Forum

Bildirimler

Hepsini Temizle

SSG & Active Directory integrasyonu

Juniper Networking

Son Cevaplar gön: Murat GUCLU 14 yıl önce

15 Yazılar

7 Üyeler

0 Reactions

497 Görüntüleme

RSS

nkeremk

(@nkeremk)

Gönderiler: 23

Eminent Member

Konu başlatıcı

Merhaba,

SSG 140 üzerinde farklı kullanıcı gruplarına farklı policy ler uygulayabilmek için, hali hazırda tüm kullanıcıların bulunduğu AD üzerinden nasıl authentikasyon yapabiliriz acaba? Böyle bir şey mümkünmüdür, mümkünse bununla ilgili bir link veya dökümana nasıl ulaşabilirim?

çok teşekkürler.

Gönderildi : 05/07/2010 19:42

Fatih KARAALIOGLU

(@fatihkaraalioglu)

Gönderiler: 3039

Illustrious Member

Merhaba;

aşağıdaki makaleyi inceleyebilirmisiniz?

http://www.juniper.net/techpubs/en_US/nsm2008.2/topics/task/configuration/access-management-secure-access-ad-nt-server-instance-configuring-nsm.html

To configure an Active Directory or Windows NT domain server instance:

In the NSM navigation tree, select Device Manager > Devices.

Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure an Active Directory or NT domain instance.

Click the Configuration tab and select Authentication > Auth Servers. The corresponding workspace appears.

Note: If you want to update an existing server instance, click the appropriate link in the Auth Server Name box, and perform the steps 5 through 8.

Click the New button. The New dialog box appears.

In the Auth Server Name list, specify a name to identify the server instance.

Select AD/NT Server from the Auth Server Type list.

Configure the server using the settings described in Table 1.

Click one:
- OK—Saves the changes.
- Cancel—Cancels the modifications.

Table 1: Active Directory or NT Domain Instance Configuration Details

Option	Function	Your Action
AD/NT Settings > General tab
Primary Domain Controller or Active Directory	Specifies the name or IP address for the primary domain controller or Active Directory server.	Enter the name or IP address.
Secondary Domain Controller or Active Directory	Specifies the name or IP address for the backup domain controller or Active Directory server.	Enter the name or IP address.
Domain	Specifies the domain name of the Active Directory or Windows NT server.	Enter the domain name of the Active Directory or Windows NT domain. Note: For example, if the Active Directory domain name is `us.amr.asgqa.net` and you want to authenticate users who belong to the US domain, enter US as the domain.
Allow domain to be specified as part of username	Allows users to sign in by entering a domain name in the Username box in the format: `domain\username`	Select AD/NT Settings > General > Allow domain to be specified as part of username to enable this feature.
Allow trusted domains	Allows users to get group information from all trusted domains within a forest.	Select AD/NT Settings > General >Allow trusted domains to enable this feature.
Admin Username	Specifies an administrator username for the AD or NT server.	Enter an administrator username for the AD or NT server.
Admin Password	Specifies an administrator password for the AD or NT server.	Enter an administrator password for the AD or NT server.
Kerberos (most secure)	Allows the Secure Access device to send user credentials to Kerberos.	Select AD/NT Settings > General >Kerberos (most secure) to enable this feature.
NTLMV2 (moderately secure)	Allows the Secure Access device to send user credentials to NTLMv2.	Select AD/NT Settings > General >NTLMV2 (moderately secure) to enable this feature.
NTLMV1 (least secure)	Allows the Secure Access device to send user credentials to NTLMv1.	Select AD/NT Settings > General >NTLMV1 (least secure) to enable this feature.
Use LDAP to get Kerberos realm name	Allows the Secure Access device to retrieve the Kerberos realm name from the Active Directory server using the specified administrator credentials.	Select AD/NT Settings > General >Specify Kerberos realm name to enable this feature.
Specify Kerberos realm name	Specifies Kerberos realm name.	Enter the name.
AD/NT Settings > Advanced tab
User may belong to Domain Local Groups across trust boundaries	Specifies that the selected user belongs to the Domain Local Groups who honor trust relationships in the Active Directory.	Select AD/NT Settings > Advanced > User may belong to Domain Local Groups across trust boundaries to enable this feature.
Container Name	Specifies the name that the Secure Access device uses to join the specified Active Directory domain as a computer.	Enter the computer name.
Server Catalog > Expressions tab
Name	Specifies a name for the user expression in the Active Directory or NT domain server user directory.	Enter a name.
Value	Specifies a value for the user expression in the Active Directory or NT Domain server user directory.	Enter a value.
Server Catalog > Groups tab
Name	Specifies the name of the group	Enter a name.
Groups	Specifies the admin’s domain local groups information.	Enter a name.
AD Group	Specifies the group that contains the administrators to enable centralized administration in an Active Directory domain.	Enter a name.

Gönderildi : 05/07/2010 20:38

Fatih KARAALIOGLU

(@fatihkaraalioglu)

Gönderiler: 3039

Illustrious Member

Tekrar merhaba;

aynı sayfa altında farklı bir bilgiyi paylaşmak istedim..

http://www.juniper.net/techpubs/en_US/nsm2009.1/topics/task/configuration/access-management-secure-access-ad-nt-server-instance-configuring-nsm.html

Configuring a Secure Access Active Directory or NT Domain Instance (NSM Procedure)

To configure an Active Directory or Windows NT domain server instance:

In the NSM navigation tree, select Device Manager > Devices.

Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure an Active Directory or NT domain instance.

Click the Configuration tab and select Authentication > Auth Servers. The corresponding workspace appears.

Note: If you want to update an existing server instance, click the appropriate link in the Auth Server Name box, and perform the steps 5 through 8.

Click the New button. The New dialog box appears.

In the Auth Server Name list, specify a name to identify the server instance.

Select AD/NT Server from the Auth Server Type list.

Configure the server using the settings described in Table 1.

Click one:
- OK—Saves the changes.
- Cancel—Cancels the modifications.

Table 1: Active Directory or NT Domain Instance Configuration Details

Option	Function	Your Action
AD/NT Settings > General tab
Primary Domain Controller or Active Directory	Specifies the name or IP address for the primary domain controller or Active Directory server.	Enter the name or IP address.
Secondary Domain Controller or Active Directory	Specifies the name or IP address for the backup domain controller or Active Directory server.	Enter the name or IP address.
Domain	Specifies the domain name of the Active Directory or Windows NT server.	Enter the domain name of the Active Directory or Windows NT domain. Note: For example, if the Active Directory domain name is `us.amr.asgqa.net` and you want to authenticate users who belong to the US domain, enter US as the domain.
Allow domain to be specified as part of username	Allows users to sign in by entering a domain name in the Username box in the format: `domain\username`	Select AD/NT Settings > General > Allow domain to be specified as part of username to enable this feature.
Allow trusted domains	Allows users to get group information from all trusted domains within a forest.	Select AD/NT Settings > General >Allow trusted domains to enable this feature.
Domain Controller is a Windows 2008 server	Specifies if the backend domain controller is a Windows 2008 server. Tip: The Windows 2008 server has several enhancements to the Active Directory server, which is now called Active Directory Domain Services.	Select Domain Controller is a Windows 2008 server to enable this feature.
Admin Username	Specifies an administrator username for the AD or NT server.	Enter an administrator username for the AD or NT server.
Admin Password	Specifies an administrator password for the AD or NT server.	Enter an administrator password for the AD or NT server.
Kerberos (most secure)	Allows the Secure Access device to send user credentials to Kerberos.	Select AD/NT Settings > General >Kerberos (most secure) to enable this feature.
NTLMV2 (moderately secure)	Allows the Secure Access device to send user credentials to NTLMv2.	Select AD/NT Settings > General >NTLMV2 (moderately secure) to enable this feature.
NTLMV1 (least secure)	Allows the Secure Access device to send user credentials to NTLMv1.	Select AD/NT Settings > General >NTLMV1 (least secure) to enable this feature.
Use LDAP to get Kerberos realm name	Allows the Secure Access device to retrieve the Kerberos realm name from the Active Directory server using the specified administrator credentials.	Select AD/NT Settings > General >Specify Kerberos realm name to enable this feature.
Specify Kerberos realm name	Specifies Kerberos realm name.	Enter the name.
AD/NT Settings > Advanced tab
User may belong to Domain Local Groups across trust boundaries	Specifies that the selected user belongs to the Domain Local Groups who honor trust relationships in the Active Directory.	Select AD/NT Settings > Advanced > User may belong to Domain Local Groups across trust boundaries to enable this feature.
Container Name	Specifies the name that the Secure Access device uses to join the specified Active Directory domain as a computer.	Enter the computer name.
Server Catalog > Expressions tab
Name	Specifies a name for the user expression in the Active Directory or NT domain server user directory.	Enter a name.
Value	Specifies a value for the user expression in the Active Directory or NT Domain server user directory.	Enter a value.
Server Catalog > Groups tab
Name	Specifies the name of the group	Enter a name.
Groups	Specifies the admin’s domain local groups information.	Enter a name.
AD Group	Specifies the group that contains the administrators to enable centralized administration in an Active Directory domain.	Enter a name.

Gönderildi : 05/07/2010 20:40

nkeremk

(@nkeremk)

Gönderiler: 23

Eminent Member

Konu başlatıcı

Çok teşekkürler. NSM kullanılmıyor fakat web veya cli yönteminide bulurum sanırsam.

Gönderildi : 05/07/2010 20:53

Fatih KARAALIOGLU

(@fatihkaraalioglu)

Gönderiler: 3039

Illustrious Member

R/E
Kolay gelsin...

Gönderildi : 05/07/2010 20:56

Murat GUCLU

(@muratguclu)

Gönderiler: 1164

Noble Member

Selam;

http://www.corelan.be:8800/index.php/2007/11/11/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication/

Buradaki makaleyi denyebilirsin. Ben test ettim problem yok. Çalışıyor

Gönderildi : 06/07/2010 13:17

nkeremk

(@nkeremk)

Gönderiler: 23

Eminent Member

Konu başlatıcı

Selam;

http://www.corelan.be:8800/index.php/2007/11/11/using-active-directory-and-ias-based-radius-for-netscreen-webauth-authentication/

Buradaki makaleyi denyebilirsin. Ben test ettim problem yok. Çalışıyor

Teşekkürler. Peki bu yöntem ile kullanıcıları authenticate ettikten sonra, kullanıcısına göre farklı web filteringler uygulayabilirmiyim?

Gönderildi : 07/07/2010 17:31

Murat GUCLU

(@muratguclu)

Gönderiler: 1164

Noble Member

Evet uygulabilirsin.

Gönderildi : 07/07/2010 18:14

Vasvi UYSAL

(@vasviuysal)

Gönderiler: 7889

Üye

Evet uygulabilirsin.

hocam bunla ilgili ( gerci adres verdigin yerde var zaten ama ingizlizce) turkce bir dokuman istesek senden cokmu sey istemis oluruz

ayrı kullanıcı gruplarını ayrı policy'ler icerisinde kullanamadım ben

eger mumkun ise şimdiden minnettar kalırım hocam

Gönderildi : 14/07/2010 16:32

Murat GUCLU

(@muratguclu)

Gönderiler: 1164

Noble Member

Mümkündür tabi de ben, ssg 5 i satışa çıkardım eğer yakın bir zamanda satılmaz ise hazırlarım, satılırsa uğraşabileceğim bir ssg im kalmıyor

Gönderildi : 14/07/2010 19:15

Rafet S. AYATA

(@rafets-ayata)

Gönderiler: 3820

Üye

Sen merak etme Murat Hocam o satılmaz ha satılırsa bende var SSG evde duruyor bir türlü seninle karşılılık VPN v.s. tesleri gerçekleştiremedik biliyorsun ikimizde çok yoğun çalışıyoruz. Ama istersen benim evdeki SSG remote ile kullanabilirsin.

Gönderildi : 14/07/2010 19:44

Murat GUCLU

(@muratguclu)

Gönderiler: 1164

Noble Member

Eyvallah Rafetim, sen merak etme, ssg yoksa srx var. Onunla yaparız vpn i 🙂

Gönderildi : 14/07/2010 20:00

Can kocaman

(@Cankocaman)

Gönderiler: 13

Eminent Member

Hocam ben sızın onerınızı denedım fakat calısmıyor ınternetı kesıyor dırek DOmaın olsun olması hepsını kesıyor

Gönderildi : 07/09/2010 12:06

Emre sokullu

(@Emresokullu)

Gönderiler: 36

Trusted Member

Yalnız Juniperin bendenedıgımde sureklı kullanıcı adı sıfre soruyor kullanıcı adı sıfre dogru ıse gırıyor du sıfresız olmuyormu bu*?

Gönderildi : 05/03/2011 08:38

Murat GUCLU

(@muratguclu)

Gönderiler: 1164

Noble Member

LDAP la entegre çalışmıyor. Onun için bir kimlik doğrulama sayfası gelmek zorunda.

Linkteki uygulamda LDAP a sorgu atıyor. Böyle bir kullanıcı varmıdır diye. Var ise kimlik doğrulamdan geçiyor.

Gönderildi : 05/03/2011 12:40

Cevap: Casper notebook ve windows lisansı

Evet web marketlerde olduğu gibi ürün bilgilerinde gene...

Gön: ibrahim yildiz , 8 dakika önce
Arapca ve ingilizce metin sorunu

Visual Studio Asp.net web form projemde ki bir sayfamda...

Gön: Mehmet UGUR , 4 saat önce
Cevap: Casper notebook ve windows lisansı

Casper olmasına gerek yok, üretici faturası olması yete...

Gön: Hakan Uzuner , 6 saat önce
Cevap: Casper notebook ve windows lisansı

O zaman şöyle yapıyoruz . Satıcısı Casper değilse uza...

Gön: Erol DURSUN , 6 saat önce
Cevap: Casper notebook ve windows lisansı

Tamam söylediğim gibi işte, dijital lisanslı satıyor 🙂

Gön: Hakan Uzuner , 6 saat önce
Cevap: Casper notebook ve windows lisansı

Casper sitesi sık sorulanlar altında : Satın almış ol...

Gön: Erol DURSUN , 6 saat önce
Cevap: iVMS-4200 Mac yükleme sorunu

Merhaba, hata çok açık aslında, iVMS-4200 uygulamasının...

Gön: Hakan Uzuner , 7 saat önce
Cevap: Casper notebook ve windows lisansı

Windows kurulum anahtarı istemiyor, gömülü lisans olduğ...

Gön: Hakan Uzuner , 7 saat önce
Cevap: Casper notebook ve windows lisansı

Merhaba , Hocam sorun bu işte bu cihazda gömülü Windo...

Gön: Erol DURSUN , 7 saat önce