Update: Thursday, October 8, 2009 I decided to rewrite this post to include all the information I’ve accumulated while troubleshooting the issues I’ve encountered deploying software release 6.5R1 for my organization. I can’t tell you how valuable it is to have access to a virtual machine with snapshot capability while testing all the different possible anti-virus, anti-spyware, and security software that’s out there in the wild with Juniper’s Windows Secure Application Manager. Since Juniper has yet to really release any useful information I thought I would add some additional notes to this post around the different software products that I’ve discovered can interfere with Juniper’s Windows Secure Application Manager (WSAM) client software.
If you’re a regular follower you know that we recently upgraded our Juniper Secure Access 4000 SSL VPN appliances from 6.2R1 to 6.5R1. You also know that we discovered that the old Juniper Installer Service from 6.2R1 is unable to upgrade the Juniper software components for non-Administrator users. You’ll need to manually install the Juniper Installer Service if your users are non-Administrators of the local computer they work on.
Norton 360, Norton Internet Security, Norton AntiVirus 2010
We’ve been successful in duplicating customer reported issues between Norton 360 or Norton Internet Security or Norton AntiVirus 2010 and Juniper’s Windows Secure Application Manager (WSAM). Windows XP users running any of the above Norton products will generally experience a blue screen of death crash (IRQL_NOT_LESS_OR_EQUAL) when clicking on a bookmark that relies on the WSAM client. Windows Vista users running any of the above Norton products will generally hang the machine (only after the first reboot from the time the product was installed) when launching the WSAM client software upon logging into the Juniper appliance. As a side note to this problem, users running Norton 360 (v188.8.131.52) do not experience this problem, only users running Norton 360 (v184.108.40.206). Juniper Technical Assistance Center (JTAC) has acknowledged that a problem exists and is working to release 6.5R2 in November 2009 to address the problems with Norton.
Symantec AntiVirus v10.x
Users running Symantec Corporate Edition AntiVirus v10.0, v10.2 experience intermittent local name resolution issues from DNS, WINS and local NetBIOS name broadcasts while the WSAM client software is running. The name resolution issues are not present when WSAM is not running. A possible workaround is to create static HOST entries in the local HOSTS file (C:\Windows\System32\drivers\etc\hosts). JTAC has acknowledged that a problem exists, I’m still waiting for additional information from JTAC.
ESET NOD32 Smart Security 4 and Antivirus 4
The testing in our lab has shown varied results. In some instances the latest and greatest release of NOD32 appears to work fine with WSAM. The later versions of NOD32 appear to add exceptions for the Juniper software components in the advanced configuration section under ‘Web Access Protection’. Older versions of NOD32 appear to block WSAM from communicating with the Juniper Secure Access Appliances even though the application indicates that it’s ‘Connected’. In our testing we did find that JSAM and NC both appeared to function properly with the latest version of ESET NOD32 installed. We’ve implemented a workaround for our customers using JSAM and that appears to be working for our users.
Check Point ZoneAlarm Security Suite
We’ve been able to re-create this problem and also have a ticket open with JTAC. We’ve tried adding exceptions and making IP addresses ‘trusted’ in Check Point’s language. We’ve been completely unsuccessful in getting this product to work with WSAM. The symptoms are identical to NOD32, where the WSAM application launches successfully and indicates that it’s ‘Connected’ but your unable to connect to any WSAM applications. In our testing we did find that JSAM and NC both appeared to function properly with ZoneAlarm installed. I have a support ticket open with JTAC but I haven’t received any feedback yet. We’ve implemented a workaround for our customers using JSAM.
I also learned from a user that Spybot Search & Destroy has a feature that can ‘lock’ the local host file on a computer preventing Java Secure Application Manager (JSAM) from operating properly.
Anyone else having any issues of findings they care to share?
Same problem with ZoneAlarm
Interesting that some traffic is tunneled via WSAM (like OWA)
Some traffic is not tunneled (like Outlook client)
Michael McNamara says
Hi Andrei ,
The Windows Secure Application Manager (WSAM) is a light weight VPN client that’s usually configured to only tunnel specific IP addresses and TCP ports. In my network I excluded Outlook Web Access (OWA) from the WSAM configuration because I allow direct access to OWA from the public Internet (you don’t need to use WSAM to access OWA).
The behavior is going to depend on how the Juniper SSL VPN appliance has been configured (all the configuration is central to the appliance – there’s no client configuration involved).