You may want to verify this. I've done something similar as a proof of concept. We have both IVEs and Netscalers in our environment. It has been a while so details are a bit sketchy, but if I remember correctly, it entailed seting up pasthrough proxy resource (with SSO) to the callback IP address of the Netscaler. We were able to access XenDesktop with no issues.   Definiely an odd set-up, but it worked.   ... View more

Couple of things... Check your NC ACL maybe? Also, are you accessing the severs via name or IP address, if by hostname, make sure your DNS settings are intact. Is the problem isolated to a particular role? Is RDP the only thing you're having a problem with? Have you tried creating a new NC profile? ... View more

One of my users attempting to log in to a 7.1R9 cluster reported the same problem. I reviewed release notes for 7.1R10, but unless I am missing something I didn't see a reference to this issue as being identified/fixed. Curious as to the status on this. ... View more

Just opened a ticket. I have 4 clusters with essentially an identical configuration. only the ones running 7.2R2 are showing these symptoms.. This is very odd. ... View more

Juniper may frown upon this approach, but it may work. In theory, it could work if you break the cluster on the 01 box without the changes being propagated to 02 So perhaps something like this? Export User.cfg and System.cfg on the 01 box (for later) Load balance all your users to the 02 appliance. Disable 01 node in the cluster. Temporarily disconnect your 01 appliance from the network. Connect directly to 01 from your machine (via xover maybe?) Delete cluster Upgrade code Connect appliance back to the network At this point 01 should function as a standalone appliance to allow you to test the new code. Once done, you can either roll back, then import the cfg file to restore your clustering, or just create a new cluster on the newly updated appliance and add the 02. Again, just a theory, but I think it would work. ... View more

You should be able to modify your existing policy. I ended up creating a new check to look for the msseces.exe, added it to my existing ESAP based AV policy, then changed the require option to either "Any of the above rules" or if you have additional rules you may want to apply, then use Custom and do something along these lines "allow=MSE-v4 OR Preferred-AntiVirus "....... This did the trick for me. I do wish Juniper would have proactively sent out an alert on this when the calls started pouring in. ... View more

We have a cluster of SA6000's and are using OCS for VOIP. We have a signifficant number of users telecommuting with no issues (with the exception of random NC disconnects after the recent code upgrade.) On occasion a performance problem is reported, but it is typically isolated to either a user workstation or their broadband connection. ... View more

This was actually taken from a one month old config, I suspect we're closer to 480 by now. Based on the reaction to the number of profiles I believe it confirms my suspicion that it may be a bit much :) As for the set up. These are base SA6000 appliances with no additional upgrades. Other than managing the cluster via NSM, given the number of resource profiles we are dealing with, I'm not sure what if anything can really be done to improve the performance of web interface. ... View more

Thanks for the advice. I will likely open a JTAC case in a day or two. As for the sync settings, though we are in fact synching user sessions, neither the logs nor favorites are being syncronized across the cluster members. I have also noticed the issue exists independent of the number of user sessions. I have a a lab cluster with the an identical configuration where I am experiencing the same problem. I cannot help but wonder whether the size of the configuration is a culprit. at my last count, i had 454 web resource profiles defined. ... View more

Unfortunately, the bulk of the users are connecting via the workstations which we don't control. Our biggest challenge is the desire to address all of this with no additional user interaction. Even if we had offered up an app for the users to manually execute, I suspect only half the users would actually do so. ... View more

Thank you all for the input. Looking at responses, most, if not all of these options have been explored.Given the size of our network, narrowing the range down from 10/8 would be a signifficant undertaking, and may not work in all cases as there will still be a risk of overlap. Since resources the users access on our network number in thousands, NAT would not be viable. We threw it out as an option, but people cringed :) Also since our users include everything from small office networks to large organizations, we cannot impose the address space they use internally. Ideally, I would like to see a host checker enhancement which could query the interface to determine the workstation's IP address, which would provide us with an option to automatically detect potential IP conflicts and map users to WSAM enabled role when this is encountered, but even if the enhancement request is accepted, it may take a while. Regards, D ... View more

Technically no, at least not that I'm aware of. As long as "log off on connect" is enabled, by virtue of logging a user off the workstation, while retaining the VPN tunnel, I believe the supplied credentials, rather than cached ones are used. At least this has been my observation. Someone please chime in if this isn't the case. As for the argument that this constitues double authentication. To an extent, I would agree. However, if you get to a point where you're considering using GINA, you'd be essentially doing the same thing. To me, this is a worthwhile alternative. ... View more

Instead of GINA, here's what I found works well, and helps accomplish more or less the same goal. We've disabled GINA for couple of our user roles, and had the end users enable the option (within their network connect client->tools->connections options) to log off on connect. If you have a user that needs to get their drive mappings, etc.. This option a allows a user to establish a VPN tunnel by logging in from their browser (or NC client itself.) Once session is established, the user is logged out of the workstation, yet the VPN session remains. User logs back in to the workstation, as well as the domain, and you get more or less the same functionality as you did with GINA. Granted, there's an extra step involved, but if it allows you to get rid of GINA, its well worth it. And since the user is actually logging in to the domain, instead of merely using cached credentials, they will get prompted if their password is set to expire, and will be able to change it. Regards, ... View more

What version of code are you running? Is this something which has worked prior to the upgrade, and then stopped? If you haven't already done so, I'd suggest sending a copy of your sign-in page to Entrust and have them examine it (hopefully they wont be too quick to point a finger at Juniper.) If I'm not mistaken, the more recent versions of code do allow you to set up a support meeting, so you may be able to set up a quick secure meeting, and show Entrust the exact problem you're seeing. Good luck. ... View more

I've had very limited luck modifying this page. We've not had much luck with approaching either RSA and Juniper regarding getting additional information/meaningfull examples of modifying the template. For the most part we kept it vanilla, except adding the log-in banner, and forcing it to open a browser window in a particular size. In retrospect, is has prompted us to also take a look at the RSA toolbar token. It looks promising, but seems to be lacking the flexibility, or rather configurability to make it work with the Juniper sign-in pages without having to manipulate the template. I'm actually very surprised that RSA does not allow you to customize the fields you want the toolbar to populate. Back to the SoftToken sign in template, I'll see if I can dig something up, but again, I'm not sure how useful it may be given how little we've done to it. ... View more

The choice between SAM and NC will vary based on what you're trying to accomplish, and how much administration you're willing to deal with. If your users need access to only a handful of resources on the network, and you can get away with using SAM, then that is your best bet. Just define what resources they have access to, and you're done. The only downsides are having to deal with managing the resources you're allowing via SAM, and the firewall policy you'll have in place. If you need to provide the remote users with "look and feel" of being on the network: log-in scripts for drive mapping, etc, then you're probably better off with Network Connect. It allows you to define a much broader access, and then control everything via the firewall policy. The downsides can depend on how you feel about split tunneling. By not allowing it, you will either have to deny users access to the internet, their resources.. etc, or be willing to absorb this traffic and allow it to traverse your network to get to the internet. If you plan on enabling GINA, then you have to take into account remote users who may be using their own workstations (they tend dislike GINA being loaded on their machines.) If you don't user GINA, you may still invoke their login scripts. The only drawback is that depending upon when their credentials expire, unless you are also using AD to authenticate them across the SSL, they will not be prompted to change them. I can go on, but I think those are the key points to consider when making a decision. Hopefully this helps. Regards, ... View more

I'm afraid you may have to stick with NC. I would be willing to bet if you review your firewall logs, you will see traffic from your video conference server attempting to hit the SA, though they are actually intended to reach the worksation which has initiated the original connection. I've experemented with several flavors of video conference solutions, all resulting in the same outcome; Network Connect. If someone managed to make it work via SAM, I'd love to hear details. ... View more

What kind of issues are you seeing? ... View more

Rob, You may want to take this with a grain of salt since I've not worked with an SA700. I have however deployed SA1000s to SA6000s. From what I know of IVE, you will be able to handle access to Sharepoint, as well as TS/RDP. I'm not too sure about Exchange though. If you're using OWA, the answer is yes. But, if you actually want to allow a user with an Outlook client to connect to an Exchange server, I think you will need to utilize either Secure Application Manager or Network Connect. Folks, please chime in if I'm mistaken. ... View more

From my recent conversation with the developers and business owners, the first scenario is probably not an option. It appears the extent to which they want to control "look & feel" also includes custom error messages which would guide the end user through resolving whatever authentication issue they may be having. I'm very curious about the second scenario. Up to now we've almost exclusively used either NC or SAM, so I've not had much exposure with regards to manipulating intermediation settings. How do I disable intermediation, while still utilizing core to provide access to this app.. Passthrough proxy, or am I way off? Thank you for the info. ... View more

Generally I'm not a fan of reviving old theads, but this seemed relevant. I've loaded 8.0R1 on my test cluster. As I was going through the host checker policy I found an option for Statement of Health based evaluation, which seems in line with what I had envisioned erlier. IC specific references aside, I cant seem to find any documentation for this functionality on the IVE. Curious if anyone has seen it and gotten it to work. ... View more