Communication Between Infranet Controller (IC) and SSG

andre_
Contributor

Communication Between Infranet Controller (IC) and SSG

Hi Guys,

I need some suggestions about my question below:

I have configured IC and SSG to communicate with each other without L2 switch authentication, so only IC and SSG firewall. They are already connected to each other, and when
I created an access policy in IC between 2 subnets, let's say subnet 172.16.1.x and 172.16.2.x, it automatically appears in the SSG policy. The question is I cannot ping from subnet 172.16.1.x to 172.16.2.x with any application allowed. And in the SSG policy (Edit --> Advanced button) when we click there is authentication with 3 options: no redirect, redirect...., and redirect all. My question is which one do we choose??? And redirect means direct traffic where????
Is it the problem in the policy or not that causes the failure to ping from subnet 172.16.1.x to 172.16.2.x?????


Any suggestions are appreciated.

thank you guys

Andre
aronow_
Contributor

Re: Communication Between Infranet Controller (IC) and SSG

Andre, so I think I'll work backwards.

You had a question about firewall policy options, the Advanced settings dealing with redirect. The firewall has the ability to act as a captive portal for web (port 80) traffic. If a packet matches a FW policy for UAC, the policy will check the redirect options. If the packet is port 80 web traffic, and the policy is configured to redirect unauthenticated traffic or redirect all traffic, then the FW will redirect the port 80 request to the IC. In practical terms, if you open a web browser and go to www.juniper.net and you hit this policy on the firewall, then you will see an IC page instead of www.juniper.net.

Now the redirect has a couple of options. No redirect does not redirect any traffic to the IC. If you are not authenticated to the IC and you try to send any traffic, it will just get dropped by the FW (as per normal FW policy behavior). If you specify redirect unauthenticated, then if you are not authenticated to the IC, all traffic will get dropped except port 80 HTTP, which will get redirected to the IC. This is done with an HTTP 302 redirect sent from the firewall to your browser. Then your browser connects to the IC instead of your intended destination. Lastly, if you have the firewall set up for redirect all, then any traffic that is not IPsec traffic will get dropped unless it's port 80 HTTP traffic. Then the port 80 HTTP traffic will get redirected to the IC. By default, the port 80 HTTP traffic will get an HTTP 302 redirect telling your browser to visit the IC's default sign-in policy (*/). If you want to change this, or use any of the advanced redirect options, you can set this information under the Infranet Auth server entry in the configuration section.

Now that this is all said and done, I guess my question back to you is how exactly do you have things set up? It didn't sound like you were trying to do redirect.

What you should be looking at is making sure that once you've authenticated your clients, you are getting an infranet auth table entry. If you want, you can attach a "get config" from the firewall, and just snip out the sensitive bits. Also, do a "get auth table infra". This will show your infranet auth table entries. You must have authenticated to the IC and you must have gotten roles on the IC that map to Infranet Enforcer resource policies that allow your client to access the desired subnets. These resource policies will get pushed to the firewall once you authenticate. If you haven't authenticated, then you won't have roles that give you access to any resources. The policy that you can see on the firewall is ONLY used to match a packet, to then compare that packet against the infranet auth table. The infranet auth table, when doing source IP enforcement, checks to see if there is an entry containing your IP as the source, and that the destination in your packet matches the things allowed by your roles. If so, then the FW passes your packet.

Anyway, hope some of that helps! Thanks, Jeff
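The decision path Jeff describes (policy match, then infranet auth table lookup by source IP, then the redirect option) can be modelled as a small simulation. This is an added example written for this thread, not Jeff's code or anything from ScreenOS or the IC; the sign-in URL, the Packet and AuthEntry classes, and the reading of "redirect all" (clear-text traffic is redirected if HTTP and dropped otherwise, while IPsec traffic goes through the auth table) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The three "Authentication" choices on the SSG policy's Advanced tab, as named in the thread.
NO_REDIRECT = "no redirect"
REDIRECT_UNAUTH = "redirect unauthenticated"
REDIRECT_ALL = "redirect all"
IC_SIGNIN = "https://ic.example.invalid/"  # constructed placeholder for the IC default sign-in page (*/)

@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 0        # TCP/UDP destination port; 0 stands for ICMP (ping) in this model
    ipsec: bool = False   # True when the packet arrived inside an IPsec tunnel from the client

@dataclass
class AuthEntry:
    """One infranet auth table row: an authenticated source IP and the resources its roles allow."""
    src_ip: str
    allowed: tuple        # destination networks derived from the IC resource policies (assumed shape)

def allowed_by_roles(pkt, auth_table):
    """Source-IP enforcement: is there an entry for pkt.src whose roles permit pkt.dst?"""
    for entry in auth_table:
        if entry.src_ip == pkt.src:
            return any(ip_address(pkt.dst) in ip_network(net) for net in entry.allowed)
    return False          # no entry at all: this host never authenticated to the IC

def enforce(pkt, auth_table, mode):
    """What the SSG does with a packet that matched the UAC policy: 'pass', 'drop' or 'redirect:<url>'."""
    is_http = pkt.dport == 80 and not pkt.ipsec
    if mode == REDIRECT_ALL and not pkt.ipsec:
        return f"redirect:{IC_SIGNIN}" if is_http else "drop"   # assumed reading of "redirect all"
    if allowed_by_roles(pkt, auth_table):
        return "pass"
    if mode == REDIRECT_UNAUTH and is_http:
        return f"redirect:{IC_SIGNIN}"   # unauthenticated browser gets the HTTP 302 to the IC
    return "drop"                        # plain firewall behaviour: nothing in the auth table

def demo():
    """Constructed scenario matching the question: 172.16.1.x hosts trying to reach 172.16.2.x."""
    table = [AuthEntry("172.16.1.10", ("172.16.2.0/24",))]   # only .10 has signed in to the IC
    return {
        "unauthenticated ping, no redirect": enforce(Packet("172.16.1.20", "172.16.2.5"), table, NO_REDIRECT),
        "unauthenticated http, redirect unauth": enforce(Packet("172.16.1.20", "172.16.2.5", 80), table, REDIRECT_UNAUTH),
        "authenticated ping to allowed subnet": enforce(Packet("172.16.1.10", "172.16.2.5"), table, NO_REDIRECT),
        "authenticated, destination not in roles": enforce(Packet("172.16.1.10", "10.0.0.5", 443), table, REDIRECT_UNAUTH),
    }
```

The first case is the one from the question: a host on 172.16.1.x with no auth table entry is dropped no matter what the pushed policy says, because the policy only decides which packets are checked against the table.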
andre_
Contributor

Re: Communication Between Infranet Controller (IC) and SSG

First, thanks aronow for the reply.

I have set up the IC and SSG so that they are connected to each other. When I create the resource policy in IC that is pushed to SSG, the option in the SSG policy (Advanced button) for authentication is "no redirect" by default. Is it always like that? I mean, does it have to be manually changed to redirect.....??? Or is there any automatic way??

The second is that in the resource policy in IC there are IPSEC and SOURCEIP options for creating the policy that is pushed to SSG. What is the meaning of SOURCEIP?
According to me, the SOURCEIP is the destination resource that can be allowed for a user or not. Is it true???

thank you

Andre