Hello all   Was hoping someone could lend me a hand. The whole issue of certificates quite frankly gives me a headache. A dark art some would call it.   The requirements are that the user's machine should be checked to ensure it has a valid certificate signed/issued by the internal PKI. So to simulate this I have setup a Server 2008 root CA (single tier) with which I have created my root cert and private key. In order to simulate the machine certificate verification I have created a certificate template on the PKI using the template 'Workstation Authentication' that has the following properties:   Algorithm: ECDH 256, HASH: SHA256 Subject Name: Format: Common Name, Include UPN Permissions: Domain Computers - Read, Autoenroll   I then use a GPO to push this out to my lab Windows 8.1 VM.   My thinking now is that the machine now has a client/machine certificate. Using the MMC snap-in I can verify that the cert has indeed been sent to the Windows 8 machine signed by the CA. With this I now upload the root CA cert to the SA under the [b]System > Configuration > Certificates > Trusted Client CA[/b] section. I then enable the certificate check under the [b]User Realms > Realm Name > Authentication Policy > Certificate[/b] section.   With this my hope is that prior to authentication the host machine will have the certificate checked, the SA then compares this to the uploaded root CA and sees it has been signed by the same internal PKI and voila, it's passed.   Unfortunately that is not the case as I just keep getting the dreaded "Error 1332 Missing or invalid certificate error" when trying to log in.   I'm at a loss here. Can someone shed a light on how to fix this?   Many thanks ... View more

Hello all We have a requirement to deploy a SAS SSL VPN solution using some MAGs. The requirements as defined by the customer are to use:   - Encryption: AES with 128-bit key in GCM mode - Authentication: ECDSA-256 with SHA-256 on P-256 curve - Key Exchange: ECDH using P-256 curve   As all fall under the combination 1 of the Suite B profile for TLS (RFC 6460).   The Junos SAS does support suite B, however, I'm a little unsure as to how we actually ensure that these parameters are used when the client connects (via Pulse only, never a web browser).    In our lab we have a MAG and a Pulse client. Under Configuration > Security > SSL Options I have the following configured:   1. Turn on FIPS mode 2. Accept only TLS 3. Custom SSL Cipher Selection (AES/3DES and AES ticked)   When we fire up the Pulse client we see that we only ever agree between Pulse and the SAS the Ciper Suite:   TLS_RSA_WITH_AES_128_CBC_SHA256   This may be a silly question but what is the best way to ensure that we use the following Ciper Suite so as to comply with the customer's requirements: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   Thank you ... View more

Hello all   Just getting to grips with the Junos SAS. I have configured a host checker policy which if failed, should give the user a hyperlink they can click to go off and update whatever it is they need to update. The thing is the Hyperlink doesn't open up in a separate browser but opens within the Pulse client. This is all well and good but is there a way to get it to launch in an external browser, IE for example? Thank you ... View more

Hello all   Has anyone had much luck with setting up health monitors from their load balancer of choice to the SA devices? I have followed this guide:   http://www.juniper.net/techpubs/en_US/sa8.0/topics/reference/general/secure-access-clustering-active-active-deploying.html   But when I apply:   Send string: https://Secure Access Service Controller-Hostname/dana-na/healthcheck/healthcheck.cgi?status=all Receive string: HTTP/1.1 200 OK   Or:   Send string: https://Secure Access Service Controller-Hostname/dana-na/healthcheck/healthcheck.cgi?status=all Receive string: Security gateway is accessible   ...the virtual server that is the MAG IP endpoint always goes offline. I'm using the F5 GTM product to do this monitoring by the way.   In an ideal world what would be great is to have a monitor that initially probes the SA, the SA returns back the current number of SSL connections. The load balancer then removes that node from the pool if the number of SSL connections is above a certain limit.   Any ideas? Thank you ... View more

Hello all Forgive me if this question has been answered, I did look but couldn't find anything specifically what I'm after. I'm hoping it will actually be quite simple.   I am embarking on an adventure to design a remote access solution based on the Juniper SA series (MAG, SSL VPN etc.).  The customer has expressed a desire to load balance incoming requests to both data centres using the F5 GTM product.   I have experience with GTMs but to date it has been entirely GTM <-> LTM communications, no 3rd party. My thinking here is to:   1. Create two  'Server' objects on the GTM as a 'Generic Host' and specify the IP address of each of the external IP addresses of the Juniper MAGs, respectively. 2. Staying within the Server configuration I define the 'Virtual Server' or vIP of each device. These too will also be the external IP address of the MAGs 3. With these constructs now in place I can create two 'Pools' into which I add each Virtual Server. 4. Then define a Wide IP to respond to the DNS requests and assign both pools.   The GTM will then return the vIPs of each MAG.   I've rushed through that explanation but is anyone able to validate that the above will do the trick or is there a smarter way to achieve my goals? Many thanks for your advice. I am new to Juniper so please bear with me through some seriously silly questions. ... View more