- Pulse Secure Community
- :
- About arslan.nawaz_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
arslan.nawaz_
Contributor
30
Posts
0
Kudos
2
Solutions
04-15-2015
06:27:AM
still waiting.... any help.... :(
... View more
03-27-2015
01:48:AM
Hi I am using the MAG 2600. I configure web access for Microsoft Dynamics ERP portal on SSL device. When user click on the web portal link the web portal open successfully. However when user try to click any link inside ERP portal it does not work. Also few icons (links) inside the portal is showing disable. Any solution???
... View more
10-19-2014
10:18:PM
Since we use capitive portal in srx uac policy, If I dont use the application-services in security policies than how I can redirect the users towards UAC (captive portal)? Second I cant understand the behavior of security policy. If I use the source-identity with unauthenticated user and uac-policy with application-services the policy is bypass (not matched even user is still unautheticated), and if I did not use source-identity with application services uac-policy the policy is matched but policy did not allow the user traffic...
... View more
10-18-2014
11:33:PM
Yes I upgrade junos software to 12.1x44d40. I remove all the unified-access-control configuration on SRX then commit and then reconfigure the uac settings, but still no luck. here is uac configuration on srx ------------------------------------------------------------------------------------------------------------------------------------------------------- set services unified-access-control infranet-controller MAG-UAC address 10.50.50.100 set services unified-access-control infranet-controller MAG-UAC interface reth1.50 set services unified-access-control infranet-controller MAG-UAC password uac@mag set security policies from-zone Wifi to-zone Internet policy test-uac match source-address Arslan-1.12 set security policies from-zone Wifi to-zone Internet policy test-uac match destination-address any set security policies from-zone Wifi to-zone Internet policy test-uac match application any set security policies from-zone Wifi to-zone Internet policy test-uac then permit application-services uac-policy set security policies from-zone Wifi to-zone Internet policy test-uac then log session-init -------------------------------------------------------------------------------------------------------------------------------------------------------- Following is the output of few show commands. > show services unified-access-control status node0: -------------------------------------------------------------------------- Host Address Port Interface State MAG-UAC 10.50.50.100 11123 reth1.50 connected > show services unified-access-control roles node0: -------------------------------------------------------------------------- Name Identifier Trust-User 0000000001.000005.0 Remediate-User 1396270434.123514.0 Trust-Agentless 1395391788.690864.0 GUAM 1395991600.414804.0 Guest-Users 1395992372.36996.0 Corporate-Wifi 1395994939.110403.0 > show services unified-access-control policies node0: -------------------------------------------------------------------------- Id Resource Action Apply Role identifier 1 10.100.111.111:* allow selected 1396270434.123514.0 2 *:* allow selected 0000000001.000005.0 > show services unified-access-control counters node0: -------------------------------------------------------------------------- (Counter command showing nothing...............) Should i use the source-identity in security policy?
... View more
10-18-2014
09:45:AM
hi I have an urgent query. I was using UAC 5.0 on MAG and SRX 1400 in Chassis cluster with Junos 10.4 as the L3 enforcer. The solution was deployed successfully and everthing was rorking fine until recently I upgrade my SRX 1400 junos software from version 10.4 to 12.1. After the upgrade junos software, all the UAC policies configured on SRX 1400 is not working. The device is connected to UAC properly and users are shown in auth table of SRX device... Any help Regards
... View more
07-05-2014
04:01:AM
I try the pass through proxy but still the problem is not solved. Application is open via the SA web access but when I click on any button (like New, Edit etc.) nothing happen, application is not responding and did not open the new dialog boxes or text boxes. Is this the issue with CIE? How can I solve the issue?
... View more
07-02-2014
12:50:AM
When I access my enterprise web application via web based core access method in SA-8.0R4 (MAG 2600) any link that will open the new dialog box (through java script code) in my application is not working. When I click any such application link nothing will happen. How can I resolve this issue? note: I am using thedefault rewrite policy
... View more
04-08-2014
08:43:AM
Hi Now the problem is solved. I notice that once user connected to UAC and assign a role (e.g. "Users-Trust") and then he disconnect the network cable and connect to Wifi start using his previous connection on UAC with the same role (i.e, "Users-Trust" instead of "Users-Wireless" ). The problem is solved by adding the source ip restriction on role level. So if user changes his source IP he canÍt use the same role which he was already connected on the device and lost the connection. He needs to provide the credentials of "Users-Wireless" role in order to connect this new role. Yes I can also restrict user on firewall policies via security policy source identity command. But this feature is available on Junos 12.1 while I am using Junos 11.4 (for high end srx devices still junos 11.4 is recommended by juniper. ) Thanks for the help Regards Arslan
... View more
04-08-2014
02:06:AM
Thanks Kanann/Ashish Paul @Kanan No... I am using the two different realms for both roles. Reason is because I want to ensure that all the users with role "Users-Wireless" will get agent less connection with no client installation. and the all the users with "Users-Trust" role will have option to install the pulse client via web. I configure two different realms and sign in policies for both roles. If i configure the same realm and segregate users on the basis of role mapping, then users with role "Users-Wireless" will also start junos pulse client installation whereas we want to get them connected to UAC directly (means no pulse client installation - only the agent less connection). With dynamic policy evaluation the minimum time I can set for role evaluation is 5 minute. Or I need to manually refresh the role. It means users still can use his active session with the same role but with new IP address. And as the end user IP is change the user remain connected to UAC (using his previious UAC session with new IP address) and with same role. It means however his role is not change on UAC but as his IP is change and he is already authenticated on UAC he start using unauthorized accesses on the basis of his sourece IP address. @Ashish I disable the Roaming Session option on all the roles. I am using L3 enforcement no 802.1x.
... View more
04-08-2014
12:04:AM
Hi I have a query about UAC. I have two roles. One is the "Users-Trust" and Second is the "Users-Wireless". Users-Trust role is for users who connected via network cable using Junos Pulse. User-Wireless role is for users who connected via wifi devices and the role is configured as Agentless. The users with Users-Trust role have resource access policy with allow everything and I control thier accesses on SRX firewall on the basis of thier source ip addresses. However I configure the resource access policies for Wifi users as deny all the corporate network access and allow only direct internet access with cap portal. Now the issue is as user connect on Cable he get the role "Users-Trust" and start using network resources. Later on user disconnect the cable and connect to wifi and as his session remains on UAC he starting using his same session with the new ip address (wifi dhcp ip). and start using the resources allow only to specific wifi users. I also configure role mapping policies for User-Wireless role allow this role only for specific users and not allow everyone. As I understand when user switched to wifi his source ip is changed but his session was remain exist on device. UAC will not check user credientials/roles and start using the same session with new ip address. I want to not allow user to use same session on UAC when his ip address is change. Can any one help me...... Regards Arslan Nawaz
... View more
03-20-2014
05:09:AM
Thanks a lot Raveen and Kannan. Actually I want to use NAC for the guest users to access limited internet. Usually we can't bind guest to install client on their mobiles and at the same time we want some minimal compliance enforcement like not allow them to use P2P software, torrents etc. Obviously I have workaround and can control the access on layer 3 on SRX firewalls but I think It was better if we can enforce the compliance via MAG directly. Hopefully it will be in the future roadmap. Regards Arslan
... View more
03-19-2014
01:43:AM
Hi I am trying to use host checker on android devices (with MAG 4610). I try to use agentless connection and on my andriod mobile browser as I enter the credentials I get the following msg. "Host Checker is not supported. Please contact your administrator" How can I use host checker policies on andriod without junos pulse client software. Regards Arslan Nawaz
... View more
02-25-2014
07:19:AM
Thanks Kalagesan problem is solved... I succesfully done SSO using SPNEGO user role firewall.
... View more
02-24-2014
04:24:AM
Dear Kalagesan I already read these details on User Role Firewall documentation. Actually I confuse about AD configuration. I am not much familiar with AD just know the basics. Suppose the hostname of my MAG device is ic2600 with domain xyz..com I create a dns entry ic2600.xyz.com and map the entry with the ip address of my MAG device. The documentation is saying to perform these steps on AD. -------------------------------------------------------------- 1. Add a DNS entry as the UAC service account in the Forward Lookup Zones. In this way clients can refer to the MAG Series device by name or by IP address. This UAC service account name will be used in the next section when reconfiguring the UAC service on the MAG Series device. 2. Single sign-on authentication requires that the UAC service account password never expires. To modify user settings: From the Active Directory Users and Computers application in DNS, select Users>New>User and select the UAC service account created in step 1. Select the Account tab. In user settings, click Password Never Expires. 3. Create SPNEGO Keytab File: On the Domain Controller, open a command line, and enter the ktpass command to create the SPNEGO keytab file. -------------------------------------------------------------- As I mention I create the DNS entry of my ic2600 device. Can you expain what the SPN actually is and how can I create the SPN user? What is the UAC service account and how it is created? Can you explain step 2 in more detail? Many Regards Arslan
... View more
02-21-2014
07:47:AM
Hi I try to configure user role firewall on MAG 2600 with MAGx600-UAC-SRX license. I am using the Windows Server 2008R2 and UAC 4.4. I want to setup SSO using SPENGO protocol. Can someone explain me the steps how to configure Active Directory? I want to know the exact steps I should perform on AD. How to setup "DNS" and "User and Computers" settings and use of "ktpass" command on AD? Regards Arslan Nawaz
... View more
02-21-2013
01:56:AM
What the meaning of following log message. Minor EML20770 2013-02-21 14:47:43 - mem1 - [127.0.0.1] Root::Mail-Proxy()[] - SMTP: Cannot get default server's Capability because server did not return OK greeting response. Minor EML20860 2013-02-21 14:47:43 - mem1 - [127.0.0.1] Root::Mail-Proxy()[] - Blocked read from server did not find delimiter. Minor EML20770 2013-02-21 14:43:26 - mem1 - [127.0.0.1] Root::Mail-Proxy()[] - IMAP: Cannot get default server's Capability because server did not return OK greeting response. Minor EML20860 2013-02-21 14:43:26 - mem1 - [127.0.0.1] Root::Mail-Proxy()[] - Blocked read from server did not find delimiter. Second can anyone explain how the email proxy in SSL VPN work?
... View more
02-21-2013
12:06:AM
I have SA-4000 and 7.0R2. I Can I use MS Outllook 2013 as emil client for my SA. Second how can I configure Outlook to access the email server via SA SSL VPN. I am using the IMAP protocol. How the email client feature works with stanadard email server? Regards Arslan Nawaz
... View more
09-23-2012
12:32:AM
Thanks Sir; Actually i am bit confuse with pulse client software behavior. With L3 enforcement we create the connection on pulse manually or download it from IC. But with 802.1x is it necessary to enable 802.1x in TCP/IP settings? Can we control the connections manually? Can we disable 802.1x in windows TCP/IP connection settings and then use 802.1x? We use pulse as a supplicant but what is windows supplicant?
... View more
09-10-2012
12:32:AM
Yes I read this topic in admin guide... Actually I read all the topics in admin guide.... I have confusion regarding provisioning the resources with dynamic ipsec routing policies. This feature is not supported on JUNOS enforcer it is only supported screen os with release 6.3. With this feature we do not need to configure the ipsec policies for each resource on ic. Any how thanks a lot for the support. best regards Arslan Nawaz
... View more
09-10-2012
12:25:AM
Dear Raveen I try to explain my query further... I have two Vlans 10 and 20. End point get the ip 192.168.10.11/24 with vlan 10 and ip 192.168.20.11/24 with vlan 20. Both vlans are also configure on IC and on IC vlan 10 ip is 192.168.10.200 and vlan 20 ip is 192.168.20.200. When client connect with vlan 10 my pulse client show a connection name "Local Area Connection" with IP 192.168.10.200 and with IC change the vlan dynamically the pulse client show the "Local Area Connection" with IP 192.168.20.200. As vlan change pulse connection is also automatically change which is understandable. Now as I moce IC on layer-3 means there is a layer three device between the IC I am not able to connect IC with pulse client? Can I configure manually a connection for 802.1x on pulse client Pulse-Client (Supplicant) ----> EX3200 (Authenticator) --------> L3 Router/Firewall -----> IC/Radius The links bw EX3200, Router and IC are layer-3. Regards Arslan Nawaz
... View more
09-09-2012
11:51:PM
Thanks kalagesan and raveen for all the help and support. I will check these solutions.... My question regarding 802.1x and layer-3......???? Regards Arslan Nawaz
... View more
09-09-2012
11:49:PM
Dear Kalagesan My query is regarding the IC. Juniper documentation saying that with screen os earlier 6.1 we need to configure the screen os ipsec policies and an ipsec routing policy for each recource that we wnat to protect however with screen os 6.1 and later IC device can dynamically provision ipsec routing policies so we dont need to configure a seperate policy for each resource. My question is how this ipsec policy works and how we can configure it?
... View more
09-09-2012
11:28:PM
Hello Can any one explain dynamic ipsec routing policies on screen os? Hows it works?
... View more
09-09-2012
11:25:PM
Thanks Kalagesan/Raveen for your support. Can you guide me how to configure reauthentication on EX switch and how I can configure the radius accounting msgs... how i can configure radius accounting messages both on authenticator and IC? One more question regarding 802.1x... I understand that suplicant and authenticator must be on layer-2 so they can exchange EAPOL msgs. Is it necessary for IC to communicate with authenticator on layer-2 for Radius communications? I think it is, bcoz pulse client need to access the IC on layer 2 for automatically adding the connection according the vlan client can access. so can we deploy IC so that authenticator communicate with IC on layer-3 and if we can then how can pulse client connect with IC? Regards Arslan Nawaz
... View more
09-08-2012
05:08:AM
Thanks kalagesan With dynamic policy evaluation I can set the time minimum 5 mints but I want to close the session immediately user disconnect from the network, Here I explain the problem I am facing. I implement 802.1x IC solution with EX3200 as an enforcer. I configure two vlans one is employee and second is guest on EX3200. Also I configure the guest vlan as guest-vlan in ex3200 dot1x configuration. I configure IC with two roles one in Full-Access role and second is Quarantine role. I create a relam and in role-mapping I create a single rule and map both roles with used identities. Full-Access role have host-checker policy to check the user end point before assign him full role if host checker policy on end point fails user assign Quarantine role and if host checker policy pass user assign both Full-Access and Quarantine role. In Radius Return Attribute policy I configure first policy with Full-Access role return the vlan employee and second policy with Quarantine role return the vlan guest. As user connect to IC with full fill the host checker policy IC assign the user correct vlan that is employee and user get the full access. During the session user lost the compliance and when host checker policy re-evaluate it disconnect the user re-authenticate and assign the user guest vlan with Quarantine role having restrict access to corporate resources. Now the problem is when user has guest vlan and at that time user disconnect from network (cable unplug or TCP/IP connection disable) and during the off line time somehow user meet the end point compliance then connect to network again IC not re-authenticate the user nor recheck the compliance instead IC create new session with same vlan and end point IP that IC assign the user previously that was the guest vlan. Although user meet the compliance but user get the limited access with guest vlan. To solve the problem I remove the connection manually on IC and ask user to re-connect to network or I instruct user to remove the session from pulse and the re-connect to network. Why IC not assign user right vlan i.e. Employee after user connect to network again with full compliance. IC create new session assign both roles but not return the Employee vlan but user get the guest vlan instead of employee vlan. Any suggestion or help regarding this issue Many Regards Arslan Nawaz
... View more
09-07-2012
02:23:AM
I am using 802.1x with EX3200 switches. I authenticate user through IC on layer 2 8021x. Once user nuplug his network cable or disable the TCP/IP connection user session remain exist on IC. How can I remove the session on IC automatically once user is disconnected on network. Regards Arslan Nawaz
... View more
05-09-2012
05:24:AM
Thanks..... Means I must have a license to use 802.1x or Layer-3 Firewall for policy enforcement with IC4000.
... View more
05-08-2012
12:34:AM
I have IC4000 with no license installed. That is "ic - (0 users )". What features and configuration options available on device without the license. The UAC option in administrator menu is also not working. What is the reason and how I can use UAC option in admin menu so I can configure the Infranet Enforcer?
... View more
03-07-2012
09:04:PM
Thansk Viji.. Now I understand this with mobile phone. But can I connect IVE from PC without installing any client software on PC.
... View more
03-05-2012
04:10:AM
Can anyone explain the active sync? Can I use it without installing the client software (junos pulse etc) on mobile clients? How I can configure Active Sync on SSL VPN device and on iphone?
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
