cancel
Showing results for 
Search instead for 
Did you mean: 

NC Client Check

SOLVED
Occasional Contributor

NC Client Check

Quick question.

Exactly what does this setting do?

Users > Roles > "RoleName" > Network Connect > Options > Other Options > "NC Client Check"

Tried to search for info in the admin guide, kb, ect, but can find anything.

6 REPLIES 6
Occasional Contributor

Re: NC Client Check

Hi MichAda

NC Client Check is to check the integrity of Network Connect client components prior to starting a Network Connect tunnel.

if intergrity check fails you will be prompted with error 23787 - Cannot start the Network Connect service. Please re-install network Connect.Ó

Thanks

EL

Highlighted
Occasional Contributor

Re: NC Client Check

Interesting.

I still don't get it though.

Is it just to make sure they get a failure notice before it fails?

I would think that a failure would also indicate a problem : )

We have a user that is having a script problem after an upgrade from 7.0 to 7.1 now, and they have been told to re-install.

I think I'll tick the "NC Client Check" box and see if it helps.

Frequent Contributor

Re: NC Client Check

Hello MichAda,

This is just like a client side security check.

When this option is enabled, NC UI will verify the digital signature of the service binary.

JIS must be installed if user doesnÕt have admin privilege as this process involves service restarting.

Hope the above helps

Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks

Occasional Contributor

Re: NC Client Check

Yeah, it all helpful at this point.

I hate to be soo slow, but I'm just trying to fully understand the option.

So I guess you would elect to check this option if you want to avoid the possibility of a client connecting, and setting up a tunnel, with altered, or tampered, Network Connect files.

Really appreciate the post! Smiley Happy

Frequent Contributor

Re: NC Client Check

Hello MichAda,

I appreciate your response and yes, your understanding is correct now. I am happy that I could help you, but I am trying to understand why wouldn't this solution get an approval from you. Smiley Tongue

Well, to add more value and with intention to help you understand this option better, I have included more detail on this - Could you please mark "accepted solution" if this did help you this time?

Scenario:

- The binary mentioned above can be tampered by hackerÕs using their own tools to inject their own code on the
.exe to function different other than the way intended by Juniper Networks.
- To avoid this tampering, we now sign the binary using code signing certificateÓ

- This means, we have the signature of the binary and we generate a hash valueÓ for the binary and store on the
binary.

- This way, anybody who wants to tamper our binary, needs the private key we generated as well.

Solution

- Now, when we enable NC Client Check, the service binary (dsNCService.exe) is verified by the Network
Connect GUI.

- This way, we know that the service is not tampered.

- If a service is already started and is on the system, then the client is expected to verify the serviceÓ which
means, verify the digital signature and later stop and restart the service.

- When in this case of stopping and restarting the service, we would need administrator privilege or JIS
installed on the client machine.

Thanks

Occasional Contributor

Re: NC Client Check

Now 'that' I accept as a solution!

While the other posts were helpful, I still didnÕt have the full picture.

I do now.

IÕm Slow, but thoroughÉThank you very much.