It is with a heavy heart that I must announce I’m about to turn off our Juniper IVEs (aka SSL VPN). In reality, all we were using these for was publishing applications and presenting them as bookmarks on a landing page. It’s been a very capable, reliable product over the years, so it will be with some hesitation that I hit the shutdown button on these later this week.

I started this blog back in 2011 and most of the posts were about the trials and tribulations on that platform. Being fully “Azured” we decided to go with Azure Remote App and move away from RSA/Juniper SSL combo. Commercially it makes a lot of sense; RSA has been replaced by Azure MFA which is offered essentially for free when you have AD premium users.

It’s more than a little unfortunate that they have now shitcanned the product and won’t offer it after August 31st, 2017. We intend on using it until we have something that offers similar functionality. The announcement is here. They are pushing a Citrix solution, so it would seem a little ironic if we ended up on that given we retired all of our Citrix environment some time ago.

Gartner stopped doing an SSL Gateway Quadrant a number of years ago and had implied that there would no longer be dedicated devices for this purpose. Instead, the function would be rolled into other network infrastructure. I have seen this to be the case where products such as F5’s LTM have been modularised to include this (theirs is called APM). I had done a POC (a long time ago) on both APM and also NetScaler and found these to be capable but expensive products.

We need a device which will terminate SSL connections, present applications to users, and ideally also offer an RDP gateway (as this is quite frankly awful on RemoteApp). NetScaler has an Azure Marketplace image, so I might see whether this is a worthy successor. I’m less excited about another IaaS instance to look after, but I don’t know of any managed cloud services which fit this space currently.

For those of you that have had to troubleshoot Junos Pulse issues, you will no doubt have asked yourself where to start. The client has barely any information, showing just the connection profile and its status – connected or not. Network Connect had far better visibility of the technical information, as it showed the DHCP allocated address, sent/received bytes, routes etc. Junos Pulse has an equivalent, but it is, as far as I know, completely undocumented.

You can find it on a Windows machine under “C:\Program Files\Common Files\Juniper Networks\JamUI”. The Pulse Diagnostics application within that directory can be run by firing up pdv.exe.

For obvious reasons I have removed the server URL / IP from the screenshot below. It’s a great tool if you need to know any of the technical information around the Pulse client.

Pulse Diagnostics

Drop me a line if you found this useful!

I’m doing some work with virtual desktop sessions on Juniper at the moment and have come across this error message when trying to connect to XenDesktop version 5.4 from SSL VPN IVE version 7.1R2.

Unable to load Citrix Desktops, please contact your administrator

Digging a bit deeper, a tcpdump reveals an unknown error which is returned from the Citrix server.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd">
<NFuseProtocol version="5.1">
<ResponseAppData>
<ErrorId>unspecified</ErrorId>
</ResponseAppData>
</NFuseProtocol>
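If you are pulling these responses out of a tcpdump regularly, it helps to parse them rather than eyeball the XML. The following is an added example (my own illustration, not code from Juniper or Citrix) that parses an NFuse protocol response body and reports whether the Citrix side returned an ErrorId. The error sample is the body shown above retyped with straight quotes; the "no error" sample and its empty AppDataSet element are a constructed stand-in whose shape is assumed, not taken from a real capture.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample: the body from the tcpdump in the post, retyped with straight
# quotes so it parses (the blog copy picked up typographic quotes from the editor).
SAMPLE_ERROR_RESPONSE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd">
<NFuseProtocol version="5.1">
<ResponseAppData>
<ErrorId>unspecified</ErrorId>
</ResponseAppData>
</NFuseProtocol>
"""

# Constructed stand-in for a response carrying no error. The empty <AppDataSet/>
# is an assumption about the success shape, not something seen in the post.
SAMPLE_OK_RESPONSE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd">
<NFuseProtocol version="5.1">
<ResponseAppData>
<AppDataSet/>
</ResponseAppData>
</NFuseProtocol>
"""


@dataclass
class NFuseResult:
    version: Optional[str]   # "version" attribute on the <NFuseProtocol> root
    response: Optional[str]  # tag of the first child, e.g. ResponseAppData
    error_id: Optional[str]  # text of <ErrorId> when present, otherwise None


def parse_nfuse_response(body: Union[bytes, str]) -> NFuseResult:
    """Parse an NFuse response body captured off the wire.

    Accepts the raw bytes from the capture, or a str (encoded here as
    ISO-8859-1 to match the declaration the server sends). The DOCTYPE's
    external DTD is never fetched: ElementTree does not resolve external
    entities, so an untrusted capture cannot make this reach out to the network.
    """
    if isinstance(body, str):
        body = body.encode("iso-8859-1")
    root = ET.fromstring(body)
    if root.tag != "NFuseProtocol":
        raise ValueError(f"not an NFuseProtocol document (root was <{root.tag}>)")
    first = next(iter(root), None)
    error = root.find(".//ErrorId")
    return NFuseResult(
        version=root.get("version"),
        response=first.tag if first is not None else None,
        error_id=error.text.strip() if error is not None and error.text else None,
    )


def describe(result: NFuseResult) -> str:
    """One-line verdict for a troubleshooting log."""
    if result.error_id is None:
        return f"OK: {result.response} (NFuse {result.version}) returned no ErrorId"
    return (f"ERROR: {result.response} (NFuse {result.version}) returned "
            f"ErrorId={result.error_id!r}")


if __name__ == "__main__":
    for sample in (SAMPLE_ERROR_RESPONSE, SAMPLE_OK_RESPONSE):
        print(describe(parse_nfuse_response(sample)))
```

Running it prints an ERROR line for the captured body (ErrorId 'unspecified') and an OK line for the constructed success sample, which makes the Citrix-side failure stand out in a pile of otherwise unremarkable XML.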

I have spoken with JTAC and they have confirmed that there is a compatibility issue with XenDesktop 5.x. They are working on a fix, but there is currently no ETA (well, not one they would give me anyway). Your options are to downgrade and use version 4, swap to VMware View, or twiddle your thumbs a bit until the fix is made by Juniper.

It is possible to use version 5 if you create a Network Connect profile and use the native Citrix client. It’s certainly not as seamless as a web bookmark is, but it’d still get you up and running if this stuff was urgent.

Hope this helps.

Import error

You will get this error if you are trying to import the XML config from a device which is running a different version to the one you’re importing it to. Exports/imports must be performed on the same version. A massive pain for me, as I’m doing a consolidation project to move the rules from one of our clusters to another.

This is also confirmed on the Juniper forums: http://forums.juniper.net/t5/SSL-VPN/Importing-config-to-newer-version-SA-appliance-possible/td-p/9973

If you are receiving the error “The server disallowed the connection” when launching the Junos Pulse client, it means you have not allowed Network Connect on the User Role you created for mobile devices. It’s easy to make the mistake of configuring a Network Connect profile but not ticking the box which binds it to the role. The form should really tick the box automatically when you select either Network Connect or Junos Pulse.

Click on Users/User Roles. Select the User Role you created for the mobile devices and then go down and confirm the ‘Network Connect’ box is ticked.

Remember to tick the box!