04-10-2012 10:34 AM - edited 04-10-2012 10:44 AM
I'm new to Juniper and I need to get VPN access to three of our employees. I am currently using an SRX220h and using Junos Pulse as the VPN client. I kept getting a "Failed to get HTTP response Error 1454" when trying to log in, and the only way I've gotten it to work is to go to System Properties / Management Access and enable HTTPS on ge-0/0/0.0, which of course now opens up the ability to access my SRX from the Internet.
Can I allow VPN access without allowing access to the J-Web Manager from the Internet and if so how?
Thanks,
David
04-10-2012 10:53 AM
Hi,
What is the Junos version? Have you configured management-url? In newer Junos versions, there is a separation of J-Web and the Dynamic VPN page. If you want to disable J-Web, you need to add the loopback interface (lo0) under web-management.
For more details, please check KB17234.
04-10-2012 12:05 PM - edited 04-10-2012 12:33 PM
I'm using 11.4R1.6 and no management-url has been setup.
It looks like J-Web would be disabled if I put in a loopback address. Is there a way to just disable J-Web on ge-0/0/0.0?
I do apologize, I am really new to Juniper.
Thanks,
David
04-11-2012 02:27 AM
Hi,
For example, if the setup is like this:
set system services web-management https interface ge-0/0/0.0 (untrust, with ip 100.1.1.1)
set system services web-management https interface ge-0/0/1.0 (trust, with ip 192.168.1.1)
set system services web-management https system-generated-certificate
No management-url is configured and lo0.0 is not included under the web-management interfaces, and ge-0/0/1.0 is your IPsec VPN external interface.
Now:
https://100.1.1.1 DVPN Page (from external network)
https://192.168.1.1 J-Web (from internal network)
In this case as the management-url is not configured, with 100.1.1.1 we will not be able to connect to J-Web.
As mentioned in my previous post, the following URL explains the behaviour in detail -
If your experience is different from this one, please post your config details and web-management traceoptions output.
04-11-2012 11:26 PM
Dynamic VPN is always enabled on the IKE external gateway interface. If there are any interfaces configured under http/https, then J-Web will be enabled only on those interfaces.
Case 1: J-Web and dynamic VPN do not share the same interface
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/5.0 (90.90.4.1)
set security ike gateway CLIENT1 external-interface ge-0/0/4 (80.80.80.1)
As per the above configuration, J-Web is enabled on ge-0/0/5 and DVPN is enabled on ge-0/0/4.
https://90.90.4.1 -> J-Web page
https://80.80.80.1 -> Dynamic VPN page
Case 2: J-Web and dynamic VPN do share the same interface.
Without management url configured,
===========================
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/5 (90.90.4.1)
set system services web-management https interface ge-0/0/4
set security ike gateway CLIENT1 external-interface ge-0/0/4 (80.80.80.1)
https://90.90.4.1 -> J-Web page
https://80.80.80.1 -> Dynamic VPN page
With management url configured,
===========================
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/5 (90.90.4.1)
set system services web-management https interface ge-0/0/4
set security ike gateway CLIENT1 external-interface ge-0/0/4 (80.80.80.1)
set system services web-management management-url web
https://90.90.4.1 -> J-Web page
https://80.80.80.1 -> DVPN page
https://80.80.80.1/web -> J-Web page
Thanks,
Deebika
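The cases in the post above, turned into a configuration check. This is an added example, not part of the original post and not Juniper code: it reads `set`-format configuration and reports which HTTPS paths on each interface serve J-Web or the Dynamic VPN page, so an interface that offers both can be flagged. It models only the rules stated in the post, not measured device behaviour; the function names and the sample input are constructed for illustration.

```python
import re

# Constructed input: Case 2 "with management url" from the post, with the
# parenthetical IP notes dropped so each line is a plain set command.
SAMPLE = """\
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/5
set system services web-management https interface ge-0/0/4
set security ike gateway CLIENT1 external-interface ge-0/0/4
set system services web-management management-url web
"""

PATTERNS = {
    "jweb": r"set system services web-management https interface (\S+)$",
    "dvpn": r"set security ike gateway \S+ external-interface (\S+)$",
    "url": r"set system services web-management management-url (\S+)$",
}

def _unit(name):
    # ge-0/0/4 and ge-0/0/4.0 name the same logical interface
    return name if "." in name else name + ".0"

def web_exposure(set_config):
    """Return {interface: {path: 'jweb'|'dvpn'}} following the rules in the post."""
    found = {"jweb": set(), "dvpn": set(), "url": set()}
    for line in set_config.splitlines():
        for kind, pattern in PATTERNS.items():
            m = re.match(pattern, line.strip())
            if m:
                found[kind].add(m.group(1) if kind == "url" else _unit(m.group(1)))
    mgmt_url = next(iter(found["url"]), None)
    exposure = {}
    for ifc in sorted(found["jweb"] | found["dvpn"]):
        if ifc not in found["dvpn"]:
            exposure[ifc] = {"/": "jweb"}           # J-Web only (Case 1)
            continue
        exposure[ifc] = {"/": "dvpn"}               # DVPN owns the root URL
        if ifc in found["jweb"] and mgmt_url:
            exposure[ifc]["/" + mgmt_url] = "jweb"  # shared, management-url set
    return exposure

def jweb_on_vpn_interfaces(set_config):
    """Interfaces that serve the DVPN page and J-Web at the same address."""
    return [ifc for ifc, paths in web_exposure(set_config).items()
            if "jweb" in paths.values() and "dvpn" in paths.values()]

if __name__ == "__main__":
    print(web_exposure(SAMPLE))
    print(jweb_on_vpn_interfaces(SAMPLE))
```

A configuration with no `web-management https interface` lines at all is outside what the post describes and is not modelled here.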
04-12-2012 06:30 AM
I think you might be running into this bug:
https://prsearch.juniper.net/InfoCenter/index?page
Upgrade to 11.4R2 and I think it will work for you.
04-24-2012 11:30 AM
Sorry for the late response, I've been gone. I upgraded to v12.1R1.9 and now I cannot access J-Web from the untrust network, which is what I wanted.
Thanks for all of your responses!
David