Juniper Identity Management Service (JIMS) has the following features:
Support for identity-based security policies on SRX Series devices—Juniper Identity Management Service enables you to filter traffic on SRX Series devices based on user identity information such as usernames and user groups in addition to IP addresses. The service provides IP address-to-username-to-group mapping information to the SRX Series devices, which use the mapping information to generate entries for their authentication tables that you can use to enforce user-based and group-based security policy control.
On SRX Series devices, user groups are known as user roles.
Centralized user identity data collection—Juniper Identity Management Service provides a scalable service that can take over user identity data collection from Microsoft Active Directories, domain controllers, and Exchange servers, serving as a single, centralized data collection source for all SRX Series devices in your network.
For example, Juniper Identity Management Service can replace the connections from individual SRX Series devices to multiple Microsoft Active Directory domain controllers with a single connection from the service to each domain controller, eliminating scaling limitations.
Data collection from event log sources—Juniper Identity Management Service connects to event log sources to collect user and device status events and provide IP address-to-username mappings to the SRX Series devices. For user login events, it collects the domain name and username. For device login events, it collects the domain name and machine name.
An event log source can be a Microsoft Active Directory domain controller or a Microsoft Exchange server.
Data collection from user information sources—Juniper Identity Management Service connects to user information sources to collect group information for users and their devices and provide username-to-group mappings to the SRX Series devices. The service queries each user information source for its supported domains and selects a source by domain when it needs to initiate user or device information queries. It queries the appropriate user information source each time it receives a login event for a user. Microsoft Active Directories are used as user information sources for Juniper Identity Management Service.
Domain PC probing—Domain PC probing acts as a supplement to event log reading. When a user logs into a domain, the event log contains that information. When there is no IP address-to-username mapping from the event log, Juniper Identity Management Service initiates a domain PC probe to the device to get the username and domain of the currently active user. Domain PC probes are also used to determine a device’s status after its logged-in state has expired.
Domain PC probing works on Microsoft Windows endpoints only.
User identity information reporting—Juniper Identity Management Service generates reports that contain records of the IP address, username, and group relationship information collected from the user identity data sources.
The service also generates reports for device-only sessions without sending the username in the report when the username is not available. SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release can enforce security policies based on device authentication as well as on user authentication.
SRX Series device query support—Juniper Identity Management Service responds to queries from SRX Series devices with the corresponding IP addresses, usernames, and device names. The service also responds to individual IP address queries with the corresponding usernames and device names.
For SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release, batch queries from individual SRX Series devices can filter information based on a combination of timestamp, domain, and IP address. When SRX Series devices miss data for an existing flow, they can engage a captive portal to get the username. Once the user is authenticated by the captive portal, the SRX Series devices can issue an additional query to Juniper Identity Management Service, specifying the username and IP address to obtain the corresponding group information.
Server certificates for authentication with SRX Series devices—Juniper Identity Management Service enables you to select automatically generated server certificates or import previously configured certificates for server authentication with the SRX Series devices in your network. Specifying a server certificate enables the JIMS server to authenticate with SRX Series devices before communicating with them.
System-level IP address and user group filtering—Juniper Identity Management Service enables you to specify IP address ranges to include in or exclude from the reports sent to the SRX Series devices. You can also specify Active Directory user groups to include in the reports. These filters are applied to all the SRX Series devices in your network.
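The pipeline described in the data-collection, query-support and filtering features above (event-log events giving IP-to-username mappings, a user-information source selected by domain giving username-to-group mappings, system-level IP range and group filters, and batch or username-plus-IP queries from an SRX Series device) can be modelled end to end in a few functions. The following Python is an added illustration, not JIMS code and not its wire format: the event records, the group directory, the IP ranges and the reading of the group filter as "keep only the listed groups in each entry" are all constructed assumptions for the example.

```python
"""Assemble identity-table entries from constructed event-log and user-information data,
apply system-level IP range and group filters, and answer filtered queries (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# Constructed sample data (not real JIMS records). A user login event carries domain and
# username; a device login event carries domain and machine name, with no username.
EVENTS: List[Dict] = [
    {"ts": 100, "ip": "10.1.1.10", "domain": "corp.example", "user": "alice", "device": "WS-ALICE"},
    {"ts": 120, "ip": "10.1.1.11", "domain": "corp.example", "user": None, "device": "WS-KIOSK"},
    {"ts": 130, "ip": "10.9.9.5", "domain": "corp.example", "user": "bob", "device": "WS-BOB"},
    {"ts": 140, "ip": "10.1.2.20", "domain": "lab.example", "user": "carol", "device": "WS-CAROL"},
]

# Constructed user-information sources, keyed by the domain each one serves.
INFO_SOURCES: Dict[str, Dict[str, List[str]]] = {
    "corp.example": {"alice": ["finance", "vpn-users"], "bob": ["engineering"]},
    "lab.example": {"carol": ["lab-admins", "vpn-users"]},
}


def lookup_groups(domain: str, user: str) -> List[str]:
    """Select the user-information source by domain and return the user's groups."""
    return list(INFO_SOURCES.get(domain, {}).get(user, []))


def in_scope(ip: str, include: Iterable[str], exclude: Iterable[str]) -> bool:
    """System-level IP filter: an address must fall inside an include range (when any are
    configured) and must not fall inside any exclude range."""
    addr = ip_address(ip)
    include_nets = [ip_network(n) for n in include]
    exclude_nets = [ip_network(n) for n in exclude]
    if include_nets and not any(addr in net for net in include_nets):
        return False
    return not any(addr in net for net in exclude_nets)


def build_table(events: List[Dict], include_ranges: Iterable[str] = (),
                exclude_ranges: Iterable[str] = (), include_groups=frozenset()) -> List[Dict]:
    """Produce IP-to-username-to-group entries. Device-only sessions are reported without a
    username. The group filter keeps only the listed groups in each entry (this example's
    reading of "groups to include in the reports")."""
    table = []
    for ev in events:
        if not in_scope(ev["ip"], include_ranges, exclude_ranges):
            continue
        groups = lookup_groups(ev["domain"], ev["user"]) if ev["user"] else []
        if include_groups:
            groups = [g for g in groups if g in include_groups]
        table.append({"ts": ev["ts"], "ip": ev["ip"], "domain": ev["domain"],
                      "user": ev["user"], "device": ev["device"], "groups": groups})
    return table


def batch_query(table: List[Dict], since: Optional[int] = None,
                domain: Optional[str] = None, ip: Optional[str] = None) -> List[Dict]:
    """Batch query filtered by any combination of timestamp, domain and IP address."""
    out = []
    for entry in table:
        if since is not None and entry["ts"] < since:
            continue
        if domain is not None and entry["domain"] != domain:
            continue
        if ip is not None and entry["ip"] != ip:
            continue
        out.append(entry)
    return out


def user_ip_query(domain: str, user: str, ip: str) -> Dict:
    """Follow-up query after a captive portal has supplied the username: return the group
    information for that username and IP address."""
    return {"ip": ip, "user": user, "groups": lookup_groups(domain, user)}


if __name__ == "__main__":
    table = build_table(EVENTS, ["10.1.0.0/16"], ["10.1.2.0/24"], {"finance", "vpn-users"})
    for entry in table:
        print(entry)
    print(batch_query(table, since=110))
```

With the sample filters, bob's entry is dropped because 10.9.9.5 is outside the include range and carol's because 10.1.2.20 sits in the exclude range; the kiosk appears as a device-only entry with no username, which is what the device-authentication reporting feature describes.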
Connected network device monitoring—You can monitor the status of the network devices connected to the JIMS server, including:
SRX Series devices
Event log sources, which can be Microsoft Active Directory domain controllers or Exchange servers
User information sources, which can be Microsoft Active Directories
Domain PC probes to user devices
System logging—For troubleshooting purposes, Juniper Identity Management Service is installed with a default log called jims_yyyymmdd_nnnnn.log, which is stored in \Program Files (x86)\Juniper Networks\Juniper Identity Management Service\logs. For example, a default log can be called: jims_20170707_00000. The log includes the following event types:
System—Configuration, administration, and system-level events
Client—HTTPS/HTTP GET requests from and HTTPS/HTTP POST submissions to the SRX Series devices
Event source—User and device login events per Active Directory domain controller and Exchange server
Info source—Active Directory events
PC probe—PC probe requests per set of administrative credentials
Sessions—Internal session finite state machine (FSM) transitions and internal cache events for domains, sessions, users, devices, and groups
Logging levels for each component can be set to:
Error—Critical events affecting the entire system
Warning—Unexpected per-transaction events
Standard—Minimal logging for a concise view of transaction flows
Detail—Detailed logging for a broader view of transaction flows
Debug—Most detailed logging level for troubleshooting
Each logging level includes events from the previous levels.
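The per-component level setting and the rule that each level includes the events of the levels before it amount to an ordinal comparison per component. The following Python is an added example, not part of JIMS: the (component, level, message) triples are a constructed shape rather than the real log file format, and the "Standard" default for unconfigured components is this example's own choice, not a documented default.

```python
"""Per-component logging-level filter reproducing the inclusion rule above (added example)."""
from typing import Dict, List, Tuple

# Levels in the order given on the page; each level includes events from the ones before it.
LEVELS = ["Error", "Warning", "Standard", "Detail", "Debug"]
COMPONENTS = ["System", "Client", "Event source", "Info source", "PC probe", "Sessions"]

Event = Tuple[str, str, str]  # (component, level, message); constructed shape


def emitted(configured: str, event_level: str) -> bool:
    """True when an event at event_level is written under the configured level."""
    return LEVELS.index(event_level) <= LEVELS.index(configured)


def filter_events(events: List[Event], config: Dict[str, str]) -> List[Event]:
    """Keep the events each component would write under its configured level.
    Components absent from config fall back to "Standard" (example's own default)."""
    kept = []
    for component, level, message in events:
        if component not in COMPONENTS or level not in LEVELS:
            raise ValueError(f"unknown component or level: {component}/{level}")
        if emitted(config.get(component, "Standard"), level):
            kept.append((component, level, message))
    return kept


# Constructed sample events, one per line of interest.
SAMPLE_EVENTS: List[Event] = [
    ("Client", "Debug", "HTTPS GET from 192.0.2.10 for batch query"),
    ("Sessions", "Warning", "session FSM transition retried"),
    ("Sessions", "Error", "session cache inconsistent"),
    ("PC probe", "Detail", "probe of 10.1.1.11 completed"),
    ("System", "Standard", "configuration reloaded"),
]
CONFIG = {"Client": "Debug", "Sessions": "Error"}

if __name__ == "__main__":
    for component, level, message in filter_events(SAMPLE_EVENTS, CONFIG):
        print(f"[{component}] {level}: {message}")
```

Under the sample configuration the Client component at Debug keeps everything, Sessions at Error drops its Warning, and PC probe at the example's Standard default drops its Detail event.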
High availability—JIMS servers can be configured in a primary and secondary server configuration on SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release. The SRX Series devices send HTTPS queries to the primary JIMS server and fall back to the secondary server when queries to the primary server fail. The SRX Series devices probe the primary server and revert to it when it becomes available again.
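The failover behaviour just described (query the primary, fall back to the secondary on failure, probe the primary and revert once it answers) is a small client-side state machine. The Python below is an added example that simulates it with an in-memory fake of both servers; it is not Juniper code, the hostnames are constructed, and the HTTPS transport and probe are stand-ins for whatever the SRX Series device actually sends.

```python
"""SRX-side primary/secondary query client with fallback and revert (added example)."""
from typing import Callable, Dict, List

PRIMARY = "jims-primary.example"      # constructed hostnames, not real deployments
SECONDARY = "jims-secondary.example"


class HaQueryClient:
    """Tracks which JIMS server is active. Queries go to the active server; a failure on
    the primary switches to the secondary, and each later query first probes the primary
    and reverts to it when the probe succeeds."""

    def __init__(self, primary: str, secondary: str,
                 send: Callable[[str, Dict], Dict], probe: Callable[[str], bool]):
        self.primary, self.secondary = primary, secondary
        self.send, self.probe = send, probe
        self.active = primary
        self.history: List[str] = []   # server that answered each query, for inspection

    def query(self, request: Dict) -> Dict:
        if self.active == self.secondary and self.probe(self.primary):
            self.active = self.primary          # primary is back: revert to it
        try:
            result = self.send(self.active, request)
        except ConnectionError:
            if self.active != self.primary:
                raise                           # secondary failed too: nothing to fall back to
            self.active = self.secondary        # primary failed: fall back
            result = self.send(self.secondary, request)
        self.history.append(self.active)
        return result


class FakeServers:
    """In-memory stand-in for two JIMS servers whose availability can be toggled."""

    def __init__(self):
        self.up = {PRIMARY: True, SECONDARY: True}

    def send(self, server: str, request: Dict) -> Dict:
        if not self.up[server]:
            raise ConnectionError(server)
        # Constructed answer: a fixed IP-to-username mapping.
        return {"server": server, "ip": request["ip"], "user": "alice"}

    def probe(self, server: str) -> bool:
        return self.up[server]


def simulate() -> List[str]:
    """Drive one outage of the primary and return which server answered each query."""
    servers = FakeServers()
    client = HaQueryClient(PRIMARY, SECONDARY, servers.send, servers.probe)
    client.query({"ip": "10.1.1.10"})          # primary answers
    servers.up[PRIMARY] = False
    client.query({"ip": "10.1.1.10"})          # primary fails, falls back to secondary
    client.query({"ip": "10.1.1.10"})          # probe of primary fails, stays on secondary
    servers.up[PRIMARY] = True
    client.query({"ip": "10.1.1.10"})          # probe succeeds, reverts to primary
    return client.history


if __name__ == "__main__":
    print(simulate())
```

Probing before every query, as in this simulation, is a simplification chosen to keep the example deterministic; the page states only that the device probes the primary and reverts when it is available again, not how often.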
OpenSSL release 1.0.2n—With JIMS Release 1.0.2, the JIMS server now utilizes release 1.0.2n of the OpenSSL toolkit.