Saturday, 15 December 2012

Junos : How to launch Junos Pulse (VPN) and perform RDP from an iPhone/iPad

The following procedure configures Junos Pulse on an iPad/iPhone to launch the VPN and perform RDP access:

  • Go to the Apple App Store to download the Junos Pulse client and the RDP Lite app.

  • Network Connect (pre-7.2R1 code) or VPN Tunneling (7.2R1 IVE code and later) has to be configured on the IVE; this is what lets the user connect to the SSL VPN with the Junos Pulse client from the iPad/iPhone.

  • A User Role, a User Realm, and a Sign-in Policy are required, with Network Connect configured on the IVE.

  1. On the IVE go to Users > Users Role > New User Role > General, enable Network Connect (prior to 7.2R1 IVE OS) or VPN Tunneling (IVE OS 7.2R1 and onwards), and then click Save Changes.

  2. Go to the newly created role's Network Connect/VPN Tunneling tab, ensure that the Split Tunneling Options are set correctly, and then click Save Changes.

  3. If Enable split tunneling is configured, make sure that the Split Tunneling Resource Policy is applied for that role on the IVE under Users > Resource Policies > Network Connect > Split-tunneling Networks (specify the IP address of the Terminal Services resource that you need to reach from Junos Pulse on the iOS device, using any RDP app from the App Store).

    If Disable Split Tunneling or Allow access to local subnet is selected, ensure that the ACL under the Access tab on the IVE under Users > Resource Policies > Network Connect > Network Connect Access Control allows the specified RDP host IP address.

  4. Configure the NC Connection Profile on the IVE under Users > Resource Policies > Network Connect > NC Connection Profiles:

    1. Click New Profile:

      When the SA Series device receives a client request to start a session, it assigns an IP address to the client based on the IP address policies defined either through DHCP or the IP address pool. Apply the profile to the desired role as well and save changes.

  5. On the IVE under Users > Users Realm > New User Realm > General:

    1. Select the preferred Auth Server and save changes.

    2. Click the Role Mapping tab, create a New Rule, and apply it to the iPhone role configured in step 1.

  6. Now go to Authentication > Signing In > Sign-in Policies > New URL, create the new Sign-in URL, apply it to the iPhone realm only, and save changes.

  7. On the iPhone:

    1. Launch the Junos Pulse app downloaded from the Apple App Store.

    2. Configure the Junos Pulse app with the IVE Sign-in URL and a user-friendly name. Save changes.

    3. Tap the Connect button in the Junos Pulse app; this starts the connection.

    4. Provide the credentials to authenticate. Once authenticated, you will see the VPN icon, as shown in the following image (this confirms that the VPN tunnel is connected):

  8. Perform the RDP access:

    1. Press the Home button on the iPhone/iPad to leave the Junos Pulse app. Launch the RDP app downloaded from the Apple App Store (for example RDP Lite, a free download from the App Store that can be used for RDP access).

    2. Tap Configure in the RDP Lite app and then tap New.

    3. Specify the Host address of the remote computer to which the RDP session is being made (the ACL for this host IP address should be specified as described in step 3) and tap the Back button.

    4. You will now see the configured host IP address; tap the profile.

    5. This initiates the RDP access and you will be connected to the RDP host.

By using the above procedure you can launch the VPN connection on an iPhone or iPad and perform RDP access over it.

Sunday, 9 December 2012

Junos : Sending IDP and traffic logs to a syslog server in SRX

If you want to forward your IDP and traffic session logs to a syslog server, here is how to do it:

1) First, inside the security policy, set that you want to log session initiations, e.g.:
{primary:node0}[edit]
root@srx210-1# top show security policies 
from-zone downlink to-zone wan {
    policy net-access {
        match {
            source-address net_210;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
            log {
                session-init;
            }
        }
    }
}

2) Then the syslog server configuration:
root@srx210-1# show system syslog        
host 192.168.103.20 {
    any any;
    match "RT_IDP|RT_FLOW_SESSION";
    structured-data;
}

After this we should be able to send our traffic logs to the syslog server 192.168.103.20.
As you can see, the match expression also contains the RT_IDP regular expression string for IDP logs. If you set the following configuration under the IDP rule base, you will also log IDP notifications.

3) IDP notifications:
{primary:node0}[edit]
root@srx210-1# show security idp idp-policy Recommended_1 
rulebase-ips {
    rule 1 {
        match {
            source-address any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks ICMP:INFO:ECHO-REQUEST;
            }
        }
        then {
            action {
                drop-packet;
            }
            notification {
                log-attacks;
            }
        }
    }
}
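As an added example (not part of the original post), the following Python script shows what the syslog server at the other end receives once the two pieces of configuration above are in place: it applies the same "RT_IDP|RT_FLOW_SESSION" selector the SRX is configured with, parses the structured-data (RFC 5424) lines, and separates session events from IDP attack notifications. The sample log lines are constructed; the field names follow the RT_FLOW/RT_IDP event layout but the values are made up.

```python
import re
from collections import Counter

# Constructed sample lines (not from the post) in the Junos "structured-data"
# (RFC 5424) layout; field names follow RT_FLOW/RT_IDP events, values are made up.
SAMPLE_LOGS = """\
<14>1 2012-12-09T10:15:02.123Z srx210-1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="10.0.210.5" source-port="51234" destination-address="192.168.103.20" destination-port="3389" service-name="junos-ms-rpc-tcp" policy-name="net-access" source-zone-name="downlink" destination-zone-name="wan" session-id-32="1001"]
<14>1 2012-12-09T10:15:03.456Z srx210-1 RT_IDP - RT_IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.36 message-type="SIG" source-address="10.0.210.5" destination-address="192.168.103.20" attack-name="ICMP:INFO:ECHO-REQUEST" action="DROP" rule-name="1" policy-name="Recommended_1"]
<14>1 2012-12-09T10:15:04.789Z srx210-1 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="10.0.210.5" source-port="51234" destination-address="192.168.103.20" destination-port="3389" policy-name="net-access" session-id-32="1001"]
<13>1 2012-12-09T10:15:05.000Z srx210-1 mgd - UI_COMMIT [junos@2636.1.1.1.2.36 username="root" commit-message="none"]
"""

# The same selector the post configures on the SRX: match "RT_IDP|RT_FLOW_SESSION".
MATCH_RE = re.compile(r"RT_IDP|RT_FLOW_SESSION")
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID SD-PARAMS]
HEADER_RE = re.compile(r"^<(\d+)>1 (\S+) (\S+) (\S+) (\S+) (\S+) \[(\S+) (.*)\]$")
PARAM_RE = re.compile(r'([\w.-]+)="([^"]*)"')


def parse_line(line):
    """Parse one structured-data syslog line into a dict; None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    _pri, ts, host, app, _procid, msgid, _sdid, params = m.groups()
    rec = {"timestamp": ts, "host": host, "app": app, "msgid": msgid}
    rec.update(PARAM_RE.findall(params))  # SD-PARAM name="value" pairs
    return rec


def summarize(text):
    """Apply the SRX match filter, then split the hits into session and IDP events."""
    sessions, attacks = [], Counter()
    for line in text.splitlines():
        if not MATCH_RE.search(line):  # e.g. UI_COMMIT is not forwarded by the SRX
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"].startswith("RT_FLOW_SESSION"):
            sessions.append((rec["msgid"], rec.get("source-address"),
                             rec.get("destination-address"),
                             rec.get("destination-port"), rec.get("policy-name")))
        elif rec["msgid"].startswith("RT_IDP"):
            attacks[(rec.get("attack-name"), rec.get("action"))] += 1
    return sessions, attacks
```

Running summarize over the forwarded lines gives one session create/close pair matched by the net-access policy and one dropped ICMP:INFO:ECHO-REQUEST attack, while the management-plane commit message is left out exactly as the SRX match statement would leave it out.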

Wednesday, 5 December 2012

Junos : Software Installation/Upgrade

Install Software via CLI (Method: from Junos software copied to SRX)

Refer to the following steps for copying the software to the SRX and then performing the software installation via the CLI:
  1. Copy the software to the SRX via SCP or FTP into /var/tmp:
    For example:
    user@srx>  scp  junos-srxsme-11.4R4.4-domestic.tgz  user@srx:/var/tmp/junos-srxsme-11.4R4.4-domestic.tgz

    OR

    user@srx>  ftp <ip address of local ftp server>  (and login)
    user@srx>  lcd /var/tmp
    user@srx>  bin
    user@srx>  get junos-srxsme-11.4R4.4-domestic.tgz
    user@srx>  bye
  2. Install the software with the commands below.
    For example, from the local file in /var/tmp:
    user@srx>  request system software add no-copy /var/tmp/junos-srxsme-11.4R4.4-domestic.tgz
    user@srx>  request system reboot

Monday, 3 December 2012

Junos : Routing Policy

Overview

A routing policy is the method you use to control which routes from dynamic routing protocols (OSPF, BGP, RIP, etc.) get imported into your routing table and/or advertised to other peers or neighbors.

Import Policy

The import policy is responsible for changing or modifying any routes that are advertised to you by other neighbors or peers. Import policies are most commonly seen changing route metrics or preferences, or filtering certain routes so that they are not put into your routing table. The import policy affects how your router views the world.

Export Policy

The export policy is responsible for filtering or modifying routes that you are advertising to other peers or neighbors. Export policies are most commonly seen changing metrics or preferences of routes, or re-advertising routes from other routing protocols into the protocol that the export policy is tied to.

Default Routing Policies

Each routing protocol has a default routing policy associated with it that is not explicitly defined in the configuration, and each protocol's default is different.

RIP

By default (without a routing policy) a Junos device will accept all RIP routes advertised to it by its explicitly configured neighbors, but will not advertise those routes at all.

OSPF

Just like RIP, by default (without a routing policy) a Junos device will accept all OSPF LSAs and exports all routes learned by OSPF but none from other protocols. Link-state protocols depend on all routers having exactly the same picture of the network, so import and export policies on OSPF are quite limited.

BGP

By default (without a routing policy) a Junos device will import all BGP routes into the routing table and export all BGP routes from it.