
a cluster using the SA Series Appliance running the latest OS version and
thenaddadditional nodes usingtheupgradeandjoin functionality. When
you add a node to a cluster using this feature, the first SASeries Appliance
node upgrades the joining node with the more current service package.
This functionalityworks onlywhenall theSASeries Appliances arerunning
version 4.0 or later of the OS.
If youwant toaddanSASeriesAppliancecurrentlyrunningasastand-alone
machinetoacluster throughitsadminconsole, andyoudonot haveCentral
Manager, it must be running the same or a more recent version service
package on the same hardware platformas the other members.
If youaddanSASeriesAppliancerunningapreviousversionservicepackage
to a cluster, the SA Series Appliance automatically detects the mismatch,
gets the newer package fromthe cluster, and joins the cluster. If the new
node has no license, it is added with cluster status set to Enabled,
Unqualifieduntil youapplyavalidCLlicenseusingthenewnodesmachine
ID.
Existing node-specific settings are erased when an SA Series Appliance
node joins a cluster. These settings include network interface addresses,
route tables, virtual ports, ARP caches, VLANinterface, SNMP settings,
and so forth. The administrator must manually reconfigure these settings
for the newly joinednode. You cannot use the Import systemconfiguration
feature to import these configurations and settings onto an SA Series
Appliance node that has been joined to the cluster.
If themanagement port ontheprimary nodeis configuredandenabledbut
the secondary node is not configured and disabled, the secondary node
becomes enabled once the SA Series Appliance joins the cluster.
841 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
In an SA Series FIPS environment, you must use the admin console to add an SA Series
Appliance to a cluster. You also must have physical access to:
The cryptographic modules installed in the front panels of the cluster members SA
Series Appliances
A smart card reader
An administrator card that is pre-initialized to the active cluster members security
world
Specifying an SASeries Appliance to Join to a Cluster
Before an SA Series Appliance can join a cluster, you must specify its network identity
on an active cluster member.
To specify an SA Series Appliance that you intend to join to an existing cluster:
1. Fromthe admin console of an active cluster member, select the System>Clustering
> Cluster Status tab.
2. Click Add Members to specify an SA Series Appliance that will join the cluster:
a. Enter a name for the member.
b. Enter the machines internal IP address.
c. Enter the machines external IP address if necessary. Note that the External IP
address field does not appear if you have not enabled the external port on the
System> Network > External Port tab.
d. Change the netmask and gateway settings for the node if necessary.
e. Click Add Node. When prompted to confirmadding the newmember, click Add.
f. Repeat this procedure for each SA Series Appliance you intend to add to a cluster.
Adding an SASeries Appliance to a Cluster Through Its Admin Console
Before you can add an SA Series Appliance to a cluster (either through the Web or serial
console), you need to make its identity known to the cluster. Note that if an SA Series
Appliance has a cluster license key, it has only a Clustering > Join tab.
To add an SA Series Appliance to a cluster through its admin console:
1. Froman existing cluster member, select the System> Clustering > Cluster Status
tab and specify the SA Series Appliance you want to add to the cluster.
2. Fromthe admin console of the SA Series Appliance you want to add to a cluster:
a. Choose the System> Configuration > Licensing tab and enter the correct license
key to enable the clustering feature.
b. Select the System> Clustering > Join tab and enter:
The Name of the cluster to join
Copyright 2011, Juniper Networks, Inc. 842
Junos Pulse Secure Access Service Administration Guide
The cluster Password you specified when defining the cluster
The IP address of an active cluster member
c. Click Join Cluster. When prompted to confirmjoining the cluster, click Join. After
the SA Series Appliance joins the cluster, you may need to sign in again.
3. (SASeries FIPSenvironments only) Initializethenodewiththeactivecluster members
security world.
While the newnode synchronizes its state with the existing cluster member, each nodes
status indicates Enabled, Enabled, Transitioning, or Enabled, Unreachable.
When the newnode finishes joining the cluster, its Clustering page shows the Status and
Properties tabs. The original cluster members state data, including system, user, and
licensing data, exists on the newcluster member. In this example, the original members
user interface coloring is reflected on the newnode.
Related
Documentation
Serial Console Procedures on page 859
SA Series Appliance Licensing
Importing and Exporting SA Series Appliance Configuration Files on page 760
Re-adding a Node to a Cluster
Withsomemaintenanceoperations, it may benecessary toremoveanodefromacluster,
then re-add and re-join it to the cluster.
When an SA Series Appliance node joins a cluster, all of its node-specific settings
(including network interface addresses, route tables, virtual ports, ARP caches, VLAN
interface, SNMP settings) are overwritten by the corresponding configuration setting it
receives fromthe cluster.
To populate the newly joined node with the correct node-specific settings:
1. Add the node to the cluster.
2. Fromany of the existing nodes in the cluster, manually configure the desired
node-specific settings for the newly added node.
3. Join the node to the cluster.
When the node joins the cluster, it receives its newly configured node-specific settings
fromthe cluster.
843 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
NOTE: You configure the node-specific settings for the newly added node
manually because binary import options are not useful. The only
recommendedbinaryimport optionintoacluster isImport everythingexcept
network settings and licenses fromthe Maintenance > Import/Export >
Configurationpagewhichrestorescluster-wideconfiguration(sign-in, realms,
roles, resource policies etc.) froma backup binary file. Because this option
skips node-specific settings, you must performstep 2 as a manual step in
order to populate the newly-joined node with the right set of node-specific
settings.
Related
Documentation
Joining an Existing Cluster on page 841
Deploying Two Nodes in an Active/Passive Cluster
You can deploy SA Series Appliances as a cluster pair in Active/Passive mode. In this
mode, one SA Series Appliance actively serves user requests while the other SA Series
Appliance runs passively in the background to synchronize state data, including system
state, user profile, and log messages. User requests to the cluster VIP(virtual IPaddress)
are passed to the active SA Series Appliance. If the active SA Series Appliance goes
off-line, the standby SA Series Appliance automatically starts servicing user requests.
Users do not need to sign in again, however some SA Series session information entered
a fewseconds before the active machine went off-line, such as cookies and passwords,
may not have been synchronized on the current SASeries Appliance, in which case users
may need to sign in to back-end Web servers again.
You might need to fail-over the cluster VIP to the other node, manually. You can perform
a manual failover by using the Fail-Over VIP button on the Clustering Status page.
The following figures illustrates an active/passive SA Series Appliance cluster
configuration using two SA Series Appliances that have enabled external ports. Note
that this mode does not increase throughput or user capacity, but provides redundancy
to handle unexpected systemfailure.
User requests are directed to the cluster VIP, which then routes themto the currently
active machine.
Copyright 2011, Juniper Networks, Inc. 844
Junos Pulse Secure Access Service Administration Guide
Figure 22: Active/Passive Cluster Pair
Related
Documentation
Failing Over the VIP to Another Node on page 845
Specifying Active/Passive, Active/Active, and Other Cluster Settings on page 849
Using Device Certificates on page 719
Failing Over the VIP to Another Node
In an active/passive cluster, you might need to fail-over the VIP to the other node,
regardless of which node you are currently using.
To failover the VIP:
1. Select System> Clustering > Cluster Status fromthe admin console.
2. Click the Fail-Over VIP button to move to the other node. The Fail-Over VIP button
is a toggle button, so you can move fromone node to the other, regardless of which
is the leader.
The failover occurs immediately.
NOTE: VIP failover does not occur when the management port fails.
Related
Documentation
Deploying Two Nodes in an Active/Passive Cluster on page 844
Deploying Two or More Units in an Active/Active Cluster
In Active/Active mode, all the machines in the cluster actively handle user requests sent
by an external load balancer. The load balancer hosts the cluster VIP and routes user
requests toanSASeries Appliancedefinedinits cluster groupbasedonsource-IProuting.
If an SA Series Appliance goes off-line, the load balancer adjusts the load on the active
SASeries Appliances. Users donot needtosigninagain, however someSASeries session
information entered a fewseconds before the active machine went off-line, such as
845 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
cookies and passwords, may not have been synchronized on the current SA Series
Appliance, in which case users may need to sign in to back-end Web servers again.
NOTE:
When choosing and configuring a load balancer for your cluster, we
recommend that you ensure the load balancer:
Supports IPsec
Listens for traffic on multiple ports
Canbeconfiguredtomanagetrafficusingassignedsourceanddestination
IP addresses (not destination port)
The SA Series cluster itself does not performany automatic fail-over or load-balancing
operations, but it does synchronize state data(system, user, andlog data) among cluster
members. When an off-line SA Series Appliance comes back online, the load balancer
adjusts the load again to distribute it among all active members. This mode provides
increasedthroughput andperformanceduringpeakloadbut doesnot increasescalability
beyond the total number of licensed users.
The SA Series Appliance synchronizes state data on all nodes if you add or delete the
host entry by using the Network Settings pages. If you add or delete the host entry using
the Clustering tab for a cluster member, the state data only affects the node and the SA
Series Appliance does not synchronize the data across the entire cluster.
The SA Series Appliance hosts an HTML page that provides service status for each SA
Series Applianceinacluster. External loadbalancers cancheck this resourcetodetermine
howto effectively distribute the load among all the cluster nodes.
To performthe Layer 7 health check for a node:
Froma browserEnter the URL:
https://<SA Series Appliance
Controller-Hostname>/dana-na/healthcheck/healthcheck.cgi
Froman external load balancerConfigure a health check policy that sends the
following request to cluster nodes:
GET /dana-na/healthcheck/healthcheck.cgi HTTP/1.1\r\nHost: localhost\r\n\r\n
The node returns one of two values:
Security gateway is accessible stringThis value means the node is active.
500This value denotes an error and cluster SA Series Appliances stop forwarding
user requests to the node.
[xref target has no title] illustrates an active/active SA Series Appliance cluster
configuration in which the SA Series Appliances have enabled external ports.
Copyright 2011, Juniper Networks, Inc. 846
Junos Pulse Secure Access Service Administration Guide
This active/active cluster configuration is deployed behind an external load balancer.
You can deploy a cluster pair or multi-unit cluster in active/active mode. SA Series user
requests are directed to the cluster VIP defined on the load balancer, which routes them
to the appropriate machine.
Figure 23: Active/Active Configuration
Related
Documentation
Specifying Active/Passive, Active/Active, and Other Cluster Settings on page 849
Synchronizing the Cluster State on page 847
Using Device Certificates on page 719
Synchronizing the Cluster State
SA Series state synchronization occurs only by means of the internal network interface
cards (NICs), and each cluster member is required to possess the cluster password to
communicate with other members. Cluster members synchronize data when there is a
state change on any member. SA Series Appliance cluster state data is either
persistentpermanently stored on the SASeries Applianceor transientstored on the
SA Series Appliance only for the users session. SA Series state data is divided into the
following major categories:
SystemstateThis state is persistent and does not change often.
Network settings
Authentication server configurations
Authorizationgroupconfigurations, suchas access control list, bookmark, messaging,
and application data
User profileThis data can be either persistent or transient, depending on whether or
not you have enabled persistent cookies and persistent password caching. If you have
not enabled these features, then the data is transient and falls into the next category.
User bookmarkspersistent
847 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
Persistent user cookiesif the persistent cookies feature is enabled, the SA Series
Appliance stores user cookies for Web sites that issue persistent cookies
Persistent user passwordsif the password caching feature is enabled, the user can
choose to store her credentials for applications and Web sites
User sessionThis state is transient and dynamic. The user session consists of the
following data:
The user SA Series Appliance session cookie
Transient user profile information, which includes cookies and passwords stored
only for during the users session
Monitoring stateThis persistent information consists of log messages.
Whether you deploy a cluster in Active/Passive or Active/Active mode, the SA Series
Appliance is responsible for synchronizing data between cluster members. The SA
Series Appliance synchronizes all systemdata, user profile data, and the SA Series
user session cookies immediately, so if one cluster member goes off-line, users do not
need to sign in to the SA Series Appliance again. A small amount of latency occurs
when the SA Series Appliance synchronizes user session profile and monitoring state
data, so if a member goes off-line, the user may needto sign in to some back-endWeb
applications again and administrators may not have access to the logs on the failed
machine.
If you notice too much latency occurring on one or more nodes, you might need to
change the Clustering Timeouts Settings.
When you add an SA Series Appliance to a cluster, the cluster leader does not send
log messages to the newmember. Log messages are also not synchronized between
cluster members when one member restarts its services or when an offline machine
comes back online. Once all machines are online, however, log messages are
synchronized.
NOTE: If you are running an active/active cluster, you must not allowthe
cluster to switch to active/passive mode unless the active/active and
active/passive clusters share compatible spread timeout settings.
You may also configure synchronization settings to improve performance:
Specify the synchronization protocolWhen running three or more SA Series
Appliances in a multi-unit or multi-site cluster, you can choose to use the
synchronizationprotocol (Unicast, Multicast, or Broadcast) that best suits your network
topology.
SynchronizelogmessagesLogmessages may createahugepayloadonthenetwork
and affect cluster performance. This option is disabled by default.
Copyright 2011, Juniper Networks, Inc. 848
Junos Pulse Secure Access Service Administration Guide
Synchronize user sessionsThis option synchronizes all user session information
(instances of access to intranet services, for example) among all SASeries Appliances
in the cluster.
Synchronize last access time for user sessionsThis option allows you to propagate
user access information in the cluster. If this option is the sole synchronization item
among the cluster nodes, you can significantly reduce CPU impact among the cluster
SA Series Appliances.
NOTE:
If youconfigureyour cluster asactive/passive, theSynchronizeuser sessions
and Synchronize last access time for user sessions options are
automatically checked.
If youselect boththebothSynchronizelogmessages andSynchronizeuser
sessionscheckboxes, everythingisreplicatedonthecluster nodes, including
networking information. Even though networking information, including
syslog and SNMPsettings, can be configured per node or per cluster, all of
the networking information is synchronized between nodes when these
two options are set.
If your cluster node configurations have diverged due to changes made to
one node while another is disabledor unavailable, the SASeries Appliance
manages the remerging of the configurations automatically, for up to 16
updates. Beyond the maximumnumber of allowable updates, you may
need to intervene and remerge the configurations manually. In some
instances, the SA Series Appliance may be unable to remerge the
configurations if thereis not enoughoverlappingconfigurationinformation
between two nodes to manage the internode communication.
For example, given a two-node cluster in which the two nodes are
partitioned fromeach other because of a network outage, if the internal
networkIPaddressof oneof thenodesgetschangedinoneof thepartitions,
the two partitions are unable to rejoin, even when the network is repaired.
In such a case, you must manually remerge the configurations.
Related
Documentation
Deploying Two Nodes in an Active/Passive Cluster on page 844
Deploying Two or More Units in an Active/Active Cluster on page 845
Specifying Active/Passive, Active/Active, and Other Cluster Settings on page 849
Specifying Active/Passive, Active/Active, and Other Cluster Settings
Use the Properties page to change the name of a cluster, specify in which configuration
to run a cluster (active/passive or active/active), specify synchronization and network
healthcheck settings, or delete a cluster.
849 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
To modify cluster properties:
1. Fromthe admin console of an active cluster member, select the System>Clustering
> Cluster Properties page.
2. Edit the name of the cluster in the Cluster Name field to change the clusters name
(optional).
3. Under Configuration Settings, select one of the following options:
Active/Passivetorunacluster pair inactive/passivemode. Then, specify aninternal
VIP (virtual IP address) and an external VIP if the external port is enabled.
NOTE: To run a two-unit cluster in active/passive mode, the SA Series
Appliances must reside on the same subnet.
Active/Active runs a cluster of two or more nodes in active/active mode using an
external load balancer.
NOTE: To change a two-unit active/passive cluster to an active/active
cluster with more than two nodes, first change the configuration of the
two-unit cluster to active/active and then add the additional nodes.
4. Under Synchronization Settings, specify one or more types of data to synchronize
using the following options:
Synchronize log messagesPropagates all log messages among all of the SA
Series Appliances in the cluster.
Synchronize user sessionsSynchronizes all user session information (instances
of access to intranet services, for example) among all SA Series Appliances in the
cluster.
Synchronizelast access timefor user sessionsPropagates the latest user access
information across the cluster.
Copyright 2011, Juniper Networks, Inc. 850
Junos Pulse Secure Access Service Administration Guide
NOTE:
If you select both Synchronize log messages and Synchronize user
sessions check boxes, everything is replicated on the cluster nodes,
includingnetworkinginformation. Eventhoughnetworkinginformation,
including syslog and SNMP settings, can be configured per node or
per cluster, all of thenetworkinginformationis synchronizedbetween
nodes when these two options are set.
If you are using a load balancer in conjunction with the SA Series
Appliance, werecommendyouclear theSynchronizelast access time
for user sessions check box.
Clearing the Synchronize last access time for user sessions check box
to disable it off can greatly improve cluster synchronization
performance, disabling this option while users are connected to the
SA Series Appliance can result in client-side warnings informing the
user that the session is about to expire. These warnings are
automatically generated because of time-stamp mismatches and
the user sessions do not actually disconnect.
5. Under NetworkHealthcheckSettings, specifythenumber of ARPpingfailuresallowed
before the SA Series Appliances internal interface is disabled and whether or not to
disable the SA Series Appliances external interface if the internal interface fails.
6. Select the Advanced Settings check box to specify the timeouts for the underlying
cluster system. Do not change any values under this setting unless instructed to do
so by Juniper Networks Technical Support.
7. Click Save Changes.
Related
Documentation
Task Summary: Deploying a Cluster on page 839
Deploying Two Nodes in an Active/Passive Cluster on page 844
Deploying Two or More Units in an Active/Active Cluster on page 845
Adding Multiple Cluster Nodes
To add multiple nodes to a cluster:
1. Select System> Clustering > Cluster Status.
2. Click Add Members.
3. Enter the node name and internal IP address.
4. Modify or add the default internal netmask and internal gateway addresses, if
necessary.
5. Click Add.
851 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
6. Repeat the process until you have added all of the nodes.
7. Click Save Changes to save the node configurations.
The SA Series Appliance automatically enables the added clusters, even if they are
unreachable.
Related
Documentation
Task Summary: Deploying a Cluster on page 839
Deploying Two Nodes in an Active/Passive Cluster on page 844
Deploying Two or More Units in an Active/Active Cluster on page 845
General Cluster Maintenance
Managing Network Settings for Cluster Nodes
To modify the network settings for a cluster or each individual node in a cluster, click
System> Network. You can make your changes on the Network Settings pages. After
you create a cluster, these pages provide a drop-down list fromwhich you can select the
entire cluster or a specific node to modify. When you save changes on a Network page,
the settings are saved for the specified cluster or cluster node. If you change network
settings for an entire cluster, they propagate to every node in the cluster.
You can access a node-specific Network page by clicking System> Clustering > Cluster
Status on the nodes name in the Member Name column.
Upgrading Clustered Nodes
The SA Series Appliance offers the ability to easily upgrade every node in a cluster. You
simply install a newer service package on one node and, once the installation completes
and the node reboots, the node pushes the service package to all nodes in the cluster.
Upgrading the Cluster Service Package
Install a newer service package on one cluster node only. When the installation process
completes and the cluster node reboots, it instructs the other nodes to upgrade.
Related
Documentation
Synchronizing the Cluster State on page 847
Adding Multiple Cluster Nodes on page 851
Changing the IP Address of a Cluster Node
Changing the IPaddress of acluster while it belongs toacluster is not supported. Inorder
to change the IPaddress, you must first remove it fromthe cluster, update the IPaddress
and then add it back.
NOTE: If you attempt to change the IP address of a node while it belongs to
a cluster, you may experience unpredictable results.
Copyright 2011, Juniper Networks, Inc. 852
Junos Pulse Secure Access Service Administration Guide
For example:
1. Select System> Clustering > Cluster status.
2. Select the check box next to the name of the node whose IP address you want to
change.
3. Click Remove.
4. After the node is removed, sign in to that node, change its IP address and click Save
Changes.
5. In the main node, add the changed node to the cluster configs.
6. Log in to the changed node and rejoin the cluster.
The following is an example for changing both node IP addresses in an active/passive
cluster:
1. Select System> Clustering > Cluster status.
2. Click Delete Cluster.
3. Change the IP address of each node.
4. Log in to the main node and re-create the cluster, changing fromactive/active to
active/passive and defining the internal and/or external VIP addresses.
5. Add the other node to the cluster configs.
6. Log in to the passive node and join it to the cluster.
Related
Documentation
Deploying Two Nodes in an Active/Passive Cluster on page 844
General Cluster Maintenance on page 852
Deleting a Cluster on page 853
Deleting a Cluster
If youdelete acluster, all of the nodes beginrunning as standalone SASeries Appliances.
To delete a cluster:
1. Fromthe admin console of an active cluster member, select the System>Clustering
> Cluster Status page.
2. Select the checkbox next to each cluster node you want to delete.
3. Click the Remove Cluster button.
4. When prompted, click Remove.
Related
Documentation
General Cluster Maintenance on page 852
853 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
Restarting or Rebooting Clustered Nodes
When you create a cluster of two or more SA Series Appliances, the clustered SA Series
Appliances act as alogical entity. As such, whenyourestart or reboot oneof theclustered
SA Series Appliances using either the serial console or the admin console, all SA Series
Appliances in the cluster restart or reboot.
Related
Documentation
Serial Console Procedures on page 859
Configuring the External VIP for An Active/Passive Cluster
To add an external VIP to an existing A/P cluster:
1. Create an A/P cluster with only the internal port configured.
2. Select System> Clustering > Clustering Properties and add the internal VIP.
3. Select System> Network > External Port.
4. Fromthe Settings for menu, select entire cluster.
5. Add the Netmask and Default Gateway but leave the external port disabled.
6. For each node, select System> Network > External Port and configure the external
port IP address but leave the external port disabled.
7. Add the external cluster VIP.
8. Select System> Network > External Port, select entire cluster fromthe Settings
for menu and enable the external port.
Related
Documentation
Specifying Active/Passive, Active/Active, and Other Cluster Settings on page 849
Admin Console Procedures
Table 35 on page 854 describes the information displayed on the Status tab and the
various management tasks you can perform, including disabling, enabling, and removing
an SA Series Appliance node froma cluster.
Table 35: Cluster Status Page Information
Description User Interface Element
Screen displays the cluster name, type, configuration, internal VIP,
and external VIP for an active/passive cluster.
Status Information labels
Click this button to specify an SA Series Appliance that will join the
cluster. Youmust performthis stepfor SASeries Applianceyouintend
to add to the cluster. By clicking this button, you can add multiple
nodes at the same time.
Add Members button
Copyright 2011, Juniper Networks, Inc. 854
Junos Pulse Secure Access Service Administration Guide
Table 35: Cluster Status Page Information (continued)
Description User Interface Element
Click this button to add a node that was previously disabled. When
you add a node, all state information is synchronized on the node.
Enable button
Clickthis buttontodisableanodewithinthecluster. Thenoderetains
awareness of the cluster, but does not participate in state
synchronizations or receive user requests unless members sign in to
the node, directly.
Disable button
Click this button to remove the selected node or nodes fromthe
cluster. Once removed, the node runs in stand-alone mode.
Remove button
Click this button to fail-over the VIP to the other node in the
active/passive cluster. Only available if cluster is configured as
active/passive.
Fail-Over VIP button
Lists all nodes belonging to the cluster. You can click on a nodes
name to modify its name and network settings.
Member Name column
Shows the internal IPaddress of the cluster member using Classless
Inter Domain Routing (CIDR) notation.
Internal Address column
Shows the external IP address of the cluster member using CIDR
notation. Note that this column only shows the external IP address
of the cluster leader unless you specify a different address for the
node on its individual network settings page, which is accessible by
clicking on its name in the Member Name column. If you change the
external IP address on the Network > Network Settings page, the
change affects all cluster nodes.
External Address column
Shows the current state of the node:
Green light/enabledThe node is handling user requests and
participating in cluster synchronization.
Yellowlight/transitioningThe node is joining cluster.
Red light/disabledThe node is not handling user requests or
participating in cluster synchronization.
Red light/enabled, unreachableThe node is enabled, but due
to a network issue, it cannot be reached.
Note: A nodes state is considered stand-alone when it is
deployedoutsideof acluster or after beingremovedfromacluster.
Status column
Shows the status of the nodes connection to the cluster:
OKThe node is actively participating in the cluster.
TransitioningThe node is switching fromthe stand-alone state
to the enabled state.
UnreachableThe node is not aware of the cluster. A cluster
member may be unreachable even when its online and can be
pinged. Possiblereasons include: its passwordis incorrect, it doesnt
knowabout all cluster nodes, its configuredwith a different group
communication mode, its running a different service package
version, or the machine is turned off.
Notes column
855 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
Table 35: Cluster Status Page Information (continued)
Description User Interface Element
Specifies thesynchronizationorder for nodes whenrejoiningacluster.
Accepts sync ranks from0 (lowest rank) to 255 (highest rank). The
highest rank takes precedence. Where twonodes have identical sync
ranks, the alpha-numeric rank of the member name is used to
determine precedence.
Note:
Sync Rank column
Updates the sync rank after you change the precedence of the nodes
in the Sync Rank column.
Update button
Related
Documentation
Task Summary: Deploying a Cluster on page 839
General Cluster Maintenance on page 852
Monitoring Clusters on page 856
Monitoring Clusters
You can monitor clusters using the standard logging tools provided by the SA Series
Appliance. In particular, you can use several cluster-specific SNMP traps to monitor
events that occur on your cluster nodes, such as:
External interface down
Internal interface down
Disabled node
Changed virtual IP (VIP)
Deleted cluster node (cluster stop)
NOTE: Generally, it is desirable to configure your SNMP traps on a
cluster-wide basis, so that any given cluster node can send its generated
traps to the right target. Setting up cluster-wide configuration for the traps
is particularly important whenyoualsousealoadbalancer, becauseyoumay
not knowwhich node is responsible for a specific operation. In that case, the
loadbalancer may independently determinewhichcluster nodecanmanage
an administrative session.
Copyright 2011, Juniper Networks, Inc. 856
Junos Pulse Secure Access Service Administration Guide
You can use SNMP traps that are included in the Juniper Networks Standard MIB to
monitor these events. These traps include:
iveNetExternalInterfaceDownTrapSupplies type of event that brought down the
external interface.
iveNetInternalInterfaceDownTrapSupplies type of event that brought down the
internal interface.
iveClusterDisableNodeTrapSupplies the cluster name on which nodes have been
disabled, along with a space separated list of disabled node names.
iveClusterChangedVIPTrapSupplies thetypeof theVIP, whether external or internal,
and its value before and after the change.
iveClusterDeleteSupplies the name of the cluster node on which the cluster delete
event was initiated.
These traps are always enabled and available in the MIB. You cannot disable the traps.
Related
Documentation
Defining and Initializing a Cluster on page 840
Synchronizing the Cluster State on page 847
Troubleshooting Clusters on page 857
Troubleshooting Clusters
When you have problems with cluster communication, you may be directed by your
Juniper Networks Support representative to use the cluster node troubleshooting tools.
To use the cluster node troubleshooting tools:
Fromthe admin console, select Maintenance > Troubleshooting > Monitoring > Node
Monitor, in Maintenance > Troubleshooting > Clustering Network Connectivity, and in
Maintenance > Troubleshooting > Clustering Group Communication.
You can use a built-in feature on the clustering Status page to identify the status of each
cluster node. Pause the mouse pointer over the Status light icon and the systemdisplays
a tool tip containing a hexadecimal number. The hexadecimal number is a snapshot of
the status of the SA series Appliance. It is a bit mask indicating a number of states as
shown in Table 36 on page 857.
Table 36: Cluster Status
Meaning Value
SA series Appliance is in standalone mode. 0x000001
SA series Appliance is in cluster disabled state. 0x000002
SA series Appliance is in cluster enabled state. 0x000004
857 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
Table 36: Cluster Status (continued)
Meaning Value
Unable to communicate (because it is offline, has wrong password, has
different cluster definition, different version, or a related problem).
0x000008
The node owns the VIPs (on) or not (off). 0x00002000
SAseries Appliance is syncingstate fromanother SAseries Appliance (initial
syncing phase).
0x000100
SA series Appliance is transitioning fromone state to another. 0x000200
The group communication subsystems at the local and remote nodes are
disconnected fromeach other.
0x00020000
Management interface (mgt0) appears disconnected. 0x00040000
Management gateway is unreachable for ARP ping. 0x00080000
SA series Appliance int0 appears disconnected (no carrier). 0x000800
This node is configured to be a cluster member. 0x001000
SA series Appliance is syncing its state to another SA series Appliance that
is joining.
0x002000
Initial Synchronization as master or slave is taking place. 0x004000
This SA series Appliance is the leader of the cluster. 0x008000
The group communication subsystemis functional. 0x010000
The gateway on int0 is unreachable for ARP pings (see log file). 0x020000
The gateway on int1 is unreachable for ARP pings (see log file). 0x040000
Leader election is taking place. 0x080000
Server life cycle process (dsmon) is busy. 0x100000
Systemperforms post state synchronization activities. 0x200000
The group communication subsystemis functional.
The gateway on int0 is unreachable for ARP pings (see log file).
SA series Appliance is in cluster enabled state.
0x30004
Cluster keystore or security world has not been associated with the FIPS
card.
0x80000000
Copyright 2011, Juniper Networks, Inc. 858
Junos Pulse Secure Access Service Administration Guide
Each code, as you see it in the SA series Appliance, may relate specifically to one state.
However, each code may represent a combination of states, and so the actual code does
not appear in Table 36 on page 857. Instead, the code you see in the SAseries Appliance
is the sumof several of the hexadecimal numbers shown in Table 36 on page 857. You
will need to factor out the codes, as in the following example:
0x38004The right-most digit (4) in this hexadecimal number corresponds to:
0x000004 The SA series Appliance is in cluster enabled state.
0x038004The digit in the fourth position fromthe right (8) corresponds to:
0x008000 This SA series Appliance is the leader of the cluster.
0x38004The left-most digit (3) in this hexadecimal number does not exist in the
table, which indicates that it corresponds to the sumof two other digits, in this case, 1
and 2, as shown in the following codes:
0x020000The gateway on int0 is unreachable for ARP pings (see log file).
0x010000The group communication subsystemis functional.
Management IP Address Differs Fromthe Management IP Address Error Message
If you receive the following error when joining a standalone SA6000/SA6500 node to
a cluster even though the management port is configured and enabled:
Management IP address (x.x.x.x) for the local systemdiffers fromthe Management IP
address (not entered) configured for this systemin the remote system.
then performthe following steps to add the node:
1. Fromtheadminconsoleof theprimarynode, select System>Network>Management
Port.
2. Select the node to add fromthe drop down list next to the Setting for label.
3. Enable the management port andenter the IPaddress, netmask anddefault gateway
for the joining node.
4. Click Save Changes.
5. Fromthe admin console of the joining node, join the cluster again.
Related
Documentation
Monitoring Clusters on page 856
Serial Console Procedures
You can add an SA Series Appliance to a cluster through its serial console, except when
running an SA Series FIPS environment, which requires that you add each SA Series
Appliance through its admin console.
If you are adding a factory-set SA Series Appliance to a cluster, we recommend that you
usetheserial console, whichenables youtojoinanexistingcluster duringtheinitialization
859 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
process by entering minimal information. When an SA Series Appliance joins a cluster,
it receives the cluster state settings, which overwrites all settings on a machine with an
existing configuration and provides newmachines with the required preliminary
information.
YoucanalsouseanSASeries Appliance serial consoletodisableanSASeries Appliance
within a cluster. If an SA Series Appliance is in synchronization state, you cannot access
its admin console. Therefore, if you need to upgrade or reboot the SA Series Appliance,
for example, you need to first disable the SA Series Appliance froma cluster through its
serial console.
Related
Documentation
Joining an SA Series Appliance to a Cluster Through Its Serial Console on page 860
Disabling a Clustered SA Series Appliance Using Its Serial Console on page 861
Joining an SASeries Appliance to a Cluster Through Its Serial Console
Before a configured or factory-set SA Series Appliance can join a cluster, you need to
make its identity known to the cluster.
NOTE:
If youwant toaddanSASeriesAppliancecurrentlyrunningasastand-alone
machinetoacluster throughitsadminconsole, it must berunningthesame
or a more recent version service package on the same hardware platform
as the other members.
If youaddanSASeriesAppliancerunningapreviousversionservicepackage
to a cluster, the SA Series Appliance automatically detects the mismatch,
gets the newer package fromthe cluster, and joins the cluster.
To add an SA Series Appliance to a cluster through its serial console:
1. Fromtheadminconsoleof anexistingcluster member, select theSystem>Clustering
> Cluster Status tab and specify the SA Series Appliance you want to add to the
cluster.
2. Connect to the serial console of the machine you want to add to the cluster.
3. Reboot the machine and watch its serial console. After the systemsoftware starts, a
message displays stating that the machine is about toboot as a standalone SASeries
Appliance and to press the Tab key for clustering options. Press the Tab key as soon
as you see this option.
NOTE: The interval to press the Tab key is five seconds. If the machine
begins to boot in stand alone mode, wait for it to finish and then reboot
again.
4. Enter the number instructing the SA Series Appliance to join an existing cluster.
Copyright 2011, Juniper Networks, Inc. 860
Junos Pulse Secure Access Service Administration Guide
5. Enter the requested information, including:
The internal IP address of an active member in the cluster
The cluster password, which is the password you entered when defining the cluster
The name of the machine you wish to add
The internal IP address of the machine you wish to add
The netmask of the machine you wish to add
The gateway of the machine you wish to add
Theactivecluster member verifiesthecluster passwordandthat thenewmachines
name and IP address match what you specified in the admin console by clicking
System> Clustering > Cluster Status > Add Cluster Member. If the credentials are
valid, the active member copies all of its state data to the newcluster member,
including license key, certificate, user, and systemdata.
6. Enter the number instructing the SA Series Appliance to continue the join cluster
operation. When you see the message confirming that the machine has joined the
cluster, click System> Clustering > Cluster Status tab in the admin console of any
active cluster member to confirmthat the newmembers Status is green, indicating
that the SA Series Appliance is an enabled node of the cluster.
Related
Documentation
Defining and Initializing a Cluster on page 840
Serial Console Procedures on page 859
Disabling a Clustered SA Series Appliance Using Its Serial Console on page 861
Disabling a Clustered SASeries Appliance Using Its Serial Console
To disable an SA Series Appliance within a cluster using its serial console:
1. Connect to the serial console of the machine you want to disable within the cluster.
2. Enter thenumber correspondingtotheSASeriesAppliance SystemOperationsoption.
3. Enter the number corresponding to the Disable Node option.
4. Enter y when the serial console prompts if you are sure you want to disable the node.
5. Verify that the SA Series Appliance has been disabled within the cluster by selecting
System> Clustering > Status in the admin console of any active cluster member to
confirmthat the disabled members Status is red.
Related
Documentation
Serial Console Procedures on page 859
861 Copyright 2011, Juniper Networks, Inc.
Chapter 33: Clustering
Copyright 2011, Juniper Networks, Inc. 862
Junos Pulse Secure Access Service Administration Guide
CHAPTER 34
Delegating Administrator Roles
About Delegating Administrator Roles on page 863
Creating and Configuring Administrator Roles on page 864
Specifying Management Tasks to Delegate on page 865
About Delegating Administrator Roles
The SA access management systemenables you to delegate various SA management
tasks to different administrators through systemadministrator roles and security
administrator roles. Systemand security administrator roles are defined entities that
specify SA management functions and session properties for administrators who are
mapped to those roles. You can customize an administrator role by selecting the SA
feature sets, user roles, authentication realms, resource policies, and resource profiles
that members of the administrator role are allowed to viewand manage. Note that
systemadministrators may only manage user roles, realms, and resource policies; only
security administrators can manage administrator components.
For example, youcancreateasystemadministrator rolecalledHelpDeskAdministrators
and assign users to this role who are responsible for fielding tier 1 support calls, such as
helping users understand why they cannot access a Web application or SApage. In order
tohelpwithtroubleshooting, youmayconfiguresettingsfor theHelpDeskAdministrators
role as follows:
Allowthe help desk administrators Write access to the System> Log/Monitoring page
so they can viewand filter the SAlogs, tracking down critical events in individual users
session histories, as well as the Maintenance >Troubleshooting page sothey can trace
problems on individual users systems.
Allowthe help desk administrators Read access to the Users > User Roles pages so
they can understand which bookmarks, shares, and applications are available to
individual users roles, as well as the Resource Policy or Resource Profile pages so they
can viewthe policies that may be denying individual users access to their bookmarks,
shares, and applications.
Deny the help desk administrators any access to the remaining Systempages and
Maintenancepages, whichareprimarilyusedfor configuringsystem-widesettingssuch
as installing licenses and service packagesnot for troubleshooting individual users
problems.
863 Copyright 2011, Juniper Networks, Inc.
NOTE: In addition to any delegated administrator roles that you may create,
the SAalso includes two basic types of administrators: super administrators
(.Administrators role), who can performany administration task through the
admin console and read-only administrators (.Read-only Administrators
role), who can viewbut not changethe entire SA Series Appliance
configuration through the admin console.
You can also create a security administrator role called Help Desk Manager and assign
users to this role who are responsible for managing the Help Desk Administrators. You
might configuresettings for theHelpDesk Manager roletoallowtheHelpDesk Manager
tocreate anddelete administrator roles on his own. The HelpDesk Manager might create
administrator roles that segment responsibilities by functional areas of the SA. For
example, oneadministrator rolemight beresponsiblefor all logmonitoringissues. Another
might be responsible for all Network Connect problems.
The delegated administration feature is not available on the SA 700 appliance. Note,
however, that all SA Series SSL VPN Appliances allowmembers of the .Administrators
role to configure general role settings, access management options, and session options
for the .Administrators and .Read-Only Administrators roles.
NOTE: On certain pages, such as the role mapping page, the delegated
administrator can viewthe role names even though the administrator does
not have read/write access. However, the delegated administrator can not
viewthe details of that role.
Related
Documentation
Creating and Configuring Administrator Roles on page 864
Specifying Management Tasks to Delegate on page 865
Creating and Configuring Administrator Roles
When you navigate to Administrators > Admin Roles, you can find the Administrators
page. Fromthis page, youcanset default sessionanduser interfaceoptions for delegated
administrator roles.
To create individual administrator accounts, you must add the users through the
appropriate authentication server (not the role). For example, to create an individual
administrator account, you may use settings in the Authentication > Auth. Servers >
Administrators > Users page of the admin console. For detailed instructions on howto
create users on the Administrators server and other local authentication servers. For
instructions on howto create users on third-party servers, see the documentation that
comes with that product.
Copyright 2011, Juniper Networks, Inc. 864
Junos Pulse Secure Access Service Administration Guide
To create an administrator role:
1. In the admin console, choose Administrators > Admin Roles.
2. Do one of the following:
Click NewRole to create a newadministrator role with the default settings.
Select the checkbox next to an existing administrator role and click Duplicate to
copy theroleandits custompermissions. Notethat youcannot duplicatethesystem
default roles (.Administrators and .Read-Only Administrators).
3. Enter a Name (required) and Description (optional) for the newrole and click Save
Changes.
4. Modify settings for the role per the instructions in the sections that follow.
NOTE: If you select one of the SA Series Appliances default administrator
roles (.Administrators or .Read-Only Administrators), you can only modify
settings in the General tab (since the default SA Series Appliance
administrators roles always have access to the functions defined through
the System, Users, Administrators, and Resource Policies tabs).
You cannot delete the.Administrators and.Read Only Administrators roles
since they are default roles defined on the SA Series Appliance.
Related
Documentation
Specifying Management Tasks to Delegate on page 865
Specifying Management Tasks to Delegate
This topiccontains informationabout delegatingmanagement tasks tovarious delegated
administrator roles.
Delegating SystemManagement Tasks
Use the Administrators > Admin Roles > Select Role > Systemtab to delegate various
SA Series Appliance systemmanagement tasks to different administrator roles. When
delegating privileges, note that:
The SA Series Appliance allows all administrators read-access (at minimum) to the
admin console home page (System> Status > Overview), regardless of the privilege
level you choose.
The SA Series Appliance does not allowdelegated administrators write-access to
pages where they can change their own privileges. Only those administrator roles that
come with the system(.Administrators and.Read-Only Administrators) may access
these pages:
Maintenance > Import/Export (Within this page,.Read-Only Administrators can
export settings, but cannot import them.)
865 Copyright 2011, Juniper Networks, Inc.
Chapter 34: Delegating Administrator Roles
Maintenance > Push Config
Maintenance > Archiving > Local Backups
Delegation access to the Meeting Schedule page is controlled through the Meetings
option on the Administrators > Admin Roles > Select Role > Resource Policies page.
Delegating User and Role Management
Use the Administrators >Admin Roles > Select Role >Users >Roles sub-tab to specify
which user roles the administrator role can manage. When delegating role management
privileges, note that:
Delegated administrators can only manage user roles.
Delegated administrators cannot create newuser roles, copy existing roles, or delete
existing roles.
If you allowthe delegated administrator to read or write to any feature within a user
role, the SA Series Appliance also grants the delegated administrator read access to
the Users > User Roles > Select Role > General > Overviewpage for that role.
If you grant a delegated administrator write access to a resource policy through the
Administrators > Admin Roles > Select Administrator Role > Resource Policies page,
he may create a resource policy that applies to any user role, even if you do not grant
himread access to the role.
Delegating User RealmManagement
Use the Administrators > Admin Roles > Select Role > Users > Authentication Realms
tabtospecify whichuser authenticationrealms theadministrator rolecanmanage. When
delegating realmmanagement privileges, note that:
Systemadministrators can only manage user realms.
Systemadministrators cannot create newuser realms, copy existing realms, or delete
existing realms.
If you allowthe systemadministrator to read or write to any user realmpage, the SA
Series Appliance alsogrants the systemadministrator read-access tothe Users >User
Realms > Select Realm> General page for that role.
Delegating Administrative Management
Use the Administrators > Admin Roles > Select Roles > Administrators tab to specify
whichsystemadministrator roles andrealms thesecurity administrator rolecanmanage.
When delegating security administrative privileges, note that:
Thesecurity administrator roleprovides control over all administrativeroles andrealms.
You can give a security administrator control exclusively over administrator roles, over
administrator realms, or over both.
You can restrict or grant the security administrator the permission to add and delete
administrator roles and administrator realms.
Copyright 2011, Juniper Networks, Inc. 866
Junos Pulse Secure Access Service Administration Guide
Delegating Resource Policy Management
Use the Administrators > Admin Roles > Resource Policies tab to specify which user
resource policies the administrator role can manage. When delegating resource policy
management privileges, note that delegated systemadministrators cannot modify the
following characteristics of resource policies:
The resource itself (that is, the IP address or host name).
The order in which the SA Series Appliance evaluates the resource policies.
Delegating Resource Profile Management
Use the Administrators > Admin Roles > Resource Profiles tab to specify which user
resource profiles the administrator role can manage. When delegating resource profile
management privileges, note that delegated systemadministrators cannot modify the
following characteristics of resource profiles:
The resource itself (that is, the IP address or host name)
The order in which the SA Series Appliance evaluates the resource policies.
Delegating Access to IVS Systems
If you are running an IVS license, you can also delegate administrative access and
responsibilities to specific IVS systems. You can delegate read/write access or read-only
access to all IVS systems, or to selected IVS systems..
Related
Documentation
About Delegating Administrator Roles on page 863
867 Copyright 2011, Juniper Networks, Inc.
Chapter 34: Delegating Administrator Roles
Copyright 2011, Juniper Networks, Inc. 868
Junos Pulse Secure Access Service Administration Guide
CHAPTER 35
Instant Virtual System
Instant Virtual System(IVS) Overviewon page 870
Deploying an IVS on page 871
Virtualized SA Series Appliance Architecture on page 873
Signing In to the Root Systemor the IVS on page 875
Navigating to the IVS on page 878
IVS Configuration Worksheet on page 878
Administering the Root Systemon page 881
Configuring the Root Administrator on page 881
IVS Provisioning Process Overviewon page 882
Configuring Sign-In Ports for IVS on page 883
Virtual Local Area Network (VLAN) on Subscriber IVS on page 885
Configuring VLANs on the Virtualized SA Series Appliance on page 886
Adding Static Routes to the VLAN Route Table on page 887
Deleting a VLAN on page 888
Loading the Certificates Server on page 889
Creating a Virtual System(IVS Profile) on page 889
IVS Initial Config Via Copy fromthe Root Systemor Another IVS on page 891
Signing In Directly to the IVS as an IVS Administrator on page 893
About Role-Based Source IP Aliasing on page 894
Associating Roles with Source IP Addresses in an IVS on page 894
Configuring Policy Routing Rules on the IVS on page 895
Clustering a Virtualized SA Series Appliance on page 897
Accessing a DNS Server on the MSP Network on page 898
Accessing a DNS Server on a Subscriber Company intranet on page 899
ConfiguringNetworkConnect for UseonaVirtualizedSASeriesApplianceonpage900
Configuring a Centralized DHCP Server on page 903
About Authentication Servers on page 904
Delegating Administrative Access to IVS Systems on page 906
869 Copyright 2011, Juniper Networks, Inc.
Accessing Standalone Installers on an IVS Systemon page 907
Exporting and Importing IVS Configuration Files on page 907
Using XML Import and XML Export on IVS Systems on page 909
Monitoring Subscribers on page 910
Troubleshooting VLANs on page 910
IVS Use Case: Policy Routing Rules Resolution on page 911
Use Case: Configuring a Global Authentication Server for Multiple
Subscribers on page 917
Use Case: Configuring a DNS/WINS Server IP Address per Subscriber on page 918
Use Case: Configuring Access to Web Applications and Web Browsing for Each
Subscriber on page 918
Use Case: Configuring File Browsing Access for Each Subscriber on page 919
Use Case: Setting Up Multiple Subnet IP Addresses for a Subscribers
End-Users on page 920
Use Case: Configuring Multiple IVS Systems to AllowAccess to Shared
Server on page 921
Instant Virtual System(IVS) Overview
TheInstant Virtual System(IVS) gives managedserviceproviders (MSPs) theopportunity
to offer cost-effective secure remote access, disaster recovery and managed extranet
services to small and mediumsized companies. To meet this opportunity, MSPs can
deliver managed security solutions fromequipment that is located on the subscriber
companys premises (Customer Premises Edgerouter-based) or withintheMSPnetwork
(Carrier Edgerouter-basedor network-based). Network-basedmanagedsecuritysolutions
centralize the security gateway equipment in the MSP network. A virtualized SA Series
Appliance allows the MSP to provide managed, network-based SSL VPN services to
multiple customers fromthe same equipment. The basic business model might work
something like this:
The MSP manages the SSL VPN equipment at the MSP site.
Small and medium-sized companies subscribe to monthly services fromthe MSP.
The MSP is responsible for the management of the equipment, but delegates portal
administration to an IVS administrator designated by each subscriber company.
Thevirtual systemsupportsandenforcesanarchitectural andadministrativeseparation
between subscriber companies, providing a completely secure and individualized view
for each subscriber.
This systemprovides a number of benefits to service providers:
Copyright 2011, Juniper Networks, Inc. 870
Junos Pulse Secure Access Service Administration Guide
Expand market shareThe ability to provide secure SSL VPN capabilities to many
subscriber companies fromone SA Series Appliance offers the MSP economies of
scale and the opportunity to expand market share with services targeting small and
mediumsized businesses.
Simplify administrationEach subscriber administrator can manage their companys
IVSinstancewithnovisibilityintoanother subscriber companysadministrativeinterface.
The MSProot administrator can manage all hosted companies and can easily monitor
or configure hosted company systems.
Enhancesubscriber securityEachsubscriber companymaintainscompleteseparation
fromother subscriber companies. As far as the subscriber administrator or subscriber
users are concerned, they are operating on a completely independent and protected
SSL VPN system.
Optimize traffic managementTraffic fromend-users or corporate intranet servers
stays within each companys VLAN. Subscriber end-users never see services located
on another subscribers intranet.
The standalone client installers are not accessible directly fromthe admin UI of an IVS.
As a workaround, the root administrator can make the following link available to IVS
administrators if the IVS administrators need to download standalone installers:
https://myive/dana-admin/sysinfo/installers.cgi
where myive is the hostname of your SA Series Appliance.
NOTE: IVS does not support Junos Pulse for Windows.
You must have an IVS license to create IVS systems. (Note that IVS licenses are not
available for SA 700 or SA 2000 appliances.)
You must have both an IVSlicense and a Network Connect license to provide centralized
DHCP support to your subscribers.
Related
Documentation
Deploying an IVS on page 871
IVS Provisioning Process Overviewon page 882
Creating a Virtual System(IVS Profile) on page 889
IVS Use Case: Policy Routing Rules Resolution on page 911
Deploying an IVS
For eachsubscriber company, thevirtualizedSASeries Applianceprovides asecureportal
for the companys end-users (mobile employees, customers, or partners) to access its
internal resources. Authentication servers that reside either on the subscribers premises
or intheMSPnetwork, authenticateend-users whosignintotheIVS. Onceauthenticated,
end-users establish secure sessions through the IVS to their respective companys
back-end servers.
871 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
Figure 24: MSP Deployment Scenario
The following numbered list items correspond to the labeled objects in the above figure.
1. End-users sign in todifferent subscriber company intranets on specifiedIPaddresses.
2. End-users sign-in over an Internet connection using a standard SSL-enabled Web
browser.
3. All traffic is directed into the Managed Service Providers (MSP) network. The MSP is
the customer who holds the license to the virtualized SA Series Appliance hardware
and software.
4. All traffic is directedtothe virtualizedSASeries Appliance. Eachmessage is evaluated
based on its sign-in IPaddress and, by the virtualized SASeries Appliance, is assigned
a VLAN tag containing a VLAN ID that corresponds to a subscriber company. The SA
Series Appliance supports up to 240 IVS systems, each one representing a single
subscriber company SA Series Appliance. The subscriber is any company that
subscribes to hosted SSL VPN services fromthe MSP.
Thenumber of VLANs supporteddepends onthenumber of IVSsystems. Thenumber
of IVS systems plus the number of VLANs must be less than or equal to 240.
Although you can create up to 240 IVS systems, it is strongly recommended that you
do not create and use more than 16 IVS systems without first consulting the
PerformanceMetrics andTestingapplicationnote. Contact Juniper Networks Technical
Support for more information on this application note.
5. The MSP carrier-edge (CE) router or other Layer 2 device acts as a VLANtermination
point, and routes traffic over a secure tunnel to a customer premises edge (CPE)
router. BasedontheVLANID, therouter directs thetraffictotheappropriatesubscriber
intranet. Duringthis part of theprocess, theCErouter removes theVLANtagcontaining
the VLAN ID, as once the message is correctly destined for the appropriate intranet,
the ID and tag are no longer needed. The termsubscriber intranet is interchangeable
with the termcompany intranet.
6. The CE router routes messages over the service provider backbone to the appropriate
customers premises edge routers through encrypted tunnels, such as IPsec, GRE,
Copyright 2011, Juniper Networks, Inc. 872
Junos Pulse Secure Access Service Administration Guide
PPP, and MPLS tunnels. Untagged traffic is sent over these tunnels to the customer
intranet.
7. The CPE routers within the customer intranet on the customer premises can act as a
VLAN termination point and routes traffic fromthe secure tunnel connected to the
CE Router, to the customer intranet.
8. The end-user traffic reaches the correct subscriber companys backend resources.
The SA Series Appliance processes any return messages to the end-users fromthe
subscriber intranets following a similar set of steps.
In a typical MSP deployment, firewalls are present in front of the SA Series Appliance in
the MSP's DMZ, behindthe SASeries Appliance, in the MSPnetwork or in the customer's
intranet DMZ, or both. Note that a virtualized firewall could potentially exist behind the
SASeries Appliance (a Vsys cluster, for example), in which case it should have the ability
to accept VLANtagged traffic fromthe SA Series Appliance and forward it to the proper
customer VLAN (and vice versa). Also, most, if not all deployments have Domain Name
Server (DNS) or Applicationservers locatedeither intheMSPnetworkor onthecustomer
intranet.
In a virtualized SASeries Appliance deployment, the front-end is considered the external
interface and is the end-user or Internet-facing interface. The back-end is considered
the internal interface and is the subscriber company intranet-facing interface.
The SASeries Appliance tags inbound traffic sent by end-users and destined for a server
inthesubscriber intranet or MSPnetwork, withVLANtagscontainingtheVLANID. Inbound
traffic can arrive over the SA Series Appliances internal interface or external interface.
Outbound traffic, which is traffic transmitted over the SA Series Appliance backend and
destined for servers located on MSP network or subscriber intranet, can be sourced by
the SA Series Appliance itself. For example, traffic destined for authentication, DNS, or
applicationservers, is outboundtraffic, as is traffic forwardedby the SASeries Appliance,
such as Network Connect traffic.
If the traffic arrives as inbound traffic to an IP address that has been designated for an
IVS systemthat uses a VLAN, that traffic is tagged with the VLAN tag on arrival. When
it has been identified and directed to the proper backend destination, the VLAN
termination device strips the VLANtag fromthe Ethernet frame and forwards the traffic
to the backend destination.
Related
Documentation
Signing In Directly to the IVS as an IVS Administrator on page 893
Signing In to the Root Systemor the IVS on page 875
IVS Configuration Worksheet on page 878
Virtualized SASeries Appliance Architecture
The virtualized SA Series Appliance framework consists of a root systemand any
subscriber IVS systems the MSP root administrator creates subsequently. Subscriber
IVS administrators can only manage resources on their particular IVS system. The root
administrator can manage resources on all IVS systems on the appliance.
873 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
The IVS license converts the SA Series Appliance to a root systemthat is functionally
identical to the SA Series Appliance, with the added capability of provisioning virtual
systems. The root systemconsists of system-level global data and a single default root
IVS, which encompasses the access management subsystem.
Figure 25: IVS Architecture
Theroot administrator (root administrator) is thesuper-administrator of theroot system.
Often, the root administrator is the same thing as the SASeries Appliance administrator.
The root administrator has administrative control over the root systemand all subscriber
IVSsystems. The root administrator canprovisionIVSsystems onthe root system, create
IVS administrators, edit IVS configuration. The root administrator can override
configuration changes made by any IVS administrator.
NOTE: The instructions for configuring the root and IVS systems are meant
tobereadbyaroot administrator. Thepronounyou, inthesesections, denotes
the root administrator. If a task can be performed by someone in a role other
than the root administrator, the text makes a distinct reference to the role in
the task description.
As shown in the above figure:
1. TheSASeries Applianceadministrator applies anIVSlicensetoanSASeries Appliance
containing an SA Series license.
2. Theresultingsystemcontains theroot global dataandaroot IVS, ineffect, avirtualized
SA Series Appliance.
3. Fromthe root IVS, the root administrator can create multiple subscriber IVS systems,
each IVS completely separate fromany other IVS.
The root systemcontains a superset of all capabilities of the system. You, as the root
administrator, define all global network settings and root administrator settings on the
root system. For each subscriber, you provision one or more IVS systems and manage
themfromthe root system.
The subscriber IVS contains a unique instance of the access management framework.
WhenyoucreateanIVSfor eachsubscriber company, youalsocreateanIVSadministrator
(IVS administrator) account. The IVS administrator has complete administrative control
Copyright 2011, Juniper Networks, Inc. 874
Junos Pulse Secure Access Service Administration Guide
over the IVS. The IVS administrator uses an administrative admin console that contains
a subset of the root administrator capabilities.
Related
Documentation
Signing In to the Root Systemor the IVS on page 875
Deploying an IVS on page 871
Signing In to the Root Systemor the IVS
You can configure sign-in URLs using different methods:
Sign-in URL prefix per IVS
Virtual ports
VLAN ports
You can use all of these methods on the same IVS.
Signing-In Using the Sign-In URL Prefix
This feature enables end-users to access an IVS by way of a single hostname and and
IVS-specific sign-in URL prefix. By using this method, administrators can ensure that
users can access multiple IVS systems by way of a single IP address on the SA Series
Appliance.
Additionally, the use of path-based URLs results in:
Savings in certificate costsYou need only supply one device certificate.
Fewer DNS entriesYou need only one DNS entry across all IVS systems hosted on a
single SA Series Appliance.
Administrators and end-users can sign into an IVS systemusing sign-in URLs similar to
the following (assuming the managed service provider URL is www.msp.com):
Company A sign-in URL: www.msp.com/companyA
Company B sign-in URL: www.msp.com/companyB
Company A IVS administrator sign-in URL: www.msp.com/companyA/admin
Company B IVS administrator sign-in URL: www.msp.com/companyB/admin
You can continue to restrict access by implementing additional sign-in URLs that are
segregated by certain criteria, as follows:
www.msp.com/companyA/sales
www.msp.com/companyA/finance
www.msp.com/companyA/hr
875 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
If you do not specify a URL prefix, the SA Series Appliance defaults to sign-in over virtual
ports. If you do specify a path-based sign-in URL prefix, the following rules apply:
You cannot specify a multilevel path for the URL prefix, by using the / character.
End-users and administrators can sign in to an IVS on the internal port, external port,
VLAN interface, or virtual port that has not already been assigned to an IVS using the
selected URL prefix, in other words, where the hostname is the DNS name assigned
to one of the interface IP addresses.
For example, assume that your SA Series Appliance ports are assigned to specific DNS
names, as follows:
Internal Port = MSP-internal
External Port = MSP-external
VLAN Port 10 = MSP-vlan10
Virtual Port X = MSP-virtualx
Now, consider that VLANPort 10and Virtual Port Xare not assigned to an IVS. If you host
the Company A IVS, and the Company A sign-in URL prefix is specified as companyA in
theIVSprofile, thenend-users cansign-intotheCompany AIVSusingany of thefollowing
URLs:
MSP-internal/companyA
MSP-external/companyA
MSP-vlan10/companyA
MSP-virtualx/companyA
The path-based URL feature carries a fewrestrictions, as follows:
An end-user or administrator can sign into only one IVS froma given browser instance.
If youattempt tosignintoanother IVSfromanewbrowser windowof thesamebrowser
instance, your sign in attempt is rejected. You must create a newbrowser instance to
sign in to multiple IVS systems.
Youcannot establishmultipleconcurrent sessions, withall sessions usingHost Checker,
fromthe same end-point to different SA Series Appliances. You cannot establish
multiple concurrent sessions fromthe same end-point to multiple IVS systems,
regardless of the sign-in method.
If you configure an IVS with a path-based sign-in URL prefix, you cannot use the
persistent session cookie (DSID) and maintain the ability to sign in to multiple IVS
systems fromthe same browser using the URL prefix. The limitation does not apply to
users signing in to the IVS with a sign-in IP address, because the systemcreates a
different DSID per target IVS in that case.
Pass-through proxy based on port numbers is supported. However, you cannot specify
a pass-through proxy policy when using virtual hosts, unless the virtual host DNSentry
maps to the IVSsign-in IPaddress. If the virtual host DNSentry points to the SASeries
Appliance, when the user signs in he will sign-in to the root IVS sign-in page.
Copyright 2011, Juniper Networks, Inc. 876
Junos Pulse Secure Access Service Administration Guide
When using Secure Meeting, if a user is not already signed in to their IVS and you have
enabled the option require SASeries Appliance users, all meeting invitation emails will
contain a link to the root IVS sign-in page.
If an IVS user bookmarks pages while using web rewriting, signs out, then reopens the
browser and selects the bookmark, he will display the root IVS sign-in page.
Signing-In Over Virtual Ports
You may have reasons for configuring virtual ports for sign in. Virtual ports provide
significant segregation of traffic. If you choose to use virtual ports, keep in mind that:
Must providemultiplecertificatesYouneedtosupply onedevicecertificateper virtual
port address.
Must configure multiple DNS entriesYou need to supply DNS entries for each IVS
systemhosted on a single SA Series Appliance.
If multiple IVS's share the same virtual port for sign-in, the security settings of either
IVS (allowed SSL/TLS version or encryption strength) can be associated to the virtual
port. Once an IVSs security settings are associated to the virtual port, these settings
areeffectivefor sign-ins (ieSSLsessions) tothat virtual port. Toguaranteedeterministic
selection/association of security settings to virtual ports, IVSs that share the same
virtual port for sign-in should have the same security settings.
If an IVS is configured to have different security settings relative to the root system,
the security settings of the root take effect for sign-in to the IVS via sign-in URL prefix,
whereas the security settings of the IVS take effect for sign-in to the IVS via sign-in
over virtual ports. For an IVS with strong encryption (such as AES) on an SA Series
Appliancewitharoot systemhavingweaker encryptionsettings thefollowingsituation
occurs: Signing in to the IVS via sign-in over virtual ports froman IE6 browser fails
becausetheeffectivesecuritysettings for theSSLsessionis AES, whichis not supported
by IE6. However, the same user signing in to the same IVS fromthe same IE 6 browser
through the sign-in URL prefix can succeed if the browser security settings are
compatible with the root systems weaker security settings.
The sign-in requests target IP address drives the sign-in to the root systemor IVS. To
sign in to the root systemor an IVS, users browse to a hostname-based URL. You map
the URL, by way of external DNS, to the IP address or to an IP alias of the SA Series
Appliances external interface.
For example, consider anMSPwithhost namemsp.com, that provides SSLVPNgateway
services to two subscribers: s1 and s2.
Root administrator sign-in URL: http://www.msp.com
S1 sign-in URL: http://www.s1.com
S2 sign-in URL: http://www.s2.com
External DNS must map these URLs to unique IP addresses, which must correspond to
IPaddresses or aliases hosted on the SASeries Appliance, typically a virtual port defined
on either the internal or external port.
877 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
To summarize signing-in, IVS users can sign in on:
A virtual port configured on the external interface of the SA Series Appliance.
Avirtual port configuredontheinternal interfaceof theSASeries Appliance(untagged).
A VLAN interface configured on the internal interface (tagged).
Root systemusers can also sign in directly over the internal or external interface.
Signing-In Over a VLANInterface
In addition to the sign-in capabilities provided over the external interface (or the internal
interface, if configured) by the root administrator, end-users can sign in over any VLAN
interface the root administrator assigns to their IVS. In other words, the IVSadministrator
can provide the VLAN port IP address to end-users for sign-in.
You cannot map an explicit device certificate to any IP addresses mapped to a VLAN.
When signing in over a VLAN interface, the systemchooses the device certificate that is
already assigned to the IVS. If there is no certificate associated with the IVS, the system
assigns the certificate fromthe top of the SASeries Appliance device certificate list. This
list can be re-ordered when a certificate is added or removed, which can result in an
unpredictable certificate during configuration. Once an IVS is in a production state, this
should not present a problem, as the IVS VIP is mapped to a specific certificate.
Related
Documentation
Using VLANs with the SA Series Appliances on page 689
Navigating to the IVS on page 878
Navigating to the IVS
Only root administrators can navigate to an IVS fromthe root system. On the virtualized
SA Series Appliance, the admin console navigation for the root systemincludes an
additional drop-down menu listing the configured IVS systems, on all page headers. You
can navigate to an IVS and administer it by selecting an IVS fromthe drop-down menu.
IVS administrators must sign-in directly to the IVS through a standard administrative
sign-in page.
The root administrator creates the initial IVSadministrator account. AnIVSadministrator
can create additional IVS administrator accounts, using the standard procedure for
creating administrator accounts.
Related
Documentation
Signing In to the Root Systemor the IVS on page 875
IVS Configuration Worksheet
In order to configure the systemto properly steer inboundtraffic to the correct subscriber
IVS, and outbound traffic to the correct VLAN, the MSP root administrator needs to
compile a profile for each subscriber company.
Copyright 2011, Juniper Networks, Inc. 878
Junos Pulse Secure Access Service Administration Guide
When creating a newvirtual system, you must create a number of other systemobjects,
and specify several pieces of data, including IP addresses, VLAN IDs, virtual ports, and
DNSsettings. Youcanuse this worksheet toplanandkeeptrack of the systemdatawhile
creating each IVS. The worksheet presents data in the general order in which you should
define the IVS.
Dependingonthe specific topology of the subscribers' networks, youmay needtocollect
additional information, or may not use all of the information listed on the form.
Created By: Date:
Subscriber:
Account #:
Comment:
Subscriber VLAN(System> Network > VLANs)
VLAN Settings
VLAN Port Name:
VLAN ID (1-4094):
VLAN Port Information
IP Address:
Netmask:
Default Gateway:
Subscriber Sign-in Virtual Port Configuration
(System> Network > Port 1 > Virtual Ports > NewVirtual Port)
External Virtual Port Name
(for sign-in):
IP Address:
Internal Virtual Port Name
(optional):
IP Address:
Install Device Certificate for IVS hostname
IVS Hostname:
Internal Port:
879 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
External Port:
Subscriber IVS (System> Virtual Systems > NewVirtual System)
Name (Subscriber):
Description:
IVS Hostname:
Administrator
Username:
Password (at least 6
characters in length):
Properties
Max Concurrent Users:
Default VLAN:
Selected Virtual Ports:
(Internal Interface)
Selected Virtual Ports:
(External Interface)
Network Connect IP Pool:
Static Routes (System> Network > Routes > NewRoutes)
Destination Network/IP:
Netmask:
Gateway:
Interface:
Metric:
DNS Settings (Subscriber IVS > System> Network > Overview)
Hostname:
Primary DNS:
Secondary DNS:
Copyright 2011, Juniper Networks, Inc. 880
Junos Pulse Secure Access Service Administration Guide
DNS Domain(s):
WINS:
Related
Documentation
Deploying an IVS on page 871
Administering the Root System
Once you apply the IVS license to the SA Series Appliance, the newVirtual Systems tab
appears in the administrator UI. After you apply the IVS license, you can see an explicit
display of the root systemin the drop down menu that appears in the admin console
header area.
Setting up the systemrequires a series of basic procedures. Once the hardware is
connected:
1. Boot the system.
2. Apply theIVSlicensethroughtheMaintenance>System>Upgrade/Downgradepage
of the admin console.
3. Configure the root systemfromthe admin console.
Regardless of howmany subscriber administrators you define on the subscriber IVS
systems, you always maintain control over the entire systemand have visibility into the
settings on all IVS systems.
Related
Documentation
Signing In to the Root Systemor the IVS on page 875
Configuring the Root Administrator
Configuring the root administrator is similar to the task of creating a newadministrator
on a standalone SA Series Appliance. You can create an administrator account through
the Authentication > Auth. Servers > Administrators > Users page of the admin console,
or by using the serial console.
If you upgrade froman older SA Series Appliance software version to the 5.1 version or
later, the systemconsiders any administrator in the root systemwho maps to the
.Administrators roletobearoot administrator for theSASeries Appliance. If youre-image
the SA Series Appliance or install a brand newpiece of hardware, you create a primary
administrator during the initial configuration steps, in the serial console.
Related
Documentation
Creating and Configuring Administrator Roles on page 864
Configuring the Root Administrator on page 881
Signing In Directly to the IVS as an IVS Administrator on page 893
881 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
IVS Provisioning Process Overview
The following figure illustrates the basic tasks required to provision an IVS.
Copyright 2011, Juniper Networks, Inc. 882
Junos Pulse Secure Access Service Administration Guide
Provisioning an IVS consists of the following steps:
1. Configure one or more clusters, if needed, through the System> Clustering > Create
Cluster page.
2. Configure and enable external port. The external port is in a disabled state, by default.
You must enable the port and configure it, to provide sign-in capabilities fromoutside
the network.
3. Create at least one VLANport for each subscriber company. You must define a unique
ID for each VLAN. A subscriber company can have multiple VLANs on the SA Series
Appliance.
4. Configure at least one virtual port on the external port to enable end-users to sign in.
You can also configure virtual ports on the internal port, for signing in frombehind the
firewall, if needed.
5. Load one certificate server per subscriber company.
6. If you intend to use virtual ports, for example, to support IP sourcing, create themat
this point in the process.
7. Create an IVS profile for each subscriber company. The IVS profile establishes the
connection between the company, the VLAN, and the available virtual ports.
8. Configure static routes to backend servers. If you intend to provide shared access to
resources on the MSP network, you add static routes to the VLAN route tables that
point to those resources.
9. Configure DNSsettings, so that any traffic destinedfor resources on the MSPnetwork
first goes through the MSPs DNS server.
10. Log in as the IVS administrator.
11. Configure users, roles, realms, and resource policies for the IVS.
When you create the IVS, the IVS name appears in the drop down menu located in the
header of the admin console. You can performoperations on each IVS by selecting the
IVS name in the drop down menu and clicking the Go button.
Related
Documentation
Deploying an IVS on page 871
Signing In to the Root Systemor the IVS on page 875
Configuring Sign-In Ports for IVS
Youmust configurevirtual ports by whichend-users cansignintothesubscriber company
intranet. Avirtual port activates anIPalias onaphysical port andshares all of thenetwork
settings of that port.
Configuring the External Port
883 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
To enable and configure the external port:
1. Make sure you are in the root context. If the IVSdropdown menu in the admin console
header bar displays something other than Root, select Root fromthe menu and click
Go.
2. Select System> Network > Port 1 > Settings.
3. Select Enabled.
4. Enter a valid IP address for the external port.
5. Enter a valid netmask for the IP address.
6. Enter the default gateway address.
7. Click Save Changes.
The systemenables the port.
Configuring a Virtual Port for Sign-In on the External Port
You need to configure a virtual port to enable IVS end-users to sign-in fromoutside the
network over the external port. For example, if users sign in over the Internet, they use
the virtual port defined on the external port.
To configure the virtual port for sign-in:
1. Make sure you are in the root context. If the IVSdropdown menu in the admin console
header bar displays something other than Root, select Root fromthe menu and click
Go.
2. Select System> Network > Port 1 > Virtual Ports.
3. Click NewPort.
4. Enter a unique name for the virtual port.
5. Enter a valid IP address, provisioned by the subscriber companys network
administrator.
6. Click Save Changes.
Thesystemadds theport, displays theVirtual Ports tab, andrestarts thenetwork services.
You can assign this virtual port to an IVS profile. Define as many virtual ports as needed
for sign-in.
Configuring a Virtual Port for Sign-In on the Internal Port
You need to enable and configure the internal port to allowIVS end-users to sign in from
inside the network.
Copyright 2011, Juniper Networks, Inc. 884
Junos Pulse Secure Access Service Administration Guide
To configure the virtual port for sign-in:
1. Make sure you are in the root context. If the IVSdropdown menu in the admin console
header bar displays something other than Root, select Root fromthe menu and click
Go.
2. Select System> Network > Internal Port > Virtual Ports.
3. Click NewPort.
4. Enter a unique name for the virtual port.
5. Enter a valid IP address, provisioned by the subscriber companys network
administrator.
6. Click Save Changes.
Thesystemadds theport, displays theVirtual Ports tab, andrestarts thenetwork services.
You can assign this virtual port to an IVS profile. Define as many virtual ports as needed
for sign-in.
Related
Documentation
IVS Provisioning Process Overviewon page 882
Virtual Local Area Network (VLAN) on Subscriber IVS on page 885
Configuring VLANs on the Virtualized SA Series Appliance on page 886
Virtual Local Area Network (VLAN) on Subscriber IVS
By defining at least one Virtual Local Area Network (VLAN) on each subscriber IVS, the
MSP can take advantage of VLAN tagging, by which the virtualized SA Series Appliance
tags traffic with 802.1QVLAN IDs before transmitting the traffic over the backend. The
carrier infrastructureuses theVLANtagtodirect thepackets totheappropriatesubscriber
intranet.
VLAN tagging provides separation of the traffic the SA Series Appliance transmits over
the backend, destined for subscriber intranets. Traffic coming in over the front-endthat
is, inbound trafficdoes not have VLAN tags. The IVS adds the tag to a message upon
its arrival over one of the SA Series Appliance ports.
Each VLAN is assigned a VLAN ID which is part of an IEEE 802.1Q-compliant tag that is
added to each outgoing Ethernet frame. The VLANIDuniquely identifies each subscriber
and all subscriber traffic. This tagging allows the systemto direct all traffic to the
appropriate VLAN and to apply respective policies to that traffic.
The VLAN termination point is any device on which VLAN-tagged traffic is identified,
stripped of the VLAN tag, and forwarded to the appropriate tunnel to the backend. The
VLANtermination point can be a CErouter, CPErouter, L2 switch, firewall, or other device
capable of VLAN routing.
You must define a VLANport for each VLAN. The root administrator assigns the specific
VLAN ID when defining the VLAN port.
885 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
For each VLAN you configure, the virtualized SA Series Appliance provisions a unique,
logical VLANinterface, or port, on the internal interface. There is no relationship between
the internal port IP address and any VLAN port IP address. Each VLAN port has its own
route table.
Each VLAN port definition consists of:
Port NameMust be unique across all VLAN ports that you define on the virtualized
SA Series Appliance or cluster.
VLAN IDAn integer in the range from1 to 4095 that uniquely identifies the
subscriber/customer VLAN.
IP Address/NetmaskMust be an IP address or netmask fromthe same network as
the VLAN termination point, because the virtualized SA Series Appliance connects to
the VLANtermination point on a Layer 2 network connection. VLANIPaddresses must
be unique. You cannot configure a VLANtohave the same network as the internal port.
For example, if the internal port is 10.64.4.30/16 and you configure a VLAN as
10.64.3.30/16, you may get unpredictable results and errors.
Default gatewayThe IP address of the default router, typically the CE or CPE router.
The default gateway could act as the VLAN termination point, or could reside behind
the VLAN termination point.
Other network settingsInherited fromthe internal port.
NOTE: If you do not specify a VLANfor the subscriber company, you must
configure the IVS to transmit traffic over the internal interface by selecting
it as the default VLAN.
Configuring VLANs on the Virtualized SASeries Appliance
The relationship between a VLAN and a given IVS allows the root systemto separate
and direct traffic to different subscribers.
Configuring a VLANPort
Beforecreatinganewvirtual system, createaVLANport toidentify thespecificsubscriber
traffic.
To create a VLAN port:
1. Make sure you are in the root context. If the IVSdropdown menu in the admin console
header bar displays something other than Root, select Root fromthe menu and click
Go.
2. Select System> Network > VLANs to open the VLAN Network Settings tab.
3. Click NewPort.
4. Under VLAN settings, enter a name for the VLAN port.
5. Enter a VLAN ID.
Copyright 2011, Juniper Networks, Inc. 886
Junos Pulse Secure Access Service Administration Guide
The VLAN ID must be between 1 and 4095 and must be unique on the system. The
root systemuses untagged traffic and cannot be changed.
6. Enter the IP address for the VLAN.
7. Enter a netmask for the VLAN.
8. Enter a default gateway for the VLAN.
9. Click Save Changes.
Assigning a VLANto the Root IVS
In order to assign a VLAN to a role, you must first assign the VLAN to the root IVS. If you
have not assigned a VLAN to the root IVS, the VLAN is not available in the VLAN drop
down menu in the Users > User Roles > Select Role > VLAN/Source IP page.
To assign a VLAN to the root IVS
1. Select System> Virtual Systems > Root.
2. Under Properties, select the VLAN fromthe Available VLANs list.
3. Click Add -> to move the VLAN name to the Selected VLANs list.
4. Click Save Changes.
Related
Documentation
Using VLANs with the SA Series Appliances on page 689
Configuring VLANs on the Virtualized SA Series Appliance on page 886
Adding Static Routes to the VLANRoute Table
When you create a newVLAN port, the systemcreates two static routes, by default:
The default route for the VLAN, pointing to the default gateway.
The interface route to the directly connected network.
In addition, you can static routes to shared servers in the MSP network.
To add static routes to a VLAN route table:
1. Make sure you are in the root context. If the IVSdropdown menu in the admin console
header bar displays something other than Root, select Root fromthe menu and click
Go.
2. Select System> Network > VLANs.
3. Either click NewPort or select an existing VLAN for which to add a static route.
4. At the bottomof the VLAN port page, click the Static Routes link.
5. Fromthe drop-down menu, select the VLAN for which to create static routes, if not
already selected.
6. Click NewRoute.
887 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
7. On the NewRoute page, enter the destination network/IP address.
8. Enter the destination netmask.
9. Enter the destination gateway.
10. Select the interface fromthe Interface drop down menu.
11. Enter the metric.
The metric is a number between 0 and 15, and usually signifies the number of hops
that traffic can make between hosts. You can set the metric of each route to specify
precedence. The lower the number, the higher the precedence. Therefore, the device
chooses a route with a metric of 1 over a route with a metric of 2. A router that uses
metrics compares a dynamic route metric with the static route metric and chooses
the route with the lowest metric.
12. If you want to add static routes to shared services, for example, you should perform
one of the following steps:
Click Add to [VLAN] route table, where [VLAN] is the name of an available VLAN,
to add the route to a selected VLAN. This action adds the static route to a particular
subscriber companys VLANroute table and excludes access fromall other VLANs,
including fromusers of the MSP network.
Click Add to all VLANroute tables to add the route to all VLANs defined on the
system. For example, if the root administrator wants to share some service among
all end-users of all subscriber companys, select this option.
You can also use static routes if you want to configure shared services on the MSP
network. To accomplish this:
Add a static route to the shared resource in either your own VLAN route table, if the
root systemhas a VLAN, or in the main SA Series Appliance route table, if the root
systemuses the internal interface.
Click Add to all VLANroute tables, which populates all VLAN route tables with the
static route. When you add the static route to all VLAN route tables, all IVS profiles
can access the shared services.
Related
Documentation
Adding Static Routes to the Management Route Table on page 712
Deleting a VLAN
You cannot delete a VLAN that is associated with an IVS. First, you must either delete
the IVS or remove the relationship between the IVS and the VLAN port.
To delete a VLAN:
1. Select System> Network > VLANs.
2. Select the checkbox next to the name of the VLAN to delete.
3. Click Delete.
Copyright 2011, Juniper Networks, Inc. 888
Junos Pulse Secure Access Service Administration Guide
Related
Documentation
Creating a Virtual System(IVS Profile) on page 889
Loading the Certificates Server
On the root system, you can load certificates. You must associate the virtual ports that
you have defined as sign-in ports for IVS end-users with the device certificate. You can
specify virtual ports on the Certificate Details page.
On an IVS, you can only import Trusted Client CAs and Trusted Server CAs.
NOTE: You cannot share certificates across IVS systems. You must have a
unique IP and certificate for each IVS.
You can only configure the root IVS to re-sign applets/controls in the admin
console. The admin consoles for subscriber IVS systems do not showthe
re-signing option. You should take note of the following information:
All root and subscriber end-users see the same applets/controls: either all
of the default Juniper controls, or all of the controls signed by the root IVS.
If you do not want subscriber IVS systems to see controls signed by the
certificate fromthe root IVS, then you should not re-sign the controls. If
you re-sign the controls, the subscriber IVS systems have access to them.
Related
Documentation
Importing Certificates Into the SA Series Appliance on page 720
Using a Trusted Client CA on page 727
Using Trusted Server CAs on page 743
Creating a Virtual System(IVS Profile)
The IVS profile defines the subscriber IVS and any elements required to reach the
subscriber's intranet, such as DNS settings and authentication servers.
To define the IVS profile:
1. Make sure you are in the root context. If the IVSdropdown menu in the admin console
header bar displays something other than Root, select Root fromthe menu and click
Go.
2. Select System> Virtual Systems.
3. Click NewVirtual Systemto display the IVS - Instant Virtual Systempage.
4. Enter the name of the subscriber company.
5. Enter a description (optional).
6. Select Enabled, if it is not already selected.
889 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
If youever needtoprohibit asubscriber andthesubscribers end-users fromaccessing
the IVS due to billing or other problems, disable their account here. By disabling the
account, you can resolve any customer issues and then enable access without having
to delete the subscriber account and lose all the configuration data.
7. Under Initial Configuration, select the configuration to initialize the IVS.
Default ConfigurationPopulates the IVS with system-generated defaults,
RootCopies the root systemconfiguration to the newIVS, or any of the existing
IVSs on the system
IVS nameCopies the configuration fromthe selected IVS to the newIVS.
8. Under Administrator, create a username and password for the IVS administrator.
The IVSadministrator username and password are available in the IVSprofile the first
timeyoucreatetheIVS. Subsequently, if youedit theIVS, thesefields arenot available,
for security purposes. However, if you need to access the IVS administrator username
and password, you can do so through the IVS configuration page, by going to the
Administrators authentication server.
9. Under User Allocation, youcanlimit thenumber of concurrent users ontheIVS. Specify
the limit values for these options:
MinimumGuaranteed UsersYou can specify any number of users between one
(1) and the maximumnumber of concurrent users defined by the SA Series
Appliances user license.
Burstable MaximumUsers (optional)You can specify any number of concurrent
users fromthe minimumnumber you specified up to the maximumnumber of
licensedusers. If left blank, the MinimumGuaranteedUsers value limits the number
of concurrent users on the IVS.
NOTE: If you later reduce the Burstable MaximumUsers setting, you
must also edit the realmlimits. The realmlimits are not automatically
updated when you change the Burstable MaximumUsers setting.
10. Under Properties, specify the sign-in properties, VLAN, and port settings for the IVS.
a. Select a VLAN fromthe Available list box and click Add -> to move the name of
the VLAN to the Selected VLANs list box. You can add multiple VLANs to an IVS.
You can select the internal port as a VLAN even if you have added other VLANs to
the Selected VLANs list. Unlike other VLAN interfaces, you can add the internal
port to multiple IVS profiles. If you have not defined a VLAN, you must select the
internal interface instead.
b. To specify the default VLAN for the IVS, select the VLAN name in the Selected
VLANs list box, then click Set Default VLAN. The IVS marks the VLAN name with
anasterisk(*). ThevirtualizedSASeries Applianceuses thedefault VLANtoprovide
authenticationserver access. The SASeries Appliance consults the default VLANs
route table to look up the route to authentication servers for a given IVS.
Copyright 2011, Juniper Networks, Inc. 890
Junos Pulse Secure Access Service Administration Guide
Youmust specify adefault VLANfor eachIVS. Thesignificanceof thedefault VLAN
for a given IVS is that when an end-user attempts to sign into a particular realm
within that IVS, the IVS sends traffic to the authentication server for that realm
over the default VLAN interface.
NOTE: You must specify the internal port as the default VLANfor the
root IVS.
c. If you want todefine a sign-in URL prefix that your end-users can sign in over rather
than over a virtual port, add the prefix to the Sign-in URL Prefix field. The prefix is
the equivalent of the first node in the URL, for example, companyAin the following
URL:
http://www.mycompany.com/companyA
d. If you have defined virtual ports for either the internal interface or the external
interface, you can select themin the Available list boxes and click Add -> to move
themto the Selected Virtual Ports list boxes for the respective interfaces.
e. Enter the address or range of IP addresses that are available for Network Connect
clients (end-users). If you intend to configure a DNS server on the IVS, for a server
located on the subscriber intranet, you must add the available Network Connect
IP address pool values here.
NOTE: Unlike the NC Profile page, you can not specify a subnet range
in the IVS profile page. In other words, entering 172.19.48.0/24 is not
allowed. You can however, specify arbitrarily large IP ranges such as
172.19.48.0-172.19.48.255.
11. Click Save Changes.
Related
Documentation
Configuring Virtual Ports on page 692
Signing In Directly to the IVS as an IVS Administrator on page 893
IVS Initial Config Via Copy fromthe Root Systemor Another IVS
When creating a newIVS profile, you have the option to copy the configuration of a root
systemor an existing IVS to initialize the newIVS. The resulting IVS combines the
information you specify in the newIVS profile along with the configuration copied from
the root systemor existing IVS. Settings in the IVS profile override the copied settings.
Note that the copy is a one-time operation, with no on-going relationship between the
source of the copy and the target of the copy. Subsequent configuration changes in the
copy source are not reflected in the copy target or vice-versa.
Caveats
891 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
After performing an IVS config copy, some manual reconfiguration is required on the
target.
DNS settings are always left blank regardless of whether or not the configuration was
copied fromanother IVS.
When copying froman existing IVS, you should check all references to VLANs and
virtual ports. For example, you may need to update the association of roles to VLAN
interfaces or virtual ports.
When copying froman existing IVS, you should check all NC connection profiles and
reconfigure them, as needed, to meet the requirements of the NC IP range in the IVS
profile.
When copying froma root system, you must configure the admin roles and admin
realmrole mappings manually. These settings are not copied fromthe root system.
Based on license restrictions of the newIVS, some admin and user realmlimits may
get reset. Check the admin and user realms and configure as needed.
The Initial Configuration option allows you to select the configuration to initialize the
IVS. This option does not copy the configurations of the archive servers regardless of
whether you select the root systemor any other IVS.
The copy operationcanresult inpopulating the target IVSwithunsuitable settings. When
an IVS is configured by copying the configuration fromthe root systemor another IVS,
the entire configuration fromthe source is copied to the target, including ACLs, resource
policies, resource profiles, PAC files, and so forth, which frequently refer to specific
backend servers by name, URL or IP address. In the common case, these resources tend
to be company/department intranet-specific (that is, private to a particular IVS), and
should not be exposed to end-users of other IVSs.
It is the responsibility of the root admin to go through the entire target IVS configuration
manually and purge references to any backend network resources and IP addresses that
are not applicable to the target IVS.
Use Cases for IVS Initial Config Via Copy
An IVS is created froma template IVS
An example of this use case is provisioning virtual systems. A service provider may want
to provision three categories of subscribers: Gold, Silver and Bronze. The administrator
creates three IVSs (called Gold, Silver, and Bronze) and manually configures the
authenticationservers, roles, resourcepolicies, etc. appropriatetothesubscriber category.
These IVSs are not actually used in production, but as sample configuration templates
that can be applied to real subscriber IVSs. When provisioning a newsubscriber IVS, the
administrator clones the template by copying initial configuration for the newIVS from
the Gold, Silver or Bronze template IVS.
It is the responsibility of the root admin to carefully craft the template IVSs to contain
only those settings that are meant to be shared across multiple IVSs, such as centralized
auth servers, host checker policies etc.The template IVSs should not contain references
Copyright 2011, Juniper Networks, Inc. 892
Junos Pulse Secure Access Service Administration Guide
to private resources that are not meant to be exposed to/reachable fromthe real
subscriber IVSs.
An SASeries Appliance deployment is converted to an IVS deployment
This usecaseis for copyingtheconfigfromtheroot system. Whenanexistingstandalone
SA Series Appliance deployment is converted to an IVS deployment by applying an IVS
license and then creating multiple IVSs, the newIVSs can be configured by copying the
configurationfromtheroot systemor other IVSs, andthenfollowingthesteps mentioned
in the caveats above.
Related
Documentation
Importing and Exporting IVS Configuration Settings on page 764
Signing In Directly to the IVS as an IVS Administrator
Signing in directly to the IVSas an IVSadministrator is different than picking the IVSfrom
the virtual systemdrop down menu in the Web-based administrator UI console. If you,
as the root administrator, want to sign in the same way that all IVS administrators must
sign in to the IVS, performthe following steps:
1. Sign-out of the root SA Series Appliance.
2. Enter the sign-in URL in the address bar of a valid browser, using either the hostname
or the IP address. For example:
https://www.company.com/admin
https://10.9.0.1/admin
This example assumes that you assigned the IP address 10.9.0.1 as a virtual port for
sign-in. The format depends on whether or not you defineda DNSentry for the sign-in
host name. When logging in, the administrator can enter the host name or the IP
address defined as the virtual port for sign-in. If the administrator signs in fromwithin
thenetwork, heshouldusetheIPaddress youconfiguredfor signinginover theinternal
port. If theadministrator signs infromoutsidethenetwork, heshouldusetheIPaddress
you configured for signing in over the external port.
3. Press Enter.
4. Enter the IVS administrator username.
5. Enter the IVS password.
6. Click the Sign in button.
Assuming the credentials are valid, the SystemStatus page for the IVS appears.
When either the root or an IVS administrator exits the IVS, the appliance immediately
severs the connection.
Related
Documentation
Signing In to the Root Systemor the IVS on page 875
Navigating to the IVS on page 878
893 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
About Role-Based Source IP Aliasing
If the subscriber company employs policy evaluation devices/firewalls in their network
for the purpose of separating traffic based on the source IP address as it enters the
intranet fromthe IVS, you, the root administrator, must configure the IVS to generate
traffic with different source IP addresses. The role-based source IP aliasing feature, also
known as VIP sourcing, provides the capability to map end-user roles to VLANs and
specific source IPaddresses (the IPaddress of any one of the virtual ports hosted on the
VLAN interface). All traffic generated by the IVS over the back-end on behalf of the
end-user carries the source IP address configured for the end-user's role.
For example, assume that the traffic to a particular subscriber intranet needs to be
differentiated based on whether it originates fromcustomers, partners, or employees.
There are two ways to accomplish this:
Provision three different VLANs for the subscriber, create three roles corresponding to
customers, partners and employees, and map each role to a different VLAN.
Provision a single VLAN for the subscriber, configure three virtual ports with unique IP
addresses, and map customers, partners and employee roles to the same VLAN but
to different source IP addresses.
You can use role-based source IP aliasing whether or not you have defined a VLAN. In
the case of a non-VLAN configuration, you define a virtual port, then assign that port to
a roles source IP.
When using a VLAN, you can set the source IP address of a role to either the VLAN port
IP address or to an IP alias configured on a VLAN port.
Related
Documentation
Associating Roles with Source IP Addresses in an IVS on page 894
Configuring Virtual Ports on page 692
Associating Roles with Source IP Addresses in an IVS
Assuming that the root administrator has already configured a VLAN, virtual ports for
the VLAN, and the IVS, the IVS administrator can associate roles with the virtual ports
as follows:
1. Log in to the IVS as the IVS administrator.
2. Choose Users > User Roles.
3. Click NewRole.
4. Enter a name for the role.
5. Select the Source IP checkbox.
6. Select any other options and the features you want a user with this role to be able to
access (Optional).
7. Click Save Changes.
Copyright 2011, Juniper Networks, Inc. 894
Junos Pulse Secure Access Service Administration Guide
The page refreshes and a set of tabs nowappears.
8. Select the VLAN/Source IP tab.
9. Select the VLAN, if the root administrator has defined more than one VLAN for this
IVS.
10. Select the source IP fromthe Select Source IP drop down menu.
11. Click Save Changes.
12. Repeat the process for each newrole.
When creating newusers, the IVS administrator can then assign each user to one of the
roles, which determines what source IP address each user can access.
Related
Documentation
About Role-Based Source IP Aliasing on page 894
Configuring Policy Routing Rules on the IVS
The virtualized SA Series Appliance uses a policy routing framework that depends on
rules, route tables, and route entries that are configured on the system.
When you create a VLAN, the systemprovisions a newroute table for that VLAN. VLAN
route tables exist in addition to the main route table for the SA Series Appliance. Only
the root administrator can manage VLAN route tables. IVS administrators cannot view
or access the route tables.
Each VLAN route table contains the following route entries:
Automatically-created route entries
Manually-created route entries
Automatically-Created Route Entries
The default route 0.0.0.0. points to the default gateway you have configured for the
VLANinterface. The SA Series Appliance creates this route internally when it creates the
VLAN interface. End-users can reach most of their companys resources through the
default route.
The interface route is the network route corresponding to the VLANinterface IP address.
Manually-Created Route Entries
Static routes to servers within the same VLAN that are accessible through routers other
than the default gateway.
Static routes to server IP addresses on other VLAN ports within the same subscriber
company intranet, or VLANports within the MSPnetwork. For example, you might define
in a VLANroute table static routes to DNSor authentication servers in either a subscriber
company intranet or in the MSP network.
895 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
Static routes to server IP addresses accessible through the internal interface. These are
usually required if your MSP network is connected to the internal interface.
Routing Rules
A number of rules have been built into the systemto enable the correct routing of traffic
to the appropriate subscriber intranets. For example, rules exist to map:
The Network Connect IP pool address for each Network Connect end-user session to
a corresponding VLAN route table.
To construct this rule, the systemdetermines an end-users role when the user
establishes an Network Connect session. The systemcan then search the role for the
associated VLAN.
A configured source IP address to a corresponding VLAN route table.
The systemcreates this rule whenever you configure a virtual port or source IP alias
on a VLAN port.
There are no explicit rules governing the flowof traffic between the subscriber or MSP
networks and end-users. Traffic arriving at the SASeries Appliance over the backend has
adestinationIPaddress set totheconfiguredIPaddress of oneof thenetwork interfaces,
either the external interface, VLAN interface, or a Network Connect tunnel interface. An
SA Series Appliance application automatically handles the processing.
You cannot access the rules table. This section includes a description of the rules table
and howrules are constructed to help you understand howthe systemoperates.
Overlapping IP Address Spaces
The virtualized SA Series Appliance supports overlapping IP addresses in subscriber
intranets, and overlapping source IP addresses for Network Connect. At this time, the
virtualized SASeries Appliance does not support multiple VLANinterfaces with identical
IP addresses.
The virtualized SASeries Appliance supports overlapping IPaddresses among customer
networks that are tied to VLANs in different IVS systems, because IVS systems do not
share route tables.
Assumethat Company1 andCompany2bothhaveinternal networksthat useIPaddresses
10.64.0.0/16. Because these addresses are internal to each companys network, and
because each company has a completely separate IVS, identified by a unique VLAN ID,
the MSP can support them, even though, technically, they overlap.
Define Resource Policies
Both you, as the root administrator, and the IVS administrator can create policies for
end-users.
You can also customize which policies are visible to IVS administrators. However, you
must customize each IVS independently. Also, if you are in the root IVS context and you
customize the admin console, you are only customizing the console as it appears to you
Copyright 2011, Juniper Networks, Inc. 896
Junos Pulse Secure Access Service Administration Guide
or other administrators who are permitted to viewthe root IVS console. To customize
any IVS admin console, you must be in the context of that IVS.
Related
Documentation
Configuring Policy Routing Rules on the IVS on page 895
Resource Policy Components on page 132
Customizable Admin and End-User UIs on page 941
Clustering a Virtualized SASeries Appliance
You can cluster the entire SA Series Appliance, including all IVS systems. You cannot
cluster an individual IVS system. The clustering rules and conditions in a standard SA
Series Appliance network also apply to clusters in an IVS network, with the following
exceptions:
Virtual port replicationAny virtual port you define on the Active node is replicated to
the Passive node. The virtual ports name and address is the same on both Active and
Passive nodes.
Virtual port source IPGivenanend-user whomaps toaparticular role, andabackend
connection fromany node on behalf of that end-user, the source IP of the backend
connectionis the same as the source IPof the virtual port configuredfor the end-users
role.
VLAN port replicationWhen you create or delete a VLAN port on an Active cluster
node, the SA Series Appliance automatically adds or deletes the VLAN port on the
Passive node.
VLAN definitionFor any given VLAN port, the slot, logical name, VLAN ID, netmask,
and default gateway are the same across all cluster nodes.
VLAN port IP addressThe IP address for each VLAN port is node-specific.
Corresponding VLAN ports on an Active/Passive cluster are configured on the same
IP network. You can only configure an IP address/netmask combination for a VLAN
port on the standby node if the resulting network corresponds to the VLANport in the
Active cluster node. VLANIP addresses must be unique. You cannot configure a VLAN
to have the same network as the internal port. For example, if the internal port is
10.64.4.30/16 and you configure a VLANas 10.64.3.30/16, unpredictable behavior and
errors can occur.
Policy routingYou can configure route settings per node and per interface, either
physical or VLAN, however, those route settings are synchronized across the cluster
when you edit them.
IVS profilesIVS profiles are replicated across cluster nodes, and are not partitioned
across cluster nodes.
NetworkConnectIf youdeploythevirtualizedSASeriesApplianceasanActive/Passive
cluster, the Network Connect connection profile that you or an IVS administrator
configures within each IVS is propagated to the standby node.
897 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
Network Connect in Active/Active clusterIn an Active/Active cluster, the Network
Connect IP address pool for each IVS is split across individual cluster nodes by way of
role-level settings.
Failover behaviorIn the event of a failover, the VLAN interface does not disappear.
Both Active and Passive nodes should contain the VLAN interface.
NOTE: When using Network Connect, you should always define virtual ports
for each VLANport you create. If you have defined a Network Connect IP
address pool, and you are running in Active/Passive cluster mode, you must
configure your routers to direct traffic to one of the VLANs virtual ports as
thenext-hopgateway. Otherwise, NetworkConnect sessionsmaynot recover
gracefully froma failover.
Related
Documentation
About Clustering on page 835
Accessing a DNS Server on the MSP Network
In the root system, you can configure access so that any traffic destined for resources
on the MSP network goes through the DNS server on the MSP network.
To access a DNS server on the MSP network:
1. In the admin console, choose System> Network > Overview.
2. Under DNSnameresolution, providetheprimaryDNSaddress, secondaryDNSaddress,
and the DNS domains.
When you add the DNS addresses, each one is added to the resolv.conf file on the SA
Series Appliance, in a nameserver directive.
3. If you are using WINS, provide the WINS server address.
4. Click Save Changes.
5. Configure the Network Connect connection profile.
You can provide DNS services to non-Network Connect users by specifying a global
DNS/WINS server in the MSP network. The global DNS/WINS server hosts DNS for all
participating subscriber companies. As an alternative, you can configure a HOSTS file
on the SA Series Appliance with DNS entries for all participating subscriber companies.
When you configure a global DNS/WINS server in this way, it provides DNS services to
any requesting entity, including fromNetwork Connect users of participating subscriber
companies that do not have DNS servers in their intranets.
Related
Documentation
Creating Network Connect Connection Profiles on page 657
Copyright 2011, Juniper Networks, Inc. 898
Junos Pulse Secure Access Service Administration Guide
Accessing a DNS Server on a Subscriber Company intranet
In each IVS system, you can configure access so that any traffic destined for resources
on the IVS subscribers network goes through the DNS server on their internal company
network.
To access a DNS server on a subscriber intranet:
1. If you did not add a valid Network Connect IP address pool to the IVS profile when
you created the virtual system, modify the IVS profile to include the Network Connect
IP addresses.
2. Inthe adminconsole, select the name of the subscriber IVSfromthe dropdownmenu
in the console header bar.
3. Click Go.
4. On the subscriber IVS admin console page, choose System> Network > Overview.
5. Under DNSnameresolution, providetheprimaryDNSaddress, secondaryDNSaddress,
and the DNS domains.
6. If you are using WINS, provide the WINS server address.
7. Click Save Changes.
8. Configure the Network Connect Connection Profiles.
a. Choose Users > Resource Policies > Network Connect > Network Connect
Connection Profiles.
b. Click NewProfile.
c. Provide a name for the Connection Profile.
d. In the IP Address Pool field, enter the range of IP addresses available for use by
Network Connect users.
e. Select any other connection settings, or take the defaults.
f. Choose a role to which to apply the settings, if necessary. By default, if you do not
choose a role, the policy applies to all roles.
g. Click Save Changes.
h. Click the DNS tab.
i. Select the Use CustomSettings checkbox.
j. Add the Primary DNS, Secondary DNS (optional), the DNS domain name, and
WINS server IP addresses.
899 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
k. Select the DNS search order. When you enter customsettings for the IVS, the root
systemsearches the subscriber DNS server first, then the MSP DNS server, by
default.
l. Click Save Changes.
NOTE: You must performthis task for every IVS.
Related
Documentation
IVS Provisioning Process Overviewon page 882
Configuring Network Connect for Use on a Virtualized SASeries Appliance
You, as theroot administrator, must work withtheIVSadministrator toconfigureNetwork
Connect so that end-users can send traffic to the subscriber intranet and receive traffic
back fromthe subscriber intranet.
If you want to use Network Connect on a subscriber companys IVS (rather than just by
way of Network Connect running on the MSP network) you must configure a DNS server
on the IVS.
For clients to be able to establish Network Connect sessions to an IVS, DNS settings
must be set for the IVS. Otherwise, the Network Connect session initiation fails and
displays an error message.
Configuring the Network Connect Connection Profile
Configure the Network Connect connection profile using the IPaddresses fromthe range
specified in the Network Connect IP pool in the IVS profile.
1. Select Users>ResourcePolicies>NetworkConnect >NetworkConnect Connection
Profiles.
2. Click NewProfile.
3. Enter the IP addresses in the IP Address Pool text box, one address per line. The Help
text in the admin console shows examples of valid ranges.
4. Change the transport, encryption, and compression settings fromthe defaults, if
necessary.
5. Add the appropriate role fromthe Available roles listbox to the Selected roles listbox.
6. Click Save Changes.
Configuring Network Connect on Backend Routers
Both you, as the root administrator, and the IVS administrator must configure static
routes on the backend to ensure that each Network Connect end-user can be reached
fromthe subscriber intranet, and if needed, the MSP network.
Copyright 2011, Juniper Networks, Inc. 900
Junos Pulse Secure Access Service Administration Guide
If you want Network Connect users to be able to access the MSP networks DNS server,
configure a static route in the route table of each application server or DNS server to the
end-users Network Connect IPpool address. Set thenext-hopgateway totheIPaddress
of the root systems internal interface.
Figure 26: Setting a Static Route in MSP Network DNS or Application
Servers
1. End-users sign in over an Internet connection, using an IP address froma Network
Connect IP address pool, to reach the DNS server on the MSP network.
2. The root administrator specifies a static route in the DNS server route table to point
to an IPaddress fromthe Network Connect IPaddress pool. The subscriber company
must define the Network Connect IP address pool in its intranet.
3. The DNSserver resides on the MSPnetwork and serves all end-users of all subscriber
companies.
4. TheDNSservers routetablecontains astaticroutetotheNetwork Connect IPaddress
pool and the next-hop gateway IP address.
5. The SA Series Appliances internal interface is the DNS servers next-hop gateway
address.
6. The subscribers CPE routers performthe proper traffic routing to the subscriber
company intranets.
7. Each subscriber company that intends its users to pass through the MSP DNS or
application servers must define a corresponding Network Connect IP address pool.
As shown the following figure, the IVS administrator can configure the subscriber CPE
router with a static route to the end-users IP address, with the next-hop gateway set to
the IP address of the corresponding CE router on the MSP network.
Alternately, the subscriber can configure a default route on the CPE router to point to
theMSPCErouter as thenext-hopgateway. Inthis case, youdonot needtoaddindividual
static routes to the Network Connect IP pool addresses.
901 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
1. End-users sign in over an Internet connection using an IP address agreed upon by the
MSP and the subscriber company.
2. Specify a static route in the subscriber companys CPE routers route table to point
to the end-user sign-in IP addresses.
3. You must also specify the next-hop gateway in the CPE routers route table.
4. You use the MSP CE routers IP address as the next-hop IP in the CPE routers route
table.
5. The CPE router resides on the subscriber companys intranet. Using this arrangement,
each subscriber company must specify the static route to their own end-user sign-in
address and must specify the MSPs CE router IP as the next-hop gateway in the CPE
route table.
6. Once the MSP VLAN termination point (in this example, a CE router) determines the
intendedsubscriber intranet, theterminationpoint directs thetraffictotheappropriate
CPE router, which sends the traffic to the proper resource in the subscriber intranet.
As shown in the following figure, you can configure a static route in the CE router to point
to the end-users IP address, with the next-hop gateway set to the IP address of the
subscribers VLAN port.
Alternately, youcanconfigureadefault routeontheCErouter withthenext-hopegateway
set to the IP address of the subscriber VLAN port. In this case, you do not need to add
individual static routes to the Network Connect IP pool addresses.
You can also allocate an entire network to an Network Connect IP address pool.
1. End-users sign in over an Internet connection using an IP address agreed upon by the
MSP and the subscriber company.
2. Specify a static route in the MSPs VLAN termination point (in this example, a CE
router) route table to point to the end-user sign-in IP addresses for each subscriber
company.
3. You must also specify the next-hop gateway in the CE routers route table.
Copyright 2011, Juniper Networks, Inc. 902
Junos Pulse Secure Access Service Administration Guide
4. In the CE route table, specify all end-user sign-in IP addresses as static routes, and
all corresponding VLAN port IP addresses as defined in the virtualized SA Series
Appliance.
5. Defineat least oneuniqueVLANIDfor eachsubscriber company. UsetheIPaddresses
of each VLAN as the next-hop gateway addresses in the CE routers route table.
6. The subscribers CPE routers performthe proper traffic routing to the subscriber
company intranets.
7. Each subscriber company must provide sign-in pages for the IP addresses defined as
static routes for end-user sign-in.
Once the MSP VLAN termination point (in this example, a CE router) determines the
intended subscriber intranet, the termination point directs the traffic to the appropriate
CPE router, which sends the traffic to the proper resource in the subscriber intranet.
Related
Documentation
About Network Connect on page 636
Configuring a Centralized DHCP Server
You can configure one or more centralized DHCP servers if you want to provide Network
Connect IVS users with dynamic IP addressing, without requiring each IVS subscriber to
support an IVS-specific DHCP server.
The DHCP server maintains separate IP address pools for each IVS, using the IVS name
property, defined in the IVS profile, to uniquely identify the IVS-specific pools.
Upon receiving a request froman IVS, the DHCP server selects an IP address based on
the IVS name and the IP address of the node fromwhich the request originated, which
is delivered in the giaddr field of the request. Using this combination of data points, the
DHCP server picks an available IP address fromthe appropriate pool and returns the
address in the DHCP offer.
To configure your systemto support a centralized DHCP server
The following notes apply tothe use of a centralizedDHCPserver in an IVSconfiguration:
You can configure the same DHCP server IP address for Network Connect roles in
multiple IVS systems.
Within a Network Connect role, if you configure both an NC IP pool and a DHCP server
for the same role, the DHCP server takes precedence.
DHCP IP address assignment can co-exist with IP address assignment by way of NC
IP pools within an IVS.
You can employ multiple DHCP servers in the service provider network, with different
groups of IVS systems pointing to different central servers.
1. Configure the DHCP server entry in the Network Connect Connection Profile, for each
Network Connect role that will acquire IP addresses by way of DHCP.
903 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
2. Configure the DHCP server itself, by configuring classes and subclasses on the DHCP
server to distinguish between requests fromdifferent IVS systems and to provide IP
addresses fromIVS-specific IP address pools.
To configure the DHCP server entry in the Network Connect Connection Profile
1. In the Root context, choose Users > Resource Policies > Network Connect.
2. Click the NC Connection Profiles tab.
3. Click NewProfile.
4. Enter a name for the profile.
5. Under IP address assignment, select the DHCP Server radio button.
6. Enter the DHCP server name or IP address.
7. Under Roles, select the applicable roles in the Available roles list box and click Add
to move themto the Selected roles list box.
8. Click Save Changes.
9. Repeat the procedure for each IVS that should use the DHCP server., making sure to
enter the same DHCP server name or IP address that you entered for the Root.
Related
Documentation
Creating Network Connect Connection Profiles on page 657
About Authentication Servers
You can configure authentication servers, such as RADIUS and Active Directory, on both
the MSP network and the subscriber company intranets. The authentication server
authenticates the incoming traffic differently depending on whether the traffic is
authenticated when it comes into the MSP network or when it reaches the customer
intranet.
NOTE: If you connect an authentication server to the internal port, you must
set the default VLANto the internal port when configuring the IVS.
The following authentication servers are supported on a subscriber IVS:
Local Authentication
LDAP Server
RADIUS Server
Active Directory/Windows NT
Anonymous Server
Certificate Server
Copyright 2011, Juniper Networks, Inc. 904
Junos Pulse Secure Access Service Administration Guide
The following authentication servers are supported on the root system:
Local Authentication
LDAP Server
NIS Server
ACE Server
RADIUS Server
Active Directory/Windows NT
Anonymous Server
SiteMinder Server
Certificate Server
Rules Governing Access to Authentication Servers
The following rules apply to the access of authentication servers on the MSP network or
on the subscriber company network. Each IVS profile must include settings for:
The default VLAN, which can also be the internal port, if provisioned as the default
VLAN.
The default VLAN interface IP is the source IP address used to contact the
authentication server.
Static routes in the VLAN that point to the appropriate authentication servers, which
can reside in the MSP network (with an assigned VLAN ID or untagged on the internal
port), or on the subscriber company network.
Configuring Authentication on a RADIUS Server
You must configure the RADIUS server in each IVS. If you have a RADIUS server on the
MSP network as well, all of the IVS RADIUS servers can point to the same MSP RADIUS
IP address.
To configure the RADIUS server:
1. Select the context:
If you are in an IVS context, and you want to define a RADIUS server on the MSP
network, select Root fromthecontext dropdownmenuintheadminconsoleheader
bar and click Go.
If youareintheroot context, andyouwant todefineaRADIUSserver onasubscriber
intranet, select theIVSnamefromthecontext dropdownmenuintheadminconsole
header bar and click Go.
2. Followthe same steps as you would for configuring a RADIUS server instance.
905 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
NOTE: Inthecurrent release, ACEauthenticationisnot availablefor individual
IVS systems. If you want to use RSA 2 factor token-based authentication,
you should use RADIUS fromthe IVS to access RSA ACE.
Configuring Authentication on Active Directory
You must configure the AD/NT server in each IVS. If you have an AD/NT server on the
MSP network as well, all of the IVS AD/NT servers can point to the same MSP AD/NT IP
address.
To configure the Active Directory server:
1. Select the context:
If you are in an IVS context, and you want to define an AD/NT server on the MSP
network, select Root fromthecontext dropdownmenuintheadminconsoleheader
bar and click Go.
If youareintheroot context, andyouwant todefineanAD/NTserver onasubscriber
intranet, select theIVSnamefromthecontext dropdownmenuintheadminconsole
header bar and click Go.
2. Followthe same steps as you would for configuring an Active Directory or NT Domain
instance.
Related
Documentation
Configuring a RADIUS Server Instance on page 170
Defining an Active Directory or Windows NT Domain Server Instance on page 150
Delegating Administrative Access to IVS Systems
As the root administrator, you can delegate administrative access and responsibilities
to specific IVS systems. You can delegate read/write access or read-only access to all
IVS systems, or to selected IVS systems.
To delegate administrative access to IVS systems
1. Select Administrators > Admin Roles > Role where Role indicates one of the listed
administrator roles. You can also create a newadministrator role, if you prefer.
2. Click the IVS tab.
3. To give the administrator read/write access to the IVS, select one of the following:
To give the administrator read/write access to all IVS systems, select the
Administrator can manage ALL IVSs checkbox.
Tolimit the administrators access tospecific IVSsystems, select the Administrator
can manage SELECTEDIVSs checkbox, then select the IVS systems fromthe
Available IVSs list and click Add to move themto the Selected IVSs list.
4. To give the administrator read only access to the IVS, select one of the following:
Copyright 2011, Juniper Networks, Inc. 906
Junos Pulse Secure Access Service Administration Guide
If you want to give the administrator read only access to all IVS systems, select the
Administrator can view(but not modify) ALL IVSs checkbox.
If you want to limit the administrators access to specific IVS systems, select the
Administrator can view(but not modify) SELECTEDIVSs checkbox, then select
the IVS systems fromthe Available IVSs list and click Add to move themto the
Selected IVSs list.
5. Click Save Changes.
By adding these access rights to a given role, you can exercise different levels of control
over different MSP administrators.
Related
Documentation
Creating and Configuring Administrator Roles on page 864
Accessing Standalone Installers on an IVS System
TheIVSadministrator might needtoaccess theHost Checker, WSAM, or other standalone
installers. To give IVS administrators access to the installers, which are located on the
Maintenance > System> Installers page, you can delegate the access to themby way
of the Administrators > Admin Roles > SelectRole > IVS page. Once you have delegated
access, the IVS administrator can see the Installers page fromwithin the context of the
IVS admin console.
Related
Documentation
Downloading Application Installers on page 703
Exporting and Importing IVS Configuration Files
Use the SA Series Appliance binary import/export feature to export and import root
systemand user settings, and also to export and import subscriber IVS settings and
profiles. The two types of operations are mutually exclusive: if exporting IVSsettings, the
exportedconfigurationfiledoes not containroot systemsettings; if exportingroot system
settings, the exported configuration file does not contain subscriber IVS settings.
Use the XML import/export feature to export and import systemconfiguration. This
featureenablesyoutomakesignificant changestoyour systemconfigurationandprovides
a number of benefits, particularly when it comes to make a large number of repetitive
changes, or when you want to update configuration data all at once.
You performexport and import operations fromthe context of the root system. On the
Maintenance > Import/Export > Import/Export Configuration page, the Maintenance >
Import/Export > Import XML and Export XML pages, and on the Maintenance >
Import/Export > Import/Export Users page, you can find the standard controls for
exporting root systemand user configuration. A subscriber IVS administrator cannot
export or import data fromor to a subscriber IVS. Only you, as the root administrator,
can performthese tasks.
907 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
Note the following:
You can only import/export all IVS systems in a single operation. You cannot
import/export an individual IVS systems configuration.
When creating an IVS using XML import, an XML containing the IVS profile should be
imported first before importing the IVS configuration.
The schema for XML import/export of a root IVS (click the Download the schema files
link in the XML export page) is different fromthe XML import/export schema of a
non-root IVS.
You can also use the SA Series Appliance binary archiving feature to performlocal
backups of your IVS system.
Exporting IVS Configurations
To export IVS configurations:
1. Select Maintenance > Import/Export > Import/Export IVS.
2. Enter a password to password protect the configuration file.
3. Click Save Config As.
4. Click Save.
5. Provide a file name and target location for the file.
6. Click Save and Close, if necessary.
The saved configuration file contains the following settings for all IVS systems:
IVS Profiles
IVS SystemSettings
IVS Signing In Settings
IVS Administrators
IVS Users
IVS Resource Policies
IVS Maintenance Settings
Importing IVS Configurations
To import IVS configurations:
1. Select Maintenance > Import/Export > Import/Export IVS.
2. Click Browse.
3. Locate and select the file and click Open.
4. Enter a password to password protect the configuration file.
5. To import the network settings in the IVSprofile, such as VLANports and virtual ports,
select the Import IVS Profile Network Settings checkbox.
Copyright 2011, Juniper Networks, Inc. 908
Junos Pulse Secure Access Service Administration Guide
NOTE: Importing network settings as describedinabove only works if you
export the systemand IVS configurations fromthe same system.
Thenetwork settings themselves donot get imported; only thereferences
to the network settings get imported. Network settings are only
imported/exported when importing/exporting the root systemsettings.
6. Click Import Config.
The IVS provides a confirmation message if the import operation succeeds. The IVS
then restarts certain services, which may require several minutes.
NOTE: You can use the XML Import/Export feature to export and import
XML-based configuration files on the root IVS.
You can use Push Config to copy one root IVS configuration to another
root IVS. You cannot use Push Config to copy configuration data between
subscriber IVS systems or froma root IVS to a subscriber IVS.
Related
Documentation
Importing and Exporting XML Configuration Files on page 765
Using XML Import and XML Export on IVS Systems
XML import and export provides a way to make a large number of repetitive changes all
at oncebyimportingandexportingsystemconfiguration. As withthebinaryimport/export,
a subscriber IVS administrator cannot export or import data fromor to a subscriber IVS.
Only the root administrator can performthis task. You can not create or delete an IVS
through XML import.
The process for importing and exporting IVS systemconfiguration is the same as for an
SA Series Appliance and will not be described here. Note that you will see fewer XML
export options on the IVS as compared to the SA Series Appliance as not all SA Series
Appliance options are applicable to IVS.
As with the SA Series Appliance, some services might be restarted after performing an
IVS XML import due to changes in configuration. The following configuration changes
result in service restarts:
NCP option changes
Windows/Unix file browsing config changes
Security option changes
The IVS root administrator can restrict IVS administrators fromchanging configuration
data that can cause service restarts (both fromthe admin console and through XML
import) by selecting System> Virtual Systems > Virtual Systems and then selecting the
Restrict IVS administrator access to configuration without system-wide impact option.
909 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
Related
Documentation
Importing and Exporting XML Configuration Files on page 765
Monitoring Subscribers
Log files contain detailed information about events, user access, administrator access
andmore. Thelogentries specify thecontext of eachentry, whether theentry was caused
by a root action or an action on one of the IVSsystems. The root entries contain the word
Root. For example, the following entries showaccess by two administrators, the first
being Root and the second, an administrator called Test:
ADM20716 2005-05-10 10:52:19 - ive - [10.11.254.160]
Root::administrator(administrator Users)[.Administrators] - User Accounts modified.
Added Unspecified Name with username testuser1 to authentication server System
Local.
Info ADM20716 2005-05-10 10:35:26 - ive - [10.11.254.160]
Test::administrator(administrator Users)[.Administrators]!Root - User Accounts
modified. Added IVE Platform Administrator with username omiadmin to authentication
server Administrators.
Suspending Subscriber Access to the IVS
To suspend subscriber access to the IVS:
1. Select System> Virtual Systems.
2. Click the Disabled radio button.
By performing this step, you make the IVS unavailable to any user of the IVS, including
the IVS administrator. To provide access to the IVS, set the radio button to the Enabled
state.
Related
Documentation
Virtual Local Area Network (VLAN) on Subscriber IVS on page 885
Troubleshooting VLANs
Inadditiontothestandardtroubleshootingfeatures providedby theSASeries Appliance,
the virtualized SA Series Appliance provides several enhancements, specifically for
managing IVS systems. You can use the following troubleshooting features on either the
root systemor each IVS, separately:
Policy simulation
Policy tracing
Session recording
Functionally, theseutilities arethesameas thestandardSASeries Appliancecapabilities.
The key difference is a matter of context. If you initiate one of these three utilities from
theroot systemcontext, youget results for users, policies, andsessions ontheroot system
or fromthe MSP network. If you initiate the utilities froma subscriber IVS context, you
get results for users, policies, and sessions on the IVS or the subscriber intranet.
Copyright 2011, Juniper Networks, Inc. 910
Junos Pulse Secure Access Service Administration Guide
The TCPDump, Ping, Traceroute, NSLookup, and ARP commands are enhanced for use
in virtualized SA Series Appliance systems. You can initiate these commands on the
internal and external ports, as well as on selected VLANports, which you might do if you
want to troubleshoot traffic on a subscriber VLAN. The basic functionality of the
commands is unchanged, except for the ability to specify a VLAN port
Running TCPDump on a VLAN
To performa TCPDump on a VLAN:
1. If you are not in the root systemcontext, select Root fromthe IVS drop down menu
in the admin console header, and then click Go.
2. Choose Maintenance > Troubleshooting > Tools > TCP Dump.
3. With Internal Port selected, select the VLAN fromthe VLAN Port drop down menu.
4. (optional) Add a filter to the Filter text box.
5. Click Start Sniffing.
6. To retrieve the results, click Stop Sniffing.
7. Choose the type of Dump file fromthe Dump File drop down menu.
8. Click Get.
9. Open the file with the appropriate editor.
Using Ping, traceroute, NSLookup, ARP Commands on a VLAN
1. If you are not in the root systemcontext, select Root fromthe IVS drop down menu
in the admin console header, and then click Go.
2. Choose Maintenance > Troubleshooting > Tools > Commands.
3. Select a command fromthe Command drop down menu.
4. Enter the target server.
5. Select the VLAN fromthe VLAN Port drop down menu.
6. Enter the other settings, depending on the command you choose.
7. Click OK.
8.
Related
Documentation
About Troubleshooting on page 821
Creating TCP Dump Files on page 827
IVS Use Case: Policy Routing Rules Resolution
This use case illustrates howpolicy routing takes place in an MSP deployment. The first
part of the use case details two subscriber company configurations and howend-users
access their respective subscriber company networks. The second part of the use case
911 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
describes what happens when you create a VLANon the MSPnetwork to provide shared
services to the subscriber companies end-users.
Company 1 and Company 2 are hosted companies on the MSP network. The followoing
table shows the VLANs, VLAN IDs, interfaces and roles defined for each company.
Company 1 has defined two VLANs, one for Sales and one for Human Resources. Each
company has an associated role defined for each VLAN. The root administrator creates
each VLAN, providing a unique VLANIDfor each, and indicating a given port. In this case,
the root administrator has created all four VLANs on the internal interface
Role Interface VLANID VLAN
SALES int0.1 1 Sales Company 1
HR int0.2 2 HR
EMPLOYEE int0.3 3 Employee Company 2
PARTNER int0.4 4 Partner
NOTE: Thelabels for ports havebeenchanged. Theport nameeth0(internal
port) is nowcalled int0 and eth1 (external port) is nowext0. You can only
see the route table device names (such as int0.1) fromthe serial console.
Youcanviewtheroutetableby selectingmenuitem1, thenmenuitem2from
the serial console.
The following figure illustrates the MSP and subscriber company deployments.
Copyright 2011, Juniper Networks, Inc. 912
Junos Pulse Secure Access Service Administration Guide
NOTE: IVS VLANs are not explicitly tied to subscriber intranets by
configuration on the SA Series Appliance. The association of a VLANto a
subscriber intranet is accomplished by mapping VLANinterfaces to private
tunnels in the subscriber intranet within the CE->CPE router framework.
In the above figure, Network Connect end-users get their source IP addresses from
configured Network Connect IP address pools that the root administrator has defined
for the IVS. Also, in the figure, non-Network Connect users can still access specified
realms based on their roles and on role-based source IP (VIP sourcing) addresses that
you define as virtual ports on the VLAN.
The following list describes each itemthat is marked with a numbered label in the above
figure.
913 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
The following list describes each itemthat is marked with a numbered label in the above
figure.
1. Network Connect end-users get IP addresses fromNetwork Connect IP pools. Traffic
fromthese users is routedthrough the appropriate subscriber VLAN, which you define
on the internal port.
2. Non-Network Connect end-users get IP addresses fromvirtual IP (VIP) pools. Traffic
fromthese users is sourced through the appropriate subscriber VLAN.
3. InFigure67, thisnumberedboxrepresentsasubscriber IVS, whichcontainstwoVLANs
that are defined on ports int0.1 and int0.2.
4. In Figure 67, this numbered box represents a second subscriber IVS, which contains
two VLANs that are defined on ports int0.3 and int0.4.
5. The subscriber defines a role for Sales on VLAN1. End-users signing in to IP 13.10.0.1
over the Internet are routed to the Company 1 intranet, to the appropriate backend
resources located in the Sales realmat 10.10.0.0/16. End-users signing in on IP
13.11.0.1 are VIP sourced to the Company 1 intranet, also to the appropriate backend
resources located in the Sales realmat 10.10.0.0/16.
6. The subscriber defines a role for HR on VLAN2. End-users signing in on IP 13.12.0.1
over the Internet are routed to the Company 1 intranet, to the appropriate backend
resources located in the HR realmat 10.11.0.0/16. End-users signing in on IP 13.13.0.1
are VIPsourced to the Company 1 intranet, also to the appropriate backend resources
located in the HR realmat 10.11.0.0/16.
7. The subscriber defines a role for Employee on VLAN3. End-users signing in on IP
14.10.0.1 over the Internet are routed to the Company 2 intranet, to the appropriate
backendresources locatedin the Employee realmat 10.10.0.0/16. End-users signing
in on IP 14.11.0.1 are VIP sourced to the Company 2 intranet, also to the appropriate
backend resources located in the Employee realmat 10.10.0.0/16.
8. Thesubscriber defines arolefor Partner onVLAN4. End-users signinginonIP14.12.0.1
over the Internet are routed to the Company 2 intranet, to the appropriate backend
resources located in the Partner realmat 10.11.0.0/16. End-users signing in on IP
14.13.0.1 are VIP sourced to the Company 2 intranet, also to the appropriate backend
resources located in the Partner realmat 10.11.0.0/16.
9. The Company 1 intranet supports two realms: Sales at 10.10.0.0/16 and HR at
10.11.0.0/16. These realms correspond to the roles defined on VLAN1 and VLAN2/
10. TheCompany2intranet supportstworealms: Employee at 10.10.0.0/16andPartner
at 10.11.0.0/16.
NOTE: The realms are valid even though they contain overlapping IP
addresses. Because the roles are defined for different VLANs, the VLANIDs
provide the separation that allows themto overlap without danger of mixed
traffic.
The route tables for each VLAN appear as follows:
Copyright 2011, Juniper Networks, Inc. 914
Junos Pulse Secure Access Service Administration Guide
Table 37: VLAN1 Route Table
Output Port Gateway Destination IP
int0.1 Default gateway on VLAN1 0.0.0.0
int0.1 0.0.0.0 10.10.0.0/16
Table 38: VLAN2 Route Table
Output Port Gateway Destination IP
int0.2 Default gateway on VLAN2 0.0.0.0
int0.2 0.0.0.0 10.10.0.0/16
Table 39: VLAN3 Route Table
Output Port Gateway Destination IP
int0.3 Default gateway on VLAN3 0.0.0.0
int0.3 0.0.0.0 10.10.0.0/16
Table 40: VLAN4 Route Table
Output Port Gateway Destination IP
int0.4 Default gateway on VLAN4 0.0.0.0
int0.4 0.0.0.0 10.10.0.0/16
Nowconsider the situation in which the MSP decides to provide shared services to
end-users of Company 1 and Company 2. Assume the MSP network is also on a VLAN
(VLAN5). If youwant toprovideservices on10.64.0.0/16tobothCompany 1 andCompany
2, and services on 10.65.0.0/16 to Company 2 only, you can configure either Network
Connect pools or virtual ports for those addresses.
Figure 68 illustrates this situation. Some details fromthis figure have been removed or
greyed out to improve readability.
915 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
1. Company1 end-users sign-inover theInternet totheMSPnetworkandtheMSPVLAN,
VLAN5 (represented as number 3 in the illustration).
2. Company 2end-users sign-inover theInternet totheMSPnetworkandtheMSPVLAN,
VLAN5 (represented as number 3 in the illustration).
3. The MSP VLAN5 provides access to shared services on the MSP network.
4. You must define separate IP addresses for each subscriber companys end-users,
even though they share MSP services.
Once you configure routes to support users who have access to shared services on the
MSP network and to support users who also have access to restricted MSP network
services, the VLAN route tables appear as follows.
Table 41: VLAN1 Route Table
Output Port Gateway Destination IP
Copyright 2011, Juniper Networks, Inc. 916
Junos Pulse Secure Access Service Administration Guide
Table 41: VLAN1 Route Table (continued)
int0.1 Default gateway on VLAN1 0.0.0.0
int0.5 Router on VLAN5 10.64.0.0
Table 42: VLAN2 route table
Output Port Gateway Destination IP
int0.2 Default gateway on VLAN2 0.0.0.0
int0.5 Router on VLAN5 10.64.0.0
Table 43: VLAN3 route table
Output Port Gateway Destination IP
int0.1 Default gateway on VLAN3 0.0.0.0
int0.5 Router on VLAN5 10.64.0.0
int0.5 Router on VLAN5 10.65.0.0
Table 44: VLAN4 route table
Output Port Gateway Destination IP
int0.2 Default gateway on VLAN4 0.0.0.0
int0.5 Router on VLAN5 10.64.0.0
int0.5 Router on VLAN5 10.65.0.0
If the MSP network is connected to the untagged port (internal), the route entries are
similar, but the output port is int0 only.
Related
Documentation
IVS Provisioning Process Overviewon page 882
Use Case: Configuring a Global Authentication Server for Multiple Subscribers
If your subscriber companies prefer to lease or purchase authentication services from
you, theserviceprovider, youcanconfigureaglobal authenticationserver onyour network.
In that case, you must performseveral tasks:
1. Configure one or more authentication servers on your MSP network.
2. Configure path-based URLs or virtual ports for sign-in on your MSP network.
3. Configure VLANs and IVS systems to map to the authentication servers on the MSP
network.
917 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
Related
Documentation
IVS Provisioning Process Overviewon page 882
Use Case: Configuring a DNS/WINS Server IP Address per Subscriber
If you want to configure a particular DNS/WINSserver IPaddress per subscriber, you can
do so fromwithin each IVS.
To configure a DNS/WINS server IP address:
1. Configure your IVS systems.
2. Select an IVS fromthe systemdrop down menu in the admin console header area
and then click Go. Within the IVS context, the header color changes and displays the
name of the subscriber.
3. Select System> Network > Overview.
4. Enter the DNS/WINS settings that correspond to the DNS/WINS server on the
subscriber intranet.
5. Click Save Changes.
Related
Documentation
IVS Provisioning Process Overviewon page 882
Use Case: Configuring Access to Web Applications and Web Browsing for Each
Subscriber
The IVS administrator may want to configure specific Web browsing policies for the IVS
end-users.
ToconfigureWebbrowsingaccess, theIVSadministrator needstoconfigurethefollowing
pages:
Users > User Roles > RoleName > Web
Users > Resource Policies > Web
Configuring Web Browsing Access
To configure Web browsing access:
1. Choose Users > User Roles > RoleName > Web.
2. Select the Bookmarks tab.
3. Click NewBookmark.
4. Supply settings to configure the bookmark to a given Web URL.
5. Click Save Changes or Save + Newif you want to add multiple bookmarks.
The bookmarks you define here appear in the SA Series SSL VPN Appliance Web
bookmarks section to which end-users have access.
Copyright 2011, Juniper Networks, Inc. 918
Junos Pulse Secure Access Service Administration Guide
6. Select the Options tab.
7. Select the Web browsing privileges you want to provide to your end-users.
8. Choose the other options you want, including setting the timeout value for the HTTP
connection.
9. Click Save Changes.
Configuring Web Browsing Access Policies
To configure Web browsing access policies:
1. Choose Users > Resource Policies > Web.
2. Supply the appropriate settings on each of the tabs.
Related
Documentation
IVS Provisioning Process Overviewon page 882
Use Case: Configuring File Browsing Access for Each Subscriber
The IVS administrator may want to configure specific file-browsing access policies for
the IVS end-users. The IVS administrator can performthis type of operation based on
roles.
To configure file browsing, the IVS administrator needs to configure the following pages:
Users > User Roles > RoleName > General
Users > User Roles > RoleName > Files
Users > Resource Policies > Files
Configuring File Browsing Access
To configure file browsing access:
1. Choose Users > User Roles > RoleName > General.
2. Under Access Features, select the Files checkbox (for Windows).
3. Click Save Changes.
4. Select the Files tab.
5. Select the Options page.
6. Depending on the file systemtype, select the options that apply to the IVS end-user
access.
7. Click Save Changes.
Configuring File SystemAccess Policies
919 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
To configure file systemaccess policies:
1. Make sure you are in the IVS context. If the IVS drop down menu in the admin console
header bar displays Root, select the IVS name fromthe menu and click Go.
2. Select Users > Resource Policies > Files > Access > Windows.
3. Choose the role fromthe Showpolicies that apply to drop down menu, and click
Update.
4. Click NewPolicy.
5. Supply the appropriate settings.
6. Click Save Changes.
7. Select the Credentials tab.
8. Supply the appropriate settings.
9. Click Save Changes.
10. Repeat these steps for each role.
11. Select the Encoding tab to select the language encoding and click Save Changes.
12. Select the Options tabtoset options, suchas IPbasedmatchingfor Hostname based
policy resources and click Save Changes.
NOTE: UNIX/NFS file resource policies are supported only on the root IVS.
Related
Documentation
IVS Provisioning Process Overviewon page 882
Use Case: Setting Up Multiple Subnet IP Addresses for a Subscribers End-Users
Assume that the subscriber wants to create subnets within the intranet to support traffic
separation between subscriber end-users fromthree different departments: Marketing,
Finance, and Engineering. The procedures needed to accomplish this task are divided
between those performed by the root administrator and those performed by the IVS
administrator.
Tasks Performed by the Root Administrator
1. Create subscriber VLAN.
2. Create subscriber IVS.
3. Create path-based URLs or virtual ports for sign-in.
4. Create virtual ports for role-based source IP aliasing.
Tasks Performed by the IVS Administrator
1. Create users.
Copyright 2011, Juniper Networks, Inc. 920
Junos Pulse Secure Access Service Administration Guide
2. Assign roles to VLAN/Source IP.
3. Assign users to roles.
Related
Documentation
IVS Provisioning Process Overviewon page 882
Configuring VLANs on the Virtualized SA Series Appliance on page 886
Creating a Virtual System(IVS Profile) on page 889
Configuring Virtual Ports on page 692
About Role-Based Source IP Aliasing on page 894
User Roles Overviewon page 93
Associating Roles with Source IP Addresses in an IVS on page 894
Creating User Accounts on a Local Authentication Server on page 168
Use Case: Configuring Multiple IVS Systems to AllowAccess to Shared Server
There may be cases in which you want to provide end-users of multiple subscriber
companies to access a shared server on the MSP network.
The following steps describe a simple use case and solutions.
Solution #1
To configure access to a shared server, assuming two IVS systems for two subscribers:
1. Add the internal port to the IVS1 list of selected VLANs.
2. Add the internal port to the IVS2 list of selected VLANs.
3. Edit the internal ports route table and configure a static route pointing to the shared
server, with the internal interface as the output port.
Solution #2
To configure access to a shared server, assuming two IVS systems for two subscribers:
1. Add VLAN1 to the IVS1 selected VLAN list and set it as the default VLAN.
2. Add VLAN2 to the IVS2 selected VLAN list and set it as the default VLAN.
3. Edit the route tables for both VLAN1 and VLAN2 and configure a static route in each
that points to the shared server, with the internal interface as the output port.
Related
Documentation
Configuring VLANs on the Virtualized SA Series Appliance on page 886
IVS Provisioning Process Overviewon page 882
Creating a Virtual System(IVS Profile) on page 889
921 Copyright 2011, Juniper Networks, Inc.
Chapter 35: Instant Virtual System
Copyright 2011, Juniper Networks, Inc. 922
Junos Pulse Secure Access Service Administration Guide
CHAPTER 36
SA Series Appliance and IDP
Interoperability
About IDP on page 923
IDP Deployment Scenarios on page 924
Configuring the SA Series SSL VPN Appliance to Interoperate with IDP on page 925
Configuring IDP Sensor Policies on page 926
Configuring the SA Series SSL VPN Appliance to Interoperate with IDP on page 928
Defining Automatic Response Sensor Event Policies on page 929
Identifying and Managing Quarantined Users Manually on page 931
About IDP
Securing intranet work application and resource traffic is vital to protecting your network
fromhostile outside intrusion. You can add levels of application security to your remote
access network by integrating a Juniper Networks SA Series SSL VPN Appliance with a
Juniper Networks Intrusion Detection and Prevention (IDP) Sensor. The IDP device may
provide the following types of protection in this solution (some forms of protection
depend upon the specific configuration):
The IDP sensor monitors the network on which the IDP systemis installed. The sensors
primary task is to detect suspicious and anomalous network traffic based on specific
rules defined in IDP rulebases.
The IDP device provides the following types of protection (some forms of protection
depend upon the specific configuration):
Protects against attacks fromuser to application and fromapplication to user (from
a server-side endpoint)
Detects and blocks most network worms based on software vulnerabilities
Detects and blocks non-file-based Trojan Horses
Detects and blocks effects of spyware. adware, and key loggers
Detects and blocks many types of malware
Detects and blocks zero day attacks through the use of anomaly detection
923 Copyright 2011, Juniper Networks, Inc.
NOTE: An IDP Sensor can send logs to one SA Series SSL VPNAppliance
only. However, anSASeries SSLVPNAppliancecanreceivelogs frommore
than one IDP Sensor.
You do not need a special license fromJuniper Networks to enable interaction between
the SA Series Appliance and the IDP.
Using the SA Series SSL VPN Appliance admin console, you can configure and manage
interaction attributes between the SA Series SSL VPN Appliance and an IDP, including
the following:
Global configurationparameters suchas the IDPhostname or IPaddress, the TCPport
over which the sensor communicates with the SA Series Appliance, and the one-time
password the SA Series Appliance and IDP use to authenticate with one another.
Dynamically changing the IDPconfiguration fromthe SASeries Appliance and alerting
the IDP of changes in the IP address pool available to remote users.
Various levels of attack severity warnings.
The IDPsits behindthe SASeries Appliance onyour internal network andmonitors traffic
flowing fromthe SA Series Appliance into the LAN. Any abnormal events detected by
the IDP Sensor are reported to the SA Series Appliance, which you configure to take
appropriate action based on the severity level of the reported events. The IDP Sensor
performsreportingfunctionsinadditiontoanynormal loggingtheIDPhasbeenconfigured
to undertake.
You can use an IDP Sensor on an SA Series Appliance cluster, if the cluster is configured
with a virtual IP (VIP) address.
Licensing: IDP Availability
The IDP integration feature is not available on the SA 700.
Related
Documentation
IDP Deployment Scenarios on page 924
Configuring the SA Series SSL VPN Appliance to Interoperate with IDP on page 925
Configuring IDP Sensor Policies on page 926
IDP Deployment Scenarios
The two most likely deployment scenarios are as follows:
Customer use of the SASeries SSL VPNAppliance for extended enterprise access and
IDP for security of all perimeter traffic including but not limited to traffic fromthe SA
Series SSL VPN Appliance. The following figure illustrates this scenario, in which the
SA Series SSL VPN Appliances is deployed in the DMZ or on the LAN and the IDP is
deployed in-line behind the firewall and in front of the LAN.
Copyright 2011, Juniper Networks, Inc. 924
Junos Pulse Secure Access Service Administration Guide
Figure 27: SASeries Appliance and IDP Topology Scenario 1
In the second deployment scenario, IDP is only used to protect traffic that comes
through the SA Series SSL VPN Appliance but not in-line with other perimeter traffic.
The following figure illustrates this deployment scenario.
Figure 28: SASeries Appliance and IDP Topology Scenario 2
Related
Documentation
About IDP on page 923
Configuring the SA Series SSL VPN Appliance to Interoperate with IDP on page 925
Configuring the SASeries SSL VPNAppliance to Interoperate with IDP
The IDP Sensor is a powerful tool to counter users who initiate attacks. Integration with
the SA Series allows you to configure automatic responses as well as manually monitor
and manage users.
To configure the SA Series to interoperate with an associated standalone IDP Sensor,
youmust first ensuretheIDPhas beenconfiguredaccordingtotheinstructions described
in the Signaling Setup appendix of the Intrusion Detection and Prevention Concepts &
Examples Guide.
Once the IDP Sensor has been set up, you can specify the events you want the IDP to
watchfor andtheactions that theSASeries takes onceaparticular event has beennoted
and reported.
There are two locations on the SA Series where you can specify actions to be taken in
response to users that performattacks:
Sensor Event policies pageDefine the policy on this page to generate an automatic
response to users who performattacks.
925 Copyright 2011, Juniper Networks, Inc.
Chapter 36: SA Series Appliance and IDP Interoperability
Users pageManually identify andquarantine or disable users onthe System>Status
> Active Users page, which lists users who have performed attacks.
Interaction Between the IC Series and IDP
The SASeries reads attack informationas it is being sent by the IDPsensor. The SASeries
receives the source and destination IPaddresses and port numbers of the attacking host
and the resource against which the attack was launched, along with the attack identifier,
severity of the attack, and the time at which the attack was launched.
The SA Series incorporates and displays the attack information received fromthe IDP
sensor on the System> Status > Active Users page. Based on the attackers IP address
and port number, the SA Series can uniquely identify the users session.
You can choose automatic or manual actions for attacks detected by the IDP sensor. For
manual action, youlook uptheinformationavailableontheActiveUsers pageanddecide
on an action. For automatic action, you configure the action in advance when you define
your IDP policies.
Related
Documentation
Configuring IDP Sensor Policies on page 926
Configuring IDP Sensor Policies
The Sensors tab allows you to specify the systemsettings the SA Series SSL VPN
Appliance uses to establish a connection to a Juniper Networks Intrusion Detection and
Prevention (IDP) device.
Use the System> Configuration > Sensors > Sensors tab to performa number of tasks
relatedtoconfiguringandmanaginginteractionbetweentheSASeries andanIDPSensor.
The main Sensor page displays the sensor, the network address, the state (enabled),
the version, and the status of any configured sensors.
Creating a NewIDP Sensor Entry In IDP versions prior to 5.0, the SA Series sends only
the user IP address. With version 5.0, the SA Series sends session information including
the user, user role and IP address.
To enable or disable existing IDP Sensor entries on the SA Series SSL VPN Appliance:
1. In the admin console, choose System> Configuration > Sensors.
NOTE: To use the IDP sensor with the SA Series you must enable logging
for the applicable policies.
2. Click NewSensor. The admin console displays the NewSensor page.
3. Under Sensor Properties, specify the following information:
NameA name the SA Series uses to identify the newconnection entry
HostnameThe hostname or IP address of the IDP Sensor to which the SA Series
connects in order to receive application and resource attack alert messages
Copyright 2011, Juniper Networks, Inc. 926
Junos Pulse Secure Access Service Administration Guide
PortThe TCPport on the IDPSensor to which the SASeries listens when receiving
application and resource attack alert messages
One-timepasswordTheencryptedpasswordtheSASeries uses whenconducting
the initial Transport Layer Security (TLS) handshake with the IDPSensor. You must
enter the encrypted SA Series OTP password as displayed on the IDP ACM
configuration summary screen.
NOTE: The hostname, TCP port, and one-time password must already
be configured on the IDP Sensor before this configuration can be
successful.
4. Under Monitoring Options, specify IP addresses to monitor and the minimumalert
severity level the IDP Sensor will record and submit to the SA Series appliance:
IntheAddresses toMonitor field, specify individual IPaddresses andaddress ranges,
one entry per line. IDP reports attack information only for the IP addresses that you
specify. If you want IDP to report all events to the SA Series appliance, enter
0.0.0.0/0. If you want IDP to report only selected events, enter <default> to permit
IDP to report events for events with source IPs that have an active user session on
the SA Series, and /or enter one or more addresses or address ranges for any
endpoint that you want the IDP sensor to report.
Select one of the severity options available in the Severity filter drop down list. The
severity level is a number on a scale from1 to 5, where 1 is informational and 5 is
critical. This option represents the severity of messages the IDP should send to the
SA Series appliance.
5. Click Save Changes.
Enabling or Disabling IDP Sensors
To enable or disable existing IDP Sensor entries on the SA Series appliance:
1. In the admin console, choose System> Configuration > Sensors.
2. Select the checkbox next to one or more IDP Sensor entries you want to enable or
disable.
3. Click Enable or Disable to enable or disable the specified IDP Sensor entries,
respectively.
You can delete existing IDP Sensor entries that define a connection between the SA
Series and an IDP Sensor.
To delete one or more existing IDP Sensor entries fromthe SA Series:
1. In the admin console, choose System> Configuration > Sensors.
2. Select the checkbox next to the IDP Sensor entry or entries you want to delete.
3. Click Delete and then confirmthat you want to delete the sensor entry or entries.
927 Copyright 2011, Juniper Networks, Inc.
Chapter 36: SA Series Appliance and IDP Interoperability
Reconnecting to an IDP Sensor
When the connection to an IDP Sensor is down, you can use the admin console on the
SA Series to re-establish the connection. You can also use the admin console to refresh
the status of existing connections between the SA Series and the IDP Sensor.
If you need to re-establish communication with an IDP Sensor, you must generate a new
One-time Password.
To reconnect to an associated IDP Sensor:
1. In the admin console, choose System> Configuration > Sensors.
2. Select the checkbox next to the IDP Sensor to which you want to reconnect.
3. Click Reconnect.
The admin console displays a message informing you that the SA Series is currently
attempting to re-establish connection to the specified IDP Sensor. This page
automatically refreshes each secondduring the reconnection process. Otherwise, the
connection status page automatically refreshes once every 30 seconds.
Refreshing and Displaying the Connection Status
To refresh and display the connection status for the specified IDP Sensor:
1. In the admin console, choose System> Configuration > Sensors.
2. Select the checkbox next to one or more IDP Sensor entries for which you want to
display current connection status.
3. Click Refresh.
Related
Documentation
About IDP on page 923
Configuring the SA Series SSL VPN Appliance to Interoperate with IDP on page 925
Configuring the SASeries SSL VPNAppliance to Interoperate with IDP
The IDP Sensor is a powerful tool to counter users who initiate attacks. Integration with
the SA Series allows you to configure automatic responses as well as manually monitor
and manage users.
To configure the SA Series to interoperate with an associated standalone IDP Sensor,
youmust first ensuretheIDPhas beenconfiguredaccordingtotheinstructions described
in the Signaling Setup appendix of the Intrusion Detection and Prevention Concepts &
Examples Guide.
Once the IDP Sensor has been set up, you can specify the events you want the IDP to
watchfor andtheactions that theSASeries takes onceaparticular event has beennoted
and reported.
Copyright 2011, Juniper Networks, Inc. 928
Junos Pulse Secure Access Service Administration Guide
There are two locations on the SA Series where you can specify actions to be taken in
response to users that performattacks:
Sensor Event policies pageDefine the policy on this page to generate an automatic
response to users who performattacks.
Users pageManually identify andquarantine or disable users onthe System>Status
> Active Users page, which lists users who have performed attacks.
Interaction Between the IC Series and IDP
The SASeries reads attack informationas it is being sent by the IDPsensor. The SASeries
receives the source and destination IPaddresses and port numbers of the attacking host
and the resource against which the attack was launched, along with the attack identifier,
severity of the attack, and the time at which the attack was launched.
The SA Series incorporates and displays the attack information received fromthe IDP
sensor on the System> Status > Active Users page. Based on the attackers IP address
and port number, the SA Series can uniquely identify the users session.
You can choose automatic or manual actions for attacks detected by the IDP sensor. For
manual action, youlook uptheinformationavailableontheActiveUsers pageanddecide
on an action. For automatic action, you configure the action in advance when you define
your IDP policies.
Related
Documentation
Configuring IDP Sensor Policies on page 926
Defining Automatic Response Sensor Event Policies
Use the System> Configuration > Sensors > Sensor Event Policies tab to specify one
or more rules that specify the action(s) the SA Series takes when it receives attack alert
messages froman IDP Sensor.
To create a newIDP rule:
1. In the admin console, select System> Configuration > Sensors > Sensor Event
Policies.
2. On the Sensor Event Policies page, click NewRules.
3. On the Juniper IDP Rule page, in the Rule: On Receiving... section:
Select an existing event fromthe Event drop-down list.
Click Events to edit an existing event or create a newtype of event and add it to the
options in the Events drop-down list:
a. Specify a name for the event.
b. Populate the Expressions field by manually entering expressions or by selecting
oneor moreclauses fromtheExpressions Dictionary andclickingInsert Expression.
929 Copyright 2011, Juniper Networks, Inc.
Chapter 36: SA Series Appliance and IDP Interoperability
For example, to check for all critical/highest severity level attacks, enter the
following expression:
idp.severity >= 4
To check for all critical/highest severity level attacks for HTTP traffic, enter the
following expression:
idp.severity >= 4 AND idp.attackStr = *HTTP*
For more information on building IDP policies, see:
Juniper Networks TechNote IDP Policy Building Primer, available at http://www.juni
per.net/solutions/literature/tech_note/552035.pdf.
c. When you have finished entering the expressions you want to apply to this event,
click Add Expression.
d. Click Close.
4. In the Count this many times section, specify a number between 1 and 256 to
determine the number of times an event must occur before action is taken.
5. In the ...then performthis action section, specify one of the following actions:
Ignore (just log the event)Specifies that the SA Series should log the event, but
take no further action against the user profile to which this rule applies. This option
is best used to deal with very minor informational attack alert messages that
come fromthe IDP Sensor.
TerminateUser SessionSpecifiesthat theSASeriesshouldimmediatelyterminate
the user session and require the user to sign in to the SA Series appliance again.
Disable user accountSpecifies that the SA Series should disable the user profile
associated with this attack alert message, thus rendering the client unable to sign
in to the SA Series appliance until the administrator re-enables the user account.
(This option is only applicable for users who have a local SA Series user account.)
Replace users role with this oneSpecifies that the role applied to this users
profile should change to the role you select fromthe associated dropdown list. This
newrole remains assigned to the user profile until the session terminates. This
feature allows you to assign a user to a specific controlledrole of your choice, based
on specific IDP events. For example, if the user performs attacks, you might assign
the user to a restricted role that limits the users access and activities.
Choose to make this role assignment:
PermanentUser remains in the quarantined state across subsequent logins
until the administrator releases the user fromthe quarantined state.
For this session onlyDefault. User can log in to another session.
6. In the Roles section, specify:
Policy applies to ALL rolesTo apply this policy to all users.
Copyright 2011, Juniper Networks, Inc. 930
Junos Pulse Secure Access Service Administration Guide
Policy applies to SELECTEDrolesTo apply this policy only to users who are
mapped to roles in the Selected roles list. Make sure to add roles to this list from
the Available roles list.
Policyappliestoall rolesOTHERTHANthoseselectedbelowToapply this policy
to all users except for those who are mapped to the roles in the Selected roles list.
Make sure to add roles to this list fromthe Available roles list.
7. Click Save Changes.
Related
Documentation
Configuring the SA Series SSL VPN Appliance to Interoperate with IDP on page 925
Identifying and Managing Quarantined Users Manually
When the SA Series appliance quarantines a user based on an attack, you can display
and manage the states by locating the user link in the System> Status > Active Users
page.
A small warning icon displayed in front of the user name.
The hyperlinked user name.
An enabled Quarantined option button on the specific users page. If the user is not
quarantined, the option button is disabled.
To manage quarantined users:
1. Identify quarantined users at System> Status > Active Users.
2. Locate the quarantined user and click on the username link. The user page opens,
showing a number of options.
3. Click Disabled to disallowa user fromauthenticating.
4. Click Quarantined to leave a user in a quarantined state. The Quarantined option is
only enabled if the user is already quarantined.
NOTE: The SA Series assigns quarantined users to the quarantined role,
regardless of their login realm.
5. Click Save Changes.
6. To re-enable previously quarantined or disabled users, select Authentication > Auth.
Servers > Select Server > Users and click the link for the given user.
NOTE: You can also disable users fromthis location.
7. Click Enabled to release the user fromquarantine.
8. Click Save Changes.
931 Copyright 2011, Juniper Networks, Inc.
Chapter 36: SA Series Appliance and IDP Interoperability
All Sensor events are logged at System> Log/Monitoring > Sensors > Log.
Related
Documentation
Defining Automatic Response Sensor Event Policies on page 929
Monitoring Active Users on page 817
Copyright 2011, Juniper Networks, Inc. 932
Junos Pulse Secure Access Service Administration Guide
PART 6
SystemServices
SA Series Appliance Serial Console on page 935
Customizable Admin and End-User UIs on page 941
SA6000 Series Appliance on page 943
SA4500 and SA6500 Series Appliances on page 947
Secure Access FIPS on page 957
SA4500 and SA6500 FIPS Appliances on page 969
Compression on page 979
Multi-Language Support on page 983
Handheld Devices and PDAs on page 987
Using IKEv2 with the SA Series Appliance on page 995
Writing CustomExpressions on page 1001
933 Copyright 2011, Juniper Networks, Inc.
Copyright 2011, Juniper Networks, Inc. 934
Junos Pulse Secure Access Service Administration Guide
CHAPTER 37
SA Series Appliance Serial Console
Using the Serial Console on page 935
Rolling Back to a Previous SystemState Through the Serial Console on page 936
ResettinganSASeriesDevicetotheFactorySettingUsingtheSerial Consoleonpage937
Performing Common Recovery Tasks with the Serial Console on page 938
Using the Serial Console
The serial console provides a limited set of powerful capabilities to help you manage
your SA Series SSL VPN appliance, and is available through your operating systems
command window.
Before performing any tasks through an SA Series SSL VPN appliances serial console,
you need to connect to the console using a terminal console or laptop.
To connect to a SA Series appliances serial console:
1. Plug a null modemcrossover cable froma console terminal or laptopinto the Infranet
Controller appliance. This cable is provided in the product box. Do not use a straight
serial cable.
2. Configure a terminal emulation utility, such as HyperTerminal, to use these serial
connection parameters:
9600 bits per second
8-bit No Parity (8N1)
1 Stop Bit
No flowcontrol
3. Press Enter until the Infranet Controller serial console appears.
NOTE: If you are running an SA Series FIPS machine and are connecting
to the serial console for the first time, you must also set the mode switch
on the cryptographic module to I (initialization mode).
935 Copyright 2011, Juniper Networks, Inc.
Figure 29: SASeries Serial Console
Related
Documentation
Rolling Back to a Previous SystemState Through the Serial Console on page 936
ResettinganSASeriesDevicetotheFactorySettingUsingtheSerial Consoleonpage937
Performing Common Recovery Tasks with the Serial Console on page 938
Rolling Back to a Previous SystemState Through the Serial Console
If youcannot access theadminconsole, connect totheserial consoletoperformasystem
rollback to the previous systemstate.
If you have not yet performed an SA Series OS service package upgrade, there is no
previous state to roll back to and this option is not available. If you have performed an
SA Series OS service package upgrade, any systemand user configuration data created
after the upgrade is lost unless you export the most current configuration files before
rolling back the systemand then import themafterwards.
To roll back to the previous SA Series OS service package:
1. Connect to your SA Series appliances serial console.
2. In a browser window, sign in to the admin console.
3. Select Maintenance > System> Platform.
4. ClickReboot Nowandthengobacktotheconsoleutility window. Thewindowdisplays
a message that the systemis restarting.
5. After several moments, you are prompted to hit the Tab key for options. Press the
Tab key, and when prompted for the configuration to load, type rollback and then
press the Enter key.
After clicking Reboot Nowon the Maintenance > System> Platformpage, the servers
rollback status is output to the screen, and when complete, you are prompted to hit the
Returnkey (Enter) tomodify systemsettings, whichreturns youtotheinitial setupoptions.
When you are finished entering data, simply close the utility window.
Copyright 2011, Juniper Networks, Inc. 936
Junos Pulse Secure Access Service Administration Guide
If you wait more than 5 seconds to enter your choice, the current systemconfiguration
is automatically loadedandyoull needtogoback tothe adminconsole andclick Reboot
Nowto start the process again. If you have already performed a systemrollback, the
rollback option is not available again until you upgrade the SASeries OSservice package
again.
Related
Documentation
Using the Serial Console on page 935
Resetting an SASeries Device to the Factory Setting Using the Serial Console
Inrarecases, youmay needtoreset your SASeries appliancetoits original factory settings.
Before performing this advanced systemrecovery option, please contact Juniper
(http://www.juniper.net/support/). If possible, export the most current systemand user
configuration data before performing a factory reset.
To performa factory-reset:
1. Connect to the serial console.
2. In a browser window, sign in to the admin console.
3. Select Maintenance > System> Platform.
4. Click Reboot and then go back to the console utility window. The windowdisplays a
message that the systemis restarting.
5. After several moments, you are prompted to hit the Tab key for options. Press the
Tab key, and when prompted for the configuration to load, type factory-reset and then
press the Enter key.
If you wait more than 5seconds to enter your choice, the current systemconfiguration
is automatically loaded and youll need to go back to the admin console and click
Reboot Nowto start the process again.
6. When you are promptedto confirmperforming a factory-reset, type proceed andthen
press Enter.
The systembegins the process of resetting the machine to its original settings and
outputs several screens of data. After several minutes, you are prompted to hit the
Tab key to choose configuration choices.
7. When prompted to hit the Tab key, either:
Wait for the default selection (current) to automatically start, or
Press Tab, type current, and then press Enter.
You are then prompted to enter the initial machine configuration settings. For details
on howto proceed, see the Getting Started Guide provided in the product packaging
or on the Juniper Networks Support site.
After completing the initialization process, you may upgrade to the latest SA Series
OS service package and import saved systemand user configuration files to return to
the last good working state of your machine.
937 Copyright 2011, Juniper Networks, Inc.
Chapter 37: SA Series Appliance Serial Console
You might receive errors fromthe SA Series appliance during the initial setup or on a
factory reset. Before the SA Series appliance starts services it monitors the network port
for a maximumof 120 seconds. The SA Series appliance checks the link status and
performs an ARPing on the default gateway. If there is a problem, after 5 seconds, the
SA Series appliance displays a message on the serial console that starts with NIC:...... If
the link recovers within 120 seconds, the startup process continues. If the link does not
recover, the following message appears:
Internal NIC: ................[Down code=0x1]
Two codes can appear:
0x1 means that the interface link status reported by the NIC remains off (for example,
a disconnected cable or a cable in the wrong port).
0x2 means that the gateway is unreachable. The SA Series appliance boots but is not
reachable fromIP addresses bound to that network port.
Related
Documentation
Using the Serial Console on page 935
Performing Common Recovery Tasks with the Serial Console
If you forget your SA Series administrator username and/or password, lock yourself out
of your machineduetoconfigurationerrors, or changetheSASeries applianceIPaddress
and can no longer reach the machine, you can modify the machine settings through the
serial console. Connect the serial cable and then choose the appropriate configuration
task.
Network Settings and ToolsEnables you to change standard network settings; print
a routing table; print or clear an ARP cache; ping another server, trace a route to a
server, remove static routes, and add an ARP entry.
Create admin username and passwordEnables you to create a new
superadministrator account.
Display logEnables you to display systemconfiguration, user logs, or administrator
access logs through the serial console. Note that must enter q to return to serial
console options after viewing the logs.
SystemOperationsEnables you to reboot, shutdown, restart, rollback, or factory
reset the Infranet Controller appliance without using the admin console.
Toggle password protection for the consoleEnables you to password protect the
serial console. Whenyoutogglethis optiontoon, only superadministrators areallowed
access.
Create aSuper AdminsessionEnables you to create a recovery session to the admin
console, even if you have configured the SA Series appliance to block access to all
administrators. When you select this option, the appliance generates a temporary
token that is valid for 3 minutes. Enter the following URL into a browser window:
https://<SA-Series-host>/dana-na/auth/recover.cgi
Then, enter thetemporary tokenwhenpromptedinorder tosignintotheadminconsole.
Copyright 2011, Juniper Networks, Inc. 938
Junos Pulse Secure Access Service Administration Guide
When you choose this option, the SA Series appliance blocks any additional
administrators fromsigning in to the admin console until you sign in to the specified
URL and initiate a session using your token. The appliance blocks additional sign-in
attempts so that you can fix any configuration problems that the Infranet Controller
may have encountered without conflicting with another session.
SystemSnapshotEnables you to take a systemsnapshot without using the admin
console. When you choose this option, the SA Series appliance takes the snapshot
immediately. You can then send the snapshot file, by way of SCP, to a remote system.
The systemprompts you for the destination server port, user ID, password, and the
destination path to the remote directory.
If youchoose not tosendthe snapshot file toaremote system, the SASeries appliance
saves the file locally. The next time you log in to the admin console, the System
Snapshot tab contains a link to the snapshot file.
Replace Administrator Card Set (SA FIPS Series only)Enables you to create
additional administrator cards for asecurity world. Seethefollowingsectionfor details.
NOTE: If you are running an SA FIPS Series appliance and you press the
clear switch on the cryptographic module, set the cryptographic modules
mode switch to O(operational mode) and restart the system. You do not
need to access the serial console for recovery.
Related
Documentation
Using the Serial Console on page 935
939 Copyright 2011, Juniper Networks, Inc.
Chapter 37: SA Series Appliance Serial Console
Copyright 2011, Juniper Networks, Inc. 940
Junos Pulse Secure Access Service Administration Guide
CHAPTER 38
Customizable Admin and End-User UIs
Customizable Admin and End-User UIs on page 941
Customizable Admin and End-User UIs
The SASeries SSL VPNAppliance enables youtocustomize avariety of elements inboth
the admin console and the end-user interface. This section contains information about
whichelements youcancustomize andwhere youcanfindthe appropriate configuration
options.
The SA Series SSL VPN Appliance enables you to customize the look and feel of the
following user interface elements in the admin console:
Sign-inpages(default andcustom)Youcancustomizethepagethat administrators
seewhenthey signintotheadminconsoleusingsettings intheAuthentication>Signing
In>Sign-inPages page. Usingsettings inthis page, youcancreate welcome messages,
signout messages andother instructions; control page headers; customize select error
messages; and create a link to a customhelp page within the default SASeries sign-in
page. Or, you can upload your own customsign-in page to the SA Series SSL VPN
Appliance. For more information, see the CustomSign-In Pages Solution Guide.
UI look andfeelYou can customize the header, background color, and logo displayed
in the admin console using settings in the Administrators > Admin Roles > Select Role
>General >UI Options page. You can also use settings in this page to enable or disable
the fly out hierarchical menus that appear when you mouse over one of the menus
in the left panel of the admin console.
Systemutilization graphsYou can choose which systemutilization graphs the SA
Series SSL VPN Appliance displays on the opening page of the admin console using
settings in the System>Status >Overviewpage. You can also use settings in this page
to fine-tune the look and data within each of the graphs.
Showauto-allowoptionsYou can showor hide the auto-allowoption fromyourself
or other administrators who create newbookmarks for roles using settings in the
Maintenance > System> Options page.
User role viewsYou can use customization options on the Users > User Roles page
to quickly viewthe settings that are associated with a specific role or set of roles.
941 Copyright 2011, Juniper Networks, Inc.
User realmviewsYou can use customization options on the Users > User Realms
page to quickly viewthe settings that are associated with a specific user realmor set
of user realms.
Resource policy viewsYou can limit which resource policies the SA Series SSL VPN
Appliance displays on any given resource policy page basedon user roles. For instance,
you can configure the Users > Resource Policies > Web page of the admin console to
only display those resource policies that are assigned to the Sales user role. You can
customize these using settings in the Users > Resource Policies > Select Policy Type
page of the admin console.
Web resource policy viewsYou can limit which Web resource policy configuration
pages the SA Series SSL VPN Appliance displays using settings in Users > Resource
Policies > Web > Policy Type of the admin console.
Administrator rolesYou can delegate select responsibilities to other administrators
using settings in the Administrators > Admin Roles section of the admin console. In
doing so, you can restrict the visibility of certain options and capabilities to those other
administrators.
Customizable End-User Interface Elements Overview
The SA Series SSL VPN Appliance enables you to customize the look and feel of the
following elements in the end-user interface:
Sign-in pages (default and custom)You can customize the page that users see
when they sign into the admin console using settings in the Authentication > Signing
In>Sign-inPages page. Usingsettings inthis page, youcancreate welcome messages,
signout messages andother instructions; control page headers; customize select error
messages; and create a link to a customhelp page within the default SA Series SSL
VPN Appliance sign-in page. Or, you can upload your own customsign-in page to the
SA Series SSL VPNAppliance. For instructions, see the CustomSign-In Pages Solution
Guide.
UI look andfeelYou can customize the header, background color, and logo displayed
in the admin console using settings in the Users > User Roles > Select Role > General
> UI Options page. You can also use settings in this page to specify the first page the
users see after they sign into the SA Series SSL VPN Appliance, the order in which the
SA Series SSL VPNAppliance displays bookmarks, the help systemthat the SA Series
SSL VPN Appliance displays to users, and various toolbar settings.
Default messages and UI look and feelYou can specify what the default look and
feel should be for all user roles using settings in Users >User Roles >[Default Options]
pages of the admin console. You can also use settings in these pages to define the
default errors that users see when they try to access a blocked site, SSOfails, or SSL
is disabled.
Copyright 2011, Juniper Networks, Inc. 942
Junos Pulse Secure Access Service Administration Guide
CHAPTER 39
SA6000 Series Appliance
SA6000 Series Appliance on page 943
SA6000 Field-Replaceable Units on page 944
SA6000Series Appliance
The Juniper Networks SA6000Series Appliance is anext-generationappliance featuring
a number of notable hardware design upgrades relative to the other members of the SA
Series family.
The SA6000 chassis features the following hardware components:
Console portYou can use the console port to initially set up the SA6000 before you
fully integrate it as the secure gateway to your internal network. You can also use the
console port to performcertain configuration and clustering tasks after the SA Series
SSL VPN Appliance begins operating as the secure gateway.
Port 0 (internal) and Port 1 (external) Ethernet portsThe SA6000s primary
connections to the corporate network and the outside world are the internal and
external Ethernet ports, respectively. You can configure the internal and external
interfaces via the System> Network page of the admin console.
Management portThe SA6000s management port is nowavailable and:
Enables seamless integration into a dedicated Management Network.
Provides continuously available management access to the SA Series SSL VPN
Appliance.
Enables you to performmanagement activities without impacting user traffic.
Allows you to separate administrative access fromuser access between the SA
Series SSL VPN Appliance and Enterprise devices on the internal network.
You can configure the Management port information and advanced settings via the
admin console, just as you would configure the internal port.
Dual SFPportsTheSA6000includes twoSmall Form-factor Pluggable(SFP) Gigabit
Ethernet ports (designated ports 2 and 3 on the front of the SA 6000) that offer you
the ability to further increase your connectivity to internal network components.
Status LEDsThe front of the SA 6000 chassis features the following LEDs:
943 Copyright 2011, Juniper Networks, Inc.
PWR (green)Indicates that the appliance has power and is turned on.
HD (amber)Indicates that the hard disk is in use (writing or reading data).
TEMP (red)Ablinking LEDindicates that one of the fans has failed or is not seated
properly in its port, or that a fan has failed and needs to be replaced. A solid LED
indicates a high internal temperature reading that may result in systemfailure if not
addressed.
PSFAIL(red)Indicates that oneof thepower supplies is faulty, has beenunplugged,
or has experienced an outright failure.
Port 0 1000 and Port 1 1000 (green)Indicates that the link speed of the INT 0
(internal) or INT 1 (external) Ethernet interfaces is a Gigabit Ethernet connection.
Port 0100andPort 1 100(green)Indicates that thelink speedof theINT0(internal)
or INT 1 (external) Ethernet interfaces is a 100BaseT Ethernet connection.
NOTE: If both the Port 0 1000 and Port 0 100 (internal) or Port 1 1000
andPort 1 100(external) LEDs areactive, thelink speedfor that interface
is 10BaseT.
Internal and external Ethernet LINK TX/RX (green)Indicates that the internal or
external Ethernet interface is currently transmitting or receiving data
SFP port 2 and 3 LINK (green)Indicates that SFP port 2 or 3 is enabled.
SFPport 2and3TX/RX(green)Indicates that SFPport 2or 3is sendingor receiving
traffic.
Related
Documentation
SA6000 Field-Replaceable Units on page 944
SA6000Field-Replaceable Units
The SA6000chassis features three types of field-replaceable units (FRUs) that you can
add or replace. The FRUs are hot-swappable, meaning you do not have to first shut
down the SA6000 before adding or replacing any of the FRUs.
Hard disksThe SA6000 ships with one hard disk, however, you can add an optional
second hard disk to the SA6000 chassis to offer component redundancy and help
minimize the SA Series SSL VPN Appliance down time. When a second (redundant)
harddisk is installed, it maintains anexact copy of thesoftwareimageandconfiguration
information on the working hard disk. Therefore, if the working hard disk fails, the
redundant hard disk immediately assumes responsibility for all SA Series operations.
This function is referred to as the Redundant Array of Independent Disks (RAID)
mirroring process.
Copyright 2011, Juniper Networks, Inc. 944
Junos Pulse Secure Access Service Administration Guide
NOTE: TheSA6000harddiskmodulesarehot-swappable. Youmust make
surethat theSASeriesAppliancefinishesbootingandisoperatingcorrectly
before removing, replacing, or upgrading a hard disk module. Once a new
harddiskmoduleisinserted, youmust wait until theRAIDmirroringprocess
is completely finishedwhich takes approximately 40 minutesbefore
rebooting or turning off the SA Series SSL VPNAppliance.
Power suppliesThe SA6000 ships with one AC power supply installed in the back
of the chassis. You can add an optional second power supply to support redundancy
andload-sharing features. Inaddition, if youneedtoreplace one of the power supplies,
you can swap the faulty power supply for a replacement while the optional second
power supply assumes responsibility for theentirepower load, thus avoidingasituation
where you have to power off the SA Series SSL VPN Appliance before replacing the
removable unit.
Cooling fansThe SA6000 ships with two cooling fans installed in the back of the
chassis. If you need to replace one of the cooling fans, you can swap the faulty fan
for areplacement duringoperationinamatter of moments. Youcanpurchaseadditional
cooling fans fromyour vendor whenyouorder your SA6000, or youcanpurchase them
in the future to replace faulty or failed cooling fans, as necessary, in the future. Juniper
strongly recommends that you run the SA 6000 with two cooling fans.
For information about installing or replacing any of the hardware mentioned here, see
the SA6000 Field Replaceable Units Removal and Installation Guide on the Juniper
Networks Customer Support Center.
Related
Documentation
SA6000 Series Appliance on page 943
945 Copyright 2011, Juniper Networks, Inc.
Chapter 39: SA6000 Series Appliance
Copyright 2011, Juniper Networks, Inc. 946
Junos Pulse Secure Access Service Administration Guide
CHAPTER 40
SA4500 and SA6500 Series Appliances
SA4500 and SA6500 on page 947
Device Status LED Behavior on page 949
Ethernet Port LED Behavior on page 950
Replacing the Cooling Fans on page 951
Replacing a Hard Drive on page 952
Replacing IOC Modules on page 952
Replacing a Power Supply on page 954
SA4500and SA6500
The SA4500 and SA6500 (SA 4500/6500) are next-generation appliances featuring
a number of notable hardware features.
Standard Hardware
The SA 4500/6500 chassis features the following hardware components:
Console portYou use the console port to initially set up the SA 4500/6500 before
you fully integrate it as the secure gateway to your internal network. You can also use
the console port to performcertain configuration and clustering tasks after the SA
Series SSL VPN Appliance begins operating as the secure gateway.
Bonding portsBy default, on the SA6500 only, the SA Series SSL VPN Appliance
uses bonding of the multiple ports to provide failover protection. Bonding two ports
on the SA Series SSL VPNAppliance automatically shifts traffic to the secondary port
when the primary port fails.
The SA6500 appliance bonds ports as follows:
Internal port = Port 0+Port 1
947 Copyright 2011, Juniper Networks, Inc.
External port = Port 2+Port 3
The SA Series SSL VPN Appliance indicates in a message on the System> Network >
Overviewpage of the administrator admin console whether or not the failover
functionality is enabled.
Bonding ports cannot span separate networks (multi-homed).
Management portThe SA6500s management port:
Enables seamless integration into a dedicated Management Network.
Provides continuously available management access to the SA Series SSL VPN
Appliance.
Enables you to performmanagement activities without impacting user traffic.
Allows you to separate administrative access fromuser access between the SA
Series SSL VPN Appliance and Enterprise devices on the internal network.
You can configure the Management port information and advanced settings via the
admin console, just as you would configure the internal port.
SFPports4-port Small Form-factor Pluggable(SFP) portsareavailableasanoptional
feature for link redundancy to internal switches.
Status LEDsThree device status LEDs are located on the left-side of the front panel
to display power, hard disk access and fault status.
Ethernet Port LEDsThe Ethernet port LEDs showthe status of each Ethernet port.
The appliance supports up to four node active/active clusters or 2 node active/passive.
SASeries 6500Field-Replaceable Units
The SA6500chassis features three types of field-replaceable units (FRUs) that you can
add or replace. The FRUs are hot-swappable, meaning you do not have to first shut
down the SA 6500 before adding or replacing any of the FRUs. The SA4500 has a
cold-swappable power supply.
For safety information, refer to the Juniper Networks Products Safety Guide available on
the Juniper Networks Support site.
Hard disksThe SA6500 ships with one hard disk, however, you can add an optional
second hard disk to the SA6500 chassis to offer component redundancy and help
Copyright 2011, Juniper Networks, Inc. 948
Junos Pulse Secure Access Service Administration Guide
minimize the SA Series SSL VPN Appliance down time. When a second (redundant)
harddisk is installed, it maintains anexact copy of thesoftwareimageandconfiguration
information on the working hard disk. Therefore, if the working hard disk fails, the
redundant hard disk immediately assumes responsibility for all SA Series operations.
This function is referred to as the Redundant Array of Independent Disks (RAID)
mirroring process.
NOTE: TheSA6500harddiskmodulesarehot-swappable. Youmust make
surethat theSASeriesSSLVPNAppliancefinishesbootingandisoperating
correctlybeforeremoving, replacing, or upgradingaharddiskmodule. After
you insert a newhard disk module, you must wait until the RAID mirroring
process is completely finishedwhich takes approximately 40
minutesbeforerebootingor turningoff theSASeriesSSLVPNAppliance.
Power suppliesThe SA6500 ships with one AC power supply installed in the back
of the chassis. You can add an optional second power supply to support redundancy
andload-sharing features. Inaddition, if youneedtoreplace one of the power supplies,
you can swap the faulty power supply for a replacement while the optional second
power supply assumes responsibility for theentirepower load, thus avoidingasituation
where you have to power off the SA Series SSL VPN Appliance before replacing the
removable unit.
Cooling fansThe SA6500 ships with two cooling fans installed in the back of the
chassis. If you need to replace one of the cooling fans, you can swap the faulty fan
for areplacement duringoperationinamatter of moments. Youcanpurchaseadditional
cooling fans fromyour vendor when you order your SA6500, or you can purchase them
in the future to replace faulty or failed cooling fans, as necessary, in the future.
Related
Documentation
Device Status LED Behavior on page 949
Ethernet Port LED Behavior on page 950
Replacing the Cooling Fans on page 951
Replacing a Hard Drive on page 952
Replacing IOC Modules on page 952
Replacing a Power Supply on page 954
Device Status LEDBehavior
Startup takes approximately one minute to complete. If you want to turn the device off
and on again, we recommend you wait a fewseconds between shutting it down and
powering it back up.
There are three device status LEDs located on the left-side of the front panel:
Power
Hard disk access
949 Copyright 2011, Juniper Networks, Inc.
Chapter 40: SA4500 and SA6500 Series Appliances
Fault
Table 45 on page 950lists the name, color, status, and description of each device status
LED.
Table 45: Device Status LEDs
Description State Color Name
Device is not receiving power Off Green POWER
Device is receiving power On Steady
Hard disk is idle Off Yellow HARD DISK ACCESS
Hard disk is being accessed Blinking
Device is operating normally Off Red FAULT
Power supply fault Slow
blinking
Fan failure Fast blinking
Thermal failure Solid
Related
Documentation
SA4500 and SA6500 on page 947
Ethernet Port LED Behavior on page 950
Replacing the Cooling Fans on page 951
Replacing a Hard Drive on page 952
Replacing IOC Modules on page 952
Replacing a Power Supply on page 954
Ethernet Port LEDBehavior
The Ethernet port LEDs showthe status of each Ethernet port.
Table 46: 4-Port Copper Gigabit Ethernet LEDs (available on IC4500
and IC6500)
Description Color and State LED
Link Green Link/Activity
Activity Blinking green
Copyright 2011, Juniper Networks, Inc. 950
Junos Pulse Secure Access Service Administration Guide
Table 46: 4-Port Copper Gigabit Ethernet LEDs (available on IC4500
and IC6500) (continued)
Description Color and State LED
10 Mbps Off Link Speed
100 Mbps Green
1 Gbps Yellow
Related
Documentation
SA4500 and SA6500 on page 947
Device Status LED Behavior on page 949
Replacing the Cooling Fans on page 951
Replacing a Hard Drive on page 952
Replacing IOC Modules on page 952
Replacing a Power Supply on page 954
Replacing the Cooling Fans
The SA 6500 ships with two cooling fans installed in the back of the chassis. If you need
to replace one of the cooling fans, you can hot-swap the faulty fan for a replacement
during operation in a matter of moments. You can purchase additional cooling fans from
your authorized Juniper reseller, or you can purchase themin the future to replace faulty
or failed cooling fans, as necessary.
To remove and install a cooling fan module:
1. To release the cooling fan module, do one of the following:
Press and slide the release trigger toward the center of the cooling fan module
Loosen the thumbscrews
2. Grasp the cooling fan module and carefully pull it out.
CAUTION: Once you remove the cooling fan module, it is important that
you replace it with a replacement cooling fan. The second fan is required
for proper air flowacross the chassiss internal components; it is not a
redundant fan.
3. Line the a cooling fan module up with an empty cooling fan port on the back of the
chassis.
4. Slowly slide the module into the chassis until it clicks into place.
5. If your cooling fan is equipped with thumb screws, tighten the screws.
951 Copyright 2011, Juniper Networks, Inc.
Chapter 40: SA4500 and SA6500 Series Appliances
Related
Documentation
SA4500 and SA6500 on page 947
Replacing a Hard Drive on page 952
Replacing IOC Modules on page 952
Replacing a Power Supply on page 954
Replacing a Hard Drive
The SA 6500 ships with two standard hard drives to offer component redundancy and
help minimize down time. The second (redundant) hard disk maintains an exact copy of
the software image and configuration information on the working hard disk. Therefore,
if theworkingharddisk fails, theredundant harddisk immediately assumes responsibility
for all operations. This function is referred to as the Redundant Array of Independent
Disks (RAID) mirroring process.
NOTE: The hard disk modules are hot-swappable. Once a newhard disk
module is inserted, you should wait until the RAID mirroring process has
completed before rebooting or turning off the appliance.
To remove and install a hard drive:
1. On the hard drive module, press the blue handle release trigger in and to the right to
release the insertion and removal handle.
2. Grasp the handle and pull the hard drive module straight out of the chassis.
Onceyouhaveremovedtheharddrivemodule, besuretoreplaceit withareplacement
hard drive.
3. With the insertion and removal handle on the hard drive module in the released/out
position, line the hard drive module up with an empty hard drive port on the front of
the chassis.
4. Carefully slide the hard drive module into the chassis until it is clicks into place.
Retract the handle by swinging it back across the face of the hard drive until it is
completely flush with the face of the hard drive module.
Related
Documentation
SA4500 and SA6500 on page 947
Replacing the Cooling Fans on page 951
Replacing IOC Modules on page 952
Replacing a Power Supply on page 954
Replacing IOC Modules
This section contains information about removing and installing IOC Modules (IOMs) in
the SA 6500.
Copyright 2011, Juniper Networks, Inc. 952
Junos Pulse Secure Access Service Administration Guide
CAUTION: Power off the device before removing or installing IOMs. IOMs are
not hot-swappable.
Removing a Blank IOMFaceplate
To maintain proper airflowthrough the device, leave blank faceplates in place over slots
that do not contain IOMs. Do not remove a blank faceplate unless you are installing an
IOMin the empty slot.
To remove a blank faceplate:
1. Unplug the power cord.
2. Loosen the thumbscrews on each side of the faceplate.
3. Grasp the thumbscrews and pull to remove the faceplate.
Installing an IOM
1. Unplug the power cord.
2. Line the IOMup with an empty port on the front of the chassis.
3. Carefully slide the IOMin until it seats firmly in the device.
4. Tighten the screws on each side of the IOMfaceplate.
5. Insert the appropriate cables into the cable connectors on the IOM.
6. If necessary, arrange the cables to prevent themfromdislodging or developing stress
points:
Secure the cable so that it is not supporting its own weight as it hangs to the floor.
Place excess cable out of the way in a neatly coiled loop.
Use fasteners to maintain the shape of cable loops.
7. Insert the power cord into the AC power receptacle.
Removing an IOM
To remove an IOM:
1. Unplug the power cord.
2. Disconnect the cables fromthe IOM.
3. If necessary, arrange the cables to prevent themfromdislodging or developing stress
points.
4. Loosen the thumb screws on each side of the IOMfaceplate.
5. Grasp the thumbscrews and pull to remove the IOM.
If you are not reinstalling an IOMinto the empty slot, install a blank IOMfaceplate over
the empty slot to maintain proper airflow.
953 Copyright 2011, Juniper Networks, Inc.
Chapter 40: SA4500 and SA6500 Series Appliances
Related
Documentation
SA4500 and SA6500 on page 947
Replacing a Hard Drive on page 952
Replacing a Hard Drive on page 952
Replacing a Power Supply on page 954
Replacing a Power Supply
Removing and Installing an AC Power Supply
The Juniper Networks appliance ships with one AC power supply installed in the back of
the chassis. You can add an optional second power supply to support redundancy and
load-sharing features. In addition, if you need to replace one of the power supplies, you
can hot-swap the faulty power supply for a replacement while the optional second
power supply assumes responsibility for the entire power load, thus avoiding a situation
where you have to power off the Infranet Controller before replacing the removable unit.
To remove and install an AC power supply module:
1. Press the release trigger in and to the right to release the module.
2. Grasp the insertion and removal handle and pull the power supply module straight
out of the chassis.
Once you have removed the supply module, be sure to replace it with a replacement
power supply or the dummy power supply port cover installed in your chassis at the
time of shipping.
3. Line the newpower supply module up with an empty power supply port on the back
of the chassis.
4. Slowly slide the power supply module into the chassis until it clicks into place.
Removing and Installing a DC Power Supply
To remove and install a DC power supply module:
1. Unplug the power cord.
2. Disconnect the DC supply wires fromthe lugs on the DC power supply.
3. Press the release trigger in and to the right to release the module.
4. Grasp the power supply module and pull it straight out of the chassis.
5. Slowly slide the newmodule into the chassis until it clicks into place.
6. Connect theDCsupply wires tothemoduleusingthelugs. Besuretoattachtheground
wire.
7. Attach the power cord
Related
Documentation
SA4500 and SA6500 on page 947
Copyright 2011, Juniper Networks, Inc. 954
Junos Pulse Secure Access Service Administration Guide
Replacing the Cooling Fans on page 951
Replacing a Hard Drive on page 952
Replacing IOC Modules on page 952
955 Copyright 2011, Juniper Networks, Inc.
Chapter 40: SA4500 and SA6500 Series Appliances
Copyright 2011, Juniper Networks, Inc. 956
Junos Pulse Secure Access Service Administration Guide
CHAPTER 41
Secure Access FIPS
SA FIPS on page 957
SA FIPS Execution on page 958
Creating Administrator Cards on page 959
Deploying a Cluster in a Secure Access FIPS Environment on page 960
Creating a NewSecurity World on page 962
Recovering an Archived Security World on page 965
SAFIPS
FIPS, or Federal Information Processing Standards, are National Institute of Standards
and Technology regulations for handling keys and encrypting data. Juniper Networks SA
FIPSis astandardSA4000or SA6000NetScreenInstant Virtual Extranet equippedwith
a FIPS-certified cryptographic module. The tamper-proof hardware security module
installedonanSAFIPSSeries Applianceis certifiedtomeet theFIPS140-2level 3security
benchmark. The module handles private cryptographic key management and SSL
handshakes, simultaneously, ensuring FIPS compliance and off-loading CPU-intensive
publickey infrastructure(PKI) tasks fromtheSASeries SSLVPNAppliancetoadedicated
module.
The configuration process for SA FIPS administrators is almost exactly the same as for
the non-SA FIPS administrators, requiring only minor configuration changes during the
initialization, clustering, and certificate generation processes. In the fewcases where
administration tasks are different, this guide includes the appropriate instructions for
both SA and SA FIPS administrators. For end-users, SA FIPS is exactly the same as a
standard SA Series SSL VPN Appliance system.
SA FIPS is a hardware feature that is built into selected SA Series SSL VPN Appliances.
It is not available on SA700 Series Appliances.
Related
Documentation
SA FIPS Execution on page 958
Creating Administrator Cards on page 959
Creating a NewSecurity World on page 962
Recovering an Archived Security World on page 965
SA FIPS Execution on page 958
957 Copyright 2011, Juniper Networks, Inc.
SAFIPS Execution
When you first install an SA FIPS system, the SA Series serial console walks you through
the process of creating a security world through the serial console. A security world is a
key management systemused by SA FIPS consisting of the following elements:
CryptographicmoduleThecryptographicmodule(alsosometimescalledthehardware
security module, or HSM) included with SA FIPS Appliance includes hardware and
firmware installed directly on the appliance. A security world may contain a single
cryptographic module (standard environment) or multiple modules (clustered
environment). However, a single Secure Access FIPS appliance is always equipped
with a single cryptographic module.
Security world keyA security world key is a unique Triple DES encrypted key that
protects all other application keys within a security world. As required by the Federal
InformationProcessingStandards, youcannot import this key intoasecurity worldyou
must directly create it froma cryptographic module. In a clustered environment, all of
the modules within the security world share the same security world key.
Smart cardsA smart card is a removable key device that looks like a credit card. A
smart card authenticates users, allowing themaccess to various data and processes
controlled by the cryptographic hardware module. During the initialization process,
you must insert one of your smart cards into the reader (built-in or external, depending
uponwhichdevice model youown). As part of the initializationprocess, the smart card
is transformed into an administrator card that allows the card holder access to the
security world.
Encrypted dataEncrypted host data in a Secure Access FIPS environment includes
keys and other data required to share information in a secure manner.
These elements interlock to create a comprehensive security world. When you start the
appliance, it confirms that the security world is valid and that the cryptographic module
is in operational mode before starting normal operations.
You can set the cryptographic module into operational mode using a hardware switch
on the outside of the module. The switchs settings include:
IInitialization mode. Use this setting when initializing the cryptographic module with
a newsecurity world or when adding a module to an existing security world in a Secure
Access cluster. Note that once you set the switch to I and begin initialization, you must
completetheprocess. Otherwise, your security worldis only partially initialized, making
it unusable.
OOperational mode. Use this setting to place the cryptographic module into
operational mode after initialization. Note that you must set the switch to Obefore
the module powers up in order to alert the unit that you want to begin day-to-day
processing. Otherwise, the module prompts you through the serial console to join the
existing security world or initialize a newone.
MMaintenance mode. In future releases, this setting will be used to upgrade the
firmware on the cryptographic module. (Not yet supported.)
Copyright 2011, Juniper Networks, Inc. 958
Junos Pulse Secure Access Service Administration Guide
Related
Documentation
SA FIPS on page 957
Creating Administrator Cards on page 959
Creating a NewSecurity World on page 962
Recovering an Archived Security World on page 965
Creating Administrator Cards
When you receive your Secure Access FIPS product, you receive 6 smart cards as part
of the package. Asmart card is a removable key device that you must use in order to gain
access tosomeof thecritical dataandprocesses controlledby thecryptographicmodule.
Secure Access FIPS first requires you to use one of your smart cards while initializing the
cryptographic module through the serial console. During this process, Secure Access
FIPS creates a security world and transforms the smart card into an administrator card
that gives the holder access only to that security world.
Once the module is initialized, you do not need the administrator card for normal Secure
Access operations. However, you are required to use the administrator card whenever
you want to add another Secure Access FIPS machine to a cluster, reinitialize a module
with a newor different security world or replace administrator cards.
As a rule-of-thumb, any Secure Access FIPS operation that you must execute through
the Secure Access serial console requires an administrator card.
NOTE: Whenever you change your security world, you must determine how
to handle your existing administrator cards. Your choices include:
Reset your existing administrator cards to the newsecurity world.
Use administrator cards that are pre-initialized to the newsecurity world
and leave your existing administrator cards unchanged. Note that if you
choose this option, however, you cannot use the old, unchanged cards to
access the newsecurity world.
Administrator Card Precautions
Sinceadministrator cards aresocritical toSecureAccess FIPSoperations andthesecurity
of thekeys withinyour security world, westrongly recommendthat youtakethefollowing
precautions:
959 Copyright 2011, Juniper Networks, Inc.
Chapter 41: Secure Access FIPS
Create multiple administrator cardsYou cannot replace an administrator card unless
youhaveanother validcardandthepass phrasefor that card; thecryptographicmodule
does not store administrator card recovery data. Therefore, we strongly recommend
that you create at least one administrator card for standard administrative operations
and another for backup purposes. Otherwise, you run the risk of losing your only
administrator card and subsequently losing access to your security world and all the
data it stores. You can only create a set of administrator cards, all at once. You cannot
add additional cards to an existing set.
Store a backup administrator card in a secure locationAlways keep your backup
administrator card(s) in a secure location separate fromthe card you use for standard
administrative operations to ensure that you do not lose all of your administrator cards
to the same event (such as a fire or theft).
Overwrite all remaining administrator cards if one gets lostIf you lose or damage an
administrator card, immediately createanewsecurity worldandoverwriteall remaining
cards fromthe old security world. Otherwise, an attacker with an old administrator
card may be able to access old host data stored on a backup tape or another host.
With the old host data and an old card, the attacker may then be able to re-create your
keys.
Protect the administrator cards pass phraseFor maximumsecurity, youshouldnever
write down your pass phrase, tell it to untrusted users, or use a pass phrase that is easy
to guess. Protecting your pass phrase adds an extra level of security to your operations.
Only use your administrator card with known, trusted sourcesAlways obtain smart
cards froma trusted source, never insert a smart card into an untrusted smart card
reader, and never insert untrusted smart cards into your smart reader.
Related
Documentation
SA FIPS on page 957
Creating a NewSecurity World on page 962
Recovering an Archived Security World on page 965
Deploying a Cluster in a Secure Access FIPS Environment
In addition to sharing state, user profile, user session, and monitoring state data, the
members of an Secure Access FIPS cluster also share security world data. All cluster
members share the same private key and are accessible using the same administrator
cards. Sincechangingasecurity worldrequires physical access toacryptographicmodule,
however, Secure Access FIPS cluster members cannot share all of their data using the
standard Secure Access synchronization process. Instead, to create an Secure Access
FIPS cluster, you must:
Create a cluster of Secure Access FIPS machines through the admin consoleAs with
a standard Secure Access cluster, each cluster node in an Secure Access FIPS cluster
is initialized using systemstate data fromthe specified cluster member, overwriting
all existing data on the node machine.
Manually update the security world on each of the machinesAfter creating a cluster,
you must initialize each cluster node with the specified members security world using
Copyright 2011, Juniper Networks, Inc. 960
Junos Pulse Secure Access Service Administration Guide
an administrator card that is pre-initialized to the security world and the serial console.
Prior to joining a cluster, each node is in its own security world. As a consequence, after
a node joins the cluster, the administrator card fromthe joining node will be invalid.
Only the administrator card set fromthe cluster will be valid.
Similarly, if youwant tomodify anexistingsecurity worldonacluster, youmust individually
update each cluster members cryptographic module using an administrator card and
the Secure Access serial console.
The basic process for creating a cluster follows these high-level steps:
1. Initialize one Secure Access fromthe serial console, creating administrator cards.
2. Create the cluster fromthis Secure Access admin console.
3. Add nodes to the cluster fromthis Secure Access admin console.
4. Reboot the joining node fromthe serial console.
5. When prompted, supply the cluster details, including the current nodes IP address,
netmask, and domain.
6. When prompted, insert an administrator card fromthe clusters set of cards. The
nodes administrator card, if any, will become invalid as the node joins the security
world of the cluster.
To initialize a FIPS cluster members security world via the serial console:
1. Insert an administrator card that is pre-initialized with the active cluster members
security world into the smart card slot with the contacts facing up.
NOTE: If youhavealreadyperformedtheproceduresrequiredtoconfigure
the FIPS appliance, as described in the Quick Start Guide, you might be
able to skip this step.
2. Switch the cryptographic modules mode switch to I (initialization mode) if it is not
already in that position.
3. Connect to the machines serial console.
4. Cycle the power to reboot the machine and watch its serial console. After the system
software starts, you will see a message that the machine is about to boot as a
stand-alone Secure Access and to hit Tab for clustering options. Press the Tab key
as soon as you see this option.
NOTE: The interval to press the Tab key is five seconds. If the machine
begins to boot in stand-alone mode, wait for it to finish and then reboot
again.
5. Enter the number 2 to join the existing cluster or 1 to continue as a standalone Secure
Access.
961 Copyright 2011, Juniper Networks, Inc.
Chapter 41: Secure Access FIPS
6. Enter the initialization information as prompted, including:
Cluster name
Cluster password
IP address of a node in the cluster
IP address of the node you are adding
Netmask
Gateway IP address
NOTE: After you initialize members of an Secure Access FIPScluster with
thesamesecurityworld, youmaydisableandre-enablethecluster through
the admin console. You are no longer required to use the serial console
once the cluster members are all members of the same security world.
7. Select 1 to continue joining the cluster.
8. After the FIPS appliance initializes the card, switch the cryptographic modules mode
switch to O(operational mode).
Related
Documentation
Using the Serial Console on page 935
Creating a NewSecurity World
You cannot begin using an Secure Access FIPS machine until you create a security world
on it. However, in some case you may need to overwrite that security world with a new
one. For example, if you lose an administrator card, we recommend that you create a
brand newsecurity world to prevent an untrusted source fromfinding the card and
accessing your security world. You may also need to create a newsecurity world if you
cannot remember your original administrator cards pass phrases.
In order to create a newsecurity world, you must have physical access to:
The cryptographic module(s) that belong to the security world.
A smart card reader (if you use an older model Secure Access device that does not
contain a built-in card reader).
One or more unformatted smart cards or administrator cards containing data that you
can safely overwrite.
Copyright 2011, Juniper Networks, Inc. 962
Junos Pulse Secure Access Service Administration Guide
NOTE: Your oldadministrator cards will not work withthenewsecurity world
until you reformat themwith the newsecurity worlds data. Also note that
once you set the switch to I and begin initialization, you must complete the
process. Otherwise, your security world is only partially initialized, making it
unusable.
WARNING: You must obtain one or more newdevice certificates fromyour
CA whenever you create a newsecurity world.
Creating a Security World on a Stand-Alone Secure Access
To create a newsecurity world on a stand-alone Secure Access:
1. Insert an un-formatted smart card or an administrator card containing data that you
can safely overwrite into the card slot with the card contacts facing up.
2. Set the mode switch on the cryptographic module to I (initialization mode).
3. Access the Secure Access serial console and reboot the Secure Access device. After
the Secure Access device reboots, you are prompted on the serial console with the
following question: Do you want to use the currently installed security world (y/n)?
4. Performone of the following:
If you want to create a newsecurity world, then:
a. Enter n and press Enter.
b. You are asked to confirmthis choice with the prompt "Are you sure you want to
delete your existing Security World (including server certificates) (y/n)?". If you
choose to continue enter y and press Enter.
c. Enter the number of administrator cards you want to create and press Enter.
d. Enter y and press Enter to confirmthe number of cards you want to create.
If you want to use the currently installed security world, then:
a. Enter y and press Enter.
b. Proceed to the next numbered step in this procedure.
5. Reset the cryptographic modules mode switch to O(operational mode).
6. Add the common name and company name when prompted. The systemuses the
existing self-signed certificate temporarily.
7. Create a newdevice certificate that shares the newsecurity worlds private key.
963 Copyright 2011, Juniper Networks, Inc.
Chapter 41: Secure Access FIPS
WARNING: You must obtain one or more newserver certificates fromyour
CA whenever you create a newsecurity world.
Creating a Security World in a Clustered Environment
To create a newsecurity world in a clustered environment:
1. Sign in to the admin console of a cluster node. To access a nodes admin console,
enter its internal IP address followed by /admin in a browser. For example:
https://x.x.x.x/admin
2. On the System>Clustering >Status tab, select the checkbox for all nodes other than
the current node in the Cluster Members column and then click Disable.
3. Initialize the cluster member with a security world. If this is the first node in the cluster,
create a newsecurity world.
4. Return to the nodes System> Clustering > Status tab, select the checkbox next to
disabled nodes in the Cluster Members column, and then click Enable.
5. Wait for all the cluster members to go into an "Enabled" state.
6. Set the mode switch on the cryptographic modules of cluster members that were
earlier disabled to I (initialization mode).
7. Reboot each of these nodes fromthe serial console.
8. After a node joins the security world, reset its cryptographic module's mode switch
to O(operational mode).
Replacing Administrator Cards
You can replace an administrator card by selecting the Replace Administrator Card Set
option fromthe serial console. You cannot increase the number of administrator cards
in an existing set. If you want to do this, you have to create a newsecurity world which
replaces all of the existing cards in a set and allowyou to create a set with a larger or
smaller number of cards.
NOTE: Replacing administrator cards restarts services on your standalone
Secure Access device or cluster.
If you need to replace administrator cards for a security world, you must have physical
access to:
A cryptographic module that belongs to the security world.
A smart card reader (if you use an older model Secure Access device that does not
contain a built-in card reader).
An administrator card that is pre-initialized with the security world.
Copyright 2011, Juniper Networks, Inc. 964
Junos Pulse Secure Access Service Administration Guide
An un-formatted smart card or administrator card containing data that you can safely
overwrite.
The same number of unformatted smart cards or administrator cards as in the original
set containing data that you can safely overwrite.
NOTE: If youneedtoreplaceadministrator cards, youmust replacethesame
number of cards that you first initialized for the security world. You cannot
replace a subset of the cards.
NOTE: If you require additional smart cards, please contact your Secure
Access Reseller.
To replace all administrator cards or to create a larger number of cards for a security
world:
1. Create a newsecurity world.
2. Choose Replace Administrator Card Set fromthe list of configuration tasks.
3. Enter the pass phrase for the security world.
4. When prompted, insert an un-formatted smart card or an administrator card whose
data you can safely overwrite into the smart card reader with the contacts facing up.
5. Enter the additional initialization information for which you are prompted.
6. Repeat steps 4 and 5 for as many cards as you want to create.
7. Store at least one of the administrator cards in a secure location.
Related
Documentation
Recovering an Archived Security World on page 965
Recovering an Archived Security World
In rare cases, you may need to recover your systemusing an archived security world. The
archived security world may be an older version of the security world that already exists
onyour systemor thesameversion. Inorder torecover your system, youmust haveaccess
to the systemconfiguration file (by default, system.cfg) that holds the archived security
world and its corresponding certificate.
In addition, if you are overwriting your security world with a different security world, you
must have physical access to:
All of the cryptographic modules that belong to the security world.
A smart card reader (if you use an older model Secure Access device that does not
contain a built-in card reader).
965 Copyright 2011, Juniper Networks, Inc.
Chapter 41: Secure Access FIPS
An administrator card that is pre-initialized with the security world and administrator
passphrase that you want to import.
Importing a Security World Into a Stand-Alone Secure Access Device
To import an existing security world into a stand-alone Secure Access device:
1. Import the systemconfiguration file that contains the archived security world and its
correspondingcertificateintotheSecureAccess device, andtheninitializethesecurity
world if necessary. If the configuration file contains an archive of:
The same security world that was already present on the machine, no further
configuration is required.
A different security world than was already present on the machine, you must
initialize the newsecurity world.
NOTE: If you import a configuration file containing a different security
world, note that your existing administrator cards will not work with the
imported security world until you reformat themwith the newsecurity
worlds data. Also note that once you set the switch to I and begin
initialization, you must complete the process. Otherwise, your security
world is only partially initialized, making it unusable.
2. Insert an administrator card that is pre-initialized with the imported security world
into the smart card reader slot with the contacts facing up.
3. Set the mode switch on the cryptographic module to I (initialization mode).
4. Access theSecureAccess devices serial consoleandreboot theSecureAccess device.
5. Reset the cryptographic modules mode switch to O(operational mode) when
prompted.
Importing a Security World Into a Cluster
To import an existing security world into a cluster:
1. Sign in to the admin console of a cluster node. To access a nodes admin console,
enter its internal IP address followed by /admin in a browser. For example:
https://x.x.x.x/admin
2. On the System>Clustering >Status tab, select the checkbox for all nodes other than
the current node in the Cluster Members column and then click Disable.
3. Import an archived security world in to the cluster member.
4. When the installation process completes, return to the nodes System> Clustering >
Status tab, select the checkbox next to the disabled nodes in the Cluster Members
column, and then click Enable.
5. Wait for all the cluster members to go into the "Enabled" state.
Copyright 2011, Juniper Networks, Inc. 966
Junos Pulse Secure Access Service Administration Guide
6. Set the mode switch on the cryptographic modules of cluster members' that were
earlier disabled to I (initialization mode).
7. Reboot each of these nodes fromthe serial console.
8. After a node joins the security world, reset its cryptographic module's mode switch
to O(operational mode).
Related
Documentation
Creating a NewSecurity World on page 962
967 Copyright 2011, Juniper Networks, Inc.
Chapter 41: Secure Access FIPS
Copyright 2011, Juniper Networks, Inc. 968
Junos Pulse Secure Access Service Administration Guide
CHAPTER 42
SA4500 and SA6500 FIPS Appliances
FIPS Overviewon page 969
Name and Password Restrictions on page 970
Initializing a Keystore on page 971
Reinitializing the Keystore on page 971
Joining a Cluster on page 972
Importing Device Certificates on page 973
Changing the Security Officer Password on page 973
Changing the Web User Password on page 974
Resetting the HSMCard In Case Of An Error on page 974
Upgrading the HSMFirmware on page 974
Binary Importing and Exporting of the Keystore on page 975
FIPS Device Status LED Behavior on page 975
FIPS Overview
The Juniper Networks SA 4500 and 6500 FIPS is a standard SA4500 or SA6500
appliance equipped with a FIPS-compliant crypto card. The tamper-proof hardware
security module installed on an Secure Access FIPS systemis certified to meet the FIPS
140-2 level 3 security benchmark.
The configuration process for Secure Access FIPS administrators is almost exactly the
sameas for thenon-FIPSSecureAccess administrators, requiringonly minor configuration
changes during the initialization, clustering, and certificate generation processes. In the
fewcases where administration tasks are different, this guide includes the appropriate
instructions for bothSecureAccess andSecureAccess FIPSadministrators. For end-users,
Secure Access FIPS is exactly the same as a standard Secure Access system.
The FIPS-compliant crypto card is a host bus adapter card that combines IPsec and SSL
cryptographic acceleration with Hardware Security Module (HSM) features. This
combination of a dedicated HSM, advanced cryptographic security and secure key
management meet the security and performance needs for any service.
This cardhas twomainroles: asecurity officer andauser role. TheFIPS-compliant crypto
card replaces the need for administrator cards with the concept of a security officer who
969 Copyright 2011, Juniper Networks, Inc.
is responsiblefor keyandpasswordmanagement. Thesecurityofficer credential protects
the keystore frombeing exported and imported onto another FIPS-compliant crypto
card.
User roles performcryptographic operations such as accessing keying material within
the keystore as well as performing bulk encryption operations.
The security officer credentials, user credentials, and RSA private keys are stored in the
HSMencrypted keystore located on the Secure Access disk. You are prompted to provide
thesecredentialswhenever anyoperationrequiresthem. Credentialsarenot automatically
retrieved fromthe HSMkeystore.
Keystores are stored on the disk and are encrypted with a master key. The master key is
storedinthecrytocardfirmwareandcanbebackedupby asecurity officer usingarestore
password. This restore password can then be used to restore the master key onto the
same or different FIPS-compliant crypto cards allowing the keystore to be shared across
a cluster, for example.
Related
Documentation
Name and Password Restrictions on page 970
Initializing a Keystore on page 971
Reinitializing the Keystore on page 971
Joining a Cluster on page 972
Importing Device Certificates on page 973
Changing the Security Officer Password on page 973
Changing the Web User Password on page 974
Resetting the HSMCard In Case Of An Error on page 974
Upgrading the HSMFirmware on page 974
Binary Importing and Exporting of the Keystore on page 975
Name and Password Restrictions
Security officer names and usernames must adhere to the following requirements:
Description Requirement
At least one character MinimumLength
63 characters MaximumLength
Alphanumeric, underscore (_), dash (-) and period (.) Valid Characters
Must be alphabetic First Character
Passwords must be at least six characters and no more than 63 characters. Three
characters must be alphabetic and one character must be non-alphabetic.
Copyright 2011, Juniper Networks, Inc. 970
Junos Pulse Secure Access Service Administration Guide
Related
Documentation
FIPS Overviewon page 969
Initializing a Keystore
When the FIPS appliance is powered on froma factory-reset or when its configuration
is reset, the serial console requires the initialization of a keystore anda self-signeddevice
certificate. The steps for initialization are:
During the boot process, the current releases HSMfirmware is installed on the
FIPS-compliant crypto card HSM.
You are prompted to create a newkeystore. As part of the newkeystore creation, you
must provide the following data:
The security officer name and password. Save these credentials as they are required
for suchtasks as creatingnewrestorepasswords andfor changingthesecurity officer
password.
The keystore restore or HSMmaster key backup password. Every time you export
thesystemconfiguration, savethecurrent restorepasswordfor thearchivedkeystore.
Webusernameandpasswordfor runningcryptographicoperations usingkeys stored
in the HSMs keystore.
The self-signed certificate creation proceeds as normal except that the HSMis used
to generate a secure RSA private key which is stored in the HSMs database.
Related
Documentation
FIPS Overviewon page 969
Reinitializing the Keystore
If there is a change in the security policy of the deployment that requires the creation of
newRSAkey pairs andcorrespondingcertificates, youwill needtoreinitializethekeystore.
You can reinitialize the keystore fromeither a stand-alone node or froma cluster.
To reinitialize the keystore froma stand-alone node:
1. Reboot the stand-alone node.
During the boot process, you are prompted to re-initialize the keystore.
2. Press y to delete the current keystore and server certificates.
NOTE: If you do not press y within 10 seconds, the appliance will proceed to
boot normally.
971 Copyright 2011, Juniper Networks, Inc.
Chapter 42: SA4500 and SA6500 FIPS Appliances
To reinitialize the keystore froma cluster:
1. Reboot a node within the cluster.
During the boot process, you are prompted to re-initialize the keystore.
2. Press y to delete the current keystore and server certificates. A newkeystore is
initialized.
NOTE: If you do not press y within 10seconds, the appliance will proceed
to boot normally.
3. On the node that you rebooted, open the cluster status page in the admin console
and wait for all nodes to exit fromthe Transitioning state.
4. For all other nodes in the cluster, connect to the serial console and enter 9 to select
FIPSOptions and then 1 to select Complete import of keystore and server certificates.
5. Enter the restore password when prompted.
Related
Documentation
FIPS Overviewon page 969
Joining a Cluster
Joining a cluster involves using both the admin console and serial console. To join a
cluster:
1. If you have not already done so, define and initialize a cluster
If you are currently running stand alone appliances that you want to cluster, we
recommend that before you create a cluster, you first configure systemand user
settings on one machine. After doing so, use the same machine to create the cluster.
This machine joins the cluster as part of the creation process. When other Secure
Access devices join the cluster, this machine propagates its configuration to the new
cluster member.
2. Before you can add an appliance to a cluster, you need to make its identity known to
the cluster.
3. Join the appliance to the cluster through the admin console or through the serial
console.
When joining a node to a cluster using the serial console, you are prompted for the
cluster keystores restore password. If the restore password fails, enter 9 to select
FIPS Option and then enter 1 to select Complete import of keystore and server
certificates.
When a cluster is created on a node, the nodes keystore becomes the clusters
keystore. Any node joining the cluster must import the clusters keystore. You need
the current keystore restore password to do this.
Copyright 2011, Juniper Networks, Inc. 972
Junos Pulse Secure Access Service Administration Guide
4. When you see the message confirming that the machine has joined the cluster, click
theSystem>Clustering>Cluster Status tabintheadminconsoleof any activecluster
member.
5. Whenall nodes haveexitedfromtheTransitioning state, connect totheserial console
of each node that has a non-CL license and enter 9 to select FIPS Options and then
1 to select Complete import of keystore and server certificates.
6. Enter the cluster keystore restore password.
Related
Documentation
FIPS Overviewon page 969
Importing Device Certificates
To import a device certificate, generate a CSR fromthe appliance and then import its
corresponding certificate after it is validated by a CA. Each CSR request generates a new
RSA key pair.
NOTE: Device certificates without a CSRrequest fromthe appliance cannot
be imported.
Related
Documentation
FIPS Overviewon page 969
Changing the Security Officer Password
Occasionally you may want to change the security officer password. In a cluster, you can
performthis operation fromany node. The newsecurity officer password is updated to
the other nodes automatically.
NOTE: Changing the security officer password restarts the web server.
To change the security officer password:
1. Connect to the serial console of the FIPS appliance you want to reset.
2. Enter 9 to select FIPS Option.
3. Enter 2 to select Change security officer password.
4. Enter the existing security officer password.
5. Enter the newpassword.
6. Re-enter the newpassword when prompted to confirm.
Related
Documentation
FIPS Overviewon page 969
973 Copyright 2011, Juniper Networks, Inc.
Chapter 42: SA4500 and SA6500 FIPS Appliances
Changing the Web User Password
The web username and password are used to securely store the RSA private keys in the
HSMs encrypted database. These credentials are used by the SA Series Appliance
processes to carry out RSA operations. The keys will never be available for use outside
the HSM. You can later change the web password but not the web username.
In a cluster, you can performthis operation fromany node. The newpassword is updated
to the other nodes automatically.
NOTE: Changing the web user password restarts the web server.
To change the web password:
1. Connect to the serial console of the FIPS appliance you want to reset.
2. Enter 9 to select FIPS Option.
3. Enter 3 to select Change web user password.
4. Enter the existing web user password.
5. Enter the newpassword.
Related
Documentation
FIPS Overviewon page 969
Resetting the HSMCard In Case Of An Error
If the FIPS card LEDs indicates an error or fault, try resetting the HSMcard prior to
rebooting your appliance.
To reset the HSMcard:
1. Connect to the serial console of the FIPS appliance you want to reset.
2. Enter 9 to select FIPS Option.
3. Enter 5 to select Reset the HSM.
4. Observe the LEDS on the FIPS card. If they do not eventually turn green, reboot your
appliance.
Related
Documentation
FIPS Overviewon page 969
Upgrading the HSMFirmware
Some systemsoftware upgrades may also require firmware updates. Typically, firmware
upgrades occur during the boot process. After the systemsoftware updates, the serial
console prompts you for the keystore restore password before upgrading the HSMs
Copyright 2011, Juniper Networks, Inc. 974
Junos Pulse Secure Access Service Administration Guide
firmware.If you do not remember the password, you have the option of upgrading the
firmwareat alater dateusingtheserial console. Notethat thewebserver may not function
properly if the firmware upgrade is required and is not updated.
To upgrade the firmware using the serial console:
1. Click System>Clustering >Cluster Status tab in the admin console and wait for the
node to be in the FIPS disassociated state.
2. Open a serial console and enter 9 to select the FIPS option.
3. Enter 6 to select Load Firmware.
Related
Documentation
FIPS Overviewon page 969
Binary Importing and Exporting of the Keystore
Select Maintenance > Import/Export fromthe admin console to import and export the
keystore. You can do this froma stand-alone node or froma node within a cluster. The
keystore is exported as part of the systemsettings configuration file. Safely store the
restore password associated with the archived keystore as you will need it for various
FIPS operations. If you forget the restore password you can create a newone fromthe
serial console and then re-export the configuration.
To import the keystore, select the Import Key Store and Device Certificate(s) checkbox
and import your configuration. After the import process has completed, open a serial
consolefor that FIPSapplianceandenter 9for FIPSOptions andthen1 toselect Complete
import of keystoreandserver certificates. If thekeystoreis different fromtheoneinstalled
on the HSMyou will be prompted for the keystores restore password.
NOTE: If youreboot theFIPSappliancewithout performingtheserial console
stepabove, youarepromptedtoimport thekeystoreduringtheboot process.
Enter y to import the keystore. If you do not enter y within five seconds, the
FIPS appliance continues to boot normally. If this occurs, performthe serial
console step after the FIPS appliance completes its boot process.
If the FIPS appliance is in a cluster, go to each node within the cluster and performthe
serial console step above to complete the keystore import process.
Related
Documentation
FIPS Overviewon page 969
FIPS Device Status LEDBehavior
There are three device status LEDs located on the FIPS card:
S (Status)
F (FIPS)
975 Copyright 2011, Juniper Networks, Inc.
Chapter 42: SA4500 and SA6500 FIPS Appliances
I (INIT)
Table 47: Status LED
Description Color and State LED
Bootstrap
firmware is
executing
Off STATUS
IDLE,
OPERATIONAL,
or FAILSAFE
state
Blinking green
POST or
DISABLEDstate
(driver not
attached)
Green
Error occurred
during boot
process
Blinking red
HALTED (fatal
error) state or
when a
low-level
hardware
initialization
failure occurred
Red
Operating in
non-FIPS mode
Off FIPS
Operating in
FIPS mode
Green
Zeroize jumper
is present
Blinking yellow
Board is not
initialized
Off INIT
Boardinitialized
by security
officer
Green
POST,
DIAGNOSTIC or
FAILSAFE
(firmware not
upgraded) state
Yellow
Running
diagnostics
Blinking yellow
Copyright 2011, Juniper Networks, Inc. 976
Junos Pulse Secure Access Service Administration Guide
Related
Documentation
FIPS Overviewon page 969
977 Copyright 2011, Juniper Networks, Inc.
Chapter 42: SA4500 and SA6500 FIPS Appliances
Copyright 2011, Juniper Networks, Inc. 978
Junos Pulse Secure Access Service Administration Guide
CHAPTER 43
Compression
About Compression on page 979
Enabling System-Level Compression on page 981
About Compression
Secure Access improves performance by compressing common types of Web and file
data such as HTML files, Word documents, and images.
Secure Access determines whether it should compress the data accessed by users by
using the following process:
1. Secure Access verifies that the accessed data is a compressible type. Secure Access
supports compressing many common data types such as such as HTML files, and
Word documents.
2. If the user is accessing Web data, Secure Access verifies that the users browser
supports compression of the selected data type.
Secure Access determines compression supportability based on the browsers
user-agent andtheaccept-encodingheader. SecureAccess supports thecompression
of all of thestandardWebdatatypes if it determines that theuser-agent is compatible
with Mozilla 5, Internet Explorer 5, or Internet Explorer 6. Secure Access only supports
compressing HTML data, however, if it determines that the browsers user-agent is
only compatible with Mozilla 4.
3. SecureAccess verifies that compressionis enabledat thesystemlevel. Youcanenable
system-level compression through the Maintenance > System> Options page of the
admin console.
4. Secure Access verifies that compression resource policies or autopolicies are enabled
for the selecteddatatype. Secure Access comes withresource policies that compress
data. You may enable these policies or create your own through the following pages
of the admin console:
Users > Resource Policies > Web > Compression.
Users > Resource Policies > Files > Compression.
You may also create resource profile compression autopolices through the Users >
Resource Profiles > Web > Web Applications/Pages page of the admin console.
979 Copyright 2011, Juniper Networks, Inc.
If all of these conditions are met, the SA Series SSL VPNAppliance runs the appropriate
resource policy either compresses or does not compress the data accessed by the user
based on the configured action.
If all of these conditions are not met, the SA Series SSL VPNAppliance does not run the
appropriate resource policy andnoresource policy items appear inthe SASeries log files.
The SASeries SSL VPNAppliance comes pre-equipped with three resource policies that
compress Web and file data. If you are upgrading froma pre-4.2 version of the SA Series
SSLVPNAppliancesoftwareandyoupreviously hadcompressionenabled, thesepolicies
are enabled. Otherwise, if you previously had compression disabled, these policies are
disabled.
The Web and file resource policies created during the upgrade process specify that the
SASeries SSL VPNAppliance shouldcompress all supportedtypes of WebandFile data,
including types that were not compressed by previous versions of the appliance. All data
types that werenot compressedby previous product versions aremarkedwithanasterisk
(*) in the supported data types list below.
The SASeries SSL VPNAppliance supports compressing the following types of Weband
file data:
text/plain (.txt)
text/ascii (.txt)*
text/html (.html, .htm)
text/css (.css)
text/rtf (.rtf)
text/javascript (.js)
text/xml (.xml)*
application/x-javascript (.js)
application/msword (.doc)
application/ms-word (.doc)*
application/vnd.ms-word (.doc)*
application/msexcel (.xls)*
application/ms-excel (.xls)*
application/x-excel (.xls)*
application/vnd.ms-excel (.xls)*
application/ms-powerpoint (.ppt)*
application/vnd.ms-powerpoint (.ppt)*
Copyright 2011, Juniper Networks, Inc. 980
Junos Pulse Secure Access Service Administration Guide
NOTE: The data types denoted by an asterisk * were not compressed by
pre-4.2 versions of the SA Series SSL VPNAppliance software.
Alsonotethat theSASeries SSLVPNAppliancedoes not compress files that
you uploadonly files that you download fromthe SA Series SSL VPN
Appliance.
Additionally, theSASeries SSLVPNAppliancesupports compressingthefollowingtypes
of files:
text/html (.html, .htm)
application/x-javascript (.js)
text/javascript (.js)
text/css (.css)
application/perl (.cgi)
Related
Documentation
Enabling System-Level Compression on page 981
Enabling System-Level Compression
To enable system-level compression:
1. In the admin console, choose Maintenance > System> Options.
2. Select the Enable gzip compression checkbox to reduce the amount of data sent to
browsers that support HTTPcompression. Note that after you enable this option, you
must also configure Web and file resource policies specifying which types of data the
SA Series SSL VPN Appliance should compress.
3. Click Save Changes.
Related
Documentation
About Compression on page 979
981 Copyright 2011, Juniper Networks, Inc.
Chapter 43: Compression
Copyright 2011, Juniper Networks, Inc. 982
Junos Pulse Secure Access Service Administration Guide
CHAPTER 44
Multi-Language Support
About Multi-Language Support for the SA Series SSL VPN Appliance on page 983
Encoding Files for Multi-Language Support on page 984
Localizing the User Interface on page 984
Localizing CustomSign-In and SystemPages on page 985
About Multi-Language Support for the SASeries SSL VPNAppliance
SASeries SSLVPNAppliances providemulti-languagesupport for fileencoding, end-user
interface display, and customized sign-in and systempages. The SSL VPN appliances
support the following languages:
English (US)
Chinese (Simplified)
Chinese (Traditional)
French
German
Japanese
Korean
Spanish
NOTE: Juniper Networks translates the SASeries end-user console and help
systems into the languages listed above. Note, however, that the translated
end-user help is not available in the first release of the product. Juniper
Networks makes a translated version of the help available in the first
maintenance release after the general availability release.
Related
Documentation
Encoding Files for Multi-Language Support on page 984
Localizing the User Interface on page 984
Localizing CustomSign-In and SystemPages on page 985
983 Copyright 2011, Juniper Networks, Inc.
Encoding Files for Multi-Language Support
Character encoding is a mapping of characters and symbols used in written language
into a binary format used by computers. Character encoding affects howyou store and
transmit data. TheencodingoptioninUsers >ResourcePolicies >Files >Encodingallows
you to specify the encoding to use when communicating with Windows and NFS file
shares. The encoding option does not affect the end-user language environment.
To specify the internationalization encoding for SA Series traffic:
1. In the admin console, choose Users > Resource Policies > Files > Encoding.
2. Select the appropriate option:
Western European (ISO-8859-1) (default) (Includes English, French, German,
Spanish)
Simplified Chinese (CP936)
Simplified Chinese (GB2312)
Traditional Chinese (CP950)
Traditional Chinese (Big5)
Japanese (Shift-JIS)
Korean
3. Click Save Changes.
Related
Documentation
About Multi-Language Support for the SA Series SSL VPN Appliance on page 983
Localizing the User Interface on page 984
Localizing CustomSign-In and SystemPages on page 985
Localizing the User Interface
The SA Series SSL VPNAppliance provides a means to display the end-user interface in
oneof thesupportedlanguages. Combiningthis featurewith(custom) sign-inandsystem
pages and a localized operating systemprovides a fully localized user experience.
Whenyouspecifyalanguage, theSASeriesSSLVPNAppliancedisplaystheuser interface,
including all menu items, dialogs generated by the SA Series SSL VPN Appliance, and
the help file in the chosen language for all users regardless of which realmthey sign in
to.
To configure localization options:
1. In the admin console, choose Maintenance > System> Options.
Copyright 2011, Juniper Networks, Inc. 984
Junos Pulse Secure Access Service Administration Guide
2. Use the End-user Localization drop-down list to specify the language in which to
display theend-user interface(optional). If youdonot specify alanguage, theend-user
interface displays based on the settings of the browser.
3. Click Save Changes.
Related
Documentation
About Multi-Language Support for the SA Series SSL VPN Appliance on page 983
Encoding Files for Multi-Language Support on page 984
Localizing CustomSign-In and SystemPages on page 985
Localizing CustomSign-In and SystemPages
The SA Series SSL VPN Appliance provides several zip files that contain different sets
of sample template files for various pages that may appear during the sign-in process.
Use these template files along with the template toolkit language to create localized
customsign-in and systempages for your end-users. For more information about the zip
files andthetemplatefiles they contain, as well as informationabout thetemplatetoolkit
language, see the CustomSign-In Pages Solution Guide.
Editing the default sign-in page using text in the language of your choice is a quick way
to provide your users with a localized sign-in page.
Related
Documentation
About Multi-Language Support for the SA Series SSL VPN Appliance on page 983
Encoding Files for Multi-Language Support on page 984
Localizing the User Interface on page 984
985 Copyright 2011, Juniper Networks, Inc.
Chapter 44: Multi-Language Support
Copyright 2011, Juniper Networks, Inc. 986
Junos Pulse Secure Access Service Administration Guide
CHAPTER 45
Handheld Devices and PDAs
Handheld Devices and PDAs on page 987
Task Summary: Configuring the SA Series SSL VPN Appliance for PDAs and
Handhelds on page 988
Defining Client Types on page 990
Enabling WSAMon PDAs on page 991
Enabling ActiveSync For Handheld PDAs on page 992
Handheld Devices and PDAs
In addition to allowing users to access the SA Series SSL VPN Appliance fromstandard
workstations and kiosks, the SA Series SSL VPN Appliance also allows end-users to
access the SA Series SSL VPN Appliance fromconnected PDAs, handhelds and smart
phones such as i-mode and Pocket PC. When a user connects froma PDA or handheld
device, the SA Series SSL VPN Appliance determines which pages and functionality to
display basedonsettings inthe System>Configuration>Client Types page of the admin
console. By default, settings in this page specify that when accessing the SA Series SSL
VPN Appliance using a(n):
i-mode deviceThe SA Series SSL VPN Appliance displays compact HTML (cHMTL)
pages without tables, images, JavaScript, Java, or frames to the user. Depending on
which features you enable through the admin console, the end-user may browse the
Web, link to Web bookmarks, single sign-on to other applications, and edit their
preferences (includingclearingtheir cacheandeditingtheir SASeries/LDAPpassword).
The SA Series SSL VPN Appliance allows i-mode users to access supported features
using access keys on their phones keypad as well as through standard
browse-and-select navigation.
Pocket PC deviceThe SA Series SSL VPN Appliance displays mobile HTML pages
with tables, images, JavaScript and frames, but does not process Java. Depending on
whichfeatures youenablethroughtheadminconsole, theend-user may access Mobile
Notes and OWA email applications, browse the Web, link to Web bookmarks, single
sign-on to other applications, and edit their preferences (including clearing their cache
and editing their SA Series/LDAP password).
PDA and handheld users cannot access the admin console or most of the SA Series
advancedoptions, includingfilebrowsing, NetworkConnect, SecureMeeting, Telnet/SSH,
987 Copyright 2011, Juniper Networks, Inc.
Email Client, Host Checker, and Cache Cleaner, since PDA and handheld devices do not
generallysupport theActiveX, Java, or JavaScript controls onwhichthesefeatures depend.
Also note that i-mode users cannot access cookie-based options, including session
cookies and SiteMinder authentication and authorization, since most i-mode browsers
do not support HTTP cookies. The SA Series SSL VPN Appliance rewrites hyperlinks to
include the session ID in the URL instead of using cookies. The SA Series SSL VPN
Appliance reads the session ID when the user accesses the URL.
NOTE: In order to improve the response time, the following icons are not
displayed when accessing the SA Series home page: help, sign out, open
bookmark in newpage, and WSAM.
Related
Documentation
Task Summary: ConfiguringtheSASeries SSLVPNAppliancefor PDAs andHandhelds
on page 988