cancel
Showing results for 
Search instead for 
Did you mean: 

IE Deny Add-on List

grabla_
New Contributor

IE Deny Add-on List

Scenario is that Windows 7 deployment is taking place, and the Security on the Windows 7 domain is such that only the known CLSID's of ActiveX controls are allowed to execute in IE9. When we connect to the VPN using a W7 laptop, it says "An Add-on for this web site failed to run".

 

During testing, if we turn off ActiveX filtering and remove the requirement for each CLSID to be on the IE9 Add-on list, we can get in to the VPN.

 

Is there a definitive list of all the activeX controls that are required by the Juniper client, so I can just add their CLSID's all to the Add-on list for IE? Its rather like looking for a needle in a haystack.

 

My hunch at the moment is that the isinstalled Java Class is missing. There may be others.

3 REPLIES 3
grabla_
New Contributor

Re: IE Deny Add-on List

So after another couple of days working on this, it appears as though the control that is blocked is JuniperSetupClientControl Class (JuniperSetupClient.ocx), classid {F27237D7-93C8-44C2-AC6E-D6057B9A918F}

Despite adding the clsid to the IE9 Allow List, when I have RestrictToList=1, IE9 is blocking the Juniper control. The control is however shown in the Downloaded Controls list as Enabled.

 

If I set RestrictToList=0, the Juniper control loads.

If I then disable the control in the registry, the control disappears from the Manage Add-ons, Downloaded controls list under IE9, and we get the same error "An add-on from this web site failed to load".

 

 

I'm now trying to work out why, despite having the CLSID in the allow list, IE9 wont allow the control to load.

grabla_
New Contributor

Re: IE Deny Add-on List

Its very quiet on here. Pioneering as usual Smiley Very Happy

 

I've run process monitor, and filtered against the "Load Image" operation, and I can see iexplore.exe loads junipersetupclient.ocx from the c:\windows\downloaded program files folder, but thats as far as it gets with the RestrictToList=1 setting and the controls CLSID on the add-on list.

 

 

I'm wondering now if the  junipersetupclient.ocx obfuscates its clsid as a security measure at load time, or, if IE9 wont allow controls to be loaded from the c:\windows\downloaded program files folder, whilst the RestrictToList=1, again as an additional security measure.

 

 

 

 

awhittington_
Occasional Contributor

Re: IE Deny Add-on List

This sounds similar to an issue I'm working right now. IVE version 7.0 (old I know) juniper components fail to install automatically with no explanation. I have a JTAC case open for it. I have a work around, you add the URL for the IVE to trusted sites in IE and you have to allow activeX to run (not prompt) and allow scripting, etc. That allows the components to install automatically. if you download the installer from the SA device and install manually it works as well...just not automatically install

 

Funny thing is this worked fine until a week, then just stopped working for every new computer. Not sure if some sort of windows security update caused it or what. But I only have one SA2500 that's doing this out of many.