I've upgraded our MAG2600 to 7.3r3 and have been working on getting Junos Pulse vpn client working. I'm testing on Windows 7 64bit with the latest available version of the Pulse client. My browser is IE.
I have everything working well except I can't browse the Internet. I'm wanting to force the user through our proxy server to access the Internet. I've tried all the options available (preserve client settings, manual configuration, etc) but no matter how I do it, the client keeps trying to access the Internet directly. I see this through the firewall logs. Spilt tunnelling is not enabled.
I can see the browser options changing on the client depending on what I configure on the IVE, but the settings are being ignored. There are no DNS issues. Assistance would be greatly appreciated.
Does the client already have a proxy server in their IE settings, does it create an instant proxy pac file under the proxy settings on the client IE settings when ou configure a manual proxy under the connection profile. If it does,is it applying your proxy logic correctly?
the logic of the proxy on the client should be just to reach the SA and the logic of the proxy that you configure on the connection profile will be to reach internet and intranet resources.
We don't use PAC files. We do however push the proxy configuration using GPO.
When I choose 'preserve client settings' on the IVE, nothing changes in the browser on the client machine. But accessing the web still tries to go direct (I can confirm this in the firewall logs).
When I choose 'manual' on the IVE, I enter the proxy address and port number on the IVE. On the client side the proxy setting under 'Use a proxy server for your LAN' is unticked and there is a tick against 'use automatic configurtion script'. The field contains the path to the local instantproxy.pac file on the C drive.
When I choose 'no proxy' on the IVE, on the client side the 'use a proxy server for your LAN' is unticked and an instantproxy.pac file is used with a Direct connection configured within the pac file.
When I disconnect from the VPN, the proxy settings are returned to what they were prior to the VPN connection (i.e the GPO settings) which is what it should do.
Basically no matter what option I choose, the client still tries to get to the Internet directly without ever trying to use the proxy, no matter how the client is configured.
I meant if the client already has a pac file/proxy configured, that proxy will be used to decide whether it requires to use that proxy to reach the SA URL depending on the logic of that proxy
Now if you configure a manual proxy/pac file under NC connection profiles, that proxy will be used to access internet and intranet resources as split tunneling is disabled
NC creates an instant proxy pac file stating that to reach SA URL go via the proxy defined in client browser or direct based on that proxy logic and for all other resources go via proxy defined in the NC connection profile
Preserve client side proxy settings preserves the client proxy settings so it requires that the proxy pac url defined in the client broswer settings is reachable via the tunnel and the internal resource and also internet access is going through that proxy.
Can you attach the instant proxy pac file created when you set no proxy or manual proxy under NC connection profile
I've just been reading this thread and I believe I am having exactly the same issues.
Proxy settings are implemented via GPO and all Juniper settings are being ignored. (When Juniper client connects, Proxy settings in IE is unchecked and client cannot access internet)
Did this get resolved?
What version of Internet Explorer are you using?
Beginning with Internet Explorer 10, using Internet Explorer Maintenance to apply settings via GPO has been deprecated in favor of administrative templates and the Internet Explorer Administrative Kit 10.
Beginning with Internet Explorer 11, Microsoft has disabled, by default, use of the "file://" type proxy automatic configuration script that Juniper uses for the instant proxy pac file. IE will accept a file type without complaint but will completely ignore it. There is a registry change that will restore the pre-IE11 functionality. More information can be found here: