SRX Services Gateway
Visitor
TriSept
Posts: 3
Registered: ‎03-27-2012
Accepted Solution

Cannot get VPN to work without allowing access to J-Web manager

I'm new to Juniper and I need to get VPN access to three of our employees. I am currently using an SRX220h and using Junos Pulse as the VPN client. I kept getting a "Failed to get HTTP response Error 1454" when trying to log in, and the only way I've gotten it to work is to go to System Properties / Management Access and enable HTTPS on ge-0/0/0.0, which of course now opens up the ability to access my SRX from the Internet.

Can I allow VPN access without allowing access to the J-Web Manager from the Internet, and if so, how?

Thanks,

David

Recognized Expert
JunOS_Fan
Posts: 241
Registered: ‎02-13-2012

Re: Cannot get VPN to work without allowing access to J-Web manager

Hi,

What is the Junos version? Have you configured management-url? In newer Junos versions, there is separation of J-Web and the Dynamic VPN page. If you want to disable J-Web, you need to add the loopback interface (lo0) under web-management.

For more details, please check KB17234.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Visitor
TriSept
Posts: 3
Registered: ‎03-27-2012

Re: Cannot get VPN to work without allowing access to J-Web manager

I'm using 11.4R1.6 and no management-url has been set up.

It looks like J-Web would be disabled if I put in a loopback address; is there a way to just disable J-Web on ge-0/0/0.0?

I do apologize, I am really new to Juniper.

Thanks,

David

Recognized Expert
JunOS_Fan
Posts: 241
Registered: ‎02-13-2012

Re: Cannot get VPN to work without allowing access to J-Web manager

Hi,

For example, if the setup is like this:

set system services web-management https interface ge-0/0/0.0 (untrust, with ip 100.1.1.1)
set system services web-management https interface ge-0/0/1.0 (trust, with ip 192.168.1.1)
set system services web-management https system-generated-certificate

No management-url configured and lo0.0 interface not included under web-management interfaces, and ge-0/0/1.0 is your IPsec VPN external interface.

Now:

https://100.1.1.1  DVPN page (from external network)
https://192.168.1.1 J-Web (from internal network)

In this case, as the management-url is not configured, with 100.1.1.1 we will not be able to connect to J-Web.

As mentioned in my previous post, the following URL explains the behaviour in detail:

http://www.juniper.net/techpubs/en_US/junos10.3/information-products/topic-collections/release-notes...

If your experience is different from this one, please post your config details and web-management traceoptions output.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Juniper Employee
deebikac
Posts: 7
Registered: ‎06-27-2011

Re: Cannot get VPN to work without allowing access to J-Web manager

Dynamic VPN is always enabled on the IKE external gateway interface. If there are any interfaces configured under http/https, then J-Web will be enabled only on those interfaces.

Case 1: J-Web and dynamic VPN do not share the same interface

set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/5.0(90.90.4.1)
set security ike gateway CLIENT1 external-interface ge-0/0/4(80.80.80.1)

As per the above configuration, J-Web is enabled on ge-0/0/5 and DVPN is enabled on ge-0/0/4.

https://90.90.4.1 ------> J-Web page
https://80.80.80.1 ------> Dynamic VPN page

Case 2: J-Web and dynamic VPN do share the same interface.

Without management-url configured,
===========================
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/5(90.90.4.1)
set system services web-management https interface ge-0/0/4
set security ike gateway CLIENT1 external-interface ge-0/0/4(80.80.80.1)

https://90.90.4.1 ------> J-Web page
https://80.80.80.1 ------> Dynamic VPN page

With management-url configured,
===========================
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/5(90.90.4.1)
set system services web-management https interface ge-0/0/4
set security ike gateway CLIENT1 external-interface ge-0/0/4(80.80.80.1)
set system services web-management management-url web

https://90.90.4.1 ------> J-Web page
https://80.80.80.1 ------> DVPN page
https://80.80.80.1/web ------> J-Web page

Thanks,
Deebika
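
The rules in the post above, turned into a small audit script. This is an added example, not part of the original post or any Juniper tooling: it reads `show configuration | display set` style lines and reports what HTTPS serves on each interface. The function names and the sample config are constructed for illustration, and it assumes an interface written without a unit means unit 0 and that web-management lists its interfaces explicitly.

```python
import re

# Constructed sample: the post's "Case 2 with management-url" config,
# with the inline (IP) annotations stripped.
SAMPLE = """\
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/5.0
set system services web-management https interface ge-0/0/4
set security ike gateway CLIENT1 external-interface ge-0/0/4
set system services web-management management-url web
"""

WEB_IF = re.compile(r"set system services web-management https? interface (\S+)$")
IKE_IF = re.compile(r"set security ike gateway \S+ external-interface (\S+)$")
MGMT = re.compile(r"set system services web-management management-url (\S+)$")

def _unit(ifname):
    # Assumption: an interface written without a unit refers to unit 0.
    return ifname if "." in ifname else ifname + ".0"

def web_exposure(set_config):
    """Return {interface: {url_path: 'jweb' | 'dvpn'}} per the thread's rules."""
    jweb, dvpn, mgmt_url = set(), set(), None
    for line in map(str.strip, set_config.splitlines()):
        if m := WEB_IF.match(line):
            jweb.add(_unit(m.group(1)))
        elif m := IKE_IF.match(line):
            dvpn.add(_unit(m.group(1)))
        elif m := MGMT.match(line):
            mgmt_url = m.group(1)
    exposure = {}
    for ifc in sorted(jweb | dvpn):
        if ifc in dvpn:
            # The IKE external interface always serves the Dynamic VPN page at "/".
            paths = {"/": "dvpn"}
            if ifc in jweb and mgmt_url:
                # Shared interface: J-Web moves under the management-url path.
                paths["/" + mgmt_url] = "jweb"
        else:
            paths = {"/": "jweb"}
        exposure[ifc] = paths
    return exposure

def jweb_exposed(set_config, untrusted):
    """List (interface, path) pairs where J-Web answers on an untrusted interface."""
    wanted = {_unit(i) for i in untrusted}
    return [(ifc, path)
            for ifc, paths in web_exposure(set_config).items() if ifc in wanted
            for path, svc in paths.items() if svc == "jweb"]
```

Calling `jweb_exposed(config_text, ["ge-0/0/4"])` with the Internet-facing interface gives an empty list when J-Web is not reachable there under these rules.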

Trusted Contributor
BenR
Posts: 89
Registered: ‎03-18-2010

Re: Cannot get VPN to work without allowing access to J-Web manager

I think you might be running into this bug:

https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR712179

Upgrade to 11.4R2 and I think it will work for you.

Visitor
TriSept
Posts: 3
Registered: ‎03-27-2012

Re: Cannot get VPN to work without allowing access to J-Web manager

Sorry for the late response, I've been gone. I upgraded to v12.1R1.9 and now I cannot access J-Web from the untrust network, which is what I wanted.

Thanks for all of your responses!

David

Visitor
rondlu
Posts: 3
Registered: ‎07-07-2013

Re: Cannot get VPN to work without allowing access to J-Web manager

Tried everything on this problem above from Juniper help and this case, and also updated to the resolved-issue OS; still with HTTP I get J-Web and with HTTPS I get the below:

Access Error: 401 -- Unauthorized

Interface is not authorized for HTTP access

Kindly suggest...

Visitor
rondlu
Posts: 3
Registered: ‎07-07-2013

Re: Cannot get VPN to work without allowing access to J-Web manager

Tried everything on this problem above from Juniper help and this opened case, and also updated to the resolved-issue OS; still with HTTP I get J-Web and with HTTPS I get the below:

Access Error: 401 -- Unauthorized

Interface is not authorized for HTTP access

Kindly suggest...
