JWEB and Dynamic VPN page

There seems to be a confusion about how JWEB and dynamic VPN authentication page are working in parallel.
I hope to give some tips I know in this post. For example, if you have the following config, what does it really mean for JWEB?

[edit]
root@srx# show system services
web-management {
    https {
        system-generated-certificate;
        interface [ ge-0/0/0.0 ge-0/0/1.0 ];
    }
}

This config enforces that JWEB web service can only be served on the configured ge-0/0/0.0 and ge-0/0/1.0 interfaces. Of course if the https service is allowed on the security zone that these interfaces belong to. So far so good but what happens if you enable dynamic VPN service for which you also provide an authentication page. In that case what happens to JWEB? In this case you should look at the IKE gateway stanza. For instance if you have the following IKE gateway config;

gateway gw-dyn-1 {
    ike-policy ike-dyn-pol1;
    dynamic {
        hostname dyn.rtoodtoo.nett;
        connections-limit 2;
    }
    external-interface <strong>ge-0/0/1.0</strong>;
    xauth access-profile dyn-vpn-prof1;
}

Junos will disable JWEB on ge-0/0/1.0 interface and you will be redirected to the dynamic-vpn authentication page. What if the dynamic-vpn page itself returns a 404 not found error. In that case I would recommend you to check if you have proper configuration under “security dynamic-vpn” hierarchy. For example if you don’t have a config like below, you won’t get dynamic-vpn page but a 404 error.

root@srx# show security dynamic-vpn
access-profile vpn-prof;
clients {
    vpn-clients {
        remote-protected-resources {
            192.168.3.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn myvpn;
        user {
            john;
        }
    }
}

I hope this helps someone out there. Of course if you see any mistake or have comments, don’t hesitate tell.

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE


2 thoughts on “JWEB and Dynamic VPN page”

  1. Hi there, had a read of this and all sounds logical. I have crossed checked my config file with your examples, and they are correct. But still I am getting 404 not found error.
    This really bugging the hell out me.
    I am not a Junos guru, any ideas why this might be happening?

    Thanks.

    1. Solution is as follows:
      FW-A> show configuration system services
      ssh {
      protocol-version v2;
      connection-limit 5;
      }
      web-management {
      management-url mgmt;
      http {
      port 8080;
      }
      https {
      system-generated-certificate;
      interface vlan.3;
      }
      session {
      idle-timeout 60;
      session-limit 5;
      }
      }

      This means management is listening on:
      http://IP:8080/mgmt

      If you need web access on Untrust interface, be sure to put firewall filter 🙂 Otherwise I have it enabled only on Trust side.

      I think this is limitation if you have /32 (ADSL, VDSL) or optics connection with only one public IP address (/30).

You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.