I'm installing some new ISG firewalls with IDPs, so I'm going to be doing an NSM upgrade to 2008.2. This would be a good time to add my SA boxes to NSM. Was wondering if IVE 6.3 is stable enough for a heavily used (200 user ave) SA 4000 box?
I'm currently at 6.0R8 but wouldn't mind getting the Firefox 3 issues fixed as well as manage change control in NSM.
Even if the code is stable, the upgrade process will be hairy especially if your using Host Checker. If you have a test box, try migrating 50 users or so to get a sense of the issues you will encounter. Upgrades are my biggest complaint about NetConnect. It's a lot to upgrade to new switch code and have all your users upgraded all at once, you will get calls. I wish Juniper would create a client independent of the switch code. I cant comment specifically on the stability of 6.3R2 but I've learned to wait until R5's or higher.
The SA box has an option of having applets be removed after logout. I, too, have had issues with users successfully downloading the upgraded Network Connnect without problems. My thought was to turn on having applet removed on logout a week before upgrade so the majority of machines would NOT have the Host Check or Network Connect clients loaded and would get a "clean" install. Anyone try this? Or would this just create more problems and support calls?
I agree that being able to "phase in" Network Connect upgrades would be very helpful.
What, exactly, is the issue with upgrades and Host Checker?
Hardest problem for me was the that the juniper installer / active x control element has changed.
I wasn't really well prepared for that. (I have been told, last time it has been updated 2 yeas ago).
Immediatly there poppt up a lot of calls because the users did not have the rights to install the new piece of software.
Juniper Installer / Network Connect should be rolled out 1 month in advance.
Sounds long term, but keep in mind that some users might be on vacation / ill or whatever.
ActiveX control element / juniper installer should be compatible with older versions but I would test that.
Esp. try it with non priviliged accounts after roll out.
But in this update ... even the installer has changed and with it the active x control element.
This leads to following situation:
The user also needs priviliged/admin rights to upgrade the installer.
So you need to roll out the installer with software distribution in advance but a software distribution is not always available for external users.
One royal pain is the anti-virus host checker being changed from "xx days old" to "xx updates old". Whereas fourteen days was acceptable to us before, the new setting only allows up to 10 updates old.
Our anti-virus vendor sometimes kicks out a minor update every day or two, sometimes not, and setting the host checker to 3 updates old caused major problems for people who connect their computer to the Internet only once a week. Our executives a use desktop as their primary computer but have a laptop for weekend use or travelling only.
I had to reset it to the maximum of 10 and I really have no idea how long that is in days. Potentially it could be ten weeks. <sigh>
It looks like this change was introduced in v6.2.