6.5-IVEAdminGuide

Jun 03, 2018

  • 8/12/2019 6.5-IVEAdminGuide

    1/1075

    Juniper Networks, Inc.

    1194 North Mathilda Avenue

    Sunnyvale, CA 94089

    USA

    408-745-2000

    www.juniper.net

    Part Number: 65A190410

    Juniper Networks Secure Access

    Administration Guide

    Release 6.5


    This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

    This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

    This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by The Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

    GateD software copyright 1995, The Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.

    Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo, NetScreen-Global Pro, ScreenOS, and GigaScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries.

    The following are trademarks of Juniper Networks, Inc.: ERX, E-series, ESP, Instant Virtual Extranet, Internet Processor, J2300, J4300, J6300, J-Protect, J-series, J-Web, JUNOS, JUNOScope, JUNOScript, JUNOSe, M5, M7i, M10, M10i, M20, M40, M40e, M160, M320, M-series, MMD, NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-SA 1000 Series, NetScreen-SA 3000 Series, NetScreen-SA 5000 Series, NetScreen-SA Central Manager, NetScreen Secure Access, NetScreen-SM 3000, NetScreen-Security Manager, NMC-RX, SDX, Stateful Signature, T320, T640, T-series, and TX Matrix. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice.

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

    Copyright 2008, Juniper Networks, Inc. All rights reserved. Printed in USA.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Year 2000 Notice

    Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    Software License

    The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions.

    Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.

    For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.

    End User License Agreement

    READ THIS END USER LICENSE AGREEMENT ("AGREEMENT") BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

    1. The Parties. The parties to this Agreement are Juniper Networks, Inc. and its subsidiaries (collectively "Juniper"), and the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software ("Customer") (collectively, the "Parties").

    2. The Software. In this Agreement, "Software" means the program modules and features of the Juniper or Juniper-supplied software, and updates and releases of such software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller.

    3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

    a. Customer shall use the Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller, unless the applicable Juniper documentation expressly permits installation on non-Juniper equipment.

    b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees.

    c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer's use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. Customer's use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

    The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.


    4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any locked or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use the Software on non-Juniper equipment where the Juniper documentation does not expressly permit installation on non-Juniper equipment; (j) use the Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; or (k) use the Software in any manner other than as expressly provided herein.

    5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

    6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer's internal business purposes.

    7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

    8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the "Warranty Statement"). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper's or its suppliers' or licensors' liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

    9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's possession or control.

    10. Taxes. All license fees for the Software are exclusive of taxes, withholdings, duties, or levies (collectively "Taxes"). Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software.

    11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer's ability to export the Software without an export license.

    12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

    13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

    14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (GPL) or the GNU Library General Public License (LGPL)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.

    15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présents confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattache, soient rédigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).


    Table of Contents v

    Table of Contents

    About This Guide xxiii

    Audience .... xxiii
    Where to find additional information .... xxiii
        Administrator and developer documentation .... xxiii
        Error Message Documentation .... xxiv
        Hardware documentation .... xxiv
        Product downloads .... xxiv
    Conventions .... xxiv
    Documentation .... xxv
        Release Notes .... xxv
        Web Access .... xxv
    Contacting Customer Support .... xxv

    Part 1 Getting Started

    Chapter 1 Initial Verification and Key Concepts 3

    Verifying User Accessibility .... 3
    Creating a Test Scenario to Learn IVE Concepts and Best Practices .... 5
        Defining a User Role .... 6
        Defining a Resource Profile .... 8
        Defining an Authentication Server .... 10
        Defining an Authentication Realm .... 13
        Defining a Sign-In Policy .... 16
        Using the Test Scenario .... 19
    Configuring Default Settings for Administrators .... 22

    Chapter 2 Introduction to the IVE 25

    What Is the IVE? .... 25
    What Can I Do with the IVE? .... 27
        Can I Use the IVE to Secure Traffic to All of My Company's Applications, Servers, and Web Pages? .... 27
        Can I Use My Existing Servers to Authenticate IVE Users? .... 29
        Can I Fine-Tune Access to the IVE and the Resources It Intermediates? .... 29
        Can I Create a Seamless Integration Between the IVE and the Resources It Intermediates? .... 30
        Can I Use the IVE to Protect Against Infected Computers and Other Security Concerns? .... 31
        Can I Ensure Redundancy in my IVE Environment? .... 31
        Can I Make the IVE Interface Match My Company's Look-and-Feel? .... 31


        Can I Enable Users on a Variety of Computers and Devices to Use the IVE? .... 32
        Can I Provide Secure Access for My International Users? .... 32
    How Do I Start Configuring the IVE? .... 32
    Using Network and Security Manager with the IVE .... 33
        How the IVE and NSM communicate .... 34
        Task Summary: Configuring DMI Communication for NSM .... 35
        Managing Large Binary Data Files .... 37

    Part 2 Access Management Framework

    Chapter 3 General Access Management 49

    Licensing: Access Management Availability .... 50
    Policies, Rules & Restrictions, and Conditions Overview .... 50
        Accessing Authentication Realms .... 50
        Accessing User Roles .... 51
        Accessing Resource Policies .... 51
    Policies, Rules & Restrictions, and Conditions Evaluation .... 53
    Dynamic Policy Evaluation .... 55
        Understanding Dynamic Policy Evaluation .... 55
        Understanding Standard Policy Evaluation .... 56
        Enabling Dynamic Policy Evaluation .... 56
    Configuring Security Requirements .... 57
        Specifying Source IP Access Restrictions .... 58
        Specifying Browser Access Restrictions .... 59
        Specifying Certificate Access Restrictions .... 62
        Specifying Password Access Restrictions .... 63
        Specifying Host Checker Access Restrictions .... 64
        Specifying Cache Cleaner Access Restrictions .... 64
        Specifying Limits Restrictions .... 64
    Federation of User Sessions with IF-MAP .... 66
        IF-MAP Federation Licensing .... 66
        IF-MAP Federation Overview .... 66
        IF-MAP Federation Workflow .... 69
        IF-MAP Federation Details .... 69
        IF-MAP Logging .... 72
        Configuring IF-MAP Federation .... 72
        IF-MAP Servers .... 72
        Configuring IF-MAP Client Settings .... 73
        IF-MAP Federation Network Timing Considerations .... 73
        Session-Export and Session-Import Policies .... 74
        Default Session-Export and Session-Import Policy Action .... 76
        Advanced Session-Export and Session-Import Policies .... 76
        Configuring Session-Export Policies .... 76
        Session-Import Policies .... 78
        Troubleshooting the IF-MAP Federation Network .... 79
        Viewing Active Users on the IF-MAP Client .... 79
        Trusted Server List .... 79


    Chapter 4 User Roles 83

    Licensing: User Roles Availability .... 84
    User Role Evaluation .... 84
        Permissive Merge Guidelines .... 85
    Configuring User Roles .... 86
        Configuring General Role Options .... 87
        Configuring Role Restrictions .... 88
        Specifying Role-Based Source IP Aliases .... 89
        Specifying Session Options .... 89
        Specifying UI Options .... 92
        Defining Default Options for User Roles .... 97
    Customizing UI Views for User Roles .... 99

    Chapter 5 Resource Profiles 103

    Licensing: Resource Profile Availability .... 104
    Task Summary: Configuring Resource Profiles .... 104
    Resource Profile Components .... 104
        Defining Resources .... 107
        Defining Autopolicies .... 108
        Defining Roles .... 109
        Defining Bookmarks .... 110
    Resource Profile Templates .... 111

    Chapter 6 Virtual Desktop Resource Profiles 113

    Configuring a Citrix XenDesktop Resource Profile .... 113
    Configuring a VMware View Manager Resource Profile .... 114
    Defining Bookmarks for a Virtual Desktop Profile .... 116
    Configuring the Client Delivery .... 117
    Connecting to the Servers .... 117

    Chapter 7 Resource Policies 119

    Licensing: Resource Policies Availability .... 120
    Resource Policy Components .... 120
        Specifying Resources for a Resource Policy .... 121
    Resource Policy Evaluation .... 124
    Creating Detailed Rules for Resource Policies .... 125
        Writing a Detailed Rule .... 126
    Customizing Resource Policy UI Views .... 128

    Chapter 8 Authentication and Directory Servers 131

    Licensing: Authentication Server Availability .... 132
    Task Summary: Configuring Authentication Servers .... 132
    Defining an Authentication Server Instance .... 133
        Defining an Authentication Server Instance .... 134
        Modifying an Existing Authentication Server Instance .... 134
    Configuring an Anonymous Server Instance .... 134
        Anonymous Server Restrictions .... 135
        Defining an Anonymous Server Instance .... 135
    Configuring an ACE/Server Instance .... 136
        Defining an ACE/Server Instance .... 137
        Generating an ACE/Agent Configuration File .... 138


    Configuring an Active Directory or NT Domain Instance..............................139Defining an Active Directory or Windows NT Domain Server Instance..140Multi-Domain User Authentication.........................................................143Active Directory and NT Group Lookup Support ....................................144

    Configuring a Certificate Server Instance.......................................................... 145Configuring an LDAP Server Instance...........................................................147

    Defining an LDAP Server Instance.........................................................147Configuring LDAP Search Attributes for Meeting Creators .....................150Monitoring and Deleting Active User Sessions .......................................150Enabling LDAP Password Management .................................................151

    Configuring a Local Authentication Server Instance .....................................155Defining a Local Authentication Server Instance....................................155Creating User Accounts on a Local Authentication Server......................157Managing User Accounts .......................................................................158

    Configuring an NIS Server Instance..............................................................159Configuring a RADIUS Server Instance.........................................................160

    User Experience for RADIUS Users ........................................................161

    Configuring the IVE to Work with a Back-end RADIUS Server................162Enabling RADIUS Accounting ................................................................165

    Configuring an eTrust SiteMinder Server Instance........................................174eTrust SiteMinder Overview ..................................................................174Configuring SiteMinder to Work with the IVE ........................................179Configuring the IVE to Work with SiteMinder ........................................185Debugging SiteMinder and IVE Issues....................................................198

    Configuring a SAML Server Instance ........ 198
        Using the Artifact Profile and the POST Profile ........ 199
        Creating a new SAML Server Instance ........ 203

    Chapter 9 Authentication Realms 207

    Licensing: Authentication Realms Availability ........ 208
    Creating an Authentication Realm ........ 208
    Defining Authentication Policies ........ 210
    Creating Role Mapping Rules ........ 211

        Specifying Role Mapping Rules for an Authentication Realm ........ 212
    Customizing User Realm UI Views ........ 220

    Chapter 10 Sign-In Policies 223

    Licensing: Sign-In Policies and Pages Availability ........ 225
    Task summary: Configuring Sign-In Policies ........ 225
    Configuring Sign-In Policies ........ 225

        Defining Sign-in Policies ........ 226
        Defining authorization-only access policies ........ 227

        Defining Meeting Sign-In Policies ........ 229
        Enabling and Disabling Sign-In Policies ........ 230
        Specifying the Order in Which Sign-In Policies are Evaluated ........ 230

    Configuring Sign-In pages ........ 231
        Configuring Standard Sign-In Pages ........ 232

    Chapter 11 Single Sign-On 235

    Licensing: Single Sign-On Availability ........ 235
    Single Sign-On Overview ........ 235
    Multiple Sign-In Credentials Overview ........ 237

        Task Summary: Configuring Multiple Authentication Servers ........ 237


    Table of Contents

    Table of Contents ix

        Task Summary: Enabling SSO to Resources Protected by Basic Authentication ........ 238

        Task Summary: Enabling SSO to Resources Protected by NTLM ........ 238
        Multiple Sign-In Credentials Execution ........ 240

    Configuring SAML ........ 245
    Configuring SAML SSO Profiles ........ 248

        Creating an artifact profile ........ 248
        Creating a POST Profile ........ 252
        Creating an Access Control Policy ........ 255
        Creating a Trust Relationship Between SAML-Enabled Systems ........ 258

    Chapter 12 Synchronizing User Records 265

    Enabling User Record Synchronization ........ 267
    Configuring the Authentication Server ........ 267
    Configuring the User Record Synchronization Server ........ 268
    Configuring the Client ........ 268

    Configuring the Database ........ 269

    Part 3 Endpoint Defense

    Chapter 13 Host Checker 273

    The TNC Architecture Within Host Checker ........ 273
    Host Checker Overview ........ 274
    Task Summary: Configuring Host Checker ........ 274
    Creating Global Host Checker Policies ........ 276

        Enabling Enhanced Endpoint Security Functionality ........ 277

        Enabling Connection Control Policies (Windows Only) ........ 280
    Creating and Configuring New Client-side Policies ........ 280
        Checking for Third-Party Applications Using Pre-defined Rules (Windows Only) ........ 281
            Configuring a Predefined Antivirus Rule with Remediation Options ........ 283
            Configuring a Predefined Firewall Rule with Remediation Options ........ 285
            Configuring a Pre-defined Anti-Spyware Rule ........ 286
            Configuring Virus Signature Version Monitoring and Patch Assessment Data Monitoring ........ 288
        Specifying Customized Requirements Using Custom Rules ........ 290

            Using a Wildcard or Environment Variable in a Host Checker Rule ........ 297
            Evaluating Multiple Rules in a Single Host Checker Policy ........ 298
            Configuring Patch Assessment Policies ........ 299

    Using Third-Party Integrity Measurement Verifiers ........ 303
        Configuring a Remote IMV Server ........ 303
        Implementing the Third-Party IMV Policy ........ 308

        Combining Multiple Integrity Measurement Rules with Custom Expressions ........ 309
        Enabling Customized Server-side Policies ........ 310

    Implementing Host Checker Policies ........ 311
        Executing Host Checker Policies ........ 312
        Configuring Host Checker Restrictions ........ 314

    Remediating Host Checker Policies ........ 316
        Host Checker Remediation User Experience ........ 317


        Configuring General Host Checker Remediation ........ 318
    Defining Host Checker Pre-Authentication Access Tunnels ........ 321

        Specifying Host Checker Pre-Authentication Access Tunnel Definitions ........ 322
    Specifying General Host Checker Options ........ 325
    Specifying Host Checker Installation Options ........ 327

        Removing the Juniper ActiveX Control ........ 328
        Using Host Checker with the GINA Automatic Sign-In Function ........ 328
        Automatically install Host Checker ........ 329
        Manually install Host Checker ........ 330

    Using Host Checker Logs ........ 330
    Configuring Host Checker for Windows Mobile ........ 331
    Using Proxy Exceptions ........ 331
    Enabling the Secure Virtual Workspace ........ 332

        Secure Virtual Workspace Features ........ 333
        Secure Virtual Workspace Restrictions and Defaults ........ 333
        Configuring the Secure Virtual Workspace ........ 334

    Chapter 14 Cache Cleaner 341

    Licensing: Cache Cleaner Availability ........ 341
    Setting Global Cache Cleaner Options ........ 342
    Implementing Cache Cleaner Options ........ 345

        Executing Cache Cleaner ........ 345
        Specifying Cache Cleaner Restrictions ........ 347

    Specifying Cache Cleaner Installation Options ........ 349
    Using Cache Cleaner Logs ........ 350

    Part 4 Remote Access

    Choosing a Remote Access Mechanism ........ 351

    Chapter 15 Hosted Java Applets Templates 353

    Licensing: Hosted Java Applets Availability ........ 353
    Task Summary: Hosting Java Applets ........ 353
    Hosted Java Applets Overview ........ 354

        Uploading Java Applets To The IVE ........ 355
        Signing Uploaded Java Applets ........ 356
        Creating HTML Pages That Reference Uploaded Java Applets ........ 356
        Accessing Java Applet Bookmarks ........ 357

    Defining Resource Profiles: Hosted Java Applets ........ 358

        Defining Hosted Java Applet Bookmarks ........ 359
    Use case: Creating a Citrix JICA 9.5 Java Applet Bookmark ........ 364
        JICA 9.5 Applet Example ........ 365
        JICA 8.x Applet Example ........ 366

    Chapter 16 Citrix Templates 369

    Citrix Web Template Overview ........ 369
    Comparing IVE Access Mechanisms for Configuring Citrix ........ 370
    Creating Resource Profiles Using Citrix Web Applications ........ 372


    Chapter 17 Lotus iNotes Templates 379

    Chapter 18 Microsoft OWA Templates 383

    Chapter 19 Microsoft Sharepoint Templates 387

    Chapter 20 Web Rewriting 389

    Licensing: Web Rewriting Availability ........ 390
    Task summary: Configuring the Web Rewriting Feature ........ 390
    Web URL Rewriting Overview ........ 392

        Remote SSO Overview ........ 393
        Passthrough Proxy Overview ........ 394

    Defining Resource Profiles: Custom Web Applications ........ 397
        Defining Base URLs ........ 398
        Defining Web Resources ........ 399

        Defining a Web Access Control Autopolicy ........ 400
        Defining a Single Sign-On Autopolicy ........ 401
        Defining a Caching Autopolicy ........ 405
        Defining a Java Access Control Autopolicy ........ 407
        Defining a Rewriting Autopolicy ........ 409
        Defining a Web Compression Autopolicy ........ 413
        Defining a Web Bookmark ........ 414

    Defining Role Settings: Web URLs ........ 416
        Creating Bookmarks Through Existing Resource Profiles ........ 417
        Creating Standard Web Bookmarks ........ 418
        Specifying General Web Browsing Options ........ 419

    Defining Resource Policies: Overview ........ 423
    Defining Resource Policies: Web Access ........ 425

    Defining Resource Policies: Single Sign-On ........ 426
        Defining the Basic, NTLM and Kerberos Resources ........ 426
        Writing a Basic Authentication, NTLM or Kerberos Intermediation Resource Policy ........ 431
        Writing a Remote SSO Form POST Resource Policy ........ 434
        Writing a Remote SSO Headers/Cookies Resource Policy ........ 436

    Defining Resource Policies: Caching ........ 438
        Writing a Caching Resource Policy ........ 438
        Creating OWA and Lotus Notes Caching Resource Policies ........ 441
        Specifying General Caching Options ........ 441

    Defining Resource Policies: External Java Applets ........ 442
        Writing a Java Access Control Resource Policy ........ 442
        Writing a Java Code Signing Resource Policy ........ 444

    Defining Resource Policies: Rewriting ........ 445
        Creating a Selective Rewriting Resource Policy ........ 445
        Creating a Passthrough Proxy Resource Policy ........ 448
        Creating a Custom Header Resource Policy ........ 450
        Creating an ActiveX Parameter Resource Policy ........ 452
        Restoring the Default IVE ActiveX Resource Policies ........ 454
        Creating Rewriting Filters ........ 455

    Defining Resource Policies: Web Compression ........ 455
        Writing a Web Compression Resource Policy ........ 456
        Defining an OWA Compression Resource Policy ........ 457

    Defining Resource Policies: Web Proxy ........ 457
        Writing a Web Proxy Resource Policy ........ 457


        Specifying Web Proxy Servers ........ 459
    Defining Resource Policies: HTTP 1.1 Protocol ........ 460
    Defining Resource Policies: Cross-Domain Access (XMLHttpRequest Calls) ........ 461
    Defining Resource Policies: General Options ........ 463
    Managing Resource Policies: Customizing UI Views ........ 463

    Chapter 21 File Rewriting 465

    Licensing: File Rewriting Availability ........ 465
    Defining Resource Profiles: File Rewriting ........ 465

        Defining File Resources ........ 467
        Defining a File Access Control Autopolicy ........ 468
        Defining a File Compression Autopolicy ........ 468
        Defining a Single Sign-On Autopolicy (Windows Only) ........ 469
        Defining a File Bookmark ........ 470

    Defining Role Settings: Windows Resources ........ 472
        Creating Advanced Bookmarks to Windows Resources ........ 473

        Creating Windows Bookmarks that Map to LDAP Servers ........ 474
        Defining General File Browsing Options ........ 475
    Defining Resource Policies: Windows File Resources ........ 475

        Canonical Format: Windows File Resources ........ 476
        Writing a Windows Access Resource Policy ........ 477
        Writing a Windows SSO Resource Policy ........ 478
        Writing a Windows Compression Resource Policy ........ 480
        Defining General File Writing Options ........ 481

    Defining Role Settings: UNIX/NFS File Resources ........ 482
        Creating Advanced Bookmarks to UNIX Resources ........ 482
        Defining General File Browsing Options ........ 483

    Defining Resource Policies: UNIX/NFS File Resources ........ 484
        Canonical Format: UNIX/NFS File Resources ........ 485
        Writing UNIX/NFS Resource Policies ........ 485
        Writing a UNIX/NFS Compression Resource Policy ........ 486
        Defining General File Writing Options ........ 488

    Chapter 22 Secure Application Manager 489

    Licensing: Secure Application Manager Availability ........ 490
    Task Summary: Configuring WSAM ........ 490
    WSAM Overview ........ 491

        Securing Client/Server Traffic Using WSAM ........ 491
        Launching Network Connect During a WSAM Session ........ 494
        Debugging WSAM Issues ........ 494

    Defining Resource Profiles: WSAM ........ 495
        Creating WSAM Client Application Resource Profiles ........ 495

        Creating WSAM Destination Network Resource Profiles ........ 497
    Defining Role Settings: WSAM ........ 498
        Specifying Applications and Servers for WSAM to Secure ........ 498
        Specifying Applications that Need to Bypass WSAM ........ 501
        Specifying Role-Level WSAM Options ........ 502
        Downloading WSAM Applications ........ 504

    Defining Resource Policies: WSAM ........ 504
        Specifying Application Servers that Users can Access ........ 504
        Specifying Resource Level WSAM Options ........ 506

    Using the WSAM Launcher ........ 507
        Running Scripts Manually ........ 508


        Creating Network Connect Connection Profiles ........ 659
        Defining Network Connect Split Tunneling Policies ........ 666
        Use Case: Network Connect Resource Policy Configuration ........ 667
        Defining Network Connect Bandwidth Management Policies ........ 669

    Defining System Settings: Network Connect ........ 673
        Specifying IP Filters ........ 673
        Downloading the Network Connect installer ........ 674
        Network Connect Installation Process Dependencies ........ 674
        Network Connect Un-installation Process Dependencies ........ 676

    Using the Network Connect Launcher (NC Launcher) ........ 678
        Launching Network Connect On Other Platforms ........ 680

    Troubleshooting Network Connect errors ........ 681
        nc.windows.app.23792 ........ 681
        Version Conflict on Downgrade ........ 681
        Error When Connecting to a FIPS Appliance ........ 682

    Part 5 System Management

    Chapter 28 General System Management 685

    Licensing: System Management Availability ........ 685
    Task Summary: Configuring Management Capabilities ........ 686
    Configuring Network Settings ........ 686

        Bonding Ports ........ 687
        Configuring General Network Settings ........ 687
        Configuring Internal and External Ports ........ 689
        Configuring SFP Ports ........ 692
        Configuring the Management Port ........ 692
        Configuring VLANs ........ 693
        Configuring Virtual Ports ........ 695
        Task Summary: Defining Subnet Destinations Based on Roles ........ 697
        Configuring Static Routes for Network Traffic ........ 697
        Creating ARP Caches ........ 698
        Specifying Host Names for the IVE to Resolve Locally ........ 699
        Specifying IP Filters ........ 699

    Using Central Management Features ........ 700
        Modifying Central Management Dashboard Graphs ........ 700

    Configuring System Utilities ........ 702
        Reviewing System Data ........ 702
        Upgrading or Downgrading the IVE ........ 704
        Setting System Options ........ 704

        Downloading Application Installers ........ 706
    Configuring Licensing, Security, and NCP ........ 709

        Entering or Upgrading IVE Licenses ........ 709
        Activating and Deactivating Emergency Mode ........ 715
        Setting Security Options ........ 716
        Configuring NCP and JCP ........ 719
        Installing a Juniper Software Service Package ........ 720

    Configuring and Using the Management Port ........ 721
        Configuring Management Port Network Settings ........ 722
        Adding Static Routes to the Management Route Table ........ 723
        Assigning Certificate to Management Port ........ 723


        Defining the Target IVEs ........ 794
        Pushing the Configuration Settings ........ 795

    Archiving Secure Meetings ........ 797

    Chapter 31 Logging and Monitoring 799

    Licensing: Logging and Monitoring Availability ........ 799
    Logging and Monitoring Overview ........ 800

        Log File Severity Levels ........ 801
        Custom Filter Log Files ........ 801
        Dynamic Log Filters ........ 802
        Viewing and Deleting User Sessions ........ 802

    Configuring the Log Monitoring Features ........ 803
    Configuring Events, User Access, Admin Access, and IDP Sensor ........ 804

        Creating, Resetting, or Saving a Dynamic Log Query ........ 804
        Specifying Which Events to Save in the Log File ........ 805
        Creating, Editing, or Deleting Log Filters ........ 806

        Creating Custom Filters and Formats for Your Log Files ........ 807
    Monitoring the IVE as an SNMP Agent ........ 808
    Viewing System Statistics ........ 814
    Enabling Client-Side Logs ........ 814

        Enabling Client-Side Logging and Global Options ........ 815
        Enabling Client-Side Log Uploads ........ 816
        Viewing Uploaded Client-Side Logs ........ 817

    Viewing General Status ........ 818
        Viewing System Capacity Utilization ........ 818
        Specifying Time Range and Data to Display in Graphs ........ 819
        Configuring Graph Appearance ........ 819
        Viewing Critical System Events ........ 820
        Downloading the Current Service Package ........ 820
        Editing the System Date and Time ........ 820

    Monitoring Active Users ........ 821
    Viewing and Cancelling Scheduled Meetings ........ 822
    Adding Real Source IP Addresses to Log Messages ........ 823

    Chapter 32 Troubleshooting 825

    Licensing: Troubleshooting Availability ........ 825
    Simulating or Tracking Events ........ 826

        Simulating Events That Cause a Problem ........ 826
        Tracking Events Using Policy Tracing ........ 828

    Recording Sessions ........ 830
    Creating Snapshots of the IVE System State ........ 831
    Creating TCP Dump Files ........ 832

    Testing IVE Network Connectivity ........ 834
        Address Resolution Protocol (ARP) ........ 834
        Ping ........ 834
        Traceroute ........ 834
        NSlookup ........ 835

    Running Debugging Tools Remotely ........ 835
    Creating Debugging Logs ........ 836
    Monitoring Nodes ........ 837
    Configuring Group Communication Monitoring on a Cluster ........ 837
    Configuring Network Connectivity Monitoring on a Cluster ........ 838


    Chapter 33 Clustering 841

    Licensing: Clustering Availability ........ 842
    Task Summary: Deploying a Cluster ........ 842

    Creating and Configuring a Cluster ........ 843
        Defining and Initializing a Cluster ........ 844
        Joining an Existing Cluster ........ 846

    Configuring Cluster Properties ........ 849
        Deploying Two Nodes in an Active/Passive Cluster ........ 849
        Deploying Two or More Units in an Active/Active Cluster ........ 850
        Synchronizing the Cluster State ........ 852
        Configuring Cluster Properties ........ 855

    Managing and Configuring Clusters ........ 856
        Adding Multiple Cluster Nodes ........ 857
        Managing Network Settings for Cluster Nodes ........ 857
        Upgrading Clustered Nodes ........ 858
        Changing the IP Address of a Cluster Node ........ 858

        Upgrading the Cluster Service Package ........ 859
        Deleting a Cluster ........ 859
        Restarting or Rebooting Clustered Nodes ........ 859
        Admin Console Procedures ........ 859
        Monitoring Clusters ........ 861
        Troubleshooting Clusters ........ 862

    Serial Console Procedures ........ 864
        Joining an IVE to a Cluster Through Its Serial Console ........ 864
        Disabling a Clustered IVE by Using Its Serial Console ........ 867

    Chapter 34 Delegating Administrator Roles 869

    Licensing: Delegated Administration Role Availability ........ 870
    Creating and Configuring Administrator Roles ........ 870

        Creating Administrator Roles ........ 871
        Modifying Administrator Roles ........ 871
        Deleting Administrator Roles ........ 872

    Specifying Management Tasks to Delegate ..... 872
    Delegating System Management Tasks ..... 872
    Delegating User and Role Management ..... 873
    Delegating User Realm Management ..... 874
    Delegating Administrative Management ..... 875
    Delegating Resource Policy Management ..... 876
    Delegating Resource Profile Management ..... 877

    Defining General System Administrator Role Settings ..... 878
    Defining Default Options for Administrator Roles ..... 879
    Managing General Role Settings and Options ..... 879

    Specifying Access Management Options for the Role ..... 879
    Specifying General Session Options ..... 880
    Specifying UI Options ..... 881
    Delegating Access to IVS Systems ..... 882

    Chapter 35 Instant Virtual System (IVS) 883

    Licensing: IVS Availability ..... 884
    Deploying an IVS ..... 884

    Virtualized IVE Architecture ..... 886
    Signing In to the Root System or the IVS ..... 887

    Signing-In Using the Sign-In URL Prefix ..... 888


    Configuring a DNS/WINS Server IP Address per Subscriber ..... 934
    Configuring Access to Web Applications and Web Browsing for Each Subscriber ..... 935
    Configuring File Browsing Access for Each Subscriber ..... 936
    Setting Up Multiple Subnet IP Addresses for a Subscriber's End-Users ..... 937
    Configuring Multiple IVS Systems to Allow Access to Shared Server ..... 938

    Chapter 36 IVE and IDP Interoperability 939

    Licensing: IDP Availability ..... 940
    Deployment Scenarios ..... 941
    Configuring the IVE to Interoperate with IDP ..... 942

    Configuring IDP Connections ..... 942
    Interaction Between the IVE and IDP ..... 945
    Defining Automatic Response Sensor Event Policies ..... 945
    Identifying and Managing Quarantined Users Manually ..... 947

    Part 6 System Services

    Chapter 37 IVE Serial Console 951

    Licensing: Serial Console Availability ..... 951
    Connecting to an IVE Appliance's Serial Console ..... 951
    Rolling Back to a Previous System State ..... 952

    Rolling Back to a Previous System State Through the Admin Console ..... 953
    Rolling Back to a Previous System State Through the Serial Console ..... 953

    Resetting an IVE Appliance to the Factory Setting ..... 954
    Performing Common Recovery Tasks ..... 957

    Chapter 38 Customizable Admin and End-User UIs 959

    Licensing: Customizable UI Availability ..... 959
    Customizable Admin Console Elements Overview ..... 959
    Customizable End-User Interface Elements Overview ..... 961

    Chapter 39 Secure Access 6000 963

    Standard Hardware ..... 963
    Secure Access 6000 Field-Replaceable Units ..... 964

    Chapter 40 Secure Access 4500 and 6500 967

    Standard Hardware ..... 967
    SA 6500 Field-Replaceable Units ..... 969
    Replacing the Cooling Fans ..... 970

    Removing and Installing a Cooling Fan ..... 970
    Replacing a Hard Drive ..... 970

    Removing and Installing a Hard Drive ..... 971
    Replacing IOC Modules ..... 971

    Installing an IOM ..... 972
    Removing an IOM ..... 972

    Replacing an AC Power Supply ..... 973
    Removing and Installing an AC Power Supply ..... 973
    Removing and Installing a DC Power Supply ..... 973


    Chapter 41 Secure Access FIPS 975

    Licensing: Secure Access FIPS Availability ..... 975
    Secure Access FIPS Execution ..... 976

    Creating Administrator Cards ..... 977
    Administrator Card Precautions ..... 978

    Deploying a Cluster in a Secure Access FIPS Environment ..... 978
    Creating a New Security World ..... 980

    Creating a Security World on a Stand-Alone IVE ..... 981
    Creating a Security World in a Clustered Environment ..... 982
    Replacing Administrator Cards ..... 982

    Recovering an Archived Security World ..... 983
    Importing a Security World Into a Stand-Alone IVE ..... 984
    Importing a Security World Into a Cluster ..... 984

    Chapter 42 Secure Access 4500 & 6500 FIPS 987

    FIPS Overview ..... 988
    Name and Password Requirements ..... 988
    Initializing a Keystore ..... 988
    Reinitializing the Keystore ..... 989
    Joining a Cluster ..... 990
    Device Certificates ..... 991
    Changing the Security Officer Password ..... 991
    Changing the Web User Password ..... 991
    Resetting the HSM Card In Case Of An Error ..... 992
    Upgrading the HSM Firmware ..... 992
    Binary Importing and Exporting of the Keystore ..... 993

    FIPS Device Status LED Behavior ..... 993

    Chapter 43 Compression 995

    Licensing: Compression Availability ..... 995
    Compression Execution ..... 995
    Supported Data Types ..... 996
    Enabling Compression at the System Level ..... 997
    Creating Compression Resource Profiles and Policies ..... 998

    Chapter 44 Multi-Language Support 999

    Licensing: Multi-Language Support Availability ..... 1000
    Encoding Files ..... 1000
    Localizing the User Interface ..... 1000
    Localizing Custom Sign-In and System Pages ..... 1001

    Chapter 45 Handheld Devices and PDAs 1003

    Licensing: Handheld and PDA Support Availability ..... 1004
    Task Summary: Configuring the IVE for PDAs and Handhelds ..... 1004
    Defining Client Types ..... 1005
    Enabling WSAM on PDAs ..... 1007
    Enabling ActiveSync ..... 1008


    Part 7 Supplemental Information

    Appendix A Writing Custom Expressions 1013

    Licensing: Custom Expressions Availability ..... 1013
    Custom Expressions ..... 1013

    Wildcard Matching ..... 1017
    DN Variables and Functions ..... 1017

    System Variables and Examples ..... 1018
    Using System Variables in Realms, Roles, and Resource Policies ..... 1027

    Using Multi-valued Attributes ..... 1028
    Specifying Fetch Attributes in a Realm ..... 1029
    Specifying the homeDirectory Attribute for LDAP ..... 1030


    Error Message Documentation

    For information about error messages that Network Connect and WSAM display to end-users, refer to Network Connect and WSAM Error Messages.

    For information about error messages that Secure Meeting displays to administrators and end-users, refer to Secure Meeting Error Messages.

    Hardware documentation

    For help during installation, refer to the Quick Start Guide that comes with the product.

    For Secure Access and Secure Access FIPS safety information, refer to the Juniper Networks Security Products Safety Guide.

    For information on how to install hard disks, power supplies, and cooling fans on Secure Access 6000 appliances, refer to the Secure Access 6000 Field Replaceable Units Guide.

    Product downloads

    To download the latest build of the Secure Access and Secure Access FIPS OS and release notes, go to the IVE OS Software page of the Juniper Networks Customer Support Center.

    Conventions

    Table 1 defines notice icons used in this guide, and Table 2 defines text conventions used throughout the book.

    Table 1: Notice icons

    Icon    Meaning              Description
    [icon]  Informational note   Indicates important features or instructions.
    [icon]  Caution              Indicates that you may risk losing data or damaging your hardware.
    [icon]  Warning              Alerts you to the risk of personal injury.

    Table 2: Text conventions (except for command syntax)

    Convention: Bold typeface
    Description: Indicates buttons, field names, dialog box names, and other user interface elements.
    Example: Use the Scheduling and Appointment tabs to schedule a meeting.


    About This Guide

    Documentation

    Release Notes

    Release notes are included with the product software and are available on the Web. In the Release Notes, you can find the latest information about features, changes, known problems, and resolved problems. If the information in the Release Notes differs from the information found in the documentation set, follow the Release Notes.

    Web Access

    To view the documentation on the Web, go to:

    http://www.juniper.net/techpubs/

    Contacting Customer Support

    For technical support, contact Juniper Networks at [email protected], or at 1-888-314-JTAC (within the United States) or 408-745-9500 (from outside the United States).

    Table 2: Text conventions (except for command syntax) (Continued)

    Convention: Plain sans serif typeface
    Description: Represents code, commands, and keywords; URLs, file names, and directories.
    Examples:
      Code: certAttr.OU = 'Retail Products Group'
      URL: Download the JRE application from: http://java.sun.com/j2se/

    Convention: Italics
    Description: Identifies terms defined in text, variable elements, and book names.
    Examples:
      Defined term: An RDP client is a Windows component that enables a connection between a Windows server and a user's machine.
      Variable element: Use settings in the Users > User Roles > Select Role > Terminal Services page to create a terminal emulation session.
      Book name: See the IVE Supported Platforms document.


    Part 1

    Getting Started

    The IVE is a hardened network appliance that provides robust security by intermediating the data streams that flow between external users and internal resources. This section contains the following information about beginning to use and understand the IVE:

    Initial Verification and Key Concepts on page 3

    Introduction to the IVE on page 25


    Chapter 1

    Initial Verification and Key Concepts

    This topic describes the tasks you do after initially installing and configuring your IVE. It assumes that you have already followed the Task Guide in the admin console to update your software image and to generate and apply your Secure Access license key.

    Verifying User Accessibility

    You can easily create a user account in the system authentication server for use in verifying user accessibility to your IVE. After creating the account through the admin console, sign in as the user on the IVE user sign-in page.

    To verify user accessibility:

    1. Select Authentication > Auth. Servers from the admin console.

    2. Select the System Local link.

    The System Local page appears.

    3. Select the Users tab.

    4. Click New.

    The New Local User page appears.

    5. Type testuser1 as the username and enter a password, and then click Save Changes. The IVE creates the testuser1 account.

    6. Use another browser window to enter the machine's URL to access the user sign-in page. The URL is in the format: https://a.b.c.d, where a.b.c.d is the machine IP address you entered in the serial console when you initially configured your IVE.

    7. Click Yes when prompted with the security alert to proceed without a signed certificate. The user sign-in page appears, indicating that you have successfully connected to your IVE appliance. See Figure 1.


    Figure 3: Example Internal Web Page with Browsing Toolbar

    10. Enter the URL to your external corporate site on the IVE home page (see Figure 2), and click Browse. The IVE opens the Web page in the same browser window, so use the button on the toolbar to return to the IVE home page.

    11. Click Browsing > Windows Files on the IVE home page (see Figure 2) to browse through available Windows file shares or Browsing > UNIX/NFS Files to browse through available UNIX NFS file shares.

    After verifying user accessibility, return to the admin console to go through an introduction of key concepts, as described in Creating a Test Scenario to Learn IVE Concepts and Best Practices on page 5.

    Creating a Test Scenario to Learn IVE Concepts and Best Practices

    The IVE provides a flexible access management system that makes it easy to customize a user's remote access experience through the use of roles, resource policies, authentication servers, authentication realms, and sign-in policies. To enable you to quickly begin working with these entities, the IVE ships with system defaults for each. This section describes these system defaults and shows you how to create each access management entity by performing the following tasks:

    Defining a User Role on page 6

    Defining a Resource Profile on page 8

    Defining an Authentication Server on page 10

    Defining an Authentication Realm on page 13

    Defining a Sign-In Policy on page 16


    Using the Test Scenario on page 19

    The following test scenario focuses on using the IVE access management elements to configure access parameters for a user. For information about the system default settings for administrators, see Configuring Default Settings for Administrators on page 22.

    Defining a User Role

    The IVE is preconfigured with one user role called Users. This predefined role enables the Web and file browsing access features, enabling any user mapped to the Users role to access the Internet, corporate Web servers, and any available Windows and UNIX NFS file servers. You can view this role on the User Roles page.

    To define a user role:

    1. Choose Users > User Roles from the admin console. The Roles page appears.

    2. Click New Role. The New Role page appears. See Figure 4.

    3. Enter Test Role in the Name box and then click Save Changes. Wait for the IVE to display the Test Role page with the General tab and Overview link selected. See Figure 8.

    4. Select the Web check box under Access features and then click Save Changes.

    5. Select Web > Options.

    6. Select the User can type URLs in the IVE browser bar check box, and then click Save Changes.

    After completing these steps, you have defined a user role. When you create resource profiles, you can apply them to this role. You can also map users to this role through role mapping rules defined for an authentication realm.

    NOTE: The IVE supports two types of users:

    Administrators: An administrator is a person who may view or modify IVE configuration settings. You create the first administrator account through the serial console.

    Users: A user is a person who uses the IVE to gain access to corporate resources as configured by an administrator. You created the first user account (testuser1) in Verifying User Accessibility on page 3.

    NOTE: After you enable an access feature for a role, configure the appropriate corresponding options that are accessible from the access feature's configuration tab.

    NOTE: To quickly create a user role that enables Web and file browsing, duplicate the Users role, and then enable additional access features as desired.


    Figure 4: New Role Page

    Figure 5: Test Role Page


    Defining a Resource Profile

    A resource profile is a set of configuration options that contains all of the resource policies, role assignments, and end-user bookmarks required to provide access to an individual resource.

    Within a resource profile, a resource policy specifies the resources to which the policy applies (such as URLs, servers, and files) and whether the IVE grants access to a resource or performs an action. Note that the IVE is preconfigured with two types of resource policies:

    Web Access: The predefined Web Access resource policy enables all users to access the Internet and all corporate Web servers through the IVE. By default, this resource policy applies to the Users role.

    Windows Access: The predefined Windows Access resource policy enables all users mapped to the Users role to access all corporate Windows file servers. By default, this resource policy applies to the Users role.

    To define a resource profile:

    1. Select Users > Resource Profiles > Web from the admin console. The Web Applications Resource Profile page appears.

    2. Click New Profile. The Web Applications Resource Profile page appears. See Figure 6.

    NOTE: Delete the default Web Access and Windows Access resource policies if you are concerned about users having access to all of your Web and file content.


    Figure 6: New Web Application Resource Profile Page

    3. Fill in the following information:

    a. In the Type box, keep the default option (Custom)

    b. In the Name box, type Test Web Access

    c. In the Base URL box, type http://www.google.com

    d. Under Autopolicy: Web Access Control, select the check box next to the default policy created by the IVE (http://www.google.com:80/*) and choose Delete.

    e. In the Resource box, type http://www.google.com, select Deny from the Action list, and click Add.

    f. Click Save and Continue. The Test Web Access page appears.

    4. Click the Roles tab.

    a. Select Test Role in the Available Roles box and click Add to move it to the Selected Roles box.


    b. Click Save Changes.

    The IVE adds Test Web Access to the Web Application Resource Policies page and automatically creates a corresponding bookmark that links to google.com.

    After completing these steps, you have configured a Web Access resource profile. Even though the IVE comes with a resource policy that enables access to all Web resources, users mapped to Test Role are still prohibited from accessing http://www.google.com. These users are denied access because the autopolicy you created during the resource profile configuration takes precedence over the default Web access policy that comes with the IVE.
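    The precedence just described, modelled in Python as an added example (this is not Juniper's code and not how the appliance is implemented). It assumes first-match evaluation with profile autopolicies ordered ahead of the shipped defaults, that a resource written without a path (as in step 3e) covers every path on that host, and a closed default of deny when no policy matches; the user testuser1 is constructed as mapped to both Users and Test Role.

```python
# Added example (not Juniper's code): a simplified model of first-match Web
# resource-policy evaluation that reproduces the outcome described above.
# Assumptions: policies are checked in order and the first one whose roles
# include one of the user's roles and whose resource matches the URL decides;
# profile autopolicies sit ahead of the shipped defaults; a resource written
# without a path matches every path on that host; no match means deny.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ResourcePolicy:
    name: str
    resource: str      # "*" or a URL pattern such as http://www.google.com:80/*
    roles: frozenset   # roles the policy applies to
    action: str        # "allow" or "deny"


def normalize(url: str) -> str:
    """Canonicalise to scheme://host:port/path so that http://www.google.com
    and http://www.google.com:80/ compare equal; query strings are dropped."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return f"{scheme}://{host}:{port}{parts.path or '/'}"


def matches(pattern: str, url: str) -> bool:
    """Glob-style match of a resource pattern against a requested URL. In this
    model an explicit http:// pattern does not cover https:// requests."""
    if pattern == "*":
        return True
    if not urlsplit(pattern).path:      # assumption: no path means whole host
        pattern += "/*"
    return fnmatchcase(normalize(url), normalize(pattern))


def evaluate(policies, user_roles, url):
    """Return (action, policy name) from the first matching policy, or the
    closed default of deny when nothing matches (assumption)."""
    for policy in policies:
        if policy.roles & user_roles and matches(policy.resource, url):
            return policy.action, policy.name
    return "deny", "(no matching policy)"


# The policy shipped with the IVE: every user in the Users role may reach any
# Web resource through the IVE.
DEFAULT_WEB_ACCESS = ResourcePolicy(
    "Web Access", "*", frozenset({"Users"}), "allow")

# The autopolicy left in the Test Web Access profile after steps 3d and 3e.
TEST_WEB_AUTOPOLICY = ResourcePolicy(
    "Test Web Access autopolicy", "http://www.google.com",
    frozenset({"Test Role"}), "deny")


def policy_chain(keep_defaults: bool = True):
    """Profile autopolicies first, then the shipped defaults (if kept)."""
    chain = [TEST_WEB_AUTOPOLICY]
    if keep_defaults:
        chain.append(DEFAULT_WEB_ACCESS)
    return chain


if __name__ == "__main__":
    # Constructed sample: testuser1 mapped to Users by default and to Test Role
    # through a role mapping rule.
    roles = frozenset({"Users", "Test Role"})
    for url in ("http://www.google.com/search?q=ive",
                "https://www.google.com/",
                "http://intranet.example.test/"):
        print(url, "->", evaluate(policy_chain(), roles, url))
    # Reversing the order lets the permissive default win: under first-match
    # evaluation, precedence is the whole story.
    print(evaluate(list(reversed(policy_chain())), roles,
                   "http://www.google.com/"))
```

    Running it also shows why the NOTE above suggests removing the default Web Access policy: with the defaults kept, every URL not named by a deny autopolicy falls through to "allow", and an https:// request to the same host is not caught by an http:// deny in this model.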

    Defining an Authentication Server

    An authentication server is a database that stores user credentials (username and password) and typically group and attribute information. When a user signs in to an IVE, the user specifies an authentication realm, which is associated with an authentication server. The IVE forwards the user's credentials to this authentication server to verify the u