SRX

  • 1.  Configuring SRX210 with MAG2600 for Client to Lan VPN

    Posted 01-27-2014 10:30

    I've been trying to configure MAG2600 to work with SRX210 which is configured as follows:

    internet from ge-0/0/0 via DHCP

    ge-0/0/1 serves as DHCP server connected to a switch and many computers behind that.

    From what little documentation I've found it seems that I should set up a static route from untrusted zone to the internal port of the MAG device. Then create a policy to allow VPN traffic from the VPN box.

    I have not been able to do this successfully. I can ping the MAG and connect to it via the web interface if it's connected to a trusted zone.

    I've also looked at the raw logs from the MAG while attempting to connect with pulse client and it seems like the connection is received but nothing is sent back to the pulse client.

    Can anybody provide some example configuration or guidance in this matter?



  • 2.  RE: Configuring SRX210 with MAG2600 for Client to Lan VPN

    Posted 01-27-2014 16:49

    I'm sorry but I'm having trouble visualizing which method you are using to deploy the MAG with the SRX. Could you have a look at kb10162 and let us know which direction you are heading here?

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10162

    I'm guessing from the description that you are using a "one arm" deploy. But I am not sure if that is with or without the DMZ and which zone and interface of your SRX connects to the MAG.



  • 3.  RE: Configuring SRX210 with MAG2600 for Client to Lan VPN

    Posted 01-27-2014 21:24

    Thank you for the link! Actually it seems that I was also having trouble realizing what I wanted to do.

    Anyway, based on the document you linked, I think we would like to use the 2 arm 2 DMZ method since it's the most secure one. Is there any example configuration for this scenario?



  • 4.  RE: Configuring SRX210 with MAG2600 for Client to Lan VPN

    Posted 01-28-2014 00:00

    Try the SSL VPN forum.

    http://forums.juniper.net/t5/SSL-VPN/bd-p/SSL_VPN

    Also there is a course on exactly what you need to know, JPSA. Check that out, it should help you. Other than that, I am only aware of the user guides for the devices.

    But if you are deciding to use the One-Arm Without a DMZ, that is a simple method. Use a firewall filter to forward all the port 443 (SSL) of the Junos Pulse Secure Access Service (MAG2600).

    This may help.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB17476



  • 5.  RE: Configuring SRX210 with MAG2600 for Client to Lan VPN
    Best Answer

    Posted 01-28-2014 03:08

    Lyndidon,

    I think you grabbed the wrong link for your sample. KB17476 is regarding the UAC install with SRX, not the SSL VPN.

    I would suggest Baastax use this thread for the questions about how to configure the SRX. And if he has questions about the SSL VPN settings they would be better served in the SSL VPN forum.

    Baastax,

    Unfortunately, I don't believe there are any NCE (network configuration examples) published yet for these scenarios.

    For two arm two DMZ on your SRX these would be the basic steps:

    Design

    Select your subnets for the two DMZ zones
    Select your two interface addresses on the MAG in these zones
    Design your IP pool requirements for the MAG and note the subnets or addresses used
    Note any subnets NOT directly connected to the SRX that need to be reachable from the MAG

    Create a list of internal resource addresses that remote users will access from the MAG
    Create the two DMZ zones, add the interfaces
    Create destination NAT for your public address in untrust to the outside DMZ address on your MAG
    Create a policy allowing ping, http, https and 4500 from untrust to the outside DMZ address of MAG
    Create policies allowing access from your internal DMZ IP address and pools designed above to your internal resources
    Add routing to reach remote subnets from the SRX
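    An added Junos sketch of the two-arm, two-DMZ steps in this reply; it is not from the thread or from any Juniper document. The addresses, the fe-0/0/2 and fe-0/0/3 DMZ ports, the zone, pool and policy names, and the client pool 10.200.0.0/24 are all assumed, as is a static public address on ge-0/0/0 (the question has DHCP there, so the destination-NAT match would have to follow the assigned address).

```junos
/* Assumed addressing: public 203.0.113.5 on ge-0/0/0 (zone untrust), outside DMZ
   192.0.2.0/29 on fe-0/0/2 with the MAG at .2, inside DMZ 10.20.0.0/29 on fe-0/0/3
   with the MAG at .2, LAN 192.168.1.0/24 in zone trust, MAG client pool 10.200.0.0/24. */
security {
    address-book global {
        address mag-outside 192.0.2.2/32;
        address mag-inside 10.20.0.2/32;
        address mag-pool 10.200.0.0/24;
        address lan-servers 192.168.1.0/24;
    }
    zones {
        security-zone dmz-outside { interfaces { fe-0/0/2.0; } }
        security-zone dmz-inside  { interfaces { fe-0/0/3.0; } }
    }
    nat {
        destination {
            pool mag-outside-pool { address 192.0.2.2/32; }
            rule-set untrust-to-mag {
                from zone untrust;
                /* Only the MAG's own ports are translated, so the public address
                   stays usable for the SRX itself. */
                rule to-mag-443 {
                    match { destination-address 203.0.113.5/32; destination-port 443; }
                    then { destination-nat pool mag-outside-pool; }
                }
                rule to-mag-4500 {
                    match { destination-address 203.0.113.5/32; destination-port 4500; }
                    then { destination-nat pool mag-outside-pool; }
                }
            }
        }
    }
    policies {
        /* Policy lookup runs after destination NAT: match the MAG's real DMZ address. */
        from-zone untrust to-zone dmz-outside {
            policy allow-mag-clients {
                match { source-address any; destination-address mag-outside; application [ junos-ping junos-http junos-https ike-nat-t ]; }
                then { permit; }
            }
        }
        /* Remote users arrive from the MAG's inside arm with pool addresses. */
        from-zone dmz-inside to-zone trust {
            policy mag-to-lan {
                match { source-address [ mag-inside mag-pool ]; destination-address lan-servers; application any; }
                then { permit; }
            }
        }
    }
}
applications { application ike-nat-t { protocol udp; destination-port 4500; } }
/* Return traffic to pool addresses must be routed back to the MAG's inside interface. */
routing-options { static { route 10.200.0.0/24 next-hop 10.20.0.2; } }
```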



  • 6.  RE: Configuring SRX210 with MAG2600 for Client to Lan VPN

    Posted 01-28-2014 10:50

    ouch! Thanks!