Juniper_SA_基本配置手册

1JuniperSA基本配置手册联强国际-李铭2009年10月第一章JuniperSA配置步骤、名词解释..............................................................................2第二章初始化、基本配置.......................................................................................................42.1Console下进行初始化配置.........................................................................................42.2Web中管理员身份登录...............................................................................................62.3基本配置.......................................................................................................................7第三章认证服务器的配置(Auth.Server).............................................................................11第四章用户角色的配置(Role)..............................................................................................13第五章用户区域的配置(Realm)...........................................................................................16第六章资源访问策略的配置（resourcepolicy)..................................................................19第七章用户登陆的配置（signinpolicy)...........................................................................23第八章SAM的应用与配置....................................................................................................268.1功能SAM介绍：........................................................................................................268.2WSAM-ClientApplications应用范例......................................................................268.3WSAMDestinations应用范例................................................................................318.4JSAM应用范例..........................................................................................................348.5SAM的选项................................................................................................................38第九章NC的应用与配置.......................................................................................................409.1NC功能介绍.....................................................................................................................409.2NC功能应用范例.............................................................................................................40................................................................................................................................................40第十章端点安全(EndpointSecurity)配置（可选）...........................................................4410.1端点安全的介绍.............................................................................................................4410.2HostChecker的使用（ESAPPackage）的安装...........................................................452第一章JuniperSA配置步骤、名词解释RADIUS、LDAP、LocalAuthentication：认证服务器的类型AuthServer：认证服务器（具体员工）Realm：用户区域=用户群（如：人事部门、财务部门、公司老总）Role：用户角色=资源组（如：财务资源、销售资源）上图中的对应关系可以清晰的看到从用户到资源的映射过程，在各个元素映射的过程中，可以是一对多的映射。所以JuniperSA产品可以面对更为复杂的企业网络应用环境。配置JuniperSA的步骤：1、初始化、基本配置z网络地址信息、时间、升级、License2、认证服务器的配置(Auth.Server)z配置用户要使用的认证服务器（本地的或者第三方的）z可以多个认证服务器3、用户角色的配置(Role)z具有相同资源访问权限的同一组用户z权限分配的基础，所有的访问控制策略都是基于ROLE4、用户区域的配置(Realm)z使用相同的认证服务器的同一组用户z该组用户根据访问资源权限的不同，与不同的ROLE进行映射5、资源访问策略的配置（resourcepolicy)z对于目标资源的访问控制，如WEB服务器，文件服务器等z针对于ROLE的访问权限控制（某个ROLE有何种访问权限）36、用户登陆的配置（signinpolicy)z定制用户登陆界面（提供缺省界面）z默认用户登陆URL(缺省为*/)z默认管理员登陆URL(缺省为*/admin)7、用户的安全性检查（EndpointSecurity）（可选）z定制HOSTCHECK策略z定制CACHECLEANER策略z定制SecureVirtualWorkspace策略4第二章初始化、基本配置设备出厂时无IP地址、密码、License，需要连接Console进行初始配置。2.1Console下进行初始化配置初始开机信息如下：Welcometotheinitialconfigurationofyourserver!NOTE:Press'y'ifthisisastand-aloneserverorthefirstmachineinaclusteredconfiguration.Ifthisisgoingtobeamemberofanalreadyrunningclusterpressntoreboot.Whenyouseethe'HitTABforclusteringoptions'messagepressTABandfollowthedirections.Wouldyouliketoproceed(y/n)?:yNotethatcontinuingsignifiesthatyouacceptthetermsoftheJuniperlicenseagreement.Typertoreadthelicenseagreement(thetextisalsoavailableatanytimefromtheLicensetabintheAdministratorConsole).Doyouagreetothetermsofthelicenseagreement(y/n/r)?:y输入网络地址信息：PleaseprovideethernetconfigurationinformationIPaddress:10.104.2.10Networkmask:255.255.255.0Defaultgateway:10.104.2.254PleaseprovideDNSnameserverinformation:PrimaryDNSserver:10.104.1.183Secondary(optional):10.104.1.182DNSdomain(s):dns.comPleaseprovideMicrosoftWINSserverinformation:WINSserver(optional):10.104.1.251确认输入的网络地址信息：Pleaseconfirmthefollowingsetup:IPaddress:10.104.2.10Networkmask:255.255.255.0GatewayIP:10.104.2.254Linkspeed:AutoPrimaryDNSserver:10.104.1.183SecondaryDNS:10.104.1.182DNSdomain(s):dns.comWINSserver:10.104.1.251Correct?(y/n):yInitialnetworkconfigurationcomplete.5输入Admin管理员账号、密码：InternalNIC:.........................................................[Downcode=0x1]Pleasecreateanadministratorusernameandpassword.Adminusername:admin（可自定义）Password:（此处输入密码不会显示）Confirmpassword:Theadministratorwassuccessfullycreated.输入域名、组织名信息：Pleaseprovideinformationtocreateaself-signedWebserverdigitalcertificate.Commonname(example:secure.company.com):(example:CompanyInc.):synnex输入任意字符生成自签名证书：Pleaseentersomerandomcharacterst