IVE Quick Startup Guide - OS 4.0

Initial Setup

Once you receive the IVE device, unpack it and connect it to a PC or laptop using the console (null modem) cable provided with the IVE. Connect the IVE console port (9-pin D-type male) to the serial port on your workstation running a VT100 terminal emulation program. The pin configuration of the console cable is given below:

Pin No.   Signal Description
1         Data Carrier Detect
2         Receive Data
3         Transmit Data
4         Data Terminal Ready
5         Signal Ground
6         Data Set Ready
7         Request to Send
8         Clear to Send
9         Ring Indicator

Netscreen IVE DB-9 (Female)   DB-9 Connector to PC or Laptop
2                             3
3                             2
1 and 8                       7
7                             1 and 8
5                             5
4                             6
6                             4

After connecting the console port to the PC, configure Hyper Terminal as given below:

1. Go to Start > Program > Accessories > Communication > Hyper Terminal.
2. You can enter anything in the Name field. It is just a display name.
3. From the Connect using drop-down, select the communication port to which you have connected the IVE. Usually it's COM1 or COM2. If you have only one communication port then it will be COM1.
4. The COM1 Properties will be as given below:

   Bits per second : 9600
   Data bits       : 8
   Parity          : None
   Stop bits       : 1
   Flow control    : None
You will see the following on the screen:

Wait until you get the following screen:

These are interactive options. Follow the on-screen instructions (including entering the network settings) and the few suggestions given below:

1. For Link Speed, select Auto.
2. For Common name, use the URL which you or your users are going to use for connecting, e.g. connect.neoteris.com; when users connect to the IVE they will use https://connect.neoteris.com. If this URL is different from the URL which you or your users will be using, they will be prompted about the certificate every time they connect to the IVE.
3. Random text generates the self-signed certificate for your company for the URL entered in the Common name.

Once you are done with the above configuration you will see the following screen:

When you press Enter you will see the following screen:

Description of the above options:

1. View/set network settings (IP, netmask, gateway, link speed, DNS, WINS): You can use this option to change the network settings from the console. The current option is displayed in square brackets.
2. Create admin username and password: Using this option you can create new admin accounts. This option is used if you have forgotten the password for the previous admin account. You cannot create the same admin account or reset the password for the previous admin account from the console.
3. Display Log: It will display the admin logs.
4. Ping to a server: Using this option you can test the connectivity to a server, i.e. you can check whether the IVE can reach the server or not.
5. Trace route to a server: You can see the path and number of hops the IVE takes to reach a server.
6. Remove all static routes: If you have configured any static routes and you are not able to get into the IVE, or if you are not able to delete the route from the GUI, you can use this option.
7. Reboot IVE
8. Toggle password protection for the console (Off): Using this option you can set a password for the console. You then have to provide the password to access the console. If you forget the console password you need to roll back or do a factory reset.
9. Create a Super Admin session: If you have changed the admin realm or sign-in page, or you are not able to access the admin page for any reason, you can use this option to generate a code with which you can connect to the IVE as super admin and make the changes. This code is only valid for three minutes. You have to connect to https://<ive-host>/dana-na/auth/recover.cgi and enter the recovery token within those three minutes.
10. Print ARP Cache: You can see the IVE ARP cache information.
11. Clear ARP Cache: You can clear the IVE ARP cache.
12. Print Routing Table: You can see the IVE routing table.

To log in to the IVE as administrator from the GUI, use the URL https://<ive IP address>/admin or https://<ive FQDN>/admin with the administrator username and password which you created at the time of initial setup. If you have forgotten the username and password, you can connect back to the console and use option 2 to create a new admin username and password.

Upgrading the IVE OS

You may sign in with your support credentials to the Juniper support site (http://www.juniper.net/support), download the latest OS version and save it on your hard disk.

1. Sign in to the IVE as Administrator.
2. Go to Maintenance > System > Upgrade/Downgrade.
3. In the Service package to install field, select the OS which you have downloaded.
4. Make sure that Delete all system user data is unchecked and click on the Install Now tab.

Installation will take about 10-15 minutes. After 10-15 minutes, if you are unable to access the IVE, connect the IVE console to a laptop or PC and check the installation status. If it is stuck at some point, please contact Juniper support.
License Installation

Log in to the IVE as administrator, go to Configuration > Licensing and install the license that was sent to you by email. To install the license, copy the Company name from the email and paste it in the Company Name field, then copy everything under License (Permanent) and paste it in the License Key(s) field. Before clicking Save Changes, make sure that there are no spaces at the start or end of any line in the Company Name and License Key(s) fields.

Certificate Installation

During initial configuration, the IVE installs a self-signed certificate. If you use the same URL which you entered while generating the self-signed certificate, users will not be prompted for the certificate and you can use the same certificate. If you have bought a valid certificate from a CA, follow the steps given below to install it on the IVE.

1. Go to Configuration > Certificate > Server Certificates.
2. Click on Import/Renew.
3. Save the certificate sent by the CA on the system.
4. Under Import the Certificate for a pending CSR, select the certificate saved on the system and click on Import.

Administrator Timeout & External Access Configuration

1. Go to Administrator > Delegation > .Administrators.
2. Under General go to Session Option.
3. You may change the value of Idle Timeout here.
4. You may change the value of Max. Session Length here. This value should be higher than the Idle Timeout.
5. To enable external access for administrators, go to Administrator > Authentication > Admin Users > Authentication Policy.
6. In Source IP, under Administrators sign in on the external port, check the box Enable administrators to sign in on the external port. This will allow administrators to log in as admin on the IVE's external port.

To enable user access you have to perform the 4-step basic configuration given below:

I. Creating a role.
II. Configure resource policies for the above role.
III. Creating an authentication server.
IV. Creating a realm.

I. Creating Role(s)
1. Go to Users > Roles.
2. Click on New Role.
3. In the Name and Description fields you can enter any arbitrary name.
4. If you want to use the default options for Session Options and UI Options under Options, uncheck the boxes; otherwise click on Edit and change the options.
5. Under Access features, check the feature you want to enable for this particular role. For initial configuration and testing select Web.
6. Go to Users > Roles > [select the role] > Web > Options.
7. Select the options depending on the type of access or permissions you want to give to users. If you check the box Auto-allow role bookmarks, the IVE will automatically create a resource policy for the bookmark.
8. Go to Users > Roles > [select the role] > Web > Bookmarks.
9. Click on New Bookmark.
10. In the Name and Description fields you can enter any arbitrary name.
11. In the URL field enter the URL of the website which users can access via the IVE, e.g. http://www.yahoo.com or http://intranet.yourcompany.com.
12. Save the changes.

Note: You can also configure Secure Application Manager, Windows and UNIX/NFS file shares, Network, Telnet/SSH, Meeting, Email Client etc. For configuring all these options refer to the administrator guide.

II. Creating Resource Policies

1. Continuing on the Web theme, go to Resource Policies > Web.
2. If you did not select Auto-allow role bookmarks while configuring the role, you will not see any policies. If there is no policy, click on New Policy.
3. For testing purposes let's create an open policy. In the Name and Description fields you can enter any arbitrary name.
4. Under Resources, in the Resources field enter an * (this will be an open policy). If you want to create policies only for the resources or bookmarks you have created, enter the FQDN, hostname or IP address of the resource or the web site for which you have created the bookmark. The Resources field will have the value http://www.yahoo.com or http://intranet.yourcompany.com for the example mentioned in step 11 of Creating Roles.
5. Under Roles select Policy applies to SELECTED roles, select the role which you created above from the Available roles list and click on Add.
6. Under Action select Allow access.
7. Save the changes.

III. Creating Authentication Server(s)

1. Go to Signing-In > Servers.
2. From the New drop-down menu select the Authentication Server.
3. Click on New Server.

Assume that in step 2 you selected Active Directory / Windows NT:

1. In the Name field you can enter any arbitrary name.
2. In the Primary Domain Controller or Active Directory and Backup Domain Controller or Active Directory fields enter the FQDN, hostname or IP address of the Primary Domain Controller or Active Directory and of the Backup Domain Controller or Active Directory. The IVE should be able to resolve the FQDN or hostname.
3. In the Domain field enter the AD or NT domain.
4. If you do group lookup or want to allow users to change their AD password via the IVE, enter the AD administrator or AD domain administrator username and password.
5. Save the changes.

Assume that in step 2 you have selected Radius:

1. In the Name field you can enter any arbitrary name.
2. In the Radius Server field enter the FQDN, hostname or IP address of the Radius server. The IVE should be able to resolve the FQDN or hostname.
3. In the Port field enter the port number on which Radius is listening for authentication. Usually it is 1645 or 1812.
4. In Radius you have to add the IVE as a client and create a secret. Enter the same secret in the Shared Secret field.
5. If you have a secondary Radius server, enter its FQDN, hostname or IP address in the Secondary Radius Server field.
6. In the Secondary Radius Port field enter the port number on which Radius is listening for authentication. Usually it is 1645 or 1812.
7. In the secondary Radius server you also have to add the IVE as a client and create a secret. Enter the same secret in the Secondary Radius Secret field.
8. Save the changes.

IV. Creating Realm(s)

1. Go to Users > Authentication.
2. Click on New.
3. In the Name and Description fields you can enter any arbitrary name.
4. Under Server, from the Authentication server list select the authentication server you have created that you intend to use.
5. You may use AD as LDAP or any other LDAP server for group lookup. If you are doing group lookup, select the server from the Directory/Attribute server drop-down menu. For initial setup you may leave this option, or refer to the admin guide for more details.
6. Check the box When editing, start on the Role Mapping page. The next time you click on the realm it will take you directly to the role mapping page.
7. Save the changes.
8. Go to Users > Authentication > Role Mapping.
9. Click on New Rule.
10. For testing purposes select Username from the Rule based on drop-down menu.
11. Under Rule: If username... enter an *.
12. Under then assign these roles, select the role which you created above and click on Add.
13. Save the changes.

URL for user sign-in: https://<ive IP address> or https://<ive FQDN>. Log in as a user and test the configuration.

Note: You may look at the user access log for more information in case the authentication is unsuccessful.
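
The Common name advice in Initial Setup and Certificate Installation can be checked before users see a certificate prompt. The following is an added example, not part of the original guide or of the IVE software: it compares a sign-in URL with the names in a certificate given in the dict shape returned by Python's ssl.SSLSocket.getpeercert(). The two sample certificates, "Example Co", 192.0.2.10 and the vpn.neoteris.com names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert():
# a self-signed certificate with only a Common Name, as created at initial setup.
SELF_SIGNED = {"subject": ((("organizationName", "Example Co"),),
                           (("commonName", "connect.neoteris.com"),))}
# Constructed sample of a CA-issued certificate that also carries a SAN.
CA_ISSUED = {"subject": ((("commonName", "connect.neoteris.com"),),),
             "subjectAltName": (("DNS", "connect.neoteris.com"),
                                ("DNS", "*.vpn.neoteris.com"))}


def cert_names(cert, cn_fallback=True):
    """DNS names a client checks: SAN dNSName entries, else (optionally) the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans or not cn_fallback:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive compare; '*' counts only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:      # refuse '*.com'-style patterns
        p, h = p[1:], h[1:]
    return p == h


def sign_in_url_ok(url, cert, cn_fallback=True):
    """True when the host in the sign-in URL is covered by the certificate."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                   # not an IP literal: compare DNS names
        return any(name_matches(n, host) for n in cert_names(cert, cn_fallback))
    # An IP-literal URL only matches an "IP Address" SAN, never the CN.
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip
               for k, v in cert.get("subjectAltName", ()))


if __name__ == "__main__":
    for url in ("https://connect.neoteris.com/admin", "https://192.0.2.10",
                "https://gw.vpn.neoteris.com"):
        print(url, sign_in_url_ok(url, SELF_SIGNED), sign_in_url_ok(url, CA_ISSUED))
```

Pass cn_fallback=False to model current browsers such as Chrome, which ignore the Common Name and require a subjectAltName entry. Signing in by IP address fails the check for both sample certificates because neither carries an IP Address entry.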