j Sa Sslvpn 7.1 Adminguide

Junos Pulse Secure Access Service

Administration Guide

Release

7.1

Published: 2011-06-22

Part Number: , Revision 1

Copyright 2011, Juniper Networks, Inc.

Juniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, California 94089USA408-745-2000www.juniper.net

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997,Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no partof them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentationand software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed throughrelease 3.0 by Cornell University and its collaborators. Gated is based on Kirtons EGP, UC Berkeleys routing daemon (routed), and DCNsHELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateDsoftware copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D.L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All othertrademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that areowned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos Pulse Secure Access Service Administration Guide

Revision HistoryFebruary 2010Integrate Version 7.0 new features

The information in this document is current as of the date listed in the revision history.

Copyright 2011, Juniper Networks, Inc.ii

ENDUSER LICENSE AGREEMENT

READ THIS ENDUSER LICENSE AGREEMENT (AGREEMENT) BEFORE DOWNLOADING, INSTALLING, ORUSING THE SOFTWARE.BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMSCONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TOBIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINEDHEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKSREGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customers principal office is located in the Americas) orJuniper Networks (Cayman) Limited (if the Customers principal office is located outside the Americas) (such applicable entity being referredto herein as Juniper), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicablelicense(s) for use of the Software (Customer) (collectively, the Parties).

2. The Software. In this Agreement, Software means the program modules and features of the Juniper or Juniper-supplied software, forwhich Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded byJuniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. Software also includes updates, upgradesand new releases of such software. Embedded Software means Software which Juniper has embedded in or loaded onto the Juniperequipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. LicenseGrant.Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customera non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to thefollowing use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased byCustomer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing unitsfor which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey AccessClient software only, Customer shall use such Software on a single computer containing a single physical random access memory spaceand containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines(e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a singlechassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer mayspecify limits to Customers use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrentusers, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase ofseparate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput,performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the useof the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software.Customers use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customers right to use the Software expires 30 days after download, installation or use of theSoftware. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may notextend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customersenterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of theSteel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchasethe applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agreesnot to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorizedcopies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of theSoftware, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any productin which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniperequipment sold in the secondhand market; (f) use any locked or key-restricted feature, function, service, application, operation, or capabilitywithout first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application,operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

iiiCopyright 2011, Juniper Networks, Inc.

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i)use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment thatthe Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarkingof the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expresslyprovided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper,Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper.As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence,which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Softwarefor Customers internal business purposes.

7. Ownership. Juniper and Junipers licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and tothe Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyanceof any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copiesof the Software.

8. Warranty, Limitation of Liability, Disclaimer ofWarranty. The warranty applicable to the Software shall be as set forth in the warrantystatement that accompanies the Software (the Warranty Statement). Nothing in this Agreement shall give rise to any obligation to supportthe Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support servicesagreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA,OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGESARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPERBE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE.EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANYAND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANYIMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOESJUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUTERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Junipers or its suppliersor licensors liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paidby Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid byCustomer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement inreliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk betweenthe Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the sameform an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic terminationof the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and relateddocumentation in Customers possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising fromthe purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdictionshall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. Allpayments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper inconnection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showingCustomers payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax tobe paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply withall applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to anyliability incurred by Juniper as a result of Customers non-compliance or delay with its responsibilities herein. Customers obligations underthis Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and anyapplicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any suchrestrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of theSoftware supplied to Customer may contain encryption or other capabilities restricting Customers ability to export the Software withoutan export license.

Copyright 2011, Juniper Networks, Inc.iv

12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use,duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customerwith the interface information needed to achieve interoperability between the Software and another independently created program, onpayment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall usesuch information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software.Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose productsor technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement,and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third partysoftware may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extentportions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for suchportions publicly available (such as the GNU General Public License (GPL) or the GNU Library General Public License (LGPL)), Juniperwill make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to threeyears from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPLat http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of lawsprinciples. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputesarising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federalcourts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customerwith respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written(including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by anauthorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms containedherein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writingby the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validityof the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and theParties agree that the English version will govern. (For Canada: Les parties aux prsents confirment leur volont que cette convention demme que tous les documents y compris tout avis qui s'y rattach, soient redigs en langue anglaise. (Translation: The parties confirm thatthis Agreement and all related documentation is and will be in the English language)).

vCopyright 2011, Juniper Networks, Inc.

Abbreviated Table of ContentsAbout This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii

Part 1 Getting StartedChapter 1 Initial Verification and Key Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2 Introduction to the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Part 2 Access Management FrameworkChapter 3 General Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Chapter 4 User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Chapter 5 Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Chapter 6 Virtual Desktop Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Chapter 7 Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Chapter 8 Authentication and Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Chapter 9 Authentication Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Chapter 10 Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Chapter 11 Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Chapter 12 Synchronizing User Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Part 3 Endpoint DefenseChapter 13 Host Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

Chapter 14 Cache Cleaner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Part 4 Remote AccessChapter 15 Hosted Java Applets Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Chapter 16 Citrix Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Chapter 17 Lotus iNotes Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Chapter 18 Microsoft OWA Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

Chapter 19 Microsoft Sharepoint Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Chapter 20 Web Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Chapter 21 File Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Chapter 22 Secure Application Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

Chapter 23 Telnet/SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

Chapter 24 Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551

viiCopyright 2011, Juniper Networks, Inc.

Chapter 25 Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601

Chapter 26 Email Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625

Chapter 27 Network Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Part 5 SystemManagementChapter 28 General System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681

Chapter 29 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723

Chapter 30 System Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761

Chapter 31 Logging and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803

Chapter 32 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827

Chapter 33 Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841

Chapter 34 Delegating Administrator Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869

Chapter 35 Instant Virtual System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875

Chapter 36 SA Series Appliance and IDP Interoperability . . . . . . . . . . . . . . . . . . . . . . . . 929

Part 6 System ServicesChapter 37 SA Series Appliance Serial Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941

Chapter 38 Customizable Admin and End-User UIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947

Chapter 39 SA6000 Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 949

Chapter 40 SA4500 and SA6500 Series Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 953

Chapter 41 Secure Access FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963

Chapter 42 SA4500 and SA6500 FIPS Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975

Chapter 43 Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983

Chapter 44 Multi-Language Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987

Chapter 45 Handheld Devices and PDAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991

Chapter 46 Using IKEv2 with the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . 999

Chapter 47 Writing Custom Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1005

Part 7 IndexIndex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1027

Copyright 2011, Juniper Networks, Inc.viii


Table of ContentsAbout This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii

Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviiAudience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviiDocument Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviiDocumentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviiiObtaining Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviiiDocumentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviiiRequesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxixOpening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxix

Part 1 Getting StartedChapter 1 Initial Verification and Key Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Verifying User Accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Creating a Test Scenario to Learn SA Series Appliance Concepts and Best

Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Defining a User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Defining a Resource Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Defining an Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Defining an Authentication Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Defining a Sign-In Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Using the Test Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Default Settings for Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 2 Introduction to the SA Series Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

SA Series Solution Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Securing Traffic With SA Series Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Authenticating Users With Existing Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Fine-Tuning Access to the SA Series SSL VPN Appliance and the Resources It

Intermediates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Creating a Seamless Integration Between the SA Series SSL VPN Appliance and

the Resources It Intermediates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Protecting Against Infected Computers and Other Security Concerns . . . . . . . . . . 21Ensuring Redundancy in the SA Series Environment . . . . . . . . . . . . . . . . . . . . . . . 22Making the SA Series Interface Match My Companys Look-and-Feel . . . . . . . . . 22Enabling Users on a Variety of Computers and Devices to Use the SA Series SSL

VPN Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Providing Secure Access for My International Users . . . . . . . . . . . . . . . . . . . . . . . . 23Configuring the SA Series SSL VPN Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

ixCopyright 2011, Juniper Networks, Inc.

Network and Security Manager and the Infranet Controller . . . . . . . . . . . . . . . . . . 25How the SA Series SSL VPN Appliance and NSM communicate . . . . . . . . . . 25Available Services and Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . 26DMI Communication with the SA Series SSL VPN Appliance . . . . . . . . . . . . . 27

Configuring Secure Access for the Initial DMI Connection . . . . . . . . . . . . . . . . . . . 27Managing Large Binary Data Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Uploading and Linking Large Binary Data Files With NSM . . . . . . . . . . . . . . . . . . . 30Importing Custom Sign-In Pages With NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Importing Antivirus LiveUpdate Settings With NSM . . . . . . . . . . . . . . . . . . . . . . . . 32Importing Endpoint Security Assessment Plug-in (ESAP) Packages With

NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Uploading a Third-Party Host Checker Policy With NSM . . . . . . . . . . . . . . . . . . . . 34Linking to a Third-Party Host Checker Policy Shared Object With NSM . . . . . . . . 35Linking to a Secure Virtual Workspace Wallpaper Image Shared Object With

NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Importing Hosted Java Applets With NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Importing a Custom Citrix Client .cab File With NSM . . . . . . . . . . . . . . . . . . . . . . . 37Junos Pulse Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Session Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Location Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Security Certificates on Junos Pulse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38User Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38SA Series Gateway Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Platform Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Junos Pulse Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Configuring a Role for Junos Pulse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Client Connection Set Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Creating a Client Connection Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Configuring Connection Rules for Location Awareness . . . . . . . . . . . . . . . . . . . . . 48Junos Pulse Component Set Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Creating a Client Component Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Junos Pulse Client Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Installing the Junos Pulse Client from the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Installing the Junos Pulse Client Using a Preconfiguration File . . . . . . . . . . . . . . . 54

Installing the Pulse Client Using Advanced Command Line Options . . . . . . . 55Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Part 2 Access Management FrameworkChapter 3 General Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Access Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Policies, Rules & Restrictions, and Conditions Overview . . . . . . . . . . . . . . . . . . . . 60

Accessing Authentication Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Accessing User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Accessing Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Policies, Rules & Restrictions, and Conditions Evaluation . . . . . . . . . . . . . . . . . . . 62Dynamic Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Understanding Dynamic Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Understanding Standard Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Copyright 2011, Juniper Networks, Inc.x


Enabling Dynamic Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Specifying Source IP Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Specifying Source IP Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Specifying Browser Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Specifying Certificate Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Specifying Password Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Specifying Session Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73IF-MAP Federation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

IF-MAP Federation Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77IF-MAP Federation Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

IF-MAP Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Task Summary: Configuring IF-MAP Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Configuring IF-MAP Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Configuring the IF-MAP Federation Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82IF-MAP Federation Network Timing Considerations . . . . . . . . . . . . . . . . . . . . . . . 82Session-Export and Session-Import Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Default Session-Export and Session-Import Policy Action . . . . . . . . . . . . . . 85Advanced Session-Export and Session-Import Policies . . . . . . . . . . . . . . . . . 85

Configuring Session-Export Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Session-Import Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Troubleshooting the IF-MAP Federation Network . . . . . . . . . . . . . . . . . . . . . . . . . 88Viewing Active Users on the IF-MAP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Trusted Server List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Administrator and User Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89White List Flow Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Chapter 4 User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

User Roles Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93User Role Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Permissive Merge Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95Configuration of User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Configuring General Role Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Role Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98Specifying Role-Based Source IP Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Specifying Role Session Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Customizing the SA Series SSL VPN Appliance Welcome Page . . . . . . . . . . . . . 103Defining Default Options for User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Customizing Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Customizing UI Views for User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Chapter 5 Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Resource Profile Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114Defining Resource Profile Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Defining Resource Profile Autopolicies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118Defining Resource Profile Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119Defining Resource Profile Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Resource Profile Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

xiCopyright 2011, Juniper Networks, Inc.

Table of Contents

Chapter 6 Virtual Desktop Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Virtual Desktop Resource Profile Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123Configuring a Citrix XenDesktop Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . 124Configuring a VMware View Manager Resource Profile . . . . . . . . . . . . . . . . . . . . . 125Defining Bookmarks for a Virtual Desktop Profile . . . . . . . . . . . . . . . . . . . . . . . . . 126Configuring the Client Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127Connecting to the Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Chapter 7 Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Resource Policy Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Specifying Resources for a Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

General Notes About the Canonical Formats . . . . . . . . . . . . . . . . . . . . . . . . . 133Specifying Server Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Resource Policy Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Creating Detailed Rules for Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Writing a Detailed Rule for Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Customizing Resource Policy UI Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Chapter 8 Authentication and Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

About Authentication and Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142Task Summary: Configuring Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . 143About Anonymous Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Anonymous Server Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145Defining an Anonymous Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145Using an RSA ACE/Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Defining an ACE/Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Using Active Directory or NT Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149Defining an Active Directory or Windows NT Domain Server Instance . . . . . . . . . 150Multi-Domain User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Windows 2000 and Windows 2003 Multi-Domain Authentication . . . . . . . 152Windows NT4 Multi-Domain Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 152NT User Normalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Using the Kerberos Debugging Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Active Directory and NT Group Lookup Support . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Active Directory Lookup Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154NT4 Group Lookup Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Certificate Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155Configuring a Certificate Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156Using an LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Defining an LDAP Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Configuring LDAP Search Attributes for Meeting Creators . . . . . . . . . . . . . . . . . . 160Enabling LDAP Password Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Enabling LDAP Password Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161Supported LDAP Directories and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161Troubleshooting LDAP Password Management on the SA Series

Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165Using a Local Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165Defining a Local Authentication Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . 165

Copyright 2011, Juniper Networks, Inc.xii


Creating User Accounts on a Local Authentication Server . . . . . . . . . . . . . . . . . . 168Configuring an NIS Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169Configuring a RADIUS Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

User Experience for RADIUS Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Using CASQUE Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Defining an SA Series RADIUS Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . 172Enabling RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175General RADIUS Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Understanding Clustering Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186Understanding the Interim Update Feature . . . . . . . . . . . . . . . . . . . . . . . . . . 186

eTrust SiteMinder Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187Authentication Using Various Authentication Schemes . . . . . . . . . . . . . . . . 190Determining the Username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Configuring SiteMinder to Work with the SA Series SSL VPN Appliance . . . . . . . 191Configuring the SiteMinder Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192Creating a SiteMinder Authentication Scheme for the SA Series SSL VPN

Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Creating a SiteMinder Domain for the SA Series SSL VPN Appliance . . . . . . . . . 195Creating a SiteMinder Realm for the SA Series SSL VPN Appliance . . . . . . . . . . 195Creating a Rule/Response Pair to Pass Usernames to the SA Series SSL VPN

Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196Configuring Secure Access to Work with SiteMinder . . . . . . . . . . . . . . . . . . . . . . . 197Using SiteMinder User Attributes for Secure Access Role Mapping . . . . . . . . . . . 207Defining a SiteMinder Realm for Automatic Sign-In . . . . . . . . . . . . . . . . . . . . . . . 207Debugging SiteMinder and Secure Access Issues . . . . . . . . . . . . . . . . . . . . . . . . 208Configuring a SAML Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Using the Artifact Profile and POST Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 209Using the Artifact Profile Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209Using the POST Profile Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Understanding Assertions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211Creating a new SAML Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214Configuring the SAML Server Instance to Use an Artifact Profile . . . . . . . . . . . . . 215Configuring the SAML Server Instance to Use the POST Profile . . . . . . . . . . . . . . 215About SAML 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

About Metadata Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216Using the SA Series Appliance as a Service Provider . . . . . . . . . . . . . . . . . . . 217Using the SA Series Appliance as an Identify Provider . . . . . . . . . . . . . . . . . . 217Using the SA Series Appliance as a Policy Enforcement Point . . . . . . . . . . . 217

Configuring Global SAML 2.0 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217Managing Metadata Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218Configuring the SA Series SSL VPN Appliance as a Service Provider for SAML

2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219Configuring the SA Series SSL VPN Appliance as an Identity Provider . . . . . . . . . 221Configuring the SA Series SSL VPN Appliance as a Policy Enforcement Point . . 223

xiiiCopyright 2011, Juniper Networks, Inc.

Table of Contents

Chapter 9 Authentication Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Authentication Realm Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227Creating an Authentication Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228Defining Authentication Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229Role Mapping Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230Specifying Role Mapping Rules for an Authentication Realm . . . . . . . . . . . . . . . . 231Using the LDAP Server Catalog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233Customizing User Realm UI Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Chapter 10 Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

About Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239Task Summary: Configuring Sign In Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242About Configuring Sign In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242Configuring User Sign In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242Defining authorization-only access policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245Defining Meeting Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247Configuring Sign-In pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Configuring Standard Sign-In Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Chapter 11 Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

About Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251About Multiple Sign-In Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Task Summary: Configuring Multiple Authentication Servers . . . . . . . . . . . . . . . 253Task Summary: Enabling SSO to Resources Protected by Basic

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253Task Summary: Enabling SSO to Resources Protected by NTLM . . . . . . . . . . . . 254Multiple Sign-In Credentials Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255Configuring SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260Configuring SAML SSO Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263Creating a Single Sign-On POST Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267Creating a SAM Access Control Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . 270Creating a Trust Relationship Between SAML-Enabled Systems . . . . . . . . . . . . . 273

Configuring Trusted Application URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273Configuring an Issuer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274Configuring Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

Configuring SSO Transactions: Artifact Profile . . . . . . . . . . . . . . . . . . . . 274Configuring SSO Transactions: POST Profile . . . . . . . . . . . . . . . . . . . . . 275Configuring Access Control Transactions . . . . . . . . . . . . . . . . . . . . . . . . 276

Configuring User Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

Chapter 12 Synchronizing User Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

About User Record Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279Enabling User Record Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281Configuring the User Record Synchronization Authentication Server . . . . . . . . . 282Configuring the User Record Synchronization Server . . . . . . . . . . . . . . . . . . . . . . 282Configuring the User Record Synchronization Client . . . . . . . . . . . . . . . . . . . . . . 283Configuring the User Record Synchronization Database . . . . . . . . . . . . . . . . . . . 284

Copyright 2011, Juniper Networks, Inc.xiv


Part 3 Endpoint DefenseChapter 13 Host Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

Host Checker and Trusted Network Computing . . . . . . . . . . . . . . . . . . . . . . . . . . 290Task Summary: Configuring Host Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292Creating Global Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293Enabling Enhanced Endpoint Security Functionality . . . . . . . . . . . . . . . . . . . . . . 295Enabling Connection Control Host Checker Policies (Windows Only) . . . . . . . . 297Creating and Configuring New Client-side Host Checker Policies . . . . . . . . . . . . 298Checking for Third-Party Applications Using Predefined Rules (Windows

Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299Configuring a Predefined Antivirus Rule with Remediation Options . . . . . . . . . . 300Configuring a Predefined Firewall Rule with Remediation Options (Windows

Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302Configuring a Predefined AntiSpyware Rule (Windows Only) . . . . . . . . . . . . . . . 303Configuring Virus Signature Version Monitoring and Patch Assessment Data

Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304Patch Management Info Monitoring and Patch Deployment . . . . . . . . . . . . . . . 306

Additional Functionality with Pulse 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307User Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308Using a System Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

Specifying Customized Requirements Using Custom Rules . . . . . . . . . . . . . . . . . 310Using a Wildcard or Environment Variable in a Host Checker Rule . . . . . . . . . . . . 315Configuring Patch Assessment Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Using a System Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317Configuring Patch Assessment Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319Using Third-party Integrity Measurement Verifiers . . . . . . . . . . . . . . . . . . . . . . . . 321Configuring a Remote IMV Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322Implementing the Third-Party IMV Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328Implementing Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Executing Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330About Host Checker Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331Remediating Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

General Host Checker Remediation User Experience . . . . . . . . . . . . . . . . . . 334Configuring General Host Checker Remediation . . . . . . . . . . . . . . . . . . . . . . . . . 335Upgrading the Endpoint Security Assessment Plug-In . . . . . . . . . . . . . . . . . . . . . 337Defining Host Checker Pre-Authentication Access Tunnels . . . . . . . . . . . . . . . . . 339Specifying Host Checker Pre-Authentication Access Tunnel Definitions . . . . . . 340Specifying General Host Checker Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343Specifying Host Checker Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 344Client ActiveX Installation Delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346Using Host Checker with the GINA Automatic Sign-In Function . . . . . . . . . . . . . 346Installing Host Checker Automatically or Manually . . . . . . . . . . . . . . . . . . . . . . . 347Using Host Checker Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348Configuring Host Checker for Windows Mobile . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Requiring Junos Pulse Mobile Security for SA Series Gateway Access . . . . . 349Using Proxy Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

xvCopyright 2011, Juniper Networks, Inc.

Table of Contents

Enabling the Secure Virtual Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350Secure Virtual Workspace Restrictions and Defaults . . . . . . . . . . . . . . . . . . . 351Configuring the Secure Virtual Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . 352

Defining Secure Virtual Workspace Permissions . . . . . . . . . . . . . . . . . . . . . . . . . 353Defining a Secure Virtual Workspace Application Policy . . . . . . . . . . . . . . . . . . . 354Defining a Secure Virtual Workspace Security Policy . . . . . . . . . . . . . . . . . . . . . . 355Defining Secure Virtual Workspace Environment Options . . . . . . . . . . . . . . . . . . 356Defining Secure Virtual Workspace Remediation Policy . . . . . . . . . . . . . . . . . . . . 357

Chapter 14 Cache Cleaner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

About Cache Cleaner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359Setting Global Cache Cleaner Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359Implementing Cache Cleaner Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362Specifying Cache Cleaner Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363About Cache Cleaner Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

Part 4 Remote AccessChapter 15 Hosted Java Applets Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

About Hosted Java Applet Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367Task Summary: Hosting Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368Uploading Java Applets to Secure Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368Signing Uploaded Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369Creating HTML Pages That Reference Uploaded Java Applets . . . . . . . . . . . . . . 370Accessing Java Applet Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370Creating a Hosted Java Applet Resource Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 371Configuring Hosted Java Applet Resource Profile Bookmarks . . . . . . . . . . . . . . . 372Creating Hosted Java Applets Bookmarks Through the User Roles Page . . . . . . 374Required Attributes for Uploaded Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . 375Required Parameters for Uploaded Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . 376Use case: Creating a Citrix JICA 9.5 Java Applet Bookmark . . . . . . . . . . . . . . . . . 377

Chapter 16 Citrix Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

About Citrix Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381Comparing Secure Access Access Mechanisms for Configuring Citrix . . . . . . . . 382Creating Resource Profiles Using Citrix Web Applications . . . . . . . . . . . . . . . . . . 385

Chapter 17 Lotus iNotes Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Creating Resource Profiles Using the Lotus iNotes Template . . . . . . . . . . . . . . . . 391

Chapter 18 Microsoft OWA Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

Creating Resource Profiles Using the Microsoft OWA Template . . . . . . . . . . . . . 395

Chapter 19 Microsoft Sharepoint Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Creating Resource Profiles Using the Microsoft Sharepoint Template . . . . . . . . 399

Chapter 20 Web Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Web Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402Task summary: Configuring the Web Rewriting Feature . . . . . . . . . . . . . . . . . . . 404Remote SSO Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405Passthrough Proxy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406Creating a Custom Web Application Resource Profile . . . . . . . . . . . . . . . . . . . . . 408

Copyright 2011, Juniper Networks, Inc.xvi


Defining a Web Access Control Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411Defining a Single Sign-On Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411Defining a Caching Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414Defining a Java Access Control Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416Defining a Rewriting Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418Defining a Web Compression Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422Defining Web Resource Profile Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422Specifying Web Browsing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426Resource Policy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430Writing a Web Access Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432Defining Single Sign-On Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433About Basic, NTLM and Kerberos Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433Writing the Basic, NTLM and Kerberos Resources . . . . . . . . . . . . . . . . . . . . . . . . 434Writing a Basic Authentication, NTLM or Kerberos Intermediation Resource

Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438Writing a Remote SSO Form POST Resource Policy . . . . . . . . . . . . . . . . . . . . . . 440Writing a Remote SSO Headers/Cookies Resource Policy . . . . . . . . . . . . . . . . . . 443Writing a Web Caching Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444About OWA and Lotus Notes Caching Resource Policies . . . . . . . . . . . . . . . . . . 447Specifying General Caching Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448Writing a Java Access Control Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 448Writing a Java Code Signing Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449Creating a Selective Rewriting Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 451Creating a Passthrough Proxy Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 453Creating a Custom Header Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455Creating an ActiveX Parameter Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 457Restoring the Default SA Series Appliance ActiveX Resource Policies . . . . . . . . 459

Creating Rewriting Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463Writing a Web Compression Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463Defining an OWA Compression Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . 464Writing a Web Proxy Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465Specifying Web Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466Writing An HTTP 1.1 Protocol Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 466Creating a Cross Domain Access Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468Defining Resource Policies: General Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469Managing Resource Policies: Customizing UI Views . . . . . . . . . . . . . . . . . . . . . . . 470

Chapter 21 File Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

File Rewriting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471Creating a File Rewriting Resource Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473Creating a File Access Control Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474Creating a File Compression Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474Creating a Single Sign-On Autopolicy (Windows Only) . . . . . . . . . . . . . . . . . . . . 475Configuring File Resource Profile Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476Creating Windows File Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478Creating Advanced Bookmarks to Windows Resources . . . . . . . . . . . . . . . . . . . . 479Creating Windows Bookmarks that Map to LDAP Servers . . . . . . . . . . . . . . . . . 480

xviiCopyright 2011, Juniper Networks, Inc.

Table of Contents

Defining General Windows File Browsing Options . . . . . . . . . . . . . . . . . . . . . . . . 480Writing a File Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

Windows File Resources Canonical Format . . . . . . . . . . . . . . . . . . . . . . . . . . 481Writing a Windows Access Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482Writing a Windows SSO Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483Writing a Windows Compression Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . 484Defining General File Writing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485Creating UNIX File Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486Creating Advanced Bookmarks to UNIX Resources . . . . . . . . . . . . . . . . . . . . . . . 487Defining General UNIX File Browsing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 488Defining UNIX/NFS File Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

Canonical Format: UNIX/NFS File Resources . . . . . . . . . . . . . . . . . . . . . . . . 489Writing UNIX/NFS Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490Writing a UNIX/NFS Compression Resource Policy . . . . . . . . . . . . . . . . . . . . . . . 490Defining General UNIX/NFS File Writing Options . . . . . . . . . . . . . . . . . . . . . . . . . 491

Chapter 22 Secure Application Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

Secure Application Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494Task Summary: Configuring WSAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494Launching Network Connect During a WSAM Session . . . . . . . . . . . . . . . . . . . . 495Debugging WSAM Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496About WSAM Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496Creating WSAM Client Application Resource Profiles . . . . . . . . . . . . . . . . . . . . . 497Creating WSAM Destination Network Resource Profiles . . . . . . . . . . . . . . . . . . . 498Specifying Applications and Servers for WSAM to Secure . . . . . . . . . . . . . . . . . 499Specifying Applications that Need to Bypass WSAM . . . . . . . . . . . . . . . . . . . . . . 501Specifying Role-Level WSAM Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502Specifying Application Servers that Users can Access . . . . . . . . . . . . . . . . . . . . 504Specifying Resource Level WSAM Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505Using the WSAM Launcher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506JSAM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510Task Summary: Configuring JSAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510Using JSAM for Client/Server Communications . . . . . . . . . . . . . . . . . . . . . . . . . . 512

Assigning IP Loopback Addresses to Servers . . . . . . . . . . . . . . . . . . . . . . . . . 513Using Static Loopback Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514IP Loopback Address Considerations When Merging Roles . . . . . . . . . . . . . . 515Resolving Host Names to Localhost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Configuring a PC that Connects to the SA Series Appliance Through a ProxyWeb Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

Determining the SA Series Appliance-Assigned Loopback Address . . . . . . . . . . 517Configuring External DNS Servers and User Machines . . . . . . . . . . . . . . . . . . . . . 518JSAM Linux and Macintosh Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519Standard Application Support: MS Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Client/Server Communication Using JSAM . . . . . . . . . . . . . . . . . . . . . . . . . . 520Standard Application Support: Lotus Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

Client/Server Communication Using JSAM . . . . . . . . . . . . . . . . . . . . . . . . . . 521Configuring the Lotus Notes Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522Standard Application Support: Citrix Web Interface for MetaFrame (NFuse

Classic) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523

Copyright 2011, Juniper Networks, Inc.xviii


Enabling Citrix Published Applications on the Citrix Native Client . . . . . . . . . . . . 524Enabling Citrix Secure Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527Creating a JSAM Application Resource Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 528Specifying Applications for JSAM to Secure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532Specifying Role Level JSAM Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534Automatically Launching JSAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535Specifying Application Servers that Users Can Access . . . . . . . . . . . . . . . . . . . . . 537Specifying Resource Level JSAM Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

Chapter 23 Telnet/SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

About Telnet/SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541Task summary: Configuring the Telnet/SSH Feature . . . . . . . . . . . . . . . . . . . . . . 542Creating a Telnet/SSH Resource Profile: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543Associating Bookmarks with Telnet/SSH Resource Profiles . . . . . . . . . . . . . . . . 544Configuring General Telnet/SSH Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547Writing a Telnet/SSH Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548

Chapter 24 Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551

About Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552Terminal Services User Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552

Task Summary: Configuring the Terminal Services Feature . . . . . . . . . . . . . . . . . 553Terminal Services Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555Configuring Citrix to Support ICA Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . 556About Terminal Services Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558Configuring a Windows Terminal Services Resource Profile . . . . . . . . . . . . . . . . 559Defining a Hosted Java Applet Autopolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560Defining a Bookmark for a Windows Terminal Services Profile . . . . . . . . . . . . . . 563Creating a Windows Terminal Services Bookmark Through the User Roles

Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564Defining Display Options for the Windows Terminal Services Session . . . . . . . . 565Defining SSO Options for the Windows Terminal Services Session . . . . . . . . . . 565Defining Application Settings for the Windows Terminal Services Session . . . . 566Defining Device Connections for the Windows Terminal Services Session . . . . . 567Defining Desktop Settings for the Windows Terminal Services Session . . . . . . . 568Creating a Citrix Terminal Services Resource Profile Using Default ICA

Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569Defining a Bookmark for a Citrix Profile Using Default ICA Settings . . . . . . . . . . 570Defining Display Options for the Citrix Terminal Services Session . . . . . . . . . . . . 572Defining SSO Options for the Citrix Terminal Services Session . . . . . . . . . . . . . . 573Defining Application, Auto-Launch, and Session Reliability Settings for the Citrix

Terminal Services Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574Defining Device Connections for the Citrix Terminal Services Session . . . . . . . . 575Creating a Citrix Resource Profile That Uses a Custom ICA File . . . . . . . . . . . . . . 576Defining a Bookmark for a Citrix Profile Using a Custom ICA File . . . . . . . . . . . . . 578Creating a Citrix Profile That Lists Published Applications . . . . . . . . . . . . . . . . . . 579Defining a Bookmark for a Citrix Profile Listing Applications . . . . . . . . . . . . . . . . 580Creating Session Bookmarks to Your Terminal Server . . . . . . . . . . . . . . . . . . . . . 582Creating Advanced Terminal Services Session Bookmarks . . . . . . . . . . . . . . . . . 583

xixCopyright 2011, Juniper Networks, Inc.

Table of Contents

Creating Links from an External Site to a Terminal Services SessionBookmark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589

Specifying General Terminal Services Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 595Configuring Terminal Services Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . 598Specifying the Terminal Services Resource Option . . . . . . . . . . . . . . . . . . . . . . . 599Using the Remote Desktop Launcher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Chapter 25 Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601

Secure Meeting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601Task Summary: Configuring Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603Scheduling Meetings Through the SA Series End-User Console . . . . . . . . . . . . . 604Scheduling Meetings Through Microsoft Outlook . . . . . . . . . . . . . . . . . . . . . . . . 605Sending Notification Emails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606Joining Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607Attending Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609Conducting Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609Presenting Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610About Instant Meetings and Support Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . 611About MySecureMeeting Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612

Joining MySecureMeeting Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613Enabling and Configuring Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613Permissive Merge Guidelines for Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . 617Specifying Authentication Servers that Meeting Creators Can Access . . . . . . . . 618Configuring System-Level Meeting Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619Troubleshooting Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622

Known Issues with SecureMeeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623Monitoring Secure Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624

Chapter 26 Email Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625

About the Email Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625Choosing an Email Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626Working with a Standards-Based Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 627Working with the Microsoft Exchange Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628

Exchange Server and IMAP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628Exchange Server and POP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629Exchange Server and Outlook Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . 629

About Lotus Notes and the Lotus Notes Mail Server . . . . . . . . . . . . . . . . . . . . . . 630Enabling the Email Client at the Role Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630Writing the Email Client Resource Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631

Chapter 27 Network Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

About Network Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634Task Summary: Configuring Network Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . 635Network Connect Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637Automatically Signing into Network Connect using GINA . . . . . . . . . . . . . . . . . . 639Using GINA Chaining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641Network Connect Credential Provider for Windows Vista and Later . . . . . . . . . . 641Smart Card Credential Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643Launching Network Connect During a Windows Secure Application Manager

Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644

Copyright 2011, Juniper Networks, Inc.xx


Logging In To Windows Through a Secure Tunnel . . . . . . . . . . . . . . . . . . . . . . . . 645Network Connect Connection Profiles with Support for Multiple DNS

Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645Network Connect Incompatibility with Other VPN Client Applications . . . . . . . 646Linux Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647Client Side Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647Network Connect Proxy Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647Network Connect Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649Network Connect Multicast Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649Defining Network Connect Role Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650About Network Connect Resource Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653Defining Network Connect Access Control Policies . . . . . . . . . . . . . . . . . . . . . . . 654Creating Network Connect Connection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 655Defining Network Connect Split Tunneling Policies . . . . . . . . . . . . . . . . . . . . . . . 662Network Connect Resource Policy Configuration Use Case . . . . . . . . . . . . . . . . 664About Network Connect Bandwidth Management Policies . . . . . . . . . . . . . . . . 665

User is Mapped to Multiple Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668

Writing a Network Connect Bandwidth Management Resource Policy . . . . . . . 668Specifying IP Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669Network Connect installer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670

Network Connect Installation Process Dependencies . . . . . . . . . . . . . . . . . 670Network Connect Un-installation Process Dependencies . . . . . . . . . . . . . . . 671

Network Connect Launcher (NC Launcher) Overview . . . . . . . . . . . . . . . . . . . . . 673Launching Network Connect On Other Platforms . . . . . . . . . . . . . . . . . . . . . . . . 675Troubleshooting Network Connect Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677

nc.windows.app.23792 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677Version Conflict on Downgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677Error When Connecting to a FIPS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . 678

Part 5 SystemManagementChapter 28 General System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681

General Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682Internal and External Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683

Bonding Ports on the SA Series 6000 SSL VPN Appliance . . . . . . . . . . . . . 684Bonding Ports on the SA Series 6500 SSL VPN Appliance . . . . . . . . . . . . . 684

Configuring the Internal and External Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684Configuring SFP Ports on the SA Series 6000 SSL VPN Appliance . . . . . . . . . . 685Configuring the Management Port on the SA Series 6000 SSL VPN

Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686Using VLANs with the SA Series Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687Creating a New VLAN Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689Configuring Virtual Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689Configuring Static Routes for Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691Creating ARP Caches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692

xxiCopyright 2011, Juniper Networks, Inc.

Table of Contents

Specifying Host Names for the SA Series Appliance to Resolve Locally . . . . . . . 693Using Central Management Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693

Modifying Central Management Dashboard Graphs . . . . . . . . . . . . . . . . . . 694Configuring System Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696

Reviewing System Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696Upgrading or Downgrading the SA Series Appliance . . . . . . . . . . . . . . . . . . 697Setting System Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698

Downloading Application Installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700Obtaining, Entering and Upgrading Your License Keys . . . . . . . . . . . . . . . . . . . . . 702Configuring License Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705Upgrading License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706About Subscription Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708

Available Subscription Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708Activating and Deactivating Emergency Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 709Setting Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710

Setting System-Wide Security Options . . . . . . . .

j Sa Sslvpn 7.1 Adminguide

Documents

Transcript of j Sa Sslvpn 7.1 Adminguide