Yes the certificate is there. What are the powershell commands you used to configure the client?   Thanks ... View more

Were you able to get user certificate authenticaion to work on RT? I see in the documentation that it states "Authentication method" is not a supported setting.   This makes me think that only UN/PW is supported.                                                                                                                                                         NOTE: Some VPN Client cmdlet options are not applicable to creating Pulse connections.The following Add-VpnConnection options cause an errorif you use them when creating a Pulse connection:                                                                             ¥ -AuthenticationMethod ¥ -EncryptionLevel ¥ -L2tpPsk ¥ -MachineCertificateEKUFilter ¥ -MachineCertificateIssuerFilter ¥ -UseWinlogonCredential ... View more

http://www.juniper.net/techpubs/en_US/junos-pulse5.0/information-products/topic-collections/win-phone-junos-pulse.pdf           ... View more

You may need to reboot your PC after installing Pulse. Yes, you would just enter your domain credentials in the Pulse branded login tile. ... View more

You can accomplish what you want by configuring Pulse to "Start automatically at user login" and then put a certificate restriction on the role you want to use.  Users will have a Pulse branded tile when they go to login and need to just enter their AD creds. You can't use HostChecker because it can only validate machine certificates.   Hope this helps. ... View more

I don't believe that is going to be possible.   See; http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB19325   Note Certificate authentication to an ActiveSync server is not supported. In the following scenario, the initial connection to Junos Pulse Secure Access gateway requires a client certificate. If successful, username/password credentials are provided to the ActiveSync server.   ... View more

Sounds like you are the right track with your last paragraph. I've used "NOT" in the custom policies several times. Make a copy of your AV/FW Hostchecker policy then change it to a custom rule and put in; NOT "Rulename1" OR NOT "rulename2" Any Windows device that doesn't have the required AV and FW running should match this policy. You're also going to need to add some dummy rules in that HC policy for the other OS. For example, add a version check for ios devices. ... View more

My question is what is the best way to generate a cert? Not sure there is a best way. It depends on your CA. If you are using Microsoft Certificate Services you can setup SCEP and provision the certificates directly to the iOS devices. A google search will show you several articles on how to do this.   Should I just use a PC to generate a "client authentication" cert and have it signed by our Root CA? Yes, the certificate purpose must be Client Authenticaion and be signed by your CA.   I am assuming the reccomendation would be to do generate a unique cert for each device. Since the Root's Public key is recognized by the MAG, I should only have to setup the MAG once for that to work.  Correct?  Yes, that is correct.   Do most people track the cert back to the particular user for logging? Yes. Sharing a client certificate would be akin to sharing a username/password. It's never a good idea. Among other things it allows you to revoke a users certificate in order to remove their VPN access. ... View more

In the Juniper Admin GUI go to; System > Configuration > Security. At the bottom of that page under "ActiveSync Client Certificate Configuration" you can enable certificate auth. You will will also need to import the Trusted Client CA cert   Hope this helps. ... View more

It's under Route Precedence. "Tunnel Routes with local subnet access"                 ... View more

If you are looking for a string in the last part of each log message then you would use msg="string" If the string you are looking for resides in more than one log component then it would probably be easier to export the log and search it. ... View more

Thanks but it even occurs when only one person is on the VPN.  ... View more

You can download the generic sample template which will contain those files. ... View more

I believe the only situation where that is possible is when you are using SAML. In that case the credential collector can be a seperate site from the Juniper login page. ... View more

Braker- Did you ever figure out how to solve this?   Thanks ... View more

Thanks. I found a doc on it just yesterday. http://www.juniper.net/techpubs/software/pulse/guides/Junos_Pulse_AppConnect_Deployment_Guide.pdf     ... View more

What version of IVE are you running? I'm not seeing the same result with 8.0R3.2. ... View more

Per APP vpn uses the SAM (Secure Applicaion Manager) component of Pulse, not tunneling. You need to enable WSAM on the role you are using and create a policy for access. Resource Policies > SAM > Access Control. Add whaichever resources you need to access.   I found this by testing. I can't find any documentation yet.   ... View more

If you have AD authenticaion configured on the 6611 then the username attribute being checked in AD is SamAccountName or UserPrincipalName if you have the "allow domain to be specific as part of the username". That's why changing the users email address in AD had no affect. If you changed the authenticaion type to LDAP you could define which username attribute to use, like email. If you want to stick with AD then you need to see if the username is defined in a different manner in another user certificate attribute. Then set your certificate authentication use that as the username template. Something like <certAttr.altName.UPNuid>    Run a policy trace and that will show you the details about how the authenticaion is working or not working for a specific user.   Hope this helps. ... View more

In the host checker policy for XP choose "Custom" under Require: Then enter NOT <name of you hostchecker policy> ... View more

Change the variable to <USERNAME> It won't include the domain. ... View more

I guess I would want to know why you want to implement client certificate authetication. In general, sharing the same client certificate among multiple users would be similiar to sharing the same username password. A client certificates is typically issued to a single user. For most of our customers we combine the client certiticate auth with Active Directory UN/PW. So in order access VPN a user has to have a the client cert on their device and know their credentials. Another option for you might be to use device certficates. This works well if the devices are members of an AD domain which typically provisions the client cert when the machine is joined. Again I would suggest also requiring UN/PW in combinatioin with the device cert. For role mapping you can extract the username from the certificate(assuming you are not sharing a single cert) and map based on the AD group a user belongs to.   ... View more

I did get it working. The documentation isn't very clear.   To answer your question;   For the internal : is it the URL of the Outlook Web Access on the HTTPS port ? Yes, this is the URL of your OWA server.   For the virtual hostname, if i understand it's an url defined into my external DNS and available from Internet ? Correct, this is a hostname that resolves to the external IP of your Juniper gateway.   After you have that configured you have to configure a sign in policy that maps to a realm and role that has secure mail enabled in order to onbaord the device. So something like https://IVEHostname/onboard     ... View more

Have you tried deleting the infcache.1 file? ... View more