Hi,   Basicly you could start with reading about appsecure. If you're looking for how to configure it, the security configurations guide is a good startpoint. http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/security/software-all/security/junos-security-swconfig-security.pdf part 11.   After you created working rules based on ip make a connection to the uac for the policy you want and start using source-idendity. You then can apply policies to users in specific UAC roles.   Read here about configuring AUC to work with SRX   http://www.juniper.net/techpubs/software/uac/4.2xguides/j-ic-uac-4.2-srxsolution.pdf   Greetings,   Michel ... View more

For L2 enforcement you can use any 802.1x speaking device, as long as send the attribute back. For L3 you can use either ScreenOS device or (I would prefer) SRX devices. ... View more

http://www.juniper.net/techpubs/software/uac/4.1xrelnotes/j-ic-uac-4.1R1-b17057-supportedplatforms.pdf ? ... View more

Isn't that the case very often: it depends? ... View more

We also use rapidsll, never a problem! ... View more

The policy would come from the IC in this case! There's just one polcy in the firewall allowing authenticated user access. The IS does the authentication, most commonly using a odysee access client on the end-user pc. ... View more

It's not mandatory! You can set-up in a one-leg setup. However it's common to "by-pass" the DMZ to internall segments of a firewall. Externall port in DMZ zone on firewall allowing only HTTPS to it and connecting internall port to trusted network. One-leg in DMZ has the disadvantage of allowing many protocols through the firewall from DMZ to internall. ... View more

You can go to system log/monitoring and look in the user acces log. If needed select logon / logof in settings or define a filter for this events. ... View more

But if you confugure the ssg to use the same internall dns server your clients use everything will work fine, won't it?! ... View more

Hi, why don't you use DNS and FQDN to list those spedifc hosts? When you create adress book entries that's possible. ... View more

I googled: this looks like a ready to use freeware http://www.softpedia.com/get/Security/Encrypting/LightCA.shtml or maybe you have a AD server in your lab? You can install a MS certserver on a AD server. ... View more

Easiest thing to do is download a simple (freeware) CA. copy root certs to IC and SSG and create two certs requests. Install the device certs and go with it. ( check this http://www.netcraftsmen.net/welcher/papers/certauth01.html ) Message Edited by Screenie on 06-21-2009 10:06 PM Message Edited by Screenie on 06-21-2009 10:10 PM ... View more

Or, to look at active VPN sessions: get sa active. ... View more

How about a radius server as accounting server? ... View more

Hi, Did you read in this manual http://www.juniper.net/techpubs/software/uac/3.0xguides/530-029876-01-AdminGuide.pdf the passage authentication and directory servers, Configuring a radius server instance ? I think tis is the documentation you are looking for. ... View more

Yes, they should apply! ... View more

You could upload your own prefered telnet emulator applet. I don't know why you can't change setting, I certainly never had this problem. ... View more

On the 5GT there where two addional licenses: the plus for more users with base functionality and the extended for adding DMZ zone etc. SSG (5 and 20) doesn't have the user count restriction. You can add more functionality with the advanced license. Increases some counters (VPN tunnels, VLAN's see fact sheet) and add A/P NSRP to the box. ... View more

Nothing? Are you using spilt tunnel? If so, is traffic for those faling networks routed to the SA? Did you check the routing table on the client? ... View more

What does the logging show about the failing sessions? ... View more

Are other resources (network beyond the one you're connecting to) allowed by the resource policy? Is traffic forwarded to the right gateway? (netstat -r on your PC shows the routing) ... View more

Are the certs signed by ca your client has a trust relation with? Otherwise install the root cert from the ca in the client. ... View more

file path to deep: a symlink pointing to itself or something? Sounds like recursive dir entry. ... View more

You can check on registry values. So look for a value in your registry unique for the version. best regards, Screenie. Juniper Ambassador, JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it. ... View more