Pop source NAT on your firewall rule too to rule out any routing getting back to outside of your firewall. It sounds as though this is the likely cause. ... View more

Yes, the user will only need to authenticate once. Once they are in the auth table on the firewall all their access will be provisioned. If you use OAC or Pulse on their desktop they do not need to authenticate at all... Sam. JNCIS-FWV JNCIS-SEC JNCIS-SSL JNCIS-ER ... View more

No. Use Shrewsoft VPN (google it) to connect using IPSec to a netscreen. This works perfectly, though is not 'supported' by Juniper. Alternatively consider updating to a Junos Firewall, and use PULSE which is Juniper supported, or an SA series for SSL VPN. Regards, Sam. JNCIS-FWV JNCIS-SEC JNCIS-SSL JNCIS-ER ... View more

In the UI settings of the role, add a notification message. User's LDAP information can be extracted using userAttr.xxx where xxx is the variable you want to display. For example, userAttr.name will display the users name, userAttr.cn will display the user's container name (usually their full name) etc. There are lots and I can't remember all of them but that should get you on the right track. You can use the variables to display the users phone number, line manager, anything you have recorded in their user account in AD. For example: "Hello <userAttr.name" would display "Hello Sam" for me. Sam. JNCIS-SSL JNCIS-FWV JNCIS-ER JNCIS-SEC ... View more

You can run Pulse and NC on the same device, you just need two seperate roles. Sam. JNCIS-SSL JNCIS-FWV JNCIS-ER JNCIS-SEC ... View more

I doubt that this is supported but if they already have the hardware then no harm in trying. I believe that the only difference between the models is hardware, the software packages are the same, and since you can run NSM on your own hardware if you wish it shouldn't be a problem. Just obviously have the same software version on each, and you'll probibly have to reinstall so that the quick start wizard can add the neccessary to the config files. Sam. ... View more

I know what you mean, and I believe that it is a Windows fault, not anything to do with Juniper. We get the same thing with other applications too. If it really bothers them that much then configure the taskbar to hide the icon and notifications. Sam. ... View more

You'll need the Juniper installer service rather than the NC application itself otherwise users will not be able to conect when the software on the SA is upgraded. This software is available from the admin WebUI of the gateway you are connecting to under System > Installers. If your deployment is as large as you suggest, you should not have a problem getting to it, else you really need to change your suport contractor. Juniper do not permit software downloads without a valid support contract, so we cannot provide you with the software here. Sam. JNCIS-FWV JNCIS-SEC JNCIS-SSL JNCIS-ER ... View more

*Face Palm moment* I don't know why I didn't think of that! ... View more

Open SSL will output 2 files, the CSR and the KEY. Keep the key safe, send the CSR to your Certificate Authority. Your CA will send you the completed certificate back. Import the certificate, and the key that you kept safe into both SAs (they will be two seperate files) and voila. No need to install anything onto your linux server, it just creates the key and CSR. Cheers, Sam. ... View more

You need to import the certificate and key. If you created your cert on the first SA using a CSR then you will not be able to see your key and I do not believe that there is a way to recover it. You'll need a unix system with openSSL to generate a new key and CSR that you can import into both SAs. Sam. JNCIS-FWV JNCIS-SSL JNCIS-ER JNCIS-SEC ... View more

There is that, or what I do is have a group in AD for each of the roles, and the role mapping rules just map one group to one role. If a user needs to change roles they just get moved in AD. This has the added advantage for me that our first line support guys can make such modifications without touching the SA or IC. Sam. ... View more

Hi Charles, Rather than export their AD group membership, export their roles. Have identical roles on the IC. When they are imported into the IC they will be given the same roles as on the SA. Remeber that your enforcers need to be configured to provision the auth table "as required" to support IF-MAP. Sam. JNCIS-FWV JNCIS-SSL JNCIS-ER JNCIS-SEC ... View more

Are you running 64bit Gentoo? NC does not work on 64bit Linux. I had to run 32 bit with PAE. Sam. ... View more

Changing the node names within the cluster (as they appear in the clustering page, rather than the hostnames which are already covered in this thread) can only be done by recreating the cluster. Sam. JNCIS-SSL JNCIS-FWV JNCIS-SEC JNCIS-ER ... View more

Hi, I would only use extra realms for: - using a different auth server - Using different Host Checker Policies - Using different role mapping Otherwise they can be condensed. You can of course run one hostcheker policy to check different things on Macs vs Windows, just use the tabs in the hostchecker policy. HC is clever enough to only apply mac rules to a mac etc. Yes Macs can (and should) run antivirus, they currently have security by obscurity and that is changing as they grow in popularity. Granted it is more secure than windows it is far from perfect. Take a look at the below. http://www.theregister.co.uk/2008/12/02/apple_mac_av_advice/_ Hostchecker is far more basic for Mac and Linux, and can only check the existance (or non existance) of a file, a running process, or an open port. So it can only check for AV if you configure it manually. To check for AV I would point the Host Checker at the signatures file, and select the option 'file must have changed no more than x days' to check that the signatures are up to date. You're right, checking Safari is runing seems like a complete waste of time to me... It sounds as though the last admin was looking for a way to run hostchecker that would always pass - (s)he could have just disabled hostcheker for that realm. Cheers, Sam. JNCIS-FWV JNCIS-SSL JNCIS-ER JNCIS-SEC ... View more

Is windows 2k8 your client? I read it as your AD server the first time round. I believe that only the desktop editions of windows (xp, vista, 7) are fully supported and compatable. If you are using a server as your client, are you using it is a terminal server? If so NAC is no use at all to you. Sam. ... View more

Possibly you do not have all parts of pulse installed, only the minumum ones. You are probibly missing Host Checker which when you go in through the web will be performed before pulse is launched. Try re-installing pulse on the machine from the .exe on the installers page. Sam. ... View more

Hi, For single sign on you will need to use Odyssey rather than pulse. Pulse cannot SSO yet. Odyssey grabs the credentials that the user types into windows, so your AD system will be completely compatable. The Infranet controller will the automatically assign the resources, this can be to move the suer into a particular vlan, or to open up rules on a juniper firewall. No interaction from the suer is needed at any point. The best option for deployment is to create your odyssey settings on one computer, then the client lets you export the settings into an MSI. Use GPO in active directory, or a startup script to roll it out automatically, or users can browse to the Infranet Controller and it will download automatically, but this obviously involves users doing something which isn't ideal. Sam. ... View more

The SSG can provide a web page that the suer would have to browse to first, then once authenticated they would be able to access the system, but the SSG will not be able to goven what folder they access etc, nor will it allow the user to change their password. Either you would have to do that in the internal database, or you would need an authentication server such as RADIUS or Active Directory. To be honest it would be much easier to have the *nix based system do the authentication, and run a module whereby the user could change their password. Sam. ... View more

Try the ascii codes. ^i or ^k. No idea if it will work though... Sam. ... View more

That is probibly a rewriting problem. If the user is connectying over the internet to the SA, why can't they connect directly to gmail? gmail uses ssl too.... ... View more

In my case AD accounts, but where they are autnenticated against makes no difference, the settings are all within the role. Sam. ... View more

Finding User Entries: Base DN: dc=red,dc=company,dc=local Filter: samaccountname=<USER> Determining Group Membership: Base DN: dc=red,dc=company,dc=local Filter: cn=<GROUPNAME> Member attributeL member Make sure you tick "Authentication Required to search LDAP" and provide some working user credentials too. You should then see your groups. Sam. ... View more

Hi, Add your AD server as an LDAP server, rather than AD, this is much more flexible. Once done select the Server Catalogue at the bottom of the auth server page, and click search. You should see all the groups on your AD server. By selecting them you import the FQDNs into the SA, then you can use them for role mapping within a realm that uses the AD server for authentication. Sam. ... View more

For our guest admins we got them to login to the normal user page rather than the admin page. In their user role we selsected guest admin and when they login they get a specific user admin console. See the attached screenshot showing that they can see the user they have created. Sam. ... View more

Hi, You can only do this through rewriting I believe, so you would need the web app to not go through SAM. Without knowledge of your application I don't know if this is possible... Sam. ... View more

It sounds as though you might be missing an intermediate CA cert, just a thought though. Sam. ... View more