
Overview of Integrated User Firewall

Integrated User Firewall and Authentication Sources

The SRX Series device already supports Unified Access Control (UAC) integration with Network Access Control (NAC) and a user firewall that can derive its authentication source from Windows Active Directory via the UAC MAG Series Junos Pulse Gateway. However, many customers want simple user firewall functionality without full NAC, and do not want the additional cost or complexity of user role firewall (which has Active Directory dependencies such as Kerberos, SPNEGO on browsers, Active Directory DNS/certificates, and UAC configuration).

The integrated user firewall feature fulfills the requirement for simplicity. It retrieves user-to-IP address mappings from the Windows Active Directory to use in firewall policies as match criteria. This feature consists of the SRX Series polling the event log of the Active Directory controller to determine, by username and source IP address, who has logged in to the SRX Series device. Then the username and group information are queried from the LDAP service in the Active Directory controller. Once the SRX Series has the IP address, username, and group relationship information, it generates authentication entries. With the authentication entries, the SRX Series UserFW module enforces user-based and group-based policy control over traffic.

For a comparison of integrated user firewall, user role firewall, and UAC NAC, see Understanding the Three-Tiered User Firewall Features.

Benefits of Integrated User Firewall

The integrated user firewall feature introduces an authentication source via integration with Microsoft Active Directory technology.

  • It provides visibility into who is accessing the SRX Series and best-effort security for access to the SRX Series.
  • It is a single-box solution, requiring only an SRX Series.
  • It requires fewer configuration steps than the UAC integration with NAC, which uses the UAC MAG Series.
  • It does not require the configuration of a captive portal, although that option is available to enforce on users who do not authenticate.
  • It is ideal for small-to-medium businesses and low-scale deployments.
  • It supports High Availability (HA).

How the Integrated User Firewall Works

At a high level, this feature involves the UserID process in the SRX Series Routing Engine, which reads the Windows event log from the Active Directory controller and abstracts IP address-to-user mapping information. The process correlates users to the groups to which they belong, via the LDAP protocol with LDAP service in the Active Directory controller. Thus, the process has gathered enough information to generate authentication entries. The network administrator then references the authentication entries in user firewall security policies to control traffic.

A more detailed explanation of how this feature works is as follows:

  1. The SRX Series reads the Active Directory event log to get source IP address-to-username mapping information. To do so, a process in the SRX Series Routing Engine implements a Windows Management Instrumentation (WMI) client with Microsoft Distributed COM/Microsoft RPC stacks and an authentication mechanism to communicate with a Windows Active Directory controller in an Active Directory domain. Using event log information retrieved from the Active Directory controller, the process knows the IP addresses of active Active Directory users and abstracts IP-to-Active Directory username mapping information. The process monitors Active Directory event log changes via the same WMI DCOM interface to adjust local mapping information to reflect any change in the Active Directory server.
  2. The process uses LDAP to query the LDAP service interface of the Active Directory to identify the groups to which users belong. Having the IP address, the Active Directory user, and the groups, the process can generate authentication entries accordingly.
  3. The process pushes the authentication entries to the Packet Forwarding Engine authentication table. The Packet Forwarding Engine uses the entries and user policy to apply user firewall access control to traffic.

This feature supports two domains and up to 10 Active Directory controllers in a domain.

Deployment Scenario for User Firewall Integration with Windows Active Directory

Figure 1 illustrates a typical scenario where the integrated user firewall feature is deployed. Users in the Active Directory domain and users outside the Active Directory domain want access to the Internet through an SRX Series device. The domain controller might also act as the LDAP server.

Figure 1: Scenario for Integrated User Firewall

The SRX Series device reads and analyzes the event log of the domain controller and generates an authentication table as an Active Directory authentication source for this feature. The user firewall is aware of any domain user on an Active Directory domain device via the Active Directory authentication source. The SRX Series device administrator configures a user firewall policy that enforces the desired user-based or group-based access control.

For any non-domain user or domain user on a non-domain machine, the administrator specifies a captive portal to force the user to do firewall authentication (if the SRX Series supports captive portal for the traffic type). After the user enters a name and password and passes firewall authentication, the SRX Series gets firewall authentication user/group information and can enforce user firewall policy to control the user accordingly.

In addition to captive portal, if the IP address or user information is not available from the event log, the user can again log in to the Windows PC to generate an event log entry. Then the system generates the user’s authentication entry accordingly.
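The three steps above (event log to IP-to-user mapping, LDAP group lookup, authentication entries consulted by policy) and the captive-portal fallback for sources with no entry, modelled as an added example; this is not Juniper code, and the event log entries, LDAP group map, policy terms and Windows event IDs 4624/4634 are constructed assumptions rather than values from this page.

```python
# Added example, not Juniper code: a model of the three steps the text
# describes (read AD event log for IP-to-user mapping, query LDAP for
# groups, push authentication entries used by policy) on constructed data.
from ipaddress import ip_address

# Constructed stand-in for logon events pulled from the AD event log over WMI.
# 4624/4634 are the Windows logon/logoff event ids (assumption, not from the page).
EVENT_LOG = [
    {"id": 4624, "user": "alice", "ip": "10.1.1.10"},
    {"id": 4624, "user": "bob", "ip": "10.1.1.11"},
    {"id": 4634, "user": "bob", "ip": "10.1.1.12"},      # logoff, not a logon
    {"id": 4624, "user": "carol", "ip": "2001:db8::5"},  # IPv6 is unsupported
    {"id": 4624, "user": "dave", "ip": "10.1.1.11"},     # second user on same PC
]

# Constructed stand-in for the LDAP group query.
LDAP_GROUPS = {"alice": ["finance"], "bob": ["staff"], "dave": ["staff"]}

def build_auth_table(events, ldap):
    """Steps 1-2: derive IP-to-user mappings, then attach groups via LDAP."""
    table = {}
    for ev in events:
        if ev["id"] != 4624:                      # keep successful logons only
            continue
        if ip_address(ev["ip"]).version == 6:     # limitation: no IPv6 entries
            continue
        # One entry per IP: a later logon on the same PC replaces the earlier
        # one, since the feature does not track multiple users per PC.
        table[ev["ip"]] = {"user": ev["user"], "groups": ldap.get(ev["user"], [])}
    return table

# Constructed user firewall policy, evaluated in order: (match type, name, action).
POLICY = [
    ("group", "finance", "permit"),
    ("user", "bob", "deny"),
    ("group", "staff", "permit"),
]

def lookup_action(table, policy, src_ip):
    """Step 3: match a flow's source IP against the authentication table.
    Sources with no entry (non-domain users) are sent to captive portal."""
    entry = table.get(src_ip)
    if entry is None:
        return "captive-portal"
    for kind, name, action in policy:
        if (kind == "user" and entry["user"] == name) or \
           (kind == "group" and name in entry["groups"]):
            return action
    return "deny"   # no matching term: default deny (assumption)
```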

Limitations

  • Windows Active Directory controllers older than Windows 2003 are not supported.
  • Tracking the status of non-Windows Active Directory users is not supported.
  • IPv6 addresses are not supported.
  • Logical systems are not supported.
  • The WMIC does not support multiple users logged onto the same PC.
  • Domain controllers and domain PCs must be running Windows OS. The minimum support for a Windows client is Windows XP. The minimum support for a server is Windows Server 2003.

Published: 2014-09-18