  • 1.  Troubleshooting AD User Firewall

    Posted 08-19-2021 16:33

    Greetings,
    We're trying to set up the Active Directory based user firewall.  We've followed the basic setup here: Configure Integrated User Firewall

    However, I've made the changes to fit into our AD system, but still can't seem to get any users through.  Probably just misconfiguration on my end, but not sure where.  I've been trying to figure out how to turn on logging that will give some kind of feedback on what particular config isn't right.  Anyhow, I reckon it probably starts with the arcane LDAP base distinguished name syntax and goes on from there.

    Does anyone out there have any experience with setting this up?

    Thank you.



  • 2.  RE: Troubleshooting AD User Firewall

    Posted 08-23-2021 08:39
    Debug logging is via trace options.  So I think your best starting point is to enable under
    set services user-identification traceoptions file MYLOGNAME
    set services user-identification traceoptions flag all

    To view the logs after a transaction
    show log MYLOGNAME

    These will auto roll to 5 files I think so to see the number of files and the dates

    show log MYLOGNAME?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
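    An added, hypothetical Junos configuration sketch (not from the post above or from Juniper's documentation) showing where those traceoptions sit relative to the rest of an integrated user firewall setup, including the LDAP base distinguished name the original poster asked about. The domain name, addresses, service account, group name and log name are placeholders; lines starting with ## are annotations, not configuration.

```junos
## Added example: integrated user firewall skeleton with debug tracing enabled.
## Placeholders: example.com, 192.0.2.10, svc-srx, PLACEHOLDER, staff, MYLOGNAME.

## 1. Debug logging for the user-identification process (as in the answer above);
##    files/size control how many rotated copies "show log MYLOGNAME?" will list.
set services user-identification traceoptions file MYLOGNAME
set services user-identification traceoptions file size 5m
set services user-identification traceoptions file files 5
set services user-identification traceoptions flag all

## 2. Domain, read-only service account and domain controller used for the
##    IP-to-user mapping (event log reads over WMI).
set services user-identification active-directory-access domain example.com user svc-srx password "PLACEHOLDER"
set services user-identification active-directory-access domain example.com domain-controller dc1 address 192.0.2.10
set services user-identification active-directory-access domain example.com ip-user-mapping discovery-method wmi

## 3. LDAP for user-to-group mapping. "base" is the DN of the search root:
##    comma-separated RDNs, most specific first, e.g. CN=Users,DC=example,DC=com
##    to search only the default Users container.
set services user-identification active-directory-access domain example.com user-group-mapping ldap base "DC=example,DC=com"
set services user-identification active-directory-access domain example.com user-group-mapping ldap address 192.0.2.10
set services user-identification active-directory-access domain example.com user-group-mapping ldap user svc-srx password "PLACEHOLDER"

## 4. Policy that matches on the AD group (written domain\group) instead of an
##    address, which is the point of the integration.
set security policies from-zone trust to-zone untrust policy staff-web match source-identity "example.com\staff"
set security policies from-zone trust to-zone untrust policy staff-web match source-address any
set security policies from-zone trust to-zone untrust policy staff-web match destination-address any
set security policies from-zone trust to-zone untrust policy staff-web match application junos-https
set security policies from-zone trust to-zone untrust policy staff-web then permit

## 5. Operational-mode checks to run before reading the trace file:
##    show services user-identification active-directory-access domain-controller status
##    show services user-identification active-directory-access active-directory-authentication-table all
##    show log MYLOGNAME
```

    If the domain-controller status is down, start with the service account, DC address and WMI reachability; if it is up but the authentication table stays empty, the LDAP base DN and bind user in section 3 are the usual suspects.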



  • 3.  RE: Troubleshooting AD User Firewall

    Posted 08-25-2021 11:01
    Thanks, Steve.  Unfortunately, it seems like this user-based firewall with AD integration doesn't work for multiple users on the same computer.  Do you know if this is actually true?  If so, it seems like it defeats the purpose of integrating with AD.


  • 4.  RE: Troubleshooting AD User Firewall

    Posted 08-26-2021 05:25
    I'm not sure but I don't think that Juniper supports the scenario of terminal servers with multiple users at the same time.  For this operation you do need an agent on the server as the information on the wire alone is not enough to sort out the multiple users on the same machine.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------