Customer Managed Devices (On-Premises) Deployment
The sections “Configuration of Juniper Secure Edge Deployments” and “Add Directory Services” are mandatory for customers using both On-Premises and Secure Edge deployments.
Add JIMS Server
To add a new JIMS server:
- Click Add to add a new JIMS Server.
- Enter the IP address or the fully qualified domain name (FQDN) of the server.
- Enter a description.
- Enter the username and password for authentication purposes.
- Select the type of identity server used.
- Deselect TLS only while troubleshooting. Without TLS the connection to the identity server is unencrypted, so re-enable it when you are done.
- The Identity Server Port and Max Data Rate are configured automatically by JIMS. You can either keep the default certificate provided by JIMS or switch to a certificate signed by your organization's CA.
Add Directory Services
You must configure at least one directory server for JIMS Collector to collect users, devices, and group memberships. Currently, only Active Directory is supported.
If you plan to use multiple Directory Servers with the same credentials, you can create a template to reduce the input required for each directory server.
To add a new Directory Server:
Add Identity Producers
You can configure Identity Producers to gather user and device status events. JIMS uses this information to provide IP address-to-username mappings. JIMS also provides device names with domain names to the enforcement points (SRX Series devices).
The identity producers have three tabs, and the configuration steps for each are listed below.
Add Event Source
To add a new event source:
- Click Add to add a new Event Source.
- Optionally use an already created template to pre-configure the credentials.
- Select the type of source (Domain Controller or Exchange Server).
- Provide an optional description.
- Enter the IP-address or FQDN of the server.
- Enter the username (Login ID) and password. Use the newly created service account with limited privileges, not an administrative account.
- Configure the Event History Catchup Time. This makes JIMS read historical events before production use, so that users who logged on before JIMS was deployed are still mapped.
Add PC Probe
To add a new PC probe:
- Click Add to add a new PC Probe.
- Enter the username (Login ID) and password. This is the newly created service account with limited privileges.
- Provide an optional description.
- After you provide the details, you can reorder the usernames to set the sequence in which the probe tries them.
Add Syslog Source
To add a new syslog source:
- Click Add to add a new Syslog Source.
- Optionally use an already created base config.
- Enter the IP-address or FQDN of the server (Syslog Client).
- Provide an optional description.
- Click Add to define the regular expressions that match the syslog messages and extract the username and IP address from them.
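As an added example, not taken from this documentation or from Juniper's code, the following Python script shows what the regular expressions on a syslog source have to accomplish: isolate the username and the IP address from each message, and distinguish a successful login (add a mapping) from a logout (remove it), while ignoring failures and unrelated messages. The device names, log formats, the `vpnd`/`AUTH-SUCCESS` message shapes and the named-group convention are constructed assumptions for this illustration; JIMS has its own field naming in the UI, and your real syslog clients will produce different text.

```python
"""
Added example (not Juniper's code): how syslog regular expressions turn raw
messages into IP-address-to-username mappings. All log lines, device names and
message formats below are constructed for the illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog from two hypothetical identity producers: a VPN
# gateway (vpnd) and a wireless controller (aaa). Not real device output.
SAMPLE_SYSLOG = [
    "<134>Jan 12 09:15:01 vpn-gw1 vpnd[812]: user jdoe@corp.example logged in from 203.0.113.7 assigned 10.10.20.15",
    "<134>Jan 12 09:16:42 wlc1 aaa: AUTH-SUCCESS user=CORP\\asmith ip=10.10.30.77 ssid=Staff",
    "<134>Jan 12 09:20:09 wlc1 aaa: AUTH-SUCCESS user=CORP\\bjones ip=fd00:10:30::42 ssid=Staff",
    "<134>Jan 12 11:02:55 vpn-gw1 vpnd[812]: user jdoe@corp.example logged out, released 10.10.20.15",
    "<134>Jan 12 11:05:00 wlc1 aaa: AUTH-FAIL user=CORP\\mallory ip=10.10.30.99 reason=bad-password",
    "<134>Jan 12 11:06:13 vpn-gw1 vpnd[812]: keepalive ok",
]

# One pattern per message type. The named groups isolate the two fields an
# identity producer must deliver: the user and the address the firewall will
# actually see (for the VPN, the assigned inside address, not the client's
# public source address). Only successful authentications carry a mapping;
# AUTH-FAIL deliberately matches nothing.
PATTERNS = [
    ("login", re.compile(r"vpnd\[\d+\]: user (?P<user>\S+) logged in from \S+ assigned (?P<ip>[0-9A-Fa-f:.]+)$")),
    ("logout", re.compile(r"vpnd\[\d+\]: user (?P<user>\S+) logged out, released (?P<ip>[0-9A-Fa-f:.]+)$")),
    ("login", re.compile(r"AUTH-SUCCESS user=(?P<user>\S+) ip=(?P<ip>[0-9A-Fa-f:.]+)")),
]


@dataclass(frozen=True)
class IdentityEvent:
    kind: str    # "login" or "logout"
    domain: str  # upper-cased domain, "" if the message carried none
    user: str    # lower-cased account name
    ip: str      # canonical text form of the address


def split_principal(raw: str) -> Tuple[str, str]:
    """Normalise DOMAIN\\user and user@domain spellings to (domain, user)."""
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
        return domain.upper(), user.lower()
    if "@" in raw:
        user, domain = raw.rsplit("@", 1)
        return domain.upper(), user.lower()
    return "", raw.lower()


def parse_event(line: str) -> Optional[IdentityEvent]:
    """Return the identity event a syslog line carries, or None if it carries none."""
    for kind, pattern in PATTERNS:
        match = pattern.search(line)
        if not match:
            continue
        try:
            # Rejects malformed addresses and canonicalises IPv6 spelling.
            ip = str(ipaddress.ip_address(match.group("ip")))
        except ValueError:
            return None
        domain, user = split_principal(match.group("user"))
        return IdentityEvent(kind, domain, user, ip)
    return None


def build_mapping_table(lines) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Replay syslog lines in order into an IP -> (domain, user) table.

    A login overwrites any earlier mapping for the same address; a logout
    removes it. Lines that match no pattern are returned separately so they
    can be reviewed when tuning the expressions.
    """
    table: Dict[str, Tuple[str, str]] = {}
    unmatched: List[str] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            unmatched.append(line)
        elif event.kind == "login":
            table[event.ip] = (event.domain, event.user)
        else:
            table.pop(event.ip, None)
    return table, unmatched


if __name__ == "__main__":
    mappings, leftovers = build_mapping_table(SAMPLE_SYSLOG)
    for address, (domain, user) in sorted(mappings.items()):
        print(f"{address:<20} {domain}\\{user}")
    print(f"{len(leftovers)} line(s) matched no pattern")
```

Two points from the replay matter when you write the real expressions: capture the address the SRX Series device will see in traffic (the assigned VPN address in the constructed example), and make sure logout and failure messages never produce a mapping, otherwise a stale or bogus entry grants another host the user's policy.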
Enforcement Points
You must configure the enforcement points; otherwise the SRX Series devices cannot pull user, device, and group information to enforce identity-aware policies (user firewall).
If you have many SRX Series devices with the same client id and client secret, you can create a template to reduce the input for each SRX Series device.
To add a new SRX Series device:
- Click Add to add a new SRX Series device.
- Optionally use an already created template to pre-configure the credentials.
- Enter the IP address of each SRX Series device. If you have several SRX Series devices within one subnet, you can enter a subnet that covers all of them instead.
- Provide an optional description.
- Enable IPv6 reporting only if IPv6 is used in your organization, because it adds duplicate records to the auth table on the SRX Series device.
- Enter the Client ID and Client Secret used for this device.
- A Token Lifetime is enforced; the lifetime can be adjusted.