JWEB and Dynamic VPN page
There seems to be some confusion about how JWEB and the dynamic VPN authentication page work in parallel.
I hope to give a few tips in this post. For example, if you have the following config, what does it really mean for JWEB?
[edit]
root@srx# show system services web-management
https {
    system-generated-certificate;
    interface [ ge-0/0/0.0 ge-0/0/1.0 ];
}
This config enforces that the JWEB web service is served only on the configured ge-0/0/0.0 and ge-0/0/1.0 interfaces, provided of course that the https service is allowed on the security zone these interfaces belong to. So far so good, but what happens if you enable the dynamic VPN service, which also provides its own authentication page? What happens to JWEB in that case? You should look at the IKE gateway stanza. For instance, if you have the following IKE gateway config:
gateway gw-dyn-1 {
    ike-policy ike-dyn-pol1;
    dynamic {
        hostname dyn.rtoodtoo.nett;
        connections-limit 2;
    }
    external-interface ge-0/0/1.0;
    xauth access-profile dyn-vpn-prof1;
}
Junos will disable JWEB on the ge-0/0/1.0 interface and you will be redirected to the dynamic VPN authentication page instead. What if the dynamic VPN page itself returns a 404 Not Found error? In that case I would recommend checking whether you have a proper configuration under the "security dynamic-vpn" hierarchy. For example, if you don't have a config like the one below, you won't get the dynamic VPN page but a 404 error.
root@srx# show security dynamic-vpn
access-profile vpn-prof;
clients {
    vpn-clients {
        remote-protected-resources {
            192.168.3.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn myvpn;
        user {
            john;
        }
    }
}
I hope this helps someone out there. Of course, if you see any mistake or have comments, don't hesitate to tell me.
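As an added example (not code from the post), here is a small Python script that applies the rules above to a Junos config: it flattens the brace-style config into statement paths, then reports for each JWEB https interface whether JWEB is served, whether the dynamic VPN authentication page takes over because a dynamic IKE gateway uses that interface as its external-interface, or whether the 404 case applies because the "security dynamic-vpn" stanza is missing. The sample config, its hostname and the status labels are constructed for the example; the zone is assumed to already permit https.

```python
import re

def flatten_junos(config):
    """Flatten brace-style Junos config into full statement paths (what
    `show configuration | display set` prints)."""
    tokens = iter(re.findall(r"[{};\[\]]|[^\s{};\[\]]+", config))
    stack, current, paths = [], [], []
    for tok in tokens:
        if tok not in {"{", "}", ";", "["}:   # a word: accumulate it
            current.append(tok)
            continue
        if tok == "{":                        # open a nested level
            stack.append(current)
        elif tok == "}":                      # close the level
            stack.pop()
        elif tok == ";" and current:          # end of a statement
            paths.append(sum(stack, []) + current)
        elif tok == "[":                      # list value: one path per item
            for item in tokens:
                if item == "]":
                    break
                paths.append(sum(stack, []) + current + [item])
        current = []                          # every delimiter ends the statement
    return paths

def jweb_status(config):
    """Per https interface: 'jweb', 'dynamic-vpn-auth', or the 404 case.
    Assumes the zone's host-inbound-traffic already permits https."""
    paths = flatten_junos(config)
    web = ["system", "services", "web-management", "https", "interface"]
    https_ifs = [p[-1] for p in paths if p[:5] == web]
    gw = [p for p in paths if p[:3] == ["security", "ike", "gateway"]]
    dyn_gws = {p[3] for p in gw if p[4] == "dynamic"}
    dyn_ifs = {p[5] for p in gw if p[3] in dyn_gws and p[4] == "external-interface"}
    dvpn = any(p[:2] == ["security", "dynamic-vpn"] for p in paths)
    return {i: "jweb" if i not in dyn_ifs                 # JWEB served
            else "dynamic-vpn-auth" if dvpn               # redirected to VPN login
            else "404-missing-dynamic-vpn"                # JWEB off, no VPN page
            for i in https_ifs}

# Constructed sample mirroring the post's config (hostname is a placeholder).
SAMPLE = """
system { services { web-management { https { system-generated-certificate;
    interface [ ge-0/0/0.0 ge-0/0/1.0 ]; } } } }
security { ike { gateway gw-dyn-1 { ike-policy ike-dyn-pol1;
    dynamic { hostname dyn.example.net; connections-limit 2; }
    external-interface ge-0/0/1.0; xauth access-profile dyn-vpn-prof1; } } }
"""
DVPN = ("security { dynamic-vpn { access-profile vpn-prof; "
        "clients { vpn-clients { ipsec-vpn myvpn; user { john; } } } } }")
```

Running `jweb_status(SAMPLE)` flags ge-0/0/1.0 as the 404 case; appending the DVPN stanza turns it into the dynamic VPN login page while ge-0/0/0.0 keeps serving JWEB.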
Hi there, I had a read of this and it all sounds logical. I have cross-checked my config file with your examples, and they are correct. But I am still getting a 404 Not Found error.
This is really bugging the hell out of me.
I am not a Junos guru, any ideas why this might be happening?
Thanks.
Solution is as follows:
FW-A> show configuration system services
ssh {
    protocol-version v2;
    connection-limit 5;
}
web-management {
    management-url mgmt;
    http {
        port 8080;
    }
    https {
        system-generated-certificate;
        interface vlan.3;
    }
    session {
        idle-timeout 60;
        session-limit 5;
    }
}
This means management is listening on:
http://IP:8080/mgmt
If you need web access on the Untrust interface, be sure to put a firewall filter in place 🙂 Otherwise, I have it enabled only on the Trust side.
I think this is a limitation if you have a /32 (ADSL, VDSL) or optics connection with only one public IP address (/30).