
Junos Pulse for iOS 5.0.4 and Per-app VPN: "Request to connect to sam::x.x.x.x port y permission denied"

elawford_
Occasional Contributor


Hi all,

 

We're just beginning to test the new Junos Pulse 5.0.4 client which now (finally) supports Per-App VPN connections on iOS 7.

 

We've assigned Per-App VPN enabled profile to one of our apps. When the app is launched, the VPN comes up but when the app tries to make a connection, we're seeing it denied in the SA logs with the following message:

 

Request to connect to sam::x.x.x.x port y permission denied

 

This connection worked when Per App VPN wasn't enabled but now it seems a different ACL or protocol type is being applied that is not allowed.

 

Does anyone know how to add a 'sam::' ACL to allow this type of connection?

6 REPLIES
filbert_
Frequent Contributor

Re: Junos Pulse for iOS 5.0.4 and Per-app VPN: "Request to connect to sam::x.x.x.x port y permission denied"

Per-App VPN uses the SAM (Secure Application Manager) component of Pulse, not tunneling.

You need to enable WSAM on the role you are using and create a policy for access.

Resource Policies > SAM > Access Control. Add whichever resources you need to access.

 

I found this by testing. I can't find any documentation yet.
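
An added example, not part of the original thread or any Juniper tooling: a small script that collects the denied `sam::` destinations from exported log text so the SAM access control policy can be limited to what the app actually requests. Only the denial message text comes from the thread; the timestamp and user fields in the sample lines are constructed, and the `host:port` output is a review format, not the appliance's ACL syntax.

```python
import re
from collections import Counter

# Matches the denial text quoted in the thread; anything around it is ignored.
DENY_RE = re.compile(
    r"Request to connect to sam::(?P<host>\S+) port (?P<port>\d+) permission denied"
)

# Constructed sample lines: the prefix fields are made up for this example,
# a real SA log export will have a different layout.
SAMPLE_LOG = """\
2014-01-10 09:00:01 user=alice Request to connect to sam::10.1.2.3 port 443 permission denied
2014-01-10 09:00:02 user=alice Request to connect to sam::10.1.2.3 port 443 permission denied
2014-01-10 09:00:05 user=bob Request to connect to sam::10.1.2.9 port 8080 permission denied
2014-01-10 09:00:07 user=bob Request to connect to sam::x.x.x.x port y permission denied
2014-01-10 09:00:09 user=bob Login succeeded
2014-01-10 09:00:11 user=carol Request to connect to sam::10.1.2.3 port 70000 permission denied
"""


def denied_sam_destinations(log_text):
    """Count (host, port) pairs for every well-formed SAM denial line."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # unrelated line, or a redacted "port y" placeholder
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            continue  # not a valid TCP port, do not turn it into a rule
        hits[(m.group("host"), port)] += 1
    return hits


def review_list(hits):
    """Sorted 'host:port  (n denied)' rows for an admin to review before adding ACL entries."""
    return [f"{host}:{port}  ({n} denied)" for (host, port), n in sorted(hits.items())]


if __name__ == "__main__":
    for row in review_list(denied_sam_destinations(SAMPLE_LOG)):
        print(row)
```
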

 

Kita_
Valued Contributor

Re: Junos Pulse for iOS 5.0.4 and Per-app VPN: "Request to connect to sam::x.x.x.x port y permission denied"

Hello Filbert,

 

I have tested this same scenario in our lab and confirmed the same behavior. Since Per-App VPN utilizes a WSAM tunnel, you will need to have the WSAM ACL to allow access to the following resources for Per-App VPN. I have drafted a KB and it should be available on our support site in a few days.

 

Thank you for your feedback.

filbert_
Frequent Contributor

Re: Junos Pulse for iOS 5.0.4 and Per-app VPN: "Request to connect to sam::x.x.x.x port y permission denied"

m_blackbird_
Occasional Contributor

Re: Junos Pulse for iOS 5.0.4 and Per-app VPN: "Request to connect to sam::x.x.x.x port y permission denied"

Did anybody understand the role licenses are playing in the deployment model

1) iOS 7 Per-App VPN (requires third-party MDM solution to deploy)

?

 

I did some tests on an iOS 8 device. Indeed, tapping on our MDM-deployed app makes the VPN on demand set up, but no traffic seems to flow on the "wsam" tunnel.
Before applying the wsam ACL to the role I got the "Request to connect to sam::x.x.x.x port y permission denied" message;
after applying the correct wsam policy there is no error message, but actually no traffic either.
Unfortunately our Juniper TAM seems not to know anything about this solution.

 

Regards

MM

 

 

 

filbert_
Frequent Contributor

Re: Junos Pulse for iOS 5.0.4 and Per-app VPN: "Request to connect to sam::x.x.x.x port y permission denied"

In order to allow the Juniper appliance to accept Per-App VPN connections, you need to purchase a PAC license from Juniper.

They are relatively cheap depending on the appliance model you are using.

m_blackbird_
Occasional Contributor

Re: Junos Pulse for iOS 5.0.4 and Per-app VPN: "Request to connect to sam::x.x.x.x port y permission denied"

Great! Actually, it would be kind of Juniper to make the device log a clear message when a feature is not working because of a lack of licenses.

 

 

Thanks a lot

MM