04-16-2012 09:24 PM
I have bought a new MAG4610. So my question: can I use this device for both features as per the title above at the same time? Thanks, and I'd appreciate someone's feedback.
04-16-2012 11:43 PM
We can either use it as a UAC or SSL VPN (change personality). It can be used as an SSL VPN and UAC at the same time.
04-17-2012 07:34 AM
The answer is "No".
You can install IVE OS (Secure Access) or UAC OS (Access Control) in one device.
If you install IVE OS, the device is SSL VPN.
If you install UAC OS, the device is UAC.
It's impossible to be a SAG (Secure Access Gateway) and ACG (Access Control Gateway) at the same time.
04-17-2012 10:19 PM
The last answer posted by Joseph is right.
MAG4610 comes with a fixed MAG SM-160 Application Blade in which both SSL VPN and UAC OS are loaded with factory version settings like 4.1 or 4.2.
When we configure the device, we can configure either SSL VPN or UAC, but both services cannot be run simultaneously.
If you load the SA option, it installs the SSL VPN OS and boots up as an SA.
If you load the UAC option, it installs the UAC OS and boots up as an IC.
If you are looking for one chassis running both UAC and SA devices, then you need to use the MAG 6610 or 6611 chassis, where you can have multiple Application modules in which you can run UAC and SA services separately on each blade.
Hope this clarifies your query.
04-18-2012 06:22 AM
It is worth noting that you can factory default the box and change its "personality", i.e. run it as an SSL VPN or run it as a UAC box. Not too good for production, but handy for demo / testing.
04-18-2012 07:40 PM
Each blade on the system can only run one version at a time. If you have 2 blades, one can be an SA and the other an IC. If you only have 1 blade, though, yes, it is just one type.
04-19-2012 01:06 AM
Many thanks for all the feedback. One more request: can someone give the URL (KB) / doc on how to set up the MAG4610 as an SSL VPN (step by step)? I tried to search the KB but did not find any step-by-step guide. Below is my network.
Internal LAN (MAG4610) ---->SSG5 ----> Internet
For your information, I don't have any server. It is just a simple network, and I want to make sure I can remote in from anywhere to my internal LAN. Hope someone can help me. Thanks
04-20-2012 12:21 AM
Thanks for the URL... I already read the doc at the URL given, but I still don't really understand. Is there any video (steps) for SSL VPN setup using the MAG, for example (IC4500), in the KB? One more thing: is it enough to do SSL VPN if I just have an SSG and a MAG? Thanks, I appreciate your feedback.
04-23-2012 10:04 AM
From a software point of view the SSL and the MAG are pretty much the same. The steps required are going to be the same also. You enable the hardware from the console and then use the web UI to configure. Any KB that talks about configuration will work for you.
As for your question about doing SSL VPN if you have an SSG and a MAG - can you explain a bit? Your setup is fine. Using the MAG behind an SSG is a piece of cake. You can either run it in one-armed mode, where you just enable the internal interface only (in the trust zone) and use a MIP on the SSG to pass traffic in from the outside, along with the policy to allow the traffic from untrust to trust.
Or you can make a slightly more complex (and some would say more secure) setup by placing the external and internal interfaces into the SSG. Put the internal in your trust zone and your external in your untrust, or create a DMZ and place it there.
I had this exact setup for years with problems. SA2000 - SSG20 - Internet.
04-25-2012 11:41 PM
Many thanks for your feedback. I followed this URL, but it does not detail the steps... http://www.juniper.net/techpubs/en_US/sa7.1/topics
04-25-2012 11:45 PM
Currently I want to be able to access my office from anywhere using SSL VPN (MAG4610). Our office is small and does not have a server. The purpose is to make my Juniper lab accessible from anywhere (SSL VPN), but I have no experience configuring SSL VPN or the MAG4610, so that makes it difficult for me. Hopefully you can show step by step how to configure the MAG. Thanks
04-26-2012 05:27 PM
04-26-2012 08:59 PM
Currently my boss has told me not to involve JTAC, because if we have a problem then we can open a JTAC case. If we open a JTAC case just to have them show how to configure SSL VPN, it will reduce our partner points. So that's why I need to search for some alternative. Thanks.
04-27-2012 08:57 AM
Well - configuring an SSL box is a multi-step process. Step one is to do all the basic stuff - network addressing, certificates (not required to get going, but cert errors are not nice). That kind of stuff.
I personally always start with Role Definitions. You need roles to assign to both realms and resources, and by defining the roles 1st you spend a little time thinking about the types of access (web, RDP, ssh...) you will grant. In addition, I always define my default options for the UI and sessions first so I can use the defaults across my roles.
Then I define my Auth servers. Next I define any host check policies I will use. Now I have what I need to create my user realms: my auth server, my HC (if any) and my roles. Role mapping ties my users to my roles within a realm.
Now that I have a realm, I can create a sign-in policy. (Personally I always start with the default sign-in and maybe just change the logo on that page before I go crazy building out multiple pages.)
Once I have a sign-in policy defined (i.e. tying my user realms to the sign-in page) I can test. Even though I have not defined any resources, the login process should work at this stage and I should just get an empty landing page.
Now I go and define the resources that will be tied to the roles, and the box is functional and ready for use.
It may seem like I skip around a lot (if you think about the layout of the menu) but I find this order makes the most sense.
Hope this helps you!
05-07-2012 07:30 PM
Hi Mutt / All,
Another question: is there a need to use 2 ports on the MAG4610 to do SSL VPN, or is 1 port enough? I'd appreciate someone's feedback. Thanks
05-07-2012 08:17 PM
One port is just fine; it is up to you whether you want to use both the internal port (required) and the external port (optional). All traffic to the internal LAN is sourced from the internal port.