Preparing Juniper Secure Connect Configuration

Prerequisites for Deploying Juniper Secure Connect

Before you deploy Juniper Secure Connect, you must ensure that the SRX Series device uses either a signed certificate or a self-signed certificate instead of the default system-generated certificate.

You can generate a certificate request or a self-signed certificate by navigating to Device Administration > Certificate Management > Device Certificates in the J-Web interface as shown in Figure 1.

Figure 1 shows the minimum set of values you should configure. Adjust them to match your own organization; in particular, the Common Name and Subject Alternative Name must match the hostname or IP address your clients will use to reach the gateway. If you generate a Certificate Signing Request (CSR), have it signed by your CA before you load the certificate on the SRX Series device.

Figure 1: Generate a Certificate Request or a Self-signed Certificate

After creating a self-signed certificate or loading a signed certificate, bind it to the HTTPS service on the SRX Series device: navigate to Device Administration > Basic Settings > System Services > HTTPS > HTTPS certificate and select the certificate by name.

Once the certificate is bound, you can validate it by browsing to the SRX Series device and viewing the certificate information from the address bar of your browser. The steps for viewing the certificate depend on your browser and browser version. Figure 2 shows the certificate information you configured on the SRX Series device.

Figure 2: View Certificate Information

Figure 3 shows all the details of the certificate that is configured in the SRX Series device.

Figure 3: Detailed Certificate Information

Check the following in the certificate information shown by the browser:

  • The Subject Alternative Name matches the value in your generated certificate, that is, the hostname or IP address your clients will connect to.

  • The Thumbprint/Fingerprint. This value matters when you do not export the CA certificate from the SRX Series device to all clients: in that case the application shows it to the user in a warning message, and you must tell your users which value to expect.

We recommend that you export the self-signed certificate from the SRX Series device in .pem format, or the root certificate of the CA that signed your CSR, to each client. You can do this manually or distribute it with a client rollout package for Windows and macOS. See Create Installation Packages for Juniper Secure Connect Rollout on Windows and Create Rollout Packages for Juniper Secure Connect Installation on macOS.
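The checks listed above can be scripted instead of read off a browser dialog. The following Python example is added here and is not Juniper's code: evaluate() takes a certificate in the dictionary and DER-bytes form that Python's standard ssl.SSLSocket.getpeercert() returns, reports the Issuer, CN, SAN and Fingerprint values a user would see in a warning, and tells you whether the name or IP address your clients will connect to is actually covered by the SAN (the CN is consulted only when the certificate has no SAN, and a bare IP address is only covered by an IP Address SAN). check_gateway() performs the same check live against the SRX HTTPS port while trusting only the exported .pem file, so a failure there reproduces what a client given that file will experience. The gateway name vpn.example.com, the address 192.0.2.10, and the SAMPLE_CERT and SAMPLE_DER values are constructed for illustration and are not taken from a real device.

```python
"""Offline and live checks on a Juniper Secure Connect gateway certificate.

The dict shapes follow ssl.SSLSocket.getpeercert(); SAMPLE_CERT is a
constructed stand-in, not a certificate exported from a real SRX device."""
import hashlib
import socket
import ssl
from ipaddress import ip_address
from typing import Optional


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER certificate, the
    format browsers and the Secure Connect warning dialogs display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _label_match(pattern: str, host: str) -> bool:
    """Hostname comparison: exact match, or a leading '*.' that covers
    exactly one DNS label (so *.example.com does not cover example.com
    or a.b.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "." not in host:
        return False
    return host.split(".", 1)[1] == pattern[2:]


def _rdn(name, key: str) -> Optional[str]:
    """Pull one attribute (e.g. commonName) from a getpeercert() subject
    or issuer tuple: ((("countryName", "US"),), (("commonName", "x"),))."""
    return next((v for rdn in name for k, v in rdn if k == key), None)


def evaluate(cert: dict, der: bytes, gateway: str,
             pinned_sha256: Optional[str] = None) -> dict:
    """Report the fields users see in the warning (Issuer, CN, SAN,
    Fingerprint) and whether the certificate is usable for `gateway`."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP Address"]
    cn = _rdn(cert.get("subject", ()), "commonName")
    try:
        ip_address(gateway)
        name_ok = gateway in ip_names          # IP literals need an IP SAN
    except ValueError:
        # CN is only consulted when the certificate carries no SAN at all
        names = dns_names if san else ([cn] if cn else [])
        name_ok = any(_label_match(n, gateway) for n in names)
    sha256 = fingerprint(der, "sha256")
    pin_ok = None
    if pinned_sha256 is not None:
        pin_ok = sha256.replace(":", "") == pinned_sha256.upper().replace(":", "")
    return {
        "issuer": _rdn(cert.get("issuer", ()), "commonName"),
        "cn": cn,
        "san": dns_names + ip_names,
        "sha256": sha256,
        "sha1": fingerprint(der, "sha1"),
        "self_signed": cert.get("issuer") == cert.get("subject"),
        "name_match": name_ok,
        "pin_match": pin_ok,
    }


def check_gateway(host: str, port: int = 443, cafile: Optional[str] = None,
                  pinned_sha256: Optional[str] = None) -> dict:
    """Live check against the SRX HTTPS port, trusting only `cafile` (the
    exported self-signed .pem or the CA root) as a client with the rollout
    package would. Raises ssl.SSLCertVerificationError when the gateway
    certificate does not chain to cafile or its name does not match."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return evaluate(tls.getpeercert(), tls.getpeercert(binary_form=True),
                            host, pinned_sha256)


# Constructed sample: what getpeercert() returns for a self-signed gateway
# certificate with one DNS and one IP SAN. Not a real SRX certificate.
_NAME = ((("countryName", "US"),), (("organizationName", "Example Corp"),),
         (("commonName", "vpn.example.com"),))
SAMPLE_CERT = {
    "subject": _NAME,
    "issuer": _NAME,
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "192.0.2.10")),
    "notAfter": "Jan  1 00:00:00 2027 GMT",
}
SAMPLE_DER = b"constructed DER placeholder"  # stands in for getpeercert(binary_form=True)

if __name__ == "__main__":
    for target in ("vpn.example.com", "192.0.2.10", "mail.example.com"):
        r = evaluate(SAMPLE_CERT, SAMPLE_DER, target)
        print(f"{target:16} name_match={r['name_match']} self_signed={r['self_signed']}")
        print(f"{'':16} SHA-256 {r['sha256']}")
```

After exporting the certificate, run check_gateway("vpn.example.com", cafile="gateway.pem") from a workstation: an ssl.SSLCertVerificationError means that clients given that file will be shown the certificate warning, and a name_match of False in the offline report means the SAN does not cover the address users are told to connect to, which is the first thing to fix before rollout.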

Table 1 lists the Juniper Secure Connect application directory location to place the exported certificate on different platforms:

Table 1: Certificate Export File Location in Juniper Secure Connect Directory

  Platform   Directory Location
  Windows    C:\ProgramData\Juniper\SecureConnect\cacerts\
  macOS      /Library/Application Support/Juniper/SecureConnect/cacerts/
  Android    /Juniper/Export
  iOS        /Files/Secure Connect/

Figure 4: Export Self-signed Certificate

How Juniper Secure Connect Works

Before configuring Juniper Secure Connect on the SRX Series device, let's look at a high level at how the solution works.

Establishing connectivity between the Juniper Secure Connect application and an SRX Series device goes through the following stages:

  1. The remote user installs the Juniper Secure Connect application on a device such as a smartphone or a laptop, either by downloading it or through the organization's software distribution system.

  2. When the user initiates a connection, the application checks whether the gateway certificate is valid.

    Note:

    If the SRX Series device still uses the system-generated certificate, the application refuses to establish a connection.

    If the gateway uses a certificate whose root certificate has not been distributed to the application (see Create Installation Packages for Juniper Secure Connect Rollout on Windows and Create Rollout Packages for Juniper Secure Connect Installation on macOS), the user is prompted with the warning message shown in Figure 5, Figure 6, Figure 7, or Figure 8, depending on the platform where the Juniper Secure Connect application is installed.

    Figure 5 shows a sample warning message on the Windows platform when the application does not have the root certificate.

    Figure 5: Sample Certificate Warning Message on Windows Platform

    Figure 6 shows a sample warning message on the macOS platform when the application does not have the root certificate.

    Figure 6: Sample Certificate Warning Message on macOS Platform

    Figure 7 shows a sample warning message on the Android platform when the application does not have the root certificate.

    Figure 7: Sample Certificate Warning Message on Android Platform

    Figure 8 shows a sample warning message on the iOS platform when the application does not have the root certificate.

    Figure 8: Sample Certificate Warning Message on iOS Platform

    The appearance of the warning message differs based on the platform where the Juniper Secure Connect application is installed.

    The details in the warning message come from the certificate configured on the SRX Series device. Table 2 describes the fields shown in the sample warning message.

    Table 2: Certificate Information

      Field        Description
      Issuer       Name of the certificate issuer. For a self-signed certificate this is the same as the subject.
      CN           Common Name (CN), the subject name in the certificate.
      SAN          Subject Alternative Name (SAN), the hostnames or IP addresses the certificate is valid for.
      Fingerprint  Fingerprint (also called thumbprint) of the certificate, which you can compare with the value shown in the browser (Figure 3).

    As the system administrator, you must tell your users what action to take when this warning message is displayed. The easiest way to validate the certificate yourself is to click the warning indicator in the browser toolbar and compare the certificate details with those shown in Figure 2 and Figure 3; the permanent fix is to load the correct root certificate on the client.

    The following warning is displayed if the application cannot reach the Certificate Revocation List (CRL) of the signed certificate loaded on the SRX Series device.

    Warning:

    When you use a signed certificate and the Juniper Secure Connect application cannot reach the Certificate Revocation List (CRL) to validate the gateway certificate, the application prompts the user with the warning message shown in Figure 9, Figure 10, Figure 11, and Figure 12 each time they connect, until the CRL is accessible. Juniper Networks strongly recommends that you or your users report this error to your IT organization so that the CRL download failure is resolved.

    Figure 9: Warning Message when Application Cannot Validate Gateway Certificate (Windows)

    Figure 10: Warning Message when Application Cannot Validate Gateway Certificate (macOS)

    Figure 11: Warning Message when Application Cannot Validate Gateway Certificate (Android)

    Figure 12: Warning Message when Application Cannot Validate Gateway Certificate (iOS)

  3. The SRX Series device authenticates the user based on credentials (user name, password, and domain) or a certificate.

  4. After successful authentication, the client downloads and installs the latest configuration policy defined on the SRX Series device. This step ensures that the client always uses the latest configuration policy defined by the administrator.

  5. The client establishes a secure VPN connection based on the downloaded configuration profile.

Now that we know how Juniper Secure Connect works, let's look at the available authentication methods.

Authentication Methods

There are two ways to authenticate users who establish secure connectivity with Juniper Secure Connect: local authentication or external authentication. Each has the restrictions described below.

  • Local Authentication—The SRX Series device validates the user credentials against its local database. The administrator handles password changes and resets of forgotten passwords, and the user must remember the new password. From a security standpoint this option is less preferred.

  • External Authentication—Users can use the same credentials they use when accessing other resources on the network. In many cases these are the domain logon credentials of Active Directory or another LDAP-based authorization system. This method simplifies the user experience and improves the organization's security posture, because the accounts are maintained under the regular security policy of your organization.

    Multi-Factor Authentication—To add an extra layer of protection, you can also enable Multi-Factor Authentication (MFA). In this method, a RADIUS proxy sends a notification message to a device such as the user's smartphone, and the user must accept the notification to complete the connection.

Table 3 compares the authentication methods available in Juniper Secure Connect.

Table 3: Juniper Secure Connect Authentication Types

  How it works
    Local Authentication: The local database maintains user accounts and user groups and uses the configured password to authenticate users.
    External Authentication: An external RADIUS server manages all user accounts and performs the authentication service.
    Details: The SRX Series device validates the user credentials in its local database (local authentication), or an external RADIUS server performs the authentication service (external authentication).

  Username and password
    Local Authentication: Yes
    External Authentication: Yes
    Details: Users must provide a user name and password when initiating a new connection.

  EAP-MSCHAPv2 (Username and password)
    Local Authentication: No
    External Authentication: Yes
    Details: Each client device must be able to validate the certificate used by the SRX Series device. Certificate validation happens before the user can log in with credentials (username/password).

  EAP-TLS
    Local Authentication: No
    External Authentication: Yes
    Details: Each client device must be able to validate the certificate used by the SRX Series device. Before EAP-TLS client authentication can take place, each user must have a certificate issued by the trusted Certificate Authority.

Now that we have an idea of the authentication methods Juniper Secure Connect supports, let's get into J-Web and familiarize ourselves with the configuration options and the fields available in the GUI.

Get Yourself Familiar with Juniper Secure Connect Wizard on J-Web

The Juniper Secure Connect VPN solution lets you create a remote access VPN tunnel between a remote user and the internal network in a few steps, using the intuitive VPN wizard in J-Web.

Once you navigate to VPN > IPsec VPN and select Create VPN > Remote Access > Juniper Secure Connect, the Create Remote Access (Juniper Secure Connect) page appears, as shown in Figure 13.

Figure 13: J-Web Wizard for Configuring Juniper Secure Connect

The VPN configuration wizard lets you configure Juniper Secure Connect in just a few steps. Table 4 describes the fields.

Table 4: Juniper Secure Connect Configuration Wizard Fields

  Name
    Name for the remote access connection. This name is displayed in the Juniper Secure Connect application on the remote client device when you do not select a default profile. Example:
      • When no default profile is used: https://<srx-series-device-ip-address>/<remote access connection name>
      • When the default profile is used: https://<srx-series-device-ip-address>/

  Description
    Description of the remote access connection.

  Routing Mode
    Set to Traffic Selector (Auto Route Insertion) by default. You cannot change this option.

  Authentication Method
    Pre-shared: This authentication method is simple and easy to use, but it is less secure than certificates. If you select the pre-shared option, you can use:
      • Authentication with username/password using local authentication
      • Authentication with username/password using external authentication
    Certificate-based: This authentication method uses Extensible Authentication Protocol (EAP). If you select the certificate-based option, you can use:
      • Authentication with username/password using EAP-MSCHAPv2
      • Authentication with a client certificate using EAP-TLS

  Auto-create Firewall Policy
    Option for automatically creating a firewall policy.

  Remote User
    Juniper Secure Connect application settings. The settings you specify here generate a configuration file that an authenticated Juniper Secure Connect user downloads automatically when connecting to the SRX Series device for the first time, which configures the remote client without manual steps.

  Local Gateway
    SRX Series device settings such as interfaces, authentication options, tunnel interfaces, SSL VPN, and NAT details. Here you specify the network information remote clients need to reach the gateway and how the gateway authenticates users.

  IKE and IPsec
    IKE and IPsec options on the SRX Series device for Juniper Secure Connect remote client connections. These are advanced settings and J-Web provides default values for the IKE and IPsec fields. The IKE settings govern the negotiation in which the device is authenticated when a Juniper Secure Connect application initiates a connection to the SRX Series device. The IPsec settings specify the connection settings and the security associations that govern authentication, encryption, encapsulation, and key management.

Now that you understand the configuration options, let's get started with the configuration.

Based on the authentication method you have selected, see one of the following topics: