Juniper NETWORK AND SECURITY MANAGER, Manual

Page 1: ...Network and Security Manager Configuring Secure Access Devices Guide Release 2010 4 Published 2010 11 17 Revision 01 Copyright 2010 Juniper Networks Inc...

Page 2: ...1991 D L S Associates This product includes software developed by Maker Communications Inc copyright 1996 1997 Maker Communications Inc Juniper Networks Junos Steel Belted Radius NetScreen and ScreenO...

Page 3: ...re physically contained on a single chassis c Product purchase documents paper or electronic user documentation and or the particular licenses purchased by Customer may specify limits to Customer s us...

Page 4: ...ATE WITHOUT ERROR OR INTERRUPTION OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK In no event shall Juniper s or its suppliers or licensors liability to Customer whether in contract tort inclu...

Page 5: ...ree years from the date of distribution Such request can be made in writing to Juniper Networks Inc 1194 N Mathilda Ave Sunnyvale CA 94089 ATTN General Counsel You may obtain a copy of the GPL at http...

Page 6: ...Copyright 2010 Juniper Networks Inc vi...

Page 7: ...ntegrating Secure Access Devices Chapter 3 Adding Secure Access Devices 11 Importing a Secure Access Device 11 Installing and Configuring a Secure Access Device 11 Adding a Secure Access Device Throug...

Page 8: ...pter 7 Configuring Terminal Services Using Remote Access Mechanism 51 Terminal Services Overview 51 Configuring Terminal Services on a Secure Access Device User Role NSM Procedure 52 Terminal Services...

Page 9: ...irectory Servers 161 Configuring a Secure Access ACE Server Instance NSM Procedure 161 Creating a Custom Expression for an Authentication Server NSM Procedure 163 Configuring a Secure Access Local Aut...

Page 10: ...e Policies for Windows Only NSM Procedure 247 Enabling Connection Control Policies 247 Configuring Virus Signature Version Monitoring NSM Procedure 248 Importing Virus Signature Version Monitoring or...

Page 11: ...emoving a Secure Access Device from NSM Management NSM Procedure 296 Archiving Secure Meetings NSM Procedure 297 Managing Secure Access Node from a Cluster 298 Chapter 22 Troubleshooting Secure Access...

Page 12: ...Copyright 2010 Juniper Networks Inc xii Configuring Secure Access Devices Guide...

Page 13: ...ng market It enables a solution tailoring to meet the remote and extranet access requirements This guide provides the various steps to configure and manage Secure Access using NSM This guide also help...

Page 14: ...ements Bold typeface like this user input Represents text that the user must type Bold typeface like this host1 show ip ospf Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an area Border Ro...

Page 15: ...Describes how to use and configure key management features in the NSM It provides conceptual information suggested workflows and examples where applicable This guide is best used in conjunction with...

Page 16: ...and easy problem resolution Juniper Networks has designed an online self service portal called the Customer Support Center CSC that provides you with the following features Find CSC offerings http ww...

Page 17: ...toll free in the USA Canada and Mexico For international or direct dial options in countries without toll free numbers see http www juniper net support requesting support html xvii Copyright 2010 Jun...

Page 18: ...Copyright 2010 Juniper Networks Inc xviii Configuring Secure Access Devices Guide...

Page 19: ...PART 1 Getting Started Understanding Secure Access Device Configuration on page 3 Secure Access Device and NSM Installation Overview on page 7 1 Copyright 2010 Juniper Networks Inc...

Page 20: ...Copyright 2010 Juniper Networks Inc 2 Configuring Secure Access Devices Guide...

Page 21: ...onfiguration screens rendered through NSM are similar to the screens in the Secure Access device admin console NSM incorporates a broad configuration management framework that allows co management usi...

Page 22: ...licensing and password administration If you have several Secure Access devices that will be configured in a clustering environment the cluster abstraction must first be created in the NSM Cluster Ma...

Page 23: ...ce supports the following services in NSM Inventory management service Enables management of the Secure Access software hardware and licensing details Adding or deleting licenses or upgrading or downg...

Page 24: ...NSM and Secure Access Device Management Overview on page 3 Copyright 2010 Juniper Networks Inc 6 Configuring Secure Access Devices Guide...

Page 25: ...nfigure a Secure Access device Related Documentation NSM Installation Overview on page 7 Communication Between a Secure Access Device and NSM Overview on page 3 NSM Installation Overview NSM is a soft...

Page 26: ...mentation Communication Between a Secure Access Device and NSM Overview on page 3 Secure Access Device Installation Overview on page 7 Copyright 2010 Juniper Networks Inc 8 Configuring Secure Access D...

Page 27: ...2 Integrating Secure Access Devices Adding Secure Access Devices on page 11 Adding Secure Access Clusters on page 23 Working with Secure Access Templates on page 29 9 Copyright 2010 Juniper Networks...

Page 28: ...Copyright 2010 Juniper Networks Inc 10 Configuring Secure Access Devices Guide...

Page 29: ...ing network by using NSM and importing its configurations Using the Add Device Wizard you can configure a connection between the management system and the physical device and then import all device pa...

Page 30: ...ing Secure Access devices see the Juniper Networks Secure Access Administration Guide Adding a Secure Access Device Through NSM To add the Secure Access device through the NSM UI 1 From the left pane...

Page 31: ...ecure Access Device You must configure and activate the NSM agent on the Secure Access device It establishes the SSH communications with the NSM application and controls the Secure Access device from...

Page 32: ...es to save policy or VPN changes The Device Import Option dialog box appears 4 Select Run Summarize Delta Config click OK and Yes The Job Information dialog box displays the progress of the delta conf...

Page 33: ...lick Next The Verify Device Authenticity dialog box opens The Add Device wizard displays the RSA Key FingerPrint information To prevent man in the middle attacks you should verify the fingerprint usin...

Page 34: ...er Networks provides CSV templates in Microsoft Excel format for each type of CSV file These templates are located in the utils subdirectory where you have stored the program files for the UI client F...

Page 35: ...devices create a text file with the following text 1 Open a Text file and add the Secure Access devices and its parameters as follows SA 4000 blue SA SA 4000 none root 6 3 netscreen SA 4500 pink SA SA...

Page 36: ...is saved to the following GUI server directory usr netscreen GuiSvr var ManyDevicesOutput inputFile_YYYYMMDDHHMM Before the Secure Access devices can be managed by NSM you must enter the CLI commands...

Page 37: ...nitor workspace check the following parameters for your imported device The Config Status must be Managed The Conn Status must be Up Using Device Manager Using the Device Manager in NSM you can verify...

Page 38: ...vice maintenance particularly for devices on which a local device administrator has been troubleshooting using CLI commands or the Web UI Because the device object configuration in the NSM UI can over...

Page 39: ...reate VPN abstractions for your VPN policies Get Running Configuration A running configuration summary shows you the exact CLI commands or XML messages that were used to create the current device conf...

Page 40: ...Copyright 2010 Juniper Networks Inc 22 Configuring Secure Access Devices Guide...

Page 41: ...tive active Network Connect NC deployments we recommend that you do the following Split the NC IP pool into node specific subpools Perform static route configuration on the backend router infrastructu...

Page 42: ...e synchronized by the cluster across all cluster members Similarly changes to a Secure Access cluster membership that occur through administrator action on the native device UI will be reflected back...

Page 43: ...adding standalone devices Adding Cluster Members through Not Reachable Workflow To add a cluster member through the non reachable workflow 1 From the left pane of the NSM UI click Configure 2 Expand D...

Page 44: ...le Workflow To add a cluster member 1 From the left pane of the NSM UI click Configure 2 Expand Device Manager and select Devices The Devices workspace appears on the right side of the screen 3 Click...

Page 45: ...k the Device Tree tab Right click the cluster to which you want to import the configurations and select Import Device NSM starts to import the configuration and a job window reports the progress of th...

Page 46: ...Copyright 2010 Juniper Networks Inc 28 Configuring Secure Access Devices Guide...

Page 47: ...the left pane of the NSM UI click Configure 2 Expand Device Manager and select Device Templates The Device Templates workspace appears on the right side of the screen 3 Click the Device Template Tree...

Page 48: ...con The Edit Templates dialog box appears 6 Select the required template from the list and click OK in the Edit Templates dialog box 7 In the templates configuration screen select Retain template valu...

Page 49: ...o promote a Secure Access device configuration to a template 1 From the Devices workspace in NSM double click the Secure Access device whose configuration settings you want to promote to a template Th...

Page 50: ...Copyright 2010 Juniper Networks Inc 32 Configuring Secure Access Devices Guide...

Page 51: ...onfiguring Authentication and Directory Servers on page 161 Configuring Authentication Realms on page 195 Configuring Sign in Policies and Sign in Pages on page 207 Configuring Single Sign On on page...

Page 52: ...Copyright 2010 Juniper Networks Inc 34 Configuring Secure Access Devices Guide...

Page 53: ...tion and session bookmarks and configuring session settings for the enabled access features You can create and configure user roles through the User Roles page from the Secure Access device configurat...

Page 54: ...age and the browsing toolbar for users mapped to this role UI Options Select General Web to enable this access feature for the role Enables you to intermediate Web URLs through the Content Intermediat...

Page 55: ...ovides secure SSL based network level remote access to all enterprise application resources using the Secure Access device over port 443 Network Connect Table 8 Global User Role Configuration Details...

Page 56: ...back end device can then direct end user traffic based on these aliases as long as you configure the back end device such as a firewall to expect the aliases in place of the internal interface source...

Page 57: ...n Options NSM Procedure on page 39 Creating and Configuring Secure Access Device Administrator Roles NSM Procedure on page 43 Creating and Applying a Secure Access Device Template on page 29 Verifying...

Page 58: ...e nonadministrativeusersession may remain open before ending The minimum is six minutes The default time limit for a user session is 60 minutes after which the Secure Access device ends the user sessi...

Page 59: ...rs mapped to this role Limit to subnet Limits the roaming session to the local subnet specified in the Netmask box Disabled Disables roaming user sessions for users mapped to this role Allows users to...

Page 60: ...onymous sign in The Secure Access device caches NTLM and HTTP Basic Authentication passwords provided by users so that the users are not repeatedly prompted to enter the same credentials used to sign...

Page 61: ...e appropriate authentication server not the role For example to create an individual administrator account you may use settings in the Authentication Auth Servers Administrators Users page of the admi...

Page 62: ...inistrator role can modify all user role pages Select Custom Settings to allow you to pick and choose administrator privileges Deny Read or Write for the individual user role pages Specifies which use...

Page 63: ...and read only access for an authentication realm page the Secure Access device grants the most permissive access Allows the administrator to view the user authentication realms but not modify Adminis...

Page 64: ...es the level of access that you want to allow the security administrator role to set for system administrators NOTE This option appears only when you enable the Manage All admin roles option Access De...

Page 65: ...e pages NOTE This option appears only when you enable the Manage All admin realm option Access Delegated Resource Policies All tab Select an access option Deny All Specifies that membersoftheadministr...

Page 66: ...o individual policy For example if you want to control access to a resource policy that controls access to www google com Additional Access Policies Select Read or Write access level for the policy Al...

Page 67: ...urce Profiles Access Delegated Resource Profiles Web File SAM Telnet SSH Terminal Services Select Deny or Read or Write access level for the type of resource Allows you to pick and choose administrato...

Page 68: ...Verifying Imported Device Configurations on page 19 Copyright 2010 Juniper Networks Inc 50 Configuring Secure Access Devices Guide...

Page 69: ...e server or Citrix Metaframe server You can also use this feature to deliver the terminal services through the Secure Access device eliminating the need to use another Web server to host the clients N...

Page 70: ...dialog box appears 4 Add or modify settings as specified in Table 12 on page 52 5 Click one OK Saves the changes Cancel Cancels the modifications Table 12 User Role Terminal Services Configuration Det...

Page 71: ...ccess device sprimaryauthentication server Or use the following syntax to submit the username for the secondary authentication server username Secondary ServerName or username 2 Specifies the username...

Page 72: ...nect the user s local drive to the terminal server enabling the user to copy information from the terminal server to his local client directories Connect drives Select the Connect printers check box t...

Page 73: ...nal server listens to the user client Server Port Select Full Screen 800x600 1024x768 or 1280x1024 from the drop down list Allows you to change the size of the terminal services window on the user s w...

Page 74: ...r windows Themes Select the Font smoothing RDP 6 0 onwards check box to enable this option Allows users to make text smoother and easier to read This option only works on Windows Vista computers runni...

Page 75: ...epth Terminal Services Terminal Services Sessions Type Citrix using default ICA file Start Application tab Enter the path Specifies where the application s executable file resides on the terminal serv...

Page 76: ...it Password Allows you to specify a static password or select a variable password Password Type Enter the variable password Specifies the SSO variable password that the Secure Access device uses to va...

Page 77: ...ent Download and Citrix Client Download Version boxes are displayed only when you select Downloaded from a URL option from the Citrix Client Delivery Method drop down list Citrix Client Download URL E...

Page 78: ...ers to use smart card readers connected to their system for authenticating their remote desktop session User can connect smart cards Select the User can connect sound devices check box to enable this...

Page 79: ...pective accessing secured terminal services resources through the Secure Access device is simple When you enable the Terminal Services feature for a user role the enduser needs to perform the followin...

Page 80: ...ave uploaded a client to the device and specified that the device always use it to run your users terminal sessions the device launches the specified Java client The device checks for a Java client En...

Page 81: ...e then stores the user s preference as a persistent cookie Once the Java client is installed the client initiates the user s terminal services session and the proxy intermediates the session traffic T...

Page 82: ...Copyright 2010 Juniper Networks Inc 64 Configuring Secure Access Devices Guide...

Page 83: ...to various applications servers and other resources using remote access mechanisms When you enable an access feature make sure to create corresponding resource policies To enable access features See...

Page 84: ...e on page 66 Configuring Network Connect on a Secure Access Device User Role NSM Procedure on page 69 Configuring File Rewriting on a Secure Access Device User Role NSM Procedure A file resource profi...

Page 85: ...nd file browsing The bookmark appears both on a user s welcome page and when browsing network files Appear in file browsing only The bookmark appearsonlywhenbrowsing network files Specifies the bookma...

Page 86: ...te bookmarks to resources on available Windows file shares Users can add bookmarks Files Unix network files options tab Select the User can browse network file shares check box to enable this feature...

Page 87: ...e Tree tab and then double click the Secure Access device for which you want to configure a user role access option 2 Click the Configuration tab Select Users User Roles 3 Click the New button The New...

Page 88: ...le Network Connect Configuration Details continued Your Action Function Option Allows you to enable split tunneling Split Tunneling Modes Copyright 2010 Juniper Networks Inc 70 Configuring Secure Acce...

Page 89: ...cess to local resources such as printers If needed you can add entries to the client s route table during the Network Connect session The Secure Access device does not terminate the session This is th...

Page 90: ...r to the outer IP packet header Enable TOS Bits Copy Select the Multicast check box to enable this feature Specifies whether or not you want Network Connect to operate in multicast mode Multicast Sele...

Page 91: ...r the start script location Specifies the location of Network Connect start scripts for Linux Linux Session start script location Enter the end script location Specifies the location of Network Connec...

Page 92: ...17 User Role SAM Configuration Details Your Action Function Option SAM JSAM Applications tab Enter the name of the application Displays the application name in the Client Application Sessions area of...

Page 93: ...umber Specifies the ports on which the Metaframe servers listen New Allowed Citrix Ports Type Microsoft Outlook Exchange Enter the server name Specifies the application servers for client application...

Page 94: ...erver Enter the port numbers Allows you to specify multiple ports for a host as separate entries Ports SAM WSAM Bypass Applications tab Enter the name of the application Displays the application name...

Page 95: ...dentials before connecting to sites on their internal network This option changes Internet Explorer s intranet zone setting so that Internet Explorer prompts the user for network sign in credentials w...

Page 96: ...e permissions to look at their registries If JSAM tries to look at their registries then users see an error that they do not have permission This option ensures that users do not see this message Skip...

Page 97: ...role 2 Click the Configuration tab Select Users User Roles 3 Click the New button The New dialog box appears 4 Add or modify settings as specified in Table 18 on page 79 5 Click one OK Saves the chang...

Page 98: ...sers to create an additional meetingID Users can create additional meeting URLs under their personal URL Meetings Options Meeting Options tab Select one of the following types from the drop down list...

Page 99: ...automatically distribute the meeting password to meeting invitees Specifies the distribution method that you want meeting creators to employ Password Distribution Select one of the following options...

Page 100: ...t the minimum character length for passwords Allows you to set the minimum character length for passwords Minimum length characters Set the maximum character length for passwords Allows you to set the...

Page 101: ...check box to enable this feature Allows you to specify the maximumnumberofmeetings that may be held by at any given time by members of the role Limit number of simultaneous meetings Select the Limit n...

Page 102: ...n a Secure Access Device User Role NSM Procedure The Secure Access device Web rewriting feature enables you to intermediate Web URLs through the Content Intermediation Engine You can intermediate URLs...

Page 103: ...play Tool Bar check box to enable this feature Allows all Web traffic through the Secure Access device by precluding users in the specified role from typing a new URL in the tool bar This option is di...

Page 104: ...plet HTML and Multi Valued User Attributes fields are displayed only when you select Applet from the Bookmark Type drop down list Applet HTML Enter multiple attributes Allows you to specify multiple a...

Page 105: ...un application such as the Virtual Network Computing VNC Java client Citrix NFuse Java client WRQ Reflection Web client and Lotus WebMail Allow Java applets Select the AllowFlashcontent check box to e...

Page 106: ...se cases the Warn users about the certificate problems option must be disabled Enables users to access untrusted Web sites through the Secure Access device Allow browsing untrusted SSL websites Select...

Page 107: ...x to enable this feature Allows the configuration of a Secure Access device to rewrite file URLs so that they are routed through the Secure Access device s file browsing CGI Rewrite file URLs Select t...

Page 108: ...ations Table 20 User Role Telnet SSH Configuration Details Your Action Function Option Telnet SSH Telnet Bookmarks tab Enter the name for the bookmark Specifies the name for the Terminal Sessions page...

Page 109: ...ers to define their own session bookmarks and to allow users to browse to a terminal session using the following syntax telnet ssh dana term newlaunchterm cgi The Add Terminal Session button appears o...

Page 110: ...Copyright 2010 Juniper Networks Inc 92 Configuring Secure Access Devices Guide...

Page 111: ...n page 129 Configuring WSAM Resource Profile NSM Procedure on page 131 Configuring Bookmarks for Virtual Desktop Resource Profiles NSM Procedure on page 134 Configuring a JSAM Resource Profile NSM Pro...

Page 112: ...Client Port Select the Create an access control policy allowing SAM access to these servers check box to enable this feature Allows access to the list of servers specified in the Server Port column C...

Page 113: ...role from the Non members to the Members list Specifies the roles to which the resource profile applies Roles Selections Related Documentation Configuring a Citrix Terminal Services Custom ICA Resour...

Page 114: ...s device to fall back to the applets when other terminal services clients are not available on the user s system Always use Java applet Allows a Secure Access device to store terminal services Java cl...

Page 115: ...ame Specifies the unique name for the custom ICA file Custom ICA Filename Citrix using Custom ICA Autopolicy Terminal Services Access control Rules tab Enter a name Specifies the name of a policy that...

Page 116: ...le Password Enter the explicit password Specifies the explicit password Explicit Password Select the Auto launch check box to enable this feature Allows you to automatically launch this terminal servi...

Page 117: ...ng settings that you specify in a default Citrix file ICA To configure a Citrix terminal services resource profile that uses default ICA settings 1 In the NSM navigation tree select Device Manager Dev...

Page 118: ...hen associate these Java applets with the resource profile and specify that the Secure Access device always use them to intermediate traffic Allows you to enable or disable Java applet support Java Su...

Page 119: ...the selected resource profile Specifies the existing host of the resource profile that connects to a Citrix terminal server on the Secure Access device Host The Secure Access device automatically popu...

Page 120: ...you might enter the following directory for the Microsoft Word application C Program Files Microsoft Office Office10 WinWord exe Specifies where the application s executable file resides on the termin...

Page 121: ...he application they are using until the network connectivity resumes or the session reliability time out has expired the time out value is defined by the Citrix product Session Reliability and Auto cl...

Page 122: ...h published applications only applications that are allowed to be run are published With the Secure Access device these published applications are displayed on the Secure Access device index page as t...

Page 123: ...e without employing a separate Web server to host them You can then associate these Java applets with the resource profile and specify that the Secure Access device always use them to intermediate tra...

Page 124: ...ecting to the Citrix Metaframe server Specifies the username for connecting to the Citrix Metaframe server where the XML service is running XML Username Select either Variable Password or Password fro...

Page 125: ...profile Description Select one of the following options from the Applications drop down list ALL applications Allows all executables on the server to be available to the end user Subset of selected ap...

Page 126: ...can use the domain credentials to pass the user s cached domain credentials to the Windows Terminal server Password Type Enter the password variable Or use the following syntax to submit the password...

Page 127: ...e drop down list All Terminal Service Profileroles Displays the session bookmark to all of the roles associated with the resource profile Subset of Terminal Service Profile roles Displays the session...

Page 128: ...ort path For instance enter the URL of an NFuse server the Web interface for a Citrix Metaframe Presentation Server or a Web server from which the device can download Citrix Java applets or Citrix cab...

Page 129: ...y if you have deployed Citrix using a Java ICA client When you select this option the device uses all of the allow values that you enter in the resource profile s Web access control autopolicy to auto...

Page 130: ...ce NFuse URL defined in the Web Interface NFuse URL field and displays it to all users assigned to the role specified in the Roles tab Related Documentation Configuring a Citrix Listed Application Res...

Page 131: ...se URL box Name Select Allow or Deny from the Action drop down list Allows or denies user access to the resource Action Enter the resource name Specifies the resource for which this policy applies Res...

Page 132: ...ltiple POSTs to this resource POST Variables Enter the label name Specifies the label that appears on a user s preferences page in the Secure Access device This field is required if you either enable...

Page 133: ...to the specified URL when a user makes a request to a resource Resource Enter the name Specifies the text for the Secure ccess device to send as header data Header name Enter the value Specifies the...

Page 134: ...n the browser Don t Cache send Pragma No Cache Prevents the user s browser from caching files to the disk Unchanged do not add modify caching headers Secure Access device forwards the origin server s...

Page 135: ...When the Secure Access device receives a client request for the application server hostname alias it forwards the request to the specified application server port in the Base URL box Use virtual host...

Page 136: ...for client connections Server Port Enter the IP address Specifies a static loopback address If you do not provide a static IP loopback address the Secure Access device assigns an IP loopback address...

Page 137: ...ype for the specified resource Action Enter the resource name Specifies the resources to which this policy applies Resource Settings tab Type Custom Bookmarks General Enter the name Specifies the name...

Page 138: ...gs tab Type Custom Bookmarks Role Selections Select the role and click Add Specifies the roles to which the resource profile applies Role Selections Related Documentation Configuring File Rewriting Re...

Page 139: ...resource Name Select Allow or Deny from the Action drop down list Allows or denies user access to resource Action Select the Read only check box to enable this option Allows users to view but not edit...

Page 140: ...ed in the Secure Access device If the credentials later fail the Secure Access device again prompts the user for the credentials Specifies the type of credentials to pass to the Windows share or direc...

Page 141: ...leroles Bookmark appears both on a user s welcome page and when browsing network files Subset of File Profile roles Bookmark appears only when users are browsing network files Specifies the roles to w...

Page 142: ...rceProfileDetails Your Action Function Option Settings tab Enter the name Specifies the name for the resource profile that becomes the default session bookmark s name Name Enter the description Descri...

Page 143: ...access the server specified in the Server Port box enabled by default Create an access control policy Bookmarks tab Enter the name Specifies the name of the session bookmark Name Enter a description...

Page 144: ...he secondary authentication server Password SecondaryServerName or Password 2 Specifies the variable password Variable Password Enter the explicit password Specifies the explicit password Explicit Pas...

Page 145: ...o connect the user s local printers to the terminal server enabling the user to print information from the terminal server to his local printer Connect printers Select the Connect COM Ports check box...

Page 146: ...ap Caching check box to enable this option Improves performance by minimizing the amount of display information that is passed over a connection Bitmap Caching Select the Desktop Composition RDP 6 0 o...

Page 147: ...ell session through a Web based terminal session emulation To configure a Telnet SSH resource profile 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then doub...

Page 148: ...s the bookmark Description Enter a size from 8 to 36 pixels or scroll to the required number By default the Secure Access device sets the font size to 12 Specifies the size of the bookmark Font Size S...

Page 149: ...esses running on the client that are connecting to the specified internal hosts To configure a WSAM application resource profile 1 In the NSM navigation tree select Device Manager Devices Click the De...

Page 150: ...ts the specified application Action Settings tab Settings tab Select one of the following options Custom You must manually enter your custom application s executable file name such as telnet exe Addit...

Page 151: ...cations Table 31 Configuring WSAM Destination Resource Profile Details Your Action Function Option Settings tab Enter the name Specifies a name for the resource profile Name Enter the description Desc...

Page 152: ...Click OK to save the changes Table 32 Bookmarks for Virtual Desktop Resource Profile Details Your Action Options Enter the session bookmark name Name Enter the session bookmark description Descriptio...

Page 153: ...want to display the session bookmarks if you are configuring the session bookmark through the resource profile pages Select one of the following options from the drop down list All Virtual Desktops P...

Page 154: ...Copyright 2010 Juniper Networks Inc 136 Configuring Secure Access Devices Guide...

Page 155: ...ws and NFS file shares When a user makes a file request the Secure Access device evaluates the resource policies corresponding to the request such as Windows access resource policies for a request to...

Page 156: ...4 7 Specify one or more expressions in the Conditions box to evaluate in order to perform the action 8 To specify actions and additional settings on the file rewriting policy using Table 33 on page 1...

Page 157: ...ing options from the drop down list Allow Allows the user access to the resource Deny Denies the user access to the resource Specifies the action to perform if the user request matches a resource in t...

Page 158: ...tailed rules for this policy Specifies the action to take when a resource requires credentials Action Enter a variable For example enter USERNAME orastatic username For example administrator to submit...

Page 159: ...Variable Password Secure Access device uses specified credentials with variable password to pass to the Windows share or directory Use Specified Credentials Fixed Password Secure Access device uses sp...

Page 160: ...ly when you select the Use Specified Credentials Variable Password option from the Action drop down list Variable Password Enter the static password Specifies a static password to the Windows share or...

Page 161: ...sensitive path component Case sensitive matching for the path component in File resources Select from the drop down list Specifies the encoding to use when communicating with Windows and NFS file sha...

Page 162: ...cess device for which you want to configure a Secure Application Manager resource policy 2 Click the Configuration tab Select Users Resource Policies SAM 3 Add or modify settings as specified in Table...

Page 163: ...ifies the detailed rule name NOTE The Detailed Rules tab is displayed only when you select the Detailed Rules option from the Action drop down list Name Select one of the following options from the dr...

Page 164: ...tion Configuring a Telnet and Secure Shell Resource Policy NSM Procedure on page 146 Configuring a Terminal Service Resource Policy NSM Procedure on page 149 Configuring a Telnet and Secure Shell Reso...

Page 165: ...elect one of the following options from the drop down list Allow Allows access to the servers specified in the Resources list Deny Denies access to the servers specified in the Resources list Detailed...

Page 166: ...one or more Boolean expressions using the NOT OR or AND operators Custom expressions Using the custom expression syntax write one or more custom expressions Specifies one or more expressions to evalu...

Page 167: ...Enter the description Describes the policy Description Enter the server path Specifies the servers to which this policy applies Resources Select one of the following options from the drop down list Al...

Page 168: ...form if the user request matches a resource in the Resource list optional Action Specify one of the following options The same or a partial list of the resources specified on the General tab A specifi...

Page 169: ...and wildcards to efficiently specify multiple hostnames and paths For resources that you specify by hostname you can also choose either HTTP HTTPS or both protocols To configure Web rewriting resource...

Page 170: ...r example http yourcompany com login cgi NOTE The Secure Access device does not accept wildcard characters in this field Specifies the absolute URL where the application posts the user s credentials s...

Page 171: ...Specifies the size of the image Images are cached if it is less than the specified size Client should cache all images less than in KB Selective Rewriting General tab Select any one value from the dr...

Page 172: ...s Enter the class ID Specifies class ID of the ActiveX control that you want to control with the policy Class Id Enter the description Describes the policy Description Enter the parameters Specifies t...

Page 173: ...Procedure on page 137 Configuring a Network Connect Connection Profile Resource Policy NSM Procedure Use the Network Connect NC Connection Profiles tab to create an NC resource profile When a Secure A...

Page 174: ...gh which you intend to direct UDP connection traffic The default port number is 4500 UDP Port Enter a value for the ESP to NCP fallback time out This option provides a period of time in seconds to fal...

Page 175: ...wing options from the drop down list DHCP server This option allows you to specify the hostname or IP address of a network Dynamic Host Configuration Protocol DHCP server responsible for handling clie...

Page 176: ...ies the URL of the server on which the PAC file resides and the frequency in minutes with which Network Connect polls the server for an updated version of the PAC file Manual configuration Specifies t...

Page 177: ...ass through the NC tunnel The 10 204 68 0 24 network will not pass through the NC tunnel If split tunneling is enabled and the include route contains 10 204 64 0 24 subnet of the excluded route and th...

Page 178: ...This option denies the Network IP address netmask combinations specified in the Resources field not to pass through the NC tunnel Action Roles Selection tab Select the members from the Members list Y...

Page 179: ...Access SAML Server Instance NSM Procedure on page 188 Configuring a Secure Access Active Directory or NT Domain Instance NSM Procedure on page 190 Configuring a Secure Access NIS Server Instance NSM...

Page 180: ...e modifications Table 40 Secure Access ACE Server Instance Configuration Details Your Action Function Option ACE Settings Select a default port number NOTE The Secure Access device uses only this sett...

Page 181: ...ration tab In the configuration tree select Authentication Auth Servers 4 Add or modify an auth server instance and then select Server Catalog The Expressions tab appears 5 Click New to create a custo...

Page 182: ...lidate button is not enabled in the Custom Expressions editor of device templates 9 Click OK to save the custom expression The new custom expression is displayed under the Expressions tab of the serve...

Page 183: ...um length There is no maximum limit to the length Specifiesthemaximumcharacter length for passwords NOTE This is optional Maximum password length Set the minimum number of digits that is required in t...

Page 184: ...r the username Specifies the username Username Enter the user s full name Specifies the user s full name Full name Enter the password Specifies the password Password Select Users One time user to enab...

Page 185: ...ing server instance click the appropriate link in the Auth Server Name box and perform the Steps 5 through 8 4 Click the New button The New dialog box appears 5 Specify a name to identify the server i...

Page 186: ...ticate users against LDAP Server Type Select the type of connection from the drop down list Specifies whether or not the connection between the Secure Access device and LDAP Directory Service should b...

Page 187: ...ps Base DN Enter a filter value Fine tunes the search for a user group Filter Enter a name if you want to identify all the members of a static group For example entermemberuniquemember iPlanet specifi...

Page 188: ...ies the e mail attribute for the LDAP server Email Address Enter a name For example to help the meeting creator easily distinguish between multiple invitees with the same name you may want to expose a...

Page 189: ...nfiguring a Secure Access RADIUS Server Instance NSM Procedure A Remote Authentication Dial In User Service RADIUS server is a type of server that allows you to centralize authentication and accountin...

Page 190: ...ort Enter a string for the shared secret Specifies a string for the shared secret Shared Secret Enter the port value NOTE Typically this port is 1813 but some legacy servers might use 1646 Specifies t...

Page 191: ...ROLE Logs the user s Secure Access device role to the accounting server If the user is assigned to more than one role the Secure Access device comma separates them Specifies the user information that...

Page 192: ...box and perform the Steps 5 through 8 4 Click the New button The New dialog box appears 5 Specify a name to identify the server instance 6 Select Anonymous Server from the Auth Server Type list 7 Cli...

Page 193: ...SiteMinder Configuration Details Your Action Function Option Siteminder Settings Basic Settings tab Enter a name or IP address Specifies the name or IP address of the SiteMinder policy server Policy...

Page 194: ...cted resource If you do not create sign in policies for SiteMinder the Secure Access device uses this default URL to set the user s protection level for the session The Secure Access device also uses...

Page 195: ...n realm from the drop down list Specifies an authentication realm for automatically signed in users The Secure Access device maps the user to a role based on the role mapping rules defined in the sele...

Page 196: ...L Specifies the target URL NOTE The form post target form post protocol form post Webagent form post port form post path and form post parameters field are displayed only when you select Form POST opt...

Page 197: ...the Form POST option from the Authentication Type drop down list Form POST Path Enter the post parameters CommonSiteMindervariables that you can use include _ _USER_ _ _ _PASS_ _ and _ _TARGET_ _ The...

Page 198: ...ard agent an SMSESSION cookie is set in the user s browser and the user is redirected back to the Secure Access device The Secure Access device then automatically signs in the user and establishes a S...

Page 199: ...redirect to Enter a URL Specifies a resource on the Web agent to which the Secure Access device redirects users when they do not have the appropriate permissions Resource for insufficient protection...

Page 200: ...Enter a number Controls the maximum number of requests that the policy server connection handles before the Secure Access device ends the connection If necessary tune to increase performance NOTE The...

Page 201: ...o not select this option the Secure Access device checks the user s SMSESSION cookie on each request Enable Session Grace Period Enter the time period in seconds Specifies the time period for the Secu...

Page 202: ...ure Access Certificate Server Instance NSM Procedure The certificate server feature allows users to authenticate based on attributes contained in client side certificates You may use the certificate s...

Page 203: ...Access SAML Server Instance NSM Procedure on page 188 Configuring a Secure Access Active Directory or NT Domain Instance NSM Procedure on page 190 Configuring a Secure Access eTrust SiteMinder Server...

Page 204: ...e OCSP validation method when possible but attempt to validate client certificates using CRLs should the OCSP method fail for example if the link to the OCSP Responder fails After you select this opti...

Page 205: ...P Settings tab Select a value from the drop down list The list includes Responder specified in CA certificate Manually configured responders Responder specified in Client certificate Specifies the OCS...

Page 206: ...er instance 3 Click the Configuration tab and select Authentication Auth Servers The corresponding workspace appears NOTE If you want to update an existing server instance click the appropriate link i...

Page 207: ...nt authentication Password Select a device certificate the drop down list Specifies the device certificate Device Certificate SAML Settings POST SSO tab Enter the name or browse to locate the response...

Page 208: ...ectory or NT Domain Instance NSM Procedure on page 190 Configuring a Secure Access NIS Server Instance NSM Procedure on page 193 Configuring a Secure Access Certificate Server Instance NSM Procedure o...

Page 209: ...in Select AD NT Settings General Allow domain to be specified as part of username to enable this feature Allows users to sign in by entering a domain name in the Username box in the format domain user...

Page 210: ...m name AD NT Settings Advanced tab Select AD NT Settings Advanced User may belong to Domain Local Groups across trust boundaries to enable this feature Specifies that the selected user belongs to the...

Page 211: ...ication Auth Servers The corresponding workspace appears NOTE If you want to update an existing server instance click the appropriate link in the Auth Server Name box and perform the Steps 5 through 8...

Page 212: ...erver user directory Value Related Documentation Configuring Secure Access Authentication Realms NSM Procedure on page 195 Configuring Secure Access Authentication Policies NSM Procedure on page 198 C...

Page 213: ...want to configure authentication realms 2 Click the Configuration tab select Administrators Admin Realms or Users User Realms The corresponding workspace appears 3 Click the New button The New dialog...

Page 214: ...evice NOTE You cannot choose an anonymous server certificate server or eTrust SiteMinder server Additional Authentication Server Select General End session if authentication against this server fails...

Page 215: ...apping rules and role restrictions Uses dynamic policy evaluation for this realm Enable Dynamic policy evaluation Select General Refresh roles to enable this option Refreshes the roles of all users in...

Page 216: ...le 52 Authentication Realm Policies Configuration Details Your Action Function Option Authentication Policies Source IP tab Select any one of the following options from the drop down list Usersfromany...

Page 217: ...to a role or access a resource You are prompted with a sign in attempt failed error message when you try to sign in to the device using an unsupported browser Allow Enter a string in the format browse...

Page 218: ...drop down list and by clicking New Specifies any additional criteria that the admin realm should use when verifying the policies Certificate Field Enter a variable for example enter userAttr uid NOTE...

Page 219: ...access Evaluate ALL policies Select Authentication Policies Host Checker Enforce ALL policies to enable this feature Enforces all the policies on the client for the user to log in to the specified re...

Page 220: ...ache Cleaner to the client machine before the user may access the Secure Access device sign in page Specifies the cache cleaner restrictions NOTE The Cache Cleaner tab is displayed only when you confi...

Page 221: ...in Table 53 on page 203 6 Click one OK Saves the changes Cancel Cancels the modifications Table 53 Role Mapping Rules Configuration Details Your Action Function Option Role Mapping Rules tab Select Ad...

Page 222: ...ressions button appears 1 Click the collection of expressions button to assign expressions The expressions that were created for the selected authentication server appears 2 Select an existing express...

Page 223: ...ate has any of the attributes as role mapping rule type Specifies the rules that are used for matching New Enter an attribute name Specifies the role mapping role attributes NOTE This option is enable...

Page 224: ...Copyright 2010 Juniper Networks Inc 206 Configuring Secure Access Devices Guide...

Page 225: ...trator URLs on page 209 3 Creating Meeting URLs on page 210 Creating Authorization Only Policies The authorization only policy is similar to a reverse proxy Typically a reverse proxy is a proxy server...

Page 226: ...his URL The request from the virtual hostname gets transformed as a request to this URL Backend URL Enter a description for the policy Specifies the description of the policy Description Select the co...

Page 227: ...entication Signing In Sign in Policies User Administrator URLs The corresponding workspace appears 3 Add or modify settings on the user administrator URL as specified in Table 55 on page 209 4 Click o...

Page 228: ...t to configure a meeting URL 2 Click the Configuration tab and select Authentication Signing In Sign in Policies Meeting URLs The corresponding workspace appears 3 Add or modify settings on the meetin...

Page 229: ...n in Pages To configure a user or administrator sign in page 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for whi...

Page 230: ...the sign in page Realm Enter the alternate or the secondary username Specifies the alternate or the secondary username Secondary username Enter the password for the secondary username Specifies the p...

Page 231: ...espective Help file from its location using the browse button Allows the administrator to select the HTML file that needs to be displayed when the user clicks the Help button on the page HTML File Set...

Page 232: ...e to show in the secure meeting sign in page Submit button Enter an appropriate message for the user to perform while signing in for the secure meeting For example enter Please sign in to begin your s...

Page 233: ...ates File Automatically displays the file upload time and it is not editable Specifies the time taken to upload the template file File Upload Time Related Documentation Configuring a SAML Access Contr...

Page 234: ...Copyright 2010 Juniper Networks Inc 216 Configuring Secure Access Devices Guide...

Page 235: ...s if challenged with the negotiate header NTLM if challenged with the NTLM header and basic authentication if challenged with the basic resource If the device receives multiple challenges the order of...

Page 236: ...ich you want to configure the basic NTLM and Kerberos resources 3 Click the Configuration tab Select Users Resource Policies Web General 4 Click the New icon to configure the options as described in T...

Page 237: ...erberos Constrained Delegation Constrained Delegation Services List New Constrained Delegation Service List Enter a unique identification number for the constrained delegation service list Id Enter a...

Page 238: ...xes Static Specifies the username and password exactly as they are entered in the Username and Password boxes Credential Type Enter the account username If you select Variable as the credential type y...

Page 239: ...page to collect the credentials for the Web resource and then rewrites the credentials along with the entire challenge or response sequence With the Kerberos intermediation resource policy backend Web...

Page 240: ...ediation method to control the SSO behavior Disable Intermediation Not valid for web proxies Specifies that in selecting this option the device does not intermediate the challenge or response sequence...

Page 241: ...control transactions to a trusted access management system theSecureAccessdeviceandtrustedaccessmanagementsystemexchangesinformation To configure a SAML access control resource policy 1 In the navigat...

Page 242: ...Detailed Rules Specifies one or more detailed rules for this policy Allows or denies the Secure Access device to perform an access control check Action Enter the URL using the format https hostname w...

Page 243: ...owing options from the drop down list Other Sends the username in another format agreed upon by the Secure Access device and the SAML Web service DN Sends the username in the format of a DN distinguis...

Page 244: ...ustom expressions Specifies one or more expressions to evaluate to perform the action Conditions Related Documentation Configuring SAML SSO Artifact Profile Resource Policy NSM Procedure on page 226 S...

Page 245: ...Selection section Policy applies to all roles OTHER THAN those selectedbelow Appliesthe policy to all users except for those who mapped to the roles in the Role Selection section Specifies the roles t...

Page 246: ...Secure Access device can use to identify itself when it generates assertions Issuer Select one of the following options from the drop down list Other Sendstheusername in another format DN Sends the us...

Page 247: ...device NOTE The username and password boxes are displayed only when you select the Username Password option from the Authentication Type drop down list Username Enter the password Specifies the passw...

Page 248: ...down list Role SAML SSO Detailed Role Specify one of the following options Boolean expressions Using system variables write one ormoreBooleanexpressions using the NOT OR or AND operators Custom expre...

Page 249: ...g Virus Signature Version Monitoring or Patch Management Version Monitoring List NSM Procedure on page 249 Assigning a Proxy Server an Auto Update Server NSM Procedure on page 250 Setting Up Secure Ac...

Page 250: ...nloading Host Checker over a slow connection increase the interval to allow enough time for the download to complete Client side process login inactivity timeout minutes Select the Auto upgrade HostCh...

Page 251: ...in Table 64 on page 233 to specify the remediation actions that you want Host Checker to perform if a user s computer does not meet the requirements of the current policy 7 Click one OK Saves the cha...

Page 252: ...eason strings Related Documentation Configuring Host Checker Third Party Applications Using Predefined Rules NSM Procedure on page 234 Configuring the Remote Integrity Measurement Verifier Server NSM...

Page 253: ...the name for Antivirus rule Rule Name Select one of the following options Require any supported product Specifies the software vendor s product that is supported for the system scan check Require spe...

Page 254: ...nitor this rule for change in result Select the EnableDownloadlatest virus definition files for all supported products to enable this feature Allows you to download latest virus definition files for a...

Page 255: ...ific vendor for the system scan check Allows you to select your firewall vendor s and product s Select Products Select the Require any supported product from a specific vendor to enable this feature C...

Page 256: ...Name Select the Monitor this role for change in result to enable this feature Continuously monitors the policy compliance of endpoints Monitor this role for change in result Select the product and the...

Page 257: ...oducts Selected tab Select the product and then click Add to move the product from the Non memberstotheMemberslist Allows you to select specific products Specific Products Selected Selected Products S...

Page 258: ...In the configuration tree select Authentication Endpoint Security Host Checker 4 Add or modify settings as specified in Table 66 on page 240 5 Click one OK Saves the changes Cancel Cancels the modifi...

Page 259: ...licy NSMProcedure onpage144 Configuring Host Checker Customized Requirements Using Custom Rules NSM Procedure You can create custom rules within a Host Checker policy to define requirements that users...

Page 260: ...nsiders the rule met NHCRules 1 Enter the rule name 2 Select the Required option to specify that these ports are open or closed 3 Enter a comma delimited port list without spaces of ports or port rang...

Page 261: ...You may also use file checks to evaluate the age and content through MD5 checksums of required files and allow or deny access accordingly File Rules 1 Enter the rule name 2 Select the registry root k...

Page 262: ...specify 3 Enter a comma delimited list without spaces of MAC addresses in the form XX XX XX XX XX XX where the X s are hexadecimal numbers For example 00 0e 1b 04 40 29 4 Click OK Windows only Use thi...

Page 263: ...y level of the patches that you wish to ignore Select the Enable SMS patch update check box to update patches using SMS Configures a policy based on specific products Scan for Specific products Enter...

Page 264: ...figuration tree select Authentication Endpoint Security Host Checker 3 Select Settings Policies and then click New 4 Enter a name for the policy in the Policy Name box 5 In the Policy Type list select...

Page 265: ...trator privileges for the Host Checker to enforce the connection control policy on the client computer To enable the predefined Host Checker connection control policy 1 In the NSM navigation tree sele...

Page 266: ...igation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for which you want to configure the device to automatically import the current signa...

Page 267: ...ion tab and select Authentication Endpoint Security Host Checker 3 Click either Virussignatureversionmonitoring or PatchManagementInfoMonitoring 4 Download the list from the Juniper Networks staging s...

Page 268: ...ate Server details Your Action Options Specifies the existing URLs of the staging sites where the current lists are stored The default URLs are the paths to the Juniper Networks staging site https dow...

Page 269: ...ick the Secure Access device for which you want to configure global Cache Cleaner options 3 Click the Configuration tab and select Authentication Endpoint Security Cache Cleaner The corresponding work...

Page 270: ...hat Internet Explorer has cached on the user s system Flush all existing AutoComplete passwords Select one of the following options from the drop down list For the IVE session only Secure Access devic...

Page 271: ...ar folders only at the end of session Enter the name of the file Specifies the name of a file that you want Cache Cleaner to remove File or folder path Select the Files and Folders Clear Subfolders ch...

Page 272: ...s not already running Cache Cleaner then the Secure Access device does not map the user to that role Resource policy When a user requests a resource the Secure Access device evaluates the resource pol...

Page 273: ...to meet the access requirement Cache Cleaner option To configure cache cleaner restrictions at the role level 1 In the navigation tree select Device Manager Devices 2 Click the Device Tree tab and the...

Page 274: ...m the drop down list Specifies the action to allow the Secure Access device to access the resource if the user s machine does not meet the Cache Cleaner requirement Action Enter specific URL directory...

Page 275: ...Network Communications Protocol is used to communicate between the Secure Access device server and client applications To configure the Network Communications Protocol 1 In the NSM navigation tree sel...

Page 276: ...client applications NCP Auto Select Set the idle connection interval Allows you to specify the timeout interval for Java clients 15 to 120 seconds Note that this value does not apply to user inactivit...

Page 277: ...gs 2 Click the Configuration tab and select System Configuration Secure Meeting The corresponding workspace appears 3 Add or modify settings as specified in Table 75 on page 259 4 Click one OK Saves t...

Page 278: ...uniqueness For example meeting_room1 meeting_room2 Meeting room number prefix Specify an expresion Allows you to specify an expression such as userAttr lname to the meeting URL If the attribute is no...

Page 279: ...uring Global Security NSM Procedure on page 261 Configuring Sensors NSM Procedure on page 265 Configuring Global Security NSM Procedure The default global security settings provide maximum security Ho...

Page 280: ...f the following options from the drop down list Accept only 168 bit and greater maximize security Secure Access device gives preference to 256 bit AES over 3DES Accept only 128 bit and greater securit...

Page 281: ...etween 128 bit and 168 bit check box to enable this feature Allows Secure Access device to use 168 bit or higher ciphers for backend rewriter connections and device gives preference to 256 bit AES enc...

Page 282: ...ssion termination Preserve cookies at session termination Secure Access device preserves cookies at session termination Allows Secure Access device to set persistent cookies on the user s machine to s...

Page 283: ...ection entry Name Enter the hostname or IP address Specifies the hostname or IP address of the IDP sensor to which the Secure Access device connects to receive application and resource attack alert me...

Page 284: ...rop down list Ignore just log the event Secure Access device logs the event and takes no further action against the user profile to which this rule applies Terminate user session Secure Access device...

Page 285: ...users who are mapped to roles in the Selected roles list Make sure to add roles to this list from the Available roles list Except those selected Applies this policy to all users except for those who a...

Page 286: ...expressions Select a prebuilt expression and click the Insert Expression button The prebuilt expression is displayed in the Expression area Modify the values to create your own custom expression Vari...

Page 287: ...s NOTE You can create a custom expression in a device template but you cannot validate the custom expression The Validate button is not enabled in the Custom Expressions editor of device templates 9 C...

Page 288: ...Copyright 2010 Juniper Networks Inc 270 Configuring Secure Access Devices Guide...

Page 289: ...al network settings 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for which you want to configure general network...

Page 290: ...WINS server that you use to associate workstation names and locations with IP addresses if applicable WINS Windows networking tab SelectWindowsnetworkingtab Enable network discovery allows detection...

Page 291: ...for the individual Secure Access device By default these boxes are populated with the settings entered during initial Secure Access device setup IP Address Enter the netmask Specifies the netmask for...

Page 292: ...uests Routes Interface Enter the metric Specifies metric for comparing multiple routes to establish precedence NOTE Generally the lower the number from 1 to 15 the higher the precedence So a route wit...

Page 293: ...then double click the Secure Access device for which you want to configure hosts 2 Click the Configuration tab and select System Network Settings Hosts The corresponding workspace appears 3 Add or mo...

Page 294: ...Add or modify settings as specified in Table 81 on page 276 4 Click one OK Saves the changes Cancel Cancels the modification Table 81 Configuring Internet Protocol Filters Details Your Action Function...

Page 295: ...he same user For example SA1 is an ACE authentication server with user1 who creates a bookmark to www juniper net SA2 is an Active Directory authentication server with the same user1 For the www junip...

Page 296: ...nchronization 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for which you want to enable user record synchronizati...

Page 297: ...authentication server you are implicitly assigning it to all users that authenticate with that authentication server The combination of the user login name and its LAS name uniquely identifies the use...

Page 298: ...hronize with To configure the client 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for which you want to configure...

Page 299: ...records from the cache The device performs a check every 15 minutes and deletes user records that meet all of the following criteria There are no active user sessions associated with the user record...

Page 300: ...Copyright 2010 Juniper Networks Inc 282 Configuring Secure Access Devices Guide...

Page 301: ...sion Export Policy on the Secure Access Device NSM Procedure on page 285 Configuring IF MAP Session Import Policy on the Secure Access Device NSM Procedure on page 288 Configuring IF MAP Server Replic...

Page 302: ...uted through a different network interface Listing all of the IP addresses maximizes the probability that IF MAP Federation still works in the event of a failure 9 Under Authentication Type select the...

Page 303: ...use to verify the certificate for this client Optionally specify certificate attributes or restrictions to require values for certain client certificate attributes Ensure that the certificate of the...

Page 304: ...Name Enter a brief description for the policy Describes the policy Description Type the administrative domain for the session export policy If you want different aspects of a user session to be export...

Page 305: ...copy all of the roles from the user session to the IF MAP capabilities data Set roles specified below Select this option to set the specified roles The Roles option appears From Roles click New and e...

Page 306: ...er Session import policies specify how the Secure Access device derives a set of roles and a username from the IF MAP data in the IF MAP server Session import policies establish rules for importing us...

Page 307: ...f the IF MAP identity name type and administrative domain must exactly match the session import policy Specifies that identity should be used as the criteria for assigning roles Match IF MAP Identity...

Page 308: ...rver Replicas NSM Procedure You can configure an IF MAP server to replicate all of its IF MAP data to other IF MAP servers For example if you have a network in Boston and a network in London you can r...

Page 309: ...te connections to this server If the replica is standalone for survivability list both the internal and external network interfaces If the replica is a cluster for survivability list the internal and...

Page 310: ...Copyright 2010 Juniper Networks Inc 292 Configuring Secure Access Devices Guide...

Page 311: ...PART 4 Managing Secure Access Devices Managing Secure Access Devices on page 295 Troubleshooting Secure Access Device Federated Networks on page 301 293 Copyright 2010 Juniper Networks Inc...

Page 312: ...Copyright 2010 Juniper Networks Inc 294 Configuring Secure Access Devices Guide...

Page 313: ...nd link that file into the Secure Access or Infranet Controller device configuration tree 1 In the Device Manager right click the device icon and select Import Device from the list to import the Secur...

Page 314: ...RemovingaSecureAccessDevicefromNSMManagement NSMProcedure onpage296 Archiving Secure Meetings NSM Procedure on page 297 Configuring Secure Access Sign In Pages NSM Procedure on page 211 Configuring Ho...

Page 315: ...number of days are archived Define which node in a cluster performs the archive To archive secure meetings 1 In the navigation tree select Device Manager Devices Click the Device Tree tab and then do...

Page 316: ...mation Description User Interface Element Displays the cluster name type configuration internal VIP and external VIP for an active passive cluster Status Information Specifies a device to add the clus...

Page 317: ...rent state of the node light color does not reflect failures in the external interface connectivity Such failures are logged as events NOTE A node s state is considered standalone when it is deployed...

Page 318: ...d Documentation Adding a Secure Access Cluster Overview on page 23 Managing Large Binary Data Files NSM Procedure on page 295 Copyright 2010 Juniper Networks Inc 300 Configuring Secure Access Devices...

Page 319: ...IF MAP Client User Messages from Log Monitoring User Access Settings on the SA Series appliances IF MAP client IF MAP Server Trace On the IF MAP server logs the XML for all IF MAP requests and respon...

Page 320: ...Copyright 2010 Juniper Networks Inc 302 Configuring Secure Access Devices Guide...

Page 321: ...PART 5 Monitoring Secure Access Devices Configuring Logs in Secure Access Devices on page 305 Viewing Logs in Secure Access Devices on page 313 303 Copyright 2010 Juniper Networks Inc...

Page 322: ...Copyright 2010 Juniper Networks Inc 304 Configuring Secure Access Devices Guide...

Page 323: ...ich you want to configure user access admin access sensors and events 2 Click the Configuration tab and select System Log Monitoring The corresponding workspace appears 3 Add or modify settings as spe...

Page 324: ...the reverse proxy information of the event Reverse Proxy Select Meeting Events to enable this feature Captures the meeting information of events Meeting Events User Access Settings tab Specify the fi...

Page 325: ...Client User Messages Admin Access Settings tab Enter the file size Specifies the maximum file size for the local log file The limit is 500 MB NOTE The system log displays data up to the amount specifi...

Page 326: ...o configure custom filters and formats for log files 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for which you w...

Page 327: ...The World Wide Web Consortium s extended log file format is a customizable ASCII format with a variety of different fields Visit http www w3 org for more information about this format Only the User Ac...

Page 328: ...stem Log Monitoring Client Logs 3 Add or modify settings as specified in Table 92 on page 310 4 Click one OK Saves the changes Cancel Cancels the modifications Table 92 Configuring Client Side Logs De...

Page 329: ...05 Configuring Custom Log Filters NSM Procedure You can create custom log filters or edit the set of predefined log filters to specify which data is written to your log files as well as its format To...

Page 330: ...cure Access device event ID and message WELF ThiscustomizedWebTrends EnhancedLogFormat WELF filter combines the standard WELF format with information about the Secure Access device s realms roles and...

Page 331: ...vice Status Table 94 on page 313 lists and describes device information that you can view through the Device Monitor Table 94 Device Status Information Description Column Unique name assigned to the d...

Page 332: ...ether the device is part of a vsys device part of a cluster or part of a virtual chassis A device in this state cannot connect to NSM Detected duplicate serial number The device has the same sequence...

Page 333: ...Major or Minor None The device has no alarms Unknown The device status is unknown For example the device might not be connected N A The device s alarm is not pollable or discoverable for example this...

Page 334: ...device disconnected from the NSM Device Server Latest Disconnect Related Documentation Viewing Device Monitor Alarm Status on page 316 Monitoring the Secure Access as an SNMP Agent NSM Procedure on p...

Page 335: ...g workspace appears 3 Add or modify settings as specified in Table 95 on page 317 4 Click one OK Saves the changes Cancel Cancels the modification Table 95 Monitoring Secure Access Device as SNMP Agen...

Page 336: ...for Critical Log Events check box to enable this feature Allows you to send traps for critical log events Send Traps for Critical Log Events Select the Send Traps for Major Log Events check box to ena...

Page 337: ...PART 6 Index Index on page 321 319 Copyright 2010 Juniper Networks Inc...

Page 338: ...Copyright 2010 Juniper Networks Inc 320 Configuring Secure Access Devices Guide...

Page 339: ...Index C customer support xvi contacting JTAC xvi S support technical See technical support T technical support contacting JTAC xvi 321 Copyright 2010 Juniper Networks Inc...

Page 340: ...Copyright 2010 Juniper Networks Inc 322 Configuring Secure Access Devices Guide...