Customer Managed Devices (On-Premises) Deployment

Note:

“Configuration of Juniper Secure Edge Deployments” and “Add Directory Services” are mandatory for customers using both On-Premises and Secure Edge deployments.

JIMS Server

The JIMS Server is configured by default for a localhost connection. Once configured, you can only edit the JIMS Server Port and Max Data Rate for that server.

You can also configure a new JIMS Server. To add one, follow these steps:

  1. Click Add to add a new JIMS Server.
  2. Enter the IP address or the fully qualified domain name (FQDN) of the server.
  3. Give a description.
  4. Enter the Username and Password for authentication purposes.
  5. Select the JIMS Server Type from the drop-down menu.
  6. Deselect TLS only while troubleshooting; keep it enabled otherwise.
  7. The JIMS Server Port and Max Data Rate are configured automatically by JIMS. You can either switch to a certificate signed by your organization or use the default certificate provided by JIMS.

Directory Services

You must configure at least one directory server for JIMS Collector to collect users, devices, and group memberships. Currently, only Active Directory is supported.

If you plan to use multiple Directory Servers with the same credentials, you can create a template to reduce the input required for each directory server.

To add a new Directory Server:

  1. Click Add to add a new Directory Server.
  2. Optionally use an already created template to pre-configure the credentials.
  3. The source is selected by default.
  4. Provide a Description.
  5. Enter the Server Hostname or IP Address of the server.
  6. Enter the Login ID and Password for authentication purposes.
  7. Select TLS Connection if you want to encrypt communication between JIMS and the Directory Server.

Identity Producers

You can configure Identity Producers to gather user and device status events. JIMS uses this information to provide IP address-to-username mappings. JIMS also provides device names with domain names to the enforcement points (SRX Series Firewalls).

The Identity Producers page has three tabs. Select the appropriate option for your deployment based on the information provided in the Identity Producers section.

Add Event Source

To add a new event source:

  1. Click Add to add a new Event Source.
  2. Use an already created template, if available, to pre-configure the credentials.
  3. Select the type of source (Domain Controller or Exchange Server).
  4. Provide an optional description.
  5. Enter the Server Hostname or IP Address of the server.
  6. Enter the Login ID and Password. This should be the newly created service account with limited privileges.
  7. Enter Startup Event History Catchup Time. This ensures JIMS has collected historical data before production usage.

Add PC Probe

To add a new PC probe:

  1. Click Add to add a new PC Probe.
  2. Enter the Login ID and Password. This is the newly created service account with limited privileges.
  3. Provide an optional description.
  4. After you provide the details, you can reorder the usernames into the sequence in which you want the probes executed.

Add Syslog Source

To add a new syslog source:

  1. Click Add to add a new Syslog Source.
  2. Optionally use an already created base config.
  3. Enter the IP address or FQDN of the server (Syslog Client).
  4. Provide an optional description.
  5. Click Add to define your matching regular expressions.

Filters

The JIMS server allows you to filter by:

  • IP Filters—Provide the IP Range Start and IP Range End.

  • Event/Groups Filters—Enter the User or Device to include in reports. Group filters are applied to all the SRX Series Firewalls in your network. Also specify the Domain.

  • DN Filters—Enter the DN Filter. Regular expressions are recommended.

Settings

The Settings menu consists of two tabs:

Logging

In the Logging section, enter the following details:

  1. Enter the Filename Prefix.
  2. Click on Select to choose the required Directory.
  3. Enter the File Size.
    Note:

    The acceptable file size range is 1 to 2000 MB.

  4. Enter the File Lifetime.
    Note:

    The acceptable file lifetime range is 1 to 30 days.

General

In the General section, enter the following details:

  1. Under Administrative Interface Configuration, enter the TLS (HTTPS) Port.
  2. Under User Session Configuration, enter the Logoff Time.
    Note:

    The acceptable logoff time range is 1 to 1440 minutes.

  3. Under the Global Configuration section (which requires a JIMS restart), enter the Syslog Initial Timespan (minutes). Choose the appropriate options: Pass UPN, Permit Compound Usernames and Trust Other Domains based on your requirements.

Enforcement Points

Add Enforcement Points in JIMS UI

You must configure the Enforcement Points (SRX/NFX devices); otherwise they cannot pull user, device, and group information to enforce identity-aware policies (user firewall).

If you have many Enforcement Points with the same client id and client secret, you can create a template to reduce the input for each of them.

To add a new Enforcement Point:

  1. Click Add.
  2. Optionally use an already created template to pre-configure the credentials.
  3. Enter the SRX IP Address.
  4. If you have several Enforcement Points within a subnet, you can enter a matching Subnet that covers all of them.
  5. Provide an optional description.
  6. Enable IPv6 reporting if IPv6 is used in your organization. Note that this adds duplicate records to the auth table on the Enforcement Point.
  7. Enter the Client ID and Client Secret used for this device.
  8. The Token Lifetime is enforced and can be adjusted.

Configure JIMS in Junos

Configuration of JIMS with SRX Series Firewall

Use the following steps to configure JIMS with an SRX Series Firewall:

  1. Configure the FQDN/IP address of the primary/secondary JIMS server.

  2. Configure the client ID and client secret that the SRX Series device provides to the JIMS primary/secondary server as part of its authentication.

  3. Optionally, configure the source-ip or routing instance that should be used to reach JIMS servers.

    Note:

    You can also configure the enforcement point to validate the certificate of the JIMS server; to do so, see the advanced section.

  4. Configure the maximum number of user identity items that the device accepts in one batch in response to the query.

  5. Configure the interval in seconds after which the device issues a query request for newly generated user identities.

  6. Configure active directory domains of interest to the SRX Series Firewall. You can specify up to twenty domain names for the filter.

  7. Configure the address book name to include the IP filter.

  8. To configure the referenced address set, trace option file name, trace file size, level of debugging output, and trace identity management for all modules, use the following commands as appropriate:

Configuration of the Device Identity Authentication Source (End-User-Profile)

Specify the device identity authentication source and the security policy. The device obtains the device identity information for authenticated devices from the authentication source. The device searches the device identity authentication table for a device match when traffic issuing from a user’s device arrives at the device. If it finds a match, the device searches for a matching security policy. If it finds a matching security policy, the security policy’s action is applied to the traffic.

Use the following steps to configure device identity authentication source:

  1. Specify the device identity authentication source.

  2. Configure the device identity profile and domain name to which the device belongs.

  3. Configure the profile name attribute device identity string.

Configuration of the Firewall Policy to Match the Source Identity

Use the following steps to configure one or more firewall policies that control access based on identity.

  1. Create a source or destination address for a security policy and configure the application/service to match the policy.

  2. Define a username or a role (group) name that the JIMS sends to the device. For Example: "jims-dom1.local\user1".

  3. Permit the packet if the policy matches.

  4. To configure the session initiation time and session close time, use the following commands:
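The three Junos procedures above (JIMS server connection, device identity authentication source, and identity-aware policy) collected into one set-command example. This is an added example, not configuration from the original page; the server address 192.0.2.10, client ID, profile and policy names, zones, address-book entries and the device-identity string are constructed placeholders, and the optional source-ip/routing-instance and certificate-validation settings of step 3 are not shown.

```junos
# Steps 1-2: primary JIMS server and the credentials the SRX presents to it
# (address and client ID/secret are constructed placeholders)
set services user-identification identity-management connection primary address 192.0.2.10
set services user-identification identity-management connection primary client-id srx-branch1
set services user-identification identity-management connection primary client-secret "REPLACE-WITH-CLIENT-SECRET"
set services user-identification identity-management connection connect-method https

# Steps 4-5: batch size and polling interval for newly generated identity entries
set services user-identification identity-management batch-query items-per-batch 200
set services user-identification identity-management batch-query query-interval 5

# Step 6: only learn identities from the Active Directory domains of interest (up to twenty)
set services user-identification identity-management filter domain jims-dom1.local

# Step 7: IP filter, referencing an address set in the global address book
set security address-book global address jims-user-subnets 10.10.0.0/16
set security address-book global address-set jims-scope address jims-user-subnets
set services user-identification identity-management filter include-ip address-book global address-set jims-scope

# Step 8: trace file name, size and debugging level for the identity-management module
set services user-identification identity-management traceoptions file jims-trace size 1m
set services user-identification identity-management traceoptions level all
set services user-identification identity-management traceoptions flag all

# Device identity authentication source and end-user profile (profile name is constructed)
set services user-identification device-information authentication-source active-directory
set services user-identification device-information end-user-profile profile-name ad-laptops domain-name jims-dom1.local
set services user-identification device-information end-user-profile profile-name ad-laptops attribute device-identity string corp-laptop

# Identity-aware policy: match the user from the page's example and the profile, then permit
set security policies from-zone trust to-zone untrust policy allow-user1 match source-address any
set security policies from-zone trust to-zone untrust policy allow-user1 match destination-address any
set security policies from-zone trust to-zone untrust policy allow-user1 match application any
set security policies from-zone trust to-zone untrust policy allow-user1 match source-identity "jims-dom1.local\user1"
set security policies from-zone trust to-zone untrust policy allow-user1 match source-end-user-profile ad-laptops
set security policies from-zone trust to-zone untrust policy allow-user1 then permit
```

After committing, confirm the connection with `show services user-identification identity-management status` and check learned entries with `show services user-identification authentication-table authentication-source identity-management`.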

It is recommended to have a policy or a captive portal that can authenticate users who are not already logged on to Active Directory. Ensure that the captive portal is configured as shown in the example below: