I'm pretty new to almost everything from Juniper and I did my first SSL VPN install at a customer.
Everything works fine, the OWA, file shares, Citrix, network connect and so on. But I am having trouble with some requests from the customer.
I will sum up their requests and hopefully I can get some help with this.
Thank you for any help!
1. Not sure about this, I thought it did this by default but seems not.
2. You should be able to do this with custom sign-in pages. Edit LoginPage.thtml to hide the Realm List and then create a script that intercepts the post, parses the username field then uses this to set the username and selected Realm before posting the form.
3. This question was asked in another post:
the answer was basically save config, reset device, restore config without certificate. If you don't need a publicly signed certificate it may be just as easy to use something like openssl to generate a certificate based on a CSR.
Thanks for all the useful tips.
I know now why the redirect doesn't work, I also need to forward the http port through the firewall. It does do it by default.
Thank you for the tips for the realm parsing, I will discuss with the end-user if it is worth the trouble or not.
I will also back-up the config, reset the device and create the proper certificates.
1) Yes, the IVE will do this; however, as you found, the firewall needs to allow the HTTP -> HTTPS redirect.
2) No. It *may* be possible to create the custom script as discussed by dcvers; but the IVE does not allow for this to be done in any of the standard config options.
3) That is correct, a new self-generated-on-the-IVE certificate cannot be done without doing a factory reset; however, if you or the customer has a Microsoft server with certificate server running, you can generate the CSR on the IVE and then get the certificate from the MS certificate server. Another option, if you are comfortable with it, would be to generate the CSR on the IVE and then use OpenSSL to generate the certificate to import. Be sure to note that with options 1 & 3 the users will receive certificate warnings unless they install the certificate into their browser because they are not trusted; with option #2 they may still have the warning, but it depends on if the local certificate server certificate has been pushed out to users.
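The username-to-realm approach described by dcvers above (and noted as unsupported in the standard config here) would come down to a small script on the custom sign-in page. The following is an added illustration, not code from this thread or from Juniper: the form field names `username` and `realm`, the realm names, and the username formats are assumptions, and it only ever submits a realm that already exists in the page's realm list so a parsing mistake cannot send the IVE an unknown realm.

```javascript
// Added example (not from the thread or from Juniper): pick the sign-in
// realm from the username format on a custom LoginPage.thtml. Field
// names "username"/"realm" and the realm names below are assumptions.

// Constructed rules: how a username looks -> which realm to select, and
// how to strip the domain part before the form is posted.
const REALM_RULES = [
  { test: (u) => /^[^\\]+\\[^\\]+$/.test(u),          // DOMAIN\user
    realm: "Corp-AD", strip: (u) => u.split("\\")[1] },
  { test: (u) => /@partner\.example$/i.test(u),        // user@partner.example
    realm: "Partners", strip: (u) => u.replace(/@.*$/, "") },
  { test: (u) => /@/.test(u),                          // any other UPN
    realm: "Users", strip: (u) => u.replace(/@.*$/, "") },
];
const DEFAULT_REALM = "Users";

// Returns { username, realm }. Unrecognised formats fall back to the
// default realm with the username untouched, so the login still reaches
// the IVE and is rejected there rather than silently dropped.
function resolveRealm(rawUsername) {
  const u = String(rawUsername || "").trim();
  for (const rule of REALM_RULES) {
    if (rule.test(u)) return { username: rule.strip(u), realm: rule.realm };
  }
  return { username: u, realm: DEFAULT_REALM };
}

// Browser-only part: on submit, rewrite the username and choose the realm
// in the (CSS-hidden) realm <select>. Only realms present in the list are
// ever selected; otherwise the form is posted exactly as the user typed it.
function attachRealmSelector(form) {
  form.addEventListener("submit", () => {
    const userField = form.elements["username"];
    const realmField = form.elements["realm"];
    const { username, realm } = resolveRealm(userField.value);
    const known = Array.from(realmField.options).some((o) => o.value === realm);
    if (known) {
      userField.value = username;
      realmField.value = realm;
    }
  });
}

if (typeof document !== "undefined") {
  const form = document.querySelector("form");
  if (form) attachRealmSelector(form);
}
```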
Thank you for your reply.
You were correct, I only created a NAT rule for HTTPS and not for HTTP, that's why the redirect didn't work.
Thank you for pointing this out, this has been fixed now.
I also created a case with Juniper for the custom sign-in page. A team is now going to pick up the case and maybe create the page. I will update on that.
I just did it the quick and dirty way, backed up my config, gave the IVE a reset, configured the correct certificate and restored my backup config.
The customer is planning to buy a real certificate soon so that will also resolve the security messages.