Michael McNamara
https://blog.michaelfmcnamara.com
technology, networking, virtualization and IP telephony
Sat, 30 Oct 2021 17:26:40 +0000

Juniper Secure Access SSL VPN Software 6.5R2 is a winner
https://blog.michaelfmcnamara.com/2010/02/juniper-secure-access-ssl-vpn-software-6-5r2-is-a-winner/
Wed, 24 Feb 2010 04:00:01 +0000

If you’ve been following this blog you’ll know that we’ve had quite a few issues with our Juniper Secure Access SSL VPN appliances over the past two years. Juniper was very slow to add WSAM support for Windows Vista 64-bit and by the time they started supporting Windows Vista, Windows 7 was released by Microsoft.

You might recall that I wrote about software release 6.5R2 back in December 2009, detailing our troubles with the 6.5R1 software release and our hope that Juniper could save the day.

Thankfully I’m here to tell you that software release 6.5R2 for the Juniper Secure Access SSL VPN appliances appears to be a winner!

About six days ago I upgraded a pair of SA4000s running 6.5R1 to 6.5R2. The primary goal was to resolve the compatibility issues that were introduced in 6.5R1 and finally provide support for both Windows Vista 64-bit and Windows 7 64-bit. The actual upgrade of the appliances was pretty straightforward and the initial testing didn’t reveal any issues. Unfortunately no amount of testing can always predict how things will go when working with home personal computers and the myriad of software available. We waited nervously for the first few days… thankfully the calls never came. While we had one or two users that needed some hand holding during the software upgrade/installation process, the majority of our 800+ users didn’t seem to have any issues whatsoever.

Let me congratulate Juniper Networks on a job well done!

I’ve created a discussion forum for anyone that would like to discuss the Juniper Secure Access SSL VPN appliances. If you have a question or would like to make a comment, why not join the discussion?

Cheers!

Juniper SSL VPN Secure Access 6.5R2 Available – Windows 7
https://blog.michaelfmcnamara.com/2009/12/juniper-ssl-vpn-secure-access-6-5r2-available-windows-7/
Fri, 11 Dec 2009 03:00:37 +0000

Juniper has released a new version of software for their SSL VPN (Secure Access) appliances. The new release, 6.5R2, hopefully corrects all the issues and heartache that 6.5R1 brought to Juniper’s customers. I won’t rehash the issues that we discovered in 6.5R1, if you haven’t heard about them you can go read the earlier posts on the subject;

I will be testing 6.5R2 on a spare SA4000 appliance (waiting for an evaluation license key from Juniper) and will share my results with everyone here.

You can find the release notes for 6.5R2 here.

Windows 7

When will Juniper Networks’ SSL VPN (SA platform/IVE OS) support Microsoft’s Windows 7 OS as a supported client platform? You can refer to Juniper knowledge base article KB13195.

Juniper states that “Microsoft Windows 7 is qualified” (not supported) on 6.5R2 and there should be no major issues aside from the known caveats/issues.

Known Issues/Caveats:

* All client components:

  1. Unable to install (or) launch client component using IE8 (64 bit). This is expected as IE8 (64 bit) browser is not supported. Please use IE8 (32 bit) to avoid this issue. (470316)

* EndPoint Integrity:

  1. When using IE 8 on 64-bit Windows 7 the reason string is not available when a patch assessment policy fails. (485421)

* Secure Virtual Workspace (SVW):

  1. When opening a file with Windows Photo Viewer inside SVW, the file is shown on the real desktop rather than inside the SVW session. (447409)
  2. On Windows 7, saving a MS Office 2003 file inside SVW fails. (486104)
  3. On Windows 7, Control Panel is accessible inside SVW even if it is disabled under application to allow list. (486104)

* WSAM:

  1. If Kaspersky Anti-Virus Version 2009 (8.0.0.506) is installed on a Windows 7 (OR) Windows Vista computer, WSAM will not be able to intercept and secure traffic. This issue is not seen with older versions of Kaspersky Anti-Virus (434715).

Cheers!

Update: January 6, 2009

I should point out that I’ve discovered that JSAM will not launch properly with Windows 7 (64-bit) when running 6.5R1 software. I initially thought it might have something to do with the 32-bit/64-bit versions of Internet Explorer or the 32-bit/64-bit versions of the Java Runtime Environment. I tested the same machine today with 6.5R2 and it worked fine using the 32-bit version of Internet Explorer. I didn’t try the 64-bit version of Internet Explorer. So it would appear the problem is resolved in 6.5R2 software. Please see the forums for additional details.

Juniper SSL VPN Upgrade – Client Software
https://blog.michaelfmcnamara.com/2009/09/juniper-ssl-vpn-upgrade-client-software/
Tue, 22 Sep 2009 23:51:24 +0000

We use a pair of Juniper Secure Access 4000 appliances operating in a cluster configuration for high availability to provide remote access to our internal web based applications. We utilize Juniper’s Windows Secure Application Manager (WSAM) to provide secure access to web based and non-web based applications where the core rewriting functionality of the SA4000 is too slow or incompatible with the application.

We’ve been planning to upgrade from 6.2R1 to 6.5R1 so we can support our Windows Vista 64-bit users, a population that seems to be growing rapidly these days now that resellers are shipping machines with 4Gb of memory requiring a 64-bit operating system.

Over the past week we’ve been working (along with Juniper) to confirm that upgrading from 6.2R1 to 6.5R1 won’t cause us any unforeseen problems. We’ve tested the upgrade on a spare SA4000 and found no problems worth mentioning on the appliance itself. We did, however, encounter problems with the client software. The Juniper Installer Service is designed to automatically upgrade itself and any associated Juniper software such as Windows Secure Application Manager (WSAM), Network Connect (NC) and Hostchecker. The Juniper Installer Service is critical because it allows non-Administrator users of the personal computer to upgrade the Juniper software without requiring Administrator access. When you have a large deployment with hundreds or thousands of users (especially where those users are outside of your managed environment) it is crucial that this process work flawlessly. It would seem that the upgrade process between 6.2R1 and 6.5R1 is broken. In some discussions with JTAC they didn’t seem surprised by the information, yet I don’t ever recall reading anything in the release notes acknowledging that problem.

non-Administrator users

I tested the upgrade process and the client software didn’t upgrade itself properly when a user without Administrator rights connected to the appliance. The browser would just hang at /dana/home/starter0.cgi?check=yes trying to check for the presence of the Juniper Installer Service. After about 30 seconds the browser would try to start Windows Secure Application Manager (if it was configured to launch automatically) and hang again. After another 60 seconds the appliance would try to launch a Java applet to install the WSAM client which would fail because the user wasn’t an Administrator of the PC and didn’t have the proper rights to install the WSAM client software.

Administrator users

If a user with Administrator rights connected to the appliance the browser immediately prompted the user to install the Juniper Installer Service (ActiveX object).  The Windows Secure Application Manager (WSAM) also installed/upgraded itself without issue along with the Network Connect (NC) client. In short there were no issues with the upgrade so long as the user was an Administrator of the personal computer.

Solution

The solution to the problem with non-Administrator users is simple but a painful task depending on how diverse your user population might be. An Administrator of the personal computer must manually install the Juniper Setup Client (formerly called the Juniper Installer Service) onto the personal computer. Once that task is complete non-Administrator users can connect to the Juniper appliance and any remaining Juniper software components will be properly installed through the Juniper Setup Client even though the user is a non-Administrator and doesn’t specifically have rights to install software.

In a previous post I hinted that the WSAM client didn’t function properly in 6.5R1 on a Windows Vista 64-bit computer. That problem seems to have remedied itself although I’m not really sure what changed or what might have been broken in my initial testing. All subsequent testing shows that WSAM works fine from a Windows Vista 64-bit computer. There are some documented issues using the 64-bit version of Internet Explorer within Windows Vista so I would advise users stick to the 32-bit version for now.

Cheers!
Update: Wednesday September 30, 2009

I thought I would post an update since this article seems to be attracting a lot of attention around the net. Over the past three months we had around 1,900 different users login from almost 3,400 different machines (users are mobile). While the majority of issues have been resolved by un-installing the Juniper client software, rebooting and re-installing the client software, there are a few that require some extra configuration and one that is currently broken. If you are running Norton Internet Security 2009 or Norton 360 there is an unknown issue with the latest (GoLive update) version that will cause Windows Vista (Norton forums) to hang and Windows XP to blue screen. If you are using ESET NOD32 you’ll need to add specific exemptions for Internet Explorer and the Juniper programs.

I also had a brief discussion with JTAC this week in which I was told that the Juniper Installer Service and the Juniper Setup Client are two different pieces of software.  I’ll need to dig up some additional documentation to see if I can untangle that mystery.

Juniper SSL VPN Secure Access 6.5 Available
https://blog.michaelfmcnamara.com/2009/09/juniper-ssl-vpn-secure-access-6-5-available/
Wed, 02 Sep 2009 02:00:22 +0000

Juniper recently released a new version of software for their SSL VPN (Secure Access) appliances. The new release is important because it finally addresses a problem that was originally documented on my blog in this post. While I have yet to deploy this new software release (I would be interested in hearing from those that have) I thought it warranted a new post.

This latest version of software now supports Windows Secure Application Manager (WSAM) when used on Windows XP 64-bit and Windows Vista 64-bit clients. There was no mention of Windows 7 which is due to be released October 22, 2009. I did find it interesting that Internet Explorer 8 was only “compatible” with respect to a few of the features while Internet Explorer 7 was “qualified” with all features (review Juniper Secure Access 6.5 Supported Platforms document for specifics). I did a quick search over in the Juniper forums and found some reports that Host Checker wasn’t working properly with Windows 7 RC.

There were two new features that jumped out at me in the What’s New document;

RDP Launcher

SA 6.5 simplifies the use of RDP sessions for end users without requiring them or administrators to create bookmarks.

  • Simplifies ease of use for remote users to RDP into remote desktops by merely clicking a button or entering a hostname or IP Address of the remote computer.
  • Simplifies the configuration for administrators and reduces the number of support calls from users who are unable to figure out how to RDP to remote computers.

VDI Support

Secure Access (SA) version 6.5 interoperates with VDI products, including VMWare’s View Manager and Citrix’s XenDesktop, enabling administrators to deploy virtual desktops alongside the SA series of SSL VPN devices. This allows the SA administrator to configure centralized remote access policies for users who access their virtual desktops.

  • This provides a centralized point of configuration for administrators to configure remote access policies for virtual desktop access through leading virtualization products from VMWare and Citrix.
  • SA 6.5 provides end users the VDI client to access the virtual desktop through, and provides flexible client fallback options thereby simplifying the deployment and management for administrators.

We have a lot of folks looking to access their corporate desktops remotely and the RDP (Terminal Services) feature of the Juniper SSL VPN really helps fill that role.

Cheers!

References;

What’s New in Juniper Networks Secure Access (SA) SSL VPN Version 6.5
Juniper Secure Access 6.5 Release Notes
WSAM and Network Connect Error Messages Release 6.5
Juniper Secure Access 6.5 Support Platforms

Update: Thursday November 5, 2009

Let me get right to the point, I would not recommend anyone deploy 6.5R1 on their Juniper Secure Access appliances. There are known issues with the Juniper Windows Secure Application Manager (WSAM) and the following four security suites; Norton 360, Symantec AntiVirus, Zone Alarm Security, ESET NOD32. Users with Norton 360 could experience a blue screen of death (BSOD) using the Juniper Windows Secure Application Manager. Juniper has a hotfix available for 6.5R1 that resolves the BSOD issues with Norton 360. The hotfix is not generally available on the Juniper website so you must contact JTAC for the hotfix.

Additional information can be found at this post; http://blog.michaelfmcnamara.com/2009/10/norton-360-and-juniper-ssl-vpn-wsam/

Update: Friday September 19, 2009

A quick update… I’ve set up a spare SA4000 and received a demo license from Juniper to test the 6.5R1 software release (thanks Matt!). I’m happy to report that the upgrade on the appliance was very smooth although it took about 6 minutes for the appliance to boot back up, giving me a few frightful thoughts. Unfortunately the same can’t be said of the client software. I’m still in the process of testing but it appears that non-Administrator users (users that don’t have Administrator rights on the PC) won’t be functional after the upgrade until an Administrator manually installs the latest and greatest Juniper Installer Service. The Juniper Installer Service is designed to allow the client software to upgrade when the user doesn’t have Administrator rights. Users with Administrator rights work fine so long as they answer the prompts to install the new version of the Juniper Installer Service. I hope to release a detailed post in the next few days including some testing of Windows Vista 64-bit desktops.

Juniper SSL VPN Appliance and Windows Vista 64-Bit
https://blog.michaelfmcnamara.com/2008/08/juniper-ssl-vpn-appliance-and-windows-vista-64-bit/
Tue, 12 Aug 2008 21:00:11 +0000

Update: September 1, 2009

Juniper has released software 6.5 for the Juniper SSL VPN (Secure Access) appliances which now supports running WSAM on Windows 64-bit operating systems. I’ve posted a new article that details the new software which can be found here; http://blog.michaelfmcnamara.com/2009/09/juniper-ssl-vpn-secure-access-6-5-available/

Almost six years ago we deployed a Neoteris Secure Access 1000 appliance which was designed to publish Intranet based web applications to Internet clients. Neoteris was acquired by Netscreen and then Netscreen was acquired by Juniper. Over a year ago we upgraded our legacy hardware with two Juniper SA4000s running them as a cluster in a high availability design (active/standby). The solution has been very successful with the exception of the occasional home PC that for one reason or another refuses to install the client software.

We recently upgraded to software release v6.2R1 which promised full support for Windows Vista 64-Bit and Juniper’s Windows Secure Application Manager (WSAM). Juniper’s Windows Secure Application Manager is essentially a mini VPN client that tunnels traffic across an SSL connection with the SA4000 appliances. It provides raw connectivity for non-HTTP based applications. While the documentation indicated that Windows Vista 64-Bit was fully supported we were unable to make it work after a few customers reported having issues. We opened a ticket with Juniper and waited four business days before Juniper was able to confirm our findings; they too were unable to make it work. We were informed the ticket was to be escalated to design but I immediately found it odd that no one else had already reported this problem. In short Juniper informed us that Windows Vista 64-Bit is not supported and the documentation indicating it was supported was “incorrect”. Needless to say I’m not very happy with Juniper at this point and it certainly seems that Juniper has some serious QA issues in their software and documentation teams. Let’s not even talk about the 9 business day turnaround which is essentially two weeks.

I recently had a discussion with a physician, remember I work for a large healthcare provider, who had tried in vain to help himself by Googling for any hints or tips to getting WSAM working with Windows Vista 64-Bit. So here are some tips that will hopefully get picked up by Google.

  1. You must be an Administrator to install the software components
  2. You’ll need to be running Windows XP (32-Bit) Service Pack 2 or later
  3. If you have a pop-up blocker enabled make sure you exempt the Juniper URL
  4. If you have your firewall enabled make sure you unblock WSAM

I’ve also seen issues if ActiveX, JavaScript, or Cookies are disabled from within Internet Explorer. The WSAM software is a Layered Service Provider (LSP) application and as such other software, malware, spyware, etc. can sometimes interfere with its proper operation. You can have a look here for a utility that might help to clean up any LSP issues that you might have.

The Windows Secure Application Manager cannot be run from within a Windows Terminal Server or Citrix session.

Cheers!

Update: August 13, 2008
I received a few questions about Juniper’s Windows Secure Application Manager (WSAM) and I thought I would pass on the questions and answers.

Q. Does Juniper’s WSAM support a proxy server?
A. No, Juniper’s WSAM does not support a proxy server. The client will need direct Internet access on TCP 443 (https).

Q. Where are the log files, there’s nothing in C:\Program Files\Juniper Networks\Secure Application Manager?
A. The log file is actually stored in the following location; C:\Documents and Settings\<username>\Application Data\Juniper Networks\Secure Application Manager

Update: September 18, 2008
As noted in the comments Juniper has released a customer bulletin concerning the problem. Here’s the official response I received from the Juniper TAC, I haven’t received any follow-up from the sales team which the Juniper TAC referred me to.

“KB12097 was posted to our Knowledge Base Support site and engineering has implemented a check in the WSAM installation that will display an error to the user if they are attempting to install WSAM on a 64-bit Operating System. This fix should be available in the next maintenance release of IVE OS 6.2. As for future support for WSAM on 64-bit systems, this has been revisited by PLM and it is now on our roadmap.”

Update: October 5, 2008
I’m amazed at the number of views that this post has garnered. It seems there are quite a few folks out there trying to figure out why Windows Vista 64bit won’t work with WSAM. I thought I should point out that the Juniper Network Connect client is compatible with Windows Vista 64bit (and 32bit). This may be an option for users although those users will need to speak to their System Administrators since it will require additional configuration and perhaps even licensing.

Cheers!
