SRX Services Gateway
Trusted Contributor
SapphireNET
Posts: 154
Registered: ‎03-27-2008

Restricting web access to management GUI when running dynamic VPN on external interface

I am setting up a dyn VPN on an SRX setup.

I have followed the app notes, but I am concerned that when enabling HTTPS on my external interface for clients to connect and download the VPN client, they are also able to see the management GUI.

We used to restrict HTTP access via a filter on the lo0, but is there a way I can say:

<ip>/dynamic-vpn = allowed from anywhere

<ip>/ = allowed from only specific IP prefix list

so that the management GUI is restricted to a specific prefix list whilst the dynamic VPN page is available to all?

JNCIS-M, JNCIS-SEC
Distinguished Expert
muttbarker
Posts: 2,379
Registered: ‎01-29-2008

Re: Restricting web access to management GUI when running dynamic VPN on external interface

Do you have the UTM license on your box? You could use custom web filtering rules to accomplish this task.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Visitor
Whadmin
Posts: 3
Registered: ‎03-23-2011

Re: Restricting web access to management GUI when running dynamic VPN on external interface

Kevin,

I'm also looking to do the same on an SRX210. Can you give me an example of the proposed config?

Thanks,

Anton

Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010

Re: Restricting web access to management GUI when running dynamic VPN on external interface

Long story short, this can't be done:

1. Even when setting management-url, J-Web can still be accessed as https://wan.ipa.ddr.ess/login.

2. Web filter rules cannot be applied to HTTPS.

mawr
