Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Customer Managed Devices (On-Premises) Deployment

Note:

“Configuration of Juniper Secure Edge Deployments” and “Add Directory Services” are mandatory for customers using both On-Premises and Secure Edge deployments.

JIMS Server

The JIMS Server is configured by default for localhost connection. Once it is configured, you can only edit the JIMS Server port and Max Data Rate for the server.

A new JIMS server can also be configured. To add a new JIMS Server, follow the below steps:

  1. Click Add to add a new JIMS Server.
  2. Enter the IP address or the fully qualified domain name (FQDN) of the server.
  3. Give a description.
  4. Enter the Username and Password for authentication purposes.
  5. Select the JIMS Server Type from the drop-down menu.
  6. Deselect TLS only if you perform troubleshooting.
  7. The identity JIMS Server Port and Max Data Rate are automatically configured by JIMS. You can either change to a certificate signed by your organization or use the default certificate provided by JIMS.

Directory Services

You must configure at least one directory server for JIMS Collector to collect users, devices, and group memberships. Currently, only Active Directory is supported.

If you plan to use multiple Directory Server with the same credentials, you could create a template to reduce the input for each directory server.

To add a new Directory Server:

  1. Click Add to add a new Directory Server.
  2. Optionally use an already created template to pre-configure the credentials.
  3. The source is selected by default.
  4. Provide a Description.
  5. Enter the Server Hostname or IP Address of the server.
  6. Enter the Login ID) and Password for authentication purposes.
  7. Select TLS Connection if you like to encrypt communication between JIMS and the Directory Server.

Identity Producers

You can configure Identity Producers to gather user and device status events. JIMS uses this information to provide IP address-to-username mappings. JIMS also provides device names with domain names to the enforcement points (SRX Series Firewalls).

The identity producers have 3 tabs/options. Select the appropriate option for your deployment based on the information provided in this section.

Add Event Source

To add a new event source:

  1. Click Add to add a new Event Sources.
  2. Use an existing template to pre-configure the credentials.
  3. Select the type of source from the drop-down menu:

    • Domain Controller

    • Exchange Server

    • Windows Event Collector (WEC)

  4. If you select Windows Event Collector (WEC), enter the Channel Path from which logs should be collected.
  5. Provide an optional description.
  6. Enter the Server Hostname or IP Address of the server.
  7. Enter the Login ID and Password. Use the dedicated service account created with limited privileges.
  8. Enter Startup Event History Catchup Time to ensure JIMS collects historical event logs before the system begins active monitoring.

Add PC Probe

To add a new PC probe:

  1. Click Add to add a new PC Probes.
  2. Enter the Login ID and Password. This is the newly created service account with limited privileges.
  3. Provide an optional description.
  4. After you provide the details, you can move the order of usernames in the sequence you want them executed.

Add Syslog Source

To add a new syslog source:

  1. Click Add to add a new Syslog Source.
  2. Optionally, select a pre-existing Base Configuration to inherit predefined settings.
  3. Enter the IP address or Fully Qualified Domain Name (FQDN) of the Syslog client (server sending the logs).
  4. Provide an optional description.
  5. Click Add to define your matching regular expressions.
  6. Navigate to the Regular Expression Sequences section. On the right-hand side, you will see Add, Edit, and Delete buttons.
  7. Click Add to define a new Regular Expression Sequence. A pop-up window titled Add Regular Expression Builder will appear.
  8. In the pop-up window, fill in the following details:
    1. Description: A brief explanation of the sequence.
    2. ID: Auto-generated, starting with 1 by default.
    3. Type: Select the type of sequence from the drop-down menu:

      • Begin Session

      • End Session

    4. Regular Attribute Categories: Specify applicable attribute categories relevant to the pattern.
    5. Trigger Match Expression: Define the regex pattern that should trigger a match.
    6. Return Count(optional): Set the number of times this expression should return a match.
    7. Starting Time (in minutes)(optional): Specify the time window to begin evaluating matches.
    8. Match Source IP: Enable or disable the checkbox based on whether you want to match the source IP in your expression.
  9. After completing the fields, click Add to save the sequence.
  10. Click OK to populate the Regular Expression Sequences table with your newly defined sequence(s). Once configured, the Regular Expression Sequences will be associated with the selected Syslog Source and used for matching incoming log messages accordingly.

Filters

The JIMS server allows you to filter by:

  • IP Filters—Allows you to include or exclude traffic from the specified IP ranges in reports. The Include IP filters will only include those IP ranges while sending updates to SRX, similarly Exclude IP filters will exclude the IP ranges from its update to SRX. Requires input for IP Range Start and IP Range End.

  • User/Device Filters—Designed to exclude specific users or devices from reports. You can specify usernames or device identifiers to filter out unwanted data. Helps in refining the visibility of events by omitting irrelevant or known sources.

  • Group Filters—Acts as Include Filters, applied to all SRX Series Firewalls across your network. For improved matching, a Domain can also be added alongside the group specification.

  • DN Filters—Used to exclude entries based on Distinguished Names (DN). Ideal for filtering out specific organizational units or user paths from directories.

    Note: Supports the use of regular expressions for more accurate and flexible matching for User/Device Filters, Group Filters and DN Filters.

Settings

The Settings menu consists of two tabs:

Logging

In the Logging section, enter the following details:

  1. Enter the Filename Prefix.
  2. Click on Select to choose the required Directory.
  3. Enter the File Size.
    Note:

    The acceptable file size range is 1 to 2000 MB.
  4. Enter the File Lifetime.
    Note:

    The acceptable file lifetime range is 1 to 30 days.

General

In the General section, enter the following details:

  1. Under Administrative Interface Configuration, enter the TLS (https) Port.
  2. Under User session Configuration, enter the Logoff Time.
    Note:

    The acceptable logoff time frame should fall within 1 to 1440 minutes.
  3. Under the Global Configuration section (which requires a JIMS restart), enter the Syslog Initial Timespan (minutes). Choose the appropriate options: Pass UPN, Permit Compound Usernames and Trust Other Domains based on your requirements.

Enforcement Points

Add Enforcement Points in JIMS UI

You must configure the Enforcement Points (SRX/NFX devices), otherwise, it cannot pull user, device, and group information to enforce identity-aware policies (user Firewall).

If you have many Enforcement Points with the same client id and client secret, you can create a template to reduce the input for each of them.

To add a new Enforcement Point:

  1. Click Add.
  2. Optionally use an already created template to pre-configure the credentials.
  3. Enter the SRX IP Address.
  4. If you have several Enforcement Points within a subnet, you can enter a matching Subnet that covers all of them.
  5. Provide an optional description.
  6. Enable the IPv6 reporting as IPv6 as it is used in your organization. This adds duplicated records in the auth table on the Enforcement Point.
  7. Enter the Client ID and Client Secret used for this device.
  8. The Token Lifetime is enforced. This lifetime can be changed/adjusted.

Configure JIMS in Junos

Configuration of JIMS with SRX Series Firewall

Use the following steps to configure JIMS with SRX Series Firewall:

  1. Configure the FQDN/IP address of the primary/secondary JIMS server.

  2. Configure the client ID and client secret that the SRX Series device provides to the JIMS primary/secondary server as part of its authentication.

  3. Optionally, configure the source-ip or routing instance that should be used to reach JIMS servers.

    Note:

    You can also configure the enforcement point to validate the certificate of the JIMS server, to do so, see advanced section.

  4. Configure the maximum number of user identity items that the device accepts in one batch in response to the query.

  5. Configure the interval in seconds after which the device issues a query request for newly generated user identities.

  6. Configure active directory domains of interest to the SRX Series Firewall. You can specify up to twenty domain names for the filter.

  7. Configure the address book name to include the IP filter.

  8. To configure the referenced address set, trace option file name, trace file size, level of debugging output, and the trace identity management for all modules, use the below commands appropriately:

Configuration of the Device Identity Authentication Source (End-User-Profile)

Specify the device identity authentication source and the security policy. The device obtains the device identity information for authenticated devices from the authentication source. The device searches the device identity authentication table for a device match when traffic issuing from a user’s device arrives at the device. If it finds a match, the device searches for a matching security policy. If it finds a matching security policy, the security policy’s action is applied to the traffic.

Use the following steps to configure device identity authentication source:

  1. Specify the device identity authentication source.

  2. Configure the device identity profile and domain name to which the device belongs.

  3. Configure the profile name attribute device identity string.

Configuration of the Firewall Policy to Match the Source Identity.

Use the following steps to configure one or more firewall policies that control access based on identity.

  1. Create a source or destination address for a security policy and configure the application/service to match the policy.

  2. Define a username or a role (group) name that the JIMS sends to the device. For Example: "jims-dom1.local\user1".

  3. Permit the packet if the policy matches.

  4. To configure the session initiation time and session close time use the below commands:

It is recommended to have a policy or a captive portal that could authenticate users if they are not already logged on to the Active Directory. Ensure that the captive portal is configured to use the below example: