I didn't see this mentioned in the supported OS doc.  Can I use the 9.x clients?  Would like the built-in browser for SAML auth and RS4 support. ... View more

We are upgrading from Juniper Pulse to PCS 5.3 Pulse Win client.  I want to delete all existing connections so only the new connection pushed from the PCS is available.  In testing, the old client is removed, and the new one is installed (works best in IE). However, old connections are kept.     I tried to delete them in the ProgramData\Pulse Secure\Connectionstore directory, but some of the files are owned by SYSTEM.     Is there a way to do this short of asking each user to delete everything in their Pulse client before upgrading. ... View more

Had a user that couldn't connect using iOS 11.1.2.  Tried new client, but didn't help.  Looked like it was connecting, but VPN icon in the status bar didn't turn on, and couldn't browse.  Works with 11.0.3 on same WiFi.  Tried OS reset but didn't help.  Any other one having issues? ... View more

WSAM auto-launches when the rule runs. In testing, HTML5 StoreFront kills the WSAM session but doesn't seem to launch. Can WSAM and SF HTML5 coexist in one REALM? I don't believe WSAM will launch on demand and must be auto-launched by the role. Correct? ... View more

I go through so many gyrations to figure out supported device types. There should be a boolean that says if a device is supported or not. Like the CertVerify boolean. Also, I'd like to role map using the DeviceOS which the Authentication report gives, but cannot be accessed any other way. This would simplify user agent string manipulations. I really shouldn't have to do this: userAgent = '*Pulse*' && userAgent = '*NcWin32*' && userAgent = '*Windows NT 10.0*' && userAgent = '*Windows NT 6.3*' && userAgent = '*Windows NT 6.2*' && userAgent = '*Windows NT 6.1*' && userAgent = '*Windows NT 6.0*' && userAgent = '*Windows NT 5.1*' && userAgent = '*Mac OS X 10_12*' && userAgent = '*Mac OS X 10_11*' && userAgent = '*Mac OS X 10_10*' && userAgent = '*Mac OS X 10_9*' && userAgent = '*Mac OS X 10_8*' && userAgent = '*Mac OS X 10_7*' && userAgent = '*Mac OS X 10_6*' && userAgent = '*iPhone*OS 10_*' && userAgent = '*iPhone*OS 9_*' && userAgent = '*iPhone*OS 8_*' && userAgent = '*iPhone*OS 7_*' && userAgent = '*iPhone*OS 6_*' && userAgent = '*iPhone*OS 5_*' && userAgent = '*iPad*OS 10_*' && userAgent = '*iPad*OS 9_*' && userAgent = '*iPad*OS 8_*' && userAgent = '*iPad*OS 7_*' && userAgent = '*iPad*OS 6_*' && userAgent = '*iPad*OS 5_*' && userAgent = '*X11*Linux*' && userAgent = '*ChromeOS*' && userAgent = '*CrOS*' && userAgent = '*Android 7.1*' && userAgent = '*Android 7.0*' && userAgent = '*Android 6.0*' && userAgent = '*Android 5.1*' && userAgent = '*Android 5.0*' && userAgent = '*Android 4.*' && userAgent = '*Android 3.*' && userAgent = '*Android 2.3*' ... View more

In the Pulse client for IOS, I am experiencing that the Pulse client defaults to the last used connection. I am rolling out a combination of VPN On-Demand and Manual Full-VPN connect using the client. I need both since VPN On-Demand depends on a full-qualified domain name for its connect rules. For connections using IP addresses, manual VPN is needed. The problem is that the Pulse client changes its default connection based on the last used connection profile. This breaks VPN On-Demand, unless the user manually connects to the VPN On-Demand profile, setting it as default from that point forward. Is there a way to force one profile to the default connection in the iOS Pulse Client? ... View more

In 8.2, WSAM functionality is available in the Pulse Desktop client. Is there a good way to detect if Pulse Desktop is installed? Is there a way to detect without using Host Checker? I'd like to use Pulse Desktop if available, but install WSAM client if not, since it's a much lighter install. ... View more

I was failing CRL checking, causing clients to not be able to login. Here's the final config I'm using (3 level CAs). Machine-Cert --> CAISSUEWA1 --> CAISSUE1 --> CAROOT 1. The client issuing CA (CAISSUEWA1) should have CRL Checking Options set to use: "CDP specified in client certificates". if that is being published. - Tick Verify Trusted Client CA - Tick Trusted for Client Authentication - Untick Participate in Client Certificate Negotiation. 2. The issuing CA (CAISSUEWA1) has the CRL URL of its parent CA (CAISSUE1) in its cert. Copy this URL and paste it in the CRL option of its parent using CRL Checking Option: "manually configured CDP". - Tick Verify Trusted Client CA - Tick Trusted for Client Authentication - Untick Participate in Client Certificate Negotiation. 3. The Root CA (CAROOT) has CRL disabled. - Untick Verify Trusted Client CA - Tick Trusted for Client Authentication - Untick Participate in Client Certificate Negotiation. ... View more

After testing, researching, and support tickets, I have come up with the following summary of SSO capabilities and limitations. Is this correct. 1. SSO requires "core" Web Rewrite using the Content Intermediation Engine a. Uses a Web Resource profile. b. Uses a "special" Web Resource profile that uses the Citrix Transparent Service Proxy (CTS) that supports "Form-Post", also known as "Remote SSO". Note: CTS is an Active-X control, so ONLY SUPPORTS IE. All other browsers require WSAM, JSAM, Pulse, or NC. c. Website needs to send a 401 Authentication Required to trigger Kerberos, NTLM, or Basic Auth. 1. Kerberos and NTLM requires Windows server with Integrate Authentication enabled. d. Website needs a "Form" tag to do a Remote SSO. e. Not sure about the Java Citrix Proxy or JSAM. Haven't tested. f. Haven't spent much time on MS Terminals Services. Is there a proxy similar to CTS, and does it operate similarly? 2. Pass Through Proxy does not support SSO. a. The value of PTP is no special client needed. 3. WSAM does not support SSO a. This works very well in 8.2 with Chrome and FF using new Pulse App Loader (PAL) 4. Pulse and Network Connect do not support SSO. 5. SAML and Cert Authentication complicate SSO since no password is captured at PCS Authentication. a. Kerberos Constrained Delegation SSO can help here to get a ticket for the user by using a service account. b. Can also prompt for a password by doing a secondary login using LDAP or AD and using a password manager like LastPass. 1. Pass the username from the SAML NameID, or CN from Cert. Be sure to send the proper AD username in the attribute. ... View more

We are working on using certificates to authenticate on-demand VPN sessions. The concern is that a stolen phone would still access the corporate VPN until the profile/cert is revoked via MDM. Also, someone's child could access corporate assets unchallenged if they are allowed to play with the phone. Touch ID with a complex "unlock" password for the whole phone will be a good first step. This should handle the "stolen" issue. However, I think a much better solution would be to allow the username and password entered into the Pulse app be cached, and used after Touch ID authentication, the way iTunes/Apple Store allows this. This would make use simpler for the mobile end user, yet maintain strong security for VPN. -=Dan=- Dan Smart Vulcan Materials Birmingham, AL ... View more

Now that we have a fresh break from Juniper for this application, can we please change the arcane terminology in PPS? 1. Infranet Enforcer --> Network Firewall 2. Host Enforcer --> Host Firewall ... View more