Solutions in this chapter:
■ Initial CLI Setup
■ Initial Web Setup
■ Certificates
■ Security and System Settings
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions
Setup
Introduction
As you can see by the size of this book, you can design and configure quite a bit when it comes to the Juniper Secure Sockets Layer (SSL) virtual private network (VPN). Fortunately, you must complete relatively few tasks to get the box up and running on your network. In this chapter, we will focus on those initial steps that involve everything you need to know to get the IVE up and running. We will then go into some detail about IVE licensing (features and support), as well as certificates and other system-wide settings to be configured on the IVE.
The tools we discuss in this chapter will enable you to get your box up and running on the network. Unlike some other appliances, you do very little through the command-line interface (CLI) on the Juniper IVE. Juniper has left most of the configuration to its AdminUI, which you can access in virtually any Web browser. The CLI is basically enabled to allow for the initial setup, as well as for some last-resort troubleshooting techniques which you may have to employ if you lose your connection to the IVE or are locked out for one reason or another. In any event, you will find that the IVE provides you with the tools you need to set up your IVE, as well as maintain the system that your organization will no doubt rely heavily upon.
Initial CLI Setup
We start our IVE endeavor with a task in which many of you no doubt have much experience: the command line. Although this may seem like an odd place to start the configuration, Juniper has good reason for beginning the initial configuration at this spot. Essentially, you accomplish all IVE configuration within the AdminUI, which is a Web-based interface that allows you to configure all of the IVE’s great aspects. But before we can configure the device through a Web browser, we must make some initial configurations on the IVE to give it basic network information, as well as set up a login account (we actually will need to complete a few more steps, but not many). Like many other appliances, the IVE does not waste system resources (software or hardware) on providing a keyboard, video, and mouse (KVM) interface with a graphical user interface (GUI) such as a desktop. Rather, Juniper has designed the underlying operating system to be as lightweight as possible, so it can maximize the IVE’s performance for its intended purpose (which is to deliver applications and remote access securely to remote users). To help incorporate this feature, Juniper uses a simple console-based setup to configure the IVE.
IVE Console Setup
On the front of every IVE model is a console serial port which is an RS-232 DB9 male connector. Your IVE should come with a console cable to connect to a serial port on a workstation, laptop, or server. Many newer-model computers do not have an RS-232 serial port built in, so you may have to use a USB-to-Serial converter or an Ethernet-to-RS-232 DB9 converter, which you should be able to find in a good local computer store or at an online retailer (such as Newegg, www.newegg.com). The IVE follows the same connection properties as many other manufacturers, and it uses the following settings for the serial connection:
■ Bits per second: 9600
■ Data bits: 8
■ Parity bits: None
■ Stop bits: 1
■ Flow control: None
You can use your favorite terminal emulator program to manage the serial connection on your workstation. HyperTerminal is popular because it comes with many distributions of Windows, but TeraTerm and Minicom are also popular for other platforms. At this point, you can go ahead and power up your box with your console cable connected to your machine. In the following sections, we will discuss how to set up the console connection as well as how to perform the initial configuration steps.
Configuring HyperTerminal for Connecting to the IVE Console Port
We will start our confi guration with an example using HyperTerminal in Microsoft Windows. If you are using a different application, consult the documentation for that application to perform the same steps. If you are already familiar with setting up your machine to perform console connections, there are no surprises here and you can skip this example.
1. Go to Start | Run and enter hypertrm.exe.
2. You will be prompted with a Connection Description window. Enter a Name to give to this session and click OK.
3. You will be asked to define some properties of the connection. There is really only one value that we are concerned with here, and that is the Connect Using value. Expand the drop-down menu and look for the COM port that you are plugged into on your machine. If there are multiple COM ports, you might have to try each one to determine the right port. When you have a single physical RS-232 port on your machine, this is often COM1, but it can be different, especially if you have to use a USB-to-RS-232 converter to make the connection.
5. The last thing you will have to do before you connect is to configure the properties of the session, as we described earlier. This means you will set the following properties:
■ Bits per second: 9600
■ Data bits: 8
■ Parity bits: None
■ Stop bits: 1
■ Flow control: None
6. Click OK, and assuming that you entered the right information you should be connected. If your IVE has already had a chance to power on, press Enter, which should bring up the Initial Configuration message:
Welcome to the initial configuration of your server!
NOTE: Press ‘y’ if this is a stand-alone server or the first machine in a clustered configuration.
If this is going to be a member of an already running cluster press n to reboot. When you see the ‘Hit TAB for clustering options’ message press TAB and follow the directions.
Would you like to proceed (y/n)?
Initial Configuration
In this example, we will configure the IVE for the first time. When you access an IVE that has not been configured, you will be given a message asking you whether you would like to proceed with the configuration. Assuming you say yes, you will have a few tasks to perform:
■ Agree to the license.
■ Apply an Internet Protocol (IP) address, subnet mask, and default gateway for the internal interface.
■ Define Primary and optionally secondary domain name system (DNS) servers.
■ Define a domain name.
■ Provide an address for a Windows Internet Name Service (WINS) Server (optional).
■ Create a default admin name and password.
■ Provide the common name for the IVE.
1. After you have connected to the console and the IVE has booted up, you will be asked whether you wish to perform the initial configuration steps. Type y and press Enter.
2. You will be prompted with the license agreement. You can type y, n, or r. These stand for Yes, No, and Read, respectively. After you have read the license agreement by typing r, type y and press Enter to agree to the license agreement and to continue.
3. You will be prompted for the IP Address of your IVE’s internal interface. Enter the IP address that you wish to define for the IVE and press Enter.
4. Define the Subnet Mask that will be applied to the internal interface and press Enter.
5. Define the Default Gateway for the internal interface. The IVE does not act exactly like a router, but it must have routing knowledge to your internal network. If you do use an external interface, the IVE will maintain a separate default route for the external interface, but we will configure that in the AdminUI.
6. The IVE will prompt you to define Primary and Secondary DNS Servers. These DNS servers are typically internal DNS servers, but if you do not have internal DNS servers you can use the DNS servers your Internet service provider (ISP) gives you. Enter the Primary DNS Server and press Enter. If you have a Secondary DNS Server for redundancy, enter its IP address; otherwise, just press Enter.
7. If your organization uses WINS for name resolution, you can provide the IP address of the WINS Server; otherwise, just press Enter.
8. The IVE will force you to create a default username and password for the Admin account which you will initially use to configure the AdminUI. Later, you can choose to use another mechanism to provide Admin authentication (such as a RADIUS [Remote Authentication Dial-in User Service] server or Active Directory), but initially, you must configure an Admin account that is located locally on the IVE. To do so, you must first provide an Admin Name as well as an Admin Password at the respective prompts. Your password must be at least six characters long.
9. You will be prompted for the Common Name for the IVE, which will be used to connect to the IVE. This is typically configured as the fully qualified domain name (FQDN, such as vpn.mycompany.com); this could also be an IP address, but it is usually the former because users usually connect to the IVE by the DNS name rather than the IP address. In the end, this step isn’t too important because you will most likely provide your own valid certificate rather than use the self-signed certificate, but either way, define the Common Name that you would like to apply to the IVE for the self-signed SSL certificate.
10. Define the Organization Name that will be used in the certificate.
11. You will be asked to enter some Random Data that will be used to generate the self-signed certificate. Just enter a bunch of random characters (30 or so) and press Enter. You must create a certificate in the initial configuration because the IVE requires secure access to the IVE via HTTPS, which must use a certificate.
12. When you see the following message, you will have completed the initial configuration on the IVE, and you can proceed to configure the IVE in the AdminUI:
Congratulations! You have successfully completed the initial set up of your server.
To administer the system, please browse to an appropriate URL: https://<IVE-IP-Address>/admin (note the ‘s’ in https://)
Example: https://10.10.22.34/admin
If a DNS name already exists for this IVE, you can also use: https://<IVE-Host-Name>/admin
Example: https://IVE.mycompany.com/admin
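A mistake in the answers to steps 3 through 9 (a default gateway that is not on the internal subnet, a mistyped DNS address, a password shorter than six characters, a Common Name that is neither an FQDN nor an IP address) is easy to make at a serial console and often only shows up when the AdminUI turns out to be unreachable. The following Python script, added here as an example and not part of the book or of Juniper's software, checks a prepared set of answers for exactly those inconsistencies before you type them in. The sample answers, the dictionary keys and the `check_initial_config` function are assumptions made for this example.

```python
import ipaddress
import re

# Loose FQDN pattern, used only to sanity-check the Common Name answer (assumption for this example).
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE
)

# Constructed sample answers mirroring the console prompts (not values from a real deployment).
SAMPLE_CONFIG = {
    "ip": "10.10.22.34",
    "mask": "255.255.255.0",
    "gateway": "10.10.22.1",
    "dns_primary": "10.10.22.10",
    "dns_secondary": "",
    "wins": "",
    "admin_name": "admin",
    "admin_password": "Chang3-Me!",
    "common_name": "vpn.mycompany.com",
    "organization": "MyCompany",
}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_initial_config(cfg):
    """Return a list of problems with the prepared console answers; an empty list means they are consistent."""
    problems = []

    # Steps 3-4: the address and subnet mask must form a usable host address.
    try:
        iface = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['mask']}")
    except ValueError as exc:
        return [f"internal interface address/mask invalid: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    # Step 5: the default gateway has to sit on the internal subnet, or nothing beyond that
    # subnet will reach the AdminUI once the console session ends.
    gw = cfg.get("gateway", "")
    if not _is_ip(gw):
        problems.append("default gateway is not a valid IP address")
    elif ipaddress.ip_address(gw) not in net:
        problems.append(f"default gateway {gw} is not inside {net}")
    elif ipaddress.ip_address(gw) == iface.ip:
        problems.append("default gateway equals the interface address")

    # Steps 6-7: primary DNS is required; secondary DNS and WINS are optional but must be IPs if given.
    if not cfg.get("dns_primary"):
        problems.append("primary DNS server is required")
    for key in ("dns_primary", "dns_secondary", "wins"):
        value = cfg.get(key, "")
        if value and not _is_ip(value):
            problems.append(f"{key} is not a valid IP address")

    # Step 8: the IVE enforces a six-character minimum on the initial admin password.
    if not cfg.get("admin_name"):
        problems.append("admin name is required")
    if len(cfg.get("admin_password", "")) < 6:
        problems.append("admin password must be at least six characters")

    # Step 9: the Common Name goes into the self-signed certificate; use the name users will type.
    cn = cfg.get("common_name", "")
    if not (FQDN_RE.match(cn) or _is_ip(cn)):
        problems.append("common name should be a fully qualified domain name or an IP address")

    return problems


if __name__ == "__main__":
    for problem in check_initial_config(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

Run it against your own answers before sitting down at the console; every reported problem corresponds to one prompt in the procedure above, so a non-empty list tells you which step to correct.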
Initial Web Setup
As you can see, you simply configure the basics on the IVE console to get the box up and running. In this section, we will cover the basic steps you should configure on the box now that you have access to the AdminUI. Note that most of the aspects of IVE configuration will be broken out into individual sections in this book, so this chapter is not going to go into much detail, but rather will cover the issues you will most likely need to know to get the basics set up before expanding into the other parts of the configuration.
Accessing the IVE through the WebUI
Now that you have the device up and running (and we assume you have it on your network), you should be able to access the IVE from your machine. Simply open a Web browser and enter the following in the URL field: https://<ipaddress>/admin, where <ipaddress> is the IP address you assigned to the internal port of the IVE in the console setup. Your browser will prompt you to continue because it will not “trust” the certificate (different browsers go about this differently), but for now, just accept the certificate and continue. You will be brought to the IVE default Admin page, which will look like Figure 2.1.
Enter the Admin username and password that you configured on the console during the initial setup and click the Sign In button. You will then be brought to the AdminUI. The first time you connect to the AdminUI, you will see a sidebar tip sheet that lists some tasks you will need to perform (see Figure 2.2). We will cover those in the next few examples.
Figure 2.1 Accessing the Admin Sign-in Page
Figure 2.2 Initial AdminUI When You First Connect to the IVE
Configuring Date and Time
In this example, we will configure the date and time for your IVE. Configuring the date and time is a very important task, and it is more than just good practice. The IVE relies on time settings being accurate for a number of functions (particularly with SSL and certificate validation). Of course, the IVE also uses the date and time to record a timestamp in each log entry, so if there is a problem you will want to know that the correct time is on your IVE.
1. In the AdminUI, go to the Status page, which is the default page you will be brought to each time you log into the IVE. You will see a System Date and Time label, with the Edit field beside it. Under those fields, you will see the date and time to which the IVE is currently set. If this value is not accurate, you should definitely reset it. You may also wish to incorporate a feature such as NTP to automatically manage the time of your device for you. Click the Edit button to continue.
2. You will be brought to the Date and Time screen. The first thing you should do is set the Time Zone if it is different from your time zone. Click Save Changes. Go back into the Date and Time screen. If you configure multiple steps at once, you will most likely end up misconfiguring your time.
3. You have two options for defining the time. You can Use NTP Server, in which case you must define the NTP Server (either hostname or IP address) as well as define an Update Interval (in minutes) to update the server. Click Save Changes.
4. Your other option is to just Set Time Manually, which allows you to define the time without having an external update source. You can either define the Date and Time in the mm/dd/yyyy hh:mm:ss (with selecting a.m./p.m.) format; or you can just click Get from Browser which will automatically populate this field (see Figure 2.3). Click Save Changes.
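Two points in this chapter deserve a check rather than a click: the browser warning in “Accessing the IVE through the WebUI” (the self-signed certificate you are asked to accept can be compared, out of band, with the fingerprint of the one the console generated) and the dependency of SSL and certificate validation on an accurate clock described in this section. The following Python example, added here and not code from the book or from Juniper, covers both with the standard library only: it derives a SHA-256 fingerprint from a PEM certificate for comparison, and it classifies a certificate's validity window against a supplied clock, which shows how a wrong date makes a perfectly good certificate look not yet valid or expired. The sample PEM and the sample certificate dictionary are constructed; `fetch_ive_cert` is a live helper that assumes the IVE is reachable on port 443 and is not exercised offline.

```python
import base64
import hashlib
import socket
import ssl

# Constructed DER stand-in: ssl.PEM_cert_to_DER_cert only strips the armour and base64-decodes,
# so arbitrary bytes are enough to exercise the fingerprint path offline (not a real certificate).
SAMPLE_DER = b"constructed-sample-der-bytes-0123456789"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output (not from a real IVE).
SAMPLE_CERT_INFO = {
    "subject": ((("commonName", "vpn.mycompany.com"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
}


def pem_to_der(pem):
    """Unwrap PEM armour to the DER bytes the fingerprint is computed over."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint_sha256(pem):
    """SHA-256 fingerprint in the colon-separated upper-case form browsers display."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(seen, expected):
    """Compare two fingerprints regardless of case or separators (colons, spaces)."""
    def norm(value):
        return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")
    return norm(seen) == norm(expected)


def cert_status(cert_info, now_epoch):
    """Classify the validity window against a clock given as seconds since the epoch (UTC)."""
    not_before = ssl.cert_time_to_seconds(cert_info["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert_info["notAfter"])
    if now_epoch < not_before:
        return "not_yet_valid"
    if now_epoch > not_after:
        return "expired"
    return "valid"


def fetch_ive_cert(host, port=443):
    """Live helper: fetch the IVE's PEM certificate, then reconnect trusting exactly that
    certificate so getpeercert() returns the parsed fields (with CERT_NONE the dict is empty)."""
    pem = ssl.get_server_certificate((host, port))
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False  # the Common Name may not match the address used to reach the IVE yet
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return pem, tls.getpeercert()


if __name__ == "__main__":
    print("sample fingerprint:", fingerprint_sha256(SAMPLE_PEM))
    # A clock left at a factory default of 2000-01-01 makes a current certificate look not yet valid.
    for label, clock in (("2000-01-01", 946684800), ("2024-07-03", 1720000000)):
        print(label, "->", cert_status(SAMPLE_CERT_INFO, clock))
```

In practice you would print the fingerprint from a machine on the same segment as the IVE right after the console setup, and compare it with what the browser shows before accepting the warning; the same `cert_status` check, fed with the IVE's own clock, explains the certificate errors that follow a badly set date.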
Configuring Licensing on the IVE
The IVE has multiple options as far as licensing for the device, but before you can enter a license key, you must generate a license. Most likely, your Juniper reseller will provide you with an authorization code generated by Juniper to create the license. You use this authorization code in combination with the serial number or hardware ID of the box to generate the license.
Generating a License on the Juniper Web Site
After you have purchased an IVE or an additional license from a Juniper reseller, you should be provided an e-mail with an attached PDF which will contain an authorization code. This code is a 16-character code which would look like the following: RAdu-CNet-nJep-NAmV. Once you generate the license, you will receive another e-mail which will provide you with the actual license key to apply to your IVE. In this example, we will show you how to generate a license key for your IVE assuming that you have an authorization code:
1. Go to www.juniper.net/customers/support/ and click on Contracts & Product Management on the left-hand side of the Web page. You will be forced to log into the Juniper support page. If you do not already have a login, contact the Juniper Technical Assistance Center (JTAC) at 1-888-314-JTAC to have an account set up (they can also generate the license for you if you would like). Sign into the Juniper support site.
2. Click on License Key Generator when you are brought to the Contract and Product Management page.
3. Select the Secure Access SSL VPN from the product’s drop-down menu. Juniper has provided license generation for most of its products through this same mechanism, so you must be sure to apply your license to the appropriate platform. Click Go. Note that should you ever need to generate a license for an RMA device, you will follow this same procedure, but go to Generate License Keys for RMA Device rather than selecting the SSL VPN from the drop-down menu.
4. Provide the hardware ID for your IVE. This code is available at the console (just console in and press Enter, which will bring up a menu that will list the hardware ID), or you can view the hardware ID for your IVE on the licensing page of your IVE at System | Configuration | Licensing. The hardware ID (which is different from the serial number for your IVE) looks something like SA50ARM0J0DAL3ML. Provide the hardware ID in the Licensing Hardware ID field and the authorization code in the Authorization Code field, and click Generate. See Figure 2.4, which shows how this is configured within the IVE.
5. Assuming that your auth code and hardware ID check out, you will be brought to
6. Once you have the license key, you will want to apply it to your IVE. To do so, go to the AdminUI of the IVE. You apply the license at System | Configuration | Licensing.
7. Enter one license key per line in the License Key text box. Once you add the licenses to the IVE, click Add. Assuming that you applied the correct licenses to the IVE, you should see them appear in the Installed Licenses Detail. Because licenses are tied to a hardware ID, make sure you are applying the correct license to the correct