Configuring Antivirus For Firewall Rules - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide
User—Select the User object that represents the user you want to authenticate.
User Group—Select the User Group object that represents the users you want to authenticate.
Group Expression—Select the Group Expression object.
Allow Any—Use this option to authenticate any user or user group.

To authenticate RAS users with Authentication, you must include HTTP, FTP, or Telnet service objects in the Service column of the rule. You can include other services as well, or select any to specify all services. To make a connection to the destination IP address in the rule, the RAS user first initiates an HTTP, FTP, or Telnet connection to the destination address; the security device intercepts the request packet and responds with a login prompt for user credentials.

If the destination address is a subnet, the remote user must authenticate for each IP address in that subnet.

If the source address supports multiple remote user accounts (such as a Unix host running Telnet) or is located behind a NAT device that uses a single IP address for all NAT assignments, only the first remote user from that source address must initiate and authenticate an HTTP, FTP, or Telnet connection. All subsequent remote users from that source address do not need to authenticate, and can pass matching network traffic to the destination address.

To authenticate RAS users with Web Authentication, you must include an HTTP service object in the Service column of the rule. To make a connection to the destination address in the rule, the RAS user first initiates an HTTP connection to the Web Authentication server. The security device responds with a login prompt for user credentials.

Configuring Antivirus for Firewall Rules

To configure Antivirus protection for a firewall rule:

None—No Antivirus protection enabled.
Use External AV Server—Uses an external antivirus scanner. Select an external policy object that defines an external scanner.
Use Scan Manager—Scan Manager is an embedded scanning engine. To use Scan Manager, the security device you install the policy on must be a NetScreen-5GT or NetScreen-Hardware Security Client device running ScreenOS 5.0 - 5.2. If you install a policy that uses Scan Manager on a different device, the device executes and processes traffic according to the rule, but does not detect viruses using the embedded scanning engine.
Use Scan Manager with Profile—Scan Manager is an embedded scanning engine. This setting tells the device to use the global profile specified. This setting only works for devices running ScreenOS 5.3.
Use ICAP Profile—ICAP is a method of redirecting traffic to an ICAP-capable server running AV software. This feature is available on devices running ScreenOS 5.4 and higher.
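
Because a rule installed on an unsupported device still passes traffic without scanning it, a pre-deployment check of each rule's AV setting against its target devices is worth having. The following is an added example, not part of the Juniper guide or of NSM: the device names, the `example-other-model` platform, the version strings and the dictionary layout are constructed assumptions, and only the platform and ScreenOS limits come from the list above.

```python
import re

SCAN_MANAGER_PLATFORMS = {"NetScreen-5GT", "NetScreen-Hardware Security Client"}  # from the page

def parse_version(text):
    """Return (major, minor) from a ScreenOS version string such as '5.3.0r4'."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def av_problem(mode, platform, version):
    """Return None if the AV setting can take effect on the device, else a reason."""
    v = parse_version(version)
    if mode in ("None", "Use External AV Server"):
        return None  # the page states no platform or version limit for these
    if mode == "Use Scan Manager":
        if platform not in SCAN_MANAGER_PLATFORMS:
            return "embedded engine not available on this platform"
        if not (5, 0) <= v <= (5, 2):
            return "Scan Manager needs ScreenOS 5.0 - 5.2"
        return None
    if mode == "Use Scan Manager with Profile":
        return None if v == (5, 3) else "profile setting only works on ScreenOS 5.3"
    if mode == "Use ICAP Profile":
        return None if v >= (5, 4) else "ICAP needs ScreenOS 5.4 or higher"
    raise ValueError(f"unknown AV setting: {mode!r}")

def audit(rules, devices):
    """Return (rule_id, device, reason) for each rule/device pair where AV would not scan."""
    findings = []
    for rule in rules:
        for name in rule["install_on"]:
            platform, version = devices[name]
            reason = av_problem(rule["av"], platform, version)
            if reason:
                findings.append((rule["id"], name, reason))
    return findings

# Constructed sample inventory and rule base (hypothetical names, not NSM export format).
DEVICES = {
    "branch-fw1": ("NetScreen-5GT", "5.2.0r3"),
    "branch-fw2": ("NetScreen-5GT", "5.3.0r1"),
    "core-fw1": ("example-other-model", "5.4.0r2"),
}
RULES = [
    {"id": 10, "av": "Use Scan Manager", "install_on": ["branch-fw1", "branch-fw2", "core-fw1"]},
    {"id": 20, "av": "Use ICAP Profile", "install_on": ["branch-fw2", "core-fw1"]},
]
```

Calling `audit(RULES, DEVICES)` lists every rule and device pair on which the selected AV setting would not scan traffic.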
Copyright © 2010, Juniper Networks, Inc.
