Anyone else experiencing an issue with Host Checker hanging/looping during login with IVE 6.2R3.1?
For the time being, we've had to disable Host Checker policies in our main user realm to restore functionality while we troubleshoot the issue.
(Yes, I've opened a case, but am still waiting for JTAC response.)
Any helpful feedback/comments would be appreciated.
Alessandro
Is it happening to all of your users? We had this happen to a subset of users while they were being upgraded to a new version. The solution was to uninstall all client software, and manually run the .exe installer on the workstation. Then next time they tried to get in they were ok. We actually created a little installer package to automate the uninstalls, copying and launching of the manual installers.
It caused some serious work and a considerable disruption. Think we were upgrading from 6.0R4-2 to 6.0R7.
Yes, it was happening to all users so we had to disable all Host Checker policies for those realms/sign-in pages; it persists on the "test" realms/sign-in pages where Host Checker is still enabled.
I tried uninstalling everything on a few test machines and connecting back to the SSL VPN portal with the same results.
I have not tried manually installing the HC package, and am not ready to embrace that as a solution, since a large part of the reason we use this product is for users to be able to easily connect from unmanaged machines as well.
I am stunned at the problems I've had so far with what should be straightforward firmware upgrades...
I've spoken to a JTAC tech and he is going to reproduce our issue in the lab since they have nothing in their KBs about this.
They are going to ask you if you have the installer service installed on workstations, and if the users have local admin rights.
You might want to try loading the installer service on a machine or two to see if it makes a difference. Also, if a manual install works then you are having the same trouble I was.
I did the upgrade last week and experienced a lot of problems with Hostchecker afterwards. One of the antivirus products was working before and now it's blocked.
Didn't change the ESAP file.
Re-installed HostChecker on the host and still the same problem.
Returned to the previous version of the OS, 6.1 R2, and it works fine again.
I'll open a case probably today.
We had the same problem and found the solution today. Download the new Juniper installer service and install it on the workstations. The pre-6.2 installers are not compatible with 6.2.
Also see
http://www.securelink.be/en/x/73/juniper-sa-installer-service
We've had big issues in our environment with Host Checker failing legitimate checks post 5.5R6. Our issues seem to all relate to the new way Host Checker verifies antivirus definition files. In the 5.x versions, I have the option of telling Host Checker to verify that all def. files have been updated within (n) days. 6.x versions no longer have this option and instead you can specify that definition files be recent within (n) releases... n being between 1 and 10.
All of the checks I run pass if I am only evaluating for specific antivirus products but they fail if I configure the IVE to check for updated definition files; it doesn't matter what I set the number to. To make matters worse, for us, it doesn't seem to matter which AV products we are evaluating for either. We have failures with Symantec, McAfee, AVG, Trend Micro and others. JTAC has been working this case with us for about a month now and we've upgraded the IVE to various 6.x versions, upgraded ESAP and rebuilt our checks without success. Right now, I'm told that I have to wait for the 1.4.4 ESAP release which has not been made available for each ETA I've been given by JTAC (and now I'm being told that they have no estimated release date). Only checking for the product without updated dictionaries is no better than not checking at all. :-(
So, we've been sitting on 5.5R6 (with functioning Host Checker) for over a month waiting to upgrade to a reliable 6.x version that addresses multiple other issues/incompatibilities we have with our environment (Citrix 4.5 farms and Vista SP1 come to mind) but we can't move to the newer, better stuff because, in our case, it will break more than it fixes.
I encountered this problem with EVERY upgrade from 6.2R1 (I tried all the 6.3's and all the 6.2's).
In the end I reset my config during the upgrade and had to completely reconfigure my SA2500... but it worked.
The problem wasn't on the client, it was in the SA itself: the host checker loads and then talks to the Juniper to get the policies etc. and the Juniper logs an error and then hangs... It has left me with no faith in the Juniper because there's no way I can find to export the config and then re-import bits of it... I had to set up from scratch.
Hi everybody! I've the same problem after upgrading from version 5.5r4 to 6.3R2 with ESAP 1.4.4
I've installed all the client-side programs (Juniper Installer, Hostchecker, ..) and reconnected to my SSL/VPN website; the applications are installed correctly but the problem is still present.
I must disable HC to be able to connect; the moment I check one or multiple rules to perform a check on (malware, antivirus, firewall), I receive a message 'you are not authorized to login. contact your administrator' before the login appears.
Does anyone have an idea, or has anyone solved this?
I think I'll create a case at JTAC.
Thanks for your help
Filippo
Hi, I've created a case and got a meeting with a JTAC engineer.
Here is the solution:
The reason is that the option "Enable Advanced Endpoint Defense: Malware Protection"
is enabled under Authentication -> Endpoint Security -> Hostchecker.
After disabling the same we were able to pass Host Checker.
I hope this can help someone.
Filippo