Configuring Ivanti Policy Secure with ScreenOS Firewall
The ScreenOS Enforcer connects to Ivanti Policy Secure over an SSH connection that is established using the NetScreen Address Change Notification (NACN) protocol. Ivanti Policy Secure identifies and authenticates an incoming ScreenOS Enforcer by its serial number and NACN password. When the ScreenOS Enforcer first comes up, it sends an NACN message containing its NACN password and serial number to Ivanti Policy Secure. Ivanti Policy Secure uses the serial number to determine which ScreenOS Enforcer is attempting to connect, and the NACN password to authenticate that enforcer. Only after this check does Ivanti Policy Secure begin communicating with the ScreenOS Enforcer over SSH.
Configuring ScreenOS Infranet Enforcer in Ivanti Policy Secure
To configure a ScreenOS Firewall Infranet Enforcer in Ivanti Policy Secure:
- Select Endpoint Policy > Infranet Enforcer.
- Click New Infranet Enforcer and select ScreenOS Firewall in the Platform drop-down.
- Enter an NACN password for this Infranet Enforcer in the NACN password box. You must enter this same NACN password when configuring the ScreenOS Enforcer itself, because Ivanti Policy Secure uses it to authenticate the enforcer's NACN message.
- In the appropriate boxes, enter the administrator name and password that Ivanti Policy Secure uses to sign in to the Infranet Enforcer over SSH.
- Enter the name of the Infranet Enforcer in the Name box.
- Enter the serial number of the ScreenOS Enforcer. You can view the serial number on the ScreenOS device with the command: get system
- Select No 802.1X from the Location Group list if you are not using the Infranet Enforcer as an 802.1X RADIUS client.
- Ensure that the server certificate for Ivanti Policy Secure is configured for the interface to which the ScreenOS Enforcer is connecting.
- Click Save Changes.
When you finish configuring the Infranet Enforcer, it attempts to connect to Ivanti Policy Secure. If the connection succeeds, a green dot is displayed next to the Infranet Enforcer icon; the enforcer state is shown under Enforcer Status on System > Status > Overview. The Infranet Enforcer IP address is also displayed under Endpoint Policy > Infranet Enforcer > Connection.
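The following is an added example, not code from Ivanti or Juniper, that models the NACN registration described above together with the values entered in the configuration steps. The message fields, the in-memory registry keyed by serial number, and the sample serial, password and addresses are all assumptions for illustration; the real wire format of NACN is not shown here. What it demonstrates is the order of checks the text describes: look the enforcer up by serial number, authenticate it with the NACN password, and only then start the SSH session as the configured administrator.

```python
"""Model of the NACN registration handshake between a ScreenOS Enforcer and
Ivanti Policy Secure (constructed example; message shape and registry are
assumptions, not the product's implementation)."""
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class EnforcerRecord:
    """What the administrator entered for one ScreenOS Enforcer."""
    name: str            # Name box
    serial: str          # serial number shown by 'get system' on the ScreenOS device
    nacn_password: str   # NACN password; must match the one set on the enforcer
    admin_user: str      # administrator name used to sign in over SSH
    admin_password: str  # administrator password; never sent in the NACN message


@dataclass(frozen=True)
class NacnMessage:
    """Assumed shape of the enforcer's first message: serial number and NACN
    password, plus the address the message arrived from."""
    serial: str
    nacn_password: str
    source_ip: str


class PolicySecureController:
    """Controller side: identify by serial, authenticate by NACN password,
    then initiate the SSH session to the enforcer."""

    def __init__(self, enforcers):
        self._by_serial: Dict[str, EnforcerRecord] = {e.serial: e for e in enforcers}
        self.connected: Dict[str, str] = {}  # enforcer name -> IP shown under Connection

    def handle_nacn(self, msg: NacnMessage) -> Tuple[bool, str]:
        rec = self._by_serial.get(msg.serial)
        if rec is None:
            # No enforcer with this serial under Endpoint Policy > Infranet Enforcer.
            return False, "unknown serial number"
        # Constant-time comparison so a wrong password cannot be probed byte by byte.
        if not hmac.compare_digest(rec.nacn_password.encode(), msg.nacn_password.encode()):
            return False, "NACN password mismatch"
        self.connected[rec.name] = msg.source_ip
        # The product would now open SSH as the configured administrator;
        # this model only reports the session it would open.
        return True, f"ssh {rec.admin_user}@{msg.source_ip}"


def screenos_boot_message(serial: str, nacn_password: str, ip: str) -> NacnMessage:
    """Enforcer side: the notification sent when the ScreenOS device comes up."""
    return NacnMessage(serial=serial, nacn_password=nacn_password, source_ip=ip)


def demo() -> dict:
    # Constructed sample enforcer; serial, password and addresses are placeholders.
    controller = PolicySecureController([
        EnforcerRecord("screenos-dc1", "0099112233445566", "nacn-s3cret", "netscreen", "admin-pw"),
    ])
    good = screenos_boot_message("0099112233445566", "nacn-s3cret", "192.0.2.10")
    bad_pw = screenos_boot_message("0099112233445566", "wrong", "192.0.2.10")
    unknown = screenos_boot_message("0000000000000000", "nacn-s3cret", "192.0.2.11")
    return {
        "good": controller.handle_nacn(good),
        "bad_password": controller.handle_nacn(bad_pw),
        "unknown_serial": controller.handle_nacn(unknown),
        "connected": dict(controller.connected),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Note that the administrator password is stored on the controller side only and never appears in the NACN message: the NACN password authenticates the enforcer to the controller, and the administrator credentials authenticate the controller to the enforcer once SSH is opened. Both failure paths (unknown serial, wrong password) leave the Connection list empty, which is the state you see when the green dot does not appear.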
Configuring Auth Table Mapping Policies
An auth table entry consists of a username, a set of roles, and the IP address of the wired, wireless, or virtual adapter of the user's device. With an SRX Series firewall, auth table entries can also be created dynamically when a user first tries to access a protected resource. An auth table mapping policy specifies which enforcer devices receive entries for each user role. These policies prevent Ivanti Policy Secure from creating unnecessary auth table entries on every connected enforcer device.
For complete configuration information, see Configuring Auth Table Mapping Policies.
Configuring Resource Access Policy
A resource access policy specifies which users are allowed or denied access to a set of protected resources. You specify the users to allow or deny by choosing the roles that each firewall enforcer access policy applies to.
For the complete configuration procedure, see Configuring Resource Access Policy.
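The following is an added example, not Ivanti's code, that models both sections above: auth table mapping policies decide which connected enforcers receive a session's auth table entry, and resource access policies are then evaluated on an enforcer against the roles in that entry. The policy shapes, the first-match evaluation order, the default deny for unmatched traffic, and all names and addresses are modelling assumptions for illustration, not documented product semantics. It shows why mapping policies matter: an enforcer that never received the entry cannot authorize the user at all, regardless of the resource access policies.

```python
"""Model of auth table mapping and resource access policy evaluation
(constructed example; first-match ordering and default deny are assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class AuthTableEntry:
    username: str
    roles: FrozenSet[str]
    ip: str  # address of the wired, wireless or virtual adapter


@dataclass(frozen=True)
class AuthTableMappingPolicy:
    roles: FrozenSet[str]      # user roles this policy applies to
    enforcers: FrozenSet[str]  # enforcer names that should receive the entry


@dataclass(frozen=True)
class ResourceAccessPolicy:
    name: str
    resource: str          # destination network, e.g. "10.20.0.0/24"
    port: Optional[int]    # None = any port
    roles: FrozenSet[str]  # roles allowed or denied by this policy
    action: str            # "allow" or "deny"


def enforcers_for_session(entry: AuthTableEntry, mapping_policies, connected: Set[str]) -> Set[str]:
    """Which connected enforcers get an auth table entry for this session."""
    targets: Set[str] = set()
    for pol in mapping_policies:
        if pol.roles & entry.roles:
            targets |= pol.enforcers & connected
    return targets


def push_auth_table(entry, mapping_policies, connected, tables) -> Set[str]:
    """Write the entry into each selected enforcer's auth table; returns the targets."""
    targets = enforcers_for_session(entry, mapping_policies, connected)
    for name in targets:
        tables.setdefault(name, {})[entry.ip] = entry
    return targets


def check_access(tables, enforcer, src_ip, dst_ip, dst_port, access_policies) -> Tuple[str, str]:
    """Enforcer-side decision for one flow: find the auth table entry for the
    source address, then apply the first resource access policy that matches
    the destination and shares a role with the entry (assumed semantics)."""
    entry = tables.get(enforcer, {}).get(src_ip)
    if entry is None:
        return "deny", "no auth table entry for source"
    dst = ipaddress.ip_address(dst_ip)
    for pol in access_policies:
        if dst not in ipaddress.ip_network(pol.resource):
            continue
        if pol.port is not None and pol.port != dst_port:
            continue
        if pol.roles & entry.roles:
            return pol.action, pol.name
    return "deny", "no matching resource access policy"


def demo() -> dict:
    # Constructed sample data: two connected enforcers, one mapping policy,
    # two resource access policies, one user session.
    connected = {"screenos-dc1", "screenos-branch"}
    mapping = [AuthTableMappingPolicy(frozenset({"Employees"}), frozenset({"screenos-dc1"}))]
    access = [
        ResourceAccessPolicy("intranet-web", "10.20.0.0/24", 443, frozenset({"Employees"}), "allow"),
        ResourceAccessPolicy("dc-ssh", "10.20.0.0/24", 22, frozenset({"Admins"}), "allow"),
    ]
    tables: Dict[str, Dict[str, AuthTableEntry]] = {}
    alice = AuthTableEntry("alice", frozenset({"Employees"}), "10.10.1.5")
    targets = push_auth_table(alice, mapping, connected, tables)
    return {
        "targets": targets,
        "web_dc1": check_access(tables, "screenos-dc1", "10.10.1.5", "10.20.0.10", 443, access),
        "ssh_dc1": check_access(tables, "screenos-dc1", "10.10.1.5", "10.20.0.10", 22, access),
        "web_branch": check_access(tables, "screenos-branch", "10.10.1.5", "10.20.0.10", 443, access),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In the sample, the mapping policy sends the Employees entry only to screenos-dc1, so the branch enforcer denies the same user for lack of an entry, and the SSH flow is denied on screenos-dc1 because the only matching policy is for Admins.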