Configuring Infranet Controller User Roles (NSM Procedure)

A user role defines user session parameters and personalization settings. You can customize a user role by specifying access restrictions, enabling Host Enforcer (Windows) or agentless or Java agent access, and configuring session settings. You can create and configure user roles through the User Roles page from the Infranet Controller device configuration tree.

To configure a user role:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the Infranet Controller device for which you want to configure the user roles.
  3. Click the Configuration tab. In the configuration tree, select Users > User Roles. The corresponding workspace appears.
  4. Click the New button, the New dialog box appears.
  5. Add or modify settings on the General tab as specified in Table 6.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 6: User Role Configuration Details



Your Action

General > Overview tab


Specifies a unique name for the user role.

Enter a name.


Describes the user role.

Enter a brief description for the user role.

Session Options

Specifies the maximum session length, roaming capabilities, and session persistence.

Select General > Session Options to apply the settings to the role.

UI Options

Specifies customized settings for the Infranet Controller welcome page for Odyssey Access Client users mapped to this role.

Select General > UI Options to apply the settings to the role.

Odyssey Settings for IC Access

Specifies the Odyssey Access Client settings for Infranet Controller access.

Select this option to apply the Odyssey Access Client initial configuration settings.

Odyssey Settings for Preconfigured Installer

Specifies the Odyssey Access Client settings for the preconfigured installer.

Select this option to apply the Odyssey Access Client settings for the preconfigured installer.

General > Restrictions tab

Source IP Restrictions

Specifies source IP restrictions.

See "Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure)."

Browser Restrictions

Specifies browser restrictions.

See "Configuring Infranet Controller Browser Access Restrictions (NSM Procedure)."

Certificate Restrictions

Specifies certificate restrictions.

See "Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure)."

Host Checker Restrictions

Specifies Host Checker restrictions.

See "Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure)."

General > Session Options tab

Max. Session Length (minutes)

Specifies the number of minutes an active nonadministrative user session may remain open before ending. During an end-user session, prior to the expiration of the maximum session length, the Infranet Controller prompts the user to reenter authentication credentials, which avoids the problem of terminating the user session without warning.

Enter the session length in minutes. The default is five minutes, and the minimum is six minutes.

Heartbeat Interval (seconds)

Specifies the frequency at which the endpoint should send out a heartbeat to the Infranet Controller to keep the session alive. For agentless access, the browser refreshes the page with every heartbeat.

Enter the heartbeat interval in seconds.

Users should not navigate away from the browser, as this interrupts the heartbeat and ends the session. The Odyssey Access Client and the Java agent respectively provide the heartbeat. You should ensure that the heartbeat interval of the agent is greater than the Host Checker interval, otherwise performance could be affected.

Heartbeat Timeout (seconds)

Specifies the amount of time that the Infranet Controller should “wait” before terminating a session when the endpoint does not send a heartbeat response.

Enter the heartbeat timeout in seconds.

Roaming session

  • Enabled—Enables roaming user sessions for users mapped to this role. A roaming user session works across source IP addresses, which allows mobile users (laptop users) with dynamic IP addresses to sign in to the Infranet Controller from one location and continue working from another. Disable this feature to prevent users from accessing a previously established session from a new source IP address. This helps protect against an attack spoofing a user’s session, provided the hacker was able to obtain a valid user's session cookie.
  • Limit to subnet—Limits the roaming session to the local subnet specified in the Netmask field. Users may sign in from one IP address and continue using their sessions with another IP address as long as the new IP address is within the same subnet.
  • Disabled—Disables roaming user sessions for users mapped to this role. Users who sign in from one IP address may not continue an active Infranet Controller session from another IP address; user sessions are tied to the initial source IP address.

Select this option to enable, limit, or disable the roaming session.

Roaming netmask

Displays the netmask for the local subnet.

Select this option to view the netmask for the local subnet.

Enable Session Extension

Allows users with a Layer 2 or Layer 3 connection to continue a session beyond the maximum session length.

Select this option to allow users with Odyssey Access Client and agentless access to reauthenticate and extend their current session without interruption.

General > UI Options tab

Headers > Logo image

Displays the logo in the Infranet Controller welcome page.

Browse to your custom image file.

Headers > Background color

Displays the background color for the header area of the Infranet Controller welcome page.

Type the hexadecimal number for the background color, or click the Color Palette icon and pick the desired color.

Greeting > Show notification message

Enables the notification text box.

Select the Show notification message check box (optional).

Greeting > Notification Message

Displays the notification message at the top of the Infranet Controller welcome page.

Enter the message that you want to display.

You may format text and add links using the following HTML tags: <i>, <b>, <br>, <font>, and <a href>. However, the Infranet Controller does not rewrite links on the sign-in page (because the user has not yet authenticated), so you should only point to external sites. Links to sites behind a firewall will fail. You may also use Infranet Controller system variables and attributes in this field.

  • The length of the personalized greeting cannot exceed 12K or 12288 characters.
  • If you use unsupported HTML tags in your custom message, the Infranet Controller may display the end user’s Infranet Controller home page incorrectly.

Other > Show copyright notice and ’Secured by Juniper Networks’ label in footer

Displays the copyright notice and label in the footer.

Select the Show copyright notice and ’Secured by Juniper Networks’ label in footers check box (optional).

This setting applies only to those users whose license permits disabling the copyright notice. For more information about this feature, call Juniper Networks Support.

Related Documentation