Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  SSG5 - DHCP

    Posted 08-23-2010 13:46

    I have a SSG5 and computers are connected by IP reserved. It is very convenient to me. I need to make a change, so that all computers are connected with dynamic IP. In this case I have a question: can you create a policy where you can set the range of IP addresses that will be dynamic? Another question: Does the computer can support me to establish a dynamic range and a range of problems in privacy?

     

    Thank you very much



  • 2.  RE: SSG5 - DHCP

    Posted 08-25-2010 04:08

    Assuming the rules will be the same for all the dynamic pcs you would do the following:

     

    • Create a dhcp server on the lan segment
    • Convert the pcs to dhcp
    • Create the address object for this range under policy object. These are required to be CIDR notation ranges and not random IP ranges
    • Use this address object in the policy you create instead of the "any" object to enforce your permit and deny actions

    I'm not sure what you mean about privacy concerns.  You'll have to elaborate on that.
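
The CIDR requirement in the steps above matters for policy scope: if the DHCP pool does not sit on a CIDR boundary, a single address object either needs several blocks or covers addresses outside the pool. The following check is an added example, not part of the original post; the pool addresses are constructed sample values.

```python
import ipaddress


def cidr_blocks_for_pool(first, last):
    """Return the exact CIDR blocks that cover first..last inclusive."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("pool start is above pool end")
    return list(ipaddress.summarize_address_range(lo, hi))


def enclosing_network(first, last):
    """Return the smallest single CIDR block that contains the whole pool."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    # Bits that differ between the two ends must be host bits.
    prefix = 32 - (lo ^ hi).bit_length()
    host_bits = 32 - prefix
    base = (lo >> host_bits) << host_bits
    return ipaddress.IPv4Network((base, prefix))


def review_pool(first, last):
    """Summarise how well a DHCP pool maps onto a CIDR address object."""
    blocks = cidr_blocks_for_pool(first, last)
    pool_size = sum(b.num_addresses for b in blocks)
    supernet = enclosing_network(first, last)
    return {
        "aligned": len(blocks) == 1,          # one object matches the pool exactly
        "exact_blocks": [str(b) for b in blocks],
        "enclosing": str(supernet),
        # Addresses a policy on the enclosing block would match beyond the pool
        "extra_addresses": supernet.num_addresses - pool_size,
    }


if __name__ == "__main__":
    # Constructed sample pools: one off-boundary, one on a /26 boundary.
    for start, end in [("192.168.1.33", "192.168.1.126"),
                       ("192.168.1.64", "192.168.1.127")]:
        print(start, end, review_pool(start, end))
```

A pool with a non-zero `extra_addresses` value means a policy written against the enclosing block also applies to hosts that did not get their address from DHCP, so either move the pool onto a boundary or group the exact blocks.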



  • 3.  RE: SSG5 - DHCP

    Posted 08-25-2010 10:01

    Ready, and put all computers by DHCP. In fact I made a VPN with a SSG140. I have two questions, I hope you can support: what software I can use to connect to my SSG5, knowing that no public IP? There might be a direct connection to that computer, without going through the SSG140. Can I create another segment in my SSG5?

     

    Excuse my English, I can not write very well.

     

    Thanks for your support.



  • 4.  RE: SSG5 - DHCP

    Posted 08-26-2010 04:05

     


    @emoralesa wrote:

     I have two questions, I hope you can support: what software I can use to connect to my SSG5, knowing that no public IP?

     .


    I assume you are asking about client software for computer to firewall VPN. I don't use this function, so I only know what I have read here in the forums. I'm not sure I follow the IP question. I believe either of these will support DNS names for connection so they don't need to know the IP address. If your IP address is dynamic, you can use dyndns.com to have the firewall automatically register a DNS name when it boots up and keep it refreshed.

     

    The new official software is the NCP secure client.  This links to the forum posting on the faq and announcement of support.

     

    I've seen many posts of people using the Shrew client.  This is their guide page and if you search this forum for shrew you will see a number of posts of people using it.

     

    http://www.shrew.net/support/wiki/HowtoJuniperSsg


    @emoralesa wrote:

    There might be a direct connection to that computer, without going through the SSG140. Can I create another segment in my SSG5?


    Yes, you can create additional segments and put them into different zones so you can control access to them separately from the main one.

     



  • 5.  RE: SSG5 - DHCP

    Posted 08-26-2010 12:27

    Okay, I have more clarity on the concept. Your answer helps me a lot. One question: where I can find some practice for the segment?

     

    Many thanks.



  • 6.  RE: SSG5 - DHCP
    Best Answer

    Posted 08-27-2010 04:13

    The main screenos documentation site is the Concepts and Examples guides.

     

    To create new segments you'll need to understand the concepts in Zones and Policies. These are covered in volume 2 Fundamentals. Zones page 25 and following and policies on page 105 and following. Examples of multi zone enterprise networks are found on page 14 and following.



  • 7.  RE: SSG5 - DHCP

    Posted 08-27-2010 07:57

    Many, thank you very much. With that information you provide me, I can supplement my knowledge.