Implementing the Juniper Junos Pulse Secure Access Service: The right way

Junos Pulse Secure Access Service

Build security in from the start of the implementation:

Interfaces
  • Use both the external and internal interfaces
    • Both interfaces should sit behind a firewall
    • If the same firewall is used for both, connect each interface to a different zone
    • The internal and external interfaces should be on different subnets
    • Make sure the internal interface is on its own network with no other devices on it
Management
  • If a dedicated management interface is available, use it
  • Make sure the external interface is disabled for management access
  • Management authentication should use the internal database or an encrypted connection to the external database (LDAPS rather than plain LDAP)
  • Use strong passwords for administrator accounts
  • Restrict management access to selected LAN subnets only
External ports through the firewall – Internet to Junos Pulse Secure Access Service
  • HTTP (TCP 80, only to auto-redirect to HTTPS)
  • HTTPS (TCP 443)
  • IKEv2 (UDP 500)
  • ESP with NAT Traversal (UDP 4500)
Internal ports through the firewall – Services to LAN
  • NTP (UDP 123)
  • DNS (UDP/TCP 53)
  • LDAPS (TCP 636)
  • Kerberos (TCP/UDP 88) and kpasswd (TCP/UDP 464)
  • SCP over SSH (TCP 22)
Less secure protocols, only if needed – Services to LAN
  • NTLM
  • LDAP (TCP 389, unencrypted)
  • RADIUS (UDP 1812 authentication, UDP 1813 accounting)
  • FTP
  • NetBIOS/RPC (TCP/UDP 135-139) and SMB (TCP 445)
Roles
  • Roles should map to user groups, for example:
  • Unmanaged Apple/Android
  • Unmanaged Partner (Windows)
  • Unmanaged Support (Windows)
  • Unmanaged User (Windows)
  • Managed User (Windows)
  • Remediation Managed User (Windows)
Sign-in Policies (sign-in URL maps to realm)
  • */ = Windows Users Realm
  • */tablet= Apple/Android Users Realm
  • */external = Third-Parties Realm
Apple/Android Users Realm
  • Token Authentication
  • AD Authentication
  • No Host Checking Authentication Policy
  • *iPad* Browser Authentication Policy
  • *Macintosh* Browser Authentication Policy
  • *Android* Browser Authentication Policy
  • Unmanaged Apple/Android Devices Group = Pulse VPN Client with Restricted ACL & No split tunneling
Windows Users Realm
  • Token Authentication
  • AD Authentication
  • Selected AV Host Checking Authentication Policy – Managed Device
  • Any AV Host Checking Authentication Policy – Unmanaged Device
  • Registry Key Host Checking Authentication Policy – Managed Device
  • *Windows* Browser Authentication Policy
  • *Pulse* Browser Authentication Policy
  • Managed Device Group = Pulse VPN Client (Access as required)
  • Unmanaged Device Group = OWA Only
  • Remediation Devices = Pulse VPN Client – restricted to Remediation Servers
Third-Parties Realm
  • AD Authentication
  • Logon-hour restrictions on Support AD accounts
  • Any AV Host Checking Authentication Policy
  • Windows 7/8 Host Checking Authentication Policy
  • *Windows* Browser Authentication Policy
  • *Pulse* Browser Authentication Policy
  • Partners Group = Web Resources
  • Support Group = Pulse VPN Client – restricted access
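The sign-in policy, browser policy, host-check and group bullets above are easier to reason about as one decision function. The following is an added example, not the post's own configuration or Pulse code: it takes the sign-in URL, User-Agent, host-checker results and AD group and returns the realm and role the outline would assign. The glob semantics (most specific sign-in URL wins), the group names "Managed User", "Support" and "Partner", and the rule that a managed device failing the selected-AV check lands in the remediation role are assumptions made for illustration.

```python
# Added example: realm/role resolution following the post's outline.
# Glob semantics, group names and the remediation rule are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Sign-in policies: sign-in URL glob -> realm.  The most specific match wins,
# so "*/tablet" beats the catch-all "*/".
SIGN_IN_POLICIES = {
    "*/": "Windows Users",
    "*/tablet": "Apple/Android Users",
    "*/external": "Third-Parties",
}

# Browser authentication policy: User-Agent globs admitted to each realm.
BROWSER_POLICIES = {
    "Apple/Android Users": ("*iPad*", "*Macintosh*", "*Android*"),
    "Windows Users": ("*Windows*", "*Pulse*"),
    "Third-Parties": ("*Windows*", "*Pulse*"),
}

# Role -> what that role is allowed to reach, from the role and realm bullets.
ROLE_ACCESS = {
    "Unmanaged Apple/Android": "Pulse VPN client, restricted ACL, no split tunneling",
    "Managed User (Windows)": "Pulse VPN client, access as required",
    "Remediation Managed User (Windows)": "Pulse VPN client, remediation servers only",
    "Unmanaged User (Windows)": "OWA only",
    "Unmanaged Partner (Windows)": "Web resources only",
    "Unmanaged Support (Windows)": "Pulse VPN client, restricted access",
}


@dataclass
class HostCheck:
    """Host checker results; all False when the checker did not run."""
    any_av: bool = False        # some antivirus product is running
    selected_av: bool = False   # the corporate-approved antivirus is running
    registry_key: bool = False  # corporate registry key present (managed device)
    win7_or_8: bool = False     # OS is Windows 7 or 8 (third-party policy)


@dataclass
class SignIn:
    url: str
    user_agent: str
    group: str                  # AD group: "Managed User", "Support", "Partner", ...
    host: HostCheck = field(default_factory=HostCheck)


def select_realm(url):
    """Realm whose sign-in URL pattern is the most specific match, else None."""
    matches = [p for p in SIGN_IN_POLICIES if fnmatchcase(url, p)]
    if not matches:
        return None
    return SIGN_IN_POLICIES[max(matches, key=len)]


def browser_allowed(realm, user_agent):
    return any(fnmatchcase(user_agent, p) for p in BROWSER_POLICIES[realm])


def assign_role(realm, s):
    """Map host-check results and AD group to a role; None means deny."""
    h = s.host
    if realm == "Apple/Android Users":
        # No host checking on this realm, so every device counts as unmanaged.
        return "Unmanaged Apple/Android"
    if realm == "Windows Users":
        managed = h.registry_key and s.group == "Managed User"
        if managed and h.selected_av:
            return "Managed User (Windows)"
        if managed:
            # Assumption: a managed device that fails the selected-AV check goes
            # to remediation instead of being downgraded to the OWA-only role.
            return "Remediation Managed User (Windows)"
        if h.any_av:
            return "Unmanaged User (Windows)"
        return None
    if realm == "Third-Parties":
        if not (h.any_av and h.win7_or_8):
            return None
        return {"Support": "Unmanaged Support (Windows)",
                "Partner": "Unmanaged Partner (Windows)"}.get(s.group)
    return None


def resolve(s):
    """Return (realm, role); role is None when the sign-in must be denied."""
    realm = select_realm(s.url)
    if realm is None or not browser_allowed(realm, s.user_agent):
        return realm, None
    return realm, assign_role(realm, s)


if __name__ == "__main__":
    laptop = SignIn("https://vpn.example.com/", "Mozilla/5.0 (Windows NT 10.0)",
                    "Managed User", HostCheck(any_av=True, selected_av=True, registry_key=True))
    realm, role = resolve(laptop)
    print(realm, role, ROLE_ACCESS[role])
```

Two points worth noticing when running it: an Android User-Agent hitting the default "*/" sign-in URL is refused rather than silently routed to the tablet realm, and a managed laptop with the corporate registry key but without the approved antivirus is moved into the remediation role instead of being left with full access. The User-Agent is set by the client and trivially forged, so treat the browser policy only as coarse routing; the host checker results and the AD group are the controls that actually decide access, which is why every unmanaged role above carries a restricted ACL or OWA-only access.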
Resource Profiles
  • Use them wherever possible
  • Use templates where possible
Pulse Client
  • Apple/Android users: Pulse started manually, users can change settings, */tablet connection, IP Pool A
  • External third-party users: Pulse started manually, users can change settings, */external connection, IP Pool B
  • Internal Windows users: location awareness rules, users cannot change settings, default connection, IP Pool C