Re: vpn on demand

imanenvoy_ · ‎04-17-2012

I'm curious about this feature on Pulse and SA hardware. It sounds like the user could have a link or app pointing to an internal URL and the client will see the connection, start, and request loginID and password. Once the user is successfully logged in they'll be passed to the app.

Anyone using this? Anyone found any good documentation on use and setup?

Does it have to be a URL or can it be an IP?

PC,Mac iOS, Android support?

Thanks all.

SonicBoom_ · ‎04-17-2012

looks like it may be for mobile devices like iPhones and iPads, and is only for certificate based authentication, here's a link to the KB article,

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB21438&actp=search&viewlocale=en_US&sear...

login may be required to access it

imanenvoy_ · ‎04-17-2012

So the user doesn't provide any login creds? How is access secured? Not sure how the certificate access works....

SonicBoom_ · ‎04-17-2012

yes login credentials are provided by the user, click the link and you will see screen shots that will clear everything up

imanenvoy_ · ‎04-17-2012

screenshots are for the apple ICU so the userID and password listed there are part of the profile the ICU creates.

Kita_ · ‎04-17-2012

Hello imanenvoy,

The VPN on Demand portion is a simply string search of the url to see if it matches. If so, it will try and create a tunnel with Pulse to connect to the resource. The client authentication portion is only to authenticate to the user to the SA. I believe you are asking if about the credentials to the resource itself. You can have the username pulled from a field with the certificate, but there will be no password sent. You'll either need to manually enter via the application or configure a SSO policy on the SA to authenticate the backend.

imanenvoy_ · ‎04-17-2012

Thanks. No I'm wondering about the access to the app.

Example user trying to get to owa that isn't Internet accessible

User clicks the owa.company.com bookmark

Pulse sees the DNS request for owa.company.com that fails over Internet

Pulse client starts -requests userID and password -correct?

Authentication success and URL opens. -delay/timeout waiting for authentication?

User types OWA id/password or SSO would kick in?

Or am I completely misunderstanding how VPN on Demand works?

Also, thanks for the time everyone.

SVK_ · ‎04-17-2012

For VPN on demand certificate based authentication has to be configured on the SA and the client should have valid certificate. Whenever the resource matches the hostname configured for vpn on demand pulse launches and certificate authentication to the SA is initiated once sucessful users can access the resource.

NOTE:
Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!

Steffen_ · ‎04-18-2012

An additional hint:

The app that you want to use with VPN on demand must have enabled support for it.

E.g. if you define ".mycompany.com" to be a VPN on demand domain, the Junos Pulse client will only connect automatically for destination something.mycomany.com, if the app uses a special call. Otherwise you have to open the VPN manually.

Safari and some other apps have enabled this, but many not. :-(

- Steffen

zanyterp_ · ‎04-18-2012

there is nothing sent to the external application; as defined in the KB, you determine which hostnames trigger the login.

i believe it is only hostname (not URL)

this is available only on iOS; no other OS has this capablity.