Configuring JIMS for an SRX Device
Before you begin, you need the following information:
- The IP address of the primary and secondary (optional) JIMS server.
- The client ID to obtain an OAuth token from the JIMS server for user queries.
- The client secret to obtain an OAuth token from the JIMS server for user queries.

Before you begin, you must also ensure that the SRX Series Firewall can reach the JIMS server. You can do this either through the Junos CLI on the SRX (by using the command `set routing-options static route ip-address next-hop ip-address`) or through the configuration templates on CSO (see Add Configuration Templates).
Configuring the connection between SRX Series Firewalls and JIMS allows the JIMS server to send the IP address, username, and group relationship information to SRX Series Firewalls through CSO. You can also configure a set of optional advanced settings: the authentication entry timeout, domain filters, and the IP address groups for which user identity information is included in or excluded from the communication between the JIMS server and the SRX Series Firewall.

For every SRX Series Firewall, you can configure a primary and a secondary JIMS server. The SRX Series Firewall always queries the primary JIMS server. The secondary JIMS server is available as a fallback option with limited resources and is used when a number of queries to the primary JIMS server fail. The SRX Series Firewall continuously monitors the failed primary JIMS server and reverts to it once it is up and running.
To configure a connection between an SRX Series Firewall and JIMS:
Table 1 provides guidelines on using the fields on the SRX-to-JIMS Configuration panel.

Table 1: Fields on the SRX-to-JIMS Configuration Panel

| Field | Description |
|---|---|
| Identity | |
| IP Address | Enter a valid IPv4 or IPv6 address of the primary JIMS server. SRX Series Firewalls always query the primary JIMS server to obtain user identities. |
| Secondary Identity | Enable this option to use the secondary JIMS server as a fallback when the primary JIMS server fails. By default, this option is disabled. |
| Secondary IP Address | Enter a valid IPv4 or IPv6 address of the secondary JIMS server. The secondary JIMS server is available as a fallback option with limited resources. It is used when the HTTP GET query, or a number of queries, to the primary JIMS server fails. |
| Client Credentials | |
| Client ID | Enter the client ID that the SRX Series Firewall provides to the JIMS server as part of its authentication. The SRX Series Firewall must authenticate itself with the JIMS server to obtain an access token that allows it to query the JIMS server for user identity information. The client ID must match the CSO client ID or username configured on the JIMS server. |
| Client Secret | Enter the client secret that the SRX Series Firewall provides to the JIMS server as part of its authentication. The client secret must match the CSO client secret or password configured on the JIMS server. |
| Advanced Settings | |
| Authentication Entry Timeout | Enter the timeout interval (in minutes) after which idle entries in the JIMS authentication table expire. The timeout interval begins when the user authentication entry is added to the authentication table. This value can be between 10 and 1440 minutes, where a value of 0 means no timeout. The default value is 69 minutes. |
| Include IP Address(es) | The SRX Series Firewall queries JIMS for user identity information only for the IP addresses present in the selected address group; JIMS responds with the requested user identity information. Click Add New Address to create a new IP address group; see Creating Addresses or Address Groups. |
| Exclude IP Address(es) | The SRX Series Firewall does not query JIMS for user identity information for the IP addresses present in the selected address group. Click Add New Address to create a new IP address group; see Creating Addresses or Address Groups. |
| Filter Domain(s) | The SRX Series Firewall queries JIMS for user identity information only within the specified domains. Enter a comma-separated list of up to 25 domain names. A domain name can be an alphanumeric string of up to 64 characters that can also contain dashes, underscores, and dots. Example: example.net |
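As an added example that is not part of this CSO page, the settings in Table 1 expressed as Junos CLI set commands, as they would be applied directly on the SRX Series Firewall instead of being pushed from CSO. The addresses (192.0.2.10, 192.0.2.11, 198.51.100.1), the address-book and address-set names, and the client ID and secret are constructed placeholders; the `services user-identification identity-management` hierarchy is the one I know from Junos and should be checked against the release running on the device.

```text
# Added example, not from the CSO documentation. All addresses, names and
# credentials are constructed placeholders.

# Reachability to the JIMS servers (the static route the page refers to).
set routing-options static route 192.0.2.10/32 next-hop 198.51.100.1
set routing-options static route 192.0.2.11/32 next-hop 198.51.100.1

# Identity and Client Credentials: primary JIMS server and the client
# credentials the SRX presents to obtain its OAuth access token.
set services user-identification identity-management connection connect-method https
set services user-identification identity-management connection port 443
set services user-identification identity-management connection primary address 192.0.2.10
set services user-identification identity-management connection primary client-id cso-client
set services user-identification identity-management connection primary client-secret "REPLACE-WITH-SECRET"

# Secondary Identity: fallback server, queried only after requests to the primary fail.
set services user-identification identity-management connection secondary address 192.0.2.11
set services user-identification identity-management connection secondary client-id cso-client
set services user-identification identity-management connection secondary client-secret "REPLACE-WITH-SECRET"

# Advanced Settings: entry timeout in minutes (0 disables it), the domain filter,
# and the address sets that bound which source IPs are ever sent to JIMS.
set services user-identification identity-management authentication-entry-timeout 60
set services user-identification identity-management filter domain example.net
set services user-identification identity-management filter include-ip address-book jims-book address-set jims-include
set services user-identification identity-management filter exclude-ip address-book jims-book address-set jims-exclude

# Verify the connection state and that user entries are being learned.
show services user-identification identity-management status
show services user-identification authentication-table authentication-source identity-management
```

The two `show` commands are the checks to run after a commit: the first confirms that the SRX holds a valid token and which server (primary or secondary) it is currently using, the second shows the IP-to-user entries actually received, which is the quickest way to confirm that the include, exclude and domain filters are scoped as intended before identity-based policies depend on them.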