Trusted Contributor
kronicklez
Posts: 465
Registered: ‎08-10-2010
0

Re: Can MAG4610 use as SSL VPN and UAC at the same ?

Hi zanyterp,

Thanks for the URL... I already read the doc in the URL given, but still do not really understand. Is there any video (step) for SSL VPN setup using MAG, for example (IC4500), in KB? One more thing, is it enough requirement to do SSL VPN if I just have SSG and MAG? Thanks, appreciate your feedback.

Distinguished Expert
muttbarker
Posts: 2,352
Registered: ‎01-29-2008
0

Re: Can MAG4610 use as SSL VPN and UAC at the same ?

From a software point of view the SSL and the MAG are pretty much the same. The steps required are going to be the same also. You enable the hardware from the console and then use the web UI to configure. Any KB that talks about configuration will work for you.

As for your question about doing SSL VPN if you have SSG and MAG - can you explain a bit? Your setup is fine. Using the MAG behind an SSG is a piece of cake. You can either run it in one-armed mode where you just enable the internal interface only (in trust zone) and use a MIP on the SSG to pass traffic in from the outside along with the policy to allow the traffic from untrust to trust.

Or you can make a slightly more complex (and some would say more secure) setup by placing the external interface and internal interfaces into the SSG. Put the internal in your trust zone and your external in your untrust, or create a DMZ and place it there.

I had this exact setup for years with problems. SA2000 - SSG20 - Internet.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
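
The one-armed option described in the post above, sketched as ScreenOS commands for the SSG. This is an added example, not part of the original post or of Juniper's documentation; the interface name ethernet0/0 and the addresses 203.0.113.10 (public MIP) and 192.168.1.10 (MAG internal port) are assumed placeholders.

```screenos
# Lines starting with "#" are notes for the reader, not commands to paste.
# Assumed: ethernet0/0 is the untrust-zone interface; both addresses are placeholders.

# Map one public address to the MAG internal port (one-armed, trust zone).
set interface ethernet0/0 mip 203.0.113.10 host 192.168.1.10 netmask 255.255.255.255 vrouter trust-vr

# Allow only HTTPS from untrust to the MIP, and log each session.
set policy from untrust to trust any mip(203.0.113.10) https permit log

save
```

Permitting only HTTPS to the MIP keeps the rest of the trust zone unreachable from outside, and the log keyword records each session for later review.
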
Trusted Contributor
kronicklez
Posts: 465
Registered: ‎08-10-2010
0

Re: Can MAG4610 use as SSL VPN and UAC at the same ?

Hi Mutt,

Many thanks for your feedback. I followed this URL but it does not detail the steps... http://www.juniper.net/techpubs/en_US/sa7.1/topics/concept/secure-access-configuring-overview.html ... Regarding your explanation of the SA2000, you mean that refers to the MAG4610, right? Thanks and appreciate your feedback.

Trusted Contributor
kronicklez
Posts: 465
Registered: ‎08-10-2010
0

Re: Can MAG4610 use as SSL VPN and UAC at the same ?

Hi Mutt,

Currently I want to be able to access my office from anywhere using SSL VPN (MAG4610). Our office is just small and does not have a server. The purpose is that I want to make my Juniper lab accessible from anywhere (SSL VPN), but I have no experience configuring SSL VPN and the MAG4610, so that makes it difficult for me. Hopefully you can show step by step how to configure the MAG. Thanks

Moderator
zanyterp
Posts: 2,274
Registered: ‎11-19-2007
0

Re: Can MAG4610 use as SSL VPN and UAC at the same ?

There is no video step-by-step detailing login.
I would recommend working w/ JTAC as they are very experienced with helping do initial setup and answering questions
Trusted Contributor
kronicklez
Posts: 465
Registered: ‎08-10-2010
0

Re: Can MAG4610 use as SSL VPN and UAC at the same ?

Hi zanyterp,

Currently my boss told me not to involve JTAC, because if we have a problem then we can open JTAC. If we open JTAC just to make them show how to configure SSL VPN, it will reduce partner points. So that's why I need to search for some alternative. Thanks.

Distinguished Expert
muttbarker
Posts: 2,352
Registered: ‎01-29-2008

Re: Can MAG4610 use as SSL VPN and UAC at the same ?

Well - configuring an SSL box is a multi-step process. Step one is to do all the basic stuff - network addressing, certificates (not required to get going but cert errors are not nice). That kind of stuff.

I personally always start with Role Definitions. You need roles to assign to both realms and resources and by defining the roles 1st you spend a little time thinking about the types of access (web, RDP, ssh.....) you will grant. In addition I always define my default options for the UI and sessions first so I can use the defaults across my roles.

Then define my Auth servers. Next define any host check policies I will use. Now I have what I need to create my user realms. My auth server, my HC (if any) and my roles. Role mapping ties my users to my roles within a realm.

Now I have a realm I can create a sign-in policy. (Personally I always start with the default sign-in and maybe just change the logo on that page before I go crazy building out multiple pages.)

Once I have a sign-in policy defined (i.e. tying my user realms to the sign-in page) I can test. Even though I have not defined any resources the login process should work at this stage and I should just get an empty landing page.

Now I go and define the resources that will be tied to the roles and the box is functional and ready for use.

It may seem like I skip around a lot (if you think about the layout of the menu) but I find this order makes the most sense.

Hope this helps you!

Trusted Contributor
kronicklez
Posts: 465
Registered: ‎08-10-2010
0

Re: Can MAG4610 use as SSL VPN and UAC at the same ?

Hi Mutt,

Thanks for giving the steps. How about on the SSG? Is there any specific config that needs to be turned on? Thanks and appreciate your feedback.

Trusted Contributor
kronicklez
Posts: 465
Registered: ‎08-10-2010
0

Re: Can MAG4610 use as SSL VPN and UAC at the same ?

Hi Mutt / All,

Another question: is there a need to use 2 ports on the MAG4610 to make SSL VPN, or is it enough to use just 1 port? Appreciate someone's feedback. Thanks

Moderator
zanyterp
Posts: 2,274
Registered: ‎11-19-2007
0

Re: Can MAG4610 use as SSL VPN and UAC at the same ?

One port is just fine; it is up to you if you want to use both the internal port (required) and external port (optional). All traffic to the internal LAN is sourced from the internal port.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.