8/8/2019 ug_HSC
1/23
NETSCREEN HARDWARE SECURITY
Copyright Notice
Copyright 2004 Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
Information in this document is subject to change without notice.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:
Juniper Networks, Inc.
ATTN: General Counsel
1194 N. Mathilda Ave.
Sunnyvale, CA 95014
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Consult the dealer or an experienced radio/TV technician for help.
- Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.
NetScreen Hardware Security Client iii
Contents
Preface v
  Organization v
  CLI Conventions v
  Juniper Networks NetScreen Publications vi
Chapter 1 Connecting the Device
  Connecting to the Network
  Connecting the Power
Chapter 2 Configuring the Device
  About Default Settings
  Accessing the Device
  Configuring the Device
  Verifying External Connectivity
  Restoring Default Settings
Chapter 3 Managing the Device
  Centralized Management
  Local Management
  AntiVirus Scanning
Chapter 4 Hardware Descriptions
  Port and Power Connectors
  Status LEDs
Appendix A Specifications
Preface
The Juniper Networks NetScreen-Hardware Security Client provides IPSec VPN and firewall services for a broadband telecommuter, a branch office, or a retail outlet. The NetScreen-Hardware Security Client uses the same firewall, VPN, and traffic management technology as NetScreen's high-end central site products.
ORGANIZATION
This guide has four chapters and one appendix:
- Chapter 1, Connecting the Device, describes how to connect the NetScreen-Hardware Security Client to the network and a power source.
- Chapter 2, Configuring the Device, describes how to access and configure the NetScreen-Hardware Security Client.
- Chapter 3, Managing the Device, describes the management options for the NetScreen-Hardware Security Client, including how to enable AntiVirus Scanning.
- Chapter 4, Hardware Descriptions, describes the NetScreen-Hardware Security Client chassis.
- Appendix A, Specifications, provides general system specifications for the NetScreen-Hardware Security Client.
CLI CONVENTIONS
The following conventions are used when presenting the syntax of a command line interface (CLI) command:
- Anything inside square brackets [ ] is optional.
- Anything inside braces { } is required.
- If there is more than one choice, each choice is separated by a pipe ( | ). For example,
    set interface { ethernet1 | ethernet2 | ethernet3 } manage
  means set the management options for the ethernet1, ethernet2, or ethernet3 interface.
- Variables appear in italic. For example:
    set admin user name1 password xyz
When a CLI command appears within the context of a sentence, it is in bold (except for variables, which are always in italic). For example: Use the get system command to display the serial number of a NetScreen device.
Note: When typing a keyword, you only have to type enough letters to identify the word uniquely. For example, typing set adm u joe j12fmt54 is enough to enter the command set admin user joe j12fmt54. Although you can use this shortcut when entering commands, all the commands documented here are presented in their entirety.
JUNIPER NETWORKS NETSCREEN PUBLICATIONS
To obtain technical documentation for any Juniper Networks NetScreen product, visit www.netscreen.com/resources/manuals/.
To obtain the latest software version, visit: www.netscreen.com/services/download_soft. Select a category of software product from the dropdown list, then follow the displayed instructions. (You must be a registered user to download Juniper Networks NetScreen software.)
If you find any errors or omissions in the following content, please contact us at the e-mail address below:
Chapter 1 Connecting the Device
This chapter describes how to connect the Juniper Networks NetScreen-Hardware Security Client to the network and a power source.
CONNECTING TO THE NETWORK
To enable the NetScreen-Hardware Security Client to provide firewall and general security for your network, you must connect the Untrusted port to the Internet and the Trusted ports to your internal network.
Connecting the Untrusted Port
The Untrusted port handles traffic between the device and the Internet or other outside computers. The NetScreen-Hardware Security Client contains one Untrusted port that you can use to connect to an external router, DSL modem, or cable modem. To connect the device to the Internet, use the provided Ethernet cable between the Untrusted port on the device and an external router or modem.
Connecting the Trusted Ports
A Trusted port handles traffic between the device and your internal workstations. The NetScreen-Hardware Security Client contains four Trusted ports that you can use to connect LANs or workstations:
- To connect the device to a LAN via an internal switch or hub, use an Ethernet cable between a Trusted port and a port on the switch or hub.
- To connect the device directly to a workstation, use an Ethernet cable between a Trusted port and the workstation Ethernet port.
CONNECTING THE POWER
To connect a power source to the NetScreen-Hardware Security Client device:
1. Plug the DC connector end of the power cable into the DC power receptacle on the back of the device.
2. Plug the AC adapter end of the power cable into an AC power source.
Note: For safety warnings and instructions, refer to the NetScreen Safety Guide. The instructions in the Safety Guide warn you about situations that could cause bodily injury. Before working on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
Warning: Juniper Networks recommends using a surge protector for the power connection.
Chapter 2 Configuring the Device
This chapter describes how to access and configure a Juniper Networks NetScreen-Hardware Security Client.
Before you configure the device, ensure that you have connected it to your network and to a power source as detailed in Connecting the Device on page 1.
After completing the device configuration, your network users can access the Internet through the Juniper Networks device while resources in your network are protected from outside computers. The Juniper Networks device includes a default policy that permits your network workstations to use any service to access outside computers and denies outside computers access to your network workstations.
To configure additional policies that direct the Juniper Networks device to permit outside computers to start specific kinds of sessions with your computers, you must use NetScreen-Security Manager 2004 or ScreenOS CLI commands:
- For details on firewall policies in NetScreen-Security Manager, see the Configuring Firewall Policies chapter in the Juniper Networks NetScreen-Security Manager 2004 Administrator's Guide.
- For details on VPN policies in NetScreen-Security Manager, see the Configuring VPN Policies chapter in the Juniper Networks NetScreen-Security Manager 2004 Administrator's Guide.
- For details on creating or modifying policies with ScreenOS CLI commands, see the NetScreen Concepts & Examples ScreenOS Reference Guide.
After you configure the device, you should verify that the device is working correctly (for details, see Verifying External Connectivity on page 11).
If you experience problems completing a configuration, you can restore the device to its default settings (for details, see Restoring Default Settings on page 11).
Note: You cannot create firewall policies or VPNs using the NetScreen-Hardware Security Client WebUI.
ABOUT DEFAULT SETTINGS
The NetScreen-Hardware Security Client includes pre-defined, default settings:
Typically, you need to change only a few default settings to make your device operational on your network. Some settings are required, meaning you must change the default values to values that are relevant for your network before the device is operational. Other settings are optional, meaning you can use the pre-defined default values.
This guide does not describe optional settings; for details on configuring an optional setting, see the appropriate sections in the NetScreen Concepts & Examples ScreenOS Reference Guide.
The following sections detail the information you will need to configure the device.
Untrust Interface Address (Required)
The Untrust interface is bound to the Untrust zone and is configured with the IP address 0.0.0.0/0. You must configure an IP address for the Untrust interface to enable the Juniper Networks device (and the workstations on your network) to connect to the Internet. This IP address represents your network to the outside world and is obtained from your Internet Service Provider (ISP) in one of the following ways:
- You receive a specific, fixed IP address and netmask for your network from your Internet Service Provider (ISP).
- Your network receives an IP address from a server via Dynamic Host Configuration Protocol (DHCP).
- Your network receives an IP address from a server via Point-to-Point Protocol over Ethernet (PPPoE).
[Figure: default settings. Trust Interface 192.168.1.1/24 in the Trust Zone connects through a Hub to your network; Untrust Interface 0.0.0.0/0 in the Untrust Zone connects through an External Router to the Internet. Callouts: the Juniper Networks device assigns IP addresses to devices in your network via DHCP; all types of traffic originated from your network are allowed to the Internet, but traffic originated from the Internet is not allowed to your network; WebUI and Telnet access to the Juniper Networks device is allowed from any device in the subnetwork.]
Admin Name/Password (Required)
Any user in the subnetwork who knows the device admin name and password can access and configure the Juniper Networks device. Because all Juniper Networks FW/VPN devices use the same default admin name and password (netscreen, netscreen), Juniper Networks highly recommends that you change your login and password to the Juniper Networks device.
Port Mode (Optional)
The port mode is the binding of physical ports, logical interfaces, and zones. The default port mode, Trust-Untrust, binds the Trust interface to the Trust zone and the Untrust interface to the Untrust zone. Changing the port mode changes these bindings.
This guide details how to configure your device in the Trust-Untrust port mode only. For details on port modes and how to change them, see the Zones chapter in Volume 2 of the NetScreen Concepts & Examples ScreenOS Reference Guide.
Warning: Because changing the port mode removes any existing configurations on the Juniper Networks device, you should change the port mode before configuring the device.
Management (Optional)
You can configure the following management settings:
- Specify the connection protocol (Telnet, SSH) that a host can use to communicate with the device.
- Specify the communication parameters that enable the device to connect to NetScreen-Security Manager 2004 for management.
For details, see the Administration chapter in Volume 3 of the NetScreen Concepts & Examples ScreenOS Reference Guide.
Operational Mode (Optional)
The operational mode defines how your device operates with its connected networks. By default, the NetScreen-Hardware Security Client operates in Route mode with Network Address Translation (NAT) enabled on the Trust interface. In this operational mode, when workstations in the Trust zone send traffic to the Internet, the device replaces the original source IP addresses with the IP address of the Untrust interface. Because the device assigns private IP addresses to your network workstations, these addresses are never seen by computers outside your network.
For details on configuring the device for Route mode without NAT enabled, see the Interface Modes chapter in Volume 2 of the NetScreen Concepts & Examples ScreenOS Reference Guide.
Note: The NetScreen-Hardware Security Client does not support Transparent mode.
Trust Interface Address (Optional)
The Trust interface is bound to the Trust zone and is configured with the subnetwork address 192.168.1.1/24. All workstations that you connect to the Trust interface must be in the same subnetwork and have IP addresses in that subnetwork. The NetScreen-Hardware Security Client can also use DHCP to automatically assign IP addresses for the 192.168.1.1/24 subnetwork to your network workstations.
You might need to change the IP address and netmask of the Trust interface to match the IP addresses that already exist on your network. If you do change the Trust IP, you must also change the range of addresses that the DHCP server assigns to your network workstations, or disable the DHCP server on the Trust interface.
For details on assigning a different IP address and netmask to the Trust interface, see the Interfaces chapter in Volume 2 of the NetScreen Concepts & Examples ScreenOS Reference Guide.
For details on changing the DHCP settings for the Juniper Networks device, see the System Parameters chapter in Volume 2 of the Juniper Networks NetScreen Concepts & Examples ScreenOS Reference Guide.
ACCESSING THE DEVICE
Before you attempt to access the device, ensure that you have connected it to your network and to a power source. You can access the NetScreen-Hardware Security Client using one of the following methods:
- Rapid Deployment, a method for configuring a Juniper Networks device for management by NetScreen-Security Manager 2004, an integrated management system for all Juniper Networks FW/VPN devices. In the Rapid Deployment process, the NetScreen-Security Manager administrator generates a small configuration file (called a configlet) in the management system, then sends the configlet to the on-site administrator, who uses the configlet to automatically configure the device. For details and step-by-step instructions on using Rapid Deployment to configure your device, see the Getting Started Guide for the NetScreen-Hardware Security Client.
- WebUI, a graphical user interface that enables you to access the device through a Web browser. To use the WebUI, you must be on the same subnetwork as the device.
- Telnet, a command line application that enables you to access the device through an IP network. To access and configure the device, you use ScreenOS Command Line Interface (CLI) commands in a Telnet session from your workstation. You can also access remote Juniper Networks devices using Secure Shell (SSH) applications. For details on using SSH, see the Administration volume of the NetScreen Concepts & Examples ScreenOS Reference Guide.
Note: The NetScreen-Hardware Security Client does not have a console port.
CONFIGURING THE DEVICE
You can configure the required device settings using Rapid Deployment, the WebUI or CLI commands via a Telnet connection. For a required setting, you must change the default value to a value that is relevant for your network before the device is operational.
The instructions below detail how to configure your device using the WebUI or CLI commands via Telnet. For instructions on using Rapid Deployment to configure the device, see the Getting Started Guide for the NetScreen-Hardware Security Client.
If you experience problems completing a configuration, you can restore the device to its default settings (see Restoring Default Settings on page 11). To troubleshoot basic device problems, see the NetScreen-Hardware Security Client Administrator's Guide.
Using the WebUI
You can configure the device using the WebUI Initial Configuration Wizard. To use the WebUI, you must be on the same subnetwork as the Juniper Networks device.
Accessing the Device
To access the NetScreen-Hardware Security Client device using the WebUI:
1. Connect a workstation (or your LAN hub) to the Trusted ports, as described in Connecting to the Network on page 1.
2. Configure the workstation to be on the same subnet as the device using one of the following methods:
   - Using DHCP. Configure your workstation to automatically receive an IP address from the Juniper Networks device using DHCP (ensure that your internal network does not already use a DHCP server).
   - Using a Static IP address. Configure your workstation to use a static IP address that is on the 192.168.1.0 network.
   For help, see your PC operating system documentation.
3. If necessary, restart your workstation. Some operating systems must be restarted before new settings can take effect.
4. Launch a Web browser, type the IP address for the Trust interface in the URL field, and then press Enter. After a few moments, the Initial Configuration Wizard appears.
   Example: If the IP address of the Trust interface on the Juniper Networks device is 192.168.1.1/24, type the following: 192.168.1.1
Note: This guide does not describe optional settings; for details on configuring an optional setting, see the appropriate sections in the Juniper Networks NetScreen Concepts & Examples ScreenOS Reference Guide.
Using the Wizard
To configure the device using the WebUI, follow the instructions in the Initial Configuration Wizard. This wizard appears when you access the WebUI for the first time, and helps you configure the default settings on the device:
1. Select No, use the Initial Configuration Wizard instead, and then click Next to continue.
   If you have received a configlet from your NetScreen-Security Manager administrator to help you configure the device, do not continue to use the instructions below. Please see the Getting Started Guide for the NetScreen-Hardware Security Client for details on using a configlet for Rapid Deployment.
   If you want to skip the Wizard and go directly to the WebUI to configure the device, then select No, skip the Wizard and go straight to WebUI management session.
2. Select No Plain Configuration File, and then click Next to continue. The Initial Configuration Welcome screen appears. Click Next to continue.
3. Check the Enable NAT check box if you want the device to be in Route mode with NAT enabled. Click Next to continue.
4. Type the device admin name and password. Click Next to continue.
5. Type the information that describes how your device connects to the Internet:
   - If your device uses DHCP to obtain an IP address for the Untrust zone interface, select Dynamic IP via DHCP.
   - If your device uses a PPPoE connection to obtain an IP address for the Untrust zone interface, select Dynamic IP via PPPoE. Selecting this option enables your Juniper Networks device to act as a PPPoE client that can receive an IP address for the Untrust zone interface from an ISP. Type the user name and password for your PPPoE account.
   - If your device uses a static IP address for the Untrust zone interface, select Static IP. Selecting this option enables your Juniper Networks device to use a unique and fixed IP address for the Untrust zone interface. Type the IP address, Netmask, and Gateway for the device.
     The IP address is the IP address of the interface that is connected to the external router, cable modem, or DSL modem. The gateway address is the IP address of the router port connected to the Juniper Networks device.
   Click Next to continue.
6. Configure the IP address of the Trust zone interface:
   - To use the existing IP address, simply click Next.
   - To change the existing IP address, type the new IP address and netmask, then click Next.
   If you change the IP address and netmask of the Trust zone interface, your PC and the Trust interface of the Juniper Networks device may then be on different subnetworks. To continue managing the Juniper Networks device through the WebUI, ensure that both your PC and the Juniper Networks device are in the same IP network and use the same netmask.
7. Configure DHCP for the Trust zone interface:
   - Yes. If using NAT mode, enable DHCP to automatically assign IP addresses to workstations in the Trust zone.
   - No. If using Route mode, disable DHCP.
   Click Next to continue.
8. Configure the management system for the device:
   - Select Yes to configure the device to connect to NetScreen-Security Manager. Click Next to continue and go to step 9.
   - Select No to configure the connection protocols for the device, but not connect to NetScreen-Security Manager. Click Next to continue and go to step 10.
9. Type the communication parameters that enable the device to connect to NetScreen-Security Manager:
   - Security Manager Address. Type the IP address of the Security Manager device-server (provided by the Security Manager administrator).
   - Device ID. Type the device ID of the device (provided by the Security Manager administrator).
   - One Time Password. Type a one time password. When the device connects to Security Manager, the one time password authenticates the initial connection.
   - Port Number. Type the port number on the Security Manager device-server (provided by the Security Manager administrator).
   - Admin Name. Type the name of the device admin.
   - Admin Password. Type the password of the device admin.
   Click Next to display the configuration summary and go to step 11.
10. Configure the connection protocols for the device untrusted port. You can enable one or both protocols.
   - SSH. To access and manage the device remotely using SSH, you must enable SSH on the device untrusted port.
   - Telnet. To access and manage the device remotely using Telnet, you must enable Telnet on the device untrusted port.
   Click Next to display the configuration summary.
11. Review the configuration information:
   - Click Previous to re-type configuration information.
   - Click Next to type the configuration.
After you have configured the device, a confirmation screen appears.
- To verify that the device has connectivity to the Internet, see Verifying External Connectivity on page 11.
- To use the WebUI to view or change the device configuration, open a Web browser and type the IP address for the Trust interface in the URL field. At the login prompt, type the device admin name and password and click Enter to display the WebUI.
- To restore the default device settings on the device, see Restoring Default Settings on page 11.
Using Telnet
You can access and configure the device using ScreenOS CLI commands. Follow the instructions in the sections below to change the required settings for the device.
Accessing the Device
To access the device:
1. Connect your workstation (or your LAN hub) to the Trusted ports, as described in Connecting to the Network on page 1.
2. Start a Telnet client application to the IP address for the Trust interface. For example, if the IP address of the Trust interface on the Juniper Networks device is 192.168.1.1/24, type the following: 192.168.1.1
3. Type netscreen in both the admin name and password prompts. (Use lowercase letters only. The admin name and password fields are both case sensitive.)
Configuring the Untrust Interface
Your network uses the Untrust interface on the Juniper Networks device to connect to the Internet. If you are setting up your Internet connection for the first time, contact your ISP for information on your network IP address assignment.
In a Telnet session:
- If your ISP gave you a specific, fixed IP address and netmask for your network, configure the IP address and netmask for the network and the IP address of the router port connected to the Juniper Networks device by typing the following CLI commands:
    set interface untrust ip ip_addr/mask
    set interface untrust gateway ip_addr
    save
- If your network receives an IP address from a server via DHCP, enable the DHCP client by typing the following CLI commands:
    set interface untrust dhcp client enable
    save
- If your network receives an IP address from a server via PPPoE, configure the user name and password assigned by your ISP by typing the following CLI commands:
    set pppoe interface untrust
    set pppoe username name_str password pswd_str
    save
Configuring Admin Name/Password
Because all Juniper Networks NetScreen products use the same default admin name and password (netscreen), you should change the default admin name and password immediately.
In a Telnet session, type the following CLI commands:
    set admin name name_str
    set admin password pswd_str
    save
For information on creating different levels of administrators, see the Administration chapter in Volume 3 of the NetScreen Concepts & Examples ScreenOS Reference Guide.
VERIFYING EXTERNAL CONNECTIVITY
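The two settings this chapter marks as required (an Untrust interface address and a changed admin name/password) are easy to miss on a device that was brought up in a hurry. The script below is an added example, not code from the guide or from ScreenOS: it audits a saved configuration written in the `set ...` form used above. The sample configurations are constructed for the example; the line forms `set admin name`, `set admin password` and `set interface untrust manage <protocol>`, and the assumption that an untouched factory password leaves no `set admin password` line, are assumptions of this example rather than facts the guide states.

```python
"""Audit a ScreenOS-style saved configuration for the settings this guide
marks as required, plus management protocols exposed on the Untrust side.
Constructed example; not part of ScreenOS or of this guide."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_ADMIN = "netscreen"       # factory admin name and password (see text above)
DEFAULT_UNTRUST_IP = "0.0.0.0/0"  # factory Untrust interface address (see text above)


@dataclass
class Finding:
    severity: str   # "required": device is not operational/safe per this guide; "warning": exposure
    message: str


@dataclass
class AuditResult:
    untrust_addressed: bool = False          # static IP, DHCP client or PPPoE configured
    admin_name: str = DEFAULT_ADMIN
    password_set: bool = False
    untrust_manage: List[str] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)


def _arg(pattern: str, line: str) -> Optional[str]:
    """Match a `set ...` line and return its first argument, quotes stripped."""
    m = re.match(pattern, line)
    return m.group(1).strip('"') if m else None


def audit_config(config_text: str) -> AuditResult:
    r = AuditResult()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip = _arg(r"set interface untrust ip (\S+)$", line)
        if ip is not None:
            if ip != DEFAULT_UNTRUST_IP:
                r.untrust_addressed = True
        elif line in ("set interface untrust dhcp client enable",
                      "set pppoe interface untrust"):
            r.untrust_addressed = True          # the two dynamic options shown above
        else:
            name = _arg(r"set admin name (\S+)$", line)
            proto = _arg(r"set interface untrust manage (\S+)$", line)
            if name is not None:
                r.admin_name = name
            elif _arg(r"set admin password (\S+)$", line) is not None:
                r.password_set = True           # assumption: absent line = factory default
            elif proto is not None:
                r.untrust_manage.append(proto)  # assumed line form for management protocols

    if not r.untrust_addressed:
        r.findings.append(Finding("required",
            "Untrust interface still at 0.0.0.0/0: no static IP, DHCP client or PPPoE configured"))
    if r.admin_name == DEFAULT_ADMIN:
        r.findings.append(Finding("required", "admin name is still the factory default 'netscreen'"))
    if not r.password_set:
        r.findings.append(Finding("required", "admin password never changed from the factory default"))
    if "telnet" in r.untrust_manage:
        r.findings.append(Finding("warning",
            "Telnet management enabled on the Internet-facing Untrust interface; "
            "Telnet sends the admin credentials in cleartext, prefer SSH"))
    return r


# Constructed sample configurations (not captured from a real device).
SAMPLE_UNHARDENED = """
set interface trust ip 192.168.1.1/24
set interface trust dhcp server enable
set interface untrust ip 0.0.0.0/0
set interface untrust manage telnet
"""

SAMPLE_HARDENED = """
set interface trust ip 192.168.1.1/24
set interface untrust dhcp client enable
set admin name "fwadmin"
set admin password "PLACEHOLDER_HASH"
set interface untrust manage ssh
"""

if __name__ == "__main__":
    for label, cfg in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
        result = audit_config(cfg)
        print(f"{label}: {len(result.findings)} finding(s)")
        for f in result.findings:
            print(f"  [{f.severity}] {f.message}")
```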
RESTORING DEFAULT SETTINGS
To restore the device to its default settings:
1. Locate the reset pinhole on the back panel. Using a thin, firm wire (such as a paper clip), push the pinhole until the Status LED turns from blinking green to orange, and then back to blinking green. Release the pinhole.
2. Wait for four seconds.
3. Push the reset pinhole again. When the Status LED turns to red, and then to green, release the pinhole.
4. The device resets to its original factory settings and restarts. After the device starts up (should take about 30 seconds), ensure that the Power LED and Status LED both blink green.
If you do not follow the complete sequence, the reset process cancels without changing the configuration, and the Status LED blinks green. If the device did not reset, an SNMP alert is sent to confirm the failure.
[Figure: rear panel showing the Reset Pinhole]
Chapter 3 Managing the Device
This chapter describes the management options for your Juniper Networks NetScreen-Hardware Security Client and details the antivirus scanning feature.
After you have connected the device to your network and configured it, you can begin using centralized or local management to control device functionality.
CENTRALIZED MANAGEMENT
Your NetScreen-Hardware Security Client is designed to be managed using NetScreen-Security Manager 2004, an integrated management system for all NetScreen FW/VPN devices. For details on using NetScreen-Security Manager to manage your NetScreen FW/VPN devices, see the NetScreen-Security Manager 2004 Administrator's Guide.
LOCAL MANAGEMENT
You can use the WebUI or ScreenOS CLI commands (using Telnet or SSH) to manage the NetScreen-Hardware Security Client.
WebUI
The WebUI is a graphical user interface that enables you to manage the device using a Web browser. To use the WebUI, you must be on the same subnetwork as the device.
You can use the WebUI to manage specific device functionality:
- Configure basic device settings
- View the device configuration
- Monitor system, firewall, and VPN status
- Monitor system, firewall, and VPN events
- Configure the device for management by NetScreen-Security Manager 2004
To manage additional device functionality, you must use NetScreen-Security Manager or ScreenOS CLI commands.
CLI
ScreenOS Command Line Interface (CLI) commands enable you to manage the device in a Telnet or Secure Shell (SSH) session.
You can use CLI commands to manage all device functionality. For details on ScreenOS CLI commands, see the NetScreen CLI Reference Guide.
ANTIVIRUS SCANNING
Your device includes internal antivirus scanning to detect viruses in specific application-layer transactions. When antivirus scanning is enabled, the device uses an internal antivirus scan engine developed by Trend Micro to examine SMTP, HTTP (webmail only) or POP3 traffic for known virus patterns.
By default, the device automatically passes all permitted SMTP, HTTP, and POP3 traffic to the internal antivirus scan engine. After verifying that it has received the entire content of the packet, the internal antivirus scan engine examines the data for viruses:
- If a virus is detected, the device drops the content and sends a message to the client indicating that the content was infected.
- If no virus is detected, the device forwards the content to its intended destination.
The antivirus scan engine can examine up to 16MB of concurrent messages. If the total size of messages received concurrently exceeds this amount, the scan engine bypasses the content (does not scan it). For example, the internal antivirus scan engine can receive and examine four 4MB messages concurrently. If the internal antivirus scan engine receives 17 1MB messages concurrently, it would drop or pass the traffic depending on content.
For HTTP traffic scanning, the device can redirect Web server responses to the internal antivirus scan engine before forwarding the traffic to the client.
For details on the antivirus scan engine, see the AntiVirus Scanning section in Volume 4 (Attack Detection and Defense Mechanisms) of the NetScreen Concepts & Examples ScreenOS Reference Guide.
Hardware Descriptions
This chapter details the Juniper Networks NetScreen-Hardware Security Client chassis.
PORT AND POWER CONNECTORS
The rear panel of the NetScreen-Hardware Security Client contains port and power connectors.
Use the DC power receptacle to connect the device to a power source.
Use the Reset pinhole to reset the device and restore its factory default settings.
The NetScreen-Hardware Security Client includes the following ports:

Port        Description                                      Connector   Speed/Protocol
Untrusted   Enables an Internet connection through an       RJ-…        … Mbps Ethernet
            external router, DSL modem, or cable modem.
… Ports     Enables direct connections to workstations      RJ-…        … Mbps Ethernet
            or a LAN connection through a switch or hub.
            Use this connection to manage the device
            through a Telnet session or the WebUI
            management application.

STATUS LEDS
The front panel of the NetScreen-Hardware Security Client device has power and status LEDs for the device, and port status LEDs for the interfaces.
(Figure: Port Status LEDs, Status LED, Power LED)
Interpreting Power Status LEDs
The power status LED indicates whether the device is receiving power, and the status LED indicates the state of the device. The following table describes the status possibilities for each LED:

LED      LED Color   Meaning of the LED
POWER    Green       Solid On indicates the system is receiving power.
         Off         Off indicates the system is not receiving power.
STATUS   Amber       Solid On indicates the system is not communicating with the NMS.
         Green       Blinking On indicates the system is functioning.
         Amber       Blinking On indicates a factory default or a failed upgrade.
         Off         Off indicates the system is not operational.

Interpreting Port Status LEDs
The port status LEDs indicate whether the ports on the device are operating properly. The following table describes the status possibilities for the ports.

LED             LED Color   Meaning of the LED
Link/Activity   Green       Blinking On indicates the device detects Ethernet traffic for the port.
                            Solid On indicates the port has established a link with another device.
                            Off indicates the port has not established a link with another device.
…               Green       Solid On indicates the port is connected to a …Base-T device.
                Amber       Solid On indicates the port is connected to a …Base-T device.
Appendix: Specifications
This appendix provides general system specifications for the Juniper Networks NetScreen-Hardware Security Client.

Attributes
Height: … inches (… cm)
Depth: … inches (… cm)
Width: … inches (… cm)
Weight: … pounds (… g)

Electrical
               Switching Regulator    Linear Regulator
AC voltage     … VAC, … Hz            … VAC, … Hz
AC Watts       … Watts                … Watts
DC voltage     … Volts                … Volts

Environmental
Temperature, operating (normal altitude): … °C (… °F)
Relative humidity: … (non-condensing)

Certifications
Safety: UL/CUL, CB, CSA, EN …, IEC …, PSE Mark, T-Mark (External Power Supply)
EMI: CE Class B, FCC Part 15 Class B, C-Tick, BSMI, VCCI Class II, Austel

Connectors
The RJ-… twisted pair ports are compatible with the IEEE … Type …Base-T standard.
Standard: …Base-TX
Media Type: Category … and higher Unshielded Twisted Pair (UTP) cable
Maximum Distance: … yards (… m)