
Problem connecting ActiveSync through SSL VPN and MobileIron Sentry

fduranti_
Occasional Contributor


Hi, I have a little problem. We use a MAG2640 with 7.3R5 installed, and we use it as a passthrough for ActiveSync email. Instead of connecting directly to Exchange, we use a Mobile Iron appliance (Sentry standalone) that will authorize the device. Until version 4.5 of the Sentry software everything was working correctly, but it seems that, for enhanced security, version 4.6 doesn't allow the SSA to get the page, failing with an error related to the SSL negotiation.

MobileIron said that the load balancer (in this case the MAG2640 machine) should use SSLv3 with a strong cipher to get the pages.

Does anyone have any experience with this kind of connection?

The error I get seems to be something standard related to negotiation, so it's possible that someone got it with other applications too (with Authorization Only access):

 

2013-06-07 09:54:55,271 INFO [SocketThread.init:367] (pool-9-thread-33) (TAG,10.202.109.21:23377,DEVICE_TYPE,DEVICE_ID,USER_ID,COMMAND,SERVER) ********** SocketThread starting (running 1, total 33) for client /MAG2640:23377

2013-06-07 09:54:55,271 INFO [SocketThread.run:720] (pool-9-thread-33) (TAG,10.202.109.21:23377,DEVICE_TYPE,DEVICE_ID,USER_ID,COMMAND,SERVER) SSLHandshakeException: SSLv2Hello is disabled

2013-06-07 09:54:55,272 DEBUG [SocketThread.run:721] (pool-9-thread-33) (TAG,10.202.109.21:23377,DEVICE_TYPE,DEVICE_ID,USER_ID,COMMAND,SERVER) Exception:

javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
    at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:451)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:355)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:818)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
    at java.io.FilterInputStream.read(FilterInputStream.java:116)
    at com.mobileiron.alcor.utils.CountStatsInputStream.read(CountStatsInputStream.java:90)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
    at com.mobileiron.alcor.http.HttpUtils.readNextLine(HttpUtils.java:68)
    at com.mobileiron.alcor.http.HttpUtils.getNextLine(HttpUtils.java:58)
    at com.mobileiron.alcor.http.HttpRequest.readRequestLine(HttpRequest.java:192)
    at com.mobileiron.alcor.http.HttpRequest.readStartLine(HttpRequest.java:185)
    at com.mobileiron.alcor.SocketThread.readMessage(SocketThread.java:2248)
    at com.mobileiron.alcor.SocketThread.getClientMessage(SocketThread.java:2127)
    at com.mobileiron.alcor.SocketThread.getClientMessageHeaders(SocketThread.java:2092)
    at com.mobileiron.alcor.SocketThread.processUpstream(SocketThread.java:408)
    at com.mobileiron.alcor.SocketThread.run(SocketThread.java:701)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)

2013-06-07 09:54:55,272 INFO [SocketThread.run:733] (pool-9-thread-33) (TAG,10.202.109.21:23377,DEVICE_TYPE,DEVICE_ID,USER_ID,COMMAND,SERVER) SocketThread exiting (running 0, total 33) for client MAG2640:23377

Kita_
Valued Contributor

Re: Problem connecting ActiveSync through SSL VPN and MobileIron Sentry

Since the connection is going through the MAG and connecting to the Mobile Iron appliance, this would be considered a backend connection. While the security settings are customizable, these settings will only modify the incoming connections on the web server between the end user and the MAG device.

When an initial handshake is made between the MAG and SA device, SSLv2/v3 is utilized, then the negotiation occurs to use the strong encryption between the two clients. This is to provide max. compatibility with all systems. Engineering is working on providing more granularity to the administrator to enable/disable protocols and cipher suites for the backend connections, similar to the existing web server service, in a future release.

 

The recommendation would be to file an ER with your Juniper account team so this request is properly tracked.
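
To confirm from a packet capture which hello format the MAG sends to the Sentry, the first bytes of the backend connection can be classified as below. This is an added example, not part of the original thread or either vendor's code; the function name and the sample byte strings are constructed for illustration. Java's JSSE raises "SSLv2Hello is disabled" when it receives the SSLv2-format hello while that pseudo-protocol is not enabled on the server socket.

```python
import struct

VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends on an SSL/TLS connection."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of the first record")
    # SSLv2-format record: 2-byte length with the high bit set, message type 1
    # (CLIENT-HELLO), then the highest protocol version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        return {"framing": "SSLv2Hello", "record_length": length,
                "offered": VERSIONS.get((data[3], data[4]), "unknown")}
    # SSLv3/TLS record: content type 22 (handshake), record version, 2-byte
    # length, handshake type 1 (ClientHello), 3-byte length, client_version.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("handshake record is not a ClientHello header")
        length = struct.unpack(">H", data[3:5])[0]
        return {"framing": "SSLv3/TLS record", "record_length": length,
                "offered": VERSIONS.get((data[9], data[10]), "unknown")}
    return {"framing": "not SSL/TLS", "record_length": None, "offered": None}


# Constructed samples: only the headers are meaningful, the bodies are zero
# padding sized to match the declared lengths.
SAMPLE_V2_HELLO = bytes.fromhex("802e010301001500000010") + bytes(37)
SAMPLE_TLS_HELLO = bytes.fromhex("160301002d010000290301") + bytes(39)

if __name__ == "__main__":
    for name, sample in (("v2-compatible hello", SAMPLE_V2_HELLO),
                         ("native TLS hello", SAMPLE_TLS_HELLO),
                         ("plain HTTP", b"GET / HTTP/1.1\r\n")):
        print(name, classify_client_hello(sample))
```

Both constructed samples offer TLSv1.0; only the framing differs, which is the distinction the exception in the log is reporting.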