Secure Remote Access - SSLVPN FAQ

  1. What is Network Connect?
  2. Will the Juniper IPSec client (called Network Connect) replace the Cisco VPN Client?
  3. Network Connect closes automatically after I sign on. I am unable to maintain an IPSec session.
  4. What is split-tunneling and why is it not allowed?
  5. Can I participate in a multicast session within an SSLVPN tunnel?
  6. What are the issues with the use of personal firewalls?
  7. What files are pushed down to my computer at the start of an SSLVPN session?
  8. Where can I get a listing of the operating systems and browsers supported by the SSLVPN service?
  9. Why does Host Checker assessment continue to fail even though my anti-virus software and signature versions are up-to-date?
  10. What are key VPN components?
  11. Why does the SSLVPN installer “SetupClientInstaller.exe” repeatedly ask to install the client software while establishing SSLVPN session?
  12. When will Juniper Networks' SSL VPN platforms support OS X Mavericks 10.9 and Safari 7 as a supported client to connect to SA and MAG SSL VPN platforms?

  1. What is Network Connect?

Network Connect(c) is the vendor's (Juniper Networks) trademarked name for the IPSec client. This client is pushed down automatically after a successful SSLVPN sign-on.

  2. Will the Juniper IPSec client (called Network Connect) replace the Cisco VPN Client?

Yes. The Cisco VPN has been declared end-of-life by Cisco Systems. The clientless IPSec solution (Network Connect) by Juniper Networks replaces the Cisco VPN client. The old Cisco VPN service will remain in place until all users have migrated to the SSLVPN service.

  3. Network Connect closes automatically after I sign on. I am unable to maintain an IPSec session.

If Network Connect detects a potential security threat during an IPSec session, it closes silently or with an error message. One such threat is a change to the routing table during an IPSec session. Several applications are known to change the routing table (there may be more):

  1. The Apple "Bonjour" program, which is bundled with Apple(r) iTunes, occasionally changes the routing table to check for unauthorized Apple filesharing. The routing table is changed to redirect all traffic from the computer to an external Apple(r) site for traffic inspection; the traffic is then returned to the source computer to be routed to the intended destination. When this occurs, Network Connect closes the session. To prevent this from occurring, remove the "Bonjour" program from the list of installed programs. Windows OS: start > settings > Control Panel > Add or Remove Programs > Remove the "Bonjour" program.
  2. IEEE 802.1x authentication makes changes to the routing table. You may disable this service as follows: Microsoft OS: start > run > services.msc > Wired AutoConfig (disable)

  4. What is split-tunneling and why is it not allowed?

When a user has an IPSec (encrypted) tunnel to the York University network, this is considered a single tunnel. If the user is able to create a second connection (encrypted or unencrypted) outside the first tunnel to the internet, this is considered split-tunneling. Split-tunneling is a security risk since:

  1. The University's security policies are not enforced on the remote users' second connection to the internet.
  2. An unauthorized connection can be made inbound via the second connection and pass undetected through the encrypted first tunnel to the University resources.

As a result of these security risks, split-tunneling is disabled for all IPSec sessions.

Here is a graphical explanation of split-tunneling.
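
The routing-table check and the split-tunnel condition described in the two answers above, as an added example (not Juniper's or York's code): it diffs two routing-table snapshots and uses longest-prefix matching to list destinations that would leave the host outside the tunnel. The `ip -4 route show` samples, the interface name `tun0` and the gateway address 198.51.100.10 are constructed assumptions.

```python
import ipaddress

# Constructed `ip -4 route show` snapshots (not from the page). tun0 is the
# assumed tunnel interface; 198.51.100.10 is a placeholder VPN gateway that
# must stay reachable outside the tunnel.
BEFORE = """\
default dev tun0 scope link
198.51.100.10 via 192.168.1.1 dev eth0
"""
# Same table after another program adds a route that points away from tun0.
AFTER = BEFORE + "203.0.113.0/24 via 192.168.1.1 dev eth0\n"

def parse_routes(text):
    """Map each destination network to its egress interface."""
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        routes[net] = fields[fields.index("dev") + 1]
    return routes

def diff_routes(before, after):
    """Return (added or re-pointed routes, removed routes)."""
    added = {n: d for n, d in after.items() if before.get(n) != d}
    removed = {n: d for n, d in before.items() if n not in after}
    return added, removed

def egress(routes, addr):
    """Longest-prefix match: interface that would carry traffic to addr."""
    ip = ipaddress.ip_address(addr)
    matches = [n for n in routes if ip in n]
    return routes[max(matches, key=lambda n: n.prefixlen)] if matches else None

def bypasses_tunnel(routes, probes, tunnel="tun0", gateway="198.51.100.10"):
    """Probe addresses whose traffic would leave outside the tunnel."""
    return [p for p in probes if p != gateway and egress(routes, p) != tunnel]

if __name__ == "__main__":
    before, after = parse_routes(BEFORE), parse_routes(AFTER)
    added, _ = diff_routes(before, after)
    print("changed routes:", {str(n): d for n, d in added.items()})
    print("bypass:", bypasses_tunnel(after, ["203.0.113.7", "192.0.2.1"]))
```

A more specific route wins over the default route, which is why a single added /24 is enough to move that traffic off the tunnel interface.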

  5. Can I participate in a multicast session within an SSLVPN tunnel?

Currently multicast support is not enabled.

  6. What are the issues with the use of personal firewalls?

Certain versions of personal firewall software, home or small office Cable/DSL gateways (sometimes referred to as Cable/DSL routers), and Linux or BSD NAT/Firewall gateway/routers must be configured to allow traffic to the SSLVPN gateway. Please consult the documentation for your software or hardware. Please contact your vendor if you have questions or concerns about your firewall software or gateway.

  7. What files are pushed down to my computer at the start of an SSLVPN session?

All client-side changes are documented in the file Client Side Changes Guide.

  8. Where can I get a listing of the operating systems and browsers supported by the SSLVPN service?

The OS and browsers supported by the SSLVPN service are listed in the file Supported Platforms and Browsers Guide.

Supported OS and Browsers at a glance:

| Operating System | Browser and Java Environment | 32-bit | 64-bit |
|---|---|---|---|
| Windows 8, 7, Vista, XP | IE7, IE8, IE9, IE10, Firefox 3.0, Sun JRE 6 and above | Yes | Yes |
| MacOS 10.6.x, 10.7 & 10.8 (32 Bit only) | Safari 5 and above, Sun JRE 6 and above | Yes | Yes |
| Linux (Ubuntu 9.10, 10.x, 11.x; OpenSuse 10.x, 11.x) | Firefox 3.0, Sun JRE 6 | Yes | No |

  9. Why does Host Checker assessment continue to fail even though my anti-virus software and signature versions are up-to-date?

The Host Checker assessment requires not only that you run a full scan but also that the scan be clean. There must be no unable-to-read files, no files not scanned, no quarantined items, no unsuccessful quarantine, and no unable-to-handle files. (Quarantine action does not clean the risk. The risk remains until the client removes the files/application.)

  10. What are key VPN components?

Two key components of the VPN service include:

  1. Any supported web browser may be used; no pre-installed client software or special configuration by the end user is required.
  2. Any operating system with ActiveX or Java support can be used.

Services available during VPN Session

| Service | Availability |
|---|---|
| Access to Locally Attached Devices (such as printers) | Available |
| Access to Locally Networked Attached Devices | Not available. |
| Encrypted Traffic | All Traffic |
| IP Address | Every user receives a dynamically assigned unique IP address on the York University network. |

  11. Why does the SSLVPN installer SetupClientInstaller.exe repeatedly ask to install the client software while establishing SSLVPN session?

This problem is global to all SSLVPN profiles.

Affected Users: Various Windows OS running Java Version 6 Update 13 and older. ActiveX enabled users are not affected.

Resolutions:

Option 1.
Install the latest Java from http://www.java.com/getjava. As of February 14th 2012, the latest Java was Version 6 Update 31.

Option 2.
Open a new browser session and log in to your SSLVPN session.

Option 3.
If you do not have administrative rights to the computer, the system administrator (or your Department Tech Support) can use JuniperSetupServiceInstaller.exe to install the Juniper client. This installer will act as an admin proxy to allow future installs of the Juniper client.

  12. When will Juniper Networks' SSL VPN platforms support OS X Mavericks 10.9 and Safari 7 as a supported client to connect to SA and MAG SSL VPN platforms?

The ETA for the SSLVPN release with support for Mac OS 10.9 is beginning to mid-December 2013:

http://kb.juniper.net/KB28278

UIT expects January 2014 as the ETA for this support on the VPN website, as it will take some time to test and deploy.

Solution:
Juniper Networks is in the process of qualifying OS X Mavericks 10.9 and Safari 7 as a supported client for various access methods and endpoint security functionality offered by its SSL VPN platforms; currently it is not supported. We appreciate your patience during this qualification phase.

This KB article will be updated with any additional details especially around any new issues as they are found. The current plan of support for each major feature in SSL VPN Platform is listed below:

Junos Pulse Desktop, Endpoint Security (Host Checker), JSAM, Rewriter and Java Applets:

  • Support in the maintenance Release? We expect to complete the qualification process and release SSLVPN release 7.4R7, UAC release 4.4R7 and Junos Pulse release 4.0R7 during first week of Dec 2013. This release will contain bug fixes for all issues found during the qualification phase.
  • Support in the next major Software Release? OS X Mavericks 10.9 and Safari 7 will be supported in the next major SSLVPN and Pulse Client software release. Currently this will be SSLVPN release 8.0 and Pulse Client release 5.0.
  • What Server (SSL VPN and UAC) and Client versions (Junos Pulse) will be supported? If deploying OS X Mavericks 10.9 and Safari 7 we recommend customers upgrade to SSLVPN release 7.4R7, UAC release 4.4R7 and Junos Pulse release 4.0R7 (or higher).

Known Issues and Limitations:

1. Java Applets blocked by default: On OSX 10.9 (Mavericks), Safari 7's default action for Java applets is to block them. This prevents Pulse, Host Checker and JSAM from launching when accessed via Safari (912652, 922721). To work around this problem, do the following steps:

    • Use Safari to browse to the SA or IC. Log in and attempt to deploy Pulse (this will not work).
    • Open Safari Preferences, click the Security tab and choose "Manage Website Settings..." next to the Internet Plug-ins checkbox.
    • Click on Java and find the SA/IC URL listed on the right column.
    • Change the pulldown for that listing to "Run in unsafe mode".

2. Junos Pulse Desktop: Due to the default Gatekeeper settings on Mac OSX 10.8 (Mountain Lion) and OS X 10.9 (Mavericks), installing Junos Pulse using the standalone installer package using the Finder may fail. As a workaround, in the Security and Privacy Settings, "Allow applications downloaded from" should be set to "Anywhere" (812263).

3. Premier Java RDP Applet: Issues with using this feature when the color depth option is set to 8 bit. The workaround is to use 16 bit or 32 bit color depth setting (932856).

Network Connect:
Network Connect client is not supported on OS X Mavericks 10.9 and Safari 7. Junos Pulse Desktop can be used as a VPN client instead of Network Connect. Please refer to Junos Pulse Documentation for more details on this unified multi-services Client.

Junos Pulse Collaboration:
Junos Pulse Collaboration on OS X Mavericks 10.9 and Safari 7 is not supported.

References

Supported Platforms and Browsers Guide: This guide lists the platforms (operating system and browser combinations) that are supported by VPNYork.

Client Side Changes Guide: This guide lists the package filenames used by the VPNYork gateway device to install client-side components, files the packages install and uninstall, and registry changes that are made to the user's system.