06-02-2010 06:20 AM
I am setting up a dyn VPN on an SRX setup.
I have followed the appnotes, but I am concerned that when enabling HTTPS on my external interface for clients to connect and download the VPN client, they are also able to see the management GUI.
We used to restrict HTTP access via a filter on the lo0, but is there a way I can say:
<ip>/dynamic-vpn = allowed from anywhere
<ip>/ = allowed from only specific IP prefix list
so that the management GUI is restricted to a specific prefix list whilst the dynamic vpn page is available to all?
06-04-2010 11:00 AM
Do you have the UTM license on your box? You could use custom web filtering rules to accomplish this task.
03-28-2011 07:11 AM
I'm also looking to do the same on an SRX210. Can you give me an example of the proposed config?
03-28-2011 09:39 AM
Long story short, this can't be done:
1. Even when setting management-url, J-Web can still be accessed as https://wan.ipa.ddr.ess/login.
2. Web filter rules cannot be applied to HTTPS.