Hello Brian, We had a previous issue with a D-Link DIR-615 router and documented the results in our KB: http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB19900&actp=search&viewlocale=en_US&searchid=1296857643573. I'm not sure if DI-614+ has the same option, but I hope you find this information helpful. If everything is working with your previous router, then it's most likely a setting on the router which is causing the NC connections to be dropped. ... View more

Hello D, Can you ping the end-user machine after the NC session has been disconnected or is this only happening during the NC session? ... View more

Hello Nhel, I would recommend opening a ticket with JTAC as they need to review the logs to confirm the issue. They will need the client debug logs (usually located in C:\Documents and Settings\All Users\Application Data\Juniper Networks\Logging\debuglog.log) and a copy of the iVE logs (user access, event and admin logs). ... View more

Hello Arnold, In most cases, CRL is usually a free service for VeriSign certificate. Depending on the type of certificate (server or client certificate), OCSP is a paid service. You'll want to check with VeriSign to confirm this. In regards to the message, this could cause potential connection issues depending on how the client is configure. There are (rare) instances, the client will drop the connection if it cannot validity the certificate against the CRL. In the browser market, CRL checking should be disabled, by default, in Internet Explorer 6 and below. Starting with IE7, it should be configured to use OCSP first, then fall back to check CRL. With Firefox, I believe it has always used OCSP validation. My recommendation would be try and find an user who is having the issue and see if they can grab the crl by manually typing the url in the browser. If the file can be pulled down, then you can rule out any connection issues. However, I would say 99% of time it is a connection issue while 1% is the CRL server from the CA is down. ... View more

Hello Arnold, If the message is from a browser, this would mean the end-user machine cannot download the CRL from the CA website. On the SSL certificate itself, there should be a "CRL Distribution Point" which states the URL the browser is trying to reach. What I would recommend is to try accessing the URL directly using the browser to see if you can reach the site. If you cannot reach the URL, you'll need to determine the cause of the issue. If you are able to access the site and CRL file, most likely I would recommend contacting your CA to see if their CRL server was down. Overall, my recommendation is to disable CRL checking and enable OCSP as this is more reliable. Depending on the browser and who the CA is, this may or may not be an option. ... View more

Hello RemoLodder, First, you'll want to download openssl to generate the private key and certificate request. Once you have openssl downloaded, you can run the following command with information that pertains to your environment: openssl req -new -nodes -subj "/C=US/ST=California/L=Sunnyvale/O=Juniper Networks/OU=TEST/CN=test.abc.com" -keyout private.txt -out certreq.txt -newkey rsa:2048 -subj is the DN information for your certificate request -keyout is the name of the private key file -out is the name of the certificate request file -newkey rsa:2048 will create a 2048-bit RSA private key Once you've submitted your request and received your public key from a CA, import the private key (private.txt) and the public key from the CA using the import certificate option in the administrator console. ... View more

Hello Flanois, If you want to view the client side logs, you can go to C:\Documents and Settings\All Users\Application Data\Juniper Networks\Logging\debuglog.log. What is the particulare issue you are having with SVW? ... View more

This can be similar to a loopback as the nc server ip address is not tied to any specific hardware. Since it is used only within the tunnel, no devices outside the tunnel should be able to see it. ... View more

Hello aweise, The network connect server ip address is used only between the network connect client and IVE within the tunnel. Since the point-to-point protocol requires two ip's address (one from the client and one from the IVE), the IVE uses a static ip address (network connect server ip) for all NC connection. This also avoids consuming addtional ip addresses per NC connection. This should have no effect on your DHCP server as long as the network connection server ip server is unique from what the DHCP server is assigning. Also, it is not suggest to remove it as this could cause connection issues for network connect users. ... View more

If decreasing the encryption strength resolves the issue, upgrading to 7.4 should resolve those issue. I have tested this scenario in the lab and found it is resolved in the 7.4 release train. ... View more

The following values will only search the dn information of the end user certificate. It will not search the dn of the issuer. ... View more

Hello Nicolas, I've found your case and it looks like it has been escalated to one of my colleagues.  He should be getting back to you shortly.  I will try and provide further assistance through the case. ... View more

Hello Braker, This issue has been identified as a bug and will be fixed in a later release of 7.4.  The issue was due to a change in 7.4R6. ... View more

I am not sure if there is a way for the SA to control this access since it is not going through the rewriter.  Once it is reversed proxied, anyone with access to this link can reach the resource, correct? ... View more

Network connect has the GINA plug-in that integrates with windows credential provider.  This allows you to log-on via your cache credentials and create a tunnel during the log-in process.  Pulse has additional features for machine authentication that allow you to create a tunnel when the machine boots before winlogon or after winlogon. ... View more

Yes, this make sense.  This would be PTP or pass through proxy.  You can configure PTP for hostname and point this to a internal resource.  However, this does mean the hostname will need to be externally resolvable to the SA device.   ... View more

Juniper setup client is not provided as a exe or msi.  In the past, I have installed setup client and zip up the directory and unzipped it in the desired location.  As long as the path is correct, setup client should launch properly. ... View more

I have forwarded your feedback internally to JTAC management as we are working on improving the process and procedures between Juniper and OPSWAT.   ... View more

I tested this in our lab and did not find any change in behavior between 7.3 and 7.4.  I will continue to test to see if I can replicate the issue. ... View more

UnifiedSDK.zip has the required library files to check for AV, Firewall, etc software detection.  These should be tied to a specific ESAP release which would explain why if you connect to one SA with one ESAP version and another with a different SA version, the UnifiedSDK.zip will be downloaded to the same client to match the ESAP package that is installed on the connecting SA device.  If all devices have the same ESAP package version, it is not expected to download the UnifiedSDK.zip again. ... View more

Hello Gleb, I hope you have found a solution, but I did want add to the thread because I believe I understand the issue after responding to another thread.  If you are utilize the custom experience for hostCheckerPolicy to map to a specific role for a pass and fail scenario, this issue would occur.  Since the SA is making the decision for the end user, no remediation page will be displayed.   I was able to get the remedation page to display if I mapped the user to the same role (both pass and fail).  In the pass role, host checker was required.  In the fail role, host checker was not required.  Since the end user is mapped to both roles, the SA will prompt with the remediation page which will give the end user a chance either to resolve the issue or continue which they will only be mapped to the failing role.  I hope this helps. ... View more

Hello szdayal, When you are generating the certificate signing request, you'll want to put the fully qualified domain name the clients or machines are using to connect to your SA box (for example, ive.acmegizmo.local). If you are not using a FQDN, you may need to contact rapidssl as I do not believe they issue out certificate for internal names. This would need to be discussed with the certificate authority. ... View more

I've tested this scenario in our lab and did confirm it does occur in 7.3.  After upgrading to latest 7.4 release (R6), this issue no longer occurs.  We are looking to see if the following changes can be backported to the 7.3 release. ... View more

Sorry for the mispost.  AVG 2014 should be supported in ESAP 2.4.6. https://download.juniper.net/software/ive/releases /esap/2.4.6/j-esap-2.4.6.pkg ... View more

This is possible in a hot/cold configuration. Since the leasing are time sensitive you will need to make sure you have a daily back up of the active license server so this can be easily import in the cold license server if a failover needs to occur. We have document this in the following know article: http://kb.pulsesecure.net/InfoCenter/index?page=conten t&id=KB22374&actp=search&viewlocale=en_US&searchid ... Feel free to provide any feedback if the document is unclear. ... View more

Yes, for pulse you can push connection to the Pulse client via the SA.  This allows the flexiblity to add and remove connections via the SA. In regards to the NC, the KB are correct and should update the url list via the stand alone NC application.  I do not believe there is a way to update the NC sign in list for the NC stand alone application when logging via a web browser. ... View more

We are currently discussing this issue with OPSWAT.  Once the issue is resolved, we will test ane merge this into our next ESAP release.  Once I receive confirmation, I will update this thread. ... View more

This may sound like a DNS setting issue.  If your run ipconfig /all when connected to the VPN tunnel, what are the dns setting that appear for the virtual adapter? ... View more

This version is not currently supported.  We are currently in discussion with OPSWAT to confirm when this will be avaliable. ... View more

The following KB are correct, but they only refer to the stand alone NC application.  If you are looking for a way to save the sign-in url after connecting via a web browser, I do not believe there is any way to do this.  The workflow between launching via the web browser and the standalone application use two different methods. ... View more