Juniper NETWORK AND SECURITY MANAGER страница 207 Скачать руководство пользователя | Manualshive

Страница: 207 / 340

background image

Table 48: SAML Server Instance Configuration Details

(continued)

Your Action

Function

Option

Enter the string.

Specifies the user name template, which is a
mapping string from the SAML assertion to a
Secure Access user realm.

User Name
Template

Enter the allowed clock
skew value.

Determines the maximum allowed difference
in time between the Secure Access device
clock and the source site clock.

Allow Clock Skew
(minutes)

SAML Settings > Artifact SSO tab

Enter the Source ID.

Specifies the 20- byte identifier that the
Secure Access device uses to recognize an
assertion from a given source site.

Source ID

Enter a URL.

NOTE: You should specify
this URL in the form of an
HTTPS: protocol.

Specifies the source SOAP responder service
URL.

Source SOAP
Responder Service
URL

Select either

HTTP Basic

or

SSL Client Certificate

.

Specifies the SOAP client authentication.

SOAP Client
Authentication

Enter the username.

Specifies the username for SOAP client
authentication.

Username

Enter the password.

Specifies password for SOAP client
authentication.

Password

Select a device certificate
the drop-down list.

Specifies the device certificate.

Device Certificate

SAML Settings > POST SSO tab

Enter the name or browse
to locate the response
signing certificate.

Specifies the response signing cerificate for
the SAML response signature verification.

This is the PEM-formatted signing certificate,
which is loaded for the SAML response
signature verification. The certificate you
select should be the same certificate used for
signing the SAML response at the source site.
The source site may send this certificate along
with the SAML response, depending on the
source site configuration. By default, the
system performs signature verification of the
SAML response first on the locally configured
certificate. If a certificate is not configured
locally in the SAML authentication server, then
the system performs the signature verification
on the certificate included in the SAML
response from the source site.

Response Signing
Certificate

Issued To details is
displayed.

Displays name and attributes of the entity to
whom the certificate is issued.

Issued To

189

Copyright © 2010, Juniper Networks, Inc.

Chapter 11: Configuring Authentication and Directory Servers

«
...
205
206
207
208
209
...
»

Содержание NETWORK AND SECURITY MANAGER

Страница 1: ...Network and Security Manager Configuring Secure Access Devices Guide Release 2010 4 Published 2010 11 17 Revision 01 Copyright 2010 Juniper Networks Inc...

Страница 2: ...1991 D L S Associates This product includes software developed by Maker Communications Inc copyright 1996 1997 Maker Communications Inc Juniper Networks Junos Steel Belted Radius NetScreen and ScreenO...

Страница 3: ...re physically contained on a single chassis c Product purchase documents paper or electronic user documentation and or the particular licenses purchased by Customer may specify limits to Customer s us...

Страница 4: ...ATE WITHOUT ERROR OR INTERRUPTION OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK In no event shall Juniper s or its suppliers or licensors liability to Customer whether in contract tort inclu...

Страница 5: ...ree years from the date of distribution Such request can be made in writing to Juniper Networks Inc 1194 N Mathilda Ave Sunnyvale CA 94089 ATTN General Counsel You may obtain a copy of the GPL at http...

Страница 6: ...Copyright 2010 Juniper Networks Inc vi...

Страница 7: ...ntegrating Secure Access Devices Chapter 3 Adding Secure Access Devices 11 Importing a Secure Access Device 11 Installing and Configuring a Secure Access Device 11 Adding a Secure Access Device Throug...

Страница 8: ...pter 7 Configuring Terminal Services Using Remote Access Mechanism 51 Terminal Services Overview 51 Configuring Terminal Services on a Secure Access Device User Role NSM Procedure 52 Terminal Services...

Страница 9: ...irectory Servers 161 Configuring a Secure Access ACE Server Instance NSM Procedure 161 Creating a Custom Expression for an Authentication Server NSM Procedure 163 Configuring a Secure Access Local Aut...

Страница 10: ...e Policies for Windows Only NSM Procedure 247 Enabling Connection Control Policies 247 Configuring Virus Signature Version Monitoring NSM Procedure 248 Importing Virus Signature Version Monitoring or...

Страница 11: ...emoving a Secure Access Device from NSM Management NSM Procedure 296 Archiving Secure Meetings NSM Procedure 297 Managing Secure Access Node from a Cluster 298 Chapter 22 Troubleshooting Secure Access...

Страница 12: ...Copyright 2010 Juniper Networks Inc xii Configuring Secure Access Devices Guide...

Страница 13: ...ng market It enables a solution tailoring to meet the remote and extranet access requirements This guide provides the various steps to configure and manage Secure Access using NSM This guide also help...

Страница 14: ...ements Bold typeface like this user input Represents text that the user must type Bold typeface like this host1 show ip ospf Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an area Border Ro...

Страница 15: ...Describes how to use and configure key management features in the NSM It provides conceptual information suggested workflows and examples where applicable This guide is best used in conjunction with...

Страница 16: ...and easy problem resolution Juniper Networks has designed an online self service portal called the Customer Support Center CSC that provides you with the following features Find CSC offerings http ww...

Страница 17: ...toll free in the USA Canada and Mexico For international or direct dial options in countries without toll free numbers see http www juniper net support requesting support html xvii Copyright 2010 Jun...

Страница 18: ...Copyright 2010 Juniper Networks Inc xviii Configuring Secure Access Devices Guide...

Страница 19: ...PART 1 Getting Started Understanding Secure Access Device Configuration on page 3 Secure Access Device and NSM Installation Overview on page 7 1 Copyright 2010 Juniper Networks Inc...

Страница 20: ...Copyright 2010 Juniper Networks Inc 2 Configuring Secure Access Devices Guide...

Страница 21: ...onfiguration screens rendered through NSM are similar to the screens in the Secure Access device admin console NSM incorporates a broad configuration management framework that allows co management usi...

Страница 22: ...licensing and password administration If you have several Secure Access devices that will be configured in a clustering environment the cluster abstraction must first be created in the NSM Cluster Ma...

Страница 23: ...ce supports the following services in NSM Inventory management service Enables management of the Secure Access software hardware and licensing details Adding or deleting licenses or upgrading or downg...

Страница 24: ...NSM and Secure Access Device Management Overview on page 3 Copyright 2010 Juniper Networks Inc 6 Configuring Secure Access Devices Guide...

Страница 25: ...nfigure a Secure Access device Related Documentation NSM Installation Overview on page 7 Communication Between a Secure Access Device and NSM Overview on page 3 NSM Installation Overview NSM is a soft...

Страница 26: ...mentation Communication Between a Secure Access Device and NSM Overview on page 3 Secure Access Device Installation Overview on page 7 Copyright 2010 Juniper Networks Inc 8 Configuring Secure Access D...

Страница 27: ...2 Integrating Secure Access Devices Adding Secure Access Devices on page 11 Adding Secure Access Clusters on page 23 Working with Secure Access Templates on page 29 9 Copyright 2010 Juniper Networks...

Страница 28: ...Copyright 2010 Juniper Networks Inc 10 Configuring Secure Access Devices Guide...

Страница 29: ...ing network by using NSM and importing its configurations Using the Add Device Wizard you can configure a connection between the management system and the physical device and then import all device pa...

Страница 30: ...ing Secure Access devices see the Juniper Networks Secure Access Administration Guide Adding a Secure Access Device Through NSM To add the Secure Access device through the NSM UI 1 From the left pane...

Страница 31: ...ecure Access Device You must configure and activate the NSM agent on the Secure Access device It establishes the SSH communications with the NSM application and controls the Secure Access device from...

Страница 32: ...es to save policy or VPN changes The Device Import Option dialog box appears 4 Select Run Summarize Delta Config click OK and Yes The Job Information dialog box displays the progress of the delta conf...

Страница 33: ...lick Next The Verify Device Authenticity dialog box opens The Add Device wizard displays the RSA Key FingerPrint information To prevent man in the middle attacks you should verify the fingerprint usin...

Страница 34: ...er Networks provides CSV templates in Microsoft Excel format for each type of CSV file These templates are located in the utils subdirectory where you have stored the program files for the UI client F...

Страница 35: ...devices create a text file with the following text 1 Open a Text file and add the Secure Access devices and its parameters as follows SA 4000 blue SA SA 4000 none root 6 3 netscreen SA 4500 pink SA SA...

Страница 36: ...is saved to the following GUI server directory usr netscreen GuiSvr var ManyDevicesOutput inputFile_YYYYMMDDHHMM Before the Secure Access devices can be managed by NSM you must enter the CLI commands...

Страница 37: ...nitor workspace check the following parameters for your imported device The Config Status must be Managed The Conn Status must be Up Using Device Manager Using the Device Manager in NSM you can verify...

Страница 38: ...vice maintenance particularly for devices on which a local device administrator has been troubleshooting using CLI commands or the Web UI Because the device object configuration in the NSM UI can over...

Страница 39: ...reate VPN abstractions for your VPN policies Get Running Configuration A running configuration summary shows you the exact CLI commands or XML messages that were used to create the current device conf...

Страница 40: ...Copyright 2010 Juniper Networks Inc 22 Configuring Secure Access Devices Guide...

Страница 41: ...tive active Network Connect NC deployments we recommend that you do the following Split the NC IP pool into node specific subpools Perform static route configuration on the backend router infrastructu...

Страница 42: ...e synchronized by the cluster across all cluster members Similarly changes to a Secure Access cluster membership that occur through administrator action on the native device UI will be reflected back...

Страница 43: ...adding standalone devices Adding Cluster Members through Not Reachable Workflow To add a cluster member through the non reachable workflow 1 From the left pane of the NSM UI click Configure 2 Expand D...

Страница 44: ...le Workflow To add a cluster member 1 From the left pane of the NSM UI click Configure 2 Expand Device Manager and select Devices The Devices workspace appears on the right side of the screen 3 Click...

Страница 45: ...k the Device Tree tab Right click the cluster to which you want to import the configurations and select Import Device NSM starts to import the configuration and a job window reports the progress of th...

Страница 46: ...Copyright 2010 Juniper Networks Inc 28 Configuring Secure Access Devices Guide...

Страница 47: ...the left pane of the NSM UI click Configure 2 Expand Device Manager and select Device Templates The Device Templates workspace appears on the right side of the screen 3 Click the Device Template Tree...

Страница 48: ...con The Edit Templates dialog box appears 6 Select the required template from the list and click OK in the Edit Templates dialog box 7 In the templates configuration screen select Retain template valu...

Страница 49: ...o promote a Secure Access device configuration to a template 1 From the Devices workspace in NSM double click the Secure Access device whose configuration settings you want to promote to a template Th...

Страница 50: ...Copyright 2010 Juniper Networks Inc 32 Configuring Secure Access Devices Guide...

Страница 51: ...onfiguring Authentication and Directory Servers on page 161 Configuring Authentication Realms on page 195 Configuring Sign in Policies and Sign in Pages on page 207 Configuring Single Sign On on page...

Страница 52: ...Copyright 2010 Juniper Networks Inc 34 Configuring Secure Access Devices Guide...

Страница 53: ...tion and session bookmarks and configuring session settings for the enabled access features You can create and configure user roles through the User Roles page from the Secure Access device configurat...

Страница 54: ...age and the browsing toolbar for users mapped to this role UI Options Select General Web to enable this access feature for the role Enables you to intermediate Web URLs through the Content Intermediat...

Страница 55: ...ovides secure SSL based network level remote access to all enterprise application resources using the Secure Access device over port 443 Network Connect Table 8 Global User Role Configuration Details...

Страница 56: ...back end device can then direct end user traffic based on these aliases as long as you configure the back end device such as a firewall to expect the aliases in place of the internal interface source...

Страница 57: ...n Options NSM Procedure on page 39 Creating and Configuring Secure Access Device Administrator Roles NSM Procedure on page 43 Creating and Applying a Secure Access Device Template on page 29 Verifying...

Страница 58: ...e nonadministrativeusersession may remain open before ending The minimum is six minutes The default time limit for a user session is 60 minutes after which the Secure Access device ends the user sessi...

Страница 59: ...rs mapped to this role Limit to subnet Limits the roaming session to the local subnet specified in the Netmask box Disabled Disables roaming user sessions for users mapped to this role Allows users to...

Страница 60: ...onymous sign in The Secure Access device caches NTLM and HTTP Basic Authentication passwords provided by users so that the users are not repeatedly prompted to enter the same credentials used to sign...

Страница 61: ...e appropriate authentication server not the role For example to create an individual administrator account you may use settings in the Authentication Auth Servers Administrators Users page of the admi...

Страница 62: ...inistrator role can modify all user role pages Select Custom Settings to allow you to pick and choose administrator privileges Deny Read or Write for the individual user role pages Specifies which use...

Страница 63: ...and read only access for an authentication realm page the Secure Access device grants the most permissive access Allows the administrator to view the user authentication realms but not modify Adminis...

Страница 64: ...es the level of access that you want to allow the security administrator role to set for system administrators NOTE This option appears only when you enable the Manage All admin roles option Access De...

Страница 65: ...e pages NOTE This option appears only when you enable the Manage All admin realm option Access Delegated Resource Policies All tab Select an access option Deny All Specifies that membersoftheadministr...

Страница 66: ...o individual policy For example if you want to control access to a resource policy that controls access to www google com Additional Access Policies Select Read or Write access level for the policy Al...

Страница 67: ...urce Profiles Access Delegated Resource Profiles Web File SAM Telnet SSH Terminal Services Select Deny or Read or Write access level for the type of resource Allows you to pick and choose administrato...

Страница 68: ...Verifying Imported Device Configurations on page 19 Copyright 2010 Juniper Networks Inc 50 Configuring Secure Access Devices Guide...

Страница 69: ...e server or Citrix Metaframe server You can also use this feature to deliver the terminal services through the Secure Access device eliminating the need to use another Web server to host the clients N...

Страница 70: ...dialog box appears 4 Add or modify settings as specified in Table 12 on page 52 5 Click one OK Saves the changes Cancel Cancels the modifications Table 12 User Role Terminal Services Configuration Det...

Страница 71: ...ccess device sprimaryauthentication server Or use the following syntax to submit the username for the secondary authentication server username Secondary ServerName or username 2 Specifies the username...

Страница 72: ...nect the user s local drive to the terminal server enabling the user to copy information from the terminal server to his local client directories Connect drives Select the Connect printers check box t...

Страница 73: ...nal server listens to the user client Server Port Select Full Screen 800x600 1024x768 or 1280x1024 from the drop down list Allows you to change the size of the terminal services window on the user s w...

Страница 74: ...r windows Themes Select the Font smoothing RDP 6 0 onwards check box to enable this option Allows users to make text smoother and easier to read This option only works on Windows Vista computers runni...

Страница 75: ...epth Terminal Services Terminal Services Sessions Type Citrix using default ICA file Start Application tab Enter the path Specifies where the application s executable file resides on the terminal serv...

Страница 76: ...it Password Allows you to specify a static password or select a variable password Password Type Enter the variable password Specifies the SSO variable password that the Secure Access device uses to va...

Страница 77: ...ent Download and Citrix Client Download Version boxes are displayed only when you select Downloaded from a URL option from the Citrix Client Delivery Method drop down list Citrix Client Download URL E...

Страница 78: ...ers to use smart card readers connected to their system for authenticating their remote desktop session User can connect smart cards Select the User can connect sound devices check box to enable this...

Страница 79: ...pective accessing secured terminal services resources through the Secure Access device is simple When you enable the Terminal Services feature for a user role the enduser needs to perform the followin...

Страница 80: ...ave uploaded a client to the device and specified that the device always use it to run your users terminal sessions the device launches the specified Java client The device checks for a Java client En...

Страница 81: ...e then stores the user s preference as a persistent cookie Once the Java client is installed the client initiates the user s terminal services session and the proxy intermediates the session traffic T...

Страница 82: ...Copyright 2010 Juniper Networks Inc 64 Configuring Secure Access Devices Guide...

Страница 83: ...to various applications servers and other resources using remote access mechanisms When you enable an access feature make sure to create corresponding resource policies To enable access features See...

Страница 84: ...e on page 66 Configuring Network Connect on a Secure Access Device User Role NSM Procedure on page 69 Configuring File Rewriting on a Secure Access Device User Role NSM Procedure A file resource profi...

Страница 85: ...nd file browsing The bookmark appears both on a user s welcome page and when browsing network files Appear in file browsing only The bookmark appearsonlywhenbrowsing network files Specifies the bookma...

Страница 86: ...te bookmarks to resources on available Windows file shares Users can add bookmarks Files Unix network files options tab Select the User can browse network file shares check box to enable this feature...

Страница 87: ...e Tree tab and then double click the Secure Access device for which you want to configure a user role access option 2 Click the Configuration tab Select Users User Roles 3 Click the New button The New...

Страница 88: ...le Network Connect Configuration Details continued Your Action Function Option Allows you to enable split tunneling Split Tunneling Modes Copyright 2010 Juniper Networks Inc 70 Configuring Secure Acce...

Страница 89: ...cess to local resources such as printers If needed you can add entries to the client s route table during the Network Connect session The Secure Access device does not terminate the session This is th...

Страница 90: ...r to the outer IP packet header Enable TOS Bits Copy Select the Multicast check box to enable this feature Specifies whether or not you want Network Connect to operate in multicast mode Multicast Sele...

Страница 91: ...r the start script location Specifies the location of Network Connect start scripts for Linux Linux Session start script location Enter the end script location Specifies the location of Network Connec...

Страница 92: ...17 User Role SAM Configuration Details Your Action Function Option SAM JSAM Applications tab Enter the name of the application Displays the application name in the Client Application Sessions area of...

Страница 93: ...umber Specifies the ports on which the Metaframe servers listen New Allowed Citrix Ports Type Microsoft Outlook Exchange Enter the server name Specifies the application servers for client application...

Страница 94: ...erver Enter the port numbers Allows you to specify multiple ports for a host as separate entries Ports SAM WSAM Bypass Applications tab Enter the name of the application Displays the application name...

Страница 95: ...dentials before connecting to sites on their internal network This option changes Internet Explorer s intranet zone setting so that Internet Explorer prompts the user for network sign in credentials w...

Страница 96: ...e permissions to look at their registries If JSAM tries to look at their registries then users see an error that they do not have permission This option ensures that users do not see this message Skip...

Страница 97: ...role 2 Click the Configuration tab Select Users User Roles 3 Click the New button The New dialog box appears 4 Add or modify settings as specified in Table 18 on page 79 5 Click one OK Saves the chang...

Страница 98: ...sers to create an additional meetingID Users can create additional meeting URLs under their personal URL Meetings Options Meeting Options tab Select one of the following types from the drop down list...

Страница 99: ...automatically distribute the meeting password to meeting invitees Specifies the distribution method that you want meeting creators to employ Password Distribution Select one of the following options...

Страница 100: ...t the minimum character length for passwords Allows you to set the minimum character length for passwords Minimum length characters Set the maximum character length for passwords Allows you to set the...

Страница 101: ...check box to enable this feature Allows you to specify the maximumnumberofmeetings that may be held by at any given time by members of the role Limit number of simultaneous meetings Select the Limit n...

Страница 102: ...n a Secure Access Device User Role NSM Procedure The Secure Access device Web rewriting feature enables you to intermediate Web URLs through the Content Intermediation Engine You can intermediate URLs...

Страница 103: ...play Tool Bar check box to enable this feature Allows all Web traffic through the Secure Access device by precluding users in the specified role from typing a new URL in the tool bar This option is di...

Страница 104: ...plet HTML and Multi Valued User Attributes fields are displayed only when you select Applet from the Bookmark Type drop down list Applet HTML Enter multiple attributes Allows you to specify multiple a...

Страница 105: ...un application such as the Virtual Network Computing VNC Java client Citrix NFuse Java client WRQ Reflection Web client and Lotus WebMail Allow Java applets Select the AllowFlashcontent check box to e...

Страница 106: ...se cases the Warn users about the certificate problems option must be disabled Enables users to access untrusted Web sites through the Secure Access device Allow browsing untrusted SSL websites Select...

Страница 107: ...x to enable this feature Allows the configuration of a Secure Access device to rewrite file URLs so that they are routed through the Secure Access device s file browsing CGI Rewrite file URLs Select t...

Страница 108: ...ations Table 20 User Role Telnet SSH Configuration Details Your Action Function Option Telnet SSH Telnet Bookmarks tab Enter the name for the bookmark Specifies the name for the Terminal Sessions page...

Страница 109: ...ers to define their own session bookmarks and to allow users to browse to a terminal session using the following syntax telnet ssh dana term newlaunchterm cgi The Add Terminal Session button appears o...

Страница 110: ...Copyright 2010 Juniper Networks Inc 92 Configuring Secure Access Devices Guide...

Страница 111: ...n page 129 Configuring WSAM Resource Profile NSM Procedure on page 131 Configuring Bookmarks for Virtual Desktop Resource Profiles NSM Procedure on page 134 Configuring a JSAM Resource Profile NSM Pro...

Страница 112: ...Client Port Select the Create an access control policy allowing SAM access to these servers check box to enable this feature Allows access to the list of servers specified in the Server Port column C...

Страница 113: ...role from the Non members to the Members list Specifies the roles to which the resource profile applies Roles Selections Related Documentation Configuring a Citrix Terminal Services Custom ICA Resour...

Страница 114: ...s device to fall back to the applets when other terminal services clients are not available on the user s system Always use Java applet Allows a Secure Access device to store terminal services Java cl...

Страница 115: ...ame Specifies the unique name for the custom ICA file Custom ICA Filename Citrix using Custom ICA Autopolicy Terminal Services Access control Rules tab Enter a name Specifies the name of a policy that...

Страница 116: ...le Password Enter the explicit password Specifies the explicit password Explicit Password Select the Auto launch check box to enable this feature Allows you to automatically launch this terminal servi...

Страница 117: ...ng settings that you specify in a default Citrix file ICA To configure a Citrix terminal services resource profile that uses default ICA settings 1 In the NSM navigation tree select Device Manager Dev...

Страница 118: ...hen associate these Java applets with the resource profile and specify that the Secure Access device always use them to intermediate traffic Allows you to enable or disable Java applet support Java Su...

Страница 119: ...the selected resource profile Specifies the existing host of the resource profile that connects to a Citrix terminal server on the Secure Access device Host The Secure Access device automatically popu...

Страница 120: ...you might enter the following directory for the Microsoft Word application C Program Files Microsoft Office Office10 WinWord exe Specifies where the application s executable file resides on the termin...

Страница 121: ...he application they are using until the network connectivity resumes or the session reliability time out has expired the time out value is defined by the Citrix product Session Reliability and Auto cl...

Страница 122: ...h published applications only applications that are allowed to be run are published With the Secure Access device these published applications are displayed on the Secure Access device index page as t...

Страница 123: ...e without employing a separate Web server to host them You can then associate these Java applets with the resource profile and specify that the Secure Access device always use them to intermediate tra...

Страница 124: ...ecting to the Citrix Metaframe server Specifies the username for connecting to the Citrix Metaframe server where the XML service is running XML Username Select either Variable Password or Password fro...

Страница 125: ...profile Description Select one of the following options from the Applications drop down list ALL applications Allows all executables on the server to be available to the end user Subset of selected ap...

Страница 126: ...can use the domain credentials to pass the user s cached domain credentials to the Windows Terminal server Password Type Enter the password variable Or use the following syntax to submit the password...

Страница 127: ...e drop down list All Terminal Service Profileroles Displays the session bookmark to all of the roles associated with the resource profile Subset of Terminal Service Profile roles Displays the session...

Страница 128: ...ort path For instance enter the URL of an NFuse server the Web interface for a Citrix Metaframe Presentation Server or a Web server from which the device can download Citrix Java applets or Citrix cab...

Страница 129: ...y if you have deployed Citrix using a Java ICA client When you select this option the device uses all of the allow values that you enter in the resource profile s Web access control autopolicy to auto...

Страница 130: ...ce NFuse URL defined in the Web Interface NFuse URL field and displays it to all users assigned to the role specified in the Roles tab Related Documentation Configuring a Citrix Listed Application Res...

Страница 131: ...se URL box Name Select Allow or Deny from the Action drop down list Allows or denies user access to the resource Action Enter the resource name Specifies the resource for which this policy applies Res...

Страница 132: ...ltiple POSTs to this resource POST Variables Enter the label name Specifies the label that appears on a user s preferences page in the Secure Access device This field is required if you either enable...

Страница 133: ...to the specified URL when a user makes a request to a resource Resource Enter the name Specifies the text for the Secure ccess device to send as header data Header name Enter the value Specifies the...

Страница 134: ...n the browser Don t Cache send Pragma No Cache Prevents the user s browser from caching files to the disk Unchanged do not add modify caching headers Secure Access device forwards the origin server s...

Страница 135: ...When the Secure Access device receives a client request for the application server hostname alias it forwards the request to the specified application server port in the Base URL box Use virtual host...

Страница 136: ...for client connections Server Port Enter the IP address Specifies a static loopback address If you do not provide a static IP loopback address the Secure Access device assigns an IP loopback address...

Страница 137: ...ype for the specified resource Action Enter the resource name Specifies the resources to which this policy applies Resource Settings tab Type Custom Bookmarks General Enter the name Specifies the name...

Страница 138: ...gs tab Type Custom Bookmarks Role Selections Select the role and click Add Specifies the roles to which the resource profile applies Role Selections Related Documentation Configuring File Rewriting Re...

Страница 139: ...resource Name Select Allow or Deny from the Action drop down list Allows or denies user access to resource Action Select the Read only check box to enable this option Allows users to view but not edit...

Страница 140: ...ed in the Secure Access device If the credentials later fail the Secure Access device again prompts the user for the credentials Specifies the type of credentials to pass to the Windows share or direc...

Страница 141: ...leroles Bookmark appears both on a user s welcome page and when browsing network files Subset of File Profile roles Bookmark appears only when users are browsing network files Specifies the roles to w...

Страница 142: ...rceProfileDetails Your Action Function Option Settings tab Enter the name Specifies the name for the resource profile that becomes the default session bookmark s name Name Enter the description Descri...

Страница 143: ...access the server specified in the Server Port box enabled by default Create an access control policy Bookmarks tab Enter the name Specifies the name of the session bookmark Name Enter a description...

Страница 144: ...he secondary authentication server Password SecondaryServerName or Password 2 Specifies the variable password Variable Password Enter the explicit password Specifies the explicit password Explicit Pas...

Страница 145: ...o connect the user s local printers to the terminal server enabling the user to print information from the terminal server to his local printer Connect printers Select the Connect COM Ports check box...

Страница 146: ...ap Caching check box to enable this option Improves performance by minimizing the amount of display information that is passed over a connection Bitmap Caching Select the Desktop Composition RDP 6 0 o...

Страница 147: ...ell session through a Web based terminal session emulation To configure a Telnet SSH resource profile 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then doub...

Страница 148: ...s the bookmark Description Enter a size from 8 to 36 pixels or scroll to the required number By default the Secure Access device sets the font size to 12 Specifies the size of the bookmark Font Size S...

Страница 149: ...esses running on the client that are connecting to the specified internal hosts To configure a WSAM application resource profile 1 In the NSM navigation tree select Device Manager Devices Click the De...

Страница 150: ...ts the specified application Action Settings tab Settings tab Select one of the following options Custom You must manually enter your custom application s executable file name such as telnet exe Addit...

Страница 151: ...cations Table 31 Configuring WSAM Destination Resource Profile Details Your Action Function Option Settings tab Enter the name Specifies a name for the resource profile Name Enter the description Desc...

Страница 152: ...Click OK to save the changes Table 32 Bookmarks for Virtual Desktop Resource Profile Details Your Action Options Enter the session bookmark name Name Enter the session bookmark description Descriptio...

Страница 153: ...want to display the session bookmarks if you are configuring the session bookmark through the resource profile pages Select one of the following options from the drop down list All Virtual Desktops P...

Страница 154: ...Copyright 2010 Juniper Networks Inc 136 Configuring Secure Access Devices Guide...

Страница 155: ...ws and NFS file shares When a user makes a file request the Secure Access device evaluates the resource policies corresponding to the request such as Windows access resource policies for a request to...

Страница 156: ...4 7 Specify one or more expressions in the Conditions box to evaluate in order to perform the action 8 To specify actions and additional settings on the file rewriting policy using Table 33 on page 1...

Страница 157: ...ing options from the drop down list Allow Allows the user access to the resource Deny Denies the user access to the resource Specifies the action to perform if the user request matches a resource in t...

Страница 158: ...tailed rules for this policy Specifies the action to take when a resource requires credentials Action Enter a variable For example enter USERNAME orastatic username For example administrator to submit...

Страница 159: ...Variable Password Secure Access device uses specified credentials with variable password to pass to the Windows share or directory Use Specified Credentials Fixed Password Secure Access device uses sp...

Страница 160: ...ly when you select the Use Specified Credentials Variable Password option from the Action drop down list Variable Password Enter the static password Specifies a static password to the Windows share or...

Страница 161: ...sensitive path component Case sensitive matching for the path component in File resources Select from the drop down list Specifies the encoding to use when communicating with Windows and NFS file sha...

Страница 162: ...cess device for which you want to configure a Secure Application Manager resource policy 2 Click the Configuration tab Select Users Resource Policies SAM 3 Add or modify settings as specified in Table...

Страница 163: ...ifies the detailed rule name NOTE The Detailed Rules tab is displayed only when you select the Detailed Rules option from the Action drop down list Name Select one of the following options from the dr...

Страница 164: ...tion Configuring a Telnet and Secure Shell Resource Policy NSM Procedure on page 146 Configuring a Terminal Service Resource Policy NSM Procedure on page 149 Configuring a Telnet and Secure Shell Reso...

Страница 165: ...elect one of the following options from the drop down list Allow Allows access to the servers specified in the Resources list Deny Denies access to the servers specified in the Resources list Detailed...

Страница 166: ...one or more Boolean expressions using the NOT OR or AND operators Custom expressions Using the custom expression syntax write one or more custom expressions Specifies one or more expressions to evalu...

Страница 167: ...Enter the description Describes the policy Description Enter the server path Specifies the servers to which this policy applies Resources Select one of the following options from the drop down list Al...

Страница 168: ...form if the user request matches a resource in the Resource list optional Action Specify one of the following options The same or a partial list of the resources specified on the General tab A specifi...

Страница 169: ...and wildcards to efficiently specify multiple hostnames and paths For resources that you specify by hostname you can also choose either HTTP HTTPS or both protocols To configure Web rewriting resource...

Страница 170: ...r example http yourcompany com login cgi NOTE The Secure Access device does not accept wildcard characters in this field Specifies the absolute URL where the application posts the user s credentials s...

Страница 171: ...Specifies the size of the image Images are cached if it is less than the specified size Client should cache all images less than in KB Selective Rewriting General tab Select any one value from the dr...

Страница 172: ...s Enter the class ID Specifies class ID of the ActiveX control that you want to control with the policy Class Id Enter the description Describes the policy Description Enter the parameters Specifies t...

Страница 173: ...Procedure on page 137 Configuring a Network Connect Connection Profile Resource Policy NSM Procedure Use the Network Connect NC Connection Profiles tab to create an NC resource profile When a Secure A...

Страница 174: ...gh which you intend to direct UDP connection traffic The default port number is 4500 UDP Port Enter a value for the ESP to NCP fallback time out This option provides a period of time in seconds to fal...

Страница 175: ...wing options from the drop down list DHCP server This option allows you to specify the hostname or IP address of a network Dynamic Host Configuration Protocol DHCP server responsible for handling clie...

Страница 176: ...ies the URL of the server on which the PAC file resides and the frequency in minutes with which Network Connect polls the server for an updated version of the PAC file Manual configuration Specifies t...

Страница 177: ...ass through the NC tunnel The 10 204 68 0 24 network will not pass through the NC tunnel If split tunneling is enabled and the include route contains 10 204 64 0 24 subnet of the excluded route and th...

Страница 178: ...This option denies the Network IP address netmask combinations specified in the Resources field not to pass through the NC tunnel Action Roles Selection tab Select the members from the Members list Y...

Страница 179: ...Access SAML Server Instance NSM Procedure on page 188 Configuring a Secure Access Active Directory or NT Domain Instance NSM Procedure on page 190 Configuring a Secure Access NIS Server Instance NSM...

Страница 180: ...e modifications Table 40 Secure Access ACE Server Instance Configuration Details Your Action Function Option ACE Settings Select a default port number NOTE The Secure Access device uses only this sett...

Страница 181: ...ration tab In the configuration tree select Authentication Auth Servers 4 Add or modify an auth server instance and then select Server Catalog The Expressions tab appears 5 Click New to create a custo...

Страница 182: ...lidate button is not enabled in the Custom Expressions editor of device templates 9 Click OK to save the custom expression The new custom expression is displayed under the Expressions tab of the serve...

Страница 183: ...um length There is no maximum limit to the length Specifiesthemaximumcharacter length for passwords NOTE This is optional Maximum password length Set the minimum number of digits that is required in t...

Страница 184: ...r the username Specifies the username Username Enter the user s full name Specifies the user s full name Full name Enter the password Specifies the password Password Select Users One time user to enab...

Страница 185: ...ing server instance click the appropriate link in the Auth Server Name box and perform the Steps 5 through 8 4 Click the New button The New dialog box appears 5 Specify a name to identify the server i...

Страница 186: ...ticate users against LDAP Server Type Select the type of connection from the drop down list Specifies whether or not the connection between the Secure Access device and LDAP Directory Service should b...

Страница 187: ...ps Base DN Enter a filter value Fine tunes the search for a user group Filter Enter a name if you want to identify all the members of a static group For example entermemberuniquemember iPlanet specifi...

Страница 188: ...ies the e mail attribute for the LDAP server Email Address Enter a name For example to help the meeting creator easily distinguish between multiple invitees with the same name you may want to expose a...

Страница 189: ...nfiguring a Secure Access RADIUS Server Instance NSM Procedure A Remote Authentication Dial In User Service RADIUS server is a type of server that allows you to centralize authentication and accountin...

Страница 190: ...ort Enter a string for the shared secret Specifies a string for the shared secret Shared Secret Enter the port value NOTE Typically this port is 1813 but some legacy servers might use 1646 Specifies t...

Страница 191: ...ROLE Logs the user s Secure Access device role to the accounting server If the user is assigned to more than one role the Secure Access device comma separates them Specifies the user information that...

Страница 192: ...box and perform the Steps 5 through 8 4 Click the New button The New dialog box appears 5 Specify a name to identify the server instance 6 Select Anonymous Server from the Auth Server Type list 7 Cli...

Страница 193: ...SiteMinder Configuration Details Your Action Function Option Siteminder Settings Basic Settings tab Enter a name or IP address Specifies the name or IP address of the SiteMinder policy server Policy...

Страница 194: ...cted resource If you do not create sign in policies for SiteMinder the Secure Access device uses this default URL to set the user s protection level for the session The Secure Access device also uses...

Страница 195: ...n realm from the drop down list Specifies an authentication realm for automatically signed in users The Secure Access device maps the user to a role based on the role mapping rules defined in the sele...

Страница 196: ...L Specifies the target URL NOTE The form post target form post protocol form post Webagent form post port form post path and form post parameters field are displayed only when you select Form POST opt...

Страница 197: ...the Form POST option from the Authentication Type drop down list Form POST Path Enter the post parameters CommonSiteMindervariables that you can use include _ _USER_ _ _ _PASS_ _ and _ _TARGET_ _ The...

Страница 198: ...ard agent an SMSESSION cookie is set in the user s browser and the user is redirected back to the Secure Access device The Secure Access device then automatically signs in the user and establishes a S...

Страница 199: ...redirect to Enter a URL Specifies a resource on the Web agent to which the Secure Access device redirects users when they do not have the appropriate permissions Resource for insufficient protection...

Страница 200: ...Enter a number Controls the maximum number of requests that the policy server connection handles before the Secure Access device ends the connection If necessary tune to increase performance NOTE The...

Страница 201: ...o not select this option the Secure Access device checks the user s SMSESSION cookie on each request Enable Session Grace Period Enter the time period in seconds Specifies the time period for the Secu...

Страница 202: ...ure Access Certificate Server Instance NSM Procedure The certificate server feature allows users to authenticate based on attributes contained in client side certificates You may use the certificate s...

Страница 203: ...Access SAML Server Instance NSM Procedure on page 188 Configuring a Secure Access Active Directory or NT Domain Instance NSM Procedure on page 190 Configuring a Secure Access eTrust SiteMinder Server...

Страница 204: ...e OCSP validation method when possible but attempt to validate client certificates using CRLs should the OCSP method fail for example if the link to the OCSP Responder fails After you select this opti...

Страница 205: ...P Settings tab Select a value from the drop down list The list includes Responder specified in CA certificate Manually configured responders Responder specified in Client certificate Specifies the OCS...

Страница 206: ...er instance 3 Click the Configuration tab and select Authentication Auth Servers The corresponding workspace appears NOTE If you want to update an existing server instance click the appropriate link i...

Страница 207: ...nt authentication Password Select a device certificate the drop down list Specifies the device certificate Device Certificate SAML Settings POST SSO tab Enter the name or browse to locate the response...

Страница 208: ...ectory or NT Domain Instance NSM Procedure on page 190 Configuring a Secure Access NIS Server Instance NSM Procedure on page 193 Configuring a Secure Access Certificate Server Instance NSM Procedure o...

Страница 209: ...in Select AD NT Settings General Allow domain to be specified as part of username to enable this feature Allows users to sign in by entering a domain name in the Username box in the format domain user...

Страница 210: ...m name AD NT Settings Advanced tab Select AD NT Settings Advanced User may belong to Domain Local Groups across trust boundaries to enable this feature Specifies that the selected user belongs to the...

Страница 211: ...ication Auth Servers The corresponding workspace appears NOTE If you want to update an existing server instance click the appropriate link in the Auth Server Name box and perform the Steps 5 through 8...

Страница 212: ...erver user directory Value Related Documentation Configuring Secure Access Authentication Realms NSM Procedure on page 195 Configuring Secure Access Authentication Policies NSM Procedure on page 198 C...

Страница 213: ...want to configure authentication realms 2 Click the Configuration tab select Administrators Admin Realms or Users User Realms The corresponding workspace appears 3 Click the New button The New dialog...

Страница 214: ...evice NOTE You cannot choose an anonymous server certificate server or eTrust SiteMinder server Additional Authentication Server Select General End session if authentication against this server fails...

Страница 215: ...apping rules and role restrictions Uses dynamic policy evaluation for this realm Enable Dynamic policy evaluation Select General Refresh roles to enable this option Refreshes the roles of all users in...

Страница 216: ...le 52 Authentication Realm Policies Configuration Details Your Action Function Option Authentication Policies Source IP tab Select any one of the following options from the drop down list Usersfromany...

Страница 217: ...to a role or access a resource You are prompted with a sign in attempt failed error message when you try to sign in to the device using an unsupported browser Allow Enter a string in the format browse...

Страница 218: ...drop down list and by clicking New Specifies any additional criteria that the admin realm should use when verifying the policies Certificate Field Enter a variable for example enter userAttr uid NOTE...

Страница 219: ...access Evaluate ALL policies Select Authentication Policies Host Checker Enforce ALL policies to enable this feature Enforces all the policies on the client for the user to log in to the specified re...

Страница 220: ...ache Cleaner to the client machine before the user may access the Secure Access device sign in page Specifies the cache cleaner restrictions NOTE The Cache Cleaner tab is displayed only when you confi...

Страница 221: ...in Table 53 on page 203 6 Click one OK Saves the changes Cancel Cancels the modifications Table 53 Role Mapping Rules Configuration Details Your Action Function Option Role Mapping Rules tab Select Ad...

Страница 222: ...ressions button appears 1 Click the collection of expressions button to assign expressions The expressions that were created for the selected authentication server appears 2 Select an existing express...

Страница 223: ...ate has any of the attributes as role mapping rule type Specifies the rules that are used for matching New Enter an attribute name Specifies the role mapping role attributes NOTE This option is enable...

Страница 224: ...Copyright 2010 Juniper Networks Inc 206 Configuring Secure Access Devices Guide...

Страница 225: ...trator URLs on page 209 3 Creating Meeting URLs on page 210 Creating Authorization Only Policies The authorization only policy is similar to a reverse proxy Typically a reverse proxy is a proxy server...

Страница 226: ...his URL The request from the virtual hostname gets transformed as a request to this URL Backend URL Enter a description for the policy Specifies the description of the policy Description Select the co...

Страница 227: ...entication Signing In Sign in Policies User Administrator URLs The corresponding workspace appears 3 Add or modify settings on the user administrator URL as specified in Table 55 on page 209 4 Click o...

Страница 228: ...t to configure a meeting URL 2 Click the Configuration tab and select Authentication Signing In Sign in Policies Meeting URLs The corresponding workspace appears 3 Add or modify settings on the meetin...

Страница 229: ...n in Pages To configure a user or administrator sign in page 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for whi...

Страница 230: ...the sign in page Realm Enter the alternate or the secondary username Specifies the alternate or the secondary username Secondary username Enter the password for the secondary username Specifies the p...

Страница 231: ...espective Help file from its location using the browse button Allows the administrator to select the HTML file that needs to be displayed when the user clicks the Help button on the page HTML File Set...

Страница 232: ...e to show in the secure meeting sign in page Submit button Enter an appropriate message for the user to perform while signing in for the secure meeting For example enter Please sign in to begin your s...

Страница 233: ...ates File Automatically displays the file upload time and it is not editable Specifies the time taken to upload the template file File Upload Time Related Documentation Configuring a SAML Access Contr...

Страница 234: ...Copyright 2010 Juniper Networks Inc 216 Configuring Secure Access Devices Guide...

Страница 235: ...s if challenged with the negotiate header NTLM if challenged with the NTLM header and basic authentication if challenged with the basic resource If the device receives multiple challenges the order of...

Страница 236: ...ich you want to configure the basic NTLM and Kerberos resources 3 Click the Configuration tab Select Users Resource Policies Web General 4 Click the New icon to configure the options as described in T...

Страница 237: ...erberos Constrained Delegation Constrained Delegation Services List New Constrained Delegation Service List Enter a unique identification number for the constrained delegation service list Id Enter a...

Страница 238: ...xes Static Specifies the username and password exactly as they are entered in the Username and Password boxes Credential Type Enter the account username If you select Variable as the credential type y...

Страница 239: ...page to collect the credentials for the Web resource and then rewrites the credentials along with the entire challenge or response sequence With the Kerberos intermediation resource policy backend Web...

Страница 240: ...ediation method to control the SSO behavior Disable Intermediation Not valid for web proxies Specifies that in selecting this option the device does not intermediate the challenge or response sequence...

Страница 241: ...control transactions to a trusted access management system theSecureAccessdeviceandtrustedaccessmanagementsystemexchangesinformation To configure a SAML access control resource policy 1 In the navigat...

Страница 242: ...Detailed Rules Specifies one or more detailed rules for this policy Allows or denies the Secure Access device to perform an access control check Action Enter the URL using the format https hostname w...

Страница 243: ...owing options from the drop down list Other Sends the username in another format agreed upon by the Secure Access device and the SAML Web service DN Sends the username in the format of a DN distinguis...

Страница 244: ...ustom expressions Specifies one or more expressions to evaluate to perform the action Conditions Related Documentation Configuring SAML SSO Artifact Profile Resource Policy NSM Procedure on page 226 S...

Страница 245: ...Selection section Policy applies to all roles OTHER THAN those selectedbelow Appliesthe policy to all users except for those who mapped to the roles in the Role Selection section Specifies the roles t...

Страница 246: ...Secure Access device can use to identify itself when it generates assertions Issuer Select one of the following options from the drop down list Other Sendstheusername in another format DN Sends the us...

Страница 247: ...device NOTE The username and password boxes are displayed only when you select the Username Password option from the Authentication Type drop down list Username Enter the password Specifies the passw...

Страница 248: ...down list Role SAML SSO Detailed Role Specify one of the following options Boolean expressions Using system variables write one ormoreBooleanexpressions using the NOT OR or AND operators Custom expre...

Страница 249: ...g Virus Signature Version Monitoring or Patch Management Version Monitoring List NSM Procedure on page 249 Assigning a Proxy Server an Auto Update Server NSM Procedure on page 250 Setting Up Secure Ac...

Страница 250: ...nloading Host Checker over a slow connection increase the interval to allow enough time for the download to complete Client side process login inactivity timeout minutes Select the Auto upgrade HostCh...

Страница 251: ...in Table 64 on page 233 to specify the remediation actions that you want Host Checker to perform if a user s computer does not meet the requirements of the current policy 7 Click one OK Saves the cha...

Страница 252: ...eason strings Related Documentation Configuring Host Checker Third Party Applications Using Predefined Rules NSM Procedure on page 234 Configuring the Remote Integrity Measurement Verifier Server NSM...

Страница 253: ...the name for Antivirus rule Rule Name Select one of the following options Require any supported product Specifies the software vendor s product that is supported for the system scan check Require spe...

Страница 254: ...nitor this rule for change in result Select the EnableDownloadlatest virus definition files for all supported products to enable this feature Allows you to download latest virus definition files for a...

Страница 255: ...ific vendor for the system scan check Allows you to select your firewall vendor s and product s Select Products Select the Require any supported product from a specific vendor to enable this feature C...

Страница 256: ...Name Select the Monitor this role for change in result to enable this feature Continuously monitors the policy compliance of endpoints Monitor this role for change in result Select the product and the...

Страница 257: ...oducts Selected tab Select the product and then click Add to move the product from the Non memberstotheMemberslist Allows you to select specific products Specific Products Selected Selected Products S...

Страница 258: ...In the configuration tree select Authentication Endpoint Security Host Checker 4 Add or modify settings as specified in Table 66 on page 240 5 Click one OK Saves the changes Cancel Cancels the modifi...

Страница 259: ...licy NSMProcedure onpage144 Configuring Host Checker Customized Requirements Using Custom Rules NSM Procedure You can create custom rules within a Host Checker policy to define requirements that users...

Страница 260: ...nsiders the rule met NHCRules 1 Enter the rule name 2 Select the Required option to specify that these ports are open or closed 3 Enter a comma delimited port list without spaces of ports or port rang...

Страница 261: ...You may also use file checks to evaluate the age and content through MD5 checksums of required files and allow or deny access accordingly File Rules 1 Enter the rule name 2 Select the registry root k...

Страница 262: ...specify 3 Enter a comma delimited list without spaces of MAC addresses in the form XX XX XX XX XX XX where the X s are hexadecimal numbers For example 00 0e 1b 04 40 29 4 Click OK Windows only Use thi...

Страница 263: ...y level of the patches that you wish to ignore Select the Enable SMS patch update check box to update patches using SMS Configures a policy based on specific products Scan for Specific products Enter...

Страница 264: ...figuration tree select Authentication Endpoint Security Host Checker 3 Select Settings Policies and then click New 4 Enter a name for the policy in the Policy Name box 5 In the Policy Type list select...

Страница 265: ...trator privileges for the Host Checker to enforce the connection control policy on the client computer To enable the predefined Host Checker connection control policy 1 In the NSM navigation tree sele...

Страница 266: ...igation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for which you want to configure the device to automatically import the current signa...

Страница 267: ...ion tab and select Authentication Endpoint Security Host Checker 3 Click either Virussignatureversionmonitoring or PatchManagementInfoMonitoring 4 Download the list from the Juniper Networks staging s...

Страница 268: ...ate Server details Your Action Options Specifies the existing URLs of the staging sites where the current lists are stored The default URLs are the paths to the Juniper Networks staging site https dow...

Страница 269: ...ick the Secure Access device for which you want to configure global Cache Cleaner options 3 Click the Configuration tab and select Authentication Endpoint Security Cache Cleaner The corresponding work...

Страница 270: ...hat Internet Explorer has cached on the user s system Flush all existing AutoComplete passwords Select one of the following options from the drop down list For the IVE session only Secure Access devic...

Страница 271: ...ar folders only at the end of session Enter the name of the file Specifies the name of a file that you want Cache Cleaner to remove File or folder path Select the Files and Folders Clear Subfolders ch...

Страница 272: ...s not already running Cache Cleaner then the Secure Access device does not map the user to that role Resource policy When a user requests a resource the Secure Access device evaluates the resource pol...

Страница 273: ...to meet the access requirement Cache Cleaner option To configure cache cleaner restrictions at the role level 1 In the navigation tree select Device Manager Devices 2 Click the Device Tree tab and the...

Страница 274: ...m the drop down list Specifies the action to allow the Secure Access device to access the resource if the user s machine does not meet the Cache Cleaner requirement Action Enter specific URL directory...

Страница 275: ...Network Communications Protocol is used to communicate between the Secure Access device server and client applications To configure the Network Communications Protocol 1 In the NSM navigation tree sel...

Страница 276: ...client applications NCP Auto Select Set the idle connection interval Allows you to specify the timeout interval for Java clients 15 to 120 seconds Note that this value does not apply to user inactivit...

Страница 277: ...gs 2 Click the Configuration tab and select System Configuration Secure Meeting The corresponding workspace appears 3 Add or modify settings as specified in Table 75 on page 259 4 Click one OK Saves t...

Страница 278: ...uniqueness For example meeting_room1 meeting_room2 Meeting room number prefix Specify an expresion Allows you to specify an expression such as userAttr lname to the meeting URL If the attribute is no...

Страница 279: ...uring Global Security NSM Procedure on page 261 Configuring Sensors NSM Procedure on page 265 Configuring Global Security NSM Procedure The default global security settings provide maximum security Ho...

Страница 280: ...f the following options from the drop down list Accept only 168 bit and greater maximize security Secure Access device gives preference to 256 bit AES over 3DES Accept only 128 bit and greater securit...

Страница 281: ...etween 128 bit and 168 bit check box to enable this feature Allows Secure Access device to use 168 bit or higher ciphers for backend rewriter connections and device gives preference to 256 bit AES enc...

Страница 282: ...ssion termination Preserve cookies at session termination Secure Access device preserves cookies at session termination Allows Secure Access device to set persistent cookies on the user s machine to s...

Страница 283: ...ection entry Name Enter the hostname or IP address Specifies the hostname or IP address of the IDP sensor to which the Secure Access device connects to receive application and resource attack alert me...

Страница 284: ...rop down list Ignore just log the event Secure Access device logs the event and takes no further action against the user profile to which this rule applies Terminate user session Secure Access device...

Страница 285: ...users who are mapped to roles in the Selected roles list Make sure to add roles to this list from the Available roles list Except those selected Applies this policy to all users except for those who a...

Страница 286: ...expressions Select a prebuilt expression and click the Insert Expression button The prebuilt expression is displayed in the Expression area Modify the values to create your own custom expression Vari...

Страница 287: ...s NOTE You can create a custom expression in a device template but you cannot validate the custom expression The Validate button is not enabled in the Custom Expressions editor of device templates 9 C...

Страница 288: ...Copyright 2010 Juniper Networks Inc 270 Configuring Secure Access Devices Guide...

Страница 289: ...al network settings 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for which you want to configure general network...

Страница 290: ...WINS server that you use to associate workstation names and locations with IP addresses if applicable WINS Windows networking tab SelectWindowsnetworkingtab Enable network discovery allows detection...

Страница 291: ...for the individual Secure Access device By default these boxes are populated with the settings entered during initial Secure Access device setup IP Address Enter the netmask Specifies the netmask for...

Страница 292: ...uests Routes Interface Enter the metric Specifies metric for comparing multiple routes to establish precedence NOTE Generally the lower the number from 1 to 15 the higher the precedence So a route wit...

Страница 293: ...then double click the Secure Access device for which you want to configure hosts 2 Click the Configuration tab and select System Network Settings Hosts The corresponding workspace appears 3 Add or mo...

Страница 294: ...Add or modify settings as specified in Table 81 on page 276 4 Click one OK Saves the changes Cancel Cancels the modification Table 81 Configuring Internet Protocol Filters Details Your Action Function...

Страница 295: ...he same user For example SA1 is an ACE authentication server with user1 who creates a bookmark to www juniper net SA2 is an Active Directory authentication server with the same user1 For the www junip...

Страница 296: ...nchronization 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for which you want to enable user record synchronizati...

Страница 297: ...authentication server you are implicitly assigning it to all users that authenticate with that authentication server The combination of the user login name and its LAS name uniquely identifies the use...

Страница 298: ...hronize with To configure the client 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for which you want to configure...

Страница 299: ...records from the cache The device performs a check every 15 minutes and deletes user records that meet all of the following criteria There are no active user sessions associated with the user record...

Страница 300: ...Copyright 2010 Juniper Networks Inc 282 Configuring Secure Access Devices Guide...

Страница 301: ...sion Export Policy on the Secure Access Device NSM Procedure on page 285 Configuring IF MAP Session Import Policy on the Secure Access Device NSM Procedure on page 288 Configuring IF MAP Server Replic...

Страница 302: ...uted through a different network interface Listing all of the IP addresses maximizes the probability that IF MAP Federation still works in the event of a failure 9 Under Authentication Type select the...

Страница 303: ...use to verify the certificate for this client Optionally specify certificate attributes or restrictions to require values for certain client certificate attributes Ensure that the certificate of the...

Страница 304: ...Name Enter a brief description for the policy Describes the policy Description Type the administrative domain for the session export policy If you want different aspects of a user session to be export...

Страница 305: ...copy all of the roles from the user session to the IF MAP capabilities data Set roles specified below Select this option to set the specified roles The Roles option appears From Roles click New and e...

Страница 306: ...er Session import policies specify how the Secure Access device derives a set of roles and a username from the IF MAP data in the IF MAP server Session import policies establish rules for importing us...

Страница 307: ...f the IF MAP identity name type and administrative domain must exactly match the session import policy Specifies that identity should be used as the criteria for assigning roles Match IF MAP Identity...

Страница 308: ...rver Replicas NSM Procedure You can configure an IF MAP server to replicate all of its IF MAP data to other IF MAP servers For example if you have a network in Boston and a network in London you can r...

Страница 309: ...te connections to this server If the replica is standalone for survivability list both the internal and external network interfaces If the replica is a cluster for survivability list the internal and...

Страница 310: ...Copyright 2010 Juniper Networks Inc 292 Configuring Secure Access Devices Guide...

Страница 311: ...PART 4 Managing Secure Access Devices Managing Secure Access Devices on page 295 Troubleshooting Secure Access Device Federated Networks on page 301 293 Copyright 2010 Juniper Networks Inc...

Страница 312: ...Copyright 2010 Juniper Networks Inc 294 Configuring Secure Access Devices Guide...

Страница 313: ...nd link that file into the Secure Access or Infranet Controller device configuration tree 1 In the Device Manager right click the device icon and select Import Device from the list to import the Secur...

Страница 314: ...RemovingaSecureAccessDevicefromNSMManagement NSMProcedure onpage296 Archiving Secure Meetings NSM Procedure on page 297 Configuring Secure Access Sign In Pages NSM Procedure on page 211 Configuring Ho...

Страница 315: ...number of days are archived Define which node in a cluster performs the archive To archive secure meetings 1 In the navigation tree select Device Manager Devices Click the Device Tree tab and then do...

Страница 316: ...mation Description User Interface Element Displays the cluster name type configuration internal VIP and external VIP for an active passive cluster Status Information Specifies a device to add the clus...

Страница 317: ...rent state of the node light color does not reflect failures in the external interface connectivity Such failures are logged as events NOTE A node s state is considered standalone when it is deployed...

Страница 318: ...d Documentation Adding a Secure Access Cluster Overview on page 23 Managing Large Binary Data Files NSM Procedure on page 295 Copyright 2010 Juniper Networks Inc 300 Configuring Secure Access Devices...

Страница 319: ...IF MAP Client User Messages from Log Monitoring User Access Settings on the SA Series appliances IF MAP client IF MAP Server Trace On the IF MAP server logs the XML for all IF MAP requests and respon...

Страница 320: ...Copyright 2010 Juniper Networks Inc 302 Configuring Secure Access Devices Guide...

Страница 321: ...PART 5 Monitoring Secure Access Devices Configuring Logs in Secure Access Devices on page 305 Viewing Logs in Secure Access Devices on page 313 303 Copyright 2010 Juniper Networks Inc...

Страница 322: ...Copyright 2010 Juniper Networks Inc 304 Configuring Secure Access Devices Guide...

Страница 323: ...ich you want to configure user access admin access sensors and events 2 Click the Configuration tab and select System Log Monitoring The corresponding workspace appears 3 Add or modify settings as spe...

Страница 324: ...the reverse proxy information of the event Reverse Proxy Select Meeting Events to enable this feature Captures the meeting information of events Meeting Events User Access Settings tab Specify the fi...

Страница 325: ...Client User Messages Admin Access Settings tab Enter the file size Specifies the maximum file size for the local log file The limit is 500 MB NOTE The system log displays data up to the amount specifi...

Страница 326: ...o configure custom filters and formats for log files 1 In the NSM navigation tree select Device Manager Devices Click the Device Tree tab and then double click the Secure Access device for which you w...

Страница 327: ...The World Wide Web Consortium s extended log file format is a customizable ASCII format with a variety of different fields Visit http www w3 org for more information about this format Only the User Ac...

Страница 328: ...stem Log Monitoring Client Logs 3 Add or modify settings as specified in Table 92 on page 310 4 Click one OK Saves the changes Cancel Cancels the modifications Table 92 Configuring Client Side Logs De...

Страница 329: ...05 Configuring Custom Log Filters NSM Procedure You can create custom log filters or edit the set of predefined log filters to specify which data is written to your log files as well as its format To...

Страница 330: ...cure Access device event ID and message WELF ThiscustomizedWebTrends EnhancedLogFormat WELF filter combines the standard WELF format with information about the Secure Access device s realms roles and...

Страница 331: ...vice Status Table 94 on page 313 lists and describes device information that you can view through the Device Monitor Table 94 Device Status Information Description Column Unique name assigned to the d...

Страница 332: ...ether the device is part of a vsys device part of a cluster or part of a virtual chassis A device in this state cannot connect to NSM Detected duplicate serial number The device has the same sequence...

Страница 333: ...Major or Minor None The device has no alarms Unknown The device status is unknown For example the device might not be connected N A The device s alarm is not pollable or discoverable for example this...

Страница 334: ...device disconnected from the NSM Device Server Latest Disconnect Related Documentation Viewing Device Monitor Alarm Status on page 316 Monitoring the Secure Access as an SNMP Agent NSM Procedure on p...

Страница 335: ...g workspace appears 3 Add or modify settings as specified in Table 95 on page 317 4 Click one OK Saves the changes Cancel Cancels the modification Table 95 Monitoring Secure Access Device as SNMP Agen...

Страница 336: ...for Critical Log Events check box to enable this feature Allows you to send traps for critical log events Send Traps for Critical Log Events Select the Send Traps for Major Log Events check box to ena...

Страница 337: ...PART 6 Index Index on page 321 319 Copyright 2010 Juniper Networks Inc...

Страница 338: ...Copyright 2010 Juniper Networks Inc 320 Configuring Secure Access Devices Guide...

Страница 339: ...Index C customer support xvi contacting JTAC xvi S support technical See technical support T technical support contacting JTAC xvi 321 Copyright 2010 Juniper Networks Inc...

Страница 340: ...Copyright 2010 Juniper Networks Inc 322 Configuring Secure Access Devices Guide...

Отзывы:

Нет отзывов

Похожие инструкции для NETWORK AND SECURITY MANAGER

Бренд: Baracoda Страницы: 9

Бренд: Juniper Страницы: 772

FLASH MX 2004 - FLASH LITE AUTHORING GUIDELINES FOR THE I-MODE...

Бренд: MACROMEDIA Страницы: 48

Бренд: Campbell Страницы: 16

Бренд: SanDisk Страницы: 18

Бренд: Epson Страницы: 6

Stylus Color 600Q

Бренд: Epson Страницы: 1

Stylus Pro - Stylus Color Pro Ink Jet Printer

Бренд: Epson Страницы: 14

Software Film Factory

Бренд: Epson Страницы: 73

Stylus Pro - Stylus Color Pro Ink Jet Printer

Бренд: Epson Страницы: 98

Stylus Color 600Q

Бренд: Epson Страницы: 95

Бренд: Epson Страницы: 209

PowerLite D6150

Бренд: Epson Страницы: 196

Бренд: HP Страницы: 4

G2 PORTABLE HX-MU025DC

Бренд: Samsung Страницы: 1

Бренд: Samsung Страницы: 14

Бренд: MMSOFT Design Страницы: 85

Unified Messenger

Бренд: Avaya Страницы: 35

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды