Junos Pulse (small step forward...painfully)

SOLVED
hulk_
Occasional Contributor

After the long-awaited release of Junos Pulse and an SSL VPN version to support it (yes, I did jump to ver 7.0), my i.apple device users are extremely happy to have "NetConnect" functionality from their devices. Painfully, what I find lacking in any documentation is clarity about what is actually needed. After stumbling for a day or so, it appears that first...you can only have a single REALM to a single SIGN-IN page/policy. It appears that multiple realms cause a problem and an error message is displayed concluding that the authentication failed! (And it does not matter what device type...iPad, Windows Mobile etc.) Although you can set the realm on a Windows Mobile device...it appears it ignores this setting. Additionally, my Windows Mobile device users are still disgruntled that they still have to use the WSAM approach, which I find as an administrator rather cumbersome to create policies, application profiles etc., whereas with the NetConnect approach, I assign an IP to the device and apply policy to the device from several points in the network. (NICE....)

The next confusing piece is the Role definitions...especially when you have a mixed device spectrum in a single group or dept. As for the i.apple devices, no problem...just select the Junos Pulse under the NetConnect tab and presto...no one is the wiser. However, to support the Windows devices, you also have to ensure that the WSAM is selected, and of course users, being who they are, will try and install/run the WSAM application (yes, even after you train them and write documentation to the same effect). Also better ensure that policy and applications are defined as well. And finally, running the Junos Pulse on anything other than a mobile device...well, good luck.

It would well be worth the effort to simplify the number of connection clients to a single unified client (preference given to a NetConnect like client ) for all devices and OS's. I think that Juniper made some headwind in the face of the i.device explosion. I can only hope that the direction for the Junos Pulse is to continue with replacing the WSAM like utility.

MH

1 ACCEPTED SOLUTION

hulk_
Occasional Contributor

Re: Junos Pulse (small step forward...painfully)

I believe I have narrowed down the multi-realm issue. If one uses the default "Users" URL, as I suspect most do, defining multiple realms under that particular URL, the Junos Pulse fails. If you create another URL, and add multiple realms to the URL definition, then the Pulse client prompts the user for the Realm to log into. Even if you define the Realm, as you can with Windows Mobile devices, pointing it at the default URL for users causes the same issue: the client fails to connect.

Synopsis: the URL */ is not recognized by the Pulse Client.

MH


3 REPLIES
zanyterp_
Respected Contributor

Re: Junos Pulse (small step forward...painfully)

You are correct regarding WSAM & Junos Pulse on Windows Mobile devices.

What difficulty are you experiencing with Pulse on desktop Windows machines? It should work without any issue; have you reported issues you have found to JTAC so these can be addressed?

hulk_
Occasional Contributor

Re: Junos Pulse (small step forward...painfully)

The difficulty is the same for a mobile device as for a client machine, in that multi-realms cause the application to produce an error message that does not truly reflect the problem. The error message points to a certificate problem with a corresponding "authentication could not be completed" in the application tray. This message would lead one to believe that A) their certificate for the appliance was a problem (e.g. expired, corrupt etc.), when in fact the certificate is OK; B) that (in our case we do not use personal certificates) the site was now using personal certificates and the user or machine had an incorrect or no valid certificate.

I have not reported this to JTAC at this time, as I believe that the application and documentation are still relatively new and need to mature. Other users of this forum have posted similar findings/questions, and may have already posed the question to JTAC. Although the documentation infers a relatively quick setup process, the application may be doing exactly as the developers had intended it to do; therefore, it is simply a documentation adjustment. I am not currently planning a campus-wide roll out at this time, so my intent is to wait and see what comes down the pipe in the next little while.

One last thought...is that the Junos Pulse was created for mobile devices (as I understand it), to provide VPN remote-like access and the connection methods appear to be fragmented. E.g...

For mobile apple devices (i-touch, i-phone, i-pad), the connection method is Net Connect.

For mobile windows devices (htc, windows mobile etc.) the connection method is WSAM.

For Windows machines (XP, Vista, W7) the connection method is Net Connect.

For other OS's (MAC, Linux etc.), not currently supported (hopefully a maturity statement).

My point is that, when looking at Windows devices for example, whether mobile or not, there are two different connection mechanisms, which is (in my view) an administrative nightmare to set up, configure and manage. A single unified client connection mechanism (NetConnect preferably, others may argue) is the best option for all who have to manage the users and their expectations.

Thanks for listening

MH
