Secure Access
Service Provider Virtual Appliance ManagementGuide
Release
Published: 2010-07-06
Part Number: , Revision 1
Copyright © 2010, Juniper Networks, Inc.
Juniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, California 94089USA408-745-2000www.juniper.net
This product includes the Envoy SNMPEngine, developed by Epilogue Technology, an IntegratedSystemsCompany. Copyright© 1986-1997,Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no partof them is in the public domain.
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentationand software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright ©1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed throughrelease 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’sHELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateDsoftware copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D.L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All othertrademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that areowned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Secure Access Service Provider Virtual Appliance Management Guide
Revision History2010—Revised for SA release 7.0.
The information in this document is current as of the date listed in the revision history.
Copyright © 2010, Juniper Networks, Inc.ii
ENDUSER LICENSE AGREEMENT
READ THIS ENDUSER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, ORUSING THE SOFTWARE.BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OROTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMSCONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TOBINDTHECUSTOMER)CONSENTTOBEBOUNDBYTHISAGREEMENT. IF YOUDONOTORCANNOTAGREETOTHETERMSCONTAINEDHEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOUMAY CONTACT JUNIPER NETWORKSREGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) orJuniperNetworks (Cayman)Limited (if theCustomer’sprincipal office is locatedoutside theAmericas) (suchapplicableentitybeing referredtohereinas “Juniper”), and (ii) thepersonororganization thatoriginally purchased fromJuniper or anauthorized Juniper reseller theapplicablelicense(s) for use of the Software (“Customer”) (collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the programmodules and features of the Juniper or Juniper-supplied software, forwhich Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded byJuniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgradesand new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniperequipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.
3. LicenseGrant.Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customera non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to thefollowing use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased byCustomer from Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing unitsfor which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey AccessClient software only, Customer shall use such Software on a single computer containing a single physical random access memory spaceand containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software onmultiple computers or virtual machines(e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a singlechassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer mayspecify limits toCustomer’s useof theSoftware. Such limitsmay restrict use toamaximumnumberof seats, registeredendpoints, concurrentusers, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase ofseparate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput,performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the useof the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software.Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of theSoftware. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may notextend or create an additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’senterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of theSteel-Belted Radius software to support any commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchasethe applicable license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agreesnot to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorizedcopies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of theSoftware, in any form, to any third party; (d) remove any proprietary notices, labels, ormarks on or in any copy of theSoftware or any productin which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniperequipment sold in thesecondhandmarket; (f) useany ‘locked’ or key-restricted feature, function, service, application, operation, or capabilitywithout first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application,operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the
iiiCopyright © 2010, Juniper Networks, Inc.
Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i)use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment thatthe Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarkingof the Software to any third party without the prior written consent of Juniper; or (l) use the Software in anymanner other than as expresslyprovided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper,Customer shall furnish such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper.As such, Customer shall exercise all reasonable commercial efforts tomaintain the Software and associated documentation in confidence,which at aminimum includes restricting access to the Software to Customer employees and contractors having a need to use the Softwarefor Customer’s internal business purposes.
7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and tothe Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyanceof any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copiesof the Software.
8. Warranty, Limitation of Liability, Disclaimer ofWarranty. The warranty applicable to the Software shall be as set forth in the warrantystatement thataccompanies theSoftware (the “WarrantyStatement”).Nothing in thisAgreement shall give rise toanyobligation to supportthe Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support servicesagreement. TO THEMAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA,ORCOSTSORPROCUREMENTOFSUBSTITUTEGOODSORSERVICES,ORFORANYSPECIAL, INDIRECT,ORCONSEQUENTIALDAMAGESARISINGOUTOFTHISAGREEMENT,THESOFTWARE,ORANYJUNIPERORJUNIPER-SUPPLIEDSOFTWARE. INNOEVENTSHALLJUNIPERBE LIABLE FOR DAMAGES ARISING FROMUNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE.EXCEPT AS EXPRESSLY PROVIDED IN THEWARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANYAND ALLWARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANYIMPLIEDWARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOESJUNIPERWARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATEWITHOUTERROROR INTERRUPTION, ORWILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paidby Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid byCustomer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement inreliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk betweenthe Parties (including the risk that a contract remedymay fail of its essential purpose and cause consequential loss), and that the sameform an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic terminationof the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and relateddocumentation in Customer’s possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising fromthe purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdictionshall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. Allpayments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper inconnection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showingCustomer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax tobe paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply withall applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to anyliability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations underthis Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and anyapplicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any suchrestrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of theSoftware supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software withoutan export license.
Copyright © 2010, Juniper Networks, Inc.iv
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use,duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customerwith the interface information needed to achieve interoperability between the Software and another independently created program, onpayment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall usesuch information in compliance with any applicable terms and conditions upon which Juniper makes such information available.
14. Third Party Software.Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose productsor technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement,and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third partysoftwaremay be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extentportions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for suchportions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniperwill make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to threeyears from the date of distribution. Such request can bemade in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA
94089, ATTN: General Counsel. Youmay obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPLat http://www.gnu.org/licenses/lgpl.html .
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of lawsprinciples. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputesarising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federalcourts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customerwith respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written(including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by anauthorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms containedherein. Nomodification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writingby the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validityof the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and theParties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention demême que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm thatthis Agreement and all related documentation is and will be in the English language)).
vCopyright © 2010, Juniper Networks, Inc.
Abbreviated Table of Contents
Front Part . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Part 1 License Servers and Virtual Appliances
Chapter 1 Virtual Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 License Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 3 Disabled Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Part 2 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
viiCopyright © 2010, Juniper Networks, Inc.
Table of Contents
Front Part . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Part 1 License Servers and Virtual Appliances
Chapter 1 Virtual Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
About Virtual Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Virtual Appliance Editions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Hardware and Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Virtual Appliances Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Virtual Appliance Package Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Task Summary: Setting Up and Configuring a Virtual Appliance . . . . . . . . . . . . . . . 6
Importing the Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Configuring the Initial Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Using DMI With Virtual Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 2 License Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
About License Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
About License Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Allocating Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Leasing Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Disabled Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Updating Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Subscription Licenses Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Available Subscription Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Importing and Exporting Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configuring a Device as a License Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configuring a Device as a License Server Client . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Licensing Virtual Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Chapter 3 Disabled Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Disabled Secure Access Features on a License Server . . . . . . . . . . . . . . . . . . . . . . 19
Part 2 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
ixCopyright © 2010, Juniper Networks, Inc.
List of Tables
Front Part . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Part 1 License Servers and Virtual Appliances
Chapter 1 Virtual Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 2: create-va.exp Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Table 3: init-network-config.exp Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
xiCopyright © 2010, Juniper Networks, Inc.
Front Part
• Related Documentation on page xiii
• Document Conventions on page xiii
• Requesting Technical Support on page xiv
Related Documentation
• TodownloadaPDFversionof theSecureAccessAdministrationGuide, go to theSecure
Access/SSL VPN Product Documentation page of the Juniper Networks Customer
Support Center.
• For informationabout thechanges thatSecureAccessclientsmake toclient computers,
including installed files and registry changes, and for information about the rights
required to install and runSecureAccess clients, refer to theClient-sideChangesGuide.
• For informationonhowtodevelopWebapplications thatarecompliantwith theSecure
AccessContent IntermediationEngine, refer to theContent IntermediationEngineBest
Practices Guide.
Document Conventions
Table 1 on page xiii defines notice icons used in this guide.
Table 1: Notice Icons
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Indicates a situation that might result in loss of data or hardware damage.Caution
Alerts you to the risk of personal injury or death.Warning
Alerts you to the risk of personal injury from a laser.Laser warning
xiiiCopyright © 2010, Juniper Networks, Inc.
Requesting Technical Support
Technical product support is available through the JuniperNetworksTechnicalAssistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/ .
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides youwith the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
Toverify serviceentitlementbyproduct serial number, useourSerialNumberEntitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Casewith JTAC
You can open a case with JTAC on theWeb or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html .
Copyright © 2010, Juniper Networks, Inc.xiv
Service Provider Virtual Appliance Management Guide
PART 1
License Servers and Virtual Appliances
• Virtual Appliances on page 3
• License Management on page 13
• Disabled Features on page 19
1Copyright © 2010, Juniper Networks, Inc.
CHAPTER 1
Virtual Appliances
• About Virtual Appliances on page 3
• Virtual Appliances Supported Features on page 4
• Virtual Appliance Package Information on page 4
• Task Summary: Setting Up and Configuring a Virtual Appliance on page 6
• Importing the Virtual Appliance on page 7
• Configuring the Initial Network Settings on page 8
• Using DMIWith Virtual Appliances on page 11
About Virtual Appliances
Running Secure Access software in a VMware virtual machine as a Virtual Appliance
provides service providers (SPs) with robust scalability and isolation. The ESX server
software fromVMware supports several virtualmachines on a high-endmulti-processor
platform.Deployingadedicatedvirtual appliance for eachcustomerguaranteescomplete
isolation between systems.
Virtual Appliance Editions
Two types of Secure Access virtual appliances are available:
• Demonstration and Training Edition (DTE)
• Service Provider Edition (SPE)
The DTE is targeted for demonstration, initial evaluation and training purposes. DTE is
not a supported product; Juniper Networks Technical Support will not assist you with
anyquestionsorproblems. If youare interested in theDTE, contact your JuniperNetworks
sales team or reseller for more information.
TheSPE is targeted for serviceproviderswhoare interested inprovisioning remoteaccess
solution for a large number of customers.
Hardware and Software Requirements
Juniper Networks virtual appliance was tested with the following products:
• IBM BladeServer H chassis
3Copyright © 2010, Juniper Networks, Inc.
• BladeCenter HS blade server
• vSphere 4.0
Any blade product compliant with the above should be suitable for use with virtual
appliances.
Virtual Appliances Supported Features
All features of Secure Access are available on virtual appliances with the exception of
the following:
• IVS
• Clustering
• User record synchronization
A new option is available for switching between virtual terminal and serial console.
Switching between these options requires a restart of the virtual appliance.
Virtual appliances do not allow licenses to be installed directly on them. As such, virtual
appliancescanbeonly licenseclients.All virtualappliance licensesaresubscription-based.
NOTE: The License summary page displays a number under the Installed column on avirtual appliance SPE edition even though you can not install licenses on a virtualappliance. This number is the “implicit count” available on all devices that do not haveinstalled licenses.
Virtual Appliance Package Information
The SPE downloadable zip contains the following files:
• README-SPE.txt—A quick start guide for the SPE virtual appliance.
• README-scripts.txt—Contains up-to-date information on the contents of the zip file
and how to run the scripts.
• VA-SPE-release-buildnumber-SERIAL-disk1.vmdk—a virtual disk file that contains the
SAsoftware. TheSERIALversionassumesusingaserial port to setup the initial network
configuration.
• VA-SPE-release-buildnumber-SERIAL.ovf—aOVF specification that defines the virtual
appliance and contains a reference to the disk image.
• VA-SPE-release-buildnumber-VT-disk1.vmdk—a virtual disk file that contains the SA
software. The VT version assumes using a virtual terminal to set up the initial network
configuration.
• VA-SPE-release-buildnumber-VT.ovf—a OVF specification that defines the virtual
appliance and contains a reference to the disk image.
• init-network-config.exp—Script to configure the initial network settings.
Copyright © 2010, Juniper Networks, Inc.4
Service Provider Virtual Appliance Management Guide
• create-va.exp—Script to import theOVF file into theESXserver andconfigure the initial
network settings (the create-va.exp script is a superset of the init-network-config.exp
script.)
• setupva.conf—Example configuration file for the create-va.exp and
init-network-config.exp scripts.
The DTE downloadable zip contains the following files:
• README-DTE.txt—A quick start guide for the SPE virtual appliance.
• VA-DTE-release-buildnumber-VT-disk1.vmdk—a virtual disk file that contains the SA
software. The VT version assumes using a virtual terminal to set up the initial network
configuration.
• VA-DTE-release-buildnumber-VT.ovf—a OVF specification that defines the virtual
appliance and contains a reference to the disk image.
The Secure Access virtual appliance is delivered in Open Virtualization Format (OVF)
and is preconfigured as follows.
• 20G Virtual SCSI disk
• 1 Virtual CPU
• 512Mmemory
• Three virtual network interfaces
• Roughly 400MB in size
You can change this configuration by editing the OVF prior to importing it or by editing
the virtual machine properties once it is created.
NOTE: When customizing the configuration, do not reduce the disk size.
The OVF specification defines three logical networks:
• InternalNetwork
• ExternalNetwork
• ManagementNetwork
When importing the OVF file, these three networks must bemapped to the appropriate
virtual networks on the ESX server.
The OVF file does not include any virtual serial port configuration. If the SERIAL OVF
image is used, the virtual machine specification needs to be updated with the desired
virtual serial port configuration before the virtual appliance is powered up for the first
time.
When the virtual appliance is powered on for the first time, it expands the software
package and performs the installation. We recommend you export a copy of the fully
5Copyright © 2010, Juniper Networks, Inc.
Chapter 1: Virtual Appliances
installed SPE virtual appliance and use that to instantiate additional SPE virtual
appliances.
Onceconfigured, youcanuseanyof the followingmethods tomanage theSecureAccess
portion of the virtual appliance:
• Juniper Network’s Device Management Interface (DMI)
• Secure Access administrator console
• Secure Access serial and virtual terminal console menus
For informationonDMI, see theDMISolutionGuideon JuniperNetwork’s supportwebsite.
Task Summary: Setting Up and Configuring a Virtual Appliance
To set up and configure a Secure Access virtual appliance, youmust:
1. Import the virtual appliance into the ESX server.
2. Configure the initial network settings.
The remainder of this topic describes the process using the provided create-va.exp and
init-network-config.exp scripts. These steps assume that you have already configured a
serial console or a virtual terminal to the ESX server. Note that if you have your own
custom scripts to perform these tasks or prefer to do the initial network configuration
manually, you are not required to use Juniper Networks’ scripts.
After configuring your virtual appliance, use VMware’s tools to manage the device, such
as starting and stopping the virtual appliance.
Using the Juniper Networks Scripts
The init-network-config.exp and create-va.exp scripts accept input from command-line
arguments or from a configuration file.
NOTE: These scripts can be run only when using the serial console.
On the command-line, parameters are passed using the format:
- - paramname paramvalue
The configuration file use the format:
paramname: paramvalue
You can specify only one parameter per line in the configuration file. Lines starting with
the pound symbol (#) are treated as comments.
Please note the following when using these scripts:
Copyright © 2010, Juniper Networks, Inc.6
Service Provider Virtual Appliance Management Guide
• If a parameter is defined both in the command-line and in the configuration file, the
command-line value is used.
• If parameters are not given in the command line, the script uses the values defined in
the configuration script.
• If you do not specify a configuration file in the command line, setupva.conf is used as
the default configuration file.
• The scripts do not perform any parameter validation.
• The scripts do not process any errors returned by the terminal service. It is your
responsibility to ensure that noother users or applications are using the terminal server
or serial port.
• Youmust verify that the serial console of the virtual appliance you are configuring in
the ESX server is mapped to the physical serial port and no other virtual appliances
are using the serial port. create-va.exp does not perform this verification.
• You can have as many simultaneously active serial consoles as there are serial ports
on the virtual appliance platform.
• Thecreate-va.expscript isa supersetof init-network-config.exp. If youusecreate-va.exp
to import the OVF, it also performs the initial network configuration; you do not need
to run init-network-config.exp.
Importing the Virtual Appliance
Use the create-va.exp script to import the virtual applianceOVF into the ESX server. This
script logs in to the ESX server, imports theOVF source file, registers the virtual appliance
and then starts the virtual appliance.
NOTE: ovftool 1.0must be installed in the ESX and the OVF and VMDK files must becopied to the ESX server before running create-va.exp.
The create-va.exp command syntax is:
./create-va.exp [- -parameter value]
NOTE: When typing the string “- -” do not put a space between the hyphens. The spaceshown here is for visual purposes only.
Table 2: create-va.exp Parameters
ESX Server-Related Parameters
ESX administrator username. The script uses this username to log in to the ESXserver. This user must have super user privileges.
- -exadmin <ESX username>
DNS name or the IP address of the ESX server where the virtual appliance is to beinstantiated.
- -esxhost <esxhost>
7Copyright © 2010, Juniper Networks, Inc.
Chapter 1: Virtual Appliances
Table 2: create-va.exp Parameters (continued)
Administrator password to log in to the ESX server.- -esxpasswd <ESX password>
Parameters Used to Locate Resources at The ESX Server
The serial console to use for communicating with the ESX server. For example-esxserialtty /dev/ttyS0.
- -esxserial <serialdevice>
AMappingofa logical networkname in theOVFspecification toanactual networkon theESXserver. TheOVFspecificationhas the following logical networksdefined- InternalNetwork, ExternalNetwork and ManagementNetwork.
- -netmap <ovfnet=esxnet>
The location of the OVF image at the ESX server.- -ovfpath <ovf path>
If there are multiple target datastores on the ESX server, this parameter specifiesthe datastore where the virtual appliance is to be created.
- -storage <ESX datastore>
Parameters Specifying Virtual Appliance Properties
Switches console from serial to terminal service after configuring the virtualappliance. The default is “yes”, meaning switch to terminal service.
- -switchconsole <yes/no>
Name of the virtual appliance to create.- -vaname <VA name>
Example 1: Providing parameters both in the command line and in a configuration file
This example lists all parameters and values on the command line.
./create-va.exp - -esxhost as23.juniper.net - -esxadmin admin - --esxpassword passwd
- -esxovfpath /root/ovfs/IVE-70-VA.ovf - -esxserial /dev/ttyS0 - -file vadata.conf
Example 2: Providing parameters in a configuration file
In this example, vadata.conf is the configuration file and is passed to create-va.exp on
the command line.
./create-va.exp - -file vadata.conf
Configuring the Initial Network Settings
Once the virtual appliance is started in the ESX server, use the init-network-config.exp
script to define the administrator login and configure the virtual appliance initial network
settings.
NOTE: If you use create-va.exp to import the OVF, it also performs the initial networkconfiguration; you do not need to run init-network-config.exp.
The init-network-config.exp script interactswithSecureAccess through its serial console
which is connected to a terminal server or directly to any Unix or Linux system.
Copyright © 2010, Juniper Networks, Inc.8
Service Provider Virtual Appliance Management Guide
The init-network-config.exp command syntax is:
./init-network-config.exp [- -parameter value]
NOTE: When typing the string “- -” do not put a space between the hyphens. The spaceshown here is for visual purposes only.
Table 3: init-network-config.exp Parameters
Parameters for Configuration File
The configuration file. If this parameter is not present, setupva.conf is used.Specifying a configuration file is optional.
- -file <filename>
Parameters for Serial Console Access
The serial device to open in order to access the virtual appliance serial console.This parameter is valid only when ctype is set to “serial”.
- -cport <serial port device>
The serial console connection. Valid values are “terminal server” or “serial”. Youmust place the value in double-quotes. For example, - -ctype “serial”.
Use “terminal server” if the virtual appliance serial console is accessed through atelnet connection to a terminal server. Use "serial" if the virtual appliance serialconsole is accessed by directly opening a serial device at the system running thescript.
- -ctype <connecttype>
The terminal service IP address. This parameter is valid only when ctype is set to“terminal server”.
- -tsip <terminal server ip>
The telnet port at the terminal server used to access the virtual appliance serialconsole.
- -tsport <terminal server port>
Parameters for Secure Access Virtual Appliance Initial Configuration
Administrator user name to be configured at the virtual appliance.- -adminusr <adminuser>
Administrator password for the administrator account to be configured at thevirtual appliance.
- -adminpwd <adminpwd>
IP address to be assigned to the virtual appliance internal port.- -ip <ipaddress>
Virtual appliance internal port netmask.- -mask <netmask>
Default gateway for the virtual appliance internal port.- -dgw <default gateway>
IP address of the Primary DNS server to be configured at the virtual appliance.- -pridns <primary dns>
Optional IP address of the Secondary DNS server to be configured at the virtualappliance.
- -secdns <secondary dns>
Optional WINS server IP address.- -wins <wins>
9Copyright © 2010, Juniper Networks, Inc.
Chapter 1: Virtual Appliances
Table 3: init-network-config.exp Parameters (continued)
Common name for the virtual appliance.- -cname <common name>
Domain name to be configured at the virtual appliance.- -domain <domain>
Organization name to be configured at the virtual appliance.- -orgname <organization name>
Random text used for generating a self signed certificate at the virtual appliance.- -rtxt <random text>
Once the initial network configuration is finishedandamachine ID is generated, youmust
complete the rest of the configuration which includes, but is not limited to, the following
(you can also use DMI to perform these tasks):
• Installing device certificates.
• Configuringwhich licenses to lease fromthe license server.Note that virtual appliances
are pre-configured with two concurrent user licenses.
• Configuring the time zone and NTP.
• Configuring internal, external and optionally the management network interfaces.
• Advanced network configurations such as virtual ports, VLANs.
• Configuring the authentication server, syslog server, and so forth.
Example 1: Providing parameters in the command line
This example lists all parameters and values on the command line.
./init-network-config.exp - -ip 100.10.11.11 - -mask255.255.255.0 - -dgw100.10.11.1 - -pridns
100.50.10.1 - -secdns 100.20.10.1 - -domain company.com - -wins 111.11.1.11 - -cname
aaa.company.com- -orgname "Company Inc" - -rtxt "Somerandomtext123" - -adminusr
admin - -adminpwd a9827fwe - -ctype "terminal server" - -tsip ts.comp.com - -tsport
9999
Example 2: Providing parameters in a configuration file
In this example, vadata.conf is the configuration file and is passed to
init-network-config.exp on the command line.
./init-network-config.exp - -file vadata.conf
Example 3: Providing parameters from both the command line and in a configurationfile
In this example, all configuration parameters are defined in vadata.conf. Since IP address
is defined on the command line, that value is used regardless of whether it is defined in
vadata.conf.
./init-network-config.exp - -file vadata.conf - -ip 100.10.11.12
Copyright © 2010, Juniper Networks, Inc.10
Service Provider Virtual Appliance Management Guide
Using DMIWith Virtual Appliances
TheDeviceManagement Interface (DMI) isanXML-RPC-basedprotocolused tomanage
Juniper devices. This protocol allows administrators and third-party applications to
configureandmanage Juniperdevicesbypassing their native interfaces.VirtualAppliances
are compliant with DMI. By default, the inbound DMI is enabled in Virtual Appliances.
For more information on using DMI with Virtual Appliances, see the DMI Solution Guide
available on the Juniper Networks SSL VPN support page.
11Copyright © 2010, Juniper Networks, Inc.
Chapter 1: Virtual Appliances
CHAPTER 2
License Management
• About License Management on page 13
• Updating Client Configuration on page 15
• Subscription Licenses Overview on page 15
• Importing and Exporting Configuration Files on page 16
• Configuring a Device as a License Server on page 16
• Configuring a Device as a License Server Client on page 18
• Licensing Virtual Appliances on page 18
About LicenseManagement
Secure Access 7.0 introduces a new licensemanagement system that lets you configure
a Secure Access device as a license server to allow administrators to view all configured
systemsandmove those licensesasneeded.OtherSecureAccessdeviceson thenetwork
lease licenses from the central license server. Unused licenses are returned to the license
server which can lease them out to other devices that needmore capacity.
When configuring a device as a license server, that device functions only as a license
server. Several Secure Access features are disabled.
About License Server
The license server software can be run on any SAx000 and SAx500 Series appliances
that can run the 7.0 and later software and has the license server license. You can
configure more than one license server however each client is limited to one license
server.
NOTE: Only administrators can log in to a license server. Virtual appliances can not beconfigured as license servers.
The license server manages and leases licenses associated with a user count, such asbasic concurrent user licenses, EES and RDP licenses. A license server can not leaselicenses from another license server.
13Copyright © 2010, Juniper Networks, Inc.
Allocating Licenses
Before a device can lease licenses from the license server, youmust first allocate licenses
to that particular device. License allocation information consists of the following:
• License client ID—Youmust assign a unique ID to each license client to identify that
client. The client sends this IDwith everymessage to the license server to identify itself.
• The following 3-tuple for each type of user count license:
• Reserved user count (RUC)—The number of user count licenses reserved for this
client. A license leased to this client can not be less than the RUC number.
• Maximum user count (MUC)—Themaximum number of user count licenses this
client is allowed to request. This number must be greater than or equal to the RUC.
Requests for licenses greater than the RUC are granted only if the license server has
additional licenses available at the time of the request.
• Incremental Lease Quantum (ILQ)—Clients can request an increase or decrease its
user count lease only in multiples of this number. The incremental lease quantum
must be at least 25 unless the difference between theMUC and the RUC is less than
25. The incremental lease quantummust also be at least 10% of the difference
between the MUC and the RUC. This restriction eases excessive protocol traffic.
• Expiration date—The date when the client configuration expires. When the client
configuration expires, the server no longer accepts lease requests from the client. You
can use this, for example, to define a 2 year service to a customer.
As you allocate licenses, the license server does not allow the sum total of the reserved
user count to exceed the total license count installed on the license server.
Leasing Licenses
Clients are configured as to which license server to communicate with. The client then
requests the licenses (over SSL) that are allocated to it. If the concurrent user count is
greater than its leased license limit, it requests the license server to increase its capacity
until the maximum lease limit (MUC) is met.
When the number of concurrent user drops, the client relinquishes the leases it no longer
needs. When the license server receives a license lease requests, it first verifies that the
client has been allocated the licenses it is requesting. The license server then checks that
it has sufficient licenses before granting the request.
Reserved licenses are leased for 5 days at a time. Incremental leases are leased from a
configurable time of 24 hours to amaximum of 5 days. Clients can renew their licenses
at any time before the lease expires. The reply sent by the license server includes a new
leaseexpirationdatewhich is theminimumof thecurrent timeplus the incremental lease
time and the license allocation expiration date. If a client does not renewa license before
the lease expires, the license server reclaims the license. A lease renewal interval can be
configured on the client to renew its licenses leases. The renewal interval can be 4 hours
to amaximum of 24 hours.
Copyright © 2010, Juniper Networks, Inc.14
Service Provider Virtual Appliance Management Guide
Aminimum lease interval of 24 hours is built-in. Once a client acquires an incremental
license lease, it is kept for at least 24 hours even if the load diminishes on the client.
Disabled Features
Only administrators can log in to a Secure Access device configured as a license server.
An error message is displayed to non-administrator users attempting to log in to the
license server. All existingend-user sessionsare terminatedwhenaSecureAccessdevice
is configured as a license server.
SomeSecure Access features andwindows are disabled on a license server as described
in the appendix.
Updating Client Configuration
With the current release, there is no explicit recall operation. However, you can change
a client configuration at any time. This change is communicated to the client when it
contacts the license server for the next renewal. If desired, you can click the Pull State
from Server button in the client’s admin GUI to register the change immediately.
If you reduce the MUC value for a feature at a client, the current leased count is reduced
immediately without waiting for the client to contact the server. An increase to the RUC
orMUC value does not impact the current leased count until after the client contacts the
license server. If you remove all licenses leased to a client, those licenses are available
immediately at the license server.
Subscription Licenses Overview
Subscription licenses and renewal licenses (identified by a -R appended to the license
name) have a start and end date embedded within them. Customers initially purchase
a subscription license that is valid until a specified date.When the license expiration date
nears, customers can renew their licenses.
When the license is installed, the start and end date are interpreted relative to the local
timeand time zoneon themachine. The start date begins at 12:00am; the enddate ends
at midnight of the end date (12:00 am of the following day). If the start date is in the
future, the subscription or renewal license is not activated till the start date. A renewal
license can be activated only if there is a corresponding expired subscription license in
the license server.
A subscription license can only be renewed by a corresponding renewal license and a
renewal can be activated only by the expiration of a corresponding subscription license.
NOTE: Subscription licensesand licenseserversaresupportedonlywithSecureAccess7.0 and later software.
Available Subscription Licenses
Subscriptionand renewal licensescanbe installedonlyonSASeriesSSL-VPNappliances.
These licenses can be leased to virtual appliances but not installed on them.
15Copyright © 2010, Juniper Networks, Inc.
Chapter 2: License Management
The following subscription licenses are available (X and Z will be replaced by the
appropriate number of user and/or year count):
• ACCESS-EES-XU-ZYR—Enhanced endpoint security
• ACCESS-RDP-XU-ZYR—Embedded RDP applet
• ACCESS-XU-ZYR—Concurrent user count subscription
• ACCESS-SUB-SVR-ZYR—Allows a device to be a license server
Both capacity-based licenses (such as ACCESS-EES) and time-base licenses (such as
ACCESS-SUB) stack. For example:
• If you purchase two ACCESS-ES-10K-1YR licenses, they stack to 20K for 1 year.
• If you purchase both a one ACCESS-10K-1YR license and one ACCESS-ESS-10K-2YR
license, they stack for 20K for 1 year and 10K for the second year.
• If you purchase both an ACCESS-SUB-SVR-1YR and an ACCESS-SUB-SVR-2YR
licenses, they stack to a three year license.
Note the following:
• ACCESS-SUB-SVR licenses have amaximum of 3 years. LMSwill reject requests that
stack ACCESS-SUB-SVR licenses to more than 3 years.
• Renewal licenses must match the license being renewed. For example, if your
ACCESS-ESS-10K-1YR licenses is about to expire, you can only renew another
ACCESS-ESS-10K-1YR license. You can not renew it as an ACCESS-ESS-10K-2YR
license.
Importing and Exporting Configuration Files
License information will not be imported when importing a configuration file containing
the new license scheme on a device running software prior to Secure Access 7.0. Devices
will continue to run with their current license scheme.
Existing permanent licenses are overwritten for devices running Secure Access 7.0 (and
later) and importing configuration files containing the new license scheme. Time-based
licenses are merged with the licenses in the imported configuration file.
Configuring a Device as a License Server
The following outlines the steps to configuring a device as a license server. These steps
assume that you have already performed the license key generation and activation steps
outlined in the Secure Access Administration Guide and Unified Access Controller
Administration Guide.
Copyright © 2010, Juniper Networks, Inc.16
Service Provider Virtual Appliance Management Guide
After you download or receive your license keys by using email:
1. In the admin console, choose System > Configuration > Licensing > LicensingSummary.
2. Click on the license agreement link. Read the license agreement and, if you agree to
the terms, continue to the next step.
3. Enter your license key(s) and click Add.
4. Click the Configure Clients tab.
5. Select the Enable Licensing server checkbox.
6. (optional) Click Advanced Settings and enter the following values:
• Incremental Lease Duration
• Lease Renewal Interval
The following steps describe how to add the Secure Access device that leases licenses
from this license server.
1. In the admin console, choose System > Configuration > Licensing > ConfigureClients.
2. Click New Client.
3. Enter theClient ID.The ID isdefinedon theclientdeviceunderSystem>Configuration
> Licensing > Configure Server.
4. Enter theclientpasswordandconfirm it. Thepassword isdefinedon theclientdevice
under System > Configuration > Licensing > Configure Server.
5. (optional) Enter the license expiration date. Licenses expire at midnight on the date
you enter.
6. Select the client’s platform from the list.
7. For each feature you want to lease to this client, enter:
• ReservedCount—Enter thenumberof licenses to reserve for this client. The reserve
count must be less than the available amount displayed.
• Incremental Count—Enter the incremental number of licenses to grant when the
client requests more licenses. If the number of licenses on the client plus this
incremental value is greater than themaximum count, no additional licenses are
granted.
• Maximum Count—Enter the maximum number of licenses a client can receive for
this feature. This value must be equal to or greater than the reserved count.
8. Click Save Changes.
17Copyright © 2010, Juniper Networks, Inc.
Chapter 2: License Management
Configuring a Device as a License Server Client
The following outlines the steps to configuring a device as a license server. These steps
assume that you have already performed the license key generation and activation steps
outlined in the Secure Access Administration Guide and Unified Access Controller
Administration Guide.
1. In the admin console, choose System > Configuration > Licensing > LicensingSummary.
The Available Licenses table shows the features and number of licenses enabled
for this device.
2. Click the Configure Server tab.
3. Enter the name of the license server. You can specify the IP address or hostname.
4. Enter a unique ID for this client. This ID is used to communicate and verify this client
with the license server. This ID is different from the authentication server name for
this device.
IDs can contain alphanumeric characters. There is no restriction on the number of
characters.
You will need to enter this ID on the license server when adding clients.
5. Enter and confirm a password for this client.
You will need to enter this password on the license server when adding clients.
6. Select the preferred network to communicate with the license server from the
Preferred Network menu. By default, the internal network is used.
7. Select the Verify SSL Certificate checkbox if youwant the client to verify the server’s
SSL certificate when establishing communication with it.
Licensing Virtual Appliances
Virtual appliances do not allow licenses to be installed directly on them. As such, virtual
appliancescanbeonly licenseclientsandnot licenseservers.All virtual appliance licenses
are subscription-based.
Copyright © 2010, Juniper Networks, Inc.18
Service Provider Virtual Appliance Management Guide
CHAPTER 3
Disabled Features
• Disabled Secure Access Features on a License Server on page 19
Disabled Secure Access Features on a License Server
The following windows and features are disabled in the Secure Access administrator
console when a device is configured as a license server:
• System > Status> Meeting Schedule
• System > Status > Virtual Desktop Sessions
• System > Configuration > Secure Meeting
• System > Configuration > User Record Synchronization
• System > Configuration > Sensors
• System > Configuration > Virtual Desktops
• System > Configuration > NCP
• System > Network > Network Connect
• System > Clustering
• System > Virtual Systems
• System > IF-MAP Federation
• System > Log/Monitoring > Sensors
• System > Log/Monitoring > User Access
• System > Log/Monitoring > Client Logs
• Maintenance > Push Config
• Maintenance > Troubleshooting > Monitoring > Cluster
• Maintenance > Troubleshooting > User Session
• Maintenance > Archiving > Secure Meetings
• Maintenance > Import/Export > IVS
• UAC (Infranet Controller device only) Users
19Copyright © 2010, Juniper Networks, Inc.
In addition, the following services are halted on the license server:
• Mail proxy services
• Meeting processes
• Agentman daemon
• Federation server
• Federation client
Copyright © 2010, Juniper Networks, Inc.20
Service Provider Virtual Appliance Management Guide
Index
Ccustomer support...................................................................xiv
contacting JTAC..............................................................xiv
Ssupport, technical See technical support
Ttechnical support
contacting JTAC..............................................................xiv
23Copyright © 2010, Juniper Networks, Inc.