Connecting to the secondary node from the primary node on an SRX cluster

On the branch SRX devices, this can be achieved with the following command (run from the primary node):

{primary:node0}

lab@host-A> request routing-engine login node 1

— JUNOS 10.1R3.7 built 2010-011-10 04:15:10 UTC

{secondary:node1}

lab@host-B>

On the high-end SRX devices, you will need to drop to the shell and run the following command:

root@host-A% rlogin -T node1


Reference


SSO

In the Juniper SA Series, there is an option to give a secure connection to corporate resources without the use of Network Connect.

In this example I'll demonstrate how we can do this with an OWA (Outlook Web Access) server.

Screenshot_11

Screenshot_12


Screenshot_13

Caching: controls which browser content is temporarily stored (cached) on the client machine, i.e. which web content the client's computer is allowed to cache. The entries listed above are usually generated automatically, so there is no need for our intervention in the configuration.


Screenshot_14

Screenshot_15

Now add the Realms to the SSO; you can then see that an autopolicy has been created:

Screenshot_16


WSAM

1. Creating the WSAM profile

Screenshot_1

Screenshot_2

JSAM is likely more for Apple users.

In this example I will demonstrate how to reach Exchange through Outlook.

Screenshot_3

Screenshot_4

If you wonder why I typed (*), which means all ports, it is because we're talking about a lot of ports, not only the SMTP port. If you have another helpful idea, please put it in a comment.

Don't forget to click the Add button, and then Save and Continue.

2. Adding the WSAM to a role

Screenshot_5

Screenshot_6

As you noticed, it automatically created "Supporting Policies". But if we had created the WSAM through "Resource Policies", we would have had to create a profile and then associate them with each other (complicated).

If we configured something wrong in WSAM, this error message will be generated:

Screenshot_7

We can also add the application via User Roles > Access Features > Applications.

Screenshot_8

Screenshot_9

Screenshot_10

Note that we add the application under the same name as it appears in the Task Manager.

SSH connection failed when discovering SA device

In Junos Space Network Management version 15.1:

When trying to discover an SA-2500 VPN appliance, the following error is returned:

SSH connection failed. Device might not be reachable through device management interface.

This is because Junos Space will only manage devices that are running Junos 9.3 or higher; any other operating system cannot be managed. Although you can have "unmanaged" devices, whereby Junos Space (more specifically OpenNMS) performs SNMP monitoring only, you would not have the ability to perform configuration backups, configuration changes, software upgrades, etc. on any unmanaged device.

The supported platform list can be found at the following URL:

http://www.juniper.net/techpubs/en_US/junos-space15.1/platform/topics/reference/general/faqs-junos-space-device-management.html


Reference

Junos Space web timeout

When we open the topology, the entire application logs out after a certain time.

In order to keep the display open as long as we want, we need to do the following:

1. Log on to the Junos Space Web UI and open Network Application Platform.
2. In the Network Application ribbon bar, click Administration, then Manage Applications.
3. Right-click Network Application Platform and click Modify Application Settings.
4. Set the timeout value.
5. Save the changed settings and click the Modify button located at the bottom of the page.


Reference : KB21829

Transparent Proxy Configuration on SRX Firewall

How to implement a transparent proxy so that internet traffic (HTTP, HTTPS, FTP) does not go out directly but is redirected through a proxy server.

In Cisco we can do transparent proxy via WCCP, so how do we implement it with Juniper? On an SRX this is done with filter-based forwarding: a firewall filter sends matching traffic into a forwarding routing instance whose only route is a default route toward the proxy.

set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib to-proxy.inet.0
set firewall family inet filter to-proxy term one from destination-port 80
set firewall family inet filter to-proxy term one from destination-port 443
set firewall family inet filter to-proxy term one from destination-port 21
set firewall family inet filter to-proxy term one then count to-proxy
set firewall family inet filter to-proxy term one then log
set firewall family inet filter to-proxy term one then routing-instance to-proxy
set firewall family inet filter to-proxy term two then count to-default-route
set firewall family inet filter to-proxy term two then log
set firewall family inet filter to-proxy term two then accept
set routing-instances to-proxy instance-type forwarding
set routing-instances to-proxy routing-options static route 0.0.0.0/0 next-hop X.X.X.X

Here X.X.X.X is your proxy server's IP address. Term "two" has no match conditions and accepts everything else; without it, the implicit discard at the end of the filter would drop all non-proxied traffic.

Then, apply that filter as a family inet input filter on the interface facing the clients:

set interfaces ae0.6 family inet filter input to-proxy
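As an added example (not part of the original post), the following Python script parses the set commands above and checks the points that most often break a filter-based-forwarding setup: the final term must be a catch-all accept, the routing instance named in the filter must exist as a forwarding instance, a rib-group applied to interface-routes must import the interface routes into that instance's table, the instance must carry a default route, and the filter must actually be applied to an interface. The sample configuration is constructed from the post, with X.X.X.X replaced by the documentation-range placeholder 192.0.2.10; the check names and messages are the example's own, not a Junos tool.

```python
"""Sanity checks for a Junos filter-based-forwarding (FBF) transparent-proxy
configuration written as 'set' commands. Added example, not from the post."""

# Constructed sample: the post's configuration with the proxy address X.X.X.X
# replaced by a documentation-range placeholder.
SAMPLE_CONFIG = """
set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib to-proxy.inet.0
set firewall family inet filter to-proxy term one from destination-port 80
set firewall family inet filter to-proxy term one from destination-port 443
set firewall family inet filter to-proxy term one from destination-port 21
set firewall family inet filter to-proxy term one then count to-proxy
set firewall family inet filter to-proxy term one then log
set firewall family inet filter to-proxy term one then routing-instance to-proxy
set firewall family inet filter to-proxy term two then count to-default-route
set firewall family inet filter to-proxy term two then log
set firewall family inet filter to-proxy term two then accept
set routing-instances to-proxy instance-type forwarding
set routing-instances to-proxy routing-options static route 0.0.0.0/0 next-hop 192.0.2.10
set interfaces ae0.6 family inet filter input to-proxy
"""


def parse_set_commands(text):
    """Split each 'set ...' line into its tokens, dropping the leading 'set'."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def filter_terms(cmds, filter_name):
    """Terms of a 'family inet' filter, in configuration order:
    {term_name: {"from": [...], "then": [...]}}."""
    terms = {}
    for t in cmds:
        if t[:6] == ["firewall", "family", "inet", "filter", filter_name, "term"] and len(t) > 7:
            entry = terms.setdefault(t[6], {"from": [], "then": []})
            if t[7] in entry:
                entry[t[7]].append(" ".join(t[8:]))
    return terms


def check_fbf(text, filter_name):
    """Return a list of problems; an empty list means the FBF config is coherent."""
    cmds = parse_set_commands(text)
    problems = []
    terms = filter_terms(cmds, filter_name)
    if not terms:
        return [f"filter {filter_name} is not defined"]

    # A Junos filter ends with an implicit discard, so the last term must be an
    # unconditional accept or every non-proxied packet is silently dropped.
    last_name, last = list(terms.items())[-1]
    if last["from"] or "accept" not in last["then"]:
        problems.append(f"last term '{last_name}' is not a catch-all accept")

    inst_type = {t[1]: t[3] for t in cmds
                 if t[:1] == ["routing-instances"] and len(t) > 3 and t[2] == "instance-type"}

    for name, term in terms.items():
        for action in term["then"]:
            if not action.startswith("routing-instance "):
                continue
            ri = action.split()[1]
            # The target must be a forwarding instance ...
            if inst_type.get(ri) != "forwarding":
                problems.append(f"term '{name}' points at '{ri}', which is not a forwarding instance")
            # ... whose table receives the interface routes via a rib-group applied to
            # interface-routes; otherwise the proxy's next-hop is unreachable from it.
            rib = f"{ri}.inet.0"
            groups = {t[2] for t in cmds
                      if t[:2] == ["routing-options", "rib-groups"] and t[3:5] == ["import-rib", rib]}
            applied = any(t[:3] == ["routing-options", "interface-routes", "rib-group"] and t[4] in groups
                          for t in cmds if len(t) > 4)
            if not applied:
                problems.append(f"no rib-group imports interface routes into {rib}")
            # ... and it needs a default route so matched traffic actually reaches the proxy.
            if not any(t[:2] == ["routing-instances", ri] and "0.0.0.0/0" in t for t in cmds):
                problems.append(f"instance '{ri}' has no default route toward the proxy")

    # The filter only takes effect once applied as an input filter on an interface.
    if not any(t[:1] == ["interfaces"] and t[2:7] == ["family", "inet", "filter", "input", filter_name]
               for t in cmds):
        problems.append(f"filter {filter_name} is not applied to any interface")
    return problems


if __name__ == "__main__":
    for line in check_fbf(SAMPLE_CONFIG, "to-proxy") or ["OK: configuration is coherent"]:
        print(line)
```

Paste a real configuration (the output of "show configuration | display set") in place of SAMPLE_CONFIG to run the same checks against a live device export; deleting the "term two" lines from the sample shows the catch-all warning that corresponds to the silent-drop failure mode described above.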