Preparing Juniper Secure Connect Configuration
This topic includes the following sections:
Prerequisites for Deploying Juniper Secure Connect
Before you deploy Juniper Secure Connect, you must ensure that the SRX Series device uses either a signed certificate or a self-signed certificate instead of the default system-generated certificate.
You can generate a certificate request or a self-signed certificate by navigating to Device Administration > Certificate Management > Device Certificates in the J-Web interface as shown in Figure 1.
Below are the minimum of values that you should configure. Ensure that these values matches with your own organization. If you initiate a Certificate Signing Request (CSR), the certificate must be signed by your CA before it is loaded on the SRX Series device.
After creating a self-signed or loading a signed certificate, you must bind the certificate to the SRX Series device by navigating to Device Administration > Basic Settings > System Services > HTTPS > HTTPS certificate and select the appropriate name.
When the certificate has been loaded to the SRX Series device, you can validate the certificate by viewing the certificate information in your browser bar. The steps involved in viewing the certificate information depends on your browser and browser version. Figure 2 shows the certificate information that you configured in the SRX Series device.
Figure 3 shows all the details of the certificate that is configured in the SRX Series device.
You must check for the following from the certificate information in the browser:
Check if the Subject Alternative Name matches with your generated certificate.
The Thumbprint/Fingerprint is also important if you not exporting the CA certificate from the SRX Series device to all clients. In such cases, it will be displayed in a warning message.
We recommend that you export the self-signed certificate from
the SRX Series device in
or the CA root certificate from the CA that signed your CSR to each
client. You can do this manually or distributed using a client rollout
package for Windows and macOS. See Create Installation Packages for Juniper Secure Connect Rollout on Windows and Create Rollout Packages for Juniper Secure Connect Installation on macOS.
Table 1 lists the Juniper Secure Connect application directory location to place the exported certificate on different platforms:
Table 1: Certificate Export File Location in Juniper Secure Connect Directory
How Juniper Secure Connect Works?
Before we start configuring Juniper Secure Connect on SRX Series device, lets understand at high-level how Juniper Secure Connect solution works.
Different stages of establishing connectivity between a Juniper Secure Connect application and an SRX Series device.
A remote user downloads Juniper Secure Connect application on the device such as smart phone, or a laptop, or its distributed by the organizations software distribution system.
When the user initiates a connection, the application validates whether the gateway certificate is valid.
If the SRX Series device has a system-generated certificate enabled, the user cannot establish any connection with the application.
If the gateway uses a certificate where the root certificate has not been distributed to the application (Create Installation Packages for Juniper Secure Connect Rollout on Windows and Create Rollout Packages for Juniper Secure Connect Installation on macOS), the user will be prompted with a warning message shown in Figure 5, Figure 6, and Figure 7 based on the platform where the Juniper Secure Connect application is installed.
Figure 5 is a sample warning message on Windows platform if the application does not have a root certificate.
Figure 6 is a sample warning message on macOS platform if the application does not have a root certificate.
Figure 7 is a sample warning message on Android platform if the application does not have a root certificate.
The appearance of the warning message page differs based on the platform where the Juniper Secure Connect application is installed.
Details of the warning message is based on the certificate that is configured on Juniper Secure Connect. Table 2 shows the details in the sample warning message.
Table 2: Certificate Information
Name of the certificate issuer.
Common name (CN) represents the subject name in the certificate.
Subject Alternative Name (SAN) represents the subject alternative name in the certificate.
Represents the finger and thumbprint section in the certificate.
You as a system administrator must inform your users what action to take when a warning message is displayed. The easiest way to validate your certificate as an administrator is to click on the warning message in the browser toolbar to display the certificate details as shown in Figure 2 and Figure 3 or load the correct root certificate on the client.
Below warning message is displayed if the application cannot reach the CRL (Certificate Revocation List) of the signed certificate loaded on the SRX Series device.
When you use a signed certificate and if the Juniper Secure Connect application cannot reach the Certificate Revocation List (CRL) to validate the gateway certificate, the application prompts the users with the warning message (as shown in Figure 8, Figure 9, and Figure 10) each time they connect until the CRL is accessible. Juniper Networks' strongly recommends you or your user to report this error message to your IT organization to solve the CRL download failure.
SRX device authenticates the user based on credentials (user name, password, and domain) or certificates.
After a successful authentication, the client downloads and installs the latest configuration policy defined on the SRX Series device. This step ensures that the client always uses the latest configuration policy defined by the administrator
The client establishes a secure VPN connection based on downloaded configuration profile.
Now that we know how Juniper Secure Connect works, lets understand more about the different authentication methods available.
There is two ways to authenticate users establishing secure connectivity with juniper secure connect, either local or external authentication, each of these two ways have certain restrictions described below.
Local Authentication—In local authentication, the SRX Series device validates the user credentials by checking them in the local database. In this method, the administrator handles change of password or resetting of forgotten password. Here, it requires that an user must remember a new password. This option is not much preferred from a security standpoint.
External Authentication—In external authentication, you can allow the users to use the same user credentials they use when accessing other resources on the network. In many cases, user credentials are domain logon used for Active Directory or any other LDAP authorization system. This method simplifies user experience and improves the organization’s security posture; because you can maintain the authorization system with the regular security policy used by your organization.
Multi Factor Authentication—To add an extra layer of protection, you can also enable Multi Factor Authentication (MFA). In this method, a RADIUS proxy is used to send a notification message to a device such as the users’ smart phone. Users must accept the notification message to complete the connection.
Table 3 compares different authentication methods in Juniper Secure Connect.
Table 3: Juniper Secure Connect Authentication Types
How it works?
Local database maintains user accounts and user groups and uses configured password to authenticate the users
External RADIUS server manages all user accounts and performs authentication service.
SRX Series Device validates the user credentials by checking them in the local database (local authentication)
External Radius server performs authentication service (external authentication).
Username and password
Users must provide user name and password when initiating a new connection.
EAP-MSCHAPv2 (Username and password)
Each client device must be able to validate the certificate used by the SRX Series device.
Certificate validation happens before the user can login using credentials (username/password).
Each client device must be able to validate the certificate used by the SRX Series device.
Before the EAP-TLS client authentication can take place, the requirement is—each user must have certificates managed by the trusted Certificate Authority.
Now, we got an idea about the authentication methods that Juniper Secure Connect supports. Now it is time for us to get into J-Web and get ourselves familiar with configuration options and various fields available in the GUI.
Get Yourself Familiar with Juniper Secure Connect Wizard on J-Web
Secure Connect VPN solution lets you create a remote access VPN tunnel between a remote user and the internal network in few steps with intuitive, easy to use VPN wizard in J-Web.
Once you navigate to VPN > IPsec VPN and select Create VPN > Remote Access > Juniper Secure Connect, the Create Remote Access (Juniper Secure Connect) page appears as shown in Figure 11.
The VPN configuration wizard allows you to configure Juniper Secure Connect in just few steps as shown in Table 4.
Table 4: Juniper Secure Connect Configuration Wizard Fields
What You Configure Here
Name for the remote access connection. This name will be displayed on the Juniper Secure Connect application on remote client device when you do not select a default profile.
When default profile not used: https://<srx-series-device-ip-address>/<remote access connection name>)
When default profile is used: https://<srx-series-device-ip-address>/).
Description of remote access connection.
Routing Mode is set to Traffic Selector (Auto Route Insertion) by default. You cannot change this option.
Pre-shared: This authentication method is simple and easy to use, but it is less secure than the certificates. If you select pre-shared option, you can use:
Certificate-based: This authentication method using Extensible Authentication Protocol (EAP). If you select certificate-based option, you can use:
Auto-create Firewall Policy
Option for auto-creating a firewall policy.
IKE and IPSec
Now you have understanding about the configuration options. lets get started with the configuration.
Based on the authentication method you have selected, see either of these topics: