Setting Up Nsm To Work With Infranet Controller And Infranet Enforcer; Avoiding Naming Conflicts Of The Authorization Server Object - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual


Setting Up NSM to Work With Infranet Controller and Infranet Enforcer

Copyright © 2010, Juniper Networks, Inc.

A ScreenOS firewall that is managed by NSM can also be configured as an Infranet Enforcer in a UAC solution.

The Infranet Controller specifies an authorization server $infranet for each Infranet Enforcer in its list. This name is required for correct operation between the Infranet Controller and the Infranet Enforcer. Conversely, if NSM has multiple Infranet Enforcers in its global domain, it will distinguish among them by renaming additional Infranet Enforcers $infranet_1, $infranet_2, and so on. To resolve this naming conflict, you must move each Infranet Controller to a separate NSM domain.

In addition, because the Infranet Controller regularly changes its NACN password with the Infranet Enforcer, you should always import the Infranet Enforcer into NSM before performing a device update to it.

The following procedures prevent these conflicts between NSM and the Infranet Controller:

Avoiding Naming Conflicts of the Authorization Server Object
Avoiding NACN Password Conflicts

Avoiding Naming Conflicts of the Authorization Server Object

To avoid naming conflicts with the authorization server objects, follow these steps:
1. On the Infranet Controller, create the Infranet Enforcer instances:
   a. On the Infranet Controller, select UAC -> Infranet Enforcer -> Connection.
   b. Click New Enforcer.
   c. Fill out the information requested in the display. Enter an NACN password. Remember it because you will need to use it again while setting up the Infranet Enforcer. If you are setting up a cluster instead of a single device, enter all the serial numbers in the cluster, one per line.
   d. Click Save Changes.
   e. Repeat Steps b through d until all of your Infranet Enforcers have been entered.
2. If you do not have one already, create a CA certificate for each Infranet Enforcer.
   a. Create a certificate signing request (CSR) for an Infranet Controller server certificate, and use the CA certificate to sign the server certificate.
   b. Import the server certificate into the Infranet Controller.
   c. Import the CA certificate into the Infranet Enforcer.
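
Step 2 worked through as an added example, not part of the Juniper guide: it assumes OpenSSL acts as the CA (the guide names no tool) and uses constructed names (Example UAC CA, ic.example.test, ssl.cnf). The locally generated CSR stands in for the one created for the Infranet Controller.

```bash
# Added example: a private CA signs a server CSR, then the chain is verified.
set -eu

write_cfg() {  # minimal OpenSSL config so results do not depend on system defaults
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

make_ca() {  # $1 = work directory, $2 = CA common name (constructed)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/ssl.cnf" -extensions v3_ca -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_csr() {  # stand-in for the CSR created for the Infranet Controller
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ssl.cnf" \
    -subj "/CN=ic.example.test" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

sign_csr() {  # CA signs the CSR; extensions limit the cert to TLS server use
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/ssl.cnf" \
    -extensions v3_server -out "$1/server.crt" 2>/dev/null
}

verify_chain() {  # $1 = CA cert to trust, $2 = server cert; non-zero if untrusted
  openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  write_cfg "$d/ssl.cnf"; make_ca "$d" "Example UAC CA"; make_csr "$d"; sign_csr "$d"
  verify_chain "$d/ca.crt" "$d/server.crt" && echo "server cert chains to CA"
  rm -rf "$d"
}
demo
```

Running `verify_chain` against the CA file that will be imported into the Infranet Enforcer confirms, before import, that the server certificate was signed by that CA and not by another one.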