Junos® Pulse
Solution for SRX Series Services Gateways
Release
5.0
Published: 2013-11-20
Copyright © 2013, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright © 2013, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® Pulse Solution for SRX Series Services Gateways
Release 5.0
Copyright © 2013, Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Part 1 Overview
Chapter 1 SRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Junos Pulse and SRX Series Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
SRX Series Gateway Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Part 2 Configuration
Chapter 2 Dynamic VPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Junos Pulse and Dynamic VPN Configuration Overview . . . . . . . . . . . . . . . . . . . . . . 7
Part 3 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
About the Documentation
• Documentation and Release Notes on page vii
• Supported Platforms on page vii
• Documentation Conventions on page vii
• Documentation Feedback on page ix
• Requesting Technical Support on page ix
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
• SRX Series
Documentation Conventions
Table 1 on page viii defines notice icons used in this guide.
Table 1: Notice Icons
(The Icon column of this table contains images that are not reproduced in this text.)

Meaning              Description
Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Table 2 on page viii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples:
    To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
    • Introduces or emphasizes important new terms.
    • Identifies guide names.
    • Identifies RFC and Internet draft titles.
Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS CLI User Guide
    • RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples:
    Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples:
    stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples:
    rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples:
    community name members [community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (for the two conventions above):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
    • In the Logical Interfaces box, select All Interfaces.
    • To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples:
    In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
• Document or topic name
• URL or page number
• Software release version (if applicable)
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides youwith the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Overview
• SRX Series Services Gateways on page 3
CHAPTER 1
SRX Series Services Gateways
• Junos Pulse and SRX Series Gateways on page 3
• SRX Series Gateway Deployment Options on page 4
Junos Pulse and SRX Series Gateways
The dynamic virtual private network (VPN) feature of SRX Series gateways simplifies
remote access by enabling users to establish Internet Protocol Security (IPsec) VPN
tunnels without having to manually configure VPN settings on their endpoints. Junos
Pulse supports dynamic VPN connectivity to SRX Series gateways. The VPN settings are
part of a Pulse SRX connection. Depending on the version of Junos OS on the SRX
gateway, you might be able to deploy Pulse to endpoints from the SRX Series gateway
through a Web portal. A remote client accesses the Web portal and, after being
authenticated, downloads and installs Pulse. The installation includes a Pulse connection
to the SRX Series gateway. Alternatively, you can create and deploy firewall connections
from Pulse Access Control Service and Pulse Secure Access Service. See the Junos Pulse
Supported Platform Guide for details on the Junos OS versions that are able to deploy
Pulse.
To configure a firewall access environment for Pulse clients, you must configure the VPN
settings on the SRX Series gateway and create and deploy an SRX connection on the
Junos Pulse client.
NOTE: Junos Pulse for mobile devices can access Pulse Secure Access Service only.
For SRX Series gateways that cannot deploy Junos Pulse client software, you have the
following configuration and deployment options:
• In an environment that includes Pulse Secure Access Service and Pulse Access Control
Service, create connections of the type SRX with a target address of your SRX Series
Services gateway. Users could then install the Junos Pulse client software and the
connection configurations by logging in to the Web portal of the Pulse Secure Access
Service or Pulse Access Control Service and being assigned to a role that installs Junos
Pulse. After the installation, the endpoint has the Junos Pulse client software and the
connection information required to connect to the SRX Series Services gateways.
• Install the default Junos Pulse software package, and then have users create new
connections that point to the SRX Series gateway.
SRX Series gateways supported an earlier access client called Juniper Networks Access
Manager. You must uninstall Access Manager before you deploy Junos Pulse to
endpoints. The Pulse installation program checks for Access Manager. If Access Manager
is present, the program displays a message instructing the user to uninstall Access
Manager before installing Pulse.
NOTE: The automatic update feature is supported on Pulse Secure Access and Pulse Access Control servers only. SRX gateways do not support automatic Pulse software updates.
Related Documentation
• Junos Pulse and Dynamic VPN Configuration Overview on page 7
SRX Series Gateway Deployment Options
Endpoints can use Junos Pulse client software to connect to SRX Series gateways that
are running Junos OS Release 10.2, and that have dynamic VPN access enabled and
configured. The following describes deployment options for SRX Series gateway
connections:
• You can create connections that use the connection type “Firewall” and deploy these
connections from Pulse Secure Access Service or Junos Pulse Access Control Service.
• You can download the Junos Pulse installer from a Pulse server or the Juniper Networks
Web and install it using local distribution methods such as SMS/SCCM. After installing
Pulse, users create a connection to an SRX gateway.
Related Documentation
• Understanding Session Migration
PART 2
Configuration
• Dynamic VPN Configuration on page 7
CHAPTER 2
Dynamic VPN Configuration
• Junos Pulse and Dynamic VPN Configuration Overview on page 7
Junos Pulse and Dynamic VPN Configuration Overview
A dynamic VPN allows administrators to provide IPsec access for Windows endpoints
to a Pulse server on a Juniper Networks device while also providing a way to distribute
the Dynamic VPN software to remote clients through the use of a Web portal.
The following procedure lists the tasks for configuring a dynamic VPN. For detailed
information on these topics, see the Junos OS documentation.
1. Configure authentication and address assignment for the remote clients:
a. Configure an XAuth profile to authenticate users and assign addresses. You can
use local authentication or an external RADIUS server. Use the profile configuration
statement at the [edit access] hierarchy level to configure the XAuth profile.
To use the XAuth profile for Web authentication, use the web-authentication
configuration statement at the [edit access firewall-authentication] hierarchy level.
b. Assign IP addresses from a local address pool if local authentication is used. Use
the address-assignment pool configuration statement at the [edit access] hierarchy
level. You can specify a subnet or a range of IP addresses. Or you can specify IP
addresses for DNS and WINS servers.
2. Configure the VPN tunnel:
a. Configure the IKE policy. The mode must be aggressive. You can use basic,
compatible, or standard proposal sets. Only preshared keys are supported for
phase 1 authentication. Use the policy configuration statement at the [edit security
ike] hierarchy level.
b. Configure the IKE gateway. Either shared or group IKE IDs can be used. You can
configure the maximum number of simultaneous connections to the gateway. Use
the gateway configuration statement at the [edit security ike] hierarchy level.
c. Configure the IPsec VPN. You can use basic, compatible, or standard proposal sets
with the policy configuration statement at the [edit security ipsec] hierarchy level.
Use the vpn configuration statement at the [edit security ipsec] hierarchy level to
configure the IPsec gateway and policy.
d. Configure a security policy to allow traffic from the remote clients to the IKE
gateway. Use the policy configuration statement at the [edit security policies
from-zone zone to-zone zone] hierarchy level.
NOTE: The placement of this security policy is important. You must place it above
more specific, non-VPN policies so that traffic that is intended to be sent over the
VPN tunnel is processed correctly.
e. Configure host inbound traffic to allow specific traffic to reach the device from
systems that are connected to its interfaces. For example, IKE and HTTPS traffic
must be allowed.
f. (Optional) If the client address pool belongs to a subnet that is directly connected
to the device, the device would need to respond to ARP requests to addresses in
the pool from other devices in the same zone. Use the proxy-arp configuration
statement at the [edit security nat] hierarchy level. Specify the interface that directly
connects the subnet to the device and the addresses in the pool.
3. Associate the dynamic VPN with remote clients:
a. Specify the access profile for use with dynamic VPN. Use the access-profile
configuration statement at the [edit security dynamic-vpn] hierarchy level.
b. Configure the clients who can use the dynamic VPN. Specify protected resources
(traffic to the protected resource travels through the specified dynamic VPN tunnel
and is therefore protected by the firewall’s security policies) or exceptions to the
protected resources list (traffic that does not travel through the dynamic VPN
tunnel and is sent in clear text). These options control the routes that are pushed
to the client when the tunnel is up, therefore controlling the traffic that is sent
through the tunnel. Use the clients configuration statement at the [edit security
dynamic-vpn] hierarchy level.
Related Documentation
• Junos Pulse Client Installation Overview
PART 3
Index
• Index on page 11
Index

Symbols
#, comments in configuration statements ............ ix
( ), in syntax descriptions ............ ix
< >, in syntax descriptions ............ viii
[ ], in configuration statements ............ ix
{ }, in configuration statements ............ ix
| (pipe), in syntax descriptions ............ ix

A
Access Manager ............ 4

B
braces, in configuration statements ............ ix
brackets
    angle, in syntax descriptions ............ viii
    square, in configuration statements ............ ix

C
comments, in configuration statements ............ ix
conventions
    text and syntax ............ viii
curly braces, in configuration statements ............ ix
customer support ............ ix
    contacting JTAC ............ ix

D
documentation
    comments on ............ ix
dynamic VPNs
    configuration overview ............ 7

F
firewall access
    configuring on SRX ............ 3
font conventions ............ viii

M
manuals
    comments on ............ ix

P
parentheses, in syntax descriptions ............ ix

S
SRX Series gateways
    deployment option ............ 4
support, technical   See technical support
syntax conventions ............ viii

T
technical support
    contacting JTAC ............ ix

V
VPN ............ 3