For a certificate based authentication you first need to create / setup a CA. This can be either a Microsoft CA or any other one. If you do not need a direct AD authentication, you can use OpenSSL and TinyCA (GUI)  to create the client certificates.   On the SA you only have to import the public part of the Root Certifate of your CA under "Trusted Client CAs" and set it as "Trused for Client Authentication".     After you created a  client certificate, you have two  ways to get it on the iOS Devices. 1)You can export the certifcate as PKCS#12 and put it on an (interal) website or cloud storage from where you can download it onto the iOS Device.   2) You can use the Apple Configuration Tool to create a profile, which contains the client certificate. I would recommend this way, as you can do much more settings here then only import certificates. To import the client certificate, you first have to import it on the PC where you run  to the Apple Tool, as the Tool can only import certificates from the internal Windows Certificate Storage. After creating the profile, you can use USB to get it directly on the iOS Device or you can export it as a .mobileconfig file, if you want to import it via website or cloud storage.   Hope this helps       ... View more

I got the same here today, running 7.4R7.   I wanted to explain to a user how to use Secure Meeting. The user started the session and I tried to join from my virtual computer, but got the same error as you (session has expired). After that I tried to join from my host computer to the same session and had no problems.        ... View more

Hi,    we are running McAfee Virus Scan Enterprise 8.8, too, and do not have any problems with it. You can take a look in the logs on the ePo Server or the client to see whether VirusScan is blocking something or not. In the ePo Server there is a VirusScan policy called "Unwanted Programs" with some pre-defined categories. As far as I can remember, the Host Checkers does fall into the category "Remote Tools", which is enabled by default. If this category is enabled for your VirusScan Clients, the HC could be blocked and you should see corresponding log entries on the ePo Server.   Mayby you should take a look there.     ... View more

According to  the Supported Platforms documentation I would say, that 7.3 is the first firmware supporting IE10.   Supported Platforms 7.3 ... View more

I«ve tested Exchange Active Sync on Windows Phone 7, 7.5 and 8. With all of them I was able to do a sync using our IVE (7.2R6).   The only limitation I found was, that Windows Phone 7 and 7.5 isn«t able to authenticate by username/password and client certificate at the same time. I could only choose to authenticate between username/password OR certificate.   Windows Phone 8 has synced without any problem using both authentication methods.       ... View more

Firefox 17.0 and Java 7U9. My test machines are running XP and Windows 7 (32 Bit). ... View more

I got the same error as Steve, so I took the HTML code we use for ProperRDP as a template to build a new one. With this HTML Code the Applet starts and I can connect to a XP or Server 2003 host.  But I get an "cursor not found" error when trying to connect to a Windows 7 host..   Any ideas?   <HTML> <HEAD> <TITLE>JavaRDP</TITLE> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </HEAD> <BODY> <applet code="com.lixia.rdp.applet.RdpApplet.class"' codebase="<< CODEBASE >>" archive="JavaRDP2.0-20101111.jar" width="1024" height="768" name="Lixia RDP" align="center"> <param name="code" value="com.lixia.rdp.applet.RdpApplet.class"> <param name="codebase" value="<< CODEBASE >>"> <param name="archive" value="JavaRDP2.0-20101111.jar"> <param name="cabbase" value=""> <param name="name" value="JavaRDP"> <param name="geometry" value="1024x768"> <param name="server" value="<<HOST>>"> <param name="align" value="center"> <param name="port" value="<<PORT>>"> <param name="username" value="<<USER>>"> <param name="bpp" value="16"> </applet> </BODY> </HTML>   ... View more

In my eyes that depends on how the users work with the SA. A rough guideline for me is.... Are there users which has to alternately login to differnet realm? => Sign-In Page/URL with Realm Selection. This would make it easier for the users to switch between the realms Are the majority of the users login to one specific realm? => Sign-In Page/URL with single realm for that users. This reduces the number of users which could choose the wrong realm => Reduced work for the helpdesk :-) Do you have multiple realms for the users, but each users always only login to one of this realms? => Sign-In Page/URL for each realm. In my experience it seems to be easier for a user to distinguish between URLs rather than realms. So telling him he has to go to "mycorp.com/sales" to login is easier than telling him to go to "mycorp.com/login" and choose the "sales" realm. Are there technical reasons for multiple domains (e.g. users has to choose the domain he wants to login in) => Try to find a solution to accomplish this with a single realm. According to Murphys Law the effort for this is considerably lower than to explain the user which realm to choose ... View more

I opened a case and support told me, that this is a known behaviour which has been fixed in 7.1R6 (I use 7.0R7). Ok...this answeres my question. I then asked about a KB article to this issue. Because I wasn«t able to find something about that in the Knowledge Base. He told me that Juniper has not published a KB article, because this issue / fix is mentioned in a few 7.0 and 7.1 release notes. Thats a little bit odd. I mean...what good is a Knowledge Base If I don«t put information about all bugs / fixes in there. I certainly will not read through all release notes to see if a specific behaviour I just discovered is a bug or not. A simple article like "This is a know behaviour and has been fixed in 7.1R6" would have solved this issue for me within minutes. But ok...this should be part of another discussion. Thanks for your replies and efforts to help me with that. ... View more

You are correct. That«s what I mean. I use two different usernames with different passwords. The first one ist for radius authentication and the second one for LDAP authentication. ... View more

Well...i should be seeing the content of both variables, not the content of the first one and the name of the second one Maybe I did not expressed it correctly, so I took two snapshots. One of the SSO settings and one of what I see in the logfile of the webserver which gets the request. The variable <[email protected]> is filled with the value "Testdomain" The variable <Username[2]> is filled with the name used for the second authentication. Here it is "Testuser". So I would expect so see something like "Testdomain\Testuser " in the weblog. __ ... View more

I was able to work around this. The Web Server also accept the UPN for login, so I«ve added userPrincipalName to the server catalog of the LDAP Server to use it for SSO. Nevertheless I think the behaviour of the SA isn«t correct when using two (or more) variables for the username in SSO. I can see in the logs of the Web Server that the SA tries to login with DomainA\Username[2] . If I only use userAttr.ReplyMessage it tries to login with DomainA. (means the variable is filled corretly with the Radius Reply Message "DomainA") If I only use Username[2] it tries to login with JohnD. (means the variable is filled correctly with the username used for the secornd authentication) If I combine them in SSO, the SA tries to login with DomainA\Username[2]. I also tested it with <Username>\<Username[2]> just to see what happens. And the SA combined this to something like PeterM\<Username[2]. (where PeterM is the name used for the first authentication). So for me it seems that the SA stops to resolve any variables after it resolves the first one. Maybe I should open a ticket for this. ... View more

There is no problem. The Host Checker simply does not support IPad. So you will have to create an extra rule without HC for the IPad users. ... View more

As far as I know there are no other ways to achive this. Exept you use an external auth server which allows you to define time restricions. But that would just allow you to define a login time. With custom expresion in combination with policy reevaluation you can also make sure the user gets kicked when the login time expires. Custom expressions aren«t that complicated. They are simple IF-Then expressions. And if you do something wrong, than simply nothing happens. If the expression matches, the user can log in. If not, he can«t :-) For example user = 'JDoe' AND time.year = 2012 AND time.month = 01 AND Time.day = 26 AND Time = (08:00AM TO 05:00PM) AND hostCheckerPolicy = "<name of policy>" This allows the user "JDoe" to login on 26th January 2012 between 8 AM and 5 PM, if the defined Host Checker Policy check was successfull. You can test your custom expression with the simulator (Maintenance / Troubleshooting / UserSessions / Simulation) Hope it helps. Marc ... View more

We have a multi domain AD structur and the login process takes about 2-3 seconds using LDAP. The duration of the login process depends on how large your AD is and how you configured the LDAP search string. So if you, for example, have a large AD and start the group search at top level, it takes time for your LDAP server to search through the whole AD. There are some errors in the LDAP configuration in your last posting, so maybe this can help you. Generally... to avoid typos with DNs it is a good idea to use a tool like ADExplorer from Sysinternals to copy/paste the DN of a User or group. Authentication required ---------------------------------- If authentication is required for an LDAP search, then you must enter the DN of an appropriate account here. For example: CN=LDAPUser, OU=Users, DC=Creditocoucion, DC=es Finding user entries ---------------------------- Here you have to define where the LDAP search will start searching for a user and what filter will be used for the search. To start at top level this could be DC=creditocoucion,DC=es What filter to use depends on how you want to search for the user within the AD. If your users uses their normal AD login name, then the filter would be..... sAMAccountName=<USERNAME> ...where sAMAccountName is the LDAP attribute you want to check. Again...use a tool like ADExplorer to see which LDAP attributes are available if you want to do some special things. :-) Determing group membership ------------------------------------------ This is a little bit the same as "Finding user entries". Here you define where the LDAP search should start to determine if a user belongs to a group. This is necessary if you want to grant permissions based on group membership. If you want to do so, than, in my opinion, it would be a good idea to use dedicated groups for this and to put this group in an extra OU. This would speed up the lookup. For example an OU named "SSL-Groups". The base DN would then be... OU=SSL-Group, DC=creditocoucion,DC=es The filter : cn=<GROUPNAME> Member attribute : member Hope this helps you a little bit ... View more

Thanks for the Info. The Professional version is listed, but not the (very popular) free version. I«ve just tested the ESAP 1.8.1 with Avira Free 12.x , but it is not detected (as expected). Ticket is open. ... View more

I can«t see your rule settings. There is no picture. We use 7.0R7 (build 18809) Our settings are: __- Virus Definition files should not be older than 6 Updates - Monitor this rule for change in result - The " Successful System Scan must have been performed in the last x days " option is not set. - The McAfee Enterprise is selected by Vendor "McAfee" I«ve made the experience that different IVE OS Versions can result in different behaviours of the HC. I had an issue with HC (ESAP 1.7.5 or 1.7.6), where it did not detect the virus definition of TrendMicro. After upgrading the IVE from 7.0R4 to 7.0R7, the issue were gone. Without updating ESAP. Maybe your problem isn«t only an issue with HC, but in combination with IVE 7.1 . ______ ... View more

Hello, We have no problem with ESAP 1.8 and McAfee Enterpriese 8.7.0.570. What IVE OS Version do you use? ... View more

Hello, This issue seems to be resoved with Firefox 8. I«ve just tested the Firefox 8 (Final) with Windows 7 (32 Bit) and the Host Checker starteds as it did with Firefox 6.x. Marc ... View more

Hello Avira 2012 is still not supported by 1.8. That«s not funny any more. ... View more

Hi We ran into this last Friday, when the first users reported this problem. Today I«ve verified this on Windows 7 64- and 32-Bit, where I«ve got the same results as you. Like you, I also tried the Addon Compatibility Reporter, but with no effect, too. Fortunately this problem does not occur on Windows XP, as most of our users are on Windows XP Till now the only solution I know on Windows 7 is rolling back to Firefox 6. ... View more

____Hello Ok...this problem is marked as solved, but I had a similar problem with users in multiple domains, so maybe my solution can help you in any way. Here we have a classic domain setup with a root domain and some sub-domains. domain.com aaa.domain.com bbb.domain.com ..and so on. The users of the SA can be from any of these domains, which means the LDAP lookup had to start at the root domain. dc=domain,dc=com Because of the size and number of the domains, the LDAP lookup took inacceptable long (40+ seconds). An AD/NT lookup ran into timeout after 2 minutes or so. So I had to search for another solution. My Idea then was to build some kind of dynamic BASE DN to let the LDAP lookup start directly within the users domain. To achieve this, I configured the Reply-message attribute on the Radius server (we use Radius for the first authentication) to reply with the (sub)domain name of the user who logs in. JohnDoe Auth-Type := Local, Cleartext-Password := "password" Reply-Message:="aaa" In the LDAP Auth Server settings I then used the system variable "userAttr.<auth-attr> to dynamically build the correct BASEDN for the lookup. Looks like this dc=<[email protected]>,dc=domain,dc=com When a users logs in, this resolves to .... dc=aaa,dc=domain,dc=com With this Base DN, the LDAP Server of the root domain directly replies with a redirect to the domain controller of the users domain, which is then queried for the user attributes. Maybe my solution can help in any way. Marc ... View more

Hmmm...because of your posting I«ve just done some sniffing with TCPDUMP. And the only traffic I can see is the one destined to the internal network. Everything like it should. So I«m really interested in what JTAC will say. ... View more

I«m currently testing Junos Pulse on iOS with an iPad (4.3.1) and an iPhone (4.3) and have no problem to get split tunneling working (SA 4500 running 7.0R4) I«ve configured split tunneling to route all traffic for internal addresses (172.16.0.0/16) to the SA. In the network access policy I«ve allowed RDP and HTTP to an internal MS Exchange Testserver ...and everything works like it should. On both iOS devices I can use OWA, ActiveSync and Remote Desktop to the internal server while being able to surf the internet. Maybe we can compare our settings to find what«s going wrong. Marc ... View more

Thanks for your response. Your hint to import the certificate to see whats wrong with it was a good idea. Although i wasn«t able to import it ("unsuppored certificate purpose") it showed me that there must something be wrong with the certificate itself. To cut a long story short: It was the certificate template on the CA that got broken in any way. The defined use in the template was set to "Signature" and the policiy was set to "client auth", but the certificate itself contained some weird values. After creating a new, clean template everything runs fine Thanks fŸr your help Marc ... View more

Thanks for your response. ... View more