Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  NSMExpress..newbie.....totally lost....need help

    Posted 05-28-2012 12:48

    We have 3 Juniper SA6500 FIPS boxes for SSLVPN (2 in a cluster). 

     

    As is always the case, upper management decided we needed yet another device, to centrally manage what amounts to 2 different machines...

     

    Setting up the SA boxes was a real treat. 

     

    So they bought this NSMExpress...

     

    It's been in the box for the last 8 months, but now I've been asked to get it into place..

     

    First boot...boot hung and wouldn't come back...was told by support to re-image using USB stick (great first impression).

     

    After a lengthy re-image, I'm at the CLI when I set the IP address and network config and passwords..

     

    Then I go to the https://ip_address/administration and login....

     

    Apparently this box is running software version 2009.1r1a, and it looks NOTHING like the Juniper SSLVPN boxes. 

     

    I'm apparently supposed to run the setup for a Regional Server (if I only have one box, shouldn't it be a central server?? and what is the difference...not covered in documentation)


    Following the quickstart guide for the NSMexpress 2009.1 (http://www.juniper.net/techpubs/software/management/security-manager/nsm2009_1/nsmxpress-quick-start.pdf) is a rather painful experience...

     

    I can't find the license info, so I go to a base install..

     

    I have DNS and syslog configured...

     

    I figured I'd try updating it...maybe newer versions are more user friendly...

     

    and so, I go to system update,  and it spits out this message...so now I am stuck..

     

    warning: rpmts_HdrFromFdno: V3 DSA signature: NOKEY, key ID 9f01527e
    The GPG keys listed for the "NSMxpress - 5 - Updates" repository are already installed but they are not correct for this package.
    Check that the correct key URLs are configured for this repository.
    Setting up Update Process
    Setting up repositories
    Reading repository metadata in from local files
    Resolving Dependencies
    --> Populating transaction set with selected packages. Please wait.
    ---> Package nsmxpress-release.i386 6:5-4.5.nsmx5.152894 set to be updated
    --> Running transaction check
    Dependencies Resolved
    =============================================================================
    Package Arch Version Repository Size
    =============================================================================
    Updating:
    nsmxpress-release i386 6:5-4.5.nsmx5.152894 update 6.3 k
    Transaction Summary
    =============================================================================
    Install 0 Package(s)
    Update 1 Package(s)
    Remove 0 Package(s)
    Total download size: 6.3 k
    Downloading Packages:
    Public key for nsmxpress-release-5-4.5.nsmx5.152894.i386.rpm is not installed
    Retrieving GPG key from http://download.juniper.net/software/nsmxpress/public/RPM-GPG-KEY-nsmxpress-1
    GPG key at http://download.juniper.net/software/nsmxpress/public/RPM-GPG-KEY-nsmxpress-1 (0x22C36A80) is already installed
    Yum Update Failed

     

     

    Any recommendations? Is the NSM always this user unfriendly?



  • 2.  RE: NSMExpress..newbie.....totally lost....need help
    Best Answer

    Posted 05-30-2012 10:16

    Hi,

    You don't have to use yum to update your NSM software but you may at least need some utilities like unzip to uncompress nsm packages. To disable gpg check temporarily you can edit /etc/yum.repos.d/nsmxpress.repo file and set gpgcheck to 0 to let you use yum. Then install unzip with "yum install unzip"

     

    If you are upgrading to for example 2010.3s2 get the packages;

     

    nsm2010.3s2_servers_upgrade_rs.zip
    nsm2010.3s2_offline_upgrade.zip

     

    and install them as below

     

    unzip nsm2010.3s2_servers_upgrade_rs.zip
    sh upgrade-os.sh  nsm2010.3s2_servers_linux_x86.sh offline

     

    Installer should guide you throughout the process.

     

    I hope this helps.
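
An added example (not part of the reply above and not Juniper's tooling): once the temporary gpgcheck=0 change is no longer needed, this script lists the repositories in a yum .repo file that still have signature checking off and switches them back to gpgcheck=1. The sample file, its section names and its URLs are constructed placeholders; on the appliance the functions would be pointed at /etc/yum.repos.d/nsmxpress.repo.

```shell
#!/bin/sh
# Audit a yum .repo file for repositories with signature checking disabled,
# and turn it back on once a temporary gpgcheck=0 workaround is finished.

# Print the name of every [section] that has gpgcheck set to 0/no/false.
repos_with_gpgcheck_off() {
    awk '
        /^[ \t]*\[.*\]/ { section = $0; gsub(/^[ \t]*\[|\].*$/, "", section); next }
        /^[ \t]*gpgcheck[ \t]*=/ {
            value = tolower($0)
            sub(/^[^=]*=/, "", value); gsub(/[ \t\r]/, "", value)
            if (value == "0" || value == "no" || value == "false") print section
        }
    ' "$1"
}

# Rewrite every gpgcheck line to gpgcheck=1, keeping a .bak copy of the file.
restore_gpgcheck() {
    cp -p "$1" "$1.bak" || return 1
    awk '/^[ \t]*gpgcheck[ \t]*=/ { print "gpgcheck=1"; next } { print }' \
        "$1.bak" > "$1"
}

# Constructed sample: section names and baseurl values are placeholders,
# not the contents of the real /etc/yum.repos.d/nsmxpress.repo.
write_sample_repo() {
    cat > "$1" <<'EOF'
[nsmx-base]
name=Constructed base repository
baseurl=http://repo.example.invalid/base/
gpgcheck=1

[nsmx-update]
name=Constructed updates repository
baseurl=http://repo.example.invalid/update/
gpgcheck = 0
EOF
}

sample=$(mktemp)
write_sample_repo "$sample"
echo "before: $(repos_with_gpgcheck_off "$sample")"
restore_gpgcheck "$sample"
echo "after:  $(repos_with_gpgcheck_off "$sample")"
rm -f "$sample" "$sample.bak"
```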



  • 3.  RE: NSMExpress..newbie.....totally lost....need help

    Posted 05-30-2012 18:12

    ok...that really helped actually...

     

    I downloaded 2011.4, but once installed...it shows up as 2010.something..

     

    Also...I dunno if it's just me...but it's almost like the guide isn't as friendly as it could be..as I am a little lost as to HOW to actually figure out how to use this thing..

     

    If I go to https://ip_address/, I get an option to install the windows or the linux client...ok...download and install the Windows clients, but creds not accepted. If I go to https://ip_address/administration, I have a few options, but most seem to relate to the NSM itself, not so much any real device management...

     

    I'm guessing I have to connect with that Windows client, but creating a new user from the /administrator page, didn't seem to help.

     

    it's almost like the guide is missing a chapter, on how to get from setting up "the appliance" to how to actually use it....



  • 4.  RE: NSMExpress..newbie.....totally lost....need help

    Posted 05-31-2012 00:50

    To login with Windows-client you created "super"-account when setting up NSM, use that account.

    What comes to managing SSLVPN with NSM, I'd say don't. NSM is nice when it comes to firewalls (ISG, SSG..) but when it comes to SSLVPN/IC/EX etc. it's useless to attach those devices to NSM. But this is my opinion.



  • 5.  RE: NSMExpress..newbie.....totally lost....need help

    Posted 05-31-2012 00:59

    I have to agree with terosa – NSM is a good thing to manage ScreenOS based products, even managing SRX firewalls may make sense. But for the SSL-VPN appliances it won't help at all!