
Logging in to the Juniper SA SSL VPN through user (browser) certificates.

This process is fairly straightforward. The first step is to create a valid user certificate, import it into the user's browser(s), and then download the CA certificate. Next the CA certificate is uploaded into the SA SSL VPN. Then an authentication server is created, along with a user realm that uses that authentication server. Finally the new realm must be added to one or more sign-in pages. This is a high-level overview and assumes familiarity with the certificate generation process and a degree of familiarity with the SA SSL VPN unit. This document is intended to assist in the creation of a test environment. For assistance with production installations please contact the author. This document does not cover the creation or implementation of a certificate server. For explanatory and test purposes a certificate server was set up on a Windows 2003 Domain Controller and was used to generate the browser and SA SSL VPN certificates. The author assumes that readers will either create a test CA server or have access to a production instance of one.

CERTIFICATE SERVER SCREENS


Generate a certificate for the user browser: Log in to the MS Certificate Server using appropriate credentials and from the initial menu select Request a certificate

The following screen will be displayed. Select User Certificate

The following screen will be displayed: Select the Submit > button

The following screen will be displayed. Click Yes to continue. This will generate the user certificate for installation in the browser.

The following screen will be displayed. Click on Install this certificate to install into your local browser.

The following screen will be displayed. Click Yes to continue the installation of the certificate.

The following screen will be displayed upon completion of the install. Click Home to continue. To verify that the certificate was installed in the browser, select Tools / Internet Options / Content / Certificates. The certificate should be listed under the Personal tab. (Based on IE7.)

Obtain the CA certificate for installation into the SA SSL VPN unit: From the initial menu select Download a CA Certificate

The following screen will be displayed. The CA certificate name should match your certificate server's name. Select an Encoding Method of Base 64 and then select Download CA certificate

The following screen will be displayed. Save the file to your local hard drive.

SSL VPN SETUP SCREENS


Certificate Server Import Page (System / Configuration / Certificates / Trusted Client CAs) This page is used to import the CA certificate downloaded and saved in the prior step. From this screen select the Import CA Certificate button.

From this screen select the Browse button, navigate to the downloaded CA Certificate and select the Import Certificate button.

The following screen will be displayed. Select the Save Changes button to finish the import process

Authentication Server Setup Page (Authentication / Auth. Servers) This page is used to define the authentication server that the user-defined realm will use for login. For basic certificate authentication use the default value for User Name Template, which builds the SA user name from fields of the presented certificate.

Basic Certificate Realm Setup (Users / User Realms) This page ties the authentication server set up above to the realm that will use certificates for authentication. Note that Directory/Attribute is left set to None. This is recommended until basic login functionality has been validated; once that is done, set it to LDAP or another appropriate value.

Basic Role Map Setup for Certificate Login Until sign-in via the certificate server is validated it is recommended that the role mapping be left generic.

Testing the Certificate Login Process


Using the PC that has the browser certificate installed, access the SA SSL VPN unit and select the certificate realm built in the prior steps. As this test validates the login process with a certificate there is NO NEED to enter a user ID and password. A successful submission should present the appropriate user role. Also confirm the negative case: a browser with no certificate, or with a certificate issued by a CA that has not been imported under Trusted Client CAs, should be refused by that realm. For a production environment the recommendation would be to create a custom sign-in page and URL that simply places the user into the SA SSL VPN unit in the appropriate role.
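The checks the SA makes when a certificate realm is used, reproduced as an added example in Go so the whole procedure above can be exercised offline. This is not code from the original document or from Juniper: a small self-issued CA and a user certificate stand in for the Windows 2003 certificate server and the browser certificate, the CA file is accepted in either download encoding (Base 64 or DER), and the browser certificate is chained to the trusted CA and mapped to a user name. The CA name ExampleCA, the user name jdoe, and the use of the subject CN as the SA user name (taken here to be what the default User Name Template does) are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// testPKI stands in for the certificate server used in the text (constructed
// test data): a self-signed CA plus one browser (user) certificate it issued.
type testPKI struct {
	caDER   []byte // "DER encoded binary" download option on the CA web page
	caPEM   []byte // "Base 64" download option, the encoding chosen in the text
	userDER []byte // the certificate the browser presents at sign-in
}

func mustCert(tmpl, parent *x509.Certificate, pub any, signer *rsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

// buildTestPKI issues an assumed "ExampleCA" and a client-auth user certificate
// whose subject CN is userCN.
func buildTestPKI(userCN string) testPKI {
	now := time.Now()
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ExampleCA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		panic(err)
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: userCN},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return testPKI{
		caDER:   caDER,
		caPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		userDER: mustCert(userTmpl, caCert, &userKey.PublicKey, caKey),
	}
}

// loadTrustedCA parses the downloaded CA certificate whichever encoding was
// picked, so a DER file saved by mistake still yields a usable certificate.
func loadTrustedCA(data []byte) (*x509.Certificate, error) {
	if block, _ := pem.Decode(data); block != nil {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("expected a CERTIFICATE block, got %s", block.Type)
		}
		data = block.Bytes
	}
	return x509.ParseCertificate(data)
}

// browserCertUser performs the checks a certificate realm relies on: the
// presented certificate must chain to a Trusted Client CA, be valid now and
// permit client authentication. The user name is then taken from the subject
// CN (assumed to be what the default User Name Template produces).
func browserCertUser(userDER []byte, trusted *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(userDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	if cert.Subject.CommonName == "" {
		return "", fmt.Errorf("subject has no CN; the user name would be empty")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	pki := buildTestPKI("jdoe")
	ca, err := loadTrustedCA(pki.caPEM)
	if err != nil {
		panic(err)
	}
	user, err := browserCertUser(pki.userDER, ca)
	fmt.Println("imported CA:", user, err)
	// Same CN, but issued by a CA that was never imported: must be refused.
	other := buildTestPKI("jdoe")
	_, err = browserCertUser(other.userDER, ca)
	fmt.Println("unrelated CA:", err)
}
```

The second call in main is the negative test from the step above: a certificate with the right CN but from a CA that is not in Trusted Client CAs fails chain validation, which is why the realm must never fall back to accepting a CN alone.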
