This article provides information on the workflow for Encapsulating Security Payload (ESP) packet flow, keep-alive with idle timeout, and ESP to SSL failover behavior on the Junos Pulse Secure Access Gateway.
option is selected for the User role, which is configured under User roles General Overview. When accessing the SSL gateway via a Mac PC, the Junos Pulse option is not displayed on the user access page; the Network Connect option is displayed instead. The issue is specific to Mac PCs and is not observed with Windows-based PCs.
Windows Mobile 6.x OS does not support wildcard certificates. Junos Pulse client registration will fail if the Mobile Security Gateway to which registration is being attempted uses wildcard Secure Socket Layer (SSL) certificates.
NOTE: This issue may still occur when the Connection Profile is configured to use ESP, if the Junos Pulse client falls back from ESP to SSL. This can happen if the client is unable to make an initial connection using ESP, or to remain connected using ESP, on UDP port 4500.
This Component set is pushed to clients that try to launch the Junos Pulse client when connecting to the SSL gateway: http://www.juniper.net/techpubs/en_US/junos-pulse-30/topics/reference/access-control-connect-connection-set-options.html
In the above-mentioned proxy or ESP-blocked network environment, go to the SA/MAG VPN Connection and configure SSL as the transport mode (ESP is the default mode), so that Junos Pulse establishes the VPN tunnel directly via SSL transport, which prevents the network access from being blocked.
This user guide is used to assist in the configuration of an SSL/VPN connection for the device. Installing the Junos Pulse application on an iOS device does not require an SSL/VPN connection to perform monitoring and control (M&C) and features, which are listed in the Junos Pulse Supported Mobile Platforms document.
However, if this condition is not met, the client falls back to SSL as the secondary mechanism to connect to the IVE on port 443, which takes another 15 seconds (by default). A newly introduced administrative option in Junos Pulse Secure Access Service (SSL VPN) 7.2 allows administrators to prevent the failover from ESP to the SSL transport mode.
There is currently a known issue in which Junos Pulse may not honor the ESP to SSL fallback timeout setting that is configured on the SA SSL VPN. Junos Pulse will fall back anywhere between 60 and 110 seconds, in addition to the non-configurable idle timeout of 60 seconds. Due to this issue, if UDP port 4500 is blocked, Junos Pulse may take up to 2 minutes and 50 seconds after the connection is made before it is able to pass traffic.
Juniper has a separate solution for the Mobility platform, which uses the integration of Junos Pulse and the Juniper SSL device. This way, the Junos Pulse client on an iPad can connect to the SSL gateway and be granted access to the internet corporate network in a secure way.
In Junos Pulse Secure Access Service 7.2 and above, ESP transport mode is supported. Prior to Junos Pulse 3.0, ESP is not supported. Even if ESP is selected in the Connection Profile, the connection will be established with SSL.
The firmware code used on the Juniper SSL device is 7.2rx and later, with Pulse Client version 3.0 and later. The Junos Pulse and WSAM features are enabled under a role, and auto-launch is enabled for both. When connecting to the SSL gateway, neither the Pulse nor the WSAM application is launched automatically, and the user is redirected to the user access page, where only the Pulse option is available.
Note: Changing any of the above settings might restart some services in the Junos Pulse Secure Access Service. (This article provides more information than in the example on page 761 of the Junos Pulse Secure Access Service Administration Guide