I’ve been involved in a project at work to set up an iOS/Android-supporting SSL VPN gateway. A lot of businesses seem to be pushing the need to get mobile devices connected to the corporate network at the moment; there is a bit of a buzz with the popularity of smartphones. There is currently no host checking or device encryption offered with Junos Pulse, so it poses a bit of a risk: there’s a whole swag of devices on your network over which you don’t have a great deal of control, and you are largely reliant on the user not running malicious software (via a jailbreak, or a dodgy app store!).
Having spent a good deal of my time working on Juniper’s Pulse software, I feel the software is still fairly immature. The sign-in pages are seemingly bolted into the product and require some rework to get them working across all mobile platforms (although I understand they have fixed this somewhat in 7.1). There is a lack of decent information on the internet, and Juniper’s own documentation seems to focus more on what it’s able to do rather than HOW to do it. Web bookmarks do not seem to work yet either: the page loads for about 20 seconds and then times out with a white page and no error. I have run debugs and packet captures and there are no errors or anything indicative of an issue. The IVE device does not seem to generate the request to the web server the bookmark is directed to. This is the bulk of what I needed it for, and it doesn’t seem to work.
As a proof of concept I have been able to get Remote Desktop working reliably through the Junos client to my workstation. It’s not very practical on an iPhone screen, but a fair test nonetheless.
I’d initially created a Terminal Services session policy within the mobile user realm but found it wouldn’t generate any traffic down the Pulse VPN client (confirmed by the client showing 0 bytes sent under ‘Status’). The key to getting this working is creating a “Network Connect Access Policy” instead.
First of all, change the access feature from Junos Pulse to Network Connect:
It seems counterintuitive, but the Network Connect profiles work for Junos Pulse too. Click Options and then click “Access control” down the bottom. Create a policy similar to this, allowing TCP 3389 to your host only (keep it to the single workstation rather than a subnet, since the mobile client gets no host checking):
Save the changes and reload the VPN client. Ensure you have a firewall rule (if applicable) allowing the Network Connect IP range to the destination on the port specified. Download an RDP app for iPhone (Mocha RDP Lite works!) and configure the host you specified in your access control policy. You should now be able to bring up your desktop on your iOS/Android devices.
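When the client reports 0 bytes sent, it is hard to tell whether the access policy, the firewall rule or the workstation itself is the problem. The script below is an added example for this post (it is not from the original article or from Juniper) that runs on the VPN-connected side and classifies a TCP connect to the RDP host, mapping each outcome onto one of the steps above. The host address is a placeholder from the TEST-NET range; substitute the workstation you put in the access control policy.

```python
import socket

# Constructed placeholder values: replace with the host and port you entered
# in the Network Connect access control policy.
RDP_HOST = "192.0.2.10"   # TEST-NET-1 address, not a real workstation
RDP_PORT = 3389


def check_tcp_reachable(host, port, timeout=5.0):
    """Attempt a single TCP handshake and classify the result.

    Returns one of: "open", "refused", "timeout", "unresolved", "error".
    Only the handshake is attempted; no RDP data is sent.
    """
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"

    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    finally:
        sock.close()


def diagnose(status):
    """Map a connect outcome onto the likely misconfigured step."""
    hints = {
        "open": "Handshake completed: tunnel, access policy and firewall all pass "
                "traffic to this port.",
        "refused": "Host sent a reset: routing and firewall are fine, but nothing is "
                   "listening on the port (check Remote Desktop is enabled).",
        "timeout": "No answer: typical of a firewall dropping the Network Connect "
                   "range, or an access policy that does not match (compare with "
                   "0 bytes sent in the Pulse client Status view).",
        "unresolved": "Name lookup failed: try the IP address, or check the DNS "
                      "settings the gateway pushes to the client.",
        "error": "Other socket error: check local routing on the device.",
    }
    return hints[status]


def run_check(host=RDP_HOST, port=RDP_PORT, timeout=5.0):
    """Run the reachability check and return (status, hint)."""
    status = check_tcp_reachable(host, port, timeout)
    return status, diagnose(status)


if __name__ == "__main__":
    result, hint = run_check()
    print(f"{RDP_HOST}:{RDP_PORT} -> {result}")
    print(hint)
```

Run it from a laptop on the same VPN profile, or from any host that sits in the Network Connect IP range; a "timeout" with the policy in place points at the firewall rule, while a "refused" means the path is fine and the workstation is the thing to look at.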
Simple in theory, but these things are often overlooked, and there’s nothing in the documentation yet.