ug_HSC

Apr 10, 2018

8/8/2019 ug_HSC 1/23

NETSCREEN HARDWARE SECURITY CLIENT


Copyright Notice

Copyright 2004 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:

Juniper Networks, Inc.
ATTN: General Counsel
1194 N. Mathilda Ave.
Sunnyvale, CA 95014

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna.

Increase the separation between the equipment and receiver.

Consult the dealer or an experienced radio/TV technician for help.

Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.


NetScreen-Hardware Security Client iii

Contents

Preface v
Organization v
CLI Conventions v
Juniper Networks NetScreen Publications vi

Chapter 1 Connecting the Device
Connecting to the Network
Connecting the Power

Chapter 2 Configuring the Device
About Default Settings
Accessing the Device
Configuring the Device
Verifying External Connectivity
Restoring Default Settings

Chapter 3 Managing the Device
Centralized Management
Local Management
AntiVirus Scanning

Chapter 4 Hardware Descriptions
Port and Power Connectors
Status LEDs

Appendix A Specifications


Preface

The Juniper Networks NetScreen-Hardware Security Client provides IPSec VPN and firewall services for a broadband telecommuter, a branch office, or a retail outlet. The NetScreen-Hardware Security Client uses the same firewall, VPN, and traffic management technology as NetScreen's high-end central site products.

ORGANIZATION

This guide has four chapters and one appendix:

Chapter 1, Connecting the Device, describes how to connect the NetScreen-Hardware Security Client to the network and a power source.

Chapter 2, Configuring the Device, describes how to access and configure the NetScreen-Hardware Security Client.

Chapter 3, Managing the Device, describes the management options for the NetScreen-Hardware Security Client, including how to enable AntiVirus Scanning.

Chapter 4, Hardware Descriptions, describes the NetScreen-Hardware Security Client chassis.

Appendix A, Specifications, provides general system specifications for the NetScreen-Hardware Security Client.

CLI CONVENTIONS

The following conventions are used when presenting the syntax of a command line interface (CLI) command:

Anything inside square brackets [ ] is optional.

Anything inside braces { } is required.

If there is more than one choice, each choice is separated by a pipe ( | ). For example,

set interface { ethernet1 | ethernet2 | ethernet3 } manage

means set the management options for the ethernet1, ethernet2, or ethernet3 interface.

Variables appear in italic. For example:

set admin user name1 password xyz


When a CLI command appears within the context of a sentence, it is in bold (except for variables, which are always in italic). For example: Use the get system command to display the serial number of a NetScreen device.

JUNIPER NETWORKS NETSCREEN PUBLICATIONS

To obtain technical documentation for any Juniper Networks NetScreen product, visit www.netscreen.com/resources/manuals/.

To obtain the latest software version, visit: www.netscreen.com/services/download_soft. Select a category of software product from the dropdown list, then follow the displayed instructions. (You must be a registered user to download Juniper Networks NetScreen software.)

If you find any errors or omissions in the following content, please contact us at the e-mail address below:

[email protected]

Note: When typing a keyword, you only have to type enough letters to identify the word uniquely. For example, typing set adm u joe j12fmt54 is enough to enter the command set admin user joe j12fmt54. Although you can use this shortcut when entering commands, all the commands documented here are presented in their entirety.

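Added example, not from the guide: a small prefix expander that implements the keyword-abbreviation rule in the note above (a keyword may be typed as any prefix that identifies it uniquely) and the braces/pipe convention for required choices. The grammar is assembled only from the command forms this guide shows; the real ScreenOS grammar is far larger.

```python
"""Keyword-prefix expansion for the ScreenOS CLI convention in the Preface:
'set adm u joe j12fmt54' expands to 'set admin user joe j12fmt54'.
Added example; the grammar below is an assumption built from the forms
shown in this guide, not the device's own command tree."""

# Nested dict: keyword -> sub-grammar. Names in angle brackets are variables
# (taken verbatim, never abbreviated); an empty dict marks a complete command.
GRAMMAR = {
    "set": {
        "admin": {
            # 'set admin user joe j12fmt54' (guide's note) and
            # 'set admin user name1 password xyz' (CLI conventions) both parse.
            "user": {"<name_str>": {"<pswd_str>": {}, "password": {"<pswd_str>": {}}}},
            "name": {"<name_str>": {}},
            "password": {"<pswd_str>": {}},
        },
        "interface": {
            "ethernet1": {"manage": {}},     # set interface { ethernet1 | ... } manage
            "ethernet2": {"manage": {}},
            "ethernet3": {"manage": {}},
            "untrust": {
                "ip": {"<ip_addr/mask>": {}},
                "gateway": {"<ip_addr>": {}},
                "dhcp": {"client": {"enable": {}}},
            },
        },
        "pppoe": {
            "interface": {"untrust": {}},
            "username": {"<name_str>": {"password": {"<pswd_str>": {}}}},
        },
    },
    "get": {"system": {}},
    "save": {},
}


def expand_command(line):
    """Expand every abbreviated keyword in `line`. Raise ValueError when a
    token matches several keywords, matches none where no variable is
    allowed, or the line ends before the command is complete."""
    node, out = GRAMMAR, []
    for token in line.split():
        keywords = [k for k in node if not k.startswith("<")]
        variables = [k for k in node if k.startswith("<")]
        if token in keywords:                        # exact keyword wins
            chosen = token
        else:
            hits = [k for k in keywords if k.startswith(token)]
            if len(hits) == 1:
                chosen = hits[0]
            elif len(hits) > 1:                      # e.g. 'eth' -> ethernet1/2/3
                raise ValueError(f"'{token}' is ambiguous: {' | '.join(hits)}")
            elif variables:                          # token is a variable's value
                chosen = variables[0]
            else:
                raise ValueError(f"unknown keyword '{token}'; expected one of "
                                 f"{' | '.join(keywords)}")
        out.append(token if chosen.startswith("<") else chosen)
        node = node[chosen]
    if node:                                         # required tokens still missing
        raise ValueError(f"incomplete command; expected {' | '.join(node)}")
    return " ".join(out)


def explain(line):
    """Return the expansion, or a readable error string instead of raising."""
    try:
        return expand_command(line)
    except ValueError as e:
        return f"error: {e}"
```

Because a value that happens to be a prefix of the next keyword (a password beginning with "p" after an admin name) is resolved as the keyword, the expander reproduces that inherent ambiguity of prefix matching rather than hiding it.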
Chapter 1

Connecting the Device

This chapter describes how to connect the Juniper Networks NetScreen-Hardware Security Client to the network and a power source.

CONNECTING TO THE NETWORK

To enable the NetScreen-Hardware Security Client to provide firewall and general security for your network, you must connect the Untrusted port to the Internet and the Trusted ports to your internal network.

Connecting the Untrusted Port

The Untrusted port handles traffic between the device and the Internet or other outside computers. The NetScreen-Hardware Security Client contains one Untrusted port that you can use to connect to an external router, DSL modem, or cable modem. To connect the device to the Internet, use the provided Ethernet cable between the Untrusted port on the device and an external router or modem.

Connecting the Trusted Ports

A Trusted port handles traffic between the device and your internal workstations. The NetScreen-Hardware Security Client contains four Trusted ports that you can use to connect LANs or workstations:

To connect the device to a LAN via an internal switch or hub, use an Ethernet cable between a Trusted port and a port on the switch or hub.

To connect the device directly to a workstation, use an Ethernet cable between a Trusted port and the workstation Ethernet port.

CONNECTING THE POWER

To connect a power source to the NetScreen-Hardware Security Client device:

1. Plug the DC connector end of the power cable into the DC power receptacle on the back of the device.

2. Plug the AC adapter end of the power cable into an AC power source.

Note: For safety warnings and instructions, refer to the NetScreen Safety Guide. The instructions in the Safety Guide warn you about situations that could cause bodily injury. Before working on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.

Warning: Juniper Networks recommends using a surge protector for the power connection.

Chapter 2

Configuring the Device

This chapter describes how to access and configure a Juniper Networks NetScreen-Hardware Security Client.

Before you configure the device, ensure that you have connected it to your network and to a power source as detailed in Connecting the Device on page 1.

After completing the device configuration, your network users can access the Internet through the Juniper Networks device while resources in your network are protected from outside computers. The Juniper Networks device includes a default policy that permits your network workstations to use any service to access outside computers and denies outside computers access to your network workstations.

To configure additional policies that direct the Juniper Networks device to permit outside computers to start specific kinds of sessions with your computers, you must use NetScreen-Security Manager 2004 or ScreenOS CLI commands:

For details on firewall policies in NetScreen-Security Manager, see the Configuring Firewall Policies chapter in the Juniper Networks NetScreen-Security Manager 2004 Administrator's Guide.

For details on VPN policies in NetScreen-Security Manager, see the Configuring VPN Policies chapter in the Juniper Networks NetScreen-Security Manager 2004 Administrator's Guide.

For details on creating or modifying policies with ScreenOS CLI commands, see the NetScreen Concepts & Examples ScreenOS Reference Guide.

After you configure the device, you should verify that the device is working correctly (for details, see Verifying External Connectivity on page 11).

If you experience problems completing a configuration, you can restore the device to its default settings (for details, see Restoring Default Settings on page 11).

Note: You cannot create firewall policies or VPNs using the NetScreen-Hardware Security Client WebUI.


ABOUT DEFAULT SETTINGS

The NetScreen-Hardware Security Client includes pre-defined, default settings:

Typically, you need to change only a few default settings to make your device operational on your network. Some settings are required, meaning you must change the default values to values that are relevant for your network before the device is operational. Other settings are optional, meaning you can use the pre-defined default values.

This guide does not describe optional settings; for details on configuring an optional setting, see the appropriate sections in the NetScreen Concepts & Examples ScreenOS Reference Guide.

The following sections detail the information you will need to configure the device.

Untrust Interface Address (Required)

The Untrust interface is bound to the Untrust zone and is configured with the IP address 0.0.0.0/0. You must configure an IP address for the Untrust interface to enable the Juniper Networks device (and the workstations on your network) to connect to the Internet. This IP address represents your network to the outside world and is obtained from your Internet Service Provider (ISP) in one of the following ways:

You receive a specific, fixed IP address and netmask for your network from your Internet Service Provider (ISP).

Your network receives an IP address from a server via Dynamic Host Configuration Protocol (DHCP).

Your network receives an IP address from a server via Point-to-Point Protocol over Ethernet (PPPoE).

[Figure: default settings. Trust Zone: Trust Interface 192.168.1.1/24, connected through a hub to the internal network; the Juniper Networks device assigns IP addresses to devices in your network via DHCP. Untrust Zone: Untrust Interface 0.0.0.0/0, connected to an external router and the Internet. All types of traffic originated from your network is allowed to the Internet, but traffic originated from the Internet is not allowed to your network. WebUI and Telnet access to the Juniper Networks device is allowed from any device in the subnetwork.]


Admin Name/Password (Required)

Any user in the subnetwork who knows the device admin name and password can access and configure the Juniper Networks device. Because all Juniper Networks FW/VPN devices use the same default admin name and password (netscreen, netscreen), Juniper Networks highly recommends that you change your login and password to the Juniper Networks device.

Port Mode (Optional)

The port mode is the binding of physical ports, logical interfaces, and zones. The default port mode, Trust-Untrust, binds the Trust interface to the Trust zone and the Untrust interface to the Untrust zone. Changing the port mode changes these bindings.

This guide details how to configure your device in the Trust-Untrust port mode only. For details on port modes and how to change them, see the Zones chapter in Volume 2 of the NetScreen Concepts & Examples ScreenOS Reference Guide.

Management (Optional)

You can configure the following management settings:

Specify the connection protocol (Telnet, SSH) that a host can use to communicate with the device.

Specify the communication parameters that enable the device to connect to NetScreen-Security Manager 2004 for management.

For details, see the Administration chapter in Volume 3 of the NetScreen Concepts & Examples ScreenOS Reference Guide.

Operational Mode (Optional)

The operational mode defines how your device operates with its connected networks. By default, the NetScreen-Hardware Security Client operates in Route mode with Network Address Translation (NAT) enabled on the Trust interface. In this operational mode, when workstations in the Trust zone send traffic to the Internet, the device replaces the original source IP addresses with the IP address of the Untrust interface. Because the device assigns private IP addresses to your network workstations, these addresses are never seen by computers outside your network.

For details on configuring the device for Route mode without NAT enabled, see the Interface Modes chapter in Volume 2 of the NetScreen Concepts & Examples ScreenOS Reference Guide.

Warning: Because changing the port mode removes any existing configurations on the Juniper Networks device, you should change the port mode before configuring the device.

Note: The NetScreen-Hardware Security Client does not support Transparent mode.


Trust Interface Address (Optional)

The Trust interface is bound to the Trust zone and is configured with the subnetwork address 192.168.1.1/24. All workstations that you connect to the Trust interface must be in the same subnetwork and have IP addresses in that subnetwork. The NetScreen-Hardware Security Client can also use DHCP to automatically assign IP addresses for the 192.168.1.1/24 subnetwork to your network workstations.

You might need to change the IP address and netmask of the Trust interface to match the IP addresses that already exist on your network. If you do change the Trust IP, you must also change the range of addresses that the DHCP server assigns to your network workstations, or disable the DHCP server on the Trust interface.

For details on assigning a different IP address and netmask to the Trust interface, see the Interfaces chapter in Volume 2 of the NetScreen Concepts & Examples ScreenOS Reference Guide.

For details on changing the DHCP settings for the Juniper Networks device, see the System Parameters chapter in Volume 2 of the Juniper Networks NetScreen Concepts & Examples ScreenOS Reference Guide.

ACCESSING THE DEVICE

Before you attempt to access the device, ensure that you have connected it to your network and to a power source. You can access the NetScreen-Hardware Security Client using one of the following methods:

Rapid Deployment, a method for configuring a Juniper Networks device for management by NetScreen-Security Manager 2004, an integrated management system for all Juniper Networks FW/VPN devices. In the Rapid Deployment process, the NetScreen-Security Manager administrator generates a small configuration file (called a configlet) in the management system, then sends the configlet to the on-site administrator, who uses the configlet to automatically configure the device. For details and step-by-step instructions on using Rapid Deployment to configure your device, see the Getting Started Guide for the NetScreen-Hardware Security Client.

WebUI, a graphical user interface that enables you to access the device through a Web browser. To use the WebUI, you must be on the same subnetwork as the device.

Telnet, a command line application that enables you to access the device through an IP network. To access and configure the device, you use ScreenOS Command Line Interface (CLI) commands in a Telnet session from your workstation. You can also access remote Juniper Networks devices using Secure Shell (SSH) applications. For details on using SSH, see the Administration volume of the NetScreen Concepts & Examples ScreenOS Reference Guide.

Note: The NetScreen-Hardware Security Client does not have a console port.


CONFIGURING THE DEVICE

You can configure the required device settings using Rapid Deployment, the WebUI or CLI commands via a Telnet connection. For a required setting, you must change the default value to a value that is relevant for your network before the device is operational.

The instructions below detail how to configure your device using the WebUI or CLI commands via Telnet. For instructions on using Rapid Deployment to configure the device, see the Getting Started Guide for the NetScreen-Hardware Security Client.

If you experience problems completing a configuration, you can restore the device to its default settings (see Restoring Default Settings on page 11). To troubleshoot basic device problems, see the NetScreen-Hardware Security Client Administrator's Guide.

Using the WebUI

You can configure the device using the WebUI Initial Configuration Wizard. To use the WebUI, you must be on the same subnetwork as the Juniper Networks device.

Accessing the Device

To access the NetScreen-Hardware Security Client device using the WebUI:

1. Connect a workstation (or your LAN hub) to the Trusted ports, as described in Connecting to the Network on page 1.

2. Configure the workstation to be on the same subnet as the device using one of the following methods:

Using DHCP. Configure your workstation to automatically receive an IP address from the Juniper Networks device using DHCP (ensure that your internal network does not already use a DHCP server).

Using a Static IP address. Configure your workstation to use a static IP address that is on the 192.168.1.0 network.

For help, see your PC operating system documentation.

3. If necessary, restart your workstation. Some operating systems must be restarted before new settings can take effect.

4. Launch a Web browser, type the IP address for the Trust interface in the URL field, and then press Enter. After a few moments, the Initial Configuration Wizard appears.

Example: If the IP address of the Trust interface on the Juniper Networks device is 192.168.1.1/24, type the following: 192.168.1.1

Note: This guide does not describe optional settings; for details on configuring an optional setting, see the appropriate sections in the Juniper Networks NetScreen Concepts & Examples ScreenOS Reference Guide.


Using the Wizard

To configure the device using the WebUI, follow the instructions in the Initial Configuration Wizard. This wizard appears when you access the WebUI for the first time, and helps you configure the default settings on the device:

1. Select No, use the Initial Configuration Wizard instead, and then click Next to continue.

If you have received a configlet from your NetScreen-Security Manager administrator to help you configure the device, do not continue to use the instructions below. Please see the Getting Started Guide for the NetScreen-Hardware Security Client for details on using a configlet for Rapid Deployment.

If you want to skip the Wizard and go directly to the WebUI to configure the device, then select No, skip the Wizard and go straight to WebUI management session.

2. Select No Plain Configuration File, and then click Next to continue. The Initial Configuration Welcome screen appears. Click Next to continue.

3. Check the Enable NAT check box if you want the device to be in Route mode with NAT enabled. Click Next to continue.

4. Type the device admin name and password. Click Next to continue.

5. Type the information that describes how your device connects to the Internet:

If your device uses DHCP to obtain an IP address for the Untrust zone interface, select Dynamic IP via DHCP.

If your device uses a PPPoE connection to obtain an IP address for the Untrust zone interface, select Dynamic IP via PPPoE. Selecting this option enables your Juniper Networks device to act as a PPPoE client that can receive an IP address for the Untrust zone interface from an ISP. Type the user name and password for your PPPoE account.

If your device uses a static IP address for the Untrust zone interface, select Static IP. Selecting this option enables your Juniper Networks device to use a unique and fixed IP address for the Untrust zone interface. Type the IP address, Netmask, and Gateway for the device.

The IP address is the IP address of the interface that is connected to the external router, cable modem, or DSL modem. The gateway address is the IP address of the router port connected to the Juniper Networks device.

Click Next to continue.

6. Configure the IP address of the Trust zone interface: To use the existing IP address, simply click Next. To change the existing IP address, type the new IP address and netmask, then click Next.


If you change the IP address and netmask of the Trust zone interface, your PC and the Trust interface of the Juniper Networks device may then be on different subnetworks. To continue managing the Juniper Networks device through the WebUI, ensure that both your PC and the Juniper Networks device are in the same IP network and use the same netmask.

7. Configure DHCP for the Trust zone interface:

Yes. If using NAT mode, enable DHCP to automatically assign IP addresses to workstations in the Trust zone.

No. If using Route mode, disable DHCP.

Click Next to continue.

8. Configure the management system for the device:

Select Yes to configure the device to connect to NetScreen-Security Manager. Click Next to continue and go to step 9.

Select No to configure the connection protocols for the device, but not connect to NetScreen-Security Manager. Click Next to continue and go to step 10.

9. Type the communication parameters that enable the device to connect to NetScreen-Security Manager:

Security Manager Address. Type the IP address of the Security Manager device-server (provided by the Security Manager administrator).

Device ID. Type the device ID of the device (provided by the Security Manager administrator).

One Time Password. Type a one time password. When the device connects to Security Manager, the one time password authenticates the initial connection.

Port Number. Type the port number on the Security Manager device-server (provided by the Security Manager administrator).

Admin Name. Type the name of the device admin.

Admin Password. Type the password of the device admin.

Click Next to display the configuration summary and go to step 11.

10. Configure the connection protocols for the device untrusted port. You can enable one or both protocols.

SSH. To access and manage the device remotely using SSH, you must enable SSH on the device untrusted port.

Telnet. To access and manage the device remotely using Telnet, you must enable Telnet on the device untrusted port.

Click Next to display the configuration summary.

11. Review the configuration information:

Click Previous to re-type configuration information.

Click Next to type the configuration.


After you have configured the device, a confirmation screen appears.

To verify that the device has connectivity to the Internet, see Verifying External Connectivity on page 11.

To use the WebUI to view or change the device configuration, open a Web browser and type the IP address for the Trust interface in the URL field. At the login prompt, type the device admin name and password and click Enter to display the WebUI.

To restore the default device settings on the device, see Restoring Default Settings on page 11.

Using Telnet

You can access and configure the device using ScreenOS CLI commands. Follow the instructions in the sections below to change the required settings for the device.

Accessing the Device

To access the device:

1. Connect your workstation (or your LAN hub) to the Trusted ports, as described in Connecting to the Network on page 1.

2. Start a Telnet client application to the IP address for the Trust interface. For example, if the IP address of the Trust interface on the Juniper Networks device is 192.168.1.1/24, type the following: 192.168.1.1

3. Type netscreen in both the admin name and password prompts. (Use lowercase letters only. The admin name and password fields are both case sensitive.)

Configuring the Untrust Interface

Your network uses the Untrust interface on the Juniper Networks device to connect to the Internet. If you are setting up your Internet connection for the first time, contact your ISP for information on your network IP address assignment.

In a Telnet session:

If your ISP gave you a specific, fixed IP address and netmask for your network, configure the IP address and netmask for the network and the IP address of the router port connected to the Juniper Networks device by typing the following CLI commands:

set interface untrust ip ip_addr/mask
set interface untrust gateway ip_addr
save

If your network receives an IP address from a server via DHCP, enable the DHCP client by typing the following CLI commands:

set interface untrust dhcp client enable
save


If your network receives an IP address from a server via PPPoE, configure the user name and password assigned by your ISP by typing the following CLI commands:

set pppoe interface untrust
set pppoe username name_str password pswd_str
save

Configuring Admin Name/Password

Because all Juniper Networks NetScreen products use the same default admin name and password (netscreen), you should change the default admin name and password immediately.

In a Telnet session, type the following CLI commands:

set admin name name_str
set admin password pswd_str
save

For information on creating different levels of administrators, see the Administration chapter in Volume 3 of the NetScreen Concepts & Examples ScreenOS Reference Guide.
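Added example, not Juniper tooling: an audit of a ScreenOS-style command sequence against the two settings the About Default Settings section calls required (the Untrust address still at 0.0.0.0/0, the admin name/password still netscreen) and against the Trust Interface Address rule that a changed Trust address needs the DHCP server range moved or the server disabled, using the Untrust, PPPoE and admin command forms shown in the Telnet sections above. The trust-side forms `set interface trust ip`, `set interface trust dhcp server ip A to B` and `unset interface trust dhcp server` are assumptions introduced only to exercise that check, and the two sample sequences are constructed.

```python
"""Audit a ScreenOS-style 'set' sequence for the settings this guide calls
required (Untrust address, admin name/password) and for the rule in "Trust
Interface Address": if the Trust address changes, the DHCP server range must
move into the new subnet or the server must be disabled. Added example, not
Juniper tooling; the trust-side command forms are assumptions (see RULES)."""
import ipaddress
import re

DEFAULT_ADMIN = "netscreen"       # factory admin name and password
DEFAULT_UNTRUST = "0.0.0.0/0"     # factory Untrust interface address
DEFAULT_TRUST = "192.168.1.1/24"  # factory Trust interface address

# (regex, settings it sets). The first six forms appear in the guide; the last
# three are assumed forms used only to exercise the Trust/DHCP check.
RULES = [
    (r"set interface untrust ip (\S+)", lambda m: {"untrust_ip": m[1]}),
    (r"set interface untrust gateway (\S+)", lambda m: {"untrust_gateway": m[1]}),
    (r"set interface untrust dhcp client enable", lambda m: {"untrust_dhcp_client": True}),
    (r"set pppoe interface untrust", lambda m: {"pppoe": True}),
    (r"set admin name (\S+)", lambda m: {"admin_name": m[1]}),
    (r"set admin password (\S+)", lambda m: {"admin_password": m[1]}),
    (r"set interface trust ip (\S+)", lambda m: {"trust_ip": m[1]}),
    (r"set interface trust dhcp server ip (\S+) to (\S+)", lambda m: {"dhcp_range": (m[1], m[2])}),
    (r"unset interface trust dhcp server", lambda m: {"dhcp_server_off": True}),
]

def parse_config(text):
    """Start from the factory defaults and apply each recognised line."""
    cfg = {"untrust_ip": DEFAULT_UNTRUST, "untrust_gateway": None,
           "untrust_dhcp_client": False, "pppoe": False,
           "admin_name": DEFAULT_ADMIN, "admin_password": DEFAULT_ADMIN,
           "trust_ip": DEFAULT_TRUST, "dhcp_range": None,
           "dhcp_server_off": False, "unsaved": False}
    for raw in text.splitlines():
        line = " ".join(raw.split())              # normalise whitespace
        if line == "save":
            cfg["unsaved"] = False
        elif line and not line.startswith("#"):
            for pattern, update in RULES:
                m = re.fullmatch(pattern, line)
                if m:
                    cfg.update(update(m))
                    cfg["unsaved"] = True         # a change after the last save
                    break
    return cfg

def trust_findings(cfg):
    """Check the DHCP server range against the (possibly changed) Trust subnet."""
    try:
        trust_net = ipaddress.ip_interface(cfg["trust_ip"]).network
        rng = cfg["dhcp_range"] and tuple(ipaddress.ip_address(a) for a in cfg["dhcp_range"])
    except ValueError as e:
        return [f"unparseable Trust/DHCP address: {e}"]
    if cfg["dhcp_server_off"]:
        return []
    if rng is None:
        return ["Trust address changed but the DHCP server range was neither "
                "updated nor disabled"] if cfg["trust_ip"] != DEFAULT_TRUST else []
    lo, hi = rng
    if lo not in trust_net or hi not in trust_net or lo > hi:
        return [f"DHCP range {lo}-{hi} is not inside the Trust subnet {trust_net}"]
    return []

def audit(text):
    """Return findings; an empty list means the required settings were changed."""
    cfg = parse_config(text)
    findings = []
    if DEFAULT_ADMIN in (cfg["admin_name"], cfg["admin_password"]):
        findings.append("admin name or password is still the factory default 'netscreen'")
    static = cfg["untrust_ip"] != DEFAULT_UNTRUST
    if not (static or cfg["untrust_dhcp_client"] or cfg["pppoe"]):
        findings.append("Untrust interface is still 0.0.0.0/0 with neither DHCP client "
                        "nor PPPoE enabled (required setting unchanged)")
    if static and not cfg["untrust_gateway"]:
        findings.append("static Untrust address set but no gateway configured")
    findings += trust_findings(cfg)
    if cfg["unsaved"]:
        findings.append("last change was not followed by 'save'")
    return findings

# Constructed sample sequences (not from the guide): one complete, one not.
HARDENED = """
set interface untrust ip 203.0.113.10/24
set interface untrust gateway 203.0.113.1
set admin name netadmin
set admin password S3cure-Passw0rd
set interface trust ip 10.10.20.1/24
set interface trust dhcp server ip 10.10.20.50 to 10.10.20.99
save
"""
INCOMPLETE = """
set interface untrust ip 203.0.113.10/24
set admin name netadmin
set admin password S3cure-Passw0rd
set interface trust ip 10.10.20.1/24
"""
```

`audit(HARDENED)` returns no findings, while `audit(INCOMPLETE)` reports the missing gateway, the DHCP range left outside the new Trust subnet, and the missing final `save`.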

VERIFYING EXTERNAL CONNECTIVITY


RESTORING DEFAULT SETTINGS

To restore the device to its default settings:

1. Locate the reset pinhole on the back panel. Using a thin, firm wire (such as a paper clip), push the pinhole until the Status LED turns from blinking green to orange, and then back to blinking green. Release the pinhole.

2. Wait for four seconds.

3. Push the reset pinhole again. When the Status LED turns to red, and then to green, release the pinhole.

4. The device resets to its original factory settings and restarts. After the device starts up (should take about 30 seconds), ensure that the Power LED and Status LED both blink green.

If you do not follow the complete sequence, the reset process cancels without changing the configuration, and the Status LED blinks green. If the device did not reset, an SNMP alert is sent to confirm the failure.

[Figure: back panel of the device, showing the Reset Pinhole.]

Managing the Device

This chapter describes the management options for your Juniper Networks NetScreen-
Hardware Security Client and details the antivirus scanning feature.

After you have connected the device to your network and configured it, you can begin
using centralized or local management to control device functionality.

CENTRALIZED MANAGEMENT

Your NetScreen-Hardware Security Client is designed to be managed using
NetScreen-Security Manager 2004, an integrated management system for all NetScreen
FW/VPN devices. For details on using NetScreen-Security Manager to manage your
NetScreen FW/VPN devices, see the NetScreen-Security Manager 2004 Administrator's
Guide.

LOCAL MANAGEMENT

You can use the WebUI or ScreenOS CLI commands (using Telnet or SSH) to manage the
NetScreen-Hardware Security Client.

WebUI

The WebUI is a graphical user interface that enables you to manage the device using a
Web browser. To use the WebUI, you must be on the same subnetwork as the device.

You can use the WebUI to manage specific device functionality:

Configure basic device settings
View the device configuration
Monitor system, firewall, and VPN status
Monitor system, firewall, and VPN events
Configure the device for management by NetScreen-Security Manager 2004

To manage additional device functionality, you must use NetScreen-Security Manager or
ScreenOS CLI commands.

CLI

ScreenOS Command Line Interface (CLI) commands enable you to manage the device in a
Telnet or Secure Shell (SSH) session.

You can use CLI commands to manage all device functionality. For details on ScreenOS
CLI commands, see the NetScreen CLI Reference Guide.

ANTIVIRUS SCANNING

Your device includes internal antivirus scanning to detect viruses in specific
application-layer transactions. When antivirus scanning is enabled, the device uses an
internal antivirus scan engine developed by Trend Micro to examine SMTP, HTTP (webmail
only), or POP3 traffic for known virus patterns.

By default, the device automatically passes all permitted SMTP, HTTP, and POP3 traffic
to the internal antivirus scan engine. After verifying that it has received the entire
content of the message, the internal antivirus scan engine examines the data for viruses:

If a virus is detected, the device drops the content and sends a message to the
client indicating that the content was infected.

If no virus is detected, the device forwards the content to its intended
destination.

The antivirus scan engine can examine up to 16 MB of concurrent messages. If the total
size of messages received concurrently exceeds this amount, the scan engine bypasses the
content (does not scan it). For example, the internal antivirus scan engine can receive
and examine four 4 MB messages concurrently (16 MB in total). If it receives seventeen
1 MB messages concurrently (17 MB in total), the limit is exceeded, and it would drop or
pass the traffic depending on content. Bypassing is a fail-open behavior: content that
arrives while the engine is over its limit reaches its destination without having been
examined, so the 16 MB figure bounds the protection the device can give under load.

For HTTP traffic scanning, the device can redirect Web server responses to the internal
antivirus scan engine before forwarding the traffic to the client.

For details on the antivirus scan engine, see the AntiVirus Scanning section in Volume 4
(Attack Detection and Defense Mechanisms) of the NetScreen Concepts & Examples
ScreenOS Reference Guide.
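The 16 MB concurrency rule is easiest to reason about when it is run on sample traffic.
The following is an added example, not code from the guide, from ScreenOS or from Trend
Micro: it does not implement a virus scanner, it models the admission rule the guide
states (buffer the whole message, scan it if the in-flight total stays within 16 MB,
otherwise bypass it unscanned) so that the fail-open edge case can be observed. The
"known virus pattern" is the harmless EICAR test string, the message sizes are constructed
for the example, and MB is taken as 1024*1024 bytes, which the guide does not specify.

```python
"""Model of the 16 MB concurrent-scan budget described above.

Added example, not code from the guide, from ScreenOS or from Trend Micro. It is not a
virus scanner; it reproduces the admission rule the guide states (buffer first, scan if
the in-flight total stays within 16 MB, otherwise bypass unscanned) on constructed input.
The detection pattern is the harmless EICAR test string; MB = 1024*1024 is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

MB = 1024 * 1024
LIMIT_BYTES = 16 * MB                      # concurrent-scan budget stated in the guide

# EICAR: the industry-standard harmless test pattern that AV engines are expected to flag.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_PATTERNS = (EICAR,)


@dataclass
class Verdict:
    msg_id: str
    action: str                           # "forward", "drop" or "bypass"
    scanned: bool
    client_notice: Optional[str] = None   # sent to the client on a drop, per the guide


@dataclass
class ScanEngine:
    """Admission control plus pattern matching, following the guide's description."""
    in_flight: int = 0                            # bytes of messages being examined now
    active: Dict[str, int] = field(default_factory=dict)

    def submit(self, msg_id: str, content: bytes) -> Verdict:
        """Called once the whole message has been received (the guide buffers first)."""
        size = len(content)
        if self.in_flight + size > LIMIT_BYTES:
            # Over budget: the guide says the engine bypasses the content. Nothing is
            # examined, so the message goes through whatever it contains (fail-open).
            return Verdict(msg_id, "bypass", scanned=False)
        self.in_flight += size
        self.active[msg_id] = size
        if any(pattern in content for pattern in KNOWN_PATTERNS):
            return Verdict(msg_id, "drop", scanned=True,
                           client_notice=f"{msg_id}: content was infected and was dropped")
        return Verdict(msg_id, "forward", scanned=True)

    def complete(self, msg_id: str) -> None:
        """Release a scanned message's share of the budget after it is forwarded or dropped."""
        self.in_flight -= self.active.pop(msg_id)


def scan_concurrently(messages: Dict[str, bytes]) -> Dict[str, Verdict]:
    """Submit every message as if all arrived at once, then release the scanned ones."""
    engine = ScanEngine()
    verdicts = {mid: engine.submit(mid, body) for mid, body in messages.items()}
    for mid, verdict in verdicts.items():
        if verdict.scanned:
            engine.complete(mid)
    return verdicts


def demo() -> Dict[str, object]:
    """Constructed traffic: the guide's two sizing cases, plus the infected message alone."""
    def clean(n: int) -> bytes:
        return b"A" * n

    four_by_4mb = {f"m{i}": clean(4 * MB) for i in range(4)}          # 16 MB total
    seventeen_by_1mb = {f"m{i}": clean(MB) for i in range(17)}         # 17 MB total
    # The test pattern sits in the seventeenth message, the one that exceeds the budget.
    seventeen_by_1mb["m16"] = clean(MB - len(EICAR)) + EICAR

    big = scan_concurrently(four_by_4mb)
    many = scan_concurrently(seventeen_by_1mb)
    alone = scan_concurrently({"solo": seventeen_by_1mb["m16"]})
    return {
        "four_4mb_all_scanned": all(v.scanned for v in big.values()),
        "first_sixteen_1mb_scanned": all(many[f"m{i}"].scanned for i in range(16)),
        "seventeenth_1mb_action": many["m16"].action,        # "bypass": delivered unscanned
        "same_message_alone_action": alone["solo"].action,   # "drop": caught when scanned
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast between the last two results is the point: the same infected message is
dropped when the engine has budget for it and delivered untouched when it is the
message that tips the concurrent total over 16 MB.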

Hardware Descriptions

This chapter details the Juniper Networks NetScreen-Hardware Security Client chassis.

PORT AND POWER CONNECTORS

The rear panel of the NetScreen-Hardware Security Client contains port and power
connectors.

Use the DC power receptacle to connect the device to a power source.

Use the Reset pinhole to reset the device and restore its factory default settings.

The NetScreen-Hardware Security Client includes the following ports:

Port            Description                                              Connector   Speed/Protocol
Untrusted       Enables an Internet connection through an external       RJ-45       10/100 Mbps
                router, DSL modem, or cable modem.                                   Ethernet
Trusted Ports   Enables direct connections to workstations or a LAN      RJ-45       10/100 Mbps
                connection through a switch or hub. Use this                         Ethernet
                connection to manage the device through a Telnet
                session or the WebUI management application.

STATUS LEDS

The front panel of the NetScreen-Hardware Security Client device has power and status
LEDs for the device, and port status LEDs for the interfaces:

(Figure: Port Status LEDs, Status LED, Power LED)

Interpreting Power/Status LEDs

The power status LED indicates whether the device is receiving power and the status
LED indicates the state of the device. The following table describes the status possibilities
for each LED:

LED       LED Color   Meaning of the LED
POWER     Green       Solid On indicates the system is receiving power.
          Off         Off indicates the system is not receiving power.
STATUS    Amber       Solid On indicates the system is not communicating to NMS.
          Green       Blinking On indicates the system is functioning.
          Amber       Blinking On indicates a factory default or a failed upgrade.
          Off         Off indicates the system is not operational.

Interpreting Port Status LEDs

The port status LEDs indicate whether the ports on the device are operating properly.
The following table describes the status possibilities for the ports.

LED             LED Color   Meaning of the LED
Link/Activity   Green       Blinking On indicates the device detects Ethernet traffic for the port.
                            Off indicates the port has not established a link with another device.
                            Solid On indicates the port has established a link with another device.

LED Color   Meaning of the LED (port speed)
Green       Solid On indicates the port is connected to a 10Base-T device.
Amber       Solid On indicates the port is connected to a 100Base-T device.

Specifications

This appendix provides general system specifications for the Juniper Networks
NetScreen-Hardware Security Client.

Attributes
  Height:   … inches (… cm)
  Depth:    … inches (… cm)
  Width:    … inches (… cm)
  Weight:   … pounds (… g)

Electrical           Switching Regulator   Linear Regulator
  AC voltage:        … VAC, … Hz           … VAC, … Hz
  AC Watts:          … Watts               … Watts
  DC voltage:        … Volts               … Volts

Environmental
  Temperature (operating, normal altitude):   … °C (… °F)
  Relative humidity:                          …%, non-condensing

Certifications
  Safety:   UL/CUL, CB, CSA, EN, IEC, PSE Mark, T Mark (External Power Supply)
  EMI:      CE Class B, FCC Part 15 class B, C-TICK, BSMI, VCCI Class II, Austel

Connectors
  The RJ-45 twisted pair ports are compatible with the IEEE Type 10Base-T standard.
  Standard:           100Base-TX
  Media Type:         Category 5 and higher Unshielded Twisted Pair (UTP) Cable
  Maximum Distance:   … yards (… m)