Junos® Pulse Solution for SRX Series Services Gateways
Release 5.0
Published: 2013-11-20
Copyright © 2013, Juniper Networks, Inc.

Title: Solution for SRX Series Services Gateways. Author: Juniper Networks. Created Date: 20131120133055Z



Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Copyright © 2013, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos® Pulse Solution for SRX Series Services Gateways
Release 5.0
Copyright © 2013, Juniper Networks, Inc.
All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Part 1 Overview

Chapter 1 SRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Junos Pulse and SRX Series Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

SRX Series Gateway Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Part 2 Configuration

Chapter 2 Dynamic VPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Junos Pulse and Dynamic VPN Configuration Overview . . . . . . . . . . . . . . . . . . . . . . 7

Part 3 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11


List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii


About the Documentation

• Documentation and Release Notes on page vii

• Supported Platforms on page vii

• Documentation Conventions on page vii

• Documentation Feedback on page ix

• Requesting Technical Support on page ix

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

• SRX Series

Documentation Conventions

Table 1 on page viii defines notice icons used in this guide.


Table 1: Notice Icons

Each entry gives the meaning of the icon followed by its description.

• Informational note: Indicates important features or instructions.

• Caution: Indicates a situation that might result in loss of data or hardware damage.

• Warning: Alerts you to the risk of personal injury or death.

• Laser warning: Alerts you to the risk of personal injury from a laser.

Table 2 on page viii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Each entry gives the convention, its description, and one or more examples.

Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

< > (angle brackets)
Description: Encloses optional keywords or variables.
Example:
    stub <default-metric metric>;

| (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

# (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example:
    rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example:
    community name members [ community-ids ]

Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example for indention, braces, and semicolons:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

> (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

• Document or topic name

• URL or page number

• Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


PART 1

Overview

• SRX Series Services Gateways on page 3


CHAPTER 1

SRX Series Services Gateways

• Junos Pulse and SRX Series Gateways on page 3

• SRX Series Gateway Deployment Options on page 4

Junos Pulse and SRX Series Gateways

The dynamic virtual private network (VPN) feature of SRX Series gateways simplifies remote access by enabling users to establish Internet Protocol Security (IPsec) VPN tunnels without having to manually configure VPN settings on their endpoints. Junos Pulse supports dynamic VPN connectivity to SRX Series gateways. The VPN settings are part of a Pulse SRX connection. Depending on the version of Junos OS on the SRX gateway, you might be able to deploy Pulse to endpoints from the SRX Series gateway through a Web portal. A remote client accesses the Web portal and, after being authenticated, downloads and installs Pulse. The installation includes a Pulse connection to the SRX Series gateway. Alternatively, you can create and deploy firewall connections from Pulse Access Control Service and Pulse Secure Access Service. See the Junos Pulse Supported Platform Guide for details on the Junos OS versions that are able to deploy Pulse.

To configure a firewall access environment for Pulse clients, you must configure the VPN settings on the SRX Series gateway and create and deploy an SRX connection on the Junos Pulse client.

NOTE: Junos Pulse for mobile devices can access Pulse Secure Access Service only.

For SRX Series gateways that cannot deploy Junos Pulse client software, you have the following configuration and deployment options:

• In an environment that includes Pulse Secure Access Service and Pulse Access Control Service, create connections of the type SRX with a target address of your SRX Series Services gateway. Users could then install the Junos Pulse client software and the connection configurations by logging in to the Web portal of the Pulse Secure Access Service or Pulse Access Control Service and being assigned to a role that installs Junos Pulse. After the installation, the endpoint has the Junos Pulse client software and the connection information required to connect to the SRX Series Services gateways.

• Install the default Junos Pulse software package, and then have users create new connections that point to the SRX Series gateway.

SRX Series gateways supported an earlier access client called Juniper Networks Access Manager. You must uninstall Access Manager before you deploy Junos Pulse to endpoints. The Pulse installation program checks for Access Manager. If Access Manager is present, the program displays a message instructing the user to uninstall Access Manager before installing Pulse.

NOTE: The automatic update feature is supported on Pulse Secure Access and Pulse Access Control servers only. SRX gateways do not support automatic Pulse software updates.

Related Documentation

• Junos Pulse and Dynamic VPN Configuration Overview on page 7

SRX Series Gateway Deployment Options

Endpoints can use Junos Pulse client software to connect to SRX Series gateways that are running Junos OS Release 10.2, and that have dynamic VPN access enabled and configured. The following describes deployment options for SRX Series gateway connections:

• You can create connections that use the connection type “Firewall” and deploy these connections from Pulse Secure Access Service or Junos Pulse Access Control Service.

• You can download the Junos Pulse installer from a Pulse server or the Juniper Networks Web and install it using local distribution methods such as SMS/SCCM. After installing Pulse, users create a connection to an SRX gateway.

Related Documentation

• Understanding Session Migration


PART 2

Configuration

• Dynamic VPN Configuration on page 7


CHAPTER 2

Dynamic VPN Configuration

• Junos Pulse and Dynamic VPN Configuration Overview on page 7

Junos Pulse and Dynamic VPN Configuration Overview

A dynamic VPN allows administrators to provide IPsec access for Windows endpoints to a Pulse server on a Juniper Networks device while also providing a way to distribute the Dynamic VPN software to remote clients through the use of a Web portal.

The following procedure lists the tasks for configuring a dynamic VPN. For detailed information on these topics, see the Junos OS documentation.

1. Configure authentication and address assignment for the remote clients:

a. Configure an XAuth profile to authenticate users and assign addresses. You can use local authentication or an external RADIUS server. Use the profile configuration statement at the [edit access] hierarchy level to configure the XAuth profile. To use the XAuth profile for Web authentication, use the web-authentication configuration statement at the [edit access firewall-authentication] hierarchy level.

b. Assign IP addresses from a local address pool if local authentication is used. Use the address-assignment pool configuration statement at the [edit access] hierarchy level. You can specify a subnet or a range of IP addresses. Or you can specify IP addresses for DNS and WINS servers.

2. Configure the VPN tunnel:

a. Configure the IKE policy. The mode must be aggressive. You can use basic, compatible, or standard proposal sets. Only preshared keys are supported for phase 1 authentication. Use the policy configuration statement at the [edit security ike] hierarchy level.

b. Configure the IKE gateway. Either shared or group IKE IDs can be used. You can configure the maximum number of simultaneous connections to the gateway. Use the gateway configuration statement at the [edit security ike] hierarchy level.

c. Configure the IPsec VPN. You can use basic, compatible, or standard proposal sets with the policy configuration statement at the [edit security ipsec] hierarchy level. Use the vpn configuration statement at the [edit security ipsec] hierarchy level to configure the IPsec gateway and policy.

d. Configure a security policy to allow traffic from the remote clients to the IKE gateway. Use the policy configuration statement at the [edit security policies from-zone zone to-zone zone] hierarchy level.

NOTE: The placement of this security policy is important. You must place it above more specific, non-VPN policies so that traffic that is intended to be sent over the VPN tunnel is processed correctly.

e. Configure host inbound traffic to allow specific traffic to reach the device from systems that are connected to its interfaces. For example, IKE and HTTPS traffic must be allowed.

f. (Optional) If the client address pool belongs to a subnet that is directly connected to the device, the device would need to respond to ARP requests to addresses in the pool from other devices in the same zone. Use the proxy-arp configuration statement at the [edit security nat] hierarchy level. Specify the interface that directly connects the subnet to the device and the addresses in the pool.

3. Associate the dynamic VPN with remote clients:

a. Specify the access profile for use with dynamic VPN. Use the access-profile configuration statement at the [edit security dynamic-vpn] hierarchy level.

b. Configure the clients who can use the dynamic VPN. Specify protected resources (traffic to the protected resource travels through the specified dynamic VPN tunnel and is therefore protected by the firewall’s security policies) or exceptions to the protected resources list (traffic that does not travel through the dynamic VPN tunnel and is sent in clear text). These options control the routes that are pushed to the client when the tunnel is up, therefore controlling the traffic that is sent through the tunnel. Use the clients configuration statement at the [edit security dynamic-vpn] hierarchy level.

Related Documentation

• Junos Pulse Client Installation Overview


PART 3

Index

• Index on page 11


Index

Symbols

#, comments in configuration statements ... ix
( ), in syntax descriptions ... ix
< >, in syntax descriptions ... viii
[ ], in configuration statements ... ix
{ }, in configuration statements ... ix
| (pipe), in syntax descriptions ... ix

A

Access Manager ... 4

B

braces, in configuration statements ... ix
brackets
    angle, in syntax descriptions ... viii
    square, in configuration statements ... ix

C

comments, in configuration statements ... ix
conventions
    text and syntax ... viii
curly braces, in configuration statements ... ix
customer support ... ix
    contacting JTAC ... ix

D

documentation
    comments on ... ix
dynamic VPNs
    configuration overview ... 7

F

firewall access
    configuring on SRX ... 3
font conventions ... viii

M

manuals
    comments on ... ix

P

parentheses, in syntax descriptions ... ix

S

SRX Series gateways
    deployment option ... 4
support, technical See technical support
syntax conventions ... viii

T

technical support
    contacting JTAC ... ix

V

VPN ... 3
