I'm curious about this feature on Pulse and SA hardware. It sounds like the user could have a link or app pointing to an internal URL and the client will see the connection, start, and request loginID and password. Once the user is successfully logged in they'll be passed to the app.
Anyone using this? Anyone found any good documentation on use and setup?
Does it have to be a URL or can it be an IP?
PC,Mac iOS, Android support?
looks like it may be for mobile devices like iPhones and iPads, and is only for certificate based authentication, here's a link to the KB article,
login may be required to access it
So the user doesn't provide any login creds? How is access secured? Not sure how the certificate access works....
screenshots are for the apple ICU so the userID and password listed there are part of the profile the ICU creates.
The VPN on Demand portion is a simply string search of the url to see if it matches. If so, it will try and create a tunnel with Pulse to connect to the resource. The client authentication portion is only to authenticate to the user to the SA. I believe you are asking if about the credentials to the resource itself. You can have the username pulled from a field with the certificate, but there will be no password sent. You'll either need to manually enter via the application or configure a SSO policy on the SA to authenticate the backend.
Thanks. No I'm wondering about the access to the app.
Example user trying to get to owa that isn't Internet accessible
User clicks the owa.company.com bookmark
Pulse sees the DNS request for owa.company.com that fails over Internet
Pulse client starts -requests userID and password -correct?
Authentication success and URL opens. -delay/timeout waiting for authentication?
User types OWA id/password or SSO would kick in?
Or am I completely misunderstanding how VPN on Demand works?
Also, thanks for the time everyone.
For VPN on demand certificate based authentication has to be configured on the SA and the client should have valid certificate. Whenever the resource matches the hostname configured for vpn on demand pulse launches and certificate authentication to the SA is initiated once sucessful users can access the resource.
Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!
An additional hint:
The app that you want to use with VPN on demand must have enabled support for it.
E.g. if you define ".mycompany.com" to be a VPN on demand domain, the Junos Pulse client will only connect automatically for destination something.mycomany.com, if the app uses a special call. Otherwise you have to open the VPN manually.
Safari and some other apps have enabled this, but many not. :-(
there is nothing sent to the external application; as defined in the KB, you determine which hostnames trigger the login.
i believe it is only hostname (not URL)
this is available only on iOS; no other OS has this capablity.