- Pulse Secure Community
- :
- About ruc_
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
ruc_
Regular Contributor
249
Posts
1
Kudos
25
Solutions
08-06-2012
06:30:PM
@ plago: Yes it will upgrade that node and progress to every node automatically. The only way to not upgrade other nodes is by disabling them from cluster temporarily. @ red: If you pre-stage the exact same package version locally to each node and then initiate upgrade from one node then it will upgrade all nodes in the cluster by utilizing each nodes locally staged package rather than pushing it out to each nodes. In fact I would recommend this option to reduce the maintenance window by not having to wait for each node to push software packages over WAN links.
... View more
06-27-2012
09:16:PM
The SA/MAG series are for Remote access only. You should look at the SRX firewall to do site to site.
... View more
06-25-2012
05:55:AM
Its not clear if 1. your Radius return attribute is Class and the value 'OU=ALDAR' (in that case you can select Class from the drop down aption) (OR) 2. your Radius return attribute is Class OU and the value is ALDAR (in that case you will have to create a custom expression for role mapping. Similar to userAttr.Class OU = 'ALDAR') I think it should be # 1 however I can't say for sure based on the info in your post.
... View more
06-24-2012
07:57:PM
1 Kudo
I saw this on one of My Lab Virtual Machines when I upgraded it to 7.2R2 from 7.1R6. To fix it I had to go to the new 'Traffic Segregation' menu item and add the VLANs back under the 'Default Network' UI.
... View more
06-24-2012
07:50:PM
JQ, If you are using PRE Pulse 3.0/SA 7.2: To achieve the 'Auto Launch' experience similar to what end users have with NC (when signing in from a browser) you have to enable the following two config options 1. 'Auto-launch' (Under Role >> Network Connect/VPN Tunneling) 2. Under Junos Pulse >> Connections >> Connection is Established >> Automatically after user logs on However a side effect of config # 2 is that the Pulse client starts every time a user logs into windows. Some customers may not want this behavior. However In Pulse 3.0R1 (and upwards) this has been modified and config # 2 mentioned above is no longer required to achieve the 'Auto Launch' experience similar to NC. Config # 1 should be sufficient.
... View more
06-24-2012
06:34:PM
Assuming the Radius Server returns group information as part of the return attributes then on SA you need to create a Role mapping rule based on 'User Attribute' and rom drop select the attribute that will be returned by the Radius server. See screenshot for sample config
... View more
06-18-2012
08:38:PM
@bickyz wrote: I have a simple website hosted internally that provides some info about the organisation; this website doesn't require one to logon. Can this website be published via SA so that anyone can access it without having to login. The idea behind is to let public access the site without need to login but same time it comes through the SA so that it uses SSL certicate on the SA and traffic gets encrypted. Please correct me If I have misunderstood something. Based on you requirements above (i.e. no authentication, no access control and only needing a https connection) I would say accessing via SA is an overkill (technically it is possible). If you can install a SSL certificate on your webserver and directly publish it via the firewall then I would recommend that route.
... View more
06-04-2012
10:58:PM
This issue in 7.1r9 with the error "An error occurred while extracting one of the Network Connect components." will not occur on 7.2R2 ( is available for download on support site) and will also be fixed in 7.1R10 that is being scheduled. (please contact JTAC for the dates)
... View more
05-16-2012
07:15:PM
This issue should be fixed in 7.2R1 and higher. What release are you seeing it on and can you provide some more details on your endpoint policies config?
... View more
05-14-2012
09:22:PM
What is your actual IP pool defined in the connection profile and what IP address is assigned to the VPN adapter on the Vista once NC/Pulse is connected? From your description I'm seeing 2 different IP's Initially you mentioned the pool is: "connection profile - test-profile ip addresses 192.168.92-125-192.168.92.126 applies to role joe" And in your next post you mentioned that the VPN address is: "but not from the VPN address 192.168.126." *IF* your actual VPN adapter IP address is in a subnet that is different from the MAG SM-160 internal interface then the MAG will not proxy arp for the VPN adapter IP which means when the target/backend server responds those packets will not reach the MAG's internal interface. To workaround this you have to add static routes on your network such that any traffic for the NC IP pool is sent to the internal interface of the MAG SM 160 so it can send it back to the client machine over the tunnel. This issue and solution is described in detail in http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB23048 Note: The "network connect server ip address" parameter is internal to the MAG and is used to terminate the client tunnels. You will never see it being used when routing packets to backend, etc its only used internal within the MAG/SA device. The reason its configurable is this IP has to be unique on your network (does not have to be on any specific subnet, etc) so in the event 10.200.200.200 already exists on your network then you need to change the parameter, else there is no need to change.
... View more
04-30-2012
06:00:PM
I doubt that is the case as HC should allow any client with newer definitions than its own (it only blocks clients with older def versions). Do you have a cluster? And does the issue start immediately after a virus definition download by one of the SA nodes and goes away after the subsequent virus definition download?
... View more
04-30-2012
05:31:PM
NC ACL functionality will not be able to achieve what you need. You will need an external firewall for such ACL control. http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB20394
... View more
04-23-2012
10:50:PM
Reducing the Role level idle timeout value will help clean out the session from SA once users logoff/hibernate their PCs
... View more
04-23-2012
09:40:PM
by intentionally blocking the CRL server connectivity from SA (in my lab setup) I get the same client error message as you did (via browser). Below is the related log entry in SA event logs. Info ERR23059 2012-04-24 06:32:46 - certlab - [127.0.0.1] Root::System()[] - Error downloading CRL from 'http://xyz/CertEnroll/rootca.crl': Failed, couldn't connect to host
... View more
04-23-2012
09:34:PM
Your config is correct. Also the error message you are getting indicates that the actual machine certificate checks are happening but failing. You may want to open a JTAC case to get to the bottom. One other thing: The '3' in your error message indicates the check may be failing due to CRL related issues. Can you check your CRL settings and also check the SA event log for any CRL download failure messages?
... View more
01-26-2012
04:26:PM
They can be on different switches (different switches will provide greater redundancy so that would be better design than same switch)
... View more
01-22-2012
07:00:PM
The bonding on SA6500 is simple interface bonding. Its always in Active/Backup mode (failover mode only) and only one port will be active at any given time. The corresponding switch ports require no specific config (from bonding perspective) . The failover trigger is link level failures (i.e.. Carrier state)
... View more
01-10-2012
07:21:PM
When creating an Active Directory authentication server instance the choice between using LDAP interface and using native interface (Active Directory / WindowsNT) depends on each environment however I usually lean towards LDAP due to the following: 1. The LDAP interface is standards based: The advantage of this are a. Lesser chances of interpretability issues b. Easier to troubleshoot and isolate issues. c. Quicker support for newer versions (for example When Windows 2008 server was introduced the SA platforms supported the LDAP method from day one) 2. Higher degree of control with group lookup/role mapping: a. You can define where in the directory structure should group lookup start. (results in faster group lookup in very large directory structure) b. You can either chase a group and check if a user is a member of that group or chase a user and see which groups the user belongs to. c. You can leverage user attributes for role mapping 3. Better Password Management functionality (password complexity, advance password expiration notification)
... View more
12-04-2011
09:54:PM
NULL is right about the implications of a disconnected cluster node and the validity of full 1000 user license only for the grace period. BTW the grace period was increased to 10 days from 7.1r2 onwards.
... View more
11-30-2011
09:51:PM
4610 is a fixed chassis unit for SSL VPN or NAC (UAC) 4611 is a fixed chassis unit meant only for app. acceleration. http://www.juniper.net/us/en/products-services/security/mag-series/
... View more
11-29-2011
04:26:PM
Rickyrick, If you can wait for a couple more days then 7.1R5 is due and it will have an additional fix in Active Directory based authentication area (does not apply to LDAP). Like I mentioned in my previous response there could be different triggers that lead to the machine account going into an unusable state (which result in the noroles symptom) and 7.1R4.1 fixes a known trigger. 7.1R5 has a fix to yet another trigger that was recently discovered. If you have a JTAC case open they will be able to root cause your issue to one of those issues however given that 7.1R5 has both the fixes I would recommend using that for any AD role mapping issues..
... View more
11-21-2011
06:08:PM
Host Checker's Patch Assessment feature will be the best fit for this requirement.
... View more
10-26-2011
08:51:PM
Steve/Richard, The symptoms you describe (AD based Authentication works but AD based Authorization i.e. group lookup/role mapping fails) indicate that the Machine Account between SA and the Domain Controllers is in a state where it is not usable. Note that authentication will not require the machine account however authorization and password management will. That is why you see the "Login failed. Reason: NoRoles" issue which indicates authentication worked but authorization failed. The key to understanding the root cause is finding why the machine account goes into an unusable state. If you would like for JTAC to investigate the root cause before you upgrade I would recommend opening a case with the data requested in the attached pdf. Please note the pdf contians instructions to enable very detailed logging for AD and may have a slight impact on the system performance. Also note that the most important window will be the phase where the device goes from working to non-working state and it is important to capture logs close to the intial occurences of this issue else the logs will rollover. Another helpful log will be the event logs from the Domain Controller for the SA's machine account name.
... View more
08-17-2011
06:01:PM
As the 2 containers are at same level you cannot avoid using the least common denominator which in your case is Corp Users. Apart from the work around you mentioned other option is to create 2 auth servers and have end user select either a Permanent Or Contractor realm.
... View more
07-12-2011
01:28:AM
When I open the tcpdump named "SA4500 capture on untagged inside interface with Staff role mapping to STAFF VLAN.cap" and use the filter tcp.port==80_ then I see packets with source IP 10.240.100.51 which according to the screenshot attached is the IP of your VLAN named STAFF. So it seems to be sourcing from the VLAN as configured in the role. Or am I misreading the IP's used in your setup?
... View more
05-09-2011
07:09:PM
Enabling persistent session cookie can cause issues if users don't explicitly logout. Below is a snip from KB19908 http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB19908 Workaround: If the user's session cookie is made persistent, then applications may forward the cookie when sending the request to SA and this problem may not occur. However setting a user session cookie as persistent may have undesirable side effects such as leaving user sessions open if they do not logout gracefully. So please refer to the SA admin guide before you make these changes. Admin UI > User Roles > Select the Specific Role > General > Session Options > Persistent Session > Enabled
... View more
05-09-2011
06:59:PM
Can you have the end user try https://server-name rather than http://server-name I have not researched *all possible* causes that lead to this error. However one of the cause for this message was an issue in NC MAC client where it would not get redirected to https:// if end-user mistakenly used http:// This issue has been fixed in 7.0R4/7.1R1 and higher releases.
... View more
05-05-2011
09:57:PM
The message " exceeds maximum fragment 100000 " seems to indicate that its hitting a limit. This might be related to large number of HC policies (like check for *all* supported AVs, Firewall, etc) Does it work if you reduce the number the HC policies? In either case I would recommend opening a JTAC case for this.
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
