- Pulse Secure Community
- :
- About gamer004_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
gamer004_
Contributor
29
Posts
0
Kudos
2
Solutions
01-18-2013
05:22:AM
We have a SA-4500 crashing on a regular basis. Critical ERR24632 - [127.0.0.1] System Program rewrite-server recently failed. Trace info: (no debugging symbols found) Using host libthread_db library . Core was generated by `/home/builds/bld16339/install/bin/rewrite-server --dspar 6 55'. Program terminated with signal 6, Aborted. #0 0x219247a2 in ?? () " We don't know chicken-egg here: CPU100% -> Rewrite error or Rewrite Error --> CPU 100% Ideas anyone?
... View more
08-28-2012
07:31:AM
Thanks all for your answers. I was out on business trip + holiday, so could'nt reply sooner. Regards, Frank
... View more
07-13-2012
02:14:AM
We're running 7.2R2 on MAG 4610 cluster. When uploading the latest VMWare View client ( 31MB) error appears: "Client size should be less than 25 MB , Failed to upload VMware Client " When will Juniper address this error? Thanks.
... View more
07-13-2012
02:10:AM
Yes, thankyou. that would be great.
... View more
07-06-2012
02:53:AM
Hi, A customer of ours complains about the size of the debuglog.log file in the Public user profile folder. This because of profiles being copied from and to network drives. Is there a way to turn off this file completely? ( file is in %drive%\Users\Public\Juniper Networks\Logging ; Windows 7) You cannot turn off this file centrally ( System- Log/monitoring -ClientLogs-Settings). But, ofcourse you all knew this ;-) Thanks, Frank
... View more
03-25-2011
12:48:AM
Thankyou. Will certainly try this.
... View more
03-24-2011
12:13:PM
We're running SA's on 7.0R4 and 7.1R1.0. Several users that upgraded their Firefox from 3.6 to 4 complain they are unable to have software like the Setup software and HostChecker pushed to their clients. When they downgrade to 3.6 it is working again. So my advice: wait a while before upgrading your Firefox 3.x users to 4. Frank
... View more
07-09-2010
12:42:AM
Thanks. Will try that. File is in users docs&settings folder, so should be R/W access for restricted users.
... View more
07-06-2010
01:33:AM
Hi, Sometimes we have problems with users that have company PC's equipped with the Juniper Installer Service. They are using Network connect software that was installed with the use of JIS. When the NC software becomes corrupt for whatever reason, users are unable to deinstall the NC software because of their restricted rights. How can we enforce the re-installation of NC for JIS users? Thanks, Frank
... View more
06-29-2010
05:19:AM
VLAN option is available on all SA series ( except 700) as feature of the IVE OS for a couple of years now. You don't need IVS license for this. I'm not talking crap, been working with SA's since they we're still yellow ( Neoteris).
... View more
06-24-2010
05:41:AM
You need to use the native-vlan command on your Cisco to tell the switch in which VLAN it needs to put the untagged traffic from your internal interface. Suc6. Frank
... View more
04-01-2010
01:07:AM
Hi, Please note that IVE OS uses the untagged internal interface for box initiated traffic like SCP,Syslog, SNMP trap etc. We tried to have the OS changed on this item but received a clear no. Reply was that this behaviour was too deep in sourcecode to have changed.
... View more
07-01-2009
01:47:AM
Hi, check out this URL, it has helped me out once before with a similar problem: http://blogs.technet.com/askperf/archive/2007/08/24/terminal-server-and-printer-redirection.aspx
... View more
06-23-2009
05:11:AM
Take a look at Microsoft's service called Network Location Awareness (NLA). Google will tell you all about it..... We have a customer who combines his GPO Firewall policies with Network Connect and windows XP firewall. When an enduser is at home using the NC the XP firewall is updated with help of NLA. I'm not the expert on this ( not microsoft guru) so check it out if this pushed you into the right direction... regards, Frank
... View more
06-23-2009
02:01:AM
We use AM 6.x. The following items are important to check: 1. When working with a new IVE box or when you have deleted the sdconf.rec file on the IVE, go to the agent host entry in your AM and delete the "node secret created" checkbox. The first authentication session ( must be succesful) will generate a new shared secret between SA and RSA AM 2. Make sure the type of agent host in AM is "Communication Server" 3. AM likes DNS resolving. Make sure DNS resolving is set up. The AM does lookup for host. Create entry in your DNS or set up a local hostfile on your AM. 4. When you have multliple interfaces or NAT between AM and SA, make sure you configured the secondary nodes section. 5. Check any intermediate FW's between AM and IVE. There must be a rule for 5500-udp You can check the Activity Monitor on AM to see what's happening when you try to authenticate a user through the IVE. goodluck Frank
... View more
06-17-2009
07:48:AM
Take a look at Cacti ( http://www.cacti.net/ ). With simple periodical snmp walk you can create the best graphs. Templates for IVE are available.
... View more
06-17-2009
03:00:AM
The background on this behaviour is that Juniper added some of their already existing Instant Virtual Systems (IVS) license features to the IVE os. In IVS there is a so called root IVS. This root IVS is associated with the internal (untagged) interface.All customers are put in their own IVS ( and thus VLAN). So, when adding authentication servers that have ip addresses in a different VLAN than the internal interface, you have to specify a route that can actually leave the root IVS ( where you have defined the auth servers) to another IVS. That's what you're doing when adding a route in the internal routing table towards a VLAN. We have some IVS boxes, so when Juniper added the VLAN tagging option , I noticed that they actually implemented a sort of stripped IVS feature...
... View more
06-16-2009
02:45:PM
No , not just with roles. It should work with just a route in the routing table of the internal interface towards the VLAN in which the DC2 server is. Auth servers are adressed from within the internal (untagged) VLAN. So add route in internal interface routing table: <destination net DC2> <mask> <gateway in VLAN for DC2> <Interface VLAN DC2> We use this for example with our shared MSP RSA/ACE server in our shared services network while the customer uses their own AD for autorisation. We create a route in the internal interface's routing table towards the gateway of our MSP network using the VLAN interface that is routed on the MSP network. Goodluck.
... View more
06-15-2009
11:17:AM
Sounds pretty good... The only thing to remind is that services like SNMP,Time, Syslog,SFTP (Archiving) use the internal untagged port by default.You cannot select a VLAN interface for this traffic. This is by default. I already tried once by requesting a "feature request" @ Juniper to change this, but my request didn't make a chance. Buy a bigger box with management interface....( SA6500 series) All other services like authentication / autorisation servers can use a destination in an other VLAN by creating a route in the internal routing table and use the gateway in the appropriate VLAN. (select VLAN interface). Goodluck
... View more
06-12-2009
12:57:AM
Yes that's possible if you are running 6.3 or 6.4. You can create a VLAN under network-vlans en then assign this vlan under role-vlan/source ip. Please note that traffic leaving the internal interface is untagged by default ( traffic like SNMP,Syslog etc). This means the port on your switch must support dual mode ( Foundry) or native vlan ( Cisco) ( depending on your brand) which means the switch can put untagged traffic into a specific vlan.
... View more
06-11-2009
07:46:AM
The random characters are used as keying input to generate a random private key, so I'm not sure entering the same characters will result in exactly the same private key. By the way, most signing CA's accept a resign of a CSR when all provided information is exactly identical. So when you lose a private key ( a machine crashes) they sign you newly generated CSR again. The enddate of the cert will stay identical ofcourse.... you could check with your CA....
... View more
06-11-2009
07:29:AM
You should use the <Homedir> variable from the user settings in your AD. Setup an LDAP type AD server as an autorisation server.Match your <user> string to the samAccountname e.g. John or to userPrincipalName e.g. john@mynet.local Use \\<userAttr.homeDirectory>\ in your role under file access. So, when John's account in AD states his homedir is on \\server001\users\john the IVE will publish exactly this variable. Frank
... View more
06-11-2009
07:18:AM
When using NC in split tunneling mode checks these items: 1. Under network-Network connect specify the IP pool for remote clients. This ip pool should be unique on your internal network. 2. Route the NC pool on you internal network towards the internal interface of your IVE 3. Create a NC profile to use the NC IP pool 4. Specify for which internal networks NC will perform VPN ( this is split tunneling ; otherwise all traffic will be routed through VPN) 5. Create an access-list for this role under resource-pol-NC to allow traffic. Goodluck, Frank
... View more
06-11-2009
06:23:AM
The problem with generating a CSR on the IVE is that when you type random data, you're actually generating a private key. The public part is sent of to the CA. When the original CSR is missing, to my knowledge, your private key is also gone. What you could try: 1. If you have backup ( system.cfg or XML) try to restore. This will restore any pending CSR's as well. 2. Generate a new CSR on for example a Windows CA server. Use the same information as before and mark the private key as exportable. Have your CSR signed by the CA and import the certificate including the private key into your IVE. Goodluck. Frank
... View more
06-11-2009
05:13:AM
Hi , Can anyone help me with a basic plan with steps to take to set up KCD towards a Windows resource? Especially the service-list / SPN part on AD is new / unknown to me. I know setting up SPN's in combination with Microsoft IAG/UAG is a command line thing. Thanks in advance, Frank
... View more
06-11-2009
01:57:AM
As stated here: http://kb.pulsesecure.net/InfoCenter/index?page=conten t&id=KB19293&cat=ssl_vpn&actp=LIST&smlogin=true IE9 and also Firefox 4 would be supported in 7.1R2.0. Now that 71.R2.0 is released, I cannot find this support in the (old) supported platforms guide. So, is IE9 anf FF4 supported in this release or not? Thanks. Frank
... View more
06-11-2009
01:07:AM
By now I know that users can deinstall NC from the Preferences- Applications option on their personal page. This works fine.
... View more
06-11-2009
12:51:AM
We have a SA4500 cluster running with IVS license running on 6.5R5. We have customers in IVS using NC only. We have shared authentication server on out MSP network. Server can be accessed through the internal port . When we make internal port the default VLAN in IVS, the SA connects to the shared auth server with the internal ports IP address ( that's what we want). However, enduser NC traffic for the IVS also ends up in the internal port instead of the IVS ( Unwanted; seen with TCP dump). Published apps / services do not appear in internal port but in IVS(?). So issue only with NC, not with reverse proxy. when we make the IVS vlan the default vlan, the shared authentication server is accessed with the IVS ip address. This is an unwanted festure because than we have to perform NAT / routing for customer addresses on our MSP network. So bottom line: Is this NC traffic ending up in the internal port network when default VLAN is internal port a bug or by design? We think it is not implemented correctly. Ideas anyone?
... View more
06-11-2009
12:46:AM
To answer my own question ( we created a case for this a while ago). I hope this helps other IVS users with the same issue: You can set the default VLAN to the internal port . Use the VLAN select box in the role options of NC ( inside your IVS). Select the customer VLAN for the role, then it works. The MSP authentication traffic goes into the default VLAN (MSP) and the customer NC traffic goed into the IVS.
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
