Restricting web access to management GUI when running dynamic VPN on external interface

SapphireNET · ‎03-27-2008

I am setting up a dyn vpn on an srx setup.

I have followed the appnotes but I am concerned that when enabling https on my external interface for clients to connect and download the vpn client they are also able to see the management GUI

we used to restrict http access via a filter on the lo0 but is there a way I can say:

<ip>/dynamic-vpn = allowed from anywhere

<ip>/ = allowed from only specific IP prefix list

so that the management GUI is restricted to a specific prefix list whilst the dynamic vpn page is available to all?

JNCIS-M, JNCIS-SEC

muttbarker · ‎01-29-2008

Do you have the UTM license on your box? You could use custom web filtering rules to accomplish this task.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Whadmin · ‎03-23-2011

Kevin,

I'm also looking to do the same on an SRX210. Can you give me an example of the proposed config.

Thanks,

Anton

mawr · ‎06-11-2010

Long story short, this can't be done:

1. Even when setting management-url J-Web can still be accessed as https://wan.ipa.ddr.ess/login.

2. Web filter rules cannot be applied to HTTPS.

mawr

Restricting web access to management GUI when running dynamic VPN on external interface

Re: Restricting web access to management GUI when running dynamic VPN on external interface

Re: Restricting web access to management GUI when running dynamic VPN on external interface

Re: Restricting web access to management GUI when running dynamic VPN on external interface