Preparing Juniper Secure Connect Configuration

Before you deploy Juniper Secure Connect, you must ensure that the SRX Series Firewall uses either a signed certificate or a self-signed certificate instead of the default system-generated certificate.

You can generate a certificate request or a self-signed certificate by navigating to Device Administration > Certificate Management > Device Certificates in the J-Web interface as shown in Figure 1.

Below are the minimum of values that you should configure. Ensure that these values matches with your own organization. If you initiate a Certificate Signing Request (CSR), the certificate must be signed by your CA before it is loaded on the SRX Series Firewall.

After creating a self-signed or loading a signed certificate, you must bind the certificate to the SRX Series Firewall by navigating to Device Administration > Basic Settings > System Services > HTTPS > HTTPS certificate and select the appropriate name.

When the certificate has been loaded to the SRX Series Firewall, you can validate the certificate by viewing the certificate information in your browser bar. The steps involved in viewing the certificate information depends on your browser and browser version. Figure 2 shows the certificate information that you configured in the SRX Series Firewall.

Figure 3 shows all the details of the certificate that is configured in the SRX Series Firewall.

You must check for the following from the certificate information in the browser:

• Check if the Subject Alternative Name matches with your generated certificate.

• The Thumbprint/Fingerprint is also important if you not exporting the CA certificate from the SRX Series Firewall to all clients. In such cases, it will be displayed in a warning message.

We recommend that you export the self-signed certificate from the SRX Series Firewall in .pem format, or the CA root certificate from the CA that signed your CSR to each client. You can do this manually or distributed using a client rollout package for Windows and macOS. See Create Installation Packages for Juniper Secure Connect Rollout on Windows and Create Rollout Packages for Juniper Secure Connect Installation on macOS.

Table 1 lists the Juniper Secure Connect application directory location to place the exported certificate on different platforms:

Table 1: Certificate Export File Location in Juniper Secure Connect Directory

Platform	Directory Location
Windows	C:\ProgramData\Juniper\SecureConnect\cacerts\
macOS	/Library/Application Support/Juniper/SecureConnect/cacerts/
Android	/Juniper/Export
iOS	/Files/Secure Connect/

Before we start configuring Juniper Secure Connect on SRX Series Firewall, let's understand at high-level how Juniper Secure Connect solution works.

Different stages of establishing connectivity between a Juniper Secure Connect application and an SRX Series Firewall.

1. A remote user downloads Juniper Secure Connect application on the device such as smart phone, or a laptop, or its distributed by the organizations software distribution system.

2. When the user initiates a connection, the application validates whether the gateway certificate is valid.

   Note:

   If the SRX Series Firewall has a system-generated certificate enabled, the user cannot establish any connection with the application.

   If the gateway uses a certificate where the root certificate has not been distributed to the application (Create Installation Packages for Juniper Secure Connect Rollout on Windows and Create Rollout Packages for Juniper Secure Connect Installation on macOS), the user will be prompted with a warning message shown in Figure 5, Figure 6, Figure 7, and Figure 8 based on the platform where the Juniper Secure Connect application is installed.

   Figure 5 is a sample warning message on Windows platform if the application does not have a root certificate.

   Figure 5: Sample Certificate Warning Message on Windows Platform

   Figure 6 is a sample warning message on macOS platform if the application does not have a root certificate.

   Figure 6: Sample Certificate Warning Message on macOS Platform

   Figure 7 is a sample warning message on Android platform if the application does not have a root certificate.

   Figure 7: Sample Certificate Warning Message on Android Platform

   Figure 8 is a sample warning message on iOS platform if the application does not have a root certificate.

   Figure 8: Sample Certificate Warning Message on iOS Platform

   The appearance of the warning message page differs based on the platform where the Juniper Secure Connect application is installed.

   Details of the warning message is based on the certificate that is configured on Juniper Secure Connect. Table 2 shows the details in the sample warning message.

   Table 2: Certificate Information

   Certificate Information	Description
   Issuer	Name of the certificate issuer.
   CN	Common name (CN) represents the subject name in the certificate.
   SAN	Subject Alternative Name (SAN) represents the subject alternative name in the certificate.
   Fingerprint	Represents the finger and thumbprint section in the certificate.

   You as a system administrator must inform your users what action to take when a warning message is displayed. The easiest way to validate your certificate as an administrator is to click on the warning message in the browser toolbar to display the certificate details as shown in Figure 2 and Figure 3 or load the correct root certificate on the client.

   Below warning message is displayed if the application cannot reach the CRL (Certificate Revocation List) of the signed certificate loaded on the SRX Series Firewall.

   Warning:

   When you use a signed certificate and if the Juniper Secure Connect application cannot reach the Certificate Revocation List (CRL) to validate the gateway certificate, the application prompts the users with the warning message (as shown in Figure 9, Figure 10, Figure 11, and Figure 12) each time they connect until the CRL is accessible. Juniper Networks' strongly recommends you or your user to report this error message to your IT organization to solve the CRL download failure.

   Figure 9: Warning Message when Application Cannot Validate Gateway Certificate (Windows)
   Figure 10: Warning Message when Application Cannot Validate Gateway Certificate (macOS)
   Figure 11: Warning Message when Application Cannot Validate Gateway Certificate (Android)
   Figure 12: Warning Message when Application Cannot Validate Gateway Certificate (iOS)

3. The SRX Series Firewall validates the status of the connecting client device prior to authentication based on the match criteria configured by the administrator.

4. SRX Series Firewall authenticates the user based on credentials (user name, password, and domain) or certificates.

5. After a successful authentication, the client downloads and installs the latest configuration policy defined on the SRX Series Firewall. This step ensures that the client always uses the latest configuration policy defined by the administrator

6. The client establishes a secure VPN connection based on downloaded configuration profile.

Now that we know how Juniper Secure Connect works, let's understand more about the different authentication methods available.

When the user initiates a connection to the SRX Series Firewall using Juniper Secure Connect, the application validates the gateway certificate. Juniper Secure Connect supports multiple connection profiles with different URLs in FQDN/RealmName format. To ensure that these connection requests do not show any certificate warning, as an administrator, you can bind multiple certificates to multiple domains or single certificate to multiple domains in the SRX Series Firewall. These URLs contain domain names used in connection profiles on your Juniper Secure Connect application.

To work with multiple certificates and domains, see Multiple Certificates and Domains Configuration (CLI Procedure).

Juniper Secure Connect application exchanges details with the SRX Series Firewall to perform prelogon compliance checks. The administrator configures the prelogon compliance rules on the SRX Series Firewall to validate the status of a connecting client device. These prelogon compliance checks refers to validations that are performed prior to authentication. Based on the different match criteria, action is taken to admit or reject a connecting client device.

To configure prelogon compliance rules, see compliance (Juniper Secure Connect).

There are two ways to authenticate users establishing secure connectivity with juniper secure connect, either local or external authentication, each of these two ways have certain restrictions described below.

• Local Authentication—In local authentication, the SRX Series Firewall validates the user credentials by checking them in the local database. In this method, the administrator handles change of password or resetting of forgotten password. Here, it requires that an user must remember a new password. This option is not much preferred from a security standpoint.

• External Authentication—In external authentication, you can allow the users to use the same user credentials they use when accessing other resources on the network. In many cases, user credentials are domain logon used for Active Directory or any other LDAP authorization system. This method simplifies user experience and improves the organization’s security posture; because you can maintain the authorization system with the regular security policy used by your organization.

  Multi Factor Authentication—To add an extra layer of protection, you can also enable Multi Factor Authentication (MFA). In this method, a RADIUS proxy is used to send a notification message to a device such as the users’ smart phone. Users must accept the notification message to complete the connection.

  LDAP Authentication using Juniper Secure Connect—Starting with Junos OS Release 23.1R1, we’ve introduced group-based controlled LDAP authentication. You can use the Lightweight Directory Access Protocol (LDAP) to define one or more LDAP groups. Use the allowed-groups statement at the [edit access ldap-options] hierarchy level to specify the list of groups that LDAP authenticates. An user can belong to multiple LDAP groups. You can map the group to an address pool. Based on the LDAP group membership, the system assigns an IP addresses to the user.

Authentication Methods compares different authentication methods in Juniper Secure Connect.

Table 3: Juniper Secure Connect Authentication Types

Authentication Methods	Credentials (Username and Password)	End-User Certificate	Local Authentication	External Authentication Radius	External Authentication LDAP
IKEv1 - pre-shared-key	Yes	No	Yes	Yes	Yes
IKEv2-EAP-MSCHAPv2	Yes	No	No	Yes	No
IKEv2-EAP-TLS	No	Yes	No	Yes	No

Regardless of the authentication method employed, you continue to use the username and password for external user authentication using the RADIUS server to download the initial configuration, even when implementing EAP-TLS authentication.

Now, we got an idea about the authentication methods that Juniper Secure Connect supports. Now it is time for us to get into J-Web and get ourselves familiar with configuration options and various fields available in the GUI.

Application bypass feature enables users of the Juniper Secure Connect application to bypass specific applications based on domain names and protocols, eliminating the need for the traffic to pass through the VPN tunnel. This is different from split tunnel where you leverage VPN to encrypt confidential data while still have direct access to the internet. With application bypass, you still use VPN to encrypt confidential data, however, you can bypass VPN for certain applications defined by the administrator based on domain names and protocols.

Application bypass is supported on full tunnel configuration. Administrators configure this feature in the SRX Series Firewall in remote access client configuration parameters. These parameters define how Juniper Secure Connect client establishes VPN tunnel with your security device.

See application-bypass (Juniper Secure Connect).

Secure Connect VPN solution lets you create a remote access VPN tunnel between a remote user and the internal network in few steps with intuitive, easy to use VPN wizard in J-Web.

Once you navigate to VPN > IPsec VPN and select Create VPN > Remote Access > Juniper Secure Connect, the Create Remote Access (Juniper Secure Connect) page appears as shown in Figure 13.

The VPN configuration wizard allows you to configure Juniper Secure Connect in just few steps as shown in Table 4.

Table 4: Juniper Secure Connect Configuration Wizard Fields

Options	What You Configure Here
Name	Name for the remote access connection. This name will be displayed on the Juniper Secure Connect application on remote client device when you do not select a default profile. Example: When default profile not used: https://<srx-series-device-ip-address>/<remote access connection name>) When default profile is used: https://<srx-series-device-ip-address>/).
Description	Description of remote access connection.
Routing Mode	Routing Mode is set to Traffic Selector (Auto Route Insertion) by default. You cannot change this option.
Authentication Method	Pre-shared: This authentication method is simple and easy to use, but it is less secure than the certificates. If you select pre-shared option, you can use: Authentication with username/password using local authentication Authentication with username/password using external authentication
	Certificate-based: This authentication method using Extensible Authentication Protocol (EAP). If you select certificate-based option, you can use: Authentication with username/password using EAP-MSCHAPv2 Authentication with client certificate using EAP-TLS.
Auto-create Firewall Policy	Option for auto-creating a firewall policy.
Remote User	Juniper Secure Connect application settings. The settings you specify here generates a configuration file. Facilitates auto configuration for Juniper Secure Connect remote clients when an authenticated Juniper Secure Connect application user downloads this file automatically upon connecting to the SRX Series Firewall for first time.
Local Gateway	SRX Series Firewall settings such as interfaces, authentication options, tunnel interfaces, SSL VPN, and NAT details including the following options: Network information to enable remote clients to connect to the gateway. Specify how the gateway authenticates users.
IKE and IPSec	IKE and IPSec options on the SRX Series Firewall for Juniper Secure Connect remote client connections. IKE Settings and IPsec Settings are advanced options. J-Web is already configured with default values for IKE and IPsec fields. IKE settings used in negotiation of authenticating the device when a Juniper Secure Connect application initiates a connection to the SRX Series Firewall. IPsec settings specify connection settings, and security associations to govern authentication, encryption, encapsulation, and key management.

Now you have understanding about the configuration options. let's get started with the configuration.

Based on the authentication method you have selected, see either of these topics:

• Local User Authentication Using Pre-shared Key

• External User Authentication Using RADIUS

• Certificate-Based Validation Using EAP-MSCHAPv2 Authentication

• Certificate-Based Validation Using EAP-TLS Authentication