We're just beginning to test the new Junos Pulse 5.0.4 client which now (finally) supports Per-App VPN connections on iOS 7.
We've assigned a Per-App VPN enabled profile to one of our apps. When the app is launched, the VPN comes up, but when the app tries to make a connection, we see it denied in the SA logs with the following message:
Request to connect to sam::x.x.x.x port y permission denied
This connection worked when Per App VPN wasn't enabled but now it seems a different ACL or protocol type is being applied that is not allowed.
Does anyone know how to add a 'sam::' ACL to allow this type of connection?
Per-App VPN uses the SAM (Secure Application Manager) component of Pulse, not tunneling.
You need to enable WSAM on the role you are using and create a policy for access.
Resource Policies > SAM > Access Control. Add whichever resources you need to access.
I found this by testing. I can't find any documentation yet.
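As an added example (not code from the thread or from Juniper), the script below pulls the host/port pairs out of the "sam::" permission-denied messages quoted above, so the resources to add under Resource Policies > SAM > Access Control can be listed from the log instead of discovered one denial at a time. The sample log lines and their prefix format are constructed for the example.

```python
import re
from collections import Counter

# Matches the SAM denial message quoted in the thread; the host may be an IP or a name.
SAM_DENY_RE = re.compile(
    r"Request to connect to sam::(?P<host>\S+) port (?P<port>\d+) permission denied"
)

# Constructed sample log lines for this example; the prefix format is an assumption,
# only the "Request to connect to sam::..." text comes from the thread.
SAMPLE_LOG = """\
2014-03-10 09:12:01 user1 - Request to connect to sam::10.20.30.40 port 443 permission denied
2014-03-10 09:12:02 user1 - Request to connect to sam::10.20.30.40 port 443 permission denied
2014-03-10 09:12:05 user1 - Request to connect to sam::intranet.example.com port 8443 permission denied
2014-03-10 09:12:07 user1 - Login succeeded
"""


def sam_denials(log_text):
    """Return [(host, port, count)] for every SAM ACL denial, most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SAM_DENY_RE.search(line)
        if m:
            counts[(m.group("host"), int(m.group("port")))] += 1
    # Sort by descending count, then host and port, so output is stable for review.
    return [
        (host, port, n)
        for (host, port), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ]


if __name__ == "__main__":
    for host, port, n in sam_denials(SAMPLE_LOG):
        print(f"{host}:{port}  denied {n} time(s) - add to the SAM access control policy")
```

Run it against the SA event log export; each host:port it prints is a resource the role's WSAM policy does not yet allow.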
I have tested this same scenario in our lab and confirmed the same behavior. Since Per-App VPN utilizes a WSAM tunnel, you will need to have the WSAM ACL to allow access to the following resources for Per-App VPN. I have drafted a KB and should be available on our support site in a few days.
Thank you for your feedback.
Thanks. I found a doc on it just yesterday.
Did anybody understand the role licenses are playing in the deployment model?
1) iOS 7 Per-App VPN (requires third-party MDM solution to deploy)
I did some tests on an iOS 8 device. Indeed, tapping on our MDM-deployed app makes the VPN on demand set up, but no traffic seems to flow on the "wsam" tunnel.
Before applying the WSAM ACL to the role I got the "Request to connect to sam::x.x.x.x port y permission denied" message;
after applying the correct WSAM policy there is no error message, but actually no traffic as well ....
Unfortunately our Juniper TAM seems not to know anything about this solution.
In order to allow the Juniper appliance to accept Per-App VPN connections you need to purchase a PAC license from Juniper.
They are relatively cheap depending on the appliance model you are using.
Great! Actually it would be kind from Juniper to make the device log a clear message when a feature is not working because of lack of licenses ....
Thanks a lot