Virtual private network (VPN) tunnels enable users
to securely access assets such as e-mail servers and application servers
that reside behind a firewall. End-to-site VPN tunnels are particularly
helpful to remote users such as telecommuters because a single tunnel
enables access to all of the resources on a network—the users
do not need to configure individual access settings to each application
and server.
Figure 69: Using a VPN Tunnel to Enable Remote Access to a Corporate
Network
The dynamic VPN feature further simplifies remote access by
enabling users to establish Internet Protocol Security (IPsec) VPN
tunnels without having to manually configure VPN settings on their
PCs or laptops. Instead, authenticated users can simply download the
Access Manager Web client to their computers. This Layer 3 remote
access client uses client-side configuration settings that it receives
from the server to create and manage a secure end-to-site VPN tunnel
to the server.
From the user’s perspective, creating a secure VPN tunnel
is very simple. The first time a user needs to establish a VPN tunnel,
they simply navigate to https://<serverhost>/dynamic-vpn and enter their username and password in the login
page that appears. Assuming that the user authenticates successfully
and has administrator privileges, the Juniper Networks device (also
called the Remote Access Server) installs Access Manager on the user’s
computer and provides a VPN configuration that is specific to the
user. The Access Manager client provides the user with a simple GUI
for launching the client configuration; the client configuration does
all the work of establishing and negotiating the IPsec VPN tunnel
for the user. Once installed, Access Manager and the client configuration
are available for future IPsec VPN sessions.
The following sections describe how the Remote Access Server,
Access Manager, and the client configuration work together to make
the user experience simple:
Connecting to the Remote Access Server for the First Time (Pre-IKE
Phase)
In order to establish a secure VPN tunnel from the user’s
computer to the Remote Access Server, the user must first authenticate
into the server and download the client-side files as follows:
The user accesses the server’s
URL. The user navigates to the https://<serverhost>/dynamic-vpn URL through a Web browser.
This URL directs the user to the dynamic VPN login page on the Remote
Access Server.
The user signs into the server. The user enters the appropriate username and password into the login
page, and the Remote Access Server sends them to the authentication
server for validation.
The server retrieves a client configuration. Once the server determines that the user has successfully authenticated,
the server determines which client configuration to use when creating
a secure VPN tunnel. The configuration includes an IKE ID for the
user (such as johndoe.yourcompany.com), a Phase 1 security
key, and a generated token to establish eligibility for future client
downloads.
The server downloads the setup client
to the user’s computer. The server downloads the
setup client (along with the client version information, client initialization
parameters, and client VPN configuration parameters) to the user’s
computer:
If the user is using Internet Explorer with ActiveX enabled,
the Remote Access Server downloads an ActiveX setup client to the
user’s computer.
Otherwise, if the user is using a Web browser with Java
enabled, the Remote Access Server downloads a Java setup client to
the user’s computer.
If the user does not have ActiveX or Java enabled, the
server presents a download page to the user, enabling the user to
manually download the setup client.
The setup client checks that
the user has administrator privileges. Once the server
has successfully downloaded the setup client to the user’s computer,
the setup client checks that the user has the proper rights to install
a new client. (Administrator privileges are required to install
the client, not to upgrade it.)
The setup client installs Access Manager. The setup client installs Access Manager on the user’s computer.
The user will be prompted to restart the computer to finish the installation.
Once the Access Manager client is successfully launched, the
user can initiate a secure VPN connection to the Remote Access Server
from Access Manager. For more information, see Establishing an IPsec VPN Tunnel (IKE Phase).
You can also download the latest version of the Access
Manager client from the Juniper Networks Support site.
The user can connect to the Remote Access Server and initiate
a client download before you have finished configuring the dynamic
VPN feature. In this case, the user can still authenticate into the
server, but will not be able to establish a secure VPN tunnel.
Connecting to the Remote Access Server for Subsequent Sessions
(Pre-IKE Phase)
If the user has already downloaded Access Manager, the process
for signing into the Remote Access Server for subsequent sessions
is as follows:
The user accesses the server. The user launches the Access Manager client that is preinstalled
on the computer (recommended). Alternatively, the user can access
the server through the dynamic VPN URL (https://<serverhost>/dynamic-vpn). If the user chooses to use this method, however,
the server downloads Access Manager to the user’s desktop—even
if the client already exists. As part of this process, the Remote
Access Server prompts the user for a username and password, checks
that the user has the proper install privileges, generates a new connection
token, and downloads the setup client, as explained in Connecting to the Remote Access Server for the First Time (Pre-IKE
Phase).
The client determines if an upgrade
is required. The client compares the client configuration
version installed on the user’s computer with the version available
on the server. If a more recent version is available, the client either
automatically upgrades the client software (if you have enabled
the Force Upgrade option) or gives the user the option of upgrading
(if you have not enabled the Force Upgrade option).
The user can initiate a secure VPN connection to the Remote
Access Server from Access Manager once it is successfully launched.
For more information, see Establishing an IPsec VPN Tunnel (IKE Phase).
Establishing an IPsec VPN Tunnel (IKE Phase)
Once Access Manager is installed, the user can use it to initiate
a secure VPN tunnel to the Remote Access Server as follows:
The user launches Access Manager. The user can launch Access Manager by using either of the following
methods:
Choose All Programs>Juniper Networks>Access
Manager from the Windows Start menu.
Select the Access Manager icon in the system tray at the
lower right corner of the Windows screen.
When the user launches the client, the Access Manager
dialog box appears.
The user creates a connection to the server, if
necessary. If no connections are available in the Access
Manager dialog box, the user must specify a connection server:
From the File menu, choose Setup Connection.
In the New Connection dialog box that appears, enter the
hostname of the Remote Access Server and the appropriate username.
Click OK. The specified connection
appears in the Access Manager dialog box.
The user starts the connection. In
the Access Manager dialog box, the user selects which server connection
to initiate by using one of the following methods:
Select one of the connections, right-click, and choose Connect.
Select one of the connections, and from the File menu,
choose Start Connection.
The server checks for a valid
license. When the user initiates a connection to a Remote
Access Server, the server checks that a seat license is currently
available for the user’s session.
The user signs into the server. The user enters the appropriate username and password into the login
page, and the Remote Access Server sends them to the authentication
server for validation.
Note:
The username and password entered here are used to validate
the user’s eligibility to establish the VPN session. These credentials
are separate from those used to validate the user’s eligibility
to download the client (as explained in Connecting to the Remote Access Server for the First Time (Pre-IKE
Phase)).
The client initiates the VPN session. Once the user has successfully authenticated, the client uses its
preshared key to authenticate the IKE exchange with the Remote Access Server. (The client
received this key as part of the initial client configuration download;
the key itself is never sent over the network, each side instead proves
that it holds the key.) The
client and server use an AutoKey IKE exchange to create security associations
(SAs) and establish a secure VPN tunnel (as explained in Internet Protocol Security (IPsec)).
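The IKE Phase 1 authentication described above, worked through as an added example (this is not Juniper code and does not come from this page): both sides derive SKEYID from the preshared key and the exchanged nonces and prove possession of it with HASH_I and HASH_R as RFC 2409 defines them, so the key never crosses the wire. All protocol values (cookies, nonces, Diffie-Hellman values, SA body, the IKE IDs, the per-user key) are constructed here, and HMAC-SHA1 is assumed as the prf. The last function shows the caveat a practitioner should keep in mind: when HASH_R travels unencrypted, as it does in IKEv1 aggressive mode, anyone who captured the exchange can test guesses offline, which is why the per-user Phase 1 key the server generates must be high-entropy rather than a memorable password.

```python
"""IKEv1 preshared-key authentication (RFC 2409, section 5.4) worked
through on constructed data.  Both peers derive SKEYID from the PSK and
the exchanged nonces, then prove knowledge of it with HASH_I / HASH_R;
the PSK itself is never transmitted."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for a SHA-1 proposal: HMAC-SHA1 (RFC 2409, section 5)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class Phase1Exchange:
    """Values both peers see (and an eavesdropper sees when they are sent
    unencrypted, as in aggressive mode).  All constructed for this example."""
    cky_i: bytes   # initiator cookie, CKY-I
    cky_r: bytes   # responder cookie, CKY-R
    ni: bytes      # initiator nonce, Ni_b
    nr: bytes      # responder nonce, Nr_b
    g_xi: bytes    # initiator Diffie-Hellman public value
    g_xr: bytes    # responder Diffie-Hellman public value
    sa_i: bytes    # body of the initiator's SA payload, SAi_b
    id_i: bytes    # body of the initiator's ID payload, IDii_b (the user's IKE ID)
    id_r: bytes    # body of the responder's ID payload, IDir_b


def skeyid(psk: bytes, x: Phase1Exchange) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the root of all Phase 1 keys."""
    return prf(psk, x.ni + x.nr)


def derive_keys(psk: bytes, x: Phase1Exchange, g_xy: bytes) -> dict:
    """SKEYID_d/_a/_e per RFC 2409; g_xy is the Diffie-Hellman shared secret."""
    k = skeyid(psk, x)
    d = prf(k, g_xy + x.cky_i + x.cky_r + b"\x00")      # keying material for IPsec SAs
    a = prf(k, d + g_xy + x.cky_i + x.cky_r + b"\x01")  # authenticates later IKE messages
    e = prf(k, a + g_xy + x.cky_i + x.cky_r + b"\x02")  # encrypts later IKE messages
    return {"SKEYID": k, "SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}


def hash_i(psk: bytes, x: Phase1Exchange) -> bytes:
    """HASH_I, the initiator's proof that it holds the PSK."""
    return prf(skeyid(psk, x), x.g_xi + x.g_xr + x.cky_i + x.cky_r + x.sa_i + x.id_i)


def hash_r(psk: bytes, x: Phase1Exchange) -> bytes:
    """HASH_R, the responder's proof that it holds the PSK."""
    return prf(skeyid(psk, x), x.g_xr + x.g_xi + x.cky_r + x.cky_i + x.sa_i + x.id_r)


def peer_verifies(local_psk: bytes, x: Phase1Exchange, received: bytes,
                  from_initiator: bool) -> bool:
    """What each side does with the hash it receives: recompute and compare."""
    expected = hash_i(local_psk, x) if from_initiator else hash_r(local_psk, x)
    return hmac.compare_digest(expected, received)


def crack_psk_offline(candidates: Iterable[bytes], x: Phase1Exchange,
                      observed_hash_r: bytes) -> Optional[bytes]:
    """An eavesdropper who captured an unencrypted HASH_R (aggressive mode)
    needs no further interaction: every guess is checked against the capture."""
    for guess in candidates:
        if hmac.compare_digest(hash_r(guess, x), observed_hash_r):
            return guess
    return None


# ---- constructed sample data (NOT a real capture) ---------------------------
def _c(label: str, n: int) -> bytes:
    """Deterministic stand-in for random protocol bytes."""
    return hashlib.sha256(label.encode()).digest()[:n]

EXCHANGE = Phase1Exchange(
    cky_i=_c("cky-i", 8), cky_r=_c("cky-r", 8),
    ni=_c("ni", 20), nr=_c("nr", 20),
    g_xi=_c("g^xi", 128), g_xr=_c("g^xr", 128),
    sa_i=_c("SAi_b", 40),
    id_i=b"johndoe.yourcompany.com",   # user-specific IKE ID from the client configuration
    id_r=b"vpn.yourcompany.com",       # assumed responder identity
)
G_XY = _c("g^xy shared secret", 128)         # stands in for the DH result
CLIENT_PSK = _c("per-user phase 1 key", 32)  # a high-entropy server-generated key
WEAK_PSK = b"Summer2010"                     # what a guessable key looks like


def demo() -> bool:
    """Mutual authentication succeeds only when both sides hold the same key."""
    ok = peer_verifies(CLIENT_PSK, EXCHANGE, hash_i(CLIENT_PSK, EXCHANGE), True)
    ok = ok and peer_verifies(CLIENT_PSK, EXCHANGE, hash_r(CLIENT_PSK, EXCHANGE), False)
    ok = ok and not peer_verifies(b"not-the-key", EXCHANGE, hash_i(CLIENT_PSK, EXCHANGE), True)
    return ok


if __name__ == "__main__":
    wordlist = [b"password", b"letmein", b"Summer2010"]
    print("mutual authentication:", demo())
    print("weak key recovered offline:",
          crack_psk_offline(wordlist, EXCHANGE, hash_r(WEAK_PSK, EXCHANGE)))
    print("strong key recovered offline:",
          crack_psk_offline(wordlist, EXCHANGE, hash_r(CLIENT_PSK, EXCHANGE)))
```

Run as a script it reports that mutual authentication succeeds with matching keys, that the guessable key is recovered from the captured HASH_R, and that the server-generated key is not. The same HASH_R that lets the client verify the server is what an eavesdropper tests guesses against, so the strength of the Phase 1 key is the only thing standing between a captured exchange and a recovered key.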
Figure 76: Access Manager System Tray Icon
Figure 77: Access Manager Dialog Box
Figure 78: Creating a Firewall Connection in Access Manager
Figure 79: Starting a Firewall Connection in Access Manager
Figure 80: Successful Firewall Connection in Access Manager