09-05-2010 03:47 PM - edited 09-05-2010 05:38 PM
Today I experimented with the management-url changes in 10.2 and 10.3 and I'm frustrated with the results. My expectation from the notes was that these changes would allow me to run J-Web and Dynamic VPN on separate URLs and/or disable J-Web completely. I discovered that even if the https interface is set to lo0, the web management can still be accessed by https://wan.ipa.ddr.ess/login and, even worse, that simply clicking the About link on the Dynamic VPN login page can lead you to the /login web management page (IE8 issues a security warning about the self-signed certificate, click Continue, the session is invalidated and the user is prompted to log in again, and the web management login page is displayed).
What is the point of allowing URL separation and "disabling" of web management if it can still be accessed with non-advertised URLs and links off of the main Dynamic VPN page?
In my opinion, allowing a management interface to face the internet is a dangerous thing, which is unfortunate considering that it's a requirement for Dynamic VPN to function properly. It's also unfortunate that Juniper appears to be "hacking" something to a halfway point without providing a real solution.
What is a real solution to me? Either give us the ability to disable J-Web and/or Dynamic VPN *completely* and/or allow separation of these services to separate ports.
Otherwise I'm quite happy with the product and I'm looking forward to what is in store.
09-06-2010 08:12 PM
Do you have system services web-management configured? If you don't need J-Web, then that needs to be disabled or deleted.
It appears as though web-management being enabled is a requirement for Dynamic VPN to work properly. I just deactivated it as a test and was then unable to access the dynamic-vpn page.
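As an added example (not from any post in this thread or from Juniper), a small Python audit over `show configuration | display set` output that reports whether web-management HTTPS is enabled, which interface it is bound to, whether a management-url is set, and whether Dynamic VPN plus untrust-zone HTTPS host-inbound traffic leaves the J-Web login page reachable as described above. The sample configuration lines and the profile/URL names in it are constructed for illustration.

```python
import re

# Constructed sample of 'show configuration | display set' output; it is not
# taken from any real device and only contains the stanzas the audit inspects.
SAMPLE_CONFIG = """
set system services web-management https system-generated-certificate
set system services web-management https interface lo0.0
set system services web-management management-url mgmt
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security zones security-zone untrust host-inbound-traffic system-services https
"""

_WEB_RE = re.compile(r"^set system services web-management (\S+)(?: (.*))?$")
_UNTRUST_HTTPS = ("set security zones security-zone untrust "
                  "host-inbound-traffic system-services https")


def audit_web_management(config: str) -> dict:
    """Summarise the web-management and dynamic-vpn stanzas and attach
    plain-language risk notes for the combination the thread describes."""
    r = {"https_enabled": False, "https_interfaces": [], "management_url": None,
         "dynamic_vpn": False, "untrust_https_inbound": False, "risks": []}
    for line in (raw.strip() for raw in config.splitlines()):
        m = _WEB_RE.match(line)
        if m:
            key, rest = m.group(1), (m.group(2) or "").split()
            if key == "https":
                r["https_enabled"] = True
                if rest[:1] == ["interface"]:
                    r["https_interfaces"].extend(rest[1:])
            elif key == "management-url" and rest:
                r["management_url"] = rest[0]
        elif line.startswith("set security dynamic-vpn "):
            r["dynamic_vpn"] = True
        elif line == _UNTRUST_HTTPS:
            r["untrust_https_inbound"] = True
    if r["https_enabled"] and not r["dynamic_vpn"]:
        r["risks"].append("web-management enabled but dynamic-vpn not configured: "
                          "disable J-Web if unused")
    if r["https_enabled"] and r["dynamic_vpn"] and r["untrust_https_inbound"]:
        r["risks"].append("J-Web /login reachable from untrust; lo0 binding and "
                          "management-url do not hide it")
    if r["https_enabled"] and r["management_url"] is None:
        r["risks"].append("no management-url set: J-Web uses the default path")
    return r


if __name__ == "__main__":
    for finding in audit_web_management(SAMPLE_CONFIG)["risks"]:
        print("FINDING:", finding)
```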