I am currently doing research on integrating google 2FA authenticator to SSL VPN.  First step is to setup a linux server and download google 2FA and configure this as secondary autthentication. Has anyone here tried doing the same approach? I will post the project status here so those who are on the same project can  comment and perhaps suggest best way on achiving the goal. ... View more

Hello, A bit late to jump into this one but it's now hot for us as we switch to NC split-tunneling with access to local subnet for our employees (68K). http://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs is an interesting one. The concern about WIndows machines sending traffic to non corporate DNS servers is genuine, and a risk for us. So, if it is a risk then why not switching back to no tunneling at all? Good question... And some answers (side note: we have a forest made of several domains, thus the DNS search list is not made of a single entry) Although using NC for the time being, we are looking for Junos Pulse in the future. The "Location awarness" feature which may trigger the tunnel establishment is attractive. DNS hijacking will break it as our users often enter non FQDN hostnames in whatever program they are using. Regarding Web browsing, we are going to switch from a proxy PAC file settings model to no proxy settings at all: WCCP, thus routing will do the job. Sending browsing traffic to the corporate forward-proxy's via the tunnel is non-sense (assessing the risk of split-tunneling is not for this particular DNS topic). Ideally, I'd be happy to see NC or Pulse tricking the hijacking made by these ISP (which are somehow breaking the RFC by the way. Read this if interested http://www.icann.org/en/committees/security/sac032.pdf ). I meant: ideally, Juniper is providing a workaround. Another quick(?) fix would be to create a list of these hijacker DNS Server IPs, a kind of ongoing community work. The file could be fetched by simple http get (of course, some security mechanisms should be put in place to avoid wrong IP to be there, but it's not the point at this stage). This file could be then used to feed the NC allow Tunneling policies so that traffic for these IP are routed into the tunnel.... Not sure it would do, but it could be worth the try :-). Who is connected via an ISP which is doing such nasty resdirections and want to test the above? Feedback would be more than welcome! Cheers, //P ... View more

Hello, To add another hint to the excellent post from Spacyfreak) , you may also play with proxy pac file which is pushed to the NC client browser. In the PAC file, you can also divert web traffic, stating that it should goes "DIRECT" (No proxy, so routing has precedence) or via your company proxy: useful depending your topology. Resource Policies > Network Connect > NC Connection Profiles: choose your profile and look at "Proxy Server Settings" choosing one of Automatic or Manual. In both cases, provide a valid URI like http://myhost.internal.company.com/proxy.pac, this server being only reachable when the NC tunnel is up. The PAC file file be copied to the $TEMP of the client's PC (and merged with the one configured on the PC, if any). You will mention that the IVE will automatically set an exception to avoid HTTPS traffic for the external SA NIC being sent to the proxy. Best regards. ... View more

Hi Ken, After reading your post, all what I can reply is: so do I :-) Cheers, RasKal ... View more

Hello Zanyterp, Windows7 without Endpoint Security policy configured makes it, of course, as the TNC Plugin is not needed anymore. Thanks for your time and ideas anyway. To give a bit more details now: The TNC client plugin will be associated with Host Checker rather than Pulse for the upgrade (or that is my expectation). What I saw is that, when installed, it is present in the "Pulse - About - version details" product listing; and NOT in the Program Files listing one could get by Control_Panel - Add_remove_Programs. My understanding is that TNC Client Plugin is more HC while Pulse could be compared to NC. Not that important after all... just words. As a test for your Windows 7 users, if you disable Host checker, do users connect successfully? Yes. What checks are you doing? Do you see anything interesting in the user access or event logs at the time the users attempt to connect with Windows 7? I removed HC from the login process. Does the behavior change if users connect from the browser rather than Pulse UI? Remember my post: "my SA is configured (under System -> Options) not to upgrade Junos Pulse clients automatically," We are not allowing users to connect via browsers because we are willing to control the deployment of Pulse: by SMS rather than online installation/upgrade. This is a requirement in my shop... :-(. And you, how are using Pulse? Any issues so far? Best regards. ... View more

Hello, Please have a read: http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB18054 Best regards. ... View more

I didn't test myself, so please don't think it will work.... I'd create a Pulse Location Awareness rule like: if "something" is valid when connected with Verizon then fire the VPN. "Something" is up to you (and Verizon); you will have to find the very specific and unique criteria (or a set of) which will trigger the decision. Junos Pulse -> Connections -> Your_Connx_Set -> Your_Connx_Name (or New) -> "According to location awareness rules:" Of course, create the rule... Best regards. ... View more

Hi Gavin, Ask your Juniper sales rep for an RFE (Request For Enhancement) with Juniper. Best regards. ... View more

Providing an update to myself (and the community)... To avoid TNC Client Plugin "upgrade" even if System -> Options "Enable automatic upgrade of Junos Pulse Clients" is disabled, you'd better create a MSI package with "All components" and not "Minimal components" which only includes Core access components. Doing so (All components) also includes the WX Acceleration Tab on the Client UI, which is not in use in my shop: it is confusing users and triggers (some... actually, a lot) helpdesk calls. Another problem I am facing is Windows 7 not able to connect (after user enters its credential, it loops between "Connecting" and "Waiting to connect" although the IVE is reporting the user as connected (an IP has even be allocated from the pool). I opened another JTAC for this... Anyone else here doing Pulse with Host Checker at Realm Level? Or are you doing compliance at Role level? IVE 7.0R2 (build 16499) Junos Pulse 1.0.2.7095 ... View more