SRX Services Gateway
Contributor
microguy
Posts: 14
Registered: ‎09-01-2010

Dynamic VPN and Web Management on Public Interface

 

Hi there,

I have a serious query and need some help. I am using Dynamic VPN on my SRX210 firewall. For this purpose I had to open the HTTPS service on the public interface, which allowed web management of the device from the public interface.

How can I stop web management from the internet???

Please help me out.

Thanks,

Fahad Afzal

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: Dynamic VPN and Web Management on Public Interface

It's all-or-nothing. When you enable Dynamic VPN, web management is also enabled on the same interface.

This was a serious oversight by the team who implemented this feature.

If you have a UTM license you can create a web filtering rule to block management access.

-kr

 

---

If this solves your problem, please mark this post as "Accepted Solution."

Kudos are always appreciated.

Trusted Contributor
BenR
Posts: 89
Registered: ‎03-18-2010

Re: Dynamic VPN and Web Management on Public Interface

In Junos 10.2 and later you are supposed to be able to do this, but it doesn't work properly. See the 10.2 release notes for how to configure it. When I tested it on 10.2r2 it still allowed you to log in to Jweb on the external interface when you added /login to the URL, but no longer showed the Jweb login by default. I haven't tested it on 10.2r3 yet.

Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010

Re: Dynamic VPN and Web Management on Public Interface


BenR wrote:

In Junos 10.2 and later you are supposed to be able to do this, but it doesn't work properly. See the 10.2 release notes for how to configure it. When I tested it on 10.2r2 it still allowed you to log in to Jweb on the external interface when you added /login to the URL, but no longer showed the Jweb login by default. I haven't tested it on 10.2r3 yet.

10.2R3 behaves the same way.

keithr wrote:

It's all-or-nothing. When you enable Dynamic VPN, web management is also enabled on the same interface.

This was a serious oversight by the team who implemented this feature.

If you have a UTM license you can create a web filtering rule to block management access.

How exactly is this done, assuming that the traffic is HTTPS and unable to be scanned by the web filter? I just tried as a test and it didn't work.

 

mawr
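
An added example, not part of any post in this thread and not Juniper code: a small Python audit that reads a configuration in `set` format and lists the public-zone interfaces where HTTPS host-inbound traffic is allowed while Dynamic VPN is configured, which per the replies above is where the J-Web login is also reachable. The sample configuration, the zone and profile names, and the `audit` function with its `public_zones` parameter are constructed for illustration.

```python
import re

# Constructed sample configuration in Junos "set" format (not taken from the thread).
SAMPLE_CONFIG = """\
set system services web-management https system-generated-certificate
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.0
"""

# Matches zone-level and interface-level host-inbound system-services statements.
ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+)"
    r"(?: interfaces (\S+))?"
    r"(?: host-inbound-traffic system-services (\S+))?\s*$")

def audit(config, public_zones=("untrust",)):
    """Hypothetical helper: return sorted (zone, interface) pairs in the given
    zones where HTTPS reaches the device while Dynamic VPN is configured."""
    dynamic_vpn = False
    zone_services = {}   # zone -> services allowed at zone level
    ifaces = {}          # (zone, interface) -> services allowed at interface level
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("set security dynamic-vpn "):
            dynamic_vpn = True
        m = ZONE_RE.match(line)
        if not m:
            continue
        zone, iface, svc = m.groups()
        if iface:
            ifaces.setdefault((zone, iface), set()).update([svc] if svc else [])
        elif svc:
            zone_services.setdefault(zone, set()).add(svc)
    if not dynamic_vpn:
        return []
    exposed = []
    for (zone, iface), svcs in ifaces.items():
        # Interface-level host-inbound-traffic settings override the zone-level ones.
        effective = svcs if svcs else zone_services.get(zone, set())
        if zone in public_zones and effective & {"https", "all"}:
            exposed.append((zone, iface))
    return sorted(exposed)

if __name__ == "__main__":
    for zone, iface in audit(SAMPLE_CONFIG):
        print(f"{iface} (zone {zone}): HTTPS open with Dynamic VPN; check J-Web /login exposure")
```

Statements that use the `except` keyword are not parsed by this sketch, so an interface may still be listed when HTTPS has been explicitly excluded.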

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.