FYI:  This issue has been resolved in 7.4r7 for us. ... View more

Thanks for the reply jayLaiz. I can't find the document that lists the issue that you're referencing. I checked the release notes for Pulse 7.4r7 and for ESAP 2.4.8. A search for "779118" didn't turn up anything either. Can you point me in the right direction please? ... View more

I can confirm that  KB2830477 is causing the same issue for us. We're running 7.4r4. I see that  KB2830477 can be found under the optional section of Windows Update.    Did you have any issues resulting from uninstalling this KB?  ... View more

Do these users have local admin rights on their computers? ... View more

I can confirm that enabling compatibility mode worked for me as well. Host checker loaded properly. Using IE 11 on  Windows 8.1 and connecting to an SA6500 running IVE 7.4r4 and ESAP 2.4.5.     ... View more

PG, thank you for the quick reply. I can confirm that this worked for me. Host Checker installed properly and successfully detected my Kaspersky AV.   Thanks for the great work around, PG. ... View more

Excellent news. Glad to be of assistance. ... View more

That's good to hear. Post if you have trouble with that part.  ... View more

Gleb, I noticed that you said "Under User Realm - Authentication Policy - Host Checker  I checked Evaluate ALL  Policies"   If you want the the custom remediation message (or reason strings) to appear prior to authentication you must also configure the policies to be enforced at the realm level. If you are only evaluating the HC policies you are telling the IVE that you wish to keep a record of which policies were passed / failed so that you can use that info in the post-authentication role mapping.   I generally try to avoid enforcing many HC policies at the realm level becuase they can be difficult to troubleshoot. If you are enforcing several HC policies at the realm level and users are not able to remediate the issue/s themselves, you will have to take additional steps to locate their user session logs on the IVE since they were never given the opportunity to submit their username.   Alternatively, I prefer enforcing the majority of my HC policies at the role level. I'll typically have zero or one HC policys enforced at the realm level along with some other non-HC checks (certificate, source IP, user agent).   I hope this helps. ... View more

I don't believe that this is a Juniper issue. This sounds more like a local group policy. If I recall correctly there are group policies that can automatically disconnect and / or log off stale RDP sessions.     Here is an MS article on the subject: http://technet.microsoft.com/en-us/library/cc753112(WS.10).aspx The article references Windows Server 2008, but I have configured these settings on client systems going as far back as Windows 2000 and XP.   Good luck. ... View more

Crypto, if you have your RSA/ACE server as your first authentication server and you have AD/LDAP as your authorization server, you will not be challenged for your AD credentials. Instead, you will be challened for your RSA/ACE credentials. Then, the IVE will use the credentials that you specify in the AD/LDAP Auth server config to query Active Directory for your account's group memberships and attributes.   If you also want to be challenged for your AD credentials (after the RSA credentials), you need to select your AD/LDAP auth server as a secondary authentication server.   I'm sorry if I'm misinterpreting what you're trying to do. I hope this helps. ... View more

Yes, we did open a case and Juniper did provide fix for the issue in the form of a new version of the Hob client. We loaded the new client to the system through the standard process to add third party Java applets and configured the custom HTML. So, far it appears the performance is back to what we would expect. The new version is jwt 33.0754 I believe. From a technical standpoint, my issue has been resolved. I'm now just waiting for an answer on whether or not this applet will honor our Premier Java RDP licenses as it did not replace the default version of the Premier Java RDP client.   (Thanks to everyone for the suggestions) ... View more

The upgrade was from 7.2R3 to 7.3R2.   I also have a test system that was upgraded from 7.3R1 to 7.3R2. I rolled the test system back to 7.3R1 and the RDP issues went away. The version of Hob was 3.3 before and after the rollback, but the poor performance was only seen under 7.3R2 ( and not under 7.2R3 or 7.3R1).   So to summarize....   7.2R3 - Good 7.3R1 - Good 7.3R2 - Bad ... View more

I have not tried this, but I'm very interested in your results. I'd suggest opening a case with JTAC to get their opinion. I'm not sure how well the rewriter can handle HTML5 traffic, but they may be able to provide a quick answer.   If you're looking for some things to try here are some ideas. Have you tried a web policy that specifies either no caching or unchanged headers?  Have you tried a passthrough proxy config?   ... View more

I've also been able to get host checker working between Windows 8 and IVE 7.2R3, but only with FireFox. Here is the process that I followed.   Install Firefox ( I tested 16.0.1. ). Install Java ( I tested version 7, update 9 ). Log into the VPN - HC will not be able to detect Windows Defender initially. Open Windows Defender using the search built into Windows 8. Disable the real time file scanning in Defender and then re-enable. Log out of the VPN and then log back in.   Obviously this isn't an officially supported scenario, but I think the information is useful. ... View more

I have 7.3R1 installed in my lab and I was able to get Host Checker working. I should add that according to the release notes Juniper only supports one third pardty AV product when running Windows 8, which is Defender. Also, the release notes state that you must be running ESAP 2.2.4 (which I am).   The release notes also state that real time file scanning is not detectable in Win8 until RTFS has been disabled and re-enabled in Defender. I can confirm that this is true. When I first logged in with Win8 / Defender, I was failing the AV policy. This didn't change until I manually disabled the RTFS feature in Defender and re-enabled it.   In my case, the AV policy is enforced at the role level. So I was able to perform the disable / re-enable while still logged into the VPN. I let the session sit idle long enough for the security policies to be re-evaluated at which point the roles that were restricted by the AV policy became available. I also confirmed in the Active Users monitor that the PC was fully-compliant.   7.3R1 Release Notes info on HC and pre-defined AV policies: "Hostchecker support of Predefined policies on Windows 8 endpoints is limited to Windows Defender only with ESAP 2.2.4. Windows Defender needs to be manually Turned off/on once on Windows 8 machines to enable the 'Check RTP status' Hostchecker policy (792564, 802832, 802855, 813340, 815559)"   Oddly enough, I only had to disable and re-enable Defender once. Even after a reboot, Defender was properly detected. ... View more

I have 7.2R4 installed in my lab. I successfully tested host checker and the premier java RDP client on a Mac running OS X 10.7.4, Safari 5.7 and Java 1.6.0.   When I attempt to connect with a Mac running OS X 10.8.2, Safari 6.0.1 and Java 1.6.0, I am able to install Host Checker, but I am unable to load the Premier Java RDP client. The error is as follows: "The digital signature is not trusted. Java will not allow any access to this applet."   I'm glad that Host Checker is working though. ... View more

If there are other users out there that are still looking for the ability to have user created Juniper Terminal Services bookmarks work with Java RDP clients like the Premier Java RDP Client (AKA Hoblink) please contact your sales rep and have your name / company added to enhancement request 29755. We've had this ER open for a while and it currently has a medium priority. The ER hasn't seen much movement, but if more customers request the feature, it may get bumped up. Thanks. (Also, if anyone has found a decent work-around, please let me know). ... View more

I'll be putting it in my lab in the morning. Will report back what I find. ... View more

That's good to hear. When you first upgraded to the 7.2 code, were you upgrading from 7.1 or from 6.x? ... View more

I agree, Roxanne. In fact I use several parameters in the HTML for the Hob app to automate around this issue for my users. These parameters provide the Hob client with the users credentials automatically. This makes the hob screen basically flash by without the user having to do anything. Please note that in the example below we are embedding the password for a secondary authentication server, hence the [2] in the password variable. <param name="USERID" value="<<USER>>">  <param name="PASSWORD" value="<<PASSWORD[2]>>">  <param name="DOMAIN" value="Your Domain"> If for some reason you just want the Hob screen to disappear but not have the user automatically log into the PC you can add the following parameter as well. <param name="AUTOLOGON" value="no">   I've also attached the Hoblink Java RDP user manual to this thread. Most of the info within it doesn't apply since users don't have much need to interact with the Hob client when launched from a Juniper device. The appendix at the end is very useful though. It lists alll of the HTML parameters that you can use to customize the Hob client. ... View more

Interesting. I'm curious if the certificate that is used to sign the applets is related to the ports that you are presenting your signed SSL certs on. I'm assuming that you are using a real (public) SSL cert on the site that users connect to. Here's what I'm getting at. Are you still presenting the default, self-signed certificate that the SA creates during setup on your outside interface? Under the 6.x IVE, it would create a "secure.companyname.com" self-signed cert. ... View more

Does anyone know if the Apple firewall has the potential to interfere with the HC install under either Mountain Lion or Lion? I have one Mac that sits at the HostChecker screen indefinitely and we just found out that it has the firewall enabled. When time permits I will disable the FW and retest. ... View more

I'm currently testing 7.2R3 in a lab environment. We recently went from 6.5R2 to 7.1R6 in our production environment and I concurr, our HostChecker issues were horrible. Since moving to 7.1, our HostChecker calls on Win 7 and Vista have gone though the roof. Many if not most of these calls require a very lengthy, manual uninstall of HostChecer. I'm hoping that going from 7.1R6 to 7.2R3 will not have the same effect. I'm planning to get my upgrade done within the next three weeks. I'll add my results afterward. ... View more

I believe that we found the solution. In our configuration, we do not open all network ports over Net Connect by default. Instead we open only the port used by the applications our users need. When we added the ports necessary for Outlook 2010 to function over NetConnect we added a range of ports that had been agreed apon between myself (VPN admin) and the team that manages our Exchange environment. It appears that they did not have all of the Exchange servers constrained to the same port range. Specifically, the public folders server traffic was being blocked. It appears that by opening TCP 7157 (in addition to our existing port range) has resolved the issue for us. ... View more