Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

MAG2600 and SRX210 work together for iPhone/iPad access?

j_rabb_
New Contributor
‎04-24-2012 12:32:PM
‎04-24-2012 12:32:PM

MAG2600 and SRX210 work together for iPhone/iPad access?

I currently have several locations using SRX210's (hub and spoke vpn's).

I need to get iPhone and iPad users access to the headquarters location.

The Pulse client doesn't work with the SRX's.

Will a MAG2600 work ok in conjuntion with the SRX210?

Can I just add it behind my SRX210 and configure it to pass the iPhone traffic to the MAG for authentication?

Or is there a better recommendation?

On another subject...

Even though I'm located in Sunnyvale, I have not been able to get much (any) assistance from Juniper.

Anyone have a recommendation on how or where to get some sales-type support on simple networking setups like this?

Or recommendations on best-practice solutions as I build my simple networks?

Thanks.

Anyone can feel free to contact me off line also.

0 Kudos
Reply
7 REPLIES 7
j_rabb_
New Contributor
‎04-24-2012 12:39:PM
‎04-24-2012 12:39:PM

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

As an FYI-

My two main uses for the iPhone/iPad (VPN access) via the Pulse client:

- Being able to connect to our internal ShoreTel phone server/system

- Being able to access a couple of internal company websites for production/mfg status

Of course I assume I will find more, but those are the key drivers right now.

TIA...

0 Kudos
Reply
aweck_
Occasional Contributor
‎04-24-2012 11:35:PM
‎04-24-2012 11:35:PM

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

MAG should work just fine in that setup. Give it a public hostname/IP that allows tcp/443 access through the SRX and then Pulse will be able to connect so that you can access internal resources. Users will need to launch Pulse from their iPhone/iPad before accessing internal resources, unless you use Cert-based authentication on the MAG - then they can use a feature called VPN on Demand to auto-launch Pulse when accessing certain hostnames/IPs.

0 Kudos
Reply
j_rabb_
New Contributor
‎04-26-2012 06:20:PM
‎04-26-2012 06:20:PM

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Know of any configuration guides or can you help with a suggested configuration on the SRX?

0 Kudos
Reply
muttbarker_
Valued Contributor
‎04-27-2012 09:00:AM
‎04-27-2012 09:00:AM

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Are you are refering to getting the MAG up and running behind the SRX?

0 Kudos
Reply
zanyterp_
Respected Contributor
‎04-27-2012 09:55:AM
‎04-27-2012 09:55:AM

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Don't forget UDP/4500 open to the MAG2600.
But, yes, that is what you do.
The SRX has good setup guides; the MAG does as well for what is needed to configure for access.
0 Kudos
Reply
j_rabb_
New Contributor
‎04-27-2012 12:48:PM
‎04-27-2012 12:48:PM

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Yes, I was referring to getting the MAG set up behind the SRX...

TIA

0 Kudos
Reply
muttbarker_
Valued Contributor
‎04-30-2012 06:11:AM
‎04-30-2012 06:11:AM

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

On the SRX you need to do the following:

1- Create a NAT rule mapping traffic from the external IP to your internal address:

set security nat static rule-set ssl-vpn from zone untrust
set security nat static rule-set ssl-vpn rule ssl-nat match destination-address XX.XXX.13.30/32
set security nat static rule-set ssl-vpn rule ssl-nat then static-nat prefix 192.168.3.12/32
set security nat proxy-arp interface at-1/0/0.0 address XX.XXX.13.30/32 (optional depending on what external address you use.)

2- Create an address book entry for use in your zone policy:

set security zones security-zone trust address-book address ssl-vpn 192.168.3.12/32

3- Create a zone policyto pass traffic:

set security policies from-zone untrust to-zone trust policy allow-ssl match source-address any
set security policies from-zone untrust to-zone trust policy allow-ssl match destination-address ssl-vpn
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-http
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-https
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-ping
set security policies from-zone untrust to-zone trust policy allow-ssl match application ssl-nc
set security policies from-zone untrust to-zone trust policy allow-ssl then permit

I hope this helps!

0 Kudos
Reply
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.