I have some contractors onsite that need to connect to their Juniper SSL VPN via Network Connect. We're having issues right now that they can't log in unless we configure their browser to use our proxy server explicitly. Our proxy server is transparent (via WCCP protocol) and I do not want to force proxy settings on their browser. Is there another way to force Juniper to be proxy aware when CONNECTING to the SA? I'm not talking about setting proxy settings once you're connected.
In one scenario they get sent to a web rewrite page, in another Network Connect launches. If we don't set proxy settings on the browser they get an error, if we do they're fine. What can I do to fix this?
Thanks for your help,
What does your user access log say for the user when it drops?
The client-based components will fail without defining the traffic, yes, you are correct; but the web-based only traffic has nothing that would be dropped by itself (it is just the browser communicating to the web server). The only item that would cause a drop is a change in source IP (and then the users would see an invalid session/session timed out message rather than the IE "can't connect to the internet" message).
What does your SSL dump on the IVE show?
What does the raw TCP dump of the same connection show?
I apologize for sounding as if I doubted the need for proxying; that was unintentional as I was aware that it had to be used. If you need L3 access (Network Connect), or use any component other than "simple" web rewriting, you will need to manually configure the proxy in the client browser. I know this is not the desired behavior, but without this it will not work.
Unless I'm missing something, your contractors are using an external SA, yes? I would simply modify the ACL being used for WCCP and permit them direct-to-net. I don't see the need to proxy them for their own SSL VPN proxy.
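One way to implement the ACL exemption suggested in the reply above, as an added example that is not part of the thread: a Cisco IOS WCCP redirect list that bypasses redirection only for the contractors' flows to their company's SA and leaves all other web traffic going to the transparent proxy. The thread does not say which platform runs WCCP, so the IOS syntax, the contractor subnet 10.10.20.0/24, the SA address 203.0.113.10 and the service group name are all assumptions and placeholders.

```cisco
! Added example, not from the thread. Constructed placeholders:
!   10.10.20.0/24  - contractor VLAN (assumption)
!   203.0.113.10   - the contractors' external Juniper SA (placeholder)
!
! In a WCCP redirect list, "deny" means "do not redirect, send direct"
! and "permit" means "redirect to the proxy". So only the two deny lines
! create an exception; everything else keeps the existing filtering policy.
ip access-list extended WCCP-REDIRECT
 remark Contractors straight to their own SSL VPN appliance, nothing else exempted
 deny   tcp 10.10.20.0 0.0.0.255 host 203.0.113.10 eq 443
 deny   tcp 10.10.20.0 0.0.0.255 host 203.0.113.10 eq 80
 remark All other Internet-bound web traffic still goes to the transparent proxy
 permit tcp any any eq 80
 permit tcp any any eq 443
!
! Attach the list to the WCCP service group the proxy registers with.
! "web-cache" (service 0) covers port 80 only; if HTTPS is redirected through
! a dynamic service group, apply the same redirect-list to that group too
! (its number depends on the proxy, e.g. "ip wccp 90 redirect-list WCCP-REDIRECT").
ip wccp web-cache redirect-list WCCP-REDIRECT
```

After applying it, the counters in `show ip wccp web-cache detail` should keep increasing for ordinary browsing while a test connection from the contractor VLAN to the SA no longer shows up in the proxy's access log. Because the exempted flows reach the SA with the client's real source address, the session-drop behaviour described later in the thread (source IP changing mid-session) is avoided for exactly that traffic and nothing else.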
No, transparent proxies are not supported for the clients and will cause failures.
Are you seeing a failure on BOTH core access or ONLY Network Connect?
It fails on both core access and Network Connect, yes.
The reason for proxying is just standard policy that ALL Internet-bound traffic must be filtered. I really did not want to start adding exceptions to the WCCP rules and would rather, in the end, have it be a source/destination of 0.0.0.0.
Is there no way to teach the core access / clients to use a proxy outside of configuring it in the browser?
The proxy in the browser is not used by the core rewrite engine. If you need to proxy that traffic, you need to create a web proxy policy at Users>Resource Policies>Web>Proxy (first you will need to define a server on the server link).
For Network Connect it is not possible to use a transparent proxy; this *must* be defined in the browser for the connection to work successfully.
This is a proxy between the end user and the SA, not between the SA and the internet.
Users on my network going through a transparent proxy for Internet filtering are trying to reach their company's SA on the Internet. The SA can't be configured to use it; it will never be able to connect to the proxy on my network.
OK; thank you.
For the Network Connect clients, that will not work (nor will Host Checker, WSAM, TS, etc) if the proxy is not defined for the users in their browser. This information is needed in order to configure the tunnel and access appropriately.
I am not sure why the core access, web-based rewriting is not functioning; that would be something to try and track down with the customer. Do users see any messages? Are they able to hit the login page and then nothing past that?
They can hit the login page, but as soon as they log in they get the generic IE "Page Cannot be Displayed" error. If we configure the browser for the proxy explicitly it works fine. No Host Checker, no WSAM/NC; it's just web rewrite.
I was hoping, like other applications, there was a way to tell Juniper that there's a proxy without configuring it in the browser. For example, IBM Assist Onsite will check for the presence of C:\ibm_proxy.txt. You enter the proxy IP and port into that text file and it will detect it at launch and use it. Had hoped Juniper had a similar feature where I could just throw a txt file on their PC somewhere that would tell Juniper to use the proxy without messing with browser settings.
No, there is nothing like that on the IVE.
For rewrite only, where there is no use of clients such as Network Connect, there would be something between the user and the proxy blocking the traffic. There is no use of the client proxy for this connection as it is SSL-only. I'm not sure why you are seeing a difference when adding the proxy explicitly when using web-based, web-site access only. It is not something I have seen or heard of in the past.
Does the proxy show why it is dropping the connection? Does it show it *is* dropping the connection?