- Pulse Secure Community
- :
- About mattspierce_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
mattspierce_
Frequent Contributor
108
Posts
0
Kudos
4
Solutions
08-31-2012
11:18:AM
I worked out the issue myself. I didn't have any conditions set to the allow rule. Adding role ='*' put the allow rule in effect and fixed my glitch. I was also able to clean up that knarly 10 network rule.
... View more
08-31-2012
07:19:AM
I'm running into an issue with Split Tunneling as well. We have Pretty much our entire 10.x.x.x network utilized in various test networks. We have a product range that users 10.10.10.x and 10.10.20.x that we have worked around. with a very likely overly complicated allow rule. The problem crops up when a contractor connected to our network and they used the network range 10.60.100.0/24. I changed our Test Allow rule to Detailed rule. then denyed that range for the contractor role. then allowed the networks for all Roles. This isn't working though. Can anyone point out where I went wrong? Also, if I understand this, I can change the Test polcy to use the resources 10.0.0.0/8 and let the detailed rule allow statement to handle the mishmash of 10.x.x.x networks that should come accross the tunnel. SA4500 v7.2 r3 The role is set to use Junos Pulse Split tunneling is allowed. Route Precidence is set to Tunnel Route Split Tunnel Resource Policy 1. Test Detailed Rules (Edit) 1. Deny 10.60.100.0/24 If: role = 'contractor' 2. Allow 10.0.0.0/13, 10.8.0.0/16, 10.9.0.0/16, 10.10.0.0/21, 10.10.12.0/23, 10.10.14.0/23, 10.10.16.0/23, 10.10.18.0/23, 10.10.8.0/23, 10.10.11.0/24, 10.10.21.0/24, 10.10.22.0/23, 10.10.24.0/22, 10.10.32.0/19, 10.10.64.0/18, 10.10.128.0/18, 10.10.192.0/18, 10.11.0.0/16, 10.12.0.0/14, 10.16.0.0/12, 10.10.28.0/22, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9 (Details) 10.0.0.0/13 10.8.0.0/16 10.9.0.0/16 10.10.0.0/21 10.10.12.0/23 10.10.14.0/23 10.10.16.0/23 10.10.18.0/23 10.10.8.0/23 10.10.11.0/24 10.10.21.0/24 10.10.22.0/23 10.10.24.0/22 10.10.32.0/19 10.10.64.0/18 10.10.128.0/18 10.10.192.0/18 10.11.0.0/16 10.12.0.0/14 10.16.0.0/12 10.10.28.0/22 10.32.0.0/11 10.64.0.0/10 10.128.0.0/9 All roles
... View more
08-31-2012
06:24:AM
Thanks for the answer. Just so I can be cliear, is the connection count cumulative with user access and active sync? I'd guess that is the case based on the memory considerations. If our Activesync+UserAccess count hits 1001, what happens? Does the overage get dropped?
... View more
08-29-2012
08:46:AM
I have a pair of sa4500's in A/P clustering. I have about 680 activesync clients connecting to an internal exchange 2010 infrastructure through the cluster. I have another 250 users average connecting as web users or pulse connections. All told we will say 930 or so users on a given day. Since the 4500 only supports 1000 concurrent connections, am I about to hit the ceiling?
... View more
08-07-2012
02:44:PM
We have host checker disabled, but on two systems we are experiencing the issue. On two other systems we are not having the issue. All systems involved were upgraded from Lion. Nothing we can find distinguishes the affected systems.
... View more
08-03-2012
07:50:AM
I have a user who is continuing to have issues with Mountain Lion. Specifically the Pulse client is uninstalled after each reboot. I've verified that he can execute from any source. I've ensured that Java is installed and enabled in safari. I don't knwo what else to try.
... View more
05-29-2012
01:34:PM
I had very similar results as you did. The step I was missing was converting the pem files to der. openssl x509 -in certificate.pem -inform PEM -out certificate.der -outform DER openssl rsa -in privatekey.pem -inform PEM -out privatekey.der -outform DER Could you be referencing old certs that are still in pem format?
... View more
05-17-2012
08:00:AM
The Web Resource was the issue as described in KB24117. The affected users had bookmarks contained html encoding. Deleting those bookmarkes allowed the client to login. I set the role option Mask hostnames while browsingÓ.. That seemed to be affective for the other affected users. I may have to peel off a role specificially for the mobile clients so I can set the 'Web' access method and not affect other network connect users. http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB24117&actp=RSS&utm_source=twitterfeed&utm_medium=twitter&smlogin=true
... View more
05-16-2012
03:12:PM
Has there been any update? I have a user who is not able to stay connected from an iPhone. The client connects and then immediatly disconnects. I've had the user remove the profile and re add it. I've checked realm and role restrictions and I'm not enforcing browser strings. I've checked the role and Junos Pulse is not enabled. My gateway is an SA4500 running 7.2.1r1 Client is: iOS 5.1 Junos pulse 3.2 Log shows a successful login followed by a log out. Info AUT22673 2012-05-16 17:00:05 - j4500-b1cr - [166.147.115.243] anjohnso(Pulse_Mobile)[Users-NC-Client] - Logout from 166.147.115.243 (session:357e104c) Info AUT22670 2012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243] anjohnso(Pulse_Mobile)[Users-NC-Client] - Login succeeded for anjohnso/Pulse_Mobile (session:357e104c) from 166.147.115.243. Info AUT24326 2012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243] anjohnso(Pulse_Mobile)[] - Primary authentication successful for anjohnso/rsa-srv6 from 166.147.115.243 Info AUT23278 2012-05-16 17:00:02 - j4500-b1cr - [166.147.115.243] anjohnso(Pulse_Mobile)[] - User Limit realm restrictions successfully passed for anjohnso/Pulse_Mobile policy trace shows the login and role map are all successfull. Info PTR10212 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Mapped to roles Users-NC-Client by rule 'user = '*'' Info PTR10213 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Role mapping stopped by Stop rule Info PTR10205 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Realm Pulse_Mobile mapped user anjohnso to roles Users-NC-Client Info PTR23353 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Role restrictions successfully passed for roles: Users-NC-Client Info PTR23362 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Sign-in successful, creating session Info PTR23363 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Session created, redirecting user to start page. Sign-in done. Info PTR24559 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Automatically redirected from page "login" to the next start page "/dana/home/starter0.cgi?check=yes" before starting the session.
... View more
05-04-2012
06:34:AM
I was able to work around the issue by setting up a Pass Through Proxy rule to bounce the traffic up to port 1100x. I was supprised that our single sign on continued to work. We are running 7.2 so that my be a new feature.
... View more
05-03-2012
07:32:AM
Was there ever any solution to this.. I've also run into this problem. SA4500 and DTE. Both running 7.2r1.1 Using the standard OWA Resource Policy and Singe Sign on with Form fill. Connecting to an Exchange 2010 sp1 environement. When opening another mailbox the user sees the other mailbox for a split second and then get the following error. There was a problem opening your mailbox. You may have already signed in to Outlook Web App on a different browser tab. If so, close this tab and return to the other tab. If that doesn't work, you can try: - Closing your browser window and signing in again. - Deleting cookies from your browser and signing in again.
... View more
05-01-2012
12:32:PM
I'm very interested in this. Is there a KB discribing a sample config for a SAML session?
... View more
04-30-2012
01:56:PM
I upgraded from 7.1R7 to 7.2R1.1. I'd say your download is corrupt. One of the things I love about the DTE is that I can get 100% gaurantee that a firmware will function in production because I've already ran that firware in dev for a month or so.
... View more
04-30-2012
01:25:PM
We have been getting the error below "Unfortunatly Junos Pulse has Stopped on a fairly frequent basis. Most clients have experienced the issue and all are on the current market version. The issues has gotten worse since enabling the pulse security portal on the devices. I get about 4-5 crashes a day. The devices I know have the issue are divers. One VZW GNEX running 4.0.2. One HTC Thunderbolt run 2.3, and one HTC Incredible 2 runnig 2.3. All devices are factory firmware. The Gnex is encrypted but the other two are not.
... View more
04-30-2012
09:02:AM
Thank you for the KB reference. I was missing the PEM to DER conversion. Once I got that squareed it works like a champ. The device interface allows you to reference a .PEM or .DER format file. I had already trimmed the Bag header as requested in the KB. Does the Pulse Mobile android client not suport .PEM then? I'm also not happy having an unencrypted key file sitting on the filesystem. In my minde it would make the most sense if you implemented a client keystore. And allowed import of .pfx. That seems to be the least worst option for provisioning the mobile client. The key is encrypted right up to it being entered into the pulse mobile keystore and then the pfx file should be deleted.
... View more
04-30-2012
07:24:AM
In the role you map the ipad's communication to, do you have Junos Pulse or Network Connect defined in the role options? As odd as it may sound, the Junos Pulse mobile clients need to connect to a role defining Network Connect.
... View more
04-27-2012
01:39:PM
About useing the certificate store, is the problem a lack of api access to the cert store? I've installed certs there and used them for wifi auth and activesync. But those are built in capabilities.
... View more
04-27-2012
01:13:PM
With Use Cert disable I get Missing Certificate Check that your Certificate is valid and up-to-date and try again on the client side. Here are the user side logs. Info AUT23457 2012-04-27 15:10:55 - ive - [76.164.174.115] System(pulse_cert)[] - Login failed using auth server Adtran-PKI (Certificate Server). Reason: NoCert Info AUT24327 2012-04-27 15:10:55 - ive - [76.164.174.115] System(pulse_cert)[] - Primary authentication failed for /Adtran-PKI from 76.164.174.115 Info CRT30663 2012-04-27 15:10:55 - ive - [76.164.174.115] System()[] - client certificate received: -----BEGIN CERTIFICATE----------END CERTIFICATE-----
... View more
04-27-2012
07:05:AM
I'm attempting to get certificate authentication working. I've tested it out on the Windows Client and the iOS Junos Pulse mobile so I know that the signin, realm, and auth servers are correct. On my android device I can't seem to get the cert format correct. First off, why doesnt adroid pulse client support pfx/p12? That is the easiest most common format for an exported keypair and certificate. Even better, why isn't the certificate interface integrated into the Android certfificate store? Your duiplicating work and making it more difficult to deploy. So far I have exported my pfx file with the command line openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts I've then setup the option to use certs in three different ways with the Junos Client 1)Point the client to certkey.pem for both dialog choices 2)Split certkey.pem into a cert.pem and key.pem. In the pulse client I configured the certs as apropriate. 2)Split certkey.pem into a cert.pem and key.pem. I then edited the .pem files and removed all headers leaving the begin cert and end cert header. In the pulse client I configured the certs as apropriate. 3)I took the cert.pem and key.pem and removed all headers leaving only the ciphertext. I renamed those files cert.der and key.der respectivly. In the pulse client I configured the certs as apropriate. In all cases I get the error "Failed to connect to the server! Check your Certificate." I have a trace running on the realm the client points to for the UPN the cert uses. In all cases I never see a login attempt. I have client cert logging on and the user log shows no attempt. That tells me that the client isn't digesting the cert or even trying to login. So where am I messing up?
... View more
04-19-2012
06:54:AM
I think what you are asking would be very difficult to implement. A webserver, which is what the SA's are, don't keep state with the client. The client keeps a cookie once logged on and reminds the server of his state with each link. For what your asking to work I believe the server would have to keep track of the URL and every link in the current document a user has pulled down. That is a lot of data to keep track on the fly. The solution in the SA appliances are the Web ACL's. That is the mechansim that lets the role a user maps to get access to resources. By default I believe there are *.* access rules for the initial role. I would suggest considering removing the *.* acls. Then create resource profiles for your web pages. The profile will create an autopolicy with the ACL you need.
... View more
01-25-2012
02:20:PM
You could try setting the service to manual. That should only call the service when you run the pulse client. Let me know if that works for you.
... View more
01-17-2012
08:14:AM
Thanks for the reply. Just to be certain. Were you using client certificates on the devices and enforcing certificates in the SA's configuration? I just don't get why multiple other platforms work and Windows Phone isn't. Certs imported clean, they just are not used. One site mentioned having to trust the root and intermediate cert through the web browser but the email diaologs looked just like the web browser import diaolog. Both showed successful. Of course in the goal for minimalsm you can't actually look and see what certs are loaded that I can find.
... View more
01-16-2012
11:56:AM
Have you thought about using client certs? That would tighten up.authentication. enforce client certificates in configure/security. ad can publish and maintain the certs. Mark the keys non exportable in your template and now only ad boxes can associate.
... View more
01-13-2012
02:11:PM
Has anyone gotten Certauth working through an SA appliance with Windows Phone 7. We currently service iOS and Android with our unit. I am not able to get a Windows Phone to work. I have an sa4500 running 7.1r5 code. I'm pointing my signin url to a vip for the Eachange 2010sp1 cluster(3 servers) I've seen folks give explicit instructions for configuring the client and server. http://mobilitydojo.net/2010/05/20/securing-exchange-activesync-with-client-certificates-wan-access/ My config is mostly the same. The main difference though is that these instructions alwasy use a MS Forefront server as the RP. I'm of course not. Additionaly, in the config of the Forefront server, the instructions detail configuring Contrained Delegation to the Forfront AD object. This is to allow the ForeFront server to use the cert to auth to the Outlook Frontend Server. The SA doens't have any documentation for a similar capablity and instead forwards the authentication to the Frontend Server and then pass the response. I'm wondering if this is my issue. Windows Phone 7 is the only client I've heard of that can use clients certs to not only auth to the ReverseProxy, but all the way through to Exchange.
... View more
12-20-2011
08:57:AM
We are having the same issue. We have a saml federation with ADP portal. There is an applicaiton within their portal that uses a java servlet to populate a flash element. That servlet generates the base url on the server side and the rewriter isn't catching it. I'm currently working the issue through my reseller and they have an atac case open about the situation. Were you ever able to make any headway?
... View more
12-15-2011
12:44:PM
Its under System\Configuration\Virtual Desktops. There is a tab that provided options for the vmware view and citrix client installs. From there you will need to have the role Terminal Services/Options sections setup. Thne publish a resource for the Termial Service.
... View more
11-30-2011
02:22:PM
We havn't seen more of this issue since moving to 7.1r4 by the way.
... View more
11-30-2011
02:21:PM
The fix was to come up a fix process. Removed all the unnecessary programs. CA/Shopnow/McAffee and all Juniper modules.\ Ran the Pulse Cleaner tool. *Juniper support recently dropped this tool on me during another client issue.* Ran the following commands. netsh int ip reset reset.logÓ and netsh winsock resetÓ Deleted all files in c:\windows\temp and %temp%. *This is a typical step for fixing msiexec errors.* Reboot. Reinstall. I ran md5 on the relevant dll files using md5deep, a free tool for getting hashes on a windows box. Any md5 hashing tool will do.
... View more
11-14-2011
05:06:AM
With the Pulse mobile clients they need to be connecting to a role that has network connect. Seems odd, but its in the docuemntation. You also may want to lookup the kb entries on the pulse mobile client. There is a custom signin page that imporves the users login experience.
... View more
08-25-2011
11:39:AM
We are finalizing the SAML setup with one of our vendors. We sent them our SA Entity ID. I had to edit the Consumer Service URL and the Resources URL. That modified the SA Entity ID and blew the config. Is this Entity ID something I can change back to its original value. I canÕt edit it in the SAML SSO Policies directly. ItÕs some kind of system generated value. Original value https://vpn.adtran.com/dana-na/auth/saml-endpoint.cgi?p=idp4 Post Edit value https://vpn.adtran.com/dana-na/auth/saml-endpoint.cgi?p=idp5
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
