NetScreen Secure Access NetScreen Secure Access FIPS Getting Started

Transcription

1 NetScreen Secure Access NetScreen Secure Access FIPS Getting Started, NetScreen Instant Virtual Extranet Platform

2

3 Juniper Networks NetScreen Secure Access Series Juniper Networks NetScreen Secure Access Series FIPS Getting Started Release 4.x Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Part Number:

4 Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo, NetScreen-Global Pro, ScreenOS, and GigaScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, Neoteris, Neoteris-Secure Access, Neoteris-Secure Meeting, NetScreen-SA 1000, NetScreen-SA 3000, NetScreen-SA 5000, IVE, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies. Copyright 2001 D. J. Bernstein. Copyright by the Massachusetts Institute of Technology. All rights reserved. Copyright 2000 by Zero-Knowledge Systems, Inc. Copyright 2001, Dr. Brian Gladman Worcester, UK. All rights reserved. Copyright 1989, 1991 Free Software Foundation, Inc. Copyright 1989, 1991, 1992 by Carnegie Mellon University. Derivative Work , Copyright 1996, The Regents of the University of California. All Rights Reserved. Copyright The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. Copyright 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland. All rights reserved. Copyright 1986 Gary S. Brown. Copyright 1998 CORE SDI S.A., Buenos Aires, Argentina. Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. Copyright The OpenSSL Project. All rights reserved. Copyright , Larry Wall. All rights reserved. Copyright 1989, 1991 Free Software Foundation, Inc. Copyright Andy Wardley. All Rights Reserved. Copyright Canon Research Centre Europe Ltd. Copyright Jean-loup Gailly and Mark Adler. Juniper Networks NetScreen Secure Access and Juniper Networks NetScreen Secure Access FIPS Getting Started, Release 4.x Copyright 2004, Juniper Networks, Inc. All rights reserved. Printed in USA. Writer: Carolyn A. Harding Editor: Claudette degiere Revision History 14 May 2004 Beta draft 28 May 2004 Final draft Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

5 Table of Contents Step 1: Install the hardware...1 Step 2: Perform basic setup...3 Step 3: Upgrade and license the IVE...6 Step 4: Verify user accessibility...8 Step 5: Create a test scenario to learn IVE concepts and best practices...10 Default settings for administrators...23 Table of Contents iii

6 iv Table of Contents

7 Thank you for choosing the Juniper Networks NetScreen Instant Virtual Extranet (IVE) appliance! You can install the IVE and start configuring your system in five easy steps: Step 1: Install the hardware...1 Step 2: Perform basic setup...3 Step 3: Upgrade and license the IVE...6 Step 4: Verify user accessibility...8 Step 5: Create a test scenario to learn IVE concepts and best practices We recommend that you install the NetScreen Secure Access or NetScreen Secure Access FIPS appliance in your LAN to ensure that it can communicate with the appropriate resources, including: Authentication servers DNS servers Internal Web servers via HTTP/HTTPS External Web sites via HTTP/HTTPS (optional) Windows file servers (optional) NFS file servers (optional) Client/server applications (optional) If you decide to install your appliance in your DMZ, make sure that the IVE appliance can connect to these resources. French, German, and Japanese versions of this guide are available on the support site. Step 1: Install the hardware The IVE appliance ships with mounting brackets attached to the front of the chassis. Using these brackets, rack mount, power on, and connect the included cables to the machine following these steps: 1. Mount the IVE appliance in your server rack. 2. On the rear panel, plug the power cord into the AC receptacle and press the power switch to turn on the unit. Step 1: Install the hardware 1

8 3. On the front panel: 1. Push the toggle switch in the right corner one time. The green LED to the right of the power switch turns on. For Secure Access FIPS appliances, the IVE hard drive light turns on whenever data is read from or written to the IVE hard drive. 2. Plug the ethernet cable into the left port. The left port uses two LEDs to indicate the LAN connection status, which is described in Table 1 on page 3. Figure 1: The left port is located on the front panel. 3. Plug the serial cable into the serial port: Figure 2: The serial port is located on the front panel. 4. If you are installing a Secure Access FIPS appliance, perform the following steps on the hardware security module s panel: 1. Set the mode switch to I (initialization mode). The hardware security module status (HSM) light indicates the hardware security module s mode, which is described in Table 2 on page Plug the smart card reader cable into the reader port. 3. Insert one of the smart cards into the reader with the contacts facing up. The green HSM LED turns on. Do not remove the card while the module is in I mode. Figure 3: Secure Access FIPS Detailed View of Front Panel 2 Step 1: Install the hardware

9 Hardware installation is complete after you rack-mount the appliance, connect the power, network, and serial cables to the appliance, and power on the machine. The next step is to connect to the appliance s serial console so that you can enter basic machine and network settings. Table 1: Secure Access and Secure Access FIPS Left Port LEDs LAN Status LED 1 LED2 10 Mbps connection Off N/A Access 1000/3000/ Mbps connection Green N/A Access 1000/3000/ Mbps connection Orange N/A Access 1000/3000/5000 Data is being transferred Orange, Green, or Off Blinking No connection Off Off Table 2: Secure Access FIPS Hardware Security Module Status Light LAN Status LED 1 Description Pre-initialization state Single, short flashes The module is ready for initialization. Operational state Mainly on but regularly blinks off The mode switch is set to O (operational). Set to I to start initialization. Pre-maintenance state Single, long flashes The mode switch is set to M (maintenance). Set to I to start initialization. Step 2: Perform basic setup When you boot an unconfigured IVE appliance, you need to enter basic network and machine information through the IVE serial console to make the appliance accessible to the network. After entering these settings, you can continue IVE configuration through the administrator s Web console. This section describes the required serial console setup and the tasks you need to perform when connecting to your IVE through the Web console for the first time. To perform basic setup: 1. Configure a console terminal or terminal emulation utility running on a computer, such as HyperTerminal, to use these serial connection parameters: 9600 bits per second 8-bit No Parity (8N1) 1 Stop Bit No flow control Step 2: Perform basic setup 3

10 2. Connect the terminal or laptop to the serial cable plugged in to the appliance s serial port and press Enter until you are prompted by the initialization script. Figure 4: Welcome Screen for the IVE Serial Console 3. Enter y to proceed and then y to accept the license terms (or r to read the license first). 4. Enter the machine information for which you are prompted, including the: IP address of the internal port (optionally configure the external port through the administrator s Web console after initial configuration) Network mask Default gateway address Network interface card (NIC) speed Primary DNS server address Secondary DNS server address (optional) Default DNS domain name (example: acmegizmo.com) WINS server name or address (optional) Administrator username Administrator password Common machine name (example: connect.acmegizmo.com) 4 Step 2: Perform basic setup

11 Organization name (example: Acme Gizmo, Inc.) The last two pieces of data are used to create a self-signed digital certificate for use during product evaluation and initial setup. We highly recommend that you import a signed digital certificate from a trusted certificate authority (CA) before deploying the IVE for production use. After entering this information, you have completed the serial console setup. When the IVE prompts you with the option to modify your settings, choose the appropriate option or continue. 5. If you are installing a Secure Access FIPS appliance, set the mode switch to O (operational mode). 6. In a browser, enter the machine s URL followed by /admin to access the administrator sign-in page. The URL is in the format: where a.b.c.d is the machine IP address you entered in step 4. When prompted with the security alert to proceed without a signed certificate, click Yes. If the administrator sign-in page appears, you have successfully connected your IVE appliance to the network. Figure 5: Administrator Sign-in Page 7. On the sign-in page, enter the administrator username and password you created in step 4 and then click Sign In. The administrator s Web console opens to the System>Status>Overview page. Step 2: Perform basic setup 5

12 Figure 6: System > Status > Overview page 8. Next to System Date and Time, click Edit. On the Date and Time page, specify the machine time and then click Save Changes. 9. Choose Administrators>Delegation (optional). On the Delegated Admin Roles page, click.administrators, which links to the configuration pages for the built-in.administrators role. For this role: 1. Choose General>Session Options, and under Session Lifetime, change the values for the idle timeout and maximum session length. 2. Click Save Changes. After you perform this basic setup through the serial and Web consoles, you are ready to install the most current IVE OS service package and then license the IVE. Step 3: Upgrade and license the IVE Before testing user accessibility, take the time to upgrade your IVE with the most current IVE OS service package to make sure that you have access to the latest product features and documentation. You need to download the service package from the Juniper support site to a network directory accessible to the IVE. The welcome from Juniper contains the support URL and your sign-in credentials. To upgrade and license the IVE: 1. In a Web browser, enter the support site URL contained in the sent to you by Juniper. 2. On the support sign-in page, enter the credentials (username and password) contained in the , and then click Sign In. After successfully signing in to the site, navigate to the software release page of the support site. 3. Select the link for the most current production release and then click on its corresponding service package link. When prompted, save the package to a network directory. 6 Step 3: Upgrade and license the IVE

13 4. In a Web browser, enter the IVE URL followed by /admin to access the administrator sign-in page. The URL is in the format: where a.b.c.d is the machine IP address you entered in step 2-4. When prompted with the security alert to proceed without a signed certificate, click Yes. 5. On the administrator sign-in page, enter the administrator username and password you created in step 2-4, and then click Sign In. The administrator s Web console opens to the System>Status>Overview page. 6. Choose Maintenance>System>Upgrade/Downgrade. 7. On the Install Service Package page, click browse to the IVE OS service package you downloaded to your network. After you select the package and the file name appears in the Service package to install field, click Install Now. The IVE uploads the service package from the network directory and begins to install it. The process takes several minutes. You can monitor the status through the Web console or the serial console. When the IVE finishes installing the service package, the system reboots. After the IVE reboots, sign in to the administrator Web console again to enter the system license(s). 8. Choose System>Configuration>Licensing. On the Licensing page: 1. In the Company Name field, enter your company name as it appears in the sent to you by Juniper. 2. In the License Key(s) field, enter the licenses listed in the sent to you by Juniper. You can select all of the licenses in the , copy them, and then paste them into the License Key(s) field. 3. Click Save Changes. Your license code information appears on the Licensing page. If you purchased Juniper Networks NetScreen-SA Central Manager, the user interface appearance changes to a gray background color after saving the licenses. The remaining figures in this guide reflect the Central Manager user interface. After you install the most current IVE OS service package and license your IVE, you are ready to verify user accessibility. Step 3: Upgrade and license the IVE 7

14 Step 4: Verify user accessibility You can easily create a user account in the system authentication server for use in verifying user accessibility to your IVE. After creating the account through the administrator s Web console, sign in as the user on IVE user sign-in page. To verify user accessibility: 1. In the administrator s Web console, choose Users>New User. 2. On the New Local User page, enter testuser1 as the username and a password, and then click Save Changes. The IVE creates the testuser1 account. 3. In another browser window, enter the machine s URL to access the user sign-in page. The URL is in the format: where a.b.c.d is the machine IP address you entered in Step 2-4. When prompted with the security alert to proceed without a signed certificate, click Yes. If the user sign-in page appears, you have successfully connected to your IVE appliance. Figure 7: User Sign-in Page 4. On the sign-in page, enter the username and password you created for the user account and then click Sign In to access the IVE home page for users. Figure 8: User Home Page (default) 8 Step 4: Verify user accessibility

15 5. In the browser Address field, enter the URL to an internal Web server and click Browse. The IVE opens the Web page in the same browser window, so to return to the IVE home page, click the center icon in the browsing toolbar that appears on the target Web page. Figure 9: Example Internal Web Page with Browsing Toolbar 6. On the IVE home page, enter the URL to your external corporate site and click Browse. The IVE opens the Web page in the same browser window, so use the browsing toolbar to return to the IVE home page. 7. On the IVE home page, click Browsing>Windows Files to browse available Windows file shares or Browsing>UNIX/NFS Files to browse available UNIX/NSF file shares. After verifying user accessibility, return to the administrator Web console to perform step 5, which introduces the IVE access management system. Step 4: Verify user accessibility 9

16 Step 5: Create a test scenario to learn IVE concepts and best practices The IVE provides a flexible access management system that makes it easy to customize a user s remote access experience through the use of roles, resource policies, authentication servers, authentication realms, and sign-in policies. To enable you to quickly begin working with these entities, the IVE ships with system defaults for each. This section describes these system defaults and shows you how to create each access management entity by performing the following tasks: Define a user role...10 Define a resource policy...13 Define an authentication server...15 Define an authentication realm...17 Define a sign-in policy...19 The IVE supports two types of users: Administrators An administrator is a person who may view or modify IVE configuration settings. You create the first administrator account through the serial console. Users A user is a person who uses the IVE to gain access to corporate resources as configured by an administrator. You create the first user account (testuser1) in Step 4: Verify user accessibility on page 8. The following test scenario focuses on using the IVE access management elements to configure access parameters for a user. For information about the system default settings for administrators, see Default settings for administrators on page 23. Define a user role A user role is an entity that defines session parameters, personalization settings, and enabled access features 1 for users. The IVE maps an authenticated user to one or more roles. The options specified for the role(s) define what types of resources the user may access during the IVE session. The IVE is pre-configured with one user role called Users. This pre-defined role enables the Web and file browsing access features, enabling any user mapped to the Users role to access the Internet, corporate Web servers, and any available Windows and UNIX/NFS file servers. You can view this role on the Users>Roles page. After you enable an access feature for a role (on the Users>Roles>RoleName page), configure the appropriate corresponding options that are accessible from the access feature s configuration tab. To define a user role: 1. In the administrator s Web console, choose Users>Roles. 1. Access features include Web browsing, file browsing, Secure Application Manager, Telnet/SSH, Windows Terminal Services, Network Connect, Secure Meeting, and Secure Client. 10 Step 5: Create a test scenario to learn IVE concepts and best practices

17 2. On the Roles page, click New Role. 3. On the New Role page, enter Test Role in the Name field and then click Save Changes. Wait for the IVE to display the General>Overview page for Test Role. 4. On the Overview page, select the Web checkbox under Access features and then click Save Changes. 5. Choose Web>Options. 6. Under Browsing, select the User can type URLs checkbox, and then click Save Changes. After completing these steps, you have defined a user role. When you create resource policies, you can apply them to this role. You can also map users to this role through role mapping rules defined for an authentication realm. To quickly create a user role that enables Web and file browsing, duplicate the Users role, and then enable additional access features as desired. Figure 10: Users > Roles > New Role page Step 5: Create a test scenario to learn IVE concepts and best practices 11

18 Figure 11: Users > Roles > Test Role > General > Overview 12 Step 5: Create a test scenario to learn IVE concepts and best practices

19 Define a resource policy A resource policy is a system rule that specifies: Resources to which the policy applies (such as URLs, servers, and files), Users to whom the policy applies (specified by roles and other session variables), and Whether the IVE grants access to a resource or performs an action. The IVE is pre-configured with two types of resource policies: Web Access The pre-defined Web Access resource policy enables all users to access the Internet and all corporate Web servers through the IVE. By default, this resource policy applies to the Users role. Windows Access The pre-defined Windows Access resource policy enables all users mapped to the Users role to access all corporate Windows file servers. By default, this resource policy applies to the Users role. You can view the default Web and file resource policies on the Resource Policies>Web>Access and Resource Policies>Files>Windows>Access pages. Delete the default Web Access and Windows Access resource policies if you are concerned about users having access to all of your Web and file content. To define a resource policy: 1. In the administrator s Web console, choose Resource Policies>Web>Access. 2. On the Web Access Policies page, click New Policy. 3. On the New Policy page: 1. In the Name field, enter: Test Web Access 2. In the Resources field, enter: 3. Under Roles, select Policy applies to SELECTED roles, and then select Test Role in the Available Roles field and click Add to move it to the Selected Roles field. 4. Under Action, select Deny access. 5. Click Save Changes. The IVE adds Test Web Access to the Web Access Policies page. 6. On the Web Access Policies page, click the checkbox next to Test Web Access in the Policies list. The IVE highlights the table row in yellow. Step 5: Create a test scenario to learn IVE concepts and best practices 13

20 7. Click the up arrow at the top of the page to move the Test Web Access row above the built-in Initial Open Policy row, and then click Save Changes. The IVE processes resource policies in order, starting with the first policy in the list. To ensure that the IVE applies the appropriate resource restrictions to users, order policies in a resource policies list from the most restrictive to the least restrictive, with the most restrictive policy as the first item in the list. After completing these steps, you have configured a Web Access resource policy. Note that even though the next policy in the Web Access Policies list allows all users to access all Web resources, users mapped to Test Role are still prohibited from accessing because they meet the conditions of the first policy, Test Web Access, which takes precedence over the next policy. Figure 12: Resource Policies > Web > Access > New Policy 14 Step 5: Create a test scenario to learn IVE concepts and best practices

21 Figure 13: Resource Policies > Web > Access Changing the Order of Policies Define an authentication server An authentication server is a database that stores user credentials username and password and typically group and attribute information. When a user signs in to an IVE, the user specifies an authentication realm, which is associated with an authentication server. The IVE forwards the user s credentials to this authentication server to verify the user s identity. The IVE supports the most common authentication servers, including Windows NT Domain, Active Directory, RADIUS, LDAP, NIS, RSA ACE/Server, and Netegrity SiteMinder, and enables you to create one or more local databases of users who are authenticated by the IVE. The IVE is pre-configured with one local authentication server for users called System Local. This pre-defined local authentication server is an IVE database that enables you to quickly create user accounts for user authentication. This ability provides flexibility for testing purposes and for providing third-party access by eliminating the need to create user accounts in an external authentication server. You can view the default local authentication server on the System>Signing In> Servers page. The IVE also supports authorization servers. An authorization server (or directory server) is a database that stores user attribute and group information. You can configure an authentication realm to use a directory server to retrieve user attribute or group information for use in role mapping rules and resource policies. To define an authentication server: 1. In the administrator s Web console, choose System>Signing In>Servers. 2. On the Servers page, choose IVE Authentication from the New list and then click New Server. 3. On the New IVE Authentication page, enter Test Server in the Name field and then click Save Changes. Wait for the IVE to notify you that the changes are saved, after which additional configuration tabs appear. Step 5: Create a test scenario to learn IVE concepts and best practices 15

22 4. Click the Users tab and then click New. 5. On the New Local User page, enter testuser2 in the Username field, enter a password, and then click Save Changes to create the user s account in the Test Server authentication server. After completing these steps, you have created an authentication server that contains one user account. This user can sign in to an authentication realm that uses the Test Server authentication server. Figure 14: System > Signing In > Servers > New Server Figure 15: System > Signing In > Servers > Test Server > New User Figure 16: System > Signing In > Servers 16 Step 5: Create a test scenario to learn IVE concepts and best practices

23 Define an authentication realm An authentication realm is a grouping of authentication resources, including: An authentication server, which verifies a user s identity. The IVE forwards credentials submitted on a sign-in page to an authentication server. An authentication policy, which specifies realm security requirements that need to be met before the IVE submits credentials to an authentication server for verification. A directory server, which is an LDAP server that provides user and group attribute information to the IVE for use in role mapping rules and resource policies (optional). Role mapping rules, which are conditions a user must meet in order for the IVE to map a user to one or more roles. These conditions are based on information returned by the realm's directory server, the person s username, or certificate attributes. The IVE is pre-configured with one user realm called Users. This pre-defined realm uses the System Local authentication server, an authentication policy that requires a minimum password length of four characters, no directory server, and contains one role mapping rule that maps all users who sign in to the Users realm to the Users role. The testuser1 account you create in Step 3: Upgrade and license the IVE on page 6 is part of the Users realm, because this account is created in the System Local authentication server. The testuser2 account you create in Define an authentication server on page 15 is not part of the Users realm, because you create the user account in the new Test Server authentication server, which is not used by the Users realm. You can view the default user authentication realm on the Users>Authentication page. To define an authentication realm: 1. In the administrator s Web console, choose Users>Authentication. 2. On the User Authentication Realms page, click New. 3. On the New Authentication Realm page: 1. In the Name field, enter: Test Realm 2. Under Servers, choose Test Server from the Authentication server list. 3. Click Save Changes. Wait for the IVE to notify you that the changes are saved and to display the realm s configuration tabs. 4. On the Role Mapping tab, click New Rule. 5. On the Role Mapping Rule page: 1. Under Rule: If username..., enter testuser2 in the value field. 2. Under...then assign these roles, select Test Role in the Available Roles field and click Add to move it to the Selected Roles field. Step 5: Create a test scenario to learn IVE concepts and best practices 17

24 3. Click Save Changes. After completing these steps, you have finished creating an authentication realm. This realm uses Test Server to authenticate users and a role mapping rule to map testuser2 to Test Role. Because the Test Web Access resource policy applies to Test Role, any user mapped to this role cannot access Figure 17: Users > Authentication > New Realm Figure 18: Users > Authentication > Test Server > New Rule 18 Step 5: Create a test scenario to learn IVE concepts and best practices

25 Define a sign-in policy A sign-in policy is a system rule that specifies: A URL at which a user may sign in to the IVE, A sign-in page to display to the user, Whether or not the user needs to type or select an authentication realm to which the IVE submits credentials, and The authentication realms to which the sign-in policy applies. All Access Series and Access Series FIPS IVEs are pre-configured with one sign-in policy that applies to users: */. This default user sign-in policy (*/) specifies that when a user enters the URL to the IVE, the IVE displays the default sign-in page for users and requires the user to select an authentication realm (if more than one realm exists). The */ sign-in policy is configured to apply to the Users authentication realm, therefore this sign-in policy does not apply to the authentication realm you create in Define an authentication realm on page 17. You can view the default user sign-in policy on the System>Signing In>Sign-in Policies page. If your IVE has the Secure Meeting Upgrade license, the */meeting sign-in policy is also listed on this page. This policy enables you to customize the sign-in page for secure meetings. The default sign-in policy applies to all users. You can modify the URL to the IVE user sign-in page by adding to the path, such as */employees, but you cannot create additional sign-in policies unless you purchase the Advanced license for your IVE. To define a sign-in policy: 1. In the administrator s Web console, choose System>Signing In>Sign-in Policies. 2. On the Sign-in Policies page, click */. 3. On the */ page: 1. In the Sign-in URL field, enter test after */. 2. Under Authentication realm, select User picks from a list of authentication realms, and then select Test Realm in the Available Roles field and click Add to move it to the Selected Roles field. (Repeat this process for the Users role if it is not already in the Selected Roles field.) 3. Click Save Changes. After completing these steps, you have finished modifying the default users sign-in policy. Optional: 1. Choose System>Signing In>Sign-in Pages, and then click New Page. 2. On the New Sign-In Page page, enter Test Sign-in Page in the Name field, enter #FF0000 (red) in the Background color field, and then click Save Changes. Step 5: Create a test scenario to learn IVE concepts and best practices 19

26 3. Choose System>Signing In>Sign-in Policies, and then click */test/ under User URLs. 4. On the */test/ page, choose Test Sign-in Page from the Sign-in page list and then click Save Changes. After completing these optional steps, you have finished defining a new sign-in page that is associated with the */test/ sign-in policy. Figure 19: System > Signing In > Sign-in Policies > */ Figure 20: System > Signing In > Sign-in Pages > New Page Optional New Sign-in Page 20 Step 5: Create a test scenario to learn IVE concepts and best practices

27 Figure 21: System > Signing In > Sign-in Policies > */test/ Using New Sign-in Page Use the test scenario The test scenario enables you to: Access the user s Web console using the modified default sign-in policy Sign in as the user created in Test Server to the Test Realm Test your Web browsing capabilities, which are dependent upon the proper configuration of Test Role and Test Web Access To use the test scenario: 1. In a browser, enter the machine s URL followed by /test to access the user sign-in page. The URL is in the format: where a.b.c.d is the machine IP address you entered in Step 2-4. When prompted with the security alert to proceed without a signed certificate, click Yes. If the user sign-in page appears, you have successfully connected to your IVE appliance. Figure 22: User Sign-in Page If you performed the optional configuration steps in Define a sign-in policy on page 19, the header color is red. 2. On the sign-in page, enter the username and password you created for the user account in Test Server, select Test Realm from the Realm list, and then click Sign In to access the IVE home page for users. Step 5: Create a test scenario to learn IVE concepts and best practices 21

28 The IVE forwards the credentials to Test Realm, which is configured to use Test Server. Upon successful verification by this authentication server, the IVE processes the role mapping rule defined for Test Realm, which maps testuser2 to Test Role. Test Role enables Web browsing for users. Figure 23: User Home Page 3. In the browser Address field, enter the URL to your corporate Web site and click Browse. The IVE opens the Web page in the same browser window, so to return to the IVE home page, click the center icon in the browsing toolbar that appears on the target Web page. 4. On the IVE home page, enter and click Browse. The IVE displays an error message, because the Test Web Access resource policy denies access to this site for users mapped to Test Role. Figure 24: Example Error Message for Denied Resource 5. Return to the IVE home page, click Sign Out, and then return to the user sign-in page. 6. Enter the credentials for testuser1, select the Users realm, and then click Sign In. 7. On the IVE home page, enter and click Browse. The IVE opens the Web page in the same browser window. The test scenario demonstrates the basic IVE access management mechanisms. You can create very sophisticated role mapping rules and resource policies that control user access depending on factors such as a realm s authentication policy, a user s group membership, and other variables. To learn more about IVE access management, we recommend that you take a few minutes to review the online Help to familiarize yourself with its contents. 22 Step 5: Create a test scenario to learn IVE concepts and best practices

29 When you configure the IVE for your enterprise, we recommend that you perform user access configuration in the order presented in this section. For detailed configuration information, see the online Help or the administration guide PDF, which is accessible from the online Help and is also available on the support site. Before you make your IVE available from external locations, we recommend that you import a signed digital certificate from a trusted certificate authority (CA). Default settings for administrators Just like for users, the IVE provides default settings that enable you to quickly configure accounts for administrators. This list summarizes the system default settings for administrators: Administrator roles.administrators This built-in role permits administrators to manage all aspects of the IVE. The administrator user you create in the serial console is mapped to this role..read-only Administrators This built-in role permits users mapped to the role to view (but not configure) all IVE settings. You need to map administrators to this role if you want to restrict their access. You need the Advanced license in order to create additional administrator roles. Administrators local authentication server The Administrators authentication server is an IVE database that stores administrator accounts. You create the first administrator account in this server through the serial console. (The IVE adds all administrator accounts created through the serial console to this server.) You cannot delete this local server. Admin Users authentication realm The Admin Users authentication realm uses the default Administrators authentication server, an authentication policy that requires a minimum password length of four characters, no directory server, and contains one role mapping rule that maps all users who sign in to the Admin Users realm to the.administrators role. The administrator account you create in the serial console is part of the Admin Users realm. */admin sign-in policy The default administrator sign-in policy (*/admin) specifies that when a user enters the URL to the IVE followed by /admin, the IVE displays the default sign-in page for administrators. This policy also requires the administrator to select an authentication realm (if more than one realm exists). The */admin sign-in policy is configured to apply to the Admin Users authentication realm, therefore this sign-in policy applies to the administrator account you create through the serial console. Default settings for administrators 23

30 24 Default settings for administrators

31

32 CORPORATE HEADQUARTERS Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Phone or 888 JUNIPER Fax Juniper Networks, Inc. has sales offices worldwide. For contact information, refer to Printed on recycled paper N