Juniper Networks NetScreen Secure Access, NetScreen Secure Access FIPS, and NetScreen Secure Meeting Administration Guide

NetScreen Instant Virtual Extranet Platform
530-010089-01, Revision 1

CORPORATE HEADQUARTERS
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone 408 745 2000 or 888 JUNIPER
Fax 408 745 2100
www.juniper.net

Juniper Networks, Inc. has sales offices worldwide. For contact information, refer to www.juniper.net.
Printed on recycled paper.

Juniper Networks NetScreen-SA
Juniper Networks NetScreen-SA FIPS
Juniper Networks NetScreen-SM
Administration
5.0 release 1

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408-745-2000
www.juniper.net
Part Number: 50R1060205

Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo, NetScreen-Global Pro, ScreenOS, and GigaScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, Neoteris, Neoteris-Secure Access, Neoteris-Secure Meeting, NetScreen-SA 1000, NetScreen-SA 3000, NetScreen-SA 5000, IVE, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc.
NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Part Number: 50B051605

Copyright © 2001 D. J. Bernstein.
Copyright © 1985-2003 by the Massachusetts Institute of Technology. All rights reserved.
Copyright © 2000 by Zero-Knowledge Systems, Inc.
Copyright © 2001, Dr. Brian Gladman <[email protected]>, Worcester, UK. All rights reserved.
Copyright © 1989, 1991 Free Software Foundation, Inc.
Copyright © 1989, 1991, 1992 by Carnegie Mellon University. Derivative Work - 1996, 1998-2000.
Copyright © 1996, 1998-2000 The Regents of the University of California. All Rights Reserved.
Copyright © 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.
Copyright © 1995 Tatu Ylonen <[email protected]>, Espoo, Finland. All rights reserved.
Copyright © 1986 Gary S. Brown.
Copyright © 1998 CORE SDI S.A., Buenos Aires, Argentina.
Copyright © 1995, 1996 by David Mazieres <[email protected]>.
Copyright © 1998-2002. The OpenSSL Project. All rights reserved.
Copyright © 1989-2001, Larry Wall. All rights reserved.
Copyright © 1989, 1991 Free Software Foundation, Inc.
Copyright © 1996-2002 Andy Wardley. All Rights Reserved.
Copyright © 1998-2002. Canon Research Centre Europe Ltd.
Copyright © 1995-1998. Jean-loup Gailly and Mark Adler.

Juniper Networks NetScreen-SA, NetScreen-SA FIPS, and NetScreen-SM Administration, 5.0 release 1
Copyright © 2005, Juniper Networks, Inc. All rights reserved. Printed in USA.
Writers: Bill Baker, Paul Battaglia, Claudette Hobbart, Mark Smallwood
Editors: Bill Baker, Paul Battaglia, Claudette Hobbart, Mark Smallwood

Revision History
02 June 2005 - 5.0 release 1

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Networks NetScreen Secure Access and Secure Meeting Administration Guide

Table of Contents

About This Guide ... xi

Part 1  IVE products and features ... 1

Chapter 1  IVE series ... 3
  Introducing the NetScreen Instant Virtual Extranet platform ... 5
    What is the IVE platform? ... 5
    How do products built on the IVE platform work? ... 6
  Access Series overview ... 9
  Access management overview ... 11
    Policies, rules & restrictions, and conditions ... 11
    Access and authorization flowchart ... 13
    Dynamic Policy Evaluation ... 17
    Configuring security requirements ... 18
  Authentication realms overview ... 23
    Authentication servers ... 23
    Authentication policies ... 25
    Directory servers ... 25
    Role mapping rules ... 25
  Sign-in policies overview ... 27
    Multiple sign-in policies ... 27
    Sign-in policy evaluation ... 28
    Sign-in pages ... 28
  User roles overview ... 32
    Role types ... 32
    Role components ... 32
    Role evaluation ... 33
  Resource policies overview ... 36
    Resource policy types ... 36
    Resource policy components ... 38
    Resource policy evaluation ... 38
    Resource policy detailed rules ... 39

Chapter 2  Authentication and authorization ... 41
  Certificates overview ... 43
    IVE server certificates ... 43
    Trusted client CAs ... 46
    Trusted server CAs ... 50
    Code-signing certificates ... 50
  Delegated administration overview ... 53
  Endpoint defense overview ... 54
    Host Checker overview ... 55
    Cache Cleaner overview ... 65
  LDAP password management overview ... 71
  Single sign-on overview ... 75
    Multiple sign-in credentials overview ... 76
  SAML overview ... 84
    SAML SSO profiles overview ... 86
    Access control policy overview ... 88
    Creating a trust relationship between SAML-enabled systems ... 89

Chapter 3  Remote access ... 95
  Network Connect overview ... 97
    Automatic Network Connect sign-in using GINA ... 100
    Provisioning your network for Network Connect ... 102
    Defining access methods with Network Connect resource policies ... 103
    Client-side logging ... 104
    Network Connect proxy support ... 104
  Secure Application Manager overview ... 107
    Windows Secure Application Manager (W-SAM) overview ... 107
    Java Secure Application Manager (J-SAM) overview ... 111
    MS Exchange enhanced support ... 117
    Lotus Notes enhanced support ... 119
    Citrix Web Interface for MetaFrame (formerly NFuse Classic) enhanced support ... 121
  Email Client overview ... 123
    Choosing an email client ... 123
    Working with a standards-based mail server ... 124
    Working with the Microsoft Exchange Server ... 124
    Working with Lotus Notes and the Lotus Notes Mail Server ... 126
  Java applet upload overview ... 128
    Uploading java applets to the IVE ... 128
    Signing uploaded java applets ... 129
    Creating HTML pages that reference uploaded java applets ... 130
    Accessing java applet bookmarks ... 130
    Use case: Creating a Citrix JICA 8.0 java applet bookmark ... 130
  Pass-through proxy overview ... 133
  Remote SSO overview ... 136
  Terminal Services overview ... 137
  Meeting Series overview ... 140
    Secure Meeting user experience ... 141
    Permissive merge guidelines for Secure Meeting ... 147
    Troubleshooting Secure Meeting ... 148

Chapter 4  System management and services ... 151
  Central Manager overview ... 153
  Clustering overview ... 154
    Cluster overview ... 154
    Deploying two nodes in an Active/Passive cluster ... 156
    Deploying two or more units in an Active/Active cluster ... 157
    State synchronization ... 158
    Deploying a cluster in an Access Series FIPS environment ... 160
  Network settings overview ... 161
    Configuring general network settings ... 161
    Configuring internal and external ports ... 161
    Configuring virtual ports ... 162
    Configuring static routes for network traffic ... 162
    Creating ARP caches ... 163
    Specifying host names for the IVE to resolve locally ... 163
    Specifying IP filters ... 163
  Log and Monitoring overview ... 165
    Log file severity levels ... 166
    Custom filter log files ... 167
    Dynamic log filters ... 167
  Configuration files overview ... 168
    Archiving IVE configuration files ... 168
    Creating local backups of IVE configuration files ... 169
    Importing and exporting IVE configuration files ... 169
    Importing and exporting XML configuration files ... 170
    Strategies for working with XML instances ... 180
    Pushing configurations from one IVE to another ... 181
  Troubleshooting overview ... 182
    Simulating or tracking events ... 182
    Recording sessions ... 184
    Creating snapshots of the IVE system state ... 184
    Creating TCP dump files ... 185
    Testing IVE network connectivity ... 185
    Running debugging tools remotely ... 186
    Creating debugging logs ... 186
  Multi-language support overview ... 187
    Encoding files ... 187
    Localizing the user interface ... 188
    Localizing custom sign-in and system pages ... 188
  Handheld devices and PDAs overview ... 189
  Compression overview ... 192
  Access Series FIPS overview ... 195
    How does NetScreen Access Series FIPS work? ... 195
    Creating administrator cards ... 196

Part 2  IVE configuration ... 199

Task summaries ... 201

Chapter 5  System settings ... 203
  Configuring the Status page ... 205
    Overview tab ... 205
    Active Users tab ... 208
    Meeting Schedule tab ... 209
  Configuring the Schedule page ... 210
  Configuring the Configuration page ... 212
    Licensing tab ... 212
    Security tabs ... 213
    Certificates tabs ... 231
    NCP tab ... 243
    Client Types tab ... 244
  Configuring the Network page ... 247
    Overview tab ... 247
    Internal Port tabs ... 248
    External Port tabs ... 251
    Hosts tab ... 253
    Network Connect tab ... 253
  Configuring the Clustering page ... 255
    Create tab ... 256
    Join tab ... 257
    Status tab ... 260
    Properties tab ... 263
    Serial console procedures ... 265
  Configuring the Log Monitoring page ... 270
    Events, User Access, Admin Access, and NC Packet tabs ... 270
    SNMP tab ... 275
    Statistics tab ... 280
  Configuring the Signing-in page ... 281
    Sign-in Policies tab ... 281
    Sign-in Pages tab ... 284
    Servers tab ... 289
    Configure an ACE/Server instance ... 291
    Configure an Active Directory or NT Domain instance ... 294
    Configure an anonymous server instance ... 298
    Configure a certificate server instance ... 300
    Configure an LDAP server instance ... 302
    Configure a local authentication server instance ... 306
    Configure an NIS server instance ... 311
    Configure a RADIUS server instance ... 312
    Configure a Netegrity SiteMinder server instance ... 319
    View and delete user sessions ... 339

Chapter 6  Administrator settings ... 341
  Configuring the Authentication page ... 343
    General tab ... 343
    Authentication Policy tab ... 345
    Role Mapping tab ... 346
  Configuring the Delegation page ... 355
    Configure administrator roles ... 355
    General tabs ... 357
    System tab ... 360
    Users tabs ... 361
    Resource Policies tab ... 363

Chapter 7  User settings ... 365
  Configuring the Authentication page ... 367
  Configuring the Roles page ... 368
  Configuring the General page ... 369
    Overview tab ... 369
    Restrictions tab ... 370
    Source IP tab ... 370
    Session Options tab ... 371
    UI Options tab ... 373
  Configuring the Web page ... 378
    Bookmarks tab ... 378
    Options tab ... 381
  Configuring the Files page ... 385
    Windows Bookmarks tab ... 385
    UNIX Bookmarks tab ... 386
    Options tab ... 387
  Configuring the SAM page ... 388
    Applications tab ... 388
    Options tab ... 394
  Configuring the Telnet/SSH page ... 398
    Sessions tab ... 398
    Options tab ... 399
  Configuring the Terminal Services page ... 401
    Sessions tab ... 401
    Options tab ... 405
  Configuring the Meetings page ... 408
    Options tab ... 408
    Auth Servers tab ... 411
  Configuring the Network Connect page ... 414
  Configuring the New User page ... 416

Chapter 8  Resource Policy settings ... 417
    Specifying resources for a resource policy ... 417
    Writing a detailed rule ... 419
  Configuring the Web page ... 421
    Access tab ... 423
    Caching tabs ... 424
    Java tabs ... 428
    Rewriting tabs ... 431
    Remote SSO tabs ... 438
    SAML tabs ... 441
    Web Proxy tabs ... 449
    Launch JSAM tab ... 451
    Compression tab ... 452
    Options tab ... 454
  Configuring the Files page ... 455
    Windows tabs ... 457
    UNIX/NFS tab ... 459
    Compression tab ... 460
    Encoding tab ... 461
    Options tab ... 462
  Configuring the SAM page ... 463
    Access tab ... 463
    Options tab ... 464
  Configuring the Telnet/SSH page ... 466
    Access tab ... 466
    Options tab ... 467
  Configuring the Terminal Services Policies page ... 469
    Access tab ... 469
    Options tab ... 470
  Configuring the Network Connect page ... 472
    Network Connect Access Control tab ... 472
    Network Connect Logging tab ... 473
    Network Connect Connection Profiles tab ... 474
    Network Connect Split Tunneling tab ... 478
    Use case: Network Connect resource policy configuration ... 480
  Configuring the Meetings page ... 482
  Configuring the Email Client page ... 484

Chapter 9  Maintenance settings ... 487
  Configuring the System page ... 489
    Platform tab ... 489
    Upgrade/Downgrade tab ... 490
    Options tab ... 491
    Installers tab ... 492
  Configuring the Import/Export page ... 494
    Configuration tab ... 494
    User Accounts tab ... 495
    XML Import/Export tab ... 496
    XML Import/Export use cases ... 498
  Configuring the Push Config page ... 504
  Configuring the Archiving page ... 507
    FTP Server tab ... 507
    Local Backups tab ... 508
  Configuring the Troubleshooting page ... 510
    User tabs ... 510
    Session Recording tab ... 512
    System Snapshot tab ... 513
    TCP Dump tab ... 514
    Commands tab ... 515
    Remote Debugging tab ... 515
    Debug Log tab ... 516

Part 3  Supplemental information ... 517

Appendix A  Using the IVE serial console ... 519
  Connect to an IVE appliance's serial console ... 519
  Roll back to a previous system state ... 520
  Reset an IVE appliance to the factory setting ... 522
  Perform common recovery tasks ... 525
  Create additional administrator cards (Access Series FIPS only) ... 526
  Create a new security world (Access Series FIPS only) ... 527
  Recover an archived security world (Access Series FIPS only) ... 528

Appendix B  Writing custom expressions ... 531
  Custom expressions ... 531
  System variables and examples ... 535
  Using system variables in realms, roles, and resource policies ... 543

Appendix C  Customizable sign-in pages ... 547
  Understanding the template toolkit language ... 547
    Accessing and updating variables and files ... 549
    Creating conditional statements ... 549
    Creating looping constructs ... 550