Haven't tried it myself but have you tried using NetConnect to see if that fixes the problem? Just for debugging. ... View more

What you want to do is set the restrictions on the role to evaluate the Host Checker policies but not enforce it. This way the user will still be able to map into the role but a message will be logged. -Mike ... View more

It should be able to see the cluster... no need to upgrade. Just don't stay too far with version differences. I've had OAC on older version communciating with IC cluster on new versions. I assume you will have both IC devices in the cluster at the same firmware. -Mike ... View more

The default behavior is for the client to get a message saying an upgrade is required. You can disable this on the IC6500 if needed. However, it should continue to work with the old version of OAC. -Mike ... View more

Ah ok. I thought you were referring to 2 wired NIC, not 1 wired and 1 wireless. :) Glad you found a solution. -Mike ... View more

If OAC does not control the NIC, it cannot make changes to it directly. At least not that I'm aware of. -Mike ... View more

Since you broke the cluster, you will have some downtime. The steps you online is what you have to do to get this working again in a cluster. With regards to configuration, when adding a device to a cluster, the configuration on the device is replaced so changes will not propagate. It will take about 5 mins or so while the primary device reboots. Once it's rebooted just add the 2nd device to the cluster and verify sync. At this point no more downtime. -Mike ... View more

Hi, Have you tried to disable McAfee to test JTAC's theory? Contact your local Juniper REP and let them know of the issues with JTAC. Hopefully you can get someone on your timezone that can help. Good Luck! -Mike ... View more

Hi, I'm not sure it's possible to do what you're asking. Basically, you're asking to create a link that's accessible via the SSL VPN so when user clicks on the link, it logs in the SSL and then go to the survey link. Otherwise, the use would sign-on to the SSL directly and get the access they need. I haven't seen a way to do this within the SSL VPN device. Maybe Juniper can help with this directly. Have you contact JTAC to see if there's a solution? If you do find a solution please post... it would be interesting to see if you can have a link that's proxied by the SSL VPN. -Mike ... View more

Hi, Your best bet would be JTAC. If you are not getting the help you need with Level 1 ask them to escalate the case. If they give you issues with this, speak to a manager. If this doesn't work, call the JTAC support number, select the option for Customer Service and explain the situation. No reason why you should not get the proper help you need via JTAC. -Mike ... View more

irfanhussain Since you want the user to get a OWA 2003 link, this is all web based. The user does not need to get an IP address or built an actual IPSec tunnel from the end-point to the SSL VPN. What you need to do is create a Web Resource Policy, which is basically a web link/bookmark to the OWA URL. Associate that web link/bookmark with the role created for the user. The user will go to https://100.100.100.1, login and providing authentication is successful and user is mapped to the correct role, they will get a portal page on the SSL VPN with at least 1 web link to OWA. The user clicks on OWA and the SSL device acts as a proxy between the OWA server and the user. FYI ... the SA can be configured to provide a number of different type of access -- Terminal Services, Web Resources, Telnet/SSH, Network Connect, SAM. Only Network Connect would provide a full IPSec tunnel and at that point the user will get an IP address that from a configured IP Pool on the SSL VPN. You should take a look at the admin guide for detail info on all these features. In general, I do not enable Network Connect unless it's absolutely necessary. If I can provide the same access using one of the other features, I do that. Network Connect makes the end-point communicate with the internal networks directly (of course youc an setup ACLs on the SA to limit access). Hope that helps. -Mike ... View more

rakeshb, That's a good workaround! Never thought of that. :) -Mike ... View more

What are you trying to accomplish? Which features are you enabling for the user after they signon (roles) and what does the user needs to do? Based on the requirements, you may or may not need Network Connect. If you're not running Network Connect, users will not be able to ping internal resources. -Mike ... View more

When you say drops, can you be a bit more specific? Is it the SSL dropping, SAM, Network Connect? Normally after an upgrade, if users are experiencing any connectivity issues, clean the cache and uninstall the Juniper apps from Add/Remove programs. -Mike ... View more

Yes, you can assign policies based on AD group on the IC. The OAC will get the info from the UAC and will move the the VLAN based on policies. -Mike ... View more

Were you able to get the SRX connected to the IC? If this works, then you should just have to create your resource policies on the IC and it should push it to the SRX. ... View more

When you setup a policy on the SRX you, one of the action is to permit application UAC w/VPN. For the SSG is a bit different. On the SRX it seems the Zones does not make a difference when you specify them on the SRX. With the SSG it's a bit more integrated so it does matter which zone for either SRX or SSG and the firewall does know about it one way or the other. -Mike ... View more

You would need to create a policy and associated it with all 3 devices. Right-click on a policy and there's an option for "assign". If you will be doing this, then create 1 policy and under the policy create groups for each firewall. There's a column asking which firewall to install the policy to. For example: Group1: Firewall1 Group2: Firewall2 Group3: Firewall3 Group4: Shared - all 3 firewalls. This way you have 1 policy but it's broken out into groups. -Mike ... View more

Dominik, If you search your AD for 'rappaport02', does it show up? If so, what OU is it part of? I have this working at several location, even with nested OU and it works fine. In the trace logs, do you see any errors or messages about "winbind"? -Mike ... View more

If you place a PC in VLAN33 without any 802.1x, does it receive an valid default gateway? OAC should not keep the default gateway for another VLAN. Only thing I can think of is that the DHCP server is not configured to send the default gateway/router DHCP option for VLAN33. -Mike ... View more

What does your split-tunnel ACL and access ACL looks like? Also, verify the user has DNS access via NC. ... View more

You need to configure the IC for an AGENT configuration, since the OAC is the agent. You don't need an 802.1x switch. So you will be doing L3 authentication. In the OAC configure an Infranet Controller profile and point it to the correct path to the IC. Should work. -Mike ... View more

Enable authentication policy tracing on the IC and see if you have any issues with WinBind. I had a similar issue in the past where AD accounts worked fine but computer accounts did not work. The problem turned out to be that the account used to connect to the AD (auth servers) did not have sufficient rights to do a winbind so it failed machine authentication. Also, from the location where you define the AD server on the IC, make sure there are no erros when you run the TEST to verify AD connectivity from IC to AD. -Mike ... View more

I can't say I'm very impressed with the SRX myself. As a firewall and just that, it seems to be OK but when you start doing any of the advance stuff, it's just not realiable as yet. I'm currently int he middle of a project and I've ran into some strange issues, things that I think Juniper should have identified and have solutions for before pushing the SRX to the public. Oh well... Wonder why I do this job sometimes? :) Good luck with your other issue. Hopefully JTAC can get you an RMA -- hell, they should have one out to you ASAP, no questions about it. Amazing how a simple thing like that will screw up the system. -Mike ... View more

I'm running the same version also. Weird you're not hearing back from them. You should call back and have the case escalated. Did you do any trace on the SRX or run a wireshark on the end station and/or the DHCP server? ... View more

Not sure what could be wrong. Seems to have everything configured properly. What did JTAC have to say? Also, what firmware are you running? -Mike ... View more

No drop packets in the DHCP relay stats. -Mike ... View more