Configure Prelogon Compliance (CLI Procedure)

Read this topic to know about prelogon compliance checks and how to configure them in Juniper Secure Connect.

What is Prelogon Compliance

The Juniper Secure Connect application exchanges details with the SRX Series Firewall to perform prelogon compliance checks. The administrator configures the prelogon compliance rules on the SRX Series Firewall to validate the status of a connecting client device. These prelogon compliance checks are validations performed before authentication. Based on the configured match criteria, the firewall admits or rejects the connecting client device.

This feature ensures that the Juniper Secure Connect application fulfills the connection criteria with the SRX Series Firewall, thereby providing enhanced security measures set by the administrator.

The purpose of prelogon compliance policies is to validate the endpoint's current context based on the compliance criteria set by your organization. You authorize the access based on these compliance policies. The device performs the prelogon compliance check using prelogon compliance policies prior to the user authentication.

As an administrator, you configure a set of rules on your SRX Series Firewall to allow or reject an endpoint before a remote access VPN connection is established. Here, endpoint refers to the client or the host on which the Secure Connect application is installed. You create rules based on the supported client platforms (Windows, macOS, Android and iOS), and you can add other match criteria such as Device ID, hostname, ms-domain name and ms-workgroup name.

The SRX Series Firewall processes these rules based on certain evaluation criteria. See compliance (Juniper Secure Connect) evaluation criteria for further details on evaluation criteria. For more details on the compliance rule name, term rule name, match criteria and action, see compliance (Juniper Secure Connect).

How to Configure Prelogon Compliance Rules

Let us consider the following rules mentioned in Table 1 for this configuration task -

Table 1: Prelogon Compliance Rules

Compliance rule name: Compliant

  • Term name: SecureConnect
    Match criteria (values):
      • platform: windows, app-version<23.4.13.14.29669
      • platform: macos, os-version<12.5.1
    Action: reject

  • Term name: Decommissioned
    Match criteria (values):
      • deviceid: c8163be5d7077d35989e0b0e6b9271bfa53003e4251a24e588c10302c4972123
    Action: reject

  • Term name: BYOD
    Match criteria (values):
      • deviceid: c8163be5d7077d35989e0b0e6b9271bfa5312fa2251a24e588c10302c4903kd2
    Action: accept

  • Term name: CorpDevices
    Match criteria (values):
      • hostname: device1, device2
      • ms-domain: example.net
      • deviceid: c8163be5d7077d35989e0b0e6b9271bfa5300fa2251a24e578c10302c4972aff, c8163be5d7077d35989e0b0e6b9271bfa5300fa2251a24e588c10302c4972124
    Action: accept

To configure prelogon compliance rules using the command line interface:

  1. Log in to your SRX Series Firewall using the command line interface (CLI).

  2. Configure remote-access VPN in full tunnel configuration mode. See one of the following procedures based on the authentication method used -

  3. Refer to the prelogon compliance rules as shown in Table 1 to configure the rules on your SRX Series Firewall.

  4. Configure prelogon compliance policy Compliant at [edit security remote-access] hierarchy level -

    • With term rule SecureConnect and its match criteria and action -

      In this term rule, for the specified Juniper Secure Connect app-version for Windows and macOS endpoints, the connection will be rejected. To know your app-version, see Juniper Secure Connect User Guide for the specific endpoint based on the supported Operating System.

    • With term rule OS and its match criteria and action -

      In this term rule, for the specified os-versions for Windows and macOS endpoints, the connection will be rejected.

    • With term rule Decommissioned and its match criteria and action -

      In this term rule, for the specified Device ID, the connection will be rejected. To get the Device ID, see Juniper Secure Connect User Guide.

    • With term rule BYOD and its match criteria and action -

      In this term rule, for the specified Device ID, the connection will be accepted. To know the Device ID, see Juniper Secure Connect User Guide.

    • With term rule CorpDevices and its match criteria and action -

      In this term rule, for the specified hostnames, ms-domain name and Device IDs, the connection will be accepted. To know the Device ID, see Juniper Secure Connect User Guide.

  5. For any other criteria not defined in the compliance rule Compliant, that is, when no term rule matches the connecting endpoint, the default action is reject.

  6. Once the compliance rules are defined for a compliance policy, attach the compliance policy to the remote-access profile, ra.example.com created in step 2 -

  7. When you are done configuring the feature on your device, enter commit from configuration mode.

  8. Based on the use case, you can create multiple compliance policies like SecureConnect and attach each of them to the remote-access profiles that you create. Ensure that exactly one compliance policy is associated with each remote-access profile.
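To make the Table 1 policy and the default-reject behaviour in step 5 concrete, the following is an added example (not Juniper code, and not the SRX Series Firewall's own evaluation engine) that models the Compliant policy and evaluates constructed endpoint contexts against it. It assumes first-match term ordering and that every criterion listed in a term must hold; the dotted versions are compared numerically, since a string comparison would treat 23.10.x as older than 23.4.x.

```python
from typing import Dict, List, Tuple

def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically: 23.10.1 is newer than 23.4.13,
    which a plain string comparison would get wrong."""
    return tuple(int(p) for p in v.split("."))

# Table 1 policy "Compliant" as (term name, match criteria, action), in order.
# "platform" maps an endpoint OS to the attribute and version ceiling that trigger a match.
COMPLIANT_POLICY: List[Tuple[str, Dict, str]] = [
    ("SecureConnect", {"platform": {"windows": ("app-version", "23.4.13.14.29669"),
                                    "macos": ("os-version", "12.5.1")}}, "reject"),
    ("Decommissioned", {"deviceid": {"c8163be5d7077d35989e0b0e6b9271bfa53003e4251a24e588c10302c4972123"}}, "reject"),
    ("BYOD", {"deviceid": {"c8163be5d7077d35989e0b0e6b9271bfa5312fa2251a24e588c10302c4903kd2"}}, "accept"),
    ("CorpDevices", {"hostname": {"device1", "device2"},
                     "ms-domain": {"example.net"},
                     "deviceid": {"c8163be5d7077d35989e0b0e6b9271bfa5300fa2251a24e578c10302c4972aff",
                                  "c8163be5d7077d35989e0b0e6b9271bfa5300fa2251a24e588c10302c4972124"}}, "accept"),
]

def term_matches(match: Dict, ctx: Dict[str, str]) -> bool:
    """Assumed semantics: every criterion in the term must hold (AND across
    criteria); a value set matches when the endpoint's value is one of them."""
    for key, wanted in match.items():
        if key == "platform":
            rule = wanted.get(ctx.get("platform", ""))
            if rule is None:                      # endpoint OS not listed in this term
                return False
            attr, ceiling = rule
            reported = ctx.get(attr)
            if reported is None or version_tuple(reported) >= version_tuple(ceiling):
                return False                      # version missing or new enough: no match
        elif ctx.get(key) not in wanted:
            return False
    return True

def evaluate(policy, ctx: Dict[str, str]) -> Tuple[str, str]:
    """First matching term wins (assumed order); no match falls back to reject (step 5)."""
    for name, match, action in policy:
        if term_matches(match, ctx):
            return name, action
    return "default", "reject"

# Constructed endpoint contexts, not real devices.
OLD_APP_WINDOWS = {"platform": "windows", "app-version": "23.4.10.1.1"}
CORP_WINDOWS = {"platform": "windows", "app-version": "23.10.1.1.1", "hostname": "device1",
                "ms-domain": "example.net",
                "deviceid": "c8163be5d7077d35989e0b0e6b9271bfa5300fa2251a24e578c10302c4972aff"}
UNLISTED_ANDROID = {"platform": "android", "hostname": "phone7"}
```

Calling evaluate(COMPLIANT_POLICY, ctx) on the three constructed contexts returns a SecureConnect reject, a CorpDevices accept and the default reject respectively.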

This feature ensures that the Juniper Secure Connect application fulfills the connection criteria with the SRX Series Firewall, thereby providing the enhanced security measures set by the administrator.