This article describes how to configure Network Connect (IVE OS prior to 7.2R1) or VPN Tunneling (IVE OS 7.2R1 and onwards) on a Juniper device so that a user can launch a VPN on an iPhone/iPad and then perform RDP terminal service access from outside the network through the same VPN tunnel.
Problem or Goal:
How to launch a layer-3 VPN to perform RDP from an iPhone or iPad.
The following procedure configures Junos Pulse on an iPad/iPhone to launch the VPN and perform RDP access:
Go to the Apple App store to download the Junos Pulse client and the RDP Lite app.
Network Connect (pre-7.2R1 code) or VPN Tunneling (from 7.2R1 IVE code) has to be configured on the IVE so that the user can connect to the SSL VPN by using the Junos Pulse client on the iPad/iPhone.
User Role, User Realm, and Sign-in Policy are required with Network Connect configured on the IVE.
On the IVE, go to Users > Users Role > New User Role > General > Enable Network Connect (prior to 7.2R1 IVE OS) or VPN Tunneling (in IVE OS 7.2R1 and onwards) and then click Save Changes.
Note: Do not select the Junos Pulse option as this option is for desktop computers and not mobile devices (This applies only in IVE OS prior to 7.2R1). Confirm the same by referring to the Junos Pulse Mobile Device Integration guide (pages 6 and 7).
Go to the newly created role's Network Connect/VPN Tunneling tab and ensure that the Split Tunneling Options are set correctly and then click Save Changes.
If Enable split tunneling is configured, make sure that the Split tunneling Resource Policy is applied for that role on the IVE under Users > Resource Policies > Network Connect > Split-tunneling Networks (specify the IP address of the Terminal service resource that you need to access from Junos Pulse on iOS devices by using any RDP app from the app store).
If Disable Split Tunneling or Allow access to local subnet is selected, ensure that the ACL under the Access tab on IVE under Users > Resource Policies > Network Connect > Network Connect Access Control allows the specified RDP host IP address.
Configure the NC Connection Profile on IVE under Users > Resource Policies > Network Connect > NC Connection Profiles:
Click New Profile:
When the SA Series device receives a client request to start a session, it assigns an IP address to the client based on the IP address policies defined either through DHCP or the IP address pool. Apply the profile to the desired role as well and save changes.
On IVE under Users > Users Realm > New User realm > General:
By using the above procedure, you can launch the VPN connection on an iPhone or iPad and perform the RDP access.
Select the Preferred Auth Server and save changes.
Click the Role Mapping tab, create a New Rule, and apply it to the iPhone role as configured in step 1.
Note: Host Checker under the Realm or Role is supported from IVE code 7.2R1 or later. Prior to 7.2R1 IVE OS, Host Checker is not supported. For more information about Host Checker support on mobile devices, refer to:
Now go to Authentication > Signing In > Sign-in Policies > New URL, create the new Sign-in URL and apply it to the iPhone realm only and save changes.
On the iPhone:
Launch the Junos Pulse App, which was downloaded from the Apple App store.
Configure the Junos Pulse App with the IVE Sign-in URL and a user-friendly name. Save changes.
Click the Connect button on the Junos Pulse App; this will start the connection.
Provide the credentials to authenticate; once authenticated, you will be able to see the VPN icon, as shown in the following image (this confirms that the VPN tunnel is connected):
Perform the RDP Access:
Click the Home button on the iPhone/iPad to exit the Junos Pulse app user interface. Launch the RDP app downloaded from the Apple App store (for example, RDP Lite is one application that can be used for RDP access and is a free download from the Apple App store).
Click Configure on the RDP Lite app and then click New.
Specify the Host address of the remote computer to which the RDP connection is being made (the ACL for this Host IP address should be specified as described in step-3) and click the back button.
Now you will be able to see the configured Host IP address; click the profile.
This will initiate the RDP access and you will get connected to the RDP device.
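The split tunneling and access control steps above decide whether the RDP host is reachable through the tunnel at all. The following Python sketch is an added example, not Juniper code or part of the original article: it models those two policy checks for one role and also reports entries wider than the single RDP host. The function name, the tuple layout of the ACL, the rule evaluation order, port 3389 and the sample addresses are assumptions made for illustration.

```python
import ipaddress

RDP_PORT = 3389  # assumption: default RDP port; the article does not state one

def check_rdp_path(rdp_host, split_enabled, split_networks, acl_rules):
    """Return (reachable, findings) for one role's tunnel policy.

    split_networks: CIDR strings from the Split-tunneling Networks policy.
    acl_rules: ordered (action, cidr, port) tuples, port None = any port.
    Simplified model (assumption): first matching rule wins, no match = deny,
    and the ACL is evaluated in both split-tunneling modes.
    """
    host = ipaddress.ip_address(rdp_host)
    findings = []
    if split_enabled:
        # Only the listed networks are routed through the tunnel.
        nets = [ipaddress.ip_network(n, strict=False) for n in split_networks]
        covering = [n for n in nets if host in n]
        if not covering:
            return False, ["RDP host is not in any split-tunneling network"]
        findings += [f"split-tunneling network {n} is wider than the RDP host"
                     for n in covering if n.num_addresses > 1]
    for action, cidr, port in acl_rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if host not in net or port not in (None, RDP_PORT):
            continue
        if action != "allow":
            return False, findings + [f"ACL rule on {net} denies the RDP host"]
        if net.num_addresses > 1 or port is None:
            findings.append(f"ACL rule on {net} allows more than {rdp_host}:{RDP_PORT}")
        return True, findings
    return False, findings + ["no ACL rule allows the RDP host"]

if __name__ == "__main__":
    # Constructed sample policies with private addresses (not from the article).
    host = "10.20.30.40"
    print(check_rdp_path(host, True, ["10.20.30.40/32"], [("allow", "10.20.30.40/32", 3389)]))
    print(check_rdp_path(host, True, ["192.168.1.0/24"], [("allow", "10.20.30.40/32", 3389)]))
    print(check_rdp_path(host, False, [], [("allow", "10.0.0.0/8", None)]))
```

A result of `(True, [])` means the host is reachable and both policies are scoped to exactly that host and port; any finding marks an entry worth narrowing before the role is assigned to mobile users.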