MAG (UAC,SSL) UPDATE Westcon 5 daagse 13 Februari 2012 Dennis de Leest Security Systems Engineer AGENDA Gartner overview (just published) Junos Pulse Gateways Licensing Changes 2 Copyright © 2010 Juniper Networks, Inc. www.juniper.net SSL OVERVIEW GARTNER (LAST ONE !!) 3 Copyright © 2010 Juniper Networks, Inc. www.juniper.net UAC OVERVIEW GARTNER 4 Copyright © 2010 Juniper Networks, Inc. www.juniper.net JUNOS PULSE GATEWAYS 5 Copyright © 2010 Juniper Networks, Inc. www.juniper.net JUNOS PULSE GATEWAYS Introduction Hardware Fixed Configuration Chassis Application Blades Chassis Management Card Software Junos JWeb Application Blade Software Pricing 6 Copyright © 2010 Juniper Networks, Inc. www.juniper.net INTRODUCTION Junos Pulse Gateway is a universal platform to run SA and IC applications on application blades Junos Pulse Secure Access Service (SA) Junos Pulse Access Control Service (IC) Other applications in the future Next Generation purpose-built AABU hardware platforms Smaller form factor Same performance in half the space Lower power consumption Dual personality SA today, IC tomorrow Common ACCESS licensing 7 Copyright © 2010 Juniper Networks, Inc. www.juniper.net INTRODUCTION Includes both fixed and chassis-based systems Two fixed configurations: MAG2600 and MAG4610 Two chassis configurations: MAG6610 and MAG6611 Shared power and cooling Application blades Optional Chassis Management Card (CMC) 8 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG2600 9 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG2600 Fixed configuration appliance designed to be: Equivalent to SA700/SA2500 New Enterprise Guest Access appliance Currently Shipping Capacities SA: 100 Concurrent Users EGA: 200 Concurrent Users Physical 4” x 7”, < 20W power consumption Single MAG-SM060 Blade embedded SKUs MAG2600: SA or EGA appliance MAG-PS260: spare/replacement external “brick” power supply Prepare for SA700 EOL Due to parts shortages, the SA700 will be EOL’d soon (likely March 1st) 10 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG4610 11 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG4610 Fixed configuration appliance equivalent to: SA4500 IC4500 Capacities SA: 1000 Concurrent Users IC: 5000 Concurrent Users Physical 1U, ½-width chassis can be deployed side-by-side in 1 RU Single MAG-SM160 Blade embedded SKUs: MAG4610: SA/IC, 2 node-cluster allowed MAG-RK1U2 = Rack Kit, 1RU x 2 units 12 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG6610 13 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG6610 Chassis-based appliance, which depending upon the application blade(s) installed is designed to supplement: SA4500/SA6500 IC4500/IC6500 Capacities Dependent upon application blades installed Physical 14 1U modular chassis Up to two application blades One chassis management card (optional) One power supply (AC or DC) One or two hard drives per application blade Two fan trays per application blade Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG6610 SKUS Chassis MAG6610: Bare System Chassis with AC PS Application Blades Max of 2 per chassis MAG-SM160: SA/IC application blade (4500 equiv, 1K/5K users) MAG-SM360: SA/IC application blade (6500 equiv, 10K/15K users) Management MAG-CM060: Chassis Management Card (optional) Power Supplies One Required, One Max per chassis MAG-PS661: 250W AC Power Supply MAG-PS663: 560W DC Power Supply Hard Drive Spares MAG-HD060: Spare HD for SM160 and SM360 15 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG6610 APPLICATION BLADE CONFIGURATION One blade here CMC slot another blade here Slot 1 Slot 2 Chassis mgmt card fits in front slot 16 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG6611 17 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG6611 Chassis-based appliance, which depending upon the application blade(s) installed is designed to supplement: SA4500/SA6500 IC4500/IC6500 Capacities Dependent upon application blades installed Physical 2U Up to four application blades One chassis management card (optional) 18 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG6611 SKUS Chassis MAG6611: Bare System Chassis with AC PS Application Blades Max of 4 per chassis MAG-SM160: SA/IC application blade (4500 equiv, 1K/5K users) MAG-SM360: SA/IC application blade (6500 equiv, 10K/15K users) Management MAG-CM060: Chassis Management Card (optional) Power Supplies Max of 2 per chassis, 1 Required per chassis MAG-PS662: 560W AC Power Supply MAG-PS663: 560W DC Power Supply Hard Drive Spares MAG-HD060: Spare HD for SM160 and SM360 19 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG6611 APPLICATION BLADE CONFIGURATION CMC slot Slot 1 Slot 2 Slot 3 20 Copyright © 2010 Juniper Networks, Inc. www.juniper.net MAG6611 REAR VIEW Power supplies, fans, and hard drives are attached in the rear of the chassis All components are hot-plug CAPABLE, but there is no software support for that function Application blades should be powered off before replacement In order to power on/off individual application blades, a CMC is required 21 Copyright © 2010 Juniper Networks, Inc. www.juniper.net APPLICATION BLADES Port Configuration 1 Serial Port 3 Ethernet Ports Management (active only when SA) Internal External Hard Drive Configuration The SM160 includes one hard drive The SM360 includes an onboard RAID controller and multiple hard drives Additional hardware SM360 includes Cavium CN1620 on-board Trusted Platform Module (TPM) chip Not used at this time, reserved for future use 22 Copyright © 2010 Juniper Networks, Inc. www.juniper.net CHASSIS MANAGEMENT AND SINGLE SIGN-ON Chassis Management Card (CMC) is a daughter card that attaches to one of the application blades Occupies an even-numbered slot CMC runs Junos v11.1 and provides Chassis monitoring of “environmentals” such as power and cooling Chassis control of application blades CMC slot 23 Slot 1 Copyright © 2010 Juniper Networks, Inc. Slot 2 www.juniper.net JWEB DASHBOARD 24 Copyright © 2010 Juniper Networks, Inc. www.juniper.net HARDWARE PRICING COMPARISON Curr HW Cost MAG Equiv Cost Diff SA700 $1,500 MAG2600 $1,500 0% SA2500 $2,500 MAG2600 $1,500 -40% SA4500 $7,000 MAG4610 $7,000 0% SA4500 $7,000 MAG6610 MAG-SM160 $2,500 $4,500 0% SA4500 A/P Cluster $14,000 Chassis + 2 x Blade $11,500 -18% SA6500 $27,000 MAG6610 MAG-SM360 $2,500 $21,500 -11% SA6500 A/P Cluster $54,000 Chassis + 2 x Blade $45,500 -16% 25 Copyright © 2010 Juniper Networks, Inc. www.juniper.net WHAT’S INCLUDED IN THE BOX SKU Chassis Power Supply MAG6610 MAG6610C MAG-PS661 (250W AC) MAG6611 MAG6611C MAG-PS662 (560W AC) SKU Blade Hard Drive Fan MAG-SM160 MAG-SM160N 3-port Non-bypass MAG-HD060 160GB SATA 2 x MAG-FT060 MAG-SM360 MAG-SM360N 3-port Non-bypass 2 x MAG-HD060 160GB SATA 2 x MAG-FT060 26 Copyright © 2010 Juniper Networks, Inc. www.juniper.net LICENSING CHANGES 27 Copyright © 2010 Juniper Networks, Inc. www.juniper.net OLD CLUSTER LICENSING N-node cluster with 10000 concurrent users needs ADD-10000U licenses at one node – the license primary CL-10000U licenses at other N-1 nodes CL license at other N-1 nodes for IC Any feature licenses at primary node Cluster licensed for at least 10000 users under all circumstances Up to N-1 node failures cluster partitions Each partition licenses to support 10000 users If cluster is broken into standalone units 28 One node with licenses to support 10000 users Rest of the nodes with no licensed capacity Copyright © 2010 Juniper Networks, Inc. www.juniper.net NEW CLUSTER LICENSING Introduced with SSLVPN 7.0 and UAC 4.1 No CL licenses needed If already present, used in a backward compatible way Any license can be installed at any node Total concurrent user capacity = sum total of all user count licenses Licenses on unreachable nodes stop contributing towards total cluster capacity if they stay unreachable for longer than the cluster grace period (5 days) Unless sufficient CL licenses are present Starting 7.1r2 grace period increased to 10 days Customers encouraged to distribute ADD user count licenses evenly across the cluster A node removed from a cluster takes its licenses with it Feature licenses need be present at only one node No change from current behavior ICE Licenses need be present on all nodes you want to use in case of emergency 29 2 ICE licenses required for a 2-node cluster Copyright © 2010 Juniper Networks, Inc. www.juniper.net CLUSTER CAPACITY EXAMPLE – GOOD Two node cluster Node A with 500 user count licenses Node B with 500 user count licenses Cluster capacity as seen by node A Connected cluster 500A + 500B = 1000 Disconnected Cluster Within grace period of 5 days: 500A + min(500A, 500B) = 1000 Past grace period: 500A = 500 Customer has 5 days to diagnose/remedy the problem Even license distribution Desirable system behavior during cluster disconnects 30 Copyright © 2010 Juniper Networks, Inc. www.juniper.net CLUSTER CAPACITY EXAMPLE – NOT RECOMMENDED Two node cluster Node A with 250 user count licenses Node B with 750 user count licenses Cluster capacity as seen by node A Connected cluster 250A + 750B = 1000 Disconnected Cluster Within grace period of 5 days: 250A + min(250A, 750B) = 500 Past grace period: 250A = 250 Uneven license distribution Undesirable drop in licensed capacity during cluster disconnects 31 Copyright © 2010 Juniper Networks, Inc. www.juniper.net SSLVPN Licensing Review (also for UAC) SA2000/4000/6000 Old cluster licensing SAx000-ADD-xxU and –CL still valid. New cluster licensing SAx000-ADD-xxU on both nodes starting software 7.0. Remark: 7.1 is last release to be supported on SAx000 SA2500/4500/6500 Old cluster licensing SAx500-ADD-xxU and -CL still valid. New cluster licensing SAx500-ADD-xxU on both nodes starting software 7.0. MAG Requires ACCESS-X600 licenses. Licenses have dual personality, SA/IC depending on MAG deployment. Licensing based on new cluster licensing, no –CL licenses available. Minimale software release voor MAG is 7.1 voor SSL en 4.1 voor UAC. 32 Copyright © 2010 Juniper Networks, Inc. www.juniper.net Do you love VMWARE, we do to ! Offline verder praten over: - License server ? (grotere omgevingen) - Virtuele editie van SSL ? 33 Copyright © 2010 Juniper Networks, Inc. www.juniper.net