For us, setting up from scratch hasn't improved anything with Host Checker evaluations. Host Checker still fails for us when evaluating for antivirus products with updated defs. The lone exception for us has been the CA checks which seem to evaluate properly. Even AVG, which is much improved in ESAP 1.4.5 fails definition checks if we evaluate for any other antivirus products. JTAC has witnessed all of this but can't duplicate the problem, of course. ... View more

In your loginpage.thtml template file, Replace this: <td><input type="submit" value="<% signin %>" name="btnSubmit">&nbsp; With this: <td><input type="submit" value="<% signin %>" name="btnSubmit" disabled>&nbsp; <input type="checkbox" onClick="document.frmLogin['btnSubmit'].disabled =(document.frmLogin['btnSubmit'].disabled)? false : true">I attest that I have read, fully understand, and accept all provisions of the <b>Terms and Conditions</b> below.</p> ... View more

'With the "canned" esap tests when there is a problem is does take a while to sort I'll admit..In the meantime as a workaround I tend to create an "oldschool" test and manulally check for the bit myself that aren't working.' Kendal, Hopefully what you're talking about is available in the 6.x releases because the information I've found in the EPCHECK.log and dsHostChecker.log files has been pretty much useless for me (You see large sections of gobbledygook that I would imagine contains the information I am after but I am not intended to see it). I have had some luck running the OESISDIAGNOSE utility and the OPSWAT AV integration SDK test harness and seeing a bit of what is checked for specifically but in both of those cases, I can't know if I am finding everything the pre defined stuff checks for or just pieces. I guess what I'm saying is I have no way, currently, of comparing a problem user's settings to a known list of the stuff a pre-defined check looks for; I can't create 'oldschool' checks to look for nonworking bits that I have no way of knowing about. This causes me to waste time depending on Juniper support for something I should be able to determine on my own, causes the users to suffer unacceptable periods of denied access, causes me to question the quality of any workaround I do decide to implement temporarily and also causes much longer delays in ultimately getting a problem fixed. FWIW, I agree that this product is miles ahead, almost categorically, of any of the other products I've seen out there. I have just seen some that 'seem' from demonstrations and webinars to have friendlier logging. Anywho, I didn't intend to leave the impression that I was dissatisfied with the product overall, only that I don't like how limited I am in diagnosing and resolving problems with this feature. Message Edited by dogmai on 12-03-2008 12:58 PM ... View more

No information available in the logging will help you if you have issues with predefined Host Checks. The predefined stuff is all a big black box so when you have users that should pass but aren't, you only see in the logs that they didn't pass, not what specifically about the check is failing. As a result, each time I have users that run into issues, I have to open a case with Juniper and collect tons of logs and then a month or two later, ESAP usually catches up to the issue and addresses whatever was causing the issue. Problem with this is I never find out what caused the problem in the first place (knowing, for instance, that a particular check was looking for specific registry syntax would allow me to verify whether my problem user(s) have an extra comma or semicolon character at the end of their string and would allow me to solve the problem much faster than the system in place today). To add insult to injury, I've attended a couple of SSL VPN webinars for competing vendors recently and I've seen that some products do at least have a verbose logging 'mode' that will allow you to troubleshoot such things more efficiently... so it's possible to give us this functionality, just prolly not very high on the to-do list. The Juniper log files, otherwise, have actually seemed pretty good although the reporting against those logs could use work. My account management team tells me that there will be no additional log reporting functionality built into the IVE as it's been made available in another product, STRM, and I've also evaluated a pretty cool solution called SSL Clearview reporter from NWG Technologies (http://www.nwgtechnologies.com/products/product2.html) that is built just for Juniper SSL VPN reporting and comes with some really good drill-down canned reporting. Hope this helps. ... View more

We've had big issues in our environment with Host Checker failing legitimate checks post 5.5R6. Our issues seem to all relate to the new way Host Checker verifies antivirus definition files. In the 5.x versions, I have the option of telling Host Checker to verify that all def. files have been updated within (n) days. 6.x versions no longer have this option and instead you can specify that definition files be recent within (n) releases... n being between 1 and 10. All of the checks I run pass if I am only evaluating for specific antivirus products but they fail if I configure the IVE to check for updated definition files; it doesn't matter what I set the number to. To make matters worse, for us, it doesn't seem to matter which AV products we are evaluating for either. We have failures with Symantec, McAfee, AVG, Trend Micro and others. JTAC has been working this case with us for about a month now and we've upgraded the IVE to various 6.x versions, upgraded ESAP and rebuilt our checks without success. Right now, I'm told that I have to wait for the 1.4.4 ESAP release which has not been made available for each ETA I've been given by JTAC (and now I'm being told that they have no estimated release date). Only checking for the product without updated dictionaries is no better than not checking at all. :-( So, we've been sitting on 5.5R6 (with functioning Host Checker) for over a month waiting to upgrade to a reliable 6.x version that addresses multiple other issues/incompatibilities we have with our environment (Citrix 4.5 farms and Vista SP1 come to mind) but we can't move to the newer, better stuff because, in our case, it will break more than it fixes. Message Edited by dogmai on 12-02-2008 09:19 AM ... View more

You can export the sample template files and edit the loginpage.thtml to accomplish this. Zip up all of the files from the sample template and import, including your customized loginpage.thtml file, and then apply the customized template package to whatever login URLs you want. When you choose to make customizations to your pages, you will have to remember to re-create these changes from the new sample templates each time you upgrade your IVE otherwise any changes/upgrades to the templates from the OS version changes will not be applied to your custom one(s) and they may not function properly (best case) or the IVE may choose to discard them completely (worst case) in favor of the default login page. ... View more

Ray, During that same meeting with my Juniper sales/engineering reps, we reviewed each of the licenses I don't currently have installed and when we talked about the Advanced Malware Protection feature, I was told that the vendor they use dropped support for it and so had Juniper. Coordinating Juniper's IDP solution with the SA appliances was now the preferred solution for malware protection. Anywho, it was that information that led us away from purchasing those licenses. Thanks, ... View more

Same nightmare here... "proprietary". Pre-Configured Host Checks are a black box. I've called JTAC on multiple occasions when my users' PCs were running all of the required software we check for but still some are denied. Inevitably, I have to collect logs from both the IVE and the client PC (sending an .exe file to less-than-savvy users with instructions to copy into a directory, run and send back the log file generated along with the host checker log file can be very challenging) and submit only to hear that they'll have to file a 'bug'. When I ask what for, I always hear the 'proprietary' line. If there were a way for me to see what, specifically, a failing host check was looking for, even if I had to file a ticket per event with JTAC first, I would be able to not only troubleshoot many problems myself but also create custom host checks to mitigate certain issues until a functional ESAP release solved my problem(s). This has been a major problem with my company integrating the Host Checker solution enterprise wide and it really is a pity because we have spent considerable time and effort building custom remediation roles for our user base (a self-help KB of sorts) that we can't even use right now because too many users with the right stuff are failing. We've been plagued primarily with AV checks but have also seen issues with OS and firewall checks as well. I brought this issue up with my Juniper reps when they were last in town, along with our region's SSL VPN product specialist -- telling them exactly what my problems were with having these blind checks along with what I would like to see improved and the specialist told me very directly that it really didn't matter how much I complained about it, I was never going to be allowed to see what these custom checks looked for. The most I could ever get through an enhancement request would be more detailed user/event logging. My desire to better serve my company and users is trumped by Juniper not knowing whether or not I would somehow misbehave with this proprietary 'intellectual property'. Thanks for letting me vent. :-) Message Edited by dogmai on 10-06-2008 12:07 PM Message Edited by dogmai on 10-06-2008 12:08 PM ... View more

Create a role for these users with no terminal services bookmarks and then create the resource policy that will allow RDP to the destinations you want for this role. Choose to allow users to create their own Terminal Service bookmarks. Make them a quick 'how-to' document showing all of the appropriate settings for creating their own bookmarks (minus their particular computer names/ip addresses) and set them loose. They'll have their own resource(s) as personal bookmarks and they will not see everyone else's. ... View more

I don't think that this solution will work for my purposes... I have probably 20 different login URLs and if I am understanding correctly, I would have to create a separate realm/signin for each one that splashes the agreement and then redirects them to the correct login page... I was hoping more for a simple checkbox on the actual sign-in web page that, left unchecked, would prevent users from signing in. If I've misunderstood you, I apologize. Thanks! Jason ... View more