So, basically you are trying to use the VPN connection on your laptop to bridge between an unsecure device on an unsecure network and your secure corporate network, bypassing any host checker validation/enforcement on your mobile device in the process. Most companies would frown on such behaviour if not outright prohibit it. There is a reason why split-tunnel connections are disabled by default. ... View more

I have had some issue on machines with Dropbox installed. Initial connection is ok but reconnections fail until I exit Dropbox. Do you have any software like that that might be causing problem at the network level? ... View more

While UDP 4500 is the default for ESP mode, the setting can be change and ESP can be disabled entirely. Also, when using ESP, SSL fallback can be enabled or disabled. Always best to check the actual VPN connection profile/profiles to ensure firewall rules are properly aligned with your specific deployment. ... View more

Sale pitch aside.. If you do not want users to be presented with a login dialog if they fail host checker evaluation, you need to have your Host Checker policy enabled for both 'Evaluate' and 'Require and Enforce' at the realm level. If you only evaluate at the realm level and enforce at the role level, the users will be allowed to complete the login before the policy is enforced. There really isn't any 'if, then, else' logic in host checker evaluation. You're really limited to 'and' style logic (i.e. require both this rule/policy and that rule/policy) or 'or' style logic (i.e. require either this rule/policy or that rule/policy). If you want to allow users to login if they either match a list of MAC address or have appropriate AV software, there are two possibilities: Create one Host Checker policy that has two rules; one for MAC evaluation and one for AV evaluation, and set the Host Checker policy to require 'any of the above rules'. The policy will evaulate as true if either condition is met. When you enforce at the realm level the user will be allowed to login if the policy evaluate as true. Create two separate Host Checker policies; one policy with a single rule for the MAC evaulation and one policy with a single rule for AV evaluation. At the realm level, set both policies for 'Evaluate' and 'Require and Enforce' and enable the option 'Allow access to realm if any ONE of the selected ...'. Users will be allowed to login as long as at least one of the policies evaluates as true. Which approach is better for you will depend on if you use the policies elsewhere in the configuration (e.g. role mapping rules, conditional rewriting rules, etc.). You should also consider the slightly different user experience and logging results for the two approaches. If you really want to, you can get pretty sofisticated with this by combining both types ('and' policies with 'or' rules, 'or' policies with 'and' rule). In my opinion, simpler is better. ... View more

Three things you need to look at 1. On the VPN server - VPN Tunneling Access Control. Look for policies that permit access to only intranet IPs 2. On the internal firewall between the VPN server and the intranet (if one exists). Look for policies that allow access from VPN range to intranet range but not the reverse. 3. On the client. Look for a local firewall turned on by default or as part of Host Checker remediation. ... View more

A couple of thoughts come to mind... develop a reporting script and configure the VPN role to launch at session startup find a way to flag systems based on IP address, assuming your VPN IP pool is unique. ... View more

The Cache Cleaner policy can be enabled for enforcement at the realm level under the Authentication Policy > Host Checker tab and/or it can be enabled for enforcement at the role level under General > Restrictions > Host Checker. ... View more

I believe the SA 1000 was rated for up to 100 simultaneous connections. How many users you could actually support depended on the licensing you had - 25 user, 50 user, or 100 user. Juniper stopped selling the SA 1000 in July 2007. It reached end of support in July 2011. ... View more

Using no rewrite with a bookmark simply passes the real target URL directly to the user's browser without any modifications. It is essentially the same as if the user opened up a new browser window and simply entered the target URL manually. SAM creates an application tunnel that captures any traffic for a specific host. This happens regardless of what client application used or how the hostname is selected (manually entered, existing browser favorite, etc.) Used together, the bookmark passes the real target URL to the user's browser, when the browser attempts to connect to the target URL, SAM capture the traffic and redirects it down the tunnel. So yes, creating a web application resource with 'no rewiriting (use J/WSAM)' allows you to present an unmodified URL to the user that connect to an internal resource using SAM. From the user's perspective they are interacting directly with the target application. You could also independently create a rewriting policy and a SAM policy manually to the same effect as long as the namespace matches as these are really two separate processes. Just be aware that when you use no rewriting, that page is fully outside the control of the rewriting engine. Any pages or sites a user navigates to from that initial page are also not rewritten. ... View more

The ease or difficulty of changing an authentication server is going to depend on how you use it beyond simple authentication. In addition to what Kita pointed our, you also need to be aware of any attributes, expressions or groups you may have defined for use in role mapping, etc. as these are part of the server catalog for that specific authentication server. At the very least, setup a test realm with the same role mapping rules that uses the new authentication server to make sure you fully understand the impact any changes you make to the production realm will have in your specific environment. ... View more

What version of the ESAP plug-in are you running? ... View more

Exactly the info I needed. Thanks ... View more

I see the following item listed as fixed in the release notes for 8.1r3 PRS-323933 Hosts file entries fail to populate on Mac OS clients I am wondering if this related to what I am seeing in 8.0r9. If so, will a similar fix be available in an upcoming release of the 8.0 branch? ... View more

Any ideas? It would seem to me that this is an important function to support non-split-tunnel VPN connections both in environments that use split-DNS and in environments that use DNS based load balancing. ... View more

Have you verified that the external interface link speed and duplex settings match the settings for the port on the switch or router the external interface is connected to? Both should either be auto negotiated or both should being using the same speed and dupled. Having mismatched speed and duplex messes things up in a hurry. Also, make sure your cable is correct and tests clean. Eliminate the easy things before you jump to hardware replacement. ... View more

On the sign-in policies page, there is an option to enable multiple user sessions On the realm's authentication policy>limits page, there is an option to limit the number of sessions per user To allow more than one session per user you need to enable multiple user session at the sign-in level and then set the limit of session per user at the realm level. ... View more

Any ideas about this? Is a day a '24 hour period' or a calendar day? If calendar day, is it based on GMT or System time? ... View more

Concurrent user would be any user logged on the the device; including administrative portal users, web portal users, SAM users, vpn tunnel users, etc.   VPN tunnel users are specifically those users with an active Network Connect or Pulse VPN tunnel.   ... View more

With both the Network Connect and Pulse client, there is a CLI that you might be able to use for a scripted login. Use with caution however as there could be a risk of password exposure. ... View more

From KB28278 "Network Connect client is not supported on Mac OS X Mavericks 10.9 and Safari 7. Junos Pulse Desktop can be used as a VPN client instead of Network Connect" ... View more

Maybe the same issue described here:   ... View more

A Host Checker policy with no rules for Android would effectively block Android if the policy is enforced, would it not? ... View more

The easiest way to do this is to create a role mapping rule with a custom expression that matches the source IP/subnet and maps to a role with the desired limited access. Another possible approach is to create detailed rules associated with the resource policy. ... View more