I currently have several locations using SRX210s (hub-and-spoke VPNs).
I need to get iPhone and iPad users access to the headquarters location.
The Pulse client doesn't work with the SRX's.
Will a MAG2600 work OK in conjunction with the SRX210?
Can I just add it behind my SRX210 and configure it to pass the iPhone traffic to the MAG for authentication?
Or is there a better recommendation?
On another subject...
Even though I'm located in Sunnyvale, I have not been able to get much (any) assistance from Juniper.
Anyone have a recommendation on how or where to get some sales-type support on simple networking setups like this?
Or recommendations on best-practice solutions as I build my simple networks?
Thanks.
Anyone can feel free to contact me offline also.
As an FYI-
My two main uses for the iPhone/iPad (VPN access) via the Pulse client:
- Being able to connect to our internal ShoreTel phone server/system
- Being able to access a couple of internal company websites for production/mfg status
Of course I assume I will find more, but those are the key drivers right now.
TIA...
MAG should work just fine in that setup. Give it a public hostname/IP that allows tcp/443 access through the SRX and then Pulse will be able to connect so that you can access internal resources. Users will need to launch Pulse from their iPhone/iPad before accessing internal resources, unless you use Cert-based authentication on the MAG - then they can use a feature called VPN on Demand to auto-launch Pulse when accessing certain hostnames/IPs.
Know of any configuration guides or can you help with a suggested configuration on the SRX?
Are you referring to getting the MAG up and running behind the SRX?
Yes, I was referring to getting the MAG set up behind the SRX...
TIA
On the SRX you need to do the following:
1- Create a NAT rule mapping traffic from the external IP to your internal address:
set security nat static rule-set ssl-vpn from zone untrust
set security nat static rule-set ssl-vpn rule ssl-nat match destination-address XX.XXX.13.30/32
set security nat static rule-set ssl-vpn rule ssl-nat then static-nat prefix 192.168.3.12/32
set security nat proxy-arp interface at-1/0/0.0 address XX.XXX.13.30/32
(The proxy-arp line is optional, depending on what external address you use.)
2- Create an address book entry for use in your zone policy:
set security zones security-zone trust address-book address ssl-vpn 192.168.3.12/32
3- Create a zone policy to pass traffic:
set security policies from-zone untrust to-zone trust policy allow-ssl match source-address any
set security policies from-zone untrust to-zone trust policy allow-ssl match destination-address ssl-vpn
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-http
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-https
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-ping
set security policies from-zone untrust to-zone trust policy allow-ssl match application ssl-nc
set security policies from-zone untrust to-zone trust policy allow-ssl then permit
I hope this helps!
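As an added example (not from the thread, and not Juniper's own tooling), here is a small Python audit of the set commands above: it parses the static NAT rule, the address-book entry and the zone policy, checks that the policy's destination resolves to the static-NAT target, and flags any application beyond tcp/443, which is all Pulse needs according to the earlier reply. The sample configuration is the one posted above, with the redacted external address kept as a placeholder.

```python
import re

# Constructed sample: the SRX set commands from the thread, external address left redacted.
SRX_CONFIG = """
set security nat static rule-set ssl-vpn from zone untrust
set security nat static rule-set ssl-vpn rule ssl-nat match destination-address XX.XXX.13.30/32
set security nat static rule-set ssl-vpn rule ssl-nat then static-nat prefix 192.168.3.12/32
set security zones security-zone trust address-book address ssl-vpn 192.168.3.12/32
set security policies from-zone untrust to-zone trust policy allow-ssl match source-address any
set security policies from-zone untrust to-zone trust policy allow-ssl match destination-address ssl-vpn
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-http
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-https
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-ping
set security policies from-zone untrust to-zone trust policy allow-ssl match application ssl-nc
set security policies from-zone untrust to-zone trust policy allow-ssl then permit
"""

# One regex per statement type we care about; everything else is ignored.
NAT_RE = re.compile(r"^set security nat static rule-set (\S+) rule (\S+) then static-nat prefix (\S+)$")
ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
POL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) match (\S+) (\S+)$")


def audit(config, required_apps=("junos-https",)):
    """Cross-check static NAT, address book and zone policy; return a list of findings."""
    nat_prefixes, addrs, pol_dst, pol_apps = {}, {}, {}, {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nat_prefixes[m[2]] = m[3]          # rule name -> internal prefix
        elif m := ADDR_RE.match(line):
            addrs[m[2]] = m[3]                 # address-book name -> prefix
        elif m := POL_RE.match(line):
            key = (m[1], m[2], m[3])           # (from-zone, to-zone, policy)
            if m[4] == "destination-address":
                pol_dst[key] = m[5]
            elif m[4] == "application":
                pol_apps.setdefault(key, []).append(m[5])
    findings = []
    for key, dst in pol_dst.items():
        if dst not in addrs:
            findings.append(f"{key[2]}: destination '{dst}' has no address-book entry")
        elif addrs[dst] not in nat_prefixes.values():
            findings.append(f"{key[2]}: '{dst}' ({addrs[dst]}) is not a static-NAT target")
        extra = [a for a in pol_apps.get(key, []) if a not in required_apps]
        if extra:
            findings.append(f"{key[2]}: allows more than {list(required_apps)}: {extra}")
    return findings
```

Run against the posted configuration it reports only that allow-ssl opens junos-http, junos-ping and the custom ssl-nc in addition to junos-https; pass those as required_apps if they are intentional.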