Features

Juniper Identity Management Service (JIMS) has the following features:

  • Support for identity-based security policies on SRX Series devices—Juniper Identity Management Service enables you to filter traffic on SRX Series devices based on user identity information such as usernames and user groups in addition to IP addresses. The service provides IP address-to-username-to-group mapping information to the SRX Series devices, which use the mapping information to generate entries for their authentication tables that you can use to enforce user-based and group-based security policy control.

    Note

    On SRX Series devices, user groups are known as user roles.

  • Centralized user identity data collection—Juniper Identity Management Service provides a scalable service that can take over user identity data collection from Microsoft Active Directories, domain controllers, and Exchange servers, serving as a single, centralized data collection source for all SRX Series devices in your network.

    For example, Juniper Identity Management Service can replace the connections from individual SRX Series devices to multiple Microsoft Active Directory domain controllers with a single connection from the service to each domain controller, eliminating scaling limitations.

  • Data collection from event log sources—Juniper Identity Management Service connects to event log sources to collect user and device status events and provide IP address-to-username mappings to the SRX Series devices. For user login events, it collects the domain name and username. For device login events, it collects the domain name and machine name.

    An event log source can be a Microsoft Active Directory domain controller or a Microsoft Exchange server.

  • Data collection from user information sources—Juniper Identity Management Service connects to user information sources to collect group information for users and their devices and provide username-to-group mappings to the SRX Series devices. The service queries each user information source for its supported domains and selects a source by domain when it needs to initiate user or device information queries. It queries the appropriate user information source each time it receives a login event for a user. Microsoft Active Directories are used as user information sources for Juniper Identity Management Service.

  • Domain PC probing—Domain PC probing acts as a supplement to event log reading. When a user logs into a domain, the event log contains that information. When there is no IP address-to-username mapping from the event log, Juniper Identity Management Service initiates a domain PC probe to the device to get the username and domain of the currently active user. Domain PC probes are also used to determine a device’s status after its logged-in state has expired.

    Note

    Domain PC probing works on Microsoft Windows endpoints only.

  • User identity information reporting—Juniper Identity Management Service generates reports that contain records of the IP address, username, and group relationship information collected from the user identity data sources.

    The service also generates reports for device-only sessions without sending the username in the report when the username is not available. SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release can enforce security policies based on device authentication as well as on user authentication.

  • SRX Series device query support—Juniper Identity Management Service responds to queries from SRX Series devices with the corresponding IP addresses, usernames, and device names. The service also responds to individual IP address queries with the corresponding usernames and device names.

    For SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release, batch queries from individual SRX Series devices can filter information based on a combination of timestamp, domain, and IP address. When SRX Series devices miss data for an existing flow, they can engage a captive portal to get the username. Once the user is authenticated by the captive portal, the SRX Series devices can issue an additional query to Juniper Identity Management Service, specifying the username and IP address to obtain the corresponding group information.

  • Server certificates for authentication with SRX Series devices—Juniper Identity Management Service enables you to select automatically generated server certificates or import previously configured certificates for server authentication with the SRX Series devices in your network. Specifying a server certificate enables the JIMS server to authenticate with SRX Series devices before communicating with them.

  • System-level IP address and user group filtering—Juniper Identity Management Service enables you to specify IP address ranges to include in or exclude from the reports sent to the SRX Series devices. You can also specify Active Directory user groups to include in the reports. These filters are applied to all the SRX Series devices in your network.

  • Connected network device monitoring—You can monitor the status of the network devices connected to the JIMS server, including:

    • SRX Series devices

    • Event log sources, which can be Microsoft Active Directory domain controllers or Exchange servers

    • User information sources, which can be Microsoft Active Directories

    • Domain PC probes to user devices

  • System logging—For troubleshooting purposes, Juniper Identity Management Service is installed with a default log called jims_yyyymmdd_nnnnn.log, which is stored in \Program Files (x86)\Juniper Networks\Juniper Identity Management Service\logs. For example, a default log can be called: jims_20170707_00000. The log includes the following event types:

    • System—Configuration, administration, and system-level events

    • Client—HTTPS/HTTP GET requests from and HTTPS/HTTP POST submissions to the SRX Series devices

    • Event source—User and device login events per Active Directory domain controller and Exchange server

    • Info source—Active Directory events

    • PC probe—PC probe requests per set of administrative credentials

    • Sessions—Internal session finite state machine (FSM) transitions and internal cache events for domains, sessions, users, devices, and groups

    Logging levels for each component can be set to:

    • None—No logging

    • Error—Critical events affecting the entire system

    • Warning—Unexpected per-transaction events

    • Standard—Minimal logging for a concise view of transaction flows

    • Detail—Detailed logging for a broader view of transaction flows

    • Debug—Most detailed logging level for troubleshooting

    Each logging level includes events from the previous levels.

  • High availability—JIMS servers can be configured as a primary and secondary server pair on SRX Series devices running Junos OS Release 15.1X49-D100, 17.4R1, or a later release. The SRX Series devices send HTTPS queries to the primary JIMS server and fall back to the secondary server when queries to the primary server fail. The SRX Series devices keep probing the primary server and revert to it when it becomes available again.

  • OpenSSL release 1.0.2n—With JIMS Release 1.0.2, the JIMS server now utilizes release 1.0.2n of the OpenSSL toolkit.
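
The system-level IP address and user group filtering feature described above lends itself to a short worked illustration of how such filters act on IP-address-to-username-to-group records before they are reported. This Python example is added here and is not JIMS code; the precedence between include and exclude ranges and the handling of records whose groups are all filtered out are assumptions, since the feature description does not state them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class IdentityRecord:
    """One IP-address-to-username-to-group mapping of the kind reported to SRX devices."""
    ip: str
    domain: str
    username: Optional[str]        # None for a device-only session (username not available)
    groups: frozenset = frozenset()

def parse_range(text: str) -> list:
    """Accept either CIDR ('10.1.0.0/16') or a start-end range ('10.1.1.100-10.1.1.255')."""
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(text.strip(), strict=False)]

def _matches(ip: str, nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def filter_report(records: Iterable[IdentityRecord], include_ranges: List[str],
                  exclude_ranges: List[str], include_groups=None) -> List[IdentityRecord]:
    """Apply system-level filters to a batch of records before it is reported.
    Assumed precedence (not stated in the feature text): an exclude range always wins,
    a non-empty include list restricts reporting to those ranges, and only the listed
    AD groups survive; a record whose groups are all filtered out is still reported
    because its IP-to-username mapping remains valid."""
    inc = [n for r in include_ranges for n in parse_range(r)]
    exc = [n for r in exclude_ranges for n in parse_range(r)]
    out = []
    for rec in records:
        if exc and _matches(rec.ip, exc):
            continue
        if inc and not _matches(rec.ip, inc):
            continue
        groups = rec.groups if include_groups is None else rec.groups & frozenset(include_groups)
        out.append(IdentityRecord(rec.ip, rec.domain, rec.username, groups))
    return out

# Constructed sample batch (not real JIMS output).
SAMPLE = [
    IdentityRecord("10.1.1.5", "corp", "alice", frozenset({"Finance", "Domain Users"})),
    IdentityRecord("10.1.2.7", "corp", "bob", frozenset({"Engineering"})),
    IdentityRecord("192.168.5.9", "corp", "carol", frozenset({"Finance"})),
    IdentityRecord("10.1.1.200", "corp", None, frozenset()),   # device-only session
]

def sample_report() -> List[IdentityRecord]:
    return filter_report(SAMPLE, ["10.1.0.0/16"], ["10.1.1.100-10.1.1.255"], {"Finance", "Engineering"})
```

Running `sample_report()` keeps alice (trimmed to Finance) and bob, drops carol because she is outside the include range, and drops the device-only session at 10.1.1.200 because it falls in the exclude range.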