On iOS devices we can launch a Layer-3 VPN through the Junos Pulse App, which is available for free on the Apple App Store. We first configure the Network Connect settings on the Juniper SSL VPN box, and then use the Junos Pulse App on the iPhone/iPad to launch the Layer-3 VPN. If we use the Safari browser on the iPhone/iPad and click the VPN icon to launch the Layer-3 VPN, it redirects us to the Junos Pulse App installed on the iPhone/iPad, as described later in this document. After launching the Layer-3 VPN on the iOS device, we can do various things such as Remote Desktop and accessing Citrix resources. For Remote Desktop we need to download a Remote Desktop application (like RDP Lite) from the Apple App Store, and to access Citrix resources we need to download the Citrix Receiver App from the Apple App Store. Both Apps are available free of cost on the Apple App Store as of now.
This document covers the following with regard to launching a Layer-3 VPN on iOS devices:
Configuration of Network Connect on Juniper SSL VPN box for Layer-3 VPN access.
How to use Junos Pulse App on iOS devices to launch Layer-3 VPN.
Behavior when launching Layer-3 VPN through Safari browser on iOS devices (iPhone/iPad).
How to do Remote Desktop and access Citrix resources after launching Layer-3 VPN on iOS devices.
1. Configuration on Juniper SSL VPN box for Layer-3 VPN access.
On IVE go to Users > Users Role > New User Role > General > Enable Network Connect and then click Save Changes.
Note: Please do not select the Junos Pulse option as this option is for desktop computers and not mobile devices. Confirm the same by referring to the Junos Pulse Mobile Device Integration guide (pages 6 and 7).
Go to the newly created role's Network Connect tab:
On the Network Connect tab, ensure that the Split Tunneling Options are set correctly and then click Save Changes. In this example we are using Network Connect with the Disable Split Tunneling option.
If Enable split tunneling is configured, make sure that the Split-tunneling Resource Policy is applied for that role on the IVE under Users > Resource Policies > Network Connect > Split-tunneling Networks. Create a New Policy, specify the Resources to which access is allowed, map it to the particular User Role, and then Save Changes. (For RDP access from the iPhone/iPad, specify the IP address or subnet of the Terminal Services resource that you need to access from Junos Pulse on iOS devices, using any RDP app from the App Store.)
Then, under the Access tab on the IVE under Users > Resource Policies > Network Connect > Network Connect Access Control, we need to specify the same resource as shown above and apply it to the same User Role. Please refer to the screenshot below.
If Disable Split Tunneling or Allow access to local subnet is selected, ensure that the ACL under the Access tab on the IVE under Users > Resource Policies > Network Connect > Network Connect Access Control allows the resource to be accessed (for RDP, we need to specify the IP address or subnet to be accessed). By default there is a policy with the resource *:*, which means all access. We can modify this existing policy or create a new policy as needed.
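The two policy checks described above can be reasoned about before touching the IVE. The following is an added example, not Juniper code: a simplified model in which resources are written as host:ports (an assumption; only *:* appears in this document), using the RDP host 10.9.222.6 from later in the document and the standard RDP port 3389.

```python
import ipaddress

def parse_resource(res):
    """Split an assumed 'host:ports' resource into (network, ports); None means '*'."""
    host, _, ports = res.rpartition(":")
    net = None if host == "*" else ipaddress.ip_network(host, strict=False)
    allowed = None if ports == "*" else {int(p) for p in ports.split(",")}
    return net, allowed

def acl_allows(acl, ip, port):
    """True if any Network Connect Access Control resource covers ip:port."""
    addr = ipaddress.ip_address(ip)
    for res in acl:
        net, ports = parse_resource(res)
        if (net is None or addr in net) and (ports is None or port in ports):
            return True
    return False

def check_target(mode, split_networks, acl, ip, port):
    """Return a list of findings for one target; an empty list means no issues."""
    findings = []
    addr = ipaddress.ip_address(ip)
    # With split tunneling enabled, the target must also be a split-tunnel network.
    if mode == "enable_split" and not any(
        addr in ipaddress.ip_network(n, strict=False) for n in split_networks
    ):
        findings.append("not in Split-tunneling Networks")
    if not acl_allows(acl, ip, port):
        findings.append("not permitted by Network Connect Access Control")
    # The default policy grants every VPN user access to every internal host.
    if "*:*" in acl:
        findings.append("ACL still contains the default *:* (all access)")
    return findings

if __name__ == "__main__":
    # Constructed sample policies, not exported from a real device.
    print(check_target("enable_split", ["10.9.222.0/24"], ["10.9.222.6:3389"],
                       "10.9.222.6", 3389))
    print(check_target("disable_split", [], ["*:*"], "10.9.222.6", 3389))
```

An empty list means the target is reachable under a scoped policy; the second call reports that the default *:* entry is still in place.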
Now, configure the NC Connection Profile on the IVE under Users > Resource Policies > Network Connect > NC Connection Profiles:
a. Click New Profile:
In the screenshot below we have specified a manual IP address pool, but we can also use the DHCP option, which appears just above the IP address pool option.
When the SA Series device receives a client request to start a session, it assigns an IP address to the client based on the IP address policies defined either through DHCP or the IP address pool. Apply the profile to the desired role and save changes.
On IVE under Users > Users Realm > New User realm > General:
Select the preferred Auth Server and save changes. In the screenshot below we are using System Local as an example.
Click the Role Mapping tab, create a New Rule, and apply it to the Role as created above.
Please note: Neither the role nor the realm should have Host Checker or Cache Cleaner enabled (no Evaluate or Enforce), as they are currently not supported (current running version 7.0 and 7.1).
Now go to Authentication > Signing In > Sign-in Policies > New URL, create the new Sign-in URL and apply it to the iPhone realm only and save changes.
In the screenshot below we are using */pulse so that end users can use the URL <hostname>/pulse when they log in.
Note: Neither the role nor the realm should have Host Checker or Cache Cleaner enabled (no Evaluate or Enforce), as they are currently not supported (current running version 7.0 and 7.1).
This finishes the configuration on the Juniper SSL VPN box.
2. How to use Junos Pulse App on iOS devices to launch Layer-3 VPN.
On the iPhone or iPad, follow the steps below to launch the Layer-3 VPN using the Junos Pulse App.
First, download the Junos Pulse App from the Apple App Store on the iPhone/iPad.
Once installed, launch the Junos Pulse App, click Configuration > Edit > Add new configuration, and fill in the details as shown below:
Give any friendly name (in the screenshot below we have used Pulse as an example) and then fill in the Sign-in URL as created in the SA box configuration (in the screenshot below we are using <IP address>/pulse as an example).
Now, click the Connect button in the Junos Pulse App as shown in the screenshot below; this will start the connection.
It will then ask for credentials to authenticate; once authenticated, we will be able to see the VPN icon as shown in the image below (this confirms that the VPN tunnel is connected):
We can click the Intranet icon as shown above, and this will list all the web bookmarks created under the User Role on the Juniper box, if any.
This way we have launched the Layer-3 VPN successfully on the iPhone. We can do the same on iPads.
3. Behavior when launching Layer-3 VPN through Safari browser on iOS devices (iPhone/iPad).
When we use the Safari browser on the iPhone/iPad to log in to the SSL VPN and try launching the VPN by clicking the VPN icon in Safari, it does not download the Network Connect client; instead it redirects the user to the Junos Pulse App installed on the iPhone/iPad. The user then has to configure the Junos Pulse App as described above in this document to launch the VPN. We see the VPN icon in the Safari browser on the iPhone as shown in the screenshot below. This VPN icon shows up only when we select the "Network Connect" access feature under the User Role on the Juniper box.
So to launch the VPN on the iPhone/iPad we have to use the Junos Pulse App at all times. If we use the Safari browser, then we can access the Web and File bookmarks as configured, but when trying to launch the VPN from Safari, it will redirect us to the Junos Pulse App installed on the iPhone/iPad, and we then configure the Pulse App as discussed above in this document to launch the VPN.
4. How to do Remote Desktop and access Citrix resources after launching Layer-3 VPN on iOS devices.
To do RDP from the iPhone/iPad we first need to download an RDP App from the Apple App Store. In this case, we have downloaded the RDP Lite App for reference.
After launching the VPN as shown above, click the Home button on the iPhone/iPad to exit the Junos Pulse App user interface. Launch the RDP app downloaded from the Apple App Store (for example, RDP Lite is one application that can be used for RDP access and is a free download from the Apple App Store).
Click Configure or Connect as shown in the above screenshot from the RDP Lite application, then click New as shown in the screenshot below to add a configuration:
Specify the Host address of the remote computer to which the RDP session is being made (an ACL for this Host IP address should be specified in the Network Connect settings as described above in this document) and click the back button as shown in the screenshots below. In the screenshot below we have used 10.9.222.6 as an example.
Now you will be able to see the configured Host IP address in the list, and once we click the IP address that we configured, it will launch the RDP session to that machine.
To access the Citrix resources on iPhone/iPad through Layer-3 VPN we need to download the Citrix Receiver App from the Apple App store.
After launching the VPN as shown above, click the Home button on the iPhone/iPad to exit the Junos Pulse App user interface. Launch the Citrix Receiver App downloaded from the Apple App Store and click Citrix Receiver, which will give us the screen below:
To add the settings, click the + icon as shown in the above screenshots and fill in the details as shown in the screenshot below:
After filling in the details as shown in the above screenshot, click Save and then click that Profile to launch the Citrix session and access the published Apps.
Note: Make sure we are able to access the Published Apps from the iPhone/iPad on the internal network (without going through the Juniper box). If we are able to access the Published Apps directly from our internal network without using the SSL VPN, then it should work when accessed through the Juniper SSL VPN.
This completes the process of doing RDP and accessing published Apps through Citrix Receiver App.