I currently have a single SA 4000 running 6.0R4-2 and I've had some bad experiences in the past trying to upgrade to different Juniper releases. I'm now replacing my 4000 with 2 4500's in a cluster.
Any recommendations on which code to be running?
We've been running 6.3r2 without issue and also have our SA's integrated into the NSM. However, 6.3R4 has a few cluster related fixes. So I would recommend either upgrading to 6.0r10 or if you're looking to add new features try 6.3R4. Either way, I would be sure to check the release notes for addressed and unresolved issues.
I hope this helps.
I too agree with firewall72. 6.3R4 would be a better choice as Secure Access 2500, 4500, and 6500 appliances require software versions 6.1 or later. More over latest releases will be supported for a long time.
I just did an upgrade of a 4000 cluster from 6.0r8 to 6.3r4 yesterday. Upgrade went smooth. Had to update the AV hostcheck (see my other post on subject). I learned the hard way that upgrading users Network Connect is problematic, so I pushed the ne NC via SMS ahead of time, and I check the " Restrict access to Admins only" setting in Signing In tab.
6.3r4 gives me an option for Citrix Web Interface 4.6. I put in the custom cookie headers described in the IVE How To Citrix doc that works with 6.0. I need to test the 4.6 option to make sure nothing breaks.
Only mistake was that I was upgrading the IVE over a NC tunnel, and when I check the restrict access, my NC session when down. Oops. I was doing the upgrade from a machine I was RDP'ing to, but lost connection before I could kick off the upgrade process. Next time I will need to VPN to a firewall first, then kick it off!
I'm assuming that you are importing only your 6.3 boxes to NSM. Have you tried pushing an update to them?
Yes, we've pushed down changes. Both Templates and local configurations have been tested from the NSM. However, we've found some odd issues and have since reported them to JTAC. Specifically, some of the commands/settings become locked in the template and we are forced to make them via the local WebUI, update the template, then sych. I find it very similar to the issues in the begining with some of the Firewalls and NSM. I was told with each update/new version of the NSM code it will become more stable. I hope this helps.
Cool, good luck.