Hi Kannan,   Thank you for your responsse.   in ipad using EAP-TLS and in mag also enable for this protocol. does it have to use junos pulse on ipad to do certificate authentication or just can use wifi connection only?   and how to create CA and client certificate ?   Thanks   ... View more

Hi Kannan,   Thanks for your information.   What about if IC series will use as only radius server, should by concurrent user license also or only radius license ? ... View more

Hi Jay,   I've configured ptp using virtual hostname : test.company.com and the web resource is http://my.company.com. Add host entry in my pc ex: 2.2.2.2 for test.company.com (2.2.2.2 is SA public IP).  I tried access from browser : test.company.com but cannot  appears the login page. Is it something missing in my confguration?   ... View more

Hi Jay,   I have configured virtual hostname for PTP in SA and configure host entry in PC mapping to public ip of SA (using your pdf guide). but when try to access the virtual hostname from browser: the certicate warning in browser appears as usual and click continue  but after that the page login did not show up.   what is the problem ? ... View more

Hi Jay,   We just want to use 1 url map to PTP public IP.   What is the disadvaantange if using the same public IP for SA and PTP?   can i create certificate for wildcard using openssl? and if using virtual hostname, is it have to bind the certitifacte to this virtual hostname? or if just using virtual port  we should have to bind certificate to this virtual port?   thanks  ... View more

Hi Jay,   So do you mean :   1. we can stiil use the same hostname for PTP which as same as hostname of backend server? 2. we have to add one more public IP for PTP besides public IP of SA ? 3. then this Public IP of PTP will publish to external dns server ( domain : my.company.com will publish using this public ip of PTP, not using public IP of internal interface SA ?   Thanks  ... View more

Hi Paul,   yes, i have asked to Local Juniper SE.   Thank you ... View more

Hi Jay,   Actually the current application is web using port 80 example : my.company.com ( this domain still publish to external DNS server for now. This domain will via SA for next, so we doing PoC to make sure can be implemented) later after we have make sure it can be secured through  SA then this domain : my.company.com will move to public IP of SA.   in this PoC we using one new ip public for SA and regarding your sugestion adding host entry (my.company.com pointing to public IP of SA) in pc and configure SA using hostname in PTP. is it right?   So i think if this can be done in PoC, better will be using hostname than using Via Port SA, because customer want for this change sttil want to keep user still access with the same name : my.company.com (with not adding port behind this domain, e.x : my.company.com : 11000).  can we do like this? ... View more

Hi Paul,   Thanks for your confirmation. actually my company are juniper partner :D     I have already searching in many techincal documentation and juniper knowledge base but still not find that informaton about no. of auth table in SSG series.   Thanks again for your information. ... View more

Hi Jay,   Thank you for your explaination.   regarding of what your said : "The reason PTP configuration using port is recommended is because if you do it by hostname, you will need to create a Certificate for that PTP virtual hostname"   So based on the guide of PTP there are 2 methods doing PTP in SA : Via an SA port and Via external DNS resolution.   So do you mean using Via port method in SA is better recomended then using Via external DNS resolution ? ... View more

Hi Jay,   the topology like this:   Internet ----------------------Firewall -------------------Switch -------------- SA and web server   in SA, i just using internal port with local IP (not use external port). Public IP for this SA is in Firewall.   so for this PoC, user from internet access to public IP SA, after login through SA, user can accees the web application.   So based on your suggestion is, adding host entry in hostfile in PC user from internet accessing domain that pointing to SA public IP, am i right?   for this test, i have to open port 11000-11099 in Firewall?   Thanks ... View more

Hi Paul,     So do you mean when using manual mapping policy, when user authenticated to IC then IC will push auth. table entry even user is not access the protected resource?   and when using dynamic auth. table allocation/provisioning, when user authenticated to IC then IC will not push auth. table entry to enforcer, unless user accessing the protected resource and then IC will push auth. table entry to enforcer.  am i correct ?   what about the total number of auth. table entry in enforcer like SSG20, how many can support? do you have a list for every SSG series?   Thanks   ... View more

Hi Jay,   I read on PTP document that you give. There is rewrite feature. is it the same with the rewrite feature in role configuration?   if this is because the rewrite fature on SA makes taking longer time. Is it any different using rewrite feature in role and rewrite feature in PTP?   Now i use one new ip public for SA (NAT in Firewall to SA local IP), not publish to external domain yet. So i have to use PTP SA port method, right? ... View more

Hi Jay,   Thanks for your question.   yes, i have tried adding host entry in SA for domain my.abc.com with the local IP, but still the same.   is it have to remove DNS IP in Network configuration when adding this host entry in SA?     ... View more

Hi Paul,   Abou dynamic auth. table provisioning i have already read it in knowledge base.  One more question about dynamic auth.table provisioning : If using this feature, let say user A authenticated to IC, so this user information will added to all SSG's auth table entry?  Because what i understand if using manual auth.table mapping policy we can define which user and role connecting to which ssg and if using dynamic auth table provisioning each authenticated user information wiil be added to auth table entry in all ssg but will be remove automaticaly after user disconnected, am i right?   And if using dynamic auth table provisioning we just delete auth table configuration in IC, right?   How many auth table entry in ssg20 can support? ... View more

  Hi Paul,   If doing like that, we have to configure more role per site and define more group in AD (because auth server using AD, right now users in all site using one group in AD) right? If so there are many things to configure. Does any other way that more simple? ... View more

Hi Paul,   Sorry for confusing you. This the example :     SSG20 site A & SSG20 site B   ------------connected-------------------> IC Cluster A/P   let say user 1 & user 2 are behind SSG site A and user 3 & user 4 are behind SSG site B.   When user 1 & 2 authenticated to IC, in auth. table in SSG site A can see user 3 and user 4 also,eventhough user 3 and 4 in different SSG (SSG site B).   What i want is : in SSG site A only user 1 and 2 in auth table or user 3 & 4 only in auth. table SSG Site B.   because there are more than 200 SSG20 will connected to IC and users in each site SSG are many, i concern if all users authenticated to IC appears in each SSG auth. table , will make resource of SSG increase and maybe decrease performance of SSG. i dont want like this.   Any idea?   Thanks         ... View more

Hi Paul,   With Auth. Table mapping policy in IC can we define that each authenticated user behind it's own SSG firewall only appears in it's own SSG's auth table, not in all SSG that connected to IC?   Thanks  ... View more

Hi Paul,   I know  your suggestion about click cancel button and second popup will show up to asking disable infranet controller connection,but actually this OAC is cutomize ( custom installer) and defined that user cannot disabled infranet controller connection checkbox. So if  even click cancel button this popup will show up again asking for password. In this custom installer of OAC, user cannot change anything, because all option in sidebar of OAC is hide and infranet controller checkbox connection is in grey color means that user cannot uncheck it. ... View more

Hi,   Yes,  i think this is the default behaviour of OAC. i have tested configure re-authentication on OAC preference but still keep pop-up for password. This deployment is layer 3 only means just using UAC and Juniper firewall ssg as infranet enforcer, not using switch. I have tested when we turn off or plug-off the ethernet connection from pc, it does not show up anymore, but if we plug-in the utp cable again, the windows pop-up is show up again I'm still looking the solution. Any others idea? ... View more

Hi, Thanks for the information... ... View more

Hi Spuluka, yes, i think your opinion to setup new public ip address for this domain: my.abc.com that pointing to SA login page is best solution and then SA will forwarding to web app server when user click on bookmarks defined on SA and dns ip must be configured on SA so it can resolve this domain. like your said "You will then delete the secured application DNS entry so this will no longer forward or work without using the SA" could you explain more details about the meaning? Thank you ... View more

Hi Spuluka, yes, first what you are said is correct about: "Currently the three sites are publicly avaialbe using a standard firewall to forward to your web server. The server uses host headers to sort out the three sites on the single ip address. The internal HQ users override the DNS and use the same host names to the internal ip address and this will not change." after discussion with them, they decide internal HQ users will be keep using the current condition (not via SA), but for the user from internet will be using SA. user must be login to their web apps, so just for 1 web apps will be securing through SA, the 2 others web apps will still publish on internet/not through SA. So the task just for 1 web apps want to be secured and not publish anymore on internet. The server uses host headers to sort out the three sites on the single ip address. this will keep like this using 1 public ip address. let say the current domain use for this web apps is my.abc.com, so currently when user access this domain firewall will direct to web server local ip address. If i want to keep using this domain but change firewall directing to local IP of SA, is it possible right? or is it better solution to change public IP for domain my.abc.com? one more question: i want to put the SA in HQ site(not in same location with web app server) and they have not internal dns server, like i mentioned before user in HQ using host-file define on their PC "override the DNS and use the same host names to the internal web server ip address and this will not change" question is: is it possible to configure host-file in SA, like on user's pc, because there is no internal dns server which can be configured on SA's DNS setting? Thank you ... View more

Hi, after i gather information from them, the condition is: Local user using Host File define in their PC if they access their web apps. This host file is contain domain name and it's IP local of the server which located in other site(not at HQ). and for user from external site/internet to access this web apps is forwarding using web alias configured in web server( they said like that) for the local user, i have clear about that. I just not clear about external user/internet traffics flow. Let say is user from internet access this web apps, ex: abc.com : the flow is through ISP's DNS forwarding to Public IP of web apps server in which in this web app server contains 3 web apps using the same Public IP. If i want installed SA SSL VPN using the same domain : abc.com, so when user access this web apps is forwarding to SA SSL VPN and then access this web apps through SA SSL VPN. Any idea how is the flow or concept to accompish this ? for your info this web apps is plan to not publish into internet anymore if using SA SSL VPN. or the solution is to give the new public IP for this domain that will be using for SA? I think this can be okay, but need more time to update this domain with new public IP. Thanks ... View more