Its currently being considered as a enhancement request. ... View more

I see the same problem, try accessing http://redirect.mycompany.com/ I believe you will get redirected to http://www.myserver.com/subpath ... View more

You may need to find whats common between the user accounts that are failing, are they part of the same group, did they recently change their passwords.. Theres no straight forward way to find the cause, please also create a case with JTAC for further analysis. ... View more

With split tunnel enabled mode and with internal proxy only traffic that needs to go via tunnel uses proxy all other traffic will go direct including the exeptions that are specified withing the original PAC file.. You can create a TAC case to investigate this further. ... View more

1) Try clearing the user access/ event /admin log (after taking a backup). 2) Delete any system / admin generated snapshots from troubleshooting -> system snapshot page. (after taking a backup) 3) Check the SNMP trap thresholds that has been set under log /monitoring -> SNMP to check what percentage of log frequency is set. May want to increase it if its too low. ... View more

Yes, WSAM does support UDP, only conditions is that it has to be client initiated traffic. Policy needs to be specified either as an application or as a destination server (and port). Eg., telnet.exe, outlook.exe or mail.company.com ... View more

Please confirm if your proxy server is internal or external to SA device, also confirm if you have split tunnel disabled or enabled, based on these settings PAC file will be created differently. ... View more

In Admin guide under authorization-only access policy............. "Up to 1000 concurrent connections is supported on an SA 6500." Trying to get info for other devices. ... View more

http://www.juniper.net/techpubs/software/ive/guides/howtos/How_To_Certificates.pdf The above link could also give you more information on how you can configure the settings. ... View more

Since each access mechanism (web rewrite, NC, SAM, pulse) are different in the way they work, there cant be one global policy for all, as it defeats the very purpose of having these variety to suit different customer requirements. Based on what type of access you choose to provide to end users you can configure one global policy within that access type to be applied when users get mapped to specific roles. ... View more

If a user is logged in multiple times, you can simple calculate the total time for that user ID, since user ID is going to be unique per realm / auth server. ... View more

I agree, its a nice to have feature but I am afraid this is currently not available on the SA for now. Can become an enhancement request. ... View more

There may not be a direct GUI way to find this out, but what I can think of is using the active user sessions page. This page has an entry for every user that is logged in and is currently active, if you count a specific role or a realm it will give you the number of users using a particular role or realm. Of course you will have to first copy the active user sessions page data to a good text editor and then try this out, but as said its not very straight forward. ... View more

Misha, There may not be a direct GUI way to find this out, but what I can think of is using the active user sessions page. ... View more

If you need to load multiple device certs then you can create virtual ports (external and internal ) and assign unique certs for each port. Your load balancer can then foward request to any ports based on the location the user comes from. ... View more

Not all rewrite issues will have a rewrite fiter developed. Juniper engineering writes these filters and its decided on a case by case basis. ... View more

Not all rewrite problems will have a rewrite filter. Only problems that require minor change may have a filter developed (by juniper engineering). ... View more

Ideally its the bytes that was received after completion of a web request like GET. It looks like the variable which holds the received bytes value is not able to hold the large value correctly which is why we are seeing this incorrectly. Will need more data to see why this is happening. a) which IVE OS do you see this on? b) You see this on your syslog data, do you also see the same value on your IVE's user access log as well? ... View more

There is no exclusive clean up utility as such for Host checker uninstalling application from Add/Remove programs should be good enough for a new 7.x installation. ... View more

I guess your host checker policy is only meant to check the client OS, if its 2008 or not. If thats the case see if turning OFF UAC gives a different result, I have seen a problem similar to this. ... View more

Please post this on to SRX / Firewall forum. ... View more

Please explain the problem that you are facing in detail. ... View more

According to the RFC, the only mandatory requirement is that the client identifier be unique: "For correct identification of clients, each client's client- identifier MUST be unique among the client-identifiers used on the subnet to which the client is attached. Vendors and system administrators are responsible for choosing client-identifiers that meet this requirement for uniqueness." We are ensuring uniqueness by using the user's SID in the client identifier. We are not using type-value pairs. One thing to note is that the IVE is sending these DHCP Discover packets on behalf of the NC clients and does not have the client's hardware address when doing so. ... View more

Role mapping should be able achieve your requirement. If you point your base DN to Corp Accounts, and use filter cn=* you should get all groups available under all OU's within Corp Accounts. This way you can limit authentication/authorization to only groups that belong to "Staff" and "Contractors". ... View more

Try to connect to the SA device as a client from the LAN itself, this way you will eliminate the routers in question and see if the problem even occurs when testing from LAN as a SA user bypassing the internet. ... View more

A trace route from client computer (NC client) will tell if the traffic to DNS servers is reaching out to the IVE and then getting forwarded. ... View more

1) did this start after an IVE OS upgrade? if yes, what was the previous version. 2) Do you see this problem on all roles or only specific roles? 3) if you create a new role do you still see the problem? ... View more

When you say "I logged inside via web" I guess you are referring to logging into SA as an admin and that you could after disconnecting the cable. Even after you created another admin account you still could not login? Can you try to create a super admin session (option 6 on admin console) and then login, there after check user access / admin logs to see if any errors. ... View more

check if any third party software is installed on the computer which might be blocking dsncservice.exe ... View more