- Pulse Secure Community
- :
- About -red-_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
-red-_
Frequent Contributor
97
Posts
0
Kudos
8
Solutions
12-01-2014
07:53:AM
If everything else appears to work ok, try deleting and rebuilding your role mapping rules/create a new sign-in policy and new realm and test it there. I have seen similar behavior before, for whatever reason (with no changes on our end) we were either unable to extract AD group memberships, or better yet, we were extracting them, and they werent matching to our existing rules. Delete/rebuild of the role mapping rules resolved it every time. If you have tried everything else with no luck, give it a go.
... View more
10-17-2014
10:44:PM
Based on the description, this sounds dns related. Verify that your dns suffixes are the same on both appliances. I would also look at creating an IP based citrix entry instead of hostname to see if this will resolve the issue.
... View more
10-17-2014
07:33:AM
Hosts entries is a good one to look at. If I remember correctly, when entering the static hosts menu, it defaults to just that cluster member, and you have to use the pull down to select the entire cluster. Otherwise you end up adding a hosts entry just to the one member. Which is generally a non-event until you fail over.
... View more
10-16-2014
05:37:AM
I am doing something slightly different with my GTM for my QA SA clusters (I have a primary and a backup scenario rather than active/active) But for what you are trying to do, I think you are on the right track. The one thing you will want to keep an eye on if going active/active is persistence. If your customer uses network connect, make sure you dont end up in a scenario where the initial client connection is load balanced to datacenter 1, and when the NC client comes up, it attemps to connect to datacenter 2 VIP
... View more
10-15-2014
07:58:AM
This may help. http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
... View more
10-15-2014
07:55:AM
Do the users actually utilize the sign out option, or just terminate their browser/client VPN session?
... View more
10-15-2014
07:50:AM
Check your routes on the SRX, it sounds like your are pointing your NC pool to the physical interface of the 01 appliance rather than the VIP.
... View more
09-09-2014
07:53:AM
From what we have seen, it is a dynamically generated number when the sign-in policy is created. We also had a fair deal of trouble migrating between appliances.. etc. Dealing with users bookmarking the whole URL, including url_xxx can be a nightmare. Thankfully, Exporting/Importing user.cfg preserves the policy numbering, so as long as you can import user.cfg to a new appliance, you can keep the numbers the same.
... View more
09-05-2014
08:30:AM
Are you allowing split tunneling? When running speed test while NC session is established, is all your traffic traversing the VPN tunnel, then going back out via your company's internet pipe, or are you going direct to the resource?
... View more
09-02-2014
08:34:AM
Assuming you are using Network Connect or Pulse,I would be curious whether you're using ESP or SSL as your transport, and if you are seeing performance difference between the two.
... View more
08-24-2014
09:28:PM
Yup, took some digging though my email, but I found it.. I suppose my fault for having overlooked it, but one would think deserves more attention than being included as a line item in an otherwise inconspicuous notification This was actually the body of the email. The following new or updated Technical Support Bulletin (TSB) content has been posted. TSB16490 Planned Outage: Application Maintenance & Downtime - Aug 2 TSB16487 Junos Pulse Divestiture Customer Update
... View more
08-23-2014
08:07:PM
This is normal behavior. I do not believe default options are intended as a template for new roles, but rather they are invoked if you dont specify session options in your newly created roles.
... View more
08-23-2014
08:02:PM
Still nothing formal from Juniper or from the newco that purchased Pulse. Apparently even our VAR is not getting their emails and calls returned. With both previous ownership changes; from Neoteris to Netscreen, and then to Juniper, communication has been great, sales org was proactively engaging us to keep up in the loop. Juniper has dropped the ball on this one. I have been a proponent of the IVE for almost a decade. I know it well enough to address the majority of the use cases we get thrown at us. However, the lack of communication, along with a clear direction is making it downright impossible to consider moving forward with this product.
... View more
08-23-2014
07:47:PM
If you havent already, try setting it up as a passthrough proxy. I had to do this to a couple of apps to keep them from getting mangled.
... View more
08-11-2014
05:43:AM
This is useful if you dont want to enable the Juniper GINA client. While you can have NC/Pulse execute log-in scripts upon establishment of a tunnel, If thier password is set to expire, they generally wont get prompted. This is not a feature I want on all the time, but once in a while it does come in handy.
... View more
07-29-2014
07:05:AM
Thanks for chiming in. Took a bit, but finally realized that my problem wasnt the policy, but rather the test machine I was using. I completely overlooked the fact that it had 2 AV products loaded (and apparently active.) So, the rule as written was actually correct. Now I have to figure our why there is almost a 1 minute delay between the time the user enters the credentials and when the role mapping actually takes place. Policy trace shows the gap, but nothing in terms of an explanation as to why.
... View more
07-24-2014
02:05:PM
For the life of me, I cant seem to figure this out. I am trying to create a sign-in policy consisting of 2 realms. The first realm will be slated for Windows machines, and enforce presence of AV and Firewall components. The second realm is intended as a fallback for everyone else, so if they dont have AV/Firewall software installed or a non-windows platform.. etc, I want them to end up at this realm. Where I am running into a problem is essentially, users with AV/Firewall software still inadvertanly get an option for the fallback realm. Without any restrictions in place, they technically get both. I need to figure out a way to negate the AV/Firewall HC policy at the realm level. I can use custom expressions to achieve this at the role level, but I'm at a loss as to how to do this if I intend to do realm level enforcement. I tried creating another HC policy consisting of All supported AV and firewall products, then under custom rules I attempted to find syntax that would essentially allow only if AV/Firewall checks failed. So far I'm not having much luck. Curious of someone is doing something along these lines, and if so, how.
... View more
07-24-2014
07:49:AM
What continues to bother me about this is that Juniper is yet to officially communicate this to their customer base, well soon to be former customer base. Seems our VAR is finding this out the same time as we are. They are now scrambling to get in touch with juniper to understand what this transition will look like. You'd hope these things would be worked out sooner rather than later.
... View more
07-23-2014
08:30:PM
To attest to what Kita has mentioned, XML, while more flexible, is very, very particular in terms of dependencies, so it can quickly become a headache. Binary is much cleaner, but offers no flexibility. Having done config migrations using both methods, i prefer binary, whenever I can get away with it. If you can run the appliances in parallel,look into using Push Configuration option to selectively push configuration components to the new device. I assume the devices have to be on the same code though.
... View more
05-07-2014
03:32:PM
You're probably right. I suspect however the silence on this matter is costing them money. I am sure we are not an only customer reluctant to invest any more capital into refreshing this solution without a comfort level as to what the future holds.
... View more
05-07-2014
09:18:AM
Thanks for chiming in. Hopefully you are right and this is in reference to the Mobile Security Suite only, but knowing this information is out there, lack of clarification directly from Juniper has been dissapointing.
... View more
05-07-2014
08:11:AM
Good morning all, We ran into an interesting article a while back. Now a bit curious whether Juniper offered any additional information regarding the future of the Pulse product line. http://www.reuters.com/article/2014/04/14/us-junipernetworks-sale-idUSBREA3D1TS20140414 We have a sizable deployment of Juniper SA appliances, so this, coupled with lack of info from Juniper a bit unnerving. Would be good to hear directly from Juniper on this topic.
... View more
08-07-2013
01:22:PM
Do you see any corresponding messages in the event log or the user access log?
... View more
07-17-2013
05:11:AM
No solution yet. May be getting closer though. Looking at this with our SE, he pointed out something interesting during our testing. When using desktop version of Pulse (be it Windows or MAC) with adaptive auth configured in the realm, the user access log shows the "agent" field was blank ... "agent = " However, once you you remove the adaptive auth component from the realm and just go with AD, the agent field is populated. This would suggest that with adaptive auth configured, IVE is unable to determine user agent. Therefore, it doesnt know which defender file to invoke, essentially intead of using the customized defender files uploaded as part of the template, it is presenting a generic passcode prompt. At least that's what it looks like So far, I have observed this on all versions of IVE code ranging from 7.1Rx all all the way up to 7.4R3 Again, the part which completely throws me off here is that mobile versions of Pulse work just fine.
... View more
06-20-2013
09:56:AM
Yes, as long as the devices are clustered you should be able to absorb all 700 users on one box (or across 2 boxes.) shouldnt really matter. I believe this would become an issue if you lose one of the appliances for an extended period of time. I think there is a grace period which allows you to utilize licenses from both appliances even with one of them down, but I dont recall for how long. I am a bit curious about your cluster set up though. Is there a particular reason you chose to do active/active without a load balancer?
... View more
06-20-2013
07:56:AM
Whether the licenses are shared will depend upon which licenses you actually have. Say if each of your boxes has actual user licenses (add 250 simultaneous users) vs. one box with user license and the other one with a matching cluster user licenses, then they would add up in either clustering mode. If I am not mistaken, this was introduced with 7.x code. If one is a regular user license and the other a cluster license then you just get 350 users regardless of the mode you run (my account team is used to getting an earfull from us on this one) As far as license usage, to the best of my knowledge, each authenticated user session will consume a license.
... View more
06-13-2013
04:57:AM
The only downside I am aware of based on our testing is NC (and Pulse's) inability to invoke a custom defender.thtml. While a non issue in most use cases, it impacts our ability to utilize RSA Adaptive Auth solution. This particular problem was a show stopper for us, but absent adaptive auth problems, it seemed to work ok.
... View more
06-07-2013
07:56:AM
The process I had described is essentially how we are doign it. We have a handful of URLs which authenticate based on the source IPs, simlar to what you're doing. From the internal network, and for users without split tunneling enabled, its a non-issue. For my user base with split tunneling what I had suggested is what worked for us. Essentialy the goal is to force the traffic destined to these sites to be treated just like your internal ranges rather than internet traffic.. Once it comes across the tunnel and hits your perimeter, you want it to follow your default path out to the internet and be subject to the same NAT policy as what is utilized by your internal users. Without having a better understanding of your network layout, its hard to offer step-by step instructions beyond the changes you need to make on the IVE.
... View more
06-06-2013
06:22:AM
Are you sure? I would think if they were to add the IP of the web site to the split tunneling networks list, make corresponding changes to NC Access list (if necessary,) then route that IP to say their internal network, it would take the default path out, similar to that of an internal user.
... View more
06-06-2013
05:59:AM
This cluster is running 7.1R10. I have rebooted the box this morning and re-enabled it, still seeing the same problem. Looks like its time for a ticket.
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
