You can change the time-out in the Web option of the role you created for Activesync: 1. Select your role under User Roles 2. Click the Web tab. 3. Click Options. 4. Click "View advanced options". 5. Enter the appropriate number os seconds in the HTTP Connection Timeout field (I used 540 seconds). 6. Click the Save Changes button. Regards, Russ ... View more

Looks like this issue will be resolved in 7.1. Here's the response from JTAC: "I would like to let you know this issue was replicated in the lab and it is fixed in 7.1.Rx. When you test using a web browser (Firefox, safari, internet explorer) on different platforms, you don't have this issue. I was able to confirm that this is a know issue reported with Pulse Client Ver. 1.0 and it is fixed from Pulse Client Ver. 2.0 (IVE OS 7.1Rx). Currently we donot have any ETA of when IVE OS 7.1Rx is expected to get released. Please use the following WORKAROUND to fix the issue for time being: 1. Open Internet Explorer and click Tools > Internet Options > Content tab > Certificates 2. Copy the intermediate CA certificate (attached to the email - rename the file from .txt to .cer) and install within IE (click Import under Intermediate Certification Authorities). 3. Once imported, try accessing the website again with Junos Pulse client. The error message will no longer appear." ... View more

Same problem here using the Entrust L1C chain. Works fine with Network Connect, etc., but not Pulse. I opened a case with JTAC. The first response I got was "try installing the intermediate CA (certificate) locally on the machine." I replied that deploying the chain to thousands of devices was not an option. I'll post again when I hear something useful. Russ ... View more

Hi Mike, JTAC sent me the filter on Friday. Works great! Just in time, 'cause I was about to have to deploy a UAG server. Yuck! Regards, Russ ... View more

Hi Mike, Have you gotten anywhere with JTAC on this issue? My case, 2011-0118-0666, has been open for two weeks now and I've heard almost nothing from JTAC. I escalated the case yesterday... -Russ ... View more

Thanks for the reply, Mike. I submitted all of my logs, traces, captures and screen shots to JTAC to day. Hopefully we'll get some traction soon. FYI...I'm also on 7.0R4. Regards, Russ ... View more

Hi Mike, Did you ever resolve your performance issue? We are experiencing a similar problem. Most of the OWA 2010 dropdown menus take multiple seconds to display via the IVE using IE 7 and IE8. I opened a case with JTAC, but they are not being very helpful on this one. Regards, Russ ... View more

You need to be running IVE 7.0R1 (or later). You can find instructions at: http://www.juniper.net/techpubs/software/pulse/guides/j-pulse-1.0R1-adminguide.pdf. Regards, Russ ... View more

Ok, I opened a case. Here's the paraphrased answer I got: "It's probably not supported, but I'll check and get back to you..." I'll post a reply when I here something. Russ ... View more

Same issue here. Running 7.0R1. We're using the workaround you supplied, but would like a fix from Juniper...opening a case with JTAC. ... View more

I just created a CNAME record in DNS for my internal activesync server and used that CNAME in the Virtual Hostname Sign-in Policy. No cash required... ... View more

You can use custom sign-in pages. See this post: https://forums.pulsesecure.net/topic/pulse-connect-secure/28732-password-change-via-custom-pages#M5564. ... View more

You can't do it with a POST because the destination is login.cgi and that cannot be customized. You might be able to use a GET to the LoginPage.thtml and use client-side code (Java applet or ActiveX) to decrypt the information. I'm wondering why you would want to do this? The data is already encrypted in transit with SSL. ... View more

Hi Scott, What version are you running on your SA-700? I'm not sure which version Juniper added the feature, but in 6.5R1 you can select 1024 or 2048 bit for your CSR. Regards, Russ ... View more

Sorry, but you can't upgrade the client without upgrading the Secure Access appliance (Network Connect server). Regards, Russ ... View more

You can find the Split Tunneling Options in the Network Connect Options of the role. The simplest of the Split Tunneling Options is "Allow access to local subnet." This option automatically allows access to the local subnet without any additional configuration. The other Split Tunneling Options require to define which networks should be tunneled and which should not. Regards, Russ ... View more

Thanks for the update. Did JTAC happen to mention when R2 will be released? ... View more

Yes, the Rewriter, SAM, Terminal Services, etc. will use the domain suffixes listed in the DNS Domain(s) field. ... View more

I've been able to use the Terminal Services span option via SAM and Network Connect, but not the Juniper Terminal Services client. The downside with SAM and Network Connect is that the user has to invoke the local Terminal Services client manually and enter the appropriate address, options, etc. You could create a batch file or other script to launch the client for them, but it's still a pain the rear. I'm not sure why Juniper doesn't expose that option in the Terminal Services Session setup. Would make things much simpler... ... View more

Have you tried adding your sub domains to the DNS Domain(s) field under Network-->Overview? ... View more

Took a while, but I figured out a way to do this. For my test, I used an Active Directory (LDAP) Auth server on IVE versions 6.0R3.1 and 6.5R1. Read the entire post before attempting. Insert the following code into the PasswordExpiration page, two lines below the startPageLink variable (near line 82): ----START CODE---- To change your password now, use the form below: <form autocomplete="off" method="post" name="frmChgPasswd" action="welcome.cgi"> <table> <TR> <TD colspan="2">&nbsp;</TD> </TR> <TR> <TD>Username</TD> <TD><INPUT type="text" name="username" maxlength="32" size="20"></TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> </TR> <input type=hidden name=authserver value="Active Directory"> <input type=hidden name=realmId value="120"> <input type=hidden name=p value="passwordChange"> <TR> <TD>Old password</TD> <TD><INPUT type="password" name="oldPassword" maxlength="32" size="20"></TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> </TR> <TR> <TD>New password</TD> <TD><INPUT type="password" maxlength="32" size="20" name="newPassword"></TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> </TR> <TR> <TD>Confirm password</TD> <TD><INPUT type="password" maxlength="32" size="20" name="confirmPassword"></TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> </TR> <TR> <TD>&nbsp;</TD> <TD><INPUT type="submit" name="passwordChange" value="Change"></TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> </TR> </table> </form> -----END CODE----- You'll need to change the realmId and authserver hidden values. In my example above, the authserver was Active%20Directory (I stripped out the %20) and the realmId was 120. On version 6.5R1, the authserver was number. The easiest way to get your values, is to use an Active Directory account that has the "User must change password at next logon" Account option checked. Having that option checked will trigger the PasswordChange page on the IVE. Logon to the IVE using that account . You should be directed to the PasswordChange page. Look at the URL in the address bar. You'll see the realmID and authserver info in the URL. Plug those values into the code above and load the custom page on to the IVE. I could find no dynamic way to plug in these values. If you have many Realms tied into one sign-in policy, this process could be cumbersome... Next, you'll need to test the new PasswordExpiration page. I had to go door-to-door to find someone with a password that was expiring within the next few days, but you could also try fiddling with the "Display warning x day(s) before password expires" on your Realm's Authentication Policy. Logon to the new custom page on your IVE and test it out. Ive attached a copy of my PasswordExpiration page as an example. Regards, Russ ... View more

The only other thing I can think of that might help is to make sure that all of the Display Settings for the Session are unchecked. ... View more

@kenlars wrote: I just haven't been able to get it together to get this going this week - sorry! I've blocked my calendar for 2:00 EST (yes, the US is finally off daylight or summer time) on Wednesday, Nov. 4. The call-in number is: +1 712 580 7707 PIN 5022399. I'll do a reminder post on Tuesday. I know my choice of time is US-centric, but most of the interest I have seen so far is from users in the US, and my calendar is pretty full. If interest from outside the US grows, we'll look to schedule some calls at a time which works better for Europe or Asia. I think this first session will be mostly around introductions and what expectations we have of this. I do have some non-specific offers of support from Juniper. I think these will become more concrete as we see what kind of numbers of people are interested, and what we are interested in. Ken Thanks, Ken! ... View more

I tested on 6.0R3.1 and 6.5R1. Worked on 6.0, but not 6.5. I received the same error message as you. The Save was definitely not successful. I checked out the help file on 6.5 and it appears to be supported. Looks like a bug. You'll have to open a case with JTAC... ... View more

I'm guessing that it's a client issue, but that's just a hunch. You could try doing a TCPDump on the internal interface of the IVE. However, if you have multiple SAM users connected, you may not be able to discern between them. ... View more

Are you using WSAM or JSAM? ... View more

Hi Ken, Are you still shooting for a conference call late this week? Regards, Russ ... View more

Host checker may not be compatible with the broswer on those versions of Mac OS. Look in the User logs for something like: Info AUT23571 2009-10-27 15:06:26 - ive - [127.0.0.1] Root::System()[] - Browser on host 7.7.7.60 is not supported for Host Checker or Cache Cleaner: User agent a10hm/1.0 (linux swo 2.6.14) If possible, create a duplicate Realm without Host Checker and see if you get the error. ... View more

Go to the User Roles page. You should see a list of all your roles. On the right-hand side you'll see columns of enabled setting. If you not using SAM at all, make sure you don't see any check marks in that column. Another place to look is the JSAM Autolaunch Policies: Resource Policies --> Web --> Launch JSAM. Make sure you don't have any autolaunch policies. If you clear those and still have the problem, you'll probably need to open a case with JTAC. ... View more

According to your logs, the client is using JSAM and Network Connect simultaneously. Looks like the JSAM connection closes in this entry: Info JAV20023 2009-10-27 10:11:16 - ive - [xx.yy.zz.53] First.Lastname(Passwords Only)[Corporate Laptop, Shared Drives, Users] - Closed connection to TUN-VPN port 443 after 1230 ... View more