1: JUNIPER (MAIN OFFICE)--->
2: set clock timezone -5
3: set vrouter trust-vr sharable
4: set vrouter "untrust-vr"
5: exit
6: set vrouter "trust-vr"
7: unset auto-route-export
8: exit
9: set auth-server "Local" id 0
10: set auth-server "Local" server-name "Local"
11: set auth default auth server "Local"
12: set auth radius accounting port 1646
13: set admin name "admin"
14: set admin password "XYZ123"
15: set admin http redirect
16: set admin auth timeout 10
17: set admin auth server "Local"
18: set admin format dos
19: set vip multi-port
20: set zone "Trust" vrouter "trust-vr"
21: set zone "Untrust" vrouter "trust-vr"
22: set zone "DMZ" vrouter "trust-vr"
23: set zone "VLAN" vrouter "trust-vr"
24: set zone id 100 "DMZ-WAN"
25: set zone "Untrust-Tun" vrouter "trust-vr"
26: set zone "Trust" tcp-rst
27: set zone "Untrust" block
28: unset zone "Untrust" tcp-rst
29: set zone "MGT" block
30: set zone "DMZ" tcp-rst
31: set zone "VLAN" block
32: unset zone "VLAN" tcp-rst
33: set zone "DMZ-WAN" block
34: unset zone "DMZ-WAN" tcp-rst
35: set zone "Trust" screen icmp-flood
36: set zone "Trust" screen udp-flood
37: set zone "Trust" screen winnuke
38: set zone "Trust" screen port-scan
39: set zone "Trust" screen ip-sweep
40: set zone "Trust" screen tear-drop
41: set zone "Trust" screen ping-death
42: set zone "Trust" screen ip-filter-src
43: set zone "Trust" screen land
44: set zone "Trust" screen syn-frag
45: set zone "Trust" screen tcp-no-flag
46: set zone "Trust" screen unknown-protocol
47: set zone "Trust" screen ip-bad-option
48: set zone "Trust" screen ip-record-route
49: set zone "Trust" screen ip-timestamp-opt
50: set zone "Trust" screen ip-security-opt
51: set zone "Trust" screen ip-loose-src-route
52: set zone "Trust" screen ip-strict-src-route
53: set zone "Trust" screen ip-stream-opt
54: set zone "Trust" screen icmp-fragment
55: set zone "Trust" screen icmp-large
56: set zone "Trust" screen syn-fin
57: set zone "Trust" screen fin-no-ack
58: set zone "Trust" screen limit-session source-ip-based
59: set zone "Trust" screen syn-ack-ack-proxy
60: set zone "Trust" screen block-frag
61: set zone "Trust" screen limit-session destination-ip-based
62: set zone "Trust" screen component-block exe
63: set zone "Trust" screen icmp-id
64: set zone "Trust" screen ip-spoofing drop-no-rpf-route
65: set zone "Untrust" screen tear-drop
66: set zone "Untrust" screen syn-flood
67: set zone "Untrust" screen ping-death
68: set zone "Untrust" screen ip-filter-src
69: set zone "Untrust" screen land
70: set zone "V1-Untrust" screen tear-drop
71: set zone "V1-Untrust" screen syn-flood
72: set zone "V1-Untrust" screen ping-death
73: set zone "V1-Untrust" screen ip-filter-src
74: set zone "V1-Untrust" screen land
75: set interface "ethernet0/0" zone "Trust"
76: set interface "ethernet0/1" zone "DMZ"
77: set interface "ethernet0/2" zone "Untrust"
78: set interface "ethernet0/3" zone "DMZ-WAN"
79: set interface "tunnel.1" zone "Untrust"
80: set interface ethernet0/0 ip 10.10.7.2/24
81: set interface ethernet0/0 route
82: unset interface vlan1 ip
83: set interface ethernet0/1 ip 10.10.9.1/24
84: set interface ethernet0/1 route
85: set interface ethernet0/2 ip X.Y.Z.98/27
86: set interface ethernet0/2 route
87: set interface ethernet0/3 ip 10.10.99.0/24
88: set interface ethernet0/3 route
89: set interface tunnel.1 ip unnumbered interface ethernet0/2
90: unset interface vlan1 bypass-others-ipsec
91: unset interface vlan1 bypass-non-ip
92: set interface ethernet0/0 ip manageable
93: unset interface ethernet0/1 ip manageable
94: set interface ethernet0/2 ip manageable
95: unset interface ethernet0/3 ip manageable
96: unset interface ethernet0/0 manage snmp
97: set interface ethernet0/0 manage mtrace
98: unset interface ethernet0/1 manage ping
99: set interface ethernet0/2 manage ping
100: set interface ethernet0/2 manage ssh
101: set interface ethernet0/2 manage telnet
102: set interface ethernet0/2 manage ssl
103: set interface ethernet0/2 manage web
104: set interface ethernet0/2 manage mtrace
105: set interface vlan1 manage mtrace
106: set interface "ethernet0/2" mip X.Y.Z.106 host 10.10.7.106 netmask 255.255.255.255 vr "trust-vr"
107: set interface "ethernet0/2" mip X.Y.Z.109 host 10.10.7.200 netmask 255.255.255.255 vr "trust-vr"
108: set interface "ethernet0/2" mip X.Y.Z.100 host 10.10.7.100 netmask 255.255.255.255 vr "trust-vr"
109: set interface "ethernet0/2" mip X.Y.Z.101 host 10.10.7.206 netmask 255.255.255.255 vr "trust-vr"
110: set interface "ethernet0/2" mip X.Y.Z.103 host 10.10.7.103 netmask 255.255.255.255 vr "trust-vr"
111: set interface "ethernet0/2" mip X.Y.Z.108 host 10.10.7.208 netmask 255.255.255.255 vr "trust-vr"
112: set interface "ethernet0/2" mip X.Y.Z.121 host 10.10.7.121 netmask 255.255.255.255 vr "trust-vr"
113: set interface "ethernet0/2" mip X.Y.Z.115 host 10.10.7.115 netmask 255.255.255.255 vr "trust-vr"
114: set interface "ethernet0/2" mip X.Y.Z.125 host 10.10.7.122 netmask 255.255.255.255 vr "trust-vr"
115: set interface "ethernet0/0" webauth
116: unset flow no-tcp-seq-check
117: set flow tcp-syn-check
118: set domain econium
119: set pki authority default scep mode "auto"
120: set pki x509 default cert-path partial
121: set dns host dns1 66.153.50.66 src-interface ethernet0/2
122: set dns host dns2 64.80.0.162 src-interface ethernet0/2
123: set dns host dns3 64.80.32.128 src-interface ethernet0/2
124: set dns host schedule 06:28
125: set address "Trust" "10.10.7.0/24" 10.10.7.0 255.255.255.0
126: set address "Trust" "10.10.7.106/24" 10.10.7.106 255.255.255.0
127: set address "Trust" "10.10.7.117/24" 10.10.7.117 255.255.255.0
128: set address "Trust" "Office LAN" 10.10.0.0 255.255.0.0
129: set address "Trust" "Trust_LAN" 10.10.7.0 255.255.255.0
130: set address "Untrust" "10.10.12.0/24" 10.10.12.0 255.255.255.0
131: set address "Untrust" "X.Y.Z.117/30" X.Y.Z.117 255.255.255.252
132: set address "Untrust" "W-Remote" 10.10.12.0 255.255.255.0
133: set address "DMZ-WAN" "Wireless" 10.10.99.0 255.255.255.0 "Wireless"
134: set ike gateway "W-Remote GW" address A.B.C.42 Main outgoing-interface "ethernet0/2" preshare "myxlplyt" proposal "pre-g2-3des-sha"
135: set ike respond-bad-spi 1
136: unset ike ikeid-enumeration
137: unset ike dos-protection
138: unset ipsec access-session enable
139: set ipsec access-session maximum 5000
140: set ipsec access-session upper-threshold 0
141: set ipsec access-session lower-threshold 0
142: set ipsec access-session dead-p2-sa-timeout 0
143: unset ipsec access-session log-error
144: unset ipsec access-session info-exch-connected
145: unset ipsec access-session use-error-log
146: set vpn "W-Remote VPN" gateway "W-Remote GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
147: set vpn "W-Remote VPN" id 1 bind interface tunnel.1
148: set url protocol websense
149: exit
150: set anti-spam profile ns-profile
151: set sbl default-server enable
152: set default action tag subject "*** [SPAM] ***"
153: exit
154: set vpn "W-Remote VPN" proxy-id local-ip 10.10.7.0/24 remote-ip 10.10.12.0/24 "ANY"
155: set policy id 34 from "Trust" to "Untrust" "10.10.7.0/24" "10.10.12.0/24" "ANY" permit log
156: set policy id 34
157: set log session-init
158: exit
159: set policy id 33 from "Untrust" to "Trust" "10.10.12.0/24" "10.10.7.0/24" "ANY" permit log
160: set policy id 33
161: set log session-init
162: exit
163: set policy id 21 from "Untrust" to "Trust" "Any" "MIP(X.Y.Z.106)" "ANY" permit log
164: set policy id 21
165: exit
166: set policy id 1 name "Internet Access" from "Trust" to "Untrust" "Office LAN" "Any" "HTTP" nat src permit log url-filter
167: set policy id 1
168: set log session-init
169: exit
170: set policy id 2 from "Trust" to "Untrust" "Office LAN" "Any" "HTTPS" nat src permit log
171: set policy id 2
172: exit
173: set policy id 5 from "Trust" to "DMZ" "Office LAN" "Any" "ANY" nat src permit log
174: set policy id 5
175: exit
176: set policy id 6 name "Deny All - DMZ" from "Untrust" to "DMZ" "Any" "Any" "ANY" deny log
177: set policy id 6
178: exit
179: set policy id 7 from "Trust" to "Untrust" "Office LAN" "Any" "DNS" nat src permit
180: set policy id 7
181: exit
182: set policy id 8 from "Trust" to "Untrust" "Office LAN" "Any" "FTP" nat src permit
183: set policy id 8
184: exit
185: set policy id 9 from "Trust" to "Untrust" "Office LAN" "Any" "POP3" nat src permit
186: set policy id 9
187: exit
188: set policy id 10 from "Trust" to "Untrust" "Office LAN" "Any" "SMTP" nat src permit log
189: set policy id 10
190: exit
191: set policy id 11 name "Wireless Access" from "DMZ-WAN" to "Untrust" "Wireless" "Any" "DNS" nat src permit log
192: set policy id 11
193: set service "FTP"
194: set service "HTTP"
195: set service "HTTPS"
196: set service "PING"
197: set service "POP3"
198: set service "SMTP"
199: set service "VNC"
200: exit
201: set policy id 13 name "VNC" from "Trust" to "Untrust" "Office LAN" "Any" "VNC" nat src permit log
202: set policy id 13
203: exit
204: set policy id 14 name "Ping" from "Trust" to "Untrust" "Office LAN" "Any" "PING" nat src permit log
205: set policy id 14
206: exit
207: set policy id 31 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit log
208: set policy id 31
209: exit
210: set policy id 32 from "Trust" to "Untrust" "Office LAN" "Any" "ANY" nat src permit log
211: set policy id 32
212: exit
213: set nsmgmt bulkcli reboot-timeout 60
214: set ssh version v2
215: set ssh enable
216: set config lock timeout 5
217: set ntp server "0.0.0.0"
218: set ntp server backup1 "0.0.0.0"
219: set ntp server backup2 "0.0.0.0"
220: set snmp port listen 161
221: set snmp port trap 162
222: set vrouter "untrust-vr"
223: exit
224: set vrouter "trust-vr"
225: unset add-default-route
226: set route 10.10.12.0/24 interface tunnel.1 preference 20
227: set route 0.0.0.0/0 interface ethernet0/2 gateway X.Y.Z.97 preference 20 metric 10
228: exit
229: set vrouter "untrust-vr"
230: exit
231: set vrouter "trust-vr"
232: exit
). Now security-wise, does it mean by just disabling the split-tunneling, an administrator can be assured that the user won’t harm the corporate ? I don’t think so;