Abbas -   JSAM does not work with iOS devices - they do not support Java. WSAM does not work with iOS devices - they are not Windows devices.   Ken ... View more

I can't believe that this thread has been going on for a week, and no one from Juniper has bothered to say "I'll go hold the responsible person hostage till they release this document."  No one from Juniper has bothered to say "I'm very sorry - I'll find out what is holding this up."   I'm one of Juniper's biggest fans, but I find this unacceptable.  If the document isn't ready, the release isn't ready.  Period.   Ken ... View more

I know this is tedious, but this is precisely the type of issue which should be reported to JTAC.  You have an instance where what the product does is different than what the documentation says it should do.  JTAC should be able to get this set up in the lab quickly and confirm the issue (or determine why it is not working for you).   Ken ... View more

Thanks for this - it looks really useful!   Ken ... View more

The software has been on the web site for some time now.  I'm assuming someone in Juniper must know what the 7.3 release does.  What is the delay with getting out the "What's New" document?   Ken ... View more

You can do this with LDAP, assuming your LDAP server is used for authentication or authorization.  Let's say your LDAP had an attribute called "VLAN" in the directory entry which authenticated or authorized the user.  Then you could have role-mapping rules, like -   If userAttr.VLAN = "1" then assign to "Role1" If userAttr.VLAN = "2" then assign to "Role2"   and Role1 and Role2 should specify different VLANs.   Remember that, to use any LDAP attribute, you need to add it to the server catalog for the authentication server.   Ken ... View more

Can you do 2 authentications - one to AD and another to the VIP?  If so, you could do the following -   Set up primary authentication to AD and secondary authentication to the VIP service. Create a custom sign-in page which prompts for three fields (ID, AD password, token).  The AD password should be put into the "password" field, and the concatenation of the AD password and the token could be put into the "password2" field. When you want to do SSO, you use the "password" field. A caveat - I've never done this.   Ken ... View more

The realm does not change.  If the custom sign-in page assigned to a particular sign-in policy does not load correctly, the user gets redirected to the page for the default policy.  I think the only way you might be able to see this is to do a httpwatch in the browser to see what is fetched.   Ken ... View more

We do something like this.  Just like you, we wanted to have a single URL for a global service, and relieve the end user of the need to know the details of our solution, in particular, the URLs of the different SAs.   I'm not entirely happy with our solution, but it does work.   You don't want to do round-robin DNS.  You need to ensure that the resolution of the DNS name of the SA does not change during a user's session.  Some global load-balancers (like F5's GTMs) allow you to do something called Geo-IP, which resolves a name based on the deduced location of the DNS server which queries the GTM to resolve a name.  Something like this could work, but it of course costs money unless your enterprise already runs GTMs (or something like them).   We do something a little different.  We run an external web site which takes information about the end-user from an internal directory and then redirects the user to the URL of the "optimal" SA globally (we have SAs in 9 locations - 2 in the Americas, 2 in Europe, and 5 in ASPAC).  We make decisions based on the location of the user's mail server, which is in the directory.  We assume that the user should connect to the SA "closest" (in network terms) to the user's mailbox.  Alternatively, the user can override this logic and specify the destination to which they want to be redirected.  We actually use SA's for this function, but you don't need to, and I would like to get rid of them in that function.   If I had it to do again, I would do something like this - Build an internal web site with all the logic. Use the "authorization only" capability of the SA to give user direct access to the internal web site without authentication. I could see expanding the logic of this to monitor the loads on our SAs and do some rudimentary load-balancing among destinations, and also implement failover on server outage.   Ken ... View more

There are no errors in the Juniper templates.  I suggested this because I did not know that your change was a very simple one not affecting any of the preprocessor codes.   Here is another thought.  I know that - if there are syntax errors in a custom login page - the Juniper will redirect to the default page (that is, the one matching the "/*" policy).  I don't know if that would occur if the URL in the img link was not found, but I would guess that it would happen if you had mismatched quotation marks.   Otherwise, I am out of ideas, and I guess you'll need to go to JTAC.   Ken ... View more

Here is a guess - there is a syntax error in the preprocessor statements in your LoginPage.thtml page.  The custom sign-in page mechanism is working correctly, as you see when you load a trivial sign-in page.   I'm not sure how complete the checking is when you load a new set of pages - I know it checks for certain variables, but I am not sure if it checks syntax.  I think the manual on custom sign-in pages has some information about testing pages outside of the SA.   Ken ... View more

The fix is really hard for an enterprise which uses a software distribution method which clones images, particularly if the enterprise has thousands of PCs.   Ken ... View more

Any chance it is associated with the IP address assigned to the user?  You might keep a record of what IP addresses are assigned when the problem occurs.  If these are only a small portion of your address space, you might look to see if router ACLs / firewall rules are treating that range differently, or whether there might be some routability issues.   Ken ... View more

I guess the question is how disciplined is your software management process.  We check for specific versions of specific products known to be deployed in our enterprise (Fortune 25).  We have a very disciplined software distribution process.   We do not try to vet PCs not managed by our enterprise.  If we determine they are not managed by us, whether 3rd party or user personal machine, they get restricted access.   With this, we have done OK.  I might have been caught by Sophos 10, but we were on our way of replacing that product and decided not to upgrade to that version.   Ken ... View more

It sounds like you are taking the correct steps.   Just to make sure, can you attach screen shots of the following pages - Page showing the custom sign-in file (date loaded and size) Sign-in policies page showing assignment of the sign-in page with the custom pages to the specific realm. I know this is trivial, but have you checked in the user log to make sure the user is getting assigned to the correct realm?   Ken ... View more

I think I remember seeing them when we ran a lot of active/passive clusters.  We ultimately decided that the complexity added by A/P clusters wasn't justified by the small amount of improved reliability and moved to A/A clusters or standalone SAs fronted by a load-balancer (which has its own set of problems).   Don't think I ever figured out why they were happening.   Ken ... View more

I can't imagine that you can do a form post without rewriting the page.  It might depend on whether rewriting policies are applied before form post policies.  Can someone more knowledgable give us a definitive answer on this point?   Does the load of the page ehdn rewritten fail because you do not have a proxy server and proxy policies defined?  The only way to get an external page rewritten is for the SA to be able to fetch it through the internal interface of the appliance.  At least in my network, the only way to do that is to go outbound through a proxy.   Ken ... View more

Just to make sure, the SA is rewriting the external resource, correct?  I can't imagine you could do a SSO form POST to a resource which was not being rewritten.   Ken ... View more

This will not work, as iOS devices do not run JSAM.   The only option for an iPad is - I think - full network connectivity using Pulse.   Ken ... View more

Are there estimates for other models?  Is this dependent on how many "non-Activesync" users are logged into the device? Thanks -   Ken ... View more

Make sure you are in the "Network Connect split tunneling policies" and not "Network Connect access policies".  The potential actions should be "Allow access" and "Exclude access".    The "255.255.255.255" mask will be stripped off, since it is a host route, but you should not see the colon and asterisk after the address.    Ken ... View more

I do not believe CTS is implemented for the IOS platform.  Check w/JTAC.   Ken ... View more

Is the printer always on the same address?  Let's say that the local subnet is 192.168.1.0/24 and the printer is always on 192.168.1.100.  I believe you could define an inverse split-tunneling policy to say that everything except 192.168.1.100 is on the other side of the tunnel.  This would - I believe - accomplish your goal by creating a 192.168.1.100/32 route pointing to the physical interface instead of the VPN virtual interface.   I have not implemented inverse split tunneling, so I can't confirm that this would work.   If the printer resides on different addresses at different sites, I don't know of any way to achieve the functionality you wish.   Ken ... View more

I don't believe there is any way to do the kind of role-assignment you want to do.  But there may be something which would work and be very simple.   If you can store the RDP destination names or IP addresses in a multivalued attribute in the AD group structure, you should be able to define a terminal services bookmark using that variable.   My users are defined in an LDAP (not AD) which includes a multivalued field (rdpdest) which has names or addresses of the RDP destinations which they can access.  I then define a terminal services profile with the name and server name/address being "<userAttr.rdpdest>".  This generates a terminal services bookmark for each value of the field.   In my case, these destinations are associated with an individual, but I assume you might be able to do something like that to associate the destinations with a group.   Do it this way, and there is only one role with RDP bookmarks.  If the value of the field is null, the users could fall through to your "catch-all" role.   Ken ... View more

I assume from your question that you are running Network Connect for these users.  Have you checked the NC access control list applied to the role?   Ken ... View more

If you do wish to access public websites through the SA, remember that - in addition to their being included in a rewriting policy - they must also be included in a web proxy policy.  The SA will not access the a website through the external interface.    Ken ... View more

You want to specify your AD/LDAP server as your authorization server. I do authentication against a Radius server which proxies authentications to a number of RSA ACE servers. I then use the user ID from that authentication to do a search on our AD as a LDAP server. So, in my realm definition, the Radius server is listed as the authentication server, and the LDAP as the authorization server. Ken ... View more