Juniper ScreenOS : Active/Passive clustering
Introduction: In this blog post, I’ll show the easy steps to set up a screenOS based active/passive cluster. I’m not going to discuss the configuration of active/active clusters because, in my opinion, this configuration is only needed in rare circumstances and may introduce some weird behaviour issues. Furthermore, active/passive clusters have been working quite well […]
Juniper ScreenOS : default route manipulations and redistributions
The default route or “route of last resort” is an important route in most present inter-network connectivity configurations. It contains all public and private routes possible and is responsible for directing traffic to a next hop when no better route is found. In most cases, it is used to allow networks to access the internet, […]
Juniper ScreenOS : defeating iBGP full mesh requirement using route reflectors and confederations
As explained in one of my earlier posts, one of the requirements to successfully set up and operate an iBGP configuration is that all iBGP clients need to have a BGP connection to all other iBGP clients (= full mesh). This is required because an iBGP device only exchanges information about its own networks and it […]
Juniper : Netscreen/ScreenOS to HTML (ns2html) + audit your firewall config (nipper)
A short while ago, I came across 2 really nice tools that will help with visualizing screenos configs into html pages and auditing firewall configs. Converting screenos to html: The first tool, called ns2html, was developed by Rodrigo Pace de Barros and can be found at http://ns2html.sourceforge.net/ It is written in perl and both […]
Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas and eBGP
Introduction: As you most likely already know, Juniper screenOS supports a couple of dynamic routing protocols (OSPF, BGP, RIP). These protocols can be used to build very powerful and redundant networks, however there are some screenos specific issues with these implementations, and these issues may introduce a little bit of complexity in the design and […]
Juniper : Netscreen Remote Dial-UP VPN with AD Radius Authentication and route based VPN / tunnel interface
The following procedure explains how to set up a Juniper ScreenOS based firewall to accept Netscreen Remote Client VPN connections and authenticate users using Active Directory (Radius via Windows 2003 IAS or Windows 2008 NPS). We’ll assume that all traffic from the client to the 192.168.0.0/16 networks needs to pass via the client VPN […]
Windows XP L2TP over IPSec dialup client VPN to a Juniper ScreenOS firewall, using Certificates
Before looking at the various configuration steps, we’ll have to take the following assumptions into account : – We don’t want to use the Netscreen Remote client, but we want to use the Windows XP built-in dialup VPN technology that allows us to build PPTP or L2TP/IPSec connections. Juniper screenOS does not support PPTP (which […]
IPSec VPN between Windows Server 2008 and Juniper ScreenOS
In this blog post, I will show you how to set up an IPSec VPN tunnel between a Windows Server and a Juniper ScreenOS based firewall and route traffic between hosts that are located behind these 2 VPN gateways. The Windows Server will act as a gateway to build a VPN tunnel towards the Juniper […]
Getting connected to the internet over IPv6 using Juniper/screenos
It started snowing today, so I guessed it would be the perfect timing to write a quick and dirty howto on getting connected to the internet over IPv6, using a Juniper ssg5. I’ll also discuss the easy steps to configure Windows and Linux clients for IPv6 and access to the internet. Before looking at the […]