Probably my least favourite thing I’ve been ‘privileged’ to work on this year has been SAML federation. With a view to replacing our Juniper IVEs, which act purely as SSL VPN gateways, I’ve been looking at alternatives that offer more functionality in the way of load balancing, application delivery, and security features (i.e. SQL injection protection, form sanitisation etc.). Our company uses SAML federation on the Junipers currently, so any proposed replacement would need to do this too. The BIG-IP APM product and the Citrix NetScalers both boast a feature set which includes the SSL VPN functionality as well as the aforementioned additional features.

While I have a pretty good understanding of SAML and the roles of the IdP and SP systems, it seems the variance in how each vendor implements these roles is enough to cause a bit of a headache. Even though the Juniper and F5 devices have a seemingly intuitive approach to setting these up, it’s still not that easy to get them working together. Metadata files are supposed to make the exchange of this configuration between platforms easy; it should just be a matter of exporting/importing these on each of the SP/IdP systems, exchanging SSL certificates, and configuring the resources to be accessed. In a short amount of time, I’ve managed to hit three errors:

The following were caused by mismatched certificates:

Oct 15 14:48:30 xxxapmt01v err apd[20059]: 01490204:3: 9a52b00c: SAML Agent: /Common/APM_POC_act_saml_auth_ag failed to process signed assertion, error: IdP certificate mismatch
Oct 15 15:05:57 xxxtapmt01v err apd[20059]: 0149020a:3: 7d4f8750: SAML Agent: /Common/APM_POC_act_saml_auth_ag SAML assertion is invalid, error: AuthenticationStatement must have AuthnInstant attribute

This is the error I’m currently stuck on:

Oct 15 14:59:38 xxxapmt01v err apd[20059]: 01490203:3: 2862ad79: SAML Agent: /Common/APM_POC_act_saml_auth_ag failed to parse assertion, error: Response is not encrypted

The Juniper is acting as the IdP, and I’m not sure why it would be sending unencrypted assertions; I have the same system working with other SPs, so I think it’s more likely to be on the APM (SP).
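As an added example (not from the original post), here is a quick Python check of a decoded SAML Response for the three conditions behind the errors above: no EncryptedAssertion element, an AuthnStatement missing its AuthnInstant attribute, and a signing certificate that differs from the one configured on the SP. The sample response and the certificate bytes are constructed placeholders.

```python
# Added example, not from the original post: a pre-flight check of a decoded
# SAML 2.0 Response that mirrors the three APM SAML Agent errors quoted above.
# The response XML and the "configured" IdP certificate are constructed here.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_saml_response(xml_text, configured_cert_sha1):
    """Return APM-style findings for a decoded SAML Response, in check order."""
    findings = []
    root = ET.fromstring(xml_text)
    # "Response is not encrypted": an SP set to require assertion encryption
    # expects <saml:EncryptedAssertion>, not a plaintext <saml:Assertion>.
    if root.find("saml:EncryptedAssertion", NS) is None:
        findings.append("Response is not encrypted")
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        # "AuthenticationStatement must have AuthnInstant attribute"
        for stmt in assertion.findall("saml:AuthnStatement", NS):
            if "AuthnInstant" not in stmt.attrib:
                findings.append("AuthenticationStatement must have AuthnInstant attribute")
        # "IdP certificate mismatch": the signing certificate carried in the
        # assertion's signature must be the one configured on the SP.
        cert = assertion.find(".//ds:X509Certificate", NS)
        if cert is not None:
            der = base64.b64decode("".join(cert.text.split()))
            if hashlib.sha1(der).hexdigest() != configured_cert_sha1:
                findings.append("IdP certificate mismatch")
    return findings

# Constructed sample: unencrypted, AuthnInstant missing, placeholder cert bytes.
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(FAKE_CERT_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:AuthnStatement SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""
CONFIGURED_SHA1 = hashlib.sha1(FAKE_CERT_DER).hexdigest()
```

For real input, take the base64 SAMLResponse form field from a browser capture of the IdP’s POST to the SP, and the SHA-1 fingerprint of the certificate configured on the SP’s IdP connector.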

I’ve followed these guides to a tee:

Configuring Juniper as IDP

Configuring F5 APM as SP

Drop me a line if you have any experience with the errors please!

Update 1: this is fixed in 11.4.0 HF4.

For those of you who have had to troubleshoot Junos Pulse issues, you will no doubt have asked yourself where to start. The client has barely any information, showing just the connection profile and its status – connected or not. NetConnect had far better visibility of the technical information, as it showed the DHCP-allocated address, sent/received bytes, routes etc. Junos Pulse has an equivalent, but it is, as far as I know, completely undocumented.

You can find it on a Windows machine under “C:\Program Files\Common Files\Juniper Networks\JamUI”. The Pulse Diagnostics application within that directory can be run by firing up pdv.exe.

For obvious reasons I have removed the server URL/IP from the screenshot below. It’s a great tool if you need to know any of the technical information around the Pulse client.

Pulse Diagnostics

Drop me a line if you found this useful!

I’m doing some work with virtual desktop sessions on Juniper at the moment and have come across this error message when trying to connect to XenDesktop version 5.4 from SSL VPN IVE version 7.1R2.

Unable to load Citrix Desktops, please contact your administrator

Digging a bit deeper, a tcpdump reveals an unknown (‘unspecified’) error being returned from the Citrix server.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd">
<NFuseProtocol version="5.1">
  <ResponseAppData>
    <ErrorId>unspecified</ErrorId>
  </ResponseAppData>
</NFuseProtocol>

I have spoken with JTAC and they have confirmed that there is a compatibility issue with XenDesktop 5.x. They are working on a fix but there is currently no ETA (well, not one they would give me anyway). Your options are to downgrade and use version 4, swap to VMware View, or twiddle your thumbs a bit until the fix is made by Juniper.

It is possible to use version 5 if you create a Network Connect profile and use the native Citrix client. It’s certainly not as seamless as a web bookmark, but it would still get you up and running if this stuff was urgent.

Hope this helps.

Import error

You will get this error if you are trying to import the XML config from a device which is running a different version to the one you’re importing it to. Exports/imports must be performed on the same version. A massive pain for me, as I’m doing a consolidation project to move the rules from one of our clusters to another.

This is also confirmed on the Juniper forums: http://forums.juniper.net/t5/SSL-VPN/Importing-config-to-newer-version-SA-appliance-possible/td-p/9973

If you are receiving the error “The server disallowed the connection” when launching the Junos Pulse client, it means you have not allowed Network Connect on the User Role you created for mobile devices. It’s easy to make the mistake of configuring a Network Connect profile but not ticking the box which binds it to the role. The form should really tick the box automatically when you select either Network Connect or Junos Pulse.

Click on Users/User Roles. Select the User Role you created for the mobile devices and then go down and confirm the ‘Network Connect’ box is ticked.

Remember to tick the box!