Dear all,
I am configuring the IC4000 with the SSG-140 as an Infranet Enforcer. Host Checker ran successfully on the systems, the endpoint system has no security vulnerability, then the login screen came and I logged into UAC in agentless mode.
For the resources, I just want to go to the internet. Now I created a policy on the SSG-140, but it DENIED all traffic. Here is the log of the policy.
ID Source Destination Service Action
6 any any any permit infranet auth
SA/port DA/port Transl SA/port Transl DA/port service duration byte-S bytes-R close-reason
10.1.1.10:1304 202.163.96.3:53 0.0.0.0 0.0.0.0 dns 0sec 0 0 Traffic Denied
Hi Badar,
You have to set the policy in both (Firewall and UAC). You did it in the firewall, but did you set an authorization for your role in the UAC?
In the Enforcer menu there is a section with policies; you have to authorize a destination network (0.0.0.0/0 in your case) for a predefined role.
Also check if the connection between the UAC and the SSG140 is okay (green light in the main menu of the UAC).
Dear Sylvain,
Thanks a lot for your help, it really worked as you said.
Now the same problem occurs when I try to access a resource from Untrust to Trust.
SSG-140 Untrust 192.168.1.168
Trust 10.1.1.100
UAC internal port 10.1.1.1
web server IP 10.1.1.10
Now I want to access the resource at port 80 which resides on 10.1.1.10/24. I want to give access to this resource from the 192.168.1.0/24 network.
I created the same ScreenOS policy (Untrust to Trust, source IP) from UAC, and it is pushed into the SSG140. I also redirected all unauthenticated traffic to UAC.
When I try to connect to http://10.1.1.10:80 or https://10.1.1.1/agentless or https://10.1.1.1/admin, the browser gets stuck and below the browser it shows "connected to 10.1.1.1", which is the IP of UAC. The same error is again visible in the policy log: TRAFFIC DENIED, sent/received packets 0, Translated (SA/port and DA/port) shows 0.0.0.0.
It is the same problem as before from Trust to Untrust. In the UAC routes, the default route 0.0.0.0 GW 10.1.1.100 is the IP of the SSG140 trust interface.
I added 192.168.1.0/24 at realm level and also at role level, but still I am unable to connect to 10.1.1.0/24 from 192.168.1.0/24.
Please guide me to a solution, thanks Sylvain.
Hi Badar,
Did you create a simple policy in the Firewall (without UAC enforcement, from Untrust to Trust) to access 10.1.1.1 from the Untrust zone, in order to let your users authenticate?
Sylvain
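The firewall-side half of what Sylvain describes (a plain pre-authentication policy to the IC, plus the infranet-auth enforced policies), as an added ScreenOS CLI illustration that is not from this thread; the address-book names and policy IDs are assumptions, and the role authorization for the destination network still has to be configured on the IC itself.

```screenos
# Added illustration, not taken from the thread. Addresses follow Badar's
# topology: IC4000 internal port 10.1.1.1 and web server 10.1.1.10 in Trust,
# clients 192.168.1.0/24 in Untrust. Object names and policy IDs are assumptions.
set address trust "IC4000" 10.1.1.1 255.255.255.255
set address trust "WEB-SRV" 10.1.1.10 255.255.255.255
set address untrust "CLIENTS" 192.168.1.0 255.255.255.0

# 1) Pre-authentication policy: an ordinary permit with NO infranet-auth, so an
#    unauthenticated client can reach the IC sign-in page over HTTPS at all.
#    Without this, redirected users hang on "connected to 10.1.1.1".
set policy id 10 from "Untrust" to "Trust" "CLIENTS" "IC4000" "HTTPS" permit

# 2) Enforced policy for the protected resource: the SSG only forwards
#    sessions whose source IP the IC has authorized (role resource 10.1.1.0/24).
#    Anything else shows up as "Traffic Denied" with 0.0.0.0 translated
#    addresses and 0 bytes, exactly like the log in the first post.
set policy id 11 from "Untrust" to "Trust" "CLIENTS" "WEB-SRV" "HTTP" permit infranet-auth

# 3) Trust-to-Untrust internet access from the first post, also enforced.
set policy id 6 from "Trust" to "Untrust" "Any" "Any" "ANY" permit infranet-auth

# 4) ScreenOS matches policies top-down, so keep the pre-auth policy above
#    the enforced one for the same zone pair.
set policy move 10 before 11
```

The matching UAC-side step is the role-level resource policy on the IC authorizing 10.1.1.0/24 (or 0.0.0.0/0 for internet access) for the agentless role; only when both halves exist does the enforcer stop denying the session.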
Thanks Sylvain
It is done; now I can move traffic from Trust to Untrust and vice versa.
A few questions while using the agentless approach.
1. I have 130 SSG-140s, all making IPsec tunnels with an ISG 2000 at the central location. Can I place UAC in the DMZ and redirect traffic going towards protected resources to first authenticate with UAC for endpoint security?
2. Trust (protected resources): 192.168.1.0/24 (web, email etc.)
3. Untrust (130 IPsec tunnels): 10.16.1.0/24, 10.16.2.0/24, ... 10.16.130.0/24
4. DMZ: 172.16.1.0/24
What is the best place to install UAC, or can I install UAC in any of the zones, whether Trust or DMZ? Remember they are using a proxy in their environment as well.
The agentless option can't work in the presence of a proxy, as written in the documentation.
Best regards and many thanks.
Hi Badar,
1 - Yes you can, but be careful to authorize (without UAC enforcement) HTTPS access to your UAC. Then try to centralize all your policies on the ISG 2000.
2 - UAC in a special DMZ with direct access (without proxy) from the IPsec tunnel.
Hope everything has helped.
Sylvain
Hi Sylvain,
I am sorry that I could not reply earlier. I am not able to test this last solution about the DMZ; all the other communications from Trust to Untrust and Untrust to Trust are working fine as per your directions.
I will do this in the first week of July as I am forced to do some other critical tasks.
Thanks again for your kind support; I will let you know as soon as I get a chance to work on this UAC project.
Hi all,
This is a continuation of the same project for the deployment of the IC4000 in an agentless environment.
Now I want to make a cluster. The 2nd IC4000 is on factory settings; I just upgraded this device to 2.0.
1. Do I have to generate a separate certificate from the certificate server for the 2nd device, or will it automatically get the certificate from the first device?
2. Should I install a separate license for this 2nd device, or will it get the license from the first IC4000, which has the 2000-user license, after installing the cluster licensing?
3. Does the cluster license have to be installed on each device separately?
4. I want to make it Active/Passive mode.
5. Should I configure the first device fully and then add the 2nd device to the cluster, or should I make the cluster first and then configure the master device?
6. One more thing: on the first device I got the 2000-user license, and when I registered the 2nd IC4000 on the Juniper site and installed the given license key on the 2nd device, it shows only one license for 0 users. What is this all about?
When we add this 2nd device into the cluster, only then will it pick up the license for 2000 users? Confusion.
Please reply