- Pulse Secure Community
- :
- About dcvers_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
dcvers_
Regular Contributor
196
Posts
1
Kudos
11
Solutions
07-25-2014
04:50:AM
You can put the user ID in the certificate as an entry in the Subject Alternative Name field. If requesting it manuall the syntax would be: san:upn=userID@domain It is also be possible to configure the AD certificate server to add it automatically using templates (don't know the details of how as this is not may area). However, depending upon how the internal resource authenticate this may not help. If they authenticate based on the certificate then it will work of if they just check AD group memberhsip of the passed user ID it may work. But if they require ID and password it won't.
... View more
07-09-2014
07:31:AM
This is an old KB on CTS load issues that may or may not help. http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB18241&smlogin=true For you it could be in the Intranet zone the site is automatically "Trusted".
... View more
04-23-2014
07:18:AM
The code that adds the prompts and input box to the page starts with <% FOREACH prompt = prompts %>. To hide the prompts you would need to look at modifying this. You can identify the iteration for a particular prompt using a statement like <% IF prompt.promptText == "TBD" %> You could try just skipping the code that adds the label and input box for the prompts you want to hide but I have a feeling this may upset the box so you may be best just setting them to hidden.
... View more
04-22-2014
05:27:AM
The labels are stored in the prompts array. To modify them add code like the following to loginpage.thtml <% FOREACH prompt = prompts %> <%IF prompt.promptText == "username" %> <% SET prompt.promptText = "Username 1" %> <%ELSIF prompt.promptText == "password" %> <% SET prompt.promptText = "Password 1" %> <%ELSIF prompt.promptText == "Additional username" %> <% SET prompt.promptText = "Username 2" %> <%ELSIF prompt.promptText == "Additional password" %> <% SET prompt.promptText = "Password 2" %> <% ELSE %> <% END %> <% END %>
... View more
04-08-2014
06:17:AM
I don't think there is anything in the logs but if you go to the Authentication server and look at the user list the "Agent" column will show the browser string (which usually includes info about the OS) or Pulse version + OS.
... View more
03-27-2014
07:38:AM
I never found a solution or root cause but we did find it was only happening if the user tried to connect from the internal LAN (so via our proxy). When they connected externally the upgrade worked without any problems. It was mainly IT guys doing it this way so we decided to go ahead anyway but make sure the helpdesks knew the workaround (only upgrade externally).
... View more
02-17-2014
05:59:AM
The fact you hit your home router on the first hop for the unreachable sites suggests the traffic is not being routed over the VPN connection. Check the split tunneling resource policy is allowing all the site subnets.
... View more
01-28-2014
03:03:AM
We are piloting an upgrade from 7.10R10 to 7.4R8 and a number of users have reported the following error when they click on Upgrade for the Pulse client: "System Error Please Sign in and try again" (screenshot below) I've found a few KBs about a similar message saying failed download message but nothing the same as the above. During my testing I tested the upgrade many times on different machines with different IDs but never saw this message. Any ideas what might be causing it?
... View more
01-14-2014
07:34:AM
It could be the local configuration file C:\Program Files\Common Files\Juniper Networks\connstore.dat is not getting updated because Pulse is not recognizing it as an older version of the appliance configuration. Check out this thread for some hints on what to check https://forums.pulsesecure.net/topic/pulse-connect-secure/196417-pulse-connection-configuration-file#M18423
... View more
11-01-2013
07:04:AM
Is there any way to force an upgrade of Pulse when the user connects to an upgraded appliance without giving them the option to cancel it? Ideally the upgrade would be done automatically without any user interaction required. Upgrading from 7.1R10 to 7.4Rx
... View more
10-08-2013
08:32:AM
You should be able to set up an Authorisation Only sign-in policy (and associated role and resource policy) to enable access to the internal URL needed during login. You can tie down which URLs are accessible with the resource policy but remember anything allowed can be access unauthenticated.
... View more
09-09-2013
01:15:AM
We currently have an SBR providing RADIUS authentication for our Wireless LAN. Next year I hope to do a project to replace this but I need to workout some rough cost for the budget. As a result of an upgrade of our VPN later this year I may have a couple of spare SM160 modules in out MAG chassis so I am considering changing their identity to IC and using then as a platform for the RADIUS. What is not 100% clear is what licenses I need to do this. Would it just be a MAGX600-RADIUS-SERVER or would I also need some user/concurrent connections licenses?
... View more
07-29-2013
03:30:AM
Here are the additional "common" URLs we had to add allow access to our sharepoint 2010 teams sites: http://sitename.company.com:80/_layouts/* http://sitename.company.com:80/WebResource.axd?* http://sitename.company.com:80/Style Library/* http://sitename.company.com:80/ScriptResource.axd?*
... View more
07-19-2013
05:09:AM
I can't think of a simpler way. Both options are valid so I think its more down to which one you prefer. For me a downside of using the restriction on the role is it is when looking at the role mappings page you wouldn't know about it unless you drilled down into the role.
... View more
07-18-2013
07:16:AM
You would need to use a Custom Expression to build the conditions for the role mappings. You can combine different types such as group lookups and Host Checks using local operators, e.g.: group.GROUPNAME AND hostCheckerPolicy = "HCPolicy" group.GROUPNAME AND ! hostCheckerPolicy = "HCPolicy" On the role mapping change Rules Based on to "Custom Expression", click Update and then the Expressions button will be displayed. Click this and then get a box where you can build the required expression.
... View more
07-10-2013
05:47:AM
You might be able to do this using two realms and the Source IP authentication policy. I've not tested this but the following may work On the realm you want Host checker set the Source IP policy to deny access if the source IP is in the subnet On the realm you don't want host checker set the Source IP policy to allow if the source IP is in the subnet Assign both realms to the sign-in policy (URL) When multiple realms are assigned to a sign-in policy if you don't meet the polices they are not listed (if there is only one valid one then this is used by default). So if I have my logic correct users on the required network are only allowed to use the non-host checker realm and people not in the required network are only allowed to use the host checker realm
... View more
07-01-2013
03:02:AM
Thanks for the answers. A couple of additional questions: 1. Does the licensing server have to be the on the same version as the members appliances? 2. Do all the members need to be on the same version, e.g. when doing an upgrade could be upgrade on box first then others at a later dates (assuming they are not clustered)? 3. Is there a mechanism to transfer licenses to a new licensing server, e.g. when the current box is End of Life?
... View more
06-28-2013
06:16:AM
We are considering moving from locally installed licenses to a license server set up and I just want to be sure I understand a few things correctly.Today we have an Active/Passive Cluster with 350 licenses in each box giving us a total of 700 licenses. 1. Am I correct in thinking each box can surrender its 350 existing licenses to the new licensing server and then 700 licenses will be available to any appliance registered to the licensing server? 2. For the surrendered licenses are there any restrictions on which type of hardware can use then? For example, today the cluster is build with MAG-SM160 but in the future we may upgrade to MAG-SM360 to increase capacity. In this case could the MAG-SM360s use the licenses surrendered by the SM160s'? 3. Are meeting licenses (e.g.. ACCESSX600-MTG-25U) also managed by the licensing server or do we still need locally installed licenses? 4. Am I correct in thinking each appliance will still need it's own ICE licenses? Version: 7.1R10
... View more
06-24-2013
03:13:AM
My boss is asking me for EOL dates for the MAG chassis and service modules. I had a look on the EOL page but can't see any statements for MAG hardware. Does anyone know if any announcements have been made for the MAG hardware and if so where I can find this information.
... View more
06-24-2013
03:10:AM
I've found the cause of the issue. Basically what I'd done was taken the exported configuration file and deleted the line with he location awareness configuration and used this in our deployment package. The issue was that the version number of this file matched that of the configuration the boxes so Pulse didn't update it. We have duplicate configurations for our different AD domains and for one the Pulse configuration had been "touched" after the export so its version number was different and so Pulse did pull down the full configuration. In the other domains people who were working had had other issues so we'd refresh the connection by deleting the connection installed by the package and then login in via a web browser to pull down the connection (this pulled down the full configuration including the location awareness). So to fix it for every one we just need to touch all the connection configurations to update the version number of the box. Thanks for all the help on this it certainly pointed me in the right direction to find the fix.
... View more
06-12-2013
05:08:AM
Hello Kita, I don't think it is a configuraiton issue at the SA end as the same configuration is working for most people. Which is why I am digging into the local files. I was hoping to take the configuration files from a user having the problem remove the user setting and copy it to my machine to test but it keeps restroing my configuration As some background. We are going to migrate from Network Conenct to Pulse so we have created a package the pre-deploys Pulse with a configuration with Location Awareness off but mapping roles associatd with a connection set with it turned on. This means the the first time they manually connected the configuration gets updated. For 95% of pilot users this worked but for a handful it failed.
... View more
06-11-2013
08:40:AM
Does anyone know where the information to create the C:\Program Files\Common Files\Juniper Networks\connstore.dat file comes from for a particular user? If I delete it and the .bak file it gets recreated with all the old settings next time I start Pulse. I'm troubleshooting a Location Awareness issue some users are experiencing and for these users file is missing the "connection-policy:" setting and the settings don't seem to get updated when they connect to the appliance so I would like to understand where the data may be stored locally.
... View more
04-23-2013
05:27:AM
We are rolling out Pulse and have a user who has his Windows display language set to English but the Pulse client is showing in German. I've done some testing on my machine and changing the Windows display language does update the language as expect. Any ideas where else could Pulse be picking up the language settings? The user is based in Switzerland so his machine may have originally been build in German but was changed to English before Pulse was installed. Pulse: 2.14.20595 SA 7.1R10
... View more
03-21-2013
02:17:AM
Hello Kita, It's immediately rejecting the authentication and not even extracting the user name from the certificate so a policy trace is no use. Also to be clear the same certificate works on one realm but not on another even though they are configured with the same Authentication server. However, after looking at the xml exports again I have now found a difference. For the realms where it works in the <certificate> section the <customized> value is set to: allow-all-users In the admin portal the setting shows as: Only allow users with a client-side certificate signed by Trusted Client CAs to sign inÓ. For the other realms where it does not work in the xml export the <customized> value is set to: require-client-cert In the portal again the setting shown as: Only allow users with a client-side certificate signed by Trusted Client CAs to sign inÓ. I did some testing on my test box and even if the xml setting is "allow-all-users" it works correctly, i.e. it only allows clients with a valid certificate from one of the trusted CAs and the required attributes. So it appears the value shown in the admin portal is the correct one but whatever it is picking up to fill in the xml is causing the issue. I was able to fix the issue by editing the xml export to have the <customized> value is set to: allow-all-users and then re-importing.
... View more
03-20-2013
09:44:AM
We are setting up some new realms that will use certificate based authentication. They all use the same certificate Auth server but have different Directory/Attribute servers and use different groups lookups in the role mappings. Other than that they are essentially identical. If I connect to one realm I get a failed authentication. Log message: "Login failed. Reason: WrongCert" If I connect to another realm with the same certificate I get authenticated without any issue. On the production box 1 out of 4 is working and in my test lab 2 out of 4 work. But not the same ones. I did an xml export of the config and as far as I can see everything is configured the same for each realm. Any ideas? Version 7.1R10
... View more
02-26-2013
05:56:AM
We will shortly be moving from Network Connect to Pulse and are working with our SCCM packaging team to create a package to deploy the Pulse client with the configuration pointing to our boxes. Everything works until Pulse starts at the end of the install at which point we get an "Interactive Services Detection" message from Windows saying a program is trying to display a message. The project is Pulse and it seems to be the Splash screen it's trying to show. Running the package manually from a command line works without any problem so we suspect it is an issue the user package runs as. Anyone know how to get round this or a parameter in the installer to stop Pulse running immediately after the install? Pulse Version: 2.1.4.20595 Command using to install: msiexec.exe /i JunosPulse.x86.msi CONFIGFILE=%CD%\Pulse.jnprpreconfig ADDLOCAL=PulseNC,NCTNCClientPlugin /l*v "%windir%\Logs\JunosPulse_Install.log" /qn
... View more
02-07-2013
07:14:AM
FYI: What you installed originally is the background installer service that allows things like Network Connect to download and install without local admin rights when you connect to the VPN via a web browser. In this case if Network Connect has been configure to auto launch there should be no need to manually install it.
... View more
01-28-2013
08:30:AM
You can sometimes see this if you have Roaming Sessions disabled and the ISP is having an issue that is causing them to refresh use IPs at regular intervals. If this is the case you should be able to see the session drop messages in the logs.
... View more
12-06-2012
08:49:AM
If you are using Web rewriting then it is the Juniper appliance that connects to the internal web sites and so it is the appliance that has to trust the CA that issues the internal sites certificates. As you have added the CAs certificate to the Trusted Server list on the appliance this is why you no longer see the warning.
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
