Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  SSG-20

    Posted 03-04-2014 12:31

    Hi,



    Two questions: can you log and track internet access of users on a local network with an SSG-20 (reports, logging, etc.), and question 2, where can we buy copies of Juniper's VPN client for an SSG-20?

     

    Cheers'
    Dave Cason



  • 2.  RE: SSG-20
    Best Answer

    Posted 03-04-2014 12:58

    ScreenOS does logging by policy.  So you would need to enable the traffic log on your internet access policy for the logging of web sites. 

     

    But there is no reporting engine, and the logs are all based on ip address not on url.  And there is limited space for log storage on an SSG20.  So this may not be what you are looking for.

     

    You could ship these logs to a syslog server and use them with a reporting tool.  Or you could subscribe to a url filtering service like the websense built in or redirect.

     

    For remote access the official client for ScreenOS was outsourced to NCP.  See this thread.

     

    http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/FAQ-available-for-NCP-s-IPsec-VPN-client-NCP-Secure-Client/td-p/40275
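
An added example, not part of the original replies: a small per-user report built from traffic logs shipped to a syslog server, showing that the data is keyed on IP address and port rather than URL, as the answer above notes. The sample lines are constructed, and their key=value field layout is an assumption modelled on ScreenOS traffic-log messages; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input. The key=value layout is an assumption modelled on
# ScreenOS traffic-log messages as a syslog server would store them.
PREFIX = ('Mar  4 12:40:01 fw1 ssg20: NetScreen device_id=fw1 [Root]system-notification-00257(traffic): '
          'start_time="2014-03-04 12:39:50" duration=11 policy_id=1 '
          'service=http proto=6 src zone=Trust dst zone=Untrust action=Permit ')
SAMPLE = [
    PREFIX + 'sent=1200 rcvd=48211 src=192.168.1.10 dst=203.0.113.80 src_port=51544 dst_port=80',
    PREFIX + 'sent=900 rcvd=15000 src=192.168.1.10 dst=203.0.113.80 src_port=51560 dst_port=80',
    PREFIX + 'sent=5000 rcvd=250000 src=192.168.1.22 dst=198.51.100.7 src_port=49200 dst_port=443',
    PREFIX + 'sent=300 rcvd=700 src=192.168.1.10 dst=198.51.100.7 src_port=51571 dst_port=443',
    'Mar  4 12:41:10 fw1 ssg20: NetScreen device_id=fw1 system event, not a traffic record',
    PREFIX + 'sent=10',  # truncated record, as a lossy UDP syslog path can produce
]

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ("src", "dst", "dst_port", "sent", "rcvd")

def parse_traffic(line):
    """Return the fields of one traffic record, or None if unusable."""
    if "(traffic)" not in line:
        return None
    fields = {key: value.strip('"') for key, value in PAIR.findall(line)}
    if any(name not in fields for name in REQUIRED):
        return None
    if not (fields["sent"].isdigit() and fields["rcvd"].isdigit()):
        return None
    return fields

def usage_by_source(lines):
    """Total sessions, bytes and destinations per internal source address."""
    report = defaultdict(lambda: {"sessions": 0, "bytes": 0, "dests": Counter()})
    skipped = 0
    for line in lines:
        fields = parse_traffic(line)
        if fields is None:
            skipped += 1
            continue
        row = report[fields["src"]]
        row["sessions"] += 1
        row["bytes"] += int(fields["sent"]) + int(fields["rcvd"])
        row["dests"][f'{fields["dst"]}:{fields["dst_port"]}'] += 1
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = usage_by_source(SAMPLE)
    print(report, "skipped:", skipped)
```

Mapping a source address back to a person still depends on DHCP leases or static assignments kept outside the firewall.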



  • 3.  RE: SSG-20

    Posted 03-05-2014 06:54

    Hi Steve, 

     

    Hey thanks for the info, I'll go contact NCP about getting a few client licences for the VPN.

     

    As for internet monitoring, that's kind of a bummer.  Can you think of any turnkey program that's out there?  To date myself, I used to use something called Elron Internet Manager on my old NT networks.  (grin) Can you think of anything else similar?

     

    Cheers'

    Dave



  • 4.  RE: SSG-20

    Posted 03-05-2014 15:08

    Sorry, I don't have a monitoring recommendation.  I've only used tools that came with the specific proxy devices used in my various assignments.

     

    If you are looking for an open source solution, I've heard good things about squid, but have not used it myself.



  • 5.  RE: SSG-20

    Posted 03-20-2014 12:37

    Hi Steve,

     

    Here's a bit of a quandary you might have an idea about .......

     

    I contacted NCP and downloaded their client software ....dropped the 30 day trial on a test laptop and tried to configure it, with no luck.

     

    I contacted NCP and they say they don't have anyone on staff who can offer tech support to help me configure their client software to talk to my present config in the SSG-20. Ummmm, OK ..... ?

     

    So now I'm trying to find a Juniper guy who I can hire for an hour who understands the config in the router and I also have my old and working config file from the Shrewsoft client to make it easier.

     

    Do you have any suggestions on who I can call to get a guy to help me set it up?  It should be a 10 min job but we'll pay for the work to be done ..... our old Juniper guys are MIA.

     

    Cheers'
    Dave Cason



  • 6.  RE: SSG-20

     
    Posted 03-20-2014 19:00

    Hi Dave,

     

    I am not sure about freelancers, but you can contact your Juniper account manager or local partner / reseller who can guide.

     

    If you want to give it a try yourself, you can follow http://kb.juniper.net/InfoCenter/index?page=content&id=KB17364. Even if it does not work with the first try, I felt the logs on NCP are very informative when compared to other clients. So, you can tweak the configuration based on what NCP and the firewall events say.



  • 7.  RE: SSG-20

    Posted 03-21-2014 06:24

    Hi,

     

    Thanks for trying but here's what the link showed:   (I'll try to search for it)

     

    Knowledge Center Search

     

    Article is in review and not yet ready for viewing


  • 8.  RE: SSG-20

    Posted 03-21-2014 06:44

    OK, I found the  config walk thru !

     

    Thanks a bunch, do you know where in an SSG-20 I can go to look for the pre-shared key for the VPN config?  The notes I have for the password don't show the capitals or lower case letters.  Can I view what's in the SSG someplace in the config?  I have a login!

     

    Cheers'

    Dave



  • 9.  RE: SSG-20

    Posted 03-21-2014 06:57

    Yep,

     

    My notes are there but the pre-share key I type in gives me the error:

     

    VPN Error

    RECV-MSG2-AGGR-PSK --> invalid preshared key

     

    Is there a chance that my export file from Shrewsoft that I'm reading is showing me an encrypted password and it's in the router as something else?

     

    Cheers'

    Dave

     



  • 10.  RE: SSG-20

    Posted 03-21-2014 14:35

    The preshared key is encrypted on the firewall so you won't be able to read it.  But it is easy enough to just change it on both the firewall and the software.

     

    VPN--VPN Advanced--Gateway

    Edit your gateway

    Advanced Button

    enter the Preshared key



  • 11.  RE: SSG-20

    Posted 03-25-2014 11:59

    Yep, that's what I kind of suspected - course the bummer there is now when I do that I have to go change all the working clients that are still on the Shrewsoft -DOH !  Oh well ..... I'll give it a shot - Thanks Steve!

     

    Cheers'

    Dave