SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Identification of users on the terminal server.

    Posted 11-23-2017 05:57

    Good afternoon. I have an SRX 320 router. I configured user identification through WMI, but I have a problem with this. When 2 or more users are logged on, the security policy is processed for the last logged-on user, because in the authentication table there is always only one entry, IP ADDRESS - LOGIN. How do I configure the correct operation of policies for users working simultaneously on one terminal server?


    fluoro@r80-02# show security policies from-zone trust to-zone INTERNET policy MGP_SRV01-TO-INTERNET_TEST_PROXY_2
    match {
        source-address MGP-SRV01;
        destination-address YA_RU;
        destination-address-excluded;
        application any;
        source-identity "lanrtmd.ru\mgp_permit_all";
    }
    then {
        permit;
    }

    fluoro@r80-02# show services user-identification
    active-directory-access {
        domain lanrtmd.ru {
            user {
                srxnonadmin;
                password "++++++++++++++++++++++++++++++++++++++++++++++++++++++"; ## SECRET-DATA
            }
            domain-controller XI {
                address 192.168.97.19;
            }
            user-group-mapping {
                ldap {
                    base DC=lanrtmd,DC=ru;


  • 2.  RE: Identification of users on the terminal server.

    Posted 11-24-2017 03:14

    Unfortunately, distinguishing between multiple users on a terminal server for user ID is not supported.

    So your best option right now is to treat the terminal server address as a single "group" and write your security policies based on what you want the entire user population on that terminal server to be able to do.

    I'm pretty sure there is an active request for this feature, so mention it to your sales engineer to get more push behind it.



  • 3.  RE: Identification of users on the terminal server.

    Posted 11-24-2017 03:21

    Maybe the product JIMS (Juniper Identity Service Manager) can help me?



  • 4.  RE: Identification of users on the terminal server.

    Posted 11-24-2017 04:16

    JIMS will not help you, as it still only collects info from domain controllers on user<->IP mappings.

    Conceptually, on a terminal server each user would be preassigned a specific range of source ports, making it possible to differentiate connections from different users.

    To handle terminal servers correctly there would need to be an agent installed on each terminal server to report who is logged in and which source ports are allocated to the user(s).

    So for now SRX/JIMS cannot differentiate between users on the same terminal server.
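    As an added example that is not part of this thread (and not Juniper code), the following Python sketch models the two lookup tables discussed above: the SRX authentication table keyed only by IP, where the last logon overwrites the entry, and the hypothetical agent-fed table keyed by (IP, source-port range) that the reply above sketches. The user names, the 192.0.2.10 address and the port ranges are constructed.

```python
# Constructed sample: two users log on to the same terminal server.
TS_IP = "192.0.2.10"  # placeholder terminal-server address
EVENTS = [
    ("lanrtmd.ru\\alice", TS_IP, (49152, 49407)),  # constructed port ranges
    ("lanrtmd.ru\\bob",   TS_IP, (49408, 49663)),
]

class IpOnlyTable:
    """Models the auth table from the thread: one entry per IP, last logon wins."""
    def __init__(self):
        self.entries = {}
    def logon(self, user, ip, _ports=None):
        self.entries[ip] = user          # overwrites whoever logged on before
    def lookup(self, ip, _src_port=None):
        return self.entries.get(ip)

class PortRangeTable:
    """Hypothetical agent-fed table: (ip, port range) -> user."""
    def __init__(self):
        self.entries = []
    def logon(self, user, ip, ports):
        # An agent must hand out disjoint ranges per host; reject overlaps.
        for eip, (lo, hi), _ in self.entries:
            if eip == ip and ports[0] <= hi and ports[1] >= lo:
                raise ValueError("overlapping source-port range on %s" % ip)
        self.entries.append((ip, ports, user))
    def lookup(self, ip, src_port):
        for eip, (lo, hi), user in self.entries:
            if eip == ip and lo <= src_port <= hi:
                return user
        return None

def policy_decision(table, ip, src_port, permitted_user):
    """Permit only when the flow's resolved identity matches the policy's source-identity."""
    return "permit" if table.lookup(ip, src_port) == permitted_user else "deny"

def simulate(table_cls):
    """Policy permits only alice; evaluate one flow from each user's port range."""
    table = table_cls()
    for user, ip, ports in EVENTS:
        table.logon(user, ip, ports)
    return {
        "alice_flow": policy_decision(table, TS_IP, 49200, "lanrtmd.ru\\alice"),
        "bob_flow":   policy_decision(table, TS_IP, 49500, "lanrtmd.ru\\alice"),
    }

if __name__ == "__main__":
    print("ip-only:   ", simulate(IpOnlyTable))     # alice denied: bob's logon replaced her entry
    print("port-range:", simulate(PortRangeTable))  # alice permitted, bob denied
```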



  • 5.  RE: Identification of users on the terminal server.

    Posted 11-24-2017 04:34

    As I understand, does the customer not yet exist for SRX?



  • 6.  RE: Identification of users on the terminal server.
    Best Answer

    Posted 11-25-2017 04:42

    Correct Fluoro, this feature to distinguish user-id for accounts on the same terminal server does not yet exist for the SRX. Your only option right now is to treat the entire server IP address as a "group" that includes any and all users that will browse from that platform.