Subasish Junos Admin Guide

7/30/2019 Subasish Junos Admin Guide

1/130

Junos Pulse Application AccelerationService

Administration Guide

Release

6.2

Published: 2011-10-20

Copyright 2011, Juniper Networks, Inc.


2/130

Juniper Networks, Inc.1194North Mathilda AvenueSunnyvale, California 94089USA408-745-2000www.juniper.net

Thisproduct includesthe Envoy SNMPEngine, developed by EpilogueTechnology,an IntegratedSystems Company.Copyright 1986-1997,

Epilogue Technology Corporation.All rights reserved. This program and its documentation were developed at privateexpense, and no part

of them is in thepublic domain.

This product includes memory allocation software developed by Mark Moraes,copyright 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation

and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright

1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through

release 3.0 by Cornell University and its collaborators. Gated is based on Kirtons EGP, UC Berkeleys routing daemon (routed), and DCNs

HELLO routing protocol. Development of Gated has beensupported in part by the National Science Foundation. Portions of the GateD

software copyright 1988, Regentsof theUniversityof California.All rights reserved. Portionsof theGateD software copyright 1991, D.

L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc.in the United

States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc.All other

trademarks, service marks, registered trademarks, or registered service marks are the property of theirrespective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,

transfer, or otherwise revise this publication without notice.

Products made or sold byJuniper Networks or components thereof might be covered by oneor more of thefollowingpatents that are

owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440,6,192,051, 6,333,650, 6,359,479, 6,406,312,

6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos PulseApplication AccelerationServiceAdministrationGuideCopyright 2011, Juniper Networks, Inc.

All rights reserved.

Revision History

October 2011Revision 01

The informationin this document is currentas of thedatelisted in the revisionhistory.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the

year 2038. However,the NTPapplicationis known to have some difficulty in theyear2036.

SOFTWARE LICENSE

The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase

order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks.

By using this software, you indicate that you understand and agree to be bound by those termsand conditions.Generallyspeaking, the

software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses.

The software license maystate conditions under which the license is automatically terminated. You should consult the license for further

details. For complete product documentation, please see the Juniper Networks website at www.juniper.net/techpubs.

Copyright 2011, Juniper Networks, Inc.ii


3/130

END USER LICENSE AGREEMENT

The Juniper Networks product that is thesubject of this technical documentationconsists of (or is intended for usewith)Juniper Networks

software. Useof such software is subject to theterms and conditions of theEnd User License Agreement (EULA) posted at

http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to theterms and conditions

of that EULA.

iiiCopyright 2011, Juniper Networks, Inc.
http://www.juniper.net/support/eula.htmlhttp://www.juniper.net/support/eula.html


4/130

Copyright 2011, Juniper Networks, Inc.iv


5/130

Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

List of Technical Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Part 1 Getting Started

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Junos Pulse Application Acceleration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Application Acceleration Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Application Acceleration Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . 4

New Features in JWOS Release 6.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Sample Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Inline Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Off-Path Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Deployment with VPN Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 2 Installing Junos Pulse Application Acceleration Gateways . . . . . . . . . . . . . . . 9

Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Preinstallation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Interface Speeds and Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Inline and Off-Path Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Running Quick Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Postinstallation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Part 2 Configuration and Management

Chapter 3 Configuring Setup Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Using the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Understanding the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Using Special Characters in Object Names . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Configuring Basic Setup Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Configuring the Device Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Configuring the Bridge Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Configuring the Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

vCopyright 2011, Juniper Networks, Inc.


6/130

Configuring the Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Configuring the Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Obtaining a Permanent License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring the Community Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring AAA Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Defining Local User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Securing Front Panel Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Loading the SSO Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Configuring ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Configuring SNMP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Configuring Syslog Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Configuring Packet Interception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Chapter 4 Configuring Acceleration Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Types of Application Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Overview of TCP Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Overview of Microsoft CIFS and Exchange Acceleration . . . . . . . . . . . . . . . . 30Overview of SSL Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Configuring Application Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Configuring Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Configuring SMB Signing for CIFS Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Configuring the Keystore Passphrase for SSL Optimization . . . . . . . . . . . . . . . . . 40

Managing SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Chapter 5 Viewing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Viewing and Printing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Executive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

WAN Accelerated Throughput Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Application Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Compression Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Sessions Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

MAPI Sessions Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Chapter 6 Managing Junos Pulse Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Junos Pulse Client Hardware and Software Requirements . . . . . . . . . . . . . . . . . . 49

Installing the Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configuring Personal Firewalls for Junos Pulse Acceleration . . . . . . . . . . . . . 50

Downloading the Junos Pulse Client from a Pulse Secure Access Server . . . . 51

Downloading the Junos Pulse Client from a Pulse Application Acceleration

Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Uninstalling the Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Managing Junos Pulse Client Software, Configurations, and Policies . . . . . . . . . . 52

Enabling Pulse Client Downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Enabling Pulse Client Adjacencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Configuring Pulse Client Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Viewing the Status of Pulse Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Defining the Pulse Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Viewing the Pulse Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Copyright 2011, Juniper Networks, Inc.vi

Junos Pulse Application Acceleration Service Administration Guide


7/130

Uploading Pulse Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Distributing the Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Distributing the Pulse Client Through an SA Series Gateway . . . . . . . . . 57

Distributing the Pulse Client Through SMS . . . . . . . . . . . . . . . . . . . . . . . 58

Chapter 7 Maintaining Junos Pulse Application Acceleration Gateways . . . . . . . . . . . 59

Maintaining Configurations and Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Saving a Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Viewing the Gateway Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Loading a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Loading a Software Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Clearing Monitoring Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Restoring the Factory Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Rebooting or Shutting Down a Gateway or Junos Pulse Module . . . . . . . . . . 64

Maintaining the Disk Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Viewing the Gateway Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Using Maintenance Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Using the Ping Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Using the Traceroute Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Using the Packet Capture Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Viewing and Saving System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Viewing and Saving Access Control Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Exporting Performance Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Creating a Diagnostic File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Viewing Flow Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Troubleshooting Passthrough Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Detecting Passthrough Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Using the Web Interface to Recover from Passthrough Mode . . . . . . . . . . . . . 72

Using the Console to Recover from Passthrough Mode . . . . . . . . . . . . . . . . . . 72

Part 3 Specifications

Appendix A Specifications for Application Acceleration Service Gateways . . . . . . . . . . 77

Platform Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

General Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Specifications for MAG-SM161, MAG4611, and MAG-SM361 . . . . . . . . . . . . . . 79

DB9 Console Port Pinouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Appendix B SNMP Traps and SyslogMessages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

System Events and SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Syslog Message Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Appendix C Exported Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Exported Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

General Device Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Data Section Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

System Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Compression Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

WAN Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

viiCopyright 2011, Juniper Networks, Inc.

Table of Contents


8/130

TCP Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Exported Flow Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Appendix D Copyrights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Traceroute Copyright License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97OpenSSL Copyright License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

GNU GENERAL PUBLIC LICENSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Part 4 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Copyright 2011, Juniper Networks, Inc.viii



9/130

List of Figures

Part 1 Getting Started

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Figure 1: Typical Inline Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Figure 2: Off-Path Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Figure 3: VPN Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7



Figure 4: JWOS Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

ixCopyright 2011, Juniper Networks, Inc.


10/130

Copyright 2011, Juniper Networks, Inc.x



11/130

List of Tables

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Table 1: Notice icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Table 2: Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Table 3: GUI Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv



Table 4: Interface Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 4 Configuring Acceleration Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Table 5: Default Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Table 6: DSCP and IP Precedence Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Chapter 6 Managing Junos Pulse Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Table 7: Personal Firewall Exceptions for Pulse Acceleration . . . . . . . . . . . . . . . . 50

Chapter 7 Maintaining Junos Pulse Application Acceleration Gateways . . . . . . . . . . . 59

Table 8: Passthrough Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Part 3 Specifications

Table 9: General Specifications for All Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Table 10: MAG Series Module Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Table 11: Pinouts for DB9-to-DB9 Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Table 12: Pinouts for DB9-to-DB25 Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Table 13: System Events and SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Table 14: General Device Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Table 15: Data Section Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Table 16: System Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Table 17: Compression Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Table 18: WAN Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Table 19: TCP Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Table 20: Flow Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Appendix A Specifications for Application Acceleration Service Gateways . . . . . . . . . . 77

Table 9: General Specifications for All Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Table 10: MAG Series Module Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Table 11: Pinouts for DB9-to-DB9 Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Table 12: Pinouts for DB9-to-DB25 Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Appendix B SNMP Traps and SyslogMessages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Table 13: System Events and SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

xiCopyright 2011, Juniper Networks, Inc.


12/130

Appendix C Exported Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Table 14: General Device Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Table 15: Data Section Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Table 16: System Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Table 17: Compression Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Table 18: WAN Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Table 19: TCP Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Table 20: Flow Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Copyright 2011, Juniper Networks, Inc.xii



13/130

About This Guide

Objectives on page xiii

Audience on page xiii

Document Conventions on page xiii

List of Technical Publications on page xiv

Requesting Technical Support on page xv

Objectives

This guide describes how to use the Web interface to configure and monitor Junos Pulse

Application Acceleration Service gateways. The gateways accelerate application traffic

for remote clients that have Junos Pulse installed.

To perform management tasks using the command-line interface (CLI), see theJunos

PulseApplication Acceleration Service Command Reference Guide.

Audience

This guide is intended for administrators who configure and manage the the Junos PulseApplication Acceleration Service. Be sure you are familiar with your network architecture

and devices and that you can perform basic network configuration procedures.

Document Conventions

Table 1 on page xiv defines notice icons used in this guide, Table 2 on page xiv defines

text conventions used throughout the book, and Table 3 on page xiv defines the GUI

conventions.

xiiiCopyright 2011, Juniper Networks, Inc.


14/130

Table 1: Notice icons

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates that you may risk losing data or damaging your

hardware.

Caution

Alerts you to the risk of personal injury.Warning

Table 2: Text Conventions

DescriptionConvention

Filenames and directory names.Sans serif type

Terms defined in text.

Variable elements for which you supply values.

Book titles.

Italics

Key names linked with a plus sign indicatethatyou must press

two or more keys simultaneously.

+ (plus sign)

Table 3: GUI Conventions

DescriptionConvention

Navigation paths through the UI.> (right angle bracket)

User interface elements that you select in a procedure, such

as tabs, buttons, and menu options.

Bold type

Variables for which you supply values.Italics

List of Technical Publications

The following additional documents are available at http://www.juniper.net/techpubs:

JunosPulseApplication Acceleration Service Command Reference GuideDescribes

how to use the CLI to configure the Junos Pulse Application Acceleration Service.

MAG Series Junos PulseGateway HardwareGuideDescribes how to set up the MAG

Series gateways and install and configure individual modules.

JunosPulseAdministration GuideDescribes how to configure anddistribute the Junos

Pulse client from a JuniperNetworks IC Seriesor SA Seriesdevice. Onlinehelp provided

Copyright 2011, Juniper Networks, Inc.xiv

http://www.juniper.net/techpubshttp://www.juniper.net/techpubs


15/130

withthe Junos Pulse client describes how to use the featuresavailable to the end user,

such as viewing the client status.

Requesting Technical Support

Technical productsupport is availablethrough the Juniper Networks TechnicalAssistance

Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

or are covered under warranty, and need post-sales technical support, you can access

our tools and resources online or open a case with JTAC.

JTAC policiesFor a complete understanding of our JTAC procedures and policies,

review theJTACUser Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

Product warrantiesFor product warranty information, visit

http://www.juniper.net/support/warranty/ .

JTAC hours of operationThe JTAC centers have resources available 24 hours a day,

7 daysa week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online

self-service portal called the Customer Support Center (CSC) that provides you with the

following features:

Find CSC offerings: http://www.juniper.net/customers/support/

Search for known bugs: http://www2.juniper.net/kb/

Find product documentation: http://www.juniper.net/techpubs/

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlementby productserial number, use our Serial NumberEntitlement

(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

xvCopyright 2011, Juniper Networks, Inc.

About This Guide
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdfhttp://www.juniper.net/support/warranty/http://www.juniper.net/customers/support/http://www2.juniper.net/kb/http://www.juniper.net/techpubs/http://kb.juniper.net/http://www.juniper.net/customers/csc/software/https://www.juniper.net/alerts/http://www.juniper.net/company/communities/http://www.juniper.net/cm/https://tools.juniper.net/SerialNumberEntitlementSearch/http://www.juniper.net/cm/http://www.juniper.net/cm/https://tools.juniper.net/SerialNumberEntitlementSearch/http://www.juniper.net/cm/http://www.juniper.net/company/communities/https://www.juniper.net/alerts/http://www.juniper.net/customers/csc/software/http://kb.juniper.net/http://www.juniper.net/techpubs/http://www2.juniper.net/kb/http://www.juniper.net/customers/support/http://www.juniper.net/support/warranty/http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf


16/130

For international or direct-dial options in countries without toll-free numbers, see

http://www.juniper.net/support/requesting-support.html .

Copyright 2011, Juniper Networks, Inc.xvi

http://www.juniper.net/support/requesting-support.htmlhttp://www.juniper.net/support/requesting-support.html


17/130

PART 1

Getting Started

Introduction on page 3

Installing Junos Pulse Application Acceleration Gateways on page 9

1Copyright 2011, Juniper Networks, Inc.


18/130

Copyright 2011, Juniper Networks, Inc.2



19/130

CHAPTER 1

Introduction

Thischapterintroducesthe features provided by the JunosPulse ApplicationAcceleration

Service, and describes the new features in this release.

Junos Pulse Application Acceleration Overview on page 3

Sample Deployments on page 6

Junos Pulse Application Acceleration Overview

Application traffic can be accelerated between Junos Pulse Application Acceleration

Service gateways, typically installed in a data center, and remote clients that have the

Junos Pulse software installed.

The following gateways and clients are supported:

The Junos Pulse Application Acceleration Service gateways include:

MAG4611 gateway

MAG6610 or MAG6611 gateways with an SM161 or SM361Application Acceleration

Service Module installed

WXC3400, WXC2600, or WXC590 gateways that have been upgraded to JWOS 6.1

or higher

Junos Pulse Clients Windows 7, Windows Vista, or Windows XP clients that have

Junos Pulse installed

Application Acceleration Technologies

The following technologies are used to compress and accelerate application traffic:

LZ compressionAmemory-basedcompressionalgorithm thatlocates repeated data

patterns at the byte level, in real time, across all IP application sessions. The reduction

in traffic effectively increases the WAN bandwidth, reduces network congestion, and

improves overall data flow.

Network Sequence Caching (NSC)A disk-based compression algorithm used to

identify and retain long patterns of repeated traffic. NSC is most effective where large

files are often sent over the WAN.



20/130

TCP accelerationWhile compression effectively increases available bandwidth, TCP

acceleration improves TCP application performance where the use of available

bandwidth is constrained by network latency.

CIFS accelerationAn application-level acceleration method for Microsoft CommonInternet File System (CIFS) traffic.

Exchange accelerationAn application-level acceleration method for Microsoft

Exchange traffic. Unencrypted traffic is accelerated between any combination of

Outlook 2003, 2007, and 2010 clients and Exchange 2003, 2007, and 2010 servers.

SSL optimizationAn application-level optimization method that decrypts Secure

Socket Layer (SSL) trafficso that LZand NSCcompression canbe applied. Applications

are supported, such as HTTPS, that negotiate an SSL connection soon after the TCP

connection is established (implicit SSL).

Application Acceleration Features and Benefits

Application acceleration enables networks to achieve maximum capacity over WAN

links. The primary features and benefits include:

Secure AccessDesigned to work closely with the Junos Pulse Secure Access Service

to provide both secure access and acceleration benefits to mobile users and users in

remote branch office environments.

Substantial throughput gainGreatly improves WAN capacity, accelerates TCP

applications in high-latency environments, and reduces the load on other network

devices.

Immediateimpact with autodiscoveryGains arerealizedimmediately. Thegateways

and Junos Pulse clients discover each other automatically, and dynamically form an

adjacencyto accelerate the traffic between them.

TransparencyOperates transparently to existing network equipment, topologies,

andWAN interfaces (such asFrameRelay, MPLS, andATM). No network or application

modifications are required.

Application independenceWorks on any TCP-based application (such as e-mail,

database, Web, ERP, and so on). Uses open standard protocols.

Fail-safe nonstop operationTraffic is passed through on any hardware or software

disruption, including power loss.

Easy managementProvides administrative access through a CLI and an intuitive

Web user interface. You can also monitor performance through an SNMP-based

management system.

Seamless operation with VPNs and firewallsInstalls on the LAN side of encryption

devices to work seamlessly with virtual private networks (VPNs) and firewalls.




21/130

New Features in JWOS Release 6.2

JWOS Release 6.2 includes the following new features:

MAG Series Junos Pulse Gateway supportThe new MAG Series gateways support

bothApplication Acceleration ServiceModules and IntegratedAccessServiceModules.

Thefollowing table liststhe number of JunosPulse clients supported bythe Application

Acceleration Service Modules and the MAG4611 gateway.

Junos Pulse ClientsModule/Gateway

1000MAG-SM361 module

250MAG-SM161 module

250MAG4611 platform

Exchange accelerationAn application-level acceleration method for unencrypted

Microsoft Exchangetraffic between any combination of Outlook 2003,2007, and 2010

clients and Exchange 2003, 2007, and 2010 servers.

SSL optimizationAn application-level optimization method that decrypts Secure

Socket Layer (SSL) traffic so that LZ and NSC compression can be applied. SSL

optimization supports applications that negotiate an SSL connection soon after the

TCP connection is established (implicit SSL), such as HTTPS.

NSC compressionDisk-based compression used to identify and retain long patterns

of repeated traffic. Data patterns are learned from traffic in both directions, and the

dictionary on the gateway is automatically synchronized with the dictionary on the

Pulse clients.

HTTP requests redirected to HTTPSAttempts to access the gateway over HTTP

(port 80)are redirected to HTTPS (port 443). Specifically,the URLshttp://

and http:///client are changed to https:// and

https:///client. HTTPS is required for security, andthe network must allow

traffic on port 443.

Automatic scaling of TCP window sizeThe TCP window size is increased

automatically (up to 256 KB) to maximize throughput and acceleration gains on

high-bandwidth, low-latency connections.

Compatibility with previous releasesThe MAG Series gateways require JWOS 6.2

or higher. Any WXC590, WXC2600, or WXC3400 that has WXOS 5.7 or higher can be

upgraded to JWOS 6.2. Traffic can be accelerated for remote clients with Pulse 2.0,but Pulse 2.1 is required to support the new features in JWOS 6.2, such as NSC

compression and SSL optimization.

Junos Pulse clients do not support WXC gateways that are running JWOS 6.0 or any

version of WXOS. To upgrade from JWOS 6.0 to JWOS 6.2, you must first downgrade

to WXOS (see theJWOS6.2 Release Notes).


Chapter 1: Introduction
http://%3Cip-address%3E/http://%3Cip-address%3E/clienthttps://%3Cip-address%3E/https://%3Cip-address%3E/clienthttps://%3Cip-address%3E/clienthttps://%3Cip-address%3E/http://%3Cip-address%3E/clienthttp://%3Cip-address%3E/


22/130

Related

Documentation

Platform Specifications on page 77

Sample Deployments

The following topics provide sample deployment topologies for Junos Pulse Application

Acceleration:

Inline Deployment on page 6

Off-Path Deployment on page 6

Deployment with VPN Devices on page 7

Inline Deployment

When the Junos Pulse client is installed on Windows workstations, WAN traffic can be

accelerated from the Pulse clients to a remote Junos Pulse gateway installed on the

other side of the WAN. Typically, the gateway is deployed in the data path between aLAN switch and an edge router (see Figure1 on page 6).

Figure 1: Typical Inline Deployment

Off-Path Deployment

Junos Pulse gateways are usually deployed in the physical data path between a LAN

switch and a WAN edge router, with no changes to Layer 3 routing. When interrupting

the data path is not practical, such as in collapsed backbone environments where the

switch and the router are the same physical device, you can deploy the gateway off path

(see Figure 2 on page 7). In this case, the Local interface (port 1 on a Junos Pulse

gateway) is connected to the switch or the router, and the Remote interface (port 2 on

a Junos Pulse gateway) is not used. Connecting the gateway directly to the router is

recommended.




23/130

Figure 2: Off-Path Deployment

Deployment with VPN Devices

Junos Pulse gateways operate transparently relative to existing network equipment,

including firewalls and VPN devices (see Figure3 on page 7). By compressing data

before it enters the VPN tunnel, the gateways and Pulse clients reduce the workload for

the VPN devices. The same bandwidth multiplication effect is achieved for VPN

encapsulated traffic as for unencapsulated traffic.

NOTE: Junos Pulse gateways should always be deployed behind a firewall

or VPN device. However, Network Address Translation(NAT) is not supported.

If NAT is enabled on the local firewall, all traffic is passed through without

any processing.

Figure 3: VPN Deployment


Chapter 1: Introduction


24/130




25/130

CHAPTER 2

Installing Junos Pulse ApplicationAcceleration Gateways

The following topics provide an overview of the installation process for the Junos Pulse

Application Acceleration Service gateways. For the installation details for each Junos

Pulse gateway, see theMAG Series Junos Pulse Gateway Hardware Guide.

Installation Overview on page 9

Running Quick Setup on page 11

Postinstallation Tasks on page 12

Installation Overview

Preinstallation Tasks on page 9

Interface Speeds and Modes on page 10

Installation Procedure on page 10

Inline and Off-Path Installations on page 10

Preinstallation Tasks

Before you begin, complete the following preinstallation tasks:

Ensure that sufficient power is available and that power supply circuits are protected

by a 15A or 20A circuit breaker.

Ensure there is ample space and lighting. You need enough space to connect one or

two CAT-5 UTP Ethernet data cables and one or two power cords to the back of the

chassis, as well as enough lighting to see the LEDs on the data ports.

Provide at least 24 inches of clearance in the front and back of the chassis to allow

service personnel to remove and install hardware components. Provide 3 inches of

clearance on both sides of the chassis to allow the cooling system to function properly.

Do not install one gateway directly behind another, which can cause warm or hot air

to be recirculated.

Do not place paper materials or heavy equipment on top of the gateway.

For rack-mount installations, reserve sufficient space for each form factor, as follows:

1 U MAG4610 and MAG6610



26/130

2 U MAG6611

Identify a 10/100/1000 Ethernet LAN port where you can connect the gateway. This

port is typically on an aggregation switch or another LAN device that is connected

directly to the WAN router.

Log in to the router that will be on the WAN side of the gateway, and note theinterface

speed and duplex mode.

On all firewall and antivirus software between the gateway and Junos Pulse clients,

note the following:

UDP port 3578 must be open. The Windows Firewall is updated when the Pulse

client is installed, but some firewalls, such as Kaspersky and Trend Micro, must be

updated manually to allow traffic on UDP port 3578.

If the gateway is installed in the DMZ, and you plan to upgrade the JWOS software

using FTP, you must open an FTP port in the firewall between the DMZ and the

intranet.

Network Address Translation (NAT) is not supported. If NAT is enabled on the local

firewall, all traffic is passed through without any optimization.

TCP options must NOT be stripped from SYN or SYN-ACK packets. TCP options are

required to form adjacencies between the gateway and the Pulse clients.

Reserve an IP address for the gateway, and identify the default gateway. The default

gateway is the next hop on the WAN side of the gateway.

For hardware safety recommendations and warnings, see theSecurity Products Safety

Guide

Interface Speeds and Modes

Interface speed and duplex settings should be the same across all devices: the switch,

the gateway interfaces, and the router. This ensures connectivity through the gateway

in case of a power loss or a condition that causes a hardware bypass.

Installation Procedure

Gateway installation consists of the following steps:

1. Install the hardware and apply power.

2. Run Quick Setup to define the required configuration settings (see Running Quick

Setup on page 11).

3. Perform postinstallation tasks foroptionalconfigurationsettings(see Postinstallation

Tasks on page 12).

Inline and Off-Path Installations

The gateway is usually installed in the data path (inline) between a LAN switch (or other

aggregationdevice)and the WAN edgerouter. If interruptingthe data path is not practical,

such as in collapsed-backbone environments, you can deploy the gateway off path.




27/130

To install a gateway off path, note the following:

Do not disconnect any cables. Simply connect the Local interface (port 1 on a MAG

Series gateway) to the switch or the router. We recommend connecting directly to the

router. Set the interface to full-duplex mode (half-duplex mode can cause excessivecollisions).

TheRemote interface(port2 on the MAGSeries gateway) is notused,so you canapply

power without first verifying connectivity between the LAN and the router.

After you run Quick Setup, configure packet interception to route traffic to the off-path

gateway (see Configuring Packet Interception on page 26).

Running Quick Setup

When the Junos Pulse Application Acceleration Service gateway is started for the first

time, or when the factorydefaultconfigurationis reloaded, you must use the Quick Setup

program to specify the network settings from a terminal connected to the serial Console

port on the gateway. All settings made during Quick Setup can be changed later.

The Quick Setup program should start automatically when you log in to the Console. If

necessary, enter the setup CLI command to start Quick Setup. For example:

WX- login: admin

Password:

******************************* WELCOME *******************************

Welcome to the Quick Setup wizard for JWOS. This wizard will enable you

to get your JWOS device up and running with minimal effort.

*********************************************************************

Press Enter to continue

---------------------------------------------------------------------

You will now configure IP parameters (IP address, subnet mask, default

gateway) to enable IP connectivity for this device. Once these parameters

are configured, additional management tasks can be performed via the

CLI or the Web interface.

setup br-0/0? yes[y]/no[n] (yes) yes

IP address: 10.204.64.146

IP subnet mask: 255.255.255.248

IP default gateway: 10.204.64.145

You have entered the following values:

IP address: 10.204.64.146

IP subnet mask: 255.255.255.248

IP default gateway: 10.204.64.145

Do you wish to change any of them? yes[y]/no[n] (no) no

Local Interface Mode: (auto, full, half) (auto) auto

Local Interface Speed: (auto, 10, 100, 1000) (auto) auto


Local Interface Mode: auto

Local Interface Speed: auto


Remote Interface Mode: (auto, full, half) (auto) auto

Remote Interface Speed: (auto, 10, 100, 1000) (auto) auto


Remote Interface Mode: auto


Chapter 2: Installing Junos Pulse Application Acceleration Gateways


28/130

Remote Interface Speed: auto


Welcome To WX

WX-10.204.64.146>show interfaces bridge all status

The initial configuration is complete. For a list of key configuration tasks, see

Postinstallation Tasks on page 12.

Postinstallation Tasks

After you run Quick Setup, you can continue configuring the Junos Pulse Application

Acceleration Service gateway through the Web interface or through the CLI.

To use the Web interface, see Using the Web Interface on page 15.

To usethe CLI, seetheJunosPulseApplicationAccelerationService CommandReference

Guide.

Be sure to review the following key configuration tasks:

Set the time manually, or specify an NTP server, as described in Configuring the Time

Settings on page 20.

Change the default password for the admin account, as described in Defining Local

User Accounts on page 22.

Review the application definitions provided and add any new ones needed for your

network, as described in Configuring Application Definitions on page 33.

Configure acceleration for the appropriate applications, as described in Configuring

Application Policies on page 31.

Install the Junos Pulse client on the appropriate Windows workstations, as described

in Installing the Junos Pulse Client on page 49.




29/130

PART 2

Configuration and Management

Configuring Setup Policies on page 15

Configuring Acceleration Policies on page 29

Viewing Reports on page 43

Managing Junos Pulse Clients on page 49

Maintaining Junos Pulse Application Acceleration Gateways on page 59



30/130




31/130

CHAPTER 3

Configuring Setup Policies

This chapter describes how to use the Web interface to perform the basic setup

procedures on Junos Pulse Application Acceleration Service gateways. To use the CLI,

see theJunos Pulse Application AccelerationService Command Reference Guide.

Using the Web Interface on page 15

Configuring Basic Setup Policies on page 17

Configuring AAA Settings on page 22

Configuring ARP on page 24

Configuring SNMP Support on page 24

Configuring Syslog Reporting on page 25

Configuring Packet Interception on page 26

Using the Web Interface

The Web interface lets you securely access management and performance information

forJunos Pulse ApplicationAccelerationService gatewaysfromanywhere in yournetwork.

The Web interface supports Microsoft Internet Explorer, version 7.0 or 8.0, and Mozilla

Firefox3.0, 3.5, or 3.6. Be sure to configure thebrowserprivacy settings to accept cookies.

The Web interface is designed to be viewed at 1024 x 768 pixels. To ensure secure

transmission of configuration and management data, the Web interfaceuses the Secure

Sockets Layer protocol (SSL/HTTPS).

Logging In on page 15

Understanding the Web Interface on page 16

Using Special Characters in Object Names on page 16

Logging In

To log in to a gateway through the Web interface:

1. Using a supported Web browser, enter the IP address of the gateway:

https://Gateway IP address

If you enter http, the browser is redirected to https.

2. If a Security Alert dialog box appears, click Yes to proceed.



32/130

3. In the Enter Network Password dialog box, enter your username and password. When

you access a new gateway for the first time, use admin and juniper for the username

and password.

To log out of the JWOS Web interface, click Logout in the taskbar of any page. Users areloggedout automatically if theirsessions areinactive forthe sessiontimeouttime(default

is 30 minutes).

Understanding the Web Interface

The Web interface has a taskbar at thetop of the page, a left-hand navigation pane, and

a data pane for configuring and viewing policies and performance data. Note that the

Save function is in the upper right corner of the taskbar.

Figure 4: JWOS Web Interface

From the taskbar, select Help > About to view hardware and software information for

the gateway, such as the IP address, the software andhardwareversions, andthe license

key. Select Help> Site Map to view a list of the options available under each taskbar

selection. Select Help > Online Documentation to access the documentation website.

Using Special Characters in Object Names

Useonly letters (AthroughZ, a throughz), numbers(0through9), dashes(-),underscores

(_), and periods (.) when you assign names to the gateways, applications, and otherobjects.




33/130

Configuring Basic Setup Policies

Configuring the Device Name on page 17

Configuring the Bridge Interfaces on page 17

Configuring the Management Interface on page 19

Configuring the Domain Name on page 20

Configuring the Time Settings on page 20

Obtaining a Permanent License on page 21

Configuring the Community Name on page 21

Configuring the Device Name

The name of the Junos Pulse Application Acceleration gateway is displayed in the CLI

prompts. You can change the name, specify the devices physical location, and provide

contact information for the system administrator.

To configure the gateway name and contact information:

1. Select Setup > Basic > Device Name.

2. Specify the following information:

Enter the devicename (up to30 characters). The name is displayed in

CLI prompts, followed by a dash and the IP address. Use only letters,

numbers, dashes, underscores, and periods.

Device Name

Enter a description of the devices physical location.Device Location

Enter the contact information (up to 64 characters) for the system

administrator.

Contact Information

3. Click Submit to activate the changes, or click Reset to discard them.

4. Click Save in the taskbar to retain your changes after the next reboot.

Configuring the Bridge Interfaces

A bridgeinterface connectsa pair ofLocal andRemoteportson a JunosPulseApplication

Acceleration Service gateway (labeled ports 1 and 2). When either port receives traffic

that is not processed by the gateway, suchas broadcast or passthrough traffic,the traffic

is sent out the other port. The two ports, called aport-pair, share the IP address of the

bridge interface.

For each bridge interface, you can view the name, status, media access control (MAC)

address, and speed and mode for the associated Local and Remote interfaces. You can

also change the network settings, enable link-failure propagation, and add static routes.

Table 4 on page 18 describes the interface names.


Chapter 3: Configuring Setup Policies


34/130

Table 4: Interface Names

DescriptionNameInterface

Every gateway has a bridge interface named br-0/0.br-slot/pairBridge

Theslotand pair numbers arethe same asthe associated

bridge interface. The /0 indicates the Local interface (port

1 on a MAG Series gateway).

ge-slot/pair/0Local

Same as the Local interface name, except that the /1

indicates the Remote interface (port 2 on a MAG Series

gateway).

ge-slot/pair/1Remote

To configure the bridge interfaces:

1. Select Setup > Basic > Bridge Interfaces, and then select the name of the bridge

interface to be configured.

2. To change the interface settings, specify the following information, and click Submit:

Enter the IP address of the bridgeinterface. If you change the IP address

or subnetmask,you must rebootthe gateway (see Rebooting or Shutting

Down a Gateway or Junos Pulse Module on page 64).

IP address

Specify the network portion of the IP address. For example, 255.255.255.0

indicates thatthe first 24bitsof the IP address are used for the network

portion of the address.

Subnet mask

Enter the IP address of the default router, which must be on the same

subnet as the bridgeIP address.

Default gateway

Select the speed and mode for the Local or Remote interface(such as

1000 full-duplex). By default, the Local and Remote interfaces are set to

negotiate the speed and mode automatically.

Note that a passive test runsperiodically and displays a message above

thetaskbar if a speed or mode mismatch is detected. Thepassive test can

detect a mismatch only when data is sent andreceived atthe same time.

Speed/Duplex

In high-availability environments, you can enablethe following options so

that when a failure is detected on one interface, the other interface turns

offfor 15 seconds. This allows theswitch or router to detectthe failure and

ensures that the routing mechanisms work as expected.

Propagate to RemoteIf the switch fails, the Remote interface is

disabled so that the router detects the loss of connectivity with theswitch.

Propagate to LocalIf the router fails, the Local interface is disabled

so that the switch detects a loss of connectivity with the router.

You can alsodisablethe hardwarepassthroughfeature so thatthe router

detects the loss of traffic if the gateway fails (see the config set system

bypass-capability commandin theJunos PulseApplication Acceleration

Service Command Reference Guide).

Link Failure

3. To add static routes to the bridge interface:




35/130

a. On the Bridge Interfaces page, select the Local Routes tab.

b. Enter the IP address, subnet mask, and theIP address of the gateway for a subnet.

c. Click Submit to add the route to the list of local routes. You can add a total of 4K

static routes. Note that ICMP redirect routes take precedence over static routes.

d. Click DELETE next to any route that you want to remove.


Related

Documentation

Configuring the Management Interface on page 19

Configuring the Management Interface

You can manage a Junos Pulse Application Acceleration Service gateway through a

bridge interface address or through the management port. To use the management port

(port 0 onthe MAG Seriesgateway), connect themanagement port toyourmanagement

network, and then configure an IP address, subnet mask, and default gateway for the

port. The name of the management interface is fxp0.

To configure the management interface:

1. Select Setup > Basic > Management Interface.

2. Select the Enable management interface check box, and specify the following

information:

Enter the IP address of the management interface. If you change the IP

address or subnet mask, you must reboot the gateway (see Rebooting

or Shutting Down a Gateway or Junos Pulse Module on page64).

IP Address

Specifythe network portion of theIP address.For example, 255.255.255.0

indicates thatthe first24 bitsof the IP address are usedfor the network

portion of the address.

Subnet Mask

Enter the IP address of the default router, whichmustbe on the same

subnet as the interface IP address.

Default Gateway

Select Auto to allow the interfacespeed and mode to be negotiated.To

setthe interface speed and mode manually, select Manual, and then

select a speedand mode settingfrom thelist(such as1000 full-duplex).

Speed



Related

Documentation

Configuring the Bridge Interfaces on page 17




36/130

Configuring the Domain Name

You can specify the local DNS domain name of a Junos Pulse Application Acceleration

Service gateway, and up to three DNS servers for use in resolving the IP addresses shownon the Flow Diagnostics page (see Viewing Flow Diagnostics on page 69).

To configure the domain name:

1. Select Setup > Basic > Domain Name.

2. Specify the following information:

Enter the local DNS domain name (up to 256 characters). The domain

name must include atleast one period, but not asthe first or last

character.

When anIP addressin thelocaldomain isresolvedby oneof thespecified

DNS servers, the local domain nameis prepended to the hostname

shown on the FlowDiagnostics page. If the domain is blank, only thehostnames areshown for resolved IP addresses in the local domain.

Resolved addresses outside the local domain include thedomain name

returned by the DNS server.

Domain Name

Enter the IP addresses of up tothree DNS servers (one per line).DNS Servers



Configuring the Time Settings

If your network uses the Network Time Protocol (NTP), you can specify a primary andsecondary NTP server to maintain the current time on a Junos Pulse Application

Acceleration Service gateway. You can also set the time manually. Each entry in the

system log files includes the current time.

To configure the time settings:

1. Select Setup > Basic > Time.

2. Select the time format (AM/PM or 24 Hour).

3. Do one of the following:

If you have an NTP server in your network, select Use NTP Server, and enter the IP

address of the NTP server in the Primary box. A secondary NTP server is optional.

If you do not have an NTP server, select Enter Local Time, and enter the current

time and date.

4. Select a time zone, GMT offset, or geographical location from the Time Zone list.

Optionally, select the check box to automatically adjust the time for daylight saving

time.




37/130



Obtaining a Permanent License

EachJunosPulse Application Acceleration Service gateway requiresa permanent license

key for operation. The license key registers the product and determines the number of

users who can obtain acceleration services. When the initial 30-day temporary license

expires, all traffic is passed through without any processing.

To obtain a permanent license key, gather the following information:

Device serial number displayed in the License Key page (also displayed in the About

box and on the back of the gateway).

AuthorizationCode Certificate thatwas e-mailedto youin PDFformat(ifyoupurchased

license upgrades).

User ID and password to access the License Key server at:

http://www.juniper.net/generate_license

If you lose the license key, you can use the License Key server to retrieve your current

license key.

If you have any problems with the licensing process, open a case with the Juniper Case

Manager at http://www.juniper.net/cm . To call from theUnited States, Canada, orMexico,

dial +1-888-314-JTAC. To call from other locations,check the list of localsupport centers

at http://www.juniper.net/support/requesting-support.html or dial +1-408-745-9500.

To install a permanent license key:

1. Select Setup > Basic > License Key.

The License Key page displays the status of the current license, including the licensed

modules and the compressed output for the gateway.

2. Enter your registered license key in the Enter License Key box. To obtain a registered

license key:

a. Go to http://www.juniper.net/generate_license, register to create an account, and

then log in.

b. Select Application Acceleration Products from the menu, and click Go.

c. Enter your gateway serial number and authorization code, and click Generate.

d. Copy the displayed license key into the Enter License Key box on the device.


Configuring the Community Name

To form an adjacency witha Pulse client and accelerate traffic, theJunos Pulse Application

Acceleration Service gateway must be in the same community as the client. Initially, all




38/130

gateways are in the default community. In large deployments you may want to define

separate communities.

Pulse clients that are downloaded from a gateway are in the same community as the

gateway (see Installing the Junos Pulse Client on page 49). If you later change thecommunity name, you must reinstall the Pulse client.

To configure the community:

1. Select Setup > Basic > Community.

2. Enter the community name (up to 64 characters). If you do not specify a community

name, the gateway remains in the default community. Note that changing the

community name disables all adjacencies with the Junos Pulse clients in the old

community.



Configuring AAA Settings

The following topics describe how to configure the JWOS security features:

Defining Local User Accounts on page 22

Securing Front Panel Access on page 23

Loading the SSO Certificate on page 23

Defining Local User Accounts

You can define up to 25 users for local authentication on Junos Pulse ApplicationAcceleration Service gateways. The user class assigned to each account determines the

users access privileges. The predefined admin account has full access and a default

password of juniper. To ensure secure access, you should change the passwords

periodically.

To define local user accounts:

1. Select Setup > AAA > Local Users.

From the Local Users page, you can:

Add a new user account, as described in Step 2.

Change a user account. Click the username, make any needed changes, and click

Submit.

Deleteuser accounts. Select the check box next to the accounts you want to delete,

and click Submit.

2. Click New User to add a new account, and specify the following information:

Enter the account name (up to 32 characters).User Name




39/130

Select a user class to specify the users privileges:

Superuser. Full read/write privileges, including management of user

accounts.

Operator. Read/write configuration privileges, but no packet captureor user management privileges.

Read Only Plus. Read-only privileges and packet capture capability.

Read Only. Read-only privileges.

User Class

Enter the number of minutes that elapse beforean idle user is logged

out (the default is 30).

Idle Timeout

Enter the password twice (from 4 to 64 characters).Password

3. Click Submit to activate the changes.


Securing Front Panel Access

On the WXC2600 and WXC3400, you can lock the keypad to prevent anyone from

rebooting the gateway or making unauthorized configuration changes. The MAG Series

gateways do not have a front panel keypad.

To lock the front panel keypad:

1. Select Setup > AAA > Front Panel Access.

2. Select Locked to lock the front panel keypad.



Loading the SSO Certificate

A singlesign-on(SSO)certificatecan beloadedon a MAG-SM161or MAG-SM361 module

if the module is installed in a MAG Series gateway that has a MAG-CM060 chassis

management card (CMC). After the certificate is loaded, administrators who log in to

the CMC interface can access the Application Acceleration service without having to log

in again. TheSSO certificatemust first begeneratedand loaded onthe CMC, asdescribed

in theJunos Pulse GatewayMAG-CM060Administration Guide.

To load the SSO certificate:

1. Select Setup > AAA > SSO Certificate.

2. Specify the location of the certificate:

Specify the following:

Path and filename of the SSO certificate fileon a machine in your

network (click Browse to selectthe file).

Local disk




40/130


IP address of a TFTP server.

Path andfilenameof theSSO certificatefile.The first character must

be a slash (\).

TFTP server


IP address of an FTP server.

If the FTP server does notaccept anonymous user access, enter a

username and password for an account thathas read/writeprivileges

on the server.

Path andfilenameof theSSO certificatefile.The first character must

be a slash (\).

FTP server

3. Click Load to import the certificate.

Configuring ARP

The Address Resolution Protocol (ARP) determines whether the gateway for a route is

on the Local or Remote interface of the Junos Pulse Application Acceleration Service

gateway (labeled port 1 and 2) and discovers the hardware (MAC) addresses of devices

that are directly addressable on each interface.

For devices that do not respond to ARP requests, you can add static ARP entries that

map their IP addresses to their MAC addresses. You can also clear the dynamic ARP

entries if you suspect some entries are out of date.

To configure the ARP table:

1. Select Setup > Network > ARP.

2. Click Flush to delete all dynamic ARP entries. This forces new ARP requests to be

issued as needed.

3. Click DELETE next to any static ARP entry that you want to remove.

4. Click Add to add one or more static ARP entries. For each entry, enter the IP address

and its associated MAC address, and then select the Local or Remote interface. You

can add up to five entries at one time. The format of the MAC address is:

xx:xx:xx:xx:xx:xx.

Click Submit to activate the new entries, or click Cancel to discard them.


Configuring SNMP Support

TheJunosPulse Application Acceleration Servicegateways providethe following support

for SNMP:

SNMP version 2

Enterprise management information base (MIB)




41/130

MIB II, Interface Group public objects

NOTE: SNMPv2-compatible utilities are needed to query the 64-bit

counters in the Enterprise MIB.

You can use the Enterprise MIB to view performance statistics from a network

management system (NMS). In addition, you can enable SNMP traps to be sent to an

NMSand other network devices. Fora description of theSNMP traps,see SystemEvents

and SNMP Traps on page 81.

To configure support for SNMP:

1. Select Setup > Monitoring > SNMP.

2. Select the SNMP Enabled check box to enable support for SNMP, and then enter the

read and write community strings used by the NMS to access SNMP data on the

gateway. The default community strings are public and private.

3. Select the Trap Enabled check box to generate SNMP traps (version 2 traps only).

To add trap destinations (up to 10), enter the IP address and community string (up

to 30 characters), and click Add. To delete a trap destination, click Delete next to the

destination.

4. Select the Authentication Trap Enabled check box to generate traps for incorrect

logins and unauthorized user access attempts.



Configuring Syslog Reporting

The Junos Pulse Application Acceleration Service gateways can send syslog messages

to up to five syslog servers. A syslog server allows you to centrally log and analyze

configuration events and system error messages such as interface status, security alerts,

and environmental conditions. For a description of the syslog messages, see System

Events and SNMP Traps on page 81.

To enable syslog reporting:

1. Select Setup > Monitoring > Syslog Server.

2. Enter the IP addresses of up to five syslog servers (one per line).

3. Select a facility from the Facility list to send the syslog messages to a specific facility

(local1 through local7). The default is local0.

4. Select the lowest severity level of the messages sent to the syslog servers. Select Any

to include all severity levels, including debug messages.

EmergencyCritical error messages about system failures.

AlertCritical error messages that need immediate action.




42/130

CriticalCritical error messages that need prompt action.

ErrorNoncritical error messages, such as license expired.

WarningInformational messages about minor events that are not errors.

NoticeInformational messages about normal, but significant events.

InfoInformational messages, such as reload requests.



Configuring Packet Interception

Typically, a Junos Pulse Application Acceleration Service gateway is deployed in the data

path between a LAN switch and a WAN edge router. When interrupting the data path is

not practical, youcan deploythe gateway offpath, where the Local interface is connected

to the switchor router, and the Remote interface is not used (we recommend connecting

the Local interface directly to the router).

On a MAG Series gateway, the Local and Remote interfaces are labeled ports 1 and 2.

For gateways that have multiple bridge interfaces, all interfaces must be connected in

the same way (inline or off-path).

After a gateway is installed off path, you must configure packet interception to redirect

the appropriate traffic to the gateway for acceleration.

To configure packet interception:

1. Select Setup > Advanced > Packet Interception.

2. Select Use external policy-based router commands.

3. Click Submit to activate the changes.


5. Enter the following CLI command to disable the Remote interface (port 2):

config set interface ge-0/0/1 disable

6. Configure a policyon thelocal router or Layer3 switch toredirect trafficto thegateway.

If the off-path gateway is connected to a dedicated port on a router, apply the policy

to the inbound interface from the LAN switch. In the following example, any incoming

packet on interface FastEthernet 0/0 that matches access-list 120 is routed to the

gateway at IP address 192.168.10.10. The access list shown here redirects all packets,

but you can specify additional filtering criteria.

interface FastEthernet 0/0

ip address 192.168.9.1 255.255.255.0

ip policy route-map Juniper

access-list 120 permit ip any any

route-map Juniper permit 50




43/130

match ip address 120

set ip next-hop 192.168.10.10

If the off-path gateway is connected to a dedicated VLAN on a Layer 3 switch, the

commands are almost the same, except that you apply the policy to the inbound

interface from the LAN:

interface Vlan200

ip address 192.168.9.1 255.255.255.0

ip policy route-map Juniper

NOTE: Use the setip next-hop command to redirect packets to the IP

addressof thebridgeinterfaceon thegateway. Donot usetheset interface

command to redirect traffic to the interface where the gateway is

connected.




44/130




45/130

CHAPTER 4

Configuring Acceleration Policies

Types of Application Acceleration on page 29

Configuring Application Policies on page 31

Configuring Application Definitions on page 33

Configuring SMB Signing for CIFS Acceleration on page 39

Configuring the Keystore Passphrase for SSL Optimization on page 40

Managing SSL Certificates on page 41

Types of Application Acceleration

Overview of TCP Acceleration on page 29

Overview of Microsoft CIFS and Exchange Acceleration on page 30

Overview of SSL Optimization on page 31

Overview of TCP Acceleration

In WAN environments, TCP mayrestrict thetransmission of data because long wait times

for acknowledgments (ACKs) are interpreted as signs of network congestion. TCP

acceleration solves this problem by terminating each TCP session locally. The result is

three independent TCP sessionsbetween the TCP source and the Junos Pulse client,

between the Junos Pulse client and the Junos Pulse Application Acceleration Service

gateway, and between the gateway and the destination. Because each TCP

acknowledgement (ACK) is sent locally, more data can be put in flight at once.

NOTE: TCP acceleration must be enabled for all other compression and

acceleration services.

TCP acceleration is most effective for applications that transfer large amounts of data.

In general, TCP acceleration improves performance if the maximum window size (the

effective bandwidth multiplied by the latency) exceeds the TCP window size.

For example, on a T1 link (1.5 Mbps), where the latency is 200 ms and a 50 percent data

compression doubles the effective bandwidth, the maximum window size is:

(3,088,000 bps * 0.200 seconds)/8 = 77,200 bytes



46/130

In this case, TCP acceleration improves performance if the hosts TCP window size is

64KB or less.

NOTE: As with high bandwidth and latency, high compression rates alsoincrease the maximum window size, which in turn increases the benefit of

TCP acceleration.

Related

Documentation


Overview of Microsoft CIFS and Exchange Acceleration

If TCP acceleration is enabled, the Junos Pulse Application Acceleration Service can also

accelerate Microsoft CIFS and Microsoft Exchange (MAPI) traffic. Microsoft CIFS and

Exchange transfer files by sending one block of data at a time, and then waiting for an

acknowledgment before sending the next block. The serial transmission of small datablocks is a major contributor to slow performance over the WAN.

When CIFS or Exchange acceleration is enabled, each block of traffic sent during bulk

read/write operations is acknowledged locally. This allows many data blocks to be in

flight at the same time, which speeds up the data transfer. Acceleration benefits begin

at relatively low latencies.

Note the following:

CIFSaccelerationis supported between Junos Pulse clients and mostWindows servers,

and between Pulse clients and Samba version 3.0 and later. CIFS acceleration is not

supported between any combination of Windowsplatforms that use SMB2 (Windows

7, Windows Vista, and Windows Server 2008).

When CIFS Server Message Block (SMB) signing is enabled, additional processing is

required to accelerate the traffic flow (see Configuring SMB Signing for CIFS

Acceleration on page 39). CIFS traffic flows are not accelerated when SMB2 signing

is enabled.

MAPI acceleration applies to Exchange traffic for Windows clients. Acceleration is

applied to e-mails with attachments sent between any combination of Outlook2003,

2007, and 2010 clients and Exchange 2003, 2007, and 2010 servers. To accelerate

Exchange traffic for Web clients, enable SSL optimization for HTTPS.

NOTE: MAPI accelerationrequiresencryptionto be disabled on theOutlook

client. For Outllook 2003 and 2007, select Tools > Account Settings >

Microsoft Exchange > More Settings > Security and clear the Encrypt data

check box. For Outllook 2010, select File > Account Settings > Microsoft

Exchange > More Settings > Security.

You can accelerate all CIFS and Exchange traffic, or you can create application

definitions that let you accelerate traffic to specific servers.




47/130

Related

Documentation


Overview of SSL Optimization

Applications that negotiate an SSL connection soon after the TCP connection is

established (implicit SSL), such as HTTPS, can be optimized by decrypting the traffic

and applying LZ and NSC compression. On the Junos Pulse Application Acceleration

Service gateway, you must import a certificate for each SSL server whose traffic you

want to optimize. The imported certificates are saved in an encrypted keystore on the

gateway.

SSL traffic flows that meet the following conditions can be optimized:

The protocol is SSL version 3 or TLS 1.0.

The key exchange algorithm is RSA.

The encryption cipher is AES128, AES256, DES, 3DES, RC2, or RC4.

The message digest algorithm is MD5 or SHA.

SSL compression is NOT used.

TLS extensions, such as the new session ticket, are NOT used.

Related

Documentation


Configuring the Keystore Passphrase for SSL Optimization on page 40

Managing SSL Certificates on page 41

Configuring Application Policies

For each application defined on a Junos Pulse Application Acceleration Service gateway,

you can enable or disable compression and acceleration services, as well as monitoring

for reports. The application policies are applied to the traffic sent to all adjacent Junos

Pulse clients, provided that the appropriate services are enabled for each client (see

Configuring Pulse Client Policies on page 54).

To add or change an application definition, see Configuring Application Definitions on

page 33.

NOTE: If you upgrade from JWOS 6.1 to JWOS 6.2, the MAPI applicationdefinition must be added manually, and MAPI acceleration is disabled by

default. If you upgrade from WXOS 5.7 to JWOS 6.2, NSC compression is

Subasish Junos Admin Guide

Documents

Transcript of Subasish Junos Admin Guide