
Web Security Service Legacy IPSEC Connectivity Instructions - Juniper SSG


Article ID: 174444




Cloud Secure Web Gateway - Cloud SWG


This article provides a sample reference configuration for setting up your Juniper SSG20 to establish a VPN connection with the Web Security Service. It makes no assumptions of other networking equipment or configurations not mentioned. If you require additional assistance, contact Symantec support or your VPN vendor as appropriate.



Deployment Notes

  • NAT-T cannot be enabled on the router/firewall device. The Web Security Service does not support that configuration at this time. The device must have an external routable IP address.
  • Do not send Auth Connector traffic to the Web Security Service.
  • The best practice is to set the rekey at the specified lifetime interval instead of for lifebytes.

Note: Symantec has seen outages occur if the Phase 2 Timeout value is set to longer than four (4) hours. If the current setting is less than four hours, you can leave that value. Otherwise, adjust the time. The screenshots in the following procedure may not reflect this advisory.


Prerequisite A—Verify that the router is ready for configuration

  1. Select Network > Interfaces > List.
  2. Verify the list has as many interface pairs as required, plus the management interface.

Prerequisite B—Verify that supported Phase 1 (encryption) and Phase 2 (authentication) Proposals exist

The Web Security Service supports many encryption combinations. See Reference: IKE Encryption and Authentication Algorithms in the Access Methods WebGuide here.

  1. Select VPNs > AutoKey Advanced > P1 Proposal and check the list.
  2. Select AutoKey Advanced > P2 Proposal and check the list.

Step 1—Create the Primary VPN Gateway

  1. Select VPNs > Autokey Advanced > Gateway.
  2. Click New.
    The device displays the VPNs > Autokey Advanced > Gateway > Edit page.
  3. Configure gateway settings.
    1. Name the connection to the Web Security Service. For example, ThreatPulseIP1.
    2. Select IKEv1.
    3. Select Static IP Address.
    4. Enter the primary Web Security Service IP Address.
      Refer to this KB article to determine the closest Data Center to your location.
    5. Click Advanced to display more configuration options.
  4. Configure advanced gateway settings.
    1. Enter the Preshared Key, which is the string that validates the encrypted tunnel between the router and the Web Security Service (refer to your planning sheet).
      Tip: The Preshared Key must be at least eight characters and cannot use special characters.
    2. Security Level area:
      • Select Custom.
      • Select a supported Phase 1 Proposal encryption (see Prerequisite B above).
    3. Verify that the Enable NAT-Traversal option is cleared.
    4. Select DPD and set the Interval to any non-zero value.
      This is required for data center failover.
    5. Click Return to go back to the VPNs > Autokey Advanced > Gateway > Edit page.
  5. Click OK.
  6. Repeat steps 2-5 to create a VPN Gateway for at least one additional IP address.
    Look for the next-closest Data Center in this KB article and name the gateway appropriately (example: ThreatPulseIP2).
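
The following pre-flight check is an added example, not part of the original article or of any Symantec or Juniper tooling. It validates planning-sheet values against the Deployment Notes, the Phase 2 timeout note, and the Step 1 gateway settings. The dictionary field names and sample values are hypothetical, and "special characters" is assumed to mean anything other than letters and digits.

```python
import re

MAX_P2_LIFETIME_S = 4 * 3600  # Note above: outages seen beyond four hours

def check_gateway(gw):
    """Return a list of findings for one planned gateway (empty list = OK)."""
    findings = []
    if gw.get("ike_version") != 1:
        findings.append("select IKEv1")
    if gw.get("nat_traversal", False):
        findings.append("NAT-Traversal must be cleared")
    if gw.get("dpd_interval_s", 0) <= 0:
        findings.append("DPD interval must be non-zero (needed for failover)")
    psk = gw.get("preshared_key", "")
    if len(psk) < 8:
        findings.append("preshared key shorter than eight characters")
    # Assumption: "special characters" means anything outside A-Z, a-z, 0-9.
    if not re.fullmatch(r"[A-Za-z0-9]*", psk):
        findings.append("preshared key contains special characters")
    if gw.get("p2_lifetime_s", 0) > MAX_P2_LIFETIME_S:
        findings.append("Phase 2 lifetime longer than four hours")
    if gw.get("rekey_on") != "lifetime":
        findings.append("rekey on lifetime interval, not lifebytes")
    return findings

def check_plan(gateways):
    """Check every gateway and the two-gateway failover requirement."""
    report = {gw["name"]: check_gateway(gw) for gw in gateways}
    if len(gateways) < 2:
        report["(plan)"] = ["define a gateway for at least one additional IP address"]
    return report

# Constructed planning-sheet data (hypothetical field names);
# 192.0.2.x are documentation addresses, not Web Security Service IPs.
SAMPLE_PLAN = [
    {"name": "ThreatPulseIP1", "address": "192.0.2.10", "ike_version": 1,
     "nat_traversal": False, "dpd_interval_s": 10,
     "preshared_key": "Examp1eKey2024", "p2_lifetime_s": 3600,
     "rekey_on": "lifetime"},
    {"name": "ThreatPulseIP2", "address": "192.0.2.20", "ike_version": 1,
     "nat_traversal": True, "dpd_interval_s": 0,
     "preshared_key": "s3cr3t!", "p2_lifetime_s": 28800,
     "rekey_on": "lifebytes"},
]

if __name__ == "__main__":
    for name, findings in check_plan(SAMPLE_PLAN).items():
        print(name, "OK" if not findings else findings)
```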

Step 2—Create a VPN Group For Failover from One Gateway to Another

  1. Select VPNs > Autokey Advanced > VPN Groups.
  2. Enter a new VPN Group ID.
  3. Click Add.

Step 3—Create a VPN Tunnel

  1. Select VPNs > AutoKey IKE.
  2. Click New.
    The device displays the VPNs > AutoKey IKE > Edit page.
  3. Assign the VPN to the gateway.
    1. Name the VPN. For example: ThreatPulseVPN1.
    2. Remote Gateway —Select the Predefined option and from the drop-down list select the primary VPN gateway that you created in Step 2.
    3. Select the Outgoing Interface, which is the untrusted interface (route to the Web Security Service).
    4. Click Advanced to display more configuration options.
  4. Configure the User Defined and Replay Protection options and assign to a VPN Group.
    1. Select User Defined: Custom and select a supported Phase 2 Proposal authentication (see Prerequisite B above).
    2. Select Replay Protection.
    3. Select the VPN Group that you created in Step 4.
    4. Click Return.

Step 4—Repeat Step 3 to Create Another VPN Tunnel

  1. Follow steps 3-1 to 3-4 to create a second tunnel with your next-nearest data center, and name it as appropriate (example: ThreatPulseVPN2).
  2. Assign the new tunnel to the same VPN Group to which you added the first tunnel.
  3. Enter 2 for the Weight value on the Advanced page.

Step 5—Verify VPN Group Affiliation

  1. Select VPNs > Autokey Advanced > VPN Groups.
  2. Verify that the VPN group that you created contains the two VPN services.

Step 6—Define Trust and Untrust Policies

  1. Select Policy > Policies.
  2. The top of the page contains two drop-down lists: From and To.
    1. From—Select Trust.
    2. To—Select Untrust.
    3. Click New.
      The device displays the zone policy configuration screen.
  3. Assign the internal subnet HTTP service to the Tunnel VPN Group.
    1. Name the policy. For example, ThreatPulseHTTP.
    2. For the Source Address, select the Internal_subnet option from the Address Book.
    3. The Destination Address setting depends on the Access Method:
      • For stand-alone IPsec deployments, select any.
      • For trans-proxy deployments, enter the Symantec Web Security Service explicit proxy IP address:
    4. For the Service option, select HTTP.
    5. For the Action option, select Tunnel.
    6. Select the VPN Group that you created in Step 2.
    7. Click OK to add the policy.
  4. Repeat this step to create a Trust to Untrust policy for the HTTPS service.

Step 7—Create a Trust Policy Rule For Network Address Translation

  1. Click New. The zone policy configuration screen displays.
    1. Name the object.
    2. For the Source Address, select the Internal_subnet option from the Address Book.
    3. The default Destination Address is Any.
    4. For the Service option, select Any.
    5. For the Action option, select Permit.
    6. For the Tunnel: VPN option, select None.
    7. Click OK.

Your Juniper SSG device is now configured to route web traffic to the Web Security Service.