Features
The following features are new in Juniper Identity Management Service (JIMS) v1.1:
Contrail Service Orchestrator (CSO) Integration—If your network environment uses Contrail Service Orchestration (CSO), Juniper Identity Management Service supports operation with each CSO to facilitate firewall security policy decisions between the CSO platform and SRX Series devices by providing domain, group, user, and device identity information from Active Directory domains to each CSO. Juniper Identity Management Service is available as a standalone product or as an integrated identity management service from within Contrail Service Orchestration (CSO).
CSO is deployed in the cloud, and the tenant infrastructure includes the tenant premises behind a firewall and cannot directly access Microsoft Active Directory in the customer’s domain. Juniper Identity Management Service acts as the communication layer between identity servers such as Microsoft Active Directory and the CSO platform. Juniper Identity Management Service assists CSO in making policy user firewall decisions to filter traffic on SRX Series devices in a distributed deployment by providing user, device, and group identity information from the Active Directory domains to each CSO.
All communication between Juniper Identity Management Service and CSO is initiated by the JIMS server. Upon startup, or when a CSO is configured or updated, the JIMS server initiates an HTTPS connection to each fully configured CSO. The information exchange between Juniper Identity Management Service and each fully configured CSO is secure, live, and allows for a full resynchronization at any point in the data collection process.
[See Introduction and Configuring the Connection to a CSO Client.]
Templates—You can develop one or more templates in Juniper Identity Management Service:
SRX Series Device Templates—Support the grouping of client configurations to facilitate the configuration of multiple SRX Series devices.
Data Source Templates—Support the grouping of event or information source configurations to facilitate the configuration of a specific data source.
A template is a way to share common configuration attributes across items within a homogeneous collection without having to re-enter those attributes for each configuration instance: it provides default settings that an instance references when it is created.
For example, when using an SRX series device template, you can specify a username and password in a template, and assign that template across all SRX Series devices that require the same login credentials. Utilizing a template allows you to copy the configuration and only re-enter the password for the specific template.
[See Configuring SRX Series Device Templates and Configuring Data Source Templates.]
User/Device Event Filters—Event filters on the JIMS server let you define, by name, the users or devices in your network to exclude from the reports the JIMS server sends to SRX Series devices. The User/Device Event filter uses regular expression matching on the user or device name, and the JIMS server ignores any event associated with a user or device that matches a filter.
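As an added illustration of the exclusion behavior described above (not JIMS code, and not the product's actual filter implementation), the following constructed Python example applies regular-expression exclusion lists to a handful of constructed identity events and separates those that would be reported from those that would be ignored. The IdentityEvent fields, the search-anywhere semantics, and the case-insensitive matching are assumptions made for this example, not documented JIMS behavior.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityEvent:
    """One user/device identity event, as constructed for this example."""
    user: str     # account name, e.g. "jdoe"; AD computer accounts end in "$"
    device: str   # machine name the event was seen on
    ip: str       # address the event maps the user to (IPv4 or IPv6)
    domain: str   # Active Directory domain the event came from


def compile_filters(patterns):
    """Compile exclusion patterns once so a malformed regex fails loudly.

    Case-insensitive matching is an assumption: AD names are not case-sensitive.
    """
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def is_excluded(event, user_filters, device_filters):
    """An event is ignored when any filter matches its user or device name."""
    return (any(f.search(event.user) for f in user_filters)
            or any(f.search(event.device) for f in device_filters))


def apply_event_filters(events, user_patterns, device_patterns):
    """Split events into those to report to SRX devices and those to drop."""
    user_filters = compile_filters(user_patterns)
    device_filters = compile_filters(device_patterns)
    kept, dropped = [], []
    for ev in events:
        (dropped if is_excluded(ev, user_filters, device_filters) else kept).append(ev)
    return kept, dropped


# Constructed sample events; names, addresses and domain are placeholders.
SAMPLE_EVENTS = [
    IdentityEvent("jdoe", "ws-0042", "10.1.2.15", "corp.example"),
    IdentityEvent("svc_backup", "srv-bk01", "10.1.3.9", "corp.example"),   # service account
    IdentityEvent("asmith", "lab-vm07", "10.9.0.4", "corp.example"),       # lab device
    IdentityEvent("WS-0042$", "ws-0042", "10.1.2.15", "corp.example"),     # machine account
    IdentityEvent("bjones", "ws-0100", "2001:db8::1", "corp.example"),     # IPv6 mapping
]
USER_EXCLUDES = [r"^svc_", r"\$$"]    # service accounts; computer accounts (trailing $)
DEVICE_EXCLUDES = [r"^lab-"]          # lab machines that should never drive policy

if __name__ == "__main__":
    kept, dropped = apply_event_filters(SAMPLE_EVENTS, USER_EXCLUDES, DEVICE_EXCLUDES)
    print("reported:", [(e.user, e.ip) for e in kept])
    print("ignored:", [(e.user, e.device) for e in dropped])
```

Excluding service and machine accounts this way keeps the SRX user-to-IP mapping from being overwritten by non-interactive logons on shared hosts, which is the usual reason to configure such a filter.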
Support IPv6 Reports—The JIMS server allows IPv6-related report information to pass from the JIMS server to SRX Series devices.
Note: SRX Series devices must be running the Junos OS 18.1R1 release, or a later release, to receive IPv6 reports.
Processing Events—On startup, the JIMS server now attempts to learn all groups and then all users from the user directories before processing events. If the learn procedure takes more than 90 seconds, the JIMS server begins to process events for users that have already been learned. For a domain that is still learning, an event may continue to wait up to 4 minutes for a particular user to be read before the JIMS server begins executing parallel queries in an attempt to process the event.