JIMS with SRX Series Firewall

Juniper Identity Management Service (JIMS) is a Windows service application designed to collect and manage the database of user, device, and group information from Active Directory domains.

Before you install and configure Juniper Identity Management Service, prepare the SRX Series Firewalls (including the vSRX Virtual Firewall) in your network to work with the JIMS server by performing a series of configuration tasks.

For SRX Series or NFX Series devices, JIMS plays a crucial role in obtaining user identity information, in the same way that an LDAP server does.

The SRX Series device first attempts to connect to the primary JIMS server and switches to the secondary server if that connection fails. Even while connected to the secondary server, the device periodically probes the failed primary server and reverts to it once it becomes available again.

Connections to the JIMS server should use HTTPS only; the plain HTTP connection option is currently available for testing purposes only.

After successful authentication with the JIMS server, the device receives an access token, which it must use to query JIMS for identity information.

There are two methods for obtaining user identity information from JIMS:

  • Batch queries:

    SRX sends a batch query message to JIMS every 5 seconds by default to obtain available identity information.

  • IP queries:

    When the SRX Series device is missing information about a specific IP address, it can send an IP query to JIMS, which returns the status it holds for that IP address. If JIMS does not contain an entry for the specified IP address, the SRX Series device treats that IP address as an unknown user.

In the SRX, you can define filters that limit which identity information known to JIMS is retrieved. You can subscribe to certain domains and/or include or exclude information related to certain IP prefixes defined by address-book entries or address sets. Changes to these filters take effect only at the next batch query.

You can select up to xxx address-book or address-set entries for include or exclude filters; the total of xxx address-book entries is counted across both address sets and address books.

You can add a maximum of 25 domains to the filter list. Each address set can include x number of address-book entries, including entries of address sets nested within an address set. Use the following command to configure the filter:

set services user-identification identity-management filter

You can refresh the user identity information obtained from JIMS in your identity management authentication table; the information is updated during the next batch query. Use the following command:

clear services user-identification authentication-table authentication-source identity-management

To search user identity information and validate the authentication source used to grant access through the device, use the following command:

run show services user-identification authentication-table authentication-source all

The following configuration illustrates a basic JIMS server configuration on an SRX Series Firewall:

root@srx1# show services user-identification identity-management

Configuration of JIMS with SRX Series Firewall

To configure a connection to an SRX Series Firewall, see Configuring the Connection to an SRX Series Device.

Use the following steps to configure JIMS with SRX Series Firewall:

  1. Configure the IP/FQDN address of the primary/secondary JIMS server.

  2. Configure the client ID and client secret that the SRX Series device provides to the JIMS primary/secondary server as part of its authentication.

  3. Configure the maximum number of user identity items that the device accepts in one batch in response to the query.

  4. Configure the interval in seconds after which the device issues a query request for newly generated user identities.

  5. Configure active directory domains of interest to the SRX Series Firewall. You can specify up to twenty domain names for the filter.

  6. Configure the address book name to include the IP filter.

  7. To configure the referenced address set, the trace option file name, the trace file size, the level of debugging output, and identity-management tracing for all modules, use the following commands as appropriate:
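The following set-format configuration is an added example that is not part of the original page; it walks through steps 1 to 7 above on one SRX Series device. The addresses, client ID, client secret, domain name, address-book and address-set names, and trace file name are constructed values, and the statement names are assumed to follow the Junos services user-identification identity-management hierarchy (confirm them with the CLI "?" help on your release).

```junos
## Added example, not from the original page. All names and values below
## are constructed; replace them with your own before use.

## Step 1: primary and secondary JIMS servers (IP address or FQDN)
set services user-identification identity-management connection primary address 192.0.2.10
set services user-identification identity-management connection secondary address 192.0.2.11

## Step 2: client ID and client secret presented to each server when
## requesting the access token (keep the secret out of shared configs)
set services user-identification identity-management connection primary client-id srx1-client
set services user-identification identity-management connection primary client-secret "CHANGE-ME"
set services user-identification identity-management connection secondary client-id srx1-client
set services user-identification identity-management connection secondary client-secret "CHANGE-ME"

## Use HTTPS for the connection; HTTP is intended for testing only
set services user-identification identity-management connection connect-method https
set services user-identification identity-management connection port 443

## Step 3: maximum identity items accepted per batch response
set services user-identification identity-management batch-query items-per-batch 200

## Step 4: seconds between batch queries for newly generated identities
set services user-identification identity-management batch-query query-interval 5

## Step 5: Active Directory domains of interest (filter by domain)
set services user-identification identity-management filter domain jims-dom1.local

## Step 6: address book and address set referenced by the include-IP filter
set security address-book global address lan-users 10.1.0.0/16
set security address-book global address-set lan-user-set address lan-users
set services user-identification identity-management filter include-ip address-book global
set services user-identification identity-management filter include-ip address-set lan-user-set

## Step 7: trace file name, file size, and debugging level for all modules
set services user-identification identity-management traceoptions file jims-trace
set services user-identification identity-management traceoptions file size 1m
set services user-identification identity-management traceoptions level all
set services user-identification identity-management traceoptions flag all
```

After committing, the page's own operational command, run show services user-identification authentication-table authentication-source all, shows whether entries are being populated from JIMS; remember that filter changes only take effect at the next batch query.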

Configuration of the Device Identity Authentication Source (End-User-Profile)

Specify the device identity authentication source and the security policy. The SRX Series device obtains device identity information for authenticated devices from the authentication source. When traffic issued from a user's device arrives at the SRX Series device, it searches the device identity authentication table for a device match. If it finds a match, it searches for a matching security policy, and if it finds one, the security policy's action is applied to the traffic.

Use the following steps to configure device identity authentication source:

  1. Specify the device identity authentication source.

  2. Configure the device identity profile.

  3. Configure the domain name to which the device belongs.

Configuration of the Security Policy to Match the Source Identity

Use the following steps to configure the security policy to match the source identity:

  1. Create a source or destination address for a security policy.

  2. Configure the port-based application to match the policy.

  3. Define a username or a role (group) name that JIMS sends to the device. For example: "jims-dom1.local\user1".

  4. Permit the packet if the policy matches.

  5. To configure session initiation time and session close time logging, use the following commands:
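The following set-format configuration is an added example that is not part of the original page; it covers both the device identity authentication source procedure (the three steps under End-User-Profile above) and the security policy procedure (steps 1 to 5 above). The profile name, domain, zone names, address name, policy name, and the user name are constructed, and the statement names are assumed to follow the Junos device-information and security policies hierarchies (confirm them with the CLI "?" help on your release).

```junos
## Added example, not from the original page. All names below are constructed.

## Device identity: authentication source, end-user profile, and its domain
set services user-identification device-information authentication-source active-directory
set services user-identification device-information end-user-profile profile-name corp-laptops domain-name jims-dom1.local
## Optional device attribute to match inside the profile (assumed attribute name)
set services user-identification device-information end-user-profile profile-name corp-laptops attribute device-category string laptop

## Step 1: source address for the policy (destination left as any)
set security address-book global address lan-users 10.1.0.0/16

## Steps 2 to 4: port-based application, JIMS-supplied user identity,
## device profile, and permit action
set security policies from-zone trust to-zone untrust policy allow-user1 match source-address lan-users
set security policies from-zone trust to-zone untrust policy allow-user1 match destination-address any
set security policies from-zone trust to-zone untrust policy allow-user1 match application junos-https
set security policies from-zone trust to-zone untrust policy allow-user1 match source-identity "jims-dom1.local\user1"
set security policies from-zone trust to-zone untrust policy allow-user1 match source-end-user-profile corp-laptops
set security policies from-zone trust to-zone untrust policy allow-user1 then permit

## Step 5: log session initiation and session close so that per-user
## access can be audited and correlated with JIMS identity entries
set security policies from-zone trust to-zone untrust policy allow-user1 then log session-init
set security policies from-zone trust to-zone untrust policy allow-user1 then log session-close
```

The source-identity value must match the domain\user or domain\group string exactly as JIMS reports it; if the identity is absent from the authentication table the traffic is evaluated as an unknown user and this policy will not match it.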