I think I had this once, when i checked "Connection Requests" in the eventlog settings under Log/Monitoring->Events->Settings. So unchecking this should help to avoid this message. But for sure this does not help if you want to further investigate if this may be a real user problem or if this results just from any bots etc. accessing the page on 443, e.g. without the usage of ssl. ... View more

Yes and no. For this function look at SSO FORM Post in the Role. The No is for "he SSL gateway parse this page somehow". ;) You will have to define for what page this rule shall be applied (the URL displaying the loginform), to which URL to post (form's action), and which fields + values to post. The username and password may be taken from the internal vars. I've done this for the login forms of our Novell iChain, which worked fine. Therefore I also posted the hidden fields, happily the values were static ;) ... View more

So if I got you right, you did a policy trace on a user facing that problem. What checkboxes did you check? Does any other logs (error / user / admin) show an errormessage (what options did you check for those logs). Is maybe a systemsnapshot created? ... View more

I guess he meant "browser request follow through" in the role's session options?! ... View more

No i'd neither do timing nor check the size difference between an uncompressed and a gzip compressed traffic. I only saw it in the headers to be published and was affected by the IE bug in conjunction with gzip and no-cache headers (pragma...) ... View more

Maybe you could check what kind of data is passing when starting tcpdump directly filtered on the locations ip? ... View more

Hmm this explanation would make sense... ... View more

Hopefully, but if J-Tac does not now about this problem they will not analyze and probably fix it.... Is anything noted in the error log or maybe a system snapshot generated during that spike? You may find the snapsot thing under "maintainane -> Troubleshooting -> System Snapshot". Although we did not have this specific problem, we had some spikes in the past, and most times a systemsnapshot or at leas a critical error in the errorlog was reported. ... View more

But normally rollback should run as (afair) the old system is moved to a spare partition for roleback purposes... Anyway did you configure anything special with this AD realm? We got on, with just AD user/password auth for accessing a sharepoint portal through the IVE. We did not have any problems or such log messages after upgrading to 6.2R1. ... View more

I'd guess 6.2R1 (build 13255) ;) ... View more

Hi Christopher, thank you very much for your answer and help. Ok then it looks like it's more the problem of the treatment of a usb hdd instead of the filesystem (as my tests were with ntfs usb hdd and fat32 usb stick). I'd guess that the right treatment would be that all USB devices are the same, no matter if it is a digital camera or and usb stick or a usb harddriver, especially windows itself displays it as transportable media (or sth. similar, just tried to transalte it ;) ). But you are right with the risk of exporting data from the client pc via that way, but in this case it's wanted. We do not enabele or use desktop persistency, due there is no need for usto have this persistence. ... View more

But if this is an attack, you should check, why there also exist private IPs in your list. So this is either from your internal network or the callerID (or similar) from the RADIUS Packet is displayed there... ... View more

Just to crosslink threads here, I guess this leads to the same direction than the last posts of http://forums.juniper.net/jnet/board/message?board.id=SSL_VPN&thread.id=990 ... View more

I think unfortunately not. I just saw this button for HostChecker. But that's what I'd need to think a bout deploying NC as solution vs. our current IPSec solution. But how about an RFE? I mean eventhough there may be changes on the NC client in a newer IVE OS (that may be just upgraded because you need a fix in your webrewriter while NC is working fine for you), why shall I change the NC client if it is running fine for me? I do not need to ugprade my IPSec VPN Client when upgrading the OS of my central IPSec inftrastructure... Message Edited by ben on 07-03-2008 08:40 AM ... View more

Yes but it would help to use the SSL VPN without auto upgrading and instead sth. similar to a button on the startpage to manually start the upgrade process in case a newer version exists... ... View more

Sry I can't help you with the autorulestuff, because I rarely use the, instead I prefer defining the rules my own, so that I always know what's happening (and in case I am doing sth. wrong I am cheating from examle autorules, e.g. with this citrix stuff ;) ). But I guess that they are alway on top to always keep them working, so that they might not be influenced by manual rules. ... View more

Deny rules always appread before the allow rules. So if you e.g. allow myhost.com:80,443/abc/* and want to exclude myhost.com:80,443/abc/noaccesshere/* then this rule needs to appear before: 1.) Deny: myhost.com:80,443/abc/noaccesshere/* 2.) Allow: myhost.com:80,443/abc/* But if you exclude everything for a ressource and want to allow something included in the deny ressource, the allow rule will be in the first position: 1.) Allow: myhost.com:80,443/tobeallowed/* 2.) Deny: myhost.com:80,443/* If something is neither allowed nor denied will be denied by default - similar to the "cleanup" rule you describe. ... View more

yes it is. You got several possibilities to solve it, e.g. by a post request or by adding data to the http header. More can be found in the Admindocs or in the onlinehelp of the IVE or here: http://kb.pulsesecure.net/kb/documents/public/IVE/SA-SM-Admin-Help/wwhelp/wwhimpl/common/html/wwhelp.htm?context=SA_Admin_Help&file=chapWebRewriting-05.html EDIT: Sry, link corrected. Just took the link to this onelinehelp from the WSAM thread and forgot about the frames ;) Message Edited by ben on 06-27-2008 01:58 PM ... View more

I'd wonder if this coud be a solution, because as you said, only XLS docs are affected from downloading out of OWA, but not any other documents. Could you try do deactive (in case it is) the compression for OWA ressources? Afair MSIE (also v7) has the Bug not displaying or fetching content right when using an ssl-connection with compression. But I think there was also something about caching in that contect, but that might be deactivated (or I'd wonder if OWA sends attachments with cache headers). Thus I am not sure if this will help here. You could also find that out, if the error also occurs when using a browser != MSIE, e.g. Firefox 2. ... View more

You coukd also try a policy trace to see which users gets which role and why. ... View more

does not look like an SSL-VPN issue, so it might be the wrong categroy?! ... View more

So if I see this right, the userobjects for the app are held in an oracle DB, and the authentication is done with Vascos Tokensolution? I would authenticate the Vasco stuff via RADIUS (as proxy for the vasco server, if this does not support radius directly). After a successfull authentication on the SA either do a SSO form POST to post the username to the app or feed it inside the header. But you should make sure then, that the app-server is only reacting on that username for requests coming from the SAs internal IP (in case you really use both NICs). ... View more

Have you got a lab unit or one spare? In this case I'd roll back, and reproduce and fix those issues on a labunit with the JTAC Support, especially because of the GINA problem. But this may also depend of the number of users and their "importance". Then you could also verify that the automatic update of NC from 6.0R5 to 6.2R1 is working fine. ... View more

Regarding pont 2.) if it is present in the browser store, than it's a clientcert and not a machine cert. For those you not need HC. HC is needed if you want to check certs beeing in other stores of your client PC, e.g. when checking Certs stored on a smartcard etc. But this is not a machinecertificiate anymore, because for my understanding a machine cert identifies the machine, which can not be done by just inserting a smart card (by the user).... ... View more

@Ray: It looks like I missed the information both sign in policies are based on different auth realms? If not than it's just, as you mentioned, security by obscurity and not an option for my situation anymore. That's what I was asking about. And I am pretty sure, for my environment, ppl would rapidly learn about how to avoid such host checks if the can, even if they'd pass them. ... View more

@Ray: Thx for the info, but the question was more about, if you accept windows users to sign in with the MAC realm just in case it does not work with the windows one, e.g. because missing AV. Also jahmals solution which is good but not a relibale solution, but for sure it depends on the needs... ... View more

@Ray: How do you prevent Windowsusers to not access the /mac URL? ... View more