SRX

 View Only
last person joined: 16 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Web Administration with Secure Connection Client.

    Posted 07-03-2021 09:21
    I have noticed a very concerning issue with running Client VPN with Secure Connect. I notice account lockouts in our SIEM. Under system services web-management we have added an access port e.g. 443 and NO interfaces. The external security zone interface has https/tcp-encps and ike open for the VPN clients to connect. What I have notice now is that Web Admin is open externally. We are running V20.4R2. We are finding no real way around this issue as we require the VPN access do to COVID but our security team are not happy with Webmin open. Normally we don't have Webin enabled on any deployment. With the Pulse client as long as you had the external interfaces not listed in the web-management list no external admin was offered. I have a JTAC ticket in place but hoping if anyone has seen the same issue?

      

     


    ------------------------------
    Steven Waite
    ------------------------------


  • 2.  RE: Web Administration with Secure Connection Client.

    Posted 07-04-2021 11:47
    I'm surprised removing the desired interface no longer excludes it.  Hopefully that will be patched in a release soon.

    Perhaps you could use the option to change to a custom port for web management to get around the issue.  Putting it on 8443 custom port and having that not allowed on the host inbound services for the untrust zone should block the external access.

    But allowing the port on the internal zones would still allow it to function internally.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Web Administration with Secure Connection Client.

    Posted 07-04-2021 21:50
    JTAC got back to me late last night. Some good news is that its fixed on the releases that came out last week.
    junos:20.4R2-S1 << Available
    junos:20.4R3 << Sep 21
    junos:21.1R1-S1 << Available
    junos:21.1R2 << Aug 21
    junos:21.2R1 << Available
    junos:21.3R1 << No timeline yet


    ------------------------------
    Steven Waite
    ------------------------------



  • 4.  RE: Web Administration with Secure Connection Client.

    Posted 07-05-2021 07:18
    Thanks for the update, glad to see this was already in the pipeline.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: Web Administration with Secure Connection Client.

    Posted 07-05-2021 10:47
    Hi bro,

    Is it means we dont need to put host inbound https on public zone to make sure "secure connection client"  can work? Or we need to fine tune the config?


    Thanks and appreciate your feedback


  • 6.  RE: Web Administration with Secure Connection Client.

    Posted 07-05-2021 20:28
    You do need host inbound https for secure connect client.

    I was suggesting changing the port used by the web interface and then NOT allowing this new custom port on the public zone.

    This was just to get around the bug where Junos was exposing the web interface even when the public interface was NOT included as a valid web mgmt destination interface.

    Naturally upgrading to the patched and fixed version is a better solution since it has been released.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: Web Administration with Secure Connection Client.

    Posted 07-05-2021 21:06
    Hi Spuluka,


    When i look this youtube it required to enable https on host-inbound https://www.youtube.com/watch?v=RsswMJcTDSg&t=615s

    When u said custom port are u referring change under system service? Previously i test on vSRX.

    Appreciate your feedback.