Configuring SRX Series Device Transport Settings
Configuring SRX Series device transport settings is supported in Juniper Identity Management Service Release 1.1 and later.
In the SRX Client Query Configuration section of the Settings > General tab, you can configure the following SRX Series device transport settings to communicate with the JIMS server:
Server certificate for the JIMS server’s HTTPS server, used to authenticate the JIMS server to SRX Series devices and to protect the data transfer. You can specify either an automatically generated server certificate or a previously configured certificate. You configure one server certificate for all SRX Series devices in your network. Each SRX Series device uses this certificate when it establishes its TLS connection, so that the data exchanged between the SRX Series device and the JIMS server is encrypted.
The server certificate needs to be installed in the following location:
Certificates (Local Computer) / Personal / Certificates.
You must also configure a client certificate on the SRX Series devices.
Transport Layer Security (TLS) HTTPS port used by the JIMS server to communicate with SRX Series devices. TLS ensures that the traffic is encrypted between the JIMS server and the SRX Series devices. By default, the HTTPS port is 443.
The JIMS server communicates with SRX Series devices over TCP sockets, so the TCP ports it uses must be allowed through Windows Firewall. During installation, the installer script adds firewall rules for the default ports. If you subsequently change the ports, you must update the firewall configuration to allow inbound TCP connections on the new ports.
You can optionally enable the Debug (HTTP) port, which is disabled by default, so that packet traces can be captured to diagnose communication issues between the SRX Series devices and the JIMS server. Because HTTP traffic is not encrypted, enable this port only while troubleshooting. By default, the Debug port is 8082.
Before you begin, note the following JIMS-SRX Series device transport configuration considerations:
If using a previously created server certificate, you must import the certificate to the JIMS server using the Microsoft Management Console (mmc) application with the Certificates snap-in. If you import a server certificate, be sure to use the local computer certificate store.
All SRX Series devices connected to a JIMS server must match the port configuration specified in the SRX Client Query Configuration section of the General tab to communicate with the JIMS server. Use the show configuration services user-identification command to confirm the SRX Series device configuration settings.
Multiple services running on the same Windows Server instance cannot use the same port numbers. If you are unsure which port to select, run the netstat command from the Windows Command Prompt to determine whether there is a conflict. The same command can also verify that the JIMS server is listening on those ports.
For SRX Series devices running Junos OS Release 18.3R1 or later, the JIMS server supports IPv6 connectivity between the JIMS server and SRX Series devices. By default, the JIMS server listens on the specified port for incoming IPv4 connections from SRX Series devices. Click the Advanced button to configure IPv6-only or dual-stack (IPv4 and IPv6) connections between the JIMS server and the SRX Series devices.
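The port-conflict and firewall checks described above can be scripted. The following PowerShell script is an added example, not part of the JIMS documentation or product: run it in an elevated PowerShell prompt on the JIMS server to see which process owns the TLS (HTTPS) port and, if enabled, the Debug (HTTP) port, and whether Windows Firewall has an enabled inbound Allow rule for each. The JIMS process name passed in JimsProcessName is an assumption; check Get-Process on your server and adjust it.

```powershell
# Added example (not JIMS code): verify that the TLS and optional Debug ports
# chosen in SRX Client Query Configuration are free of conflicts and are
# allowed inbound by Windows Firewall. Run in an elevated PowerShell prompt
# on the JIMS server. $JimsProcessName is an assumption; adjust it.

param(
    [int]$TlsPort   = 443,
    [int]$DebugPort = 0,               # 0 = Debug (HTTP) port disabled
    [string]$JimsProcessName = 'jims'  # assumption; compare with Get-Process
)

function Test-JimsPort {
    param([int]$Port, [string]$Label)

    # Who is listening on this port? Same information as "netstat -ano | findstr :<port>".
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Warning "$Label port $Port : nothing is listening. JIMS may be stopped or configured for a different port."
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { "pid $($l.OwningProcess)" }
        # LocalAddress 0.0.0.0 = IPv4 only, :: = IPv6 (or dual-stack), a specific
        # address = the Address restriction from the Advanced page.
        if ($name -like "*$JimsProcessName*") {
            Write-Host "$Label port $Port : JIMS is listening on $($l.LocalAddress) (pid $($l.OwningProcess))"
        } else {
            Write-Warning "$Label port $Port : conflict, owned by '$name' (pid $($l.OwningProcess)). Choose another port or stop that service."
        }
    }

    # Is there an enabled inbound Allow rule for TCP on this port?
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    if ($rules) {
        Write-Host "$Label port $Port : allowed inbound by rule(s) $($rules.DisplayName -join ', ')"
    } else {
        Write-Warning "$Label port $Port : no enabled inbound Allow rule found. Create one, for example:"
        Write-Warning "  New-NetFirewallRule -DisplayName 'JIMS $Label $Port' -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow"
    }
}

Test-JimsPort -Port $TlsPort -Label 'TLS (HTTPS)'
if ($DebugPort -gt 0) { Test-JimsPort -Port $DebugPort -Label 'Debug (HTTP)' }
```

Run it again after changing a port in the JIMS UI: the listener check confirms that JIMS actually moved to the new port, and the firewall check tells you whether the rule the installer created still matches.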
To configure transport configuration settings for communication between the JIMS server and SRX Series devices:
- In the navigation pane, select Settings and then select the General tab.
- Click Edit.
- In the SRX Client Query Configuration section, select the automatically generated certificate or an imported certificate from the Certificate drop-down list.
- To modify the TLS port used for communication with SRX Series devices, enter a value in the TLS (HTTPS) Port field. The default value for the HTTPS port is 443, the standard HTTPS port; any other value you choose must be a valid TCP port number between 1024 and 65,535, and it must match the port configured on the SRX Series devices.
- By default, the Debug (HTTP) Port is disabled. To enable it, select the check box and enter the HTTP port number that SRX Series devices use to communicate with the JIMS server. This value must be a valid TCP port number between 1024 and 65,535, and it must match the port configured on the SRX Series devices. The default value for the HTTP port is 8082.
For security reasons, we recommend that you use the HTTPS port rather than the HTTP port. HTTP is supported primarily for debugging purposes and carries the traffic unencrypted.
If you enable the Debug (HTTP) port and change the port value, ensure that the corresponding port configuration on the SRX Series devices is modified to match this setting.
- To configure a more detailed set of HTTPS and HTTP transport communication settings with SRX Series devices, including support for IPv6 connections (SRX Series devices running Junos OS Release 18.3R1 or later), click the Advanced button. The Advanced SRX Transport Configuration page appears. From this page you can configure the following advanced communication settings for the TLS (HTTPS) Transport and Debug (HTTP) Transport ports.
Port—TCP port for handling incoming TLS (HTTPS) or Debug (HTTP) connections. The default value for the HTTPS port is 443 and the default value for the HTTP port is 8082. Any other value must be a valid TCP port number between 1024 and 65,535.
Max Threads—Maximum number of simultaneous processing threads to handle requests on this port.
Connections Per Thread—Maximum number of allocated connections per thread open to the server.
Allow IPv6 Connections—Enables IPv6-only connections between the JIMS server and SRX Series devices running Junos OS Release 18.3R1 or later.
Allow Dual-Stack—Enables socket support to allow IPv4 or IPv6 connections from SRX Series devices running Junos OS Release 18.3R1 or later.
Click the Allow Dual-Stack check box only if you have clicked the Allow IPv6 Connections check box.
Address—Restricts the listener to a specific IPv6 address entered in the Address field. This address must match an IPv6 address shown in the output of the ipconfig command, run from a Windows command prompt.
Entering an IP address in the Address field is optional. By default, the JIMS server listens for all incoming IP addresses on the specified port for IPv4 or IPv6 connections, based on the settings of the Allow IPv6 Connections and Allow Dual-Stack check boxes.
For example:

Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::64ab:5dbd:f8ed:5284
   IPv4 Address. . . . . . . . . . . : 172.16.1.21
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1ab1:69ff:fe2c:5ed8
                                       172.16.1.252
Click OK to save the advanced transport configuration settings.
- Click Save to save the settings.
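After saving, it is worth confirming from the outside that the JIMS server presents the certificate you selected. The following PowerShell script is an added example, not part of the JIMS documentation or product: it opens a TLS connection to the TLS (HTTPS) port the way an SRX Series device would, reads the certificate the JIMS server presents, and checks that it is a certificate installed in Certificates (Local Computer) / Personal / Certificates (the Cert:\LocalMachine\My store) with a private key, and that it is not about to expire. The JIMS address in JimsHost and the optional ExpectedThumbprint are assumptions to replace with your own values. The script does not present a client certificate, so it checks only the server side of the handshake.

```powershell
# Added example (not JIMS code): connect to the JIMS TLS (HTTPS) port, read the
# server certificate JIMS presents, and compare it with the Local Computer
# Personal certificate store. $JimsHost and $ExpectedThumbprint are assumptions.

param(
    [string]$JimsHost = '172.16.1.21',   # JIMS server address the SRX devices point at (assumption)
    [int]$TlsPort     = 443,
    [string]$ExpectedThumbprint = ''     # optional; empty = accept any certificate found in the local store
)

function Get-JimsServerCertificate {
    param([string]$TargetHost, [int]$Port)

    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($TargetHost, $Port)
    try {
        # Accept whatever the server sends during the handshake; the real
        # validation is done explicitly against the local store below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result = [pscustomobject]@{
            Protocol   = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
        $ssl.Dispose()
        return $result
    } finally {
        $client.Dispose()
    }
}

$served = Get-JimsServerCertificate -TargetHost $JimsHost -Port $TlsPort
$served | Format-List

# Is the served certificate the one installed in Certificates (Local Computer) / Personal?
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $served.Thumbprint }
if (-not $installed) {
    Write-Warning "Served certificate $($served.Thumbprint) is not in Cert:\LocalMachine\My. Check the Certificate drop-down in SRX Client Query Configuration."
} elseif (-not $installed.HasPrivateKey) {
    Write-Warning "Certificate is in the store but has no private key; JIMS cannot serve it."
} else {
    Write-Host "Served certificate matches installed certificate '$($installed.Subject)'."
}

if ($ExpectedThumbprint) {
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    if ($served.Thumbprint -ne $expected) {
        Write-Warning "Thumbprint mismatch: expected $expected, got $($served.Thumbprint)."
    }
}

if ($served.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($served.NotAfter); SRX Series devices will stop trusting it after that date."
}
```

Run the script from another host on the network rather than only on the JIMS server itself, so that it also exercises the Windows Firewall rule for the TLS port. If the Thumbprint reported here differs from the one shown on the SRX Series device for the JIMS connection, the device is validating a different certificate than JIMS serves and the connection will fail.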