Juniper® Networks Secure Access SSL VPN Configuration Guide

Book Description

Juniper Networks Secure Access SSL VPN appliances provide a complete range of remote access appliances, from the smallest companies up to the largest service providers. If you are a system administrator or security professional, this comprehensive configuration guide will show you how to configure these appliances to provide remote and mobile access for employees. If you manage and secure a larger enterprise, this book will help you provide remote and/or extranet access for employees, partners, and customers from a single platform.

* Complete coverage of the Juniper Networks Secure Access SSL VPN line including the 700, 2000, 4000, 6000, and 6000 SP.
* Learn to scale your appliances to meet the demands of remote workers and offices.
* Use the NEW coordinated threat control with Juniper Networks IDP to manage the security of your entire enterprise.

Table of Contents

  1. Copyright
  2. Technical Editor and Contributing Author
  3. Contributors
  4. Introduction
    1. Why This Book Was Written
    2. Juniper Networks and the SSL VPN
      1. Resources Beyond This Book
    3. Introduction to VPNs
      1. IPSec
    4. SSL
    5. IPSec VPN vs. SSL VPN
    6. What Is the IVE?
      1. Where Is the IVE Deployed?
        1. One-Arm, No DMZ
        2. Two-Arm, DMZ
        3. Two-Arm, Two DMZ
      2. IVE Platforms
        1. Secure Access 700
        2. Secure Access 2000
        3. Secure Access 4000
        4. Secure Access 6000
      3. License Types
    7. Summary
  5. 1. Defining a Firewall
    1. Introduction
    2. Why Have Different Types of Firewalls?
      1. Physical Security
        1. Network Security
        2. Attacks
        3. Recognizing Network Security Threats
          1. Understanding Intruder Motivations
        4. Recreational Hackers
        5. Profit-Motivated Hackers
        6. Vengeful Hackers
        7. Hybrid Hackers
    3. Back to Basics: Transmission Control Protocol/Internet Protocol
      1. TCP/IP Header
        1. IP Addresses
          1. IP Half-Scan Attack
          2. IP Spoofing
          3. Denial-of-Service Attacks
          4. Source-Routing Attack
        2. TCP/UDP Ports
          1. Port Scanning
          2. Other Protocol Exploits
        3. Data Packet
          1. System and Software Exploits
          2. Trojans, Viruses, and Worms, Oh My!
          3. Buffer Overflow
    4. Firewall Types
    5. Application Proxy
      1. Pros
        1. High Security
        2. Refined Control
      2. Cons
        1. Slower Network Performance
        2. Update Schedule Governed by Vendors
        3. Limited Control, Depending on Vendor
    6. Gateway
      1. Packet Filters
        1. Technical Description
        2. Pros
          1. Speed
          2. Rapid Implementation
        3. Cons
          1. Less Secure
          2. Port Limitations
      2. Stateful Inspection
        1. Technical Description
          1. The Inspection Process
          2. Stateful Inspection Gateway Features
        2. Pros
          1. Networking Standard
          2. Performance and Protection
        3. Cons
          1. Lower Data Transfer Rates Than a Packet Filter
          2. Lack of Fine Control
    7. Summary
    8. Solutions Fast Track
      1. Why Have Different Types of Firewalls?
      2. Back to Basics: Transmission Control Protocol/Internet Protocol
      3. Firewall Types
    9. Frequently Asked Questions
  6. 2. Setup
    1. Introduction
    2. Initial CLI Setup
      1. IVE Console Setup
        1. Configuring HyperTerminal for Connecting to the IVE Console Port
        2. Initial Configuration
    3. Initial Web Setup
      1. Accessing the IVE through the WebUI
      2. Configuring Date and Time
      3. Configuring Licensing on the IVE
        1. Generating a License on the Juniper Web Site
      4. Network Settings in the AdminUI
        1. Configuring IVE Interfaces in the WebUI
          1. Configuring the IVE Physical Ports
          2. Configuring Virtual Ports
          3. Configuring Static ARP Entries
          4. Configuring Static Routes
          5. Configuring Static Host (Name) Entries
    4. Certificates
      1. Generating a CSR
        1. Importing a Signed Certificate (without CSR)
          1. Assigning a Certificate to a Port
      2. Other Certificates
        1. Trusted Server CAs
    5. Security and System Settings
      1. Security Settings
      2. System Options
    6. Summary
    7. Solutions Fast Track
      1. Initial CLI Setup
      2. Initial Web Setup
      3. Certificates
      4. Security and System Settings
    8. Frequently Asked Questions
  7. 3. Realms, Roles, and Resources
    1. Introducing Realms, Roles, and Resources
    2. Configuring Realms
      1. Selecting and Configuring General Settings
        1. Directory/Attribute
        2. Accounting
        3. Additional Authentication Server
        4. Dynamic Policy Evaluation
      2. Selecting and Configuring Authentication Policies
        1. Password Management: Realm Restriction
          1. Host Checker: Realm Restriction
          2. Limits: Realm Restriction
      3. Selecting and Configuring Role Mapping
      4. Optimizing User Attributes
      5. Admin Realms
    3. Configuring Roles
      1. User Roles
      2. General Settings
        1. Role Restrictions
        2. VLAN/Source IP
        3. Session Options
        4. UI Options
          1. Headers
          2. Start Page
          3. Bookmarks Panel Arrangement
          4. Personalized Greeting
      3. Standard Options
      4. Meeting Options
      5. Admin Roles
    4. Configuring Resources
      1. Introducing Resource Profiles
      2. Introducing Resource Policies
    5. Summary
    6. Solutions Fast Track
      1. Introducing Realms, Roles, and Resources
      2. Configuring Realms
      3. Configuring Roles
      4. Configuring Resources
    7. Frequently Asked Questions
  8. 4. Authentication Servers
    1. Introduction
    2. Local Authentication
    3. LDAP
    4. NIS
    5. ACE
    6. Radius
    7. AD/NT
    8. Anonymous
    9. SiteMinder
    10. Certificate
    11. SAML
    12. Summary
    13. Solutions Fast Track
      1. Local Authentication
      2. LDAP
      3. NIS
      4. ACE
      5. Radius
      6. AD/NT
      7. Anonymous
      8. SiteMinder
      9. Certificate
      10. SAML
    14. Frequently Asked Questions
  9. 5. Secure Application Manager
    1. Introduction
      1. Why Use SAM?
      2. Feature Availability
      3. Chapter Overview
    2. Secure Application Manager
      1. SAM Versions
        1. WSAM
        2. JSAM
        3. Version Comparison
      2. How to Deploy the SAM Applet to Connecting Computers?
        1. Web Install/Upgrade
        2. Autonomous Installers
        3. Juniper Installer Service
    3. Secure Application Manager Implementation
      1. Enabling SAM and Configuring Role Options
        1. Configuring SAM Role Options
        2. Configuring Windows SAM Role Options
        3. Configuring Java SAM Role Options
        4. Configuring Role Session Options that Affect SAM
      2. Configuring SAM on a Role
        1. Adding a WSAM Supported Application to a Role
        2. Adding a WSAM Allowed Server to a Role
        3. Adding a WSAM Bypass Application to a Role
        4. Adding a JSAM-Supported Application to a Role
      3. Configuring SAM Resource Policies
        1. Configuring a SAM Resource Policy for Access Control
        2. Configuring SAM Resource Policy Options
        3. Configuring JSAM Autolaunch Policies
      4. Configuring SAM Resource Profiles
        1. Configuring WSAM Client Applications Resource Profiles
        2. Configuring WSAM Destination Resource Profiles
        3. Configuring JSAM Client Applications Resource Profiles
        4. Configuring SAM Rewriting Bypass with Web Application Resource Profiles
    4. Secure Application Manager User Experience
    5. Troubleshooting
      1. Secure Application Manager Troubleshooting
        1. IVE-Side Troubleshooting
          1. Concentrator Logs
          2. Example One
          3. Policy Trace of SAM Policies
          4. Example Two
          5. Simulation of SAM Policies
        2. Client-Side Troubleshooting
          1. Client Logs
          2. WSAM Client Logs
          3. Example Three
          4. JSAM Client Logs
          5. Example Four
        3. Client Tools
          1. WSAM Tools
          2. Example Five
          3. JSAM Tools
    6. Summary
    7. Solutions Fast Track
      1. Secure Application Manager
      2. Secure Application Manager Implementation
      3. Secure Application Manager User Experience
      4. Troubleshooting
    8. Frequently Asked Questions
  10. 6. Terminal Services and Citrix
    1. Introduction
      1. Why Use the Juniper Citrix Terminal Services Proxy?
      2. Feature Availability
      3. Chapter Overview
    2. Terminal Services
      1. Terminal Services Implementation
        1. Enabling Terminal Services Proxy and Configuring Role Options
          1. Configuring Terminal Services Role Options
          2. Configuring Role Session Options That Affect Terminal Services
          3. Configuring a Windows Terminal Services or Citrix Session on a Role
          4. Configuring Windows Terminal Services or Citrix Using the Default ICA
          5. Configuring Citrix Using a Custom ICA
        2. Terminal Services Session Bookmarks
      2. Configuring Terminal Services Resource Policies
        1. Configuring a Terminal Services Resource Policy for Access Control
        2. Configuring Terminal Services Policy Options
      3. Configuring Terminal Services Resource Profiles
      4. Configuring Terminal Services and Citrix Using a Hosted Java Applet
      5. Terminal Services User Experience
    3. Citrix
      1. Citrix Client Types
        1. Citrix Load Balancing
        2. Citrix Single Sign-on
      2. Citrix Implementation
        1. Configuring Citrix with a Web Template (Resource Profile)
      3. Citrix User Experience
      4. Launching Terminal Services Sessions and Java Applets from an External Site
        1. Terminal Services Syntax
    4. Terminal Services and Citrix Troubleshooting
      1. IVE-Side Troubleshooting
        1. IVE Logs
          1. Example 1
          2. Policy Trace of Terminal Services Policies
        2. Client-Side Troubleshooting
          1. Terminal Services Client Logs
          2. Example 2
          3. Citrix Client Logs
    5. Summary
    6. Solutions Fast Track
      1. Terminal Services
      2. Citrix
      3. Terminal Services and Citrix Troubleshooting
    7. Frequently Asked Questions
  11. 7. Network Connect
    1. Introduction
      1. Why Use Network Connect?
      2. Feature Availability
      3. Chapter Overview
    2. Network Connect
      1. Network Connect Implementation
        1. Network Connect Global Configuration
        2. Enabling Network Connect and Configuring Role Options
          1. Configuring Network Connect Role Options
          2. Configuring Role Session Options that Affect Network Connect
          3. Configuring Other Role Options that Affect Network Connect
      2. Configuring Network Connect Resource Policies
        1. Configuring a Network Connect Resource Policy for Access Control
        2. Configuring a Network Connect Connection Profile
          1. Configuring NC Connection Profile DNS Information
          2. Configuring NC Connection Profile Proxy Information
        3. Configuring Network Connect Split-Tunneling Networks
      3. Network Connect Implementation Options
        1. Using GINA with Network Connect
        2. Using the Network Connect Command Line Launcher
        3. Using Network Connect in an Active/Active Multisite Cluster
      4. Network Connect Client Distribution
        1. Web Install/Upgrade
        2. Autonomous Installers
        3. Juniper Installer Service
    3. Network Connect Troubleshooting
      1. IVE-Side Troubleshooting
        1. IVE Logs
        2. Example One
        3. Policy Trace of Network Connect Policies
      2. Client-Side Troubleshooting
        1. Network Connect Client Logs
        2. Example Two
    4. Summary
    5. Solutions Fast Track
      1. Network Connect
      2. Network Connect Troubleshooting
    6. Frequently Asked Questions
  12. 8. Endpoint Security
    1. Introduction
    2. Host Checker
      1. Host Checker Functionality
      2. Host Checker Components
        1. Host Checker Policies and Rule Types
          1. Windows Host Checks
          2. Mac Host Checks
          3. Linux Host Checks
        2. Host Checker Policy Logic and Remediation
          1. Remediation Actions
        3. Host Checker Options
        4. Host Checker Definition Updates
          1. Virus Signature Version Monitoring
          2. Endpoint Security Assessment Plug-in Update
      3. Configuring Host Checker Rules
        1. Configuring a Host Checker Policy
        2. Host Checker Policies or Rules?
          1. Configuring a Predefined Antivirus Rule
          2. Configuring a Predefined Firewall Rule
          3. Configuring a Predefined Antispyware Rule
          4. Configuring a Predefined Operating System Check Rule
          5. Configuring a Custom Port Rule
          6. Configuring a Custom Process Rule
          7. Configuring a Custom File Check
          8. Creating a Custom Registry Key Check
          9. Configuring a NetBIOS Check
          10. Configuring a Custom MAC Address Check
          11. Configuring a Custom Machine Certificate Check
          12. Configuring a Third-Party NHC Check
          13. Uploading a Third-Party Host Checker Policy to the IVE
        3. Host Checker TNC Architecture
          1. Configuring an IMV Server
          2. Configuring an IMV Policy
          3. Configuring IMV Rules
          4. Configuring Policy Logic to Evaluate Multiple Host Checker Rules
          5. Configuring Policy Chaining
        4. Advanced Endpoint Defense
          1. Enabling Advanced Endpoint Defense
          2. Applying Advanced Endpoint Defense Policies
      4. Applying Host Checker Policies to the IVE
        1. Applying Host Checker to the Realm Level
          1. Configuring Host Checker Enforcement at the Realm Level
        2. Applying Host Checker Policies to the Role Mapping Level
          1. Configuring a Host Check Policy Evaluation at the Role Mapping Level
        3. Applying Host Checker Policies to the Role Level
          1. Configuring Host Checker at the Role Level
        4. Applying Host Checker Policies at the Resource Level
          1. Configuring a Resource Policy Level Host Check
      5. Troubleshooting Host Checker
    3. Cache Cleaner
      1. Cache Cleaner Deployment
        1. Cache Cleaner Options
          1. Cache Cleaner Content Clearing Techniques
      2. Implementing Cache Cleaner
        1. Applying Cache Cleaner at the Realm Level
        2. Configuring Cache Cleaner Checks at the Role Mapping Level
        3. Configuring Cache Cleaner at the Role Level
        4. Configuring a Cache Cleaner Check at the Resource Policy Level
    4. Secure Virtual Workspace
      1. Secure Virtual Workspace Options
        1. Configuring a Secure Virtual Workspace Policy
        2. Applying a Secure Virtual Workspace Policy
    5. IVE/IDP Integration
      1. IDP/IVE Signaling
        1. Configuring the IVE for IDP Integration
          1. Establishing Communication
      2. IVE/IDP Sensor Policies
        1. Events
        2. Configuring IDP Event Expressions
    6. Summary
    7. Solutions Fast Track
      1. Host Checker
      2. Cache Cleaner
      3. Secure Virtual Workspace
      4. IVE/IDP Integration
    8. Frequently Asked Questions
  13. 9. Web/File/Telnet/SSH
    1. Introduction
    2. Clientless Remote Access Overview
      1. Web Access Overview
      2. File Access Overview
      3. Telnet/SSH Access Overview
    3. Web Access
      1. Web Bookmarks
        1. Creating Web Bookmarks
        2. Web Options
          1. User Browsing and Bookmark Options
          2. Advanced Web Options
      2. Web Resource Policies
        1. Web ACL
        2. Java ACL
        3. Java Code Signing
        4. Caching
        5. Web Rewriting
        6. Web Compression
        7. Single Sign On
          1. Basic SSO Authentication Example
          2. NTLM SSO Authentication Example
          3. Form POST SSO Example
          4. SSO Headers/Cookies Authentication Example
        8. Pass-through Proxy
          1. Pass-through Proxy Components
          2. Properties of a Pass-through Proxy Resource Policy
          3. Example: Configuring Virtual Hostname Pass-through Proxy
          4. Example: Pass-through Proxy with IVE Ports
        9. Custom Headers
        10. ActiveX Parameter Rewriting
        11. Web Proxy
        12. Launch JSAM
        13. HTTP 1.1
        14. Options
      3. Web Resource Profiles
      4. Web Resource Profile Types
        1. Configuring Custom Resource Profiles
        2. Host Java Applet Resource Profile
        3. Outlook Web Access 2007 Example
        4. Citrix/nFuse Resource Profiles
    4. File Access
      1. File Bookmarks
        1. Configuring Windows File Shares
        2. Configuring UNIX File Shares
        3. File Options
      2. File Resource Policies
        1. Windows ACL
        2. UNIX/NFS ACLs
        3. Windows SSO
        4. Windows/UNIX Compression
        5. Encoding
        6. Options
      3. File Resource Profiles
        1. Creating Windows File Resource Profiles
        2. Creating UNIX File Resource Profiles
    5. Telnet/SSH Access
      1. Telnet/SSH Sessions
        1. Creating a Telnet/SSH Session
        2. Telnet/SSH Options
      2. Telnet/SSH Resource Policies
        1. Telnet/SSH Options
        2. Creating Telnet/SSH Resource Profiles
    6. Summary
    7. Solutions Fast Track
      1. Clientless Access Overview
      2. Web Access
      3. File Access
      4. Telnet/SSH Access
    8. Frequently Asked Questions
  14. 10. Maintenance Section
    1. Introduction
    2. System
      1. Platform
        1. Restarting Services
        2. Reboot/Shutdown
        3. Rollback
      2. Upgrade/Downgrade
      3. Options
      4. Installers
    3. Import/Export
      1. System (Binary) Import/Export
      2. User Accounts (Binary) Import/Export
      3. IVS Import/Export
      4. XML Import/Export
    4. Push Configuration
      1. Targets
      2. Results
      3. Push Config Transport
    5. Archiving
      1. Archiving Servers
      2. Local Backups
    6. Troubleshooting
      1. System Status and Resource Trending
      2. User Sessions: Policy Tracing and Simulation
        1. Policy Tracing
        2. Simulation
      3. Session Recording
      4. System Snapshot
      5. TCP Dump
      6. Commands
      7. Remote Debugging
      8. Debug Logs
      9. Node Monitor
      10. Cluster: Network Connectivity
    7. Summary
    8. Solutions Fast Track
      1. System
      2. Import/Export
      3. Push Configuration
      4. Archiving
      5. Troubleshooting
    9. Frequently Asked Questions
    10. Links to Sites
  15. 11. System Section
    1. Introduction
    2. Status
      1. Active Users
      2. Meeting Schedule
    3. Configuration
      1. Licensing
      2. Security
      3. Certificates
        1. Device Certificates
        2. Trusted Client CAs
        3. Trusted Server CAs
        4. Code-Signing Certificates
      4. NCP
      5. Sensors (IDP)
        1. Sensors
        2. Sensor Event Policies
      6. Client Types
      7. Secure Meeting
    4. Network
      1. Overview
      2. Internal + External Port Management
        1. Virtual Ports
        2. The ARP Cache
      3. VLANs
      4. Routes
      5. Hosts
      6. Network Connect
    5. Clustering
      1. Status
      2. Cluster Properties
    6. Virtual Systems
      1. Management
    7. Logging/Monitoring
      1. Logging
      2. Sensor Logging
      3. Client Logs
      4. SNMP
      5. Statistics
    8. Summary
    9. Solutions Fast Track
      1. Status
      2. Configuration
      3. Network
      4. Clustering
      5. Virtual Systems
      6. Logging/Monitoring
    10. Frequently Asked Questions
  16. 12. Sign-in Policies
    1. Introduction
    2. IVE Sign-in Structure
      1. IVE Licensing
    3. Sign-in Pages
      1. Standard Sign-in Pages
      2. Secure Meeting Sign-in Pages
      3. Configuring a Standard Sign-in Page
      4. Custom Sign-in Pages
        1. Sample Custom Sign-in Pages
        2. Why Does the IVE Use Templates for Custom Sign-in Pages?
        3. Introduction to Template Toolkit
        4. Resources for Custom Sign-in Pages
        5. Uploading a Custom Page
    4. Sign-in Policies
      1. IVE Licensing
      2. Sign-in Policy Types and Properties
        1. Components Available to Different Policy Types
      3. Sign-in Policy Evaluation
        1. Sign-in Policy Order
        2. Sign-in Policy Examples
          1. Example 1: Matching Wildcard Sign-in Policies
          2. Example 2: Matching Admin, User, and Meeting Sign-in URLs
      4. Creating Sign-in Policies
        1. Creating an Administrator Sign-in Policy
        2. Creating a User Sign-in Policy
        3. Creating a Secure Meeting Sign-in Policy
      5. Sign-in Policy Maintenance
    5. Summary
    6. Solutions Fast Track
      1. IVE Sign-in Structure
      2. Sign-in Pages
      3. Sign-in Policies
    7. Frequently Asked Questions
  17. 13. Logging
    1. Introduction
    2. Log Types and Facilities
      1. Log Severity Levels
      2. Event Logs
        1. Event Log Settings
      3. User Access Logs
        1. User Access Log Settings
      4. Admin Access Logs
        1. Admin Access Log Settings
      5. Sensor Logs
      6. Client Logs
        1. Client Log Settings
      7. Active User Logs
      8. Meeting Schedule
    3. Log Filtering
      1. Log Formats
        1. Standard Log Format
        2. WebTrends Enhanced Log File
        3. W3C Format
        4. Custom Log Format
      2. Log Filtering
        1. Applying Log Filters
        2. Dynamic Log Filtering
          1. Custom Expressions within Log Filter Queries
          2. Editing the Log Query String
    4. Log Management
      1. Saving Logs
      2. Deleting Logs
    5. Syslog Exporting
      1. Setting Up Syslog Exporting
    6. SNMP Management
      1. SNMP Configuration on the IVE
        1. SNMP Trap Thresholds
          1. Optional Traps
        2. SNMP Server
      2. SNMP Objects
        1. SNMP Management Systems
    7. System Resource Monitoring
      1. System Statistics
      2. Central Management Graphs
        1. Common Graph Settings
          1. Page Settings
        2. Concurrent Users
        3. Concurrent Meeting
        4. Hits Per Second
        5. CPU and (Virtual) Swap Memory Utilization
        6. Throughput
    8. Reporting
      1. ClearView Reporter Feature Overview
      2. Other Reporting Tools
    9. Summary
    10. Solutions Fast Track
      1. Log Types and Facilities
      2. Log Filtering
      3. Log Management
      4. Syslog Exporting
      5. SNMP Management
      6. System Resource Monitoring
      7. Reporting
    11. Frequently Asked Questions
  18. 14. Enterprise Features
    1. Introduction
    2. Instant Virtual Systems
    3. VLANs and Source Routing
    4. Administration Techniques
    5. Network Connect Considerations
    6. Clustering
    7. Understanding Cluster Communication and Status
    8. Summary
    9. Solutions Fast Track
      1. Instant Virtual Systems
      2. VLANs and Source Routing
      3. Administration Techniques
      4. Network Connect Considerations
      5. Clustering
      6. Understanding Cluster Communication and Status
    10. Frequently Asked Questions