DATASHEETSA Series SSL VPNAppliancesSA2500, SA4500, SA6500Product OverviewJuniper Networks SA Series SSLVPN Appliances provide a completerange of remote access appliancesfor all size companies, as well asJuniper Networks SA Series SSL VPNVirtual Appliances (see separatedatasheet). The SA Series includesJuniper Networks Junos Pulse, whichprovides a simple, intuitive enablinguser interface that provides secure,authenticated access for mobile andremote users from any web-enableddevice The SA Series combines thesecurity of SSL with standards-basedaccess controls, granular policycreation, and unparalleled flexibility.The result is ubiquitous security forall enterprise tasks, with optionsfor increasingly stringent accesscontrol to protect the most sensitiveapplications and data, and deliverlower total cost of ownership overtraditional IPsec client solutions.Product DescriptionThe Juniper Networks SA2500, SA4500, and SA6500 SSL VPN Appliances meet the needsof companies of all sizes. SA Series SSL VPN Appliances use SSL, the security protocolfound in all standard Web browsers. The use of SSL eliminates the need for pre-installedclient software, changes to internal servers, and costly ongoing maintenance and desktopsupport. The SA Series also offers sophisticated partner/customer extranet features thatenable controlled access to differentiated users and groups without requiring infrastructurechanges, demilitarized zone (DMZ) deployments, or software agents.The SA Series includes Juniper Networks Junos Pulse, a dynamic, integrated, multiservicenetwork interface for mobile and nonmobile devices. Junos Pulse enables optimized,accelerated, anytime, anywhere access to corporate networks, clouds, and the data theyhold. Junos Pulse enables secure SSL access from a wide range of mobile and nonmobiledevices, including smartphones, tablets, laptops, and desktop PCs, as well as Wi-Fi or3G/4G and Long Term Evolution (LTE)-enabled devices. Junos Pulse delivers enterprisesimproved productivity and secure, ubiquitous access to corporate applications and data—anytime, anywhere.Architecture and Key ComponentsThe SA2500 SSL VPN Appliance enables small to medium-sized businesses (SMBs) todeploy granular, cost-effective mobile and remote network and cloud access, as well asintranet security and business continuity in case of disaster or emergency. Users can accessthe corporate resources and applications from any endpoint device over the Web. TheSA2500 offers high availability (HA) with seamless user failover. And because the SA2500runs the exact same software as the larger SA4500 and SA6500, even smaller organizationsgain the same high performance, administrative flexibility, and end user experience.The SA4500 SSL VPN Appliance enables mid- to large-sized organizations to provideefficient, role-based corporate network, cloud, and application access to mobile andremote employees, as well as authorized contractors and partners, requiring only aWeb browser connected to the Internet. The SA4500 features rich access privilegemanagement functionality that can be used to create secure customer/partner extranetsand to enable secure access to the corporate intranet, so that employees and otherauthorized users can use the same access means but with differentiated, role-basedaccess while still adhering to enterprise security policies. Built-in compression for alltraffic types speeds performance, and SSL acceleration is available for more demandingenvironments. The SA4500 also offers HA with seamless user failover.1
The SA6500 SSL VPN Appliance is purpose-built for largeenterprises and service providers. It features best-in-classperformance, scalability, and redundancy for organizations withhigh volume secure access and authorization requirements.Additionally, the SA6500 offers HA with seamless user failover.The SA6500 also features a built-in compression for Web andfiles, and a state-of-the-art SSL acceleration chipset to speedCPU-intensive encryption/decryption processes.Because each of the SA Series SSL VPN Appliances runs the samesoftware, there is no need to compromise user or administratorexperience based on which appliance you choose. All devices offerleading performance, stability, and scalability. Therefore, decidingwhich device best fits the needs of your organization is easilydetermined by matching the required number of concurrent users,and perhaps system redundancy and large-scale accelerationoptions, to the needs of your growing mobile and remote accessuser population. SA2500: Supports SMBs as a cost-effective solution that caneasily handle up to 100 concurrent users on a single system ortwo-unit cluster. SA4500: Enables mid-sized to large-sized organizations to growto as many as 1,000 concurrent users on a single system, andoffers the option to upgrade to hardware-based SSL accelerationfor those who demand the most performance available underheavy load. SA6500: Purpose-built for large enterprises and service providers,the SA6500 features best-in-class performance, scalability, andredundancy for organizations with high volume secure access andauthorization requirements—with support for as many as 10,000concurrent users on a single system or tens of thousands ofconcurrent users across a four-unit cluster.Features and BenefitsJunos PulseJunos Pulse is an integrated, multiservice network interfaceenabling anytime, anywhere connectivity and access, security,network access control, acceleration, and collaboration with asimplified user experience that requires minimal user interaction.Junos Pulse makes secure network and cloud access easy throughvirtually any device—mobile or nonmobile, Wi-Fi or 3G/4G/LTE-enabled, managed or unmanaged—over a broad array ofcomputing and mobile operating systems. The following tableprovides the key features and benefits of Junos Pulse working withthe SA Series appliances.FeaturesBenefitsLayer 3 SSL VPN Layer 3 VPN connectivity with granular access control is provided. Supports SSL mode or Encapsulating Security Payload (ESP) transport mode.Ease of use Seamless roaming from remote access (to SA Series) to local LAN access (via JuniperNetworks Unified Access Control) is provided for laptops. Junos Pulse can be preconfigured by administrators to automatically prompt endusers for credentials to authenticate to the SA Series when they are remote.Endpoint security Full Host Checker capability enables endpoint security to be checked for Windows,Mac OS, and Linux devices as well as Apple iOS and Google Android mobile devices.Host Checker for iOS and Android platforms enables administrators to restrict orprohibit VPN access from noncompliant devices based on centrally defined corporatepolicies, including mobile OS version restrictions, jail-broken or rooted status, orpresence and/or enablement of Junos Pulse Mobile Security Suite.Split tunneling options (enable or disable with overridingroute capability and route monitoring) Key split tunneling options are supported. Secure, granular access control is enforced.Flexible launch options (standalone client, browser-basedlaunch) Users can easily launch Junos Pulse via the Web from the SA Series landing page. Remote users can simply launch Junos Pulse from their desktop or mobile device.Preconfiguration options (preconfigured installer to containlist of SA Series appliances) For laptops and desktop PCs, administrators can preconfigure a Junos Pulsedeployment with a list of corporate SA Series appliances for end users to choose from.Connectivity options (max/idle session timeouts, automaticreconnect, logging) Administrators can set up flexible connectivity options for remote users.Authentication options (hardware token, smart cards, orsoft token) Administrators can deploy Junos Pulse for remote user authentication by using ahardware token or smart cards. Junos Pulse supports integration with RSA SoftID, allowing automatic access to theuser’s RSA passcodes using the PIN entered by the user.For more details on Junos Pulse, please visit unos-platform/junos-pulse.2
High Scalability Support on SA6500SSL VPN Appliance Three-unit cluster of SA6500 devices: Supports up to 26,000concurrent usersThe SA6500 is designed to meet the growing needs of largeenterprises and service providers with its ability to supportthousands of users accessing the network remotely. The followinglist shows the number of concurrent users that can be supportedon the SA6500 platform:All performance testing is done based on real-world scenarioswith simulation of traffic based on observed customer networks. Single SA6500 device: Supports up to 10,000 concurrent users Two-unit cluster of SA6500 devices: Supports up to 18,000concurrent users Four-unit cluster of SA6500 devices: Supports up to 30,000concurrent usersEnd-to-End Layered SecurityThe SA2500, SA4500, and SA6500 provide complete end-to-endlayered security, including endpoint client, device, data, and serverlayered security controls.Table 1: End-to-End Layered Security Features and BenefitsFeatureFeature DescriptionBenefitsPatch auto-remediation(optional)Automatically remediates noncompliant endpoints by updatingsoftware applications that do not comply to corporate securitypolicies. Does not require Microsoft SMS protocol for remediationand covers patches for not only Microsoft but other vendors such asAdobe, Firefox, Apache, RealPlayer, etc. Directly downloads missingpatches from vendor’s website without going through the SA Seriesappliance.Improves productivity of remote users by enablingthem to gain immediate access to the corporatenetwork without having to wait for periodic updatesof software applications.Ensures compliance with corporate security policies.Host Checker for clientcomputersClient computers can be checked both prior to and during a sessionto verify an acceptable device security posture requiring installed/running endpoint security applications (antivirus, firewall, other).Host Checker also supports custom-built checks including verifyingports opened/closed, checking files/processes and validating theirauthenticity with Message Digest 5 (MD5) hash checksums, verifyingregistry settings, machine certificates, and more. Includes cachecleaner that erases all proxy downloads and temp files at logout.Verifies/ensures that endpoint device meetscorporate security policy requirements beforegranting access, remediating and quarantiningdevices when necessary.Ensures that no potentially sensitive data is leftbehind on the endpoint device.Host Checker for mobiledevicesHost Checker support for mobile devices running the Apple iOSor Google Android operating systems allows administrators torestrict or prohibit VPN access from noncompliant devices based oncorporate-defined security policies.Secures mobile remote network, cloud, andapplication access via SSL VPN for iOS and Androiddevices based on the integrity of the device andmobile OS.Host Checker APICreated in partnership with best-in-class endpoint security vendors.Enables enterprises to enforce an endpoint trust policy for managedPCs that have personal firewall, antivirus clients or other installedsecurity clients, and quarantine noncompliant devices. For mobiledevices, Host Checker can enforce policies based on mobile OSversion, jail-broken/rooted status, and/or status of the Junos PulseMobile Security Suite on the device (installed/not installed, active/inactive).Uses current security policies with remote users anddevices; provides easier management.Trusted Network Connect(TNC) support on HostCheckerAllows standards-based interoperability with diverse endpointsecurity solutions from antivirus to patch management tocompliance management solutions.Enables customers to leverage existing investmentsin endpoint security solutions from third-partyvendors.Policy-basedenforcementAllows the enterprise to establish trustworthiness of non-APIcompliant hosts without writing custom API implementations, orlocking out external users such as customers or partners who runother security clients.Enables access to extranet endpoint devices suchas PCs from partners that might run differentsecurity clients than that of the enterprise.Hardened securityapplianceDesigned on a purpose-built operating system.Not designed to run any additional services and isthus less susceptible to attacks.No “backdoors” to exploit or hack.Security services withkernel-level packetfiltering and safe routingUndesirable traffic is dropped before it is processed by the TCPstack.Ensures that unauthenticated connection attemptssuch as malformed packets or denial-of-service(DoS) attacks are filtered out.Secure virtual workspaceA secure and separate environment for remote sessions thatencrypts all data and controls I/O access (printers, drives).Ensures that all corporate data is securely deletedfrom unsecure kiosks after a session.3
Ease of AdministrationIn addition to enterprise-class security benefits, the SA2500, SA4500, and SA6500 appliances have a wealth of features that make iteasy for the administrator to deploy and manage.Table 2: Ease of Administration Features and BenefitsFeatureFeature DescriptionBenefitsBridge certificate authority(CA) supportEnables the SA Series to support federated public keyinfrastructure (PKI) deployments with client certificateauthentication. Bridge CA is a PKI extension (as specifiedin RFC 5280) to cross-certify client certificates that areissued by different trust anchors (root CAs). Also, enablesthe customer to configure policy extensions in the SASeries admin UI to enforce during certificate validation.These policy extensions can be configured according toRFC 5280 guidelines.Enables customers who use advanced PKI deploymentsto deploy the SA Series to perform strict standardscompliant certificate validation before allowing data andapplications to be shared between organizations andusers.Based on industry standardprotocols and securitymethodsNo installation or deployment of proprietary protocols isrequired.SA Series investment can be leveraged across manyapplications and resources over time.Extensive directory integrationand broad interoperabilityExisting directories in customer networks can beleveraged for authentication and authorization, enablinggranular secure access without recreating those policies.Existing directory investments can be leveraged with noinfrastructure changes—there are no APIs for directoryintegration, as they are all native/built in.Integration with strongauthentication and identityand access management(IAM) platformsProvides ability to support SecurID; Security AssertionMarkup Language (SAML), including standards-basedSAML v2.0 support, and PKI/digital certificates. IncludesSAML 2.0 support for web/cloud single sign-on (SSO).Leverages existing corporate authentication methods tosimplify administration, and allows enterprises to easilyand securely federate user identity with Software-as-aService (SaaS) and other cloud-based applications.Multiple hostname supportProvides the ability to host different virtual extranetwebsites from a single SA Series appliance.Saves the cost of incremental servers, easesmanagement overhead, and provides a transparent userexperience with differentiated entry URLs.Customizable user interfaceAllows for creation of completely customized sign-onpages, including customized landing pages for tablets.Provides an individualized look for specified roles,streamlining the user experience.Juniper Networks Network andSecurity Manager (NSM)Provides intuitive centralized UI for configuring, updating,and monitoring SA Series appliances within a singledevice/cluster or across a global cluster deployment.Enables companies to conveniently manage, configure,and maintain SA Series appliances and other Juniperdevices from one central location.In Case of Emergency (ICE)(option)Provides licenses for a large number of additional userson an SA Series appliance for a limited time when adisaster or epidemic occurs.Enables a company to continue business operations bymaintaining productivity, sustaining partnerships, anddelivering continued services to customers when theunexpected happens.Cross-platform supportProvides the ability for any platform to gain access toresources such as Windows, Mac OS, Linux, or mobiledevices running various mobile operating systems,including Apple iOS, Google Android, Microsoft WindowsMobile, Nokia Symbian, and RIM Blackberry.Provides flexibility in allowing users to access corporateresources from virtually any type of device using virtuallyany type of OS.Enterprise licensingAllows any organization with one or more devices toeasily lease licenses from one appliance to another asrequired to adapt to changing organizational needs.Provides administrators the ability to start with minimalper-device licensing costs and then incrementallyupgrade to enterprise leased licensing capabilities asneeded.Rich Access Privilege Management CapabilitiesThe SA2500, SA4500, and SA6500 provide dynamic access privilege management capabilities without infrastructure changes, customdevelopment, or software deployment/maintenance. This facilitates the easy deployment and maintenance of secure remote access, aswell as secure extranets and intranets. When users log in to the SA Series SSL VPN Appliances, they pass through a pre-authenticationassessment and are then dynamically mapped to the session role that combines established network, device, identity, and session policysettings. Granular resource authorization policies further ensure exact compliance to security restrictions.4
Table 3: Access Privilege Management Features and BenefitsFeatureFeature DescriptionBenefitsUAC-SA federationSeamlessly provision SA Series user sessions into JuniperNetworks Unified Access Control upon login—or thealternative (provisioning of UAC sessions into the SASeries). Users need to authenticate only one time to getaccess in these types of environments.Provides users—whether remote or local—seamlessaccess with a single login to corporate resources that areprotected by access control policies from UAC or the SASeries.Simplifies the end user experience.Certificate authentication tobackend serversEnables customers to enforce client authentication ontheir secure backend servers, and allows the SA Series topresent an administrator-configured certificate to theseservers for authentication.Allows customers to mandate strict SSL policies on theirbackend servers by configuring client authentication.Client certificateauthentication for ActiveSyncAny mobile device supporting ActiveSync, along withclient-side certificates, can now be challenged by the SASeries for a valid client certificate before being allowedaccess to the ActiveSync server.Enables the administrator to enforce strict mobileauthentication policies for ActiveSync access frommobile devices.Multiple sessions per userAllows remote users to launch multiple sessions to theSA Series appliance.Enables remote users to have multiple authenticatedsessions open at the same time.User-record synchronizationSupports synchronization of user records such as userbookmarks across different standalone (non-clustered)SA Series appliances.Ensures ease of experience for users who often travelfrom one region to another and therefore need toconnect to different SA Series appliances.Virtual Desktop Infrastructure(VDI) supportAllows interoperability with VMware View Manager toenable administrators to deploy virtual desktops with theSA Series appliances.Provides seamless access to remote users to their virtualdesktops hosted on VMware servers. Provides dynamicdelivery of the VMware View Client, including dynamicclient fallback options to allow users to easily connect totheir virtual desktops.ActiveSync featureProvides secure access connectivity from mobile devices(such as mobile devices running Symbian, WindowsMobile, iOS, or Android) to the Exchange server with noclient software installation.Enables up to 5,000 simultaneous sessions on theSA6500.Enables customers to allow a large number of users—including employees, and authorized contractors andpartners—to access corporate resources through mobiledevices via ActiveSync.Mobile-friendly SSL VPN loginpagesProvides predefined HTML pages that are customized formobile devices, including Apple iPhones and iPad, GoogleAndroid, and other mobile devices.Provides mobile device users with a simplified andenhanced user experience with Web pages customized totheir device types.Dynamic role mapping withcustom expressionsCombines network, device, and session attributes todetermine which types of access are allowed. A dynamiccombination of attributes on a per-session basis can beused to make the role mapping decision. Customizedvariables as well as FASC-N attributes are supported.Enables the administrator to provision by purpose foreach unique session.Resource authorizationProvides extremely granular, differentiated access controlto the URL, server, or file level for users based on theirdifferent roles.Allows administrators to tailor security policies to specificgroups and user roles, providing authorized access only toessential data.Granular auditing and loggingCan be configured to the per-user, per-resource, andper-event level for security purposes as well as capacityplanning.Provides fine-grained auditing and logging capabilities ina clear, easy-to-understand format.Suitable for regulatory compliance and associatedaudits.Flexible Single Sign-On (SSO) CapabilitiesThe SA2500, SA4500, and SA6500 offer comprehensive SSO features. These features increase end user productivity and quality ofexperience, greatly simplify administration of large diverse user resources, and significantly reduce the number of help desk calls.Table 4: Flexible Single Sign-on Features and BenefitsFeatureFeature DescriptionBenefitsKerberos ConstrainedDelegationProvides support for Kerberos Constrained Delegationprotocol. When a user logs in to the SA Series witha credential that cannot be proxied through to thebackend server, the SA Series appliance retrieves aKerberos ticket on behalf of the user from the ActiveDirectory infrastructure. The ticket is cached on the SASeries appliance throughout the session. When the useraccesses Kerberos-protected applications, the SA Seriesuses the cached Kerberos credentials to log the user intothe application without prompting for a password.Eliminates the need for companies to manage staticpasswords, resulting in reduced administration time andcosts.5
Product OptionsThe SA2500, SA4500, and SA6500 appliances include variouslicense options for greater functionality.User License (Common Access License)With the release of the SA2500, SA4500, and SA6500 appliances,purchasing has been simplified, thanks to a combination of featuresthat were once separate upgrades. Now, there is only one licensethat is needed to get started: the user licenses.With SSL VPN 7.1 software (or later), common access licenses arenow available as user licenses. With common access licensing, userlicenses can either be used for SA Series user sessions or JuniperNetworks IC Series Unified Access Control Appliances user sessions.This simplifies the licensing model that can be used across SASeries and UAC models. Please see the “Ordering Information”section for the common access license SKUs that can be used forthe SA Series or for the UAC models going forward.User licenses provide the functionality that allows the mobile,remote, and intranet user to access the network, cloud, and theirresources. They fully meet the needs of both basic and complexdeployments with diverse audiences and use cases, and theyrequire little or no client software, server changes, DMZ build-outs,or software client deployments. And for administrative ease ofuser license counts, each license only enables as many users asspecified in the license and are additive. For example, if a 100-userlicense was originally purchased, and the concurrent user countgrows over the next year to exceed that amount, simply addinganother 100-user license to the system now allows for up to 200concurrent users.Key features enabled by this license include: Junos Pulse, Secure Application Manager, and Network Connectprovide cross-platform support for client/server applications usingSAM, as well as full network-layer access using either the ESP orSSL transport mode o
The Juniper Networks SA2500, SA4500, and SA6500 SSL VPN Appliances meet the needs of companies of all sizes. SA Series SSL VPN Appliances use SSL, the security protocol found in all standard Web browsers. The use of SSL eliminates the need for pre-installed client software, changes to int
Go to SETUP - VPN Settings - SSL VPN Server - SSL VPN Policies, create a policy that allow the SSL VPN users to access remote network. Add a SSL VPN policy and follow below parameters on SSL VPN Policy Configuration Page. Policy For: Global Apply Policy to: All Addresses Policy Name: Allow_all_address Begin: 0 End: 65535 Service: All .
Juniper Networks SA Series SSL VPN Appliances lead the SSL VPN market with a complete range of remote access appliances, including the new, next-generation Juniper Networks SA2500, SA4500, and SA6500 SSL VPN Appliance with its high scalability and redundancy capabilities that are specifically designed for large enterprises and service providers.
SSL VPN Client for Windows/Mac OS ZyWALL 110 VPN Firewall ZyWALL 1100 VPN Firewall USG20W-VPN VPN Firewall ZyWALL 310 VPN Firewall. Datasheet ZyWALL 110/310/1100 and USG20(W)-VPN 5 Model ZyWALL 110 ZyWALL 310 ZyWALL 1100 USG20-VPN USG20W-VPN Prod
7. SSL VPN requires DUO 2FA. In this illustration, DUO Push is used. Tap Login request Approved to complete the profile setup. The setup is now completed and a SSL VPN connection is made too. D. Connect to CUHK SSL VPN 1. Open ArubaVIA , VPN DISCONNECTED will then be prompted. Click to Connect to establish a SSL VPN connection
IPsec VPN Throughput (512 byte) 1 98 Gbps Gateway-to-Gateway IPsec VPN Tunnels 20,000 Client-to-Gateway IPsec VPN Tunnels 100,000 SSL-VPN Throughput 10 Gbps Concurrent SSL-VPN Users (Recommended Maximum, Tunnel Mode) 30,000 SSL Inspection Throughput (IPS, avg. HTTPS) 3 17 Gbps SSL Inspection CPS (IPS, avg. HTTPS) 3 9,500 SSL Inspection .
The information in this document applies both to IPsec VPNs and SSL VPNs unless otherwise noted. The encrypted tunnels for SSL VPNs use TCP port 443, which is usually allowed by intermediate firewalls by default. SSL VPN tunnels and the SSL VPN Portal are different remote access methods. You access SSL VPN tunnels using the Stonesoft VPN .
VPN Passthrough: having the device installed as an intermediate part of a secure VPN, requires additional VPN gateway. Remote User VPN Site-to-Site VPN Termination PPTP Termination ( refer to page 15) Peplink Site-to-Site VPN ( refer to page 10) . t Requirement System Requirement for Site-to-Site VPN Configuration When configuring a VPN .
a group level, or would be more usefully reported at business segment level. In some instances it may be more appropriate to report separately KPIs for each business segment if the process of aggregation renders the output meaningless. For example it is clearly more informative to report a retail business segment separately rather than combining it with a personal ﬁ nancial services segment .