There are several ways to do this..... I think your rolemapping will fail as you only have one auth realm, and when you authenticate againgst AD1, you cant rolemapping users from AD2. I would do it this way: 1. Via Active Directory Auth Server When the two ADs have trust relationship you can authenticate and authorize users from both ADs. 2. via IAS Radius on both Domaincontrollers and Radiusproxy Very easy to install and configure. IAS can stable and easy authenticate Users from a domain and autorize via Group Membership configured in IAS RASPolicy. IAS can act as Radius Proxy and send Authrequests to another IAS Radius via routing with the prefix. When user has prefix from AD2, Radiusproxy will send the radius request to IAS2. ... View more

There is a port blocked between IVE internal IP and RSA Server IP. I think it was UDP5500 or something like that. Read the Documentation. Pinging RSA Server is not enough. Check Firewall between the two devices. Cheers ... View more

On IVe, enable a script that simply does the command "gpupdate" when a remote windows pc is establishing a nc tunnel. Working with cached domain credentials works - but only limited. And when domainaccount changes, but the cached credentials are equivalent to the old domain password, user will have problems. This is solved be running command "gpupdate" after nc tunnel is established. ... View more

One possibility would be to work with GINA and enforce the user to use GINA and to login with domaincredentials AFTER NC Tunnel is established. 1. Create as Userrole named "NC Users". 2. Mark the button on "Network Connect" for this role. 3. Under network Connect Opions, mark the button "Install Gina...". 4. Mark the button "Require NC to start when loggin into Windows" 5. Create a second role with all options you want, but without Network connect. 6. On User Realms, create a new Realm 7. On that Realm, on Role Mapping Rules, put first the Rule if Username is * then assign role "NC Users". DONT mark the "STOP Flag"!! 8. On that Realm, on Role Mapping Rules, create a second Rule "if Username is * then assign Role "Untrusted PCs". When user connects to IVE, Role mapping will look if this user loggs in via GINA (start tunnel before winlogon). User will be able to start the tunnel, if gina and nc is allready installed on the pc. When user starts the tunnel, and then wants to login to the domain, tunnel will break up when this pc has not a computer account in active directory. If the pc has a computer account in Active Directory and NC and GINA is installed, user will be able to start the tunnel, and then login directly over the tunnel to his domaincontroller. If the pc has no computer account in Active Directory, user can not open a nc tunnel, but he will be mapped to second role and login successfully to the webportal. Just try this out, GINA is a nice feature for managed domain desktop pcs, cause user has the same desktop and automatic mapped drives as he has when he is in the office. Message Edited by dusannovakovic on 05-03-2008 09:36 AM ... View more

Just relax.... http://www.juniperforum.com/index.php/topic,5170.0.html ... View more

Well, Party-People, some posts ago in this thread i told you exactly what to do to get the IVE as memberserver into your active directory. So simply do it and everything should be right. When u use domain\Administrator it wont work. So ask the Active Directory - Stuff to create a Domainuser with permission to create objects in a special OU in Active Directory (lets call the OU "VPN Users"), and let them give you the credentials of this special useraccount so you can do your job.. When u get this running (according to my howto..) you wont need any LDAP. Winbind will do all the job of authenticating and autorizing users for you - also users from trusted domains, if needed. Or watch this screenshot-howto, this works fine ... http://www.juniperforum.com/index.php/topic,5170.0.html Message Edited by dusannovakovic on 04-30-2008 10:10 AM ... View more

The IVE is also a router. Give each interface an IP from another subnet, for example internal IF= 10.10.10.1/24 and external IF=10.10.10.20.1/24. The IVE will create automatically the proper routing table. Then think about the transfer-networks between your FW and external interface, and between your IVE internal interface and your cisco router interface. Firewall---------Transfer-Net1------------IVE---------Transfer-Net2-----------Cisco Interface ... View more

Well, i dont know anything about your network topology. I hope i did get you right... IVE has nothing to do with the "other" traffic which passes from the inside to the outside (internet) network. Its just a "hardened gateway" which allows secure access to internal ressources from the outside. So, it needs an IP on the external interface, to be accessable from the internet. If you have no public IP for your IVE, use NAT on the firewall and give IVE a private IP. If it has a public IP, place it in the DMZ and thats it. If you can not ping it, troubleshoot if it has a link (LED). Check Duplex and Speedsettings. Sometimes negotiation does not work properly. Maybe its best idea to put a fix speed setting, according to your firewall port (100Mbit?). If it has a link, do a tracert or pathping or traceroute commands to find out why ICMP can not access IVE. You dont need to connect an notebook directly to the internal port to expect to ping the external interface. Connect internal interface to your LAN, connect external Interface to your Firewall and thats it. Even if you put your external interface to DMZ - its safe. This is a hardened machine. No unnecessary ports are opened, only TCP 443 / 80 and UDP 4500. ... View more

Is the external Interface enabled? Watch the Network Tab in your IVE configuration. But no matter - you can go on configuring and learn the basic concept of this great solution even if ext. interface is still not enabled. The most important thing on beginning is to understand the concept... 1. Sign-In Policies >>> Generate a URL for the users. Maps a Sign-In Webpage and a Realm to that URL. 2. Realms >>> Define which Authentication Server to use, Pre-Login Restrictions and how to map User-Roles to that Realm. You can also activate hostchecker to check a host pc BEFORE the user logs in to the IVE! 3. Roles >>> Defines which Ressources the users who will be mapped to that role will have (only Web? Only VPN? Only Fileaccess? Only SSH or RDP? Or everything?). Here you can also activate hostchecker, to check host pc AFTER User did log in to the IVE! 4. Resource Policies >>> Defines which userrole will be able to access which resources. Message Edited by dusannovakovic on 03-20-2008 12:54 PM ... View more

I use a special service account in AD which has the proper rights to create objects and do the queries in AD. But thats not an adminaccount in that trusted domain. Trusted domains are managed by other admins. It works with all other trusted domains till now - the problem only occures with users from this one trusted domain. By the way - the Lithium format of this forum sucks little bit. Why juniper does not use a "normal,well known" forum format like they use it on www.juniperforum.com? Its would be easier to handle for the users who want to participiate on this forum. On this lithium-forum, pages take some seconds to open, and each time i want to post something, i have to login, and then i am not on that threat-side where i want to post, but i have to click several clicks and wait some seconds to type my answer. Message Edited by dusannovakovic on 02-28-2008 10:07 PM ... View more

New information - its not only one user, its all users from one special trusted domain from our big domain forest. But with all other trusted domains it works great. So it has something with this one trusted domain - i created a workaround with rolemapping rule based on "Username", when i find out what is causing the issue, i will post here. These users are all able to authenticate - the problem is only AUTORIZATION based on winbind / kerberos, but only problem occurs with users from ONE of these trusted domains. For any reason ive can not find the groupmembership of users from this domain, but it CAN authenticate the users domainusername / domainpassword. Message Edited by dusannovakovic on 02-28-2008 09:11 PM ... View more

Well, its nice to have a management port for security reasons - management of the appliances can be totally separated from usertraffic. But (!) when the cluster sync information goes over the usertraffic-interfaces (what is the default design of juniper ive sa), then burst of traffic (like broadcaststorm) can disturb the whole cluster functionality. And exactly that happened to me. Thats the reason why i would like to have a dedicated physical connection between the two nodes. One cable, from node to node, and nothing between. ... View more

Yes, thats what i mean. A direct connection over a cable between the two nodes. node1-------------cluster-sync-informations---------node2 I had serious problems with BOTH nodes in Active/Passive Cluster occuring from "burst of traffic" on the router, and this triggered a bug in ive cluster subsystem. The whole cluster went to hell until the network problems on the router were fixed. On the same router we run Cisco VPN Concentrators, which had no problem with the hard network conditions. So i would feel better if i could connect both nodes directly, independent of user traffic ports. I hoped this could be possible with SA6000 as this seems to be the "highend" SA Solution? At the moment i run a SA2000 Cluster, but plan to upgrade. ... View more

http://www.juniper.net/techpubs/software/ive/guides/troubleshooting/NC_Install_Troubleshooting.pdf What is the output of telnet <your-ive-ip> 443 Maybe try to deinstall NC unter Start...Programms..Juniper Networks...Network Connect. Maybe you have to do the uninstall twice to see an effect. When user connects again and install NC. What about java runtime environment on that pc? Try also a policy trace on your ive with troubleshooting...policy trace to see what is the outcome. Maybe that user does not get an IP in the tunnel? Check DHCP Pool / Rolemapping for that user. ... View more

I think the best way to be: 1. Install RSA Radius Server on ACE Server 2. configure different Radius Profiles. Use Radius "Class" Attribute with a value like "Management", "Teleworkers", "Stuff" and so on 3. Assign on ACE Server the proper Radius Profile to the RSA Users on "Edit User" Tab 4. Configure your IVE system as Agent Host on Radius Server and Radius Client 5. On IVE configure on Realm Level as Auth-Server a new Radius Server - your ACE Radius Server 6. On Realm Role mapping, use Rolemap Rulez based on Attributes. If attribute is "Management", then apply Role "Managemt". 7. On Ressource Policy ... Network Connect ... Profiles configure IP Pool for "Management" Then if a user from the management logs in, the RSA Radius Server will send the class attribute with value "Management" to your IVE System, and the user will be mapped to management role, and get an IP in the tunnel which is used for Management people. ... View more