Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INFRANET CONTROLLER GUIDE REV 01 User Manual

Download

Network and Security Manager

Configuring Infranet Controllers Guide

Release

2010.4

Published: 2010-11-17

Revision 01

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

This product includes the EnvoySNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Network and Security Manager Infranet Controller Configuration Guide

Revision History 18 November 2010—01

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’sprincipal office is locatedoutside the Americas)(such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer’s use of the Software. Such limits may restrict use to a maximum number of seats,registeredendpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software,in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’or key-restricted feature,function, service, application, operation,or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associateddocumentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statementthat accompanies the Software(the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligationto support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTSOR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,OR FOR ANY SPECIAL, INDIRECT,OR CONSEQUENTIALDAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE,OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE.IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Table of Contents

About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

List of Technical Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Part 1 Getting Started

Chapter 1 Understanding an Infranet Controller Configuration . . . . . . . . . . . . . . . . . . . . 3

NSM and Device Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Communication Between an Infranet Controller and NSM Overview . . . . . . . . . . . 3

Infranet Controller Services and Device Configurations Supported in NSM . . . . . . 5

Chapter 2 Infranet Controller and NSM Installation Overview . . . . . . . . . . . . . . . . . . . . . 7

UAC Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

NSM Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Part 2 Integrating Infranet Controllers

Chapter 3 Adding Infranet Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Importing an Infranet Controller Device Through Not Reachable Workflow . . . . . . 11

Installing and Configuring the Infranet Controller Device . . . . . . . . . . . . . . . . . 12

Adding the Infranet Controller Device Through NSM . . . . . . . . . . . . . . . . . . . . 12

Configuring and Enabling the DMI Agent on the Infranet Controller

Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Confirming Connectivity and Importing the Infranet Controller Device

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Requirementsfor Importing an Infranet Controllerinto NSM Througha Reachable

Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Importing an Infranet Controller Through Reachable Workflow . . . . . . . . . . . . . . . 15

Importing Multiple Infranet Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Creating the CSV File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Validating the CSV File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Adding and Importing Multiple Infranet Controllers . . . . . . . . . . . . . . . . . . . . . 18

Verifying Imported Device Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Using Device Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Using Device Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Using Job Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

NSM Infranet Controller Configuration Guide

Chapter 4 Adding Infranet Controller Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Infranet Controllers Clusters in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Adding an Infranet Controller Cluster with Imported Cluster Members . . . . . . . . . 24

Chapter 5 Using Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Creating and Applying an Infranet Controller Template . . . . . . . . . . . . . . . . . . . . . 29

Promoting an Infranet Controller Configuration to a Template . . . . . . . . . . . . . . . . 31

Reverting an Infranet Controller Configuration to Default Values of a

Using Configuration Summaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Installing and Configuring the Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Adding the Cluster in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Adding the Cluster Members in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Configuring and Enabling the DMI Agent on the Cluster . . . . . . . . . . . . . . . . . 27

Importing Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Creating the Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Applying the Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Part 3 Configuring an Infranet Controller

Chapter 6 Configuring User Roles and Administrator Roles . . . . . . . . . . . . . . . . . . . . . . 35

Configuring Infranet Controller User Roles (NSM Procedure) . . . . . . . . . . . . . . . . 35

Configuring Access Options on an Infranet Controller User Role (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Configuring OAC Settings for a User Role (NSM Procedure) . . . . . . . . . . . . . . . . . 42

Creating and Configuring Infranet Controller Administrator Roles (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Delegating Management Tasks to Infranet Controller Administrator Roles (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Chapter 7 Configuring Security Requirements for Administrators and Users . . . . . . . . 61

Configuring Infranet Controller Source IP Access Restrictions (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Configuring Infranet Controller Browser Access Restrictions (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Configuring Infranet Controller Certificate Access Restrictions (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Configuring Infranet Controller Password Access Restrictions (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Configuring Infranet Controller Host Checker Access Restrictions (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Configuring Infranet Controller RADIUS Request Attribute Restrictions for User

Realms (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet

Controller Users (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Table of Contents

Chapter 8 Configuring the Infranet Controller RADIUS Server and Layer 2 Access . . . 73

Configuring the Infranet Controller as a RADIUS Server (NSM Procedure) . . . . . . 73

Configuring Authentication Protocol Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Using RADIUS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Using the Infranet Controller for 802.1X Network Access (NSM Procedure) . . . . . 75

Configuring Location Groups (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Configuring RADIUS Clients (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Uploading a New RADIUS Client Dictionary . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Creating a RADIUS Dictionary Based on an Existing Model . . . . . . . . . . . . . . 78

Configuring a New RADIUS Vendor (NSM Procedure) . . . . . . . . . . . . . . . . . . 78

Creating a RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Configuring RADIUS Return Attributes Policies (NSM Procedure) . . . . . . . . . . . . 80

Configuring RADIUS Request Attributes Policies (NSM Procedure) . . . . . . . . . . . 83

Configuring an Infranet Enforcer as a RADIUS Client of the Infranet Controller

(NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Non-Juniper 802.1X Supplicant Configuration Overview . . . . . . . . . . . . . . . . . . . . 85

Chapter 9 Configuring Authentication Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Creating an Authentication Realm (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 87

Configuring Role Mapping Rules (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 90

Configuring Infranet Controller Authentication Policies (NSM Procedure) . . . . . . 92

Chapter 10 Configuring Infranet Enforcer Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Configuring Infranet Enforcer Resource Access Policies (NSM Procedure) . . . . . . 93

Configuring Infranet Controller IPsec Routing Policies (NSM Procedure) . . . . . . . 95

Configuring Infranet Controller IP Address Pool Policies (NSM Procedure) . . . . . 98

Configuring Infranet Controller Source Interface Policies (NSM Procedure) . . . . 99

Configuring an Infranet Controller to Connect to a ScreenOS Enforcer (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Configuring an Infranet Controller to Connect to a JUNOS Enforcer (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Chapter 11 Configuring Host Enforcer Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Configuring Infranet Controller Host Enforcer Policies (NSM Procedure) . . . . . . 105

Chapter 12 Configuring IF-MAP Federation Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configuring IF-MAP Server Settings on the Infranet Controller (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configuring IF-MAP Client Settings on the Infranet Controller (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring IF-MAP Session Export Policy on the Infranet Controller (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Configuring IF-MAP Session Import Policy on the Infranet Controller (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Configuring IF-MAP Server Replicas (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 114

Chapter 13 Configuring Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Configuring an Infranet Controller Anonymous Server Instance (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Creating a Custom Expression for an Authentication Server (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

NSM Infranet Controller Configuration Guide

Configuring an Infranet Controller RSA ACE/Server Instance (NSM

Configuring an Infranet ControllerActiveDirectory or NT Domain Server Instance

Configuring an Infranet Controller Certificate Server Instance (NSM

Configuring an Infranet Controller LDAP Server Instance (NSM Procedure) . . . . 125

Configuring an Infranet Controller Local Authentication Server Instance (NSM

Configuring an Infranet Controller NIS Server Instance (NSM Procedure) . . . . . . 133

Configuring an Infranet Controller RADIUS Server Instance (NSM Procedure) . . 134 Configuring an Infranet Controller eTrust SiteMinder Server Instance (NSM

Configuring an Infranet Controller MAC Address Authentication Server for

Chapter 14 Configuring Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Configuring Infranet Controller Sign-in Policies (NSM Procedure) . . . . . . . . . . . 149

Configuring Infranet Controller Standard Sign-in Pages (NSM Procedure) . . . . . 153

Chapter 15 Configuring Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Creating Infranet Controller Global Host Checker Policies Overview . . . . . . . . . . 155

Configuring Advanced Endpoint Defense Policy (NSM Procedure) . . . . . . . . . . . 157

Configuring New Client-Side Policies (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 157

Configuring Virus Signature Version Monitoring and Patch Assessment (NSM

Specifying Customized Requirements Using Custom Rules (NSM Procedure) . . 161

Configuring a Patch Assessment Custom Rule (NSM Procedure) . . . . . . . . . . . . 165

Configuring the Remote IMV Server (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 167

Enabling Customized Server-Side Policies (NSM Procedure) . . . . . . . . . . . . . . . 168

Executing Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Implementing Infranet Controller Host Checker Policies (NSM Procedure) . . . . . 172

Remediating Infranet Controller Host Checker Policies . . . . . . . . . . . . . . . . . . . . 174

Configuring Infranet Controller General Host Checker Options (NSM

Configuring Host Checker Automatic Installation (NSM Procedure) . . . . . . . . . . 176

Configuring Infranet Controller Host Checker Logs (NSM Procedure) . . . . . . . . . 177

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

(NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Unmanageable Devices (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Configuring Administrator Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Configuring User Sign-in Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Restricting Infranet Controller and Resource Access Through Host

Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Configuring Host Checker Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Table of Contents

Part 4 Managing an Infranet Controller

Chapter 16 Unified Access Control Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

UAC Manager in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Associating Enforcement Points with an Infranet Controller Using the UAC

Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Disassociatingthe Configuration Betweenan EnforcementPoint and an Infranet

Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Enabling Dot1x Ports on the Enforcement Points Using the UAC Manager . . . . . 184

Disabling the Dot1x Ports on an Enforcement Point Using the UAC Manager . . . 185

Chapter 17 Using System Management Features in an Infranet Controller . . . . . . . . . 187

Managing Large Binary Data Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Configuring Infranet Controller System Options (NSM Procedure) . . . . . . . . . . . 188

Removing an Infranet Controller from NSM Management (NSM Procedure) . . . 190

Deactivating a DMI Agent in an Infranet Controller (NSM Procedure) . . . . . . . . . 190

Chapter 18 Configuring the Infranet Controller to Interoperate with IDP . . . . . . . . . . . 193

Configuring ISG-IDP as a Sensor on the Infranet Controller (NSM Procedure) . . 193 Configuring Infranet Controller Sensor Settings for Connecting to a Standalone

IDP Device (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Creating an IDP Device Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Enabling or Disabling the Connection to an Existing IDP Device . . . . . . . . . . 195

Configuring Sensor Event Policies (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 196

Creating a Custom Expression for Sensor Settings (NSM Procedure) . . . . . . . . . 198

Chapter 19 Troubleshooting an Infranet Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Troubleshooting the IF-MAP Federation Network (NSM Procedure) . . . . . . . . . . 201

Part 5 Monitoring and Configuring Logs in an Infranet Controller

Chapter 20 Monitoring an Infranet Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Realtime Monitor Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Viewing Device Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Viewing Device Monitor Alarm Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Chapter 21 Configuring Logs in an Infranet Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Configuring RADIUS Attribute Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 211

Configuring Event Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Configuring User Access Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Configuring Administrator Access Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . 214

Configuring Client-Side Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Configuring the Infranet Controller as an SNMP Agent (NSM Procedure) . . . . . . 216

Configuring Custom Log Filters (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 218

Part 6 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

NSM Infranet Controller Configuration Guide

About this Guide

•

Objectives on page xiii

•

Audience on page xiii

•

Conventions on page xiii

•

List of Technical Publications on page xv

•

Requesting Technical Support on page xvi

Objectives

Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices.

Unified Access Control (UAC) solution is an IP-based enterprise infrastructure that coordinates network, application, and endpoint security compliance and provides the control required to support network applications, manage network use, and reduce threats.

This guide provides the information you need to understand, configure, and maintain an Infranet Controller device using NSM. This guide explains how to use basic and advanced NSM functionality, including adding new devices, deploying new device configurations, updating device firmware, viewing log information, and monitoring the status of your Infranet Controller device.

Audience

This guide is intended for the systemadministratorresponsible for configuring the Infranet Controller device.

Conventions

Table 1 on page xiv defines notice icons used in this guide.

NSM Infranet Controller Configuration Guide

Table 1: Notice Icons

Table 2 on page xiv defines text conventions used in this guide.

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

Table 2: Text Conventions

Bold typeface like this

fixed-width font

Keynames linked with a plus (+) sign

Italics

The angle bracket (>)

•

Represents commands and keywords in text.

•

Represents keywords

•

Represents UI elements

Represents information as displayed on the terminal screen.

keys simultaneously.

•

Emphasizes words

•

Identifies variables

Indicates navigation paths through the UI by clicking menu options and links.

ExamplesDescriptionConvention

•

Issue the clock source command.

•

Specify the keyword exp-msg.

•

Click User Objects

user inputRepresents text that the user must type.Bold typeface like this

host1#

show ip ospf

Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR)

Ctrl + dIndicates that you must press two or more

•

The product supports two levels of access, user and privileged.

•

clusterID, ipAddress.

Object Manager > User Objects > Local Objects

Table 3 on page xv defines syntax conventions used in this guide.

Table 3: Syntax Conventions

About this Guide

ExamplesDescriptionConvention

terminal lengthRepresent keywordsWords in plain text

mask, accessListNameRepresent variablesWords in italics

Words separated by the pipe ( | ) symbol

Words enclosed in brackets followed by and asterisk ( [ ]*)

variable to the left or right of this symbol. The keywordor variable can be optional or required.

can be entered more than once.

Represent required keywords or variables.Words enclosed in braces ( { } )

diagnostic | lineRepresent a choice to select one keyword or

[ internal | external ]Represent optional keywords or variables.Words enclosed in brackets ( [ ] )

[ level1 | level2 | 11 ]*Represent optional keywords or variables that

{ permit | deny } { in | out } { clusterId | ipAddress }

List of Technical Publications

Table 4: Network and Security Manager and Unified Access Control Solutions Publications

Network and Security Manager Installation Guide

Network and Security Manager Administration Guide

Details the steps to install the NSM management system on a single server or on separate servers. It also includes information on how to install and run the NSM user interface. This guide is intended for IT administrators responsible for the installationand/orupgrade of NSM.

Describes how to use and configure key management features in the NSM. It provides conceptual information, suggested workflows, and examples where applicable. This guide is best used in conjunction with the NSM Online Help, which provides step-by-step instructions for performing management tasks in the NSM UI.

Network and Security Manager Configuring Firewall/VPN Devices Guide

Network and Security Manager Online Help

Unified Access Control Administration Guide

Unified Access Control Quick Start Guide

This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multi-user systems. It is also intended for device configuration administrators, firewall and VPN administrators, and network security operation center administrators.

Describes NSM features that relate to device configuration and management. It also explains how to configure basic and advanced NSM functionality, including deploying new device configurations, managing Security Policies and VPNs, and general device administration.

Provides task-oriented procedures describing how to perform basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.

Provides comprehensive information about configuring the Unified Access Control solution and the Infranet Controller 4500 and 6500 appliances.

Provides an example of configuring the Unified Access Control solution for a front-end server deployment scenario.

NSM Infranet Controller Configuration Guide

Table 4: Network and Security Manager and Unified Access Control Solutions Publications (continued)

Unified Access Control Installation Guide

Details the steps to install the Infranet Controller and Infranet Enforcer Appliances. This guide is intended for IT administrators responsible for the installation and/or upgrade of Infranet Controller.

Requesting Technical Support

Technicalproduct support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/ .

•

JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Search for known bugs: http://www2.juniper.net/kb/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number,use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

About this Guide

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see

http://www.juniper.net/support/requesting-support.html .

NSM Infranet Controller Configuration Guide

PART 1

Getting Started

•

Understanding an Infranet Controller Configuration on page 3

•

Infranet Controller and NSM Installation Overview on page 7

NSM Infranet Controller Configuration Guide

CHAPTER 1

Understanding an Infranet Controller Configuration

•

NSM and Device Management Overview on page 3

•

Communication Between an Infranet Controller and NSM Overview on page 3

•

Infranet Controller Services and Device Configurations Supported in NSM on page 5

NSM and Device Management Overview

NSM is the Juniper Networks network management tool that allows distributed administration of network appliances. You can use the NSM application to centralize status monitoring, logging, and reporting, and to administer Infranet Controller configurations.

With NSM you can manage the Infranet Enforcer and Intrusion Detection and Prevention (IDP) devices,and you can administer the completeUnified AccessControl (UAC) solution from a single management interface.

In addition, NSM lets you manage most of the parameters that you can configure through the Infranet Controller admin console. The configuration screens rendered through NSM are similar to the screens in the Infranet Controller admin console.

NSM incorporates a broad configuration management framework that allows co-management using other methods. To manage the Infranet Controller configuration, you can also use the XML files import and export feature, or you can manage from the Infranet Controller admin console.

Documentation

Communication Between an Infranet Controller and NSM Overview on page 3•

• Infranet Controller Services and Device Configurations Supported in NSM on page 5

Communication Between an Infranet Controller and NSM Overview

The Infranet Controller and the NSM application communicate through the Device Management Interface (DMI). DMI is a collection of schema-driven protocols that run on a common transport (that is, TCP). DMI is designed to work with Juniper Networks platforms to make device management consistent across all administrative realms.

NSM Infranet Controller Configuration Guide

Supported DMI protocols include:

•

NetConf (for inventory management, XML-based configuration, text-based configuration, alarm monitoring, and device specific commands)

•

Structured syslog

•

Threat flow for network profiling

DMI supports third-party network management systems that incorporate the DMI standard; however, only one DMI-based agent per device is supported.

The Infranet Controller’s configuration is represented as a hierarchical tree of configuration items. This structure is expressed in XML and can be manipulated with NetConf. NetConf is a network management protocol that uses XML. DMI uses NetConf’s generic configuration management capability to allow remote configuration of the device.

To allow NSM to manage the Infranet Controller using the DMI protocol, NSM must import the schema and metadatafiles from the Juniper NetworksSchema Repository, a publicly accessible resource that is updated with each device release. In addition to downloading the Infranet Controller’s current schema, NSM may also download upgraded software.

The Schema Repository enables access to XSD and XML files defined for each device, model, and software version.

Before attempting to communicate with NSM, you must first complete the initial configuration of the Infranet Controller. Initial configuration includes network interface settings, DNS settings, licensing, and password administration.

If you have severalInfranet Controllers that will be configured in a clustering environment, the cluster abstraction must first be created in the NSM Cluster Manager. Then you can add individual nodes.

After you have completed the initial network configuration, you can configure the Infranet Controller to communicate with NSM using the appropriate network information. Once the Infranet Controller has been configured to communicate with NSM, the Infranet Controllercontacts NSM and establishes a DMI session through an initial TCP handshake.

All communications between the Infranet Controller and NSM occur over SSH to ensure data integrity.

After the Infranet Controller initially contacts NSM and a TCP session is established, interaction between the Infranet Controller and NSM is driven from NSM, which issues commands to get hardware, software, and license details of the Infranet Controller. NSM connectsto the Schema Repository to download the configuration schema that is specific to the Infranet Controller.

NSM then issues a command to retrieve configuration information from the Infranet Controller. If NSM is contacted by more than one Infranet Controller as a member of a cluster, information from only one of the cluster devices is gathered. NSM attempts to validate the configuration received from the Infranet Controller against the schema from Juniper Networks.

Chapter 1: Understanding an Infranet Controller Configuration

Once the Infranet Controller and NSM are communicating,the InfranetController delivers syslog and event information to NSM.

After NSM and the Infranet Controller are connected, you can make any configuration changes directly on the Infranet Controller, bypassing NSM. NSM automatically detects these changes and imports the new configuration data. Changes to Infranet Controller cluster members will similarly be detected by NSM.

When you make changes to the Infranet Controller configuration through NSM you must push the changes to the device by performing an Update Device operation.

When you double-click the Infranet Controller device icon in the Device Manager and select the Configuration tab, the configuration tree appears in the main display area in the same orientation as items appear on the Infranet Controller admin console.

Documentation

NSM and Device Management Overview on page 3•

• Infranet Controller Services and Device Configurations Supported in NSM on page 5

Infranet Controller Services and Device Configurations Supported in NSM

The Infranet Controller supports the following services in NSM:

•

Inventory management service—Enables management of the Infranet Controllers software, hardware, and licensing details. Adding or deleting licenses and upgrading or downgrading software are not supported.

•

Status monitoring service—Allows the Infranet Controller’s status to be obtained, including name, domain, OS version, synchronization status, connection details, and current alarms.

•

Logging service—Allowsthe Infranet Controller’s logs to be obtained in a time-generated order. Logging configuration details that are set on the Infranet Controller will apply to NSM.

•

XML-based configuration management service—Enables NSM to manage the configurationof the Infranet Controller. NSM uses the same XML schema as the Infranet Controller, so you can troubleshoot NSM using XML files downloaded from the Infranet Controller.

The following device configurations are not supported:

•

Editing licensing information, although licenses can be viewed

•

Packaging log files or debug files for remote analysis

Documentation

• NSM and Device Management Overview on page 3

• Communication Between an Infranet Controller and NSM Overview on page 3

NSM Infranet Controller Configuration Guide

CHAPTER 2

Infranet Controller and NSM Installation Overview

•

UAC Installation Overview on page 7

•

NSM Installation Overview on page 8

UAC Installation Overview

NOTE: For important safety information, read Juniper Networks Security Products Safety Guide.

The UAC components to be installed are the following:

1. Install Infranet Enforcer and/or 802.1X hardware and perform the basic setup. See

the documentation that shipped with the system or visit the Juniper Networks Web site at http://www.juniper.net/techpubs/ to download the appropriate documentation.

Documentation

2. Install Infranet Controller hardware and perform the basic setup using the serial

console. See the Juniper Networks Unified Access Control Installation Guide.

3. License the Infranet Controller and verify user accessibility. Follow the initial

configurationTask Guide instructions embedded in the Infranet ControllerWebconsole.

4. Configure an SSL connection between the Infranet Controller appliance and your

Infranet Enforcer appliances and/or 802.1X switches. See the Juniper Networks Unified

Access Control Quick Start Guide or Part 1, “Getting Started,” of the Juniper Networks Unified Access Control Administration Guide.

NSM Installation Overview on page 8•

• NSM and Device Management Overview on page 3

• Communication Between an Infranet Controller and NSM Overview on page 3

NSM Infranet Controller Configuration Guide

NSM Installation Overview

NSM is a software application that enables you to integrate and centralize management of your Juniper Networks environment. Youneed to install two main software components to run NSM: the NSM management system and the NSM user interface (UI).

See the Network Security Manager Installation Guide for the steps to install the NSM management system on a single server or on separateservers. It also includes information on how to install and run the NSM user interface. The Network Security Manager Installation Guide is intended for IT administrators responsible for installing or upgrading NSM.

Documentation

• UAC Installation Overview on page 7

• NSM and Device Management Overview on page 3

PART 2

Integrating Infranet Controllers

•

Adding Infranet Controllers on page 11

•

Adding Infranet Controller Clusters on page 23

•

Using Templates on page 29

NSM Infranet Controller Configuration Guide

CHAPTER 3

Adding Infranet Controllers

•

Importing an Infranet Controller Device Through Not Reachable Workflow on page 11

•

Requirements for Importing an Infranet Controller into NSM Through a Reachable Workflow on page 15

•

Importing an Infranet Controller Through Reachable Workflow on page 15

•

Importing Multiple Infranet Controllers on page 16

•

Verifying Imported Device Configurations on page 19

Importing an Infranet Controller Device Through Not Reachable Workflow

You can add an Infranet Controller to your existing network using NSM and import its configurations. Using the Add Device Wizard, you can configure a connection between the management system and the physical device, and then import all device parameters, policies, objects, VPNs, and so on.

Import an Infranet Controller through Not Reachable workflow into NSM by following these procedures:

Installing and Configuring the Infranet Controller Device on page 12

Adding the Infranet Controller Device Through NSM on page 12

Configuring and Enabling the DMI Agent on the Infranet Controller Device on page 13

Confirming Connectivity and Importing the Infranet Controller Device Configuration on page 14

NSM Infranet Controller Configuration Guide

Installing and Configuring the Infranet Controller Device

Before you can add the Infranet Controller to NSM, you must install and configure the Infranet Controller device to have logon credentials for an NSM administrator.

To install and configure the Infranet Controller:

1. Select System > Network > Overview on the device’s admin console and ensure that

basic connection information such as the following are configured on the Infranet Controller.

•

Network interface settings

•

DNS settings

•

Password

2. Select Authentication > Auth Servers and enter the username and password of the

NSM administrator in the applicable authentication server.

NOTE: Only password-based authentication servers can be used. One-time

password authentication is not supported.

3. Select Administrators > Admin Roles and create a DMI agent role.

4. Select Administrators > Admin Realms and create a DMI agent administrator realm

for the DMI agent on the device and use role mapping to associate the DMI agent role and realm.

NOTE: Ensure that the Host Checker, browser, and certificate restrictions

are not applied for the DMI agent role or realms.

For complete details on installing and configuring Infranet Controller devices, see the Juniper Networks Unified Access Control Administration Guide.

Adding the Infranet Controller Device Through NSM

To add the Infranet Controller device through the NSM UI:

1. From the left pane of the NSM UI, click Configure.

2. Expand Device Manager and select Devices. The Devices workspace appears on the

right side of the screen.

3. Click the Device Tree tab, click the New button, and select Device. The New-Device

dialog box appears.

4. Select Device is Not Reachable and click Next.

5. Enter the device name, and select the required color, OS name (IC), platform, and

managed OS version from the drop-down lists.

+ 212 hidden pages

Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INFRANET CONTROLLER GUIDE REV 01 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual