Michael McNamara https://blog.michaelfmcnamara.com technology, networking, virtualization and IP telephony Thu, 03 Feb 2022 18:26:05 +0000 en-US hourly 1 https://wordpress.org/?v=6.7.2 PanOS 9.1.12 breaks GlobalProtect VPN https://blog.michaelfmcnamara.com/2022/02/panos-9-1-12-breaks-globalprotect-vpn/ Thu, 03 Feb 2022 22:00:00 +0000 https://blog.michaelfmcnamara.com/?p=7337

When possible it’s always a good idea to test any software upgrades, because you just never know what you’re going to get. That was the case recently when I upgraded our test PA-220 from 9.1.7 to 9.1.12-h3 and it seemingly broke all GlobalProtect VPN functionality. The portal doesn’t respond on TCP/443 at all, so it looks like the firewall itself is dropping the traffic.

The issue turned out to be the Strict IP Address Check, which was just “resolved” or enabled for return traffic in 9.1.12:

AN-175934 Fixed an issue where packet-based zone protection settings (such as
Strict IP Address Check) were not applied to return traffic.

When I disabled Strict IP Address Check on the zp_untrusted zone protection profile GlobalProtect started working again.

What is Strict IP Address Check?
Check that both of the following conditions are true:

  • The source IP address is not the subnet broadcast IP address of the ingress interface.
  • The source IP address is routable over the exact ingress interface.

If either condition is not true, discard the packet.
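Written out as code, the two conditions amount to a strict reverse-path check on the source address. The Python below is an added example (it is not Palo Alto Networks code and is not from the original post) that applies the same two tests against a constructed routing table; the interface names, prefixes and sample source addresses are made up for the illustration.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed example data (not the author's firewall configuration): a
# routing table of (prefix, egress interface) plus the connected subnet of
# the zone-protected ingress interface.
Route = Tuple[ipaddress.IPv4Network, str]
ROUTES: Tuple[Route, ...] = (
    (ipaddress.IPv4Network("0.0.0.0/0"), "ethernet1/1"),       # default route out the untrust side
    (ipaddress.IPv4Network("203.0.113.0/24"), "ethernet1/1"),  # connected untrust subnet
    (ipaddress.IPv4Network("10.0.0.0/8"), "ethernet1/2"),      # internal networks behind trust
)


def longest_match(routes: Iterable[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix lookup; returns the (prefix, interface) pair or None."""
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_ip_check(src: str, ingress_iface: str, ingress_net: str,
                    routes: Iterable[Route] = ROUTES) -> Tuple[bool, str]:
    """Apply the two documented conditions to a packet's source address.

    Returns (accept, reason). Both conditions must hold for the packet to pass:
      1. the source is not the broadcast address of the ingress subnet;
      2. the best route for the source points back out the ingress interface.
    """
    source = ipaddress.IPv4Address(src)
    connected = ipaddress.IPv4Network(ingress_net, strict=False)
    if source == connected.broadcast_address:
        return False, "source is the ingress subnet broadcast address"
    route = longest_match(routes, source)
    if route is None:
        return False, "source is not routable at all"
    if route[1] != ingress_iface:
        return False, f"source routes via {route[1]}, not ingress {ingress_iface}"
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "ethernet1/1", "203.0.113.0/24"),   # real Internet client: pass
        ("10.1.2.3", "ethernet1/1", "203.0.113.0/24"),       # internal address arriving from outside: drop
        ("203.0.113.255", "ethernet1/1", "203.0.113.0/24"),  # subnet broadcast as source: drop
        ("10.1.2.3", "ethernet1/2", "10.1.2.0/24"),          # same address from the trust side: pass
    ]
    for src, iface, net in cases:
        ok, why = strict_ip_check(src, iface, net)
        print(f"{src:>14} on {iface}: {'ACCEPT' if ok else 'DROP'} ({why})")
```

The second case is what the check exists for: an internal address showing up on the Internet-facing interface is a spoof and should never pass. That is also why disabling the check on the untrust zone profile, while it gets GlobalProtect working again, trades away an anti-spoofing control; it is worth re-testing with the check on after the next PAN-OS update rather than leaving it off permanently.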

Looks like a bug to me.

Cheers!

COVID-19 The War Waged by Information Technology Professionals https://blog.michaelfmcnamara.com/2020/03/covid-19-the-war-waged-by-information-technology-professionals/ Fri, 27 Mar 2020 01:29:02 +0000 https://blog.michaelfmcnamara.com/?p=6516 The past few weeks have been extremely exhausting both professionally and personally. Coronavirus (COVID-19) has taken the world by storm and is literally upending people’s daily lives and ruining businesses large and small. Let’s not forget the large number of people that have lost their lives to this virus. My thoughts and prayers for all those who have lost loved ones. My thanks and admiration to all those medical professionals on the front lines treating the sick.

While very few of us have planned and organized days, these past few weeks have been unlike anything I’ve ever experienced, running from one fire to another, one disaster to another. Whether it’s a power failure in a data center or someone deciding to water the potted plant that they hung over the network switch, there’s always some new emergency or problem that requires IT to jump in and save the day. This event was no different, but the scale and duration was a whole new experience for everyone.

We started mobilizing our disaster preparedness plan around the middle of February. The initial request from the leadership team was pretty straightforward: “How do we prepare to have our home office employees and call center agents work remotely?” Like most large and medium-sized enterprises we have a couple of hundred people working remotely every day; however, we were talking about going from 200-300 daily remote users to potentially 3,000-4,000 daily remote users in a very short time span. And a significant portion of those users still had desktop devices.

In the span of a week we had ordered, imaged, configured and deployed (shipped or handed out) over 400 laptops to over 400 employees and call center agents. We also spun up a new Virtual Private Network (VPN) solution using Palo Alto Network’s GlobalProtect to help supplement our existing Pulse Secure and Microsoft Direct Access solutions.

I should note that I reached out to Pulse Secure and they offered us a temporary 60 day license to help us cope with the additional users – kudos to Pulse Secure.

Like everyone, we’re in the middle of our second week and the Internet itself is starting to show its cracks. This past Monday and Tuesday we experienced connectivity issues across 30 stores in and around London, UK for ~45-60 minutes at a time. We later learned that Monday was the first day in the UK with all schools closed and British Telecom (BT) wasn’t handling the strain well. I’m sure it’s not helping BT that Disney+ just launched in the UK and Ireland on Wednesday.

We’ve had a number of issues with Microsoft, Slack and Zoom over the past two weeks and expect those issues will likely continue as more and more people around the nation and globe transition to working remotely.

Nobody’s really sure what the future holds… hopefully things will start to improve as we work to flatten the curve.

Thanks to all the IT folks that are continuing to carry on the struggle, be it onsite or from the confines of your own home… we know what you’re going through and we appreciate your efforts!

If you have a story to share, let us know below.

Stay safe! Cheers!

Palo Alto Networks GlobalProtect VPN – userPrincipalName and samAccountName https://blog.michaelfmcnamara.com/2020/03/palo-alto-networks-globalprotect-vpn-userprincipalname-and-samaccountname/ https://blog.michaelfmcnamara.com/2020/03/palo-alto-networks-globalprotect-vpn-userprincipalname-and-samaccountname/#comments Sat, 21 Mar 2020 16:51:15 +0000 https://blog.michaelfmcnamara.com/?p=6519

Here’s a quick note for anyone looking to understand how they can allow either the standard samAccountName (username) or the userPrincipalName (usually the email address) to be used by users when logging into the GlobalProtect VPN client when authenticating against Windows Active Directory via LDAP.

I will assume that you already have basic username authentication working. So this post will outline how you can add the ability for users to use the userPrincipalName as opposed to their samAccountName (username).

Step 1. Assuming you already have an Authentication Profile set up to authenticate usernames (samAccountName), you’ll need to clone that profile and then update the Login Attribute to “userPrincipalName”.

Step 2. Create an Authentication Sequence that includes both your Authentication Profiles, the original profile along with the profile you created in the step above. In the example below I’m using “auth_ldap”.

Step 3. Update your GlobalProtect Portal Configuration Client Authentication to reference this new Authentication Sequence. Network -> GlobalProtect -> Portals, edit your configuration and update the authentication profile to “auth_ldap”.

Step 4. Update your GlobalProtect Gateway Configuration Client Authentication to reference this new Authentication Sequence. Network -> GlobalProtect -> Gateways, edit your configuration and update authentication profile to “auth_ldap”.

Step 5. Commit your changes.

With that all done you can now test, using either your samAccountName (username) or your userPrincipalName (usually the email address of the user).
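The Login Attribute is the left-hand side of the LDAP search filter the firewall sends to find the user’s DN, and an Authentication Sequence simply tries its profiles in order until one succeeds. The Python below is an added example (not Palo Alto Networks code and not from this post) that models those two mechanics against a constructed stand-in directory; the profile names auth_ldap_sam and auth_ldap_upn, the user entry and the password are all made up for the illustration. It also escapes the login name per RFC 4515 before it goes into the filter, which is the one thing you want any LDAP lookup fed from a login form to do.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class AuthProfile:
    """One authentication profile: a name and the LDAP attribute it matches the login against."""
    name: str
    login_attribute: str   # "sAMAccountName" or "userPrincipalName"


# Constructed stand-in for the directory (example data, not a real domain).
# The _password field stands in for the LDAP bind a real profile performs as the located DN.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=Jane Doe,OU=Users,DC=acme,DC=org": {
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@acme.org",
        "_password": "correct horse battery",
    },
}


def ldap_escape(value: str) -> str:
    """Escape the RFC 4515 filter metacharacters so a login name cannot alter the search filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def build_filter(login_attribute: str, login: str) -> str:
    """The search filter a profile would send to the directory for a given login."""
    return f"({login_attribute}={ldap_escape(login)})"


def search_dn(login_attribute: str, login: str) -> Optional[str]:
    """Find exactly one entry whose login attribute matches (AD compares these case-insensitively)."""
    hits = [dn for dn, entry in DIRECTORY.items()
            if entry.get(login_attribute, "").lower() == login.lower()]
    return hits[0] if len(hits) == 1 else None


def bind(dn: str, password: str) -> bool:
    """Stand-in for the LDAP simple bind as the located DN."""
    return hmac.compare_digest(DIRECTORY[dn]["_password"], password)


def authenticate_sequence(sequence: Sequence[AuthProfile], login: str, password: str) -> Optional[str]:
    """Try each profile in order, as an authentication sequence does; return the profile that succeeded."""
    for profile in sequence:
        dn = search_dn(profile.login_attribute, login)
        if dn is not None and bind(dn, password):
            return profile.name
        # no entry under this attribute, or wrong password: fall through to the next profile
    return None


# The sequence from the post: the original sAMAccountName profile first, then the UPN clone.
AUTH_LDAP = (AuthProfile("auth_ldap_sam", "sAMAccountName"),
             AuthProfile("auth_ldap_upn", "userPrincipalName"))

if __name__ == "__main__":
    for login in ("jdoe", "jdoe@acme.org", "nobody"):
        print(login, "->", authenticate_sequence(AUTH_LDAP, login, "correct horse battery"))
    print(build_filter("sAMAccountName", "j*(d)oe"))
```

Note the cost of the ordering: a bare username is resolved by the first profile, but an email-style login misses the sAMAccountName search and only succeeds on the second profile, so UPN logins always generate an extra directory query and an extra failed profile in the authentication log.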

Cheers!

Pulse Secure Client – Invalid or Missing Certificate https://blog.michaelfmcnamara.com/2018/09/pulse-secure-client-invalid-or-missing-certificate/ https://blog.michaelfmcnamara.com/2018/09/pulse-secure-client-invalid-or-missing-certificate/#comments Thu, 27 Sep 2018 12:52:48 +0000 https://blog.michaelfmcnamara.com/?p=6253 I ran into an interesting problem recently on my Windows 10 laptop running the Pulse Secure VPN client where I started receiving an “Invalid or Missing Certificate” warning when trying to connect to the Pulse VPN appliance (formerly Juniper Secure Access appliance). I pulled the log file from the client (C:\ProgramData\Pulse Secure\Logging\debuglog.log) and found that the Pulse Secure client was serving up an old certificate that didn’t appear to be installed on my laptop. I searched for it using the Microsoft Management Console and the Certificates snap-in but had no luck.

I eventually realized that the Pulse Secure client was “caching” the certificate selection because I had chosen to “Save Settings” in the client when originally prompted to choose which SSL certificate the client should provide while authenticating. 

The solution: go into the client and select “Forget Saved Settings”.

The next time I attempted to connect I was prompted to choose which certificate to use for authentication purposes.

Cheers!

Verizon FiOS Internet – Juniper Private VLANs https://blog.michaelfmcnamara.com/2017/09/verizon-fios-internet-juniper-private-vlans/ https://blog.michaelfmcnamara.com/2017/09/verizon-fios-internet-juniper-private-vlans/#comments Wed, 20 Sep 2017 02:31:00 +0000 https://blog.michaelfmcnamara.com/?p=6104 I recently stumbled over an interesting problem with Verizon’s FiOS Internet service while doing some consulting. In an effort to protect the innocent and prevent any ass hattery, I’ve changed the IP addressing to use something from RFC 5737.

A client had two physical sites about 1 mile apart which were connected to the Internet by separate Verizon FiOS broadband connections and which were assigned the following static IP addresses;

Site A:

IP Network: 198.51.100.226/28
Subnet Mask: 255.255.255.0
Default Gateway: 198.51.100.1
Usable IP Addresses: 198.51.100.226 – 198.51.100.238

Site B:

IP Network: 198.51.100.50/28
Subnet Mask: 255.255.255.0
Default Gateway: 198.51.100.1
Usable IP Addresses: 198.51.100.50 – 198.51.100.63

Let me be the first to admit that the information above isn’t quite right… there is no IP address block 198.51.100.226/28; it should be 198.51.100.224/28. I believe that’s Verizon trying to avoid having customers accidentally use the network address or the first address in the IP address block, which is likely reserved for the actual Verizon Actiontec router.

The client was trying to establish a VPN tunnel between the two sites and was running into difficulties. The issue was with the IP addressing provided by Verizon and its likely implementation of private VLANs on the Juniper hardware. I’m assuming that Verizon is using PVLANs to isolate traffic between individual customers to minimize the number of IP subnets they need to create. Instead of creating 16 /28 IP networks they are using a single /24 network and then isolating the traffic between customers using PVLANs. The issue in the example above is pretty obvious: the individual client devices are attempting to communicate with each other directly on the local subnet, believing that there’s no need to send the traffic to the upstream router because the /24 netmask indicates that the remote site is in the same IP network. While the remote site is indeed in the same IP network, the PVLAN implementation blocks direct communication between the client devices.
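To see exactly what the hosts are deciding, here is an added Python example (not from the original post) that reproduces the on-link decision a host makes with the addressing above: with the /24 mask Verizon hands out, Site A treats Site B as a neighbour and ARPs for it directly, which the PVLAN silently swallows. The /32 host route in the last case is one workaround assumed for the illustration, not something the post describes; the example also shows why simply using the /28 mask the block really has does not help on its own.

```python
import ipaddress
from typing import Optional, Sequence, Tuple

Decision = Tuple[str, str]   # ("direct", destination) or ("gateway", next hop)


def on_link(src_ip: str, netmask: str, other_ip: str) -> bool:
    """True if the host believes other_ip shares its connected subnet (so it will ARP for it directly)."""
    iface = ipaddress.IPv4Interface(f"{src_ip}/{netmask}")
    return ipaddress.IPv4Address(other_ip) in iface.network


def forwarding_decision(src_ip: str, netmask: str, dst_ip: str, gateway: str,
                        static_routes: Sequence[Tuple[str, str]] = ()) -> Decision:
    """Longest-prefix lookup over the connected subnet, any static routes and the default route."""
    iface = ipaddress.IPv4Interface(f"{src_ip}/{netmask}")
    dst = ipaddress.IPv4Address(dst_ip)
    table: list = [(iface.network, None)]                     # connected: deliver directly
    table += [(ipaddress.IPv4Network(prefix), nh) for prefix, nh in static_routes]
    table.append((ipaddress.IPv4Network("0.0.0.0/0"), gateway))
    _net, next_hop = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen)
    return ("direct", str(dst)) if next_hop is None else ("gateway", next_hop)


if __name__ == "__main__":
    # Addressing from the post (RFC 5737 documentation space).
    site_a, site_b, gw = "198.51.100.226", "198.51.100.50", "198.51.100.1"

    # As issued: /24 mask, so Site B looks on-link and the ARP is lost in the PVLAN.
    print("/24 as issued:   ", forwarding_decision(site_a, "255.255.255.0", site_b, gw))

    # With the "real" /28: Site B goes to the gateway, but the gateway itself is now off-link.
    print("/28 instead:     ", forwarding_decision(site_a, "255.255.255.240", site_b, gw),
          "gateway on-link:", on_link(site_a, "255.255.255.240", gw))

    # Assumed workaround: keep the /24 and add a host route for the far end via the gateway.
    host_route = [(f"{site_b}/32", gw)]
    print("/24 + host route:", forwarding_decision(site_a, "255.255.255.0", site_b, gw, host_route))
```

The middle case is the trap: the gateway 198.51.100.1 is not inside 198.51.100.224/28, so tightening the mask to the block Verizon actually allocated leaves the host unable to resolve its own default gateway. Whatever fix is used has to keep the gateway reachable while steering the far site’s address through it.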

Anyone have any experience with Verizon FiOS using PVLANs?

I believe I heard years ago that Verizon chose Juniper for their FiOS implementation.

Cheers!

Reference: Juniper – Understanding Private VLANs on EX Series Switches

It’s the networks fault #18 https://blog.michaelfmcnamara.com/2016/01/its-the-networks-fault-18/ Mon, 04 Jan 2016 23:34:08 +0000 http://blog.michaelfmcnamara.com/?p=5479 Here’s a look at a few different articles and posts that caught my eye over the past few weeks…

Articles

Network Field Day #NFD11 by Dominik Pickhardt – Dominik will be attending Network Field Day 11 this January 2016 in San Jose, CA. It just happens that I’ve also been invited to join the gang in Silicon Valley on January 19th – 22nd. You can find more information over on the Tech Field Day website.

US House okays making internet tax exemptions permanent by Shaun Nichols – We’ll need to see how HR 644 fares in the Senate now that it includes a provision to prevent states from collecting sales tax on Internet retailers for out-of-state customers.

IP leak affecting VPN providers with port forwarding by Perfect Privacy – The team over at Perfect Privacy have revealed how an attacker can reveal a VPN user’s real IP address given a few specific conditions.

A free, almost foolproof way to check for malware by Roger A. Grimes – A great article describing how to easily test a Windows client to see if it’s infected with some malware. I’ve recently found myself doing quite a bit of security forensics analyzing various systems and images.

Will Let’s Encrypt threaten commercial certificate authorities? by Larry Seltzer – Let’s Encrypt is a new free Certificate Authority looking to make publicly signed certificates available for free to anyone. The stated goal of the organization is to help secure the Internet by offering free SSL certificates to anyone. The certificates are only valid for 90 days, a significant caveat and differentiator with the commercial certificate authorities.

Cheers!

Avaya VPN Client Release 10.06.500 for Windows 8 https://blog.michaelfmcnamara.com/2013/12/avaya-vpn-client-release-10-06-500-for-windows-8/ https://blog.michaelfmcnamara.com/2013/12/avaya-vpn-client-release-10-06-500-for-windows-8/#comments Sat, 21 Dec 2013 13:01:40 +0000 http://blog.michaelfmcnamara.com/?p=4194 Avaya has released version 10.06.500 of their VPN client (formerly Contivity Extranet Client) that supports both 32-bit and 64-bit versions of Windows 8.

This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  •     Windows XP
  •     Windows Vista
  •     Windows 7
  •     Windows 8

The following note is included at the top of the release notes;

When upgrading from Windows 7 GA to Windows 7 Service Pack 1 (SP1) users must remove the Avaya VPN Client prior to upgrading to SP1. Once the upgrade to SP1 is complete, reinstall the Avaya VPN Client.

Users who upgrade from a v10.05 or earlier release to v10.06 may receive the following error dialogue when attempting to establish an IPSec VPN tunnel – “Activation of VPN Adapter Failed”. This issue occurs when the AVC filter adapter is not upgraded correctly during software installation.

Resolved Issues

  • wi00889600 10.06_500 – AVC 10.04.109 Client in SSL Mode Doesn’t Accept Untrusted Self-Signed Cert.
  • wi00982245 10.06_500 – AVG IPsec mobility performance is very low.
  • wi01069664 10.06_500 – AVC Mobility feature fails when moving from a wireless to a wired connection.
  • wi01069666 10.06_500 – Repeated failover between wired and wireless connections may cause mobility failure.
  • wi01100993 10.06_500 – VPN Client – PLAP is unreliable on Windows 8.
  • wi01100994 10.06_500 – VPN Client – OSK (On-Screen Keyboard) does not launch with client.
  • wi01109393 10.06_500 – AVC Client does not work with SSL Protocols TLS1.1 and TLS 1.2.
  • wi01131474 10.06_500 – SSL tunnels may be disconnected due to multicast or host routing table entry changes which should have no impact on tunnel security. Changes to multicast and most host routes are now properly ignored.
  • wi01138381 10.06_500 – The SwapAdapters option added in 10.06.200 does not take into account the registry path for 64-bit systems.

You should refer to the release notes for all the details, including the interoperability issues.

Note: I’m hosting these files from my own servers so please don’t abuse my generosity by hot-linking to them from other sites or by downloading the files dozens of times needlessly.

AVC32-10.06.500.exe (32-bit – Windows XP, Windows Vista, Windows 7, Windows 8)
MD5: 377d84bb29be2abb1197f2f791dce98b
AVC64-10.06.500.exe (64-bit – Windows XP, Windows Vista, Windows 7, Windows 8)
MD5: 24ac65597ce3ce92099940e7a316ad5c

I’m no longer personally using the Avaya VPN Client. These days I utilize the Juniper Network Connect (and Pulse) client when working remotely. So I’m not really in a position to help everyone with their installation problems. In the past I’ve found that the client will work fine on a fresh OS installation the majority of the time when it wouldn’t work on that same machine prior to the re-imaging.

Cheers!

Book – Juniper SRX Series https://blog.michaelfmcnamara.com/2013/07/book-juniper-srx-series/ https://blog.michaelfmcnamara.com/2013/07/book-juniper-srx-series/#comments Tue, 30 Jul 2013 15:16:56 +0000 http://blog.michaelfmcnamara.com/?p=3817 A few weeks ago I started reading a new book published by O’Reilly Media entitled Juniper SRX Series by Brad Woodberg and Rob Cameron. I’ve been reading up on the Juniper SRX in preparation to sit for the JNCIS-SEC test, having passed the JNCIA-Junos test a few weeks back.

I’ve deployed the Juniper SRX 650 and the Juniper SRX 210H in a typical corporate branch office tunnel architecture utilizing route-based VPN tunnels with OSPF and Point to Multi-Point interfaces along with virtual router instances. Since that deployment I’ve really come to enjoy using the Junos CLI interface.

While there are a few grammatical errors (who am I to criticize) the book contains a large number of example configurations and actually shows the reader how to implement the feature and/or option as opposed to just defining it.

In the spirit of full disclosure, I received an electronic copy of the book, Juniper SRX Series, from Juniper free of charge.

Study Material

If you are looking to take the JNCIA-Junos or the JNCIS-SEC you can find the study guides from Juniper here;

https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

You’ll need to create an account with Juniper in order to access the study material.

I’m personally reviewing both the study material provided by Juniper along with the book, Juniper SRX Series, to validate my understanding of each feature and option.

Cheers!

Avaya VPN Client Release 10.06.301 for Windows 8 https://blog.michaelfmcnamara.com/2013/07/avaya-vpn-client-release-10-06-301-for-windows-8/ https://blog.michaelfmcnamara.com/2013/07/avaya-vpn-client-release-10-06-301-for-windows-8/#comments Fri, 19 Jul 2013 18:14:25 +0000 http://blog.michaelfmcnamara.com/?p=3796 Avaya has released version 10.06.301 of their VPN client (formerly Contivity Extranet Client) that supports both 32-bit and 64-bit versions of Windows 8.

This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  •     Windows XP
  •     Windows Vista
  •     Windows 7
  •     Windows 8

Resolved Issues

  • wi01107642 – SSL Mode Tunnels Do Not Disconnect.

You should refer to the release notes for all the details, including the interoperability issues.

Note: I’m hosting these files from my own servers so please don’t abuse my generosity by hot-linking to them from other sites or by downloading the files dozens of times needlessly.

AVC32-10.06.301.exe (32-bit – Windows XP, Windows Vista, Windows 7, Windows 8)
MD5: d256bdd829119dbb05beaf5fd9378aea
AVC64-10.06.301.exe (64-bit – Windows XP, Windows Vista, Windows 7, Windows 8)
MD5: f7266ea28723decf6d6ead3ba7009134

I’m no longer personally using the Avaya VPN Client. These days I utilize the Juniper Network Connect (and Pulse) client when working remotely. So I’m not really in a position to help everyone with their installation problems. In the past I’ve found that the client will work fine on a fresh OS installation the majority of the time when it wouldn’t work on that same machine prior to the re-imaging.

Cheers!

Avaya VPN Client Release 10.06.300 for Windows 8 https://blog.michaelfmcnamara.com/2013/06/avaya-vpn-client-release-10-06-300-for-windows-8/ https://blog.michaelfmcnamara.com/2013/06/avaya-vpn-client-release-10-06-300-for-windows-8/#comments Wed, 26 Jun 2013 23:15:05 +0000 http://blog.michaelfmcnamara.com/?p=3776 Avaya has released version 10.06.300 of their VPN client (formerly Contivity Extranet Client) that supports both 32-bit and 64-bit versions of Windows 8.

This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  •     Windows XP
  •     Windows Vista
  •     Windows 7
  •     Windows 8

Resolved Issues

  • wi01066387 Removal and re-installation of the VPN Client did not restore VPN adapter configurations (such as MTU) to system defaults.
  • wi01069254 AVC SSL Tunnel mode may randomly fail to retrieve the banner.
  • wi01076085 The Avaya VPN Client was previously unable to handle fragmented UDP frames resulting in data loss. This functionality has been added.
  • wi01082043 VPN Client Does Not Send UDP Keepalives In NAT Environments.
  • wi01086545 Manual Removal Instructions to Repair Broken Windows 8 Installation.
  • wi01090553 VPN Client Route Monitoring for SSL Tunnel Mode is inconsistent or not working as expected.
  • wi01090556 The VPN Client disconnects a user due to detected route table changes (via route monitoring) if the client machine’s local area connections renew their DHCP lease while a tunnel is active – and the DHCP server returns a default gateway value (normal in most environments).
  • wi01105916 Changes introduced by wi01059319 in 10.06.200 may result in the client returning error “General System Problem.” This has been resolved.
  • wi01090812 AVC/SSL connection drops while roaming when original metric lower than VPN adapter.

You should refer to the release notes for all the details, including the interoperability issues.

Note: I’m hosting these files from my own servers so please don’t abuse my generosity by hot-linking to them from other sites or by downloading the files dozens of times needlessly. Since May 5, 2013 the Avaya VPN Client downloads have accounted for ~ 36.8 GB of traffic from this site.

AVC32-10.06.300.exe (32-bit – Windows XP, Windows Vista, Windows 7, Windows 8)
MD5: 8e1d5f590022cd92d9d9f0636c063114
AVC64-10.06.300.exe (64-bit – Windows XP, Windows Vista, Windows 7, Windows 8)
MD5: 0eed78b62efad94da8e9c9d6f070cf49

I’m no longer personally using the Avaya VPN Client. These days I utilize the Juniper Network Connect (and Pulse) client when working remotely. So I’m not really in a position to help everyone with their installation problems. In the past I’ve found that the client will work fine on a fresh OS installation the majority of the time when it wouldn’t work on that same machine prior to the re-imaging.

Cheers!

Avaya VPN Client Release 10.06.200 for Windows 8 https://blog.michaelfmcnamara.com/2013/01/avaya-vpn-client-release-10-06-200-for-windows-8/ https://blog.michaelfmcnamara.com/2013/01/avaya-vpn-client-release-10-06-200-for-windows-8/#comments Mon, 28 Jan 2013 15:32:08 +0000 http://blog.michaelfmcnamara.com/?p=3458 Avaya has released version 10.06.200 of their VPN client (formerly Contivity Extranet Client) that supports both 32-bit and 64-bit versions of Windows 8.

This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8

Resolved Issues

  • wi01041435 – Traffic to overlapping network of Split net and Local net got blocked.
  • wi01031645 – AVC SwapAdapter feature does not reprioritize the VPN Adapter binding order for SSL tunnel types.
  • wi01011920 – AVC may Orphan NetBT NameList registry entries if ungracefully terminated.
  • wi01047768 – NVR interoperability – banner issues with specific IP address pool for Windows 7 users
  • wi01043584 – Installing AVC over same version in silent mode causes error
  • wi01058523 – AVC 10.06.104 IPSec Tunnels might drop during server initiated rekey
  • wi01049421 – Unsigned EAC Miniport Driver Blocked by Windows XP OS. A new binder.exe utility has been included in the installation directory (default: %ProgramFiles%\Avaya\Avaya VPN Client) on Windows XP systems to assist with remediating this issue.
  • wi01056647 – AVC may crash when connecting through an unstable wireless access point
  • wi01059319 – Sometimes WINS Servers may not take effect in Windows XP
  • wi01068400 – Dial-up not working properly on 32 bit platforms
  • wi01028196 – AVC fails to properly identify Windows XP x64 operating system which may result in improper client operation
  • wi00951988 – Unsupported Installation Change is not disabled properly.

Activation of VPN Adapter Failed

wi00928966 – Users who upgrade from a v10.05 or earlier release to v10.06 on Windows XP may receive the following error dialogue when attempting to establish an IPSec VPN tunnel – “Activation of VPN Adapter Failed”. This issue occurs when the AVC filter driver is not upgraded correctly during software installation.
As a precautionary measure, rebooting the machine before an upgrade installation is highly recommended. If the problem does occur, the workaround would be to uninstall and then reinstall the client. Please note, uninstall will remove all profiles and configurations. If users want to carry them over to the following reinstallation, they can use the Import/Export feature to export them before uninstall and import them back after reinstallation. For more details about the Import/Export feature please see Section 7 of this document.)

You should refer to the release notes for all the details, including the interoperability issues.

AVC32-10.06.200.exe (32-bit Windows XP, Windows Vista, Windows 7, Windows 8)
MD5: 006e21051924d92634b62600c071418b
AVC64-10.06.200.exe
(64-bit Windows XP, Windows Vista, Windows 7, Windows 8)
MD5: 34c860667260ce196139521196fca946

Cheers!

Avaya VPN Client Release 10.06.104 for Windows 7 https://blog.michaelfmcnamara.com/2012/08/avaya-vpn-client-release-10-06-104-for-windows-7/ https://blog.michaelfmcnamara.com/2012/08/avaya-vpn-client-release-10-06-104-for-windows-7/#comments Sun, 12 Aug 2012 15:16:33 +0000 http://blog.michaelfmcnamara.com/?p=2846 Avaya has released version 10.06.104 of their VPN client (formerly Contivity Extranet Client) that supports both 32-bit and 64-bit versions of Windows 7.

This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  • Windows XP
  • Windows Vista
  • Windows 7

Resolved Issues

  • wi01009468 BSOD (Blue Screen of Death) may occur on Windows 7 multi-core machines if Symantec Endpoint Protection v11.x is installed.
  • wi01002823 AVC 10.04.108+ Incompatibility with AT&T 4G USB Modem
  • wi01011943 AVC “Display Warning” or “Disconnect” Limitation. Previously the VPN client would be abruptly terminated if a user attempted to shut down or restart the host machine. Now the tunnel is gracefully disconnected prior to shut down or restart.
  • wi01032791 Disconnect the VPN tunnel when AVC service is closed/stopped

Open Issues

  • wi01011920 AVC may Orphan NetBT NameList registry entries if ungracefully terminated. The workaround is to clear the NetBT NameList or gracefully terminate the VPN Client before rebooting or restarting the host PC.
  • wi01031645 AVC SwapAdapter feature does not reprioritize the VPN Adapter binding order for SSL tunnel types.

Interoperability

  • McAfee VirusScan v8.8
  • Microsoft Internet Explorer v8
  • Microsoft Windows 7 IPv6 6to4 Adapter Duplicates
  • Avaya NetDirect Client
  • DNS Binding Priority with Windows Operating Systems

You should refer to the release notes for all the details, including the interoperability issues.

AVC32-10.06.104.exe (32-bit Windows XP, Windows Vista, Windows 7)
AVC64-10.06.104.exe
(64-bit Windows XP, Windows Vista, Windows 7)

Cheers!

Avaya VPN Client Release 10.06.022 for Windows 7 https://blog.michaelfmcnamara.com/2012/06/avaya-vpn-client-release-10-06-022-for-windows-7/ https://blog.michaelfmcnamara.com/2012/06/avaya-vpn-client-release-10-06-022-for-windows-7/#comments Fri, 29 Jun 2012 17:00:55 +0000 http://blog.michaelfmcnamara.com/?p=2812 Avaya has released version 10.06.022 of their VPN client (formerly Contivity client) that supports both 32-bit and 64-bit versions of Windows 7. This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  • Windows XP
  • Windows Vista
  • Windows 7

Resolved Issues

  • wi01003255 – Split Tunnel Failure on Windows 7
  • wi00860526,wi00972868 – Mobility for IPSEC doesn’t work properly on Windows 7 and XP.
  • wi00947857 – IPsec split tunneling mode enabled_inverse_local does not enforce its restrictions on sessions already established before the tunnel was created.
  • wi00956803 – Cached VPN adapter drivers not cleaned up on Windows 7
  • wi00995550 – Disconnecting a tunnel may cause service crash
  • wi00981906 – Fetching banner from different AVG when DNS Round Robin used
  • wi01006672 AVC may Orphan DNS Suffix Entries if ungracefully terminated.

New Outstanding issues

  • wi01011920 – AVC may Orphan NetBT NameList registry entries if ungracefully terminated. The workaround is to clear the NetBT NameList or gracefully terminate the VPN Client before rebooting or restarting the host PC.

New Known Issues

  • wi00928966 – Users who upgrade from a v10.05 or earlier release to v10.06 on Windows XP may receive the following error dialogue when attempting to establish an IPSec VPN tunnel – “Activation of VPN Adapter Failed”. This issue occurs when the AVC filter driver is not upgraded correctly during software installation. As a precautionary measure, rebooting the machine before an upgrade installation is highly recommended. If the problem does occur, the workaround would be to uninstall and then reinstall the client. Please note, uninstall will remove all profiles and configurations. If users want to carry them over to the following reinstallation, they can use the Import/Export feature to export them before uninstall and import them back after reinstallation. For more details about the Import/Export feature please see Section 7 of this document.)
  • wi00951988 – Component modification after installation is not supported.
  • wi00932075 – Canceling uninstall in the middle may cause faulty rollback.

You should refer to the release notes for all the details.

I will continue to host the client files on my website.

AVC32-10.06.022.exe (32-bit Windows XP, Windows Vista, Windows 7)
AVC64-10.06.022.exe
(64-bit Windows XP, Windows Vista, Windows 7)

Cheers!

Juniper SRX VPN Branch Office https://blog.michaelfmcnamara.com/2012/02/juniper-srx-vpn-branch-office/ https://blog.michaelfmcnamara.com/2012/02/juniper-srx-vpn-branch-office/#comments Tue, 28 Feb 2012 22:31:12 +0000 http://blog.michaelfmcnamara.com/?p=2663 We recently started replacing our aging Avaya VPN Routers (formerly Nortel Contivity) with Juniper SRX series gateways. We chose a Juniper SRX 650 to replace our Avaya VPN Router 1750 and we chose the Juniper SRX 210H to replace the Avaya VPN Router 1010 and 1050 models. While it was fairly easy to get both route-based tunnels and policy-based tunnels set up, we had an interesting time trying to route all traffic at the branch back to the main office (as opposed to routing it directly to the Internet on the branch Juniper SRX 210H) so it could be policed by our corporate firewalls and content filtering solutions. We were able to accomplish this configuration through the use of VRFs and I’m going to outline how we did it (just in case anyone else is trying to follow in our footsteps – or better yet can improve the configuration).

Configure the Juniper SRX 210 Branch Office

Log in to the serial console of the Juniper SRX gateway with the username “root” (the password should be blank). We’ll start the configuration by loading the factory defaults and then setting up some basic system information. We’ll add a user called “admin” for future use.

root@% cli
root> configure
Entering configuration mode
[edit]
load factory-default
set system host-name vpn-srx210h-gw
set system domain-name vpn.acme.org
set system time-zone America/New_York
set system root-authentication plain-text-password
set system login user admin full-name Administrator
set system login user admin uid 100
set system login user admin class super-user
set system login user admin authentication plain-text-password

Let’s set the SNMP information, including a reference to the routing-instance “centralized-internet”. This will allow us to perform SNMP polls against this VRF from the specific management workstations listed below.

set snmp description "Juniper SRX 210H"
set snmp location "Local Branch Office (Somewhere, USA)"
set snmp contact "Technology Team"
set snmp community readonlystring authorization read-only
set snmp community readonlystring routing-instance centralized-internet clients 10.1.20.50/32
set snmp community readonlystring routing-instance centralized-internet clients 10.2.20.50/32
set snmp community readwritestring authorization read-write
set snmp routing-instance-access
commit

Let’s start by configuring the WAN (public) and LAN (private) IP addresses. The interface ge-0/0/0 is the public interface which will connect to the Internet Service Provider. The interface vlan.0 is the private interface which is made up of the physical interfaces ge-0/1 – ge-0/7. We’ll also delete the factory default address of 192.168.1.1.

set interfaces ge-0/0/0 unit 0 family inet address 1.51.88.10/30
set routing-options static route 0.0.0.0/0 next-hop 1.51.88.9
set interfaces vlan unit 0 family inet address 10.1.200.1/24
delete interfaces vlan unit 0 family inet address 192.168.1.1/24

Let’s enable the web management GUI on the public interface and set the TCP port to 10443 as opposed to the default of 443.

set system services web-management https interface ge-0/0/0.0
set system services web-management https port 10443

Let’s enable the system services we want to allow in the untrust zone.

set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services https

Let’s repeat those commands for the specific public interface.

set security zones security-zone untrust interface ge-0/0/0 host-inbound-traffic system-services ike
set security zones security-zone untrust interface ge-0/0/0 host-inbound-traffic system-services ping
set security zones security-zone untrust interface ge-0/0/0 host-inbound-traffic system-services https

Let’s build the VPN tunnel interface to the Juniper SRX 650. We’ll need to assign an IP address to this interface since we’re setting up a Point to MultiPoint network with route based VPN tunnels.

set interfaces st0 unit 0 family inet address 10.1.255.120/24
set interfaces st0 unit 0 family inet mtu 1500

Let’s finish up setting up the security zones and adding the VPN interfaces.

set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all

Let’s not forget to allow the remote management via the web interface. (added 10/18/2011)

set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set system services web-management http interface st0.0

Let’s set up the IKE policy and pre-shared key for the VPN tunnel. Please make sure to replace the pre-shared key and IP addressing below with the values that are specific to your installation (not the example ones). I use the acronym PDC to stand for Primary Data Center since we have both a primary and an alternate/standby.

set security ike policy PDC-IKE mode main
set security ike policy PDC-IKE proposal-set standard
set security ike policy PDC-IKE pre-shared-key ascii-text "c3DrmFiRei37NpW65GnygdOorykE0ZjnpyX"
set security ike gateway PDC-GW ike-policy PDC-IKE
set security ike gateway PDC-GW address 2.1.1.25
set security ike gateway PDC-GW external-interface ge-0/0/0.0

set security ipsec policy ACME-VPN proposal-set standard
set security ipsec policy ACME-VPN perfect-forward-secrecy keys group2

set security ipsec vpn PDC-VPN ike gateway PDC-GW
set security ipsec vpn PDC-VPN ike ipsec-policy ACME-VPN
set security ipsec vpn PDC-VPN bind-interface st0.0
set security ipsec vpn PDC-VPN establish-tunnels immediately

The Juniper SRX still acts as a firewall so we need to create policies to allow the traffic to flow. I’ll set everything wide open for this example.

edit security policies from-zone trust to-zone vpn
set policy local-to-spokes match source-address any
set policy local-to-spokes match destination-address any
set policy local-to-spokes match application any
set policy local-to-spokes then permit
exit

edit security policies from-zone vpn to-zone trust
set policy local-to-spokes match source-address any
set policy local-to-spokes match destination-address any
set policy local-to-spokes match application any
set policy local-to-spokes then permit
exit

edit security policies from-zone vpn to-zone vpn
set policy local-to-spokes match source-address any
set policy local-to-spokes match destination-address any
set policy local-to-spokes match application any
set policy local-to-spokes then permit
exit

We’ll create a rib-group so that the interface routes are shared between the default routing table (inet.0) and the new centralized-internet routing table; without it, neither table would know about the networks directly connected in the other.

set routing-options interface-routes rib-group inet centralized
set routing-options rib-groups centralized import-rib inet.0
set routing-options rib-groups centralized import-rib centralized-internet.inet.0

We’ll create a virtual routing instance setting the next-hop to interface st0.0

set routing-instances centralized-internet instance-type virtual-router
set routing-instances centralized-internet interface st0.0
set routing-instances centralized-internet routing-options static route 0.0.0.0/0 next-hop st0.0

This filter will direct all traffic to the centralized-internet routing table. The first term lets us add an exception; it isn’t used today, but it can be used for testing and troubleshooting by changing the IP address to a valid LAN client IP address. This filter allows traffic from 10.1.200.254 to be routed based on the default routing-instance, which would send it directly out to the Internet as opposed to routing it over the VPN tunnel back to the main office.

set firewall filter centralized-internet-filter term 1 from destination-address 10.1.200.254/32
set firewall filter centralized-internet-filter term 1 then accept
set firewall filter centralized-internet-filter term 2 then routing-instance centralized-internet

We’ll apply the filter we created above to traffic ingressing the interface vlan.0.

set interfaces vlan unit 0 family inet filter input centralized-internet-filter

Let’s configure a DHCP relay instance to forward DHCP requests to a centralized server (10.1.1.40).

set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp description "Branch DHCP Relay"
set forwarding-options helpers bootp server 10.1.1.40 routing-instance centralized-internet
set forwarding-options helpers bootp vpn
set forwarding-options helpers bootp interface vlan.0

Let’s configure the TCP-MSS value so we don’t have any MTU issues tunneling over IPSec.

set security flow tcp-mss ipsec-vpn mss 1350

Let’s configure the debug options so we can troubleshoot any IKE/IPSEC issues.

set security ike traceoptions file size 1m
set security ike traceoptions flag policy-manager
set security ike traceoptions flag ike
set security ike traceoptions flag routing-socket

We need to disable IDP to prevent unwanted error messages from filling the log.

set system processes idp-policy disable

Now we need to commit and save all the changes we’ve made above.

commit

If you have issues committing the changes with errors such as:

root# commit
[edit system]
'autoinstallation'
incompatible with 'forwarding-options helpers bootp'
[edit forwarding-options helpers]
'bootp'
incompatible with 'system autoinstallation'
error: commit failed: (statements constraint check failed)

Just issue the following command and re-issue the commit

root# delete system autoinstallation

If you are connected to the public Internet you can sync the date/time via NTP over the public interface. This is an operational mode command, so run it from the `>` prompt (or prefix it with `run` while in configuration mode).

root> set date ntp 173.9.142.98

Configure the Juniper SRX 650 Main Office

Now we need to configure the Juniper SRX 650 which is the main office side of the tunnel.

Let’s create an IKE policy for this specific connection. Please remember to substitute the preshared-key and IP addresses I use in the example below.

set security ike policy TESTLAB-IKE mode main
set security ike policy TESTLAB-IKE proposal-set standard
set security ike policy TESTLAB-IKE pre-shared-key ascii-text "c3DrmFiRei37NpW65GnygdOorykE0ZjnpyX"

Let’s create a gateway and tie it together with our IKE policy. Let’s set the public IP address of the branch office VPN site.

set security ike gateway TESTLAB-GW ike-policy TESTLAB-IKE
set security ike gateway TESTLAB-GW address 1.51.88.10
set security ike gateway TESTLAB-GW external-interface ge-0/0/0.0

Let’s create a VPN policy and tie all the policies together binding it to st0.10 which is a multipoint interface on the main office side.

set security ipsec vpn TESTLAB-VPN ike gateway TESTLAB-GW
set security ipsec vpn TESTLAB-VPN ike ipsec-policy ACME-VPN
set security ipsec vpn TESTLAB-VPN bind-interface st0.10
set security ipsec vpn TESTLAB-VPN establish-tunnels immediately

Since we’re not yet doing OSPF we need to create a static route in the appropriate routing instance.

set routing-instances routing-table-lan routing-options static route 10.1.200.1/24 next-hop 10.1.220.10

I’m omitting a few steps on the Juniper SRX 650 to implement the Multipoint VPN feature but it’s well documented (as most of this is) in the Juniper documentation.
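The branch and hub configurations above share values that must line up exactly (the pre-shared key, and each side’s gateway address being the other side’s external address), and the branch side only works if the input filter, routing instance, tunnel interface and rib-group all refer to one another. The Python below is an added example, not Junos tooling or the author’s own code: it parses `set` commands into token tuples and reports any mismatch, using constructed excerpts of the branch (BRANCH) and hub (HUB) commands from this post; the exposed-services check is informational only.

```python
import shlex

# Constructed excerpt of the branch (SRX 210H) commands shown in this post.
BRANCH = """
set interfaces ge-0/0/0 unit 0 family inet address 1.51.88.10/30
set interfaces vlan unit 0 family inet filter input centralized-internet-filter
set security zones security-zone untrust host-inbound-traffic system-services https
set security ike policy PDC-IKE pre-shared-key ascii-text "c3DrmFiRei37NpW65GnygdOorykE0ZjnpyX"
set security ike gateway PDC-GW ike-policy PDC-IKE
set security ike gateway PDC-GW address 2.1.1.25
set security ike gateway PDC-GW external-interface ge-0/0/0.0
set security ipsec vpn PDC-VPN ike gateway PDC-GW
set routing-options interface-routes rib-group inet centralized
set routing-options rib-groups centralized import-rib inet.0
set routing-options rib-groups centralized import-rib centralized-internet.inet.0
set routing-instances centralized-internet instance-type virtual-router
set routing-instances centralized-internet interface st0.0
set routing-instances centralized-internet routing-options static route 0.0.0.0/0 next-hop st0.0
set firewall filter centralized-internet-filter term 2 then routing-instance centralized-internet
"""

# Constructed excerpt of the hub (SRX 650) commands shown in this post.
HUB = """
set security ike policy TESTLAB-IKE pre-shared-key ascii-text "c3DrmFiRei37NpW65GnygdOorykE0ZjnpyX"
set security ike gateway TESTLAB-GW ike-policy TESTLAB-IKE
set security ike gateway TESTLAB-GW address 1.51.88.10
set security ipsec vpn TESTLAB-VPN ike gateway TESTLAB-GW
"""

def parse_set(text):
    """Turn each 'set a b c ...' line into the tuple ('a', 'b', 'c', ...)."""
    return [tuple(shlex.split(line.strip())[1:])
            for line in text.splitlines() if line.strip().startswith("set ")]

def values(stmts, *prefix):
    """Yield the tokens after `prefix` for every statement that starts with it."""
    return (s[len(prefix):] for s in stmts if s[:len(prefix)] == prefix)

def value(stmts, *prefix):
    """First token after `prefix`, or None when no such statement exists."""
    rest = next(values(stmts, *prefix), None)
    return rest[0] if rest else None

def tunnel_facts(stmts, vpn):
    """Resolve vpn -> gateway -> policy and collect peer, PSK and local address."""
    gw = value(stmts, "security", "ipsec", "vpn", vpn, "ike", "gateway")
    pol = value(stmts, "security", "ike", "gateway", gw, "ike-policy")
    ext = value(stmts, "security", "ike", "gateway", gw, "external-interface") or "."
    ifd, _, unit = ext.partition(".")
    addr = value(stmts, "interfaces", ifd, "unit", unit, "family", "inet", "address")
    return {"peer": value(stmts, "security", "ike", "gateway", gw, "address"),
            "psk": value(stmts, "security", "ike", "policy", pol, "pre-shared-key", "ascii-text"),
            "local": addr.split("/")[0] if addr else None}

def check_tunnel(branch, hub, branch_vpn="PDC-VPN", hub_vpn="TESTLAB-VPN"):
    """Findings for anything the two IKE peers would disagree on."""
    b, h = tunnel_facts(branch, branch_vpn), tunnel_facts(hub, hub_vpn)
    findings = []
    if b["psk"] != h["psk"]:
        findings.append("pre-shared key differs between branch and hub")
    # Each side's 'gateway address' must be the other side's external address;
    # a side whose excerpt carries no interface address is skipped.
    if b["local"] and h["peer"] != b["local"]:
        findings.append(f"hub peer address {h['peer']} != branch external {b['local']}")
    if h["local"] and b["peer"] != h["local"]:
        findings.append(f"branch peer address {b['peer']} != hub external {h['local']}")
    return findings

def check_forced_tunnel(stmts, lan_if="vlan.0"):
    """Verify the LAN input filter -> routing instance -> st0 -> rib-group chain."""
    ifd, _, unit = lan_if.partition(".")
    flt = value(stmts, "interfaces", ifd, "unit", unit, "family", "inet", "filter", "input")
    if not flt:
        return [f"no input filter applied to {lan_if}"]
    # Every term that redirects traffic must name a routing instance that exists.
    targets = [r[-1] for r in values(stmts, "firewall", "filter", flt)
               if "routing-instance" in r]
    findings = [] if targets else [f"filter {flt} never redirects to a routing instance"]
    imports = {r[0] for g in values(stmts, "routing-options", "rib-groups")
               for r in values(stmts, "routing-options", "rib-groups", g[0], "import-rib")}
    for ri in targets:
        if value(stmts, "routing-instances", ri, "instance-type") != "virtual-router":
            findings.append(f"routing instance {ri} is not a virtual-router")
        nh = value(stmts, "routing-instances", ri, "routing-options",
                   "static", "route", "0.0.0.0/0", "next-hop")
        if not (nh or "").startswith("st0."):
            findings.append(f"{ri} default route does not point at a tunnel interface")
        elif (nh,) not in values(stmts, "routing-instances", ri, "interface"):
            findings.append(f"{nh} is not a member of routing instance {ri}")
        # Without the rib-group the VR has no LAN route and the LAN has no route back.
        if not {"inet.0", f"{ri}.inet.0"} <= imports:
            findings.append(f"rib-group does not import both inet.0 and {ri}.inet.0")
    return findings

def check_untrust_services(stmts):
    """System services the untrust zone accepts; worth reviewing on a public interface."""
    return [r[0] for r in values(stmts, "security", "zones", "security-zone", "untrust",
                                 "host-inbound-traffic", "system-services")]
```

Run `check_tunnel(parse_set(BRANCH), parse_set(HUB))` and `check_forced_tunnel(parse_set(BRANCH))` against your own `show configuration | display set` output; an empty list means the pieces line up.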


Cheers!

Avaya VPN Client Release 10.05.150 for Windows 7 https://blog.michaelfmcnamara.com/2011/12/avaya-vpn-client-release-10-05-150-for-windows-7/ Fri, 02 Dec 2011 14:25:40 +0000

Avaya has released version 10.05.150 of their VPN client (formerly Contivity client) that supports both 32-bit and 64-bit versions of Windows 7. This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  • Windows XP
  • Windows Vista
  • Windows 7

The release notes mention the following compatibility issues;

User may experience Blue Screen of Death (BSOD) during VPN tunneling if McAfee VirusScan v8.8 is installed on the machine. It’s due to an issue with McAfee driver mfewfpk.sys. McAfee provided a hot fix in October, 2011 and also embedded it into McAfee VirusScan v8.8 Repost 1. Please either apply the patch or use the v8.8 Repost 1.

The Avaya VPN Client (AVC) must not be installed on the same client machine in which either the Avaya VPN Gateway (AVG) NetDirect Installable Client (NDIC) or NetDirect portable client (ActiveX or Java-based) is installed, or vice-versa. Doing so may result in unexpected client behaviors. The AVC client may report “Failed to Activate the VPN Adapter”. Ensure that conflicting clients are uninstalled prior to installation of either AVC or NDIC/NetDirect.

The following issues have been resolved;

  • wi00938485 Splittun Disabled/Enable_Inverse Failure on Windows7
  • wi00924999 If users connect AVC to AVG from behind a non-IPsec-aware NAT box, they might experience intermittent banner retrieval failure or disconnection.
  • wi00947500 Sometimes the upload speed is low.
  • wi00887226 In rare occasions network applications might be impacted because of dropped packets.
  • wi00924795 Custom taskbar icons have wrong file names.

You should refer to the release notes for all the details.

I will continue to host the client files on my website.

AVC32-10.05.150.exe (32-bit Windows XP, Windows Vista, Windows 7)
AVC64-10.05.150.exe (64-bit Windows XP, Windows Vista, Windows 7)

Cheers

Update: June 29, 2012

I’ve posted the new client in this post. I’m going to close this post to comments, please make any comments in the new post.

Avaya VPN Client Release 10.05.100 for Windows 7 https://blog.michaelfmcnamara.com/2011/09/avaya-vpn-client-release-10-05-100-for-windows-7/ Wed, 21 Sep 2011 01:00:04 +0000

Avaya has released version 10.05.100 of their VPN client (formerly Contivity client) that supports both 32-bit and 64-bit versions of Windows 7. This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  • Windows XP
  • Windows Vista
  • Windows 7

The following feature has been added;

Integrated smart card PIN prompt (wi00565664)

When users use smart cards, normally the smart card reader applications and the operating system handle the context setup, i.e. they pop up the PIN prompt and PIN verification. However, with the introduction of Windows 7/Vista’s “Session 0 isolation”, this mechanism no longer works for some smart cards. Their PIN prompts get blocked by “Session 0 isolation” when the calling applications run as services.

In this release, we take care of the smart card context setup within our client in a way that is compatible with the OS, so that users can continue using smart card based authentication smoothly as before.

The following issues were resolved;

  • wi00889552 – On Windows 7, when AVC establishes a SSL VPN tunnel, it identifies its local OS to Avaya VPN Gateway (AVG) as Vista.
  • wi00888226 – Certificates not available for selection if there are certificates installed on the PC that do not have a Subject field
  • wi00896822 – Occasionally the upgrade install on Windows XP 64-bit doesn’t install the driver properly.

You should refer to the release notes for all the details.

I will continue to host both the 32bit and 64bit installation files here on my blog for download until such time as I run out of bandwidth or someone from Avaya objects (whichever occurs first).

If you feel so inclined why not leave a comment, even if it’s just to say “Hi!”.

AVC32-10.05.100.exe (MD5SUM HASH – 08f1a124ec969333680f883580327009)
AVC64-10.05.100.exe (MD5SUM HASH – 4174ea5afba84ad496356744a7ac579e)

Cheers!

Updated: June 29, 2012

You’ll find the new client here.

Avaya VPN Client Release 10.05.012 for Windows 7 https://blog.michaelfmcnamara.com/2011/07/avaya-vpn-client-release-10-05-012-for-windows-7/ Thu, 07 Jul 2011 14:56:31 +0000

Avaya has released version 10.05.012 of their VPN client that supports both 32-bit and 64-bit versions of Windows 7. This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  • Windows XP
  • Windows Vista
  • Windows 7

This release appears to be primarily geared around the Avaya re-branding effort so I wouldn’t advise that you rush out and upgrade right away.

“Nortel VPN Client” has been rebranded as “Avaya VPN Client”
With the transition from Nortel to Avaya, the product “Nortel VPN Client” has been renamed “Avaya VPN Client”. Some preliminary rebranding was done in earlier releases. In this release, the remaining components have been completed, including the installer, install path, driver names, etc.

Here are the few “resolved” issues;

  • wi00883754 Unsupported Change/Repair options appear in Programs and Features
  • wi00872243 Long message gets trimmed in the app launch wait dialog.
  • wi00877055 During upgrade install, previously installed PLAP component may fail to show up.

You should refer to the release notes for all the details.

AVC32-10.05.012.exe (MD5SUM HASH – e0d516cdf9a813df3243f59612f81340)

AVC64-10.05.012.exe (MD5SUM HASH – 57f490235bdd0dce0226e374d871f908)

Cheers!

Update: September 20, 2011

Avaya has released v10.05.100 which can be found here. I’m going to close comments on this post.

SecureLink Enterprise – Java 6 Update 26 https://blog.michaelfmcnamara.com/2011/06/securelink-enterprise-java-6-update-26/ Fri, 17 Jun 2011 20:11:54 +0000

We utilize SecureLink Enterprise to provide remote access to our vendors that support some of our servers. It’s a great solution that’s very cost effective and has worked very well. We probably have 200+ servers with the SecureLink Gatekeeper software installed. The solution utilizes a Java applet to provide a secure SSH tunnel via the web browser over which FTP Services, Desktop Sharing (Remote Desktop and VNC), Power Prompt and any number of customizable applications can run. It’s very easy to set up and provides two factor authentication utilizing the vendor’s email address along with a username and password combination.

We recently received a warning from SecureLink regarding the recent release of Java 6 Update 26;

There is a compatibility issue with the upgrade process from any previous version to Java 6 update 26 because of changes to some Java system files. Symptoms include connection errors, disappearing java applet window, session disconnects and java system errors. This issue occurs for both SecureLink Users and SecureLink Enterprise Vendor Representatives. SecureLink Users and SecureLink Enterprise Vendors can work around this problem by uninstalling and then manually re-installing Java or by rejecting Java 6 update 26.

Uninstall instructions http://www.java.com/en/download/uninstall.jsp

Manual Install Instructions http://www.java.com/en/download/help/windows_manual_download.xml

Cheers!

Avaya VPN Client Release 10.04.109 for Windows 7 https://blog.michaelfmcnamara.com/2011/05/avaya-vpn-client-release-10-04-109-for-windows-7/ Sat, 07 May 2011 14:40:44 +0000

Avaya has released version 10.04.109 of their VPN client that supports both 32-bit and 64-bit versions of Windows 7. This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  • Windows XP
  • Windows Vista
  • Windows 7

The following issues have been identified and resolved according to the release notes;

  • wi00875648 – Certificates with UTF-8 encoded issuer name can’t be selected.
  • wi00875671 – Sometimes users might get “Unhandled exception” error when trying to select a certificate or display its details.
  • wi00875676 – Pre-application launch command line not saved properly.

In the past I attempted to host the client files and I quickly ate through my 40 GB/monthly quota on my host. I’m going to attempt to do this again; however, I will most likely change the URL from time to time to guarantee that people aren’t hot-linking to it.

I may also restrict access to only ARIN based IP addresses, again I’ll have to see how things go the second time around.

Cheers!

Updated Saturday May 7, 2011

I’ve added MD5 hashes for both the files.

Updated Tuesday September 20, 2011

Avaya has released version 10.05.100 which can be found here. I’m going to close comments on this post.

Avaya VPN Client Release 10.04.108 for Windows 7 https://blog.michaelfmcnamara.com/2011/02/avaya-vpn-client-release-10-04-108-for-windows-7/ Mon, 07 Feb 2011 00:00:28 +0000

Avaya has released version 10.04.108 of their VPN client that supports both 32-bit and 64-bit versions of Windows 7. This single client supports the following operating systems (in both 32-bit and 64-bit versions);

  • Windows XP
  • Windows Vista
  • Windows 7

The new client is now rebranded as the Avaya VPN Client, although the installation routine still bears the name “Nortel VPN Client” in the title bar and the desktop icon created by the installation gets the label “Nortel VPN Client”. The new client also supports a (completely) quiet installation;

Previously, when users installed the client, they needed to acknowledge UAC prompts before the installation could continue. If they did not want the UAC prompts to show up, they had to manually install the Avaya certificate to the Trusted Publisher store, or check “Always trust software from Avaya Inc.” during an earlier NVC installation. In this release, a new option is introduced so that the procedure can be automated. To use it, users need to pass “TrustAvaya=TRUE” (the “TRUE” must be in uppercase) to the installer at the command line (in an administrative context). For example,

C:\NVC32-10.04.108.exe /S /v"/qn TrustAvaya=TRUE"

or

C:\msiexec /i "Nortel VPN Client.msi" /qn TrustAvaya=TRUE

There are quite a few bugs resolved in this release including the following;

  • wi00568576 Wireless users are disconnected intermittently. IPSec users which are behind a wireless cable modem are disconnected intermittently. Users are able to authenticate successfully, but after some time they get disconnected and the client pops up the message “VPN tunnel is disconnected due to routing table change”. This is because the operating system changes the metric of the wireless interface according to various parameters when the Automatic Metric option is enabled. This is the default configuration for network interfaces in Windows. This causes the client to consider that the routing table has been hacked and it disconnects the tunnel.
  • wi00595275 Screen Saver policy enforced at user level only. End user machine’s screen saver settings can be enabled at user level or group level (via Active Directory group policy). When the VPN client enforces the screen saver policy (pushed from server), it only checks the user level setting.
  • wi00595280 Unable to ping the local interface after a tunnel is disconnected. The issue occurs on Windows Vista/7 with mandatory tunneling only.
  • wi00666178 Inaccurate message when the QOTD banner message is not received. If the quote-of-the-day banner message gets lost (due to networking issue), the tunneling attempt failed with error message of “User did not acknowledge the banner”, which may confuse users. The message has been reworded as “The banner message from the VPN Router was not received, or the user didn’t acknowledge the banner. Please contact your Network Administrator or Helpdesk for assistance.”
  • wi00823633 On Windows XP the client fails to start if only Microsoft .NET 4.0 is available. On machines that have only .NET Framework v4.0 but no v3.5 or earlier versions available, the client fails to start.
  • wi00840078 Local IP address is unreachable on Windows 7. On Windows 7/Vista, when a tunnel is up (in mandatory tunneling mode), the local host IP address is not accessible.
  • wi00595473 Preconfigured profiles were not displayed in some cases.
  • wi00841234 NVC GUI takes very long time to launch up when using IPSec profiles having saved passwords.
  • wi00827126 Certificate based SSL tunneling fails when EACA (NHA/TG) is enabled. When Avaya EAC Agent (formerly Nortel Health Agent or TunnelGuard) is enabled, certificate-based SSL tunneling attempt will fail with error of “Banner fetching failed.”
  • wi00830401 On Windows 7/Vista the DNS settings for the VPN connection is not used if the connection is through a mobile broadband card connection. It’s an issue with the operating system’s DNS resolution. Please use Microsoft’s workaround described here: http://support.microsoft.com/default.aspx?scid=kb;en-us;311218
  • wi00841109 Occasionally tunneling attempts may fail and the error “Activating VPN adapter failed” is displayed.
  • wi00841089 Sometimes the log clear function doesn’t work. The log shows there are query errors.

A number of readers posted comments to the previous software release, Nortel VPN Client Release 10.04.016, around the first issue above where users were getting disconnected with the following message; VPN tunnel is disconnected due to routing table change. If you don’t feel like upgrading the client you can implement a workaround provided by a reader.

You can find the complete release notes right here.

You can find the client software on the Avaya support website.

I’m going to make the AVC software available here unless I’m contacted by Avaya.

NVC64-10.04.108.exe (64bit)
NVC32-10.04.108.exe (32bit)

Cheers!

Updated Sunday April 10, 2011

I can no longer host the Avaya VPN client software due to the enormous bandwidth utilization on my host. In addition there are just too many people abusing my gesture. I had a single IP address from China download the client software so many times that it consumed 10GB of bandwidth.

DHCP/BOOTP Relay with Juniper SRX Gateways https://blog.michaelfmcnamara.com/2010/09/dhcpbootp-relay-with-juniper-srx-gateways/ Sun, 12 Sep 2010 21:00:19 +0000

I’ve recently started deploying the Juniper SRX series gateways, placing an SRX 210 at branch office locations with an SRX 650 at the main office locations. We utilize a central DHCP/DNS/IPAM solution so we prefer to relay all DHCP/BOOTP requests to one of our centralized DHCP/DNS servers as opposed to utilizing the DHCP server functionality built into the SRX itself.

I had to spend more than a few minutes trying to get the DHCP relay working on the SRX 210. The configuration was pretty straight forward, the trick in the end was the “vpn” statement (see below) that allows the DHCP/BOOTP packets to be relayed across a VPN tunnel. Please note that the DHCP server at 10.1.1.1 is accessible via the VPN tunnel.

forwarding-options {
 helpers {
  bootp {
   relay-agent-option;
   description "Branch DHCP Relay";
   server 10.1.1.1;
   maximum-hop-count 10;
   minimum-wait-time 1;
   vpn;
   interface {
    vlan.0;
   }
  }
 }
}

The next big step will be deploying OSPF between all the SRX gateways.

Cheers!

Juniper SRX JUNOS Software Upgrade 10.1R1.8 https://blog.michaelfmcnamara.com/2010/04/juniper-srx-junos-software-upgrade-10-1r1-8/ Tue, 20 Apr 2010 23:00:24 +0000

We recently purchased two Juniper SRX 650s to replace our aging Nortel VPN Routers (formerly Contivity Extranet Switches). We finally have both gateways/routers/firewalls racked and connected to the network and we started working our way through the JUNOS configuration and command line interface. The SRX650 we received from our reseller came with 10.0R8 so we decided to upgrade them to 10.1R1.8 based on some feedback we had received from Juniper concerning the slow response from the Web GUI while evaluating the SRX platform a few months ago.

You can find the release notes for JUNOS 10.1 on the Juniper website.

We started by placing the software (junos-srxsme-10.1R1.8-domestic.tgz) on an internal web server (10.1.20.1).

The upgrade itself took at least 5 minutes and the reboot took at least another 5 minutes; you definitely need to be patient when upgrading the SRX. It took a really long time compared to anything else I’ve upgraded in the past.

root> request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot
/var/tmp/incoming-package.1145                        1500 kB 1500 kBps
Package contains junos-10.1R1.8.tgz ; renaming ...
NOTICE: Validating configuration against junos-10.1R1.8.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 631.0MB (1292236 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 157.75MB, 10096 blks, 20224 inodes.
super-block backups (for fsck -b #) at:
32, 323104, 646176, 969248
** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 317928 free (24 frags, 39738 blocks, 0.0% fragmentation)
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R1.8-domestic signed by PackageProduction_10_0_0
Using junos-10.1R1.8-domestic from /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic
Copying package ...
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/etc/voip/musiconhold.conf: No such file or directory
Verified manifest signed by PackageProduction_10_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 84,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR IDL IDR Decode Error -1(Garbled Message)
Link Layer Discovery Protocol: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic' ...
Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0
Verified junos-srxsme-10.1R1.8-domestic signed by PackageProduction_10_1_0
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
JUNOS 10.1R1.8 will become active at next reboot
Saving package file in /var/sw/pkg/junos-10.1R1.8 ...
cp: /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic is a directory (not copied).
Saving state for rollback ...
Rebooting ...
shutdown: [pid 1888]
Shutdown NOW!

*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY

I hope to post some additional information as we move forward with the Juniper SRX platform.

Cheers!

Nortel VPN Client Release 10.04.016 for Windows 7 https://blog.michaelfmcnamara.com/2010/03/nortel-vpn-client-release-10-04-016-for-windows-7/ https://blog.michaelfmcnamara.com/2010/03/nortel-vpn-client-release-10-04-016-for-windows-7/#comments Sat, 06 Mar 2010 14:30:14 +0000 http://blog.michaelfmcnamara.com/?p=1308

Nortel has released version 10.04.016 of their VPN client that now supports both 32-bit and 64-bit versions of Windows 7. This single client supports the following operating systems (in both 32-bit and 64-bit versions):

  • Windows 7: Home Basic, Home Premium, Professional, Enterprise and Ultimate
  • Vista: Home Basic, Home Premium, Business, Enterprise, and Ultimate
  • XP: Home, Professional, and Tablet

There are quite a few resolved bugs in this release and quite a few known issues. I would advise everyone to read the release notes thoroughly before spending too much time troubleshooting.

You can find the actual NVC (Nortel VPN Client) on the Nortel/Avaya website and the release notes here.

Cheers!

Updated September 2, 2010

It would seem that this is a very popular post given the number of people searching for information regarding the Nortel VPN Client (NVC) and Microsoft Windows 7. I’ve uploaded the complete documentation archive containing the installation instructions and troubleshooting instructions. In addition, if you are looking for the new NVC you can download it directly from Nortel here. While the client software isn’t “licensed” it is restricted by US export laws because of its 128-bit (and greater) encryption capabilities.
Updated Friday December 17, 2010

I’ve added links to the 32-bit and 64-bit clients in the comments below.

Updated Sunday April 10, 2011

I can no longer host the Avaya VPN client software due to the enormous bandwidth utilization on my host. In addition, there are just too many people abusing my gesture. I had a single IP address from China download the client software so many times that it consumed 10GB of bandwidth.

Updated Saturday May 7, 2011

Avaya has released v10.04.109 of their VPN client software which is available in this post.

Juniper Secure Access SSL VPN Software 6.5R2 is a winner https://blog.michaelfmcnamara.com/2010/02/juniper-secure-access-ssl-vpn-software-6-5r2-is-a-winner/ https://blog.michaelfmcnamara.com/2010/02/juniper-secure-access-ssl-vpn-software-6-5r2-is-a-winner/#comments Wed, 24 Feb 2010 04:00:01 +0000 http://blog.michaelfmcnamara.com/?p=1282

If you’ve been following this blog you’ll know that we’ve had quite a few issues with our Juniper Secure Access SSL VPN appliances over the past two years. Juniper was very slow to add WSAM support for Windows Vista 64-bit and by the time they started supporting Windows Vista, Windows 7 was released by Microsoft.

You might recall that I wrote about software release 6.5R2 back in December 2009, detailing our troubles with the 6.5R1 software release and our hope that Juniper could save the day.

Thankfully I’m here to tell you that software release 6.5R2 for the Juniper Secure Access SSL VPN appliances appears to be a winner!

About six days ago I upgraded a pair of SA4000s running 6.5R1 to 6.5R2. The primary goal was to resolve the compatibility issues that were introduced in 6.5R1 and finally provide support for both Windows Vista 64-bit and Windows 7 64-bit. The actual upgrade of the appliances was pretty straightforward and the initial testing didn’t reveal any issues. Unfortunately, no amount of testing can always predict how things will go when working with home personal computers and the myriad of software available. We waited nervously for the first few days… thankfully the calls never came. While we had one or two users that needed some hand holding during the software upgrade/installation process, the majority of our 800+ users didn’t seem to have any issues whatsoever.

Let me congratulate Juniper Networks on a job well done!

I’ve created a discussion forum for anyone that would like to discuss the Juniper Secure Access SSL VPN appliances. If you have a question or would like to make a comment, why not join the discussion?

Cheers!

Juniper SSL VPN Secure Access 6.5R2 Available – Windows 7 https://blog.michaelfmcnamara.com/2009/12/juniper-ssl-vpn-secure-access-6-5r2-available-windows-7/ https://blog.michaelfmcnamara.com/2009/12/juniper-ssl-vpn-secure-access-6-5r2-available-windows-7/#comments Fri, 11 Dec 2009 03:00:37 +0000 http://blog.michaelfmcnamara.com/?p=1152

Juniper has released a new version of software for their SSL VPN (Secure Access) appliances. The new release, 6.5R2, hopefully corrects all the issues and heartache that 6.5R1 brought to Juniper’s customers. I won’t rehash the issues that we discovered in 6.5R1; if you haven’t heard about them you can go read the earlier posts on the subject.

I will be testing 6.5R2 on a spare SA4000 appliance (waiting for an evaluation license key from Juniper) and will share my results with everyone here.

You can find the release notes for 6.5R2 here.

Windows 7

When will Juniper Networks’ SSL VPN (SA platform/IVE OS) support Microsoft’s Windows 7 OS as a supported client platform? You can refer to Juniper knowledge base article KB13195.

Juniper states that “Microsoft Windows 7 is qualified” (not supported) on 6.5R2 and there should be no major issues aside from the known caveats/issues.

Known Issues/Caveats:

* All client components:

  1. Unable to install (or) launch client component using IE8 (64 bit). This is expected as IE8 (64 bit) browser is not supported. Please use IE8 (32 bit) to avoid this issue. (470316)

* EndPoint Integrity:

  1. When using IE 8 on 64-bit Windows 7 the reason string is not available when a patch assessment policy fails. (485421)

* Secure Virtual Workspace (SVW):

  1. When opening a file with Windows Photo Viewer inside SVW, the file is shown on the real desktop rather than inside the SVW session. (447409)
  2. On Windows 7, saving a MS Office 2003 file inside SVW fails. (486104)
  3. On Windows 7, Control Panel is accessible inside SVW even if it is disabled under application to allow list. (486104)

* WSAM:

  1. If Kaspersky Anti-Virus Version 2009 (8.0.0.506) is installed on a Windows 7 (OR) Windows Vista computer, WSAM will not be able to intercept and secure traffic. This issue is not seen with older versions of Kaspersky Anti-Virus (434715).

Cheers!

Update: January 6, 2009

I should point out that I’ve discovered that JSAM will not launch properly with Windows 7 (64-bit) when running 6.5R1 software. I initially thought it might have something to do with the 32-bit/64-bit versions of Internet Explorer or the 32-bit/64-bit versions of the Java Runtime Environment. I tested the same machine today with 6.5R2 and it worked fine using the 32-bit version of Internet Explorer. I didn’t try the 64-bit version of Internet Explorer. So it would appear the problem is resolved in 6.5R2 software; please see the forums for additional details.
