That's a great question and one that I'm not sure of yet... We have deployed an SA700 appliance and an SRX210 so far; both have similar "web based VPN" options. In both cases though it installs a piece of software on the client computer, pretty much, which wasn't what we expected. I had expected literally a pop-up window in a web browser with a small plugin, or else I would have just installed an IPSec client basically...

The nice thing is pushing down a pre-canned config with shared secret etc., but both of these two deployments are VERY small, so having these users bring us their notebooks and configuring them for them would have taken less than an hour for both sites combined... The split-tunneling thing is really a show stopper and I'm hoping that JTAC is wrong and someone has a solution... It only applies to the SRX; on the SA700 it works perfectly so far... ;)

Paul

-----Original Message-----
From: Glenn Krutsinger [mailto:gkrutsin...@us.ci.org]
Sent: Tuesday, June 08, 2010 1:29 PM
To: Paul Stewart; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] Dynamic VPN Question

Hello Paul,

Thanks for sharing your findings. We also require full tunneling for our VPN users; I'm not sure why the brains at Juniper are forcing split-tunneling for client VPN on the SRX.

I am in the midst of configuring SRX firewalls to replace some SSG5s. Reading up on the Dynamic VPN configuration, it looks like I need to make local users that map to RADIUS users to auth for web access and client download, and build a gateway for each user. With 30+ sites and 10-25 users per site, this doesn't seem very "Dynamic" to me.

I have opted to use dynamic VPN (note the lower case "d") and XAUTH for an AD-authenticated VPN login. Since the users need access to both local and enterprise resources, I use RADIUS to assign the client an IP address and internal DNS server. Using the Netscreen Remote client, I route all traffic through the tunnel.

What does the licensed Dynamic VPN feature buy you? From what I can see:

1) A web interface to download the VPN client and config
2) More device management and less client compatibility

Am I missing something here?

Thanks!
Glenn

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Paul Stewart
Sent: Tuesday, June 08, 2010 9:02 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Dynamic VPN Question

Hi there..

We have our first SRX up and running with Dynamic VPN configured. While sorting this out with JTAC we found a few things that I wanted to share with the list (and of course a question at the end):

Windows 7 appears to work quite well. JTAC said it doesn't work at all and then said it "kinda works". Our experience has been very good so far. YMMV.

Local authentication *does* work; in fact it works very well. Again, YMMV. Their documentation and also their front line JTAC folks tell you that you must have Radius.

Now that I got that off my chest, the one challenge left is that of split-tunnelling. We are getting used to the SA appliances and with them, once you connect to the VPN you then surf out to the Internet *from* the IP address of the SA appliance because that's the way we've configured it. This is ideal behavior for our needs. On the SRX we cannot get this behavior to occur and have been told by JTAC that it's not possible. Not only is this a problem for us but it raises some security related concerns too.

Has anyone been able to get this behavior to work on an SRX or found a work around? We want to connect to the SRX and then force people to surf "out to the Internet" from the IP of the SRX.

Thanks for your time,

Paul

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
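The thread above turns on whether a client is really full-tunnel (all Internet traffic egresses from the gateway's address) or split-tunnel (the client's own default route still carries Internet traffic). The following is an added example, not code from the list posts or from Juniper: a small Python check that parses a client's Linux `ip route` output and reports whether public probe destinations would egress via the tunnel interface, which non-tunnel routes actually take effect, and whether the tunnel is up at all. The route tables, the gateway address 198.51.100.5, the interface name tun0 and the probe addresses are all constructed for the example; the 0.0.0.0/1 + 128.0.0.0/1 pair in the full-tunnel sample is the common way VPN clients override a default route without deleting it. The host route to the VPN gateway via the physical interface is expected (the tunnel endpoint must be reachable outside the tunnel) and is deliberately not counted as a leak.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample "ip route" output (not captured from any real host).
# Split tunnel: only 10.0.0.0/8 goes via tun0; everything else uses eth0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 172.16.0.1 dev tun0
172.16.0.0/24 dev tun0 proto kernel scope link src 172.16.0.10
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.5 via 192.168.1.1 dev eth0
"""

# Full tunnel: two /1 routes via tun0 beat the /0 default on eth0.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 172.16.0.1 dev tun0
128.0.0.0/1 via 172.16.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
172.16.0.0/24 dev tun0 proto kernel scope link src 172.16.0.10
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.5 via 192.168.1.1 dev eth0
"""

VPN_GATEWAY = ip_address("198.51.100.5")   # constructed gateway address
TUNNEL_IFACE = "tun0"                       # assumed tunnel interface name
# Constructed public probe destinations that policy says must not leak.
PROBES = ("8.8.8.8", "203.0.113.7", "1.1.1.1")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str


def parse_ip_route(text: str) -> list:
    """Parse 'ip route' lines into Route objects; lines without 'dev' are ignored."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append(Route(ip_network(dest, strict=False), parts[parts.index("dev") + 1]))
    return routes


def longest_match(routes, addr: IPv4Address) -> Optional[Route]:
    """Return the most specific route covering addr, or None if nothing matches."""
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def classify(routes, tunnel_iface=TUNNEL_IFACE, gateway=VPN_GATEWAY, probes=PROBES) -> dict:
    """Classify the table as 'full', 'split' or 'down' and list leaks and effective bypasses."""
    if not any(r.iface == tunnel_iface for r in routes):
        return {"verdict": "down", "leaks": list(probes), "bypass": []}

    # A probe leaks when its best route does not go through the tunnel.
    leaks = []
    for p in probes:
        m = longest_match(routes, ip_address(p))
        if m is None or m.iface != tunnel_iface:
            leaks.append(p)

    # Non-tunnel routes that actually win longest-match for their own network
    # (so a /0 default shadowed by /1 tunnel routes is not reported), excluding
    # the expected host route to the VPN gateway itself.
    bypass = []
    for r in routes:
        if r.iface == tunnel_iface:
            continue
        if r.prefix.prefixlen == 32 and r.prefix.network_address == gateway:
            continue
        if longest_match(routes, r.prefix.network_address) is r:
            bypass.append(str(r.prefix))

    return {"verdict": "full" if not leaks else "split", "leaks": leaks, "bypass": bypass}


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(name, classify(parse_ip_route(table)))
```

On a real client you would feed it the output of `ip route` and treat a verdict of `split` (or any entry in `leaks`) as a policy violation; the `bypass` list shows which prefixes, such as the local LAN, still reach the wire directly so you can decide whether that is acceptable.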