That is the default setting, however you can easily change. Below is from the helper text in the UI (admin guide should have more details):   "The additional credentials can be specified by the user on the sign-in page (the labels for these inputs are specified by the sign-in page), or they can be pre-defined below, in which case the user will not be prompted for the credential" ... View more

The current design allows for dual authentication servers (under realm you have to select the option 'Additional authentication server') however it does not allow for a fallback (try first auth sever and if it fails try secondary) the way your use case requires. One workaround is to use custom sign-in pages and 2 realms (one with each auth server) Using custom sign-in pages framework you can customise the login page to trap error message for invalid login from first realm and then redirect browser to the second realm sign-in page.   http://www.juniper.net/techpubs/en_US/sa8.0/information-products/topic-collections/security-access-custom-sign-in-pages-developer-reference-8-0-5-0.pdf   ... View more

Note that option # 1 is a light-weight rewriter. The access method is named passthrough proxy which creates an impression that it is a proxy related solution which is not the case.   http://www.juniper.net/techpubs/software/ive/guides/howtos/How_To__PTP.pdf   ... View more

Those rewriting policies control what the rewrite engine rewrites as response to a user's request.   For example: A webpage is hosted @ http://www.foo.com/home.html and home.html page contains script tags like what you have in your example. Now to not rewrite those script tags the selective-rewrite policy should be: resource=http://www.foo.com/home.html action=Dont-rewrite   This will ensure the script tage dont get rewritten. However the side effect is that all content and URLs in home.html page will not be rewritten (as the rewrite engine was instructed to do so by the above selective rewrite policy). I suspect this will not work for you.   A couple of options you can try: 1. Access the application through Pass through Proxy option (and dont select the option rewrite external links)  Or 2. Introduce a web proxy in the network that has access to these external links and add policies on SA to access the external links through the web proxy ... View more

From the JSA @ http://kb.pulsesecure.net/InfoCenter/index?page=content&id=JSA10646   "The issue exists within a web page that is only accessible by an authenticated user session."   One of the deployments that won't be impacted by above is a pure Junos Pulse client deployment (A typical pure pulse client deployment does not involve the use of a browser by the end user and such cross site scripting issues don't impact)   ... View more

Sure. Assuming your SA/MAG physcial internal interface has ip 192.168.10.100 (/24) and your VLAN interface on SA/MAG has IP 172.27.10.5 (/24) and the AD server is at 172.27.10.6 then:   1. On SA/MAG add a route to internal interface route table: Destination = 172.27.10.6 mask: 32 bit Gateway: 172.27.10.1 Interface: Select the VLAN interface   2. On your AD server and all intermediate Hops add routes that sends traffic for 192.168.10.100 back to 172.27.10.1 gateway and an entry on that gateway to send this traffic to SA VLAN interface 172.27.10.5.   #2 above is because SA/MAG will still source traffic from internal port IP address, the only thing #1 does is changes the outgoing interface on SA/MAG for 172.27.10.6 traffic.       ... View more

The easiest and cleanest option is to use Radius if the SMS auth app supports standard Radius (so SA will be a Radius Client and your App/Backend the Radius Server)   Other options: 1. If your app supports SAML then it can become the identity provider and  SA the consumer (service provider). This will be  a SSO type intergation.  ... View more

When you access Sharepoint does the URL have a 'danainfo' in its string? If yes then you are accessing sharepoint using Juniper's Content Intermediation Engine (aka Rewriter).   The rewrite engine does strip non-standard http headers before forwarding your browser's http request to a backend server. This behaviour can be changed by the sysadmin. The config option "Allow Custom Headers" is under Resource Policies > Web > Custom Headers. ... View more

>>For an LDAP auth server, does it cache the imported groups or is each query done in real time?   There is no caching of a user's group membership. The query is executed each time Authorization needs to be done (each login).   Having said that, in a LDAP auth server case, when a role mapping rules based on 'Group Membership' is created the rule uses the Group's DN as the main identifier. If a group is moved its DN will change. And the SA role mapping rule will have to be recreated else the SA will use the previous DN.   If I were to take a guess without looking at your config this changed group DN might the reason authorization failed in your case. If you look at a tcpdump and Policy trace you will be able to verify this.   Hope it helps. ... View more

Not sure what the end goal is but the piece you refer above is possible. The login presented by MAG is essentially a HTML form. So if this remote page can collect user credentails and do a  form post to the Juniper login page cgi then it should be doable.   Note that the MAG device implements a lot of business logic using redirects, cookies, etc. So it important that the customization not break any of this logic by ignoring redirects, cookies, etc that would normnally be set if the user directly logged in.  ... View more

fyi - App Version: 5.0.5.46479 with fix for this issue has been posted on Apple App Store. ... View more

This can be fixed by upgrading the SSL VPN gateway device or using the workaround of Exception Site list, both these options are desribed in http://kb.pulsesecure.net/InfoCenter/index?page=content&id=kb28704 ... View more

Glad it working in your network now. Was it the return route? ... View more

Yes a static route on internal interface routing table will force traffic destined to 192.168.10.0 through VLAN port (i.e. traffic will be tagged and sent). However the source-ip of these packets will be 192.168.1.5 (hence the need for return route on AD backend server)   To verify if packets are going out via VLAN interface please capture packets either on switch or on the backend AD server. The tcpdump on MAG records packets before the VLAN tagging happens so you wont see the VLAN tags on captures taken directly on SA.   I have tested this in my lab (a few months ago) and this has worked. ... View more

So you want to send traffic to '192.168.1.5' over the VLAN port/interface?   The VLAN options on MAG are currently limited to sending user traffic to backend servers and not meant for authentication or system traffic. (User traffic can be sent via a VLAN by using the Role level -> Source IP option). The only crude workaround for your requirement is to add a static route like you did on the MAG internal interface route table and then add a static route (return route) on the 192.168.1.5 device directing it to send traffic from internal interface IP to the VLAN interface.  ... View more

That URL pattern seems to indicate that the connection attempt was from a client component like NC or WSAM. Most probably a result of client component attempting to connect/send data but the session-id being used was timed-out or invalid on the server.   As mentioned before this should be of no concern. The only reason this message is logged is for people that want to track if too many unauthenticated requests are being sent to the device.     ... View more

Iewisra, Does the issue stop if you access the backend RDP server using IP rather than hostname? In that case this could be the same issue as described in http://kb.pulsesecure.net/InfoCenter/index?page=content&id=kb28418   ... View more

1. Yes Client Certificate based auth is supported. 2. Unfortunately at this time the user-agent string is the same on Windows RT and Windows Pro platforms. 3. And using slash (i.e) URL rather than hostname/ip  is not supported through the UI. However you could use the PowerShell script option described in the doc and use the URI parameter as a workaround.  ... View more

This might help:   http://www.juniper.net/techpubs/software/pulse/guides/j-pulse-windows-inbox-client-qsg.pdf   ... View more

JH,   The Active-X based issues on IE 11 (on windows 8.1) will be fixed in 7.4R6 as mentioned in the KB.   The issue with Java prompts that appear since Java 7 update 45 (independent of Windows 8.1) is being worked upon. I don't have an ETA for this issue as yet. If you report it to JTAC they should be able to track the release that will have the fix for you. Or If I find out before that will certainly share with the forum. ... View more

Does this help?   http://kb.pulsesecure.net/InfoCenter/index?page=content&id=kb28018     ... View more

They are both different.   The internal VIP is primarily to allow end users to sign-in (especially for one arm config and for deployments that have end users on both sides i.e the external DMZ and internal)   The VLAN and all virtual ports under VLAN are mainly to allow outgoing traffic (user traffic to backend resources) to be sourced  via a specific VLAN interface. ... View more

It will depend on the access mechanism you choose.   If you use pure L3 VPN style access mechanism then 1 realm, 2 roles and 2 'VPN Tunneling Connection profiles' will suffice as for L3 VPN the SA preserves the source IP that was assigned to the tunnel interface (Note: 1 realm will suffice assuming your authentication server can return an attribute that allows the SSL VPN gateway to map staff/student to the appropriate role)   However if you use any other access method like web(rewrite), File browsing, Secure Application Manager (SAM ), etc then this will get very tricky as by default the SSL VPN gateway sources traffic for all these access methods using its internal interface IP. You could over-ride the default behaviour by using the role level option called Source IP. However that was designed to be used on a per role basis rather than per user basis. Which is why in your use case it will be tricky (i.e. will need one role per user) ... View more

If you plan on reusing the pre-configured default Admin Realm then:   1. Define the NPS server as a Radius Auth server under the Auth Server Menu 2. Under Admin Realms Menu select the Admin Users Realm and change the Autentication server to the NPS server instance defined in step1 and save changes. 3. Then go to the role mapping tab  and create a new Rule based on User Attribute and select the attribute which the NPS server will send  with group membership info.   Note: If you are changing the pre-configured default Admin Realm then its better to have serial console access in case you lock yourself out ... View more

From the error message it seems like the SA did not assign any find any realms/roles. What do the user access logs on the SA say?   Also this article might apply if you are using HC  http://kb.pulsesecure.net/InfoCenter/index?page=content&id=kb23412 ... View more