Got this response from Juniper Product Line Mgr. about SA4000 support. If you are still running X000 hardwareÐSA2000, SA4000, SA6000 (NOT including FIPS appliances)Ðyou will want to pay close attention to this one. Yesterday, 31 July 2011, is when the Last software engineering supportÓ was reached on these appliances Ñ 2 years after they were end-of-lifeÕd (EOLÕd). To put it in plain language, this means that whatever software is most current as of this milestone date is the cutoff for the software that will load and run on them. 7.1 is the most current version as of yesterday, so when 7.2 eventually ships it will not load on the X000 appliances. If you have been putting off the upgrades and missed the X500 platforms altogether (and good for you for eeking out nearly every bit of available road!), now would be a really good time to start considering an upgrade to the new Junos Pulse Gateway MAG appliances and the X600 series Common ACCESS licensing, perhaps even with the license server! Of course the X000 appliances will continue to be supported for several years (in accordance with the EOL announcement), but only up to the 7.1 software. ... View more

The link in your above release notes has the following in it that makes me think it is supported since it shows the SA4000. SA Hardware Requirements Service Package Version 7.2 is supported on the following SA platforms: Junos Pulse Secure Access Service 4000/6000-FIPS ... View more

Thanks for your reply. Is their any docs that can show this on the Juniper site ? ... View more

Had a few questions to add to this string. Are the SA4000's capable of upgrading to version 7.2 ? When will the last release of code updates be available for the SA4000 platforms ? Thanks, ... View more

No Problem ! Open the Customize button and checked off the "Custom Headers" option to add this feature to the IVE menu. We applied the resource https://<resource name>:*/* and allowed custom headers for this particuliar resource. The developers have not had any issues with this application since applying this policy. ... View more

Bam, did you get any replies on this. I have a similiar issue and wanted to know if you resolved this. Thanks, John ... View more

After applying this "Custom Header" policy we have not seen this issue any further in our testing. ... View more

This comes up when the rewrite engine is unable to read the headers. Was informed I needed to create a Custom Header policy to alleviate this problem. I am in the wait and see phase now. More testing needs to be done and will update outcome when available. ... View more

I know how the IVE works and the methods of collecting data from it, however the issue is not happening continuously and turning on Policy Traceing or Packet capture will eventually timeout since it cannot be turned on for extended periods of time. I was just told to create a Custom Header Policy for this issue and see if this helps our situation.I have been given a vague answer as to what WB-2 actually means, and no documantation of this error was sent to me at this time. ... View more

Also, The developers have tested this going direct (via our LAN) and have not seen the issue happen but then again it has only happened a few times anyway and would be hard to determine since the problem is sporadic. This app is strictly web based and we will not be using NC,JSAM,WSAM or PTP to proxy any of the content. ... View more

Hello, The Case # is 2010-0201-0701 I have not tried PTP since this error is not occurring often and they are not having any other issues within the app. When I spoke with the Juniper case owner they were not sure if this was even a Juniper message and were not able to let me know what exactly a WB-2 error is. If I knew what this error meant at least I would know what and where to look for any possible solutions. Whatever you can do to assist me on this would be appreciated. Thanks, John ... View more

I ended up defining Form Post with the previous config and defining the variables needed to access our apps. This thread stared with my posting for the use use of KCD and will most likely go with this once we upgrade our IVE's to that version of code. In your KCD deployment are you doing any Form Post with your apps ? ... View more

Note, there is a fw in between these resources and I have opened them internally for testing this access so nothing is being blocked. ... View more

I have setup the <USER> as you mentioned since they are the same and have setup the secondary auth server with the <Password[2]> This user is in AD and has been verified. I am getting the following when I do a Policy Trace: Authentication successful to auth server "RSA SecurID" - Getting directory information from auth server "authorization_RSA SecurID" - Retrieved directory information from auth server "authorization_RSA SecurID" - Generated secondary user name using template <USER>: "tch-515-test" - Generated secondary password using template <PASSWORD[2]>: "<hidden>" - Attempting to authenticate user "tch-515-test" with auth server "AD_SSO" -NTLogin(192.168.90.12, WEB\tch-515-test, WEB, iveuser, no, , yes, 1, 6, TEST IVE Computers) -Either username or password is empty. NTLogin done. -tch-515-test(RSA SecurID)[] - Sign-in rejected using auth server AD_SSO (Samba). Reason: ConnectError -tch-515-test(Admin Users)[.Administrators] - tch-515-hagen:RSA SecurID - Policy Tracing turned off I have setup a seperate realm to test the seconary authentication to the AD server directly and I get authenticated so I know the user is being validated in AD, I am at a point where the Secondary Auth is failing when it does the AD lookup it seems and cannot seem to figure out why. I have made some changes to the config on the IVE to no avail. Could it be the application itself not sending a response back to the IVE when credentials are bing passed ? Thanks ... View more

I have tried setting this up and get the following via a Policy Trace that is attached. Also, you mentioned " In the expression builder you can use [email protected]{AD_SSO} to perfrom the checks against the SSO user" is the [email protected][AD_SSO} referencing the NTLM ?? I have setup NTLM as per below placed ion my expression [email protected]{TEST_SSO} TEST_SSO WEB VARIABLE <USER[2]> <PASSWORD[2[> ... View more

dmw, I am now getting started to try and deploy this type of SSO scenario and had another question. The RSA auth that you use for Primary authentication I assume is setup fro the two factor auth and not passwords correct ? Also, the secondary auth server that you have defined via Kerberos AD. How do you handle a predicament where you have multiple AD servers that these users will be going to such as Devl, QC & Production environments ? Thanks for your input, Jhagdak ... View more

dmw, I will need to try that! I assume this setting you mentioned is under the SSO \ Windows Credential Policy ? Where was this information published ? ... View more

Was informed by Juniper that native RSA is not suppported, however in version 6.4 they offer KCD which allows for SSO with OTP compatibility. In the midst of defining this access method to allow two factor authentication directly to our applications and allow the SSO for our end users. ... View more

I have the same question ... View more