Secure, Mobile Access to Corporate , Applications, and Intranet Resources

Copyright © 2009, Juniper Networks, Inc.

Juniper Networks SSL VPN and Windows Mobile



Table of Contents

Introduction
Scope
Description and Deployment Scenario
    Clientless Access (ActiveSync, Web, and File Sharing)
    Windows Secure Application Manager (WSAM)
    Endpoint Security (Host Checker)
    Localization
Summary


Introduction


Juniper Networks® SA Series SSL VPN Appliances lead the SSL VPN market with a complete range of remote access appliances. The SA Series is based on the Instant Virtual Extranet (IVE) software that uses SSL, the security protocol found in all standard Web browsers. Enhanced access methods enable the enterprise to provision secure access, by purpose, for virtually any resource—including Exchange, Terminal Services, intranet applications, and much more. With the introduction of Juniper Networks IVE 6.2 software, Windows Mobile devices (including Pocket PC and Smartphone) can securely access internal resources through the SSL VPN. Supported SA Series features include WSAM (Windows Secure Application Manager), Core Access for Web and Files, and Clientless ActiveSync.


Scope

This document provides a high-level overview of the features and functionality supported by Juniper Networks IVE software release v6.2 and Microsoft Windows Mobile 5.0 or higher.

Description and Deployment Scenario

Clientless Access (ActiveSync, Web, and File Sharing)

SA Series SSL VPN Appliances offer several benefits to Windows Mobile users, even in a purely clientless form. That is, no special software is installed on the Windows Mobile device, nor is it necessary. Authentication is handled with a traditional username/password, one-time token, or Client Certificates. Core Access dynamically builds a portal page for authenticated users, and can provide links to all of their applications as well as single sign-on (SSO) to backend Web resources—such as a corporate intranet, Microsoft OWA/OMA, SharePoint, and much more. The SSO framework supports Basic Auth, NTLM2/1, headers, cookies, SAML, and Form POST methods.

In addition to Core Access to Web applications, the SA Series can also securely front-end Windows and UNIX (SMB and NFS) file shares, presenting them through a Web interface. This enables mobile users to download and upload documents easily from network shares, and can even provide a dynamic bookmark to users’ home directories. The file-sharing feature also supports SSO (NTLM and Kerberos) and allows users to download a file, upload a file, upload a Zip file and extract its contents, or download multiple files in a Zip file.



ActiveSync is also natively supported with IVE 6.2 and later. This HTTP proxy feature enables mobile devices that support Microsoft ActiveSync to seamlessly connect to backend Exchange environments. The SSL VPN is configured to proxy Exchange traffic over a special “Authorization Only” VIP, and forwards the raw HTTP payload to the Exchange server. This framework enables organizations to deploy Push Email without having to put the Exchange server in the demilitarized zone (DMZ). Direct Push is fully supported, as well as bidirectional synchronization of Email, Contacts, Calendar, and Tasks. Additional authorization policies may also be implemented here, such as locking down to a Source IP/range, User-Agent, DeviceID, and more. One additional note: Users who are connected with Clientless ActiveSync do not count against the IVE concurrent user licenses, allowing customers to easily and cost-effectively scale their SSL VPN mobile deployments.
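As an added illustration (not Juniper's configuration or code), the sketch below shows the kind of per-request authorization check that a proxy in front of Exchange could apply on source IP range, User-Agent and DeviceID. The policy structure, the `authorize` function and all sample values are assumptions constructed for this example; `User` and `DeviceId` are the query parameters an ActiveSync client sends on its request line.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Hypothetical policy; every value here is constructed for illustration.
POLICY = {
    "source_networks": [ipaddress.ip_network("203.0.113.0/24")],
    "user_agent_prefixes": ("MSFT-PPC/", "MSFT-SPhone/"),
    "device_ids": {"jdoe": {"6F24CAD599A5BF1A690246B8C68FAE8D"}},
}
EAS_PATH = "/microsoft-server-activesync"
# Constructed sample request target for an enrolled device.
GOOD = ("/Microsoft-Server-ActiveSync?Cmd=Sync&User=jdoe"
        "&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC")

def authorize(source_ip, request_target, headers, user, policy=POLICY):
    """Return (allowed, reason) for one already-authenticated request."""
    url = urlsplit(request_target)
    if url.path.lower() != EAS_PATH:
        return False, "path is not the ActiveSync endpoint"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in policy["source_networks"]):
        return False, "source IP outside allowed range"
    if not headers.get("User-Agent", "").startswith(policy["user_agent_prefixes"]):
        return False, "User-Agent not allowed"
    query = parse_qs(url.query)
    ids = query.get("DeviceId", [])
    # Require exactly one DeviceId: a repeated parameter is rejected, not guessed at.
    if len(ids) != 1:
        return False, "missing or repeated DeviceId"
    # Assumption: User may arrive as DOMAIN\user; compare the account part only.
    claimed = query.get("User", [""])[0].split("\\")[-1].lower()
    if claimed != user.lower():
        return False, "User parameter does not match authenticated user"
    if ids[0].upper() not in policy["device_ids"].get(user.lower(), set()):
        return False, "DeviceId not enrolled for this user"
    return True, "ok"

if __name__ == "__main__":
    agent = {"User-Agent": "MSFT-PPC/5.2.5082"}  # constructed sample header
    print(authorize("203.0.113.10", GOOD, agent, "jdoe"))
    print(authorize("198.51.100.7", GOOD, agent, "jdoe"))
```

Because User-Agent and DeviceID are supplied by the client, they narrow access for authenticated users rather than replace authentication; the source IP check is the only one of the three the client does not control.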

Windows Secure Application Manager (WSAM)



WSAM can be configured in two modes: Application mode or Host mode. Policies are configured on the SSL VPN gateway and pushed down when the WSAM agent connects. With Application mode, a set of applications/programs is configured so that all of their data/transactions are tunneled over WSAM. With Host mode, a destination IP/network is configured so that any application or program attempting to access that IP/network will be tunneled.

Endpoint Security (Host Checker)

With IVE version 6.2 and later, Host Checker can provide endpoint security policy enforcement for Windows Mobile devices. For example, if an organization wants to mandate that all mobile devices are running a particular Smartphone security agent, Host Checker can be configured to enforce that before allowing access to vital company resources. If the agent is not running and the mobile device is therefore not in compliance with the policy, the device can be quarantined and may be granted access only to limited network resources.




3500106-001-EN Mar 2009 Printed on recycled paper.



Localization

To support a wide range of users, Juniper’s SSL VPN supports a localized end user interface as well. Eight languages are supported—including Spanish, Korean, Japanese, Chinese (Traditional), Chinese (Simplified), German, French, and English. The end user UI is fully localized, and largely customizable. Login pages are fully customizable, and the WSAM agent is also localized into each language. This is just another example of how Juniper’s SSL VPN provides a truly ubiquitous entry point for all users, even those with mobile devices.


Summary

With the introduction of Juniper Networks IVE 6.2 software, hand-held mobile devices running Microsoft Windows Mobile 5.0 or later can be used with Juniper Networks SA Series SSL VPN Appliances for secure clientless remote access, enabling users to flexibly access desktop applications and data. The robust authentication, localization options, and multiple access methods provide enterprises with the security and flexibility they need to safely propagate hand-held mobile devices throughout their workforce, keeping employees connected and empowered to conduct business on the move without introducing unnecessary network security risks.
