Our users access our Intranet from outside our network by logging into the SA2500 SSL-VPN and selecting the Intranet from the SSL-VPN menu.
We have a customer survey link that we send out via e-mail... the survey page is just a page on the same server as our Intranet and we would like for the user to be able to click the link, get prompted for the SSL-VPN login, then be directed to the survey page. This is the way it worked with our old Nortel SSL-VPN and we accomplished this by providing two links in the survey e-mail... one for "in the office" and one for "out of the office".
I've recreated the "out of the office" link to accomodate the new Juniper rewrite url but when the user logs in he still just get the menu and isn't being redirected. Is there a way to get this single survey url to redirect without affecting the way the rest of our intranet functions through the SSL-VPN?
Thanks in advance for your help!
Thanks again for the helpful information! I was able to get the "out of office" link working using Rakeshb's method. I will try enabling "Browser request follow-through" next week to see if that works as well... I'd definitely rather go with that approach as it's much, much simpler. I will post back next week with my final notes.
"but when the user logs in he still just get the menu and isn't being redirected."
When you say the above I think you are referring to the bookmarks page that comes up right after you sign-in to SSL-VPN page.
Correct me if that is not the case.
What you could do is, create a seperate role for the survey activities. On this new role goto general -> UI options.
On this page see the 'start page', here select "custom page" as the option and you can add your survey URL here.
This way when a user from the outside clicks on the survey link, he will authenticate to SSL-
VPN get assigned to this role and automatically get redirected to the survey URL that you way.
This will avoid users seeing the bookmark page.
< please mark this post as 'accepted solution' if this answers your question that way it might help other as well, thanks >
That's a good workaround! Never thought of that.
Thanks for the reply... much appreciated! Just had a follow-up question... the survey page is actually for our employees and everyone is already assigned roles and access the ssl-vpn for other applications. Won't this workaround affect the way the ssl-vpn currently works for them? If I assign them to this role won't they get redirected to the survey page every time they login after? How does the ssl-vpn know which role takes precedence?
Thanks again for the help!
Thanks for the reply... unfortunately this still isn't working for me... maybe I'm doing something wrong. I'm fairly new at managing this box so I'll restate what I'm trying to accomplish and what I've done thus far per your recommendation...
All of our employees already use the ssl-vpn and have roles defined... when a user logs in he is mapped to roles based on active directory group. The roles simply define the menu items and ssl-vpn services that the user has access to. Our IT Helpdesk sends out an automated survey e-mail when a helpdesk ticket is closed... the e-mail has two links... one is to access the survey on our LAN... and the other is to access the survey from the Internet. The link to access from the Internet is the ssl-vpn rewrite link to the survey (ie. https://host.domain.com/survey/,DanaInfo=server.company.com+itqu.asp?icid=20210). When a user click that link, he gets the webportal login, then after logging in he gets the ssl-vpn menu... he is not redirected to the survey. I would like the the users to be redirected to the survey automatically.
So in following your advice, I created a new role called "Customer Survey Role"... enabled UI Options and set the Custom Start Page to the url of the customer survey. I then went to User Realm and mapped a new Active Directory group to the Customer Survey Role. When I added myself to the new Active Directory group and logged into the ssl-vpn I got the new custom start page... this happens regardless of whether I click on the survey e-mail link or just login via the main ssl-vpn page. I only want the custom start page if I click on the survey e-mail link... if I just login normally through the main portal page I want to get my menu of apps. Is there any way to get this to work the way I want?
Thanks again for the help!
I'm not sure it's possible to do what you're asking. Basically, you're asking to create a link that's accessible via the SSL VPN so when user clicks on the link, it logs in the SSL and then go to the survey link. Otherwise, the use would sign-on to the SSL directly and get the access they need.
I haven't seen a way to do this within the SSL VPN device. Maybe Juniper can help with this directly. Have you contact JTAC to see if there's a solution? If you do find a solution please post... it would be interesting to see if you can have a link that's proxied by the SSL VPN.
Heres how SA device will differentiate client requests.
Realm1 - for employees
Realm2 - for survey only
Role1 - Contains bookmarks and other access components.
Role2 - No bookmarks will only redirect automatically to a custom start page.
Employees will normally use Realm1 and will get mapped to Role1 for their day to day operations.
When a survey email is received and when employees click on the link to survey, they will be hitting Realm2 and will get mapped to Role2.
This can be the only way to differentiate a normal employee access and a survey driven access.
Note: If a user tries to access a survey link from the internet without clicking on the survey email, they will still be able to connect as long as they can authenticate to the AD server.
Let me know if this makes clear to your current deployment requirement.
What you are trying can be done if you enable the Role Level option for Browser request follow through. The setting is under Roles > Session Options. This setting will basically ensure that any URL you send to the SA (before login) will be remembered and then post login SA will redirect user to this URL.
On a related note: While the format of the URL you created should work fine, a much cleaner way would be to emulate the format of a bookmark based launch. So if its doable change the format of the "out of office" link to: