Juniper Networks Secure Access Administration Guide, Release 5.5


Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 55A031207
Juniper Networks Secure Access
Administration Guide
Release 5.5
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986–1997, Epilogue
Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public
domain.
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software
included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by The Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988,
1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, The Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by
Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol.
Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the
University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.
Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo, NetScreen-Global Pro, ScreenOS, and GigaScreen are
registered trademarks of Juniper Networks, Inc. in the United States and other countries.
The following are trademarks of Juniper Networks, Inc.: ERX, E-series, ESP, Instant Virtual Extranet, Internet Processor, J2300, J4300, J6300, J-Protect,
J-series, J-Web, JUNOS, JUNOScope, JUNOScript, JUNOSe, M5, M7i, M10, M10i, M20, M40, M40e, M160, M320, M-series, MMD, NetScreen-5GT,
NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400,
NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-SA 1000 Series,
NetScreen-SA 3000 Series, NetScreen-SA 5000 Series, NetScreen-SA Central Manager, NetScreen Secure Access, NetScreen-SM 3000, NetScreen-Security
Manager, NMC-RX, SDX, Stateful Signature, T320, T640, T-series, and TX Matrix. All other trademarks, service marks, registered trademarks, or registered
service marks are the property of their respective owners. All specifications are subject to change without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Copyright © 2006, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Juniper Networks Secure Access Administration Guide, Release 5.5
Writers: Paul Battaglia, Gary Beichler, Claudette Hobbart, Mark Smallwood
Editor: Claudette Hobbart
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Year 2000 Notice
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year
2038. However, the NTP application is known to have some difficulty in the year 2036.
Software License
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the
extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you
indicate that you understand and agree to be bound by those terms and conditions.
Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain
uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.
For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.
End User License Agreement
READ THIS END USER LICENSE AGREEMENT ("AGREEMENT") BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY
DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU
(AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE
BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR
USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are Juniper Networks, Inc. and its subsidiaries (collectively “Juniper”), and the person or organization that
originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, and updates and
releases of such software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive
and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use the Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an
authorized Juniper reseller, unless the applicable Juniper documentation expressly permits installation on non-Juniper equipment.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer
has paid the applicable license fees.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to
Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,
connections, subscribers, clusters, nodes, or transactions, or require the purchase of separate licenses to use particular features, functionalities, services,
applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical
limits. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable
license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall
not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as
necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove
any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the
Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted
feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even
if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to
any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper
reseller; (i) use the Software on non-Juniper equipment where the Juniper documentation does not expressly permit installation on non-Juniper equipment;
(j) use the Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper
reseller; or (k) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish
such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer
shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in
the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that
accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT
PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY
JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER
USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT
PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR
OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO
EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT
ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’
liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software
that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer
acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of
liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential
purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s
possession or control.
10. Taxes. All license fees for the Software are exclusive of taxes, withholdings, duties, or levies (collectively “Taxes”). Customer shall be responsible for
paying Taxes arising from the purchase of the license, or importation or use of the Software.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption
or other capabilities restricting Customer’s ability to export the Software without an export license.
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or
disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4,
FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface
information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.
Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any
applicable terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology
are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the
Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License
(“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate)
available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of
the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The
provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the
Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This
Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and
contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except
that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are
inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless
expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not
affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the
Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous
les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related
documentation is and will be in the English language)).
Table of Contents vii
Table of Contents
About This Guide xxiii
Audience..................................................................................................... xxiii
Where to find additional information.......................................................... xxiii
Administrator and developer documentation ....................................... xxiii
Error Message Documentation ............................................................. xxiv
Hardware documentation..................................................................... xxiv
Product downloads............................................................................... xxiv
Conventions................................................................................................ xxiv
Documentation ............................................................................................ xxv
Release Notes ........................................................................................ xxv
Web Access ........................................................................................... xxv
Contacting Customer Support ...................................................................... xxv
Part 1 Getting started
Chapter 1 Initial Verification and Key Concepts 3
Verifying user accessibility ...............................................................................3
Creating a test scenario to learn IVE concepts and best practices ....................5
Defining a user role ...................................................................................6
Defining a resource profile ........................................................................8
Defining an authentication server............................................................10
Defining an authentication realm ............................................................13
Defining a sign-in policy ..........................................................................16
Using the test scenario ............................................................................19
Configuring default settings for administrators ..............................................22
Chapter 2 Introduction to the IVE 23
What is the IVE?.............................................................................................23
What can I do with the IVE?...........................................................................25
Can I use the IVE to secure traffic to all of my company’s applications, servers, and Web pages?.......................25
Can I use my existing servers to authenticate IVE users?.........................27
Can I fine-tune access to the IVE and the resources it intermediates?......27
Can I create a seamless integration between the IVE and the resources it intermediates? ..................................28
Can I use the IVE to protect against infected computers and other security concerns?..........................................29
Can I ensure redundancy in my IVE environment?..................................29
Can I make the IVE interface match my company’s look-and-feel?..........29
Can I enable users on a variety of computers and devices to use the IVE?...........................................................30
Can I provide secure access for my international users?..........................30
How do I start configuring the IVE?................................................................31
Part 2 Access management framework
Chapter 3 General access management 35
Licensing: Access management availability....................................................35
Policies, rules & restrictions, and conditions overview ...................................35
Accessing authentication realms..............................................................36
Accessing user roles ................................................................................37
Accessing resource policies......................................................................37
Policies, rules & restrictions, and conditions evaluation .................................38
Dynamic policy evaluation.............................................................................40
Understanding dynamic policy evaluation ...............................................40
Understanding standard policy evaluation...............................................41
Enabling dynamic policy evaluation ........................................................42
Configuring security requirements .................................................................42
Specifying source IP access restrictions ...................................................43
Specifying browser access restrictions.....................................................44
Specifying certificate access restrictions ..................................................47
Specifying password access restrictions...................................................48
Specifying Host Checker access restrictions.............................................49
Specifying Cache Cleaner access restrictions ...........................................49
Specifying limits restrictions....................................................................49
Chapter 4 User roles 51
Licensing: User roles availability ....................................................................52
User role evaluation .......................................................................................52
Permissive merge guidelines ...................................................................53
Configuring user roles ....................................................................................54
Configuring general role options..............................................................55
Configuring role restrictions ....................................................................56
Specifying role-based source IP aliases ....................................................57
Specifying session options.......................................................................57
Specifying customized UI settings............................................................60
Defining default options for user roles.....................................................64
Customizing user roles UI views.....................................................................66
Chapter 5 Resource profiles 71
Licensing: Resource profile availability...........................................................72
Task summary: Configuring resource profiles ................................................72
Resource profile components.........................................................................72
Defining resources...................................................................................75
Defining autopolicies ...............................................................................76
Defining roles ..........................................................................................77
Defining bookmarks ................................................................................78
Resource profile templates.............................................................................79
Chapter 6 Resource policies 81
Licensing: Resource policies availability .........................................................82
Resource policy components .........................................................................82
Specifying resources for a resource policy ...............................................83
Resource policy evaluation.............................................................................86
Creating detailed rules for resource policies ...................................................87
Writing a detailed rule .............................................................................88
Customizing resource policy UI views ............................................................89
Chapter 7 Authentication and directory servers 91
Licensing: Authentication server availability...................................................92
Task summary: Configuring authentication servers........................................92
Defining an authentication server instance ....................................................93
Defining an authentication server instance..............................................94
Modifying an existing authentication server instance ..............................94
Configuring an anonymous server instance ...................................................94
Anonymous server restrictions ................................................................95
Defining an anonymous server instance..................................................95
Configuring an ACE/Server instance...............................................................96
Defining an ACE/Server instance .............................................................97
Generating an ACE/Agent configuration file .............................................98
Configuring an Active Directory or NT Domain instance ................................99
Defining an Active Directory or Windows NT domain server instance...100
Multi-domain user authentication ..........................................................102
Active Directory and NT group lookup support ......................................104
Configuring a certificate server instance ......................................105
Configuring an LDAP server instance ...........................................................106
Defining an LDAP server instance .........................................................107
Configuring LDAP search attributes for meeting creators ......................110
Monitoring and deleting active user sessions.........................................110
Enabling LDAP password management .................................................111
Configuring a local authentication server instance .......................................115
Defining a local authentication server instance......................................115
Creating user accounts on a local authentication server.........................117
Managing user accounts ........................................................................118
Delegating user administration rights to end-users ................................119
Configuring an NIS server instance ..............................................................120
Configuring a RADIUS server instance .........................................................120
User experience for RADIUS users.........................................................121
Configuring the IVE to work with a RADIUS server................................122
Enabling RADIUS accounting.................................................................125
Configuring an eTrust SiteMinder server instance ........................................133
eTrust SiteMinder overview ...................................................................134
Configuring SiteMinder to work with the IVE.........................................138
Configuring the IVE to work with SiteMinder.........................................144
Debugging SiteMinder and IVE issues....................................................156
Configuring a SAML Server instance.............................................................156
Using the artifact profile and the POST profile.......................................157
Creating a new SAML Server instance....................................................161
Chapter 8 Authentication realms 165
Licensing: Authentication realms availability................................................166
Creating an authentication realm .................................................................166
Defining authentication policies ...................................................................168
Creating role mapping rules .........................................................................169
Specifying role mapping rules for an authentication realm ....................170
Customizing user realm UI views .................................................................178
Chapter 9 Sign-in policies 181
Licensing: Sign-in policies and pages availability..........................................183
Task summary: Configuring sign-in policies .................................................183
Configuring sign-in policies ..........................................................................183
Defining user sign-in policies.................................................183
Defining meeting sign-in policies...........................................................185
Enabling and disabling sign-in policies ..................................................186
Specifying the order in which sign-in policies are evaluated ..................187
Configuring sign-in pages.............................................................................187
Configuring standard sign-in pages........................................................188
Chapter 10 Single sign-on 191
Licensing: Single sign-on availability ............................................................191
Single sign-on overview ...............................................................................191
Multiple sign-in credentials overview ...........................................................193
Task Summary: Configuring multiple authentication servers .................193
Task Summary: Enabling SSO to resources protected by basic authentication.................................................194
Task Summary: Enabling SSO to resources protected by NTLM.............194
Multiple sign-in credentials execution....................................................196
Configuring SAML ........................................................................................201
Configuring SAML SSO profiles ....................................................................204
Creating an artifact profile .....................................................................204
Creating a POST profile .........................................................................208
Creating an access control policy...........................................................211
Creating a trust relationship between SAML-enabled systems ...............214
Part 3 Endpoint defense
Chapter 11 Host Checker 223
Licensing: Host Checker availability .............................................................224
Task summary: Configuring Host Checker ...................................................224
Creating global Host Checker policies ..........................................................226
Enabling pre-defined client-side policies (Windows only) ......................227
Creating and configuring new client-side policies ..................................231
Enabling customized server-side policies...............................................242
Enabling the Secure Virtual Workspace........................................................244
Secure Virtual Workspace features ........................................................245
Secure Virtual Workspace restrictions and defaults ...............................245
Configuring the Secure Virtual Workspace.............................................246
Implementing Host Checker policies............................................................251
Executing Host Checker policies ............................................................252
Configuring Host Checker restrictions....................................................253
Remediating Host Checker policies ..............................................................255
Host Checker remediation user experience ...........................................256
Table of Contents
Table of Contents xi
Configuring Host Checker remediation ..................................................257
Defining Host Checker pre-authentication access tunnels ............................258
Specifying Host Checker pre-authentication access tunnel definitions ...259
Specifying general Host Checker options .....................................................262
Specifying Host Checker installation options................................................264
Removing the Juniper ActiveX Control...................................................265
Using Host Checker with the GINA automatic sign-in function...............266
Automatically install Host Checker ........................................................266
Manually install Host Checker................................................................267
Using Host Checker logs...............................................................................267
Chapter 12 Cache Cleaner 269
Licensing: Cache Cleaner availability............................................................269
Setting global Cache Cleaner options ...........................................................270
Implementing Cache Cleaner options ..........................................................273
Executing Cache Cleaner .......................................................................273
Specifying Cache Cleaner restrictions ....................................................275
Specifying Cache Cleaner installation options ..............................................277
Using Cache Cleaner logs .............................................................................278
Part 4 Remote access
Chapter 13 Web rewriting 281
Licensing: Web rewriting availability............................................................282
Task summary: Configuring the Web rewriting feature................................282
Web URL rewriting overview .......................................................................283
Remote SSO overview ...........................................................................285
Passthrough-proxy overview..................................................................286
Defining resource profiles: Custom Web applications ..................................288
Defining base URLs ...............................................................................290
Defining a Web access control autopolicy..............................................290
Defining Web resources ........................................................................291
Defining a single sign-on autopolicy ......................................................292
Defining a caching autopolicy................................................................296
Defining a Java access control autopolicy ..............................................298
Defining a rewriting autopolicy..............................................................300
Defining a Web compression autopolicy................................................304
Defining a Web bookmark.....................................................................305
Defining resource profiles: Citrix Web applications......................................307
Defining resource profiles: Microsoft OWA ..................................................311
Defining resource profiles: Lotus iNotes .......................................................313
Defining resource profiles: Microsoft Sharepoint..........................................315
Defining role settings: Web URLs .................................................................316
Creating bookmarks through existing resource profiles .........................317
Creating standard Web bookmarks .......................................................317
Specifying general Web browsing options .............................................319
Defining resource policies: Overview ...........................................................322
Defining resource policies: Web access........................................................324
Defining resource policies: Single sign-on ....................................................325
Writing a Basic Authentication or NTLM Intermediation resource policy326
Writing a remote SSO Form POST resource policy ................................328
Writing a remote SSO Headers/Cookies resource policy ........................330
Defining resource policies: Caching..............................................................332
Writing a caching resource policy..........................................................332
Creating OWA and Lotus Notes caching resource policies .....................335
Specifying general caching options........................................................335
Defining resource policies: External Java applets .........................................336
Writing a Java access control resource policy ........................................336
Writing a Java code signing resource policy...........................................338
Defining resource policies: Rewriting ...........................................................339
Creating a selective rewriting resource policy ........................................340
Creating a pass-through proxy resource policy ......................................342
Creating a custom header resource policy .............................................344
Creating an ActiveX parameter resource policy .....................................346
Restoring the default IVE ActiveX resource policies ...............................348
Creating rewriting filters........................................................................349
Defining resource policies: Web compression..............................................349
Writing a Web compression resource policy..........................................350
Defining an OWA compression resource policy.....................................351
Defining resource policies: Web proxy.........................................................351
Writing a Web proxy resource policy.....................................................351
Specifying Web proxy servers ...............................................................353
Defining resource policies: HTTP 1.1 protocol..............................................354
Defining resource policies: General options..................................................355
Managing resource policies: Customizing UI views.......................................356
Chapter 14 Hosted Java applets 357
Licensing: Hosted Java applets availability ...................................................357
Task Summary: Hosting Java applets ...........................................................357
Hosted Java applets overview.......................................................................358
Uploading Java applets to the IVE ..........................................................359
Signing uploaded Java applets ...............................................................360
Creating HTML pages that reference uploaded Java applets...................361
Accessing Java applet bookmarks ..........................................................361
Defining resource profiles: Hosted Java applets............................................362
Defining a hosted Java applet bookmark ...............................................363
Use case: Creating a Citrix JICA 8.0 Java applet bookmark...........................368
Chapter 15 File rewriting 371
Licensing: File rewriting availability .............................................................371
Defining resource profiles: File rewriting......................................................371
Defining file resources...........................................................................373
Defining a file access control autopolicy ................................................374
Defining a file compression autopolicy ..................................................374
Defining a single sign-on autopolicy (Windows only).............................375
Defining a file bookmark .......................................................................376
Defining role settings: Windows resources...................................................378
Creating advanced bookmarks to Windows resources...........................379
Creating Windows bookmarks that map to LDAP servers......................380
Defining general file browsing options ..................................................381
Defining resource policies: Windows file resources......................................381
Canonical format: Windows file resources.............................................382
Writing a Windows access resource policy ............................................383
Writing a Windows SSO resource policy................................................384
Writing a Windows compression resource policy ..................................386
Defining general file writing options......................................................387
Defining role settings: UNIX/NFS file resources ............................................387
Creating advanced bookmarks to UNIX resources .................................388
Defining general file browsing options ..................................................389
Defining resource policies: UNIX/NFS file resources.....................................389
Canonical format: UNIX/NFS file resources............................................390
Writing UNIX/NFS resource policies.......................................................391
Writing a UNIX/NFS compression resource policy ..................................392
Defining general file writing options......................................................393
Chapter 16 Secure Application Manager 395
Licensing: Secure Application Manager availability ......................................396
Task Summary: Configuring WSAM .............................................................396
W-SAM overview..........................................................................................397
Securing client/server traffic using WSAM .............................................397
Antivirus and VPN client application compatibility ................................400
Launching Network Connect during a WSAM session ............................401
Debugging WSAM issues .......................................................................401
Defining resource profiles: WSAM................................................................401
Creating WSAM client application resource profiles...............................402
Creating WSAM destination network resource profiles ..........................403
Defining role settings: WSAM.......................................................................404
Specifying applications and servers for WSAM to secure .......................405
Specifying applications that need to bypass WSAM ...............................407
Specifying role-level WSAM options.......................................................408
Downloading WSAM applications ..........................................................410
Defining resource policies: WSAM................................................................410
Specifying application servers that users can access..............................410
Specifying resource level WSAM options ...............................................412
Using the W-SAM launcher...........................................................................413
Running scripts manually ......................................................................414
Running scripts automatically................................................................415
Task Summary: Configuring JSAM................................................................416
J-SAM overview ............................................................................................417
Using JSAM for client/server communications .......................................418
Linux and Macintosh support ................................................................426
Standard application support: MS Outlook.............................................427
Standard application support: Lotus Notes.............................................428
Standard application support: Citrix Web Interface for MetaFrame (NFuse Classic)............................................................................430
Custom application support: Citrix published applications configured from the native client ..............................................................431
Custom application support: Citrix secure gateways..............................434
Defining resource profiles: JSAM ..................................................................435
Defining role settings: JSAM .........................................................................439
Specifying applications for JSAM to secure ............................................439
Specifying role level JSAM options .........................................................442
Defining resource policies: JSAM..................................................................443
Automatically launching JSAM ...............................................................443
Specifying application servers that users can access..............................445
Specifying resource level JSAM options..................................................447
Chapter 17 Telnet/SSH 449
Licensing: Telnet/SSH availability .................................................................450
Task summary: Configuring the Telnet/SSH feature .....................................450
Defining resource profiles: Telnet/SSH .........................................................450
Defining a Telnet/SSH resource profile bookmark..................................452
Defining role settings: Telnet/SSH ................................................................454
Creating advanced session bookmarks ..................................................454
Configuring general Telnet/SSH options.................................................455
Defining resource policies: Telnet/SSH .........................................................456
Writing Telnet/SSH resource policies .....................................................457
Matching IP addresses to host names....................................................458
Chapter 18 Terminal Services 461
Licensing: Terminal Services availability ......................................................461
Task Summary: Configuring the Terminal Services feature ..........................461
Terminal Services overview .........................................................................463
Terminal Services user experience ........................................................463
Terminal Services execution..................................................................464
Configuring Citrix to support ICA load balancing ...................................467
Comparing IVE access mechanisms for configuring Citrix .....................469
Defining resource profiles: Terminal Services .............................................470
Defining a Windows profile or Citrix profile using default ICA settings ..470
Defining a Citrix profile using custom ICA settings ...............................476
Defining role settings: Terminal Services .....................................................480
Creating advanced Terminal Services session bookmarks .....................481
Creating links from an external site to a terminal services session bookmark ...485
Specifying general Terminal Services options ........................................487
Defining resource policies: Terminal Services ..............................................489
Configuring Terminal Services resource policies....................................489
Specifying the Terminal Services resource option..................................490
Chapter 19 Secure Meeting 493
Licensing: Secure Meeting availability ..........................................................493
Task Summary: Configuring Secure Meeting................................................494
Secure Meeting overview .............................................................................495
Scheduling meetings..............................................................................496
Sending notification emails ...................................................................497
Joining meetings....................................................................................498
Attending meetings ...............................................................................500
Conducting meetings.............................................................................500
Presenting meetings ..............................................................................501
Creating instant meetings and support meetings...................................501
Defining role settings: Secure Meeting .........................................................503
Enabling and configuring Secure Meeting..............................................503
Permissive merge guidelines for Secure Meeting ...................................506
Specifying authentication servers that meeting creators can access ......507
Defining resource policies: Secure Meeting ..................................................508
Troubleshooting Secure Meeting ..................................................................511
Monitoring Secure Meeting ..........................................................................512
Chapter 20 Email Client 513
Licensing: Email Client availability ...............................................................514
Email Client overview ..................................................................................514
Choosing an email client .......................................................................514
Working with a standards-based mail server .........................................515
Working with the Microsoft Exchange Server ........................................515
Working with Lotus Notes and the Lotus Notes Mail Server ...................517
Defining role settings: Email Client ..............................................................517
Defining resource policies: Email Client .......................................................518
Chapter 21 Network Connect 521
Licensing: Network Connect availability.......................................................523
Task Summary: Configuring Network Connect.............................................523
Network Connect overview ..........................................................................524
Network Connect execution ..................................................................525
Network Connect Connection Profiles with support for multiple DNS settings ...........................................................................530
Provisioning your network for Network Connect ...................................531
Client-side logging .................................................................................532
Network Connect proxy support............................................................532
Network Connect Quality of Service ......................................................533
Network Connect Multicast Support.......................................................533
Defining role settings: Network Connect ......................................................534
Defining resource policies: Network Connect...............................................536
Defining Network Connect access control policies.................................537
Defining Network Connect logging policies............................................538
Creating Network Connect connection profiles......................................539
Defining Network Connect split tunneling policies.................................544
Use case: Network Connect resource policy configuration.....................546
Defining system settings: Network Connect.................................................547
Specifying IP filters................................................................................547
Downloading the Network Connect installer..........................................548
Network Connect Installation Process Dependencies.............................549
Network Connect Un-installation Process Dependencies .......................551
Using the Network Connect Launcher (NC Launcher)...................................552
Troubleshooting Network Connect errors.....................................................553
nc.windows.app.23792 .........................................................................553
Version conflict on downgrade ..............................................................554
Part 5 System management
Chapter 22 General system management 557
Licensing: System management availability.................................................557
Task summary: Configuring management capabilities .................................558
Configuring network settings .......................................................................558
Bonding ports ........................................................................................559
Configuring general network settings ....................................................559
Configuring internal and external ports .................................................561
Configuring SFP ports............................................................................563
Configuring the Management Port.........................................................564
Configuring VLANs ................................................................................565
Configuring virtual ports........................................................................566
Task Summary: Defining Subnet Destinations Based on Roles ..............568
Configuring static routes for network traffic ..........................................569
Creating ARP caches..............................................................................570
Specifying host names for the IVE to resolve locally ..............................571
Specifying IP filters................................................................................571
Using central management features.............................................................571
Modifying Central Management dashboard graphs................................572
Configuring system utilities..........................................................................574
Reviewing system data..........................................................................574
Upgrading or downgrading the IVE .......................................................575
Setting system options ..........................................................................575
Downloading application installers ........................................................577
Configuring licensing, security, and NCP......................................................580
Entering or upgrading IVE licenses ........................................................580
Activating and deactivating emergency mode .......................................586
Setting security options .........................................................................587
Configuring NCP and JCP.......................................................................589
Installing a Juniper software service package.........................................590
Configuring and using the Management Port ...............................................591
Configuring Management Port network settings ....................................592
Adding static routes to the management route table .............................593
Assigning certificate to Management Port..............................................593
Controlling administrator sign-in access ................................................594
Signing in over the Management Port....................................................595
Setting role-mapping rules using custom expressions............................595
Troubleshooting the Management Port..................................................596
Using the Management Port on a cluster ...............................................597
Importing configurations to a system with the Management Port enabled ...597
Chapter 23 Certificates 599
Licensing: Certificate availability ..................................................................600
Using device certificates...............................................................................600
Importing certificates into the IVE .........................................................601
Downloading a device certificate from the IVE ......................................603
Creating a certificate signing request (CSR) for a new certificate ...........604
Using intermediate server CA certificates ..............................................605
Using multiple IVE device certificates ....................................................605
Using trusted client CAs ...............................................................................607
Enabling trusted client CAs....................................................................608
Enabling client CA hierarchies ...............................................................614
Enabling CRLs .......................................................................................615
Enabling OCSP ......................................................................................619
Using trusted server CAs ..............................................................................621
Uploading trusted server CA certificates ................................................621
Renewing a trusted server CA certificate ...............................................622
Deleting a trusted server CA certificate..................................................622
Viewing trusted server CA certificate details ..........................................623
Using code-signing certificates .....................................................................623
Additional considerations for SUN JVM users.........................................625
Task Summary: Configuring the IVE to sign or re-sign Java applets .......625
Importing a code-signing certificate.......................................................626
Chapter 24 System archiving 627
Licensing: System archiving availability .......................................................627
Archiving IVE binary configuration files .......................................................628
Creating local backups of IVE configuration files ..........................................630
Importing and exporting IVE configuration files...........................................632
Exporting a system configuration file ....................................................632
Importing a system configuration file ....................................................633
Exporting local user accounts or resource policies.................................634
Importing local user accounts or resource policies.................................635
Importing and exporting XML configuration files .........................................635
Creating and modifying XML instances .................................................637
Referential integrity constraints.............................................................641
Mapping the XML instance to UI components .......................................642
XML import modes................................................................................643
Downloading the schema file ................................................................645
Strategies for working with XML instances ............................................646
XML Import/Export use cases ................................................................650
Importing to a system with the Management Port.................................656
Pushing configurations from one IVE to another..........................................656
Defining the target IVEs.........................................................................657
Pushing the configuration settings.........................................................658
Chapter 25 Logging and monitoring 663
Licensing: Logging and monitoring availability.............................................663
Logging and Monitoring overview ................................................................664
Log file severity levels............................................................................665
Custom filter log files.............................................................................666
Dynamic log filters ................................................................................666
Viewing and deleting user sessions........................................................666
Configuring the Log Monitoring features ......................................................668
Configuring events, user access, admin access, IDP sensor, and NC packet logs ...668
Creating, resetting, or saving a dynamic log query ................................669
Specifying which events to save in the log file .......................................670
Creating, editing, or deleting log filters ..................................................672
Creating custom filters and formats for your log files ............................672
Monitoring the IVE as an SNMP agent..........................................................673
Viewing system statistics .............................................................................679
Enabling client-side logs...............................................................................679
Enabling client-side logging and global options......................................680
Enabling client-side log uploads.............................................................681
Viewing uploaded client-side logs ..........................................................682
Viewing general status .................................................................................683
Viewing system capacity utilization .......................................................683
Specifying time range and data to display in graphs..............................684
Configuring graph appearance...............................................................684
Viewing critical system events...............................................................685
Downloading the current service package .............................................685
Editing the system date and time ..........................................................685
Monitoring active users................................................................................686
Viewing and cancelling scheduled meetings.................................................687
xviii Table of Contents
Juniper Networks Secure Access Administration Guide
Chapter 26 Troubleshooting 689
Licensing: Troubleshooting availability.........................................................689
Simulating or tracking events.......................................................................690
Simulating events that cause a problem ................................................690
Tracking events using policy tracing......................................................692
Recording sessions.......................................................................................694
Creating snapshots of the IVE system state..................................................695
Creating TCP dump files...............................................................................696
Testing IVE network connectivity.................................................................697
Address Resolution Protocol (ARP) ........................................................697
Ping.......................................................................................................697
Traceroute .............................................................................................698
NSlookup...............................................................................................698
Running debugging tools remotely...............................................................699
Creating debugging logs...............................................................................699
Monitoring cluster nodes..............................................................................700
Configuring group communication monitoring on a cluster .........................701
Configuring network connectivity monitoring on a cluster...........................702
Chapter 27 Clustering 705
Licensing: Clustering availability ..................................................................706
Task summary: Deploying a cluster .............................................................706
Creating and configuring a cluster................................................................707
Defining and initializing a cluster...........................................................708
Joining an existing cluster......................................................................710
Configuring cluster properties ......................................................................712
Deploying two nodes in an Active/Passive cluster..................................712
Deploying two or more units in an Active/Active cluster........................714
Synchronizing the cluster state ..............................................................715
Configuring cluster properties................................................................718
Managing and configuring clusters...............................................................720
Adding multiple cluster nodes ...............................................................720
Managing network settings for cluster nodes.........................................721
Upgrading clustered nodes ....................................................................721
Upgrading the cluster service package...................................................722
Deleting a cluster...................................................................................723
Restarting or rebooting clustered nodes ................................................723
Admin console procedures ....................................................................724
Monitoring clusters................................................................................725
Troubleshooting clusters........................................................................726
Serial console procedures.............................................................................728
Chapter 28 Delegating administrator roles 733
Licensing: Delegated administration role availability....................................734
Creating and configuring administrator roles ...............................................734
Creating administrator roles ..................................................................735
Modifying administrator roles................................................................735
Deleting administrator roles ..................................................................736
Specifying management tasks to delegate....................................................736
Delegating system management tasks...................................................737
Delegating user and role management ..................................................737
Delegating user realm management ......................................................738
Delegating administrative management ................................................739
Delegating resource policy management...............................................741
Delegating resource profile management ..............................................742
Defining general system administrator role settings ....................................743
Defining default options for administrator roles ....................................743
Managing general role settings and options...........................................743
Specifying access management options for the role ..............................744
Specifying general session options ........................................................744
Specifying UI options.............................................................................745
Delegating access to IVS systems ..........................................................746
Chapter 29 Instant Virtual System (IVS) 747
Licensing: IVS availability.............................................................................748
Deploying an IVS .........................................................................................748
Virtualized IVE architecture ...................................................................750
Signing in to the root system or the IVS .......................................................751
Signing-in using the sign-in URL prefix ..................................................751
Signing-in over virtual ports...................................................................753
Signing-in over a VLAN interface ...........................................................754
Navigating to the IVS .............................................................................754
Determining the subscriber profile...............................................................754
IVS Configuration Worksheet.................................................................754
Administering the root system ..............................................................756
Configuring the root administrator ........................................................757
Provisioning an IVS ......................................................................................757
Understanding the provisioning process ......................................................758
Configuring sign-in ports..............................................................................760
Configuring the external port.................................................................760
Configuring a virtual port for sign-in on the external port......................761
Configuring a virtual port for sign-in on the internal port.......................761
Configuring a Virtual Local Area Network (VLAN).........................................762
Configuring VLANs on the virtualized IVE..............................................763
Adding static routes to the VLAN route table .........................................764
Deleting a VLAN ....................................................................................765
Loading the certificates server......................................................................766
Creating a virtual system (IVS profile) ..........................................................766
Creating a new IVS profile .....................................................................766
Signing in directly to the IVS as an IVS administrator...................................768
Configuring role-based source IP aliasing .....................................................769
Associating roles with VLANs and the source IP address........................770
Configuring virtual ports for a VLAN ......................................................770
Associating roles with source IP addresses in an IVS .............................770
Configuring policy routing rules on the IVS ..................................................771
Routing Rules ........................................................................................772
Overlapping IP address spaces ..............................................................773
Define Resource policies........................................................................773
Clustering a virtualized IVE ..........................................................................773
Configuring DNS for the IVS.........................................................................774
Accessing a DNS server on the MSP network.........................................775
Accessing a DNS server on a subscriber company intranet....................775
Configuring Network Connect for use on a virtualized IVE ...........................777
Configuring the Network Connect connection profile ............................777
Configuring Network Connect on backend routers ................................777
Configuring a centralized DHCP server ........................................................780
Configuring authentication servers...............................................................782
Rules governing access to authentication servers ..................................782
Configuring authentication on a RADIUS server.....................................783
Configuring authentication on Active Directory .....................................783
Delegating administrative access to IVS systems..........................................784
Accessing standalone installers ....................................................................784
Performing export and import of IVS configuration files ..............................785
Exporting and importing the root system configuration ........................785
Monitoring subscribers.................................................................................787
Suspending subscriber access to the IVS................................................787
Troubleshooting VLANs................................................................................788
Performing TCPDump on a VLAN..........................................................788
Using commands on a VLAN (Ping, traceroute, NSLookup, ARP)...........789
IVS use cases................................................................................................789
Policy routing rules resolution use case for IVS......................................789
Configuring a global authentication server for multiple subscribers.......795
Configuring a DNS/WINS server IP address per subscriber ....................795
Configuring access to Web applications and Web browsing for each subscriber ........796
Configuring file browsing access for each subscriber.............................797
Setting up multiple subnet IP addresses for a subscriber’s end-users.....798
Configuring multiple IVS systems to allow access to shared server........799
Chapter 30 IVE and IDP Interoperability 801
Licensing: IDP availability ............................................................................802
Deployment scenarios .................................................................................802
Configuring the IVE to Interoperate with an IDP ..........................................803
Configuring IDP connections .................................................................803
Identifying and managing quarantined users manually .........................807
Part 6 System services
Chapter 31 IVE serial console 811
Licensing: Serial console availability.............................................................811
Connecting to an IVE appliance’s serial console...........................................811
Rolling back to a previous system state........................................................812
Rolling back to a previous system state through the admin console ......813
Rolling back to a previous system state through the serial console ........813
Resetting an IVE appliance to the factory setting .........................................814
Performing common recovery tasks ............................................................817
Chapter 32 Customizable admin and end-user UIs 819
Licensing: Customizable UI availability ........................................................819
Customizable admin console elements overview .........................................819
Customizable end-user interface elements overview....................................821
Chapter 33 Secure Access 6000 823
Standard hardware ......................................................................................823
Secure Access 6000 field-replaceable units ..................................................824
Chapter 34 Secure Access FIPS 827
Licensing: Secure Access FIPS availability ....................................................827
Secure Access FIPS execution ......................................................................828
Creating administrator cards........................................................................829
Administrator card precautions .............................................................830
Deploying a cluster in an Secure Access FIPS environment..........................830
Creating a new security world......................................................................832
Creating a security world on a stand-alone IVE......................................833
Creating a security world in a clustered environment............................834
Replacing administrator cards ...............................................................834
Recovering an archived security world.........................................................835
Importing a security world into a stand-alone IVE................................836
Importing a security world into a cluster ...............................................837
Chapter 35 Compression 839
Licensing: Compression availability .............................................................839
Compression execution................................................................................839
Supported data types ...................................................................................840
Enabling compression at the system level....................................................841
Creating compression resource profiles and policies....................................842
Chapter 36 Multi-language support 843
Licensing: Multi-language support availability ..............................................844
Encoding files ..............................................................................................844
Localizing the user interface.........................................................................844
Localizing custom sign-in and system pages ................................................845
Chapter 37 Handheld devices and PDAs 847
Licensing: Handheld and PDA support availability .......................................848
Task summary: Configuring the IVE for PDAs and handhelds ......................848
Defining client types ....................................................................................849
Enabling WSAM on PDAs.............................................................................851
Part 7 Supplemental information
Appendix A Writing custom expressions 855
Licensing: Custom expressions availability...................................................855
Custom expressions.....................................................................................855
Wildcard matching ................................................................................859
DN variables and functions....................................................................859
System variables and examples ...................................................................860
Using system variables in realms, roles, and resource policies.....................869
Using multi-valued attributes .................................................................870
Specifying fetch attributes in a realm ....................................................871
Specifying the homeDirectory attribute for LDAP ..................................872
About This Guide
This guide provides the information you need to understand, configure, and
maintain a Juniper Networks Instant Virtual Extranet (IVE) appliance, including:
Overview material to familiarize yourself with Secure Access products and the
underlying access management system
Overview material describing baseline and advanced features, as well as
upgrade options
Instructions for configuring and managing your IVE appliance or cluster
Audience
This guide is for the system administrator responsible for configuring Secure Access
and Secure Access FIPS products.
Where to find additional information
Administrator and developer documentation
To download a PDF version of this administration guide, go to the IVE OS
Product Documentation page of the Juniper Networks Customer Support Center.
For information about the changes that Secure Access clients make to client
computers, including installed files and registry changes, and for information
about the rights required to install and run Secure Access clients, refer to the
Client-side Changes Guide.
For information on how to develop Web applications that are compliant with
the IVE Content Intermediation Engine, refer to the Content Intermediation
Engine Best Practices Guide.
For information on how to personalize the look-and-feel of the pre-
authentication, password management, and Secure Meeting pages that the IVE
displays to end-users and administrators, refer to the Custom Sign-In Pages
Solution Guide.
For information on how to write and implement solutions through Host
Checker client and server APIs, and for information about how to check for
specific third-party solutions through Host Checker, refer to the J.E.D.I. Solution
Guide.
Error Message Documentation
For information about error messages that Network Connect and WSAM
displays to end-users, refer to Network Connect and WSAM Error Messages.
For information about error messages that Secure Meeting displays to
administrators and end-users, refer to Secure Meeting Error Messages.
Hardware documentation
For help during installation, refer to the Quick Start Guide that comes with the
product.
For Secure Access and Secure Access FIPS safety information, refer to the
Juniper Networks Security Products Safety Guide.
For information on how to install hard disks, power supplies, and cooling fans
on Secure Access 6000 appliances, refer to the Secure Access 6000 Field
Replaceable Units Guide.
Product downloads
To download the latest build of the Secure Access and Secure Access FIPS OS
and release notes, go to the IVE OS Software page of the Juniper Networks
Customer Support Center.
Conventions
Table 1 defines notice icons used in this guide, and Table 2 defines text
conventions used throughout the book.
Table 1: Notice icons (icon, meaning, description)
Informational note: Indicates important features or instructions.
Caution: Indicates that you may risk losing data or damaging your hardware.
Warning: Alerts you to the risk of personal injury.
Documentation
Release Notes
Release notes are included with the product software and are available on the Web.
In the Release Notes, you can find the latest information about features, changes,
known problems, and resolved problems. If the information in the Release Notes
differs from the information found in the documentation set, follow the Release
Notes.
Web Access
To view the documentation on the Web, go to:
http://www.juniper.net/techpubs/
Contacting Customer Support
For technical support, contact Juniper Networks at support@juniper.net, or at
1-888-314-JTAC (within the United States) or 408-745-9500 (from outside the
United States).
Table 2: Text conventions (except for command syntax)
Bold typeface
Description: Indicates buttons, field names, dialog box names, and other user interface elements.
Example: Use the Scheduling and Appointment tabs to schedule a meeting.
Plain sans serif typeface
Description: Represents code, commands, and keywords; URLs, file names, and directories.
Examples:
Code: certAttr.OU = 'Retail Products Group'
URL: Download the JRE application from: http://java.sun.com/j2se/
Italics
Description: Identifies terms defined in text, variable elements, and book names.
Examples:
Defined term: An RDP client is a Windows component that enables a connection between a Windows server and a user’s machine.
Variable element: Use settings in the Users > User Roles > Select Role > Terminal Services page to create a terminal emulation session.
Book name: See the IVE Supported Platforms document.
Part 1
Getting started
The IVE is a hardened network appliance that provides robust security by
intermediating the data streams that flow between external users and internal
resources. This section contains the following information about beginning to use
and understand the IVE:
“Initial Verification and Key Concepts” on page 3
“Introduction to the IVE” on page 23
Chapter 1
Initial Verification and Key Concepts
This section describes the tasks to perform after you initially install and
configure your IVE. The contents of this section assume that you have already
followed the Task Guide in the admin console to update your software image and
to generate and apply your Secure Access license key.
Verifying user accessibility
You can easily create a user account in the system authentication server for use in
verifying user accessibility to your IVE. After creating the account through the
admin console, sign in as that user on the IVE user sign-in page.
To verify user accessibility:
1. In the admin console, choose Authentication > Auth. Servers.
2. Select System Local.
3. Select the Users tab.
4. Click New.
5. On the New Local User page, enter “testuser1” as the username and a
password, and then click Save Changes. The IVE creates the testuser1 account.
6. In another browser window, enter the machine’s URL to access the user sign-in
page. The URL is in the format: https://a.b.c.d, where a.b.c.d is the machine IP
address you entered in the serial console when you initially configured your
IVE. When prompted with the security alert to proceed without a signed
certificate, click Yes. If the user sign-in page appears, you have successfully
connected to your IVE appliance.
Figure 1: User Sign-in Page
7. On the sign-in page, enter the username and password you created for the user
account and then click Sign In to access the IVE home page for users.
Figure 2: User Home Page (default)
8. In the browser Address field, enter the URL to an internal Web server and click
Browse. The IVE opens the Web page in the same browser window, so to
return to the IVE home page, click the center icon in the browsing toolbar that
appears on the target Web page.
Figure 3: Example Internal Web Page with Browsing Toolbar
9. On the IVE home page, enter the URL to your external corporate site and click
Browse. The IVE opens the Web page in the same browser window, so use the
browsing toolbar to return to the IVE home page.
10. On the IVE home page, click Browsing > Windows Files to browse available
Windows file shares or Browsing > UNIX/NFS Files to browse available
UNIX/NFS file shares.
After verifying user accessibility, return to the admin console to go through an
introduction of key concepts, as described in “Creating a test scenario to learn IVE
concepts and best practices” on page 5.
Creating a test scenario to learn IVE concepts and best practices
The IVE provides a flexible access management system that makes it easy to
customize a user’s remote access experience through the use of roles, resource
policies, authentication servers, authentication realms, and sign-in policies. To
enable you to quickly begin working with these entities, the IVE ships with system
defaults for each. This section describes these system defaults and shows you how
to create each access management entity by performing the following tasks:
“Defining a user role” on page 6
“Defining a resource profile” on page 8
“Defining an authentication server” on page 10
“Defining an authentication realm” on page 13
“Defining a sign-in policy” on page 16
“Using the test scenario” on page 19
Defining a user role
The IVE is pre-configured with one user role called “Users.” This pre-defined role
enables the Web and file browsing access features, enabling any user mapped to the
Users role to access the Internet, corporate Web servers, and any available Windows
and UNIX/NFS file servers. You can view this role on the Users > User Roles page.
To define a user role:
1. In the admin console, choose Users > User Roles.
2. On the Roles page, click New Role.
3. On the New Role page, enter “Test Role” in the Name field and then click Save
Changes. Wait for the IVE to display the General > Overview page for Test
Role.
4. On the Overview page, select the Web checkbox under Access features and
then click Save Changes.
5. Choose Web > Options.
6. Select the User can type URLs in the IVE browser bar checkbox, and then
click Save Changes.
NOTE: The IVE supports two types of users:
Administrators—An administrator is a person who may view or modify IVE
configuration settings. You create the first administrator account through the
serial console.
Users—A user is a person who uses the IVE to gain access to corporate
resources as configured by an administrator. You create the first user account
(testuser1) in “Verifying user accessibility” on page 3.
The following test scenario focuses on using the IVE access management elements
to configure access parameters for a user. For information about the system
default settings for administrators, see “Configuring default settings for
administrators” on page 22.
NOTE: After you enable an access feature for a role (on the Users > User Roles >
Role Name page), configure the appropriate corresponding options that are
accessible from the access feature’s configuration tab.
After completing these steps, you have defined a user role. When you create
resource profiles, you can apply them to this role. You can also map users to this
role through role mapping rules defined for an authentication realm.
Figure 4: Users > User Roles > New Role page
NOTE: To quickly create a user role that enables Web and file browsing, duplicate
the Users role, and then enable additional access features as desired.
Figure 5: Users > User Roles > Test Role > General > Overview
Defining a resource profile
A resource profile is a set of configuration options that contains all of the resource
policies, role assignments, and end-user bookmarks required to provide access to
an individual resource.
Within a resource profile, a resource policy specifies the resources to which the
policy applies (such as URLs, servers, and files) and whether the IVE grants access
to a resource or performs an action. Note that the IVE is pre-configured with two
types of resource policies:
Web Access—The pre-defined Web Access resource policy enables all users to
access the Internet and all corporate Web servers through the IVE. By default,
this resource policy applies to the Users role.
Windows Access—The pre-defined Windows Access resource policy enables
all users mapped to the Users role to access all corporate Windows file servers.
By default, this resource policy applies to the Users role.
To define a resource profile:
1. In the admin console, choose Users > Resource Profiles > Web > Web
Applications/Pages.
2. On the Web Applications Resource Profile page, click New Profile.
3. On the New Web Applications Resource Profile page:
a. In the Type field, keep the default option (Custom)
b. In the Name field, enter “Test Web Access”
c. In the Base URL field, enter “http://www.google.com”
d. In the Autopolicy: Web Access Control section, select the checkbox next
to the default policy created by the IVE (http://www.google.com:80/*) and
choose Delete.
e. In the Autopolicy: Web Access Control section, enter
“http://www.google.com” in the Resource field, select Deny from the
Action list, and click Add.
f. Click Save and Continue.
4. In the Roles tab:
a. Select “Test Role” in the Available Roles field and click Add to move it to
the Selected Roles field.
b. Click Save Changes.
The IVE adds “Test Web Access” to the Web Application Resource Policies page
and automatically creates a corresponding bookmark that links to google.com.
After completing these steps, you have configured a Web Access resource profile.
Note that even though the IVE comes with a resource policy that enables access to
all Web resources, users mapped to Test Role are still prohibited from accessing
http://www.google.com. These users are denied access because the autopolicy you
created during the resource profile configuration takes precedence over the default
Web access policy that comes with the IVE.
NOTE: Delete the default Web Access and Windows Access resource policies if you
are concerned about users having access to all of your Web and file content. You
can access the default Web and file resource policies on the Users > Resource
Policies > Web > Access and Users > Resource Policies > Files > Access >
Windows pages.
Juniper Networks Secure Access Administration Guide
Figure 6: Users > Resource Profiles > Web > Web Applications/Pages > New Profile
Defining an authentication server
An authentication server is a database that stores user credentials—username and
password—and typically group and attribute information. When a user signs in to
an IVE, the user specifies an authentication realm, which is associated with an
authentication server. The IVE forwards the user’s credentials to this authentication
server to verify the user’s identity.
The IVE supports the most common authentication servers, including Windows NT
Domain, Active Directory, RADIUS, LDAP, NIS, RSA ACE/Server, SAML Server, and
eTrust SiteMinder, and enables you to create one or more local databases of users
who are authenticated by the IVE. The IVE is pre-configured with one local
authentication server for users called “System Local.” This pre-defined local
authentication server is an IVE database that enables you to quickly create user
accounts for user authentication. This ability provides flexibility for testing
purposes and for providing third-party access by eliminating the need to create
user accounts in an external authentication server.
You can view the default local authentication server on the Authentication >
Auth. Servers page.
To define an authentication server:
1. In the admin console, choose Authentication > Auth. Servers.
2. On the Authentication Servers page, choose Local Authentication from the
New list and then click New Server.
3. On the New Local Authentication page, enter “Test Server” in the Name field
and then click Save Changes. Wait for the IVE to notify you that the changes
are saved, after which additional configuration tabs appear.
4. Click the Users tab and then click New.
5. On the New Local User page, enter “testuser2” in the Username field, enter a
password, and then click Save Changes to create the user’s account in the Test
Server authentication server.
After completing these steps, you have created an authentication server that
contains one user account. This user can sign in to an authentication realm that
uses the Test Server authentication server.
NOTE: The IVE also supports authorization servers. An authorization server (or
directory server) is a database that stores user attribute and group information.
You can configure an authentication realm to use a directory server to retrieve
user attribute or group information for use in role mapping rules and resource
policies.
NOTE: The admin console provides last access statistics for each user account on
the respective authentication servers pages, on the Users tab under a set of
columns titled Last Sign-in Statistic. The statistics reported include the last
successful sign-in date and time for each user, the user’s IP address, and the agent
or browser type and version.
Figure 7: Authentication > Auth. Servers > New Server
Figure 8: Authentication > Auth. Servers > Test Server > Users > New
Figure 9: Authentication > Auth. Servers > Test Server > Users
Defining an authentication realm
An authentication realm is a grouping of authentication resources, including:
• An authentication server, which verifies a user’s identity. The IVE forwards
credentials submitted on a sign-in page to an authentication server.
• An authentication policy, which specifies realm security requirements that
need to be met before the IVE submits credentials to an authentication server
for verification.
• A directory server, which is an LDAP server that provides user and group
attribute information to the IVE for use in role mapping rules and resource
policies (optional).
• Role mapping rules, which are conditions a user must meet in order for the IVE
to map a user to one or more roles. These conditions are based on information
returned by the realm's directory server, the person’s username, or certificate
attributes.
The IVE is pre-configured with one user realm called “Users.” This pre-defined
realm uses the System Local authentication server, an authentication policy that
requires a minimum password length of four characters, no directory server, and
contains one role mapping rule that maps all users who sign in to the Users realm
to the Users role. The “testuser1” account you create in “Verifying user
accessibility” on page 3 is part of the Users realm, because this account is created
in the System Local authentication server. The “testuser2” account you create in
“Defining an authentication server” on page 10 is not part of the Users realm,
because you create the user account in the new “Test Server” authentication server,
which is not used by the Users realm.
You can view the default user authentication realm on the Users > User Realms
page.
To define an authentication realm:
1. In the admin console, choose User Realms.
2. On the User Authentication Realms page, click New.
3. On the New Authentication Realm page:
a. In the Name field, enter: Test Realm
b. Under Servers, choose “Test Server” from the Authentication list.
c. Click Save Changes. Wait for the IVE to notify you that the changes are
saved and to display the realm’s configuration tabs.
4. On the Role Mapping tab, click New Rule.
5. On the Role Mapping Rule page:
a. Under Rule: If username..., enter “testuser2” in the value field.
b. Under ...then assign these roles, select “Test Role” in the Available Roles
field and click Add to move it to the Selected Roles field.
c. Click Save Changes.
After completing these steps, you have finished creating an authentication realm.
This realm uses Test Server to authenticate users and a role mapping rule to map
“testuser2” to Test Role. Because the Test Web Access resource policy applies to
Test Role, any user mapped to this role cannot access http://www.google.com.
Figure 10: Users > User Realms > New Realm
Figure 11: Users > User Realms > Test Server > New Rule
Defining a sign-in policy
A sign-in policy is a system rule that specifies:
• A URL at which a user may sign in to the IVE
• A sign-in page to display to the user
• Whether or not the user needs to type or select an authentication realm to
which the IVE submits credentials
• The authentication realms to which the sign-in policy applies
All Secure Access and Secure Access FIPS IVEs are pre-configured with one sign-in
policy that applies to users: */. This default user sign-in policy (*/) specifies that
when a user enters the URL to the IVE, the IVE displays the default sign-in page for
users and requires the user to select an authentication realm (if more than one
realm exists). The */ sign-in policy is configured to apply to the Users authentication
realm, therefore this sign-in policy does not apply to the authentication realm you
create in “Defining an authentication realm” on page 13.
You can view the default user sign-in policy on the Authentication >
Authentication > Signing In Policies page. If your IVE has the Secure Meeting
Upgrade license, the */meeting sign-in policy is also listed on this page. This policy
enables you to customize the sign-in page for secure meetings.
To define a sign-in policy:
1. In the admin console, choose Authentication > Signing in > Sign-in Policies.
2. On the Sign-in Policies page, click */.
3. On the */ page:
a. In the Sign-in URL field, enter “test” after “*/.”
b. Under Authentication realm, select User picks from a list of
authentication realms, and then select “Test Realm” in the Available
Roles field and click Add to move it to the Selected Realms field. (Repeat
this process for the Users role if it is not already in the Selected Realms
field.)
c. Click Save Changes.
After completing these steps, you have finished modifying the default users sign-in
policy.
Optional:
1. Choose Authentication > Authentication > Signing In Pages, and then click
New Page.
2. On the New Sign-In Page page, enter “Test Sign-in Page” in the Name field,
enter “#FF0000” (red) in the Background color field, and then click Save
Changes.
3. Choose Authentication > Authentication > Signing In Policies, and then
click New URL.
4. On the New Sign-in Policy page, enter “*/test/” in the Name field, select
Default Sign-in Page in the Sign-in Page field, and click Save Changes.
5. Choose Authentication > Authentication > Signing In Policies, and then
click */test/ under User URLs.
6. On the */test/ page, choose “Test Sign-in Page” from the Sign-in page list and
then click Save Changes.
After completing these optional steps, you have finished defining a new sign-in
page that is associated with the “*/test/” sign-in policy.
The default sign-in policy applies to all users. You can modify the URL to the IVE user
sign-in page by adding to the path, such as “*/employees,” but you cannot create
additional sign-in policies unless you purchase the Advanced license for your IVE.
Figure 12: Authentication > Authentication > Signing In Policies > */
Figure 13: Authentication > Authentication > Signing In Policies > */test/ — Using New Sign-in Page
Using the test scenario
The test scenario enables you to:
• Access the user console using the modified default sign-in policy
• Sign in as the user created in Test Server to the Test Realm
• Test your Web browsing capabilities, which are dependent upon the proper
configuration of Test Role and Test Web Access
To use the test scenario:
1. In a browser, enter the machine’s URL followed by “/test” to access the user
sign-in page. The URL is in the format: https://a.b.c.d/test, where a.b.c.d is the
machine IP address you entered in the serial console during initial
configuration. When prompted with the security alert to proceed without a
signed certificate, click Yes. If the user sign-in page appears, you have
successfully connected to your IVE appliance.
Figure 14: User Sign-in Page
2. On the sign-in page, enter the username and password you created for the user
account in Test Server, specify “Test Realm” in the Realm field, and then click
Sign In to access the IVE home page for users.
The IVE forwards the credentials to Test Realm, which is configured to use Test
Server. Upon successful verification by this authentication server, the IVE
processes the role mapping rule defined for Test Realm, which maps “testuser2”
to Test Role. Test Role enables Web browsing for users.
Figure 15: User Home Page
NOTE: If you performed the optional configuration steps in “Defining a sign-in
policy” on page 16, the header color is red.
3. In the browser Address field, enter the URL to your corporate Web site and
click Browse. The IVE opens the Web page in the same browser window, so to
return to the IVE home page, click the center icon in the browsing toolbar that
appears on the target Web page.
4. On the IVE home page, enter “www.google.com” and click Browse. The IVE
displays an error message, because the Test Web Access resource policy denies
access to this site for users mapped to Test Role.
Figure 16: Example Error Message for Denied Resource
5. Return to the IVE home page, click Sign Out, and then return to the user sign-in
page.
6. Enter the credentials for testuser1, specify the Users realm, and then click Sign
In.
7. On the IVE home page, enter “www.google.com” and click Browse. The IVE
opens the Web page in the same browser window.
The test scenario demonstrates the basic IVE access management mechanisms.
You can create very sophisticated role mapping rules and resource policies that
control user access depending on factors such as a realm’s authentication policy, a
user’s group membership, and other variables. To learn more about IVE access
management, we recommend that you take a few minutes to review the online
Help to familiarize yourself with its contents.
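As an added example (not Juniper's code, and not part of this guide), the following Python model chains the objects built in this chapter, the sign-in policy, realm, authentication server, role mapping rule, role and resource policy, and reproduces the outcome of steps 2 to 7 above; it is the same sequence that Chapter 2 later describes as pre-authentication, realm, role and resource checks. It assumes first-match policy evaluation with the profile autopolicy ahead of the default Web Access policy, that the default policy covers every role (which step 3 implies), that a bare host resource covers every path on that host, a closed default when no policy matches, and constructed passwords.

```python
"""Simplified model of the access chain built in the test scenario above (added example,
not Juniper code): a sign-in URL selects a realm, the realm's authentication server
checks the password, a role mapping rule assigns roles, and the resource policies
attached to roles decide whether a Web resource is allowed. Policy ordering, URL
normalization and the sample credentials are assumptions, not documented IVE behaviour.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit


class SignInDenied(Exception):
    """Raised with the reason a sign-in attempt was rejected."""

@dataclass
class AuthServer:
    name: str
    users: dict                     # username -> password (constructed sample credentials)

@dataclass
class RoleMappingRule:
    username: str                   # "*" maps every user, as the Users realm's rule does
    roles: frozenset

@dataclass
class Realm:
    name: str
    auth_server: AuthServer
    rules: list
    min_password_length: int = 4    # the authentication policy of both realms on the page

@dataclass
class ResourcePolicy:
    name: str
    resource: str                   # as typed in the admin console
    action: str                     # "allow" or "deny"
    roles: Optional[frozenset] = None   # None: applies to every role (assumption)


def _parts(url):
    """(scheme, host, port, path) of a Web resource, defaulting port and path."""
    p = urlsplit(url if "://" in url else "http://" + url)
    return p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80), p.path or "/"

def canonical(url):
    s, h, port, path = _parts(url)
    return f"{s}://{h}:{port}{path}"

def to_glob(resource):
    """A bare host such as http://www.google.com is taken to cover every path on it."""
    if resource == "*":
        return "*"
    s, h, port, path = _parts(resource)
    return f"{s}://{h}:{port}{'/*' if path == '/' else path}"

def sign_in(sign_in_policies, realms, path, username, password, realm_name):
    """Sign-in policy -> realm -> authentication server -> role mapping; returns the roles."""
    offered = next((r for url, r in sign_in_policies.items() if fnmatchcase(path, url)), None)
    if offered is None or realm_name not in offered:
        raise SignInDenied(f"no user sign-in policy offers realm {realm_name!r} at {path}")
    realm = realms[realm_name]
    if len(password) < realm.min_password_length:          # realm authentication policy
        raise SignInDenied("authentication policy: password too short")
    if realm.auth_server.users.get(username) != password:  # authentication server
        raise SignInDenied(f"{realm.auth_server.name} rejected {username!r}")
    roles = frozenset().union(*(r.roles for r in realm.rules if r.username in ("*", username)))
    if not roles:
        raise SignInDenied("no role mapping rule matched")
    return roles

def check_web_access(resource_policies, roles, url):
    """First matching policy wins; the profile autopolicy is listed before the default."""
    target = canonical(url)
    for pol in resource_policies:
        if (pol.roles is None or pol.roles & roles) and fnmatchcase(target, to_glob(pol.resource)):
            return pol.action
    return "deny"                                          # nothing matched: assumed closed


# Constructed scenario following the steps in this chapter (passwords are made up)
SYSTEM_LOCAL = AuthServer("System Local", {"testuser1": "user1-pass"})
TEST_SERVER = AuthServer("Test Server", {"testuser2": "user2-pass"})
REALMS = {
    "Users": Realm("Users", SYSTEM_LOCAL, [RoleMappingRule("*", frozenset({"Users"}))]),
    "Test Realm": Realm("Test Realm", TEST_SERVER,
                        [RoleMappingRule("testuser2", frozenset({"Test Role"}))]),
}
SIGN_IN_POLICIES = {"*/test": ["Users", "Test Realm"]}     # the modified default policy
RESOURCE_POLICIES = [
    ResourcePolicy("Test Web Access", "http://www.google.com", "deny", frozenset({"Test Role"})),
    ResourcePolicy("Web Access", "*", "allow"),   # default policy; assumed to cover all roles
]

def run_scenario(username, password, realm_name, url):
    """Steps 2-7 of 'Using the test scenario' in one call: sign in at /test, then browse."""
    try:
        roles = sign_in(SIGN_IN_POLICIES, REALMS, "/test", username, password, realm_name)
    except SignInDenied as e:
        return f"sign-in denied: {e}"
    return check_web_access(RESOURCE_POLICIES, roles, url)
```

Calling run_scenario("testuser2", "user2-pass", "Test Realm", "www.google.com") yields "deny" while the same call as testuser1 in the Users realm yields "allow", matching steps 4 and 7; a wrong realm or a password shorter than the realm's minimum fails before the authentication server is ever consulted.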
NOTE:
• When you configure the IVE for your enterprise, we recommend that you
perform user access configuration in the order presented in this section.
For detailed configuration information, see the instructions in other sections of
this guide.
• Before you make your IVE available from external locations, we recommend
that you import a signed digital certificate from a trusted certificate authority
(CA).
Configuring default settings for administrators
Just like for users, the IVE provides default settings that enable you to quickly
configure accounts for administrators. This list summarizes the system default
settings for administrators:
• Administrator roles
  • .Administrators — This built-in role permits administrators to manage all
aspects of the IVE. The administrator user you create in the serial console
is mapped to this role.
  • .Read-Only Administrators — This built-in role permits users mapped to
the role to view (but not configure) all IVE settings. You need to map
administrators to this role if you want to restrict their access.
• Administrators local authentication server — The Administrators
authentication server is an IVE database that stores administrator accounts.
You create the first administrator account in this server through the serial
console. (The IVE adds all administrator accounts created through the serial
console to this server.) You cannot delete this local server.
• Admin Users authentication realm — The Admin Users authentication realm
uses the default Administrators authentication server, an authentication policy
that requires a minimum password length of four characters, no directory
server, and contains one role mapping rule that maps all users who sign in to
the Admin Users realm to the .Administrators role. The administrator account
you create in the serial console is part of the Admin Users realm.
• */admin sign-in policy — The default administrator sign-in policy (*/admin)
specifies that when a user enters the URL to the IVE followed by “/admin,” the
IVE displays the default sign-in page for administrators. This policy also
requires the administrator to select an authentication realm (if more than one
realm exists). The */admin sign-in policy is configured to apply to the Admin
Users authentication realm, therefore this sign-in policy applies to the
administrator account you create through the serial console.
NOTE: You need the Advanced license in order to create additional administrator
roles.
Chapter 2
Introduction to the IVE
The Juniper Networks Instant Virtual Extranet (IVE) platform serves as the
underlying hardware and software for the Juniper Networks SSL VPN appliances.
These products enable you to give employees, partners, and customers secure and
controlled access to your corporate data and applications including file servers,
Web servers, native messaging and email clients, hosted servers, and more from
outside your trusted network using just a Web browser.
This section contains the following information about the IVE:
• “What is the IVE?” on page 23
• “What can I do with the IVE?” on page 25
• “How do I start configuring the IVE?” on page 31
What is the IVE?
The IVE is a hardened network operating system that acts as the platform for all
Juniper Networks Secure Access products. These appliances provide a range of
enterprise-class scalability, high availability, and security features that extend
secure, remote access to network resources.
The IVE provides robust security by intermediating the data that flows between
external users and your company’s internal resources. Users gain authenticated
access to authorized resources via an extranet session hosted by the appliance.
During intermediation, the IVE receives secure requests from the external,
authenticated users and then makes requests to the internal resources on behalf of
those users. By intermediating content in this way, the IVE eliminates the need to
deploy extranet toolkits in a traditional DMZ or provision a remote access VPN for
employees.
To access the intuitive IVE home page, your employees, partners, and customers
need only a Web browser that supports SSL and an Internet connection. This page
provides the window from which your users can securely browse Web or file
servers, use HTML-enabled enterprise applications, start the client/server
application proxy, begin a Windows, Citrix, or Telnet/SSH terminal session, access
corporate email servers, start a secured layer three tunnel, or schedule or attend a
secure online meeting.1
1. These capabilities depend upon the Juniper Networks Secure Access product and upgrade options you have
purchased.
Figure 17: The IVE working within a LAN
You can configure a Juniper Networks Secure Access appliance to:
• Provide users with secure access to a variety of resources. The IVE
intermediates access to multiple types of applications and resources such as
Web-based enterprise applications, Java applications, file shares, terminal
hosts, and other client/server applications such as Microsoft Outlook, Lotus
Notes, the Citrix ICA Client, and pcAnywhere. Additionally, administrators can
provision an access method that allows full Layer 3 connectivity, providing the
same level of access that a user would get if they were on the corporate LAN.
• Fine-tune user access to the appliance, resource types, or individual resources
based on factors such as group membership, source IP address, certificate
attributes, and endpoint security status. For instance, you can use dual-factor
authentication and client-side digital certificates to authenticate users to the IVE
and use LDAP group membership to authorize users’ ability to access individual
applications.
• Assess the security status of your users’ computers by checking for endpoint
defense tools such as current antivirus software, firewalls, and security patches.
You can then allow or deny users access to the appliance, resource types, or
individual resources based on the computer’s security status.
The IVE acts as a secure, application-layer gateway intermediating all requests
between the public Internet and internal corporate resources. All requests that
enter the IVE are already encrypted by the end user's browser, using SSL/HTTPS
128-bit or 168-bit encryption—unencrypted requests are dropped. Since the IVE
provides a robust security layer between the public Internet and internal resources,
administrators do not need to constantly manage security policies and patch
security vulnerabilities for numerous different application and Web servers
deployed in the public-facing DMZ.
What can I do with the IVE?
The IVE offers a wide variety of features that you can use to secure your company’s
resources and easily maintain your environment. The following sections answer
questions you may have about the IVE’s security and management capabilities:
• “Can I use the IVE to secure traffic to all of my company’s applications, servers,
and Web pages?” on page 25
• “Can I use my existing servers to authenticate IVE users?” on page 27
• “Can I fine-tune access to the IVE and the resources it intermediates?” on
page 27
• “Can I create a seamless integration between the IVE and the resources it
intermediates?” on page 28
• “Can I use the IVE to protect against infected computers and other security
concerns?” on page 29
• “Can I ensure redundancy in my IVE environment?” on page 29
• “Can I make the IVE interface match my company’s look-and-feel?” on page 29
• “Can I enable users on a variety of computers and devices to use the IVE?” on
page 30
• “Can I provide secure access for my international users?” on page 30
Can I use the IVE to secure traffic to all of my company’s applications, servers, and Web
pages?
The IVE enables you to secure access to a wide variety of applications, servers, and
other resources through its remote access mechanisms. Once you have chosen
which resource you want to secure, you can then choose the appropriate access
mechanism.
For instance, if you want to secure access to Microsoft Outlook, you can use the
Secure Application Manager (SAM). The Secure Application Manager intermediates
traffic to client/server applications including Microsoft Outlook, Lotus Notes, and
Citrix. Or, if you want to secure access to your company Intranet, you can use the
Web rewriting feature. This feature uses the IVE’s Content Intermediation Engine to
intermediate traffic to Web-based applications and Web pages.
The IVE includes remote access mechanisms that intermediate the following types
of traffic:
• Web-based traffic, including Web pages and Web-based applications: Use
the Web rewriting feature to intermediate this type of content. The Web
rewriting feature includes templates that enable you to easily configure access
to applications such as Citrix, OWA, Lotus iNotes, and Sharepoint. In addition,
you can use the Web rewriting custom configuration option to intermediate
traffic from a wide variety of additional Web-based applications and Web
pages, including custom-built Web applications.
• Java applets, including Web applications that use Java applets: Use the
hosted Java applets feature to intermediate this type of content. This feature
enables you to host Java applets and the HTML pages that they reference
directly on the IVE rather than maintaining a separate Java server.
• File traffic, including file servers and directories: Use the file rewriting
feature to intermediate and dynamically “webify” access to file shares. The file
rewriting feature enables you to secure traffic to a variety of Windows and Unix
based servers, directories, and file shares.
• Client/server applications: Use the Secure Application Manager feature to
intermediate this type of content. The Secure Application Manager comes in
two varieties (Windows and Java versions, or WSAM and JSAM). The WSAM
and JSAM features include templates that enable you to easily configure access
to applications such as Lotus Notes, Microsoft Outlook, NetBIOS file browsing,
and Citrix. In addition, you can use the WSAM and JSAM custom configuration
options to intermediate traffic from a wide variety of additional client/server
applications and destination networks.
• Telnet and SSH terminal emulation sessions: Use the Telnet/SSH feature to
intermediate this type of content. This feature enables you to easily configure
access to a variety of networked devices that utilize terminal sessions including
UNIX servers, networking devices, and other legacy applications.
• Windows Terminal Servers and Citrix server terminal emulation sessions:
Use the Terminal Services feature to intermediate this type of content. This
feature enables you to easily configure access to Windows Terminal Servers,
Citrix MetaFrame Servers, and Citrix Presentation Servers (formerly known as
Nfuse servers). You can also use this feature to deliver the terminal services
clients directly from the IVE, eliminating the need to use another Web server to
host the clients.
• Email clients based on the IMAP4, POP3, and SMTP protocols: Use the email
client feature to intermediate this type of content. This feature enables you to
easily configure access to any corporate mail server based on the IMAP4,
POP3, and SMTP protocols, such as Microsoft Exchange Server and Lotus Notes
Mail servers.
• All network traffic: Use the Network Connect feature to create a secure, layer
3 tunnel over the SSL connection, allowing access to any type of application
available on the corporate network. This feature enables you to easily connect
remote users into your network by tunneling network traffic over port 443,
enabling users full access to all of your network resources without configuring
access to individual servers, applications, and resources.
For more information about securing traffic using the IVE remote access
mechanisms, see “Remote access” on page 279.
Can I use my existing servers to authenticate IVE users?
You can easily configure the IVE to use your company’s existing servers to
authenticate your end users—users do not need to learn a new username and
password to access the IVE. The IVE supports integration with LDAP, RADIUS, NIS,
Windows NT Domain, Active Directory, eTrust SiteMinder, SAML, and RSA
ACE/Servers.
Or, if you do not want to use one of these standard servers, you can store
usernames and credentials directly on the IVE and use the IVE itself as an
authentication server. In addition, you can choose to authenticate users based on
attributes contained in authentication assertions generated by SAML authorities or
client-side certificates. Or, if you do not want to require your users to sign into the
IVE, you can use the IVE anonymous authentication server, which allows users to
access the IVE without providing a username or password.
For more information about protecting access to the IVE using authentication
servers, see “Authentication and directory servers” on page 91.
Can I fine-tune access to the IVE and the resources it intermediates?
In addition to using authentication servers to control access to the IVE, you can
control access to the IVE and the resources it intermediates using a variety of
additional client-side checks. The IVE enables you to create a multi-layered
approach to protect the IVE and your resources:
1. First, you can perform pre-authentication checks that control user access to the
IVE sign-in page. For instance, you might configure the IVE to check whether or
not the user’s computer is running a particular version of Norton Antivirus. If it
is not running, you can determine that the user’s computer is unsecure and
disable access to the IVE sign-in page until the user has updated the computer’s
antivirus software.
2. Once a user has successfully accessed the IVE sign-in page, you can perform
realm-level checks to determine whether he can access the IVE end-user home
page. The most common realm-level check is performed by an authentication
server. (The server determines whether the user enters a valid username and
password.) You can perform other types of realm-level checks, however, such
as checking that the user’s IP address is in your network or that the user is
using the Web browser type that you specify.
If a user passes the realm-level checks that you specify, he can access the IVE
end-user home page. Otherwise, the IVE does not enable him to sign in, or the
IVE displays a “stripped down” version of the IVE home page that you create.
Generally, this stripped down version contains significantly less functionality
than is available to your standard users because the user has not passed all of
your authentication criteria. The IVE provides extremely flexible policy
definitions, enabling you to dynamically alter end-user resource access based
on corporate security policies.
3. After the IVE successfully assigns a user to a realm, the appliance maps him to
a role based on your selection criteria. A role specifies which access
mechanisms a selected group of users can access. It also controls session and
UI options for that group of users. You can use a wide variety of criteria to map
users to roles. For instance, you can map users to different roles based on
endpoint security checks or on attributes obtained from an LDAP server or
client-side certificate.
4. In most cases, a user’s role assignments control which individual resources he
can access. For instance, you might configure access to your company’s
Intranet page using a Web resource profile and then specify that all members
of the “Employees” role can access that resource.
However, you can choose to further fine-tune access to individual resources.
For instance, you may enable members of the “Employees” role to access your
company’s Intranet (as described above), but add a resource policy detailed
rule that requires users to meet additional criteria in order to access the
resource. For example, you may require users to be members of the
“Employees” role and to sign into the IVE during business hours in order to
access your company Intranet.
For more information about fine-tuning access to the IVE and the resources it
intermediates, see “Access management framework” on page 33.
Can I create a seamless integration between the IVE and the resources it intermediates?
In a typical IVE configuration, you could add bookmarks directly to the IVE end-
user home page. These bookmarks are links to the resources that you configure the
IVE to intermediate. Adding these bookmarks enables users to sign into a single
place (the IVE) and find a consolidated list of all of the resources available to them.
Within this typical configuration, you can streamline the integration between the
IVE and the intermediated resources by enabling single sign-on (SSO). SSO is a
process that allows pre-authenticated IVE users to access other applications or
resources that are protected by another access management system without having
to re-enter their credentials. During IVE configuration, you can enable SSO by
specifying user credentials that you want the IVE to pass to the intermediated
resources. For more information, see “Single sign-on” on page 191.
Or, if you do not want to centralize user resources on the IVE end-user home page,
you could create links to the IVE-intermediated resources from another Web page.
For instance, you can configure bookmarks on the IVE, and then add links to those
bookmarks from your company’s Intranet. Your users can then sign into your
company Intranet and click the links there to access the intermediated resources
without going through the IVE home page. As with standard IVE bookmarks, you
can enable SSO for these external links.
Can I use the IVE to protect against infected computers and other security concerns?
The IVE enables you to protect against viruses, attacks, and other security concerns
using the Host Checker feature. Host Checker performs security checks on the
clients that connect to the IVE. For instance, you can use Host Checker to verify that
end-user systems contain up-to-date antivirus software, firewalls, critical software
hotfixes, and other applications that protect your users’ computers. You can then
enable or deny users access to the IVE sign-in pages, realms, roles, and resources
based on the results that Host Checker returns. Or, you can display remediation
instructions to users so they can bring their computers into compliance.
You can also use Host Checker to create a protected workspace on clients running
Windows 2000 or Windows XP. Through Host Checker, you can enable the Secure
Virtual Workspace (SVW) feature which creates a protected workspace on the client
desktop, ensuring that any end-user signing in to your intranet must perform all
interactions within a completely protected environment. Secure Virtual Workspace
encrypts information that applications write to disk or the registry and then
destroys all information pertaining to itself or the IVE session when the session is
complete.
You can also secure your network from hostile outside intrusion by integrating your
IVE with a Juniper Networks Intrusion Detection and Prevention (IDP) Sensor. You
can use IDP devices to detect and block most network worms based on software
vulnerabilities, non-file-based Trojan Horses, the effects of Spyware, Adware, and
Key Loggers, many types of malware, and zero day attacks through the use of
anomaly detection.
For more information about Host Checker and other native IVE endpoint defense
mechanisms, see “Endpoint defense” on page 221. For more information about
integrating the IVE with IDP, see “IVE and IDP Interoperability” on page 801.
Can I ensure redundancy in my IVE environment?
You can ensure redundancy in your IVE environment using the IVE clustering
feature. With this feature, you can deploy two or more appliances as a cluster,
ensuring no user downtime in the rare event of failure, and providing stateful peering that
synchronizes user settings, system settings, and user session data.
These appliances support Active/Passive or Active/Active configurations across a
LAN or a WAN. In Active/Passive mode, one IVE actively serves user requests while
the other IVE runs passively in the background to synchronize state data. If the
active IVE goes off-line, the standby IVE automatically starts servicing user
requests. In Active/Active mode, all the machines in the cluster actively handle user
requests sent by an external load balancer or Round-Robin DNS. The load balancer
hosts the cluster VIP and routes user requests to an IVE defined in its cluster group
based on source-IP routing. If an IVE goes off-line, the load balancer adjusts the
load on the active IVEs.
Can I make the IVE interface match my company’s look-and-feel?
The IVE enables you to customize a variety of elements in the end-user interface.
Using these customization features, you can update the look-and-feel of the IVE
end-user console so it will look like one of your standard company Web pages or
applications.
For instance, you can easily customize the headers, background colors, and logos
that the IVE displays in the IVE sign-in page and end-user console to match your
company’s style. You can also easily customize the order in which the IVE displays
bookmarks and the help system that the IVE displays to users.
Or, if you do not want to display the IVE end-user home page to users (either in
standard or customized form), you can choose to redirect users to a different page
(such as your company Intranet) when users first sign into the IVE console. If you
choose to use this option, you may want to add links to your IVE bookmarks on the
new page, as explained in “Can I create a seamless integration between the IVE
and the resources it intermediates?” on page 28.
If you want to further customize the IVE sign-in page, you can use the IVE’s custom
sign-in pages feature. Unlike the standard customization options that you can
configure through the IVE administration console, the custom sign-in pages feature
does not limit the number of customizations you can make to your pages. Using
this feature, you can use an HTML editor to develop a sign-in page that exactly
matches your specifications.
For more information about customizing the look-and-feel of the IVE, see
“Customizable admin and end-user UIs” on page 819.
Can I enable users on a variety of computers and devices to use the IVE?
In addition to allowing users to access the IVE from standard workstations and
kiosks running Windows, Macintosh, and Linux operating systems, the IVE also
allows end-users to access the IVE from connected PDAs, handhelds and smart
phones such as i-mode and Pocket PC. When a user connects from a PDA or
handheld device, the IVE determines which IVE pages and functionality to display
based on settings that you configure.
For more information about specifying which pages the IVE displays to different
devices, see the IVE Supported Platforms Document available on the IVE OS
Software page of the Juniper Networks Customer Support Center.
For more information about the exact operating systems, PDAs, and handheld
devices that the IVE supports, see “Handheld devices and PDAs” on page 847.
Can I provide secure access for my international users?
The IVE supports English (US), French, German, Spanish, Simplified Chinese,
Traditional Chinese, Japanese, and Korean. When your users sign into the IVE, the
IVE automatically detects the correct language to display based on the user’s Web
browser setting. Or, you can use end-user localization and custom sign-in pages
options to manually specify the language that you want to display to your end-
users.
For more information about localization, see “Multi-language support” on
page 843.
How do I start configuring the IVE?
To enable users to start using your Secure Access appliance, you must complete the
following basic steps:
1. Plug in the appliance, connect it to your network, and configure its initial
system and network settings. This quick and easy process is detailed in the
Secure Access Quick Start Guide.
2. After you connect the IVE to your network, you need to set the system date and
time, upgrade to the latest service package, and install your product licenses.
When you first sign into the administration console, the IVE displays an initial
configuration task guide that quickly walks you through this process.
3. After you install your product licenses, you need to set up your access
management framework to enable your users to authenticate and access
resources. Configuration steps include:
a. Define an authentication server that verifies the names and passwords of
your users.
b. Create user roles that enable access mechanisms, session options, and UI
options for user groups.
c. Create a user authentication realm that specifies the conditions that users
must meet in order to sign into the IVE.
d. Define a sign-in policy that specifies the URL that users must access in
order to sign into the IVE and the page that they see when they sign in.
e. Create resource profiles that control access to resources, specify which
user roles can access them, and include bookmarks that link to the
resources.
The IVE includes a task guide in its administration console that quickly walks
you through this process. To access this task guide, click the Guidance link.
Then, under Recommended Task Guides, select Base Configuration. Or, you
can use the tutorial included in this guide. For more information, see “Initial
Verification and Key Concepts” on page 3.
Once you have completed these basic steps, your Secure Access appliance is ready
for use. You can start using it as is, or configure additional advanced features such
as endpoint defense and clustering.
Part 2
Access management framework
The IVE protects resources by using the following access management
mechanisms:
Authentication realm—Resource accessibility begins with the authentication
realm. An authentication realm specifies conditions that users must meet in order
to sign into the IVE. An authentication realm specification includes several
components, including an authentication server which verifies that the user is
who he claims to be. The user must meet the security requirements you define
for a realm's authentication policy or else the IVE does not forward the user's
credentials to the authentication server.
User roles—A role's configuration serves as the second level of resource access
control. A role is a defined entity that specifies IVE session properties for users
who are mapped to the role. Not only does a role specify the access
mechanisms available to a user, but you can also specify restrictions with
which users must comply before they are mapped to a role.
Resource policies—A resource policy serves as the third level of resource
access control. A resource policy is a set of resource names (such as URLs, host
names, and IP address/netmask combinations) to which you grant or deny
access or other resource-specific actions, such as rewriting and caching. While
a role may grant access to certain types of access features and resources (such
as bookmarks and applications), whether or not a user can access a specific
resource is controlled by resource policies. Note that you can create separate
resource policies or you can create automatic resource policies (called
autopolicies) during resource profile configuration (recommended).
This section contains the following information about the IVE access management
framework:
“General access management” on page 35
“User roles” on page 51
“Resource profiles” on page 71
“Resource policies” on page 81
“Authentication and directory servers” on page 91
“Authentication realms” on page 165
“Sign-in policies” on page 181
“Single sign-on” on page 191
Chapter 3
General access management
The IVE enables you to secure your company resources using authentication
realms, user roles, and resource policies. These three levels of accessibility allow
you to control access from a very broad level (controlling who may sign into the
IVE) down to a very granular level (controlling which authenticated users may
access a particular URL or file). You can specify security requirements that users
must meet to sign in to the IVE, to gain access to IVE features, and even to access
specific URLs, files, and other server resources. The IVE enforces the policies, rules
and restrictions, and conditions that you configure to prevent users from
connecting to or downloading unauthorized resources and content.
This section contains the following information about the access management
framework:
“Licensing: Access management availability” on page 35
“Policies, rules & restrictions, and conditions overview” on page 35
“Policies, rules & restrictions, and conditions evaluation” on page 38
“Dynamic policy evaluation” on page 40
“Configuring security requirements” on page 42
Licensing: Access management availability
The IVE access management framework is available on all Secure Access products.
The access management features, including realms, roles, resource policies, and
servers, are the base of the IVE platform on which all Secure Access products are
built.
Policies, rules & restrictions, and conditions overview
The IVE enables you to secure your company resources using authentication
realms, user roles, and resource policies. These three levels of accessibility allow
you to control access from a very broad level (controlling who may sign into the
IVE) down to a very granular level (controlling which authenticated users may
access a particular URL or file).
This section contains the following information about access management policies,
rules, restrictions, and conditions:
“Accessing authentication realms” on page 36
“Accessing user roles” on page 37
“Accessing resource policies” on page 37
Accessing authentication realms
Resource accessibility begins with the authentication realm. An authentication realm
is a grouping of authentication resources, including:
An authentication server, which verifies that the user is who he claims to be.
The IVE forwards credentials that a user submits on a sign-in page to an
authentication server. For more information, see “Authentication and directory
servers” on page 91.
An authentication policy, which specifies realm security requirements that
need to be met before the IVE submits a user's credentials to an authentication
server for verification. For more information, see “Defining authentication
policies” on page 168.
A directory server, which is an LDAP server that provides user and group
information to the IVE that the IVE uses to map users to one or more user roles.
For more information, see “Authentication and directory servers” on page 91.
Role mapping rules, which are conditions a user must meet in order for the
IVE to map the user to one or more user roles. These conditions are based on
either user information returned by the realm's directory server or the user's
username. For more information, see “Creating role mapping rules” on
page 169.
You can associate one or more authentication realms with an IVE sign-in page.
When more than one realm exists for a sign-in page, a user must specify a realm
before submitting her credentials. When the user submits her credentials, the IVE
checks the authentication policy defined for the chosen realm. The user must meet
the security requirements you define for a realm's authentication policy or else the
IVE does not forward the user's credentials to the authentication server.
At the realm level, you can specify security requirements based on various
elements such as the user's source IP address or the possession of a client-side
certificate. If the user meets the requirements specified by the realm's
authentication policy, then the IVE forwards the user's credentials to the
appropriate authentication server. If this server successfully authenticates the user,
then the IVE evaluates the role mapping rules defined for the realm to determine
which roles to assign to the user.
For more information, see “Authentication realms” on page 165.
Accessing user roles
A role is a defined entity that specifies IVE session properties for users who are
mapped to the role. These session properties include information such as session
time-outs and enabled access features. A role's configuration serves as the second
level of resource access control. Not only does a role specify the access
mechanisms available to a user, but you can also specify restrictions with which
users must comply before they are mapped to a role. The user must meet these
security requirements or else the IVE does not map the user to a role.
At the role level, you can specify security requirements based on elements such as
the user's source IP address and possession of a client-side certificate. If the user
meets the requirements specified either by a role mapping rule or a role's
restrictions, then the IVE maps the user to the role. When a user makes a request to
the backend resources available to the role, the IVE evaluates the corresponding
access feature resource policies.
Note that you may specify security requirements for a role in two places—in the
role mapping rules of an authentication realm (using custom expressions) or by
defining restrictions in the role definition. The IVE evaluates the requirements
specified in both areas to make sure the user complies before it maps the user to a
role.
For more information, see “User roles” on page 51.
Accessing resource policies
A resource policy is a set of resource names (such as URLs, host names, and IP
address/netmask combinations) to which you grant or deny access or other
resource-specific actions, such as rewriting and caching. A resource policy serves as
the third level of resource access control. While a role may grant access to certain
types of access features and resources (such as bookmarks and applications),
whether or not a user can access a specific resource is controlled by resource
policies. These policies may even specify conditions that, if met, either deny or
grant user access to a server share or file. These conditions may be based on
security requirements that you specify. The user must meet these security
requirements or else the IVE does not process the user's request.
At the resource level, you can specify security requirements based on elements such
as the user's source IP address or possession of a client-side certificate. If the user
meets the requirements specified by a resource policy's conditions, then the IVE
either denies or grants access to the requested resource. You may enable Web
access at the role level, for example, and a user mapped to the role may make a
Web request. You may also configure a Web resource policy to deny requests to a
particular URL or path when Host Checker finds an unacceptable file on the user's
machine. In this scenario, the IVE checks to see if Host Checker is running and
indicates that the user's machine complies with the required Host Checker policy. If
the user's machine complies, meaning the unacceptable file is not found, then the
IVE grants the user access to the requested Web resource.
Note that you can create separate resource policies or you can create automatic
resource policies (called autopolicies) during resource profile configuration
(recommended). For more information, see:
“Resource policies” on page 81
“Resource profile components” on page 72
Policies, rules & restrictions, and conditions evaluation
The following diagram illustrates the access management security checks that the
IVE performs when a user tries to access resources through the IVE. A detailed
description of each step follows after the diagram.
Figure 18: Security checks performed by the IVE during a user session
1. The user enters the URL of the IVE end-user console (such as
http://employees.yourcompany.com/marketing) in a Web browser.
2. The IVE evaluates its sign-in policies (starting with the administrator URLs and
continuing to user URLs) until it matches the hostname entered by the user.
3. The IVE evaluates pre-authentication restrictions and determines if the user’s
system passes host checks and other requirements. If the pre-authentication
checks fail, the IVE denies the user access. If the checks pass, the IVE prompts
the user to enter the username and password for the realms whose pre-
authentication checks succeeded. (If required by the realm, the IVE prompts
the user to enter two sets of credentials.) If more than one realm exists, the
user must enter a realm or choose one from a list.
4. The IVE evaluates the post-authentication restrictions and determines whether
the user’s password conforms to specified limits and requirements. If the post-
authentication checks fail, the IVE denies the user access. If the checks pass,
the IVE passes the user’s credentials to the realm’s authentication server.
5. The IVE forwards the user’s username and password to the authentication
server, which returns success or failure. (A RADIUS or SiteMinder
authentication server also returns attributes for the IVE to use in role mapping.)
If the authentication server returns failure, the IVE denies the user access. If the
server returns success, the IVE stores the user’s credentials. If the realm has a
separate LDAP authorization server, the IVE also queries the LDAP server for
attribute and group information and saves the information returned by LDAP.
If the realm includes a secondary authentication server, the IVE repeats this
process with the secondary server.
6. The IVE evaluates the realm’s role mapping rules and determines the roles for
which the user is eligible. The IVE determines eligibility using information from
the LDAP or RADIUS server or the user’s username.
7. The IVE evaluates the restrictions of the eligible roles, enabling the user to
access those roles whose restrictions the user’s computer meets. Restrictions
may include source IP, browser type, client-side certificate, Host Checker, and
Cache Cleaner.
8. The IVE creates a “session role,” determining the user’s session permissions. If
you enable permissive merging, the IVE determines session permissions by
merging all valid roles and granting the allowed resources from each valid role.
If you disable merging, the IVE assigns the user to the first role to which he is
mapped. For more information, see “User role evaluation” on page 52.
9. When the user requests a resource, the IVE checks whether the corresponding
access feature is enabled for the session user role. If not, the IVE denies the
user access. If the access feature is enabled, the IVE evaluates resource policies.
10. The IVE evaluates resource profiles and policies related to the user’s request,
sequentially processing each until it finds the profile or policy whose resource
list and designated roles match the user’s request. The IVE denies user access
to the resource if specified by the profile or policy. Otherwise, the IVE
intermediates the user request if the profile or policy enables access. For more
information, see “Resource policy evaluation” on page 86.
11. The IVE intermediates the user request, forwarding the user’s request and
credentials (if necessary) to the appropriate server. Then, the IVE forwards the
server’s response to the user.
12. The user accesses the requested resource or application server. The user
session ends when the user signs out or his session times out due to time limits
or inactivity. The IVE may also force the user out of the session if you enable
dynamic policy evaluation and the user fails a policy. For more information,
see “Dynamic policy evaluation” on page 40.
Dynamic policy evaluation
Dynamic policy evaluation allows you to automatically or manually refresh the
assigned roles of users by evaluating a realm’s authentication policy, role
mappings, role restrictions, and resource policies. When the IVE performs a
dynamic evaluation, it checks whether the client’s status has changed. (For
instance, the client’s Host Checker status may have changed. Or, if the user is
roaming, the computer’s IP address may have changed.) If the status has changed,
the IVE enables or denies the user access to the dependent realms, roles, or
resource policies accordingly.
This section contains the following information about dynamic policy evaluation:
“Understanding dynamic policy evaluation” on page 40
“Understanding standard policy evaluation” on page 41
“Enabling dynamic policy evaluation” on page 42
Understanding dynamic policy evaluation
During dynamic policy evaluation, the IVE evaluates the following types of resource
policies:
Windows Secure Application Manager
Java Secure Application Manager
Network Connect
Telnet/SSH
Terminal services (Windows and Citrix)
Java Access
Code signing (for Java applets)
NOTE: If you enable dynamic policy evaluation, the IVE performs additional
checks beyond the ones mentioned here. For more information, see “Dynamic
policy evaluation” on page 40.
NOTE: The IVE does not check for changes in user attributes from a RADIUS,
LDAP, or SiteMinder server when performing dynamic policy evaluation. Instead,
the IVE re-evaluates rules and policies based on the original user attributes that it
obtained when the user signed into the IVE.
If the IVE determines after a dynamic policy evaluation that a user no longer meets
the security requirements of a policy or role, the IVE immediately terminates the
user’s connection. The user may see the closing of a TCP or application
connection, or the termination of a user session for Network Connect, Secure
Application Manager, Terminal or Telnet/SSH. The user must take the necessary
steps to meet the security requirements of the policy or role, and then sign into the
IVE again.
The IVE logs information about policy evaluation and changes in roles or access in
the Event log.
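The twelve-step sequence above and the dynamic re-evaluation just described, modelled as an added example (not Juniper code and not the IVE's real implementation): a realm authentication policy that must pass before credentials are forwarded, a constructed password table standing in for the authentication server, ordered role mapping rules, role restrictions, permissive merging versus first-role assignment, first-match resource policies, and a re-evaluation that terminates the session when a role it depends on is no longer valid. The realm, role and user names, the yourcompany.com hosts, glob matching of resources and the default deny when no policy matches are all assumptions of the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable


@dataclass
class User:
    username: str
    password: str
    groups: list            # attributes the realm's directory server would return
    host_checker_ok: bool   # client status as Host Checker would report it
    has_client_cert: bool   # whether the browser presented a client-side certificate

@dataclass
class Role:
    name: str
    access_features: set                               # e.g. {"web", "files"}
    restriction: Callable[[User], bool] = lambda u: True

@dataclass
class Realm:
    name: str
    auth_policy: Callable[[User], bool]   # pre-authentication restrictions (step 3)
    auth_server: dict                     # stand-in for the authentication server (step 5)
    role_mapping: list                    # ordered (condition, role name) rules (step 6)

@dataclass
class ResourcePolicy:
    feature: str      # access feature the policy belongs to (step 9)
    resources: list   # glob patterns over "host/path" (constructed matching rule)
    roles: set        # roles the policy is designated for
    action: str       # "allow" or "deny"

class Denied(Exception):
    pass

def valid_roles(realm, roles_by_name, user):
    """Steps 6-7: role mapping rules, then each eligible role's own restrictions."""
    eligible = [roles_by_name[n] for cond, n in realm.role_mapping if cond(user)]
    return [r for r in eligible if r.restriction(user)]

def sign_in(realm, roles_by_name, user, permissive_merge=True):
    """Steps 3-8: build the session role as {'roles': [...], 'features': {...}}."""
    if not realm.auth_policy(user):             # step 3: credentials are never forwarded
        raise Denied("realm authentication policy")
    if realm.auth_server.get(user.username) != user.password:  # step 5
        raise Denied("authentication failed")
    valid = valid_roles(realm, roles_by_name, user)
    if not valid:
        raise Denied("no role")
    if permissive_merge:                         # step 8: union of every valid role
        return {"roles": [r.name for r in valid],
                "features": set().union(*(r.access_features for r in valid))}
    return {"roles": [valid[0].name], "features": set(valid[0].access_features)}

def request_resource(session, policies, feature, resource):
    """Steps 9-10: the feature must be enabled on the session role; the first policy
    whose resource list and designated roles both match decides allow or deny."""
    if feature not in session["features"]:
        return "deny"
    for p in policies:
        if p.feature != feature or not p.roles & set(session["roles"]):
            continue
        if any(fnmatch(resource, pat) for pat in p.resources):
            return p.action
    return "deny"   # assumption of this model: no matching policy means no access

def reevaluate(realm, roles_by_name, user, session, permissive_merge=True):
    """Dynamic policy evaluation: re-run the realm policy and role checks against the
    client's current status (directory attributes stay as obtained at sign-in). Returns
    the refreshed session, or None when a role the session was built from is no longer
    valid, which is when the connection is terminated."""
    if not realm.auth_policy(user):
        return None
    if not set(session["roles"]) <= {r.name for r in valid_roles(realm, roles_by_name, user)}:
        return None
    return sign_in(realm, roles_by_name, user, permissive_merge)

# --- constructed sample configuration; names and hosts are not from the guide ---
ROLES = {
    "Employees": Role("Employees", {"web", "files"}, restriction=lambda u: u.has_client_cert),
    "Contractors": Role("Contractors", {"web"}),
}
USER_REALM = Realm("Users", auth_policy=lambda u: u.host_checker_ok,
                   auth_server={"alice": "s3cret", "bob": "pa55", "carol": "hunter2", "dave": "abcd"},
                   role_mapping=[(lambda u: "staff" in u.groups, "Employees"),
                                 (lambda u: True, "Contractors")])
POLICIES = [
    ResourcePolicy("web", ["intranet.yourcompany.com/finance/*"], {"Employees"}, "allow"),
    ResourcePolicy("web", ["intranet.yourcompany.com/finance/*"], {"Contractors"}, "deny"),
    ResourcePolicy("web", ["intranet.yourcompany.com/*"], {"Employees", "Contractors"}, "allow"),
    ResourcePolicy("files", ["fileserver.yourcompany.com/*"], {"Employees"}, "allow"),
]
ALICE = User("alice", "s3cret", ["staff"], host_checker_ok=True, has_client_cert=True)
BOB = User("bob", "pa55", ["staff"], host_checker_ok=True, has_client_cert=False)
CAROL = User("carol", "wrong", [], host_checker_ok=True, has_client_cert=False)
DAVE = User("dave", "abcd", ["staff"], host_checker_ok=False, has_client_cert=True)
```

Bob is eligible for Employees by group but fails its client-certificate restriction, so his session is built from Contractors alone and the finance deny policy is the first match for him; Alice's merged session matches the Employees allow policy first.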
Understanding standard policy evaluation
If you do not use dynamic policy evaluation, the IVE evaluates policies and roles
only when the following events occur:
When the user first tries to access the IVE sign-in page, the IVE evaluates the
Host Checker and Cache Cleaner policies (if any) for a realm.
Immediately after the user’s initial authentication, the IVE evaluates the user’s
realm restrictions in the authentication policy, role mapping rules, and role
restrictions.
Whenever the user makes a request for a resource, the IVE evaluates resource
policies.
Whenever the Host Checker and Cache Cleaner status of the user’s machine
changes, the IVE evaluates the Host Checker and Cache Cleaner policies (if any)
for a role.
If you do not use dynamic policy evaluation and you make changes to an
authentication policy, role mapping rules, role restrictions, or resource policies, the
IVE enforces those changes only when the events described above occur. (For more
information, see “Policies, rules & restrictions, and conditions evaluation” on
page 38.)
If you do use dynamic policy evaluation, the IVE enforces changes when the events
described above occur and it also enforces changes at the times you specify. For
more information, see “Enabling dynamic policy evaluation” on page 42.
NOTE: Because the IVE evaluates Web and Files resource policies whenever the
user makes a request for a resource, dynamic policy evaluation is unnecessary for
Web and Files. The IVE does not use dynamic policy evaluation for Meetings
resource policies and Email Client resource policies.
Enabling dynamic policy evaluation
You can use dynamic policy evaluation in the following ways:
Evaluate all signed-in users in a realm—You can automatically or manually
refresh the roles of all currently signed-in users of a realm by using the General
tab of the Administrators > Admin Realms > Select Realm or Users > User
Realms > Select Realm page. You can trigger the IVE to perform a dynamic
policy evaluation at the realm level based on:
An automatic timer—You can specify a refresh interval that determines
how often the IVE performs an automatic policy evaluation of all currently
signed-in realm users, such as every 30 minutes. When using the refresh
interval, you can also fine-tune IVE performance by specifying whether or
not you want to refresh roles and resource policies as well as the
authentication policy, role mapping rules, and role restrictions.
On-demand—At any time, you can manually evaluate the authentication
policy, role mapping rules, role restrictions, and resource policies of all
currently signed-in realm users. This technique is especially useful if you
make changes to an authentication policy, role mapping rules, role
restrictions, or resource policies and you want to immediately refresh the
roles of a realm’s users.
Evaluate all signed-in users in all realms—At any time, you can manually
refresh the roles of all currently signed-in users in all realms by using settings in
the System > Status > Active Users page. For information, see “Monitoring
active users” on page 686.
Evaluate individual users—You can automatically refresh the roles of
individual users by enabling dynamic policy evaluation for Host Checker on the
Authentication > Endpoint Security > Host Checker page. Host Checker can
trigger the IVE to evaluate resource policies whenever a user’s Host Checker
status changes. (If you do not enable dynamic policy evaluation for Host
Checker, the IVE does not evaluate resource policies but it does evaluate the
authentication policy, role mapping rules, and role restrictions whenever a
user’s Host Checker status changes.) For more information, see “Specifying
general Host Checker options” on page 262.
Configuring security requirements
An IVE makes it easy to specify security requirements for administrators and users
through the options and features described in the following sections:
“Specifying source IP access restrictions” on page 43
“Specifying browser access restrictions” on page 44
“Specifying certificate access restrictions” on page 47
“Specifying password access restrictions” on page 48
“Specifying Host Checker access restrictions” on page 49
“Specifying Cache Cleaner access restrictions” on page 49
Specifying source IP access restrictions
Use a source IP restriction to control from which IP addresses users can access an
IVE sign-in page, be mapped to a role, or access a resource.
You can restrict resource access by source IP:
When administrators or users try to sign in to the IVE—The user must sign
in from a machine whose IP address/netmask combination meets the specified
source IP requirements for the selected authentication realm. If the user's
machine does not have the IP address/netmask combination required by the
realm, the IVE does not forward the user's credentials to the authentication
server and the user is denied access to the IVE. You can allow or deny access to
any specific IP address/netmask combination. For example, you can deny
access to all users on a wireless network (10.64.4.100), and allow access to all
other network users (0.0.0.0).
When administrators or users are mapped to a role—The authenticated user
must be signed in from a machine whose IP address/netmask combination
meets the specified Source IP requirements for each role to which the IVE may
map the user. If the user's machine does not have the IP address/netmask
combination required by a role, then the IVE does not map the user to that
role.
When users request a resource—The authenticated, authorized user must
make a resource request from a machine whose IP address/netmask
combination meets the specified Source IP requirements for the resource
policy corresponding to the user's request. If the user's machine does not have
the required IP address/netmask combination required by the resource, then
the IVE does not allow the user to access the resource.
To specify source IP restrictions:
1. Select the level at which you want to implement IP restrictions:
Realm level—navigate to:
Administrators > Admin Realms > Select Realm > Authentication
Policy > Source IP
Users > User Realms > Select Realm > Authentication Policy >
Source IP
Role level—Navigate to:
Administrators > Admin Roles > Select Role > General >
Restrictions > Source IP
Users > User Roles > Select Role > General > Restrictions >
Source IP
Resource policy level—Navigate to: Users > Resource Policies > Select
Resource > Select Policy > Detailed Rules > Select|Create Rule >
Condition Field
2. Choose one of the following options:
Allow users to sign in from any IP address — Enables users to sign into
the IVE from any IP address in order to satisfy the access management
requirement.
Allow or deny users from the following IP addresses — Specifies
whether to allow or deny users access to the IVE from all of the listed IP
addresses, based on their settings. To specify access from an IP address:
i. Enter the IP address and netmask.
ii. Select either:
Allow to allow users to sign in from the specified IP address.
Deny to prevent users from signing in from the specified IP address.
iii. Click Add.
iv. If you add multiple IP addresses, move the highest priority restrictions
to the top of the list by selecting the checkbox next to the IP address,
and then clicking the up arrow button. For example, to deny access to
all users on a wireless network (10.64.4.100) and allow access to all
other network users (0.0.0.0), move the wireless network address
(10.64.4.100) to the top of the list and move the (0.0.0.0) network
below the wireless network.
Enable administrators to sign in on the external port — Enables
administrators to sign in to the IVE from the external interface. You must
enable the external port before setting this option.
3. Click Save Changes to save your settings.
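The first-match ordering described in step iv, modelled as an added Python example (not IVE code): it evaluates an ordered Source IP list against a client address and flags rules that an earlier, broader rule shadows. The netmasks and client addresses are constructed; the guide gives only the addresses 10.64.4.100 and 0.0.0.0, and because it does not say what happens when no rule matches, the model assumes deny.

```python
import ipaddress

# Constructed rule lists modelled on the guide's wireless-network example.
# Each rule is (address, netmask, action); the netmasks are assumptions, since
# the guide gives only the addresses 10.64.4.100 and 0.0.0.0.
RULES_ORDERED = [
    ("10.64.4.100", "255.255.255.0", "deny"),   # wireless network at the top
    ("0.0.0.0", "0.0.0.0", "allow"),            # everyone else below it
]
RULES_MISORDERED = [
    ("0.0.0.0", "0.0.0.0", "allow"),            # catch-all first: shadows the deny
    ("10.64.4.100", "255.255.255.0", "deny"),
]


def to_network(address, netmask):
    """Build the network a rule covers. strict=False lets a host address such as
    10.64.4.100 stand for its surrounding network (10.64.4.0/24 here)."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def evaluate_source_ip(rules, client_ip):
    """First-match evaluation of an ordered Source IP rule list: the first rule
    whose network contains the client address decides. An address matched by
    no rule is denied in this model (an assumption, not a statement about the IVE)."""
    ip = ipaddress.ip_address(client_ip)
    for address, netmask, action in rules:
        if ip in to_network(address, netmask):
            return action
    return "deny"


def shadowed_rules(rules):
    """Lint check: indexes of rules that can never match because an earlier
    rule's network already contains theirs. A non-empty result means the list
    needs reordering with the up-arrow button described in step iv."""
    shadowed = []
    for i, (address, netmask, _) in enumerate(rules):
        net = to_network(address, netmask)
        for earlier_address, earlier_netmask, _ in rules[:i]:
            if net.subnet_of(to_network(earlier_address, earlier_netmask)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for label, rules in (("ordered", RULES_ORDERED), ("misordered", RULES_MISORDERED)):
        print(label, "wireless host ->", evaluate_source_ip(rules, "10.64.4.57"),
              "| shadowed rules:", shadowed_rules(rules))
```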
Specifying browser access restrictions
Use a browser restriction to control from which Web browsers users can access an
IVE sign-in page, be mapped to a role, or access a resource. If a user tries to sign in
to the IVE using an unsupported browser, the sign-in attempt fails and a message
displays stating that an unsupported browser is being used. This feature also
enables you to ensure that users sign in to the IVE from browsers that are
compatible with corporate applications or are approved by corporate security
policies.
You can restrict IVE and resource access by browser-type:
When administrators or users try to sign in to the IVE—The user must sign in
from a browser whose user-agent string meets the specified user-agent string
pattern requirements for the selected authentication realm. If the realm
“allows” the browser's user-agent string, then the IVE submits the user's
credentials to the authentication server. If the realm “denies” the browser's
user-agent string, then the IVE does not submit the user's credentials to the
authentication server.
When administrators or users are mapped to a role—The authenticated user
must be signed in from a browser whose user-agent string meets the specified
user-agent string pattern requirements for each role to which the IVE may map
the user. If the user-agent string does not meet the “allowed” or “denied”
requirements for a role, then the IVE does not map the user to that role.
When users request a resource—The authenticated, authorized user must
make a resource request from a browser whose user-agent string meets the
specified “allowed” or “denied” requirements for the resource policy
corresponding to the user's request. If the user-agent string does not meet the
“allowed” or “denied” requirements for a resource, then the IVE does not allow
the user to access the resource.
Specifying browser restrictions
To specify browser restrictions:
1. Select the level at which you want to implement browser restrictions:
Realm level—Navigate to:
Administrators > Admin Realms > Select Realm > Authentication
Policy > Browser
Users > User Realms > Select Realm > Authentication Policy >
Browser
Role level—Navigate to:
Administrators > Admin Realms > Select Realm > Role Mapping >
Select|Create Rule > Custom Expressions
Administrators > Admin Roles > Select Role > General >
Restrictions > Browser
Users > User Realms > Select Realm > Role Mapping >
Select|Create Rule > Custom Expression
Users > User Roles > Select Role > General > Restrictions >
Browser
Resource policy level—Navigate to: Users > Resource Policies > Select
Resource > Select Policy > Detailed Rules > Select|Create Rule >
Condition Field
2. Choose one of the following options:
Allow all users matching any user-agent string sent by the browser—Allows
users to access the IVE or resources using any of the supported Web
browsers.
Only allow users matching the following User-agent policy—Allows you
to define browser access control rules. To create a rule:
i. For the User-agent string pattern, enter a string in the format
*<browser_string>*
where star (*) is an optional character used to match any sequence of
characters and <browser_string> is a case-sensitive pattern that must match a
substring in the user-agent header sent by the browser. Note that you
cannot include escape characters (\) in browser restrictions.
ii. Select either:
Allow to allow users to use a browser that has a user-agent header
containing the <browser_string> substring.
Deny to prevent users from using a browser that has a user-agent
header containing the <browser_string> substring.
iii. Click Add.
3. Click Save Changes to save your settings.
NOTE: The browser restrictions feature is not intended as a strict access control
since browser user-agent strings can be changed by a technical user. It serves as
an advisory access control for normal usage scenarios.
For example, the string *Netscape* matches any user-agent string that contains the
substring Netscape.
The following rule set grants resource access only when users are signed in using
Internet Explorer 5.5x or Internet Explorer 6.x. This example takes into account
some major non-IE browsers that send the 'MSIE' substring in their user-agent
headers:
*Opera* Deny
*AOL* Deny
*MSIE 5.5* Allow
*MSIE 6.* Allow
* Deny
NOTE:
Rules are applied in order, so the first matched rule applies.
Literal characters in rules are case sensitive, and spaces are allowed as literal
characters.
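The *<browser_string>* matching and first-match rule ordering above, including the guide's five-rule example set, as an added Python example that is not IVE code; the sample User-Agent headers are constructed, and treating the pattern as anchored over the whole header is an assumption of the model.

```python
import re

# The guide's example rule set, as (pattern, action), applied top to bottom.
RULES = [
    ("*Opera*", "deny"),
    ("*AOL*", "deny"),
    ("*MSIE 5.5*", "allow"),
    ("*MSIE 6.*", "allow"),
    ("*", "deny"),
]

# Constructed sample User-Agent headers (not captured from real clients).
SAMPLE_USER_AGENTS = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ie55": "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
    "aol": "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1)",
    "opera": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54 [en]",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7) Gecko/20040803 Firefox/0.9.3",
    "lowercase": "Mozilla/4.0 (compatible; msie 6.0; Windows NT 5.1)",
}


def compile_pattern(pattern):
    """Turn a *<browser_string>* pattern into a case-sensitive regex. Each '*'
    matches any run of characters; everything else is literal, including
    spaces and dots, and no escape characters are interpreted (the guide says
    they are not allowed). Anchoring the whole header is an assumption of this
    model; it is what makes a bare '*' the catch-all rule."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.DOTALL)


def evaluate_user_agent(rules, user_agent):
    """First-match evaluation: returns (action, pattern) for the first rule the
    header matches. With no match, this model denies (assumption)."""
    for pattern, action in rules:
        if compile_pattern(pattern).match(user_agent):
            return action, pattern
    return "deny", None


def evaluate_samples(rules=RULES, samples=SAMPLE_USER_AGENTS):
    """Evaluate every sample header and return {label: action}."""
    return {label: evaluate_user_agent(rules, ua)[0] for label, ua in samples.items()}


if __name__ == "__main__":
    # The User-Agent header is supplied by the client, so this is advisory filtering only.
    for label, action in evaluate_samples().items():
        print(f"{label:10s} {action}")
```

Note that the Opera header above carries the 'MSIE 6.0' substring and is still denied, which is why the guide's set lists the *Opera* rule before the *MSIE 6.* rule.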
Specifying certificate access restrictions
When you install a client-side certificate on the IVE through the System >
Configuration > Certificates > Trusted Client CAs page of the admin console,
you can restrict IVE and resource access by requiring client-side certificates:
When administrators or users try to sign in to the IVE—The user must sign in
from a machine that possesses the specified client-side certificate (from the
proper certificate authority (CA) and possessing any optionally specified
field/value pair requirements). If the user's machine does not possess the
certificate information required by the realm, the user can access the sign-in
page, but once the IVE determines that the user's browser does not possess the
certificate, the IVE does not submit the user's credentials to the authentication
server and the user cannot access features on the IVE.
To implement certificate restrictions at the realm level, navigate to:
Administrators > Admin Realms > Select Realm > Authentication
Policy > Certificate
Users > User Realms > Select Realm > Authentication Policy >
Certificate
When administrators or users are mapped to a role—The authenticated user
must be signed in from a machine that meets the specified client-side
certificate requirements (proper certificate authority (CA) and optionally
specified field/value pair requirements) for each role to which the IVE may map
the user. If the user's machine does not possess the certificate information
required by a role, then the IVE does not map the user to that role.
To implement certificate restrictions at the role level, navigate to:
Administrators > Admin Roles > Select Role > General > Restrictions
> Certificate
Users > User Realms > Select Realm > Role Mapping >
Select|Create Rule > Custom Expression
Users > User Roles > Select Role > General > Restrictions >
Certificate
When users request a resource—The authenticated, authorized user must
make a resource request from a machine that meets the specified client-side
certificate requirements (proper certificate authority (CA) and optionally
specified field/value pair requirements) for the resource policy corresponding
to the user's request. If the user's machine does not possess the certificate
information required by a resource, then the IVE does not allow the user to
access the resource.
To implement certificate restrictions at the resource policy level, navigate to:
Users > Resource Policies > Select Resource > Select Policy > Detailed Rules
> Select|Create Rule > Condition Field
Specifying password access restrictions
You can restrict IVE and resource access by password-length when administrators
or users try to sign in to an IVE. The user must enter a password whose length
meets the minimum password-length requirement specified for the realm. Note
that local user and administrator records are stored in the IVE authentication
server. This server requires that passwords are a minimum length of 6 characters,
regardless of the value you specify for the realm's authentication policy.
To specify password restrictions:
1. Select an administrator or user realm for which you want to implement
password restrictions.
Navigate to:
Administrators > Admin Realms > Select Realm > Authentication
Policy > Password
Users > User Realms > Select Realm > Authentication Policy >
Password
2. Choose one of the following options:
Allow all users (passwords of any length) — Does not apply password
length restrictions to users signing in to the IVE.
Only allow users that have passwords of a minimum length — Requires
the user to enter a password with a minimum length of the number
specified.
3. Select Enable Password Management if you want to enable password
management. You must also configure password management on the IVE
authentication server configuration page (local authentication server) or
through an LDAP server. For more information about password management,
see “Enabling LDAP password management” on page 111.
4. If you have enabled a secondary authentication server, specify password length
restrictions using the restrictions above as a guideline.
5. Click Save Changes to save your settings.
NOTE: By default, the IVE requires that user passwords entered on the sign-in page
be a minimum of four characters. The authentication server used to validate a
user’s credentials may require a different minimum length. The IVE local
authentication database, for example, requires user passwords to be a minimum
length of six characters.
Specifying Host Checker access restrictions
For information about restricting a user’s access to the IVE, a role, or a resource
based on his Host Checker status, see “Implementing Host Checker policies” on
page 251.
Specifying Cache Cleaner access restrictions
For information about restricting a user’s access to the IVE, a role, or a resource
based on his Cache Cleaner status, see “Implementing Cache Cleaner options” on
page 273.
Specifying limits restrictions
In addition to the access management options you may specify for an
authentication policy, you may also specify a limit for concurrent users. A user who
enters a URL to one of this realm’s sign-in pages must meet any access
management and concurrent user requirements specified for the authentication
policy before the IVE presents the sign-in page to the user.
Use limits restrictions to set minimum and maximum concurrent users on the
realm.
To specify the limits restrictions:
1. Select an administrator or user realm for which you want to implement limits
restrictions.
Navigate to:
Administrators > Admin Realms > Select Realm > Authentication
Policy > Limits
Users > User Realms > Select Realm > Authentication Policy > Limits
2. To limit the number of concurrent users on the realm, select Limit the number
of concurrent users and then specify limit values for these options:
a. Guaranteed minimum—You can specify any number of users between
zero (0) and the maximum number of concurrent users defined for the
realm, or you can set the number up to the maximum allowed by your
license if there is no realm maximum.
b. Maximum (optional)—You can specify any number of concurrent users
from the minimum number you specified up to the maximum number of
licensed users. If you enter a zero (0) into the Maximum field, no users are
allowed to log in to the realm.
3. Click Save Changes.
Chapter 4
User roles
A user role is an entity that defines user session parameters (session settings and
options), personalization settings (user interface customization and bookmarks),
and enabled access features (Web, file, application, telnet/SSH, terminal services,
network, meeting, and email access). A user role does not specify resource access
control or other resource-based options for an individual request. For example, a
user role may define whether or not a user can perform Web browsing, however,
the individual Web resources that a user may access are defined by the Web
resource policies that you configure separately.
The IVE supports two types of user roles:
Administrators—An administrator role is an entity that specifies IVE
management functions and session properties for administrators who map to
the role. You can customize an administrator role by selecting the IVE feature
sets and user roles that members of the administrator role are allowed to view
and manage. You can create and configure administrator roles through the
Administrators > Admin Roles page of the admin console.
Users—A user role is an entity that defines user session parameters,
personalization settings, and enabled access features. You can customize a
user role by enabling specific IVE access features, defining Web, application,
and session bookmarks, and configuring session settings for the enabled access
features. You can create and configure user roles through the Users > User
Roles page of the admin console.
This section includes the following information about roles:
“Licensing: User roles availability” on page 52
“User role evaluation” on page 52
“Configuring user roles” on page 54
“Customizing user roles UI views” on page 66
Licensing: User roles availability
User roles are an integral part of the IVE access management framework, and
therefore are available on all Secure Access products. However, you can only access
features through a user role if you are licensed for the feature. For instance, if you
are using an SA-700 appliance and have not purchased a Core Clientless Access
upgrade license, you cannot enable Web rewriting for a user role.
User role evaluation
The IVE’s role mapping engine determines a user’s session role, or combined
permissions valid for a user session, as illustrated in the following diagram. A
detailed description of each step follows after the diagram.
Figure 19: Security checks performed by the IVE to create a session role
1. The IVE begins rule evaluation with the first rule on the Role Mapping tab of
the authentication realm to which the user successfully signs in. During the
evaluation, the IVE determines if the user meets the rule conditions. If so, then:
a. The IVE adds the corresponding roles to a list of “eligible roles” available to
the user.
b. The IVE considers whether or not the “stop on match” option is configured.
If so, then the engine jumps to step 5.
2. The IVE evaluates the next rule on the authentication realm’s Role Mapping
tab according to the process in the previous step and repeats this process for
each subsequent rule. When the IVE evaluates all role mapping rules, it
compiles a comprehensive list of eligible roles.
3. The IVE evaluates the definition for each role in the eligibility list to determine
if the user complies with any role restrictions. The IVE then uses this
information to compile a list of valid roles, whose requirements the user also
meets.
If the list of valid roles contains only one role, then the IVE assigns the user to
that role. Otherwise, the IVE continues the evaluation process.
4. The IVE evaluates the setting specified on the Role Mapping tab for users who
are assigned to more than one role:
Merge settings for all assigned roles—If you choose this option, then the
IVE performs a permissive merge of all the valid user roles to determine
the overall (net) session role for a user session.
User must select from among assigned roles—If you choose this option,
then the IVE presents a list of eligible roles to an authenticated user. The
user must select a role from the list, and the IVE assigns the user to that
role for the duration of the user session.
User must select the sets of merged roles assigned by each rule—If you
choose this option, the IVE presents a list of eligible rules to an
authenticated user (that is, rules whose conditions the user has met). The
user must select a rule from the list, and the IVE performs a permissive
merge of all the roles that map to that rule.
Permissive merge guidelines
A permissive merge is a merge of two or more roles that combines enabled features
and settings following these guidelines:
Any enabled access feature in one role takes precedence over the same feature
set to disabled in another role. For example, if a user maps to two roles, one of
which disables Secure Meeting while the other role enables Secure Meeting, the
IVE allows the user to use Secure Meeting for that session.
In the case of Secure Application Manager, the IVE enables the version
corresponding to the first role that enables this feature. Furthermore, the IVE
merges the settings from all the roles that correspond to the selected version.
In the case of user interface options, the IVE applies the settings that
correspond to the user’s first role.
In the case of session timeouts, the IVE applies the greatest value from all of
the roles to the user’s session.
If more than one role enables the Roaming Session feature, then the IVE merges
the netmasks to formulate a greater netmask for the session.
When merging two roles a user is mapped to—one in which bookmarks open
in a new window and one in which bookmarks open in the same window—the
merged role opens bookmarks in the same window.
When merging two roles in which the first role disables the browsing toolbar
and the second role enables either the framed or standard toolbar, the merged
role uses the settings from the second role and displays the specified browsing
toolbar.
The merged role uses the highest value listed for the HTTP Connection
Timeout on the Users > User Roles > Select Role > Web > Options page.
NOTE: If you use automatic (time-based) dynamic policy evaluation or you
perform a manual policy evaluation, the IVE repeats the role evaluation process
described in this section. For more information, see “Dynamic policy evaluation”
on page 40.
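The evaluation steps 1 through 4 and the permissive merge guidelines above, modelled as an added Python example (not IVE code). The roles, mapping rules and user record are constructed, and the roaming netmask merge is modelled as a bitwise AND of the masks, which is an assumption about what "a greater netmask" means.

```python
import functools
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Role:
    """Settings a role contributes to a session (a subset of the real role fields)."""
    name: str
    features: Dict[str, bool] = field(default_factory=dict)  # access feature -> enabled
    restriction: Callable[[dict], bool] = lambda user: True  # General > Restrictions check
    idle_timeout: int = 10                 # minutes
    max_session: int = 60                  # minutes
    roaming_netmask: Optional[str] = None  # None means Roaming Session disabled
    bookmarks_new_window: bool = True
    toolbar: str = "disabled"              # 'disabled', 'framed' or 'standard'
    http_conn_timeout: int = 240           # seconds
    ui: Dict[str, str] = field(default_factory=dict)  # header/footer and similar UI options


@dataclass
class MappingRule:
    """One row of a realm's Role Mapping tab."""
    condition: Callable[[dict], bool]
    roles: List[Role]
    stop_on_match: bool = False


def eligible_roles(rules, user):
    """Steps 1 and 2: walk the rules in order; a matching rule adds its roles and,
    if 'stop on match' is set, ends the walk."""
    eligible = []
    for rule in rules:
        if rule.condition(user):
            eligible.extend(r for r in rule.roles if r not in eligible)
            if rule.stop_on_match:
                break
    return eligible


def valid_roles(eligible, user):
    """Step 3: drop eligible roles whose own restrictions the user does not meet."""
    return [r for r in eligible if r.restriction(user)]


def broader_mask(mask_a, mask_b):
    """Bitwise AND of two dotted netmasks is the less specific of the two; used to
    model 'merges the netmasks to formulate a greater netmask' (an assumption)."""
    a, b = int(ipaddress.IPv4Address(mask_a)), int(ipaddress.IPv4Address(mask_b))
    return str(ipaddress.IPv4Address(a & b))


def permissive_merge(roles):
    """Step 4, 'Merge settings for all assigned roles', following the guidelines."""
    if not roles:
        raise ValueError("no valid roles to merge")
    merged = Role(name="+".join(r.name for r in roles))
    for r in roles:                                   # an enabled feature beats a disabled one
        for feature, enabled in r.features.items():
            merged.features[feature] = merged.features.get(feature, False) or enabled
    merged.idle_timeout = max(r.idle_timeout for r in roles)        # greatest timeout wins
    merged.max_session = max(r.max_session for r in roles)
    merged.http_conn_timeout = max(r.http_conn_timeout for r in roles)
    masks = [r.roaming_netmask for r in roles if r.roaming_netmask]
    merged.roaming_netmask = functools.reduce(broader_mask, masks) if masks else None
    merged.bookmarks_new_window = all(r.bookmarks_new_window for r in roles)  # same window wins
    merged.toolbar = next((r.toolbar for r in roles if r.toolbar != "disabled"), "disabled")
    merged.ui = dict(roles[0].ui)                     # UI options come from the first role
    return merged


def session_role(rules, user):
    """Run the whole evaluation for a user record and return the net session role."""
    return permissive_merge(valid_roles(eligible_roles(rules, user), user))


# Constructed example realm: roles, rules and a user record (all hypothetical).
ENGINEERING = Role("Engineering", {"Web": True, "Meetings": False},
                   idle_timeout=10, max_session=60, roaming_netmask="255.255.255.0",
                   ui={"header": "Engineering portal"})
REMOTE = Role("Remote", {"Network Connect": True, "Meetings": True},
              restriction=lambda u: u["src_ip"].startswith("10."),
              idle_timeout=30, max_session=120, roaming_netmask="255.255.0.0",
              bookmarks_new_window=False, toolbar="standard", ui={"header": "Remote"})
ONSITE_ADMIN = Role("OnsiteAdmin", {"Telnet/SSH": True},
                    restriction=lambda u: u["src_ip"].startswith("192.168."))
GUEST = Role("Guest", {"Web": True}, idle_timeout=5)

RULES = [
    MappingRule(lambda u: "engineering" in u["groups"], [ENGINEERING, ONSITE_ADMIN]),
    MappingRule(lambda u: "remote" in u["groups"], [REMOTE], stop_on_match=True),
    MappingRule(lambda u: True, [GUEST]),   # not reached when the rule above stops evaluation
]
USER = {"groups": ["engineering", "remote"], "src_ip": "10.1.2.3"}

if __name__ == "__main__":
    print(session_role(RULES, USER))
```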
Configuring user roles
To create a user role:
1. In the admin console, choose Users > User Roles.
2. Click New Role and then enter a name and optionally a description. This name
appears in the list of Roles on the Roles page.
Once you have created a role, you can click the role’s name to begin configuring it
using the instructions in the following sections:
“Configuring general role options” on page 55
“Configuring role restrictions” on page 56
“Specifying role-based source IP aliases” on page 57
“Specifying session options” on page 57
“Specifying customized UI settings” on page 60
“Defining default options for user roles” on page 64
Configuring general role options
Use the Overview tab to edit a role’s name and description, toggle session and user
interface options on and off, and enable access features. When you enable an
access feature, make sure to create corresponding resource policies.
To manage general role settings and options:
1. In the admin console, choose Users > User Roles > RoleName > General >
Overview.
2. (Optional) Revise the name and description and then click Save Changes.
3. Under Options, check the role-specific options that you want to enable for the
role. If you do not select role-specific options, the IVE uses default settings
instead, as described in “Defining default options for user roles” on page 64.
Role-specific options include:
VLAN/Source IP—Select this option to apply the settings configured in the
General > VLAN/Source IP tab to the role. For more information, see
“Specifying role-based source IP aliases” on page 57.
Session Options—Select this option to apply the settings in the General >
Session Options tab to the role. For more information, see “Specifying
session options” on page 57.
UI Options—Select this option to apply the settings in the General > UI
Options tab to the role. For more information, see “Specifying customized
UI settings” on page 60.
4. Under Access features, check the features you want to enable for the role.
Options include:
Web—For more information, see “Web rewriting” on page 281
Files (Windows or UNIX/NFS version)—For more information, see “File
rewriting” on page 371
Secure Application Manager (Windows version or Java version)—For
more information, see “Secure Application Manager” on page 395
Telnet/SSH—For more information, see “Telnet/SSH” on page 449
Terminal Services—For more information, see “Terminal Services” on
page 461
Meetings—For more information, see “Secure Meeting” on page 493
Email Client—For more information, see “Email Client” on page 513
Network Connect—For more information, see “Network Connect” on
page 521
5. Click Save Changes to apply the settings to the role.
NOTE:
When you delete a role, the personal bookmarks, SAM settings, and other
settings may not be removed. Therefore, if you add a new role with the same
name, any users added to that new role may acquire the old bookmarks and
settings. In general, the IVE enforces referential integrity rules and does not
allow you to delete any objects if they are referenced elsewhere. For example,
if a role is used in any of the realm's role mapping rules, then the IVE rejects
the deletion of the role unless you modify or delete the mapping rules.
To create individual user accounts, you must add the users through the
appropriate authentication server (not the role). For instructions, see
“Creating user accounts on a local authentication server” on page 117 for
local authentication servers. Or for instructions on how to create users on
third-party servers, see the documentation that comes with that product.
Configuring role restrictions
Use the Restrictions tab to specify access management options for the role. The
IVE considers these restrictions when determining whether or not to map a user to
the role. The IVE does not map users to this role unless they meet the specified
restrictions. For more information, see “General access management” on page 35.
You may configure any number of access management options for the role. If a
user does not conform to all of the restrictions, then the IVE does not map the user
to the role.
To specify access management options for the role:
1. In the admin console, choose Users > User Roles > RoleName > General >
Restrictions.
2. Click the tab corresponding to the option you want to configure for the role,
and then configure it using instructions in the following sections:
“Specifying source IP access restrictions” on page 43
“Specifying browser access restrictions” on page 44
“Specifying certificate access restrictions” on page 47
“Specifying password access restrictions” on page 48
“Specifying Host Checker access restrictions” on page 49
“Specifying Cache Cleaner access restrictions” on page 49
Specifying role-based source IP aliases
Use the VLAN/Source IP tab to define role-based source IP aliases. If you want to
direct traffic to specific sites based on roles, you can define a source IP alias for
each role. You use these aliases to configure virtual ports you define for the internal
interface source IP address. A back-end device can then direct end-user traffic
based on these aliases, as long as you configure the back-end device, such as a
firewall, to expect the aliases in place of the internal interface source IP address.
This capability enables you to direct various end-users to defined sites based on
their roles, even though all of the end-user traffic has the same internal interface
source IP address.
To specify a source IP alias for the role:
1. In the admin console, choose Users > User Roles > RoleName > General >
VLAN/Source IP.
2. Select the VLAN you want to use from the VLAN drop-down menu, if you have
defined VLAN ports on your system.
If you have not defined VLAN ports, the option defaults to the Internal Port IP
address. If you have provisioned IVS systems, and you have defined VLAN
ports and you want any of those VLAN ports to appear in this drop-down menu,
you must include the VLAN ports in the Selected VLANs text box on the Root
IVS configuration page.
3. Select a source IP address from the drop-down menu.
4. Click Save Changes to apply the settings to the role.
NOTE: You must define virtual ports to take advantage of the role-based Source IP
aliases. For more information on virtual ports, see “Configuring internal and
external ports” on page 561 and “Configuring virtual ports” on page 566.
NOTE:
If an end-user is mapped to multiple roles and the IVE merges roles, the IVE
associates the source IP address configured for the first role in the list with the
merged role.
You can specify the same Source IP address for multiple roles. You cannot
specify multiple Source IP addresses for one role.
Specifying session options
Use the Session tab to specify session time limits, roaming capabilities, session and
password persistency, request follow-through options, and idle timeout application
activity. Check the Session Options checkbox on the Overview tab to enable these
settings for the role.
To specify general session options:
1. In the admin console, choose Users > User Roles > RoleName > General >
Session Options.
2. Under Session Lifetime, specify values for:
Idle Timeout—Specify the number of minutes a non-administrative user
session may remain idle before ending. The minimum is 5 minutes. The
default idle session limit is ten minutes, which means that if a user’s
session is inactive for ten minutes, the IVE ends the user session and logs
the event in the system log (unless you enable session timeout warnings
described below).
Max. Session Length—Specify the number of minutes an active non-
administrative user session may remain open before ending. The
minimum is 6 minutes. The default time limit for a user session is sixty
minutes, after which the IVE ends the user session and logs the event in
the system log. During an end-user session, prior to the expiration of the
maximum session length, the IVE prompts the user to re-enter
authentication credentials, which avoids the problem of terminating the
user session without warning.
Reminder Time—Specify when the IVE should prompt non-administrative
users, warning them of an impending session or idle timeout. Specify in
number of minutes before the timeout is reached.
3. Under Enable session timeout warning:
a. Select Enabled to notify non-administrative users when they are about to
reach a session or idle timeout limit.
These warnings prompt users to take the appropriate action when they are
close to exceeding their session limits or idle timeouts, helping them save
any in-progress form data that would otherwise be lost. Users approaching
the idle timeout limit are prompted to reactivate their session. Users
approaching the session time limit are prompted to save data.
For example, an IVE user may unknowingly reach the idle timeout set for
his role while using an email client configured to work with the IVE,
because the IVE does not receive data while the user composes email. If
the session timeout warning is enabled, however, IVE prompts the user to
reactivate his IVE session before the session times out and forces the user’s
IVE session to end. This warning gives the user the opportunity to save his
partially composed email.
b. Check the Display sign-in page on max session time out checkbox if you
want to display a new browser sign-in page to the end-user when their
session times out. This option only appears when you choose to enable the
session timeout warning.
NOTE: If you are using Secure Meeting, you can configure meeting session limits
through the Users > Resource Policies > Meetings page of the admin console.
For more information, see “Defining resource policies: Secure Meeting” on
page 508.
4. Under Roaming session, specify:
Enabled—To enable roaming user sessions for users mapped to this role. A
roaming user session works across source IP addresses, which allows
mobile users (laptop users) with dynamic IP addresses to sign in to the IVE
from one location and continue working from another. However, some
browsers may have vulnerabilities that can allow malicious code to steal
user cookies. A malicious user could then use a stolen IVE session cookie to
sign in to the IVE.
Limit to subnet—To limit the roaming session to the local subnet specified
in the Netmask field. Users may sign in from one IP address and continue
using their sessions with another IP address as long as the new IP address
is within the same subnet.
Disabled—To disable roaming user sessions for users mapped to this role.
Users who sign in from one IP address may not continue an active IVE
session from another IP address; user sessions are tied to the initial source
IP address.
5. Under Persistent session, select Enabled to write the IVE session cookie to the
client hard disk so that the user’s IVE credentials are saved for the duration of
the IVE session.
By default, the IVE session cookie is flushed from the browser’s memory when
the browser is closed. The IVE session length is determined by both the idle
timeout value and maximum session length value that you specify for the role.
The IVE session does not terminate when a user closes the browser; an IVE
session only terminates when a user signs out of the IVE.
NOTE:
If you do not enable the session timeout warning (step 3), the IVE only displays
expiration messages to users—it does not give them the option to extend their
sessions. Instead, users need to access the IVE sign-in page and authenticate into
a new session.
This option only applies to expiration messages displayed by the end-user's
browser, not by other clients such as WSAM or Network Connect.
NOTE: If you enable the Persistent session option and a user closes the browser
window without signing out, any user may open another instance of the same
browser to access the IVE without submitting valid credentials, posing a potential
security risk. We recommend that you enable this feature only for roles whose
members need access to applications that require IVE credentials and that you
make sure these users understand the importance of signing out of the IVE when
they are finished.
6. Under Persistent password caching, select Enabled to allow cached
passwords to persist across sessions for a role.
The IVE supports NTLM and HTTP Basic Authentication and supports servers
that are set up to accept both NTLM and anonymous sign-in. The IVE caches
NTLM and HTTP Basic Authentication passwords provided by users so that the
users are not repeatedly prompted to enter the same credentials used to sign in
to the IVE server or another resource in the NT domain. By default, the IVE
server flushes cached passwords when a user signs out. A user can delete
cached passwords through the Advanced Preferences page.
7. Under Browser request follow-through, select Enabled to allow the IVE to
complete a user request made after an expired user session after the user re-
authenticates.
8. Under Idle timeout application activity, select Enabled to ignore activities
initiated by Web applications (such as polling for emails) when determining
whether a session is active. If you disable this option, periodic pinging or other
application activity may prevent an idle timeout.
9. Under Upload Logs, select the Enable Upload Logs option to allow the user to
transmit (upload) client logs to the IVE.
10. Click Save Changes to apply the settings to the role.
Specifying customized UI settings
Use the UI Options tab to specify customized settings for the IVE welcome page
and the browsing toolbar for users mapped to this role. The IVE welcome page (or
home page) is the Web interface presented to authenticated IVE users. Check the
UI Options checkbox on the Overview tab to enable custom settings for the role;
otherwise, the IVE uses the default settings.
Personalization settings include the sign-in page, page header, page footer, and
whether or not to display the browsing toolbar. If the user maps to more than one
role, then the IVE displays the user interface corresponding to the first role to which
the user is mapped.
To customize the IVE welcome page for role users:
1. Choose Users > User Roles > RoleName > General > UI Options.
2. Under Header, specify a custom logo and alternate background color for the
header area of the IVE welcome page (optional):
Click the Browse