04-20-2012 12:21 AM
Hi zanytrep,
Thanks for the URL... I already read the doc at the URL given, but I still don't really understand it. Is there any video (step by step) for SSL VPN setup using MAG, for example (IC4500), in the KB? One more thing: is it enough to do SSL VPN if I just have an SSG and a MAG? Thanks, I appreciate your feedback.
04-23-2012 10:04 AM
From a software point of view the SA and the MAG are pretty much the same. The steps required are going to be the same also. You enable the hardware from the console and then use the Web UI to configure. Any KB that talks about configuration will work for you.
As for your question about doing SSL VPN if you have an SSG and a MAG - can you explain a bit? Your setup is fine. Using the MAG behind an SSG is a piece of cake. You can either run it in one-armed mode, where you just enable the internal interface only (in the trust zone) and use a MIP on the SSG to pass traffic in from the outside, along with the policy to allow the traffic from untrust to trust.
Or you can make a slightly more complex (and some would say more secure) setup by placing the external and internal interfaces into the SSG. Put the internal in your trust zone and your external in your untrust, or create a DMZ and place it there.
I had this exact setup for years with problems. SA2000 - SSG20 - Internet.
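The two SSG-side layouts described above, written out as ScreenOS CLI, as an added example that is not part of the original posts or Juniper documentation. Every address, interface name and zone is an assumption chosen for illustration (SSG20-style ethernet0/0 as untrust, ethernet0/1 as DMZ, a public address 203.0.113.10 and private ranges 10.10.10.0/24 and 192.168.100.0/24); lines starting with `#` are annotations, not ScreenOS commands. The two options are mutually exclusive: the same public address must not be MIP'd to two different hosts on one interface.

```screenos
# Option A - one-armed MAG: only the MAG internal port is cabled, in trust.
# Assumed: SSG untrust ethernet0/0, MAG internal port 10.10.10.50,
# public SSL VPN address 203.0.113.10.

# Map the public address to the MAG internal port (1:1 NAT on the untrust interface)
set interface ethernet0/0 mip 203.0.113.10 host 10.10.10.50 netmask 255.255.255.255 vr trust-vr

# Allow only HTTPS from the Internet to the MIP; keep the policy this narrow
set policy from untrust to trust any MIP(203.0.113.10) HTTPS permit log

# Option B - two-armed MAG: external port in a DMZ, internal port in trust.
# Assumed: SSG ethernet0/1 in zone DMZ as 192.168.100.1/24,
# MAG external port 192.168.100.50, MAG internal port still 10.10.10.50 in trust.
set interface ethernet0/1 zone DMZ
set interface ethernet0/1 ip 192.168.100.1/24

# Public address now maps to the MAG external (DMZ) port, not to the trust side
set interface ethernet0/0 mip 203.0.113.10 host 192.168.100.50 netmask 255.255.255.255 vr trust-vr
set policy from untrust to DMZ any MIP(203.0.113.10) HTTPS permit log

# No DMZ-to-trust policy is needed for user traffic: the MAG sends it out of
# its internal port, which already sits in trust. Anything reachable from the
# DMZ should stay limited to what the MAG's external port must answer.
```

After applying either option, `get mip` and `get policy` on the SSG show the translation and the single permitted service; if the MAG's own sign-in page never loads from outside, check those two outputs before touching the MAG.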
04-25-2012 11:41 PM
Hi Mutt,
Many thanks for your feedback. I followed this URL, but it does not detail the steps...http://www.juniper.net/techpubs/en_US/sa7.1/topics
04-25-2012 11:45 PM
Hi Mutt,
Currently I want to be able to access my office from anywhere using SSL VPN (MAG4610)..... Our office is just small and does not have a server. The purpose is that I want to make my Juniper lab accessible from anywhere (SSL VPN)....but I'm not experienced in configuring SSL VPN and the MAG4610. So that makes it difficult for me. Hopefully you can show step by step how to configure the MAG. Thanks
04-26-2012 05:27 PM
04-26-2012 08:59 PM
Hi zanyterp,
Currently my boss told me not to involve JTAC, because if we have a problem later then we can open a JTAC case. If we open a JTAC case just to make them show us how to configure SSL VPN, it will reduce our partner points. So that's why I need to search for some alternative. Thanks.
04-27-2012 08:57 AM
Well - configuring an SSL box is a multi-step process. Step one is to do all the basic stuff - network addressing, certificates (not required to get going, but cert errors are not nice), that kind of stuff.
I personally always start with Role Definitions. You need roles to assign to both realms and resources, and by defining the roles first you spend a little time thinking about the types of access (web, RDP, ssh.....) you will grant. In addition I always define my default options for the UI and sessions first, so I can use the defaults across my roles.
Then I define my Auth servers. Next I define any host check policies I will use. Now I have what I need to create my user realms: my auth server, my HC (if any) and my roles. Role mapping ties my users to my roles within a realm.
Now that I have a realm I can create a sign-in policy. (Personally I always start with the default sign-in page and maybe just change the logo on that page before I go crazy building out multiple pages.)
Once I have a sign-in policy defined (i.e. tying my user realms to the sign-in page) I can test. Even though I have not defined any resources, the login process should work at this stage and I should just get an empty landing page.
Now I go and define the resources that will be tied to the roles, and the box is functional and ready for use.
It may seem like I skip around a lot (if you think about the layout of the menu), but I find this order makes the most sense.
Hope this helps you!
05-06-2012 03:16 AM
Hi Mutt,
Thanks for giving the steps. How about on the SSG? Is there any specific config that needs to be turned on? Thanks, and I appreciate your feedback.
05-07-2012 07:30 PM
Hi Mutt / All,
Another question: is there a need to use 2 ports on the MAG4610 to make SSL VPN work, or is using 1 port enough? I appreciate someone's feedback. Thanks
05-07-2012 08:17 PM
One port is just fine; it is up to you whether you want to use both the internal port (required) and the external port (optional). All traffic to the internal LAN is sourced from the internal port.