
IMPLEMENTATION GUIDE - Juniper Networks SRX Series Services Gateways/Websense V10000

8. Create a Websense-specific security application definition for the Websense redirect protocol—TCP/15871.

admin@SRX# show applications
application webs-redirect {
    protocol tcp;
    destination-port 15871;
}

9. Add a security policy from user-lan to management that permits traffic only to the V10000 “C” port and only for TCP/15871. This step is necessary so that the user's Web browser can be redirected to the V10000 “Block Page.” Normally, user LAN traffic should not be allowed to access the management security zone.

admin@SRX# show security policies
from-zone lanA to-zone management {
    policy redirect-only {
        match {
            source-address local-hosts;
            destination-address V10000-c;
            application webs-redirect;
        }
        then {
            permit;
        }
    }
}

10. Add any NAT necessary to support both web-redirect traffic and user-lan traffic out toward the public Internet.

admin@SRX# show security nat source
rule-set websense {
    from zone web-redirect;
    to zone public-inet;
    rule ifnat-all {
        match {
            source-address 192.168.10.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
rule-set user-lan {
    from zone user-lan;
    to zone [ public-inet web-redirect ];
    rule ifnet-all {
        match {
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
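Step 9 opens a deliberate exception into the management zone, so it is worth confirming that nothing broader than TCP/15871 to the V10000 “C” port is permitted there. The Python check below is an added example, not part of the Juniper guide: it assumes the text is the output of show security policies captured as a string, and the too-broad policy in the sample is constructed for illustration.

```python
import re

# Constructed sample: the step 9 policy plus a deliberately over-broad one.
SAMPLE = """
from-zone lanA to-zone management {
    policy redirect-only {
        match { source-address local-hosts; destination-address V10000-c; application webs-redirect; }
        then { permit; }
    }
    policy too-broad {
        match { source-address any; destination-address any; application any; }
        then { permit; }
    }
}
"""

def parse(text):
    """Parse Junos curly-brace config into nested dicts (leaf statements map to None)."""
    root = {}
    stack, words = [root], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                      # open a child block named by the pending words
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":                    # leaf statement
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":                    # close the current block
            stack.pop()
        else:
            words.append(tok)
    return root

def audit(text, zone="management", dst="V10000-c", app="webs-redirect"):
    """Return names of permit policies into `zone` that allow more than dst + app."""
    bad = []
    for ctx, policies in parse(text).items():
        if ctx.split()[-1:] != [zone] or not policies:
            continue                        # only contexts ending in "to-zone <zone>"
        for name, body in policies.items():
            if not body or "permit" not in (body.get("then") or {}):
                continue                    # deny/reject policies cannot widen access
            match = {}
            for stmt in body.get("match") or {}:
                key, *vals = stmt.split()
                match[key] = [v for v in vals if v not in ("[", "]")]
            if match.get("destination-address") != [dst] or match.get("application") != [app]:
                bad.append(name.split()[-1])
    return bad
```

Calling audit(SAMPLE) returns the names of the offending policies; an empty list means the step 9 exception is the only traffic permitted into the zone.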

Copyright © 2010, Juniper Networks, Inc.
