Category archive: Juniper SA – MAG

How to publish web resource using proxy pass-through with different FQDN and certificates

Sometimes you want to publish certain web resources, such as Microsoft ActiveSync or Exchange Autodiscover URLs, on the internet using a different FQDN and SSL certificate than the main portal.

If you have a Juniper SA or MAG you can do this without needing extra user licenses.

In this example I'm using the following lab setup:

[Diagram: lab setup (SA-Visio)]

As you can see, I have a Juniper SA through which I want to publish two resources on the internet: the normal Juniper SA portal access using the remote.engineers.com FQDN, and an ActiveSync synchronization URL using the pda.employees.com FQDN. Apart from that, I want both resources to use valid certificates. Note that a wildcard certificate is not an option in this scenario, as the two domain names differ (engineers.com vs. employees.com).

To realize this setup follow the steps below:

  • Log in to the admin portal of your Juniper SA or MAG
  • Browse to System -> Network -> Internal Port -> Virtual Ports

– Create a new virtual port named after the host part of the FQDN you want the ActiveSync clients to connect to (in our example: pda):

[Screenshot: SA virtual port]

  • Browse to System -> Configuration -> Certificates -> Device Certificates

– Import a valid or self-signed certificate for the FQDN you want the ActiveSync clients to connect to

– In our case this is pda.employees.com

– Bind this certificate to the virtual port you created earlier

[Screenshot: SA device certificate bound to the virtual port]

* Note that the remote.engineers.com certificate is already bound to the internal interface. If you want to use a different certificate for this, follow step 5 and bind that certificate to the internal interface.

  • Browse to Users -> User Roles

– Create a new User Role with the following options set:

– Session Options

– UI Options

– Access features -> Web options

[Screenshot: SA user role, session and UI options]

[Screenshot: SA user role, web options]

  • Browse to Authentication -> Signing In -> Sign-In Policies

– Create a new URL

[Screenshot: SA sign-in policy, new URL]

– Specify that it is for Authorization Only Access and enter the following information:

– Enter the FQDN in the Virtual Hostname field (pda.employees.com)

– Enter the IP or URL of the backend server, in our example https://192.168.75.100:433 (note that URL paths are not supported)

– Select No Authorization in the Authorization Server field

– Select the user role you created earlier

* Optionally, select Allow ActiveSync Traffic Only if this URL is to be used for mail synchronization only

[Screenshot: SA sign-in policy, authorization only access settings]

  • Create an external DNS record for the FQDN you want the ActiveSync clients to connect to, in our example pda.employees.com
  • Check that you can reach the website and check the User Log entries:

[Screenshot: SA user log entries]
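For the final check, and to illustrate the earlier remark that a wildcard certificate cannot cover both domains, here is an added verification script. It is not part of the original post and not Juniper code; the hostnames and the sample subjectAltName lists are constructed from the lab setup above. `hostname_matches` implements the usual TLS client name-matching rule (a wildcard may only be the whole left-most label and matches exactly one label), and `check_endpoint` connects to a published FQDN, validates the chain with the system trust store and reports whether the served certificate actually covers that name, which is what you want to see before pointing ActiveSync clients at it.

```python
"""Verify that each published FQDN is covered by its own certificate.

Added example, not part of the original post or of the Juniper SA/MAG
product. Hostnames and sample SAN lists are constructed from the lab setup.
"""
import socket
import ssl
from typing import Iterable, Optional


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or '*.example' wildcard) against a hostname.

    A wildcard must be the entire left-most label, matches exactly one label,
    and must leave at least two fixed labels ('*.com' is rejected). So
    '*.engineers.com' covers 'remote.engineers.com' but neither
    'pda.employees.com' nor 'a.b.engineers.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(san_names: Iterable[str], hostname: str) -> bool:
    """True if any subjectAltName dNSName entry covers `hostname`."""
    return any(_name_matches(p, hostname) for p in san_names)


def san_from_cert(cert: dict) -> list:
    """Pull the DNS entries out of the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_endpoint(fqdn: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Connect to fqdn:port, validate the chain, and report a name mismatch.

    Returns None when the served certificate covers `fqdn`, otherwise a short
    problem description. Needs network access, so it is not exercised offline.
    """
    ctx = ssl.create_default_context()        # system trust store, CERT_REQUIRED
    ctx.check_hostname = False                # we do the name check ourselves to report it
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        return f"{fqdn}:{port}: connection or chain validation failed: {exc}"
    names = san_from_cert(cert)
    if not hostname_matches(names, fqdn):
        return f"{fqdn}:{port}: certificate SAN {names} does not cover {fqdn}"
    return None


# Constructed sample SAN lists for the two published resources (and a wildcard).
PORTAL_CERT_SAN = ["remote.engineers.com"]
ACTIVESYNC_CERT_SAN = ["pda.employees.com"]
WILDCARD_SAN = ["*.engineers.com"]


def lab_cert_plan() -> dict:
    """Which certificate covers which FQDN; shows why the wildcard is not enough."""
    return {
        "remote.engineers.com": {
            "portal_cert": hostname_matches(PORTAL_CERT_SAN, "remote.engineers.com"),
            "wildcard": hostname_matches(WILDCARD_SAN, "remote.engineers.com"),
        },
        "pda.employees.com": {
            "activesync_cert": hostname_matches(ACTIVESYNC_CERT_SAN, "pda.employees.com"),
            "wildcard": hostname_matches(WILDCARD_SAN, "pda.employees.com"),
        },
    }


if __name__ == "__main__":
    for name, coverage in lab_cert_plan().items():
        print(name, coverage)
    for fqdn in ("remote.engineers.com", "pda.employees.com"):
        print(fqdn, check_endpoint(fqdn) or "OK")
```

Run it from a machine on the internet once the external DNS record exists: a chain-validation error on pda.employees.com points at the certificate import or the binding to the virtual port, while a SAN mismatch means the wrong certificate is bound to that port.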