
JUNIPER NETWORKS IC Series

Description

Juniper Networks IC Series Unified Access Control Appliances, UAC Agent, Junos Pulse and Enforcement Points

Part Number

IC Series

Manufacturer

JUNIPER NETWORKS

Category

PRODUCTS - I

Datasheet

pdf file

Juniper-Networks-IC-Series-Unified-Access-Control-datasheet1-452791301.pdf

578 KiB

Extracted Text

DATASHEET

UNIFIED ACCESS CONTROL

IC Series Unified Access Control Appliances, UAC Agent, Junos Pulse and Enforcement Points

Product Overview

Network access control ensures users and devices are authorized to access the network and its resources, and meet security posture. Organizations need a flexible solution that protects their network investments today and in the future, supports phased deployments and grows to cover an entire enterprise. Juniper Networks is the only vendor who can deliver comprehensive, standards-based enterprise-wide access control. Juniper Networks Unified Access Control is a uniquely extensible, open solution that delivers granular access control to the entire distributed enterprise, from remote users and branch offices to the data center, while reducing cost and complexity. UAC addresses myriad network challenges such as insider threats, guest access, secure outsourcing, and regulatory compliance, while delivering scalable, adaptive access control—protecting networks, their mission-critical applications, and sensitive data.

Product Description

Juniper Networks® Unified Access Control (UAC) delivers comprehensive, granular network and application access control for even the most diverse, complex environments, reducing cost and maximizing efficiencies. UAC offers best-in-class performance and scalability with centralized policy management, simplifying deployment, administration, and management. UAC combines user identity, device security state, and network location information to create a unique, dynamic access control policy—per user and per session. UAC incorporates different levels of session-specific policy to create extremely granular access control that is easy to deploy, maintain, and dynamically modify.

Juniper Networks UAC can be enabled at Layer 2 using 802.1X, at Layer 3 using an overlay deployment, or in mixed mode using 802.1X for network admission control and a Layer 3 overlay deployment for resource access control. UAC fully integrates with any vendor’s 802.1X-enabled access points or switches, including Juniper Networks EX Series Ethernet Switches which, when combined with UAC, deliver additional, rich policy enforcement capabilities. You can leverage your existing 802.1X infrastructure; any Juniper Networks firewall platform, including the SRX Series Services Gateways; or both for policy enforcement and granular access control without the need to redeploy anything. UAC also supports the Juniper Networks J Series Services Routers as Layer 3 enforcement points. UAC is the first access control solution to support Layer 2 – Layer 7 policy enforcement with unparalleled visibility into application traffic at Layer 7 by leveraging the standalone Juniper Networks IDP Series Intrusion Detection and Prevention Appliances as UAC enforcement points.

UAC offers and operates with the UAC Agent and its agent-less mode, as well as offering and incorporating Juniper Networks Junos® Pulse, Juniper’s integrated, multi-service network client which enables anytime, anywhere connectivity, security and acceleration with a simplified user experience. Standards-based Junos Pulse serves as the end user client for the multi-service, interoperable Junos Pulse Gateways, including the IC Series Unified Access Control Appliances, delivering dynamic, granular identity- and role-based network and application access control. Easy to deploy and manage, Junos Pulse enables safe, protected cloud and network access for a diverse user audience using a variety of devices.

Juniper Networks UAC is deployed quickly and easily. UAC includes an optional “step-by-step” configuration wizard to aid administrators in configuring common UAC deployment scenarios. UAC also allows you and your users to ease into policy enforcement by enabling you to phase your access control deployment and allowing it to be run in audit mode.

UAC offers industry-leading, dynamic, pre-authentication antispyware protection for Microsoft Windows endpoint devices attempting network access. UAC also provides device patch assessment checks, including endpoint inspection for targeted operating system or application hot fixes, and patch remediation services for devices that do not meet policy and require patch updates.

Juniper Networks is a strong supporter of open standards, including those of the Trusted Computing Group’s (TCG) Trusted Network Connect (TNC) Work Group, which ensure interoperability with a host of network and security offerings. Through its support of the TNC standard Statement of Health (SOH) protocol, UAC interoperates with the Microsoft Windows SOH and embedded Microsoft Network Access Protection (NAP) Agents, enabling you to use your existing Microsoft Windows 7, Windows Vista and/or Windows XP SP3 clients with Juniper Networks UAC. UAC also supports the TNC’s open standard Interface for Metadata Access Point (IF-MAP), enabling integration with third-party network and security devices—including nearly any device that supports the IF-MAP standard and which collects information about the happenings on or status of your network. UAC can leverage this data when formulating control decisions, taking any necessary and appropriate actions.

UAC leverages other network components to ensure secure network and application access control, address specific use cases, and centralize network policy management. UAC integrates with the standalone Juniper Networks IDP Series appliances and the SRX Series data center gateways to deliver broad application traffic visibility, mitigating insider threats by isolating threats to the user or device level and employing an applicable policy action against an offending user or device. UAC ties user identity and role information to network and application access, addressing regulatory compliance and audit demands.

UAC has also enhanced its guest user access control capabilities which provide role-based access control for guests, partners, and contractors. UAC’s guest user access control delivers secure, authorized network resource access for guests, partners and contractors, manages their network use, and reduces threats from unauthorized users and compromised devices. UAC also enables enterprise selected and approved Guest User Account Managers to provision time limited temporary guest access accounts for corporate guest users.

The implementation and enforcement of consistent remote and local access control policy across a distributed enterprise is assured when UAC is deployed with Juniper Networks Network and Security Manager (NSM) and the market-leading Juniper Networks SA Series SSL VPN Appliances. UAC enables the federation of user session data between the SA Series and UAC, seamlessly provisioning SSL VPN user sessions into UAC upon login, or alternatively UAC user sessions into SSL VPN. The federation of UAC session data between IC Series Unified Access Control Appliances and SA Series appliances is a vital part of the Location Awareness and Session Migration capabilities found within Junos Pulse. Similarly, federation allows users authenticated to one IC Series UAC Appliance to also access resources protected by another IC Series appliance on the network without reauthentication, enabling “follow-me” policies.

Juniper Networks UAC is composed of three components:

IC Series UAC Appliance

At the heart of UAC are the IC Series UAC Appliances—hardened, purpose-built, centralized policy management servers that work with Junos Pulse, the UAC Agent, or UAC’s agent-less mode to obtain user authentication, endpoint security state, and device location data from a user’s endpoint device. The IC Series appliances use this data to create dynamic policies that are propagated to policy enforcement points across the distributed network. The IC Series appliances manage and administer access control prior to session login and throughout the session. No forklift upgrade of existing infrastructure is required to deploy UAC.

UAC leverages Juniper’s market-leading SA Series SSL VPN Appliances’ policy control engine and their ability to seamlessly integrate with existing AAA/identity and access management infrastructure. IC Series appliances also feature integrated RADIUS capabilities and enhanced services from Juniper Networks SBR Enterprise Series Steel-Belted Radius Servers, which support an 802.1X transaction when an endpoint attempts network connection. The IC Series UAC Appliances may also be licensed as standalone RADIUS servers, too.

You can implement access control quickly and simply within your heterogeneous network by deploying a single IC Series UAC Appliance with your existing vendor-agnostic 802.1X switches or access points, Juniper Networks EX Series switches, Juniper Networks firewalls including the SRX Series Services Gateways, or J Series routers.

IC Series appliances are available in several different form factors. Juniper Networks IC4500 Unified Access Control Appliance addresses the access control needs of medium to large organizations or remote and branch offices. It scales to handle thousands of simultaneous endpoints and may be deployed in cluster pairs for high availability (HA). Juniper Networks IC6500 Unified Access Control Appliance is designed for use in large organizations and government agencies, offering the capacity to handle tens of thousands of simultaneous endpoints. The IC6500 FIPS meets the needs of the most demanding and complex government agencies and secure enterprise environments—offering the same functionality available on the IC6500 appliance, while adding a dedicated FIPS 140-2 Level 3 certified hardware security module to handle all cryptographic operations. These devices offer a number of redundant and HA features, including dual, hot swappable mirrored SATA hard drives, dual, hot swappable fans, and, as an option, dual, hot swappable power supplies (IC6500 and IC6500 FIPS). The IC6500 and IC6500 FIPS may be deployed in multi-unit clusters to increase performance and provide additional scalability, able to handle multiple tens of thousands of simultaneous endpoints. Also, with UAC’s adoption of the TNC’s IF-MAP open, standard specification, the IC4500, IC6500, and IC6500 FIPS can serve as mixed UAC policy managers and Metadata Access Point (MAP) servers (with at least 50 concurrent user license minimum), or as standalone MAP servers (through a separate, dedicated IF-MAP license), extending UAC’s integration with third-party network and security devices.

Also, the IC4500, IC6500 and IC6500 FIPS (with UAC 3.0 R2) have met the target assurance level of EAL3+ (augmented with ALC_FLR.2), and this evaluation was conducted in accordance with the Common Criteria.

UAC Agent and Junos Pulse

The UAC Agent is a dynamically downloadable agent that can be preconfigured through the Odyssey Client Administrator, provisioned in real time by the IC Series, installed using Juniper’s Installer Service, delivered via Systems Management Server (SMS), or deployed by other distribution means. The same UAC Agent can be used in wired, wireless, or combined deployments. The UAC Agent is also available as a cross-platform, dynamically downloadable lightweight agent. UAC also supplies an agent-less mode for circumstances where the download of software is not feasible. The UAC Agent can be delivered based on role, linking agent-based or agent-less access dynamically to user or device identity.

The UAC Agent collects user and device credentials, and assesses the endpoint’s security state. It delivers integrated 802.1X functionality from Juniper Networks Odyssey Access Client (OAC)—an 802.1X client/supplicant—as well as Layer 3-7 functionality, including an integrated personal firewall for dynamic client-side policy enforcement. It also includes specific functionality for Microsoft Windows devices such as IPsec VPN as an optional secure transport using IPsec to enable encryption from the endpoint to a firewall for session integrity and privacy, and single sign-on (SSO) to Microsoft Active Directory.

The UAC Agent’s integrated Host Checker functionality, which is used in thousands of SA Series SSL VPN deployments, enables you to define policy that scans endpoints attempting to connect to your network for a variety of security applications and states—including antivirus, antimalware, and personal firewalls. It also enables custom checks of elements such as registry and port status, and can perform an MD5 checksum to verify application validity. UAC also offers industry-tested, dynamic antispyware/antimalware protection for Microsoft Windows endpoint devices that attempt network access, scanning device memory, registry and load points, pre-authentication, for spyware and keyloggers. The UAC Agent’s Host Checker can also assess an endpoint during machine authentication, mapping the device to a different role and placing it into remediation based on assessment results. Deployment is simplified through predefined Host Checker policies and the automatic monitoring of antivirus and antispyware signatures and patches for the latest definition files for posture assessment.

Supporting the most popular enterprise computing platforms, the UAC Agent delivers cross-platform support, including Layer 2 and Layer 3 authentication and endpoint integrity for devices running Microsoft Windows 7 Enterprise, Windows Vista (32- and 64-bit), Windows XP, and Windows 2000 operating systems, as well as devices running Apple Mac OS operating system software.

Juniper also offers Junos Pulse as an option for UAC customers with Microsoft Windows based devices. Like the UAC Agent, Junos Pulse deployed with UAC delivers granular access control based on user identity and role, device type and integrity, and location. UAC customers are able to select a dynamic download of Junos Pulse or the UAC Agent from their IC Series appliance. Junos Pulse operates like the UAC Agent, gathering user and device credentials, and checking an endpoint’s security status. Junos Pulse also includes Host Checker functionality as well as offering dynamic antispyware/antimalware protection for Microsoft Windows based devices, like the UAC Agent. Junos Pulse, though, leverages and integrates with the native 802.1X supplicant available within the Microsoft Windows operating systems to deliver Layer 2 access control, in addition to delivering Layer 3 authentication and IPsec tunneling with any Juniper Networks firewall including the SRX Series gateways.

Figure 1: Standards-based Juniper Networks Unified Access Control (UAC) works with existing and new network components to deliver comprehensive network and application access control

UAC Enforcement Points

UAC enforcement points include any 802.1X compatible wireless access point and switch, including the Juniper Networks EX2200, EX3200, EX4200 and EX8200 line of switches; any Juniper Networks firewall/VPN platform; J Series Services Routers (running up to Junos OS 10.4); and standalone IDP Series appliances, as well as SRX Series gateways providing role-based, application-level policy enforcement. Juniper Networks firewall products, including the SRX Series, Juniper Networks SSG Series Secure Services Gateways, and Juniper Networks ISG Series Integrated Security Gateways act as Layer 3-7 overlay enforcement points for UAC. For organizations desiring Layer 2 port-based enforcement, UAC’s support for vendor-agnostic 802.1X switches and wireless access points enables them to quickly realize the benefits of access control without requiring a hardware overhaul. The EX Series switches, when used in conjunction with UAC, can apply quality of service (QoS) policies or mirror user traffic to a central location for logging, monitoring, or threat detection with intrusion prevention systems. J Series routers may also serve as Layer 2 UAC enforcement points. And, with Juniper’s standalone IDP Series appliances serving as role-based application-level policy enforcement points, UAC is able to deliver access control to the application layer within your network.

Many Juniper Networks firewalls also support unified threat management (UTM) capabilities including IPS functionality, network-based antivirus, antispam, anti-adware, antiphishing, and URL filtering capabilities. This functionality can be dynamically leveraged as part of UAC to enforce and unify access control and security policies on a per user and per session basis, delivering comprehensive network access and threat control. UAC enforcement points may also be implemented in transparent mode, which requires no rework of routing and policies, or changes to the network infrastructure. They may also be set up in audit mode to determine policy compliance without enforcement, enabling you and your users to ease into access control.

Features and Benefits

Table 1: Advanced Network and Application Protection

Juniper Networks UAC is a self-administering platform which intelligently quarantines non-compliant users and devices, and delivers extended remediation capabilities. It enables the automatic quarantine and remediation of users and devices that do not meet access and security policies prior to granting network access, as well as users and devices that do not adhere to policy during their network session. UAC also delivers automatic remediation for non-compliant devices, many times without user intervention or other assistance. UAC’s self-administering platform saves time and cost, while increasing user and support staff productivity by minimizing user downtime and help desk calls.
Feature: Role-based application-level policy enforcement
Feature Description:
• Leverages standalone IDP Series appliances as enforcement points
• Enables application-specific policy rules to be enforced via any level of granularity
• Policies can also be defined to control time of day and bandwidth restrictions per application or per role
Benefits:
• The first access control solution to support full Layer 2 - Layer 7 enforcement
• Enables access control and security policies to be applied to the application-level, granularly protecting your network, applications, and data
• Ensures that users adhere to application usage policies, controlling access to applications such as instant messaging, peer-to-peer, and other corporate applications

Feature: Automated patch assessment checks and remediation
Feature Description:
• Provides device patch assessment checks through OEM integration of Shavlik Technologies’ Shavlik NetChk Protect predefined patch assessment technologies, including endpoint inspection for targeted operating systems or application hot fixes
• Can tie access directly to the presence or absence of specific hot fixes for defined operating systems and applications, and performs role-based, predefined patch management checks according to vulnerability severity level
• Installed Systems Management Server (SMS) or System Center Configuration Manager (SCCM) 2007 can be leveraged to automatically check for patch updates, quarantining, remediating, and providing authorized network access once a device has been remediated
• Shavlik’s automatic patch remediation capabilities are available, which enables specific patches to be identified and applied, if needed. Shavlik NetChk Protect provides Microsoft patches and supports patches for non-Microsoft products, directly downloading missing patches from the appropriate vendor’s website. Internet connectivity is required for Shavlik remediation to work
Benefits:
• Enables more enhanced, granular endpoint device health and security state assessments
• Minimizes user interaction and downtime through automatic remediation and management of patches for endpoint devices, reducing help desk calls

Feature: Dynamic antispyware/antimalware protection
Feature Description:
• Offers industry-leading, dynamic antispyware/antimalware protection from market-leader Webroot which, before authentication, scans the memory, registry and load points of an endpoint device for spyware, keyloggers and other malware
• Ties into UAC’s existing granular policy management framework to allow administrators to quarantine or restrict network access of infected devices
• Spyware signatures are automatically downloaded and updated
• Works with all Windows-based UAC Agents and Junos Pulse, as well as in UAC’s agent-less mode
• Antispyware/antimalware is also available in SA Series SSL VPN Appliances
Benefits:
• Ensures unmanaged and managed Windows devices are not running spyware, keyloggers or other malware before authentication
• Quarantines or restricts device access through UAC’s existing granular policy management framework

Feature: Coordinated Threat Control
Feature Description:
• Leverages robust features and capabilities of the standalone IDP Series appliances and Juniper Networks SRX3400, SRX3600, SRX5600 and SRX5800 Services Gateways to deliver broad Layer 2 - Layer 7 visibility into application traffic
• Isolates a threat down to the user or device level—in conjunction with the IDP Series appliances and SRX3400, SRX3600, SRX5600 and SRX5800 gateways—and employs a specific, configurable policy action against the offending user or device
Benefits:
• Addresses and mitigates network insider threats quickly and simply
• Minimizes network and user downtime

Feature: Captive Portal
Feature Description:
• If a user attempts unauthorized network access via a web browser, administrators have an option to redirect the user to an IC Series appliance for authentication
• Once the user logs in to the IC Series appliance with appropriate credentials, the IC Series will redirect the web browser back to the original resource from which it had been redirected
Benefits:
• Redirects users to login to the IC Series appliance before they can reach their desired resource within the network, providing further network protection

Table 2: Identity-Enabled Network and Application Control, Visibility, and Monitoring

UAC correlates user identity and role information to network and application security and usage. With UAC, you will know who is accessing your network and applications, when your network and applications are being accessed, what is being accessed, and where the user and device has been on your network. UAC provides valuable, effective tracking and auditing of network and application access, which helps address regulatory compliance requirements and audits.

Feature: Federation – UAC – SA Series and IC Series – IC Series
Feature Description:
• Federation of user sessions between SA Series SSL VPN Appliances and UAC enables seamless provisioning of SSL VPN user sessions into UAC upon login, or alternatively UAC user sessions into SSL VPN at login
• Users authenticated to one IC Series appliance may, if authorized, access resources protected by another IC Series UAC Appliance, enabling “follow-me” policies
• UAC leverages the Trusted Computing Group’s (TCG) Trusted Network Connect (TNC) standard protocol Interface for Metadata Access Point (IF-MAP) to enable federation
Benefits:
• Provides users—whether remote or local—with seamless access to corporate resources protected by uniform access control policies through a single login, offering a consistent user access experience
• Enables the Location Awareness and Session Migration capabilities of Junos Pulse

Feature: Role-based Unified Threat Management (UTM) policy application
Feature Description:
Create and apply role-based threat management policies, such as network IPS, network antivirus, network antispyware, and/or network URL filtering
Benefits:
Delivers dynamic access control and dynamic threat control

Feature: Identity-enabled data center and branch firewalling
Feature Description:
• Combines UAC’s identity-aware capabilities with the robust networking and security services of the SRX Series Services Gateways
• Enables SRX Series gateways to be employed as UAC enforcement points
• Adds “Username” and “Role” information to the SRX Series Services Gateways’ logs, enhancing monitoring, troubleshooting, and regulatory compliance
• Available on all SRX Series Services Gateways running Juniper Networks Junos® operating system 9.4 or higher
Benefits:
• Drastically increases scalability for data center environments and branch office alike
• Enables organizations to leverage enforcement in the world’s most demanding and high-performance data centers

Table 3: Standards-Based, Interoperable Access Control

Juniper Networks UAC provides standards-based, vendor-agnostic access control and seamless support for existing, heterogeneous network environments. UAC leverages industry-standards including 802.1X, RADIUS, and IPsec, as well as innovative, open standards, such as the Trusted Network Connect’s (TNC) standards for network access control and network security, delivering a comprehensive, standards-based access control solution. UAC has been built on industry leading products, including the policy engine, AAA capabilities, and host checking of Juniper Networks SA Series SSL VPN Appliances, RADIUS capabilities from SBR Enterprise Series Steel-Belted Radius Servers, 802.1X capabilities from OAC in the UAC Agent, and interoperability with the Microsoft Windows native 802.1X client/supplicant for Junos Pulse. Standards-based UAC facilitates quick, simple, and flexible access control deployments, delivers investment protection, time and cost savings, and alleviates single vendor lock-in.
Feature: Junos Pulse
Feature Description:
• Integrated, multi-service network client that enables anytime, anywhere connectivity, security and acceleration with a simplified user experience
• When deployed as the client for UAC, delivers dynamic, granular identity- and role-based network access control (NAC)
• Leverages existing 802.1X client/supplicant native to Microsoft Windows to deliver Layer 2 access control
• Delivers Layer 3 authentication and IPsec tunneling with Juniper firewalls and SRX Series Services Gateways
• Supports Microsoft Windows XP, Vista (32- and 64-bit) and Windows 7 (32- and 64-bit)
Benefits:
• Delivers granular access control based on user identity and role, device type and integrity, and location
• Helps identify who is accessing a network and its applications, when, how, from where, and by what device

Feature: TNC open standards support
Feature Description:
Adopts and provides strong support for the TCG’s TNC open standards for network access control and security
Benefits:
• Enables choice by empowering organizations to select endpoint and network security solutions that meet their needs without concern for interoperability
• Enables ease-of-deployment, leading to faster ROI

Feature: IF-MAP support
Feature Description:
• Adopts and utilizes the TNC’s open standard IF-MAP
• Enables integration with third-party network and security devices, including devices that collect and through IF-MAP, share information on the state and status of a network, user or device
• Allows devices to report back to the IC Series appliances serving as MAP (Metadata Access Point) servers, enabling the collected data to be used in formulating policies and appropriate access actions
• Enables IC Series appliances to serve as standalone MAP servers (through a separate, dedicated IF-MAP license), or as mixed IC Series appliances and MAP servers (with at least a 50 concurrent user license)
• Supports a MAP server running on standalone IC Series or in active/passive cluster pairs
Benefits:
• Integrates existing, third-party network and security devices into the access control platform
• Enhances visibility into the state of and actions on or by a network, user and device—and collects and incorporates that data into the access control policy decision process

Feature: Windows Statement of Health (SOH) and embedded NAP agent support
Feature Description:
• Allows organizations—through the TNC SOH standard—to leverage their pre-installed Microsoft Windows 7, Windows Vista and XP SP3 clients with UAC for access control
• Allows the use of the Windows Security Center (WSC) SOH in access control decisions
• Can pass the SOH to a Microsoft NPS server for external enforcement and validation of the SOH and transmit the information back to the IC Series for use in access control decisions
Benefits:
• Streamlines client deployment
• Simplifies access control rollout and implementation

Feature: EX Series Ethernet Switch interoperability
Feature Description:
• EX2200, EX3200, EX4200 and EX8200 interoperate with and serve as enforcement points within UAC—using standards-based 802.1X port-level access control and Layer 2-4 policy enforcement
• When deployed with UAC, EX Series switches can enforce user-based QoS policies, or mirror user traffic to a central location for logging, monitoring, or threat detection
Benefits:
Delivers a complete, standards-based, best-in-class network access control (NAC) solution, allowing organizations to enjoy value-added features and economies of scale for support and service

Feature: FIPS Compliance
Feature Description:
• IC6500 FIPS offers the same functionality as the IC6500 UAC Appliance while adding a dedicated FIPS 140-2 Level 3 certified hardware security module (HSM) to handle all cryptographic operations, and tamper evident labels to deter physical security breaches and provide a visual indication of device integrity
• Can be deployed with OAC FIPS Edition (using Juniper Networks Odyssey Security Component cryptographic module FIPS 140-2 Level 1, Certificate #569, conforming to NIST and DoD guidelines for the use of 802.11i and TLS-based EAP methods)
Benefits:
Enables agencies to deploy comprehensive, scalable network access control which meets government approved standards

Feature: Common Criteria Acceptance
Feature Description:
IC Series UAC Appliances (with UAC 3.0 R2) meet the target assurance level of EAL3+ (augmented with ALC_FLR.2), with this evaluation conducted in accordance with the Common Criteria.
Benefits:
Adheres to U.S. government and international regulatory standards in delivering robust, standards-based network access control (NAC)

Table 4: Simple, Flexible Deployment

The innovative design of the standards-based Juniper Networks UAC enables organizations to begin controlling network and application access quickly and simply. Organizations are encouraged to initiate network access control with UAC in a phased approach, beginning with a small deployment and growing to support hundreds of thousands of concurrent users through UAC’s unparalleled scalability. Organizations may also wish to initially deploy UAC in audit mode, which enables an organization to track user and device policy compliance without enforcing policies. This allows users and administrators alike to become familiar with access control policies and enables the organization to phase in policy compliance enforcement. This approach ultimately saves access control deployment time and cost.
Feature: Guest Access support
Description:
• One-time guest user accounts available
• Guest user accounts may also be provisioned with a predefined timeout period
• Administrators control the maximum time duration allowed
• Allows reception and other non-technical enterprise employees to host/provision secure guest user accounts dynamically through easy-to-use guest user account management
Benefits:
• Enhances and simplifies an organization’s ability to provide secure, differentiated guest user access to their networks

Feature: Centralized policy management
Description:
• Centralized policy management is delivered when UAC is deployed with Network and Security Manager (NSM) and SA Series
• Common configuration templates can be shared between SA Series (remote access control) and UAC (network access control) deployments using NSM
• NSM also provides a single management server that can configure key components of a UAC deployment
Benefits:
• Saves administrative time and cost, and offers a consistent user and administrative experience by delivering common remote and local access control policy implementation and enforcement across a distributed enterprise
• Makes possible and simplifies enterprise-wide deployment of uniform access control policies

Feature: Common Access Licensing
Description:
• Requires only user licenses (with appropriate IC Series appliance) to initiate access control
• User licenses can either be used for concurrent user sessions on the IC Series UAC Appliances, or the SA Series SSL VPN Appliances
• Please see the Ordering Information section for the new common access license SKUs that can now be used for the IC Series and SA Series appliances
Benefits:
• Simplifies the product licensing model that can be used across UAC and the SA Series appliances

Feature: Wizard-based Configuration
Description:
• An optional, step by step configuration wizard to aid administrators in the configuration of five of the most common UAC deployment scenarios, including:
  - System Setup
  - RADIUS Configuration
  - Guest User Management
  - UAC Layer 2 Enforcement
  - UAC Layer 3 Enforcement
• Tasks for a given deployment scenario are arranged in a well-defined, dependent order
• Wizard-based configuration admin UI navigates to the corresponding configuration screen when the administrator clicks on a particular task
Benefits:
• Aids administrators in navigating and familiarizing themselves with configuration tasks in the UAC Admin UI

Feature: Dynamic authentication policy
Description:
• Leverages an organization’s existing investments in directories, PKI, and strong authentication
• Supports 802.1X, RADIUS, LDAP, Microsoft Active Directory, RSA Authentication Manager, Network Information Service (NIS), certificate servers (digital certificates/PKI), local login/password, CA SiteMinder, RSA ClearTrust, Oblix (Oracle), and RADIUS Proxy
• Enables support—through RADIUS Proxy—for deployments where certain authentications are supported by a backend RADIUS server
Benefits:
• Saves time and expense by leveraging and interfacing with existing AAA infrastructures
• Establishes a dynamic authentication policy for each user session

Feature: Dynamically addresses unmanageable endpoint devices
Description: Employs media access control (MAC) address authentication via RADIUS, in combination with MAC address whitelisting and blacklisting; or, leverages existing policy and profile stores (through LDAP interfaces) or asset discovery or profiling solutions for role- and resource-based access control of unmanageable devices—such as networked printers, cash registers, bar code scanners, VoIP handsets, etc.
Benefits:
• Enhances network and application protection
• Makes it simpler and faster for organizations to deploy access control across their entire network regardless of device manageability
• Saves time and cost

Feature: UAC Agent and Junos Pulse localization
Description:
• Provides localized UI, online help, installer, and documentation for the UAC Agent and Junos Pulse, supporting the following languages:
  - Chinese (Simplified)
  - Chinese (Traditional)
  - French
  - German
  - Japanese
  - Korean
  - Spanish
Benefits:
• Enables organizations with users not proficient in English to effectively deploy and employ UAC across their distributed enterprise

Feature: Granular auditing and logging
Description:
• Provides fine-grained auditing and logging capabilities, including access to the IC Series RADIUS diagnostic log files, delivered in a clear, easy-to-understand format
• Captures detailed logging by roles that users belong to, resources that they are trying to access, and the state of compliance of the endpoint and user to the security policies of the network
Benefits:
• Simplifies the diagnosis and repair of network issues that arise
• Addresses industry and government regulatory compliance and audits

Feature: RADIUS Only Appliance
Description:
• Utilizes many of the features and functions found within the SBR Series servers as a basis for its AAA and RADIUS capabilities.
• New license enables organizations desiring only a RADIUS appliance to access only the AAA/RADIUS features found on the IC Series appliances
Benefits:
• Enables the IC Series UAC Appliance to be deployed as a AAA/RADIUS server
• Enables an organization to become familiar with the IC Series appliances
• Allows an organization to upgrade to a full featured UAC license at a future date

Product Options

The IC4500, IC6500, and IC6500 FIPS have several hardware and software options available:

Table 5: Product Options

Option: Cluster Licensing Options
Applicable products: IC4500, IC6500, IC6500 FIPS
Description: Customers now have the ability to build clusters without buying additional licenses. This new clustering method can be explained in two simple steps.
1. Simply place an equal number of user (“-ADD”) licenses on each box.
2. When they are joined together to form a cluster, all of the user licenses add up so that the cluster can now support all of the licensed users.
For example, building a 1,000 user cluster would be done by bringing two IC Series appliances together with 500 user licenses each on the two appliances.
Clustering allows you to share licenses from one IC Series UAC Appliance with one or more additional IC Series appliances, depending on the platform. The licenses are not additive to the concurrent user licenses. For example, if a customer has a 1,000 user license for the IC4500 and then purchases another IC4500, this will provide a total of 1,000 users that are shared across both appliances, not per appliance.
A number of High Availability clustering options have been created to support the IC Series, ensuring redundancy and seamless failover in the rare case of a system failure. Clustering also provides performance scalability to handle the most demanding usage scenarios. The IC6500 and IC6500 FIPS may be purchased in multi-unit clusters or cluster pairs to provide redundancy and expansive user scalability.

Option: Microsoft SOH Licenses
Applicable products: IC4500, IC6500, IC6500 FIPS
Description: The licensing of the System Health Agent (SHA)/System Health Verifiers (SHV) and SOH protocols from Microsoft are addressed, which are key components that enable UAC to support the Microsoft Windows SOH and embedded NAP Agent through the TNC SOH open and standardized protocol, IF-TNCCS-SOH.

Option: UAC Disaster Recovery Licenses
Applicable products: IC4500, IC6500, IC6500 FIPS
Description: UAC’s Disaster Recovery licenses address disaster situations without requiring a permanent purchase of user licenses by a customer for those types of contingencies. Also, periodic testing of disaster recovery deployment is enabled while still providing usage when needed. Disaster Recovery licenses are also available for clusters.

Option: UAC MAP Server Licenses
Applicable products: IC4500, IC6500, IC6500 FIPS
Description: Leveraging the TNC’s IF-MAP specification, IC Series (or IC Series appliance cluster) may operate solely as a MAP server with no additional simultaneous endpoint licenses or OAC-ADD-UAC licenses. In this mode, the IC Series (or clustered IC Series appliances) as MAP servers must have a MAP Server license installed. Mixed IC Series and MAP server mode is defined as any IC Series appliance that simultaneously acts as both an IC Series appliance and as a MAP server, where either a simultaneous endpoint license or an OAC-ADD-UAC license has been installed. In this case, the MAP Server license is not required on that IC Series appliance (or IC Series appliance cluster).

Option: Enhanced Endpoint Security (EES) Subscription Licenses
Applicable products: IC4500, IC6500, IC6500 FIPS
Description: In UAC, the Enhanced Endpoint Security system now offers antispyware/antimalware functionality to ensure that unmanaged and managed Microsoft Windows endpoint devices are not running spyware or keyloggers. Spyware contaminated devices may be quarantined or have restricted end user access based on policy enforcement. Scans an endpoint’s memory, registry and load points for spyware and malware. A base UAC license includes a free Enhanced Endpoint Security user license for two (2) simultaneous users, allowing users to “try before they buy.” Subscription licenses for additional Enhanced Endpoint Security users are available.

Option: RADIUS Only Licenses
Applicable products: IC4500, IC6500, IC6500 FIPS
Description: License enables organizations that wish to deploy a RADIUS appliance access to only the AAA/RADIUS features of the IC Series appliance, while introducing the organization to the IC Series appliances, as well as allowing the organization to upgrade to a full featured UAC license at a future date.

Option: Hot swappable hard disk drives
Applicable products: IC6500, IC6500 FIPS
Description: Dual, mirrored hot swappable SATA hard drives.

Option: Hot swappable power supplies
Applicable products: IC6500, IC6500 FIPS
Description: Optional dual, hot swappable power supplies. IC6500 FIPS – Second power supply optional, DC power supplies available.

Option: Dual, hot swappable fans
Applicable products: IC6500, IC6500 FIPS
Description: Dual, hot swappable fans.

Option: Four-port 10/100/1000 copper interface card (Standard)
Applicable products: IC6500 FIPS
Description: Four-port 10/100/1000 copper interface card (standard).

Specifications

Dimensions and Power

Dimensions (W x H x D)
- IC4500: 17.26 x 1.75 x 14.5 in (43.8 x 4.4 x 36.8 cm)
- IC6500 / IC6500 FIPS: 17.26 x 3.5 x 17.72 in (43.8 x 8.8 x 45 cm)
Weight
- IC4500: 15.6 lb (7.1 kg) typical (unboxed)
- IC6500 / IC6500 FIPS: 26.4 lb (12 kg) typical (unboxed) (IC6500); 26.9 lb (12.2 kg) typical (unboxed) (IC6500 FIPS)
Rack mountable
- IC4500: Yes, 1U
- IC6500 / IC6500 FIPS: Yes, 2U, 19 in
A/C power supply
- IC4500: 100-240 VAC, 60-50 Hz, 2.5 A Max, 300 W
- IC6500 / IC6500 FIPS: 100-240 VAC, 60-50 Hz, 2.5 A Max, 400 W
System battery
- IC4500: CR2032 3V lithium coin cell
- IC6500 / IC6500 FIPS: CR2032 3V lithium coin cell
Efficiency
- IC4500: 80% minimum, at full load
- IC6500 / IC6500 FIPS: 80% minimum, at full load
Material
- IC4500: 18 gauge (.048”) cold-rolled steel
- IC6500 / IC6500 FIPS: 18 gauge (.048 in) cold-rolled steel
Fans
- IC4500: Three 40 mm ball-bearing fans, One 40 mm ball-bearing fan in power supply
- IC6500 / IC6500 FIPS: Two 80 mm hot swap, One 40 mm ball-bearing fan in power supply

Panel Display

Power LED, HD activity, HW alert
- IC4500: Yes
- IC6500 / IC6500 FIPS: Yes
PS fail
- IC4500: No
- IC6500 / IC6500 FIPS: Yes
HDD activity and RAID status LEDs
- IC4500: No
- IC6500 / IC6500 FIPS: Yes

Ports

Traffic
- IC4500: Two RJ-45 Ethernet - 10/100/1000 full or half duplex (auto-negotiation)
- IC6500 / IC6500 FIPS: Four RJ-45 Ethernet – full or half-duplex (auto-negotiation) (IC6500); Four-port 10/100/1000 copper interface card (IC6500 FIPS)
Fast Ethernet
- IC4500: IEEE 802.3u compliant
- IC6500 / IC6500 FIPS: IEEE 802.3u compliant
Gigabit Ethernet
- IC4500: IEEE 802.3z or IEEE 802.3ab compliant
- IC6500 / IC6500 FIPS: IEEE 802.3z or IEEE 802.3ab compliant
Console
- IC4500: One RJ-45 serial console port
- IC6500 / IC6500 FIPS: One RJ-45 serial console port

Environment

Operating temp
- IC4500: 41° to 104° F (5° to 40° C)
- IC6500 / IC6500 FIPS: 41° to 104° F (5° to 40° C)
Storage temp
- IC4500: -40° to 158° F (-40° to 70° C)
- IC6500 / IC6500 FIPS: -40° to 158° F (-40° to 70° C)
Relative humidity (operating)
- IC4500: 8% to 90% noncondensing
- IC6500 / IC6500 FIPS: 8% to 90% noncondensing
Relative humidity (storage)
- IC4500: 5% to 95% noncondensing
- IC6500 / IC6500 FIPS: 5% to 95% noncondensing
Altitude (operating)
- IC4500: 10,000 ft (3,048 m) maximum
- IC6500 / IC6500 FIPS: 10,000 ft (3,048 m) maximum
Altitude (storage)
- IC4500: 40,000 ft (12,192 m) maximum
- IC6500 / IC6500 FIPS: 40,000 ft (12,192 m) maximum

Certifications

Safety certifications
- IC4500: EN60950-1:2001+ A11, UL60950-1:2003, CAN/CSA C22.2 No. 60950-1-03, IEC 60950-1:2001
- IC6500 / IC6500 FIPS: EN60950-1:2001+ A11, UL60950-1:2003, CAN/CSA C22.2 No. 60950-1-03, IEC 60950-1:2001
Emissions certifications
- IC4500: FCC Class A, EN 55022 Class A, EN 55024 Immunity, EN 61000-3-2, VCCI Class A
- IC6500 / IC6500 FIPS: FCC Class A, EN 55022 Class A, EN 55024 Immunity, EN 61000-3-2, VCCI Class A
Warranty
- IC4500: 90 days; Can be extended with support contract
- IC6500 / IC6500 FIPS: 90 days; Can be extended with support contract

UAC Agent, Junos Pulse and UAC Agent-less Mode – Specifications

• The Layer 2 UAC Agent (802.1X supplicant) supports Microsoft Windows 7 (32- and 64-bit), Windows Vista SP2 (32- and 64-bit), and Windows XP SP3 operating systems, and Apple Mac OS operating system software.
• The Layer 3 UAC Agent (full client) supports Microsoft Windows 7 (32- and 64-bit), Windows Vista SP2 (32- and 64-bit), and Windows XP SP3 operating systems, and Apple Mac OS operating system software. The Layer 3 UAC Agent (Java based) supports Microsoft Windows XP SP3, Apple Mac OS operating system software, and Linux operating platforms, including Fedora, Ubuntu, and openSUSE.
• The UAC agent-less mode secures devices running Microsoft Windows 7 (32- and 64-bit), Windows Vista SP2 (32- and 64-bit), and Windows XP SP3 operating systems, Apple Mac OS and Linux operating systems and platforms including Fedora, Ubuntu and openSUSE, interoperating with supported browsers including Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
• Junos Pulse deployed with/by UAC supports Microsoft Windows 7 (32- and 64-bit), Windows Vista SP2 (32- and 64-bit), and Windows XP SP3 operating systems.

For specific, supported operating system software, operating platform, and browser versions please refer to the latest version of the Unified Access Control Supported Platforms document, which may be found at www.juniper.net/techpubs/software/uac/.

Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.

Ordering Information

Model Number: Description

IC4500

Base System
IC4500: IC4500 base system

Endpoint Licenses (Common Access Licenses)
ACCESSX500-ADD-25U: Add 25 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-50U: Add 50 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-100U: Add 100 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-250U: Add 250 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-500U: Add 500 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-1000U: Add 1,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-2000U: Add 2,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-3000U: Add 3,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-5000U: Add 5,000 simultaneous endpoints to ICx500 or SAx500

Feature Licenses
IC4500-OAC-ADD-UAC: Add UAC support to Odyssey Access Clients on IC4500

Disaster Recovery Licenses
IC4500-DR: Disaster recovery license for IC4500
IC4500-DR-CL: Disaster recovery license for IC4500 cluster

Microsoft SOH License
IC4500-SOH: Microsoft SOH license for IC4500

IF-MAP License
IC4500-IFMAP: IF-MAP license for IC4500
IC4500-IFMAP-CL: IF-MAP license for IC4500 cluster

RADIUS Only License
IC4500-RADIUS-SERVER: Add RADIUS Server feature to the IC4500

IC6500

Base System
IC6500: IC6500 base system

Endpoint Licenses (Common Access Licenses)
ACCESSX500-ADD-100U: Add 100 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-250U: Add 250 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-500U: Add 500 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-1000U: Add 1,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-2000U: Add 2,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-3000U: Add 3,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-5000U: Add 5,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-10000U: Add 10,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-15000U: Add 15,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-20000U: Add 20,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-25000U: Add 25,000 simultaneous endpoints to ICx500 or SAx500
ACCESSX500-ADD-30000U: Add 30,000 simultaneous endpoints to ICx500 or SAx500

Feature Licenses
IC6500-OAC-ADD-UAC: Add UAC support to Odyssey Access Clients on IC6500

Disaster Recovery Licenses
IC6500-DR: Disaster recovery license for IC6500
IC6500-DR-CL: Disaster recovery license for IC6500 Cluster

Microsoft SOH License
IC6500-SOH: Microsoft SOH license for IC6500

IF-MAP License
IC6500-IFMAP: IF-MAP license for IC6500 /IC6500 FIPS
IC6500-IFMAP-CL: IF-MAP license for IC6500 /IC6500 FIPS cluster

RADIUS Only License
IC6500-RADIUS-SERVER: Add RADIUS Server feature to the IC6500

IC6500 FIPS

Base System
IC6500FIPS: IC6500 FIPS base system

Endpoint Licenses (Common Access Licenses)
Please refer to IC6500 endpoint licenses ordering information on previous page.

Feature Licenses
Please refer to IC6500 feature licenses ordering information.

Disaster Recovery Licenses
Please refer to IC6500 disaster recovery licenses ordering information.

Microsoft SOH License
Please refer to IC6500 Microsoft SOH license ordering information.

RADIUS Only License
Please refer to IC6500 RADIUS Only License ordering information.

Enhanced Endpoint Security (EES) Subscription Licenses
ACCESS-EES-50U-1YR: 50 Concurrent Users, 1 Year
ACCESS-EES-100U-1YR: 100 Concurrent Users, 1 Year
ACCESS-EES-250U-1YR: 250 Concurrent Users, 1 Year
ACCESS-EES-500U-1YR: 500 Concurrent Users, 1 Year
ACCESS-EES-1000U-1YR: 1,000 Concurrent Users, 1 Year
ACCESS-EES-2500U-1YR: 2,500 Concurrent Users, 1 Year
ACCESS-EES-5000U-1YR: 5,000 Concurrent Users, 1 Year
ACCESS-EES-7500U-1YR: 7,500 Concurrent Users, 1 Year
ACCESS-EES-50U-2YR: 50 Concurrent Users, 2 Years
ACCESS-EES-100U-2YR: 100 Concurrent Users, 2 Years
ACCESS-EES-250U-2YR: 250 Concurrent Users, 2 Years
ACCESS-EES-500U-2YR: 500 Concurrent Users, 2 Years
ACCESS-EES-1000U-2YR: 1,000 Concurrent Users, 2 Years
ACCESS-EES-2500U-2YR: 2,500 Concurrent Users, 2 Years
ACCESS-EES-5000U-2YR: 5,000 Concurrent Users, 2 Years
ACCESS-EES-7500U-2YR: 7,500 Concurrent Users, 2 Years
ACCESS-EES-50U-3YR: 50 Concurrent Users, 3 Years
ACCESS-EES-100U-3YR: 100 Concurrent Users, 3 Years
ACCESS-EES-250U-3YR: 250 Concurrent Users, 3 Years
ACCESS-EES-500U-3YR: 500 Concurrent Users, 3 Years
ACCESS-EES-1000U-3YR: 1,000 Concurrent Users, 3 Years
ACCESS-EES-2500U-3YR: 2,500 Concurrent Users, 3 Years
ACCESS-EES-5000U-3YR: 5,000 Concurrent Users, 3 Years
ACCESS-EES-7500U-3YR: 7,500 Concurrent Users, 3 Years

Accessories
IC6500-PS: Field upgradeable secondary power supply for IC6500 /IC6500 FIPS
SA-ACC-RCKMT-KIT-1U: SA Series and IC Series rack mount kit - 1U
SA-ACC-RCKMT-KIT-2U: SA Series and IC Series rack mount kit - 2U
SA-ACC-PWR-AC-UK: SA Series and IC Series AC power cord UK
SA-ACC-PWR-AC-EUR: SA Series and IC Series AC power cord EUR
SA-ACC-PWR-AC-JPN: SA Series and IC Series AC power cord JPN

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.

Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

1000137-010-EN Nov 2011

Frequently asked questions

What makes Elite.Parts unique?

At GID Industrial (Elite.Parts' parent company), we specialize in procuring industrial parts. We know where to find the rare and obsolete equipment that our customers need in order to get back to business. There are other companies who claim to do what we do, but we're confident that our commitment to quality and value is unparalleled in our field.

What kind of warranty will the IC Series have?

Warranties differ by part and by which suppliers we use to procure it for you. Sometimes, a part will be sold as-is and without a warranty. Our specialty, single board computers, tend to receive a one-year warranty.

Which carriers does Elite.Parts work with?

Elite.Parts can ship via FedEx, UPS, DHL, and USPS. We have accounts with each of them and generally ship using one of those, but we can also ship using your account if you would prefer. We can also use other carriers if that is more convenient for you.

Will Elite.Parts sell to me even though I live outside the USA?

Absolutely! We are happy to serve customers regardless of location. We work with international clients all the time, and we are familiar with shipping to destinations all across the globe.

I have a preferred payment method. Will Elite.Parts accept it?

All major credit cards are accepted: Visa, MasterCard, Discover, and American Express. We will also accept payment made with wire transfer or PayPal. Checks will only be accepted from customers in the USA. Terms may be available for larger orders, upon approval.

Why buy from GID?


Quality

We are industry veterans who take pride in our work


Protection

Avoid the dangers of risky trading in the gray market


Access

Our network of suppliers is ready and at your disposal


Savings

Maintain legacy systems to prevent costly downtime


Speed

Time is of the essence, and we are respectful of yours

What they say about us

FANTASTIC RESOURCE


One of our top priorities is maintaining our business with precision, and we are constantly looking for affiliates that can help us achieve our goal. With the aid of GID Industrial, our obsolete product management has never been more efficient. They have been a great resource to our company, and have quickly become a go-to supplier on our list!

Bucher Emhart Glass

EXCELLENT SERVICE


With our strict fundamentals and high expectations, we were surprised when we came across GID Industrial and their competitive pricing. When we approached them with our issue, they were incredibly confident in being able to provide us with a seamless solution at the best price for us. GID Industrial quickly understood our needs and provided us with excellent service, as well as fully tested product to ensure what we received would be the right fit for our company.

Fuji

HARD TO FIND A BETTER PROVIDER


Our company provides services to aid in the manufacture of technological products, such as semiconductors and flat panel displays, and often searching for distributors of obsolete product we require can waste time and money. Finding GID Industrial proved to be a great asset to our company, with cost effective solutions and superior knowledge on all of their materials, it’d be hard to find a better provider of obsolete or hard to find products.

Applied Materials

CONSISTENTLY DELIVERS QUALITY SOLUTIONS


Over the years, the equipment used in our company becomes discontinued, but they’re still of great use to us and our customers. Once these products are no longer available through the manufacturer, finding a reliable, quick supplier is a necessity, and luckily for us, GID Industrial has provided the most trustworthy, quality solutions to our obsolete component needs.

Nidec Vamco

TERRIFIC RESOURCE


This company has been a terrific help to us (I work for Trican Well Service) in sourcing the Micron Ram Memory we needed for our Siemens computers. Great service! And great pricing! I know when the product is shipping and when it will arrive, all the way through the ordering process.

Trican Well Service

GO TO SOURCE


When I can't find an obsolete part, I first call GID and they'll come up with my parts every time. Great customer service and follow up as well. Scott emails me from time to time to touch base and see if we're having trouble finding something.....which is often with our 25 yr old equipment.

ConAgra Foods

Related Products

Juniper Networks Basic Installation, Installation - on-site
