no, there is no Single Sign On capabilities in Pulse presently. If only using 802.1x without using juniper firewalls as Infranet Enforcers you could also use the inbuilt windows / mac / linux 802.1x client instead of OAC and get SSO. Sam. ... View more

Hi, I'm not sure from your description if it is the same user that needs to see the user or a different one. Only system administrators can see all guest accounts, users with guest management rights should be able to see only accounts that they have created. I am running 4.1r1 and this works. What version are you running? Regards, Sam. ... View more

Are you able to post the rest of your switch config? Sam. ... View more

Hi, The problem sounds to be with your switch config. Are you useing 2 vlans, one data and one voice? This should be configured like: interop# set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access interop# set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members data-g650 interop# set ethernet-switching-options voip interface ge-0/0/15.0 vlan voice-G650 When the IC changes the vlan tag, it should only affect the 'vlan members' statement, not the voip vlan. Sam. JNCIS-SEC,FWV,SSL,ER ... View more

web bookmarks, sam, NC all use seperate ACLs, you cannot create one for all. Which type of access are you giving to your users? Its unlikely that yu are providing them with several ways to connect to one server... ... View more

Hi, As far as I know this is fully supported, so TS users can print using a printer on their TS Client machine / network. It will need to be anabled in the role and the bookmark. Sam. ... View more

Send your logs to an external syslog server then grep through for each of the role names. For instance if you have a realm called OfficeA, you would grep using #grep -c OfficeA log.txt Alternatively copy the logs onto your local windows machine and use wingrep or something simular. Sam. ... View more

Hello, In your Host Checker policy add another check for you Symantec Client Security 10 product, then at the bottom of the screen check the box to enable real time protection. Back in your Host Checker policy select "Any of the above Rules" and HC will pass for whichever rule they are compliant with, or you can create a custom expression if your HC policy is more complex. Sam. ... View more

Hi, Having not worked with either product I cannot say with absolute certainty but if they use the open standards for each technology then they will work. Yes, the SA can deploy the client pre-configured to the client when the user visits a web page. If you contact your Juniper sales rep you could possibly organise a trial or they could provide ou with a demonstration. Regards, Sam. ... View more

Hi, Junos Pulse is just the client, you need an SA series to terminate the SSL VPN, or you can use IPSec with an SRX series. SAs are compatable with LDAP, AD, RADIUS, NIS, ACE, SiteMinder, SAML and Certificate Servers, and has its own Anonymous and built in user database. You can create 2 seperate connections in Pulse, one to use either method, so the user can choose which one one use when connecting, or indeed you can get users to authenticate against both before being able to connect. Sam. ... View more

Hi. 1. No 2. Only if user login using the web url, not if users launch the Network Connect application directly. If using the web page to access your SA, you can change which page they are directed to in the user role (the first role with UI options enabled that the user is placed into in cases where they are members of several roles). By default they are directed to the SA 'Bookmarks Page' but this can be directed to another server if required. Sam. ... View more

On the web management console of your SA. Assuming that you have an SA? ... View more

The official way is to do both machine and user authentication - machine auth puts the laptop on a LAN where it can map the network drives etc, then user auth and HC is performed after the user logs in. I believe you can also specify on the sign in policy that the domain name can dictate the user realm, I suspect that if you chose that option, and stated that users need to type the realm then it would only map properly for user loggin into their domain account, because COMPUTER\user wouldn't have a realm. Sam. ... View more

Currently Pulse on Android only supports web bookmarks. In the role, you will need to enable Web and add some bookmarks. Sam. ... View more

Judging by the log, NSM is trying to connect to the SA on the internal port. Have you put the MGMT port IP in NSM? is the SA on the same subnet, or does it have a route to the NSM box? Sam. ... View more

Ok, there is a setting in the sign in policy weather to pass on the domain name or remove it, you could try adjusting that. You can check your AD is working properly by editing the server and browsing the Server Catalog, you should get a list of all the groups in the domain, if this works then there is certainly no issue with the AD server. Does the AD server itslef show anything in the logs, like login failed? Sam. ... View more

2010-12-23 12:53:02 - ic - [0.0.0.0] DOMAIN\DE-66249(CLIENT_Realm-Cert - WLAN)[] - Primary authentication failed for DOMAIN\DE-66249/DOMAIN_AD from 00-21-6a-15-59-60 2010-12-23 12:53:02 - ic - [0.0.0.0] DOMAIN\DE-66249(CLIENT_Realm-Cert - WLAN)[] - Login failed using auth server DOMAIN_AD (Samba). Reason: Failed That normally indicates that the AD server rejected the credentials and looks healthy. The username being passed is DOMAIN\DE-66249, is that right? (particularly the domain name) Sam. ... View more

On the SA go to: Admin Realms - Admin Users (or whatever your realm is called) - Authentication Policy - Source IP and tick the box "Enable administrators to sign in on the Internal Port" Sam. ... View more

Hi, Can you post your user access log? If your user can login through the web portal then there shouldn't be an issue with the AD server, your user access log will rule out some of the common mistakes. You could always try setting up the AD server as an LDAP server rather than the Active Directory preset, I prefer working with AD in this way. Sam. ... View more

1. Accessibility Because IKE/PPTP need commonly closed firewall ports opened, and for routers to support pass through, whereas an SA will fall back to SSL, and port 443 is open on pretty much all firewalls. 2. Authorisation Host Checker features are far more advances than Microsoft Statement of health etc, you can check AV signatures, software firewall etc in a good level of detail, and provide remediation options to fix them. 3. Scalability Using resource profiles and roles mean that you can scale very specific security requirements easily across thousands of users with very little effort. You can use Single Sign on to many web applications, Citrix, terminal services. 4. Network appliance The device is designed and manufactured to provide excellent VPN encryption and decryption, it can be placed in a network behind IPS/IDS and work solely as an SSL gateway, why on earth would you want to use your processing power to run Windows, anti virus etc. 5. Reliability A planned OS release schedule which can be done with no downtime in a cluster, a completely standard architecture, client and everything else means support is easy. Are VPN users going to have to disconnect every Friday for M$ updates on the server? 6. Security Exposing a windows box to web traffic, tut tut. The SA is Debian Linux hardened by Juniper, with very few vulnerabilities (OK, nothing is perfect) but your average script kiddie won't be able to touch it. 7. Interoperability The SA doesn't just work with M$ stuff, what about pulse from an Iphone/Android, this is the way remote access is going... The SA is designed to do exactly what it is doing. Server 2k8 is a jack of all trades, and certainly not a master of this one. :) Sam. ... View more

Hi, You could use a DHCP server to achieve this using static entries, or if it's a permissions thing put users in more specific roles and have connection profiles per role, for instance .1-.5 for IT, .6-.10 for HR and so on. Sam. ... View more

I've not experienced the issues you are asking about, but SA7.0 is quite a big jump. Why not upgrade to 6.5 first and see if your problem goes away, as long as you read the release notes to check nothing will affect you it should be fine. Sam. ... View more

Hi Gowri, If I understand right, you will end up with four roles: -Employee full access - Employee restricted access -Contractor full access -Contractor restricted access. To achieve this, in your realm, map contractors to both contractor roles, and employees to both employee roles, then on the two full access roles add the restriction that host checker is required. If they pass hostchecker they will get both restricted and full access, if they fail they will only get their restricted access. Because no matter what they will get restricted access, don't duplicate the resources between the restricted and full access roles. Sam. ... View more

Hi ND, The bookmarks are only available when logging in through the web portal. It is still possible to automatically launch NC when a user logs into the portal though..... Sam. ... View more

Hi Luca, That still sounds like an ACL problem. Have you tried clicking the "Create an access control policy allowing Terminal Service access to this server." within the resource profile? Sam. ... View more

Hi, This would only be possible with either: 1. A load balancer able to do https healthchecks 2. A dynamic DNS entry, so both sites share the same domain name which fails over when the primary site is unavailable. 3. I think that JunOS Pulse can do this, or at least list both connections without needing to type URLS, if you are running IVE7. Sam. ... View more

Hi, If I understand you right, you will need to add your SSL gateway as an exception in your proxy.pac file in order to be able to connect. Once NC launches you have the option to modify, dissable, or replace your pac file if needed. Sam. ... View more

VLANs are a feature only available with an IVS license to my knowledge and not available on 2000 series. Either use the native vlan option suggested above, which will assume all untagged traffic belongs to a vlan, or if you need more than one vlan (which sounds like is the case) create a third vlan to a router, and use the router to route between the vlans. Sam. ... View more

Look at the values under the role as stated above.... ensure that "session options" is ticked in the role, then go to the session options tab, and ensure that the max and idle timouts are greater than one hour. If this is network connect related, also go to Configuration > NCP, and check the idle timeout there, this should be greater than or equal to the role's maximum timeout. Sam. ... View more

Hi, You cannot SSO with network Connect. You can however use a Web bookmark to point to the web frontend of Citrix, and use SSO there. You could then launch Network Connect, or Secure Application Manager if required. Depending on the version of Citrix you may need to look at the page source to get the right SSO perametres, I'm pretty sure there is something in the knowledgebase for this though. http://kb.pulsesecure.net Sam. ... View more