Hi Mike, as i understood you have 3 policies with one check each? I would suggest to build 2 policies instead : 1. EndUser policy (contains one rule for standard AV and one rulefor evaluating FW) 2. IT Staff Policy (contains one rule for a bigger list of AV-Vendors and one rule for evaluating FW) This will maintain two independent checks for the two user groups and each policy can be mapped to the corresponding role. Care about that radio buttons in the "Require" Section and make sure that in this Case in each Hostchecker Policy "All of the above rules" is marked. One more suggestion. If you also check for AV-Updates and if you require updates "not older than xxx" make sure your clients are able to reach an AV-update Server bevor they connect via the SA..... or do not not use this feature with too restrictive policies..... I would be nice to get an feedback if this may help ... View more

For me, all i got out of that nebulous Statement from this vendor was NOT TO OTP-only... But who will do this ever in any case ?? So at the moment best will be Username + highly secure Password (complexity) in Combination with At least secure PIN (as long as possible) and the Tokencode. Some Users won't like it..... In the worst scenario security will rely more on the complexity of passwort and Pin than on the tokencode, but i think they won't tell us what really was extracted. Sure, Client certificates will help to mitigate the risk, but this will produce more organizational overhead to maintain (for endusers and Admins) I hope they did not loose serials and seeds of distributed tokens........ i could imagine something like this....but this is just a thought. Sincerely A RSA User (sitting in front of its RSA Monitor and waiting for unusual login attemps all night long :-)...) ... View more

Will the Citrix Receiver on iPad/iPhone work with the (hopefully) upcoming Pulse Client for iOS ? ... View more

Productive since 4 weeks now: Good speed and stability with standards like http/https, wsam, SecureMeeting etc. No Problems with Citrix WebInterface (4.5). Works fine with RSA Appliance 7.1, but.... Strange Symptons with NC, 1. Sometime DNS requests for LAN ressources are not delivered to the tunnel and will be sent to the DNS Server on the physical interface - if the given DNS-Relay (e.g. a DSL-Router) is not correctly configured (like some of the actual German T-Online Routers) your name resoulution fails 2. regular Shutdown of the NC vpn-tunnel after exactly 406 bytes of Data (in some cases, not all !). deinstallation of all old NC-Versions and re-installation of the NC-client helps in most cases but sometimes only for a while.. Lost definitely the stability of my 6.3R3 NC version.......thinking about starting a roolback to this version. I will open a Case next week and see what juniper is saying to this. ... View more

Hi, I have the same issue with citrix listed applications (Metaframe 4.0) and was working on that with Juniper's support for over 3 weeks now. After hours of phone calls, collecting all possible dumps, logs and screenshots, uploading megs of information to Juniper (that guy at juniper really worked hard to get into it) they finally told me that there is probably an issue with Citrix if you use mandatory 128bit encryption on citrix side. They asked me to uncheck the "mandatory" checkbox on citrix serverside, because there are no options to change any settings on IVE side.. However I could not test that advisory yet due to other projects but i will soon check it out...., maybe you try and give a feedback, too. Since I opened this Case this behaviour should be a known issue and i believe to remember that they told me that it will "maybe" fixed with 6.3R5 and 6.5R1..., no word about 6.4Rxxx maybe this Information is helpful ... View more

Hi Hazeen user@ mubadala.ae wont work because you have to use the userPrincipleName-attribute. To make sure to use the right credential, my advisory (e.g like a regular expression) is to use the string like i wrote it : <userAttr@yourdomainldapserver.userPrincipalName> this means the IVE searches your ldap-directory (e.g ActiveDirectory) for an User-Attribute called "userPrincipalName" which is matching the user who has authenticated to the IVE. Then the IVE paste that userPrincipalName to the Username field and everything works fine. Thats it. If you read this carefully you will find out that the string <userAttr@ yourdomainldapserver .userPrincipalName> is not the same as user@ mubadala.ae Then BasicAuth should work perfectly - i have no idea how remote sso can work with OWA 2007. The only tricky thing with basicAuth ist to use the correct authentication-Server Name in the string above.... hope this will help better.... Message Edited by fuman on 10-25-2008 09:53 AM Message Edited by fuman on 10-25-2008 09:54 AM ... View more

Hi hazeen, i run OWA2007 with IVE OS 6.2 with no problems since version 6.0. perhaps those parameters will help you: (excuse me if it is too detailed ) 1. create a new resource profile (web) with type "Microsoft OWA 2007" 2. in this new web application ressource profile you choose a new name (e.g. OWA2007) 3. Insert your base URL (e.g. http://yourOWAserver.yourdomain.com/owa) 4. goto "QWA Settings" 5. Choose "managed Device" an make a decision if want to allow attachment upload/download or not 6. Choose "Autopolicy: Web Access Control" (Check the Box) 7. Enter the URL and port of your OWA-Server into the ressource field , choose "Action = Allow" and click "Add" => looks like "http://yourOWAserver.yourdomain.com:80/* allow 8. Activate Autopolicy: Caching and specifiy the following 3 rules (if not default): a.) http://yourOWAserver.yourdomain.com:80/owa/attachment.ashx?attach=1* => "Unchanged" b.) http://yourOWAserver.yourdomain.com:80/owa/WebReadyView.aspx?t=att&* => "No-Cache" c.) http://yourOWAserver.yourdomain.com:80/* => "Unchanged" 9. Activate Autopolicy: Web Compression (if not default) with the following rule: a.) http://yourOWAserver.yourdomain.com:80/* => Compress 10. Activate Autopolicy: Single Sign On a.) Choose Basic Auth b.) Insert your Ressource: "http://yourOWAserver.yourdomain.com:80/owa/*" c.) Choose " User predefined Credentials...." c 1.) For Username try this parameter: <userAttr@your_Authentication_server.userPrincipalName> c 2.) Choose Variable Password and try this parameter: <password> Hint: c1 and c2 depends on your authentication scheme: for "your_Authentication_server" substitute with the name of the authentication server you created for activeDirectory Authentication, the variable password can also be defined with <password[1]> if you have more than one User/pass kombination (e.g when using additional One time token for authentication purposes or any other secondary authentication mechanism) Hope this will help ... View more

I believe you won't fix this issue with Norton 360. I just had a Client inhouse today with Norton 360 v2.x. Was my first time to see the Client Side of the effect with Norton 360. I could see how hostchecker always tried to download but couldn't be installed, IMHO blocked by Norton 360. The Download of the hostchecker and the AV-detection files kept on an on to download, always again. I stopped it after about 30 minutes. Probably some of those tampering protection features of Norton 360 (and even other Internet-Security-Suites) discard the the installation of hostchecker an the ESAP dll's (I have newest ESAP 1.3.7 installed - which knows even Norton360 v2.x) So - this looks like a dilemma: no hostchecker installed, no detection of norton 360......., but with Norton 360 running, installation of hostchecker fails...... I have not tried to install hostchecker on the target system manually yet - perhaps this will help ....., or the user (or his admin) has to make an checking exception in Norton 360 for the installation directory of Hostchecker (as described in the IVE manual for client-side changes...) perhaps this can help in some way... Message Edited by fuman on 05-21-2008 12:52 PM ... View more