Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SECURE ACCESS DEVICES GUIDE REV 01 Manual
  1. Manuals
  2. Brands
  3. Juniper Manuals
  4. Software
  5. NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV...
  6. Manual
Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SECURE ACCESS DEVICES GUIDE REV 01 Manual

Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SECURE ACCESS DEVICES GUIDE REV 01 Manual

Configuring secure access devices guide
Hide thumbs Also See for NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SECURE ACCESS DEVICES GUIDE REV 01:
Table of Contents

Advertisement

Quick Links

Download this manual See also: Administration Manual, Manual
Network and Security
Manager
Configuring Secure Access Devices Guide
Release
2010.4
Published: 2010-11-17
Revision 01
Copyright © 2010, Juniper Networks, Inc.

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SECURE ACCESS DEVICES GUIDE REV 01 and is the answer not in the manual?

Questions and answers

Related Manuals for Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SECURE ACCESS DEVICES GUIDE REV 01

Summary of Contents for Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SECURE ACCESS DEVICES GUIDE REV 01

  • Page 1 Network and Security Manager Configuring Secure Access Devices Guide Release 2010.4 Published: 2010-11-17 Revision 01 Copyright © 2010, Juniper Networks, Inc.
  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license. Copyright © 2010, Juniper Networks, Inc.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 6 Copyright © 2010, Juniper Networks, Inc.

  • Page 7: Table Of Contents

    Using Configuration Summaries ........20 Copyright © 2010, Juniper Networks, Inc.
  • Page 8 Procedure) ........... . 95 viii Copyright © 2010, Juniper Networks, Inc.
  • Page 9 Creating User or Administrator URLs ....... 209 Copyright © 2010, Juniper Networks, Inc.
  • Page 10 Enabling User Record Synchronization (NSM Procedure) ....278 Configuring the Authentication Server (NSM Procedure) ....279 Copyright © 2010, Juniper Networks, Inc.
  • Page 11 Index ............321 Copyright © 2010, Juniper Networks, Inc.
  • Page 12 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 13: About This Guide

    Objectives Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices. Secure Access (SA) device is the next generation Secure Access SSL VPN appliances in its leading market.
  • Page 14 The angle bracket (>) Indicates navigation paths through the UI Object Manager > User Objects > Local by clicking menu options and links. Objects Table 3 on page xv defines syntax conventions used in this guide. Copyright © 2010, Juniper Networks, Inc.

  • Page 15: List Of Technical Publications

    Online Help user interface. It also includes a brief overview of the NSM system and a description of the GUI elements. Secure Access Administration Guide Provides comprehensive information about configuring the Secure Access appliances. Copyright © 2010, Juniper Networks, Inc.

  • Page 16: Requesting Technical Support

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 17 About This Guide Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html Copyright © 2010, Juniper Networks, Inc. xvii...
  • Page 18 Configuring Secure Access Devices Guide xviii Copyright © 2010, Juniper Networks, Inc.

  • Page 19: Getting Started

    PART 1 Getting Started Understanding Secure Access Device Configuration on page 3 Secure Access Device and NSM Installation Overview on page 7 Copyright © 2010, Juniper Networks, Inc.
  • Page 20 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 21: Understanding Secure Access Device Configuration

    The Secure Access device and the NSM application communicate through the Device Management Interface (DMI). DMI is a collection of schema-driven protocols that run on a common transport (that is, TCP). DMI is designed to work with Juniper Networks platforms to make device management consistent across all administrative realms.
  • Page 22 To allow NSM to manage the Secure Access device using the DMI protocol, NSM must import the schema and metadata files from the Juniper Networks Schema Repository, a publicly accessible resource that is updated with each device release. In addition to downloading the Secure Access device current schema, NSM may also download upgraded software.

  • Page 23: Secure Access Device Services And Device Configurations Supported In Nsm

    Creating clusters, joining nodes to clusters, or enabling or disabling cluster nodes Packaging log files or debug files for remote analysis Rebooting the Secure Access device Related Communication Between a Secure Access Device and NSM Overview on page 3 Documentation Copyright © 2010, Juniper Networks, Inc.
  • Page 24 Configuring Secure Access Devices Guide NSM and Secure Access Device Management Overview on page 3 Copyright © 2010, Juniper Networks, Inc.

  • Page 25: Secure Access Device And Nsm Installation Overview

    NSM Installation Overview NSM is a software application that enables you to integrate and centralize management of your Juniper Networks environment. You need to install two main software components to run NSM: the NSM management system and the NSM user interface (UI).
  • Page 26 Configuring Secure Access Devices Guide Related Communication Between a Secure Access Device and NSM Overview on page 3 Documentation Secure Access Device Installation Overview on page 7 Copyright © 2010, Juniper Networks, Inc.

  • Page 27: Integrating Secure Access Devices

    PART 2 Integrating Secure Access Devices Adding Secure Access Devices on page 11 Adding Secure Access Clusters on page 23 Working with Secure Access Templates on page 29 Copyright © 2010, Juniper Networks, Inc.
  • Page 28 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 29: Adding Secure Access Devices

    Configuration on page 14 Installing and Configuring a Secure Access Device Before you add the Secure Access device to NSM, you must install and configure the Secure Access device to have logon credentials for an NSM administrator. Copyright © 2010, Juniper Networks, Inc.

  • Page 30: Adding A Secure Access Device Through Nsm

    Use Device Server Through MIP — Connects the NSM device server through a mapped IP address and port. Click Next, and a unique external ID gets generated automatically. This ID represents the device within the management system. Copyright © 2010, Juniper Networks, Inc.

  • Page 31: Configuring And Activating The Nsm Agent On The Secure Access Device

    Click Save Changes, and the device attempts to establish a session with the NSM application. The device software initiates the TCP connection to NSM and identifies itself using the specified device ID and HMAC. Both sides then engage in SSH Transport Layer interactions Copyright © 2010, Juniper Networks, Inc.

  • Page 32: Configuration

    SSH port must be configured in the Secure Access device. The default SSH port is 22. The DMI agent admin realms must be configured and an admin user must be mapped to a role with full admin privileges. Copyright © 2010, Juniper Networks, Inc.

  • Page 33: Adding A Secure Access Device Through A Reachable Workflow

    Click Finish to add the device to the NSM UI. The Secure Access device appears in the Devices workspace. Related Requirements for Importing a Secure Access Device into NSM Through a Reachable Documentation Workflow on page 14 Importing a Secure Access Device on page 11 Copyright © 2010, Juniper Networks, Inc.

  • Page 34: Importing Multiple Secure Access Devices

    Juniper Networks provides CSV templates in Microsoft Excel format for each type of CSV file. These templates are located in the utils subdirectory where you have stored the program files for the UI client.

  • Page 35: Validating The Csv File

    Select Cancel to quit adding multiple Secure Access devices, or select Add Valid Devices to begin adding the Secure Access devices for which you have provided valid device configurations. Copyright © 2010, Juniper Networks, Inc.

  • Page 36: Adding And Importing Multiple Secure Access Devices

    Secure Access devices and the management system configuration. Related Verifying Imported Device Configurations on page 19 Documentation Adding a Secure Access Cluster Overview on page 23 Adding a Secure Access Cluster with Imported Cluster Members on page 24 Copyright © 2010, Juniper Networks, Inc.

  • Page 37: Verifying Imported Device Configurations

    Imported device administrator name and password are correct for the physical device. NOTE: All passwords handled by NSM are case-sensitive. Imported device interfaces are correct for the physical device. Management system successfully imported all device configuration information, including zones, virtual routers, and routes. Copyright © 2010, Juniper Networks, Inc.

  • Page 38: Using Job Manager

    For a just-imported device, the configuration summary report displays the device configuration that matches the configuration currently running on the physical device. Delta Configuration Summary Copyright © 2010, Juniper Networks, Inc.
  • Page 39 Adding a Secure Access Cluster Overview on page 23 Documentation Adding a Secure Access Cluster with Imported Cluster Members on page 24 Creating and Applying a Secure Access Device Template on page 29 Importing Multiple Secure Access Devices on page 16 Copyright © 2010, Juniper Networks, Inc.
  • Page 40 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 41: Adding Secure Access Clusters

    Before you can activate a cluster member in NSM, the device administrator must have already created the cluster and added, configured, and enabled the physical cluster member. See the Juniper Network Secure Access Administration Guide for details on creating and configuring clusters. Copyright © 2010, Juniper Networks, Inc.

  • Page 42: Adding A Secure Access Cluster With Imported Cluster Members

    Adding the Cluster in NSM on page 25 Adding the Cluster Members in NSM on page 25 Configuring and Activating the DMI Agent on the Cluster on page 27 Importing Cluster Configuration on page 27 Copyright © 2010, Juniper Networks, Inc.

  • Page 43: Installing And Configuring The Cluster

    Use Device Server Through MIP—Connects to the NSM device server through a mapped IP address and port. Click Next, and a unique external ID gets generated automatically. This ID represents the device within the management system. Enter an admin username for the device admin. Copyright © 2010, Juniper Networks, Inc.
  • Page 44 Enter a new name for the Secure Access device in Device Name to change the host name of the device. Click Finish to add the cluster member to the NSM GUI. The cluster member as a child of the Secure Access cluster in the Devices workspace. Copyright © 2010, Juniper Networks, Inc.

  • Page 45: Configuring And Activating The Dmi Agent On The Cluster

    Related Creating and Applying a Secure Access Device Template on page 29 Documentation Promoting a Secure Access Device Configuration to a Template on page 31 Adding a Secure Access Cluster Overview on page 23 Copyright © 2010, Juniper Networks, Inc.
  • Page 46 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 47: Working With Secure Access Templates

    Admin user password Click OK to save the template. The newly created templates will appear under the Device Template Tree. Double-click the newly created template to enter the configuration information. The Device Template screen appears. Copyright © 2010, Juniper Networks, Inc.

  • Page 48: Applying The Template

    Does not accept modifications to the templates. Remove conflicting device values Does not add device values that conflict. Report irrelevant template values Reports irrelevant template values. Report conflicts with other templates Reports conflicts with other templates. Copyright © 2010, Juniper Networks, Inc.

  • Page 49: Promoting A Secure Access Device Configuration To A Template

    Select the template to which you want to apply the configuration settings and click OK. The Secure Access device configuration is promoted to the selected template. Related Verifying Imported Device Configurations on page 19 Documentation Creating and Applying a Secure Access Device Template on page 29 Copyright © 2010, Juniper Networks, Inc.
  • Page 50 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 51: Configuring Secure Access Devices

    Configuring Secure Access Cache Cleaner on page 251 Configuring Secure Access System Management Features on page 257 Configuring Network Settings on page 271 Synchronizing User Records on page 277 Configuring IF-MAP Federation Settings on page 283 Copyright © 2010, Juniper Networks, Inc.
  • Page 52 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 53: Configuring User Roles And Administrator Roles

    Add or modify settings on the General tab page as specified in Table 7 on page 36. Add or modify global role options on the Global Role Options tab page as specified in Table 8 on page 37. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
  • Page 54 Select General > Telnet/SSH internal server hosts in the to enable this access feature. clear using Telnet protocols or to communicate over an encrypted Secure Shell (SSH) session through a Web-based terminal session emulation. Copyright © 2010, Juniper Networks, Inc.
  • Page 55 Select a color from Color drop down list. Comment` Allows you to specify a comment. Enter the comment. File Name Allows you to upload the shared binary Click Browse and select the data object. file. Copyright © 2010, Juniper Networks, Inc.

  • Page 56: Creating Secure Access Role-Based Source Ip Alias (Nsm Procedure)

    Click the New button and the New dialog box appears. Add or modify settings on the General > VLAN/Source IP as specified in Table 9 on page 39. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.

  • Page 57: Configuring Secure Access General Session Options (Nsm Procedure)

    Click the New button and the New dialog box appears. Click General > Session Options to add or modify settings as specified in Table 10 on page 40. Click one: OK—Saves the changes. Cancel—Cancels the modification. Copyright © 2010, Juniper Networks, Inc.
  • Page 58 Specifies when the Secure Enter the Reminder Time in Access device should prompt minutes. nonadministrative users, warning them of an impending session or idle timeout. Specify in number of minutes before the timeout is reached. Copyright © 2010, Juniper Networks, Inc.
  • Page 59 Users who sign in from one IP address may not continue an active Secure Access device session from another IP address; user sessions are tied to the initial source IP address. Copyright © 2010, Juniper Networks, Inc.
  • Page 60 Enable Upload Logs Enables users to transmit Select the Enable Upload (upload) client logs to the Logs. Secure Access device. Copyright © 2010, Juniper Networks, Inc.

  • Page 61: Creating And Configuring Secure Access Device Administrator Roles

    Table 11: Administrator Role Configuration Details Option Function Your Action General > Overview tab Name Specifies a unique name for Enter a name. the administrator role. Description Describes the administrator Enter a brief description for the role. administrator role. Copyright © 2010, Juniper Networks, Inc.
  • Page 62 Select the user realm. If you only ALL realms administrator can manage all want to allow the administrator user authentication realms. role to manage selected realms, select those realms in the Members list and click Add. Copyright © 2010, Juniper Networks, Inc.
  • Page 63 Administrators role. NOTE: This option appears only when you enable the Manage All admin roles option. Copyright © 2010, Juniper Networks, Inc.
  • Page 64 NOTE: This option only appears when you choose to enable the Manage All admin realms. Copyright © 2010, Juniper Networks, Inc.
  • Page 65 NOTE: The Web, File, SAM, Telnet SSH, Terminal Services, Network Connect, and Email Client tabs are enabled only when you select Custom Settings from the drop down list. Copyright © 2010, Juniper Networks, Inc.
  • Page 66 Delegated Resource Policies > Email Client Access Allows you to pick and Select Deny or Read or Write choose administrator access level for the. privileges (Deny, Read, or Write) for the policy. Delegated Resource Profiles > All tab Copyright © 2010, Juniper Networks, Inc.
  • Page 67 Configuring Access Options using Remote Access Mechanisms Overview on page 65 Documentation Configuring Secure Access General Session Options (NSM Procedure) on page 39 Creating and Applying a Secure Access Device Template on page 29 Copyright © 2010, Juniper Networks, Inc.
  • Page 68 Configuring Secure Access Devices Guide Verifying Imported Device Configurations on page 19 Copyright © 2010, Juniper Networks, Inc.

  • Page 69: Configuring Terminal Services Using Remote Access Mechanism

    WSAM, Network Connect, and hosted Java applets features. Related Terminal Services User Experience on page 61 Documentation Terminal Services Execution on page 62 Configuring Terminal Services on a Secure Access Device User Role (NSM Procedure) on page 52 Copyright © 2010, Juniper Networks, Inc.

  • Page 70: Procedure)

    Auto-launch Enables the Secure Access Select the Auto Launch check device to automatically launch box to enable this feature. the resource for the user when the user signs into the Secure Access device. Copyright © 2010, Juniper Networks, Inc.
  • Page 71 Enter the variable password. password that the Secure Access device uses to validate sign-in credentials. Explicit Password Specifies the explicit SSO Enter the explicit password. password that the Secure Access device uses to validate sign-in credentials. Copyright © 2010, Juniper Networks, Inc.
  • Page 72 Connect smart cards Enables you to allow users to Select the Connect smart use smart cards to cards check box to enable this authenticate their remote feature. desktop sessions. Copyright © 2010, Juniper Networks, Inc.
  • Page 73 Menu and window animation Enables you to animate the Select the Menu and window movement of windows, animation check box to enable menus, and lists. this option. Copyright © 2010, Juniper Networks, Inc.
  • Page 74 Specifies the static SSO Enter the static password. password that the Secure Access device uses to validate sign-in credentials. Terminal Services > Terminal Services Sessions > Type > Citrix using default ICA file > Connection tab Copyright © 2010, Juniper Networks, Inc.
  • Page 75 Select the Connect COM Ports COM ports through the check box to enable this terminal session. feature. Terminal Services > Terminal Services Sessions > Type > Citrix using default ICA file > Session Reliability tab Copyright © 2010, Juniper Networks, Inc.
  • Page 76 Note that you may download and customize the following ICA files from the Secure Access device. Custom ICA Filename Specifies the ICA filename. Enter a name. Terminal Services > Options > Citrix Delivery tab Copyright © 2010, Juniper Networks, Inc.
  • Page 77 Select the Users can connect bookmarks that connect their drives check box to enable this local drives to the terminal option. server, enabling users to copy information from the terminal server to their local client directories. Copyright © 2010, Juniper Networks, Inc.
  • Page 78 Desktop Composition (RDP Specifies that the drawing is Select the Desktop 6.0 onwards) redirected to video memory, Composition (RDP 6.0 which is then rendered into a onwards) check box to enable desktop image. this option. Copyright © 2010, Juniper Networks, Inc.

  • Page 79: Terminal Services User Experience

    Alternatively, enable SSO and the device automatically sends this information to the resource without prompting for username and password. Once the resource verifies the credentials, the device launches the resource. Copyright © 2010, Juniper Networks, Inc.

  • Page 80: Terminal Services Execution

    Ensure that the device has confirmed that a proxy is installed on the user’s computer. This enables Windows client the proxy to attempt to invoke the Windows RDP or ICA client. If successful, the client initiates the user’s terminal services session and the proxy intermediates the session traffic. Copyright © 2010, Juniper Networks, Inc.
  • Page 81 Authentication settings Start application settings Connect Devices settings Display Settings Related Terminal Services User Experience on page 61 Documentation Configuring Terminal Services on a Secure Access Device User Role (NSM Procedure) on page 52 Copyright © 2010, Juniper Networks, Inc.
  • Page 82 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 83: Configuring Access Options Using Remote Access Mechanisms

    However, you can only access features through a user role if you are licensed for the feature. For instance, if you are using an SA-700 appliance and have not purchased a Core Clientless Access upgrade license, you cannot enable Web rewriting for a user role. Copyright © 2010, Juniper Networks, Inc.

  • Page 84: Configuring File Rewriting On A Secure Access Device User Role (Nsm Procedure)

    Add or modify settings as specified in Table 15 on page 66. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Table 15: User Role File Rewriting Configuration Details Option Function Your Action Files > File Bookmarks > Windows Bookmarks tab Copyright © 2010, Juniper Networks, Inc.
  • Page 85 Server Specifies the server name for Enter the server hostname or the bookmark. IP address. Path Specifies the path for the Enter the path to further restricting access. restrict access. Copyright © 2010, Juniper Networks, Inc.
  • Page 86 Related Configuring Network Connect on a Secure Access Device User Role (NSM Procedure) Documentation on page 69 Configuring Secure Application Manager on a Secure Access Device User Role (NSM Procedure) on page 74 Copyright © 2010, Juniper Networks, Inc.

  • Page 87: Configuring Network Connect On A Secure Access Device User Role

    Add or modify settings as specified in Table 16 on page 69. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Table 16: User Role Network Connect Configuration Details Option Function Your Action Network Connect tab Copyright © 2010, Juniper Networks, Inc.
  • Page 88 Configuring Secure Access Devices Guide Table 16: User Role Network Connect Configuration Details (continued) Option Function Your Action Split Tunneling Modes Allows you to enable split tunneling. Copyright © 2010, Juniper Networks, Inc.
  • Page 89 Enable Split Tunneling with route change monitor— This option retains access to local resources such as printers. Enable Split Tunneling with allowed access to local subnet—This option activates split-tunneling and Copyright © 2010, Juniper Networks, Inc.
  • Page 90 Windows user sign-in. Allow user to decide whether to start NC when logging into Windows—Allows the user to determine, at each Windows startup, whether or not to launch Network Connect after GINA installation. Copyright © 2010, Juniper Networks, Inc.
  • Page 91 Macintosh. Related Configuring Secure Application Manager on a Secure Access Device User Role (NSM Documentation Procedure) on page 74 Configuring Secure Meeting on a Secure Access Device User Role (NSM Procedure) on page 79 Copyright © 2010, Juniper Networks, Inc.

  • Page 92: Configuring Secure Application Manager On A Secure Access Device User Role (Nsm Procedure)

    Specifies the DNS name of the Enter the DNS name or the IP server or the server IP address. address. Server Port Specifies the port on which the Enter the port number. remote server listens for client connections. Copyright © 2010, Juniper Networks, Inc.
  • Page 93 Applications Specifies the applications for Select one of the following which WSAM secures traffic. option Citrix, Lotus Notes, Microsoft Outlook/Exchange, NetBIOS file browsing or Custom from the Applications drop–down list. Copyright © 2010, Juniper Networks, Inc.
  • Page 94 Specifies the application for Enter the application name. which WSAM client does not secure traffic. Path Allows you to provide an Enter the path. absolute path to the application. SAM tab > Options tab Copyright © 2010, Juniper Networks, Inc.
  • Page 95 WSAM session starts. Session end script Enables the Secure Access Enter the name and path for device to run a batch, the file. application, or Win32 service file when the WSAM session ends. Copyright © 2010, Juniper Networks, Inc.
  • Page 96 Configuring Secure Meeting on a Secure Access Device User Role (NSM Procedure) Documentation on page 79 Configuring Terminal Services on a Secure Access Device User Role (NSM Procedure) on page 52 Configuring WSAM Resource Profile (NSM Procedure) on page 131 Copyright © 2010, Juniper Networks, Inc.

  • Page 97: Configuring Secure Meeting On A Secure Access Device User Role (Nsm Procedure)

    URL)—Allows users to create personal meetings without having to schedule them ahead of time. Standard meetings (users can create scheduled meetings)— Allows users to create scheduled meetings through the Meetings tab. Copyright © 2010, Juniper Networks, Inc.
  • Page 98 (even more secure)—Requires the meeting creator to use the password generated by Secure Meeting. Require secure gateway authentication (most secure)—Allows only invited users authenticated against the Secure Access device secure gateway to attend the meetings. Copyright © 2010, Juniper Networks, Inc.
  • Page 99 Hide attendee names—Always hides the names of meeting attendees. NOTE: When you select this option, Secure Meeting still exposes the names of the meeting conductor and presenter to other meeting attendees. Copyright © 2010, Juniper Networks, Inc.
  • Page 100 Password must be different Requires that the password Select the Password must be from username cannot equal the username. different from username check box to enable this feature. Copyright © 2010, Juniper Networks, Inc.
  • Page 101 Auth Servers with Access Specifies whether the Select the authentication Priviledge members of this role may server and click Add. access and search the authentication servers that they are currently authenticated against. Copyright © 2010, Juniper Networks, Inc.

  • Page 102: Configuring Web Rewriting On A Secure Access Device User Role (Nsm Procedure)

    OK—Saves the changes. Cancel—Cancels the modifications. Table 19: User Role Web Rewriting Configuration Details Option Function Your Action Web > Web Bookmarks tab Name Specifies the name for the Enter a name. device home page bookmark. Copyright © 2010, Juniper Networks, Inc.
  • Page 103 Web applications. Applet—Links the user to Java applets that you upload to the Secure Access device through the NSM by selecting Users > Resource Profiles > Web > Hosted Java Applets. Copyright © 2010, Juniper Networks, Inc.
  • Page 104 Users can add bookmarks Enables users to create Select the User can add personal Web bookmarks on bookmarks check box to the Secure Access device enable this feature. welcome page. Copyright © 2010, Juniper Networks, Inc.
  • Page 105 By default, the Secure Access device flushes Web cookies that are stored during a user session. A user can delete cookies through the Advanced Preferences if you enable this option. Copyright © 2010, Juniper Networks, Inc.
  • Page 106 You can avoid this problem either by clearing this option or by uploading a valid production SSL certificate on the servers that serve the non- HTML content. Copyright © 2010, Juniper Networks, Inc.
  • Page 107 Configuring Telnet/SSH on a Secure Access Device User Role (NSM Procedure) on Documentation page 90 Configuring File Rewriting Resource Profiles (NSM Procedure) on page 120 Configuring Web Rewriting Resource Policies (NSM Procedure) on page 151 Copyright © 2010, Juniper Networks, Inc.

  • Page 108: Configuring Telnet/Ssh On A Secure Access Device User Role

    Specifies the username or Enter a username or other other Secure Access Secure Access device-appropriate, session device-appropriate, session variable for Telnet bookmark. variable. Font Size Specifies the font size for the Select the font size. Telnet bookmark. Copyright © 2010, Juniper Networks, Inc.
  • Page 109 Secure Access device welcome page. Related Configuring Access Options using Remote Access Mechanisms Overview on page 65 Documentation Configuring a File Rewriting Resource Policy (NSM Procedure) on page 137 Copyright © 2010, Juniper Networks, Inc.
  • Page 110 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 111: Procedure)

    Secure Access device for which you want to configure JSAM application resource profile. Click the Configuration tab, and select Users > Resource Profiles > SAM > Client Applications. The corresponding workspace appears. Click the New button and the New dialog box appears. Copyright © 2010, Juniper Networks, Inc.
  • Page 112 Resources Specifies the application server to Enter the application resource which this policy applies. name. Action Allows or denies user access to the Select either Allow or Deny from resources. the Action drop–down list. Copyright © 2010, Juniper Networks, Inc.

  • Page 113: Configuring A Citrix Terminal Services (Custom Ica) Resource Profile

    Click the Configuration tab, and select Users > Resource Profiles > Terminal Services. The corresponding workspace appears. Click the New button and the New dialog box appears. Add or modify settings as specified in Table 22 on page 96. Click one: Copyright © 2010, Juniper Networks, Inc.
  • Page 114 Secure Access device always use them to intermediate traffic. Applet to use Specifies the Java applet that Select a Java applet from the you want to associate with the Applet to use drop–down resource profile. list. Copyright © 2010, Juniper Networks, Inc.
  • Page 115 Specifies the name of the Enter the name. session bookmark. Description Describes the resource profile. Enter a description. Username Specifies the username that the Enter the username. Secure Access device should pass to the terminal server. Copyright © 2010, Juniper Networks, Inc.
  • Page 116 Then select roles from the ALL Selected Roles list and click Add to move them to the Subset of selected roles list. Settings > Role Selections tab Copyright © 2010, Juniper Networks, Inc.

  • Page 117: Procedure)

    Table 23: Citrix Terminal Services (Default ICA) Configuration Details Option Function Your Action Settings tab Name Specifies a unique name for the Enter the name. resource profile. Description Describes the resource profile. Enter the description. Copyright © 2010, Juniper Networks, Inc.
  • Page 118 Allows you to specify the type Select Citrix using default of terminal service. ICA option to configure a citrix terminal services resource profile that uses default ICA. Citrix using default ICA > Settings tab Copyright © 2010, Juniper Networks, Inc.
  • Page 119 NOTE: By default, the Secure Access device sets the color depth to 8-bit. Username Specifies the username that the Enter the username. Secure Access device should pass to the terminal server. Copyright © 2010, Juniper Networks, Inc.
  • Page 120 Allows you to connect the user’s Select the Connect drives local drive to the terminal server, check box to enable this enabling the user to copy feature. information from the terminal server to his local client directories. Copyright © 2010, Juniper Networks, Inc.
  • Page 121 Then select roles from the ALL Selected Roles list and click Add to move them to the Subset of selected roles list. Settings > Role Selections tab Copyright © 2010, Juniper Networks, Inc.

  • Page 122: Configuring A Citrix Listed Application Resource Profile (Nsm Procedure)

    Click one: OK—Saves the changes. Cancel—Cancels the modifications. Table 24: Citrix Listed Application Resource Profile Configuration Details Option Function Your Action Settings tab Name Specifies a unique name for the Enter the name. resource profile. Copyright © 2010, Juniper Networks, Inc.
  • Page 123 NOTE: The maximum size of the HTML that can be specified is 25 KB. Type Specifies the terminal service. Select Citrix Listed Applications option to enable this feature. Citrix Listed Applications > Settings tab Copyright © 2010, Juniper Networks, Inc.
  • Page 124 XML Domain Specifies the domain name for Enter the domain name. connecting to the Citrix Metaframe server where the XML service is running. Citrix Listed Applications > Autopolicy: Terminal Services Access Control > Rules tab Copyright © 2010, Juniper Networks, Inc.
  • Page 125 Specifies the executables to run. Enter the executables. Username Specifies the username that the Enter the username. Secure Access device should pass to the terminal server. You can enter a static username or a variable. Copyright © 2010, Juniper Networks, Inc.
  • Page 126 NOTE: By default, the Secure Access device sets the window size to full screen. Color Depth Changes the color-depth of the Select color depth the terminal session data. drop–down list. Copyright © 2010, Juniper Networks, Inc.
  • Page 127 Subset of Terminal Service Profile roles option from the Applies to roles drop–down list. Related Configuring Custom Web Applications Resource Profile (NSM Procedure) on page 112 Documentation Configuring File Rewriting Resource Profiles (NSM Procedure) on page 120 Copyright © 2010, Juniper Networks, Inc.

  • Page 128: Configuring Citrix Web Applications Resource Profile (Nsm Procedure)

    NFuse), you cannot create a Citrix resource profile through this template. Instead, click the Client Application Profile link beneath this option. Web Interface (NFuse) version Select the required Citrix version from the drop-down list. Copyright © 2010, Juniper Networks, Inc.
  • Page 129 Web Interface (NFuse) URL box. By default, the device automatically creates a policy for you that enables access to the resource and all of its subdirectories. Roles Select the roles to which the Citrix resource profile applies. Copyright © 2010, Juniper Networks, Inc.

  • Page 130: Configuring Custom Web Applications Resource Profile (Nsm Procedure)

    Click the Configuration tab, and select Users > Resource Profiles > Web to create a custom Web resource profile. Click the New button, the New dialog box appears. Add or modify settings as specified in Table 26 on page 113. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
  • Page 131 Enter the path, such as: sign-in page. http://my.domain.com/ public/login.cgi. NOTE: Do not enter wildcard characters in this box. POST URL Specifies the absolute URL Enter the URL, such as: where the application posts http:/ /yourcompany.com/login.cgi. the user’s credentials. Copyright © 2010, Juniper Networks, Inc.
  • Page 132 Value box. User Can Modify—User can specify data for a back-end application. User Must Modify—User must enter additional data to access a back-end application. Autopolicy: Cookies and Headers Single Sign-On Copyright © 2010, Juniper Networks, Inc.
  • Page 133 Specifies the text for the Enter the name. Secure ccess device to send as header data. Header Value Specifies the value for the Enter the value. specified header. Autopolicy: Caching Name Specifies the policy name. Enter a name. Copyright © 2010, Juniper Networks, Inc.
  • Page 134 Autopolicy: Java Applet Access Control Name Specifies the name of the Enter the policy name. policy. Server Resource Specifies the server resources Enter the path using the to which this policy applies. format: host:[ports]. Copyright © 2010, Juniper Networks, Inc.
  • Page 135 If this option. option is disabled, the Secure Access device rewrites only those URLs where the hostname is configured as part of the passthrough proxy policy. Copyright © 2010, Juniper Networks, Inc.
  • Page 136 Web access control policy. You may choose to use this server as-is, modify it, and/or add new servers to the list. Autopolicy: Rewriting Options > No rewriting tab Copyright © 2010, Juniper Networks, Inc.
  • Page 137 Web resource in a option. new browser window. Do Not Display Address Bar Removes the address bar from Select the Do Not Display the browser. Address Bar check box to enable this feature. Copyright © 2010, Juniper Networks, Inc.

  • Page 138: Configuring File Rewriting Resource Profiles (Nsm Procedure)

    Click the Configuration tab, and select Users > Resource Profiles > Windows File Browsing to create a resource profile to control access to Windows server shares. Add or modify settings as specified in Table 27 on page 121. Copyright © 2010, Juniper Networks, Inc.
  • Page 139 Compress—Compresses data from the specified resource. Do not compress—Disables compression for the specified resource. Resources Specifies the resource names for Enter the names. which this policy applies. Autopolicy:Windows Server Single Sign-On Copyright © 2010, Juniper Networks, Inc.
  • Page 140 Specifies the name of the Enter a name. bookmark. Description Describes the bookmark. Enter the description. Server Specifies the server name. Enter the server name. Share Specifies the share name. Enter the share name. Copyright © 2010, Juniper Networks, Inc.
  • Page 141 Related Configuring Windows Terminal Services (NSM Procedure) on page 124 Documentation Configuring a Telnet/SSH Resource Profile (NSM Procedure) on page 129 Configuring Custom Web Applications Resource Profile (NSM Procedure) on page 112 Copyright © 2010, Juniper Networks, Inc.

  • Page 142: Configuring Windows Terminal Services (Nsm Procedure)

    Secure Access device without employing a separate Web server to host them. You can then associate these Java applets with the resource profile and specify that the Secure Access device always use them to intermediate traffic. Copyright © 2010, Juniper Networks, Inc.
  • Page 143 Specifies the size of the terminal Select the screen size from the services window on the user’s drop-down list. workstation. NOTE: By default, the Secure Access device sets the window size to full screen. Copyright © 2010, Juniper Networks, Inc.
  • Page 144 Path to Specifies the path where the Enter the path. application application’s executable file resides For example, you might enter the on the terminal server. following directory for the Microsoft Word application: C:\Program Files\Microsoft Office\Office10\WinWord.exe. Copyright © 2010, Juniper Networks, Inc.
  • Page 145 Select one of the following options: Options session. Disable Sound Options—Disables the sound option. Bring to this computer— Redirects audio to the local computer. Leave at remote computer—Plays the audio only at the server. Copyright © 2010, Juniper Networks, Inc.
  • Page 146 This option only works on onwards) check box to enable this (RDP 6.0 Windows Vista computers running option. onwards) RDP clients that are font smoothing (RDP 6.0 version 6.0 or later. Settings > Role Selections Copyright © 2010, Juniper Networks, Inc.

  • Page 147: Configuring A Telnet/Ssh Resource Profile (Nsm Procedure)

    Specifies the session type for this resource profile. Select Telnet or SSH from the Type drop-down list. Name Specifies the unique name for the resource profile. Enter the name. Description Specifies the description for the resource profile. Enter a description. Copyright © 2010, Juniper Networks, Inc.
  • Page 148 Allows you to specify the roles for which to display Select the role, and then click Add. a bookmark. NOTE: The Role Selections tab is enabled only when you select Selected Roles option from the Applies to roles drop-down list. Copyright © 2010, Juniper Networks, Inc.

  • Page 149: Configuring Wsam Resource Profile (Nsm Procedure)

    Specifies a name for the Enter the name. resource profile. Description Describes the resource profile. Enter the description. Type Allows you to select WSAM. Select the WSAM option to configure a WSAM resource profile. Copyright © 2010, Juniper Networks, Inc.
  • Page 150 Lotus Notes fat client application. Microsoft Outlook/Exchange—WSAM intermediates traffic from the Microsoft Outlook exchange application. NetBIOS file browsing—WSAM intercepts NetBIOS name lookups in the TDI drivers on port 137. Settings > Roles tab Copyright © 2010, Juniper Networks, Inc.
  • Page 151 Specifies the roles to which the Select the role, and then click resource profile applies. Add. Related Configuring a File Rewriting Resource Policy (NSM Procedure) on page 137 Documentation Configuring a JSAM Resource Profile (NSM Procedure) on page 93 Copyright © 2010, Juniper Networks, Inc.

  • Page 152: Configuring Bookmarks For Virtual Desktop Resource Profiles

    Password as the password type. Preferred Client Select Automatic Detection, Citrix Client, or Java from the drop-down list as the preferred client. Session Reliability and Auto-client Select the check box to automatically reconnect the session reliability. reconnect Copyright © 2010, Juniper Networks, Inc.
  • Page 153 Role Selections tab is enabled. Select roles from the Members list and click Add/remove to move them to the Non-members list. Related Configuring WSAM Resource Profile (NSM Procedure) on page 131 Documentation Configuring a Telnet/SSH Resource Profile (NSM Procedure) on page 129 Copyright © 2010, Juniper Networks, Inc.
  • Page 154 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 155: Procedure)

    Select a policy, and then enter the name, the description, and the resources for the policy. In the Applies to roles list. Select one: All—Applies the policy to all users. Selected—Applies the policy only to users who are mapped to roles in the Role Selection section. Copyright © 2010, Juniper Networks, Inc.
  • Page 156 Allow—Allows access to the resources specified in the Members list. Deny—Denies access to the resources specified in the Members list. Detailed Rules—Allows you to specify one or more detailed rules for this policy. Copyright © 2010, Juniper Networks, Inc.
  • Page 157 Prevents users from saving Select the Read-only check files on the server. box to enable this feature. NOTE: This box is enabled only when you select Allow from the Action drop-down list. Windows SSO > General tab Copyright © 2010, Juniper Networks, Inc.
  • Page 158 Variable Password Specifies a variable password Enter the variable password. to Windows share or directory. NOTE: This box is enabled only when you select the Use Specified Credentials(Variable Password)... option from the Action drop-down list. Copyright © 2010, Juniper Networks, Inc.
  • Page 159 Secure Access device the first time a user attempts to access the share. Detailed Rules—Specifies one or more detailed rules for this policy. Copyright © 2010, Juniper Networks, Inc.
  • Page 160 Do not compress—Secure Access device does not compress the supported content types from the specified resource. Use Detailed Rules—Specifies one or more detailed rules for this policy. File Policy Options Copyright © 2010, Juniper Networks, Inc.
  • Page 161 SSO. attempts Related Configuring SAML SSO Artifact Profile Resource Policy (NSM Procedure) on page 226 Documentation Configuring a SAML Access Control Resource Policy (NSM Procedure) on page 223 Copyright © 2010, Juniper Networks, Inc.

  • Page 162: Configuring A Secure Application Manager Resource Policy

    All—Applies the policy to all users. Selected—Applies the policy only to users who are mapped to roles in the Role Selection section. Except those selected—Specifies one or more detailed rules for this policy. Copyright © 2010, Juniper Networks, Inc.
  • Page 163 A file type, preceded by a path if appropriate or just specify */* .file_extension to indicate files with the specified extension within any path on the server(s) specified on the General tab. Copyright © 2010, Juniper Networks, Inc.

  • Page 164: Procedure)

    Telnet and secure shell resource policy. Click the Configuration tab. Select Users > Resource Policies > Telnet/SSH. Add or modify settings as specified in Table 34 on page 144. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
  • Page 165 Applies to the role drop-down list. Detailed Rules tab Name Specifies the detailed rule name. Enter a name. NOTE: This tab is enabled only when you select Detailed Rules from the Action drop-down list. Copyright © 2010, Juniper Networks, Inc.
  • Page 166 Related Configuring a Terminal Service Resource Policy (NSM Procedure) on page 149 Documentation Configuring Web Rewriting Resource Policies (NSM Procedure) on page 151 Copyright © 2010, Juniper Networks, Inc.

  • Page 167: Configuring A Terminal Service Resource Policy (Nsm Procedure)

    Allow—Allows access to the servers specified in the Resources list. Deny—Denies access to the servers specified in the Resources list. Detailed Rules—Allows you to specify one or more detailed rules for this policy. Copyright © 2010, Juniper Networks, Inc.
  • Page 168 Boolean expressions: Using system variables, write one or more Boolean expressions using the NOT, OR, or AND operators. Custom expressions: Using the custom expression syntax, write one or more custom expressions. Options Copyright © 2010, Juniper Networks, Inc.

  • Page 169: Configuring Web Rewriting Resource Policies (Nsm Procedure)

    In the Action or the Authentication Type list, select any option from the drop-down list for the policy. Select the role, and click Add to move the roles from the Non-members to Members list. Copyright © 2010, Juniper Networks, Inc.
  • Page 170 Specifies the label that appears on Enter the label name. a user’s preferences page in the NOTE: This field is required if you Secure Access device. either enable or require users to modify data to post to back-end applications. Copyright © 2010, Juniper Networks, Inc.
  • Page 171 Use IVE port Allows Secure Access device to Specify a unique Secure Access listen for client requests to the device port in the range application server on the specified 11000-11099. Secure Access device port. Copyright © 2010, Juniper Networks, Inc.
  • Page 172 Specifies the hostname of the Web Enter the hostname. proxy server. Port Specifies the port number at which Enter the port. the proxy server listens. Web Proxy > Web Proxy Policies > General tab Copyright © 2010, Juniper Networks, Inc.

  • Page 173: Configuring A Network Connect Connection Profile Resource Policy

    NC Connection Profile. Click New and then enter the name and the description for the NC connection profile. Add or modify more settings as specified in Table 38 on page 156. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
  • Page 174 Enter a value for the key lifetime for the bytes that are transferred. The default value (minutes) is 0. Replay Protection Select the check box to enable this option. When enabled, this option helps protect against hostile “repeat attacks” from the network. Copyright © 2010, Juniper Networks, Inc.
  • Page 175 RADIUS role-mapping attribute in this field, such as <userAttr.Framed-IP-Address>. DNS tab Custom DNS settings Select this option to enable the DNS setting options. Upon selecting this option, the DNS settings box gets enabled. Copyright © 2010, Juniper Networks, Inc.
  • Page 176 Select the members from the Members list. You can add or remove the non-members to members by using the Add/Remove options. Related Configuring Web Rewriting Resource Policies (NSM Procedure) on page 151 Documentation Defining Network Connect Split Tunneling Policies (NSM Procedure) on page 159 Copyright © 2010, Juniper Networks, Inc.

  • Page 177: Defining Network Connect Split Tunneling Policies (Nsm Procedure)

    Add or modify more settings as specified in Table 39 on page 159. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Table 39: Configuring Network Connect Split Tunneling Policy Details Options Your Action Resources Enter the new resource name for the split tunnel resource policy. Copyright © 2010, Juniper Networks, Inc.
  • Page 178 Resource list of a policy (or a detailed rule’s), it performs the specified action and stops processing policies. Related Configuring a Network Connect Connection Profile Resource Policy (NSM Procedure) Documentation on page 155 Configuring Web Rewriting Resource Policies (NSM Procedure) on page 151 Copyright © 2010, Juniper Networks, Inc.

  • Page 179: Configuring Authentication And Directory Servers

    PIN. The SoftID plug-in generates a pass phrase by concatenating the user’s PIN and token and passes the pass phrase to the device. For information about enabling the SoftID custom sign-in pages, see the Custom Sign-In Pages Solution Guide. Copyright © 2010, Juniper Networks, Inc.
  • Page 180 Select the configuration file for File importing. importing using the browse button. Server Catalog > Expressions tab name Allows you to enter a name for the Enter the name. user expression in the ACE server user directory. Copyright © 2010, Juniper Networks, Inc.

  • Page 181: Creating A Custom Expression For An Authentication Server

    Variables: This node consists of variables. When a variable is selected, the conditional operators that can be applied to this variable are listed in the center of the Custom Expressions editor. Also, some variables have extensions that are displayed in the Copyright © 2010, Juniper Networks, Inc.

  • Page 182: Configuring A Secure Access Local Authentication Server Instance

    To reuse an existing expression, select the expression and click the Insert Expression button. NOTE: Refer to the Juniper Networks Secure Access Administration Guide for more information on variables and writing custom expressions. Enter a name for the custom expression.
  • Page 183 Specifies if you want users to set Select Local Auth Settings > different from the password to be different from Require password to be different username the username. from username to enable this option. Copyright © 2010, Juniper Networks, Inc.
  • Page 184 Configuring a Secure Access LDAP Server Instance (NSM Procedure) on page 167 Documentation Configuring a Secure Access RADIUS Server Instance (NSM Procedure) on page 171 Configuring a Secure Access ACE Server Instance (NSM Procedure) on page 161 Copyright © 2010, Juniper Networks, Inc.

  • Page 185: Configuring A Secure Access Ldap Server Instance (Nsm Procedure)

    LDAP Port Specifies the port on which the Set the port for the LDAP server. LDAP server responds. NOTE: This port is 389 when using an unencrypted connection and 636 when using SSL. Copyright © 2010, Juniper Networks, Inc.
  • Page 186 Directory Service to perform a LDAP to enable this option. search or to change passwords using the password management feature. Admin DN Performs an anonymous search on Enter the admin DN name. the LDAP server with an authentication. Copyright © 2010, Juniper Networks, Inc.
  • Page 187 Level group to search for the user. time. NOTE: The higher the number, the longer the query time, so we recommend that you specify to perform the search no more than two levels deep. Copyright © 2010, Juniper Networks, Inc.
  • Page 188 LDAP server. Server Catalog > Attributes tab Name Specifies the name that is used to Enter a name for the LDAP attributes. show a list of common LDAP attributes. Server Catalog > Groups tab Copyright © 2010, Juniper Networks, Inc.

  • Page 189: Configuring A Secure Access Radius Server Instance (Nsm Procedure)

    NOTE: If you want to update an existing server instance, click the appropriate link in the Auth Server Name box, and perform the Steps 5 through 8. Click the New button. The New dialog box appears. Copyright © 2010, Juniper Networks, Inc.
  • Page 190 Allows you not to submit the Select Users authenticate using tokens or password entered by the user to using tokens or one-time one-time passwords other SSO enabled applications. passwords check box. Backup Server tab Copyright © 2010, Juniper Networks, Inc.
  • Page 191 Configuring a Secure Access Anonymous Server Instance (NSM Procedure) on page 174 Documentation Configuring a Secure Access eTrust SiteMinder Server Instance (NSM Procedure) on page 174 Configuring a Secure Access LDAP Server Instance (NSM Procedure) on page 167 Copyright © 2010, Juniper Networks, Inc.

  • Page 192: Configuring A Secure Access Anonymous Server Instance (Nsm Procedure)

    To configure the SiteMinder server instance: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure eTrust SiteMinder server instance. Copyright © 2010, Juniper Networks, Inc.
  • Page 193 Specifies the SiteMinder agent Enter an agent name. name. NOTE: Shared secret and agent name are case-sensitive. Secret Specifies the shared secret. Enter a shared secret name. NOTE: Shared secret and agent name are case-sensitive. Copyright © 2010, Juniper Networks, Inc.
  • Page 194 You cannot use wildcard characters. For example, if you define “.juniper.net”, the user must access the Secure Access device as “http://secure access device.juniper.net” to ensure that his SMSESSION cookie is sent back to the Secure Access device. Copyright © 2010, Juniper Networks, Inc.
  • Page 195 Secure Access device. NOTE: Users who sign in through the sign-in page are always redirected back to the Secure Access device sign-in page if authentication fails. Copyright © 2010, Juniper Networks, Inc.
  • Page 196 Enter the name of the web agent from which the Secure agent. Access device is to obtain SMSESSION cookies. NOTE: This field is displayed only when you select Form POST option from the Authentication Type drop-down list. Copyright © 2010, Juniper Networks, Inc.
  • Page 197 Web agent’s sign-in page and by the value specified in the Target field. These are the default parameters for login.fcc—if you have made customizations, you may need to change these parameters. Copyright © 2010, Juniper Networks, Inc.
  • Page 198 SiteMinder this option, make sure that you policy server. create the appropriate rules in SiteMinder that start with the server name followed by a forward slash, such as: "www.yahoo.com/", "www.yahoo.com/*", and "www.yahoo.com/r/f1". Copyright © 2010, Juniper Networks, Inc.
  • Page 199 Specifies a name for the user Enter a name. expression in the SiteMinder user directory. Value Specifies a value for the user Enter a value. expression in the SiteMinder user directory. Server Catalog > Attributes tab Copyright © 2010, Juniper Networks, Inc.
  • Page 200 Specifies that the Secure Select Siteminder Settings > Access device should look up Advanced > Authorize while user attributes on the policy Authenticating. server immediately after authentication to determine if the user is truly authenticated. Copyright © 2010, Juniper Networks, Inc.
  • Page 201 Enter the value. entered in this field must match the accounting port value entered through the Policy Server Management Console in the web UI. By default, this field matches the policy server’s default setting of 44441. Copyright © 2010, Juniper Networks, Inc.

  • Page 202: Configuring A Secure Access Certificate Server Instance (Nsm Procedure)

    NOTE: If you want to update an existing server instance, click the appropriate link in the Auth Server Name box, and perform the Steps 5 through 8. Specify a name to identify the server instance. Copyright © 2010, Juniper Networks, Inc.

  • Page 203: Configuring A Secure Access Manual Ca Certificate (Nsm Procedure)

    > Trusted Client CAs tab. Click Trusted Client CA . The New Trusted Client CA page appears. Configure the server using the settings described in Table 47 on page 186. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
  • Page 204 (such as for SAML authenticating client signature verification or machine certificate certificates. validation), disable this option. This indicates that the device must not trust any client certificate issued by this CA. Copyright © 2010, Juniper Networks, Inc.
  • Page 205 Specifies the manual Select the check box to enable this option. configured CDPs. CRL Download Specifies the Select the frequency of the CRL download. The Frequency (minutes) frequency of the CRL default value is 1440. download. Copyright © 2010, Juniper Networks, Inc.

  • Page 206: Configuring A Secure Access Saml Server Instance (Nsm Procedure)

    Specifies the source site inter-site transfer Enter the URL. Inter-Site Transfer service URL. Service URL Issuer Value for Specifies the issuer value for the source site. Enter the URL or hostname Source Site of the issuer of the assertion. Copyright © 2010, Juniper Networks, Inc.
  • Page 207 SAML response from the source site. Issued To Displays name and attributes of the entity to Issued To details is whom the certificate is issued. displayed. Copyright © 2010, Juniper Networks, Inc.

  • Page 208: Configuring A Secure Access Active Directory Or Nt Domain Instance

    8. Click the New button. The New dialog box appears. In the Auth Server Name list, specify a name to identify the server instance. Select AD/NT Server from the Auth Server Type list. Copyright © 2010, Juniper Networks, Inc.
  • Page 209 AD or NT server. for the AD or NT server. Admin Password Specifies an administrator password Enter an administrator password for the AD or NT server. for the AD or NT server. Copyright © 2010, Juniper Networks, Inc.
  • Page 210 Enter a name. Groups Specifies the admin’s domain local Enter a name. groups information. AD Group Specifies the group that contains the Enter a name. administrators to enable centralized administration in an Active Directory domain. Copyright © 2010, Juniper Networks, Inc.

  • Page 211: Configuring A Secure Access Nis Server Instance (Nsm Procedure)

    Specifies the domain name for the NIS Enter the domain name. server. Server Catalog > Expressions tab Name Specifies a name for the user expression in Enter a name. the NIS server user directory. Copyright © 2010, Juniper Networks, Inc.
  • Page 212 Configuring Secure Access Authentication Realms (NSM Procedure) on page 195 Documentation Configuring Secure Access Authentication Policies (NSM Procedure) on page 198 Configuring a Secure Access Active Directory or NT Domain Instance (NSM Procedure) on page 190 Copyright © 2010, Juniper Networks, Inc.

  • Page 213: Configuring Authentication Realms

    Specifies that the Role Mapping tab Select General > When editing, start on the Role is selected when you open the on the Role Mapping page to enable Mapping page realm for editing. this option. Copyright © 2010, Juniper Networks, Inc.
  • Page 214 Secure Access device sign-in process. Predefined user name template—Automatically submits a username to the secondary server during the Secure Access device sign-in process. Predefined User Specifies the predefined username. Enter static text or a valid variable. Name Copyright © 2010, Juniper Networks, Inc.
  • Page 215 Related Configuring Secure Access Authentication Policies (NSM Procedure) on page 198 Documentation Configuring Secure Access Role Mapping Rules (NSM Procedure) on page 203 Configuring Secure Access Sign-In Policies (NSM Procedure) on page 207 Copyright © 2010, Juniper Networks, Inc.

  • Page 216: Configuring Secure Access Authentication Policies (Nsm Procedure)

    Specifies the IP Netmask. Enter the IP netmask. Netmask NOTE: The new button is enabled only when you select Allow or deny users from the following IP addresses option from the Allow drop-down list. Copyright © 2010, Juniper Networks, Inc.
  • Page 217 <browser_string> substring. NOTE: This option is enabled only when you select Browsers whose user-agents pass the matching policies defined below from the Allow drop-down list and then by clicking New. Authentication Policies > Certificate tab Copyright © 2010, Juniper Networks, Inc.
  • Page 218 Only allow users that have passwords of a requirement specified for the minimum length—Requires the user to enter realm. a password with a minimum length of the number specified. Primary Specifies password length Enter the number. password restrictions. minimum length (character) Copyright © 2010, Juniper Networks, Inc.
  • Page 219 Allow access only if all of the Require & Enforce policies succeed—User can access the realm only if he meets all of the requirements in all of the selected policies. Authentication Policies > Cache Cleaner tab Copyright © 2010, Juniper Networks, Inc.
  • Page 220 (0) into the Maximum box, no users are allowed to login to the realm. Related Configuring Secure Access Role Mapping Rules (NSM Procedure) on page 203 Documentation Configuring Secure Access Sign-In Policies (NSM Procedure) on page 207 Copyright © 2010, Juniper Networks, Inc.

  • Page 221: Configuring Secure Access Role Mapping Rules (Nsm Procedure)

    Specifies the list of Select a non-member from the list to assign to if the rule matches non-members whose the authenticated user by adding/removing it >Non-members roles are not matched to/from the Members list. with the rules. Copyright © 2010, Juniper Networks, Inc.
  • Page 222 Select an option from the drop-down list. expression used in the NOTE: This option rule. is enabled only if you select either if username or if certificate has any of the attributes as the role mapping rule type. Copyright © 2010, Juniper Networks, Inc.
  • Page 223 Related Configuring Secure Access Sign-In Policies (NSM Procedure) on page 207 Documentation Configuring Secure Access Authentication Policies (NSM Procedure) on page 198 Copyright © 2010, Juniper Networks, Inc.
  • Page 224 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 225: Configuring Sign-In Policies And Sign-In

    Secure Access device for which you want to configure an authorization-only policy. Click the Configuration tab, and select Authentication > Signing In > Sign-in Policies > Authorization-Only Policies. The corresponding workspace appears. Copyright © 2010, Juniper Networks, Inc.
  • Page 226 Source IP restrictions (Users > User Roles > RoleName > General > Restrictions). Browser restrictions (Users > User Roles > RoleName > General > Restrictions). Enable Enables or disables the Select Authorization-Only Policies > Enable to individual policy. enable this option. Copyright © 2010, Juniper Networks, Inc.

  • Page 227: Creating User Or Administrator Urls

    Realm Select Specifies the type of the realm that Select the realm select from the you want to choose. drop-down list. Copyright © 2010, Juniper Networks, Inc.

  • Page 228: Creating Meeting Urls

    <path> is any string that you enter. Description Describes of the meeting URL Enter a description of the meeting URL policy. policy. Enable Enables or disables the individual Select Meeting URLs > Enable to enable policy. this option. Copyright © 2010, Juniper Networks, Inc.

  • Page 229: Configuring Secure Access Sign-In Pages (Nsm Procedure)

    Sign-in Page Type Specifies the type of sign-in page. Select any sign-in page type such as Standard or Custom Sign-In Pages. Settings > Sign-in Page Type > Standard > Custom Text tab Copyright © 2010, Juniper Networks, Inc.
  • Page 230 Specifies the custom logo image Select the image file using the browse file for the header. button. Background color Specifies the background color for Select any background color using the the header. color palette. Copyright © 2010, Juniper Networks, Inc.

  • Page 231: Creating Meeting Sign-In Pages

    Click the Configuration tab, select Authentication > Signing In > Sign-in Policies > Meeting Sign-in Pages. The corresponding workspace appears. Add or modify settings on the meeting sign-in page as specified in Table 58 on page 214. Click one: Copyright © 2010, Juniper Networks, Inc.
  • Page 232 Select any background color using the the header. color palette. Settings > Sign-in Page Type > Custom Sign-In Page Templates File Specifies the template file. Select a template file from the drop-down list or use the browse button. Copyright © 2010, Juniper Networks, Inc.
  • Page 233 Automatically displays the file upload the template file. time and it is not editable. Related Configuring a SAML Access Control Resource Policy (NSM Procedure) on page 223 Documentation Configuring Secure Access Sign-In Policies (NSM Procedure) on page 207 Copyright © 2010, Juniper Networks, Inc.
  • Page 234 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 235: Configuring Single Sign-On

    You can explicitly turn off the basic authentication intermediation in a policy. For Kerberos and NTLM, the device will always be intermediate. Depending on the SSO used, you can view the different fields in the intermediation page and configure the following options: Copyright © 2010, Juniper Networks, Inc.

  • Page 236: Configuring Basic, Ntlm, And Kerberos Resources (Nsm Procedure)

    NOTE: The Active Directory must have the sites defined and DNS must be configured to return the KDCs in the site. Pattern Enter the hostnames mapped to the Kerberos realm. You can enter wildcard characters such as *.y.com, *.kerber.net, or *.* . Copyright © 2010, Juniper Networks, Inc.
  • Page 237 Static—Specifies the username and password exactly as they are entered in the Username and Password boxes. Username Enter the account username. Password Enter the account password. Variable Password Enter the password token if you select Variable as the credential type. Copyright © 2010, Juniper Networks, Inc.
  • Page 238 Variable—Allows tokens such as username and password to be used in the Username and Password boxes. Static—Specifies the username and password exactly as they are entered in the Username and Password boxes. Copyright © 2010, Juniper Networks, Inc.

  • Page 239: Defining A Basic Authentication, Ntlm, Or Kerberos Intermediation Resource Policy (Nsm Procedure)

    Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure a basic, NTLM, or Kerberos intermediation resource policy. Click the Configuration tab. Select Users > Resource Policies > Basic Auth/NTLM SSO. Copyright © 2010, Juniper Networks, Inc.
  • Page 240 Select the Fallback to Kerberos check box to enable this option. Roles tab Roles Select roles to access resource policies. NOTE: This tab is enabled only when you select Selected or Except those selected from the Applies to roles drop-down list. Copyright © 2010, Juniper Networks, Inc.

  • Page 241: Configuring A Saml Access Control Resource Policy (Nsm Procedure)

    SAML ACL > General tab or Detailed Rule tab Name Specifies the name of the policy. Enter the name. Description Describes the policy. Enter the policy. New Resources Specifies the resources to which this Enter the resources. policy applies. Copyright © 2010, Juniper Networks, Inc.
  • Page 242 Secure None—Does not authenticate the Access device. Secure Access device. Username/Password—Authenticates the Secure Access device using a username and password. Certificate—Authenticates the Secure Access device using a certificate signed by a trusted certificate authority. Copyright © 2010, Juniper Networks, Inc.
  • Page 243 Maximum Specifies the amount of time the Enter the time. Cache Time Secure Access device should cache (seconds) the responses (in seconds). Copyright © 2010, Juniper Networks, Inc.

  • Page 244: Configuring Saml Sso Artifact Profile Resource Policy (Nsm Procedure)

    SAML Artifact Profile resource policy. Click the Configuration tab. Select Users > Resource Policies > Web > SAML SSO. Add or modify settings as specified in Table 62 on page 227. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
  • Page 245 SAML SSO details section. Do not use SAML SSO—Secure Access device does not perform an SSO request. Use Detailed Rules—Specifies one or more detailed rules for this policy. Copyright © 2010, Juniper Networks, Inc.
  • Page 246 Enter a variable. Or, enter static the Secure Access device text. should pass to the assertion consumer service. New Cookie Domain(s) Specifies the list of domains Enter a comma-separated list to which the SSO cookies are of domains. associated. Copyright © 2010, Juniper Networks, Inc.
  • Page 247 Certificate option from the Authentication Type drop-down list. Attribute Value Specifies the attribute values Enter the attribute value. that match the values contained in the assertion consumer service’s certificate. SAML SSO > Role Copyright © 2010, Juniper Networks, Inc.
  • Page 248 Related Setting Up Secure Access Device Host Checker Options (NSM Procedure) on page 231 Documentation Configuring a SAML Access Control Resource Policy (NSM Procedure) on page 223 Copyright © 2010, Juniper Networks, Inc.

  • Page 249: Configuring Secure Access Host Checker Policies

    Click the Configuration tab. In the configuration tree, select Authentication > Endpoint Security > Host Checker > Settings tab. Add or modify Host Checker settings as specified in Table 63 on page 232. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
  • Page 250 Host Checker. reevaluation to enable this feature. Related Configuring General Host Checker Remediation (NSM Procedure) on page 233 Documentation Configuring Host Checker Third-Party Applications Using Predefined Rules (NSM Procedure) on page 234 Copyright © 2010, Juniper Networks, Inc.

  • Page 251: Configuring General Host Checker Remediation (Nsm Procedure)

    The click Add to move from the alternate policy must be either a third-party Non-members to the Members list. policy that uses a J.E.D.I. package or a Secure Virtual Workspace policy. Copyright © 2010, Juniper Networks, Inc.

  • Page 252: Configuring Host Checker Third-Party Applications Using Predefined Rules

    Host Checker policy requirements. NOTE: This option applies to predefined rules, custom rules, and to third-party IMVs that use extensions in the Juniper Networks TNC SDK. Related Configuring Host Checker Third-Party Applications Using Predefined Rules (NSM...
  • Page 253 (for example, any Symantec product). Enable Scan period check Enables the System scan Select the Enable Scan period for the product. check to enable this feature. Copyright © 2010, Juniper Networks, Inc.
  • Page 254 Add to move the product from the Non-members to the Members list. Selected Products tab Product name Allows you to select the Select the product from the product. Product name drop-down list. Copyright © 2010, Juniper Networks, Inc.
  • Page 255 Turn on firewall for all Turns on the Firewall. Select the Turn on firewall for all supported products supported products to enable this feature. Selected Vendors tab Copyright © 2010, Juniper Networks, Inc.
  • Page 256 Require any supported Checks for any product Select the Require any supported product from a specified (rather than requiring you product from a specific vendor vendor to select every product option to enable this feature. separately). Copyright © 2010, Juniper Networks, Inc.
  • Page 257 Configuring the Remote Integrity Measurement Verifier Server (NSM Procedure) on Documentation page 240 Configuring Host Checker Customized Requirements Using Custom Rules (NSM Procedure) on page 241 Configuring General Host Checker Remediation (NSM Procedure) on page 233 Copyright © 2010, Juniper Networks, Inc.

  • Page 258: Configuring The Remote Integrity Measurement Verifier Server

    Shared secret Specifies the shared secret Enter the same shared secret used in information. the client information entry on the remote IMV server. Copyright © 2010, Juniper Networks, Inc.

  • Page 259: Procedure)

    Click the tab that corresponds to the operating system for which you want to specify Host Checker options—Windows, Mac, Linux, Solaris, or Windows Mobile. In the same policy, you can specify different Host Checker requirements for each operating system. Copyright © 2010, Juniper Networks, Inc.
  • Page 260 Secure Access device. executable file to which you want the policy to apply (optional). 5. Select the Monitor this rule for change in result check box to continuously monitor the policy compliance of endpoints. 6. Click Copyright © 2010, Juniper Networks, Inc.
  • Page 261 7. Select the Set Registry value specified in the criteria check box. 8. Select the Monitor this rule for change in result check box to continuously monitor the policy compliance of endpoints. 9. Click OK. Copyright © 2010, Juniper Networks, Inc.
  • Page 262 3. Enterany additional criteria that Host Checker should use when verifying the machine certificate in the Certificate field and Expected value box. 4. Click OK. Patch Assessment Rules Copyright © 2010, Juniper Networks, Inc.
  • Page 263 Select the Enable SMS patch update check box to update patches using SMS. Related Configuring Global Cache Cleaner Options (NSM Procedure) on page 251 Documentation Configuring a Secure Application Manager Resource Policy (NSM Procedure) on page 144 Copyright © 2010, Juniper Networks, Inc.

  • Page 264: Enabling Advanced Endpoint Defense (Nsm Procedure)

    Advanced Endpoint Defense: Malware Protection to apply to that role or realm. Related Configuring Host Checker Customized Requirements Using Custom Rules (NSM Documentation Procedure) on page 241 Enabling Predefined Client-Side Policies for Windows Only (NSM Procedure) on page 247 Copyright © 2010, Juniper Networks, Inc.

  • Page 265: Enabling Predefined Client-Side Policies For Windows Only

    Related Enabling Predefined Client-Side Policies for Windows Only (NSM Procedure) on page 247 Documentation Configuring Virus Signature Version Monitoring (NSM Procedure) on page 248 Copyright © 2010, Juniper Networks, Inc.

  • Page 266: Configuring Virus Signature Version Monitoring (Nsm Procedure)

    Host Checker policy. You can automatically import either the current Virus signature version monitoring or Patch Management Info Monitoring list from the Juniper Networks staging site at a specified interval. Alternatively, you can download the files from Juniper Networks and use your own staging server.

  • Page 267: Importing Virus Signature Version Monitoring Or Patch Management Version Monitoring List (Nsm Procedure)

    Click either Virus signature version monitoring or Patch Management Info Monitoring. Download the list from the Juniper Networks staging site to a network server or local drive on your computer by entering the Juniper Networks URLs in a browser window.

  • Page 268: Assigning A Proxy Server An Auto-Update Server (Nsm Procedure)

    Select the check box to enable this feature. IP Address Enter the IP address of your proxy server. Port Enter the port that the Juniper Networks Support site will use to communicate with your proxy server. Related Configuring Virus Signature Version Monitoring (NSM Procedure) on page 248...

  • Page 269: Configuring Secure Access Cache Cleaner

    1 to 60 minutes. through the Secure Access device’s Content Intermediation Engine plus the browser cache, files, and folders you specify under the Browser Cache and Files and Folders sections. Copyright © 2010, Juniper Networks, Inc.
  • Page 270 Cache Cleaner > Browser Cache tab Hostname Allows you to enter one or more Enter the hostname or domain. hostnames or domains (wildcards are permitted). Copyright © 2010, Juniper Networks, Inc.
  • Page 271 Clear Subfolders check box to this directory. enable this feature. Related Configuring Cache Cleaner Restrictions (NSM Procedure) on page 254 Documentation Configuring the Network Communications Protocol (NSM Procedure) on page 257 Copyright © 2010, Juniper Networks, Inc.

  • Page 272: Configuring Cache Cleaner Restrictions (Nsm Procedure)

    Configure the cache cleaner restrictions at the role level using the settings described in Table 71 on page 254. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Table 71: Configuring Cache Cleaner Restrictions Details at Realm Level Option Function Your Action Files and Folders Copyright © 2010, Juniper Networks, Inc.
  • Page 273 In the navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure global Cache Cleaner restrictions at the resource policy level. Copyright © 2010, Juniper Networks, Inc.
  • Page 274 Cache Cleaner needs to be installed or running on the user's workstation. Related Configuring the Network Communications Protocol (NSM Procedure) on page 257 Documentation Configuring Global Cache Cleaner Options (NSM Procedure) on page 251 Copyright © 2010, Juniper Networks, Inc.

  • Page 275: Configuring Secure Access System Management Features

    Click the Configuration tab, and select System > Configuration > NCP. The corresponding workspace appears. Add or modify settings as specified in Table 74 on page 258. Click one: OK—Saves the changes. Cancel—Cancels the modification. Copyright © 2010, Juniper Networks, Inc.
  • Page 276 Secure Access device maintains idle connections for client-side Windows Secure Access methods. Related Configuring General Network Settings (NSM Procedure) on page 271 Documentation Configuring Internet Protocol Filters (NSM Procedure) on page 276 Copyright © 2010, Juniper Networks, Inc.

  • Page 277: Configuring Secure Meetings (Nsm Procedure)

    NOTE: If you select the Upload Logs option, you must also use settings in the System > Log/Monitoring > Client Logs > Settings page of the admin console to enable client-side logging. Copyright © 2010, Juniper Networks, Inc.
  • Page 278 Enter the email address or the address of administrator that secure meeting uses the specified another administrator. address as the sender’s email if the email creator does not configure his own email address on the Secure Access device. Copyright © 2010, Juniper Networks, Inc.

  • Page 279: Configuring Global Security (Nsm Procedure)

    Add or modify settings as specified in Table 76 on page 261. Click one: OK—Saves the changes. Cancel—Cancels the modification. Table 76: Configuring Global Security Details Option Function Your Action SSL Settings > General tab Copyright © 2010, Juniper Networks, Inc.
  • Page 280 256-bit AES and greater) check box to enable this greater) over 3DES. feature. NOTE: This option is displayed only when you select Custom SSL Cipher Selection from the strength drop–down list. Copyright © 2010, Juniper Networks, Inc.
  • Page 281 Prevents a browser with a weak cipher Select the Do not allow connections connections from establishing a connection. from browsers that only accept from browsers weaker ciphers check box to enable that only this feature. accept weaker ciphers Settings Copyright © 2010, Juniper Networks, Inc.
  • Page 282 Allows you to specify the SAML Select SAML 1.0 or SAML 1.1 from the protocol and schema. drop-down list. Related Configuring Sensors (NSM Procedure) on page 265 Documentation Configuring the Network Communications Protocol (NSM Procedure) on page 257 Copyright © 2010, Juniper Networks, Inc.

  • Page 283: Configuring Sensors (Nsm Procedure)

    Enter the IP addresses. monitor > New addresses and address ranges the Addresses to IDP sensor monitors for potential monitor attacks, one entry per line. IDP reports attack information only for the IP addresses that you specify. Copyright © 2010, Juniper Networks, Inc.
  • Page 284 Replace user role—Specifies that the role applied to this user’s profile should change to the role you select from the associated drop-down list. This new role remains assigned to the user profile until the session terminates. Copyright © 2010, Juniper Networks, Inc.
  • Page 285 For example, to check for all critical/highest severity level attacks, enter the following expression: idp.severity >= 4 Related Configuring General Network Settings (NSM Procedure) on page 271 Documentation Configuring Global Security (NSM Procedure) on page 261 Copyright © 2010, Juniper Networks, Inc.

  • Page 286: Creating A Custom Expression For Sensor Settings (Nsm Procedure)

    Juniper IDP variable to display its description and example usage. Click the Juniper IDP variable example displayed to insert it in the Expression area. NOTE: Refer to the Juniper Networks Secure Access Administration Guide for more information on variables and writing custom expressions.
  • Page 287 Sensor Events tab. Click OK to save the sensor events settings. Related Configuring Sensors (NSM Procedure) on page 265 Documentation Configuring User Access, Admin Access, Events and Sensors (NSM Procedure) on page 305 Copyright © 2010, Juniper Networks, Inc.
  • Page 288 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 289: Configuring Network Settings

    Specifies the fully-qualified host name Enter the name of the Secure network identity of the Secure Access device for network Access device. identity. NOTE: You can enter upto maximum of 30 characters as host name. Copyright © 2010, Juniper Networks, Inc.
  • Page 290 Secure Access device domain that responds to NETBIOS calls and associates workstation names and locations with IP addresses (if applicable). Related Configuring Internal Ports (NSM Procedure) on page 273 Documentation Configuring Hosts (NSM Procedure) on page 275 Copyright © 2010, Juniper Networks, Inc.

  • Page 291: Configuring Internal Ports (Nsm Procedure)

    ARP Ping Specifies how long the Secure Access device Enter the time in seconds. Timeout should wait for responses to Address Resolution (seconds) Protocol (ARP) requests before timing out. Copyright © 2010, Juniper Networks, Inc.
  • Page 292 Specifies the physical address of a network device Enter the physical Address such as a router or backend application server that address. connects to the Secure Access device to determine the physical (MAC) address Copyright © 2010, Juniper Networks, Inc.

  • Page 293: Configuring Hosts (Nsm Procedure)

    IP address. hostnames. Comment Allows you to enter a comment of 200 words or less Enter the comment. (optional). Related Configuring Internet Protocol Filters (NSM Procedure) on page 276 Documentation Copyright © 2010, Juniper Networks, Inc.

  • Page 294: Configuring Internet Protocol Filters (Nsm Procedure)

    IP Address Filters Specifies the IP address filters. Enter the IP address filter. Related Managing Large Binary Data Files (NSM Procedure) on page 295 Documentation Configuring General Network Settings (NSM Procedure) on page 271 Copyright © 2010, Juniper Networks, Inc.

  • Page 295: Synchronizing User Records

    The logical authentication server (LAS) and username combination is what uniquely identifies a user record. The following user records are synchronized between the client and server: Bookmarks File Terminal Services JSAM Preferences Persistent cookies Copyright © 2010, Juniper Networks, Inc.

  • Page 296: Enabling User Record Synchronization (Nsm Procedure)

    Once you enter a name and shared secret, you cannot clear these fields. Related Configuring the Authentication Server (NSM Procedure) on page 279 Documentation Configuring the User Record Synchronization Server (NSM Procedure) on page 279 Copyright © 2010, Juniper Networks, Inc.

  • Page 297: Configuring The Authentication Server (Nsm Procedure)

    Click the Configuration tab, and select System > Configuration > User Record Synchronization > This Server. Under Peer Servers tab, click New. Enter the peer server node name in the Server Node Name. Enter the peer IP address in the Internal Address box. Copyright © 2010, Juniper Networks, Inc.

  • Page 298: Configuring The Client (Nsm Procedure)

    Even if you select Logical Authentication Server Name (or ’Any LAS’), you must enter a primary server IP address. Once added, the primary and backup servers have a colored icon next to their name indicating their connection status. Click OK to save the changes. Copyright © 2010, Juniper Networks, Inc.

  • Page 299: Configuring The Database (Nsm Procedure)

    Enter the number of days user records must be idle before being auto-deleted. The default value is none. Related Configuring the User Record Synchronization Server (NSM Procedure) on page 279 Documentation Configuring the Client (NSM Procedure) on page 280 Copyright © 2010, Juniper Networks, Inc.
  • Page 300 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 301: Configuring If-Map Federation Settings

    This chapter describes the interoperation between heterogeneous network appliances in a federated network. In a federated network, users providing valid credentials can access resources protected by any number of Juniper Networks security devices without re-authenticating through a different device. Juniper Networks IDP Series Intrusion Detection and Prevention Appliance can be incorporated into a federated network to protect against attacks within the network.

  • Page 302: Configuring If-Map Client Settings On The Secure Access Device

    To add the server, you specify the IF-MAP URL of the server and how to authenticate to the server. Match the URL and security settings to equal those on the IF-MAP server(s) to which the IF-MAP client will connect. Copyright © 2010, Juniper Networks, Inc.

  • Page 303: Procedure)

    Configuring IF-MAP Session Export Policy on the Secure Access Device (NSM Procedure) Session-export policies determine how users are identified on the IF-MAP server when their session is published through IF-MAP. The session-export policy sets the IF-MAP identity. Copyright © 2010, Juniper Networks, Inc.
  • Page 304 Select this option to stop matching roles after a when an IF-MAP client has successful match is found. successfully matched the roles selected for this policy to roles based on session-import policies configured on the target device. Identity tab Copyright © 2010, Juniper Networks, Inc.
  • Page 305 IF-MAP roles data. Set capabilities specified below—Select this option to set the specified capabilities. The Capabilities option appears. From Capabilities, click New and enter a specified capability. Device Attributes tab Copyright © 2010, Juniper Networks, Inc.

  • Page 306: Procedure)

    Click the Configuration tab. In the configuration tree, select System > IF–MAP Federation > Session-Import Policies. Add or modify settings as specified in Table 85 on page 289. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
  • Page 307 Select this action and the following option Attributes should be used as the criteria for assigning appears. roles. Device Attributes—From Device Attributes, click New and enter a specified device attribute. Actions > Assign Roles tab Copyright © 2010, Juniper Networks, Inc.

  • Page 308: Configuring If-Map Server Replicas (Nsm Procedure)

    OK—Saves the changes. Cancel—Cancels the modifications. Table 86: Replica IF–MAP Server Configuration Details Option Function Your Action Name Specifies a unique name for Enter a name for the replica IF-MAP server. the replica IF-MAP server. Copyright © 2010, Juniper Networks, Inc.
  • Page 309 If any restrictions match, for example CN=ic.example.com, the certificate is accepted. Related Configuring IF-MAP Session Import Policy on the Secure Access Device (NSM Documentation Procedure) on page 288 Configuring IF-MAP Servers (NSM Procedure) on page 283 Copyright © 2010, Juniper Networks, Inc.
  • Page 310 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 311: Part 4 Managing Secure Access Devices

    PART 4 Managing Secure Access Devices Managing Secure Access Devices on page 295 Troubleshooting Secure Access Device Federated Networks on page 301 Copyright © 2010, Juniper Networks, Inc.
  • Page 312 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 313: Managing Secure Access Devices

    Add icon. In the New Binary Data dialog box, enter a name for the object, select a color for the object icon, add a comment if desired, and select the file you uploaded in Step Copyright © 2010, Juniper Networks, Inc.

  • Page 314: Removing A Secure Access Device From Nsm Management

    If the device is referenced in a firewall rule, this dialog box displays the rules that reference it. You can click the links that appear to display the Security Policies, and to view or edit those references. Copyright © 2010, Juniper Networks, Inc.

  • Page 315: Archiving Secure Meetings (Nsm Procedure)

    Frequency of automatic Specifies how often the archiving Select either Month or Week. cleanup process should run. Copyright © 2010, Juniper Networks, Inc.

  • Page 316: Managing Secure Access Node From A Cluster

    Fails over the VIP to the other node in the active/passive cluster. This option is enabled only if cluster is configured as Active/passive. Member Name Lists all nodes belonging to the cluster. You can click a node to modify its name and network settings. Copyright © 2010, Juniper Networks, Inc.
  • Page 317 NOTE: This option is available only with a Central Manager license. Update Updates the sync rank after you change the precedence of the nodes in the Sync Rank column. Copyright © 2010, Juniper Networks, Inc.
  • Page 318 Configuring Secure Access Devices Guide Related Adding a Secure Access Cluster Overview on page 23 Documentation Managing Large Binary Data Files (NSM Procedure) on page 295 Copyright © 2010, Juniper Networks, Inc.

  • Page 319: Troubleshooting Secure Access Device Federated Networks

    IF-MAP Server Trace should only be enabled for troubleshooting purposes, as running this diagnostic incurs a large performance impact. Related Configuring IF-MAP Servers (NSM Procedure) on page 283 Documentation Configuring IF-MAP Client Settings on the Secure Access Device (NSM Procedure) on page 284 Copyright © 2010, Juniper Networks, Inc.
  • Page 320 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 321: Part 5 Monitoring Secure Access Devices

    PART 5 Monitoring Secure Access Devices Configuring Logs in Secure Access Devices on page 305 Viewing Logs in Secure Access Devices on page 313 Copyright © 2010, Juniper Networks, Inc.
  • Page 322 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 323: Configuring Logs In Secure Access Devices

    Max Log Size Specifies the maximum file size for the local Specify the file size. (MB) log file. NOTE: The system log displays data up to the amount specified. (The limit is 200 MB). Copyright © 2010, Juniper Networks, Inc.
  • Page 324 Select Secure Terminal to secure terminals in the local file. enable this feature. Network Connect Captures information about user access to Select Network Connect to Network Connect in the local log file. enable this feature. Copyright © 2010, Juniper Networks, Inc.
  • Page 325 Max Log Size Specifies the maximum file size for the local Enter the file size. (MB) log file. (The limit is 500 MB.) NOTE: The system log displays data up to the amount specified. Copyright © 2010, Juniper Networks, Inc.

  • Page 326: Configuring Custom Filters And Formats For Log Files (Nsm Procedure)

    Enter the start date. which the Secure Access device writes logs in the log file. End Date Specifies the end date in which Enter the end date. the Secure Access device writes logs in the log file. Copyright © 2010, Juniper Networks, Inc.
  • Page 327 Custom from %user%). All other characters are treated as the Format Type drop-down literals. list. Related Configuring Client-Side Logs (NSM Procedure) on page 310 Documentation Viewing Device Status on page 313 Copyright © 2010, Juniper Networks, Inc.

  • Page 328: Configuring Client-Side Logs (Nsm Procedure)

    Configuring Secure Access Devices Guide Configuring Client-Side Logs (NSM Procedure) Client-side logging is useful when working with the Juniper Networks Support team to debug problems with an Secure Access device client-side feature. When you enable logging for a feature, the Secure Access device writes a log to any client computer that uses the feature.

  • Page 329: Configuring Custom Log Filters (Nsm Procedure)

    Option Function Your Action Filter Name Specifies a name for the Enter a name for the filter. filter. Start Date Specifies the date from Enter a start date. which logs have to be written. Copyright © 2010, Juniper Networks, Inc.
  • Page 330 (for example %user%). All other characters in the field are treated as literals. Related Configuring Client-Side Logs (NSM Procedure) on page 310 Documentation Configuring Custom Filters and Formats for Log Files (NSM Procedure) on page 308 Copyright © 2010, Juniper Networks, Inc.

  • Page 331: Viewing Logs In Secure Access Devices

    Unique name assigned to the device in NSM. Domain Domain in NSM in which the device is managed. Platform Model number of the device. OS Version Operating system firmware version running on the device. Copyright © 2010, Juniper Networks, Inc.
  • Page 332 Managed, Sync Pending—Completion of the Update Device directive is suspended and waiting for the device to reconnect. This state occurs only for ScreenOS devices that have the Update When Device Connects option selected during the device update. Copyright © 2010, Juniper Networks, Inc.
  • Page 333 Out Of Sync—The inventory information in the NSM database is not synchronized with the software on the device. N/A—The connected device is a ScreenOS or IDP device, or the device is not connected and imported. Copyright © 2010, Juniper Networks, Inc.

  • Page 334: Viewing Device Monitor Alarm Status

    To retrieve the current alarm status in the device, click the Refresh button. The poll time is derived from the device server time. Related Monitoring the Secure Access as an SNMP Agent (NSM Procedure) on page 317 Documentation Viewing Device Status on page 313 Copyright © 2010, Juniper Networks, Inc.

  • Page 335: Monitoring The Secure Access As An Snmp Agent (Nsm Procedure)

    Network Management Protocol) v2, implements a private MIB (management information base), and defines its own traps. To enable your network management station to process these traps, you need to download the Juniper Networks MIB file and specify the appropriate information to receive the traps.
  • Page 336 Specifies the community string required Enter the string. Community by the network management station. NOTE: To disable the SNMP module, you must disable the SNMP query and SNMP traps. Related Viewing Device Status on page 313 Documentation Copyright © 2010, Juniper Networks, Inc.

  • Page 337: Index

    PART 6 Index Index on page 321 Copyright © 2010, Juniper Networks, Inc.
  • Page 338 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

  • Page 339: Index

    Index customer support..............xvi contacting JTAC..............xvi support, technical See technical support technical support contacting JTAC..............xvi Copyright © 2010, Juniper Networks, Inc.
  • Page 340 Configuring Secure Access Devices Guide Copyright © 2010, Juniper Networks, Inc.

This manual is also suitable for:

Network and security manager

Table of Contents