Secure Remote Access - SSLVPN for Linux FAQs

  1. What is Network Connect?
  2. Will the Juniper IPSec client (called Network Connect) replace the Cisco VPN Client?
  3. Network Connect closes automatically after I sign on. I am unable to maintain an IPSec session.
  4. What is split-tunneling and why is it not allowed?
  5. Can I participate in a multicast session within an SSLVPN tunnel?
  6. What are the issues with the use of personal firewalls?
  7. What files are pushed down to my computer at the start of an SSLVPN session?
  8. Where can I get a listing of the operating systems and browsers supported by the SSLVPN service?
  9. Why does Host Checker assessment continue to fail even though my anti-virus software and signature versions are up-to-date?
  10. What are the services available during my SSLVPN session on my computer?

  1. What is Network Connect?

Network Connect© is Juniper Networks' trademarked name for its IPSec client. The client is pushed down automatically after a successful SSLVPN sign-on.

  2. Will the Juniper IPSec client (called Network Connect) replace the Cisco VPN Client?

Yes. The Cisco VPN client has been declared end-of-life by Cisco Systems. The clientless IPSec solution (Network Connect) from Juniper Networks replaces the Cisco VPN client. The old Cisco VPN service will remain in place until all users have migrated to the SSLVPN service.

  3. Network Connect closes automatically after I sign on. I am unable to maintain an IPSec session.

If Network Connect detects a potential security threat during an IPSec session, it closes, either silently or with an error message. One such threat is a change to the routing table during the session. Several known applications change the routing table (there may be others):

  1. The Apple "Bonjour" program, which is bundled with Apple® iTunes, occasionally changes the routing table to check for unauthorized Apple file sharing. The routing table is changed to redirect all traffic from the computer to an external Apple® site for inspection, after which it is returned to the source computer to be routed to the intended destination. When this occurs, Network Connect closes the session. To prevent this from occurring, remove "Bonjour" from the list of installed programs. Windows OS: Start > Settings > Control Panel > Add or Remove Programs > remove the "Bonjour" program.
  2. IEEE 802.1X authentication also makes changes to the routing table. You may disable this service as follows. Microsoft OS: Start > Run > services.msc > Wired AutoConfig (disable)

  4. What is split-tunneling and why is it not allowed?

When a user has an IPSec (encrypted) tunnel to the York University network, this is considered a single tunnel. If the user is able to create a second connection (encrypted or unencrypted) to the internet outside the first tunnel, this is considered split-tunneling. Split-tunneling is a security risk because:

  1. The University's security policies are not enforced on the remote user's second connection to the internet.
  2. An unauthorized inbound connection can be made via the second connection and pass undetected through the encrypted first tunnel to University resources.

As a result of these security risks, split-tunneling is disabled for all IPSec sessions.

Here is a graphical explanation of split-tunneling.
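A small audit script, added here and not part of the FAQ or of Juniper's Network Connect, that reads Linux `ip route show` output to tell a full tunnel from a split tunnel (this question) and to flag the mid-session route change that makes Network Connect drop the session (question 3). It assumes the VPN interface is named tun0; the route samples and the gateway address 203.0.113.5 are constructed.

```python
"""Added example (not part of the VPNYork FAQ or Juniper's software):
audit a Linux routing table for the two conditions the FAQ describes,
a split tunnel and a mid-session route change. Assumes the VPN
interface is tun0; the 'ip route show' samples below are constructed."""

def parse_routes(ip_route_output):
    """Map each destination ('default' or a prefix) to its outgoing interface."""
    routes = {}
    for line in ip_route_output.strip().splitlines():
        fields = line.split()
        if "dev" in fields:
            routes[fields[0]] = fields[fields.index("dev") + 1]
    return routes

def tunnel_mode(routes, vpn_if="tun0"):
    """'full' if the default route goes through the VPN interface,
    'split' if only some destinations do, 'none' if none do."""
    via_vpn = [dst for dst, dev in routes.items() if dev == vpn_if]
    if not via_vpn:
        return "none"
    return "full" if routes.get("default") == vpn_if else "split"

def route_changes(before, after):
    """Destinations added, removed, or re-pointed between two snapshots.
    Any non-empty result is the 'routing table changed' event that makes
    Network Connect drop the session."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    moved = sorted(d for d in before if d in after and before[d] != after[d])
    return added, removed, moved

# Constructed samples. 203.0.113.5 stands in for the VPN gateway; the host
# route to it stays on eth0 even in full-tunnel mode, as does the local LAN.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.5 via 192.168.1.1 dev eth0
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
# The same host after something re-pointed the default route off the tunnel.
REROUTED = FULL_TUNNEL.replace("default via 10.8.0.1 dev tun0",
                               "default via 192.168.1.1 dev eth0")
```

Snapshot the table with `ip route show` before connecting and periodically during the session; a non-empty `route_changes` result identifies the moment (and the destination) that tripped the client.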

  5. Can I participate in a multicast session within an SSLVPN tunnel?

Currently multicast support is not enabled.

  6. What are the issues with the use of personal firewalls?

Certain versions of personal firewall software, home or small-office Cable/DSL gateways (sometimes referred to as Cable/DSL routers), and Linux or BSD NAT/firewall gateways or routers must be configured to allow traffic to the SSLVPN gateway. Please consult the documentation for your software or hardware, and contact your vendor if you have questions or concerns about your firewall software or gateway.

  7. What files are pushed down to my computer at the start of an SSLVPN session?

All client-side changes are documented in the file Client Side Changes Guide.

  8. Where can I get a listing of the operating systems and browsers supported by the SSLVPN service?

The OS and browsers supported by the SSLVPN service are listed in the file Supported Platforms and Browsers Guide.

Supported OS and Browsers at a glance:

Operating System                                       Browser and Java Environment                              32-bit   64-bit
Windows 8, 7, Vista, XP                                IE7, IE8, IE9, IE10, Firefox 3.0, Sun JRE 6 and above     Yes      Yes
MacOS 10.6.x, 10.7 & 10.8 (32 Bit only)                Safari 5 and above, Sun JRE 6 and above                   Yes      Yes
Linux (Ubuntu 9.10, 10.x, 11.x; OpenSuse 10.x, 11.x)   Firefox 3.0, Sun JRE 6                                    Yes      No

  9. Why does Host Checker assessment continue to fail even though my anti-virus software and signature versions are up-to-date?

The Host Checker assessment requires not only that you run a full scan but that the scan is clean. There must be no unreadable files, no files that were not scanned, no quarantined items, no failed quarantine actions, and no files the scanner was unable to handle. (Quarantining does not clean the risk; the risk remains until the client removes the files or application.)

  10. What are key VPN components?

Services available during VPN session

Access to locally attached devices (such as printers)   Available
Access to locally networked attached devices            Not available
Encrypted traffic                                       All traffic
IP address                                              Every user receives a dynamically assigned unique IP address on the York University network.


References

Supported Platforms and Browsers Guide: This guide lists the platforms (operating system and browser combinations) that are supported by VPNYork.

Client Side Changes Guide: This guide lists the package filenames used by the VPNYork gateway device to install client-side components, files the packages install and uninstall, and registry changes that are made to the user's system.