APPLICATION NOTE
Juniper Networks SSL VPN and Windows Mobile
Secure, Mobile Access to Corporate Email, Applications, and Intranet Resources
Table of Contents
Introduction 1
Scope 1
Description and Deployment Scenario 1
Clientless Access (ActiveSync, Web, and File Sharing) 1
Windows Secure Application Manager (WSAM) 2
Endpoint Security (Host Checker) 3
Localization 4
Summary 4
About Juniper Networks 4
Introduction
Juniper Networks SA Series SSL VPN Appliances lead the SSL VPN market with a complete range of remote access appliances. The SA Series is based on the Instant Virtual Extranet (IVE) software, which uses SSL, the security protocol found in all standard Web browsers. Enhanced access methods enable the enterprise to provision secure access, by purpose, for virtually any resource, including Exchange, Terminal Services, intranet applications, and much more.

With the introduction of Juniper Networks IVE 6.2 software, Windows Mobile devices (including Pocket PC and Smartphone) can securely access internal resources through the SSL VPN. Supported SA Series features include WSAM (Windows Secure Application Manager), Core Access for Web and Files, and Clientless ActiveSync.

Scope
This document provides a high-level overview of the features and functionality supported by Juniper Networks IVE software release v6.2 and Microsoft Windows Mobile 5.0 or higher.

Description and Deployment Scenario

Clientless Access (ActiveSync, Web, and File Sharing)
SA Series SSL VPN Appliances offer several benefits to Windows Mobile users, even in a purely clientless form. That is, no special software is installed on the Windows Mobile device, nor is any necessary. Authentication is handled with a traditional username/password, a one-time token, or Client Certificates. Core Access dynamically builds a portal page for authenticated users and can provide links to all of their applications as well as single sign-on (SSO) to backend Web resources such as a corporate intranet, Microsoft OWA/OMA, SharePoint, and much more. The SSO framework supports Basic Auth, NTLM2/1, headers, cookies, SAML, and Form POST methods.

In addition to Core Access to Web applications, the SA Series can also securely front-end Windows and UNIX (SMB and NFS) file shares, presenting them through a Web interface. This enables mobile users to download and upload documents easily from network shares, and can even provide a dynamic bookmark to users' home directories. The file-sharing feature also supports SSO (NTLM and Kerberos) and allows users to download a file, upload a file, upload a Zip file and extract its contents, or download multiple files as a Zip file. File Sharing and Web Access are both further secured with Resource Policies that permit or deny access to specific resources. For Web, access control is granular down to the object level. For File Sharing, access control not only permits or denies access but can also restrict a share to read-only access, if desired.
ActiveSync is also natively supported with IVE 6.2 and later. This HTTP proxy feature enables mobile devices that support Microsoft ActiveSync to seamlessly connect to backend Exchange environments. The SSL VPN is configured to proxy Exchange traffic over a special Authorization Only VIP, and forwards the raw HTTP payload to the Exchange server. This framework enables organizations to deploy Push Email without having to put the Exchange server in the demilitarized zone (DMZ). Direct Push is fully supported, as well as bidirectional synchronization of Email, Contacts, Calendar, and Tasks. Additional authorization policies may also be implemented here, such as locking down to a Source IP/range, User-Agent, DeviceID, and more. One additional note: users who are connected with Clientless ActiveSync do not count against the IVE concurrent user licenses, allowing customers to easily and cost-effectively scale their SSL VPN mobile deployments.

Windows Secure Application Manager (WSAM)
Juniper Networks SA Series SSL VPN Appliances offer WSAM support for Pocket PC and Smartphone devices running Windows Mobile version 5.0 and later. This agent, installed on the fly via Pocket IE, seamlessly tunnels applications from the mobile device back to a corporate intranet. This technology enables configured applications such as ActiveSync, Terminal Services, Email, and more to be encapsulated and sent over an SSL tunnel to the remote SSL VPN gateway, where the payload is then extracted from the SSL tunnel and put onto the internal corporate network. Client/server applications are supported, and both UDP and TCP (fixed and dynamic port) protocols can be tunneled in this manner. WSAM also provides several options to ease usability, including Auto-Launch (at WM boot), Certificate Authentication, and application status, which shows applications that are actively being secured.
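The Clientless ActiveSync paragraph above describes an Authorization Only VIP that forwards the raw HTTP payload to Exchange only after additional authorization policies (Source IP/range, User-Agent, DeviceID) have been satisfied. The following Python example, added here and not Juniper code or IVE configuration syntax, models that gatekeeping decision over constructed ActiveSync request heads. The policy structure, the field names, the sample addresses and the device identifiers are all assumptions made for this illustration; the request shapes (the `Microsoft-Server-ActiveSync` path with `Cmd`, `User` and `DeviceId` query parameters, and a query-less `OPTIONS` probe) follow the ActiveSync HTTP protocol.

```python
"""Evaluate ActiveSync requests against an authorization-only proxy policy.

Added illustration, not Juniper code: it models the checks the application
note lists for the Clientless ActiveSync VIP (source IP/range, User-Agent,
DeviceID) that must pass before the HTTP payload is forwarded to Exchange.
Policy format, field names and sample requests are constructed for this example.
"""
import base64
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed policy: only clients on the listed ranges, presenting a Windows
# Mobile ActiveSync user agent and an enrolled DeviceId, may reach Exchange.
POLICY = {
    "allowed_sources": ["203.0.113.0/24", "198.51.100.0/24"],
    "allowed_user_agent_prefixes": ["MSFT-PPC/", "MSFT-SPHONE/"],
    "enrolled_device_ids": {"WM5POCKETPC001", "WM6SMART002"},
    "expected_path": "/Microsoft-Server-ActiveSync",
}


def parse_request(raw: str) -> dict:
    """Parse a minimal HTTP/1.1 request head into method, target and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def authorize(raw_request: str, source_ip: str, policy: dict = POLICY) -> tuple:
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    req = parse_request(raw_request)
    parts = urlsplit(req["target"])
    if parts.path != policy["expected_path"]:
        return False, f"path is not the ActiveSync endpoint: {parts.path}"

    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(n) for n in policy["allowed_sources"]):
        return False, f"source {source_ip} outside allowed ranges"

    # The VIP is authorization-only: the client must present credentials
    # with every request, there is no portal sign-in session to fall back on.
    auth = req["headers"].get("authorization", "")
    if not auth.startswith("Basic "):
        return False, "no Basic credentials presented"
    try:
        user = base64.b64decode(auth[6:], validate=True).split(b":", 1)[0].decode()
    except (ValueError, UnicodeDecodeError):
        return False, "malformed Basic credentials"

    ua = req["headers"].get("user-agent", "")
    if not any(ua.startswith(p) for p in policy["allowed_user_agent_prefixes"]):
        return False, f"user-agent not permitted: {ua!r}"

    # An OPTIONS capability probe carries no query string, so DeviceId is absent;
    # treat that as a failed check rather than an implicit allow.
    device_id = parse_qs(parts.query).get("DeviceId", [None])[0]
    if device_id is None:
        return False, "DeviceId missing from query string"
    if device_id not in policy["enrolled_device_ids"]:
        return False, f"DeviceId {device_id} not enrolled"

    return True, f"forward {req['method']} {parts.path} for user {user}, device {device_id}"


# Constructed sample requests (credentials are the literal 'jdoe:secret').
SYNC_REQUEST = (
    "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=jdoe&DeviceId=WM5POCKETPC001"
    "&DeviceType=PocketPC HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "User-Agent: MSFT-PPC/5.2.5050\r\n"
    "Authorization: Basic amRvZTpzZWNyZXQ=\r\n"
    "Content-Type: application/vnd.ms-sync.wbxml\r\n\r\n"
)
OPTIONS_REQUEST = (
    "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "User-Agent: MSFT-PPC/5.2.5050\r\n"
    "Authorization: Basic amRvZTpzZWNyZXQ=\r\n\r\n"
)


if __name__ == "__main__":
    for label, req, src in [
        ("enrolled device, allowed range", SYNC_REQUEST, "203.0.113.25"),
        ("enrolled device, foreign range", SYNC_REQUEST, "192.0.2.9"),
        ("OPTIONS probe without DeviceId", OPTIONS_REQUEST, "203.0.113.25"),
    ]:
        print(f"{label}: {authorize(req, src)}")
```

Each check returns a distinct reason string so that denied requests can be logged and counted per cause; a rise in "not enrolled" or "outside allowed ranges" denials on the VIP is the signal a defender would want to alert on.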
WSAM can be configured in two modes: Application or Host mode. Policies are configured on the SSL VPN gateway and pushed down when the WSAM agent connects. In Application mode, a set of applications/programs is configured so that all of their data/transactions are tunneled over WSAM. In Host mode, a destination IP/network is configured so that any application or program attempting to access that IP/network is tunneled.

Endpoint Security (Host Checker)
With IVE version 6.2 and later, Host Checker can now provide endpoint security policy enforcement for Windows Mobile devices. For example, if an organization wants to mandate that all mobile devices run a particular Smartphone security agent, Host Checker can be configured to enforce that requirement before allowing access to vital company resources. If the agent is not running, the mobile device is not in compliance with the policy; the device can then be quarantined and granted access only to limited network resources. Host Checker's famous Remediation framework is also supported for Windows Mobile devices. This means users who are not in compliance receive valuable feedback letting them know what needs to be done in order to get back into compliance. This type of self-service model is just one of the many features that make Juniper's SSL VPN so popular. By being able to implement stronger endpoint controls, organizations are able to broaden remote and mobile access to critical resources without increasing the overall security risk.
Localization
To support a wide range of users, Juniper's SSL VPN supports a localized end user interface as well. Eight languages are supported: Spanish, Korean, Japanese, Chinese (Traditional), Chinese (Simplified), German, French, and English. The end user UI is fully localized and largely customizable. Login pages are fully customizable, and the WSAM agent is also localized into each language. This is just another example of how Juniper's SSL VPN provides a truly ubiquitous entry point for all users, even those with mobile devices.

Summary
With the introduction of Juniper Networks IVE 6.2 software, hand-held mobile devices running Microsoft Windows Mobile 5.0 or later can be used with Juniper Networks SA Series SSL VPN Appliances for secure clientless remote access, enabling users to flexibly access desktop applications and data. The robust authentication, localization options, and multiple access methods provide enterprises with the security and flexibility they need to safely propagate hand-held mobile devices throughout their workforce, keeping employees connected and empowered to conduct business on the move without introducing unnecessary network security risks.

About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King's Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
Fax: 35.31.8903.601

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or an authorized reseller.

Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

3500106-001-EN Mar 2009
Printed on recycled paper.