- Pulse Secure Community
- :
- About em_platinum_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
em_platinum_
Contributor
35
Posts
0
Kudos
4
Solutions
10-28-2014
12:55:PM
Looks like I didn't have the Intermediate CA installed with this backend application for some reason. Once I updated the chain to include the root and the intermediate, the untrusted error from the MAG went away. Thanks!
... View more
10-28-2014
12:31:PM
I am using a wildcard certificate from GoDaddy on my MAG 4610 and this has always worked fine, no ceritifcate trust issues from browsers or Junos Pulse. I have setup a web bookmark to SiteA, an internal site that uses SSL. This site uses the exact same wildcard certificate I use for access to the MAG itself, and I am receive the message "The certificate was not issued by a trusted certificate authority". if I browse to SIteA directly from within the network, there is no certificate not trusted errors (in any browser). Can anyone explain why the MAG is throwing this error and how I can resolve it? It makes no sense at all.
... View more
05-09-2014
07:59:PM
I just updated both of my DC's being used by form MAG form 2012 to 2012 R2 and have had no issues. I am running 8.0R3.2
... View more
03-28-2014
03:09:PM
What's an IP of an "internal resource" you are trying to reach from the client connected with Pulse? Have you looked at your Firewall ACL's to make sure you are allowing traffic appropriately in/out of the DMZ zone to the zone that has those "internal resources" ?
... View more
03-21-2014
11:07:AM
Pulse is the future and, as far as I know, intended to replace Network Connect There are stills ome things available in NC that haven't made it to Pulse yet, so you need to evaluate specific needs. Here's some reading on the subject of Pulse vs NC: https://forums.pulsesecure.net/topic/pulse-connect-secure/215341-NC-vs-Pulse http://www.juniper.net/techpubs/en_US/junos-pulse4.0/topics/reference/a-c-c-nc-comparing.html (note that this talks about Pulse 4.0 and Pulse is up to 5.0 now)
... View more
03-21-2014
05:12:AM
Go to System / Platform and what is the current version and model? On the Mac go to Apple icon in menu abr and About This Mac and what is the verson of OS X? In Junos Pulse client on Mac, go to Junos Pulse in menu bar and then About Junos Pulse and what is the version there? Can the Mac ping using IP addresses or do you not get any replies when using IP?
... View more
03-20-2014
05:15:PM
Are you using split tunneling? If so u nder Resource Policies / VPN Tunneling / Connection Profiles / DNS Settings do you have proper DNS servers and search domain specified or If you have this set to use IVE settings do you have correct DNS settings defined under Network / Overview / DNS name resolution? If using DHCP, have you verified the DHCP server is set to give out proper DNS settings? Have you verified the MBAir is actually receiving the IP addresses of the correct DNS server as well as search domain? I'm using Pulse 5.0 on my MB Air with OS X Mavericks and SA8.0 and everything works fine. If you are on 7.4 make sure and it's OS X Mavericks in question, make sure you are on at least 7.4R7 and the Pulse client from that build or newer is used, as this is when Mavericks compatibility was added.
... View more
03-03-2014
04:58:AM
I believe he is referring to this: Note that a setting of 0 disables these features. When I try to set this above 1000 Mbps as shown, the device gives me this error indicating the max is 1000 Mbps.
... View more
02-28-2014
10:54:AM
I'm wondering what the best way to authenticate users who work from domain joined computers when off network. This would be someone like a laptop user or a use who I would set to permanently work from home and want them on the domain. This is an Active Directory (2008 R2) environment with Windows 7 on the desktop. Preferrably, I want these users to have an active VPN connection during login so that they can be authenticated against a domain controller and not used cached credentials (just like it would work if they were in an on network office) Do I need to use one of the Pulse connection profiles settings that uses machine authentication to establish a connection or can I use the "automatically at user login" option. Documentation says the following for Pulse connection profiles automatically at user login option: Enables Pulse client interaction with the credential provider software on the endpoint. The user credentials are used to establish the authenticated Pulse connection to the network, log in to the endpoint, and log in to the domain server. Does this option cause Pulse to fully connection before the login is attempted to the computer? It seems worded in a way that implies that it does. If it does, why would I want to use this vs. a machine authentication option or vice-versa. Lastly, is the option in User Role/VPN Tunneling/Options for Launch client during Windows Interactive User Logon (This option allows client to be started when users log into Windows) identical to setting the Pulse connection profile to "Automatically at user login" ? If so, and I want to use this option, is it better to set it in the connection profile or user role?
... View more
02-27-2014
05:38:AM
@jayLaiz wrote: under user role > sam options, is automatic host mapping enabled. Regards, Jay That was it. Not sure how I missed that option. I also see how this will be a problem for non-administrative users so it looks like I will not use this option and use external DNS records resolved to loopback addresses that are statically defined in resource profiles that use JSAM. Some behavior I've noticed as part of workking through this which seems unusual. This is part of the JSAM starting processing. Anyone have any comments on these? Windows OS - Admin User logged In - Automatic Host Mapping disabled OR enabled - User is always prompted with a UAC popup from Juniper JSAM Tool. This tool seems to be what handles modifying the hosts file so I can understand why ther eis the UAC popup when hosting mapping is enabled, but why is it occuring when host mapping is disabled? Windows OS - NonAdmin User logged in - Automatic Host Mapping disabled OR enabled - User never receives the UAC popup from Juniper JSAM Tool - This is good because they don't have permission to modify hosts file anyway, so it seems like something is coded to recognize a non-admin user and not bother prompting, but why doesn't it do this when it's an admin user logged in and automatic host mapping is disabled? Mac OS X - Admin OR NonAdmin user logged In - Automatic Host Mapping disabled OR enabled - User is always prompted for Admin credentials, regardless of if that user is an Admin or NonAdmin. This prompt is definitely for modifying the hosts file. If the user is a NonAdmin and Automatic Host Mapping is enabled, the user can simply hit cancel and they get a popup that they don't have permissions to modify the hosts file and JSAM finishes launches. If the user is a NonAdmin and happens to know admin credentials, they can supply them and the hosts file will get modified. Question here is, is this expected behavior for a NonAdmin to be getting the admin credentials prompt? Is the software not coded to know this is a non-admin and not prompt (kind of like how Windows with a NonAdmin doesn't do the UAC prompt to run JSAM Tool)
... View more
02-27-2014
05:26:AM
I just purchased a MAG4610 and was using the SA DTE VM for testing. When I was downloading the VM with the Juniper SE, he asked if I was going to use the Secure Meeting feature. He said that if I intended to use that heavily than I should stick with the recommended 7.4 release. He didn't specify any further details as to why, but he went on to say if I wasn't going to use or rely on Secure Meeting (or just experiment with it) than he suggested going to 8.0. 8.0 Introduced a major new features such as MDM Integration with AirWatch and MobileIron, so if this is something you want, then you have to use 8.0. licensed and you don't actually even ned to apply your concurrent user license to the device. If you apply it, it's basically ignored since the device will still stay max licensed, although you are still required by the EULA to purchase the correct number of concurrent user licenses. T his new license model can be useful in an unexpected situation of you running out of licenses. On 7.4, this would mean users can't connect until you can purchase and activate new licenses. But on 8.0, if you exceed your purchased limit, the unit doesn't care. Again, you still need to buy those additional licenses, but you're not going stuck with users who can't connect if you end up in this situation and are running 8.0. My MAG4610 had a base SA image of 7.4R1. Per release notes on 8.0R1, the recommendation is for devices that are pre-7.4R1 to first upgrade to 7.1R16 or newer and then to upgrade to 8.0R1. Assuming your device has something older than 7.1R16 currently you can go from currently version -> 7.1R16 -> 8.0R2. This is the upgrade path I took. However, before I read the upgrade path, I did an upgrade straight from 7.1R1 -> 8.0R2 and it worked without issue, so you could probably go straight through if you wanted given it's a new device with no pre-existing configuration to potentially get changed. You could also go from 7.1R1 -> 7.4R9 if you prefer to stay on the JTAC recommended release. I did about 30 days of testing with the SA DTE VM running 8.0R1 and didn't run into any issues for how I am using the device, which is a mix of Windows and Mac client, URL Rewriting, Passthrough Proxy, WSAM, JSAM, and Pulse. I did not do any testing with Host Checker/Cache Cleaner however, but nothing I've read in release notes leads me to believe there would be any issues.
... View more
02-26-2014
08:56:AM
Here is the Java console log output with tracing and logging enabled: Java Plug-in 10.51.2.13 Using JRE version 1.7.0_51-b13 Java HotSpot(TM) Client VM User home directory = C:\Users\user ---------------------------------------------------- c: clear console window f: finalize objects on finalization queue g: garbage collect h: display this help message l: dump classloader list m: print memory usage o: trigger logging q: hide console r: reload policy configuration s: dump system and deployment properties t: dump thread list v: dump thread stack x: clear classloader cache 0-5: set trace level to <n> ---------------------------------------------------- basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@174f6ce basic: Plugin2ClassLoader.addURL parent called for https://the.domain.com/dana-cached/java/Neoterissun.jar basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@9d478b basic: Plugin2ClassLoader.addURL parent called for https://the.domain.com/dana-cached/java/Neoterissun.jar security: Blacklist revocation check is enabled security: blacklist: created: NEED_LOAD, lastModified: 1390916633572 security: blacklist: hasBeenModifiedSince 1393419895725 (we have 1390916633572) security: Trusted libraries list check is enabled network: Cache entry found [url: https://the.domain.com/dana-cached/java/Neoterissun.jar, version: null] prevalidated=false/0 cache: Adding MemoryCache entry: https://the.domain.com/dana-cached/java/Neoterissun.jar cache: Resource https://the.domain.com/dana-cached/java/Neoterissun.jar has expired. network: Connecting https://the.domain.com/dana-cached/java/Neoterissun.jar with proxy=DIRECT network: Cache entry not found [url: file:/C:/Program%20Files%20(x86)/Java/jre7/lib/ext/sunec.jar, version: null] network: Cache entry not found [url: file:/C:/Program%20Files%20(x86)/Java/jre7/lib/ext/sunjce_provider.jar, version: null] network: Connecting http://the.domain.com:443/ with proxy=DIRECT security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts security: Loading certificates from Deployment session certificate store security: Loaded certificates from Deployment session certificate store security: Loading certificates from Internet Explorer ROOT certificate store security: Loaded certificates from Internet Explorer ROOT certificate store network: Connecting https://the.domain.com/dana-cached/java/Neoterissun.jar with cookie "DSSignInURL=/; DSID=2308d369d46829e3f87dcd355acf372a; DSFirstAccess=1393433538; DSLastAccess=1393433543; DSJSAMInitialized=1" network: Server https://the.domain.com/dana-cached/java/Neoterissun.jar requesting to set-cookie with "DSLastAccess=1393433547; path=/; Secure" network: ResponseCode for https://the.domain.com/dana-cached/java/Neoterissun.jar : 304 network: Encoding for https://the.domain.com/dana-cached/java/Neoterissun.jar : null network: Disconnect connection to https://the.domain.com/dana-cached/java/Neoterissun.jar cache: Read manifest for https://the.domain.com/dana-cached/java/Neoterissun.jar: read=170 full=5817 cache: Loading full manifest for https://the.domain.com/dana-cached/java/Neoterissun.jarcache: Reading Signers from 5029 https://the.domain.com/dana-cached/java/Neoterissun.jar | c:\users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\4fe887e-3bb02a9e.idx cache: Done readSigners(https://the.domain.com/dana-cached/java/Neoterissun.jar) security: Trust for: https://the.domain.com/dana-cached/java/Neoterissun.jar has ended: Wed Dec 31 19:00:00 EST 1969 security: Missing Application-Library-Allowable-Codebase manifest attribute for: https://the.domain.com/dana-cached/java/Neoterissun.jar security: Loading certificates from Deployment session certificate store security: Loaded certificates from Deployment session certificate store security: Loading certificates from Deployment session certificate store security: Loaded certificates from Deployment session certificate store security: Loading certificates from Deployment session certificate store security: Loaded certificates from Deployment session certificate store security: Loading certificates from Internet Explorer TrustedPublisher certificate store security: Loaded certificates from Internet Explorer TrustedPublisher certificate store security: Loading certificates from Internet Explorer DISALLOWED certificate store security: Loaded certificates from Internet Explorer DISALLOWED certificate store security: Validate the certificate chain using CertPath API security: Loading certificates from Internet Explorer ROOT certificate store security: Loaded certificates from Internet Explorer ROOT certificate store security: Loading blacklisted.certs file: c:\users\user\AppData\LocalLow\Sun\Java\Deployment\security\blacklisted.certs security: SHA-256Certificate finger print: F807A65B14382E9733915339ECDB9A23048A8FD46189584DD76EC80D0BDD8326 security: Checking if certificate is in Internet Explorer DISALLOWED certificate store security: SHA-256Certificate finger print: 0CFC19DB681B014BFE3F23CB3A78B67208B4E3D8D7B6A7B1807F7CD6ECB2A54E security: Checking if certificate is in Internet Explorer DISALLOWED certificate store security: SHA-256Certificate finger print: 8420DFBE376F414BF4C0A81E6936D24CCC03F304835B86C7A39142FCA723A689 security: Checking if certificate is in Internet Explorer DISALLOWED certificate store security: SHA-256Certificate finger print: A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305 security: Checking if certificate is in Internet Explorer DISALLOWED certificate store security: The OCSP support is enabled security: The CRL support is enabled network: Connecting http://ocsp.verisign.com/ with proxy=DIRECT network: Connecting http://ocsp.verisign.com:80/ with proxy=DIRECT security: OCSP Response: GOOD network: Connecting http://ocsp.verisign.com/ with proxy=DIRECT security: OCSP Response: GOOD network: Connecting http://ocsp.verisign.com/ with proxy=DIRECT security: OCSP Response: GOOD security: Certificate validation succeeded using OCSP/CRL security: Checking if certificate is in Internet Explorer TrustedPublisher certificate store basic: Dialog type is not candidate for embedding security: User has granted the privileges to the code for this session only security: Saving certificates in Deployment session certificate store security: Saved certificates in Deployment session certificate store security: Grant socket perm for https://the.domain.com/dana-cached/java/Neoterissun.jar : java.security.Permissions@1e39ebf ( ("java.net.SocketPermission" "the.domain.com" "connect,accept,resolve") ) security: Trust for: https://the.domain.com/dana-cached/java/Neoterissun.jar has ended: Wed Dec 31 19:00:00 EST 1969 security: Missing Application-Library-Allowable-Codebase manifest attribute for: https://the.domain.com/dana-cached/java/Neoterissun.jar security: Validate the certificate chain using CertPath API basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms security: Missing Application-Library-Allowable-Codebase manifest attribute for: https://the.domain.com/dana-cached/java/Neoterissun.jar security: Validate the certificate chain using CertPath API security: SSV validation: running: 1.7.0_51 requested: null range: null javaVersionParam: null Rule Set version: null network: Created version ID: 1.7.0.51 network: Created version ID: 1.7.0.51 security: continue with running version network: Created version ID: 1.7.0.51 network: Created version ID: 1.7 network: Created version ID: 2.2.51 security: --- parseCommandLine converted : into: [] security: Missing Application-Library-Allowable-Codebase manifest attribute for: https://the.domain.com/dana-cached/java/Neoterissun.jar security: Validate the certificate chain using CertPath API security: SSV validation: running: 1.7.0_51 requested: null range: null javaVersionParam: null Rule Set version: null network: Created version ID: 1.7.0.51 network: Created version ID: 1.7.0.51 security: continue with running version network: Created version ID: 1.7.0.51 network: Created version ID: 1.7 network: Created version ID: 2.2.51 security: --- parseCommandLine converted : into: [] basic: Applet loaded. basic: Applet resized and added to parent container basic: PERF: AppletExecutionRunnable - applet.init() BEGIN ; jvmLaunch dt 234879 us, pluginInit dt 6324338 us, TotalTime: 6559217 us basic: Applet loaded. basic: Applet resized and added to parent container basic: PERF: AppletExecutionRunnable - applet.init() BEGIN ; jvmLaunch dt 234879 us, pluginInit dt 6331971 us, TotalTime: 6566850 us basic: Applet initialized basic: Starting applet basic: completed perf rollup basic: Applet made visible basic: Applet started basic: Told clients applet is started OS Name: Windows 7 Java vendor: Oracle Corporation Executing Sun Microsystems block basic: Applet initialized basic: Starting applet basic: completed perf rollup IVE Host: the.domain.com network: Connecting https://the.domain.com/dana/cs/csdbg.cgi?app=jsam with proxy=DIRECT network: Connecting https://the.domain.com/dana/cs/csdbg.cgi?app=jsam with cookie "DSSignInURL=/; DSID=2308d369d46829e3f87dcd355acf372a; DSFirstAccess=1393433538; DSLastAccess=1393433547; DSJSAMInitialized=1" network: Server https://the.domain.com/dana/cs/csdbg.cgi?app=jsam requesting to set-cookie with "DSLastAccess=1393433549; path=/; Secure" Run Level:0, read timeout:90000 network: Connecting http://127.0.0.1:5555/ with proxy=DIRECT network: Connecting https://the.domain.com/dana-cached/java/jsamtool.exe with proxy=DIRECT network: Connecting https://the.domain.com/dana-cached/java/jsamtool.exe with cookie "DSSignInURL=/; DSID=2308d369d46829e3f87dcd355acf372a; DSFirstAccess=1393433538; DSLastAccess=1393433549; DSJSAMInitialized=1" network: Server https://the.domain.com/dana-cached/java/jsamtool.exe requesting to set-cookie with "DSLastAccess=1393433552; path=/; Secure" Admin tool will be launched from c:\users\user\AppData\Roaming\Juniper Networks\Java Secure Application Manager\jsamtool.exe network: Connecting http://127.0.0.1:5555/ with proxy=DIRECT network: Connecting http://127.0.0.1:5555/ with proxy=DIRECT network: Connecting http://127.0.0.1:5555/ with proxy=DIRECT network: Connecting http://127.0.0.1:5555/ with proxy=DIRECT Accounting.sendStart( String type "JSAM" ) network: Connecting https://the.domain.com/dana/home/norefr.cgi with proxy=DIRECT StatusApplet started... network: Connecting https://the.domain.com/dana/home/norefr.cgi with cookie "DSSignInURL=/; DSID=2308d369d46829e3f87dcd355acf372a; DSFirstAccess=1393433538; DSLastAccess=1393433552; DSJSAMInitialized=1" network: Server https://the.domain.com/dana/home/norefr.cgi requesting to set-cookie with "DSLastAccess=1393433538; path=/; Secure" Get ct: application/octet-stream Sent accounting start basic: Applet made visible basic: Applet started basic: Told clients applet is started
... View more
02-26-2014
08:30:AM
Thanks for explanation on how JSAM works to tunneling traffic. I have confirmed that the service is listening on port 80 on the designated loopback address but the hosts file is NOT being updated. The user I am testing with on Windows is an administrator. Behavior is showing the same on OSX. Service is listening but no modification of /etc/hosts. I am prompted to specify administrative credentials on OSX as part of JSAM trying to start (which I do) but still nothing in /etc/hosts The resource profile is defined by hostname
... View more
02-26-2014
05:08:AM
I have a basic Web Bookmark resource profile defined configured for JSAM using default settings. When I login to the portal, I launch JSAM manually with the start button and then JSAM connects and shows a green light. However, when I click on the web bookmark the website does not load. I see no traffic going through JSAM (per the send/receive stats in the JSAM window. Not sure what else to look at to try and get this working This occurs on both Windows and Mac. Environment details: SA 8.0R2 OS X 10.9.2, Safari 7, Java 7u51 Windows 7 x64, IE11, Java 7u51
... View more
02-24-2014
05:27:PM
SA 8.0R2 on MAG4610. I created a web resource profile and under rewrite policy I set it to use WSAM. SAM options on this user role are set to WSAM. I set auto-launch SAM in the options but WSAM still doesn't launch. When I log in with a user that has this profile mapped I don't get an option to launch WSAM. If I change SAM options to JSAM I get a button in the portal. This user I am testing with also has Junos Pulse configured. Would this cause WSAM to not be available for any reason?
... View more
02-11-2014
03:51:PM
I did trials with both Both products offer almost all the same features as the other. I would say F5 has slightly more flexibility because you basically string together your access portal using a Visual Policy Editor. This allows you to literally create the workflow of how the portal works, from the login page, to auth, to what resources are available. That's not to say it does more than Juniper because of it, but it does give you maximum control, which can be attractive to some people. F5 also lets you use their iRules (IP traffic manipulation) with APM which is a very powerful capability, if it's needed. One thing F5 APM doesn't offer is a web based access method to file shares. it was available in Firepass but it hasn't made it into APM yet. Juniper is 100x easier to configure and manage as an admin. Yes it's THAT much easier, I watched a couple short video's from someon YouTube on initial device configuration and that's all it took for me to fully understand how to get my Juniper demo VM fully deployed on my network with clientless and client based access. As I started to dig further into the feature set, I found Juniper's documentation and general informationa vialable online to be much more easier to work with and get me to my goal much faster compared to F5. F5 offers APM as a virtual appliance. Juniper only offers it in a VM for service providers. One of the potential advantage of F5 offering APM in a VM is that with the way the bundling works, you end up getting the FULL F5 product suite licensed. This means you get to use almost every product F5 offers all from that single VM. So if you have interested in load balancing, global load balancing, application firewall, etc., you can potentially kill many birds with one stone. But, if you want to stick with hardware, F5 appliances are rather pricey, but their concurrent user licening costs are well below Juniper so it helps balance it out. Depending on your user count, there can be a pretty huge difference in price between the two. I don't want to talk pricing publically in the forum but if you want to PM me I can provide more detail. I talked with some peers who work at very large organizations and they all used Juniper for SSL VPN. When I posted on various forums online, I got the most recommendations for Juniper. A few people pointed me towards F5 APM but none of them actually had used it themselves. I ended up picking Juniper. PS - The 3 links provided are rather old and these products have been through a decent amount of changes since the publish dates.. Case in point, the newest article is dated 2011 and it says there is no Host Checking for Mac and Linux from Juniper, and that's no longer accurate. One article is 2005 so that should be entirely ignored. The other article from SearchSecurity has no date but given it talks about an SA-6000 which end end of sale Jan 2010, that article is probably from mid-2009 at best. Both of the newer articles are also about Firepass, not APM, and while similar, they are not 100% identical.
... View more
01-29-2014
10:00:AM
Ran into an issue today where a user could not access a tunnelled network that he was able to access yesterday. No changes were made on the tunnel side. User is running Pulse 5.0 on Windows 7 connecting to Secure Access Service 8.0R1.0 User's home network of 192.168.1.0/24 with the home WiFi Router at 192.168.1.1 Overlapping Remote network is 192.168.0.0/23 Other Remote network is 10.10.0.0/16, 10.100.0.0/16 and 172.16.10.0/24 Split tunneling is enabled and route precedence is set to "Endpoint route". Secure Access Service Internal IP is 10.10.1.11 and VPN Tunneling Server IP is 10.10.1.12 Users assigned IP from Secure Access Service is 10.10.201.7 The user can access all of the "other" remote networks listed above, but they can't access remote network I have listed as "overlapping" When the user tries to ping IP's in the 192.168.0.0/23 subnet (ex: 192.168.1.11 and 192.168.1.6) the user gets no response, and traceroutes get no response either. The user said this was working fine yesterday, but today, no luck. No changes were made ont he Secure Access Service side. Here is the users current route table. I don't have a table from yesterday to look at. IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 25 10.10.0.0 255.255.0.0 On-link 10.10.201.7 1 10.10.201.7 255.255.255.255 On-link 10.10.201.7 256 10.10.255.255 255.255.255.255 On-link 10.10.201.7 256 10.100.0.0 255.255.0.0 On-link 10.10.201.7 1 10.100.255.255 255.255.255.255 On-link 10.10.201.7 256 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 172.16.10.0 255.255.255.0 On-link 10.10.201.7 1 172.16.10.255 255.255.255.255 On-link 10.10.201.7 256 192.65.XXX.XX 255.255.255.255 192.168.1.1 192.168.1.5 25 192.168.0.0 255.255.254.0 On-link 10.10.201.7 1 192.168.1.0 255.255.255.0 On-link 192.168.1.5 281 192.168.1.5 255.255.255.255 On-link 192.168.1.5 281 192.168.1.255 255.255.255.255 On-link 192.168.1.5 281 192.168.1.255 255.255.255.255 On-link 10.10.201.7 256 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.1.5 281 224.0.0.0 240.0.0.0 On-link 10.10.201.7 256 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.1.5 281 255.255.255.255 255.255.255.255 On-link 10.10.201.7 256 ===========================================================================
... View more
01-23-2014
08:27:AM
This is a common question that applies to more than just Juniper's SSL VPN product, and it's really about risk exposure tolerances. Connecting the internal port right into the LAN is the easiest way to deploy, but should the device software get exploited, a hacker could potentially gain unrestriced access to all LAN resoruces, assuming you have no internal access controls on the LAN segment the device is connecteed too. A generally best practice for security would be to not have a device accepting internet facing connects to be directly connected to the LAN, but this is a more complex setup. There are many ways to accomplish this with both 1 and 2 arm configurations. In general, a secure and fairly easy configuration would be 1 arm in DMZ, which would use only the internal port, Check out this KB for all the options: http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB10162 It talks about SA-6000 but it's relevant to any SA/MAG device with an internal//external interface. It's also relevant to just about any device (or virtual appliance) where you have at least 2 interfaces available.
... View more
01-10-2014
11:33:AM
I understand that licenses are tied to a single device unless you use a licensing server. For the size of my environment, a licensing server is rather overkill and was not recommended. As there is no way to migrate the concurrent user licenses to new hardware, and with user licenses being the most expensive part of a MAG purchase,concerns have been raised about longevity of investment. The SA series hardware looks to have had 5 year lifecycle from announcement until end-of-sale. If the same is going to appyl for the MAG, which came out in mid-2011, there is only about 2 1/2 possibly before end-of-sale. I won't have any issues with using end-of-sale equipment in product as long as it has support, and I know support runs for 5 years after end of sale, BUT, there are concerns about what the software development will be done on end-of-sale hardware. Do I run the risk of finding myself with an OS release (MS is moving towards yearly releases) that isn't supported on my 2 1/2 year old MAG investment? I don't know. Thus, with no way to move the bulk of the investment (concurrent user licensing) forward to new generation hardware, the lifecycle of the hardware relative to our purchase date is fairly important. When I look at a major competitor like Cisco ASA, their 1st generation ASA's were on the market 8 years before they went end-of-sale. Will the current generation last that long? Not sure, but all I can go on here is history. If the MAG hardware is going to run 8 years, then now I have 5+ years of known currency, which is very differnet than 2.5 years. How do others address these kinds of questions and situations?
... View more
01-02-2014
05:42:AM
@jayLaiz wrote: can you check http://kb.pulsesecure.net/KB26381 Regards, Jay Bingo! That was it. I specified a new IP range not in use anywhere in my network and put the route for that range back to the SA's VPN Tunnel IP Address and everthing works like a charm!
... View more
12-31-2013
05:22:PM
If you are going to Pulse on Mac than you are looking at layer 3 SSL VPN tunnel, and the restrictions are all protocl, IP and port based. There won't be a way to restrict just the Outlook application on Mac to go across the tunnel, it will be all traffic from the computer that has a SSL VPN tunnel connected through Pulse that can go across the tunnel, based on tunnel config. If you want to keep things as restrictive as possible and are using split tunneling then just specify the IP address of your Exchange CAS server. If you are not using split tunneling then you will use Access Policies to restrict the allowed traffic across the tunnel Additionally, with the Access Control rule, you can restrict traffc down to a protocol and port (such as TCP/443 for the IP of the CAS server). This same use in Access Control policy can also be layered with split tunneling as split tunneling config only lets you specify IP's and not protocols or ports. All of this is defined under Resource Policies/VPN Tunneling Here is a use case scenario form Juniper Tech Docs that uses Access Control to restrict traffic as much as possible: http://www.juniper.net/techpubs/en_US/sa8.0/topics /task/operational/secure-access-nc-policy-use-case ... I don't believe much has changed here in SA 8.0 software but you may want to upgrade to 7.4R9. 7.4R7 added official support for OS 10.9 which will be important for supporting Mac environment, and you may was well jump up to 7.4R9 sin that case.
... View more
12-31-2013
04:59:PM
Can I cluster like service modules between two physical different MAG6610's? And can I do this with both service modules? Specifically: SM160 #1 in MAG6610 #1 clustered to SM160 #1 in MAG6610 #2 SM160 #2 in MAG6610 #2 clustered to SM160 #1 in MAG6610 #2
... View more
12-31-2013
04:32:PM
@spuluka wrote: On your user role try setting the route precedence: Role -- VPN tunneling Tab Route Precedence-- select the tunnel option I'm idealyl looking for users in this situation to be able to access their local subnets as well as subnets across the VPN when any overlap occurs. This would allow them to do something such as print to their local printer or access local files while also accessing remote resources. Is that even possible? There are two options: "Tunnel" and "Tunnel with local subnet access" With split-tunneling enabled, the Admin Guide indicates that the difference in the route precedence s in regard to directly connected endpoint routes, as follows: Endpoint - Does not go through tunnel Tunnel - Routes are modified to go through the tunnel only if they overlap with the split-tunneling subnets. Otherwise the routes do not go through the tunnel. Tunnel with local subnet access - Does not go through tunnel. If I understand this correctly, I wold need to use "Tunnel" for the user to be able to access the subnet across the tunnel, but this would end up causing the user to lose local subnet acess, would it not? if I used "Tunnel with local subnet access", then it's no different than the "Endpoint" route precedence currently defined, and the user would have local subnet access but not remote subnet access for the overlap.
... View more
12-31-2013
03:51:PM
@RajTilak wrote: Hello Thanks but exactly speaking i want to control the traffic on split tunneling as well. I want the user to browse only requested sites i.e through VPN tunnel or other adaptor. All the other traffic should get dropped at his machine locally. I am looking for a scenariou where if default route can be removed on clients and static routes can be formed. When you enable split tunneling, you define what subnets/IP's would go through the tunnel. Anything not defined in that split tunnel list would go out tthe users local internet connection. You would setup you split tunnel subnets/IP's for whatever internal resources the user needs across the tunnel, and that's the only traffic that would go through the tunnel. I'm a little unclear how necessary traffic is coming across the VPN and then going out to your firewall to the internet? That would seem to imply you are not using split tunneling.
... View more
12-31-2013
03:14:PM
8.0R3 will probably fix it. From the release notes under resolved issues PR 971258 - Windows non-admin users fail to install Network Connect, WSAM even when Juniper Installer Service in installed.
... View more
12-31-2013
12:53:PM
I am considering purchasing a MAG6610/SM160 to run in SSL VPN and am using the SA DTE VM for eval purposes. I am currently trying to get the Pulse Client to work but am not receiving any traffic back to the client. My internal network is made up of multiple VLAN's within 10.10.0.0/16 (10.10.1.0/25, 10.10.10.0/24, etc), all routed on the core switch. Here's the configuration I am trying to make work right now SA 8.0R1 software internal port IP: 10.10.1.11 Internal port subnet: 255.255.255.0 internal port gw: 10.10.1.1 VPN Tunnel Server IP Address: 10.10.1.12 authentication against AD is configured and working split tunnel: disabled IP pool given out per VPN tunneling policy: 10.10.1.10-10.10.1.30 Junos Pulse client connects and I am asked to authenticate which I do successfully with my AD credentials. I am given an IP of 10.10.1.10. I then try to ping internet traffic, or internal IP of 10.10.10..10 and get no response. The client shows traffic out but nothing in. From an internal routing standpoint, the default gateway that the SA uses for the internal port handles all routing between VLAN's and out to the internet, so I was expecting this to all just work as-is, but no luck.
... View more
12-31-2013
09:20:AM
I cleared cache but no difference. The behavior is still the same, sometimes the entire site loads and functions, sometimes it doesn't. I am doing this in passthrough proxy right now since this is less intrusive and seems like it would be easier to troubleshoot. I will run through the log gathering process
... View more
12-31-2013
08:17:AM
Here are the specific details http://www.juniper.net/techpubs/en_US/sa8.0/inform ation-products/topic-collections/Junos-Pulse-Secur ... – Page 6, Table 4 http://www.juniper.net/techpubs/en_US/uac5.0/infor mation-products/topic-collections/Junos-Pulse-Acce ... - Page 5, Table 4 http://www.juniper.net/techpubs/en_US/sa8.0/topics /reference/general/secure-access-license-upgrading ... This would apply to something like the Common Access License. The last link does indicate that the EULA still applies, which should mean that you are still required to purchase the common access licenses based on the number of concurrent users accesing the devices. It's basically like an honor system for most licensed features. Anyone have any inside info on why this change was made? It seems as if it opens up Juniper for revenue loss for customers who are not going to do the right thing and purchased required quantities.
... View more
12-31-2013
07:03:AM
I am considering purchasing a MAG6610/SM160 to run in SSL VPN and am using the SA DTE VM 8.0r1 for eval purposes. I am looking at potentially having heavy use of rewrite and passthrough proxy features. I've run into an issue with one website when using rewrite. It basically appears as if all of the CSS and/or JS files are not being loaded and/or rendered. The site uses a lot of JS files including jquery and other things, pretty basic CSS, and XML to query data from a backend database. The application is ASP.NET If directly access the site (not going through the SA) it load completely 100% of the time. I've actually never had users complain of this issue while accessing the site internally for the past 3+ months on a daily basis, all day long, so it's not webserver performance issues. So, I switched to passthrough proxy and sometimes I can get the entire site to load properly, but sometimes I have the same issue where CSS doesn't ready and scripts don't load and execute. I set caching to unchanged, compress to off, disabled the toolbar and still no difference. I then tried different combinations of those settings and no change in overal behavior. Any ideas to why I can get the site to load fully and function properly but sometimes I cannot? Again, this is using PTP.
... View more
12-31-2013
06:57:AM
I see the same thing on 8.0R1.0 with Pulse 5.0.1.41197 Info NWC30477 2014-01-27 07:18:46 - ive - [XXX.XXX.XXX.XXX] user (user realm)[user roles] - VPN Tunneling: User with IP 10.10.201.5 connected with ESP transport mode. Info NWC30477 2014-01-27 07:18:40 - ive - [XXX.XXX.XXX.XXX] user (user realm)[user roles] - VPN Tunneling: User with IP 10.10.201.5 connected with SSL transport mode. I see the same thing even if i check the box for "ESP Transport Only (No SSL fallback, this setting is for the Pulse client only)" There is always 5-6 seconds between the two entries.
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
