SRX

Hey folks.. another SRX question 😉

Is there any way to do clientless VPN (like an SA700 does) on the SRX series?  I don't believe it's an option but wanted to double check...

Thanks,

Paul

This can be done on branch platforms, starting with SRX-100 through SRX-650.  It works a similar way, in that you launch a web browser to a particular URL, and it downloads both a client, and the VPN profile specific to the login you have configured for that user.  

There is an app note that goes through the configuration of this ... http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-v12.pdf

Thank you very much - I didn't realize this option existed. 

So when ordering an SRX, this is the "VPN Client License" that is referred to then?

Presuming that it is, is there a license required for folks who already have an IPSec client installed on their computers or are these licenses one and the same?

Finally, what's the major differences between this type of VPN and the SA700 clientless approach?  I know one is SSL based and the other is IPSec client based - does it mainly come down to whether or not the person connecting can install anything on their computer or not? 

Just trying to get this clear - for small installations, I would think that using the SRX clientless version would be ideal....

Many thanks for all the replies...

Paul

The VPN Client license for SRX is exactly that.  In order to use this feature, the VPN client license must be loaded on the SRX device.  This license is specific to the "Access Manager", which is the integrated VPN Client for SRX devices.  There may be an issue with loading the Access Manager on a PC that has an already existing VPN Client.  This is because they are writing to the same portion of the TCP stack/shim.

The SA700 and the SRX clientless approach is similar, but there are still some differences (like SSL VPN vs. IPSec).  The install works basically the same way, where the client is downloaded to your PC.

I hope this answers your question.