MAG2600 and SRX210 work together for iPhone/iPad access?

New Contributor

I currently have several locations using SRX210s (hub-and-spoke VPNs).

I need to get iPhone and iPad users access to the headquarters location.

The Pulse client doesn't work with the SRX's.

Will a MAG2600 work OK in conjunction with the SRX210?

Can I just add it behind my SRX210 and configure it to pass the iPhone traffic to the MAG for authentication?

Or is there a better recommendation?

On another subject...

Even though I'm located in Sunnyvale, I have not been able to get much (any) assistance from Juniper.

Anyone have a recommendation on how or where to get some sales-type support on simple networking setups like this?

Or recommendations on best-practice solutions as I build my simple networks?

Thanks.

Anyone can feel free to contact me off line also.

7 REPLIES
New Contributor

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

As an FYI-

My two main uses for the iPhone/iPad (VPN access) via the Pulse client:

- Being able to connect to our internal ShoreTel phone server/system

- Being able to access a couple of internal company websites for production/mfg status

Of course I assume I will find more, but those are the key drivers right now.

TIA...

Occasional Contributor

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

MAG should work just fine in that setup. Give it a public hostname/IP that allows tcp/443 access through the SRX and then Pulse will be able to connect so that you can access internal resources. Users will need to launch Pulse from their iPhone/iPad before accessing internal resources, unless you use Cert-based authentication on the MAG - then they can use a feature called VPN on Demand to auto-launch Pulse when accessing certain hostnames/IPs.

New Contributor

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Know of any configuration guides or can you help with a suggested configuration on the SRX?

Valued Contributor

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Are you referring to getting the MAG up and running behind the SRX?

Respected Contributor

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Don't forget UDP/4500 open to the MAG2600.
But, yes, that is what you do.
The SRX has good setup guides; the MAG does as well for what is needed to configure for access.
New Contributor

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

Yes, I was referring to getting the MAG set up behind the SRX...

TIA

Valued Contributor

Re: MAG2600 and SRX210 work together for iPhone/iPad access?

On the SRX you need to do the following:

1- Create a NAT rule mapping traffic from the external IP to your internal address:

set security nat static rule-set ssl-vpn from zone untrust
set security nat static rule-set ssl-vpn rule ssl-nat match destination-address XX.XXX.13.30/32
set security nat static rule-set ssl-vpn rule ssl-nat then static-nat prefix 192.168.3.12/32
set security nat proxy-arp interface at-1/0/0.0 address XX.XXX.13.30/32
(The proxy-arp line is optional, depending on what external address you use.)

2- Create an address book entry for use in your zone policy:

set security zones security-zone trust address-book address ssl-vpn 192.168.3.12/32

3- Create a zone policy to pass traffic:

set security policies from-zone untrust to-zone trust policy allow-ssl match source-address any
set security policies from-zone untrust to-zone trust policy allow-ssl match destination-address ssl-vpn
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-http
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-https
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-ping
set security policies from-zone untrust to-zone trust policy allow-ssl match application ssl-nc
set security policies from-zone untrust to-zone trust policy allow-ssl then permit

I hope this helps!
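
The following is an added example, not part of any post in this thread: a short Python check that reads the `set` commands above and compares what the untrust-to-trust policy opens with the two services the replies name (tcp/443 and UDP/4500). It assumes those two are all the MAG needs and that the config holds a single inbound policy; the `audit` function and its result keys are hypothetical names.

```python
# Added example: audit the inbound policy from the post against the ports named in the thread.
# CONFIG is constructed from the commands as posted (NAT match and proxy-arp lines omitted).
CONFIG = """\
set security nat static rule-set ssl-vpn rule ssl-nat then static-nat prefix 192.168.3.12/32
set security zones security-zone trust address-book address ssl-vpn 192.168.3.12/32
set security policies from-zone untrust to-zone trust policy allow-ssl match destination-address ssl-vpn
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-http
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-https
set security policies from-zone untrust to-zone trust policy allow-ssl match application junos-ping
set security policies from-zone untrust to-zone trust policy allow-ssl match application ssl-nc
set security policies from-zone untrust to-zone trust policy allow-ssl then permit
"""

# Junos predefined applications used in the post -> (protocol, destination port)
PREDEFINED = {"junos-http": ("tcp", 80), "junos-https": ("tcp", 443), "junos-ping": ("icmp", None)}
# Assumption: the only services the MAG needs are the two the replies name.
REQUIRED = {("tcp", 443), ("udp", 4500)}

def audit(config, required=REQUIRED):
    """Compare what the untrust->trust policy opens with what the MAG needs."""
    custom, apps, book, nat, dest = {}, [], {}, set(), None
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["set", "applications", "application"] and len(w) > 3:
            # e.g. "set applications application NAME protocol udp destination-port 4500"
            custom.setdefault(w[3], {}).update(zip(w[4::2], w[5::2]))
        elif "address-book" in w and len(w) >= w.index("address-book") + 4:
            i = w.index("address-book")
            book[w[i + 2]] = w[i + 3]          # address-book name -> prefix
        elif "static-nat" in w:
            nat.add(w[-1])                     # internal prefix the static NAT maps to
        elif w[1:3] == ["security", "policies"] and "match" in w:
            if w[-2] == "application":
                apps.append(w[-1])
            elif w[-2] == "destination-address":
                dest = w[-1]
    opened, undefined = set(), []
    for name in apps:
        if name in PREDEFINED:
            opened.add(PREDEFINED[name])
        elif "protocol" in custom.get(name, {}):
            port = custom[name].get("destination-port")
            opened.add((custom[name]["protocol"], int(port) if port and port.isdigit() else port))
        else:
            undefined.append(name)             # referenced by the policy, not defined in this config
    return {"undefined": undefined,
            "extra": sorted(opened - required, key=str),
            "missing": sorted(required - opened, key=str),
            "dest_is_nat_target": book.get(dest) in nat}

if __name__ == "__main__":
    print(audit(CONFIG))
```

On the commands as posted, the check reports `ssl-nc` as referenced but not defined in the visible config, tcp/80 and ICMP as open beyond the two named services, and UDP/4500 as not covered by any resolvable application.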