About zanyterp

zanyterp

unfortunately, i am not sure why that decision was made. i agree it is odd. have you had a chance to try the 5.1R9 client? that was the last version to support SRX connections. if that also shows the same behavior, i would recommend reaching out to Juniper to work with them; they will reach out to the Pulse Secure support team as-needed from there

zanyterp

You wouldn't happen to be running HyperV on your system, would you? If yes, can you disable the Pulse Secure/Juniper Network Service driver on the HyperV NIC and test? (https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB43614)

zanyterp

You wouldn't happen to be running HyperV on your system, would you? If yes, can you disable the Pulse Secure/Juniper Network Service driver on the HyperV NIC and test? (https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB43614)

zanyterp

You wouldn't happen to be running HyperV on your system, would you? If yes, can you disable the Pulse Secure/Juniper Network Service driver on the HyperV NIC and test? (https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB43614)

zanyterp

Thank you for the updates, @Mario; I am sorry to hear you have experienced connectivity failure with the upgrade. Yes, the SPE edition still provides 2 free users for testing.

zanyterp

👍 thank you for the info, @Ray. i had not seen anyone working on an Azure-based appliance yet. good to know @cml130: any luck with pulling up the serial console interface?

zanyterp

I am not familiar with any specific NPS configuration guide. Which errors are you seeing? I know I have configured it in the past (that lab has been torn down so i don't have an easy way to go check). Are the errors on the PCS side or NPS side? i remember the NPS side being significantly more difficult to configure than some of the other RADIUS servers I have tested. do other RADIUS clients complete authentication successfully?

zanyterp

thank you for posting the configuration elements for others!

zanyterp

thank you for the update, @tottawang glad to hear it is working

zanyterp

@Ithrendil do you know if other client OS are allowed to create a VPN tunnel? are you using IPv6 or only IPv4? i would recommend opening a case with our support team for further investigation

zanyterp

:'( thank you for trying it out and getting back to us. since this is an unlicensed POC…how POCy is this? is it POC enough that you can deploy a brand new 9.1R1-based image from the marketplace or upload the 9.1R1 VM directly to use for testing?

zanyterp

only one client can run at a time. if WSAM is open, you will not be able to launch Network Connect. as @Ray said, you will need to exit WSAM prior to launching Network Connect as WSAM blocks Network Connect. Alternately, you can login through the Network Connect client directly. Please note: both of these clients are deprecated. I would recommend working on the transition to Pulse.

zanyterp

the upgrades are available on my.pulsesecure.net after purchasing support. you can try to download a new version of the VM; you can also try to reach out to your local account team to see if they can help with an upgrade

zanyterp

you are welcome; glad to hear it works

zanyterp

what version of ESAP is being used? i would recommend working with our support team on identifying the failure reason (it may be that an update from OPSWAT is needed) in addition, this check does require the use of the Pulse client for logging in (as @Ray mentioned). from your note, i believe you are already doing that, but thought i would confirm.

zanyterp

that was down yesterday; it should be back up and running now. can you confirm that it is working for you?

zanyterp

what version of software are you using? if you are on pre-9.1R1, it will be difficult to have access outside the resource group that hosts the PCS. if you are using 9.1R1, please enable source NATting at System>Network>VPN tunneling. if you are not on 9.1R1, please upgrade and test.

zanyterp

Thank you for the idea, ganeshga@emiratesnbd.com

zanyterp

you are welcome; glad to hear that it is working

zanyterp

SRX connections are not supported on 9.0R4 It looks like you are trying to use split tunneling disabled on the SRX connection; if that is true, that is not supported on the macOS client.

zanyterp

If you change to memberOf, does it work? What does your TCP dump show? Is the group nested five levels deep? Do any of your groups come back? If yes, is there anything obviously different on the working and failing? If you really need to search that many levels, you probably need to increase your timeout value from the default 60 seconds to 120 or 180 seconds.

zanyterp

In addition to the above configuration, you will enable the Pulse Secure client on the role options page. This will enable the L4 (WSAM) connectivity of the Pulse client (both Pulse enabled and WSAM enabled on the role)

zanyterp

thank you for posting the sanitized file. are you able to create a test connection set that disables lockdown to see if that makes a positive impact?

zanyterp

thank you for the confirmation on version and rollback testing what is your connection setting configured for (machine then user; user at cred prov; user only; etc)? are you using lockdown or always on VPN? if yes, can you disable those and see if a positive impact is seen?

zanyterp

Hi @Tamas, In addition to what @Ray pointed out, can you ask your helpdesk to open a case with our support team? We have not seen this come in through our support system (that I am aware of) and we would like to assist in getting this resolved

zanyterp

are you able to use a previous kernel version? this looks like some issues that have been reported elsewhere while using 18.04

zanyterp

I am not sure; I do not know if the Azure instance has a serial console connection/virtual console option. Like you, @Ray, I do not have a way to test. @cml130: in addition to the above from @Ray, do you know how the authentication is done into the appliance? if the admin is configured against your domain controller, as long as it was not set to a specific user, you should be able to login to the /admin URL. otherwise, you will need to access the serial console of the appliance

zanyterp

if you rollback to a previous version of Pulse, do you see the same behavior? as @Ray mentioned, we have only seen this when there is a connection up and running and then a new one is attempted

zanyterp

thank you for confirming that it is happening for the three users that have been migrated. unfortunately, we are not able to see this in our lab on a vanilla image. as @Ray mentioned, adding dsTermServ.exe to the whitelist for both Carbon Black & Forescout should be checked. I have seen Carbon Black block our executables in the past. Do either of those applications have logs that record what is being blocked/denied that you can check?

zanyterp

@diaitskov: If you changed the user-agent string, it is possible it would run the checks for that spoofed platform; however, the connection would still fail as the macOS or Windows binaries will not load on Linux and still cause failure (since the application will not run).

Re: [SRX Connection] 9.0r4-b1731 Service exited du...

Re: Connecting to VPN with Pulse shuts off my wire...

Re: Pulse Secure 5.2 kills WiFi on Windows 10 Anni...

Re: Pulse Secure 9.0.3 Kills Wireless on Windows 1...

Re: Pulse Secure Client Issues and Licensing

Re: Lost Admin Password on Virtual Appliance in Az...

Re: Psa 5000 and microsot nps Server

Re: Win10 running Pulse Secure VPN client Error 14...

Re: Pulse Secure and Ubuntu 18.10

Re: Connecting to localhost ssl fails (error 20001...

Re: Am I missing something obvious with allowing o...

Re: Unable to connect to Juniper Network connect

Re: Where to download latest install package

Re: Group membership LDAP lookup

Re: Pulse secure vpn client Windows update agent u...

Re: Something wrong with "download.pulsesecure.net...

Re: Am I missing something obvious with allowing o...

Re: Connecting to VPN with Pulse shuts off my wire...

Re: Error:1135 "Remote access already provided by ...

Re: [SRX Connection] 9.0r4-b1731 Service exited du...

Re: Group membership LDAP lookup

Re: Access to the Web site is blocked by your admi...

Re: Error:1135 "Remote access already provided by ...

Re: Error:1135 "Remote access already provided by ...

Re: Pulse Secure 9.0.3 Kills Wireless on Windows 1...

Re: Pulse Secure 9.0R2-819 crashes on Ubuntu 18.04

Re: Lost Admin Password on Virtual Appliance in Az...

Re: Error:1135 "Remote access already provided by ...

Re: dsTermServ issue on Windows 10

Re: Your computer's security is unsatisfactory - L...