Strange problem - we have an SA4500 (6.5R5) with two roles configured. One is used for our internal company users, then other is used for a partner. Access into the VPN works great with both, except for drive mappings. For the remote users using the "company" role, everything works great - apps, drive access, etc. For PCs using the "partner" role, there is no problem with connectivity. However, when they map a drive (either through Windows explorer or a home-built script that uses 'net use' commands), they have problems with accessing all of the folders underneath the root of that drive. This share is actually a DFS share, so all it's doing is referring them to clusters where the actual data is stored. After doing a Wireshark capture, I found that some SMB and NBNS lookups are actually being sent out the physical adapter of the PC and not the Network Connect adapter. I think this is the reason why they can't access the shares referred to them by the DFS, but how can I tell the client to use the NC adapter so that I can eliminate that as the problem?? I have some split tunneling set up, but all that is doing is sending traffic for two specific subnets (neither of which contain the cluster hosts or the WINS/DNS servers) out the physical adapter. In fact, the capture shows me that the SMB and NBNS lookups are being sent to the physical adapter's broadcast address. ????? I'm a network guy (routers, switches, firewalls) with minimal knowledge of netbios, DFS, etc, so I don't know...is that supposed to happen? Why wouldn't these lookups be sent out the Network Connect adapter like all other traffic destined for the internal company network? The client PCs are NOT in the same Active Directory domain as our company servers, but does that even matter in this case? TIA ... View more

Greetings, We have a need to allow remote clients using a specific role to get access into our internal resources, but to also be able to browse the internet. I configured split tunneling so the remote clients can have access to their local resources (printers, local network drive), but as we know, the default route is set to use the VPN. We're having issues with the clients' browser (IE version 8) authenticating through our proxy, so I figured I could use split tunneling to tell the remote clients to use the VPN if they're trying to access the corprate resources, but to use the physical adapter for everything else. Is this possible? The split tunneling options in the admin guide don't necessarily help me. ... View more

Hi all, We have an SA4500 that, for a specific role, hands out a PAC file from an internal web server. I modified the PAC file so that it includes a number of exceptions based on IP address and/or host name. The very top of the file starts with: function FindClientProxy(url, host) { if (isInNet(host, "1.1.1.0", "255.255.255.0")) { return "DIRECT"; } if (shExpMatch(host, "*.local")) { return "DIRECT"; } { (various other exceptions) } return "PROXY proxy:88"; Essentially, I'm trying to tell the remote clients to bypass our proxy server for certain hosts and IPs, but use the proxy server, otherwise. Upon logging into the role, the user gets the PAC file correctly, but at the very top of the file is the following: function FindClientProxy(url, host) { return "DIRECT"; } This tells me it's somehow being added to the file and forcing the clients to go out to internet sites directly, not through our proxy environment. They will get blocked by this, as our firewall doesn't permit users to have open internet access. Why is the PAC file being modifed like this? I clearly select the "Automatic (URL for PAC file on another server)" option in the Network Connect proxy settings for this role. How is it telling the PAC file to do that? Thanks! ... View more

Greetings, We're running an IVE version 6.5R1 with ESAP 1.6.7. We have some clients running Symantec Client Security (version 10.1.0.394) that are having problems getting past Host Checker. The machines (laptops for field inspectors, engineers, etc.) have the full scan disabled because the laptop's CPU will get bogged down once they boot it up. Instead, they enabled a real-time virus scan that scans files while being uploaded/downloaded. So, they don't run a full scan periodically. Can Host Checker still support this? Originally, we set up HC so that any user would have to have run a full scan in order to be compliant. We would like HC to support the real-time scanning so that it considers the laptop compliant. Any other suggestions? I also thought about setting up a different sign-in page and could apply HC policies specific to these workstations, though I don't see how I could do anything differently. ... View more

What is this used for? I've read KB9650 that says it's only used for Network Connect server side internal implementation purposes and not exposed to the client at all. This also shows up as the DHCP server to the client in the ipconfig /all output. Is there a way to remove this? Does this have an effect on DHCP somehow? We're using an internal DHCP server to assign IP addresses to the remote clients, so that shouldn't come into play here. ... View more

We have an SA4500, version 6.5R1. All we need to do is create a tunnel with Network Connect and allow users to run their apps as if their desktop was physically connected to our network. Upon logging into our VPN, the client's browser asks permission (via a pop-up information bar) to download a Citrix client. How do I prevent this from happening? I've unchecked the Terminal Services feature in the rol configuration, but it didn't seem to work. ... View more

We will be installing an active/active pair of SA4500s with a hardware load balancer. As with an SSL-based web site, am I correct in thinking that we will need a certificate for both units? If so, how will this work with the URL we provide users to access the VPN? For example, if we give the users a URL of https://vpn.company.com and we need a certificate on both units, do we create each certificate with a different common name (e.g., vpn1.company.com and vpn2.company.com)? How will that conflict or work with the DNS name that the users enter in their browser? Thanks and regards. ... View more

We're running into a strange issue where I'm not sure if the ESAP or Host Checker has a bug. We have an SA4500 running 6.5R1, using ESAP version 1.5.8. I've configured the HC policy to use an antivirus policy, checking for a scan run within the past 5 days and have definitions not older than 10 previous updates.The policy looks for *any* supported AV product. When I connect in from a company-issued laptop using the latest Symantec Endpoint Protection, it works fine. Using my home PC with McAfee, I get the following: 'McAfee VirusScan 13.15.116 does not comply with policy. Compliance requires successful complete system scan.' I'm running the scan right now, but my PC scans every day. Does it need to find no "problems" to be considered a successful complete scan? ... View more

We are using an SA4500 for an evaluation, when I suddenly lost the ability to manage the unit. I created an admin user for management and configuration purposes without any problems. However, just yesterday, I was unable to make any changes. The box would let me log in with the same username & password (via the WebUI), but once I clicked on anything, I was immediately returned to the login page...as if my session had timed out. Any ideas? Do admin users get locked out after a certain period of time? ... View more

We are doing an eval of the SA4500 and are discussing options of where to place it on the network. The plan is to give users access to basic resources (email, internet, in-house apps, etc.). Option 1 - Place the SA in our DMZ behind a firewall and have a "one arm" topology where the internal and external interfaces are in the same subnet. Thus the traffic travels from the internet to the firewall to the DMZ, then back through the same firewall to reach the internal network. Option 2 - Place the SA in front of the firewall and send traffic to the internal network through the firewall (utilizing a second DMZ-style vlan). The concern with the first option is that we would create a back door into the internal network, where all traffic currently has to traverse the firewall to get there. Option #2 does leave the SA open to the internet for potential attacks. Is there a normal convention that most organizations use? Thanks! ... View more