Juniper® Identity Management Service (JIMS) is a standalone Windows service application that collects and maintains a large database of user, device, and group information from Active Directory domains or syslog sources, enabling SRX Series Service Gateways (including the vSRX Virtual Firewall) to rapidly identify thousands of users in a large, distributed enterprise. SRX Series Service Gateways can create, manage, and refine firewall rules that are based on user identity rather than IP address, query Juniper Identity Management Service, obtain the proper user identity information, and then enforce the appropriate security policy decisions to permit or deny access to protected corporate resources and the Internet.
If your network environment uses Contrail Service Orchestration (CSO) to deploy network services in the Cloud CPE Centralized deployment model, Juniper Identity Management Service supports operation with each CSO to facilitate the handling of firewall security policy decisions between the CSO platform and SRX Series devices by providing domain, group, user, and device identity information from Active Directory domains to each CSO.
Juniper Identity Management Service has the following features:
Centralized User Identity Data Collection
Juniper Identity Management Service provides a scalable service that can take over user identity data collection from Microsoft Active Directories, domain controllers, and Exchange servers, serving as a single, centralized data collection source for SRX Series devices and CSO in your network.
For example, Juniper Identity Management Service can replace the connections from individual SRX Series devices to multiple Active Directory domain controllers with a single connection from the service to each domain controller, eliminating scaling limitations.
Starting in Juniper Identity Management Service Release 1.0, you can configure Juniper Identity Management Service to collect user identity information for up to 100 SRX Series devices.
To mitigate brute force attacks, Juniper Identity Management Service only accepts requests from known devices and limits failed login attempts. To further protect against attacks, you should implement strong security business continuity plans, limit the exploitable attack surface, and only allow trusted administrators, networks, and hosts to access Juniper Identity Management Service deployments.
Data Collection from Event Log Sources
Juniper Identity Management Service connects to event log sources to collect user and device status events and provide IP address-to-username mappings to SRX Series devices. For user login events, it collects the domain name and username. For device login events, it collects the domain name and machine name.
An event log source can be a Microsoft Active Directory domain controller or a Microsoft Exchange server. You can configure event log sources for Juniper Identity Management Service that can be a combination of Active Directory domain controllers and Exchange servers.
Starting in Juniper Identity Management Service 1.0, Juniper Identity Management Service supports up to 25 Active Directory domains.
Data Collection from User Information Sources
Juniper Identity Management Service connects to user information sources to collect group information for users and their devices and provide username-to-group mappings to SRX Series devices. The service queries each user information source for its supported domains and selects a source by domain when it needs to initiate user or device information queries. It queries the appropriate user information source each time it receives a login event for a user.
Starting in Juniper Identity Management Service Release 1.0, you can configure up to 100 Active Directories as user information sources for Juniper Identity Management Service.
Data Collection from Syslog Sources
Juniper Identity Management Service connects to syslog sources to collect event data and user information data from an event source such as a DHCP server. The number of syslog entries is limited to 200. You define the IP address and port of the remote syslog server from which the JIMS server permits connections. You configure the JIMS server to collect syslog data whenever it detects a logoff event, a logon event, or a change in value from the remote server session.
The JIMS server collects data from syslog messages containing username, groups, and/or IP address mappings, and turns those messages into entries in its cache. The JIMS server transmits this information to each SRX Series device for it to use in making policy decisions in the user firewall feature.
Support for Identity-Based Security Policies on SRX Series Devices
Juniper Identity Management Service enables you to apply policies on SRX Series devices (including the vSRX Virtual Firewall) based on user identity information such as usernames and user groups in addition to IP addresses. The service maps IP addresses to users and the associated groups (session information), and provides this information to the SRX Series devices, which use the mapping information to generate entries for their authentication tables that you can use to enforce user-based and group-based security policy control. On SRX Series devices, user groups are known as user roles.
Support for Identity-Based Security Policies on CSO
Identity-based security policies on CSO are supported in Juniper Identity Management Service Release 1.1 and later.
Juniper Identity Management Service is available as a standalone product or as an integrated identity management service from within Contrail Service Orchestration (CSO) running Release 3.3 or a later release.
CSO is deployed in the cloud, and the tenant infrastructure includes the tenant premises behind a firewall and cannot directly access Microsoft Active Directory. Juniper Identity Management Service acts as the communication layer between identity servers such as Microsoft Active Directory and the CSO platform. Juniper Identity Management Service assists CSO in defining user firewall policies to filter traffic on SRX Series devices in a distributed deployment by providing user, device, and group identity information from the Active Directory domains to each CSO.
All communication between Juniper Identity Management Service and CSO is initiated by the JIMS server. Upon startup, or configuring or updating CSO, the JIMS server initiates HTTPS connection to each fully configured CSO.
The information exchange between Juniper Identity Management Service and each fully configured CSO is secure, live, and allows for a full resynchronization at any point in the data collection process.
Templates are supported in Juniper Identity Management Service Release 1.1 and later.
You can develop one or more templates in Juniper Identity Management Service:
SRX Series Device Templates—Support the grouping of client configurations to facilitate the configuration of multiple SRX Series devices.
Data Source Templates—Support the grouping of event or information source configurations to facilitate the configuration of a specific data source.
A template is a way to share common configuration attributes across items within a homogeneous collection without having to re-enter those attributes for each configuration instance (that is, for each IP address). Templates allow configurations to share common data.
A template provides default settings that can be referenced by multiple instances. A special ID provides a single reference that is utilized by multiple configuration items within a type of collection (for example, SRX Series clients, Event Source, or Info Sources).
For example, when using an SRX series device template, you can specify a username and password in a template, and assign that template across all SRX Series devices that require the same login credentials. Utilizing a template allows you to copy the configuration and only re-enter the password for the specific template.
Domain PC Probing
Domain PC probing acts as a supplement to event log reading. When a user logs in to a domain, the event log contains that information. When there is no IP address-to-username mapping from the event log, Juniper Identity Management Service initiates a domain PC probe to the device to get the username and domain of the currently active user. Domain PC probes are also used to determine a device’s status after its logged-in state has expired.
Juniper Identity Management Service initiates a domain PC probe:
When it receives a query from an SRX Series device for a specific IP address when the user is not known.
When a user’s session or a device’s session times out after the configured session timeout period. The PC probe helps to determine a logged-in or logged-out state for the user or device.
Note the following usage considerations about domain PC probing:
Domain PC probing works on Microsoft Windows endpoints only.
Juniper Identity Management Service creates and maintains sessions for Active Directory domain controllers as well as domain PCs. This might result in the service attempting to send PC probes to the domain controllers. To avoid this behavior, add the IP addresses of the domain controllers as an excluded entry in the IP filter on Juniper Identity Management Service. See Configuring IP Address Filters for information about IP filtering.
Session Reporting to SRX Series Devices
When reporting to SRX Series devices, Juniper Identity Management Service generates reports that contain records of the IP address, username, and group relationship information collected from the user identity data sources.
Juniper Identity Management Service generates a report:
When it discovers a new user session.
When a user session is in the logged-in state and then times out waiting for user group information. In this case, the report does not contain the user group information.
When it discovers user group information for an active user session.
When the user session is in the logged-in state and times out waiting for a PC probe response or when a PC probe fails. This results in Juniper Identity Management Service determining a logged-out state for the session.
In response to individual queries for missing information with reports containing the requested information.
The service also generates reports for device-only sessions without sending the username in the report when the username is not available. For SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release, you can enforce security policies based on device authentication as well as on user authentication.
After Juniper Identity Management Service generates a report, it sends the report to the SRX Series devices and CSO in your network.
For SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release, the SRX Series devices can initiate requests for batch reports from the service. A batch report contains multiple records. Based on the information in the report, the SRX Series devices create authentication entries in their authentication tables to enforce security policy control over access to protected corporate resources and the Internet.
For SRX Series devices running Junos OS Release 12.3X48-D45 or later, the service immediately posts reports to the SRX Series devices when using the legacy Web API function (webapi).
Starting in Junos OS Release 18.1R1, SRX Series devices support IPv6 addresses associated with the source identities in security policies. If an IPv4 or IPv6 entry exists, policies matching that entry are applied to the traffic and access is either allowed or denied.
SRX Series devices search the identity management authentication table for information based on IPv6 addresses. Click the IPv6 Enabled checkbox in the JIMS Administrative Interface to generate session reports containing IPv6 addresses.
Session reports are unique per address. Therefore, a user with both an IPv4 and an IPv6 address is reported as two distinct sessions to the SRX Series device.
Prior to Junos OS Release 17.4R1, SRX Series devices only handle sessions with IPv4 addresses. Uncheck the client configuration IPv6 Enabled checkbox on the JIMS server to avoid sending sessions with IPv6 addresses.
Query Support for SRX Series Devices
Juniper Identity Management Service responds to queries from SRX Series devices with the corresponding IP addresses, usernames, and device names. The service also responds to individual IP address queries with the corresponding usernames and device names.
For SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release, batch queries from individual SRX Series devices can filter information based on a combination of timestamp, domain, and IP address. When SRX Series devices miss data for an existing flow, they can engage a captive portal to get the username. Once the user is authenticated by the captive portal, the SRX Series devices can issue an additional query to Juniper Identity Management Service, specifying the username and IP address to obtain the corresponding group information.
Reports Sent to CSO
Reports sent to CSO are supported in Juniper Identity Management Service Release 1.1 and later.
When reporting to CSO, Juniper Identity Management Service updates the CSO with a list of reports to be communicated. Juniper Identity Management Service maintains a separate list for each report type: Domains, Groups, Users, and Devices.
When the connection from Juniper Identity Management Service to CSO starts (or restarts), the JIMS server begins to transmit domain, group, user, and device reports to CSO.
CSO reports are maintained in a set of active lists for each type of report. If an item being reported changes state (for example, a user changes from enabled to disabled, or a group is deleted), then the old report is replaced with a current report that is transmitted to CSO.
Server Certificates for Authentication with SRX Series Devices
Juniper Identity Management Service enables you to select automatically generated server certificates or configure previously imported certificates for server authentication with the SRX Series devices in your network. Specifying a server certificate enables the JIMS server to authenticate with SRX Series devices before communicating with them. This certificate is used for the TLS connection from the SRX Series device to encrypt the data between the SRX and JIMS server.
The server certificate needs to be installed in the following certificate store location: Certificates (Local Computer) / Personal /
Note that the JIMS server automatically creates a self-signed root CA certificate, as well as a certificate issued by that root CA in the above location, which is used by default. If that certificate expires, it can be deleted; this triggers the JIMS server to recreate it when the JIMS service is restarted.
The certificate configuration is found on the JIMS Administrative Interface at Settings > General > SRX Client Query Configuration. However, it is not recommended that this be changed unless you really understand certificate management on Windows. Note that JIMS requires certain fields to be set to specific values in the certificate in order to utilize it.
System-Level IP Address, Event, and Group Filtering
Juniper Identity Management Service enables you to specify IP address ranges to include in or exclude from reports the JIMS server sends to SRX Series devices. You can also specify Active Directory user groups to include in the reports. These filters are applied to all the SRX Series devices in your network. For SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release, you can apply IPv4 address filters. For SRX Series devices running Junos OS Release 18.3R1 or later, the JIMS server supports both IPv4 and IPv6 address filtering for the SRX Series devices in your network.
JIMS supports both an IPv6 filter from the SRX Series device query and a system-level IPv6 filter. The system-level filter filters the IP addresses from the event sources. The system-level IP filters are configured through the JIMS Administrative Interface. The JIMS server includes or excludes IP sessions when it receives the logon events from the configured event sources. For example, if 192.0.2.1 is added as an exclude IP address in the system-level filter on the JIMS server and a user with 192.0.2.1 logs on to the domain controller, the JIMS server ignores the session for this user. Thus no entry with 192.0.2.1 is sent to the SRX Series device.
The IPv6 filters used by the SRX Series device query are configured on the SRX Series device. The SRX Series device includes or excludes the IP addresses in the batch query that it sends to the JIMS server. The JIMS server replies with the entries based on the filters received from the SRX Series device. However, note that the SRX Series device filters only apply within the context of the system-level filter. For example, if 192.0.2.0/24 is configured on the SRX Series device as the include filter, the SRX Series device sends the query with 192.0.2.0/24 as the include subnet to the JIMS server. The JIMS server replies with the entries within this subnet only, even though it holds many entries outside 192.0.2.0/24.
In addition, the JIMS server allows you to filter by:
Groups—You define the Active Directory user groups to include in reports. Group filters are applied to all the SRX Series devices in your network.
User/Device Event—Event filters on the JIMS server enable you to apply a filter in your network to define users or devices to exclude from reports the JIMS server sends to SRX Series devices. The User/Device Event filter performs regular expression matching to filter specific users or devices by name. The filter ignores events associated with a particular user or device.
For SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release, Juniper Identity Management Service applies the filters it receives from individual SRX Series devices. If filtering is also configured on Juniper Identity Management Service, the service first applies its own filters to all the SRX Series devices in your network, and then applies the filters it receives from the individual SRX Series devices.
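As an added illustration (not JIMS code or its data format), the following Python models the two filter layers described above together with the per-address session rule from the IPv6 reporting section: the system-level IP, group and user/device filters are applied as logon events arrive, and an SRX Series device's batch-query filters (include subnet, domain, timestamp) are applied only to the sessions that survived that first layer. The record fields, filter names and sample addresses are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model for illustration: the record layout, filter names and
# sample data below are assumptions, not JIMS data structures or its wire format.

@dataclass
class Session:
    ip: str                      # one session per address: IPv4 and IPv6 are distinct
    domain: str
    user: Optional[str]          # None for a device-only session
    device: str
    groups: List[str] = field(default_factory=list)
    timestamp: int = 0

@dataclass
class SystemFilter:
    include_nets: List[str] = field(default_factory=list)    # empty = no include restriction
    exclude_nets: List[str] = field(default_factory=list)
    include_groups: List[str] = field(default_factory=list)  # empty = report all groups
    exclude_name_regex: Optional[str] = None                 # User/Device Event filter

def in_any(ip: str, nets: List[str]) -> bool:
    """True if ip falls in any listed network; a v4 address never matches a v6 net."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def apply_system_filter(events: List[Session], f: SystemFilter) -> List[Session]:
    """Layer 1: applied to logon events as they arrive, for every SRX in the network."""
    name_re = re.compile(f.exclude_name_regex) if f.exclude_name_regex else None
    cache = []
    for s in events:
        if f.include_nets and not in_any(s.ip, f.include_nets):
            continue
        if in_any(s.ip, f.exclude_nets):
            continue  # excluded address: the session never enters the cache
        if name_re and any(name_re.search(n) for n in (s.user, s.device) if n):
            continue  # event for a filtered user or device name is ignored
        groups = [g for g in s.groups if not f.include_groups or g in f.include_groups]
        cache.append(Session(s.ip, s.domain, s.user, s.device, groups, s.timestamp))
    return cache

def answer_batch_query(cache, include_nets=None, domain=None, since=0):
    """Layer 2: the SRX's own query filters, applied only within the system-level result."""
    return [s for s in cache
            if (not include_nets or in_any(s.ip, include_nets))
            and (domain is None or s.domain.lower() == domain.lower())
            and s.timestamp >= since]

# Constructed system-level filter: drop 192.0.2.1, keep two groups, ignore SVC-* names.
SYSTEM_FILTER = SystemFilter(exclude_nets=["192.0.2.1"],
                             include_groups=["Finance", "Engineering"],
                             exclude_name_regex=r"^SVC-")

# Constructed logon events (the same user bob appears once per address).
LOGON_EVENTS = [
    Session("192.0.2.1", "example.com", "alice", "PC1", ["Finance", "Everyone"], 100),
    Session("192.0.2.10", "example.com", "bob", "PC2", ["Finance", "Everyone"], 110),
    Session("2001:db8::10", "example.com", "bob", "PC2", ["Finance", "Everyone"], 110),
    Session("198.51.100.5", "example.com", "carol", "PC3", ["Engineering"], 120),
    Session("192.0.2.20", "example.com", None, "SVC-BACKUP01", [], 130),
    Session("192.0.2.30", "corp.example", "dave", "PC5", ["Engineering", "Everyone"], 140),
]

CACHE = apply_system_filter(LOGON_EVENTS, SYSTEM_FILTER)

if __name__ == "__main__":
    for s in answer_batch_query(CACHE, include_nets=["192.0.2.0/24"], domain="example.com"):
        print(s.ip, s.domain, s.user, s.groups)
```

The SRX's include subnet cannot bring 192.0.2.1 back: it was dropped at the system level before any query arrived, which is the layering the text describes.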
Connected Network Device Monitoring
You can monitor the status of the network devices connected to the JIMS server, including:
SRX Series devices
Contrail Service Orchestration (CSO)
Event log sources, which can be Microsoft domain controllers or Exchange Servers
User information sources, which can be Microsoft Active Directories
System log messages (also called syslog messages) logged by network elements as an event source
Domain PC probes to user devices
For troubleshooting purposes, Juniper Identity Management Service is installed with a default log called jims_yyyymmdd_nnnnn.log, which is stored in \Program Files (x86)\Juniper Networks\Juniper Identity Management Service\logs. For example, a default log can be called jims_20180117_00000.log.
The log includes the following event types:
System—Configuration, administration, and system-level events
Client—HTTPS/HTTP GET requests from and HTTPS/HTTP POST submissions to the SRX Series devices or CSO (HTTPS request/submissions only)
Event Source—User and device events generated by external networking devices and received via system log messages (also called syslog messages)
Info Source—Active Directory events
PC Probe—PC probe requests per set of administrative credentials
Sessions—Internal session finite state machine (FSM) transitions and internal cache events for domains, sessions, users, devices, and groups
Logging levels for each component can be set to:
Error—Critical events affecting the entire system
Warning—Unexpected per-transaction events
Standard—Minimal logging for a concise view of transaction flows
Detail—Detailed logging for a broader view of transaction flows
Debug—Most detailed logging level for troubleshooting
Each logging level includes events from the previous levels.
Juniper Identity Management Service also supports the ability to receive remote system log event data and user information data from an event source (such as a DHCP server). You define the IP address and port of the remote syslog server from which the JIMS server permits connections. You configure the JIMS server to collect syslog data whenever it detects a logoff event, a logon event, or a change in value from the remote server session. The JIMS server transmits this information to each SRX Series device and to the CSO platform (if your network environment uses CSO) for use in making policy decisions in the user firewall feature.
JIMS servers can be configured in a primary and secondary (backup) server configuration with SRX Series devices and, if applicable, CSO.
For SRX Series devices, the SRX sends HTTPS queries to the primary JIMS server and falls back to the secondary server when queries to the primary JIMS server fail. The SRX Series devices probe the primary server and change back to it when the primary server becomes available again.
For CSO, both the primary and secondary JIMS server poll the CSO at regular intervals. Data is only sent by the JIMS server that is still active. When the CSO platform detects that the primary JIMS server is down (absence of poll), it requests the secondary server to start sending data. If the primary JIMS server comes back online, the secondary server continues to send data until it goes down. At that point, CSO requests the primary JIMS server to restart sending data.
JIMS servers are agnostic as to whether they are being utilized as a primary or secondary service. There is no configuration specified in the JIMS server to make this distinction between usage as a primary or secondary service.
To implement high availability for the authentication table, an SRX Series device requires both a primary and a secondary JIMS server. CSO supports this configuration by supporting two JIMS servers using the same username and password for authentication for a single tenant.
Once authenticated, each JIMS server requests a PING filter configuration. CSO determines which JIMS server is to be the active source of reports (domains, groups and users) and which JIMS server is to be the backup and responds with either an active filter or a backup filter.
It is expected that both JIMS servers are configured to use the same Active Directory to maintain consistent reports from both servers. However, it is possible that the SRX Series device has active connections to both JIMS servers, so the SRX Series device may select a different JIMS server than CSO if there is a fault between the JIMS server and CSO that does not exist between the SRX Series device and the JIMS server.