Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INFRANET CONTROLLER GUIDE REV 01 Manual
Network and Security
Manager
Configuring Infranet Controllers Guide
Release
2010.4
Published: 2010-11-17
Revision 01
Copyright © 2010, Juniper Networks, Inc.


Summary of Contents for Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INFRANET CONTROLLER GUIDE REV 01

  • Page 1 Network and Security Manager Configuring Infranet Controllers Guide Release 2010.4 Published: 2010-11-17 Revision 01 Copyright © 2010, Juniper Networks, Inc.
  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7: Table Of Contents

    Using Job Manager .......... 20
  • Page 8 Controller Users (NSM Procedure) .......... 70
  • Page 9 Procedure) .......... 118
  • Page 10 Configuring Host Checker Automatic Installation (NSM Procedure) .......... 176 Configuring Infranet Controller Host Checker Logs (NSM Procedure) .......... 177
  • Page 11 Index .......... 223
  • Page 13: About This Guide

    Objectives Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices. Unified Access Control (UAC) solution is an IP-based enterprise infrastructure that...
  • Page 14 The angle bracket (>): Indicates navigation paths through the UI by clicking menu options and links. Example: Object Manager > User Objects > Local Objects. Table 3 on page xv defines syntax conventions used in this guide.
  • Page 15: List Of Technical Publications

    Unified Access Control Administration Guide: Provides comprehensive information about configuring the Unified Access Control solution and the Infranet Controller 4500 and 6500 appliances. Unified Access Control Quick Start Guide: Provides an example of configuring the Unified Access Control solution for a front-end server deployment scenario.
  • Page 16: Requesting Technical Support

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 17 Use the Case Management tool in the CSC at http://www.juniper.net/cm/ Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html
  • Page 19: Getting Started

    PART 1 Getting Started: Understanding an Infranet Controller Configuration on page 3; Infranet Controller and NSM Installation Overview on page 7.
  • Page 21: Understanding An Infranet Controller Configuration

    The Infranet Controller and the NSM application communicate through the Device Management Interface (DMI). DMI is a collection of schema-driven protocols that run on a common transport (that is, TCP). DMI is designed to work with Juniper Networks platforms to make device management consistent across all administrative realms.
  • Page 22 To allow NSM to manage the Infranet Controller using the DMI protocol, NSM must import the schema and metadata files from the Juniper Networks Schema Repository, a publicly accessible resource that is updated with each device release. In addition to downloading the Infranet Controller’s current schema, NSM may also download upgraded software.
  • Page 23: Infranet Controller Services And Device Configurations Supported In Nsm

    Editing licensing information (although licenses can be viewed); Packaging log files or debug files for remote analysis. Related Documentation: NSM and Device Management Overview on page 3; Communication Between an Infranet Controller and NSM Overview on page 3.
  • Page 25: Infranet Controller And Nsm Installation Overview

    Configure an SSL connection between the Infranet Controller appliance and your Infranet Enforcer appliances and/or 802.1X switches. See the Juniper Networks Unified Access Control Quick Start Guide or Part 1, “Getting Started,” of the Juniper Networks Unified Access Control Administration Guide.
  • Page 26: Nsm Installation Overview

    NSM Installation Overview NSM is a software application that enables you to integrate and centralize management of your Juniper Networks environment. You need to install two main software components to run NSM: the NSM management system and the NSM user interface (UI).
  • Page 27: Integrating Infranet Controllers

    PART 2 Integrating Infranet Controllers: Adding Infranet Controllers on page 11; Adding Infranet Controller Clusters on page 23; Using Templates on page 29.
  • Page 29: Adding Infranet Controllers

    Adding the Infranet Controller Device Through NSM on page 12; Configuring and Enabling the DMI Agent on the Infranet Controller Device on page 13; Confirming Connectivity and Importing the Infranet Controller Device Configuration on page 14.
  • Page 30: Installing And Configuring The Infranet Controller Device

    DMI agent role or realms. For complete details on installing and configuring Infranet Controller devices, see the Juniper Networks Unified Access Control Administration Guide. Adding the Infranet Controller Device Through NSM To add the Infranet Controller device through the NSM UI: From the left pane of the NSM UI, click Configure.
  • Page 31: Device

    Under DMI settings for outbound connections, enter the device server's IP address in the Primary Server box. Enter 7804 in the Primary Port box. Fill in the Backup Server and Backup Port boxes, if a device server is configured for high availability.
  • Page 32 Device Manager in NSM. See “Verifying Imported Device Configurations (NSM Procedure)” for details. Related Documentation: Importing an Infranet Controller Through Reachable Workflow on page 15; Creating and Applying an Infranet Controller Template on page 29; Verifying Imported Device Configurations on page 19.
  • Page 33: Requirements For Importing An Infranet Controller Into Nsm Through A Reachable

    Click Next to accept the fingerprint. The Detecting Device dialog box opens. After the wizard displays the autodetected device information, verify that the device type, OS version, and the device serial number are correct. The wizard also detects
  • Page 34: Importing Multiple Infranet Controllers

    Controllers are deployed on your network but also on the device family. Juniper Networks provides CSV templates in Microsoft Excel format for each type of CSV file. These templates are located in the utils subdirectory where you have stored the program files for the UI client.
  • Page 35 Sample CSV rows:
    Ic-6000, blue, ic, IC-6000, none, root, 2.2, netscreen
    Ic-6500, pink, ic, IC-6500, none, root, 2.2, netscreen
    Ic-4000, cyan, ic, IC-4000, none, root, 2.2, netscreen
    Ic-4500, pink, ic, IC-4500, none, root, 2.2, netscreen
    Save the file as a .csv file.
  • Page 36: Validating The Csv File

    .cli file on the physical security device. Click Next. The Add Device wizard validates the CSV file and provides a validation report. Select Cancel to quit the Add Many Devices process.
  • Page 37: Verifying Imported Device Configurations

    Investigate, expand Realtime Monitor, and select Device Monitor. From the Device Monitor workspace, check the following parameters for your imported device: The Configured Status column says “Managed In Sync”. The Connection Status column says “Up”.
  • Page 38: Using Device Manager

    Select the device you just imported and click OK. NSM analyzes the UI device object configuration and generates a summary report that lists the CLI commands or XML messages to send to the physical device during the next device update.
  • Page 39 Related Documentation: Importing an Infranet Controller Device Through Not Reachable Workflow on page 11; Importing an Infranet Controller Through Reachable Workflow on page 15.
  • Page 41: Adding Infranet Controller Clusters

    Before you can add a cluster member in NSM, the device administrator must have already created the cluster and added, configured, and enabled the physical cluster member. See the Juniper Networks Unified Access Control Administration Guide for details on creating and configuring clusters.
  • Page 42: Adding An Infranet Controller Cluster With Imported Cluster Members

    Expand Device Manager and select Devices. The Devices workspace appears on the right side of the screen. Click the Device Tree tab, click the New button, and select Cluster. The New - Cluster dialog box appears.
  • Page 43: Adding The Cluster Members In Nsm

    Enter an admin user name for the device admin. Set the admin user password and the first connection one-time password: Select the corresponding Set Password box and enter a new password. Confirm the new password and click OK.
  • Page 44 NOTE: The SSH port number for a cluster member is 22 by default and cannot be modified. Click Next. The Infranet Controller device is detected and the Infranet Controller details are displayed.
  • Page 45: Configuring And Enabling The Dmi Agent On The Cluster

    Importing an Infranet Controller Through Reachable Workflow on page 15; Creating and Applying an Infranet Controller Template on page 29; Verifying Imported Device Configurations on page 19; Infranet Controllers Clusters in NSM Overview on page 23.
  • Page 47: Using Templates

    Name the Infranet Controller template, and select a color for the template. Enter the following basic information: Device description; IP address; Admin user name; Admin user password. Click OK to save the template. The newly created templates will appear under the Device Template Tree.
  • Page 48: Applying The Template

    To apply the settings to the device itself, run the Update Device directive to push the configuration to the device. Related Documentation: Promoting an Infranet Controller Configuration to a Template on page 31; Verifying Imported Device Configurations on page 19.
  • Page 49: Promoting An Infranet Controller Configuration To A Template

    Click OK. The Infranet Controller configuration reverts to the template default values. Related Documentation: Creating and Applying an Infranet Controller Template on page 29; Promoting an Infranet Controller Configuration to a Template on page 31.
  • Page 51: Configuring An Infranet Controller

    Configuring Infranet Enforcer Policies on page 93; Configuring Host Enforcer Policies on page 105; Configuring IF-MAP Federation Settings on page 107; Configuring Authentication Servers on page 117; Configuring Sign-In Policies on page 149; Configuring Host Checker Policies on page 155.
  • Page 53: Configuring User Roles And Administrator Roles

    Click the New button. The New dialog box appears. Add or modify settings on the General tab as specified in Table 6 on page 36. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 54 Certificate Restrictions: Specifies certificate restrictions. See "Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure)." Host Checker Restrictions: Specifies Host Checker restrictions. See "Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure)." General > Session Options tab
  • Page 55 Heartbeat Timeout (seconds): Specifies the amount of time that the Infranet Controller should “wait” before terminating a session when the endpoint does not send a heartbeat response. Your Action: Enter the heartbeat timeout in seconds.
  • Page 56 Background color: Displays the background color for the header area of the Infranet Controller welcome page. Your Action: Type the hexadecimal number for the background color, or click the Color Palette icon and pick the desired color.
  • Page 57 Configuring OAC Settings for a User Role (NSM Procedure) on page 42; Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on page 48; Delegating Management Tasks to Infranet Controller Administrator Roles (NSM Procedure) on page 55; Verifying Imported Device Configurations on page 19.
  • Page 58: Configuring Access Options On An Infranet Controller User Role

    Install Java Agent for this role: Allows the user to download and install the lightweight Java agent for Macintosh or Linux platforms. Your Action: Select this option to install the Java agent for this role.
  • Page 59: Procedure)

    %USERNAME% in the script path name. For example: \\abc\users\%USERNAME%\myscript.bat odyssey-settings: Specifies the IC Access and Installer settings. Your Action: Click the odyssey-settings button. See “Configuring Preconfigured OAC Settings for a User Role (NSM Procedure)”. Agentless tab
  • Page 60: Configuring Oac Settings For A User Role (Nsm Procedure)

    Click the Configuration tab. In the configuration tree, select Users > User Roles. Add or open a user role and click the Agent tab. Click the odyssey-settings button and configure the settings as specified in Table 8 on page 43.
  • Page 61 Infranet Controller and prevents the user from disconnecting from this Infranet Controller. The user also cannot delete the properties of this Infranet Controller from the Odyssey Access Client configuration.
  • Page 62 Windows session. If you choose this option and if you have configured single sign-on, Odyssey Access Client does not prompt the user for the password.
  • Page 63 If you leave the Anonymous name box blank, Odyssey Access Client passes the user’s login name (inner identity) as the outer identity. credentials are secure from eavesdropping and the user’s inner identity is protected.
  • Page 64 Wi-Fi Protected Access (WPA). WPA—Connects to a network through an access point that implements WPA. WPA2—Connects to a network through an access point that implements WPA2, the second generation of WPA that satisfies 802.11i.
  • Page 65 Configuring Infranet Controller User Roles (NSM Procedure) on page 35; Configuring Access Options on an Infranet Controller User Role (NSM Procedure) on page 40; Delegating Management Tasks to Infranet Controller Administrator Roles (NSM Procedure) on page 55.
  • Page 66: Creating And Configuring Infranet Controller Administrator Roles

    UI Options: Specifies the logo, color, navigation menus and the copyright notice. Your Action: Select General > UI Options to apply the settings to the role.
  • Page 67 Select Deny access to prevent users from using a browser that has a user-agent header containing the <browser_string> substring. Admin Role > General > Restrictions > Certificate Restrictions tab
  • Page 68 Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for the individual user role pages.
  • Page 69 Users realm. Admin Role > General > Delegated Administrator Settings > Management of Admin roles. Manage ALL admin roles: Manages all admin roles. Your Action: Select to manage all the admin roles.
  • Page 70 NOTE: All administrators that can manage admin roles and realms have at least read-only access to the admin role’s Name and Description and to the realm's Name and Description, as displayed on the General page.
  • Page 71 The minimum is 6 minutes. The default time limit for an administrator session is sixty minutes, after which the Infranet Controller ends the session and logs the event in the system log.
  • Page 72 Select Disabled to disable hierarchical menus for all members of the role.
  • Page 73: Delegating Management Tasks To Infranet Controller Administrator Roles

    ALL roles all roles roles, select those roles in the Non-members list and click Add to move them to the Members list.
  • Page 74 Delegate User Realms, and then select the Users role on the Delegate As Read-Only Realms page, then the Infranet Controller allows the delegated administrator role full management privileges to the Users realm.
  • Page 75 (Deny, Read, or Write) for the individual features within the category. Delegated Administrator Settings > Management of Admin realms. Manage ALL admin realms: Manages all admin realms. Your Action: Select to manage all the admin realms.
  • Page 76 Access Policies for an individual policy: Select the access level for the policy (Deny, Read, or Write). Policies: Provides custom access level. Your Action: Select the resource policy for which you want to provide a custom access level, and click Add.
  • Page 77 Configuring Infranet Controller User Roles (NSM Procedure) on page 35; Configuring OAC Settings for a User Role (NSM Procedure) on page 42; Configuring Access Options on an Infranet Controller User Role (NSM Procedure) on page 40.
  • Page 79: Configuring Security Requirements For Administrators And Users

    Administrators > Admin Roles > Select Role > General > Restrictions > Source IP Restrictions to configure source IP access restrictions for admin roles. Administrators > Admin Realms > Select Realm > Authentication Policies > Source IP to configure source IP access restrictions for admin realms.
  • Page 80 Related Documentation: Configuring Infranet Controller Browser Access Restrictions (NSM Procedure) on page 63; Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure) on page 64; Configuring Infranet Controller Password Access Restrictions (NSM Procedure) on page 66.
  • Page 81: Configuring Infranet Controller Browser Access Restrictions

    Users > User Roles > Select Role > General > Restrictions > Browser Restrictions to configure browser access restrictions for user roles. Add or modify settings as specified in Table 12 on page 64. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 82: Procedure)

    Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on page 48. Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure): Certificate access restrictions restrict Infranet Controller and resource access by requiring client side certificates.
  • Page 83 NOTE: This option is applicable for admin and user realms. Certificate Field: Specifies the certificate field information for the field/value pair. Your Action: Enter the certificate field information.
  • Page 84: Configuring Infranet Controller Password Access Restrictions

    Users > User Realms > Select Realm > Authentication Policies > Password to configure password access restrictions for user realms. Add or modify settings as specified in Table 14 on page 67. Click one: OK—Saves the changes.
  • Page 85: Procedure)

    Click the Device tree tab, and then double-click the Infranet Controller device for which you want to configure Host Checker access restrictions. Click the Configuration tab. In the configuration tree, select the level at which you want to implement Host Checker access restrictions: Realm level—Select:
  • Page 86 Table 16: Host Checker Access Restrictions for Realm Level Configuration Details (Field / Function / Your Action). Evaluate ALL policies: Specifies if all policies must be evaluated. Your Action: Select to evaluate all policies.
  • Page 87: Configuring Infranet Controller Radius Request Attribute Restrictions For User

    You can create RADIUS request attribute policies to require authentication requests to contain specific RADIUS attribute values. If an endpoint attempts to access a realm with a RADIUS request attribute policy, the endpoint must meet the conditions specified in the policy.
  • Page 88: Configuring The Number Of Concurrent Sessions And Concurrent Users For Infranet Controller Users (Nsm Procedure)

    Controller users. A user who enters a URL to one of this realm’s sign-in pages must meet any access management and concurrent user requirements specified for the authentication policy before the Infranet Controller presents the sign-in page to the user.
  • Page 89 Limit the number of concurrent sessions per user: Specifies whether the number of concurrent sessions per user is limited. Your Action: Select this option to limit the number of concurrent sessions per user.
  • Page 90 Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure) on page 67; Configuring Infranet Controller User Roles (NSM Procedure) on page 35; Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on page 48.
  • Page 91: Configuring The Infranet Controller Radius Server And Layer 2 Access

    Click the Device Tree tab, and then double-click the Infranet Controller device for which you want to configure authentication protocol sets. Click the Configuration tab. In the configuration tree, select Authentication > Signing In > Authentication Protocols.
  • Page 92 Authentication Protocol > TTLS. New TTLS: Specifies the inner authentication protocol. Your Action: If you select EAP-TTLS as the main authentication protocol, under TTLS click Add and select an inner authentication protocol from the New TTLS list.
  • Page 93: Using Radius Proxy

    To configure the Infranet Controller as a RADIUS server for an 802.1X network access device, perform these tasks: Configuring Location Groups (NSM Procedure); Configuring RADIUS Clients (NSM Procedure); Configuring a New RADIUS Vendor (NSM Procedure).
  • Page 94: Configuring Location Groups (Nsm Procedure)

    Enter a brief description for the location group. Sign-in Policy: Specifies the sign-in policy you want to associate with the location group. Your Action: Select the sign-in policy. MAC Authentication Realm: Specifies the MAC authentication realm. Your Action: Select the MAC authentication realm.
  • Page 95: Configuring Radius Clients (Nsm Procedure)

    You can modify the downloaded dictionary, and then upload it as a new make or model. Table 20: RADIUS Dictionary Configuration Details (Option / Function / Your Action). Name: Specifies the RADIUS dictionary name. Your Action: Enter a name for the RADIUS dictionary.
  • Page 96: Creating A Radius Dictionary Based On An Existing Model

    Click the Configuration tab. In the configuration tree, select UAC > Network Access > RADIUS Vendors. Add or modify RADIUS vendors on the RADIUS Vendors tab as specified in Table 21 on page 79. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 97: Creating A Radius Client

    Range: the IP address range for the network access devices, starting with the address specified for IP address. Your Action: Enter the IP address range. You can specify a range up to a maximum of 32,768 addresses.
  • Page 98: Configuring Radius Return Attributes Policies (Nsm Procedure)

    To configure RADIUS attributes policies: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Infranet Controller device for which you want to configure RADIUS return attributes policies.
  • Page 99 Specify the existing VLAN ID on the network infrastructure that you want to use for the role(s) to which this policy applies. Enable Return Attribute: Enables the return-attribute option. Your Action: Select this option to enable return attributes.
  • Page 100 RADIUS attributes policies should use the IP address of the Infranet Controller's internal interface. Select External if the endpoints on the configured VLAN should use the IP address of the Infranet Controller's external interface.
  • Page 101: Configuring Radius Request Attributes Policies (Nsm Procedure)

    Click the Configuration tab. In the configuration tree, select UAC > Network Access > RADIUS Attributes > RADIUS Request Attributes Policies. Add or modify RADIUS request attributes policies as specified in Table 24 on page 84. Click one: OK—Saves the changes.
  • Page 102: Configuring An Infranet Enforcer As A Radius Client Of The Infranet Controller (Nsm Procedure)

    Infranet Enforcer. When you use the following instructions, the Infranet Controller automatically creates an internal RADIUS client for the Infranet Enforcer that you cannot change. This RADIUS client for the Infranet Enforcer is not displayed in the Infranet Controller admin console.
  • Page 103: Non-Juniper 802.1X Supplicant Configuration Overview

    JUAC protocol. To configure a non-Juniper supplicant: Configure authentication protocols on the third-party supplicant per the instructions in the vendor’s documentation. Configure corresponding protocols on the Infranet Controller. See “Configuring Authentication Protocol Sets (NSM Procedure).”
  • Page 104 Complete the remaining steps in “Using the Infranet Controller for 802.1X Network Access (NSM Procedure).” Related Documentation: Configuring Location Groups (NSM Procedure) on page 76; Configuring RADIUS Clients (NSM Procedure) on page 77; Configuring a New RADIUS Vendor (NSM Procedure) on page 78.
  • Page 105: Configuring Authentication Realms

    When editing, start Specifies whether the Role Select this option to start editing on the Role on the Role Mapping tab should be Mapping page. Mapping page selected when you open the realm for editing. Copyright © 2010, Juniper Networks, Inc.
  • Page 106 You can find messages and warnings in the event log files. When an attribute server is down, user authentication does not fail. Instead, the groups or attributes list for role mapping and policy evaluation is empty. Copyright © 2010, Juniper Networks, Inc.
  • Page 107 Specify the number of minutes (5 to 1440). Related Configuring Role Mapping Rules (NSM Procedure) on page 90 Documentation Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure) on page 61 Copyright © 2010, Juniper Networks, Inc.
  • Page 108: Configuring Role Mapping Rules (Nsm Procedure)

    Stops evaluating role Select this option to stop evaluating role mapping rules when this mapping rules if the rules when specific conditions are met. rule matches user meets the conditions specified for this rule. Copyright © 2010, Juniper Networks, Inc.
  • Page 109 Select this option to specify that the rule is based the sets of is based on sets of on sets of merged roles. merged roles merged roles. assigned by each rule Related Creating an Authentication Realm (NSM Procedure) on page 87 Documentation Copyright © 2010, Juniper Networks, Inc.
  • Page 110: Configuring Infranet Controller Authentication Policies (Nsm Procedure)

    ...67. Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet Controller Users (NSM Procedure) on page 70. Configuring Infranet Controller RADIUS Request Attribute Restrictions for User Realms (NSM Procedure) on page 69.
  • Page 111: Configuring Infranet Enforcer Policies

    Click one: OK—Saves the changes. Cancel—Cancels the modifications. Table 27: Resource Access Policies Configuration Details (Option / Function / Your Action). Option: Name. Function: Specifies the resource access policy name. Your Action: Enter a name for the resource access policy.
  • Page 112 If you want to record deny actions in the User Access Log, select the Enforcer Deny Messages check box on the Log/monitoring > User Access > Settings page. The log records the user, source IP, destination IP, protocol, and destination port.
  • Page 113: Configuring Infranet Controller Ipsec Routing Policies (Nsm Procedure)

    Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure IPsec routing policies. Click the Configuration tab. In the configuration tree, select UAC > Infranet Enforcer > IPsec Routing.
  • Page 114 Function (continued): ...zone where the protected resources specified in this IPsec routing policy are located. This destination zone is configured on the Infranet Controller. Your Action: Enter the destination zone that is configured on the Infranet Enforcer. For example: enter trust.
  • Page 115 Members list before applying the policies to the roles. Related Documentation: Configuring Infranet Controller IP Address Pool Policies (NSM Procedure) on page 98; Configuring Infranet Enforcer Resource Access Policies (NSM Procedure) on page 93.
  • Page 116: Configuring Infranet Controller Ip Address Pool Policies (Nsm Procedure)

    Non-members list and click Add to move it to the Members list. To apply the policy to all Infranet Enforcers, do not add any Infranet Enforcers and leave the default setting (all).
  • Page 117: Configuring Infranet Controller Source Interface Policies (Nsm Procedure)

    Configuring Infranet Controller Source Interface Policies (NSM Procedure) A source interface policy specifies the source interface on the Infranet Enforcer that receives traffic from endpoints. The use cases for configuring source interface policies are limited.
  • Page 118 Option: Source Interface. Function: Specifies the interface on the Infranet Enforcer to which traffic from endpoints connects. Your Action: Specify the interface. To view the zone table on the Infranet Enforcer, enter the following command: get zone
  • Page 119: Configuring An Infranet Controller To Connect To A Screenos Enforcer

    Click the Configuration tab. In the configuration tree, select UAC > Infranet Enforcer > Connection. Click New (+). The New Infranet Enforcer dialog box appears. Select the ScreenOS option button from the Platform area. The ScreenOS Enforcer page appears. Enter a name for the ScreenOS Enforcer.
  • Page 120: Procedure)

    See the Unified Access Control Supported Platforms document for compatibility. The JUNOS Enforcer connects with the Infranet Enforcer over an SSL connection. To initiate the connection between the two appliances, you must specify the password and serial number of the JUNOS Enforcer.
  • Page 121: Procedure)

    Related Documentation: Configuring an Infranet Controller to Connect to a ScreenOS Enforcer (NSM Procedure) on page 101; Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure) on page 61; Configuring Infranet Controller Host Enforcer Policies (NSM Procedure) on page 105.
  • Page 123: Configuring Host Enforcer Policies

    ...Enforcer policy. Option: collection-of-resources. Function: Specifies the traffic you want to allow or deny on the endpoints. Your Action: Click collection-of-resources and add or modify resources, one rule per line, using the following syntax: [<protocol>'://']<host>['/'<net-mask>]':'<DestinationPorts>[':'<SourcePorts>]
  • Page 124 Related Documentation: Configuring Infranet Enforcer Resource Access Policies (NSM Procedure) on page 93; Configuring Infranet Controller IP Address Pool Policies (NSM Procedure) on page 98; Configuring Infranet Controller IPsec Routing Policies (NSM Procedure) on page 95.
  • Page 125: Configuring If-Map Federation Settings

    Click the Configuration tab. In the configuration tree, select System > IF-MAP Federation > Overview. From the IF-MAP Configuration list, select IF-MAP Server. Click the OK button to save the changes. From the This Server tab, select Clients and Replicas and click the New button.
  • Page 126: Configuring If-Map Client Settings On The Infranet Controller

    Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure IF-MAP client settings. Click the Configuration tab. In the configuration tree, select System > IF-MAP Federation > Overview. From the IF-MAP Configuration list, select IF-MAP Client.
  • Page 127: Configuring If-Map Session Export Policy On The Infranet Controller

    Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure a session-export policy. Click the Configuration tab. In the configuration tree, select System > IF-MAP Federation > Session-Export Policies.
  • Page 128 Function (continued): ...when an IF-MAP client has successfully matched the roles selected for this policy to roles based on session-import policies configured on the target device. Your Action: Select this option to stop matching roles after a successful match is found. Identity tab
  • Page 129 IF-MAP roles data. Set capabilities specified below—Select this option to set the specified capabilities. The Capabilities option appears. From Capabilities, click New and enter a specified capability. Device Attributes tab
  • Page 130: Configuring If-Map Session Import Policy On The Infranet Controller

    Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure a session-import policy. Click the Configuration tab. In the configuration tree, select System > IF-MAP Federation > Session-Import Policies.
  • Page 131 Match Criteria > Capabilities tab. Option: Match IF-MAP Capabilities. Function: Specifies that capability match should be used as the criteria for assigning roles. Your Action: Select this action and the following option appears. Capabilities—From Capabilities, click New and enter a specified capability.
  • Page 132: Procedure)

    For example, if you have a network in Boston and a network in London, you can run IF-MAP servers in both places and configure the IF-MAP servers in both locations to replicate data to one another. These connected IF-MAP servers are known as replicas.
  • Page 133 If the replica is a cluster, for survivability list the internal and external network interfaces of both cluster nodes.
  • Page 134 Configuring IF-MAP Session Import Policy on the Infranet Controller (NSM Procedure) on page 112; Configuring IF-MAP Server Settings on the Infranet Controller (NSM Procedure) on page 107; Configuring IF-MAP Client Settings on the Infranet Controller (NSM Procedure) on page 108.
  • Page 135: Configuring Authentication Servers

    Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure an anonymous server instance. Click the Configuration tab. In the configuration tree, select Authentication > Auth Servers.
  • Page 136: Creating A Custom Expression For An Authentication Server

    Select a logical operator and click the Insert Expression button to insert logical operators in expressions. Prebuilt Expressions: This node consists of expressions that function as templates for custom expressions. Select a prebuilt expression and click the Insert Expression
  • Page 137: Configuring An Infranet Controller Rsa Ace/Server Instance

    To reuse an existing expression, select the expression and click the Insert Expression button. NOTE: Refer to the Juniper Networks Unified Access Control Administration Guide for more information on variables and writing custom expressions. Enter a name for the custom expression.
  • Page 138 Infranet Controller. Server Catalog > Expressions tab. Option: name. Function: Specifies a name for the user expression in the ACE/Server user directory. Your Action: Enter a name for the user expression.
  • Page 139: Procedure)

    (Option / Function / Your Action). Option: Auth Server Name. Function: Specifies a name for the auth server. Your Action: Enter a name for the auth server. Option: Auth Server Type. Function: Specifies the auth server type. Your Action: Select AD/NT Server. AD/NT Settings > General tab
  • Page 140 Your Action (continued): ...> NTLMV2 (moderately secure) to enable this feature. Function (continued): ...credentials to NTLMv2. Option: NTLMV1 (least secure). Function: Allows the Infranet Controller to send user credentials to NTLMv1. Your Action: Select AD/NT Settings > General > NTLMV1 (least secure) to enable this feature.
  • Page 141 Option (continued): ...domain. Function (continued): ...domain local groups information. Your Action: Enter the name for the admin local group. Option: AD Group. Function: Specifies the group that contains the Active Directory administrators to enable centralized administration in an Active Directory domain. Your Action: Enter the name for the administrators group.
  • Page 142: Configuring An Infranet Controller Certificate Server Instance

    Server Catalog > Expressions tab. Option: Name. Function: Specifies a name for the user expression in the certificate server user directory. Your Action: Enter a name for the user expression.
  • Page 143: Configuring An Infranet Controller Ldap Server Instance (Nsm Procedure)

    Option: Auth Server Name. Function: Specifies a name for the auth server. Your Action: Enter a name for the auth server. Option: Auth Server Type. Function: Specifies the auth server type. Your Action: Select LDAP server. LDAP Settings > Basic Settings tab
  • Page 144 Option (continued): ...(seconds). Function (continued): ...want the Infranet Controller to wait for a connection to the primary LDAP server first, and then each backup LDAP server in turn. Your Action: Set the time required for the connection to time out.
  • Page 145 LDAP server’s rate-limiting feature is bypassed. LDAP Settings > Finding User Entries tab. Option: Base DN. Function: Searches for user entries. Your Action: Enter a base DN name. For example, enter DC=eng, DC=Juniper, DC=com.
  • Page 146 NOTE: Because the higher the number, the longer the query time, we recommend that you specify to perform the search no more than two levels deep.
  • Page 147 LDAP expressions. Option: Value. Function: Specifies the custom value of the LDAP server. Your Action: Enter a value for the LDAP server. Server Catalog > Attributes tab
  • Page 148: Configuring An Infranet Controller Local Authentication Server Instance

    Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure a local authentication server instance. Click the Configuration tab. In the configuration tree, select Authentication > Auth Servers.
  • Page 149 Option: Allow users to change their passwords. Function: Specifies that users can change their passwords. Your Action: Select Local Auth Settings > Allow users to change their passwords to enable this option.
  • Page 150 Function: Specifies the username of the user who you want to manage accounts for the selected authentication server. This user does not need to be added as a local user on the server. Your Action: Enter the username.
  • Page 151: Configuring An Infranet Controller Nis Server Instance (Nsm Procedure)

    OK—Saves the changes. Cancel—Cancels the modifications. Table 43: Infranet Controller NIS Server Instance Configuration Details (Option / Function / Your Action). Option: Auth Server Name. Function: Specifies a name for the auth server. Your Action: Enter a name for the auth server.
  • Page 152: Configuring An Infranet Controller Radius Server Instance (Nsm Procedure)

    Click the Configuration tab. In the configuration tree, select Authentication > Auth Servers. Add or modify RADIUS server settings as specified in Table 44 on page 135. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 153 Option: Users authenticate using tokens or one-time passwords. Function: Specifies that the password entered by the user cannot be submitted to other SSO enabled applications. Your Action: Select the Users authenticate using tokens or one-time passwords check box.
  • Page 154 Option (continued): ...Address for FRAMED-IP-ADDRESS attribute. Function: Specifies that the IP address returned from the Infranet Controller is used for the framed-IP-address attribute. Your Action: Select the Use NC assigned IP Address for FRAMED-IP-ADDRESS attribute check box. Server Catalog > Expressions tab
  • Page 155: Configuring An Infranet Controller Etrust Siteminder Server Instance

    Click the Configuration tab. In the configuration tree, select Authentication > Auth Servers. Add or modify eTrust SiteMinder server settings as specified in Table 45 on page 138. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 156 Function: Specifies a URL to which users are redirected when they sign out of the Infranet Controller (optional). If you leave this box empty, users see the default Infranet Controller sign-in page. Your Action: Enter a URL.
  • Page 157 Function: Specifies whether to send cookies either securely or nonsecurely. Your Action: Select the Protocol from the drop-down list: HTTPS—Sends cookies securely if other Web agents are set up to accept secure cookies. HTTP—Sends cookies nonsecurely.
  • Page 158 Function (continued): ...Web agent that you have already configured rather than contacting the SiteMinder policy server directly. Your Action (continued): ...Type > Form POST to contact the policy server to determine the appropriate sign-in page to display to the user.
  • Page 159 Function: Specifies the port for the protocol. Your Action: Enter port 80 for HTTP or port 443 for HTTPS. NOTE: This box is displayed only when you select the Form POST option from the Authentication Type drop-down list.
  • Page 160 Infranet Controller. The Infranet Controller then automatically signs in the user and establishes an Infranet Controller session. Siteminder Settings > Advanced tab
  • Page 161 Option (continued): ...Authenticating. Function: Specifies that the Infranet Controller should look up user attributes on the policy server immediately after authentication to determine if the user is truly authenticated. Your Action: Select Siteminder Settings > Advanced > Authorize while Authenticating.
  • Page 162 URL, the request should not fail. For example, if you enable the Ignore Query Data option, both of the following URLs are considered the same resource: http://foo/bar?param=value1 http://foo/bar?param=value2
  • Page 163 SiteMinder user directory. Related Documentation: Configuring an Infranet Controller Certificate Server Instance (NSM Procedure) on page 124; Configuring an Infranet Controller Anonymous Server Instance (NSM Procedure) on page 117.
  • Page 164: Configuring An Infranet Controller Mac Address Authentication Server For Unmanageable Devices (Nsm Procedure)

    00:11:22*:*:* (a single asterisk represents two characters). Option: Action. Function: Specifies if the MAC address is authenticated. Your Action: Select Allow to grant authentication. Select Deny to refuse authentication. MAC Address Authentication Server > MAC Addresses > Attributes
  • Page 165 Function: Associates the MAC address with a particular group or organization. For example: dept=eng represents that this MAC address belongs to engineering. Your Action: Enter a value. Related Documentation: Configuring an Infranet Controller LDAP Server Instance (NSM Procedure) on page 125.
  • Page 167: Configuring Sign-In Policies

    Click the Configuration tab. In the configuration tree, select Authentication > Signing In > Sign-in Policies > User/Administrator URLs. Add or modify the settings for the User/Administrator URLs as specified in Table 47 on page 150. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 168 Function (continued): ...want to associate with the sign-in policy. Your Action: Select the sign-in page. Option: User Type. Function: Specifies the user type. Your Action: Select Administrator, and click Add to move the required Admin Realms from the Non-members list to the Members list.
  • Page 169: Configuring User Sign-In Policies

    Click the Configuration tab. In the configuration tree, select Authentication > Signing In > Sign-in Policies > User/Administrator URLs. Add or modify the settings for the User/Administrator URLs as specified in Table 48 on page 152. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 170 Option (continued): ...their credentials with a suffix. Function (continued): ...before passing to authentication server to send the user name without the suffix. Most authentication servers are not compatible with a realm suffix or decorated username. Your Action: Select this option.
  • Page 171: Configuring Infranet Controller Standard Sign-In Pages (Nsm Procedure)

    HTML tags: <i>, <b>, <br>, <font> and <a href>. Header Appearance tab. Function: Specifies the logo and background color in the screen header. Your Action: Browse and select the logo image and select the background color.
  • Page 172 HTML file to upload to the Infranet Controller. NOTE: For information on customized sign-in pages, see the Custom Sign-In Pages Solution Guide. Related Documentation: Configuring Infranet Controller Sign-in Policies (NSM Procedure) on page 149.
  • Page 173: Configuring Host Checker Policies

    Infranet Controller. To use Host Checker as a policy enforcement tool for managing endpoints, you must create global Host Checker policies through the NSM UI, and then implement the policies at the realm or role levels.
  • Page 174 NOTE: To use Host Checker with Linux or Solaris, you must use the Firefox browser. Related Documentation: Configuring Advanced Endpoint Defense Policy (NSM Procedure) on page 157; Specifying Customized Requirements Using Custom Rules (NSM Procedure) on page 161; Enabling Customized Server-Side Policies (NSM Procedure) on page 168.
  • Page 175: Configuring Advanced Endpoint Defense Policy (Nsm Procedure)

    You can also create Host Checker policies that use third-party integrity measurement verifiers (IMVs) and third-party DLLs, or check for ports, processes, files, registry keys, and the NetBIOS name, MAC addresses, or certificate of the client machine.
  • Page 176: Configuring Virus Signature Version Monitoring And Patch Assessment

    To configure the Infranet Controller to automatically import the current virus signature version monitoring and patch management version from the Juniper Networks staging site: In the NSM navigation tree, select Device Manager > Devices.
  • Page 177 Option: Download Path. Function: Specifies the URL of the Juniper Networks staging sites. Your Action: The default URL of the staging site is displayed. Option: Download Interval. Function: Specifies how often you... Your Action: Select the interval.
  • Page 178 Function (continued): ...Management data is automatically updated. Your Action: Select this option to automatically update the patch management data. Option: Download Path. Function: Specifies the URL of the Juniper Networks staging sites. Your Action: The default URL of the staging site is displayed. Option: Download Interval. Function: Specifies how often you... Your Action: Select the interval.
  • Page 179: Specifying Customized Requirements Using Custom Rules (Nsm Procedure)

    ...that a client must run to verify a particular aspect of the client’s integrity, such as the client’s operating system, patch level, or virus protection. 2. Select the IMV option. 3. Click OK.
  • Page 180 (optional). 5. Select the Monitor this rule for change in result check box to continuously monitor the policy compliance of endpoints. 6. Click OK.
  • Page 181 (optional). 7. Select the Monitor this rule for change in result check box to continuously monitor the policy compliance of endpoints. 8. Click OK.
  • Page 182 The name can be up to 15 characters in length. You can use wildcard characters in the name and it is not case-sensitive. For example: md*, m*xp and *xp all match MDXP. 4. Click OK.
  • Page 183: Configuring A Patch Assessment Custom Rule (Nsm Procedure)

    To configure a patch assessment custom rule: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure a patch assessment custom rule.
  • Page 184 Select patches from the Non-members area and click Add to move the patches to the Members area. Select Enable SMS patch update to direct the Infranet Controller to notify the SMS server to update the client in the event of a failed patch assessment rule. SMS
  • Page 185: Configuring The Remote Imv Server (Nsm Procedure)

    Function (continued): ...remote IMV server. Your Action: Enter a name for the remote IMV server. Option: Description. Function: Describes the server. Your Action: Enter a brief description about the server. Option: Host. Function: Specifies the host. Your Action: Enter either the IP address or hostname as defined in the server certificate.
  • Page 186: Enabling Customized Server-Side Policies (Nsm Procedure)

    Enabling Customized Server-Side Policies (NSM Procedure) For Windows clients, you can create global Host Checker policies that take a third-party J.E.D.I. DLL that you upload to the Infranet Controller and run on client machines.
  • Page 187 NOTE: You cannot use wildcards in the process name. You can include an optional MD5 checksum for the process.
  • Page 188: Executing Host Checker Policies

    Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure) on page 67. Executing Host Checker Policies: When the user tries to access the Infranet Controller, Host Checker evaluates its policies in the following order:
  • Page 189 Infranet Enforcer resource access policy or Host Enforcer policy. When he does, the Infranet Enforcer or Odyssey Access Client determines whether or not to allow or deny the user access to the protected resource based on the user’s assigned role.
  • Page 190: Implementing Infranet Controller Host Checker Policies (Nsm Procedure)

    If the user’s computer does not meet the requirements, then the Infranet Controller denies access to the user unless you configure remediation actions to help the user bring his computer into compliance.
  • Page 191: Configuring Host Checker Restrictions

    Users > User Roles > Select Role > General > Restriction to configure user role-level restrictions. Configure role-level restrictions. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Configuring Host Checker Restrictions To configure Host Checker restrictions:
  • Page 192: Remediating Infranet Controller Host Checker Policies

    If you do not enable custom instructions or reason strings for a policy that fails, Host Checker does not display the remediation page to the user. Instead, a message appears telling the user that no additional information has been provided and to
  • Page 193: Configuring Infranet Controller General Host Checker Options

    Click the Configuration tab. In the configuration tree, select Authentication > Endpoint Security > Host Checker > Settings tab. Add or modify Host Checker settings as specified in Table 54 on page 176. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 194: Configuring Host Checker Automatic Installation (Nsm Procedure)

    You can configure the Infranet Controller to automatically install Host Checker on client computers only for agentless access deployments. NOTE: To install Host Checker, users must have appropriate privileges, as described in the Client-Side Changes Guide on the Juniper Networks Support site. To automatically install Host Checker on client computers: In the NSM navigation tree, select Device Manager >...
  • Page 195: Configuring Infranet Controller Host Checker Logs (Nsm Procedure)

    Select the Host Checker check box. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Related Documentation: Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure) on page 67; Creating Infranet Controller Global Host Checker Policies Overview on page 155.
  • Page 197: Managing An Infranet Controller

    Unified Access Control Manager on page 181; Using System Management Features in an Infranet Controller on page 187; Configuring the Infranet Controller to Interoperate with IDP on page 193; Troubleshooting an Infranet Controller on page 201.
  • Page 199: Unified Access Control Manager

    Controllers and port details. NSM displays only EX-series switches managed by a current domain in the enforcement point table. Selecting an enforcement point causes NSM to populate relevant information in the tab views. From the Infranet Controller tab view,
  • Page 200: Manager

    Select the EX-series switch to which the association has to be made, and move it to the Selected Enforcement Points list. Enter the RADIUS secret shared between the Infranet Controller and enforcement points.
  • Page 201: Disassociating The Configuration Between An Enforcement Point And An Infranet

    Select Run “Update Device” task to push configuration changes on both the Infranet Controller and enforcement points. The configuration status of the enforcement points changes to Managed, InSync.
  • Page 202: Enabling Dot1X Ports On The Enforcement Points Using The Uac Manager

    Multiple—Multiple hosts are individually authenticated. Single—Only the first host is authenticated. All the remaining hosts use the same authentication made by the first host. Select Enable reauthentication to allow reauthentication in case of authentication failures.
  • Page 203: Disabling The Dot1X Ports On An Enforcement Point Using The Uac Manager

    Related Documentation: Enabling Dot1x Ports on the Enforcement Points Using the UAC Manager on page 184; Associating Enforcement Points with an Infranet Controller Using the UAC Manager on page 182.
  • Page 204 Disassociating the Configuration Between an Enforcement Point and an Infranet Controller on page 183; UAC Manager in NSM Overview on page 181.
  • Page 205: Using System Management Features In An Infranet Controller

    Add icon. In the Binary Data dialog box, enter a name for the object, select a color for the object icon, add a comment if desired, and select the file you uploaded in Step 2.
  • Page 206: Configuring Infranet Controller System Options (Nsm Procedure)

    Click the Configuration tab. In the configuration tree, select System > Maintenance > System Maintenance Options. Add or modify settings as specified in Table 55 on page 189. Click one: OK—Saves the changes.
  • Page 207 Option (continued): ...Monitoring notifications of critical software patches and updates. Function (continued): ...about critical software patches and updates. To do this, it reports to Juniper Networks the following data: your company name, an MD5 hash of your license settings, and information describing the current software version.
  • Page 208: Removing An Infranet Controller From Nsm Management (Nsm Procedure)

    > DMI Agent. In the DMI Agent page, clear the Enabled check box. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Related Documentation: Removing an Infranet Controller from NSM Management (NSM Procedure) on page 190.
  • Page 209 Chapter 17: Using System Management Features in an Infranet Controller. Adding an Infranet Controller Cluster with Imported Cluster Members on page 24.
  • Page 211: Configuring The Infranet Controller To Interoperate With Idp

    Select IDP for this IC’s sessions only to restrict ISG-IDP to report attacks from end points whose authentication table entries are present on ISG-IDP. Do not select this option if you want attack alerts for attacks generated by unknown users to be published to IF-MAP.
  • Page 212: Configuring Infranet Controller Sensor Settings For Connecting To A Standalone Idp Device (Nsm Procedure)

    You can specify system settings that the Infranet Controller uses to establish a connection to a Juniper Networks Intrusion Detection and Prevention (IDP) device. The sensor settings allow you to perform a number of tasks related to configuring and managing interaction between the Infranet Controller and an IDP device.
  • Page 213: Enabling Or Disabling The Connection To An Existing Idp Device

    Click the Configuration tab. In the configuration tree, select System > Configuration > Sensors. Select the Sensors tab. The corresponding workspace appears. Click the IDP device entry you want to enable or disable. From the IDP device workspace, select the Enable/Disable Sensor option. Click one: Copyright © 2010, Juniper Networks, Inc.
  • Page 214: Configuring Sensor Event Policies (Nsm Procedure)

    Event: Specifies an existing event. Your action: Select an existing event.
    Event Count: Determines the number of times an event must occur before action is taken. Your action: Enter a number between 1 and 256.
  • Page 215 Except for those selected—To apply this policy to all users except for those who are mapped to the roles in the Members list. Make sure to add roles to this list from the Non-members list.
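    The two pages above describe a sensor event policy as a named event, an Event Count (1 to 256) that must be reached before the action is taken, and a role scope that is either all users, the roles in the Members list, or everyone except those roles. The following is an added example that is not code from the Juniper guide or from the Infranet Controller: it evaluates such a policy against a stream of constructed sensor alerts. The event name, user-to-role map, alert records and the action label are all assumptions made here for illustration.

```python
"""Evaluates a sensor event policy of the kind configured on pages 214 and 215.

Added example; it is not code from the Juniper NSM guide or from the Infranet
Controller. It reproduces only what those pages state: a policy names an
existing event, an Event Count between 1 and 256 that must be reached before
the action is taken, and a role scope of "all users", "selected roles" or
"all except the roles in the Members list". Alert records, the user-to-role
map, event names and the action label are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

MIN_EVENT_COUNT, MAX_EVENT_COUNT = 1, 256     # range stated on page 214
ROLE_SCOPES = ("all", "selected", "except")   # applicability choices on page 215


@dataclass
class SensorEventPolicy:
    event: str                        # an existing sensor event (constructed name)
    event_count: int                  # occurrences before action is taken
    action: str                       # hypothetical action label
    members: frozenset = frozenset()  # roles moved into the Members list
    applies_to: str = "all"           # one of ROLE_SCOPES

    def __post_init__(self):
        if not MIN_EVENT_COUNT <= self.event_count <= MAX_EVENT_COUNT:
            raise ValueError(f"event_count must be {MIN_EVENT_COUNT}..{MAX_EVENT_COUNT}")
        if self.applies_to not in ROLE_SCOPES:
            raise ValueError(f"applies_to must be one of {ROLE_SCOPES}")
        if self.applies_to != "all" and not self.members:
            # page 215: roles must be added to the Members list for a scoped policy
            raise ValueError("add roles to the Members list for a scoped policy")

    def applies_to_user(self, roles):
        """'selected' hits users mapped to a Members role; 'except' hits every
        user who is NOT mapped to one; 'all' hits everyone."""
        if self.applies_to == "all":
            return True
        mapped = bool(self.members & roles)
        return mapped if self.applies_to == "selected" else not mapped


class PolicyEngine:
    """Counts matching alerts per user and fires the action at Event Count."""

    def __init__(self, policy, user_roles):
        self.policy = policy
        self.user_roles = user_roles          # user -> frozenset of roles
        self._counts = defaultdict(int)

    def process(self, alert):
        """Return the policy action for one alert, or None."""
        if alert["event"] != self.policy.event:
            return None
        roles = self.user_roles.get(alert["user"], frozenset())
        if not self.policy.applies_to_user(roles):
            return None
        self._counts[alert["user"]] += 1
        if self._counts[alert["user"]] >= self.policy.event_count:
            self._counts[alert["user"]] = 0   # start a new window after acting
            return self.policy.action
        return None

    def run(self, alerts):
        fired = []
        for alert in alerts:
            action = self.process(alert)
            if action is not None:
                fired.append((alert["user"], action))
        return fired


# Constructed sample data: users, their IC roles, and a stream of sensor alerts.
USER_ROLES = {
    "alice": frozenset({"Employees"}),
    "bob": frozenset({"Contractors"}),
    "carol": frozenset({"Employees", "Admins"}),
}
SAMPLE_ALERTS = [
    {"user": "alice", "event": "scan-detected"},
    {"user": "bob", "event": "scan-detected"},
    {"user": "carol", "event": "scan-detected"},
    {"user": "alice", "event": "scan-detected"},
    {"user": "bob", "event": "other-event"},
    {"user": "carol", "event": "scan-detected"},
    {"user": "alice", "event": "scan-detected"},   # alice reaches 3
    {"user": "bob", "event": "scan-detected"},     # bob only reaches 2
    {"user": "carol", "event": "scan-detected"},   # carol reaches 3
    {"user": "alice", "event": "scan-detected"},   # first alert of a new window
]


def demo():
    """Policy: act after 3 scan alerts, for all users except Admins."""
    policy = SensorEventPolicy(event="scan-detected", event_count=3,
                               action="terminate-session",
                               members=frozenset({"Admins"}), applies_to="except")
    return PolicyEngine(policy, USER_ROLES).run(SAMPLE_ALERTS)


if __name__ == "__main__":
    print(demo())   # [('alice', 'terminate-session')]
```

    Note the difference the scope makes: with "except" and Admins in the Members list, carol's three alerts never fire because she holds the Admins role, while the same alert stream with "selected" fires only for her. The counter is kept per user and reset after the action so a persistent source keeps triggering every Event Count alerts rather than once.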
  • Page 216: Creating A Custom Expression For Sensor Settings (Nsm Procedure)

    Expressions editor. Also, some variables have extensions that are displayed in the drop-down list next to the variable. Double-click a variable to display its description and example usage. Click the example variable to insert it in the Expression area.
  • Page 217 Juniper IDP variable to display its description and example usage. Click the Juniper IDP variable example displayed to insert it in the Expression area. NOTE: Refer to the Juniper Networks Unified Access Control Administration Guide for more information on variables and writing custom expressions.
  • Page 219: Troubleshooting An Infranet Controller

    OK—Saves the changes. Cancel—Cancels the modifications. Related Documentation: Configuring IF-MAP Client Settings on the Infranet Controller (NSM Procedure) on page 108; Configuring IF-MAP Server Settings on the Infranet Controller (NSM Procedure) on page 107.
  • Page 221: Monitoring And Configuring Logs In An Infranet Controller

    PART 5 Monitoring and Configuring Logs in an Infranet Controller: Monitoring an Infranet Controller on page 205; Configuring Logs in an Infranet Controller on page 211.
  • Page 223: Monitoring An Infranet Controller

    Related Documentation: Viewing Device Status on page 205; Viewing Device Monitor Alarm Status on page 208. Viewing Device Status: Table 58 on page 206 lists and describes device information that you can view through the Device Monitor.
  • Page 224 A device in this state cannot connect to NSM. Update Needed—An update to this device is required. Managed—The device is currently being managed by NSM. Managed, In Sync—The physical device configuration is synced with the modeled configuration in NSM.
  • Page 225 N/A—The device's alarm is not pollable or discoverable; for example, this column shows N/A for ScreenOS and IDP devices. Alarm is color-coded: Red for Major. Orange for Minor. Green for Ignore, None, Unknown, or N/A.
  • Page 226: Viewing Device Monitor Alarm Status

    From Device Monitor, right-click the device row entry and select the View Alarm option. The device Alarm Status dialog box displays the alarm list and polling time for the device. Retrieve the current alarm status in the device by clicking the Refresh button.
  • Page 227 Chapter 20: Monitoring an Infranet Controller. The poll time is derived from the device server time. Related Documentation: Viewing Device Status on page 205; Realtime Monitor Overview on page 205.
  • Page 229: Configuring Logs In An Infranet Controller

    Select Authentication Reject Log Message to record events with unsuccessful authentication attempts. From the Non-members area, select the attribute for which unsuccessful authentication attempts should be recorded and then move it to the Members area. Click one: OK—Saves the changes.
  • Page 230: Configuring Event Logs (Nsm Procedure)

    Logs the system errors. Your action: Select this option to log system error details.
    Statistics: Logs the statistical details. Your action: Select this option to log statistical information.
    Performance: Logs the performance details. Your action: Select this option to log performance information.
  • Page 231: Configuring User Access Logs (Nsm Procedure)

    Click the Configuration tab. In the configuration tree, select System > Log/Monitoring > User Access. Add or modify settings as specified in Table 60 on page 214. Click one:
  • Page 232: Configuring Administrator Access Logs (Nsm Procedure)

    It also creates a log entry whenever an administrator signs in, signs out, or changes licenses on the appliance.
  • Page 233 Filter: Specifies the filter that you want to apply to the log file. Your action: Select the filter. Related Documentation: Configuring Client-Side Logs (NSM Procedure) on page 216.
  • Page 234: Configuring Client-Side Logs (Nsm Procedure)

    The Infranet Controller supports Simple Network Management Protocol version 2 (SNMPv2), implements a private MIB, and defines its own traps. To enable your network management station to process these traps, you need to download the Juniper Networks MIB file and specify the appropriate information to receive the traps.
  • Page 235 ... which you want the Infranet Controller to send the traps that it generates. Your action: Enter the hostname or IP address, port number, and community. Settings SNMP Queries: Specifies the SNMP queries for the Infranet Controller. Your action: Select this option.
  • Page 236: Configuring Custom Log Filters (Nsm Procedure)

    Add or modify settings as specified in Table 63 on page 218. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Table 63: Log Filter Configuration Details (Option, Function, Your Action). Filter Name: Specifies a name for the filter. Your action: Enter a name for the filter.
  • Page 237 Custom: Enter the format you want to use in Custom Format. When entering a format, surround variables with percentage symbols (for example %user%). All other characters in the field are treated as literals.
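    The rule on page 237 is small but worth having in executable form: a variable is a name wrapped in percent symbols and every other character, including an unpaired percent sign, is emitted as a literal. The following is an added example, not code from the Juniper guide or the Infranet Controller, that parses such a custom format, reports variables the log record cannot supply, and renders the line. The variable names and the sample record are constructed; the optional escaping of control characters in substituted values is an added hardening step against log injection (a username containing a newline forging a second log line), not something the page describes.

```python
"""Renders the custom log format described on page 237.

Added example; it is not code from the Juniper NSM guide or the Infranet
Controller. It implements the stated rule only: variables are written as
%name% and every other character is a literal. The variable names, the
sample record and the control-character escaping are constructed here; the
escaping is an added hardening step, not something the page describes.
"""
import re

# A variable is a percent-delimited name; an unpaired '%' (as in "100%")
# matches nothing and is emitted as a literal. The name charset is assumed.
VAR_RE = re.compile(r"%([A-Za-z0-9_.:-]+)%")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def parse_format(fmt):
    """Split a format string into ("lit", text) and ("var", name) tokens."""
    tokens, pos = [], 0
    for m in VAR_RE.finditer(fmt):
        if m.start() > pos:
            tokens.append(("lit", fmt[pos:m.start()]))
        tokens.append(("var", m.group(1)))
        pos = m.end()
    if pos < len(fmt):
        tokens.append(("lit", fmt[pos:]))
    return tokens


def unknown_variables(fmt, known):
    """Names used in fmt that the record will never supply (a config check)."""
    return sorted({n for kind, n in parse_format(fmt) if kind == "var" and n not in known})


def render(fmt, record, missing="-", escape=False):
    """Substitute record values for variables; literals pass through unchanged.

    With escape=True, control characters in substituted values are written as
    \\xNN so that a value such as a username containing a newline cannot forge
    an extra log line; literals in the format itself are never escaped.
    """
    out = []
    for kind, value in parse_format(fmt):
        if kind == "lit":
            out.append(value)
            continue
        text = str(record.get(value, missing))
        if escape:
            text = CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), text)
        out.append(text)
    return "".join(out)


# Constructed sample: field names are illustrative, not the IC's variable set.
SAMPLE_FORMAT = "%user% from %sourceip% (realm %realm%): %msg%"
SAMPLE_RECORD = {"user": "jdoe", "sourceip": "203.0.113.5",
                 "realm": "Users", "msg": "Login succeeded"}


def demo():
    """Render the constructed record with the constructed format."""
    return render(SAMPLE_FORMAT, SAMPLE_RECORD)


if __name__ == "__main__":
    print(demo())
    forged = {"user": "jdoe\nADM: admin signed in", "msg": "x"}
    print(render("%user%: %msg%", forged, escape=True))
```

    Run unknown_variables against the format at configuration time: a misspelled variable otherwise renders as the placeholder on every line and is easy to miss until the log is needed. Whether the Infranet Controller itself escapes control characters in substituted values is not stated on the page, so treat the escape option as a property of this example only.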
  • Page 238 Related Documentation: Configuring Client-Side Logs (NSM Procedure) on page 216; Configuring User Access Logs (NSM Procedure) on page 213; Configuring Administrator Access Logs (NSM Procedure) on page 214; Configuring the Infranet Controller as an SNMP Agent (NSM Procedure) on page 216.
  • Page 239: Index

    PART 6 Index: Index on page 223.
  • Page 241: Index

    Index
    customer support, contacting JTAC: xvi
    support, technical: see technical support
    technical support, contacting JTAC: xvi
