technology, networking and IP telephony
Posts tagged Juniper
Norton 360 and Juniper SSL VPN WSAM
3October 2, 2009
by Michael McNamara in Juniper
Update: Thursday, October 8, 2009 I decided to rewrite this post to include all the information I’ve accumulated while troubleshooting the issues I’ve encountered deploying software release 6.5R1 for my organization. I can’t tell you how valuable it is to have access to a virtual machine with snapshot capability while testing all the different possible anti-virus, anti-spyware, and security software that’s out there in the wild with Juniper’s Windows Secure Application Manager. Since Juniper has yet to really release any useful information I thought I would add some additional notes to this post around the different software products that I’ve discovered can interfere with Juniper’s Windows Secure Application Manager (WSAM) client software.
If you’re a regular follower you know that we recently upgraded our Juniper Secure Access 4000 SSL VPN appliances from 6.2R1 to 6.5R1. You also know that we discovered that the old Juniper Installer Service from 6.2R1 is unable to upgrade the Juniper software components for non-Administrator users. You’ll need to manually install the Juniper Installer Service if your users are non-Administrators of the local computer they work on.
Norton 360, Norton Internet Security, Norton AntiVirus 2010
We’ve been successful in duplicating customer reported issues between Norton 360 or Norton Internet Security or Norton AntiVirus 2010 and Juniper’s Windows Secure Application Manager (WSAM). Windows XP users running any of the above Norton products will generally experience a blue screen of death crash (IRQL_NOT_LESS_OR_EQUAL) when clicking on a bookmark that relies on the WSAM client. Windows Vista users running any of the above Norton products will generally hang the machine (only after the first reboot from the time the product was installed) when launching the WSAM client software upon logging into the Juniper appliance. As a side note to this problem, users running Norton 360 (v3.0.0.135) do not experience this problem, only users running Norton 360 (v3.5.2.11). Juniper Technical Assistance Center (JTAC) has acknowledged that a problem exists and is working to release 6.5R2 in November 2009 to address the problems with Norton.
Symantec AntiVirus v10.x
Users running Symantec Corporate Edition AntiVirus v10.0, v10.2 experience intermittent local name resolution issues from DNS, WINS and local NetBIOS name broadcasts while the WSAM client software is running. The name resolution issues are not present when WSAM is not running. A possible workaround is to create static HOST entries in the local HOSTS file (C:\Windows\System32\drivers\etc\hosts). JTAC has acknowledged that a problem exists, I’m still waiting for additional information from JTAC.
ESET NOD32 Smart Security 4 and Antivirus 4
The testing in our lab has shown varied results. In some instances the latest and greatest release of NOD32 appears to work fine with WSAM. The later versions of NOD32 appear to add exceptions for the Juniper software components in the advanced configuration section under ‘Web Access Protection’. Older versions of NOD32 appear to block WSAM from communicating with the Juniper Secure Access Appliances even though the application indicates that it’s ‘Connected’. In our testing we did find that JSAM and NC both appeared to function properly with the latest version of ESET NOD32 installed. We’ve implemented a workaround for our customers using JSAM and that appears to be working for our users.
Check Point ZoneAlarm Security Suite
We’ve been able to re-create this problem and also have a ticket open with JTAC. We’ve tried adding exceptions and making IP addresses ‘trusted’ in Check Point’s language. We’ve been completely unsuccessful in getting this product to work with WSAM. The symptoms are identical to NOD32, where the WSAM application launches successfully and indicates that it’s ‘Connected’ but your unable to connect to any WSAM applications. In our testing we did find that JSAM and NC both appeared to function properly with ZoneAlarm installed. I have a support ticket open with JTAC but I haven’t received any feedback yet. We’ve implemented a workaround for our customers using JSAM.
I also learned from a user that Spybot Search & Destroy has a feature that can ‘lock’ the local host file on a computer preventing Java Secure Application Manager (JSAM) from operating properly.
Anyone else having any issues of findings they care to share?
Juniper SSL VPN Secure Access 6.5 Available
2September 1, 2009
by Michael McNamara in Juniper
Juniper recently released a new version of software for their SSL VPN (Secure Access) appliances. The new release is important because it finally addresses a problem that was original documented on my blog in this post. While I have yet to deploy this new software release (I would be interested in hearing from those that have) I thought it warranted a new post.
This latest version of software now supports Windows Secure Application Manager (WSAM) when used on Windows XP 64-bit and Windows Vista 64-bit clients. There was no mention of Windows 7 which is due to be released October 22, 2009. I did find it interesting that Internet Explorer 8 was only “compatible” with respect to a few of the features while Internet Explorer 7 was “qualified” with all features (review Juniper Secure Access 6.5 Supported Platforms document for specifics). I did a quick search over in the Juniper forums and found some reports that Host Checker wasn’t working properly with Windows 7 RC.
There were two new features that jumped out at me in the What’s New document;
RDP Launcher
SA 6.5 simplifies the use of RDP sessions for end users without requiring them or administrators to create bookmarks.
- Simplifies ease of use for remote users to RDP into remote desktops by merely clicking a button or entering a hostname or IP Address of the remote computer.
- Simplifies the configuration for administrators and reduces the number of support calls from users who are unable to figure out how to RDP to remote computers.
VDI Support
Secure Access (SA) version 6.5 interoperates with VDI products, including VMWare’s View Manager and Citrix’s XenDesktop, enabling administrators to deploy virtual desktops alongside the SA series of SSL VPN devices. This allows the SA administrator to configure centralized remote access policies for users who access their virtual desktops.
- This provides a centralized point of configuration for administrators to configure remote access policies for virtual desktop access through leading virtualization products from VMWare and Citrix.
- SA 6.5 provides end users the VDI client to access the virtual desktop through, and provides flexible client fallback options thereby simplifying the deployment and management for administrators.
We have a lot of folks looking to access their corporate desktops remotely and the RDP (Terminal Services) feature of the Juniper SSL VPN really helps fill that role.
Cheers!
References;
What’s New in Juniper Networks Secure Access (SA) SSL VPN Version 6.5
Juniper Secure Access 6.5 Release Notes
WSAM and Network Connect Error Messages Release 6.5
Juniper Secure Access 6.5 Support Platforms
Update: Thursday November 5, 2009
Let me get right to the point, I would not recommend anyone deploy 6.5R1 on their Juniper Secure Access appliances. There are known issues with the Juniper Windows Secure Application Manager (WSAM) and the following four security suites; Norton 360, Symantec AntiVirus, Zone Alarm Security, ESET NOD32. Users with Norton 360 could experience a blue screen of death (BSOD) using the Juniper Windows Secure Application Manager. Juniper has a hotfix available for 6.5R1 that resolves the BSOD issues with Norton 360. The hotfix is not generally available on the Juniper website so you must contact JTAC for the hotfix.
Additional information can be found at this post; http://blog.michaelfmcnamara.com/2009/10/norton-360-and-juniper-ssl-vpn-wsam/
Update: Friday September 19, 2009
A quick update… I’ve setup a spare SA4000 and received a demo license from Juniper to test the 6.5R1 software release (thanks Matt!). I’m happy to report that the upgrade on the appliance was very smooth although it took about 6 minutes for the appliance to boot back up giving me a few frightful thoughts. Unfortunately the same can’t be said of the client software. I’m still in the process of testing but it appears that non-Administrator users (users that don’t have Administrator rights on the PC) won’t be functional after the upgrade until an Administrator manually installs the latest and greatest Juniper Installer Service. The Juniper Installer Service is designed to allow the client software to upgrade when the user doesn’t have Administrator rights. Users with Administrator rights work fine so long as they answer the prompts to install the new version of the Juniper Installer Service. I hope to release a detailed post in the next few days including some testing of Windows Vista 64-bit desktops.
Juniper SSL VPN Appliance and Windows Vista 64-Bit
11August 12, 2008
by Michael McNamara in Juniper
Update: September 1, 2009
Juniper has released software 6.5 for the Juniper SSL VPN (Secure Access) appliances which now supports running WSAM on Windows 64-bit operating systems. I’ve posted a new article that details the new software which can be found here; http://blog.michaelfmcnamara.com/2009/09/juniper-ssl-vpn-secure-access-6-5-available/
Almost six years ago we deployed a Neoteris Secure Access 1000 appliance which was designed to publish Intranet based web applications to Internet clients. Neoteris was acquired by Netscreen and then Netscreen was acquired by Juniper. Over a year ago we upgraded our legacy hardware with two Juniper SA4000s running them as a cluster in a high availability design (active/standby). The solution has been very successful with the exception of the occasionally home PC that for one reason or another refuses to install the client software.
We recently upgraded to software release v6.2R1 which promised full support for Windows Vista 64-Bit and Juniper’s Windows Secure Application Manager (WSAM). Juniper’s Windows Secure Application Manager is essentially a mini VPN client that tunnels traffic across an SSL connection with the SA4000 appliances. It provides raw connectivity for non-HTTP based applications. While the documentation indicated that Windows Vista 64-Bit was fully supported we were unable to make it work after a few customers reported having issues. We opened a ticket with Juniper and waiting four business days before Juniper was able to confirm our findings; they too were unable to make it work. We were informed the ticket was to be escalated to design but I immediately found it odd that no one else had already reported this problem. In short Juniper informed us that Windows Vista 64-Bit is not supported and the documentation indicating it was support was “incorrect”. Needless to say I’m not very happy with Juniper as this point and it certainly seems that Juniper has some serious QA issues in their software and documentation teams. Let’s not even talk about the 9 business day turnaround which is essentially two weeks.
I recently had a discussion with a physician, remember I work for a large healthcare provider, who had tried in vein to help himself by Googling for any hints or tips to getting WSAM working with Windows Vista 64-Bit. So here are some tips that will hopefully get picked up by Google.
- You must be an Administrator to install the software components
- You’ll need to be running Windows XP (32-Bit) Service Pack 2 or later
- If you have a pop-up blocker enabled make sure you exempt the Juniper URL
- If you have your firewall enabled make sure you unblock WSAM
I’ve also seen issues if ActiveX, JavaScript, or Cookies are disabled from within Internet Explorer. The WSAM software is a Layered Service Provider (LSP) application and as such other software, malware, spyware, etc can sometimes interfere with it’s proper operation. You can have a look here for a utility that might help to clean up any LSP issues that you might have.
The Windows Secure Application Manager can not be run from within a Windows Terminal Server or Citrix session.
Cheers!
Update: August 13, 2008
I recieved a few questions about Juniper’s Windows Secure Application Manager (WSAM) and I thought I would pass on the questions and answers.
Q. Does Juniper’s WSAM support a proxy server?
A. No Juniper’s WSAM does not support a proxy server. The client will need direct Internet access on TCP 443 (https).
Q. Where are the log files, there’s nothing in C:\Program Files\Juniper Networks\Secure Application Manager?
A. The log file is actually stored in the following location; C:\Documents and Settings\<username>\Application Data\Juniper Networks\Secure Application Manager
Update: September 18, 2008
As noted in the comments Juniper has released a customer bulletin concerning the problem. Here’s the official response I received from the Juniper TAC, I haven’t received any follow-up from the sales team which the Juniper TAC referred me to.
“KB12097 was posted to our Knowledge Base Support site and engineering has implemented a check in the WSAM installation that will display an error to the user if they are attempting to install WSAM on a 64-bit Operating System. This fix should be available in the next maintenance release of IVE OS 6.2. As for future support for WSAM on 64-bit systems, this has been revisited by PLM and it is now on our roadmap.”
Update: October 5, 2008
I’m amazed at the number of views that this post has garnered. It seems there are quite a few folks out there trying to figure out why Windows Vista 64bit won’t work with WSAM. I thought I should point out that the Juniper Network Connect client is compatible with Windows Vista 64bit (and 32bit). This may be an option for users although those users will need to speak to their System Administrators since it will require additional configuration and perhaps even licensing.
Cheers!
