SRX Services Gateway
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

J-web access redirecting to dynamic-vpn page after 10.2R3 and 10.3R1 releases


Q: On SRX Branch devices, after upgrading to 10.2R3 and 10.3R1 or later releases, J-Web access may not work if that interface is also terminating an IPSec VPN tunnel. Interfaces terminating an IPSec tunnel will redirect all HTTP and HTTPS requests to the Dynamic VPN domain.

Example:
https://<srx-domain-or-ip>/dynamic-vpn

How do I access J-Web now?

A: This was done to allow for Dynamic VPN support without implicitly allowing all J-Web access. In order to allow J-Web management on an interface which is terminating an IPSec VPN, you must configure management-url for J-Web access:

 set system services web-management management-url <path>


For example, with the following configuration:

set system services web-management management-url mgmt

J-Web management would require the administrator to browse to:

http://<srx-domain-or-ip>/mgmt
Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010
0

Re: J-web access redirecting to dynamic-vpn page after 10.2R3 and 10.3R1 releases

It would be nice if JUNOS could only allow access to Dynamic VPN, and not the /mgmt or /login pages. Having these available on separate ports would be even more ideal.

Thanks,

mawr

Juniper Employee
mxk
Posts: 13
Registered: ‎02-06-2008
0

Re: J-web access redirecting to dynamic-vpn page after 10.2R3 and 10.3R1 releases

Message received.


--mxk
Trusted Contributor
Pato
Posts: 36
Registered: ‎12-21-2009

Re: J-web access redirecting to dynamic-vpn page after 10.2R3 and 10.3R1 releases

With the latest code, if you remove the interface from J-web while it is still used for dynamic-vpn, you essentially disallow J-web access and allow only dyn-vpn access.

In short:

  • If an interface is configured under dynamic-vpn only (i.e. no J-web) the users can only access the dyn-vpn authentication portal (and the default URL will redirect them to this portal, so they don't have to type the /dynamic-vpn url anymore).
  • If an interface is configured for J-web only, users can only access J-web.
  • Only if an interface is configured both under dynamic-vpn and J-web we use the URL to distinguish which service a user might be trying to access. Since we assume most users will be trying to access the VPN (and not the box) the default URL will redirect them to the dynamic-vpn portal. The user-configurable management-url is used to access J-web in such instances.

As a final note, it is always a good idea to disable J-web access from the interfaces used for dynamic-vpn. Administrators can always do a VPN connection to the device and access the box through a trusted interface.
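
Added example (not part of the post above and not Juniper code): a small Python audit that applies the three cases just described to a Junos configuration in `set` format and reports, for each VPN-terminating interface, whether J-Web is also served there. It assumes the VPN interface is the one named by `security ike gateway ... external-interface`, that a web-management protocol with no `interface` statement serves every interface, and it runs on a constructed sample configuration.

```python
import re

# Constructed sample configuration in Junos "set" format (not from the thread).
SAMPLE_CONFIG = """\
set system services web-management management-url mgmt
set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set system services web-management https interface ge-0/0/1.0
set security ike gateway dyn-vpn-gw external-interface ge-0/0/0.0
"""

JWEB_PROTO = re.compile(r"^set system services web-management (https?)(?: |$)")
JWEB_IF = re.compile(r"^set system services web-management (https?) interface (\S+)$")
MGMT_URL = re.compile(r"^set system services web-management management-url (\S+)$")
VPN_IF = re.compile(r"^set security ike gateway \S+ external-interface (\S+)$")


def audit(config_text):
    """Return {interface: finding} for every VPN-terminating interface."""
    jweb = {}  # protocol -> interfaces J-Web is limited to (empty set = no limit)
    vpn_ifs, mgmt_url = set(), None
    for line in map(str.strip, config_text.splitlines()):
        if m := JWEB_PROTO.match(line):
            jweb.setdefault(m.group(1), set())  # protocol is enabled
        if m := JWEB_IF.match(line):
            jweb[m.group(1)].add(m.group(2))
        elif m := MGMT_URL.match(line):
            mgmt_url = m.group(1)
        elif m := VPN_IF.match(line):
            vpn_ifs.add(m.group(1))
    findings = {}
    for ifname in sorted(vpn_ifs):
        # Assumption: a protocol with no interface list serves all interfaces.
        exposed = sorted(p for p, ifs in jweb.items() if not ifs or ifname in ifs)
        if not exposed:
            findings[ifname] = "dynamic-vpn portal only"
        elif mgmt_url:
            findings[ifname] = f"J-Web reachable at /{mgmt_url} via {','.join(exposed)}"
        else:
            findings[ifname] = "J-Web enabled but unreachable: no management-url set"
    return findings


if __name__ == "__main__":
    for ifname, finding in audit(SAMPLE_CONFIG).items():
        print(ifname, "->", finding)
```

Removing the `https interface ge-0/0/0.0` line from the sample moves that interface to the "dynamic-vpn portal only" case, which is the arrangement the final note recommends.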

 

 

Visitor
atom2ueki
Posts: 9
Registered: ‎01-20-2011
0

Re: J-web access redirecting to dynamic-vpn page after 10.2R3 and 10.3R1 releases

Thanks :)

Contributor
rotearc
Posts: 82
Registered: ‎07-10-2010
0

Re: J-web access redirecting to dynamic-vpn page after 10.2R3 and 10.3R1 releases

Pato,
Do you have a sample config that you can share? I just tried to follow the 11.4 security guide. I am not able to get that to work.
Rotearc

Pato wrote:

With the latest code, if you remove the interface from J-web while it is still used for dynamic-vpn, you essentially disallow J-web access and allow only dyn-vpn access.

In short:

  • If an interface is configured under dynamic-vpn only (i.e. no J-web) the users can only access the dyn-vpn authentication portal (and the default URL will redirect them to this portal, so they don't have to type the /dynamic-vpn url anymore).
  • If an interface is configured for J-web only, users can only access J-web.
  • Only if an interface is configured both under dynamic-vpn and J-web we use the URL to distinguish which service a user might be trying to access. Since we assume most users will be trying to access the VPN (and not the box) the default URL will redirect them to the dynamic-vpn portal. The user-configurable management-url is used to access J-web in such instances.

As a final note, it is always a good idea to disable J-web access from the interfaces used for dynamic-vpn. Administrators can always do a VPN connection to the device and access the box through a trusted interface.

 

 


 

Juniper Employee
msheikoh
Posts: 12
Registered: ‎12-09-2009
0

Re: J-web access redirecting to dynamic-vpn page after 10.2R3 and 10.3R1 releases

Hi Rotearc,

Here is a snippet from 10.2 Release notes.

 

■ URL Separation for J-Web and Dynamic VPN—This feature prevents the dynamic
VPN users from accessing J-Web accidentally or intentionally. Unique URLs for
J-Web and dynamic VPN add support to the webserver for parsing all the HTTP
requests it receives. The webserver also provides access permission based on
the interfaces enabled for J-Web and dynamic VPN.
■ CLI changes: A new configuration attribute management-url is introduced at
the [edit system services web-management] hierarchy level to control J-Web
access when both J-Web and dynamic VPN are enabled on the same interface.
The following example describes the configuration of the new attribute:
web-management {
    traceoptions {
        level all;
        flag dynamic-vpn;
        flag all;
    }
    management-url my-jweb;
    http;
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}
■ Disabling J-Web: Dynamic VPN must have the configured HTTPS certificate
and the webserver to communicate with the client. Therefore, the
configuration at the [edit system services web-management] hierarchy level
required to start the appweb webserver cannot be deleted or deactivated.
To disable J-Web, the administrator must configure a loopback interface of
lo0 for HTTP or HTTPS. This ensures that the webserver rejects all J-Web
access requests.
web-management {
    traceoptions {
        level all;
        flag dynamic-vpn;
        flag all;
    }
    management-url my-jweb;
    http {
        interface lo0.0;
    }
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}

Thanks

Salman

Trusted Contributor
michael.saw
Posts: 1,048
Registered: ‎09-26-2011
0

Re: J-web access redirecting to dynamic-vpn page after 10.2R3 and 10.3R1 releases

What is the command to activate the dynamic VPN url?
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"