
Configuring the SRX Series and J Series Devices as a JUNOS Enforcer

To configure an SRX Series or J Series device to act as a JUNOS Enforcer in a Unified Access Control (UAC) deployment, you must specify an Infranet Controller to which the SRX Series or J Series device should connect.

Before You Begin

  1. For background information, read Unified Access Control Overview.
  2. Enable UAC through the relevant JUNOS security policies. See Enabling Unified Access Control on SRX Series and J Series Devices.
  3. (Optional) Import the Infranet Controller’s server certificate onto the SRX Series or J Series device and create a profile for the certificate authority (CA) that signed the certificate. See Using Digital Certificates for background information and Loading CA and Local Certificates Manually for instructions.
  4. Configure user authentication and authorization by setting up user roles, authentication and authorization servers, and authentication realms on the Infranet Controller. For more information, see the Unified Access Control Administration Guide.
  5. Configure resource access policies on the Infranet Controller to specify which endpoints are allowed or denied access to protected resources. For more information, see the Unified Access Control Administration Guide.

This topic covers:

CLI Configuration

To configure an SRX Series or J Series device to act as a JUNOS Enforcer:

  1. Specify the Infranet Controller(s) to which the SRX Series or J Series device should connect:

    Note: When configuring access to multiple Infranet Controllers, you must define each separately. For example:

    edit services unified-access-control infranet-controller IC1
    edit services unified-access-control infranet-controller IC2
    edit services unified-access-control infranet-controller IC3
    edit services unified-access-control infranet-controller IC1 address 10.10.10.01
    edit services unified-access-control infranet-controller IC2 address 10.10.10.02
    edit services unified-access-control infranet-controller IC3 address 10.10.10.03

    Make sure that all of the Infranet Controllers are members of the same cluster.

  2. Specify the Infranet Controller port to which the SRX Series or J Series device should connect:
    edit services unified-access-control infranet-controller hostname port port
  3. Specify the JUNOS interface to which the Infranet Controller should connect:
    edit services unified-access-control infranet-controller hostname interface interface-name
  4. Specify the password that the SRX Series or J Series device should use to initiate secure communications with the Infranet Controller:
    edit services unified-access-control infranet-controller hostname password password
  5. (Optional) Specify information about the certificate that the device should use for SSL communications with the Infranet Controller:
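
One way to check steps 1 through 4 against a device's configuration, as an added example (not Juniper's code): the script reads set-style statements, such as the output of `show configuration | display set`, and reports Infranet Controllers that lack an address, port, interface or password, plus any address assigned to more than one controller. The function names and all sample values are constructed for illustration.

```python
import re

# Attributes that steps 1-4 set for every Infranet Controller.
REQUIRED = ("address", "port", "interface", "password")

# Matches set-style (or the page's edit-style) infranet-controller statements.
STMT = re.compile(
    r"^\s*(?:set|edit)\s+services\s+unified-access-control\s+"
    r"infranet-controller\s+(\S+)(?:\s+(\S+)(?:\s+(.+?))?)?\s*$"
)

def parse_controllers(config_text):
    """Collect {controller name: {attribute: value}} from the config text."""
    controllers = {}
    for line in config_text.splitlines():
        m = STMT.match(line)
        if m:
            name, attr, value = m.groups()
            attrs = controllers.setdefault(name, {})
            if attr:
                attrs[attr] = value
    return controllers

def audit(config_text):
    """Return (missing, shared): incomplete controllers and reused addresses."""
    controllers = parse_controllers(config_text)
    missing, by_address = {}, {}
    for name, attrs in controllers.items():
        gaps = [a for a in REQUIRED if a not in attrs]
        if gaps:
            missing[name] = gaps
        if "address" in attrs:
            by_address.setdefault(attrs["address"], []).append(name)
    shared = {addr: names for addr, names in by_address.items() if len(names) > 1}
    return missing, shared

# Constructed sample input (values are illustrative, not from a real device).
SAMPLE = """\
set services unified-access-control infranet-controller IC1 address 10.10.10.1
set services unified-access-control infranet-controller IC1 port 11123
set services unified-access-control infranet-controller IC1 interface ge-0/0/0.0
set services unified-access-control infranet-controller IC1 password "$9$EXAMPLE"
set services unified-access-control infranet-controller IC2 address 10.10.10.1
set services unified-access-control infranet-controller IC2 port 11123
set services unified-access-control infranet-controller IC3
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, IC1 is complete, IC2 lacks an interface and password and reuses IC1's address, and IC3 was named but never given any attributes.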
