Symantec has tested and validated that Juniper® devices can forward web traffic to the Web Security Service for policy checks and malware scanning. The following procedure demonstrates the pre-shared secret method, which requires a unique, publicly routable gateway IP address on the device (no NAT-T).
Requires JUNOS Software Release 10.0R1.8 or later.
This procedure provides a guideline configuration that you can apply to the tested model or to other Juniper models. You most likely already have a Juniper device configured in your network, so slight alterations to the existing deployment might be required.
The basic approach is to configure the device with a site-to-site IPsec VPN to the Web Security Service and then write security policies that send only web-based traffic (HTTP and HTTPS) into that tunnel while leaving all other traffic on its normal path. Depending on your geographical location, you must create at least two VPN gateways (a primary and a secondary Web Security Service data center) so that the tunnel can fail over.
The device must have an external, publicly routable IP address.
Do not send Auth Connector traffic to the Web Security Service: exclude the Auth Connector host from the policies that direct traffic into the tunnel.
You can create a designated host or subnet that tests the IPsec connectivity to the Web Security Service without interrupting the production traffic. After successful testing, you then add production subnets.
Note: Symantec has seen outages occur when the Phase 2 (IPsec SA) lifetime is set to longer than four (4) hours. If the current setting is four hours or less, you can leave it as is; otherwise, reduce it. The screenshots in the following procedure might not reflect this advisory.
Prerequisite A—Verify that the router is ready for configuration.
Select Configure > Interfaces.
Verify the list has as many interface pairs as required, plus the management interface.
Click Add. The device displays the Add Policy/Policy page.
Create policy that routes HTTP traffic to the Web Security Service.
Name the policy.
From Zone—Select trust.
To Zone—Select untrust.
Source Address—Select all applicable subnets ~or~ if you created a Policy Element that contains your internal subnets, select it.
Destination Address—Select any.
Application—Select junos-http. This is the predefined Junos application that matches TCP traffic on port 80.
Policy Action—Select permit. When you select this, the SRX interface displays the Permit Action tab. Proceed to the next step to complete the policy.
Select the Web Security Service VPN profile that you created in Step 6.3.
Step 8—Repeat Step 7 for the HTTPS protocol.
In Step 7.3.f, select junos-https (the predefined application for TCP port 443).
If you are sending traffic to Singapore, which currently requires two IP address configurations, or you want to provide a layer of failover for other connection issues, use the CLI to add a second peer address to the same IKE gateway: set security ike gateway BC_Cloud_Gateway address secondary_cloud_IP (where BC_Cloud_Gateway is the name of the IKE gateway you created, secondary_cloud_IP is the second Web Security Service data center IP address, and address is the Junos keyword for a peer address; an IKE gateway accepts more than one).
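The same deployment expressed as Junos set commands, as an added example rather than configuration from the Symantec page or from Juniper: it creates a small test subnet (per the testing advice above), the IKE gateway with primary and secondary peer addresses, an IPsec proposal whose lifetime is capped at four hours, the trust-to-untrust policies that tunnel only junos-http and junos-https, and a bypass policy that keeps the Auth Connector host out of the tunnel. The object names (WSS-*, BC_Cloud_Gateway, AUTH-CONNECTOR-BYPASS), the interface ge-0/0/0.0, the subnet 10.1.5.0/24, the host 10.1.1.10, the placeholder peer IPs and the cipher choices are all assumptions; use the gateway addresses, pre-shared key and algorithms that the Web Security Service portal specifies for your account.

```junos
# Added example, not from the original page. All names, addresses and
# algorithm choices below are assumptions; replace them with the values
# the Web Security Service portal gives you.

# Trust-zone address book (zone-based form, valid on Junos 10.x).
# Start with a test subnet; widen to production subnets after the tunnel works.
set security zones security-zone trust address-book address wss-test-subnet 10.1.5.0/24
set security zones security-zone trust address-book address auth-connector-host 10.1.1.10/32

# Phase 1 (IKE): pre-shared secret, main mode (both peers have static IPs, no NAT-T).
set security ike proposal WSS-IKE-PROP authentication-method pre-shared-keys
set security ike proposal WSS-IKE-PROP dh-group group2
set security ike proposal WSS-IKE-PROP authentication-algorithm sha1
set security ike proposal WSS-IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy WSS-IKE-POL mode main
set security ike policy WSS-IKE-POL proposals WSS-IKE-PROP
set security ike policy WSS-IKE-POL pre-shared-key ascii-text "replace-with-portal-psk"
set security ike gateway BC_Cloud_Gateway ike-policy WSS-IKE-POL
set security ike gateway BC_Cloud_Gateway address primary_cloud_IP
# Second peer address on the same gateway: the second Singapore IP, or a failover peer.
set security ike gateway BC_Cloud_Gateway address secondary_cloud_IP
set security ike gateway BC_Cloud_Gateway external-interface ge-0/0/0.0

# Phase 2 (IPsec): lifetime-seconds 14400 = four hours, the maximum the advisory allows.
set security ipsec proposal WSS-IPSEC-PROP protocol esp
set security ipsec proposal WSS-IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal WSS-IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec proposal WSS-IPSEC-PROP lifetime-seconds 14400
set security ipsec policy WSS-IPSEC-POL proposals WSS-IPSEC-PROP
set security ipsec vpn WSS-VPN ike gateway BC_Cloud_Gateway
set security ipsec vpn WSS-VPN ike ipsec-policy WSS-IPSEC-POL

# Policy-based VPN: only junos-http (TCP/80) and junos-https (TCP/443) from the
# test subnet are permitted into the tunnel; other traffic keeps its existing policies.
set security policies from-zone trust to-zone untrust policy WSS-HTTP match source-address wss-test-subnet
set security policies from-zone trust to-zone untrust policy WSS-HTTP match destination-address any
set security policies from-zone trust to-zone untrust policy WSS-HTTP match application junos-http
set security policies from-zone trust to-zone untrust policy WSS-HTTP then permit tunnel ipsec-vpn WSS-VPN
set security policies from-zone trust to-zone untrust policy WSS-HTTPS match source-address wss-test-subnet
set security policies from-zone trust to-zone untrust policy WSS-HTTPS match destination-address any
set security policies from-zone trust to-zone untrust policy WSS-HTTPS match application junos-https
set security policies from-zone trust to-zone untrust policy WSS-HTTPS then permit tunnel ipsec-vpn WSS-VPN

# Auth Connector must not enter the tunnel: a plain permit, ordered ahead of the
# tunnel policies so it is matched first.
set security policies from-zone trust to-zone untrust policy AUTH-CONNECTOR-BYPASS match source-address auth-connector-host
set security policies from-zone trust to-zone untrust policy AUTH-CONNECTOR-BYPASS match destination-address any
set security policies from-zone trust to-zone untrust policy AUTH-CONNECTOR-BYPASS match application any
set security policies from-zone trust to-zone untrust policy AUTH-CONNECTOR-BYPASS then permit
insert security policies from-zone trust to-zone untrust policy AUTH-CONNECTOR-BYPASS before policy WSS-HTTP

# Validate syntax before activating, then commit with an audit comment.
commit check
commit comment "WSS IPsec forwarding: test subnet only"
```

After the commit, confirm Phase 1 and Phase 2 came up with show security ike security-associations and show security ipsec security-associations, then browse from a host in the test subnet and check that the Web Security Service portal reports the session before adding production subnets to the source-address match. Policy order matters on SRX: if the bypass policy is not inserted ahead of WSS-HTTP and WSS-HTTPS, Auth Connector traffic on ports 80 and 443 would be tunneled.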