Juniper SA Basic Configuration Manual
Synnex International (联强国际) - Li Ming (李铭)
October 2009
Contents
Chapter 1  Juniper SA configuration steps and terminology (p. 2)
Chapter 2  Initialization and basic configuration (p. 4)
  2.1 Initial configuration from the console (p. 4)
  2.2 Logging in as administrator through the web UI (p. 6)
  2.3 Basic configuration (p. 7)
Chapter 3  Authentication server configuration (Auth. Server) (p. 11)
Chapter 4  User role configuration (Role) (p. 13)
Chapter 5  User realm configuration (Realm) (p. 16)
Chapter 6  Resource access policy configuration (resource policy) (p. 19)
Chapter 7  User sign-in configuration (sign-in policy) (p. 23)
Chapter 8  SAM application and configuration (p. 26)
  8.1 Introduction to SAM features (p. 26)
  8.2 WSAM Client Applications example (p. 26)
  8.3 WSAM Destinations example (p. 31)
  8.4 JSAM example (p. 34)
  8.5 SAM options (p. 38)
Chapter 9  NC application and configuration (p. 40)
  9.1 Introduction to NC features (p. 40)
  9.2 NC application example (p. 40)
Chapter 10  Endpoint Security configuration (optional) (p. 44)
  10.1 Introduction to endpoint security (p. 44)
  10.2 Using Host Checker (installing the ESAP Package) (p. 45)
Chapter 1  Juniper SA configuration steps and terminology

RADIUS, LDAP, Local Authentication: the types of authentication server
Auth Server: the authentication server (where the actual user accounts live)
Realm: user realm = a group of users (e.g. HR department, finance department, company executives)
Role: user role = a resource group (e.g. finance resources, sales resources)

The figure above shows the mapping from users to resources clearly. Each mapping between elements can be one-to-many, which is why Juniper SA products can cope with more complex enterprise network environments.
Juniper SA configuration steps:
1. Initialization and basic configuration
   - Network address information, time, software upgrade, license
2. Authentication server configuration (Auth. Server)
   - Configure the authentication server(s) users will authenticate against (local or third-party)
   - Multiple authentication servers may be configured
3. User role configuration (Role)
   - A group of users who share the same resource access rights
   - The basis of permission assignment: all access control policies are based on ROLE
4. User realm configuration (Realm)
   - A group of users who use the same authentication server
   - Users in the realm are mapped to different ROLEs according to which resources they are allowed to access
5. Resource access policy configuration (resource policy)
   - Access control for target resources, e.g. web servers, file servers
   - Access rights are controlled per ROLE (which kind of access a given ROLE has)
6. User sign-in configuration (sign-in policy)
   - Customize the user sign-in page (a default page is provided)
   - Default user sign-in URL (default: */)
   - Default administrator sign-in URL (default: */admin)
7. User security checks (Endpoint Security) (optional)
   - Define HOST CHECK policies
   - Define CACHE CLEANER policies
   - Define Secure Virtual Workspace policies
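The chain these steps build (authentication server, realm, role mapping, resource policy, with one-to-many mapping at each stage) can be modelled in a few lines. The following Python is an added illustration, not configuration or code from the Juniper SA product or from this manual; the user store, group names, role names and URL patterns are constructed sample data, and treating "no matching policy" as deny is an assumption of the model rather than a statement about the product's defaults.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class AuthServer:
    # Auth server; here a constructed local-authentication user store.
    users: dict  # username -> {"password": ..., "group": ...}
    def authenticate(self, user, password):
        rec = self.users.get(user)
        return rec is not None and rec["password"] == password

@dataclass
class Realm:
    # Realm: users who share one auth server, mapped to roles by group (one-to-many).
    auth_server: AuthServer
    role_map: dict  # group attribute -> list of role names

@dataclass
class ResourcePolicy:
    # Resource policy: allow or deny a resource pattern for a set of roles.
    pattern: str
    roles: set
    action: str  # "allow" or "deny"

def sign_in(realm, user, password):
    """Authenticate against the realm's auth server, then apply role mapping."""
    if not realm.auth_server.authenticate(user, password):
        return set()  # failed sign-in: no roles, hence no access
    group = realm.auth_server.users[user]["group"]
    return set(realm.role_map.get(group, []))

def access_allowed(policies, roles, url):
    """First policy that applies to a held role and matches the URL decides; no match = deny (model assumption)."""
    for pol in policies:
        if pol.roles & roles and fnmatchcase(url, pol.pattern):
            return pol.action == "allow"
    return False
# Constructed sample data for the illustration (not from any real deployment).
LOCAL_AUTH = AuthServer({
    "alice": {"password": "alice-pw", "group": "finance"},
    "bob": {"password": "bob-pw", "group": "sales"},
    "ceo": {"password": "ceo-pw", "group": "exec"},  # exec maps to two roles
})
STAFF_REALM = Realm(LOCAL_AUTH, {"finance": ["Finance"], "sales": ["Sales"], "exec": ["Finance", "Sales"]})
POLICIES = [
    ResourcePolicy("http://finance.example.internal/*", {"Finance"}, "allow"),
    ResourcePolicy("http://crm.example.internal/*", {"Sales"}, "allow"),
    ResourcePolicy("http://*.example.internal/*", {"Finance", "Sales"}, "deny"),
]
```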
Chapter 2  Initialization and basic configuration

The appliance ships with no IP address, password or license, so the initial configuration must be done over the Console connection.

2.1 Initial configuration from the console

The initial boot messages are as follows:
Welcome to the initial configuration of your server!
NOTE: Press 'y' if this is a stand-alone server or the first machine in a clustered configuration.
If this is going to be a member of an already running cluster press n to reboot. When you see the 'Hit TAB for clustering options' message press TAB and follow the directions.
Would you like to proceed (y/n)?: y
Note that continuing signifies that you accept the terms of the Juniper license agreement. Type \license agreement (the text is also available at any time from the License tab in the Administrator Console).
Do you agree to the terms of the license agreement (y/n/r)?: y
Enter the network address information:

Please provide ethernet configuration information
IP address: 10.104.2.10
Network mask: 255.255.255.0
Default gateway: 10.104.2.254
Please provide DNS nameserver information:
Primary DNS server: 10.104.1.183
Secondary (optional): 10.104.1.182
DNS domain(s): dns.com
Please provide Microsoft WINS server information:
WINS server (optional): 10.104.1.251

Confirm the network address information entered:

Please confirm the following setup:
IP address: 10.104.2.10
Network mask: 255.255.255.0
Gateway IP: 10.104.2.254
Link speed: Auto
Primary DNS server: 10.104.1.183
Secondary DNS: 10.104.1.182
DNS domain(s): dns.com
WINS server: 10.104.1.251
Correct? (y/n): y
Initial network configuration complete.
Create the Admin administrator account and password:

Internal NIC: .........................................................[Down code=0x1]
Please create an administrator username and password.
Admin username: admin (any name may be chosen)
Password: (the password is not echoed as you type)
Confirm password:
The administrator was successfully created.
Enter the host name and organization name:

Please provide information to create a self-signed Web server digital certificate.
Common name (example: secure.company.com): www.synnex.com.cn
Organization name (example: Company Inc.): synnex
Enter some random characters to seed generation of the self-signed certificate:

Please enter some random characters to augment the system's random key generator. We recommend that you enter approximately thirty characters.
Random text (hit enter when done): jklfjwwl&^%^&*(09897655RTY&&TYGu8yuhu
Creating self-signed digital certificate...
The self-signed digital certificate was successfully created.
Initial configuration complete:

Congratulations! You have successfully completed the initial set up of your server.
To administer the system, please browse to an appropriate URL: https://
Example: https://10.10.22.34/admin -----example: administrator sign-in URL
If a DNS name already exists for this IVE, you can also use: https://
Example: https://ive.mycompany.com/admin
-----------------------------------
System is now ready.
Press Enter to modify system settings.
Console menu:

Welcome to the Juniper Networks IVE Serial Console!
Current version: 5.1R2 (build 9029) -----initial software version of the appliance (the version restored by a factory reset)
Reset version: 5.1R2 (build 9029)
Licensing Hardware ID: 0152MMY3N0MY5XXX
Please choose from among the following options:
1. Network Settings and Tools -----network settings