
No data passing through JSAM

SOLVED
em_platinum_
Contributor

No data passing through JSAM

I have a basic Web Bookmark resource profile defined and configured for JSAM using default settings.

 

When I log in to the portal, I launch JSAM manually with the start button and then JSAM connects and shows a green light.  However, when I click on the web bookmark the website does not load.  I see no traffic going through JSAM (per the send/receive stats in the JSAM window).

 

Not sure what else to look at to try and get this working.

 

This occurs on both Windows and Mac.

 

Environment details:

  • SA 8.0R2
  • OS X 10.9.2, Safari 7, Java 7u51
  • Windows 7 x64, IE11, Java 7u51
1 ACCEPTED SOLUTION

Accepted Solutions
jayLaiz_
Super Contributor

Re: No data passing through JSAM

Under User Role > SAM Options, is automatic host mapping enabled?

 

Regards,

Jay


7 REPLIES 7
braker_
Frequent Contributor

Re: No data passing through JSAM

When you have a web resource profile that uses JSAM with no rewriting, SAM should do two things:

1. Create a hosts file entry for the server pointing to a localhost IP address.

2. Create a service listening on that localhost IP to intercept and tunnel the desired traffic.

 

Make sure the hosts file entry is being created and that the service is listening. On Windows, the latter can be accomplished with the command netstat -anp TCP

 

Also, make sure your web resource profile is defined by hostname not IP address.
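
An added example (not part of the thread and not Juniper code): a check of the two conditions listed in the post above, a hosts entry that maps the server name to a loopback address and a listener accepting connections on that address. The function names, the hostname intranet.example.test and the sample hosts text are constructed for illustration.

```python
import ipaddress
import socket

def parse_hosts(text):
    """Map each hostname in hosts-file text to its IP (first entry wins)."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def listener_up(ip, port, timeout=1.0):
    """True if something accepts TCP connections on ip:port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(hostname, port, hosts_text):
    """Report which of the two JSAM prerequisites is missing, if any."""
    ip = parse_hosts(hosts_text).get(hostname.lower())
    if ip is None:
        return "missing-hosts-entry"   # browser will bypass the local listener
    try:
        if not ipaddress.ip_address(ip).is_loopback:
            return "not-loopback"      # name resolves to the real server
    except ValueError:
        return "invalid-hosts-entry"
    if not listener_up(ip, port):
        return "no-listener"           # mapping exists but nothing is tunnelling
    return "ok"

if __name__ == "__main__":
    # Constructed sample; on a real client read the hosts file instead
    # (C:\Windows\System32\drivers\etc\hosts or /etc/hosts).
    sample = "127.0.0.1 localhost\n127.0.1.10 intranet.example.test\n"
    print(diagnose("intranet.example.test", 80, sample))
```
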

braker_
Frequent Contributor

Re: No data passing through JSAM

Also, make sure you don't have a web rewriting policy that supersedes the no rewrite autopolicy created for JSAM.

em_platinum_
Contributor

Re: No data passing through JSAM

Thanks for the explanation of how JSAM works to tunnel traffic.

 

I have confirmed that the service is listening on port 80 on the designated loopback address but the hosts file is NOT being updated.  The user I am testing with on Windows is an administrator. 

 

Behavior is showing the same on OSX.  Service is listening but no modification of /etc/hosts.  I am prompted to specify administrative credentials on OSX as part of JSAM trying to start (which I do) but still nothing in /etc/hosts.

 

The resource profile is defined by hostname.

em_platinum_
Contributor

Re: No data passing through JSAM

Here is the Java console log output with tracing and logging enabled:

 


 


em_platinum_
Contributor

Re: No data passing through JSAM


@jayLaiz wrote:

Under User Role > SAM Options, is automatic host mapping enabled?

 

Regards,

Jay


That was it.  Not sure how I missed that option.  I also see how this will be a problem for non-administrative users so it looks like I will not use this option and use external DNS records resolved to loopback addresses that are statically defined in resource profiles that use JSAM.

 

Some behavior I've noticed as part of working through this which seems unusual.  This is part of the JSAM starting processing.  Anyone have any comments on these?

  • Windows OS - Admin User logged In - Automatic Host Mapping disabled OR enabled - User is always prompted with a UAC popup from Juniper JSAM Tool.   This tool seems to be what handles modifying the hosts file so I can understand why there is the UAC popup when host mapping is enabled, but why is it occurring when host mapping is disabled?
  • Windows OS - NonAdmin User logged in - Automatic Host Mapping disabled OR enabled - User never receives the UAC popup from Juniper JSAM Tool - This is good because they don't have permission to modify hosts file anyway, so it seems like something is coded to recognize a non-admin user and not bother prompting, but why doesn't it do this when it's an admin user logged in and automatic host mapping is disabled?
  • Mac OS X - Admin OR NonAdmin user logged In - Automatic Host Mapping disabled OR enabled - User is always prompted for Admin credentials, regardless of if that user is an Admin or NonAdmin.  This prompt is definitely for modifying the hosts file.  If the user is a NonAdmin and Automatic Host Mapping is enabled, the user can simply hit cancel and they get a popup that they don't have permissions to modify the hosts file and JSAM finishes launching. If the user is a NonAdmin and happens to know admin credentials, they can supply them and the hosts file will get modified.   Question here is, is this expected behavior for a NonAdmin to be getting the admin credentials prompt?  Is the software not coded to know this is a non-admin and not prompt (kind of like how Windows with a NonAdmin doesn't do the UAC prompt to run JSAM Tool)?
jayLaiz_
Super Contributor

Re: No data passing through JSAM

Hi,

 

1 and 3 are unusual behavior; I think this needs to be taken up in a JTAC ticket.

 

Regards,

Jay