SRX Services Gateway

Restricting web access to management GUI when running dynamic VPN on external interface

06-02-2010 06:20 AM

I am setting up a dyn VPN on an SRX setup.

I have followed the appnotes, but I am concerned that when enabling HTTPS on my external interface for clients to connect and download the VPN client, they are also able to see the management GUI.

We used to restrict HTTP access via a filter on the lo0, but is there a way I can say:

<ip>/dynamic-vpn = allowed from anywhere

<ip>/ = allowed from only specific IP prefix list

so that the management GUI is restricted to a specific prefix list whilst the dynamic VPN page is available to all?

JNCIS-M, JNCIS-SEC
3 REPLIES

Re: Restricting web access to management GUI when running dynamic VPN on external interface

06-04-2010 11:00 AM

Do you have the UTM license on your box? You could use custom web filtering rules to accomplish this task.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation


Re: Restricting web access to management GUI when running dynamic VPN on external interface

03-28-2011 07:11 AM

Kevin,

I'm also looking to do the same on an SRX210. Can you give me an example of the proposed config?

Thanks,

Anton


Re: Restricting web access to management GUI when running dynamic VPN on external interface

03-28-2011 09:39 AM

Long story short, this can't be done:

1. Even when setting management-url, J-Web can still be accessed as https://wan.ipa.ddr.ess/login.

2. Web filter rules cannot be applied to HTTPS.

mawr