SSL VPN
Contributor
j_rabb
Posts: 13
Registered: 10-18-2010

MAG2600 and SRX210 work together for iPhone/iPad access?

I currently have several locations using SRX210's (hub and spoke vpn's).

I need to get iPhone and iPad users access to the headquarters location.

The Pulse client doesn't work with the SRX's.

Will a MAG2600 work ok in conjunction with the SRX210?

Can I just add it behind my SRX210 and configure it to pass the iPhone traffic to the MAG for authentication?

Or is there a better recommendation?


On another subject...

Even though I'm located in Sunnyvale, I have not been able to get much (any) assistance from Juniper.

Anyone have a recommendation on how or where to get some sales-type support on simple networking setups like this?

Or recommendations on best-practice solutions as I build my simple networks?


Thanks.

Anyone can feel free to contact me off line also.

Contributor
j_rabb
Posts: 13
Registered: 10-18-2010

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

As an FYI-


My two main uses for the iPhone/iPad (VPN access) via the Pulse client:


- Being able to connect to our internal ShoreTel phone server/system

- Being able to access a couple of internal company websites for production/mfg status


Of course I assume I will find more, but those are the key drivers right now.


TIA...

Recognized Expert
aweck
Posts: 255
Registered: 07-24-2009

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

MAG should work just fine in that setup.  Give it a public hostname/IP that allows tcp/443 access through the SRX and then Pulse will be able to connect so that you can access internal resources.  Users will need to launch Pulse from their iPhone/iPad before accessing internal resources, unless you use Cert-based authentication on the MAG - then they can use a feature called VPN on Demand to auto-launch Pulse when accessing certain hostnames/IPs.

Juniper Elite Partner
JNCIE-ENT #63, JNCIE-SP #705, JNCIE-SEC #17, JNCIS-FWV, JNCIS-SSL
Contributor
j_rabb
Posts: 13
Registered: 10-18-2010

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Know of any configuration guides or can you help with a suggested configuration on the SRX?


Distinguished Expert
muttbarker
Posts: 2,362
Registered: 01-29-2008

Re: MAG2600 and SRX210 work together for iPhone/iPad access?


Are you referring to getting the MAG up and running behind the SRX?

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Moderator
zanyterp
Posts: 2,276
Registered: 11-19-2007

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Don't forget UDP/4500 open to the MAG2600.
But, yes, that is what you do.
The SRX has good setup guides; the MAG does as well for what is needed to configure for access.
Contributor
j_rabb
Posts: 13
Registered: 10-18-2010

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Yes, I was referring to getting the MAG set up behind the SRX...

TIA

Distinguished Expert
muttbarker
Posts: 2,362
Registered: 01-29-2008

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

On the SRX you need to do the following:

1- Create a NAT rule mapping traffic from the external IP to your internal address:

set security nat static rule-set ssl-vpn from zone untrust
set security nat static rule-set ssl-vpn rule ssl-nat match destination-address XX.XXX.13.30/32
set security nat static rule-set ssl-vpn rule ssl-nat then static-nat prefix 192.168.3.12/32
set security nat proxy-arp interface at-1/0/0.0 address XX.XXX.13.30/32

(The proxy-arp line is optional depending on what external address you use: it is needed when the public address is on the interface's subnet but is not the interface's own address.)

2- Create an address book entry for use in your zone policy:

set security zones security-zone trust address-book address ssl-vpn 192.168.3.12/32

3- Create a zone policy to pass traffic:

(Note: ssl-nc is not a built-in Junos application, so it must be defined before the policy references it or the commit fails. It is assumed here to be UDP/4500, the port zanyterp mentions above for Pulse.)

set applications application ssl-nc protocol udp destination-port 4500
set security policies from-zone untrust to-zone trust policy allow-ssl match source-address any
set security policies from-zone untrust to-zone trust policy allow-ssl match destination-address ssl-vpn
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-http
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-https
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-ping
set security policies from-zone untrust to-zone trust policy allow-ssl match application ssl-nc
set security policies from-zone untrust to-zone trust policy allow-ssl then permit


I hope this helps!


Kevin Barker
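The SRX snippet above opens more than the two ports the earlier replies say Pulse actually needs (tcp/443 and udp/4500): junos-http and junos-ping are also permitted to the MAG, and the ssl-nc application is referenced without being defined. The following offline linter is an added example, not code from the thread or from Juniper. It parses the subset of Junos set syntax used in the post, follows the static NAT from the public address to the MAG, collects every protocol/port that a permit policy from untrust exposes on that host, and reports what is missing versus what is extra. The public address 203.0.113.30 stands in for the elided one in the post, and ssl-nc is assumed to be udp/4500; the sample config is constructed for this example.

```python
import re

# Built-in Junos application objects referenced by the policy, modelled as
# (protocol, port) pairs. Assumption: only the junos-* objects the thread's
# snippet uses are modelled here.
BUILTIN_APPS = {
    "junos-http":  [("tcp", 80)],
    "junos-https": [("tcp", 443)],
    "junos-ping":  [("icmp", 0)],
}

# What the thread says the Pulse client needs to reach the MAG: tcp/443 and udp/4500.
REQUIRED = {("tcp", 443), ("udp", 4500)}

# Constructed sample: the thread's snippet with the elided public IP replaced by a
# documentation address and the custom ssl-nc application defined explicitly (assumed udp/4500).
SAMPLE_CONFIG = """
set applications application ssl-nc protocol udp destination-port 4500
set security nat static rule-set ssl-vpn from zone untrust
set security nat static rule-set ssl-vpn rule ssl-nat match destination-address 203.0.113.30/32
set security nat static rule-set ssl-vpn rule ssl-nat then static-nat prefix 192.168.3.12/32
set security zones security-zone trust address-book address ssl-vpn 192.168.3.12/32
set security policies from-zone untrust to-zone trust policy allow-ssl match source-address any
set security policies from-zone untrust to-zone trust policy allow-ssl match destination-address ssl-vpn
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-http
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-https
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-ping
set security policies from-zone untrust to-zone trust policy allow-ssl match application ssl-nc
set security policies from-zone untrust to-zone trust policy allow-ssl then permit
"""

# Only the statement shapes used in the post are recognised; anything else is ignored.
PATTERNS = [
    ("app",     re.compile(r"set applications application (\S+) protocol (\S+) destination-port (\d+)$")),
    ("nat_ext", re.compile(r"set security nat static rule-set \S+ rule (\S+) match destination-address (\S+)$")),
    ("nat_int", re.compile(r"set security nat static rule-set \S+ rule (\S+) then static-nat prefix (\S+)$")),
    ("addr",    re.compile(r"set security zones security-zone \S+ address-book address (\S+) (\S+)$")),
    ("policy",  re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (\S+)(?: (\S+))?$")),
]


def parse_set_config(text):
    """Parse the subset of Junos 'set' syntax above into plain dicts."""
    apps = {name: list(ports) for name, ports in BUILTIN_APPS.items()}
    addr_book, nat_rules, policies = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        for kind, pat in PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            if kind == "app":
                apps.setdefault(m[1], []).append((m[2], int(m[3])))
            elif kind == "nat_ext":
                nat_rules.setdefault(m[1], {})["external"] = m[2]
            elif kind == "nat_int":
                nat_rules.setdefault(m[1], {})["internal"] = m[2]
            elif kind == "addr":
                addr_book[m[1]] = m[2]
            else:  # policy: accumulate match terms, record the action
                pol = policies.setdefault((m[1], m[2], m[3]),
                                          {"source-address": [], "destination-address": [],
                                           "application": [], "action": None})
                if m[4] == "match":
                    pol.setdefault(m[5], []).append(m[6])
                else:
                    pol["action"] = m[5]
            break
    return apps, addr_book, nat_rules, policies


def exposed_services(config_text, external_prefix, from_zone="untrust"):
    """Follow static NAT from external_prefix to the internal host, then collect every
    (protocol, port) that a permit policy from from_zone lets reach that host.
    Raises ValueError for an application the config never defines, which is the
    condition that makes the Junos commit fail."""
    apps, addr_book, nat_rules, policies = parse_set_config(config_text)
    internal = next((r.get("internal") for r in nat_rules.values()
                     if r.get("external") == external_prefix), None)
    exposed = set()
    if internal is None:
        return None, exposed
    for (src_zone, _dst_zone, name), pol in policies.items():
        if src_zone != from_zone or pol["action"] != "permit":
            continue
        dsts = {addr_book.get(d, d) for d in pol["destination-address"]}  # resolve names to prefixes
        if "any" not in dsts and internal not in dsts:
            continue
        for app in pol["application"]:
            if app not in apps:
                raise ValueError(f"policy {name} references undefined application {app!r}")
            exposed.update(apps[app])
    return internal, exposed


def audit(config_text, external_prefix):
    """Compare what the policy exposes on the NAT'd host against what Pulse needs."""
    internal, exposed = exposed_services(config_text, external_prefix)
    return {
        "internal": internal,
        "missing": sorted(REQUIRED - exposed),
        "extra": sorted(exposed - REQUIRED),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "203.0.113.30/32"))
```

On the sample config the audit reports no missing service and two extras, tcp/80 and icmp; dropping the junos-http and junos-ping terms from the policy leaves exactly the tcp/443 and udp/4500 exposure the thread describes, which is the least-privilege form of the same policy. Removing the ssl-nc line from the policy shows udp/4500 as missing, and removing only its definition reproduces the undefined-application error.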
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.