Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Need help with: http to https, certificates and sign-in page

Jeroen Bismans_
Occasional Contributor
‎07-26-2010 02:13:AM
‎07-26-2010 02:13:AM

Need help with: http to https, certificates and sign-in page

Hi,

I'm pretty new to almost everything from Juniper and I did my first SSL VPN install at a customer.
Everything works fine, the OWA, file shares, Citrix, network connect and so on. But I am having trouble with some requests from the customer.


I will sum up their requests and hopefully I can get some help with this.

  1. Pretty basic, they wanted that when they enter the url of their SSL VPN in http that it redirects to https.
    I have searched the admin guide and the web interface for this but I haven't really found it.

  2. This one is a bit harder, they have 2 realms, let's say realm1 and realm2. They do not want their user to have to choose between the realms in the drop down box on the sign-in page. They would like to have the users sign in with [email protected] or [email protected] and then the SSL VPN parses it to the proper realm. Do you think this is possible? And how I can achieve this?
  3. When I installed the unit, I choose to create a device certificate from the console (sslvpn.domain.org) but the customer wants to use connect.domain.org. But I can't seem to create a new device certificate, I can only make pending certificates to create an official certificate. Is there a way to create a new certificate like you do with the initial install?

Thank you for any help!

0 Kudos
4 REPLIES 4
dcvers_
Regular Contributor
‎07-26-2010 08:39:AM
‎07-26-2010 08:39:AM

Re: Need help with: http to https, certificates and sign-in page

1. Not sure about this, I thought it did this by default but seems not.

2. You should be able to do this with a custom sign in pages. Edit LoginPage.thtml to hide the Realm List and then create a script that intercepts the post, parses the username field then uses this to set the username and selected Realm before posting the form.

3. This questions was asked in another post:

https://forums.pulsesecure.net/topic/pulse-connect-secure/36099-regenerate-system-generated-certific...

the answer was basically save config, reset device, restore config without certificate. If you don't need a publicly signed certificate it may be just as easy to use something like openssl to generate a certificate based on a CSR.

0 Kudos
Jeroen Bismans_
Occasional Contributor
‎07-27-2010 12:11:AM
‎07-27-2010 12:11:AM

Re: Need help with: http to https, certificates and sign-in page

Thank for all the useful tips.

I know now why the redirect doesn't work, I also need to forward the http port through the firewall. It does do it by default.

Thank you for the tips for the realm parsing, I will discuss with the end-user if it is worth the trouble or not.

I will also back-up the config, reset the device and create the proper certificates.

0 Kudos
zanyterp_
Respected Contributor
‎07-31-2010 11:39:AM
‎07-31-2010 11:39:AM

Re: Need help with: http to https, certificates and sign-in page

1) Yes, the IVE will do this; however, as you found, the firewall needs to allow the HTTP -> HTTPS redirect.

2) No. It *may* be possible to create the custom script as discussed by dcvers; but the IVE does not allow for this to be done in any of the standard config options.

3) That is correct, a new self-generated-on-the-IVE certificate cannot be done without doing a factory reset; however, if you or the customer has a Microsoft server with certificate server running, you can generate the CSR on the IVE and then get the certificate from the MS certificate server. Another option, if you are comfortable with it, would be to generate the CSR on the IVE and then use OpenSSL to generate the certificate to import. Be sure to note that with option 1 & 3 the users will receive certificate warnings unless they install the certificate into their browser because they are not trusted; with option #2 they may still have the warning, but it depends on if the local certificate server certificate has been pushed out to users.

0 Kudos
Jeroen Bismans_
Occasional Contributor
‎08-04-2010 04:37:AM
‎08-04-2010 04:37:AM

Re: Need help with: http to https, certificates and sign-in page

Thank you for your reply.

You were correct, I only created a nat rule for https and not for http, that's why the redirect didn't work.
Thank you for pointing this out, this has been fixed now.

I also created a case with Juniper for the custom sign-in page. A team is now going to pick up the case and maybe create the page. I will update on that.

I just did it the quick and dirty way, backed up my config, gave the IVE a reset, configured the correct certificate and restored my backup config.
The customer is planning to buy a real certificate soon so that will also resolve the security messages.

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.