Category Archives: Pulse Secure

Articles on Juniper and Pulse Secure SA and MAG devices running Pulse Secure Access Service

Juniper SSL VPN – Access your Work Desktop PC through RDP

RDP to your Work Desktop PC – using Juniper MAG

You can reach your own desktop through a neat feature: using an LDAP multi-valued attribute to create dynamic Terminal Services bookmarks.

SUMMARY:
An LDAP multi-valued attribute can be used to create dynamic bookmarks, one for each value the directory returns for the user. The attribute is referenced through a user-attribute variable; when that variable is used in a Terminal Services bookmark, the SA/MAG creates a separate bookmark for each returned value.

PROBLEM OR GOAL:
Administrators can control which terminal servers/desktops a user may reach by listing them as values of a multi-valued LDAP attribute on the user object. The example below uses the attribute otherIpPhone, but any multi-valued attribute will do.

SOLUTION:
Configuration on the Windows server and the SA/MAG

On the Windows server, define the terminal servers/desktops the user may reach as values of the multi-valued attribute (here otherIpPhone) under the user's properties:
[screenshot RDP-to-MAG-1]

On the SA/MAG:
1. Create an LDAP server instance.
2. Under the realm's role mapping, add the multi-valued user attribute and map the role as shown below:
[screenshot RDP-to-MAG-2]
3. Create the Terminal Services resource profile.
[screenshot RDP-to-MAG-3]
4. Define the bookmark using the attribute variable:
[screenshot RDP-to-MAG-4]
5. The user will see one bookmark per defined value on the home page:
[screenshot RDP-to-MAG-5]

Because the bookmark list is driven entirely by this attribute, make sure only directory administrators can write it: anyone able to edit a user's otherIpPhone values can add RDP targets for that user.
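As an added illustration of what the SA/MAG does with the attribute (this is example Python written for this page, not Juniper/Pulse code, and it does not reproduce the appliance's own variable syntax), the script below reads a constructed LDIF fragment standing in for an ldapsearch result, expands the multi-valued otherIpPhone values into one RDP bookmark each, drops values that are not a plausible host[:port], and mirrors the realm rule that grants the role only when the attribute is present. The LDIF content, the role name and the bookmark template are assumptions.

```python
"""Expand a multi-valued LDAP attribute into per-target RDP bookmarks.

Example code, not Juniper/Pulse code: it models the behaviour described in the
post (one bookmark per attribute value) and adds the sanity checks an
administrator would want before trusting directory data as an RDP target list.
"""
import ipaddress
import re

# Constructed sample standing in for `ldapsearch` output for one user object.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=example,DC=com
sAMAccountName: jdoe
otherIpPhone: wks-jdoe-01.example.com
otherIpPhone: 10.20.30.40:3389
otherIpPhone: not a host;rm -rf /
"""

# RFC 1123 style host name: labels of letters/digits/hyphens, dot separated.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def parse_ldif(text):
    """Return {attribute: [values]} for a single-entry LDIF fragment.

    Repeated attribute lines are what a multi-valued attribute looks like in
    LDIF, so values are always collected into a list.
    """
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            entry.setdefault(attr, []).append(value)
    return entry


def valid_rdp_target(value, default_port=3389):
    """Accept 'host' or 'host:port' where host is a DNS name or IPv4 literal."""
    host, sep, port = value.rpartition(":")
    if not sep:
        host, port = value, str(default_port)
    if not port.isdigit() or not 0 < int(port) < 65536:
        return False
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))


def expand_bookmarks(entry, attr="otherIpPhone", template="RDP to {target}"):
    """One bookmark per attribute value; reject anything that is not host[:port].

    `template` is a stand-in for the appliance's bookmark definition; the real
    SA/MAG variable syntax is not reproduced here (assumption).
    """
    bookmarks, rejected = [], []
    for value in entry.get(attr, []):
        if valid_rdp_target(value):
            bookmarks.append({"name": template.format(target=value), "target": value})
        else:
            rejected.append(value)
    return bookmarks, rejected


def role_mapping(entry, attr="otherIpPhone", role="RDP-Users"):
    """Mirror the realm rule 'user has at least one value -> assign role'."""
    return [role] if entry.get(attr) else []


if __name__ == "__main__":
    user = parse_ldif(SAMPLE_LDIF)
    marks, bad = expand_bookmarks(user)
    print("roles:", role_mapping(user))
    for mark in marks:
        print("bookmark:", mark["name"])
    for value in bad:
        print("rejected value:", repr(value))
```

Run it as-is to see two bookmarks created and the junk third value rejected; in a real deployment the equivalent check is making sure the attribute is populated only by people you trust, since the appliance itself will happily make a bookmark of whatever it is given.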

CESG IPSEC Guides (2013) & Juniper Appliances


About CESG

CESG protects the vital interests of the UK by providing policy and assistance on the security of communications and electronic data, working in partnership with industry and academia.

CESG IPSEC GUIDES

CESG has produced guidance for IPsec VPNs, which government departments and associated bodies are expected to follow.

  • Version 2.1 CESG IPSEC Security Gateway Guide can be found on the CESG site
  • Version 2.3 CESG IPSEC VPN FOR REMOTE WORKING – SOFTWARE CLIENT Guide can be found on the CESG site

Juniper MAG Devices with Juniper Pulse Secure Access Service

The Juniper Pulse Secure Access Service running version 7.4 or later on a Juniper MAG device can be used for CESG IPsec VPNs, since those releases support IKEv2 and ECDHE cipher suites with ECC certificates.

One caveat: MAG devices do not offer a FIPS level 3 cryptographic module (see the FIPS sections below), although FIPS is not referenced directly in the guide.

ECDHE Ciphers supported by SA

The lists below are TLS cipher suites, so they govern the SSL VPN and web channels rather than the IKEv2/IPsec tunnel, whose algorithms are negotiated separately in the IKE proposals. The RC4 and 3DES suites are legacy and should be removed in the custom cipher options wherever the client base allows.

With Elliptic-Curve Cryptography (ECC) certificates:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

With RSA Certificates:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
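To turn the two lists above into something actionable, here is an added example (written for this page, not Juniper/Pulse code) that classifies each suite as AEAD, CBC or legacy, derives the hardened ECDHE+AES-GCM subset, and translates the IANA names into the OpenSSL names you would feed to `openssl s_client -cipher` when checking what the gateway actually negotiates. The network check itself is not performed; the only inputs are the suite names from the page.

```python
"""Classify the ECDHE cipher suites listed above and derive a hardened subset.

Example code, not Juniper/Pulse code. The IANA suite names are the ones from
the page; the OpenSSL names are their standard equivalents, produced so the
result can be checked against a gateway with `openssl s_client -cipher NAME`
(that network check is not performed here).
"""

ECC_CERT_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
]
RSA_CERT_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def classify(suite):
    """'aead' (AES-GCM), 'cbc' (AES-CBC with HMAC), or 'legacy' (RC4 / 3DES).

    RC4 is prohibited for TLS by RFC 7465 and 3DES has a 64-bit block; both
    belong in the 'legacy' bucket and should be switched off when clients allow.
    """
    if "_RC4_" in suite or "_3DES_" in suite:
        return "legacy"
    if "_GCM_" in suite:
        return "aead"
    return "cbc"


def hardened(suites):
    """Keep only ECDHE + AES-GCM suites (forward secrecy plus AEAD), 256-bit first."""
    keep = [s for s in suites if classify(s) == "aead"]
    return sorted(keep, key=lambda s: ("_256_" not in s, s))


def to_openssl(suite):
    """Translate an IANA ECDHE suite name to the OpenSSL cipher-string name."""
    kx, _, rest = suite.partition("_WITH_")
    kx = kx[len("TLS_"):].replace("_", "-")          # ECDHE-ECDSA or ECDHE-RSA
    if rest == "RC4_128_SHA":
        return f"{kx}-RC4-SHA"
    if rest == "3DES_EDE_CBC_SHA":
        return f"{kx}-DES-CBC3-SHA"
    cipher, bits, mode, mac = rest.split("_")         # e.g. AES, 128, GCM, SHA256
    name = f"{kx}-{cipher}{bits}"
    if mode == "GCM":
        name += "-GCM"
    return f"{name}-{mac}"


def openssl_cipher_string(suites):
    """Colon-separated list in the form `openssl s_client -cipher` accepts."""
    return ":".join(to_openssl(s) for s in suites)


def report(suites):
    """Group suites by class, for a quick review of what the gateway offers."""
    groups = {"aead": [], "cbc": [], "legacy": []}
    for s in suites:
        groups[classify(s)].append(s)
    return groups


if __name__ == "__main__":
    all_suites = ECC_CERT_SUITES + RSA_CERT_SUITES
    for klass, members in report(all_suites).items():
        print(f"{klass}: {len(members)} suite(s)")
    print("hardened:", openssl_cipher_string(hardened(all_suites)))
```

Of the sixteen suites on the page, four are AEAD, eight are CBC and four are legacy (RC4 or 3DES); the hardened string is what you would want the gateway to prefer, with the CBC suites kept only for clients that cannot negotiate GCM.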

IKEv2 Clients

Any IKEv2 client can be used for CESG IPsec, e.g.:

About IKEv2

The CESG IPsec guidance specifies IKEv2. More information can be found on the Juniper website; also note the following:

  • On the Juniper SA/MAG device, IKEv2 does not support automatic cluster failover. After a cluster failover, IKEv2 users must reconnect to Secure Access Service.
  • On the Juniper SA/MAG device, IKEv2 uses UDP port 500 with Juniper Pulse Secure Access Service. Note that IKEv2 in general (RFC 7296) switches to UDP port 4500 when NAT traversal is detected, so intermediate firewalls should allow both ports.
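When you are checking what is actually arriving on UDP 500 (or 4500) at the gateway, it helps to be able to read the IKE header by hand. The following is an added example written for this page, not Juniper/Pulse code: it decodes the 28-byte header defined in RFC 7296 section 3.1, tells IKEv2 apart from IKEv1 by the version byte, names the exchange type, and handles the four-byte non-ESP marker that precedes IKE on UDP 4500. The sample datagrams are constructed, not captured.

```python
"""Decode an IKE header as seen on UDP 500, or on UDP 4500 behind the NAT-T marker.

Example code, not Juniper/Pulse code. Field layout follows the IKE header in
RFC 7296 section 3.1 (the same 28-byte layout IKEv1 uses); sample datagrams
are constructed, not captured.
"""
import struct

HEADER_LEN = 28
HEADER_FMT = "!QQBBBBII"  # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # on UDP 4500 this prefix separates IKE from UDP-encapsulated ESP

FLAG_INITIATOR = 0x08
FLAG_VERSION = 0x10
FLAG_RESPONSE = 0x20

IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKEV1_EXCHANGES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}


def build_ike_header(spi_i, spi_r, next_payload, major, minor, exchange, flags, msg_id, body=b""):
    """Serialise a header (plus optional payload bytes) with a consistent length field."""
    version = (major << 4) | minor
    header = struct.pack(HEADER_FMT, spi_i, spi_r, next_payload, version, exchange, flags, msg_id,
                         HEADER_LEN + len(body))
    return header + body


def parse_ike_header(datagram, udp_port=500):
    """Return a dict describing the IKE header; raise ValueError for non-IKE input."""
    if udp_port == 4500:
        if not datagram.startswith(NON_ESP_MARKER):
            raise ValueError("UDP 4500 payload without non-ESP marker: UDP-encapsulated ESP, not IKE")
        datagram = datagram[len(NON_ESP_MARKER):]
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than an IKE header")
    spi_i, spi_r, next_payload, version, exchange, flags, msg_id, length = struct.unpack(
        HEADER_FMT, datagram[:HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major == 2:
        exchange_name = IKEV2_EXCHANGES.get(exchange, f"unknown({exchange})")
    elif major == 1:
        exchange_name = IKEV1_EXCHANGES.get(exchange, f"unknown({exchange})")
    else:
        raise ValueError(f"unsupported IKE major version {major}")
    if length > len(datagram):
        raise ValueError(f"length field {length} exceeds datagram size {len(datagram)}")
    return {
        "version": f"{major}.{minor}",
        "exchange": exchange_name,
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id,
        "spi_i": f"{spi_i:016x}",
        "spi_r": f"{spi_r:016x}",
        "next_payload": next_payload,
        "length": length,
    }


# Constructed samples. 33 = Security Association payload type in IKEv2; the 4-byte
# body is an empty generic payload header, enough for the length field to be consistent.
SAMPLE_IKE_SA_INIT = build_ike_header(0x0123456789ABCDEF, 0, 33, 2, 0, 34, FLAG_INITIATOR, 0,
                                      body=b"\x00\x00\x00\x04")
# IKEv1 Main Mode first message for contrast: version byte 0x10, exchange type 2.
SAMPLE_IKEV1_MAIN_MODE = build_ike_header(0x00FEDCBA98765432, 0, 1, 1, 0, 2, 0, 0)


if __name__ == "__main__":
    print("UDP 500 :", parse_ike_header(SAMPLE_IKE_SA_INIT))
    print("UDP 4500:", parse_ike_header(NON_ESP_MARKER + SAMPLE_IKE_SA_INIT, udp_port=4500))
    print("IKEv1   :", parse_ike_header(SAMPLE_IKEV1_MAIN_MODE)["exchange"])
```

An IKE_SA_INIT request has the Initiator flag set, the Response flag clear, a zero responder SPI and message ID 0; a client that keeps sending fresh IKE_SA_INITs after a cluster failover is exactly the symptom the first bullet above describes.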

Notes about use with Certificates

For IKEv2 with client certificate authentication to work with the Windows 7 IKEv2 client, the certificate imported into Secure Access Service must carry the Enhanced Key Usage (EKU) value serverAuth (1.3.6.1.5.5.7.3.1). The Windows client also expects the gateway certificate to chain to a CA it trusts and to name the host the client connects to.

Also, ECC certificates are currently only supported on MAG and Virtual Appliance platforms; they are not usable on SAx500 devices. See Chapter 32, Elliptic Curve Cryptography, in the 7.4 or later Admin Guide for more details on these certificates and on setting custom cipher options.

FIPS level 1 Supported Platforms

The following platforms support FIPS level 1 (validation of the software cryptographic module, not tamper-resistant hardware):
  • Junos Pulse Gateway MAG2600
  • Junos Pulse Gateway MAG4610
  • Junos Pulse Gateway MAG6610
  • Junos Pulse Gateway MAG6611
  • Junos Pulse Gateway MAG-SM160
  • Junos Pulse Gateway MAG-SM360
  • Secure Access Service and Access Control Service virtual appliances

More info here

FIPS Level 3 Supported Platforms

  • Juniper SA4500 FIPS
  • Juniper SA6500 FIPS
Note
  • FIPS Level 3 here refers to a hardware security module (HSM) in the appliance, which keeps the private key inside tamper-resistant hardware rather than in software.
  • You cannot run FIPS level 1 support on a hardware FIPS platform such as the SA4500/SA6500 FIPS SSL VPN appliances.
  • The SA4500/SA6500 FIPS SSL VPN appliances do not support the newer ECC certificates.

The last point leaves a conundrum: go with the MAG and get the stronger ECC/ECDHE-protected channel across the Internet but a software-protected private key, or go with the SA FIPS appliance and accept a weaker channel (no ECC certificates) in exchange for a private key held in a Level 3 HSM.


Junos Pulse Secure Access Service Release 8.0


Junos Pulse Secure Access

8.0R1.0 Released: 2nd Dec 2013

Current version (as of this post): 8.0R2.0: 17th Feb 2014

JTAC Recommended release for this product is still: 7.4R8.0

Full Documentation here

What's New Guide here

Executive Summary

Juniper announces new partnerships with leading mobile device management (MDM) companies AirWatch and MobileIron as well as new releases of Juniper Networks® Junos® Pulse Access Control Service v5.0 and Junos Pulse Secure Access Service 8.0 products. This update focuses on making Juniper's industry-leading mobile connectivity security suite more open and easier to deploy, offering customers a better Bring Your Own Device (BYOD) solution.

What's New

Juniper announces multiple updates and partnerships that solve customers' growing security problems as well as ease deployment and management concerns in the BYOD space.

  • Mobile Device Management (MDM) and Mobile Application Management (MAM) vendor integration with AirWatch and MobileIron makes BYOD solutions smarter and simpler to manage.
    • Leverages a rich set of policy metrics from MDM/MAM solutions
    • Enables more granular policy controls in the Junos Pulse Access Control Service
    • Augments existing network and device-level controls
    • Provides easy no-touch SSL VPN client provisioning through MDM/MAM partners
    • Improves operational visibility and security through consolidated management dashboards
  • New Pulse AppConnect per-app VPN for iOS 7 and Android devices secures and separates corporate and private communications.
    • Supplements application containerization with transparent and secure per-application connectivity
    • Enables IT to develop in-house completely private and secure applications
  • Junos Pulse Access Control Service v5.0 and Junos Pulse Secure Access Service v8.0 extend platform coverage and increase performance and ease of use.
    • New Windows 8.1, Windows RT, WES 7, Mavericks and iOS 7 support extends client coverage
    • In-box support for Windows 8.1 and Windows RT; no client download required
    • New KVM support increases flexibility and support for any IT environment
    • RSA soft token support for mobile directly connects users to private networks
    • Junos Pulse Client customization offers a better end-user experience