- Pulse Secure Community
- :
- About Darktan_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
Darktan_
Contributor
29
Posts
0
Kudos
0
Solutions
01-18-2011
01:01:PM
So this weekend my Juniper was upgraded to version 7.0R2 from 6.4R1. The upgrade went fine (thank $diety) but I have another issue. None of the realms are implementing Cache Cleaner. I have several policies for each realm due to logistics. If you pass one, you get into the realm. Now the problem is after the upgrade no one was prompted to upgrade the Cache Cleaner. The NC, yes. And it doesn't look like it's running on the realms that it should. Looking at the User Authentication Realm>$Realm>Authentication Policy>Host Checker I see all my policies plus a new one called 'Cache Cleaner Policy' that I do not remember creating and can't find in the policy list. Is this the new way to enforce the Cache Cleaner at the realm level? If so, it is set to Require and Enforce but the Cache Cleaner is still not running. Also, I do have the global settings under Endpoint Security set. The other thing is I allow access to the realm when one of the policies pass. This means all my antivirus and security checks are worthless because as soon as the Cache Cleaner is installed, they pass that policy and get in. Unless I'm reading it wrong. Anyone have any suggestions or advice?
... View more
01-14-2011
07:27:AM
Found the answer. I was given the 32 bit version of NC by accident. The 64 bit should work and is supposed to be supported.
... View more
01-14-2011
06:54:AM
Hello everyone. I thought I would ask here while I start looking for the answer myself. We are about to upgrade our SA to a newer version as part of the steps to cluster it with another one.I just got a copy of the new NC version and tried to install it on my laptop. I received a 24047 error about it being an unsupported OS. I can't imagine that W7 64bit is unsupported but I haven't found anything to the contrary. The issue is this is a show stopper if we go ahead as we have W7 machines in the field and they won't be able to upgrade from the device. So is NC 7 supported on W7 64 bit? Or do I have to do something to get the OS check to skip? Thank you for the help
... View more
07-13-2010
06:20:AM
We've started to see something similar but this is due to the Cache Cleaner being enabled. Our timeouts are set to 2 hours but the maximum time on the Cache Cleaner is 60 minutes. So the idle time of the Cache Cleaner hits before the NC timeout. I've asked around if this configuration is correct or how to change it, but no one has responded.
... View more
07-13-2010
06:14:AM
Though I agree with the other two that connecting a DC to a VPN is a bad practice one of the issues might be UAC. Turn it off. I've had other issues with software installations on 2008 that were due to UAC being turned on even logged in as the admin.
... View more
07-13-2010
06:09:AM
A possible answer.... The issue is with Kerberos authentication using UDP. The packets for UDP are of such a size that they have to be fragmented when sending them through the VPN. If the packets are received out of order, the packets will be dropped. This leads to not being authenticated to the Active Directory and means that you will be denied access to your mailbox. The many factors that created this are user factors and equipment at the location. Hotel or public wifi equipment could have any number of things that slow transfers or add to packet size including other tunnels that the traffic uses within its own network. Also various factors for the user including SID history, group membership and other factors can result in having larger Kerberos authentication packet sizes. The solution is a simple registry change to force Kerberos to use TCP instead of UDP in Windows. It requires a change or additional key and then a reboot. 1. Start Registry Editor. 2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters Note If the Parameters key does not exist, create it now. 3. On the Edit menu, point to New, and then click DWORD Value. 4. Type MaxPacketSize, and then press ENTER. 5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK. 6. Quit Registry Editor. 7. Restart your computer. The full article can be found here. http://support.microsoft.com/kb/244474
... View more
04-30-2010
06:24:AM
Does anyone have any insight to this? I can go back and say because of the new Cache Cleaner the timeouts have now changed, but managment (and the users) aren't going to like it. In a perfect world, I'd like to have a 2 hour idle and 12 hour session limit and have the Cache Cleaner only run at login and log off. Is that even possible?
... View more
04-23-2010
08:00:AM
Zombie thread... So after months of other projects I've finally gotten back to the VPN. We've started implementing the Cache Cleaner on our realms. I have one realm live with the changes and another 2 ready to go next week. I had a group of testers using the my test realm with no issues. Now with the one realm live and more people on it, I'm starting to see some disconnects. I'm wondering if anyone would double check my numbers to make sure everything is right. What we are aiming for are the timeout settings for the Role. What I want the Cache Cleaner to do is to give the user a clean slate on startup to the IVE. I've been getting reports that users are getting kicked off after an hour and not the 2 hour idle limit. And sometimes in the middle of things. Role Settings: Idle Timeout - 120 min Max Session - 720 min Reminder - 30 min Idle timeout application activity - disabled Cache Cleaner (under Endpoint Security) Cleaner Frequency - 15 min Status Update - 60 min Client side process - 60 min Realm Settings: Cache Cleaner - Load and enforce Any help would be greatly appreciated.
... View more
03-03-2010
05:42:AM
That's a possibility I hadn't thought of. The issue I'm trying to avoid is our desktop support is outsourced to another company and in about 3 months, their contract ends and they get kicked to the curb. Consequently, they are a little sluggish to actually help out. So if I can drag it out for a while, then it becomes a problem that I can finally get my hands around it.
... View more
02-25-2010
10:25:AM
I can't seem to wrap my head around this one. Maybe it's the cold medicine. Personally I can't wait for spring.... We ran into an issue with Outlook clients on our VPN and I figured out it was the kerboros authentication that was failng over UDP. Switching to TCP resolves it just fine. Now to save our desktop people hassles of trying to deploy out a simple registry change, I thought I could just set the VPN for it. This way I know that only VPN users are getting the setting and I guarentee that they will get it when the log into the VPN. Problem is I can't seem to get the policy to create the registry key if it's missing. The policy is setup under the Host Checker Policy with a Registry Setting rule type. The subkey is right and so is the name, type and value. I have remediation checked. Backing up to the Host Check Policy with the rule, my options for remediation are: Enable Custom Instructions Enable Custom Actions Kill Processes Delete Files Send reason strings Now under my test User Realm, I have several policies. An antivirus policy, firewall policy and a policy to track user names and computer names (makes it easier to find people who fail in the log). I have the TCP policy in place with Require and Enforce but I have it set to allow if one policy is passed (the way the boss wanted it setup means everyone fails at least 1 of the 2 polcies in place depending on location. Not my idea.) Now when I log in with my test machine I can see in the log that the policy fails, but I can't seem to get it to create the entry. One think I thought of is I'm not sure how deep the Host Checker can create a key. HKLM\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters is the key I'm looking for and then I need a DWORD created. Most systems I've come across do not have the Parameters key set. Could this be an issue? Any help with this would be appreciated. Darktan Running: Model: SA-2500 Current version: 6.4R1 (build 14063) Rollback version: 6.3R3 (build 13881)
... View more
02-25-2010
10:01:AM
We actually just gave the vendor an old laptop. They were reluctent to help troubleshoot the issue and we have been trying to stay away from supporting a vendor. Not the best solution, but this was the only vendor with this issue. Thanks for the assist. Peace
... View more
02-01-2010
07:17:AM
Well this is still an issue. The user can connect if I turn off the 'latest definition' part of the policy. I uninstalled the Host Checker and reinstalled everything from the installer files from the IVE. Same result. His VM was set to NAT (use the MAC's connection) and we turned that to bridged mode. Same thing. He's using AVG Free 8.x but we've gotten the same thing with any version of AVG. He's an admin on his system with Windows firewall turned off. Login page is set to a trusted site and all his trusted sites are set for lowest security setting. I'm not sure what the problem is. He has no other software installed that could be causing this issue. And it seems like it's just this guy. No one else is having an issue.
... View more
01-20-2010
01:17:PM
Thanks. I'd rather not get into running HC on a Mac only because I have none to test with. A blind policy would be a pain. I'll look into running the remediation fixes. We have that turned off to put the responsibility back on the end user but if it's needed, it's needed. Thank you
... View more
01-19-2010
12:17:PM
I will hop in as well. I have a vendor that isn't connecting with Avira. He might have other issues too, but I pointed him to something else.
... View more
01-19-2010
12:10:PM
Has anyone seen this? I have a vendor (so there's only so much I can do) that uses a disposable XP machine running on VMware on a Macintosh to connect to our system. Before, they had no anti-virus or anything on the machine and would just reload it every day. We require at least an anti-virus software on it in order to connect. The problem is, NC keeps bombing out on him saying his anti-virus is out of date or not updated. He's tried several different versions, all with the same results. The only thing I can think of is the VMware/Mac setup. We allow split tunnelling on the local side, but I'm not sure that's the problem. No other vendor we have that uses this VPN has issues. Peace
... View more
01-19-2010
12:03:PM
We use a tier security system here. AD accounts as well as RSA keys. But I think our biggest thing is that we check for company owned machines. Our system checks the registry to see what domain you are attached to, but you could easily set it for a marker file or some obscure registry entry. That way only company owned machines can connect. (I think you can even use a certificate but I'm not positive about that). Peace
... View more
01-15-2010
05:59:AM
Thank you Tech_dude. That is exactly what I needed. I was thrown supporting this device without being there for the setup so there is a lot of things that weren't told to me about basic maintenance. Your instructions were almost perfect (not sure about the 'blocked' part) and I got it updated. Now to tell all the vendors about the new list. I wish I could layer it to accept older versions of some products as well. Thank you
... View more
01-15-2010
05:56:AM
If I'm reading it correctly, your policy is 'Any product from a specific vendor'. I think the issue is that McAfee Security Center is not a supported product. The exact phrasing on my device is 'Require any supported product from a specific vendor.' Even though McAfee is supported, that specific product is not.
... View more
01-14-2010
12:46:PM
So I'm back with another question... :) We have a portal for our external vendors. Stil the same security as our regluar users but you don't get all network access and the only thing we require on the local PC side is a 'Valid anti-virus program' from the list of supported clients on the IVE. I've noticed that our's is kind of out of date. AVG for instance. The free version only goes up to7.x and the current version is 9.x. How would I go about updating this list to include more up to date versions? Would I need to update the build on the IVE? Our system is: SA-2500 Current version: 6.4R1 (build 14063) Thanks again for the assistance. Peace --Todd Bertschi
... View more
12-30-2009
08:27:AM
All that is checked so it should be working. One of the problems I have (internally) is that I don't have full access to the AD environment as it's controlled through another company. I also was not present when the system was put into place so it's very possible none of the AD side was setup correctly. My boss's answer to a simple question like 'Who should I call to verify all this on the AD side?' is 'Sorry. Can't help.' So I guess next week when everyone is back in the offices, I'll end up just calling the monkeys on the helpdesk. I'm sure a level 1 tech has all the power to confirm a certificate on the AD....
... View more
12-29-2009
07:04:AM
My bad. I forgot to include what I'm working with. SA-2500 Current version: 6.4R1 (build 14063) That is where I can set it on mine too. It's set. And as far as I can tell everything is working correctly. Enabled and the AD/NT setup looks correct and the AD side is setup correctly with LDAPS. It is still possible the AD side is incorrect. I have limited access to our AD so I'm taking someone else's word that it's all correct. It's a fight with them so I'd like to rule out everything else first.
... View more
12-29-2009
05:54:AM
I think the issue is 6.4 doesn't work but 6.5 does. Newer client version but running an older version on the IVE. When you log in, the NC version doesn't match and it performs an 'upgrade'. As Tessian said, you should be able to run multiple versions but it might break something in a Mac. I also have no experience in Mac's. Besides upgrading the IVE, the only other thing I can think of is to disable the automatic upgrade of all clients. Peace
... View more
12-29-2009
05:49:AM
We have an issue with our Juniper. The regular 'Your password expires in blah blah blah' message is not being pushed down to the user on login to the VPN. Our AD is setup correctly according to the KBA so I don't think that is it. I've read about custom sign-in pages and that's a great help. I plan on making up some custom pages in the future, but frankly I don't have time to mess with it right now. When you log into our VPN, we redirect you to our external company page and don't use the standard login. I altered one of my test realms to point to the standard login page as a test. Both pages don't seem to prompt me for my password reset or to notify me. So... Simple question. Is there an easy way to get this to work without learning all about custom pages or am I going to have to make time to learn this stuff? Thank you Peace --Todd
... View more
09-14-2009
04:27:AM
Thanks for the info Stine. Luckily the problem seems to have disappeared with some changes in our DNS suffixes. I'd still like to use the Cache Cleaner on a regular basis but I'll have to setup a test realm. The information you gave is a big help though. With it I hope I can sort out a decent test realm and get things rolling. Peace Darktan
... View more
08-27-2009
07:31:AM
I have one problematic user (luckily it's just one for now). His biggest issue is that he can't reconnect to the sign-in page without clearing all his temp files. What I think is happening is he's not disconnecting correctly or his cookies are not being deleted on sign-off. We have the start page on login changed to our external website because the NC Start button was confusing the users (NC starts on login). So after he logs off, if he tries to log ininstead of the sign-in page he gets the external website. To resolve this and to stave off future problems I flipped on the Cache Cleaner. I'm really only concerned with the users having no Juniper files that could screw up the connection process so on start-up and shut down are really the only times I need it running but I want to automate it to make it easier for the users. Currently, it's set to realm level enforcement. The Cleaner Frequency is 60 minutes and Status Update is 60. Login activity timeout is also set to 60. The idle timeout is 120 minutes and the session length is 720 minutes. Peristent sessions are also enabled. Now the problem is this user has been getting timeouts from the Cache Cleaner about every hour (System process detected a Cache Cleaner time out on host blah blah blah) since I enabled Cache Cleaner. I can't see where the settings are crossing. This is one of our power users (he thinks the session timeout should be removed completely) and is always working so he's not hitting the idle limit as far as I can tell. Does anyone have any suggestions or thoughts on how to configure this or why it's happening? Thank you Peace Darktan
... View more
08-12-2009
10:30:AM
Thank you both for the help. That did it. I wish our vendor could've answered so quickly. Kudos to both of you! Peace
... View more
08-12-2009
05:23:AM
I apologize for some mis-information. Our device is doing the DHCP. Ugh. I hate when I have to confirm information given to me. So drf... I think that is what I'm altering. Screenshot of DNS entries I now know where you're talking about and I believe this may be what I'm looking for. Right now there is only one entry there, a 192.xxx.xxx.xxx number. When I connect my DNS suffixes show 192.xxx.xxx.xxx (same number) and na.$company.com. I need to add the other ones. Would it be a simple thing of just adding them to the dialog box? 192.xxx.xxx.xxx, na.$company.com, eu.$company.com, br$.company.com etc? Screen shot attached. SA DNS Entries I just want to be sure as our test group can get nasty when things are disrupted. And thank you both for the help.
... View more
08-11-2009
10:05:AM
Hello all. I'm having some issues and our VPN and our 3rd party vendor is less than helpful so I thought I'd go for the source. Hopefully this is an easy issue and I apologizeif this drifts out of the range of Juniper support. We have an SA-2500 device that is doing our VPN. We're connecting through Network Connect but we have a minor routing issue. We need to adjust the DNS Suffixes on the Juniper connection when you connect. The problem is I can't seem to find where I change that setting. Our device is not doing DHCP. It is funneled back to another server in our network for that. Now when you connect to the VPN, the DNS suffixes change for all adapters, but not to what we need. So something gets pushed, but I need to correct it to the right addresses. I just need to know if I should be talking to our telco (who owns the DHCP) or looking at the VPN components to change the setting. Thanks Peace --Todd
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
