Intro
I was consulting for a company which got a shiny brand new Juniper SA2500. I’ve heard about such things. In fact I heard about it in the days when Netscreen themselves presented it to us. I was impressed at the time and still am. But how to get the thing working when the documentation is pretty formidable? This company was getting off an old Nortel Alteon platform which I was more familiar with. It, too, was very difficult to master at first. You gotta get their paradigm, I suppose. Once you have it, it’s a walk in the park.
The problem we are addressing
Provide secure access to selected external users to selected Intranet sites. Can’t be that hard, right? That’s the bread and butter for these boxes after all. Ha! 1164 pages of documentation and the basic concepts are almost completely lost in the forest.
The details
So I assembled all the important information here in one short, sweet example. I can’t speak for anyone else, but I myself will use this as a reference from now on!
Open source zealots will say that this SA is an overpriced waste of money since everything we’re doing can be done by Apache or Squid or tools like that. We’re just setting up a reverse proxy with some fancy authentication after all. But I do genuinely think this network appliance is an appropriate expense for a mid- to large-sized company with IT staff too busy to investigate “free” alternatives.
To mix things up a bit – everyone has something unique about their use-case, right? – the same SA2500 is to be used for both Network Connect VPN-style connections as well as this SSL-VPN portal application. We will associate the SSL-VPN portal with a VIP on the external interface and give it the name ssl-vpn-portal-vip1.drj.com.
Assumptions
I assume there is RSA authentication, though that doesn’t matter much, and that LDAP group-based authorization will be used.
Other assumptions: the desired users, let’s say the company sales force, are in an LDAP group SalesExtranet_access; and that they need access to Intranet sites https://sales-intranet.drj.com/ and http://quality-asurance.johnthedoctor.net/QA/home.htm; my LDAP authentication server has been set up and called LDAP-extranet.
So here goes.
Authentication
Auth. Servers|LDAP-extranet
click Server Catalog
click Search
in filter field: cn=SalesExtranet_access, then Search
click on group name, then OK. It should now be available for roles.
Role Definition
User Roles|New User Role…
Name: SSL-VPN-SalesExtranet-role
Access: Web.
Save Changes
Resource Definition
Resource Profiles|Web|New profile
Name: SSL-VPN-SalesExtranet-profile
Description: Profile for the SalesExtranet_access group. – DrJ 12/3/12
base URL: https://sales-intranet.drj.com/
Save and Continue
add SSL-VPN-SalesExtranet-role
Add 2nd web site w/ different domain to this role
Resource Profile|Web. Pick SSL-VPN-SalesExtranet-profile, then Duplicate
Rename this profile to SSL-VPN-SalesExtranet-profile-QA or similar
Enter correct URL for this new profile: http://quality-asurance.johnthedoctor.net/QA/home.htm
Role to Group Mapping
For me this is the key step that ties all the pieces together, and it is a little non-intuitive.
User Realms|SSL-VPN-portal-RSA-realm|Role Mapping
New Rule
Rule based on Group membership.
Update
Name: SSL-VPN-SalesExtranet-roleMapping
If User is a member of SalesExtranet_access. Add
…then assign these roles: SSL-VPN-SalesExtranet-role
Save Changes
Nota Bene
SSL-VPN-portal-page sign-in page has already been set up. This is a one-time setup. This is the place where you can present a custom message to your users.
Signing-in|Sign-in Policies is where we establish the URL for this portal. Put ssl-vpn-portal-vip1.drj.com first in the list of user URLs in the Signing in screen.
Certificate Loading
It’s fairly obvious that to stuff a certificate into the SA you go to
Configuration|Certificates|Device Certificates
because where else would it be?
But it’s less obvious that you need to click on the certificate name to associate it with your vlan and possibly external interface. You can even associate the certificate with both an internal virtual interface as well as an external virtual interface. This kind of flexibility is what drew me to the Juniper solution.
Appendix A
Finding the LDAP Group in Novell eDirectory
This threw me for a loop at first. The single most important thing in this case is that group membership is indicated by the attribute member when you’re setting up the LDAP authentication server, even though when you conduct an LDAP query you’d think it would be groupMembership. But I think this could vary according to your particular installation.
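One way to settle the member vs. groupMembership question before touching the SA is to dump the group and one of its users with ldapsearch and see which side records the membership. The script below is an added example, not part of the original post: it parses LDIF such as ldapsearch -LLL would print and reports whether membership is recorded group-side in member (what the SA's LDAP server definition wants) or only user-side in groupMembership. The LDIF is constructed to mimic eDirectory output; the base o=drj, the user cn=jdoe and the OU names are made up.

```python
# Constructed sample LDIF, as if produced by:
#   ldapsearch -LLL -b "o=drj" "(cn=SalesExtranet_access)"
#   ldapsearch -LLL -b "o=drj" "(cn=jdoe)"
# Entries, DNs and OUs are placeholders, not from a real directory.
SAMPLE_LDIF = """\
dn: cn=SalesExtranet_access,ou=groups,o=drj
objectClass: groupOfNames
cn: SalesExtranet_access
member: cn=jdoe,ou=sales,o=drj
member: cn=asmith,ou=sales,o=drj

dn: cn=jdoe,ou=sales,o=drj
objectClass: inetOrgPerson
cn: jdoe
groupMembership: cn=SalesExtranet_access,ou=groups,o=drj
"""

def parse_ldif(text):
    """Parse plain LDIF into {dn: {attribute: [values]}}.
    Continuation lines (leading space) are folded; base64 (::) values are not handled."""
    entries, attrs, dn = {}, {}, None
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():              # blank line terminates an entry
            if dn is not None:
                entries[dn] = attrs
            attrs, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(attr, []).append(value)
    if dn is not None:
        entries[dn] = attrs
    return entries

def _same(a, b):
    # DNs and attribute values are matched case-insensitively, as LDAP does for cn
    return a.strip().lower() == b.strip().lower()

def membership_attribute(entries, group_cn, user_dn):
    """Return "member" if the group entry lists user_dn (configure the SA's group
    member attribute as member), "groupMembership" if only the user entry points
    at the group, or None if neither side records the membership."""
    group_dn = next((dn for dn, a in entries.items()
                     if any(_same(v, group_cn) for v in a.get("cn", []))), None)
    if group_dn is None:
        return None
    if any(_same(v, user_dn) for v in entries[group_dn].get("member", [])):
        return "member"
    user = entries.get(user_dn, {})
    if any(_same(v, group_dn) for v in user.get("groupMembership", [])):
        return "groupMembership"
    return None

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(membership_attribute(entries, "SalesExtranet_access", "cn=jdoe,ou=sales,o=drj"))
```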