IF-MAP FEDERATION WITH JUNIPER NETWORKS UNIFIED ACCESS CONTROL




An Illustrated Guide to Configuring a Simple IF-MAP Federated Network
Juniper Networks, Inc.

Table of Contents
Introduction
Scope
Design Considerations
Protocol Operation
Summary
About Juniper Networks

Table of Figures
Figure 1: Basic setup
Figure 2: Connectivity
Figure 3: Collaboration 1
Figure 4: Collaboration 2
Figure 5: User roles
Figure 6: Role mapping rule on IC Series 1
Figure 7: Assigning resources
Figure 8: Creating resource access policies
Figure 9: Resource access policy on IC Series 3
Figure 10: Matching requirements with resources
Figure 11: Session-Export policy on IC Series 1
Figure 12: Session-Import policy on IC Series 3
Figure 13: User successfully accesses resources
Figure 14: IF-MAP Federation information in the Unified Access Control Administration Guide

Introduction

Scope

This document is intended to provide a visual overview for configuring a simple IF-MAP Federated network. The example procedure in this document is the next step after configuring the most basic IF-MAP Federated network as outlined in the Unified Access Control Administration Guide. Using this example will give you a better understanding of the way IF-MAP Federation on the Juniper Networks IC Series Unified Access Control Appliances (or Juniper Networks SA Series SSL VPN Appliances) works.

In this example, a user (Bthomas) authenticates to an IC Series UAC Appliance in one division of the company and is permitted to access resources on a different IC Series without authenticating to the second IC Series appliance. This example demonstrates how to set up simple Session-Import and Session-Export policies. You can use this example to extrapolate configuration details for more complex IF-MAP Federation scenarios.

Design Considerations

Protocol Operation

With IF-MAP Federation, you can extend your network and provide the optimal user experience by allowing users to authenticate once for access to resources that reside behind multiple IC Series appliances. For further details of the IF-MAP protocol, refer to TNC IF-MAP Binding for SOAP at http://www.trustedcomputinggroup.com.

[Figure 1: Basic setup. IC Series 1 (IF-MAP Federation Client), IC Series 3 (IF-MAP Federation Client), IC Series 2 (IF-MAP Federation Server)]

In this example, protected resources reside behind IC Series 3, and users authenticate through IC Series 1. IC Series 2 is a dedicated IF-MAP Federation server.

[Figure 2: Connectivity. IC Series 1 (IF-MAP Federation Client), IC Series 3 (IF-MAP Federation Client), IC Series 2 (IF-MAP Federation Server)]

Before beginning with this sample deployment, ensure that the IF-MAP Federation server can communicate with the IF-MAP Federation clients. See the Unified Access Control Administrator Guide for details on setting up the client and server to communicate.

[Figure 3: Collaboration 1. IC Series 1 Administrator and IC Series 3 Administrator]

Administrators for IC Series 1 and IC Series 3 collaborate to determine what resources on IC Series 3 should be accessible.

[Figure 4: Collaboration 2. IC Series 1 Administrator and IC Series 3 Administrator]

Administrators for IC Series 1 and IC Series 3 determine which users on IC Series 1 should be allowed to access what resources on IC Series 3. This planning is critical for configuring Session-Export and Session-Import policies on the devices. User roles, resource access policies, and Session-Export/Import policies must be coordinated between the administrators and then configured on the respective devices.

[Figure 5: User roles. Engineer Role, Finance Role, and HR Role, each with a partial list of member users (names visible in the figure include Pstewart, Phoward, Bthomas, Lwilson, and Gmadison)]

We recommend that you devise a worksheet to properly allocate resources and the users who can access them. In this example, administrators group users on IC Series 1 into appropriate roles through role mapping rules.

[Figure 6: Role mapping rule on IC Series 1]

In this example, users (including Bthomas) are assigned the HR role through a role mapping rule.

[Figure 7: Assigning resources. Human Resources Server 192.168.100.20, Finance Server 192.168.100.10, Engineering Server 192.168.100.30; roles Mapping Role, Coder Role, Employee Role]

The administrators assign specific resources to separate network addresses on IC Series 3. Next, the administrators create roles that can be used in resource access policies that can be provisioned with permission to access these resources.

[Figure 8: Creating resource access policies. Human Resources server, IP address 192.168.100.20, protected by IC Series 3]

On IC Series 3, administrators create the resource access policies. For this example, administrators create a resource access policy named Personnel with IP address 192.168.100.20 (the Human Resources server) specified as the resource, and the policy is applied to the Employee role. The policy is shown in Figure 9.

[Figure 9: Resource access policy on IC Series 3]

In this resource access policy, the Human Resources server (192.168.100.20) is added as a resource, and the Employee role is permitted access.

[Figure 10: Matching requirements with resources. Members of the HR role on IC Series 1 (Session-Export Policy) publish to the IF-MAP Federation Server; they need to access the Human Resources server that is protected by an Enforcer connected to IC Series 3 (Session-Import Policy)]

Administrators configure an IF-MAP Session-Export policy on IC Series 1. The policy is called Employee-Business. The policy is applied to the HR role, with the page defaults preserved for the other values on the page.

Then, administrators configure a Session-Import policy on IC Series 3. The policy is called Employment. The Match IF-MAP Capabilities check box is selected, and HR is entered. The Use these roles check box is selected, and the Employee role is selected.

In this scenario, all of the sessions for authenticated users who belong to the HR role on IC Series 1 are published to the IF-MAP Federation server as capabilities (similar to roles). User Bthomas belongs to the HR role, therefore when Bthomas logs in to IC Series 1, his session information is published to the IF-MAP Federation Server. The session information is linked with the capability HR. User Bthomas then attempts to access the HR server on IC Series 3. The Session-Export policy for IC Series 1 and the Session-Import policy for IC Series 3 are shown in Figure 11 and Figure 12.

[Figure 11: Session-Export policy on IC Series 1]

In this Session-Export policy on IC Series 1, the administrator sets IF-MAP capabilities to copy the HR role as a capability on the IF-MAP server.

[Figure 12: Session-Import policy on IC Series 3]

In this Session-Import policy, the administrator configures a policy that allows sessions associated with the HR capability on the IF-MAP server to be assigned to the Employee role on IC Series 3.

[Figure 13: User successfully accesses resources]

1. User Bthomas authenticates through IC Series 1.
2. IC Series 1 sends Bthomas's session information to the IF-MAP Federation Server database.
3. Bthomas attempts to access the Human Resources server that is behind the firewall. IC Series 3 queries the IF-MAP Federation Server to see if there is session information for Bthomas.
4. Bthomas is a member of the HR role on IC Series 1. The Session-Import policy uses this information to assign the Employee role to Bthomas. The Employee role on IC Series 3 can access the Human Resources server.

[Figure 14: IF-MAP Federation information in the Unified Access Control Administration Guide. Callout: "To more fully understand IF-MAP Federation, read the IF-MAP Federation documentation in the Unified Access Control Administration Guide"]

Summary

This is a basic guide to configuring IF-MAP Federation with the Unified Access Control solution. Further reading is recommended to fully understand the protocol and the implementation with UAC. An understanding of concepts and configuration of basic UAC networking is assumed.
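The following Python model is an added illustration of the Session-Export / Session-Import logic described in Figure 10 and of the four-step flow in Figure 13. It is not Juniper code and does not implement the real IF-MAP SOAP binding; it stands in for IC Series 2 with a dictionary of published session metadata, for IC Series 1 with an exporting client that applies the Employee-Business policy, and for IC Series 3 with an importing client that applies the Employment policy and the Personnel resource access policy. The session keys (10.0.0.11, 10.0.0.12), the Finance role assignment for Pstewart, and all class and function names are constructed for the example. It goes one step beyond the guide by also showing that a user outside the HR role is never published and is therefore denied on IC Series 3.

```python
"""Toy model of IF-MAP Federation with Session-Export / Session-Import policies.

Constructed example; not Juniper's code and not the IF-MAP SOAP protocol.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    roles: set
    source: str  # constructed session key standing in for the IF-MAP identifier


@dataclass
class ExportPolicy:
    """Session-Export policy: sessions holding any role in applies_to_roles are
    published, with the roles in capabilities_from_roles copied as capabilities."""
    name: str
    applies_to_roles: set
    capabilities_from_roles: set


@dataclass
class ImportPolicy:
    """Session-Import policy: if the published session carries every capability in
    match_capabilities ("Match IF-MAP Capabilities"), assign use_roles locally."""
    name: str
    match_capabilities: set
    use_roles: set


@dataclass
class ResourceAccessPolicy:
    name: str
    resource: str  # e.g. "192.168.100.20"
    allowed_roles: set


class FederationServer:
    """Stands in for IC Series 2: stores published session metadata by session key."""
    def __init__(self):
        self.published = {}

    def publish(self, source, user, capabilities):
        self.published[source] = {"user": user, "capabilities": set(capabilities)}

    def search(self, source):
        return self.published.get(source)


class ExportingClient:
    """Stands in for IC Series 1: authenticates users and publishes matching sessions."""
    def __init__(self, server, export_policies):
        self.server = server
        self.export_policies = export_policies

    def login(self, session):
        caps = set()
        for policy in self.export_policies:
            if session.roles & policy.applies_to_roles:
                caps |= session.roles & policy.capabilities_from_roles
        if caps:  # sessions that match no export policy are never published
            self.server.publish(session.source, session.user, caps)
        return caps


class ImportingClient:
    """Stands in for IC Series 3: maps imported capabilities to local roles and
    enforces resource access policies without re-authenticating the user."""
    def __init__(self, server, import_policies, access_policies):
        self.server = server
        self.import_policies = import_policies
        self.access_policies = access_policies

    def roles_for(self, source):
        entry = self.server.search(source)  # step 3 in Figure 13
        if entry is None:
            return set()
        roles = set()
        for policy in self.import_policies:
            if policy.match_capabilities <= entry["capabilities"]:
                roles |= policy.use_roles  # step 4: capability -> local role
        return roles

    def access_allowed(self, source, resource):
        roles = self.roles_for(source)
        return any(resource == p.resource and bool(roles & p.allowed_roles)
                   for p in self.access_policies)


def build_scenario():
    server = FederationServer()
    ic1 = ExportingClient(server, [
        ExportPolicy("Employee-Business", {"HR"}, {"HR"})])
    ic3 = ImportingClient(server,
        [ImportPolicy("Employment", {"HR"}, {"Employee"})],
        [ResourceAccessPolicy("Personnel", "192.168.100.20", {"Employee"})])
    return ic1, ic3


def run_scenario():
    ic1, ic3 = build_scenario()
    bthomas = Session("Bthomas", {"HR"}, "10.0.0.11")        # HR role per the guide
    pstewart = Session("Pstewart", {"Finance"}, "10.0.0.12")  # role constructed here
    r = {}
    r["bthomas_capabilities"] = ic1.login(bthomas)    # steps 1-2
    r["pstewart_capabilities"] = ic1.login(pstewart)  # no export policy matches
    r["bthomas_roles_on_ic3"] = ic3.roles_for(bthomas.source)
    r["bthomas_hr_server"] = ic3.access_allowed(bthomas.source, "192.168.100.20")
    r["bthomas_finance_server"] = ic3.access_allowed(bthomas.source, "192.168.100.10")
    r["pstewart_hr_server"] = ic3.access_allowed(pstewart.source, "192.168.100.20")
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to take from the model is that IC Series 3 never sees a credential: it trusts only the capability set the federation server returns for the session, so the export policy on IC Series 1 and the import policy on IC Series 3 together define exactly which remote roles become local roles, and a session that matches no export policy has nothing on the server to import.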

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King's Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
Fax: 35.31.8903.601

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.

Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

8010023-001-EN Apr 2009