SSL VPN
New User
HospiceIT
Posts: 4
Registered: ‎03-20-2008

SA 700 Config question

Hello, I'm just starting the configuration of my first SA 700. From a laptop connected to the internal port I can log on and get to the GUI, but I can't ping the external port or get any traffic through it. Is this normal? Do I need to go further in the config process, or do I have an issue that I should address first before going any further? Thanks for any help anyone can offer.

 

Rick 

Contributor
dusannovakovic
Posts: 21
Registered: ‎02-16-2008

Re: SA 700 Config question


Is the external Interface enabled? Watch the Network Tab in your IVE configuration.

But no matter - you can go on configuring and learn the basic concept of this great solution even if ext. interface is still not enabled.

 

The most important thing at the beginning is to understand the concept...

 

1. Sign-In Policies >>> Generate a URL for the users. Maps a Sign-In Webpage and a Realm to that URL.

 

2. Realms >>> Define which Authentication Server to use, Pre-Login Restrictions and how to map User Roles to that Realm. You can also activate Host Checker to check the host PC BEFORE the user logs in to the IVE!

 

3. Roles >>> Defines which resources the users mapped to that role will have (only Web? Only VPN? Only file access? Only SSH or RDP? Or everything?). Here you can also activate Host Checker to check the host PC AFTER the user has logged in to the IVE!

 

4. Resource Policies >>> Defines which user role will be able to access which resources.

Message Edited by dusannovakovic on 03-20-2008 12:54 PM
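The four-layer chain above (sign-in URL, realm, role, resource policy) as an added, runnable model; this is illustration code, not anything shipped on the IVE, and every URL, realm, group, role and resource in it is constructed. `password_ok` and `host_compliant` are assumed stand-ins for the authentication server's verdict and the Host Checker result.

```python
from collections import namedtuple
from fnmatch import fnmatch
# Constructed stand-ins: password_ok is the auth server's verdict,
# host_compliant is the Host Checker result for the user's PC.
User = namedtuple("User", "group password_ok host_compliant")

# 1. Sign-in policies: URL pattern -> realm (sign-in page omitted)
SIGN_IN_POLICIES = {"*/staff/*": "Staff", "*/admins/*": "Admins"}
# 2. Realms: auth server, Host Checker BEFORE login, role-mapping rules
REALMS = {
    "Staff":  {"auth_server": "ad.example.test", "hc_before_login": False,
               "role_rules": [("sales", "WebOnly"), ("helpdesk", "Helpdesk")]},
    "Admins": {"auth_server": "ad.example.test", "hc_before_login": True,
               "role_rules": [("admins", "FullAccess")]},
}
# 3. Roles: enabled access features, Host Checker AFTER login
ROLES = {
    "WebOnly":    {"features": {"web"}, "hc_after_login": False},
    "Helpdesk":   {"features": {"web", "rdp"}, "hc_after_login": True},
    "FullAccess": {"features": {"web", "rdp", "ssh", "files"}, "hc_after_login": True},
}
# 4. Resource policies: (feature, resource pattern, roles, action), first match wins
RESOURCE_POLICIES = [
    ("web", "http://intranet.example.test/*", {"WebOnly", "Helpdesk", "FullAccess"}, "allow"),
    ("rdp", "10.10.10.*:3389", {"Helpdesk", "FullAccess"}, "allow"),
    ("ssh", "*", {"FullAccess"}, "allow"),
]

def authorize(url, user, feature, resource):
    """Walk sign-in URL -> realm -> auth + role mapping -> role -> resource policy."""
    realm_name = next((r for pat, r in SIGN_IN_POLICIES.items() if fnmatch(url, pat)), None)
    if realm_name is None:
        return "deny", "no sign-in policy matches this URL"
    realm = REALMS[realm_name]
    if realm["hc_before_login"] and not user.host_compliant:
        return "deny", "Host Checker failed before login (realm)"
    if not user.password_ok:
        return "deny", f"authentication failed at {realm['auth_server']}"
    roles = {role for group, role in realm["role_rules"] if user.group == group}
    if not roles:
        return "deny", f"no role-mapping rule in realm {realm_name} matches"
    roles = {r for r in roles if user.host_compliant or not ROLES[r]["hc_after_login"]}
    if not roles:
        return "deny", "Host Checker failed after login (role)"
    if not any(feature in ROLES[r]["features"] for r in roles):
        return "deny", f"feature {feature!r} not enabled for roles {sorted(roles)}"
    for pol_feature, pattern, pol_roles, action in RESOURCE_POLICIES:
        if pol_feature == feature and fnmatch(resource, pattern) and roles & pol_roles:
            return action, f"resource policy {pattern!r} matched"
    return "deny", "no resource policy matched (implicit deny)"
```

Note that a user who signs in at the wrong URL lands in a realm with no matching role-mapping rule and is denied even with valid credentials, which is why the URL-to-realm step comes first.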
New User
HospiceIT
Posts: 4
Registered: ‎03-20-2008

Re: SA 700 Config question

Thanks for the quick reply. Yes, the external port is enabled. My plan was to put the Juniper between my firewall and internal router and then start working on the Realms, Roles, etc. However, because the external port is not accessible even though it's enabled, I can't put the box in the network or it shuts down all our outbound traffic. I'm confused. I could understand that it would not pass traffic from external to internal, but I would expect that external-bound traffic would be passed through by default. Am I missing something?
Contributor
dusannovakovic
Posts: 21
Registered: ‎02-16-2008

Re: SA 700 Config question

Well, I don't know anything about your network topology. I hope I got you right...

The IVE has nothing to do with the "other" traffic which passes from the inside to the outside (internet) network.

It's just a "hardened gateway" which allows secure access to internal resources from the outside.

 

So, it needs an IP on the external interface to be accessible from the internet.

If you have no public IP for your IVE, use NAT on the firewall and give the IVE a private IP.

If it has a public IP, place it in the DMZ and that's it.

If you cannot ping it, troubleshoot whether it has a link (LED). Check duplex and speed settings.

Sometimes negotiation does not work properly. Maybe it's the best idea to put a fixed speed setting, according to your firewall port (100 Mbit?).

If it has a link, use the tracert, pathping or traceroute commands to find out why ICMP cannot reach the IVE.

You don't need to connect a notebook directly to the internal port to expect to ping the external interface.

Connect the internal interface to your LAN, connect the external interface to your firewall and that's it.

Even if you put your external interface in the DMZ, it's safe.

This is a hardened machine. No unnecessary ports are opened, only TCP 443 / 80 and UDP 4500.

 

 

 

New User
HospiceIT
Posts: 4
Registered: ‎03-20-2008

Re: SA 700 Config question

Thanks, I think that's really the info I needed. My setup is as follows:

 

Firewall (public IP address)

            |

Juniper (private IP on both interfaces)

            |

Cisco router (private IP)

 

Assuming there aren't any obvious problems, I'll just start hacking at it and see what I can come up with. Thanks for the help.

 

Rick 

 

Contributor
dusannovakovic
Posts: 21
Registered: ‎02-16-2008

Re: SA 700 Config question

The IVE is also a router.

Give each interface an IP from another subnet, for example internal IF= 10.10.10.1/24  and external IF=10.10.10.20.1/24.

The IVE will automatically create the proper routing table.

Then think about the transfer networks between your FW and the external interface, and between your IVE internal interface and your Cisco router interface.

 

Firewall---------Transfer-Net1------------IVE---------Transfer-Net2-----------Cisco Interface
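A check for the two-transfer-net layout above, added as an example (not anything from the thread or the IVE): it derives the connected routes the IVE would build from its two interface addresses and flags the mistakes a first-time setup tends to hit (overlapping interface subnets, a firewall or Cisco next hop that is not on its transfer net, a LAN subnet that collides with a transfer net). Only the internal address 10.10.10.1/24 comes from the thread; the external, firewall, router and LAN addresses are assumed.

```python
import ipaddress as ip

def check_ive_addressing(internal_if, external_if, fw_gateway, lan_router, lan_nets):
    """Validate the Firewall -- Transfer-Net1 -- IVE -- Transfer-Net2 -- Cisco layout.
    internal_if / external_if: the IVE's own addresses as 'addr/prefix'.
    fw_gateway: firewall address on Transfer-Net1 (default route for the IVE).
    lan_router: Cisco address on Transfer-Net2; lan_nets: subnets behind it.
    Returns (ok, findings, routes); routes mimics the table the IVE derives."""
    findings = []
    try:
        int_if, ext_if = ip.ip_interface(internal_if), ip.ip_interface(external_if)
        gw, rtr = ip.ip_address(fw_gateway), ip.ip_address(lan_router)
        nets = [ip.ip_network(n) for n in lan_nets]
    except ValueError as err:
        return False, [f"malformed address: {err}"], []
    # Each interface must sit in its own subnet, or the IVE cannot route between them.
    if int_if.network.overlaps(ext_if.network):
        findings.append(f"internal {int_if.network} and external {ext_if.network} overlap")
    # Connected routes are what the IVE derives from the interface addresses.
    routes = [(str(int_if.network), "connected", "internal"),
              (str(ext_if.network), "connected", "external")]
    # The default route needs a next hop that is on-link on the external side.
    if gw in ext_if.network and gw != ext_if.ip:
        routes.append(("0.0.0.0/0", str(gw), "external"))
    else:
        findings.append(f"firewall {gw} is not a usable next hop on {ext_if.network}")
    # Internal LAN subnets are reached via the Cisco router on Transfer-Net2.
    if rtr in int_if.network and rtr != int_if.ip:
        routes.extend((str(n), str(rtr), "internal") for n in nets)
    else:
        findings.append(f"router {rtr} is not a usable next hop on {int_if.network}")
    # A LAN subnet overlapping a transfer net would be reached via the wrong interface.
    for n in nets:
        if n.overlaps(ext_if.network) or n.overlaps(int_if.network):
            findings.append(f"LAN subnet {n} overlaps a transfer net")
    return not findings, findings, routes

# Constructed sample for the layout in the thread; 10.10.10.1/24 is the
# thread's internal address, everything else is assumed.
if __name__ == "__main__":
    ok, findings, routes = check_ive_addressing(
        "10.10.10.1/24", "10.10.20.1/24", "10.10.20.254", "10.10.10.254", ["192.168.0.0/16"])
    print(ok, findings)
    for route in routes:
        print(route)
```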

New User
HospiceIT
Posts: 4
Registered: ‎03-20-2008

Re: SA 700 Config question

I'll try that this evening. Thanks for the help, I truly appreciate it.
New User
aijaz
Posts: 2
Registered: ‎01-29-2012

Re: SA 700 Config question

Dear All 

 

I have Windows 7 OS on my laptop. I can't connect to the SA700 box; it's giving me an error.



Moderator
zanyterp
Posts: 2,276
Registered: ‎11-19-2007

Re: SA 700 Config question


aijaz wrote:

Dear All 

 

I have Windows 7 OS on my laptop. I can't connect to the SA700 box; it's giving me an error.




This is a config-related error. What message do you see in your user access log?
