Subasish Junos Admin Guide
-
Upload
subhasish-biswal -
Category
Documents
-
view
218 -
download
0
Transcript of Subasish Junos Admin Guide
-
7/30/2019 Subasish Junos Admin Guide
1/130
Junos Pulse Application AccelerationService
Administration Guide
Release
6.2
Published: 2011-10-20
Copyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
2/130
Juniper Networks, Inc.1194North Mathilda AvenueSunnyvale, California 94089USA408-745-2000www.juniper.net
Thisproduct includesthe Envoy SNMPEngine, developed by EpilogueTechnology,an IntegratedSystems Company.Copyright 1986-1997,
Epilogue Technology Corporation.All rights reserved. This program and its documentation were developed at privateexpense, and no part
of them is in thepublic domain.
This product includes memory allocation software developed by Mark Moraes,copyright 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation
and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright
1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through
release 3.0 by Cornell University and its collaborators. Gated is based on Kirtons EGP, UC Berkeleys routing daemon (routed), and DCNs
HELLO routing protocol. Development of Gated has beensupported in part by the National Science Foundation. Portions of the GateD
software copyright 1988, Regentsof theUniversityof California.All rights reserved. Portionsof theGateD software copyright 1991, D.
L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc.in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc.All other
trademarks, service marks, registered trademarks, or registered service marks are the property of theirrespective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Products made or sold byJuniper Networks or components thereof might be covered by oneor more of thefollowingpatents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440,6,192,051, 6,333,650, 6,359,479, 6,406,312,
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Junos PulseApplication AccelerationServiceAdministrationGuideCopyright 2011, Juniper Networks, Inc.
All rights reserved.
Revision History
October 2011Revision 01
The informationin this document is currentas of thedatelisted in the revisionhistory.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However,the NTPapplicationis known to have some difficulty in theyear2036.
SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase
order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks.
By using this software, you indicate that you understand and agree to be bound by those termsand conditions.Generallyspeaking, the
software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses.
The software license maystate conditions under which the license is automatically terminated. You should consult the license for further
details. For complete product documentation, please see the Juniper Networks website at www.juniper.net/techpubs.
Copyright 2011, Juniper Networks, Inc.ii
-
7/30/2019 Subasish Junos Admin Guide
3/130
END USER LICENSE AGREEMENT
The Juniper Networks product that is thesubject of this technical documentationconsists of (or is intended for usewith)Juniper Networks
software. Useof such software is subject to theterms and conditions of theEnd User License Agreement (EULA) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to theterms and conditions
of that EULA.
iiiCopyright 2011, Juniper Networks, Inc.
http://www.juniper.net/support/eula.htmlhttp://www.juniper.net/support/eula.html -
7/30/2019 Subasish Junos Admin Guide
4/130
Copyright 2011, Juniper Networks, Inc.iv
-
7/30/2019 Subasish Junos Admin Guide
5/130
Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
List of Technical Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Part 1 Getting Started
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Junos Pulse Application Acceleration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Application Acceleration Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Application Acceleration Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . 4
New Features in JWOS Release 6.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Sample Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Inline Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Off-Path Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Deployment with VPN Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chapter 2 Installing Junos Pulse Application Acceleration Gateways . . . . . . . . . . . . . . . 9
Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Preinstallation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Interface Speeds and Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Inline and Off-Path Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Running Quick Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Postinstallation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Part 2 Configuration and Management
Chapter 3 Configuring Setup Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Using the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Understanding the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Using Special Characters in Object Names . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configuring Basic Setup Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Configuring the Device Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Configuring the Bridge Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Configuring the Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
vCopyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
6/130
Configuring the Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configuring the Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Obtaining a Permanent License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Configuring the Community Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Configuring AAA Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Defining Local User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Securing Front Panel Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Loading the SSO Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configuring ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configuring SNMP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configuring Syslog Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configuring Packet Interception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 4 Configuring Acceleration Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Types of Application Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Overview of TCP Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Overview of Microsoft CIFS and Exchange Acceleration . . . . . . . . . . . . . . . . 30Overview of SSL Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configuring Application Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configuring Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring SMB Signing for CIFS Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configuring the Keystore Passphrase for SSL Optimization . . . . . . . . . . . . . . . . . 40
Managing SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Chapter 5 Viewing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Viewing and Printing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Executive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
WAN Accelerated Throughput Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Application Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Compression Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Sessions Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
MAPI Sessions Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Chapter 6 Managing Junos Pulse Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Junos Pulse Client Hardware and Software Requirements . . . . . . . . . . . . . . . . . . 49
Installing the Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Configuring Personal Firewalls for Junos Pulse Acceleration . . . . . . . . . . . . . 50
Downloading the Junos Pulse Client from a Pulse Secure Access Server . . . . 51
Downloading the Junos Pulse Client from a Pulse Application Acceleration
Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Uninstalling the Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Managing Junos Pulse Client Software, Configurations, and Policies . . . . . . . . . . 52
Enabling Pulse Client Downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Enabling Pulse Client Adjacencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Configuring Pulse Client Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Viewing the Status of Pulse Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Defining the Pulse Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Viewing the Pulse Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Copyright 2011, Juniper Networks, Inc.vi
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
7/130
Uploading Pulse Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Distributing the Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Distributing the Pulse Client Through an SA Series Gateway . . . . . . . . . 57
Distributing the Pulse Client Through SMS . . . . . . . . . . . . . . . . . . . . . . . 58
Chapter 7 Maintaining Junos Pulse Application Acceleration Gateways . . . . . . . . . . . 59
Maintaining Configurations and Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Saving a Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Viewing the Gateway Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Loading a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Loading a Software Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Clearing Monitoring Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Restoring the Factory Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Rebooting or Shutting Down a Gateway or Junos Pulse Module . . . . . . . . . . 64
Maintaining the Disk Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Viewing the Gateway Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Using Maintenance Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Using the Ping Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Using the Traceroute Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Using the Packet Capture Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Viewing and Saving System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Viewing and Saving Access Control Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Exporting Performance Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Creating a Diagnostic File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Viewing Flow Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Troubleshooting Passthrough Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Detecting Passthrough Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Using the Web Interface to Recover from Passthrough Mode . . . . . . . . . . . . . 72
Using the Console to Recover from Passthrough Mode . . . . . . . . . . . . . . . . . . 72
Part 3 Specifications
Appendix A Specifications for Application Acceleration Service Gateways . . . . . . . . . . 77
Platform Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
General Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Specifications for MAG-SM161, MAG4611, and MAG-SM361 . . . . . . . . . . . . . . 79
DB9 Console Port Pinouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Appendix B SNMP Traps and SyslogMessages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
System Events and SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Syslog Message Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Appendix C Exported Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Exported Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
General Device Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Data Section Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
System Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Compression Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
WAN Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
viiCopyright 2011, Juniper Networks, Inc.
Table of Contents
-
7/30/2019 Subasish Junos Admin Guide
8/130
TCP Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Exported Flow Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Appendix D Copyrights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Traceroute Copyright License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97OpenSSL Copyright License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
GNU GENERAL PUBLIC LICENSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Part 4 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Copyright 2011, Juniper Networks, Inc.viii
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
9/130
List of Figures
Part 1 Getting Started
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 1: Typical Inline Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Figure 2: Off-Path Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Figure 3: VPN Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Part 2 Configuration and Management
Chapter 3 Configuring Setup Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 4: JWOS Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
ixCopyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
10/130
Copyright 2011, Juniper Networks, Inc.x
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
11/130
List of Tables
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Table 1: Notice icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Table 2: Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Table 3: GUI Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Part 2 Configuration and Management
Chapter 3 Configuring Setup Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 4: Interface Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Chapter 4 Configuring Acceleration Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Table 5: Default Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Table 6: DSCP and IP Precedence Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Chapter 6 Managing Junos Pulse Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Table 7: Personal Firewall Exceptions for Pulse Acceleration . . . . . . . . . . . . . . . . 50
Chapter 7 Maintaining Junos Pulse Application Acceleration Gateways . . . . . . . . . . . 59
Table 8: Passthrough Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Part 3 Specifications
Table 9: General Specifications for All Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Table 10: MAG Series Module Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Table 11: Pinouts for DB9-to-DB9 Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Table 12: Pinouts for DB9-to-DB25 Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Table 13: System Events and SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Table 14: General Device Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Table 15: Data Section Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table 16: System Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table 17: Compression Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Table 18: WAN Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Table 19: TCP Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Table 20: Flow Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Appendix A Specifications for Application Acceleration Service Gateways . . . . . . . . . . 77
Table 9: General Specifications for All Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Table 10: MAG Series Module Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Table 11: Pinouts for DB9-to-DB9 Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Table 12: Pinouts for DB9-to-DB25 Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Appendix B SNMP Traps and SyslogMessages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Table 13: System Events and SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
xiCopyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
12/130
Appendix C Exported Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Table 14: General Device Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Table 15: Data Section Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table 16: System Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table 17: Compression Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Table 18: WAN Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Table 19: TCP Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Table 20: Flow Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Copyright 2011, Juniper Networks, Inc.xii
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
13/130
About This Guide
Objectives on page xiii
Audience on page xiii
Document Conventions on page xiii
List of Technical Publications on page xiv
Requesting Technical Support on page xv
Objectives
This guide describes how to use the Web interface to configure and monitor Junos Pulse
Application Acceleration Service gateways. The gateways accelerate application traffic
for remote clients that have Junos Pulse installed.
To perform management tasks using the command-line interface (CLI), see theJunos
PulseApplication Acceleration Service Command Reference Guide.
Audience
This guide is intended for administrators who configure and manage the the Junos PulseApplication Acceleration Service. Be sure you are familiar with your network architecture
and devices and that you can perform basic network configuration procedures.
Document Conventions
Table 1 on page xiv defines notice icons used in this guide, Table 2 on page xiv defines
text conventions used throughout the book, and Table 3 on page xiv defines the GUI
conventions.
xiiiCopyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
14/130
Table 1: Notice icons
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Indicates that you may risk losing data or damaging your
hardware.
Caution
Alerts you to the risk of personal injury.Warning
Table 2: Text Conventions
DescriptionConvention
Filenames and directory names.Sans serif type
Terms defined in text.
Variable elements for which you supply values.
Book titles.
Italics
Key names linked with a plus sign indicatethatyou must press
two or more keys simultaneously.
+ (plus sign)
Table 3: GUI Conventions
DescriptionConvention
Navigation paths through the UI.> (right angle bracket)
User interface elements that you select in a procedure, such
as tabs, buttons, and menu options.
Bold type
Variables for which you supply values.Italics
List of Technical Publications
The following additional documents are available at http://www.juniper.net/techpubs:
JunosPulseApplication Acceleration Service Command Reference GuideDescribes
how to use the CLI to configure the Junos Pulse Application Acceleration Service.
MAG Series Junos PulseGateway HardwareGuideDescribes how to set up the MAG
Series gateways and install and configure individual modules.
JunosPulseAdministration GuideDescribes how to configure anddistribute the Junos
Pulse client from a JuniperNetworks IC Seriesor SA Seriesdevice. Onlinehelp provided
Copyright 2011, Juniper Networks, Inc.xiv
Junos Pulse Application Acceleration Service Administration Guide
http://www.juniper.net/techpubshttp://www.juniper.net/techpubs -
7/30/2019 Subasish Junos Admin Guide
15/130
withthe Junos Pulse client describes how to use the featuresavailable to the end user,
such as viewing the client status.
Requesting Technical Support
Technical productsupport is availablethrough the Juniper Networks TechnicalAssistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
JTAC policiesFor a complete understanding of our JTAC procedures and policies,
review theJTACUser Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .
Product warrantiesFor product warranty information, visit
http://www.juniper.net/support/warranty/ .
JTAC hours of operationThe JTAC centers have resources available 24 hours a day,
7 daysa week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlementby productserial number, use our Serial NumberEntitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
xvCopyright 2011, Juniper Networks, Inc.
About This Guide
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdfhttp://www.juniper.net/support/warranty/http://www.juniper.net/customers/support/http://www2.juniper.net/kb/http://www.juniper.net/techpubs/http://kb.juniper.net/http://www.juniper.net/customers/csc/software/https://www.juniper.net/alerts/http://www.juniper.net/company/communities/http://www.juniper.net/cm/https://tools.juniper.net/SerialNumberEntitlementSearch/http://www.juniper.net/cm/http://www.juniper.net/cm/https://tools.juniper.net/SerialNumberEntitlementSearch/http://www.juniper.net/cm/http://www.juniper.net/company/communities/https://www.juniper.net/alerts/http://www.juniper.net/customers/csc/software/http://kb.juniper.net/http://www.juniper.net/techpubs/http://www2.juniper.net/kb/http://www.juniper.net/customers/support/http://www.juniper.net/support/warranty/http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf -
7/30/2019 Subasish Junos Admin Guide
16/130
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html .
Copyright 2011, Juniper Networks, Inc.xvi
Junos Pulse Application Acceleration Service Administration Guide
http://www.juniper.net/support/requesting-support.htmlhttp://www.juniper.net/support/requesting-support.html -
7/30/2019 Subasish Junos Admin Guide
17/130
PART 1
Getting Started
Introduction on page 3
Installing Junos Pulse Application Acceleration Gateways on page 9
1Copyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
18/130
Copyright 2011, Juniper Networks, Inc.2
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
19/130
CHAPTER 1
Introduction
Thischapterintroducesthe features provided by the JunosPulse ApplicationAcceleration
Service, and describes the new features in this release.
Junos Pulse Application Acceleration Overview on page 3
Sample Deployments on page 6
Junos Pulse Application Acceleration Overview
Application traffic can be accelerated between Junos Pulse Application Acceleration
Service gateways, typically installed in a data center, and remote clients that have the
Junos Pulse software installed.
The following gateways and clients are supported:
The Junos Pulse Application Acceleration Service gateways include:
MAG4611 gateway
MAG6610 or MAG6611 gateways with an SM161 or SM361Application Acceleration
Service Module installed
WXC3400, WXC2600, or WXC590 gateways that have been upgraded to JWOS 6.1
or higher
Junos Pulse Clients Windows 7, Windows Vista, or Windows XP clients that have
Junos Pulse installed
Application Acceleration Technologies
The following technologies are used to compress and accelerate application traffic:
LZ compressionAmemory-basedcompressionalgorithm thatlocates repeated data
patterns at the byte level, in real time, across all IP application sessions. The reduction
in traffic effectively increases the WAN bandwidth, reduces network congestion, and
improves overall data flow.
Network Sequence Caching (NSC)A disk-based compression algorithm used to
identify and retain long patterns of repeated traffic. NSC is most effective where large
files are often sent over the WAN.
3Copyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
20/130
TCP accelerationWhile compression effectively increases available bandwidth, TCP
acceleration improves TCP application performance where the use of available
bandwidth is constrained by network latency.
CIFS accelerationAn application-level acceleration method for Microsoft CommonInternet File System (CIFS) traffic.
Exchange accelerationAn application-level acceleration method for Microsoft
Exchange traffic. Unencrypted traffic is accelerated between any combination of
Outlook 2003, 2007, and 2010 clients and Exchange 2003, 2007, and 2010 servers.
SSL optimizationAn application-level optimization method that decrypts Secure
Socket Layer (SSL) trafficso that LZand NSCcompression canbe applied. Applications
are supported, such as HTTPS, that negotiate an SSL connection soon after the TCP
connection is established (implicit SSL).
Application Acceleration Features and Benefits
Application acceleration enables networks to achieve maximum capacity over WAN
links. The primary features and benefits include:
Secure AccessDesigned to work closely with the Junos Pulse Secure Access Service
to provide both secure access and acceleration benefits to mobile users and users in
remote branch office environments.
Substantial throughput gainGreatly improves WAN capacity, accelerates TCP
applications in high-latency environments, and reduces the load on other network
devices.
Immediateimpact with autodiscoveryGains arerealizedimmediately. Thegateways
and Junos Pulse clients discover each other automatically, and dynamically form an
adjacencyto accelerate the traffic between them.
TransparencyOperates transparently to existing network equipment, topologies,
andWAN interfaces (such asFrameRelay, MPLS, andATM). No network or application
modifications are required.
Application independenceWorks on any TCP-based application (such as e-mail,
database, Web, ERP, and so on). Uses open standard protocols.
Fail-safe nonstop operationTraffic is passed through on any hardware or software
disruption, including power loss.
Easy managementProvides administrative access through a CLI and an intuitive
Web user interface. You can also monitor performance through an SNMP-based
management system.
Seamless operation with VPNs and firewallsInstalls on the LAN side of encryption
devices to work seamlessly with virtual private networks (VPNs) and firewalls.
Copyright 2011, Juniper Networks, Inc.4
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
21/130
New Features in JWOS Release 6.2
JWOS Release 6.2 includes the following new features:
MAG Series Junos Pulse Gateway supportThe new MAG Series gateways support
bothApplication Acceleration ServiceModules and IntegratedAccessServiceModules.
Thefollowing table liststhe number of JunosPulse clients supported bythe Application
Acceleration Service Modules and the MAG4611 gateway.
Junos Pulse ClientsModule/Gateway
1000MAG-SM361 module
250MAG-SM161 module
250MAG4611 platform
Exchange accelerationAn application-level acceleration method for unencrypted
Microsoft Exchangetraffic between any combination of Outlook 2003,2007, and 2010
clients and Exchange 2003, 2007, and 2010 servers.
SSL optimizationAn application-level optimization method that decrypts Secure
Socket Layer (SSL) traffic so that LZ and NSC compression can be applied. SSL
optimization supports applications that negotiate an SSL connection soon after the
TCP connection is established (implicit SSL), such as HTTPS.
NSC compressionDisk-based compression used to identify and retain long patterns
of repeated traffic. Data patterns are learned from traffic in both directions, and the
dictionary on the gateway is automatically synchronized with the dictionary on the
Pulse clients.
HTTP requests redirected to HTTPSAttempts to access the gateway over HTTP
(port 80)are redirected to HTTPS (port 443). Specifically,the URLshttp://
and http:///client are changed to https:// and
https:///client. HTTPS is required for security, andthe network must allow
traffic on port 443.
Automatic scaling of TCP window sizeThe TCP window size is increased
automatically (up to 256 KB) to maximize throughput and acceleration gains on
high-bandwidth, low-latency connections.
Compatibility with previous releasesThe MAG Series gateways require JWOS 6.2
or higher. Any WXC590, WXC2600, or WXC3400 that has WXOS 5.7 or higher can be
upgraded to JWOS 6.2. Traffic can be accelerated for remote clients with Pulse 2.0,but Pulse 2.1 is required to support the new features in JWOS 6.2, such as NSC
compression and SSL optimization.
Junos Pulse clients do not support WXC gateways that are running JWOS 6.0 or any
version of WXOS. To upgrade from JWOS 6.0 to JWOS 6.2, you must first downgrade
to WXOS (see theJWOS6.2 Release Notes).
5Copyright 2011, Juniper Networks, Inc.
Chapter 1: Introduction
http://%3Cip-address%3E/http://%3Cip-address%3E/clienthttps://%3Cip-address%3E/https://%3Cip-address%3E/clienthttps://%3Cip-address%3E/clienthttps://%3Cip-address%3E/http://%3Cip-address%3E/clienthttp://%3Cip-address%3E/ -
7/30/2019 Subasish Junos Admin Guide
22/130
Related
Documentation
Platform Specifications on page 77
Sample Deployments
The following topics provide sample deployment topologies for Junos Pulse Application
Acceleration:
Inline Deployment on page 6
Off-Path Deployment on page 6
Deployment with VPN Devices on page 7
Inline Deployment
When the Junos Pulse client is installed on Windows workstations, WAN traffic can be
accelerated from the Pulse clients to a remote Junos Pulse gateway installed on the
other side of the WAN. Typically, the gateway is deployed in the data path between aLAN switch and an edge router (see Figure1 on page 6).
Figure 1: Typical Inline Deployment
Off-Path Deployment
Junos Pulse gateways are usually deployed in the physical data path between a LAN
switch and a WAN edge router, with no changes to Layer 3 routing. When interrupting
the data path is not practical, such as in collapsed backbone environments where the
switch and the router are the same physical device, you can deploy the gateway off path
(see Figure 2 on page 7). In this case, the Local interface (port 1 on a Junos Pulse
gateway) is connected to the switch or the router, and the Remote interface (port 2 on
a Junos Pulse gateway) is not used. Connecting the gateway directly to the router is
recommended.
Copyright 2011, Juniper Networks, Inc.6
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
23/130
Figure 2: Off-Path Deployment
Deployment with VPN Devices
Junos Pulse gateways operate transparently relative to existing network equipment,
including firewalls and VPN devices (see Figure3 on page 7). By compressing data
before it enters the VPN tunnel, the gateways and Pulse clients reduce the workload for
the VPN devices. The same bandwidth multiplication effect is achieved for VPN
encapsulated traffic as for unencapsulated traffic.
NOTE: Junos Pulse gateways should always be deployed behind a firewall
or VPN device. However, Network Address Translation(NAT) is not supported.
If NAT is enabled on the local firewall, all traffic is passed through without
any processing.
Figure 3: VPN Deployment
7Copyright 2011, Juniper Networks, Inc.
Chapter 1: Introduction
-
7/30/2019 Subasish Junos Admin Guide
24/130
Copyright 2011, Juniper Networks, Inc.8
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
25/130
CHAPTER 2
Installing Junos Pulse ApplicationAcceleration Gateways
The following topics provide an overview of the installation process for the Junos Pulse
Application Acceleration Service gateways. For the installation details for each Junos
Pulse gateway, see theMAG Series Junos Pulse Gateway Hardware Guide.
Installation Overview on page 9
Running Quick Setup on page 11
Postinstallation Tasks on page 12
Installation Overview
Preinstallation Tasks on page 9
Interface Speeds and Modes on page 10
Installation Procedure on page 10
Inline and Off-Path Installations on page 10
Preinstallation Tasks
Before you begin, complete the following preinstallation tasks:
Ensure that sufficient power is available and that power supply circuits are protected
by a 15A or 20A circuit breaker.
Ensure there is ample space and lighting. You need enough space to connect one or
two CAT-5 UTP Ethernet data cables and one or two power cords to the back of the
chassis, as well as enough lighting to see the LEDs on the data ports.
Provide at least 24 inches of clearance in the front and back of the chassis to allow
service personnel to remove and install hardware components. Provide 3 inches of
clearance on both sides of the chassis to allow the cooling system to function properly.
Do not install one gateway directly behind another, which can cause warm or hot air
to be recirculated.
Do not place paper materials or heavy equipment on top of the gateway.
For rack-mount installations, reserve sufficient space for each form factor, as follows:
1 U MAG4610 and MAG6610
9Copyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
26/130
2 U MAG6611
Identify a 10/100/1000 Ethernet LAN port where you can connect the gateway. This
port is typically on an aggregation switch or another LAN device that is connected
directly to the WAN router.
Log in to the router that will be on the WAN side of the gateway, and note theinterface
speed and duplex mode.
On all firewall and antivirus software between the gateway and Junos Pulse clients,
note the following:
UDP port 3578 must be open. The Windows Firewall is updated when the Pulse
client is installed, but some firewalls, such as Kaspersky and Trend Micro, must be
updated manually to allow traffic on UDP port 3578.
If the gateway is installed in the DMZ, and you plan to upgrade the JWOS software
using FTP, you must open an FTP port in the firewall between the DMZ and the
intranet.
Network Address Translation (NAT) is not supported. If NAT is enabled on the local
firewall, all traffic is passed through without any optimization.
TCP options must NOT be stripped from SYN or SYN-ACK packets. TCP options are
required to form adjacencies between the gateway and the Pulse clients.
Reserve an IP address for the gateway, and identify the default gateway. The default
gateway is the next hop on the WAN side of the gateway.
For hardware safety recommendations and warnings, see theSecurity Products Safety
Guide
Interface Speeds and Modes
Interface speed and duplex settings should be the same across all devices: the switch,
the gateway interfaces, and the router. This ensures connectivity through the gateway
in case of a power loss or a condition that causes a hardware bypass.
Installation Procedure
Gateway installation consists of the following steps:
1. Install the hardware and apply power.
2. Run Quick Setup to define the required configuration settings (see Running Quick
Setup on page 11).
3. Perform postinstallation tasks foroptionalconfigurationsettings(see Postinstallation
Tasks on page 12).
Inline and Off-Path Installations
The gateway is usually installed in the data path (inline) between a LAN switch (or other
aggregationdevice)and the WAN edgerouter. If interruptingthe data path is not practical,
such as in collapsed-backbone environments, you can deploy the gateway off path.
Copyright 2011, Juniper Networks, Inc.10
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
27/130
To install a gateway off path, note the following:
Do not disconnect any cables. Simply connect the Local interface (port 1 on a MAG
Series gateway) to the switch or the router. We recommend connecting directly to the
router. Set the interface to full-duplex mode (half-duplex mode can cause excessivecollisions).
TheRemote interface(port2 on the MAGSeries gateway) is notused,so you canapply
power without first verifying connectivity between the LAN and the router.
After you run Quick Setup, configure packet interception to route traffic to the off-path
gateway (see Configuring Packet Interception on page 26).
Running Quick Setup
When the Junos Pulse Application Acceleration Service gateway is started for the first
time, or when the factorydefaultconfigurationis reloaded, you must use the Quick Setup
program to specify the network settings from a terminal connected to the serial Console
port on the gateway. All settings made during Quick Setup can be changed later.
The Quick Setup program should start automatically when you log in to the Console. If
necessary, enter the setup CLI command to start Quick Setup. For example:
WX- login: admin
Password:
******************************* WELCOME *******************************
Welcome to the Quick Setup wizard for JWOS. This wizard will enable you
to get your JWOS device up and running with minimal effort.
*********************************************************************
Press Enter to continue
---------------------------------------------------------------------
You will now configure IP parameters (IP address, subnet mask, default
gateway) to enable IP connectivity for this device. Once these parameters
are configured, additional management tasks can be performed via the
CLI or the Web interface.
setup br-0/0? yes[y]/no[n] (yes) yes
IP address: 10.204.64.146
IP subnet mask: 255.255.255.248
IP default gateway: 10.204.64.145
You have entered the following values:
IP address: 10.204.64.146
IP subnet mask: 255.255.255.248
IP default gateway: 10.204.64.145
Do you wish to change any of them? yes[y]/no[n] (no) no
Local Interface Mode: (auto, full, half) (auto) auto
Local Interface Speed: (auto, 10, 100, 1000) (auto) auto
You have entered the following values:
Local Interface Mode: auto
Local Interface Speed: auto
Do you wish to change any of them? yes[y]/no[n] (no) no
Remote Interface Mode: (auto, full, half) (auto) auto
Remote Interface Speed: (auto, 10, 100, 1000) (auto) auto
You have entered the following values:
Remote Interface Mode: auto
11Copyright 2011, Juniper Networks, Inc.
Chapter 2: Installing Junos Pulse Application Acceleration Gateways
-
7/30/2019 Subasish Junos Admin Guide
28/130
Remote Interface Speed: auto
Do you wish to change any of them? yes[y]/no[n] (no) no
Welcome To WX
WX-10.204.64.146>show interfaces bridge all status
The initial configuration is complete. For a list of key configuration tasks, see
Postinstallation Tasks on page 12.
Postinstallation Tasks
After you run Quick Setup, you can continue configuring the Junos Pulse Application
Acceleration Service gateway through the Web interface or through the CLI.
To use the Web interface, see Using the Web Interface on page 15.
To usethe CLI, seetheJunosPulseApplicationAccelerationService CommandReference
Guide.
Be sure to review the following key configuration tasks:
Set the time manually, or specify an NTP server, as described in Configuring the Time
Settings on page 20.
Change the default password for the admin account, as described in Defining Local
User Accounts on page 22.
Review the application definitions provided and add any new ones needed for your
network, as described in Configuring Application Definitions on page 33.
Configure acceleration for the appropriate applications, as described in Configuring
Application Policies on page 31.
Install the Junos Pulse client on the appropriate Windows workstations, as described
in Installing the Junos Pulse Client on page 49.
Copyright 2011, Juniper Networks, Inc.12
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
29/130
PART 2
Configuration and Management
Configuring Setup Policies on page 15
Configuring Acceleration Policies on page 29
Viewing Reports on page 43
Managing Junos Pulse Clients on page 49
Maintaining Junos Pulse Application Acceleration Gateways on page 59
13Copyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
30/130
Copyright 2011, Juniper Networks, Inc.14
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
31/130
CHAPTER 3
Configuring Setup Policies
This chapter describes how to use the Web interface to perform the basic setup
procedures on Junos Pulse Application Acceleration Service gateways. To use the CLI,
see theJunos Pulse Application AccelerationService Command Reference Guide.
Using the Web Interface on page 15
Configuring Basic Setup Policies on page 17
Configuring AAA Settings on page 22
Configuring ARP on page 24
Configuring SNMP Support on page 24
Configuring Syslog Reporting on page 25
Configuring Packet Interception on page 26
Using the Web Interface
The Web interface lets you securely access management and performance information
forJunos Pulse ApplicationAccelerationService gatewaysfromanywhere in yournetwork.
The Web interface supports Microsoft Internet Explorer, version 7.0 or 8.0, and Mozilla
Firefox3.0, 3.5, or 3.6. Be sure to configure thebrowserprivacy settings to accept cookies.
The Web interface is designed to be viewed at 1024 x 768 pixels. To ensure secure
transmission of configuration and management data, the Web interfaceuses the Secure
Sockets Layer protocol (SSL/HTTPS).
Logging In on page 15
Understanding the Web Interface on page 16
Using Special Characters in Object Names on page 16
Logging In
To log in to a gateway through the Web interface:
1. Using a supported Web browser, enter the IP address of the gateway:
https://Gateway IP address
If you enter http, the browser is redirected to https.
2. If a Security Alert dialog box appears, click Yes to proceed.
15Copyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
32/130
3. In the Enter Network Password dialog box, enter your username and password. When
you access a new gateway for the first time, use admin and juniper for the username
and password.
To log out of the JWOS Web interface, click Logout in the taskbar of any page. Users areloggedout automatically if theirsessions areinactive forthe sessiontimeouttime(default
is 30 minutes).
Understanding the Web Interface
The Web interface has a taskbar at thetop of the page, a left-hand navigation pane, and
a data pane for configuring and viewing policies and performance data. Note that the
Save function is in the upper right corner of the taskbar.
Figure 4: JWOS Web Interface
From the taskbar, select Help > About to view hardware and software information for
the gateway, such as the IP address, the software andhardwareversions, andthe license
key. Select Help> Site Map to view a list of the options available under each taskbar
selection. Select Help > Online Documentation to access the documentation website.
Using Special Characters in Object Names
Useonly letters (AthroughZ, a throughz), numbers(0through9), dashes(-),underscores
(_), and periods (.) when you assign names to the gateways, applications, and otherobjects.
Copyright 2011, Juniper Networks, Inc.16
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
33/130
Configuring Basic Setup Policies
Configuring the Device Name on page 17
Configuring the Bridge Interfaces on page 17
Configuring the Management Interface on page 19
Configuring the Domain Name on page 20
Configuring the Time Settings on page 20
Obtaining a Permanent License on page 21
Configuring the Community Name on page 21
Configuring the Device Name
The name of the Junos Pulse Application Acceleration gateway is displayed in the CLI
prompts. You can change the name, specify the devices physical location, and provide
contact information for the system administrator.
To configure the gateway name and contact information:
1. Select Setup > Basic > Device Name.
2. Specify the following information:
Enter the devicename (up to30 characters). The name is displayed in
CLI prompts, followed by a dash and the IP address. Use only letters,
numbers, dashes, underscores, and periods.
Device Name
Enter a description of the devices physical location.Device Location
Enter the contact information (up to 64 characters) for the system
administrator.
Contact Information
3. Click Submit to activate the changes, or click Reset to discard them.
4. Click Save in the taskbar to retain your changes after the next reboot.
Configuring the Bridge Interfaces
A bridgeinterface connectsa pair ofLocal andRemoteportson a JunosPulseApplication
Acceleration Service gateway (labeled ports 1 and 2). When either port receives traffic
that is not processed by the gateway, suchas broadcast or passthrough traffic,the traffic
is sent out the other port. The two ports, called aport-pair, share the IP address of the
bridge interface.
For each bridge interface, you can view the name, status, media access control (MAC)
address, and speed and mode for the associated Local and Remote interfaces. You can
also change the network settings, enable link-failure propagation, and add static routes.
Table 4 on page 18 describes the interface names.
17Copyright 2011, Juniper Networks, Inc.
Chapter 3: Configuring Setup Policies
-
7/30/2019 Subasish Junos Admin Guide
34/130
Table 4: Interface Names
DescriptionNameInterface
Every gateway has a bridge interface named br-0/0.br-slot/pairBridge
Theslotand pair numbers arethe same asthe associated
bridge interface. The /0 indicates the Local interface (port
1 on a MAG Series gateway).
ge-slot/pair/0Local
Same as the Local interface name, except that the /1
indicates the Remote interface (port 2 on a MAG Series
gateway).
ge-slot/pair/1Remote
To configure the bridge interfaces:
1. Select Setup > Basic > Bridge Interfaces, and then select the name of the bridge
interface to be configured.
2. To change the interface settings, specify the following information, and click Submit:
Enter the IP address of the bridgeinterface. If you change the IP address
or subnetmask,you must rebootthe gateway (see Rebooting or Shutting
Down a Gateway or Junos Pulse Module on page 64).
IP address
Specify the network portion of the IP address. For example, 255.255.255.0
indicates thatthe first 24bitsof the IP address are used for the network
portion of the address.
Subnet mask
Enter the IP address of the default router, which must be on the same
subnet as the bridgeIP address.
Default gateway
Select the speed and mode for the Local or Remote interface(such as
1000 full-duplex). By default, the Local and Remote interfaces are set to
negotiate the speed and mode automatically.
Note that a passive test runsperiodically and displays a message above
thetaskbar if a speed or mode mismatch is detected. Thepassive test can
detect a mismatch only when data is sent andreceived atthe same time.
Speed/Duplex
In high-availability environments, you can enablethe following options so
that when a failure is detected on one interface, the other interface turns
offfor 15 seconds. This allows theswitch or router to detectthe failure and
ensures that the routing mechanisms work as expected.
Propagate to RemoteIf the switch fails, the Remote interface is
disabled so that the router detects the loss of connectivity with theswitch.
Propagate to LocalIf the router fails, the Local interface is disabled
so that the switch detects a loss of connectivity with the router.
You can alsodisablethe hardwarepassthroughfeature so thatthe router
detects the loss of traffic if the gateway fails (see the config set system
bypass-capability commandin theJunos PulseApplication Acceleration
Service Command Reference Guide).
Link Failure
3. To add static routes to the bridge interface:
Copyright 2011, Juniper Networks, Inc.18
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
35/130
a. On the Bridge Interfaces page, select the Local Routes tab.
b. Enter the IP address, subnet mask, and theIP address of the gateway for a subnet.
c. Click Submit to add the route to the list of local routes. You can add a total of 4K
static routes. Note that ICMP redirect routes take precedence over static routes.
d. Click DELETE next to any route that you want to remove.
4. Click Save in the taskbar to retain your changes after the next reboot.
Related
Documentation
Configuring the Management Interface on page 19
Configuring the Management Interface
You can manage a Junos Pulse Application Acceleration Service gateway through a
bridge interface address or through the management port. To use the management port
(port 0 onthe MAG Seriesgateway), connect themanagement port toyourmanagement
network, and then configure an IP address, subnet mask, and default gateway for the
port. The name of the management interface is fxp0.
To configure the management interface:
1. Select Setup > Basic > Management Interface.
2. Select the Enable management interface check box, and specify the following
information:
Enter the IP address of the management interface. If you change the IP
address or subnet mask, you must reboot the gateway (see Rebooting
or Shutting Down a Gateway or Junos Pulse Module on page64).
IP Address
Specifythe network portion of theIP address.For example, 255.255.255.0
indicates thatthe first24 bitsof the IP address are usedfor the network
portion of the address.
Subnet Mask
Enter the IP address of the default router, whichmustbe on the same
subnet as the interface IP address.
Default Gateway
Select Auto to allow the interfacespeed and mode to be negotiated.To
setthe interface speed and mode manually, select Manual, and then
select a speedand mode settingfrom thelist(such as1000 full-duplex).
Speed
3. Click Submit to activate the changes, or click Reset to discard them.
4. Click Save in the taskbar to retain your changes after the next reboot.
Related
Documentation
Configuring the Bridge Interfaces on page 17
19Copyright 2011, Juniper Networks, Inc.
Chapter 3: Configuring Setup Policies
-
7/30/2019 Subasish Junos Admin Guide
36/130
Configuring the Domain Name
You can specify the local DNS domain name of a Junos Pulse Application Acceleration
Service gateway, and up to three DNS servers for use in resolving the IP addresses shownon the Flow Diagnostics page (see Viewing Flow Diagnostics on page 69).
To configure the domain name:
1. Select Setup > Basic > Domain Name.
2. Specify the following information:
Enter the local DNS domain name (up to 256 characters). The domain
name must include atleast one period, but not asthe first or last
character.
When anIP addressin thelocaldomain isresolvedby oneof thespecified
DNS servers, the local domain nameis prepended to the hostname
shown on the FlowDiagnostics page. If the domain is blank, only thehostnames areshown for resolved IP addresses in the local domain.
Resolved addresses outside the local domain include thedomain name
returned by the DNS server.
Domain Name
Enter the IP addresses of up tothree DNS servers (one per line).DNS Servers
3. Click Submit to activate the changes, or click Reset to discard them.
4. Click Save in the taskbar to retain your changes after the next reboot.
Configuring the Time Settings
If your network uses the Network Time Protocol (NTP), you can specify a primary andsecondary NTP server to maintain the current time on a Junos Pulse Application
Acceleration Service gateway. You can also set the time manually. Each entry in the
system log files includes the current time.
To configure the time settings:
1. Select Setup > Basic > Time.
2. Select the time format (AM/PM or 24 Hour).
3. Do one of the following:
If you have an NTP server in your network, select Use NTP Server, and enter the IP
address of the NTP server in the Primary box. A secondary NTP server is optional.
If you do not have an NTP server, select Enter Local Time, and enter the current
time and date.
4. Select a time zone, GMT offset, or geographical location from the Time Zone list.
Optionally, select the check box to automatically adjust the time for daylight saving
time.
Copyright 2011, Juniper Networks, Inc.20
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
37/130
5. Click Submit to activate the changes, or click Reset to discard them.
6. Click Save in the taskbar to retain your changes after the next reboot.
Obtaining a Permanent License
EachJunosPulse Application Acceleration Service gateway requiresa permanent license
key for operation. The license key registers the product and determines the number of
users who can obtain acceleration services. When the initial 30-day temporary license
expires, all traffic is passed through without any processing.
To obtain a permanent license key, gather the following information:
Device serial number displayed in the License Key page (also displayed in the About
box and on the back of the gateway).
AuthorizationCode Certificate thatwas e-mailedto youin PDFformat(ifyoupurchased
license upgrades).
User ID and password to access the License Key server at:
http://www.juniper.net/generate_license
If you lose the license key, you can use the License Key server to retrieve your current
license key.
If you have any problems with the licensing process, open a case with the Juniper Case
Manager at http://www.juniper.net/cm . To call from theUnited States, Canada, orMexico,
dial +1-888-314-JTAC. To call from other locations,check the list of localsupport centers
at http://www.juniper.net/support/requesting-support.html or dial +1-408-745-9500.
To install a permanent license key:
1. Select Setup > Basic > License Key.
The License Key page displays the status of the current license, including the licensed
modules and the compressed output for the gateway.
2. Enter your registered license key in the Enter License Key box. To obtain a registered
license key:
a. Go to http://www.juniper.net/generate_license, register to create an account, and
then log in.
b. Select Application Acceleration Products from the menu, and click Go.
c. Enter your gateway serial number and authorization code, and click Generate.
d. Copy the displayed license key into the Enter License Key box on the device.
3. Click Submit to activate the changes, or click Reset to discard them.
Configuring the Community Name
To form an adjacency witha Pulse client and accelerate traffic, theJunos Pulse Application
Acceleration Service gateway must be in the same community as the client. Initially, all
21Copyright 2011, Juniper Networks, Inc.
Chapter 3: Configuring Setup Policies
-
7/30/2019 Subasish Junos Admin Guide
38/130
gateways are in the default community. In large deployments you may want to define
separate communities.
Pulse clients that are downloaded from a gateway are in the same community as the
gateway (see Installing the Junos Pulse Client on page 49). If you later change thecommunity name, you must reinstall the Pulse client.
To configure the community:
1. Select Setup > Basic > Community.
2. Enter the community name (up to 64 characters). If you do not specify a community
name, the gateway remains in the default community. Note that changing the
community name disables all adjacencies with the Junos Pulse clients in the old
community.
3. Click Submit to activate the changes, or click Reset to discard them.
4. Click Save in the taskbar to retain your changes after the next reboot.
Configuring AAA Settings
The following topics describe how to configure the JWOS security features:
Defining Local User Accounts on page 22
Securing Front Panel Access on page 23
Loading the SSO Certificate on page 23
Defining Local User Accounts
You can define up to 25 users for local authentication on Junos Pulse ApplicationAcceleration Service gateways. The user class assigned to each account determines the
users access privileges. The predefined admin account has full access and a default
password of juniper. To ensure secure access, you should change the passwords
periodically.
To define local user accounts:
1. Select Setup > AAA > Local Users.
From the Local Users page, you can:
Add a new user account, as described in Step 2.
Change a user account. Click the username, make any needed changes, and click
Submit.
Deleteuser accounts. Select the check box next to the accounts you want to delete,
and click Submit.
2. Click New User to add a new account, and specify the following information:
Enter the account name (up to 32 characters).User Name
Copyright 2011, Juniper Networks, Inc.22
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
39/130
Select a user class to specify the users privileges:
Superuser. Full read/write privileges, including management of user
accounts.
Operator. Read/write configuration privileges, but no packet captureor user management privileges.
Read Only Plus. Read-only privileges and packet capture capability.
Read Only. Read-only privileges.
User Class
Enter the number of minutes that elapse beforean idle user is logged
out (the default is 30).
Idle Timeout
Enter the password twice (from 4 to 64 characters).Password
3. Click Submit to activate the changes.
4. Click Save in the taskbar to retain your changes after the next reboot.
Securing Front Panel Access
On the WXC2600 and WXC3400, you can lock the keypad to prevent anyone from
rebooting the gateway or making unauthorized configuration changes. The MAG Series
gateways do not have a front panel keypad.
To lock the front panel keypad:
1. Select Setup > AAA > Front Panel Access.
2. Select Locked to lock the front panel keypad.
3. Click Submit to activate the changes, or click Reset to discard them.
4. Click Save in the taskbar to retain your changes after the next reboot.
Loading the SSO Certificate
A singlesign-on(SSO)certificatecan beloadedon a MAG-SM161or MAG-SM361 module
if the module is installed in a MAG Series gateway that has a MAG-CM060 chassis
management card (CMC). After the certificate is loaded, administrators who log in to
the CMC interface can access the Application Acceleration service without having to log
in again. TheSSO certificatemust first begeneratedand loaded onthe CMC, asdescribed
in theJunos Pulse GatewayMAG-CM060Administration Guide.
To load the SSO certificate:
1. Select Setup > AAA > SSO Certificate.
2. Specify the location of the certificate:
Specify the following:
Path and filename of the SSO certificate fileon a machine in your
network (click Browse to selectthe file).
Local disk
23Copyright 2011, Juniper Networks, Inc.
Chapter 3: Configuring Setup Policies
-
7/30/2019 Subasish Junos Admin Guide
40/130
Specify the following:
IP address of a TFTP server.
Path andfilenameof theSSO certificatefile.The first character must
be a slash (\).
TFTP server
Specify the following:
IP address of an FTP server.
If the FTP server does notaccept anonymous user access, enter a
username and password for an account thathas read/writeprivileges
on the server.
Path andfilenameof theSSO certificatefile.The first character must
be a slash (\).
FTP server
3. Click Load to import the certificate.
Configuring ARP
The Address Resolution Protocol (ARP) determines whether the gateway for a route is
on the Local or Remote interface of the Junos Pulse Application Acceleration Service
gateway (labeled port 1 and 2) and discovers the hardware (MAC) addresses of devices
that are directly addressable on each interface.
For devices that do not respond to ARP requests, you can add static ARP entries that
map their IP addresses to their MAC addresses. You can also clear the dynamic ARP
entries if you suspect some entries are out of date.
To configure the ARP table:
1. Select Setup > Network > ARP.
2. Click Flush to delete all dynamic ARP entries. This forces new ARP requests to be
issued as needed.
3. Click DELETE next to any static ARP entry that you want to remove.
4. Click Add to add one or more static ARP entries. For each entry, enter the IP address
and its associated MAC address, and then select the Local or Remote interface. You
can add up to five entries at one time. The format of the MAC address is:
xx:xx:xx:xx:xx:xx.
Click Submit to activate the new entries, or click Cancel to discard them.
5. Click Save in the taskbar to retain your changes after the next reboot.
Configuring SNMP Support
TheJunosPulse Application Acceleration Servicegateways providethe following support
for SNMP:
SNMP version 2
Enterprise management information base (MIB)
Copyright 2011, Juniper Networks, Inc.24
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
41/130
MIB II, Interface Group public objects
NOTE: SNMPv2-compatible utilities are needed to query the 64-bit
counters in the Enterprise MIB.
You can use the Enterprise MIB to view performance statistics from a network
management system (NMS). In addition, you can enable SNMP traps to be sent to an
NMSand other network devices. Fora description of theSNMP traps,see SystemEvents
and SNMP Traps on page 81.
To configure support for SNMP:
1. Select Setup > Monitoring > SNMP.
2. Select the SNMP Enabled check box to enable support for SNMP, and then enter the
read and write community strings used by the NMS to access SNMP data on the
gateway. The default community strings are public and private.
3. Select the Trap Enabled check box to generate SNMP traps (version 2 traps only).
To add trap destinations (up to 10), enter the IP address and community string (up
to 30 characters), and click Add. To delete a trap destination, click Delete next to the
destination.
4. Select the Authentication Trap Enabled check box to generate traps for incorrect
logins and unauthorized user access attempts.
5. Click Submit to activate the changes, or click Reset to discard them.
6. Click Save in the taskbar to retain your changes after the next reboot.
Configuring Syslog Reporting
The Junos Pulse Application Acceleration Service gateways can send syslog messages
to up to five syslog servers. A syslog server allows you to centrally log and analyze
configuration events and system error messages such as interface status, security alerts,
and environmental conditions. For a description of the syslog messages, see System
Events and SNMP Traps on page 81.
To enable syslog reporting:
1. Select Setup > Monitoring > Syslog Server.
2. Enter the IP addresses of up to five syslog servers (one per line).
3. Select a facility from the Facility list to send the syslog messages to a specific facility
(local1 through local7). The default is local0.
4. Select the lowest severity level of the messages sent to the syslog servers. Select Any
to include all severity levels, including debug messages.
EmergencyCritical error messages about system failures.
AlertCritical error messages that need immediate action.
25Copyright 2011, Juniper Networks, Inc.
Chapter 3: Configuring Setup Policies
-
7/30/2019 Subasish Junos Admin Guide
42/130
CriticalCritical error messages that need prompt action.
ErrorNoncritical error messages, such as license expired.
WarningInformational messages about minor events that are not errors.
NoticeInformational messages about normal, but significant events.
InfoInformational messages, such as reload requests.
5. Click Submit to activate the changes, or click Reset to discard them.
6. Click Save in the taskbar to retain your changes after the next reboot.
Configuring Packet Interception
Typically, a Junos Pulse Application Acceleration Service gateway is deployed in the data
path between a LAN switch and a WAN edge router. When interrupting the data path is
not practical, youcan deploythe gateway offpath, where the Local interface is connected
to the switchor router, and the Remote interface is not used (we recommend connecting
the Local interface directly to the router).
On a MAG Series gateway, the Local and Remote interfaces are labeled ports 1 and 2.
For gateways that have multiple bridge interfaces, all interfaces must be connected in
the same way (inline or off-path).
After a gateway is installed off path, you must configure packet interception to redirect
the appropriate traffic to the gateway for acceleration.
To configure packet interception:
1. Select Setup > Advanced > Packet Interception.
2. Select Use external policy-based router commands.
3. Click Submit to activate the changes.
4. Click Save in the taskbar to retain your changes after the next reboot.
5. Enter the following CLI command to disable the Remote interface (port 2):
config set interface ge-0/0/1 disable
6. Configure a policyon thelocal router or Layer3 switch toredirect trafficto thegateway.
If the off-path gateway is connected to a dedicated port on a router, apply the policy
to the inbound interface from the LAN switch. In the following example, any incoming
packet on interface FastEthernet 0/0 that matches access-list 120 is routed to the
gateway at IP address 192.168.10.10. The access list shown here redirects all packets,
but you can specify additional filtering criteria.
interface FastEthernet 0/0
ip address 192.168.9.1 255.255.255.0
ip policy route-map Juniper
access-list 120 permit ip any any
route-map Juniper permit 50
Copyright 2011, Juniper Networks, Inc.26
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
43/130
match ip address 120
set ip next-hop 192.168.10.10
If the off-path gateway is connected to a dedicated VLAN on a Layer 3 switch, the
commands are almost the same, except that you apply the policy to the inbound
interface from the LAN:
interface Vlan200
ip address 192.168.9.1 255.255.255.0
ip policy route-map Juniper
NOTE: Use the setip next-hop command to redirect packets to the IP
addressof thebridgeinterfaceon thegateway. Donot usetheset interface
command to redirect traffic to the interface where the gateway is
connected.
27Copyright 2011, Juniper Networks, Inc.
Chapter 3: Configuring Setup Policies
-
7/30/2019 Subasish Junos Admin Guide
44/130
Copyright 2011, Juniper Networks, Inc.28
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
45/130
CHAPTER 4
Configuring Acceleration Policies
Types of Application Acceleration on page 29
Configuring Application Policies on page 31
Configuring Application Definitions on page 33
Configuring SMB Signing for CIFS Acceleration on page 39
Configuring the Keystore Passphrase for SSL Optimization on page 40
Managing SSL Certificates on page 41
Types of Application Acceleration
Overview of TCP Acceleration on page 29
Overview of Microsoft CIFS and Exchange Acceleration on page 30
Overview of SSL Optimization on page 31
Overview of TCP Acceleration
In WAN environments, TCP mayrestrict thetransmission of data because long wait times
for acknowledgments (ACKs) are interpreted as signs of network congestion. TCP
acceleration solves this problem by terminating each TCP session locally. The result is
three independent TCP sessionsbetween the TCP source and the Junos Pulse client,
between the Junos Pulse client and the Junos Pulse Application Acceleration Service
gateway, and between the gateway and the destination. Because each TCP
acknowledgement (ACK) is sent locally, more data can be put in flight at once.
NOTE: TCP acceleration must be enabled for all other compression and
acceleration services.
TCP acceleration is most effective for applications that transfer large amounts of data.
In general, TCP acceleration improves performance if the maximum window size (the
effective bandwidth multiplied by the latency) exceeds the TCP window size.
For example, on a T1 link (1.5 Mbps), where the latency is 200 ms and a 50 percent data
compression doubles the effective bandwidth, the maximum window size is:
(3,088,000 bps * 0.200 seconds)/8 = 77,200 bytes
29Copyright 2011, Juniper Networks, Inc.
-
7/30/2019 Subasish Junos Admin Guide
46/130
In this case, TCP acceleration improves performance if the hosts TCP window size is
64KB or less.
NOTE: As with high bandwidth and latency, high compression rates alsoincrease the maximum window size, which in turn increases the benefit of
TCP acceleration.
Related
Documentation
Configuring Application Policies on page 31
Overview of Microsoft CIFS and Exchange Acceleration
If TCP acceleration is enabled, the Junos Pulse Application Acceleration Service can also
accelerate Microsoft CIFS and Microsoft Exchange (MAPI) traffic. Microsoft CIFS and
Exchange transfer files by sending one block of data at a time, and then waiting for an
acknowledgment before sending the next block. The serial transmission of small datablocks is a major contributor to slow performance over the WAN.
When CIFS or Exchange acceleration is enabled, each block of traffic sent during bulk
read/write operations is acknowledged locally. This allows many data blocks to be in
flight at the same time, which speeds up the data transfer. Acceleration benefits begin
at relatively low latencies.
Note the following:
CIFSaccelerationis supported between Junos Pulse clients and mostWindows servers,
and between Pulse clients and Samba version 3.0 and later. CIFS acceleration is not
supported between any combination of Windowsplatforms that use SMB2 (Windows
7, Windows Vista, and Windows Server 2008).
When CIFS Server Message Block (SMB) signing is enabled, additional processing is
required to accelerate the traffic flow (see Configuring SMB Signing for CIFS
Acceleration on page 39). CIFS traffic flows are not accelerated when SMB2 signing
is enabled.
MAPI acceleration applies to Exchange traffic for Windows clients. Acceleration is
applied to e-mails with attachments sent between any combination of Outlook2003,
2007, and 2010 clients and Exchange 2003, 2007, and 2010 servers. To accelerate
Exchange traffic for Web clients, enable SSL optimization for HTTPS.
NOTE: MAPI accelerationrequiresencryptionto be disabled on theOutlook
client. For Outllook 2003 and 2007, select Tools > Account Settings >
Microsoft Exchange > More Settings > Security and clear the Encrypt data
check box. For Outllook 2010, select File > Account Settings > Microsoft
Exchange > More Settings > Security.
You can accelerate all CIFS and Exchange traffic, or you can create application
definitions that let you accelerate traffic to specific servers.
Copyright 2011, Juniper Networks, Inc.30
Junos Pulse Application Acceleration Service Administration Guide
-
7/30/2019 Subasish Junos Admin Guide
47/130
Related
Documentation
Configuring Application Policies on page 31
Overview of SSL Optimization
Applications that negotiate an SSL connection soon after the TCP connection is
established (implicit SSL), such as HTTPS, can be optimized by decrypting the traffic
and applying LZ and NSC compression. On the Junos Pulse Application Acceleration
Service gateway, you must import a certificate for each SSL server whose traffic you
want to optimize. The imported certificates are saved in an encrypted keystore on the
gateway.
SSL traffic flows that meet the following conditions can be optimized:
The protocol is SSL version 3 or TLS 1.0.
The key exchange algorithm is RSA.
The encryption cipher is AES128, AES256, DES, 3DES, RC2, or RC4.
The message digest algorithm is MD5 or SHA.
SSL compression is NOT used.
TLS extensions, such as the new session ticket, are NOT used.
Related
Documentation
Configuring Application Policies on page 31
Configuring the Keystore Passphrase for SSL Optimization on page 40
Managing SSL Certificates on page 41
Configuring Application Policies
For each application defined on a Junos Pulse Application Acceleration Service gateway,
you can enable or disable compression and acceleration services, as well as monitoring
for reports. The application policies are applied to the traffic sent to all adjacent Junos
Pulse clients, provided that the appropriate services are enabled for each client (see
Configuring Pulse Client Policies on page 54).
To add or change an application definition, see Configuring Application Definitions on
page 33.
NOTE: If you upgrade from JWOS 6.1 to JWOS 6.2, the MAPI applicationdefinition must be added manually, and MAPI acceleration is disabled by
default. If you upgrade from WXOS 5.7 to JWOS 6.2, NSC compression is