SRX Services Gateway

Enabling web authentication allows J-web access

‎01-13-2020 12:04 PM

We use the web-authentication portal for vendors to log in. After logging in, the vendor can access internal systems as defined by our security policies and destination NAT rules. This works flawlessly except for one detail.

 

webauth.example.com resolves to a.b.c.d (below).


Going to https://webauth.example.com/ takes one to the Firewall User Web-Authentication Login page.

 

But, if one goes to https://webauth.example.com/asdfa (or any other random letters) the J-Web login is presented.

 

Is it possible to use web-authentication without exposing J-web on the same interface?

 

We have an SRX-300 running 18.2R3.4.

# show system services web-management 
management-url admin;
https {
    pki-local-certificate webauth-cert;
    interface [ ge-0/0/0.0 ge-0/0/1.0 ge-0/0/5.0 ];
}
session {
    idle-timeout 60;
}

# show interfaces ge-0/0/5 unit 0 family inet address a.b.c.d/28    
web-authentication https;

# show security zones security-zone Internet 
screen untrust-screen;
interfaces {
    ge-0/0/5.0 {
        host-inbound-traffic {
            system-services {
                ping;
                https;
                ike;
            }
        }
    }
}
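
The overlap shown in the configuration above can be checked mechanically. This is an added example, not part of the original post: it flags interfaces that appear in the J-Web HTTPS interface list, carry `web-authentication https`, and sit in a zone admitting `https` as host-inbound traffic. The names `SAMPLE`, `flatten` and `audit` are assumptions of the example, and the sample wraps the post's three snippets in their hierarchy levels.

```python
import re

# Constructed sample: the post's three snippets merged into one brace-format config.
SAMPLE = """
system { services { web-management { management-url admin; https {
    pki-local-certificate webauth-cert;
    interface [ ge-0/0/0.0 ge-0/0/1.0 ge-0/0/5.0 ];
} } } }
interfaces { ge-0/0/5 { unit 0 { family inet { address a.b.c.d/28 {
    web-authentication https;
} } } } }
security { zones { security-zone Internet { interfaces { ge-0/0/5.0 {
    host-inbound-traffic { system-services { ping; https; ike; } }
} } } } }
"""

def flatten(text):
    """Expand brace-format config into set-style word tuples."""
    out, stack, words, items, in_list = [], [], [], [], False
    for tok in re.findall(r"[{};\[\]]|[^\s{};\[\]]+", text):
        if tok in "[]":
            in_list = tok == "["          # bracketed value list starts or ends
        elif in_list:
            items.append(tok)
        elif tok == "{":
            stack.append(words)           # words so far name the new level
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            base = [w for seg in stack for w in seg] + words
            out += [tuple(base + [i]) for i in items] or [tuple(base)]
            words, items = [], []
        else:
            words.append(tok)
    return out

def audit(text):
    """Return (interface, zone) pairs exposing both J-Web and web-authentication."""
    stmts = flatten(text)
    jweb = {s[5] for s in stmts if len(s) == 6 and s[:5] ==
            ("system", "services", "web-management", "https", "interface")}
    webauth = {f"{s[1]}.{s[3]}" for s in stmts if len(s) == 10
               and s[0] == "interfaces" and s[2] == "unit"
               and s[8:] == ("web-authentication", "https")}
    zones = {s[5]: s[3] for s in stmts if len(s) == 9
             and s[:3] == ("security", "zones", "security-zone")
             and s[6:] == ("host-inbound-traffic", "system-services", "https")}
    return sorted((i, zones[i]) for i in jweb & webauth if i in zones)
```

`audit(SAMPLE)` reports `ge-0/0/5.0` in zone `Internet`. The check only detects the overlap; whether Junos can serve web-authentication over HTTPS without J-Web on the same interface is the open question of the thread.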

 

Re: Enabling web authentication allows J-web access

‎01-14-2020 01:39 AM

Hi WSGC,

Basically, because you have configured WebAuth and JWeb on the same interface, WebAuth Passthrough Authentication takes precedence by default; however, when errors happen in the WebAuth (aka adding unexpected letters at the end of the URL path), it defaults to Direct Authentication (to the SRX300), which is why J-Web is displayed.

Is there a reason or use case as to why you are using GE5 instead of the default FXP0 interface for this? Also, the JTAC recommended version is 18.2R3-S2, so you are running two sub-releases above the recommended.

KR Adam

Re: Enabling web authentication allows J-web access

‎01-14-2020 06:13 AM

Hi Adam,

Thanks for the reply. How would I enable web-authentication via HTTPS on the interface without also enabling web management on it? They seem to be linked to me: one can only configure a certificate for HTTPS using the system/services/web-management options and then this certificate is also used for web-authentication.

 

This was also a problem on 15.1X49-D45 that I was using prior to recently upgrading.

 

The use of 18.2R3.4 is an oversight on my part. I can downgrade to 18.2R3-S2 but I'd like to focus on my initial inquiry first.

 

This is not a clustered firewall so there is no fxp interface.

Re: Enabling web authentication allows J-web access

‎01-22-2020 06:10 AM

Does anyone know if it is possible to use web-authentication over HTTPS without exposing J-web on the same interface?