Screen OS


VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

  • 1.  VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-21-2010 16:47

    Hi all,

     

    I am very new to Juniper products, in fact this would be the very first time I am dealing with Juniper as well as the RAS Server. For the server side, we are using Windows Server 2003 and this server will be configured to support RAS server, hopefully I can get help from Microsoft Technet and KB. If anyone has info on this too, it would be appreciated.

     

    However, I would like to get more info on how to configure this feature in the firewall, Juniper Netscreen-5GT, guides or technical notes/knowledge base. I totally have no idea on what I need, what to configure on what screen or where to start when it comes to the Juniper brand. Can anyone who has done this successfully before share guides, info on what I need to implement this or links to any guides for implementation. Thanks in advance for any assistance rendered.

     

    PS: If you need additional info, please ask and I will try my best to provide. Also, I should add that the VPN tunneling should be handled by the RAS server, not the firewall itself. The firewall only performs the routing of IPs and ports to whichever services/servers. Also, does anyone know what this implementation is called?



  • 2.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-22-2010 04:02

    Welcome to the SSG.

    ScreenOS Dynamic VPN

    To make the connection on the firewall you will use what ScreenOS calls dynamic VPN. This is the KB that outlines the various configuration options.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB8535

    These reference the NetScreen client, but this will not support Win7. If you have Win7 clients you will need to choose either the officially supported but paid NCP client (see this thread)

    http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/FAQ-available-for-NCP-s-IPsec-VPN-client-NCP-Secure-Client/td-p/40275

    and the KB
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB17266

    or the Shrew open source client.
    http://www.shrew.net/support/wiki/HowtoJuniperSsg

    Windows 2003 RAS

    To use the Windows server method, these are the instructions.

    configuring RAS on Windows 2003
    http://technet.microsoft.com/en-us/library/cc787153%28WS.10%29.aspx

    Troubleshooting RAS connections
    http://technet.microsoft.com/en-us/library/cc772616%28WS.10%29.aspx

    On the firewall you then allow this traffic, forwarded from your public IP address:
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB5471



  • 3.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-22-2010 20:22

    Firstly, thank you very much for the great reply as well as including the RAS server part. I am looking through the links as I type this trying to understand as best as I can.

     

    However I can't help feeling overwhelmed by it due to my unfamiliarity with it. I think I am ok on the server part but would it be too much if I ask for more guidance on the Juniper part? The KB provides links from one article to another based on different implementations and protocols. Honestly I don't know what is involved or which direction I should go, so maybe some list of action plan/steps to follow will be better, based on how you would do this. And from there I can refer to the KB on how it's done, maybe it would be better to assume I'm totally inexperienced in this?

     

    Also, I think you may have misunderstood my post and to re-iterate my question for your clarification, I only need the Juniper firewall to route the incoming connections from external sources to the correct internal IPs and ports (internet/SDSL IP -> internal/server IP), eg. Internet IP or SDSL 60.48.12.25 to internal server IP 192.168.2.250 with port 1723, no authorisation whatsoever for this side. The RAS server is the one handling the allocated IP pool and user authorisation since it is connected to the Active Directory, thus I think the Netscreen Remote client or NCP client are not needed. Do correct me if I am wrong. At the end of the day, once dialed-in and authorised by the RAS server, they can access the network servers and folders as if they are physically there.

     

    Thank you again and I do apologise if my request is too troublesome.



  • 4.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-23-2010 00:52

    Hi,

     

    You should configure a MIP on the untrust interface that maps 60.48.12.25 to 192.168.2.250 and create an Untrust-to-Trust policy that allows TCP-1723 and GRE to this MIP for any Internet IP. You can also use predefined ScreenOS services for this, but check them first. I saw in certain older ScreenOS releases wrongly defined services.



  • 5.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-23-2010 01:26

    Thanks Edouard. Yes I roughly guessed this is what needs to be done but again, I do not have an idea on where or how to do this on the Juniper device which is my main question all along. I have tried studying the various links and screens on-line and I ended up confusing myself. 😞



  • 6.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-23-2010 02:09

    Hi,

     

    Don't be so sad. This happens to all of us when we start to work with an absolutely new platform.

    The best starting point would be the Web Interface. Fortunately any Netscreen/SSG device is a well pre-configured box that can be implemented with minimal efforts. Most of the settings can be left on defaults. Security zones Untrust and Trust are already mapped to the Trust Virtual Router so that you do not need to change these mappings. Interfaces are also mapped to the zones in an optimal way. So, you can focus on the interface settings, including NAT, routing (default gateway is enough) and policies.

    Sure, you cannot avoid reading the ScreenOS documentation. Fortunately it is excellent. Download and read Concepts and Examples, Vol. Fundamentals. Once you are through, you will be able to create not very complex configurations even without in-depth study of the Routing/VPN/NAT and other volumes.

     



  • 7.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)
    Best Answer

    Posted 12-23-2010 18:30

    Sorry for some of the confusion. I did misinterpret your comments. I thought you were looking at an either/or situation with deploying VPN software to connect to the firewall (the Dynamic VPN section) or using PPTP on Server 2003.

     

    You can ignore everything under the first title; it is the alternative to using Server 2003 RAS.

     

    The KB note above is for if you are using the same public IP address as your interface on the firewall to forward to your MS RAS. If you have another IP available for this, you configure a MIP and the policy following KB10923. As Edouard mentions, you need both PPTP and GRE in the policy for this to work.

     

    And you need to be sure the PPTP ALG is turned on (Security - ALG in the web interface).
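    The MIP, policy and ALG settings described in posts 4 and 7, written out as ScreenOS CLI. This is an added example, not configuration taken from the thread or from Juniper's KB articles. It assumes a 5GT in Trust-Untrust mode with interfaces named untrust and trust, that 60.48.12.25 is a spare public address in the untrust interface's subnet (not the interface's own IP, which is the separate case KB5471 covers), and the policy ID, service-group name and log option are arbitrary choices. Lines starting with # are annotations, not ScreenOS commands.

```screenos
# 1. Check the predefined services before using them (post 4's warning):
#    PPTP must be TCP destination port 1723, GRE must be IP protocol 47
get service pptp
get service gre

# 2. One-to-one MIP on the untrust interface: public 60.48.12.25 -> RAS server 192.168.2.250
set interface untrust mip 60.48.12.25 host 192.168.2.250 netmask 255.255.255.255 vrouter trust-vr

# 3. Group the two services PPTP needs: TCP/1723 control channel plus GRE data channel
set group service "PPTP-RAS"
set group service "PPTP-RAS" add "PPTP"
set group service "PPTP-RAS" add "GRE"

# 4. Untrust-to-Trust policy from any Internet source to the MIP for that group
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(60.48.12.25)" "PPTP-RAS" permit log

# 5. PPTP ALG on, so the GRE call IDs are tracked together with the control session
set alg pptp enable
save

# 6. Verify: MIP present, policy as intended, ALG enabled
get interface untrust mip
get policy id 10
get alg

# 7. After a client dials in, both a TCP/1723 session and a protocol-47 (GRE) session
#    to the server should be listed; TCP only means GRE or the ALG is the problem
get session dst-ip 192.168.2.250
```

    Two notes for the practitioner. "Any" as the source is what the thread asks for, but if the dial-in users come from known address ranges, an address-book entry for those ranges in place of "Any" cuts the exposure of the RAS server considerably. And a PPTP control connection that succeeds while the client then hangs at "verifying username and password" is the classic sign that GRE is being dropped (policy or ALG), not that the RAS server is misconfigured.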



  • 8.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-24-2010 01:21

    Thanks Edouard and Steve. I'll give this a read-through during the weekends and I think I only have physical access to the device next week as it is at another location. That's why I'm trying to read up and learn before doing this. So from what I have explained and understood from the info you guys provided, this can be done right, with no additional software or hardware? Just the Juniper NS-5GT and a server running MS Windows Server 2003?

     

    I'll try to post questions if I have them during the weekends but I'm not sure if any of you guys will be around to reply. Lastly, Merry Christmas and a Happy New Year.



  • 9.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-26-2010 12:01

    Yes, all you need for this is the server and the firewall. 

     

    But you will need to add roles to the  server so the install disk will be asked for if that is not copied to the drive.

     

    And you should check that the firewall is updated to the latest release of your software version, which I believe is 5.4 for the 5GT.  Check the downloads site.

     

    Both of these functions should also be doable remotely. The firewall and the server support remote access management protocols, so you would not need to be on-site for the work.



  • 10.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-26-2010 22:23

    Thanks steve. Sorry I myself was away during the weekends. Ok I think so far I understand your guides. Only thing left is for me to do it but sadly, I cannot remotely do it as this particular client of ours has a very rigid policy, thus I have to be on-site.

     

    As for the firmware, if I update it, no settings will change right? What if it is using an older version? Is it a must to update it?

     

    When you mention install disk, what do you mean? Do I have to install anything from the CD? I hope if I do need it, they will have it, or else.....

     

    Lastly, the remote part, for firewall, I am not quite sure of it but for server side, you mean remote access in Windows right?

     

    Thank you.



  • 11.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-27-2010 05:01

    On the firmware, the settings are normally preserved through an update. But of course you should download a fresh copy right before the procedure, just in case something goes horribly wrong and you need to factory reset and reload.

     

    On the disk, this is for adding the RRAS role on Server 2003. You will just do this in Add/Remove Programs and Windows Components. Depending on the specifics of your install, it may ask you for the Windows Server 2003 install disk to complete the process.

     

    On remote access, the firewall supports SSL and SSH management interfaces if you have a tunnel up to the site. On the server I'm referring to Remote Desktop. I routinely do this type of update remotely across the network for both servers and firewalls. But it is always nice to see people in person if that's what they need.
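    The back-up-then-upgrade sequence post 11 recommends, as an added ScreenOS CLI example (not from the thread). The TFTP server address 192.168.2.10 and the two filenames are placeholders; the image name must be the file actually downloaded for the 5GT from the support site, and the TFTP server must be reachable from the firewall. Lines starting with # are annotations, not ScreenOS commands.

```screenos
# Record the running version and save the configuration off-box before touching firmware
get system
save config to tftp 192.168.2.10 ns5gt-before-upgrade.cfg

# Load the new image into flash, then reboot onto it (the device prompts before resetting)
save software from tftp 192.168.2.10 ns5gt-image.bin to flash
reset

# After the reboot: confirm the version changed and the configuration survived
get system
get config

# Recovery path if the upgrade goes wrong and a factory reset is needed:
# wipe to defaults, reboot, then reload the saved configuration from TFTP
unset all
reset
save config from tftp 192.168.2.10 ns5gt-before-upgrade.cfg to flash
```

    Keep the saved .cfg somewhere other than the TFTP server's public share once the work is done: it contains the MIP, policies and, if any are configured, VPN pre-shared keys and admin password hashes.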



  • 12.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-27-2010 23:00

    Oh darn I am unable to download the latest firmware for the firewall from the download section as I do not have access to it. I have emailed to Juniper support but I have a feeling that the firewall is no longer under warranty and the client do not have Juniper support contract. Any other way I can update the firmware?



  • 13.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-28-2010 04:19

    The access to screenos downloads is just based on having a registered product and agreeing to abide by the legal export restrictions.

     

    Make sure there is at least one ScreenOS device registered and associated with the login ID that is requesting the access.



  • 14.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-28-2010 18:32

    Thank you. Seeing as today I will be going on-site, I'll try and get the serial number to register with Juniper and proceed from there.

    Meanwhile, just wanting to be clear, if I do close this question/accept a solution, can I still post or update here in case I encounter any further issues or have further questions? Or should I leave it open till everything is completed?



  • 15.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 12-29-2010 04:37

    The screenos functions are pretty basic so it will likely work just fine with older software.  It is just best to update to the latest JTAC recommended release for your model.  The download site shows this recommendation as 5.4 for the 5GT.

     

    The threads are never locked for comments. Related questions about getting the RRAS working behind the firewall should continue here, but if it veers into a different topic then a new thread with a good description is best for future reference and the archives.

     

    The purpose of the "accepted solutions" is to flag the thread for future search users and to calculate our member rankings for the system. See this announcement for a description.

     

    http://forums.juniper.net/t5/News-and-Announcements/Accepted-Solutions/m-p/1071



  • 16.  RE: VPN for Juniper Netscreen-5GT with Windows Server 2003 RAS (HELP)

    Posted 01-11-2011 22:44

    I apologise for the late reply. I was busy with new assignments in the new year till I forgot about this. Anyway, a brief update, I have yet to implement this as the client needed some time to consider and decide on some things so I am just keeping this topic in my bookmarks for reference purposes. I can post anytime right?

     

    I have also accepted steve's post as a solution and gave kudos. I hope I did it right, just did not want to drag on any longer, at least till the need arises. So thanks steve and edouard, I will be sure to scream for help here in the very near future.

     

    Best regards.