MAG (UAC,SSL) UPDATE
Westcon 5 daagse, 13 February 2012
Dennis de Leest, Security Systems Engineer



2 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

AGENDA

- Gartner overview (just published)
- Junos Pulse Gateways
- Licensing Changes


SSL OVERVIEW GARTNER (LAST ONE !!)


UAC OVERVIEW GARTNER


JUNOS PULSE GATEWAYS

- Introduction
- Hardware
  - Fixed Configuration
  - Chassis
  - Application Blades
  - Chassis Management Card
- Software
  - Junos
  - JWeb
  - Application Blade Software
- Pricing


INTRODUCTION

- Junos Pulse Gateway is a universal platform to run SA and IC applications on application blades
  - Junos Pulse Secure Access Service (SA)
  - Junos Pulse Access Control Service (IC)
  - Other applications in the future
- Next Generation purpose-built AABU hardware platforms
  - Smaller form factor
    - Same performance in half the space
  - Lower power consumption
  - Dual personality
    - SA today, IC tomorrow
  - Common ACCESS licensing


- Includes both fixed and chassis-based systems
  - Two fixed configurations: MAG2600 and MAG4610
  - Two chassis configurations: MAG6610 and MAG6611
    - Shared power and cooling
    - Application blades
    - Optional Chassis Management Card (CMC)


MAG2600

- Fixed configuration appliance designed to be:
  - Equivalent to SA700/SA2500
  - New Enterprise Guest Access appliance
- Currently Shipping
- Capacities
  - SA: 100 Concurrent Users
  - EGA: 200 Concurrent Users
- Physical
  - 4” x 7”, < 20W power consumption
  - Single MAG-SM060 Blade embedded
- SKUs
  - MAG2600: SA or EGA appliance
  - MAG-PS260: spare/replacement external “brick” power supply
- Prepare for SA700 EOL
  - Due to parts shortages, the SA700 will be EOL’d soon (likely March 1st)


MAG4610

- Fixed configuration appliance equivalent to:
  - SA4500
  - IC4500
- Capacities
  - SA: 1000 Concurrent Users
  - IC: 5000 Concurrent Users
- Physical
  - 1U, ½-width chassis can be deployed side-by-side in 1 RU
  - Single MAG-SM160 Blade embedded
- SKUs
  - MAG4610: SA/IC, 2 node-cluster allowed
  - MAG-RK1U2 = Rack Kit, 1RU x 2 units


MAG6610

- Chassis-based appliance, which depending upon the application blade(s) installed is designed to supplement:
  - SA4500/SA6500
  - IC4500/IC6500
- Capacities
  - Dependent upon application blades installed
- Physical
  - 1U modular chassis
  - Up to two application blades
  - One chassis management card (optional)
  - One power supply (AC or DC)
  - One or two hard drives per application blade
  - Two fan trays per application blade


MAG6610 SKUS

- Chassis
  - MAG6610: Bare System Chassis with AC PS
- Application Blades (Max of 2 per chassis)
  - MAG-SM160: SA/IC application blade (4500 equiv, 1K/5K users)
  - MAG-SM360: SA/IC application blade (6500 equiv, 10K/15K users)
- Management
  - MAG-CM060: Chassis Management Card (optional)
- Power Supplies (One Required, One Max per chassis)
  - MAG-PS661: 250W AC Power Supply
  - MAG-PS663: 560W DC Power Supply
- Hard Drive Spares
  - MAG-HD060: Spare HD for SM160 and SM360


MAG6610 APPLICATION BLADE CONFIGURATION

[Chassis front view. Labels: Slot 1 (one blade here), Slot 2 (another blade here), CMC slot (chassis mgmt card fits in front slot)]


MAG6611

- Chassis-based appliance, which depending upon the application blade(s) installed is designed to supplement:
  - SA4500/SA6500
  - IC4500/IC6500
- Capacities
  - Dependent upon application blades installed
- Physical
  - 2U
  - Up to four application blades
  - One chassis management card (optional)


MAG6611 SKUS

- Chassis
  - MAG6611: Bare System Chassis with AC PS
- Application Blades (Max of 4 per chassis)
  - MAG-SM160: SA/IC application blade (4500 equiv, 1K/5K users)
  - MAG-SM360: SA/IC application blade (6500 equiv, 10K/15K users)
- Management
  - MAG-CM060: Chassis Management Card (optional)
- Power Supplies (Max of 2 per chassis, 1 Required per chassis)
  - MAG-PS662: 560W AC Power Supply
  - MAG-PS663: 560W DC Power Supply
- Hard Drive Spares
  - MAG-HD060: Spare HD for SM160 and SM360


MAG6611 APPLICATION BLADE CONFIGURATION

[Chassis front view. Labels: Slot 1, Slot 2, Slot 3, CMC slot]


MAG6611 REAR VIEW

- Power supplies, fans, and hard drives are attached in the rear of the chassis
- All components are hot-plug CAPABLE, but there is no software support for that function
  - Application blades should be powered off before replacement
  - In order to power on/off individual application blades, a CMC is required


APPLICATION BLADES

- Port Configuration
  - 1 Serial Port
  - 3 Ethernet Ports
    - Management (active only when SA)
    - Internal
    - External
- Hard Drive Configuration
  - The SM160 includes one hard drive
  - The SM360 includes an onboard RAID controller and multiple hard drives
- Additional hardware
  - SM360 includes Cavium CN1620 on-board Trusted Platform Module (TPM) chip
    - Not used at this time, reserved for future use


CHASSIS MANAGEMENT AND SINGLE SIGN-ON

- Chassis Management Card (CMC) is a daughter card that attaches to one of the application blades
  - Occupies an even-numbered slot
- CMC runs Junos v11.1 and provides
  - Chassis monitoring of “environmentals” such as power and cooling
  - Chassis control of application blades

[Chassis front view. Labels: Slot 1, Slot 2, CMC slot]


JWEB DASHBOARD


HARDWARE PRICING COMPARISON

Curr HW              Cost      MAG Equiv             Cost               Diff
SA700                $1,500    MAG2600               $1,500             0%
SA2500               $2,500    MAG2600               $1,500             -40%
SA4500               $7,000    MAG4610               $7,000             0%
SA4500               $7,000    MAG6610 + MAG-SM160   $2,500 + $4,500    0%
SA4500 A/P Cluster   $14,000   Chassis + 2 x Blade   $11,500            -18%
SA6500               $27,000   MAG6610 + MAG-SM360   $2,500 + $21,500   -11%
SA6500 A/P Cluster   $54,000   Chassis + 2 x Blade   $45,500            -16%


WHAT’S INCLUDED IN THE BOX

SKU         Blade                             Hard Drive                  Fan
MAG-SM160   MAG-SM160N (3-port Non-bypass)    MAG-HD060 (160GB SATA)      2 x MAG-FT060
MAG-SM360   MAG-SM360N (3-port Non-bypass)    2 x MAG-HD060 (160GB SATA)  2 x MAG-FT060

SKU         Chassis     Power Supply
MAG6610     MAG6610C    MAG-PS661 (250W AC)
MAG6611     MAG6611C    MAG-PS662 (560W AC)


LICENSING CHANGES


OLD CLUSTER LICENSING

- N-node cluster with 10000 concurrent users needs
  - ADD-10000U licenses at one node – the license primary
  - CL-10000U licenses at other N-1 nodes
    - CL license at other N-1 nodes for IC
  - Any feature licenses at primary node
- Cluster licensed for at least 10000 users under all circumstances
  - Up to N-1 node failures
  - Cluster partitions
    - Each partition licensed to support 10000 users
- If cluster is broken into standalone units
  - One node with licenses to support 10000 users
  - Rest of the nodes with no licensed capacity


NEW CLUSTER LICENSING

Introduced with SSLVPN 7.0 and UAC 4.1

- No CL licenses needed
  - If already present, used in a backward compatible way
- Any license can be installed at any node
  - Total concurrent user capacity = sum total of all user count licenses
  - Licenses on unreachable nodes stop contributing towards total cluster capacity if they stay unreachable for longer than the cluster grace period (5 days)
    - Unless sufficient CL licenses are present
    - Starting 7.1r2 grace period increased to 10 days
  - Customers encouraged to distribute ADD user count licenses evenly across the cluster
  - A node removed from a cluster takes its licenses with it
- Feature licenses need be present at only one node
  - No change from current behavior
- ICE licenses need be present on all nodes you want to use in case of emergency
  - 2 ICE licenses required for a 2-node cluster


CLUSTER CAPACITY EXAMPLE – GOOD

- Two node cluster
  - Node A with 500 user count licenses
  - Node B with 500 user count licenses
- Cluster capacity as seen by node A
  - Connected cluster: 500_A + 500_B = 1000
  - Disconnected cluster
    - Within grace period of 5 days: 500_A + min(500_A, 500_B) = 1000
    - Past grace period: 500_A = 500
    - Customer has 5 days to diagnose/remedy the problem
- Even license distribution
  - Desirable system behavior during cluster disconnects


CLUSTER CAPACITY EXAMPLE – NOT RECOMMENDED

- Two node cluster
  - Node A with 250 user count licenses
  - Node B with 750 user count licenses
- Cluster capacity as seen by node A
  - Connected cluster: 250_A + 750_B = 1000
  - Disconnected cluster
    - Within grace period of 5 days: 250_A + min(250_A, 750_B) = 500
    - Past grace period: 250_A = 250
- Uneven license distribution
  - Undesirable drop in licensed capacity during cluster disconnects
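
Added example (not part of the original slides and not Juniper code): the two-node capacity rules from the two examples above as a small planning calculator. Function and parameter names are assumptions, node B's view applies the same formula from its own side, and CL licenses are not modelled.

```python
# Added example: licensed capacity of a two-node cluster as seen by one node,
# following the connected / within-grace / past-grace rules on the slides.
# All names here are assumptions made for illustration.

GRACE_DAYS = 5  # slide value; the slides say 10 days starting 7.1r2


def capacity_seen_by(own, peer, peer_unreachable_days=None, grace_days=GRACE_DAYS):
    """Licensed concurrent users as seen by a node holding `own` user count
    licenses whose single peer holds `peer`.

    peer_unreachable_days=None means the cluster is connected.
    CL licenses are not modelled.
    """
    if own < 0 or peer < 0:
        raise ValueError("license counts must be non-negative")
    if peer_unreachable_days is None:
        return own + peer                # connected: sum of all licenses
    if peer_unreachable_days <= grace_days:
        return own + min(own, peer)      # disconnected, within grace period
    return own                           # past grace period: own licenses only


def disconnect_report(a, b, grace_days=GRACE_DAYS):
    """Capacity seen from each node in the three states for an a/b split."""
    report = {}
    for name, own, peer in (("A", a, b), ("B", b, a)):
        report[name] = {
            "connected": capacity_seen_by(own, peer),
            "within_grace": capacity_seen_by(own, peer, 1, grace_days),
            "past_grace": capacity_seen_by(own, peer, grace_days + 1, grace_days),
        }
    # Worst case across both nodes while the grace period is still running.
    report["worst_within_grace"] = min(
        report[n]["within_grace"] for n in ("A", "B"))
    return report


if __name__ == "__main__":
    for split in ((500, 500), (250, 750)):  # the two splits from the slides
        print(split, disconnect_report(*split))
```
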


SSLVPN Licensing Review (also for UAC)

SA2000/4000/6000
- Old cluster licensing SAx000-ADD-xxU and -CL still valid.
- New cluster licensing SAx000-ADD-xxU on both nodes starting software 7.0.
- Remark: 7.1 is last release to be supported on SAx000

SA2500/4500/6500
- Old cluster licensing SAx500-ADD-xxU and -CL still valid.
- New cluster licensing SAx500-ADD-xxU on both nodes starting software 7.0.

MAG
- Requires ACCESS-X600 licenses.
- Licenses have dual personality, SA/IC depending on MAG deployment.
- Licensing based on new cluster licensing, no -CL licenses available.
- Minimum software release for MAG is 7.1 for SSL and 4.1 for UAC.


To discuss further offline:

- License server? (larger environments)

- Virtual edition of SSL?

Do you love VMware? We do too!
