Hi Mike, as i understood you have 3 policies with one check each? I would suggest to build 2 policies instead : 1. EndUser policy (contains one rule for standard AV and one rulefor evaluating FW) 2. IT Staff Policy (contains one rule for a bigger list of AV-Vendors and one rule for evaluating FW) This will maintain two independent checks for the two user groups and each policy can be mapped to the corresponding role. Care about that radio buttons in the "Require" Section and make sure that in this Case in each Hostchecker Policy "All of the above rules" is marked. One more suggestion. If you also check for AV-Updates and if you require updates "not older than xxx" make sure your clients are able to reach an AV-update Server bevor they connect via the SA..... or do not not use this feature with too restrictive policies..... I would be nice to get an feedback if this may help ... View more

For me, all i got out of that nebulous Statement from this vendor was NOT TO OTP-only... But who will do this ever in any case ?? So at the moment best will be Username + highly secure Password (complexity) in Combination with At least secure PIN (as long as possible) and the Tokencode. Some Users won't like it..... In the worst scenario security will rely more on the complexity of passwort and Pin than on the tokencode, but i think they won't tell us what really was extracted. Sure, Client certificates will help to mitigate the risk, but this will produce more organizational overhead to maintain (for endusers and Admins) I hope they did not loose serials and seeds of distributed tokens........ i could imagine something like this....but this is just a thought. Sincerely A RSA User (sitting in front of its RSA Monitor and waiting for unusual login attemps all night long :-)...) ... View more

Does anyone know about the IVE SA roadmap for IE 9 Support? I understand that it is not supported yet but after Microsoft launched IE 9 officially more and more Users aks for using the "actual" Microsoft Browser with Juniper SA. Any Ideas? or at least Rumors when (or in which release) it will be supported ? ;-) ... View more

Will the Citrix Receiver on iPad/iPhone work with the (hopefully) upcoming Pulse Client for iOS ? ... View more

Hi, I am not sure if I really understood your problem but let me try... There is more than one option to build a variable for the UPN. Normally your different LDAP server have a name (In this case I use AuthServername as an example ->"under Auth.Server on the Authentication area.....) If you have more than one Authentication Server it might be a good idea to build your variable for the UPN like this if there is more than LDAP Authentication Server: <[email protected]thServername.userPrincipalName> instead of <userAttr.userPrincipleName> (works for me ...) But be aware that beginning with 6.5 the actual IVE OS versions have a strange bug with the variable for the UPN !!. Web SSO (with Basic Authentication) did stop working in my Environment after upgrading from 6.4R5.1 to 6.5. <[email protected]> (or the version which you did use: userAttr.userPrincipalName) does not transmit the domain-part of the UPN. I was getting crazy on this problem since a couple month now and worked together with the Juniper support since this time - till Juniper was able approve this strange behaviour. The Juniper Support found the problem finally and told me that they are working on a fix.....(Still waiting) The Problem is newly listed in known/unfixed Limitations of IVE OS 6.5R6 and the Release Notes give a hint that it may be a problem on previous Releases too. I have had the issue with all 6.5 (R1-R6)and the new 7.0R Firmware Releases. Link to the release Note "Known Issues/Limitations in 6.5R6 Release The following list enumerates known issues in this release. Some of these issues may exist in previous releases as well: 1. Web-sso - SSO polices working in 6.0 do not work after upgrade to 6.5 (479100)" In my Case the problem did NOT show up on IVE OS 6.4 (R1 -R5.1) and earlier versions of the firmware ......(I did not test 6.4R6-R8) Perhaps you have the same problem.....(depending on your IVE OS Version...) This may not be a solution, but i hope it can give you a useful information.. ... View more

Hi kenlars, thank you - that's it ! As in most situations the simple solutions are the best solutions. Thank you very much (shame on me not to see the wood for the trees .....) ... View more

Productive since 4 weeks now: Good speed and stability with standards like http/https, wsam, SecureMeeting etc. No Problems with Citrix WebInterface (4.5). Works fine with RSA Appliance 7.1, but.... Strange Symptons with NC, 1. Sometime DNS requests for LAN ressources are not delivered to the tunnel and will be sent to the DNS Server on the physical interface - if the given DNS-Relay (e.g. a DSL-Router) is not correctly configured (like some of the actual German T-Online Routers) your name resoulution fails 2. regular Shutdown of the NC vpn-tunnel after exactly 406 bytes of Data (in some cases, not all !). deinstallation of all old NC-Versions and re-installation of the NC-client helps in most cases but sometimes only for a while.. Lost definitely the stability of my 6.3R3 NC version.......thinking about starting a roolback to this version. I will open a Case next week and see what juniper is saying to this. ... View more

Hi, I have the same issue with citrix listed applications (Metaframe 4.0) and was working on that with Juniper's support for over 3 weeks now. After hours of phone calls, collecting all possible dumps, logs and screenshots, uploading megs of information to Juniper (that guy at juniper really worked hard to get into it) they finally told me that there is probably an issue with Citrix if you use mandatory 128bit encryption on citrix side. They asked me to uncheck the "mandatory" checkbox on citrix serverside, because there are no options to change any settings on IVE side.. However I could not test that advisory yet due to other projects but i will soon check it out...., maybe you try and give a feedback, too. Since I opened this Case this behaviour should be a known issue and i believe to remember that they told me that it will "maybe" fixed with 6.3R5 and 6.5R1..., no word about 6.4Rxxx maybe this Information is helpful ... View more

Hi Hazeen [email protected] mubadala.ae wont work because you have to use the userPrincipleName-attribute. To make sure to use the right credential, my advisory (e.g like a regular expression) is to use the string like i wrote it : <[email protected]> this means the IVE searches your ldap-directory (e.g ActiveDirectory) for an User-Attribute called "userPrincipalName" which is matching the user who has authenticated to the IVE. Then the IVE paste that userPrincipalName to the Username field and everything works fine. Thats it. If you read this carefully you will find out that the string <[email protected] yourdomainldapserver .userPrincipalName> is not the same as [email protected] mubadala.ae Then BasicAuth should work perfectly - i have no idea how remote sso can work with OWA 2007. The only tricky thing with basicAuth ist to use the correct authentication-Server Name in the string above.... hope this will help better.... Message Edited by fuman on 10-25-2008 09:53 AM Message Edited by fuman on 10-25-2008 09:54 AM ... View more

Hi hazeen, i run OWA2007 with IVE OS 6.2 with no problems since version 6.0. perhaps those parameters will help you: (excuse me if it is too detailed ) 1. create a new resource profile (web) with type "Microsoft OWA 2007" 2. in this new web application ressource profile you choose a new name (e.g. OWA2007) 3. Insert your base URL (e.g. http://yourOWAserver.yourdomain.com/owa) 4. goto "QWA Settings" 5. Choose "managed Device" an make a decision if want to allow attachment upload/download or not 6. Choose "Autopolicy: Web Access Control" (Check the Box) 7. Enter the URL and port of your OWA-Server into the ressource field , choose "Action = Allow" and click "Add" => looks like "http://yourOWAserver.yourdomain.com:80/* allow 8. Activate Autopolicy: Caching and specifiy the following 3 rules (if not default): a.) http://yourOWAserver.yourdomain.com:80/owa/attachment.ashx?attach=1* => "Unchanged" b.) http://yourOWAserver.yourdomain.com:80/owa/WebReadyView.aspx?t=att&* => "No-Cache" c.) http://yourOWAserver.yourdomain.com:80/* => "Unchanged" 9. Activate Autopolicy: Web Compression (if not default) with the following rule: a.) http://yourOWAserver.yourdomain.com:80/* => Compress 10. Activate Autopolicy: Single Sign On a.) Choose Basic Auth b.) Insert your Ressource: "http://yourOWAserver.yourdomain.com:80/owa/*" c.) Choose " User predefined Credentials...." c 1.) For Username try this parameter: <[email protected]_Authentication_server.userPrincipalName> c 2.) Choose Variable Password and try this parameter: <password> Hint: c1 and c2 depends on your authentication scheme: for "your_Authentication_server" substitute with the name of the authentication server you created for activeDirectory Authentication, the variable password can also be defined with <password[1]> if you have more than one User/pass kombination (e.g when using additional One time token for authentication purposes or any other secondary authentication mechanism) Hope this will help ... View more

I believe you won't fix this issue with Norton 360. I just had a Client inhouse today with Norton 360 v2.x. Was my first time to see the Client Side of the effect with Norton 360. I could see how hostchecker always tried to download but couldn't be installed, IMHO blocked by Norton 360. The Download of the hostchecker and the AV-detection files kept on an on to download, always again. I stopped it after about 30 minutes. Probably some of those tampering protection features of Norton 360 (and even other Internet-Security-Suites) discard the the installation of hostchecker an the ESAP dll's (I have newest ESAP 1.3.7 installed - which knows even Norton360 v2.x) So - this looks like a dilemma: no hostchecker installed, no detection of norton 360......., but with Norton 360 running, installation of hostchecker fails...... I have not tried to install hostchecker on the target system manually yet - perhaps this will help ....., or the user (or his admin) has to make an checking exception in Norton 360 for the installation directory of Hostchecker (as described in the IVE manual for client-side changes...) perhaps this can help in some way... Message Edited by fuman on 05-21-2008 12:52 PM ... View more