Same for us. Pulse is/was a great product....   http://www.sdncentral.com/news/juniper-sells-junos-pulse-security/2014/07/   would be great if us as customers was informed as to what the future holds.     ... View more

To add a note on the Virus Scanner side of it; I find it very handy to check the Virus Update XML for the current list of sigs - helps when a user says they have the latest and all I have in syslog is the software version. EndPoint Security -> Virus Signature version monitoring -> Download Path currently: https://download.juniper.net/software/av/uac/epupdate_hist.xml ... View more

Timing is amazing; I was just asked if the RDP client could be expanded to include the /span directive, I was about to log a Juniper ticket for enhancement. Two questions, does your method cover this ? and can you just give some simple steps (Im new to SA) as to how the HTML is processed by the SA to replace the various tags with actual values :> Mark ... View more

The SA's do hierarchial LDAP searches. The two things to consider are what is looking for and what access does the binding account have to LDAP. In looking for an LDAP group Groups ... -> Search ... The SA unit is looking for objects with an objectclass of 'groupofUniqueNames' or 'groupOfNames' or 'posixGroup' it expects the entry to have a CN - does your object/group match these conditions? ... View more

Weve had a SA4500 cluster running for about a year and I thought Id put some comments in. Some of what your asking we havent done so ive left those parts out. One upfront comment - Juniper support is brilliant, lots of help working thru user issues as well as technical ones; regular updates - its for that reason I wanted to give something back. - implementing single signon to citrix was a no brainer, you can do it AD or use web based credentials. You will need to decide on going with a Java or native client (not a juniper issue but something that does crop up). - file services is built in, our users map their own resources or you can do it for them. - RDP is built in, we found that a tad slow (their are comments on the forum about changing resolution to speed up the process). In the end we use RDP for external parties and our people use the VPN option which is brilliant. - VPN gives you integrated DNS so your users dont have to remember 'inside' and 'outside' configurations. Addresses are from a VPN pool that your DHCP can pass out or get the Juniper to do it. The separate addressing allows you to differentiate at the firewalls between different user groups. - We use host checker, just be aware the more functionality you put into it (firewall checks, antivirus etc.) the larger the code and signature base that needs to be downloaded - its a once off but does need updating as you update the backend with the latest sigs. - If our users fail hostchecker they dont get VPN - they get a message to that effect. This typically happens when theyve updated to the latest free virus checker which unfortunately we have to support. - You will need admin for installation of the VPN, not too run it, we opted to do it pre-installed on our SOE laptops and remote devicesrather then the wrapper, but thats just our process not a comment on the wrapper. - We have MAC users, though they are not power users - everything works the same. - Id very much recommend gettting secure meeting so you can support your remote users, it was very unexpected win and our help desk uses it for troubleshooting a lot of internal issues as well as external. - We also use the integrated Juniper IDP feature so if an attack is detected the user is 'jailed' and only gets a limited number of functions. * hope these points help Mark ... View more

we have the same problem - the workaround for us it to detect if they have the client , if not then display a link to the client. if youve found a solution id love to hear it; the yellow bar is hit and miss for many users. our help desk is asked to confirm with the user that they have both packages installed at the end: Citrix Presentation Server Client & Juniper Citrix Services Client. If not then uninstall and hit the link again to download the client. Mark ... View more

To avoid confusion im arguing for: firewall nic (sub interface) -> switch (vlan xxx) -> IVE external port + IVE internal port -> switch (vlan yyy) -> firewall nic (sub interface) -> internal net The use of the switches also lends itself to clustering. ... View more

Just to add my 2c's worth; Having a client that requires administration privilege to install and is directly linked to the version on the server is a design flaw I feel.  They need to be able to have backward's compatibility so we can upgrade our user base independant of when the server is updated.   ... View more

'With my paranoid hat on' Deploying this way is an issue - as only the encrypted traffic is processed by the firewall. All other traffic, like netconnect traffic, goes 'unfiltered' into the internal network. How about sub-interfacing the firewall nic and have the both ports going back into the firewall, were at least the exiting traffic can be checked. ... View more

pure speculation but export the signin pages as XML, edit then re-import? Would  be handy to update to front with standard messages and links such as to the corporate  security policy.     ... View more