You are on page 1of 53

Release Notes (Rev. 0.

44)

Juniper Networks Secure Access
IVE Platform version 6.5 R1 Build # 14599

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2000 or 888 JUNIPER www.juniper.net
Jan 12, 2010

Copyright © 2005, 2006, 2007, 2008, 2009, 2010 Juniper Networks, Inc.

i

Contents
Recommended Operation........................................................................................................................................ 1 New Features in this Release .................................................................................................................................. 3 Upgrading to this Release........................................................................................................................................ 3 Known Issues/Limitations Fixed in this Release ................................................................................................. 4 All Secure Access Platforms........................................................................................................................... 4 SA 2000 through SA 6500 Items .................................................................................................................... 6 Known Issues and Limitations in this Release ..................................................................................................... 9 All Secure Access Platforms........................................................................................................................... 9 SA 2000 through SA 6500 Items .................................................................................................................. 14 Windows 7 ..................................................................................................................................................... 15 Archived Known Issues and Limitations ............................................................................................................ 17 All Secure Access Platforms......................................................................................................................... 17 SA 2000 through SA 6500 Items .................................................................................................................. 35 Supported Platforms .............................................................................................................................................. 49 Supported NSM releases ....................................................................................................................................... 51

Copyright © 2005-2010 Juniper Networks, Inc.

ii

Recommended Operation
• •

The Debug Log troubleshooting functionality should only be enabled after consulting with Juniper Networks Support. The IVE has an Automatic Version Monitoring feature which notifies Juniper Networks of the software version the IVE is running and the hardware ID of the appliance via an HTTPS request from the administrator’s Web browser upon login to the admin UI. Juniper Networks collects this data to be able to inform customers about critical security patches they may need. Administrators can enable/disable this functionality by logging into the admin UI and going to the Maintenance > System > Options menu. We strongly recommend that administrators keep this setting enabled. When using W-SAM, Network Connect, or Secure Meeting, we recommend that the administrator allow the client to automatically select between the optimized and non-optimized NCP options. This allows clients to use optimized NCP where possible, and to fall back to non-optimized NCP where necessary. (28405) More than one simultaneous session from a single client to the same IVE might cause unpredictable behavior and is not supported. This is primarily due to the pre-authentication mechanisms which might conflict between sessions. This caution also applies to situations where an end-user and administrator session to a single host occur simultaneously. When using an external load balancer and accessing J-SAM, W-SAM, Network Connect, or the Online Meeting functionality, persistence must be employed on the load balancer. This persistence should be based on Source IP or Destination Source, depending on the load balancer being used. In order to access IVE resources as links from a non-IVE Web page, a selective rewriting rule for the IVE resources is required. For example, if you would like to include a link to the IVE logout page such as http://<IVE server>/access/auth/logout.cgi then you need to create a selective rewriting rule for http://< IVE server >/*. (26472) If two separate Web browser instances attempt to access different versions of the IVE, the browser may prompt the user to reboot the PC after the NeoterisSetup.cab file has been downloaded. Upon closing all browsers and logging in again, the prompt will no longer be displayed. No reboot is required. W-SAM supports client-initiated UDP and TCP traffic by process name, by destination hostname, or by destination address range:port range. Except for Passive FTP, W-SAM only supports protocols that do not embed IP addresses in the header or payload. W-SAM also supports unicast clientinitiated UDP. Users must launch drive maps through W-SAM in one of the following ways:
• •

NetUse--At the Command prompt, type: net use * \\server\share /user:username Right-click My Computer > Map Network Drive, or in Windows Explorer, go to Tools > Map Network Drive and select “Connect using a different username”.

When using the W-SAM Access Control List (ACL), administrators should take extra precaution when granting access to hosts. We recommend that administrators use the IP address instead of the hostname. If the hostname is required, for security purposes, administrators should try to include additional ACLs with the corresponding IP address or IP addresses for that hostname. Reverse DNS lookups are not supported. To run Citrix NFuse through W-SAM, you must define a Caching rule to cache launch.asp files. For

Copyright © 2005-2010 Juniper Networks, Inc.

1

example, configure the resource policy to “<server name>:80,443/*.launch.asp” and the Caching Option to “Cache (do not add/modify caching headers)”.

When using Microsoft NetMeeting with W-SAM, hosting a meeting is not supported. There are no problems joining a meeting using Windows 2000. When using Windows XP, however, application sharing does not work as expected. In order for Windows XP users to work around this sharing issue, they must first turn on the “Only you can accept incoming calls” option. When using WSAM on Pocket PC, roaming for IVE sessions should be enabled when being used over GPRS because the IP address of the phone may change. When using WSAM on Pocket PC, if you have multiple roles defined, select the option for “Merge settings for all assigned roles” in Administrators > Admin Realms > [Realm] > Role Mapping. Do not delete the main cluster licensing node. Doing so will lose all cluster licenses.

Copyright © 2005-2010 Juniper Networks, Inc.

2

New Features in this Release
• Please refer to the What’s New document for details about new features available in this release.

Upgrading to this Release
• Please refer to the Supported Platforms document for important information pertaining platforms supported. Windows 98 SE and Windows NT are not supported on the 5.5 and later releases. The SA1000, SA3000 and SA5000 series platforms are not supported on the 6.1 and later releases. The supported upgrade paths to this release are when you upgrade from any one of the below mentioned releases. In order to ensure configuration and user data integrity after the upgrade, we strongly recommend that you follow a supported upgrade path. o o o o o o 6.4Rx 6.3Rx 6.2Rx 6.1Rx Note: If upgrading from a release not listed here, please upgrade to one of the listed releases first, and then upgrade to 6.5 R1. If using Beta or Early Access (EA) software, please be sure to roll back to a prior production build and then upgrade to the 6.5 R1 software. (This process enables you to roll back to a production build if ever needed.)

Copyright © 2005-2010 Juniper Networks, Inc.

3

0. (383309) Integrated Web SSO (CD/Kerberos/NTLM/Basic) • Constrained delegation is not supported when user credentials used for login to SA match the CD account configured for constrained delegation. make sure that DNS is working correctly. (427768) User credentials having Chinese characters may have issues with NTLM SSO. and a user who maps to that role attempts to access a Domino 8 server. (419029) • Pass-Through Proxy • XML Import of Web profile (with Pass Through Proxy settings enabled) and PTP proxy Policy through the same XML file causes an import error.1 on Firefox loading the Inbox is slower than other pages. a null pointer exception is seen on the Java console by the end user during launch of JSAM. Known Issues/Limitations Fixed in this Release 4 . (391947) Rewriter/Web Applications • Currently the SA has a limitation of not supporting heavy usage of PDF rewriting due to high memory usage. (426084) Workaround: Import the resource profile(s) first. For a particular role. JSAM • When Citrix is enabled as an application for JSAM. Inc. (413833) URL obfuscation may not work with Domino 8. • File Browsing • For Windows CIFS share with NTLM V2. an error is displayed the first time a file download is downloaded. The exception does not prevent Citrix from working through JSAM. (427280) • • • PDF files greater than 32 Mb are not supported through the rewriter (38375). This can impact performance if there are a large number of groups (424046). group lookup is performed even when no role mapping rules involving groups are configured on the IVE for that server. Workaround: Use upper case for “Realm” in realm definition if realm definition needs to be used for constrained delegation. When Active Directory is being used as a secondary authentication server. the destination server hostname might be displayed in the URL instead of the obfuscated token of the destination hostname. (427759) • If “Realm” in Realm definition is lower case and this realm definition is used for constrained delegation then CD SSO does not work. Subsequent attempts will work without error. or that a host-toaddress mapping is entered into the Hosts table (394555).Known Issues/Limitations Fixed in this Release All Secure Access Platforms AAA • The IVE will enter into an inconsistent state and will reboot if the configured Windows 2008 Server domain controller cannot be resolved to an IP address due to DNS malfunction or any other reason. if the “Enable mask hostnames while browsing” option is enabled. To avoid this problem. When accessing Domino 8. (423257) Copyright © 2005-2009 Juniper Networks. followed by the PTP policies.

o Change the log file size to desired value on the admin UI.. This will result in the loss of the existing security world and certificates. However. If any of the above operations are necessary. (415518) For the SA4000 FIPS and SA6000 FIPS hardware platforms. the DMI agent should be disabled by looking under the dmi agent tab in the configuration menu: It should say disconnected for outbound connections and either disabled/listening for inbound connections. o Re-initializing the security world.4R1 FIPS machine.4R1 FIPS cluster. (430043) The workaround if NSM is being used is as follows: o Disable DMI agent by turning off inbound and outbound connections under the DMI agent tab in the configuration menu.4R1 FIPS machine to a 6.4R1. they should be performed prior to an upgrade to 6. (425474) Workaround: Remove all duplicate routes from the exported XML using a text editor and then perform an XML import. the device ignores them and retains its existing state for these settings. it sometimes results in an error (SIGBUS). • • Copyright © 2005-2009 Juniper Networks. Known Issues/Limitations Fixed in this Release 5 . Method: search for <routes> . DMI agent is enabled for NSM operation. if the settings are enabled in the imported file. (434848) o • XML Import for the “Enable Kernel Watchdog” and “Enable File System Auto-clean” settings under System > Maintenance works correctly has the desired effect if the settings are disabled in the imported XML file. 'Allowed Encryption Strength' will be set to 'Accept only 128-bit and greater' on upgrade. The node where the cluster was created will remain unaffected. the following security world operations are not possible: Joining a 6. (433297) Issue regarding XML export/import: If a given route exists both on the system and in the XML file. If NSM operation is not needed. o Importing a security world and certificates using binary config import onto a 6. All other normal functions will not be affected. Device will not be able to boot. (424764) • RC2-MEDIUM option has been removed from 'Custom SSL Cipher Selection'. o Replacing administrator cards. In the cases where the device fails to boot properly. the XML import finds this to be a duplicate route and the operation fails. recovery will require a rollback or factoryreset. o Import device config from NSM System • Dashboard displays don’t change when setting to individual IVE node or All Member. This will result in the loss of security world and certificates on the joining node. If 'Allowed Encryption Strength' was set to 'Custom SSL Cipher Selection' and RC2-MEDIUM was the only selected cipher. The joining node will not be able to boot. Device will not be able to boot. o Re-enable DMI agent by turning inbound/outbound connections back on. Inc.. o Configuration reset from the serial console.DMI Agent • When DMI agent is enabled and running and the default log file size is changed to a higher value. Device will not be able to boot.

a user is able to change the MTU value on the Network Connect adapter. (The Network Connect client automatically connects to the last secure gateway server that you accessed. • The “Enable Kernel Watchdog” and “Enable File System Auto-clean” settings under System > Maintenance display the following behavior : If these settings are enabled from NSM and pushed to the device. the device ignores them. the message “You do not have permission to login. (433297) Archiving • If the archiving settings are configured before applying any licenses to the IVE device. (414513) • While Network Connect is running. Known Issues/Limitations Fixed in this Release 6 . which may not use the version defined in the Network Connect client. (428542) • The FTP archiving feature does not allow specification of credentials to access the backend FTP server in the format "domain\username". NC Smartcard Credential Provider is not able to add or replace the smart card certificate in the SystemStore and therefore fails to establish an NC tunnel. a stack overflow may occur. then attempt to disable from NSM.gina. Here is the content of message nc. The message should be a correct remediation message depends on the remediation action required and should be displayed from an Internet Explorer.</routes> blocks and remove those blocks. Windows Interactive User Logon is the NC GINA component in Windows XP and the NC Credential Provider in Windows Vista respectively. Inc.24628 pops up twice when a user uses Windows Interactive User Logon to connect to an IVE of a different version compared to the Network Connect client that was installed on the client machine. enable the setting via the admin UI and import into NSM. the default value for log filters in the archiving settings is incorrectly set to WELF instead of Standard. This is incorrect behavior. if these settings are disabled from NSM and pushed to the device.gina. (428951) • Copyright © 2005-2009 Juniper Networks. (423846) Windows Interactive User Logon • Error message nc. This works correctly. please contact your administrator” is shown on a Firefox browser.24628: “The secure gateway and Network Connect client versions do not match. and then login to your secure gateway to upgrade Network Connect. the device accepts them and updates configuration correctly. click Cancel to sign into the secure gateway that uses different version of Network Connect. (426804) In some situations. To get into this state.windows. (403256) SA 2000 through SA 6500 Items Network Connect (NC) Windows Client • When another IM driver binds to the Network Connect adapter. when the user clicks to read the remediation message. However. and licenses are added subsequently.” (425694) • If a Host Checker policy is configured to be used in conjunction with NC Windows Interactive User Logon and the Host Checker policy fails.) Click OK to continue to log into your desktop. Or.windows.

11. Inc. the meeting presenter may receive a message saying “The connection to Meeting server has been lost. (425463) • • • Secure Meeting • If a Windows user is the meeting presenter and shares the desktop and then pauses sharing. (411591) Due to a software issue. However. printing from a Citrix session inside SVW is not supported. NC will disconnect the NC tunnel after the user logs in to Windows. (423857) After Secure Meeting client is launched inside Juniper Networks Secure Virtual Workspace. Known Issues/Limitations Fixed in this Release 7 .• If the logon user’s SAM and UPN names are different. the Secure Meeting client may crash when it exists. (419422) Log caption under preference tab is not localized. (425651) On Vista. (392488) While having a long meeting over a slow link. any meeting attendees joining the meeting after the sharing pause will see the presenter’s screen instead of the screen when the presenter paused. the new proxy setting is not recognized by the Secure Meeting Outlook plugin. (423185) Users are automatically switched to real desktop while inside SVW if the Yahoo tool bar is installed in the IE7 browser. (423823. (424266) o If a user uses Outlook to change the meeting name and/or add some text of an instance of a recurrent meeting. the other Windows users will not be able to use this Secure Meeting capabilities. (433728) Within IVS. the agenda field of the modified instance on IVE end user page details view is empty. The high privilege programs are the programs that Vista prompts for UAC credential. launching WSAM takes more than 30 seconds (462893) Non-FQDN hostnames cannot be accessed after signing out and signing back in to the IVE (447824) • Secure Virtual Workspace (SVW) • Secure Virtual Workspace settings cannot be configured via XML Import or from NSM. (428951) Windows Secure Application Manager • WSAM unable to resolve non-FQDN hostnames (437505) • On Vista. SVW policies are visible under the HC tab in the NSM UI.6. The Meeting string and some strings in the Outlook plug-in are not translated into German. the SVW can’t be launched when a Host Checker policy fails. This problem doesn’t occur if the presenter is using Linux or MAC. after one of these Windows users uninstalls his/her copy of Secure Meeting client. (416241) Secure Meeting Outlook plugin can’t be downloaded using IE7 and JAVA 1. Viewing the series shows the correct agenda field. if multiple Windows users are sharing the same Windows machine and more than one of them installed Secure Meeting client with the capability of allowing remote viewing and controlling of high privilege programs. (428576) • • • • • • • • Copyright © 2005-2009 Juniper Networks. Possible reason includes the server or network connection is down. when IVE is accessed with a FQDN. Please contact your system administrator. (423538) Various strings were not translated correctly. 424504) o Draw string is incorrectly translated in French.” (396059) If proxy setting is changed after Secure Meeting Outlook plugin is installed. and errors are thrown if the administrator attempts to edit them.

Inc. Known Issues/Limitations Fixed in this Release 8 . Host Checker does not restart if user tries to login after login inactivity time expires (406841). the browser within SODA may crash (424666) Copyright © 2005-2009 Juniper Networks.log is not uploaded to the server (403986) When connecting to an IVE device from within Symantec Virtual Desktop (SODA) and Java delivery is enabled. dsHostChecker_mac1.Host Checker • • • • • Connection control policy and SODA fails on French and Japanese images (421951) Vista : HC+CC+ActiveX in post auth redirects to sign-in page with authentication failure message (421718) When launched through Network Connect.

However. (455887) If a user did not select "always" on the "Setup Control .based web applications do not work as expected on iPhone 3. as is authentication on networks consisting solely of legacy domain controllers. (446326) If an end-user expands or collapses the floating toolbar in the course of accessing any website through core rewriting.1. the following error is seen : "The URL entered is invalid. the user will see a "Setup Control . the same applications work on iPhone2.Known Issues and Limitations in this Release All Secure Access Platforms AAA • Windows Server 2008-based authentication on networks consisting solely of Windows Server 2008 domain controllers is guaranteed work. 1000). change setTimeout(Test. In the latter case. please use IP based resource in your Java ACL resource policies. this does not work as expected. A possible workaround is to change the JavaScript code for setTimeOut to pass a string instead of a function.0 going through the IVE rewriter. (459767) AJAX.wWWHomePage> is entered in Resource Profile > Resource page on the admin UI. Inc. (438100) If <userAttr. administrators must choose “Domain Controller is a Windows 2008 Server” option on the IVE Active Directory configuration page. to setTimeout("Test()". Please enter a protocol for the URL".com via an http:// connection to the SA device throws an SSL warning "Do you want to view only the webpage content that was delivered securely ?" However. 1000). (394181) • • When a user clicks "No" on the "Setup Control . if the value <userAttr. attributes containing only whitespace values cannot be deleted (458929) • Adaptive Delivery – AX and Java Installers • Using IE8 and JAVA.png from the root of the server. they may see an application error with a null pointer exception when closing the browser. (458530) If a web page is launched on the iPhone from an icon bookmark. this works fine if facebook.2. authentication on networks with a mix of new and legacy servers MAY work. Note : The same value works correctly without error when entered in the Role > Web Bookmarks page via the admin UI or NSM (PR 443849) Browsing to facebook. Using NSM. no validation error is seen but update device fails. the iPhone will often try to get the default icon /apple-touch-icon. However. when the user tries to change "Host checker Remediation" option under Advanced > Preferences. Known Issues and Limitations in this Release 9 .wWWHomePage> is entered in the Resource profile > Resource page. In Custom Radius Rules. (458531) TCP connections created by Java applets using hostnames fail to match Java ACL resource policies with matching hostname resources. (458370) Rewriter/Web Applications • • Accessing PDF files larger than 32MB will cause high CPU utilization. For example.Warning" dialog. the toolbar settings are supposed to be saved and restored upon the next login.Warning" dialog. This sometimes prevents users from logging in. or enable the “IP based matching for Hostname based policy • • • • • Copyright © 2005-2009 Juniper Networks.com is accessed through an https:// connection to the SA.Warning" dialog again. To work around this problem. Changes made to the floating toolbar changes are lost when then user logs out.png is not found. However. The user will see an IVE page saying /apple-touch-icon. after user sign-out from the Secure Gateway. a JAVA script error may appear. instead of the normal IVE experience.

(455154) If a user logs into to IVE using an AD auth server and tries to access an NTLM-protected resource for which SSO is disabled. a user logging into the IVE will be able to access only one of the service lists but not the other.net). and if the resource resides in the same domain as the AD authentication server.(422736) If a user logs in to the IVE using a Local User account. (427768) If there are two separate CD accounts configured for the same Kerberos realm with different service lists that apply to the same IVE user role. IVE will not perform SSO when the resource is accessed. (433199) • For XenDesktop. the desktop may not launch in the first attempt.net or user11@kerb11. but will launch in subsequent attempts. a null pointer exception is seen on the Java console by the end user during launch of JSAM.resources” option on the Resource Policies > Web > Options page.(450001) Cross-realm Kerberos Constrained Delegation is not supported in this release. Hardcoded realm name works. Workaround: Use upper case for “Realm” in realm definition if realm definition needs to be used for constrained delegation. The exception does not prevent Citrix from working through JSAM. they will see a warning page in the second machine indicating that the session is active along with an option to continue. Known Issues and Limitations in this Release 10 .kerber3. Java exceptions are thrown in the Java console when a telnet session is launched. NTLM intermediation login fails and returns the same intermediation page. the IVE still attempts to perform single sign-on. (419917) Copyright © 2005-2009 Juniper Networks. However. (460106) If NTLM entry is defined under Resource Policies > Web > General with Variable credential type with domain using <REALM> and there is no policy for this resource (using the SSO under the General tab). the session on the first machine is terminated. if only the COM port option is enabled on bookmarks page without Printer or Drive options. if the Citrix client is installed when launching a Citrix XenDesktop bookmark. if the user logs in again to the first machine. they will simply see a login screen with no warning message. (449745) Cross-realm Kerberos SSO is not supported in this release. If the user chooses to continue. (423257) • If JSAM client side logs are enabled on the IVE. it will not work as Citrix does not support it. Inc. and accesses a resource using a User Principal Name (such as 77889911@kerber3. The workaround is for the user to use a normal AD account name instead of the UPN name.(460386) • • • • • • • User Access • If a user logs in to the IVE from two different client machines. the SSO failed with NTLM intermediation page with the server domain. (447903) JSAM • When Citrix is enabled as an application for JSAM. user login to an AD realm which is different from the server realm. (416372) If a Kerberos SSO policy is configured using a credential of a realm other than the resource's Kerberos realm. (458914) Integrated Web SSO (CD/Kerberos/NTLM/Basic) • If “Realm” in Realm definition is lower case and this realm definition is used for constrained delegation then CD SSO does not work. (461542) Virtual Desktops • On Windows.

(460913) It is possible to delete a VLAN interface even if it associated with some static routes. the reporting of the load average in an idle system is different from previous releases. If they don’t. (473758) • • System • The new EES licenses are duration-based in this release. Inc. Citrix HDX functionality for accelerating flash content can be supported only when the site hosting the flash content is directly reachable from the end users’ machine. Before importing an XML configuration containing IVS profiles and corresponding configurations. then the other node will constantly try to reform the cluster. with Embedded Citrix client and JSAM access method. in the admin UI.0 on Windows-XP and IE6. It is recommended that such operations be performed during maintenance windows.0 and later. the minimum value at idle will be 1 as the kernel accounts for system related processes. but there is no system impact as these routes will not be used. Known Issues and Limitations in this Release 11 . the 1-year EES license will be extended by 4 months to 16 months automatically and the expired timer will be automatically adjusted to reflect this extension. create them with minimal configurations and then attempt the import. (56761) Copyright © 2005-2009 Juniper Networks. in this release. it should be un-installed by going to the browser add-ons list and deleting the Download Manager add-on and then downloading the client through 'click here' link. The 2-year and 3-year EES licenses will not have the same extension. clicking on the Applications will cause a looping pop-up window. The first is that only the root IVS administrator can perform XML Import/Export of IVS configurations. In addition. (449853) With the kernel change in 6. if a node is disabled. XML Import/Export • It is expected that XML Import of a large configuration will drive up CPU utilization. sometimes the idle session reminder may popup even if the Citrix session is not idle. make sure that IVS systems with those names exist on the target device. (417481) When Session Counter is set to ON. User Record Synchronization feature will not start automatically after importing a system configuration that has this feature enabled. If the user has already installed the Download Manager. the IVS must already exist on the target device. The workaround is to disable User Record Synchronization and then Enable User Record Synchronization from the user interface. and there may be disruption in services for end users (462734) • • • • MSP/IVS • This release supports import/export of IVS configurations in XML. (426307) • • When using Citrix Web Interface 5. (385631) In an A/P cluster. rdp terminal services can't be launched. The full subscription licensing model for EES will be ready by next release. For import of an XML IVS configuration to succeed. However. (430988) On Windows 2000 clients. the description of the EES license will be displayed as a subscription license.Terminal Services • Citrix client can not be downloaded using Citrix Download Manager. Instead the user should download the package using the "click here" link. after the configuration import. The second one is that IVS systems cannot be created through XML Import. There are a couple of restrictions on this feature that may be relaxed in future releases. (458321).

Also Signature download fails through non-proxy on Vista. (460534) Log upload feature for Host Checker does not include AED logs. existing sessions matching the configured session export policy will not be exported to the IF-MAP Server. HC process checks with MD5 checksum fails on win7 and vista if user does not have SeDebugPrivilege. (427843) When configuring an IF-MAP client and IF-MAP server to use certificate authentication..459672) With AED. Known Issues and Limitations in this Release 12 .com/ fails because of any reason (example: no internet connectivity or site not reachable) the next attempt to download signatures will occur automatically after 5 minutes. may cause memory and device resources to be consumed if there are issues establishing a connection to the IF-MAP Server. (450162) Symantec SODA doesn’t work with Java on XP (451599) InPrivate browsing in IE8 does not allow creation of persistent cookies and hence host checker is not supported with it. a device certificate signed by a Certificate Authority (CA) is required to be installed on the IF-MAP client. signature download fails through auth-proxy. (430487) • • Copyright © 2005-2009 Juniper Networks. signatures don't download if proxy is configured (460534) If a large number of patches are missing on the endpoint in some cases remediation message to the end user states "Remediation data truncated" (446977) With AED.. Please note that the default self-signed device certificate created at installation time cannot be used for this purpose.CRTR. During this time users will need to wait if the policy requires signatures to be up to date to certain days. Trial package of 25 AED users has now been replaced by the trial pack of 2 EES users. (460571) Network connect with Host Checker Connection Control Polciy does not work properly (447312) OS check rule doesn’t have specific support for Vista SP2. With AED on Windows Vista. All sessions created after IF-MAP client is enabled will be exported per the configured export policy. client side upgrades with third party policy SODA enforced gives the error "Windows can not find \. WSAM CLI launcher and NC-GINA login mode (459274. if a signature download from http://products. Work around is to shutdown SODA and login again.. Be sure to disable the IF-MAP functionality when not in use and ensure connectivity problems are resolved when IFMAP is enabled.. • • • • • • • • • • • • IF-MAP • When enabling IF-MAP client on a SA device.webroot. Inc. (413383) Enabling the IF-MAP client feature on an IC or SA Device.Appdata\Juniper\SetupClient\user_X86_MICROSOFTVC80.exe" when the IVE URL is launched inside virtual desktop. (457897) AED is not supported with NC CLI launcher.Host Checker • OnVista.

it assumes the operation should happen in the main desktop. (433090) If more than one detailed rule is created with associated conditional expressions in NSM. when user install or uninstall SA clients inside SVW.1r2 . sign-in URLS. SA Issues with NSM: Pass-through Proxy • XML Import of Web profile (with Pass Through Proxy settings enabled) and PTP proxy Policy through the same XML file causes an import error.2r1. (57104) Selection of multiple objects is not available through the NSM UI. Inc. sign-in pages and so forth. Known Issues and Limitations in this Release 13 . Because Juniper Installer Service is running on the host machine. (433728) If Juniper Installer Service is installed on the machine that SVW is launched. SVW policies are visible under the HC tab in the NSM UI. and errors are thrown if the administrator attempts to edit them. and later releases. the group selector panels titled “Members/Non-Members” map to the panels titled “Available/Selected” or “Available List/Selected List” in the SSL VPN SA or Infranet Controller administration UI. then update device from NSM fails. However. This is because Juniper Installer Service is used to carry out the install or uninstall operation. error may occur. (55674) Identifier names (names of key fields) in the SSL VPN SA and Infranet Controller configuration. then subsequent updates to the device succeed. • In the NSM UI. (443138) SVW doesn't support printers that do not use Windows print spooler. Secure Virtual Workspace: • Secure Virtual Workspace settings cannot be configured through XML Import or from NSM. even though this capability is available on the SSL VPN SA and Infranet Controller Web UI in multiple places. (426084) Workaround: Import the resource profile(s) first. such as the names or realms. Note : The same issue and workaround apply for configuration update of these settings from NSM. (55527) • • • NSM Support Issues: Please refer to the NSM release notes for 2008. cannot be changed through the NSM UI. (57190) The SSL VPN SA and Infranet Controller admin UI allows duplication of objects such as roles or resource profiles. followed by the PTP policies. This is correct NSM behavior. identifier names can be changed through the SSL VPN SA and Infranet Controller Web UI. 2008. However. roles. If all saved expressions except one are deleted in NSM.NSM Integration Issues NSM usage notes: This section describes some differences in user experience between the NSM UI and the SA/IVE administrative user interface. This capability does not exist in the NSM UI. (458029) • • Resource Policies: • Copyright © 2005-2009 Juniper Networks. To workaround this issue. uninstall or install SA clients on the real desktop.

SA 2000 through SA 6500 Items All Client Applications Network Connect • If an NC user signs out through NC within a very short duration (less than 5 minutes). (433954) Windows Interactive User Logon • If the client machine is configured to use DHCP. Known Issues and Limitations in this Release 14 . Radius accounting byte count shows 0.0. 449911) • With Safari 4. (459924) MAC Client • On MAC. if authenticated proxy is configured. the second node issues an incorrect async configuration notification in NSM. (465766) • Documentation • The administrator online help incorrectly states that you can optionally specify expiration days or expiration hours when creating user accounts on a local authentication server. This is a bug in Safari. and pushed to an IVE cluster. which results in NSM displaying the device status as “Managed. Inc. (463176) If a software upgrade operation is performed on one of the nodes of an Active/Passive cluster from NSM. NC unable to connect to the Secure Gateway. The assertions occur in the DMI agent software executing on the second node prior to the completion of the upgrade operation. We’ve opened a case with Apple. the upgrade completes successfully. This is harmless and does not impact functionality.AAA: • If a realm is created from NSM with default values for the realm limits (guaranteed minimum and maximium). No such options available. (442395) • • It has been observed that ESET NOD32 mistakenly deletes dsNetworkConnect. the update succeeds but a spurious delta configuration is seen on all but one cluster node. MS Messenger needs to use TLS when connecting through Network Connect. (459653) Windows Client • If a server certificate is changed on the Secure Access Gateway. (385479. but assertions are seen in the event logs in the second node. (464488) Clustering: • When the second node is added to a 2-node cluster via the Reachable Add Device workflow. NC GINA may complain that there is no Copyright © 2005-2009 Juniper Networks.exe when NC was initially installed. Device Changed. and are not seen when the IVE boots up with the new (upgraded) software image. all current connected Network Connect client will disconnect. This causes NC fail to connect to the Secure Gateway. (446259) Nclauncher may fail to establish NC tunnel successfully if NC upgrade is required. especially if the connection is through a slow link.

• Secure Virtual Workspace (SVW) • Using IE8 with SVW. Inc.(459532) WSAM can be launched from 64-bit browsers on a 64-bit machine only thru Java Applet with 64-bit JRE installed.(453625) WSAM domain authentication needs the endpoint’s domain controller(s) and DNS servers responding to DNS-SRV queries to reachable either locally or thru WSAM (459841) When a user logs in to the IVE using WSAM on Windows Mobile.network connection when user login soon after the client machine is powered up. (447409) Secure Virtual Workspace • Copyright © 2005-2009 Juniper Networks.juniper. To recover from this. the file is shown on the real desktop rather than inside SVW. This is due to a race condition where the user is attempting to use NC GINA before the client machine obtained an IP address. (468042) • • • When accessing help from IVE home browser inside SVW. if a Host Checker policy fails for a realm.exe to the allowed list. (450172) When opening a file with Windows Photo Viewer inside SVW.gina. However. we’ve done some testing with Windows 7 build 7201 and here are known issues with this Windows 7 build. etc. Windows Client • Occasionally.net/KB13195 for latest on our Windows 7 supportability. Network Connect client. the Vista presenter has to restart the Secure Meeting client.windows. when a client is launched. (460175) If HC is configured to be used in conjunction with NC Credential Provider and the HC policy check fails. a “Program Compatibility Assistant” error dialog may be displayed. the IE help window is shown on main desktop. the cursor icon appears as a black square. JAVA script error may be shown. (456813) • Windows 7 6. (438615) • • NC diagnostics window incorrectly shows that “Credential Provider Plug-in Not Configured” even when NC Credential Provider is configured and working. (466003) When user clicks on IE7 help inside SVW. (434715) • • • WSAM can’t resolve non-FDQN hostnames when an OpenDNS server in a network responds with bogus name resolutions. (450256) Sometimes when the viewer window pops up. This includes Log Upload windows client. IVE admin has to add iexplore.0. (468625) SVW doesn't support printers that do not use Windows print spooler. NC Credential Provider shows an incorrect error message nc.5 R1 release does not officially support Windows 7.23816 “Secure Gateway authentication failed. (433090) Secure Meeting • When remote controlling screens of a Vista presenter. if the controller moves the mouse too fast.” (460277) Windows Secure Application Manager • WSAM application mode is incompatible with Kaspersky Anti Virus 8. a remediation page for that realm will be shown and additional host checker policies for different realms will not be evaluated. Please visit http://kb. the remote control may stop working. Known Issues and Limitations in this Release 15 .

the webDav client on Windows 7 sends the old SA session cookie (for the original session) to the SA device instead of the new session cookie. Known Issues and Limitations in this Release 16 . Note : This scenario works with Windows XP and Windows Vista Copyright © 2005-2009 Juniper Networks. Sharepoint access does not work. If the user signs-out of the SA device and signs-in again. Inc.Sharepoint • The following problem was observed when accessing SharePoint7 on Windows7RC/Office 2007 through the SA (SSL-VPN) device. When the user tries to access Sharepoint through the new session.

(57568) Binary import system and user configuration across incompatible hardware platforms are not supported. or vice versa. Web content is sometimes served with the HTTP directives. This includes W-SAM. (31987) When configuring the size of log file. No-Cache or No-Store browsers should not cache such content. for example). (31694) On the Preferences > Applications page for end-users. instead of sending a new request. An Internet Explorer cache problem exists when handling the HTTP No-Cache directive in the Microsoft Internet Explorer Web browser. is not supported through XML Import/Export. Network Connect. the log utilization is shown to be -1%. The recommendation is to keep the number of user records within 160K. (34287) The default filter setting under System > Log/Monitoring > <log type> > Filters > <filter> > Make default. (53885) Upgrading to 6. directories. (56657) • • • • • • • • • • • Copyright © 2005-2009 Juniper Networks. you can configure the IVE not to compress specific files. (39573) “Saving all Logs” is only designed for Event.Archived Known Issues and Limitations All Secure Access Platforms System Status and Logs • On some administrator console pages. or types of content using the URL rules commands. this occurrence does not result in any incorrect behavior. (22978) When switching from Optimized NetScreen Communication Protocol (oNCP) to standard NCP. (29133) The external port on the administrator Web console may show “Connected” status even though the network cable is not connected. However. • • Default filter for logs may be incorrectly set after deleting a custom filter.2R1 may fail with “Unable to import data” error message if the user configuration is very large. For example. exporting a system configuration from an SA6000 machine and importing it to SA4500 machine will result in machine not function correctly. changing one or more parameters causes multiple log messages to appear in the IVE system log that indicate that all the parameters are changed. please do not configure multiple log files to have larger than 250 Mbytes as it may cause the system to run out of disk space. two log messages are generated. (36153) The legend may still be displayed on the Central Manager display even though it is disabled in the display setting. there are links to uninstall applications even if those applications are not installed or available on the client PC (if they are not using a Windows PC. Internet Explorer only exhibits this problem when the served No-Cache content is compressed. after binary import. and Secure Meeting. To work around this problem. you must restart all NCP-based communications. (42183) When a VLAN interface is deleted. Access. It does not include sensor logs and uploaded client logs. Archived Known Issues and Limitations 17 . The second log message is valid and contains the correct VLAN interface name. (35127) There are rare situations in which. and User logs. Inc. The first log message is redundant and is missing the VLAN interface name. When GZIP compressed content with the No-Cache or No-Store directive is served to Internet Explorer the browser saves a copy of the uncompressed content in its cache. If a user then uses the Back button in their browser. Internet Explorer displays the file from its cache.

(412021) When importing system configuration. if an administrator were to import the configuration from an IVE platform (SA3000) into an SA6000. (47718) The "RC4-64-MD5" cipher is no longer supported in "LOW" setting. NSM accepts the configuration without any validation errors.x releases. (59608) In NSM. (53885) The System Snapshot options. this ARP entry is be used. Therefore. (57332) On a source and target SA device. the administrator can only change settings for existing objects. SSL crypto acceleration would be disabled as the SA3000 does not have the crypto functionality (38433) The option "Enable cluster network troubleshooting server" under Maintenance > Troubleshooting > Monitoring > Cluster in the admin UI is not exposed on the NSM. however there will be no prior notification regarding a required reboot on the admin UI. when the configuration is pushed to the device. if the order of the ACLs is changed on the source SA and a second Selective Push operation is performed from the source. administrators are allowed to edit virtual ports settings from the Passive node. Cross platform imports across unsupported migration paths may result in undefined system behavior. an error will be generated if the IP address is invalid. Inc. the resulting order of the ACLs on the target will differ from that on the source. Then. (57576) Push Config does not currently support deletion of objects. under Maintenance > Troubleshooting > System Snapshot. (421576) Cross platform imports should be performed only across compatible platforms. (59290) License upgrade may not work if the original licenses are installed in 3. the Add and Delete buttons for VLAN and virtual ports are disabled. if there is a SSL acceleration setting mismatch between the current IVE settings and settings from imported configuration. However. configure the same web ACLs or push them individually from source to target through the Selective Push operation. This is due to the missing of license info in a template. provided the Cluster license is installed on that node. device-side validation fails and the device throws an error. (48967) The current SSL-VPN configuration import functionality does not track any platform specific functionality like SSL Acceleration cards etc. the ACLs need to be manually re-ordered on the target following the second Selective Push operation. (59215) The ARP cache entries cannot be deleted through the serial console. no validation check is performed on the NSM side. when configuring cluster nodes in a template. Archived Known Issues and Limitations 18 . during runtime. (58625) • When configuring IP address for virtual ports. external • • • • • • • • • • Maintenance • • Push Config • • • Copyright © 2005-2009 Juniper Networks. resulting in a failed config update from NSM. (57162) The following settings are excluded from the Selective Push Config operation: internal port. or create new objects on the target system. SA will always present “High” ciphers to backend servers when making SSL connections. Through Push Config. may not be pushed correctly to target device through Push Config. However. (46110) When Custom Cipher Selection is used. the selected ciphers are enforced to the SSL connections from clients. To work around this issue. the IVE will reboot. When the configuration is updated to the SA device.System • If the administrator configures virtual ports for the external interface when the external interface is disabled. (58627) In NSM. (59834) Through XML Import/Export or NSM. an invalid MAC address configured in an ARP cache entry is accepted.

an admin log is generated stating that the query status has been changed to “off”. if the “Major Log Trap” checkbox is selected on the Log/Monitoring > SNMP page. VLAN tags do not show up in the TCPDUMP troubleshooting tool due to hardware acceleration. press CTRL+C to terminate the tool and return to the menu. ‘defined SNMP settings’ and ‘syslog configurations’ (56329) Administration Tools • • If a serial console troubleshooting tool (such as ping) becomes unresponsive. • XML Import/Export • A combination of the “insert” operation and “create” operation of the same XML element in the XML document won’t work in XML import operation if “insert” operation was executed before “create” operation. management port (for SA 6000. The workaround is for the administrator to re-enter the DMI Agent settings manually on the target after the Push operation has completed. (25095) SNMP • snmpwalk does not report NC tunnel interfaces due to performance overhead related with retrieving the corresponding OIDs. ‘certificates’. several other settings are excluded from the import. (28400) Connectivity • FIN packets may leak from internal port to external port. (41829) SNMP MIB walk or the entire IVE MIB is expected to be CPU intensive. there are two options : Option 1 : Use the ”insert“ operation with all the required attributes since the ”insert“ operation will create the object if it does not exist.port. The recommendation is to configure the external SNMP monitoring application to bypass the tcpTable in the TCP MIB when walking the IVE MIB. the resulting value on the target SA device is “2147483647”. (60373). Inc. there is no corresponding event log stating that the • • Copyright © 2005-2009 Juniper Networks. (54323) • If Security > Lockout options “rate” and “attempts” are configured to be “4294967295” on one SA device and then pushed to another SA device via Selective Push Config. However.(44894) When the SNMP agent is disabled from the admin UI. • The iveRebootTrap is not sent if the IVE is rebooted via the serial console. there are no security ramifications for this activity. an event of severity “Major” is logged in the Event Log. However. (55655) To work around this problem. Archived Known Issues and Limitations 19 . such as: ‘cluster configurations’. Binary Import/Export • When an binary configuration import is performed with the option “Import everything except network settings and licenses”. SA 6000-SP and SA 6500) and VLAN ports. However. and import XML document with ”create“operations first. Additionally. apart from the network settings & licenses. or Option 2 : Separate the ”create“operation and ”insert“operations to two different XML documents. then import XML document with ”insert“operations. a major log trap is generated for this event. (57548) Push Config (Full Push) incorrectly clears the DMI Agent settings on the target device.

(56817) • Archiving • The admin UI will show the following checkboxes unchecked. some operations (e. then the access to that page will be allowed in that session either through a bookmark or browsing toolbar. (47205) • Standard traps as specified in MIB-2 such as linkUp. Archive admin access log. (22969) When using HTTP Basic Auth (in SSO). (21040) Web Server SSL Certificates issued by the IPSAC root are not supported by the IVE. The ACE Next-Pin and New-Token modes do not work properly when using ACE as the secondary login server. (46936). (21870) The Realm-level option “Enable Password Management” needs to be enabled in order to allow the end-user or administrator to change their password via the “change password at next logon” option (IVE Authentication – user accounts). the IVE will not properly display it. The administrator is advised to monitor traps specified in the IVE MIB such as netExternalInterfaceUp or netExternalInterfaceDown. preferably with debug log enabled. The maximum number of combined bookmarks a role can have is approximately 500.operational state of the agent has been changed to “off”. though they are configured. The workaround is to split a role with a large number of bookmarks into multiple roles. Key Usage. Extended Key Usage. SSL Certificates of the Netscape format must include the SSL Server Bit set in the “Netscape Cert Type” extension. etc are not supported. • • • • • • • • • • Copyright © 2005-2009 Juniper Networks. linkDown. (42548) AAA • • The upload of custom sign-in pages may some times fail. the specified time range cannot cross midnight. and not UTF_8. and Archive client-side log uploads. This practice may cause one account to force the other account out of an IVE session when the other logs in. Archived Known Issues and Limitations 20 . when the administrator logs in with Read-Only right: Archive events log. User Access Control (UAC) prompts may appear for some of these windows executables. The workaround is to break the time range into two conditions. if a Realm name (not an IVE Realm but an HTTP Auth Realm) is encoded in Shift_JIS. (15881) Accounts that are used for both administrator and end-user access to the IVE may conflict if they use the same username and authentication server. delete role. even though there is no explicit policy to allow access. On Vista.. Inc.g. As a result. and Netscape Cert Type are all required for these certificates to work properly. (38853) When specifying a time condition in policy detail rules. One solution is to duplicate the Authentication server on the IVE so that administrator users log in to one Authentication server and end-users login to a duplicate server that point to the same backend system. (41339) System healthcheck reporting via SNMP traps. (41557) When the user signs in and gets redirected to a custom start page. duplicate role) may not work correctly. This is just a UI presentation issue and not affecting actual archiving functionality. (27811) Importing the system config does not import SSL Intermediate CA Certificates (chains). This occurs rarely. Archive Sensors log. Archive NC packet log. The workaround is to try again. If a role has more than 500 bookmarks. SNMP memUtilNotify and cpuUtilNotify traps can be generated even though the dashboard graphs do not show a spike in memory or CPU utilization. Session Timeout Warning is not supported on handheld devices. and system parameters reported via the admin UI dashboard graphs under System > Status > Overview are not synchronized. "Sign Juniper Web Controls" feature will not sign Juniper web controls that are windows executables. Archive user access log.

Archived Known Issues and Limitations 21 . (56624) In a newly-created delegated admin role. the system assumes that the first option applies (ie that it needs to Merge Settings for all Roles) if the second and third options are set to <false> in the imported XML document (57202).and user will see Juniper Networks company name in the UAC prompts. the first one is never exported or imported via XML Export/Import. This change is made so that users are not confronted with a situation where they login only to discover that they cannot change their password. (47476) XML Import containing changes to User Roles with insufficient data will succeed leading to inconsistent configuration state (57801). This happens only if password management is in force. the default delegation settings for user roles or realms in the General > Overview page show "Deny All". On the SA device web admin UI. (49917) Users are forced to change their passwords when XML-exported System Local user accounts are imported back into the SSLVPN device. This is correct behavior but the same configuration when attempted through the admin UI will succeed (56061). User must select sets of merged roles assigned by each rule. The work-around is to avoid XML export/import of user accounts and use binary export/import instead. a password policy that allows all grace logins to be consumed by the user is not enforced. the error message displayed to the end-user shows “account disabled”. User must select among the assigned roles. the name of the Siteminder Auth Server becomes uneditable (51314).X releases to this release. XML Import/Export of device certificates and code-signing certificates is not supported. Then. Of these options. and clicks Save Changes without making any changes and then navigates back to the General > Overview page. Novell eDir: Starting with this release. and 3. 2. the "Deny All" is replaced by "Custom Settings" (58188) Administrator is required to manually configure the OCSP options and OCSP responders should it be necessary. although this account may not truly be disabled. Instead. When a user’s password is expired. if the password expiration timeframe is changed (for example from 10 days to 20 days). This will be addressed in a future release. under Configuration > user realms > <REALM NAME> > Role mapping rules. if the administrator navigates to the Users > Roles or realms tabs. for the certificate to sign the OCSP request and the certificate to validate the OCSP response. (46687) • • The variable NTDOMAIN[2] does not work. then the user’s profile will still show the • Copyright © 2005-2009 Juniper Networks. Inc. Users are unable to login to SA if the hostname has an underscore. Import of Realms containing authentication policies with invalid Source IP addresses will fail. there are three options: 1. The user will always have two grace logins left. On upgrading from 5. and if passwords were originally configured to be expired after the lapse of a specified number of days. after the intermediate CA is imported and the OCSP responder is created for that CA (405805) • • • • • • • • • Password Management • • Password Management must be enabled at the realm level if the administrator wants to enable password expirations or require a user to change their password at the next log-on. and Password Management is NOT enabled for that user’s realm. if the user’s password is reset (or changed) then the user’s profile will have a new password expiration date. However. (21654) When using Sun One/iPlanet as an Authentication server and enforcing both “password expiration in X days” and “allow password change after Y days”. Merge settings of all assigned roles.

This also applies to the Domain Controller on which the change was originally performed.old password expiration time. Any realm and role restrictions that require Cache Cleaner will fail (39116). Client-Side Digital Certificates/Cert-Based Authentication/PKI • When the SA device is configured to "Accept SSL V2 and V3 and TLS V1 (maximize browser compatibility)" and the browser is set to "Use SSL 2. terminate the browser session and restart again. • AD Domain Controllers synchronize security policy settings every 5 minutes. Cache Cleaner is not supported on Windows Mobile Devices and will not load on them. (13489) When using LDAP for a CDP. If this occurs. This is a limitation of Sun One/iPlanet to which we adhere. Inc. The default port number for LDAP is 389. they will not be able to clean directories that are in privileged root directories like C:\Program Files\. If a change is made to the security policy. The workaround is to check the "Use SSL 3. Archived Known Issues and Limitations 22 .0" option in the browser as well.2_04 for the delivery of the Juniper Setup Applet. The solution is to install the Microsoft hotfix KB931494.. Whole Security may perform automatic remediation of an endpoint after the user has been shown the remediation page. In this case the user will need to select “Try Again” on the remediation page to reevaluate the policies and obtain the appropriate access (47655) When using Host Checker functionality on Linux OS platform. If a user tries to login to the IVE using a valid certificate issued by a revoked Root CA.0" only. Host Checker and Cache Cleaner do not work on Firefox when using Sun JVM 1. (18578) If you configure a client-side digital certificate authentication policy for the Realm. Occasionally the Firefox browser may go into an indefinite "try again" loop if manual intervention is needed to correct a detected anomaly. use Manual CDP configuration. the user cannot login to the Realm until he is given a valid client certificate. (40628) Host Checker Connection Control is not supported on the Vista Platform (44515). (14922) Host Checker and Cache Cleaner • • If a “Restricted” user runs Cache Cleaner. and the client’s certificate is expired. please refer to: http://www.microsoft.4.asp. The IVE does not perform revocation checking on Root CA certificates.asp?url=/technet/prodtechnol/windowsserver200 3/proddocs/standard/lpe_overview. then the client authentication using the certificate will fail. For more information. do not specify port numbers in the CDP Server field. “firefox” needs to be available in the system PATH in order for remediation instructions to be displayed (47414) Auto remediation for Microsoft Windows Firewall on Vista fails if UAC is ON.. (28892) Certificate users may get an HTTP 500 error if an end-user provides an incorrect password for a private key file when challenged for a client certificate. for example “minimum password length”. it could take up to 5 minutes before that change propagates to all Domain Controllers.com/technet/treeview/default. (51824) Predefined AV/FW policies can perform following remediation automatic but the status is not displayed to the end user. 49050 • • • • • • • Copyright © 2005-2009 Juniper Networks. To use a non-standard port. (42901) • • • • • Client certificate authentication will fail when the client machine has Windows 2003 SP1 installed. such as deleting a file. the IVE allows the user to sign in.

• • • • • • • • • • • • • Internationalization Issues • When importing a custom HTML Help file for end-users. During XML import the credentials used to download the files from staging server for “Virus signature version monitoring” and “Patch Management Info monitoring” under Endpoint Security are not verified. for example. To achieve equivalent export the policies which are created by enabling these options in the admin UI (57573) On the realm restrictions page. after logging in to the IVE if a browser is left idle so that the session times out. it must be converted to UTF-8 before it is imported by the IVE administrator. Archived Known Issues and Limitations 23 . They are policies exposed as options as in the UI. it just logs users out of the IVE. during XML import/export. Administrators should correct these OS rules before XML import by adding a supported OS in the rule. (10839) • The following URL contains a list of characters which are not supported for filenames or folders Copyright © 2005-2009 Juniper Networks. for all or some policies only the "Require and Enforce" option should not be enabled. (384845) Disabling Auto completion of web addresses is not working on Internet Explorer 8(385861). The "Evaluate Policies" option should also be enabled for correct Host Checker behavior. if the file is encoded in a different language. (60332) On Vista with IE7 if Host Checker and Cache Cleaner are configured on a realm and client side proxy is also configured then Host Checker installation falls back to Java even when ActiveX is enabled (60554) If you have a NetBIOS rule with a required option and a MAC address rule with deny option configured under one policy and both rules fails. Inc. the input type validation is not completed for DWORD and binary registry values.o o o o Turning on AV real time protection Turning on Firewall Start the AV scan Download AV signature files • On Windows Mobile. (56493) Host Checker options "Create Host Checker Connection Control" and "Enable: Advanced Endpoint Defense" are not exported during XML export. (57993) XML import fails when a Host Checker policy has custom expression defined. (56003) On Linux/Unix MD5 check for Process works only if process is launched using absolute path. (53497) XML import will fail if the predefined OS rule under Endpoint Security does not contain any OS selected or contains only Win9x OS selected which is no longer supported. if a user selects “do not show remediation for this session” option on the remediation page then there is no way to undo it for the session as “Advanced preferences” page is not available on Win Mobile. The browser operates normally some time after the java script completes processing. only the NetBIOS reason strings are displayed (407661) Auto-update virus signatures list and Auto-update Patch Management data using authentication ISA proxy fails with error 'Received HTTP code 407 from proxy after CONNECT' (405352) When configuring Host Checker registry check rule types via NSM or XML Import. Inside SVW. Shift_JIS. sign out doesn't close SVW. (52885) Shavlik patch rule admin UI: Sometimes the browser hangs if you add or remove a lot of “specific products”.

Some of the diagnostics content in W-SAM is not localized and will always be displayed in English.jp/help/faq/charactor/izonmoji. Additionally. the locale is not sent in the HTTP header. If this occurs.0.com/?kbid=816868. If these invitations are sent to Yahoo or Hotmail or other Web-based email accounts. they will blink within the user’s Start Menu “Dock”. (14496) • The timestamp function of the IVE may not be in the same format as what is expected when working with the Japanese user interface. For instance. I.biglobe. in Internet Explorer 6. Special characters such as ①. The formatting for the IVE is as follows: hh:mm:ss (am|pm) and month/day/year. the administrator should enter Registry Settings rule settings in English. you can change the font setting in the Fonts section of the Netscape Preferences. Japanese characters are not supported in naming Authentication Servers. A translated version of the end-user help will be available in the first maintenance release after the general availability release. meeting invitations will be sent out using the Japanese template. (22041) Internet Explorer may truncate Japanese filenames if they are too long. when installing the Setup Client application or any other Juniper client application. and ~ are not supported in filenames for UNIX servers. (14529 and 14348) • With localized Pocket PCs. (32550) End-user help will appear only in English in this release. and thus the IVE is unable to detect which language to return. and Japanese Help files may be difficult to read. To fix this problem change your browser's text size to a larger font. Java delivery is invoked and Copyright © 2005-2009 Juniper Networks. ¥. use another browser such as Internet Explorer.on Samba Servers: http://support. some characters or possibly the entire email may not display correctly.7 and the Japanese language setting.microsoft. so English is returned by default. square characters may appear in the printed Help. (25097) Bolded characters in Korean. More details can be found about this non-IVE issue at: http://support. when using a Japanese language setting on the IVE. Inc. Filenames using 5c characters such as 表 and 工 will be corrupted and cannot be deleted from UNIX servers.html. the default font may incorrectly display characters and words on the user interface page. Users should pay attention to this when working in a multi-window workspace.” With Secure Meeting. To fix the problem. When using Netscape 4. (29603) If you try to print Asian language Help from Firefox on Linux. some Excel files cannot be saved. when these dialogs appear in the background. choose View > Text Size > Largest. Chinese. (35712) • • • • • • • • • • • • Adaptive Delivery – AX and Java Installers Windows Vista additions • On Windows Vista. where you can select the option “Netscape should override the fonts specified in the document.ne. However. (22068) In a Host Checker policy. (45441) • If ActiveX control was installed and a user cancels a UAC prompt. Archived Known Issues and Limitations 24 . UAC prompts and Setup dialogs may be hidden in the background. (30017) Advanced Endpoint Defense: Integrated Malware Protection is only supported in English. such as the Japanese Pocket PC.

It should not modify user’s APPDATA directory. (23824) • The Java Installer Security patch is present in Release 5. Juniper setup ActiveX control is installed. This error behavior of Vodafone Mobile Connect application causes Juniper setup client fails to install correctly. when a restricted user attempts to download an IVE client for the first time. this is a safe script." is requesting enhanced abilities that are UNSAFE and could be used to compromise your machine or data. ONLY Version 5. the user should check the box "Remember this decision". Inc. please check if you have Vodafone Mobile Connect application installed. (47877) When Vodafone Mobile Connect application version 9. in spite of the fact that the ActiveX installer is enabled (56157) Java delivery fails in 64-bit XP with a "Failed to download the application" error (57681) • • • All Client Applications Windows Vista additions • On Windows Vista. and then reverts to an older version that doesn't have the security patch. (44753) When Juniper Installer Service is installed on a Vista client machine.1. it modifies the current user’s APPDATA directory from "c:\Users\<user>\AppData\Roaming" to "C:\Documents and Settings\ReleaseEngineer.4.4 and older is attempted to install and/or launch on a Vista platform. the user will incorrectly see a Microsoft UAC prompt as mentioned above. The purpose of the script is to allow components such as W-SAM. (46180) All UAC prompts that display “known incompatibility” warnings incorrectly display application name to be: Juniper Citrix Services Client. Therefore. • Copyright © 2005-2009 Juniper Networks. This is a problem with Vodafone Mobile Connect application.MACROVISION\Application Data". When running under Windows Vista. to be launched from Firefox.4.4 of the Juniper client package “installerservicesetup. Inc. (48351) • • Some UAC prompt may not come in foreground during IVE clients’ installation. The user must go to a web browser and logon using an interactive Web Browser launch to ensure that the updated controls are installed on the clientside. client applications will not load using the Java Installer. (49755) • Existing Windows XP/Windows 2K platforms • Users may see the following warning message when signing in using the Firefox browser: A script from "Juniper Networks. • When installing Version 5. (40923) Juniper’s Installer Service is NOT designed to update the version of ActiveX and Java Installer that is loaded on the client system.exe” on a Windows Vista platform.5 and later Juniper client applications are supported. Additionally. If you see issues with Juniper setup client installation. To avoid seeing this message every time the user signs in. and Secure Meeting. there will not be any notification to the user due to the non-persistent nature of the applet.redirects user to setup client download page. Windows Vista will display a warning: “This program has known incompatibility issues” when a Juniper client version 5. successfully. Network Connect. however. Archived Known Issues and Limitations 25 .0. a “Run Prompt” is shown. the Network Connect standalone launcher causes the Java installer to load. Firefox will not execute JavaScript that is signed by a certificate whose CA is not already trusted by Firefox. When a user updates their client to an SSL-VPN running version 5.4345 is installed on a Vista machine.

value is validate to ensure that total configured bandwidth of all roles do not exceed the bandwidth configured for the IVE system. Inc. (46723) If NC ACL is created as *. enter multiple IP address ranges. the administrator may go back and lower the IVE total Network Connect bandwidth to be less than total of bandwidth configured for all roles. (41272) When AES 256 is specified to be the only allowed encryption algorithm on IVE admin console. (54054) When using Network Connect and the user signs out from the web page. with a maximum of 254 addresses per range. After a Network Connect Bandwidth Management policy is created. However. Archived Known Issues and Limitations 26 . (37753) If Network Connect has been launched from a computer that has an older JVM. the actual maximum bandwidth of the policy will be limited to the Maximum Network Connect Bandwidth of IVE. we will mitigate this by allowing you to enter Network Connect IP address pools with a more standard syntax (for example. (56413) Network Connect access policies applied to a user are not captured in the Policy Tracing logs. Network Connect client fails to connect. Network Connect may experience random session disconnect. a previous authentication policy which checks the “NcWin32” user-agent needs to be modified to check “NcWin32*”.*:*. This is not supported by Network Connect running on Windows 2000 and Windows XP. the browser hangs. (24809) Network Connect fails to reconnect when a VIP fail-over occurs in an Active/Passive cluster environment if the client is on the same subnet with both nodes of the cluster. (38269) Standalone Network Connect login doesn’t support client certificate on a USB smart card. (56476) Network Connect client send/receive byte count wrap back to zero after it reaches 4GB. (56169) The IVE does not send GARP for an assigned Network Connect client IP if the IP address is not in the same subnet as IVE’s internal port. only Network Connect on Vista supports this configuration. However. Specify each range on a single line. (56829) When configuring Network Connect bandwidth of roles. the error message “Failure to download the Application” appears when attempting to reconnect via Network Connect. To specify a larger pool for a specific role. (6378) • • When using RedHat DHCP server. Network Connect might encounter failures when PING packets with sizes greater than 8000 bytes are sent. In the future. Any authentication policy based on a user-agent string needs to be reviewed to ensure its accuracy. MAC client and Linux client. (46060) NCP Idle Connection Timeout should be configured to be greater than ESP key lifetime. Users that sign out via the Network Connect menu are not affected (57381). Otherwise.Network Connect • The Network Connect Client IP address pool user interface requires you to enter IP addresses as ranges. the value saved in the policy is not changed. (58052) • • • • • • • • • • • Macintosh Client • When a Network Connect tunnel is established on a Mac OS X computer. IP/netmask). For example. (27388) • Copyright © 2005-2009 Juniper Networks. the IP address assigned to a Network Connect user is not released when the user sign out from the Secure Gateway. if the Maximum Network Connect Bandwidth of the IVE was modified to be smaller than the Maximum Bandwidth configured in the policy. This is a limitation of the underlying Mac OS X platform. This is same for Windows client. (26994) A User-Agent string sent by a standalone Network Connect login is changed from “NcWin32” to “NcWin32<IEUserAgent>”.

adding a PCMCIA-enabled Wireless card to a laptop will cause the Network Connect to reconnect. (47829) Client side proxy is not supported MAC OS X 10. if a user tries to launch Network Connect (for example. the Network Connect log may go above 10MB before the log is rolled over. Internet Explorer's "Use automatic configuration script" is “file://C:\myproxy. it is important to note that attempting to “uninstall” Network Connect from the Juniper SSL-VPN Web UI will not uninstall older versions of Network Connect.• • • • • When clicking Sign Out from a browser user may see a message “session terminated due to duration restrictions”. i. (51928) Because the Macintosh Network Connect client checks log file size every second to decide if log file roll over is required.9 (49009) Microsoft Live communication doesn’t work over Network Connect tunnel. (24933) There is a known issue with the Network Connect standalone client when a custom start page is enabled. (31037)  In some situations.2 (47885.pac. (22200) Microsoft has limited API support for parsing a proxy PAC file. the user must install RPM on the Ubuntu machine using “alien” first. (25958) When an existing Network Connect session is established. from a previously installed version). 47960) Authenticated proxy is not supported on MAC OS earlier than 10.conf file while Network Connect is running as it causes the client to terminate. (27522) While still installing the Network Connect client. when authenticated proxy is used with Network Connect. (41010) Network Connect client doesn’t have reconnect functionality in Linux.” Network Connect is not able to extract the correct proxy information. users may get a “Cannot connect to IVE” error the first time they launch • • • • • • Copyright © 2005-2009 Juniper Networks.3. If a PAC file located inside the client’s PAC. Archived Known Issues and Limitations 27 . (25151. (38735) Auto-uninstall on sign-out is not working. Network Connect can only be uninstalled if a user with Admin privileges attempts to run the uninstaller. (35672) Sometimes a Network Connect tunnel fails to setup when launched from a command line. (59507) Linux Client  Users should not remove the /etc/resolv.0. Network Connect does not automatically launch on the client as is expected with the standalone client. 33938) Shortcut keys for localized menu items are not correct.0 or later. or the Installer Service is installed and the restricted user uninstalls from the uninstall link under Preferences in the user’s IVE homepage. causing an HTTP resource behind the IVE to be unreachable. 32269) When upgrading the client from prior versions of Network Connect to version 5. (55679)     • Windows Client • If a Restricted user has Network Connect installed on their system.e. Network Connect displays an error message “Error opening file for writing”. (28143) In certain situations. the proxy takes precedence over the Network Connect route. (47211) To install Network Connect on Ubuntu using the standalone installation package. Each version of Network Connect will need to be uninstalled separately. (34481. Inc.

the Network Connect client is disconnected.com/?id=935269 “The IP address of the default gateway for a dial-up connection in Windows Vista is 0. (47959) If a client machine is shutdown when Network Connect is connected. The client driver displays a “Failed to Connect to the Secure Gateway.1 or higher is enabled.0. 35292) If you install the Odyssey client when a Network Connect client is running. (35774) Uninstalling the Network Connect client driver manually causes the Network Connect client to be unable to connect to the IVE. an entry is added to the hosts file to point to the external interface of the Secure Gateway. This is due to conflicting software that does not allow Network Connect to bind to the TCP/IP stack properly. (45131) The New Secure Gateway Window menu button is not supported on Vista. (35993) When running on Windows XP SP1. (40061) On rare occasions.0 Pro or 6.sys always shows 5.0. This is because of a Microsoft issue: http://support.0 “.5. Subsequent launches will connect without issues. (36137. (33123.5.4. Secure Meeting. (33162) Network Connect fails to connect when using the VIP on the DX.0. dsNcAdpt.” and the Sun JRE 1. (45439) When Network Connect is connected to the Secure Gateway externally. when Network Connect is installed on a 64-bit Vista machine. Inc. Reconnect?” message. (29082) When ActiveX is “Disabled. the Virtual Adapter of Network Connect shows the default gateway as 0. if Windows is not able to sync with the timer server when the Network Connect client is running. 47978) In Vista.5 as its file version. (28845) • • Some diagnostic tests in the Advanced View of the Network Connect client may fail on unsupported platforms due to lack of libraries that the tests depend on. users will see a pop up message requesting permission to install the Juniper signed Network Connect driver. the Network Connect virtual adapter doesn’t show user friendly name. (40718) On Vista. signing out of the IVE Web interface will prompt the user to accept the SSL certificate up to two times (32129). 46903) Network Connect fails to connect if early versions of Checkpoint Secure client are installed on the same computer. This is due to Windows XP SP1 system issue.microsoft. Windows Terminal Services. the client side proxy setting • • • • • • • • • • • • • • • • • Copyright © 2005-2009 Juniper Networks. (47034) “Copy to Log” button on Performance tab doesn’t show a copy successful confirmation message. This issue doesn’t exist on Windows XP SP2 and later. This affects ALL Windows applications.Network Connect. (40159) The Network Connect client doesn’t support the proxy auto detection configuration. (45157. Network Connect may repeatedly display a session timeout message box. Host Checker. and Cache Cleaner The Network Connect client fails to launch if Kaspersky 5. Accepting the certificate prompt will successfully log the user out. Network Connect supports Checkpoint Secure client R5. Network Connect.0 is installed on the same PC. (46654) Because the Network Connect driver dsNcAdpt.0. until Network Connect driver is signed by Microsoft again on 32-bit machines. (34905) Local proxy exception list is not supported when NC is configured with split tunneling disabled option. the Network Connect client has compatibility issues with iPass/Telia if split tunneling is disabled.sys is signed by Microsoft release and there has been no changes since release 5. including W-SAM. Archived Known Issues and Limitations 28 . (46345) Because the Network Connect 64-bit driver is not signed by Microsoft.0.

(48598) On Firefix 1.com/kb/262981 for details. (57381) In Advanced View. the security alert displays in the same Firefox window so user has to click on back button to get back to the home page. accessing shared folder when Network Connect is running.0 on 64-bit Windows 2003. user may see a blue screen. (54001) After launching Network Connect from IE7. When a specific log such as dsNetworkConnect is selected. and then signs in to the IVE again and attempts to download an IVE client from the same IE7 browser. (50205) Occasionally.windows.microsoft.may not be restored properly. if you launch Network Connect using nclauncher Sign Out from browser may show an error message saying that the Network Connect session has timed out. (57435) Network Connect clients may fail to connect if Adobe bonjour software is installed and running. the Network Connect client can’t be launched anymore. (48170) In 64-bit windows 2003. Network Connect client is not a true 64-bit application. if the Windows network address is changed or if the network adapter is disabled then enabled after Network Connect client launched once. (50097) Because Nclauncher and NC standalone application are based on Internet Explorer. if client side auth proxy is configured. Nclauncher and NC standalone application are not aware of proxy that is configured in Firefox. (57065) On a Vista 64-bit machine. if the user signs out from the browser. (428690) • • • • • • • • • • • Copyright © 2005-2009 Juniper Networks. See release notes for bug 46654 for reference. dsNcAdpt.0. (59634) With “split tunneling disabled”. a standard user still can not install Network Connect on a 64-bit Vista because the user is not able to see the Network Connect driver installation popup message displayed by Vista. Inc.23712 error “The Network Connect session terminated.” Refer to http://support.inf file is left on the install directory. Archived Known Issues and Limitations 29 . after Network Connect client is installed using the standalone Network Connect package. Network Connect disconnects and reconnects when DHCP renew happens on the physical adapter. user will get Network Connect session timeout error when Network Connect is connected to IVE through proxy with enabled “bypass proxy server for local address. (48328) • • • • • • • • If Cisco VPN Client 4. (56628) Due to a Windows issue. This problem doesn’t occur on Vista SP1. (48687) Auto-Uninstall of Network Connect client when Network Connect is used by a restricted user is not supported on Windows XP. the user will receive a “Failed to download the application” message. (48978) Enabling Microsoft TCP Chimney causes performance degradation when accessing Onyx server through Network Connect. Do you want to reconnect?” Enable DisableDHCPMediaSense resolves this problem. nclauncher. (56149) On Vista. (49421) When Juniper Installer Service is running. when View All Logs are selected in the drop down box. Log Content viewer will show the proper log entries. the Network Connect Tunnel shows “Established” even when Network Connect is not connected.exe may fail to launch Network Connect. the Log Content viewer window is empty. (59792) When a Network Connect client is not connected and you click Start Diagnostics on the Diagnostics tab. Logs tab. (48590) Network Connect doesn’t support Firefox 2. Network Connect displays an nc. (48602) Network Connect is a 32-bit application that has supported to be run in a 64-bit machine. (50808) If DisableDHCPMediaSense is disabled.app.8 is installed on the same client machine.

the NC tunnel can not be established. the user is not able to launch a New Secure Gateway window from the Network Connect icon menu. Install Service fails to install. and the client is able to reach the IVE via either of the two IP addresses. We strongly recommend that you do not enable auto-uninstall of Network Connect on sign out for roles where GINA is enabled. Archived Known Issues and Limitations 30 . (40091) GINA logon screen doesn’t support domain\user login. 34534) If the IVE is not responsive. Enter Machine authentication credentials into the Odyssey Client so that it can authenticate against the Access Point prior to Windows login. This issue will be fixed in 6. (56348) Proxy configured for the dial-up connection is not supported with Credential Provider.0 SP1 problem: http://support. the GINA from the upgraded version does not take effect until the user reboots the machine.exe – stop doesn’t restore proxy settings. (36569) Rewriter/Web Applications Copyright © 2005-2009 Juniper Networks. For example.0 Service Pack 1 and a proxy is configured.Windows Interactive User Logon • The Network Connect client needs to be installed prior to Windows logon for the GINA launch to occur. 2.2R2(57763) Smartcard with user name and password is not supported through NC Credential Provider. If the user uses the IVE’s internal IP address. (38876) nclauncher –signout doesn’t support auto-uninstall Network Connect client option. Inc. This is by design. (391624) • • • • • • • • • Network Connect Command Launcher • If a user is using Microsoft Internet Explorer 6. (36093. Disable the Odyssey client GINA to enable the Network Connect GINA to function properly. If the user uses the IVE’s external IP address to login using browser. when using NC GINA the user must use the IVE’s external IP address. the Network Connect icon remains grayed out. the user has to use the same IVE IP address / hostname as used by the browser. This is due to the IE 6. A reboot warning message should be displayed. (53009) Nclauncher. the GINA login progress screen may freeze for up to 30 seconds.com/?kbid=329802 (38869) The Network Connect launcher doesn’t support Cache Cleaner in this release. (37615/43300) When Network Connect is upgraded. (34806) GINA doesn’t support certificate authentication. (55859) nclauncher –exit doesn’t restore proxy settings. (37299) Occasionally.microsoft. There are two workarounds: 1. (29937) • To login to the IVE using NC GINA. (59915) • • • • Installer Service • If Encrypted File System is enabled on current user’s temp directory. (34534) GINA/HC: Advanced Endpoint Defense: Integrated Malware Protection detection works only in user context mode and in certain situations as described in the documentation. if the IVE has external IP and internal IP addresses. (38856) Network Connect GINA has a compatibility issue with the Odyssey client GINA. after the user successfully launches Network Connect using the GINA login.

(25896) When accessing. This causes the error.html extension and open the file. i. the auto-created resource policy is incorrectly. the following steps must be taken: 1. (416918) Mixed authentication modes of NTLM and Basic Auth are not supported. if the Autopolicy-SSO option is enabled.11. it should be generated as http://10.0. the Flash Web site does not render properly (26391). there is an XMLHTTP request on clicking the mail after session timeout which returns a re-direction. The administrator can manually change the resource policy to reflect the correct URL.11. Inc.11+attachment. (387708) If a web page is sending a POST request to an SSL-enabled webserver that does not have a valid SSL certificate and the IVE is configured to display a warning for invalid server certs then the POST request will not succeed.3.11. On iNotes 8. Therefore. (37684) To support the Oracle Financials application in a clientless manner. 44040) The PDF rewriter does not support Adobe forms. Instead.11/exchange.11. (422887) While accessing OWA 2007 through the rewriter and saving a html file from an email has the extension of the type ". The Oracle application must be configured as a Pass Through Proxy application on the IVE.• The use of iframe in the toolbar causes interop issues with JavaScript rewriting and does not work with FireFox browser.0/8. For example. the user is not prompted to install the Macromedia application. If alarms are enabled it may also help to close all fired alarms before attempting to close the browser window. (412231) For OWA 2003 Web resource profiles. • • • • • • • • • • • • • The IVE does not work with Whole Security Confidence Online version 4. (41572. but iNotes 8 does not honor the redirect. Workarounds: Rename the saved file to a . (29303) If using Safari on Mac OS. 2.DanaInfo=10. If using a self-signed certificate on the IVE then you must follow the steps outlined in http://www.11.11. To workaround this issue. OR create a caching policy *:*/owa/* as unchanged for OWA 2007 to get the correct filename while saving.11. The Oracle application must be set to the “Forms Listener Servlet” mode. a Flash Web site that requires Macromedia.0 the browser may hang or give an error.oratransplant. A new option called "Use Iframe in Toolbar" was added to solve both these issues. the browsing toolbar may not show up on Web pages that contain Flash objects and Java applets. (35634) Some Java applets (including Citrix Java applets) on Mac OS 10.11/exchange/*. Archived Known Issues and Limitations 31 . submitting a FORM from within a PDF file is not supported.11. (426334) If an SA session times out when accessing iNotes 7.11:80/*. Copyright © 2005-2009 Juniper Networks. 3. the resource policy is incorrectly generated as http://10. It works with Confidence Online version 5. (46806) Microsoft Office 2007 XML documents that include references to external files are not rewritten. purchase a valid SSL certificate for the webserver or disabled the invalid server certificate warning for end-users.4 running JVM 1. (Bug 41422) The PDF rewriter does not support PDF files that contain 2 objects for the same link. through the IVE. iframe will be used only if this option is explicitly enabled. if the OWA server in the resource profile is http://10.e.5 might fail through the IVE rewriter if a production SSL certificate is not installed on the IVE.nl/2005/07/11/using-self-signed-ssl-certificates-withjinitiator/ or you must upload a production Web server certificate to the IVE (38806).ashx" and the file cannot be opened.

and Server Catalog Configuration pages in the Admin console. if the Flash content is generating Actionscript from within Actionscript and that Actionscript is generating links. file uploads. and need to access it through the IVE.5 or 6. With Siebel 7. When "High browser security” is enabled. This is only a problem for menu-dependent applications. 27377) PowerPoint files may not display properly with Office 2002 in Internet Explorer on Windows 2000. (28627) For OWA 2003 support. This is not a limitation of the IVE. There are known issues with Microsoft's pop-up blocker being enabled and certain OWA 2003 scripts not being able to run when being accessed through the IVE. To work around this limitation. the user must change their browser security settings. Juniper Networks recommends that pop-up blockers be disabled and that the user refresh their OWA session after disabling the pop-up blocker. In addition. or the IVE Upgrade Progress window. Full Sametime Connect functionality is supported using W-SAM and Network Connect.microsoft.aspx?scid=kb. saving files containing Japanese characters may result in garbled file names. the toolbar logos may be aligned vertically instead of horizontally. should first remove the ActiveX control from their Internet browser’s cache.0 with compression. (38638) The “Display Favorites” functionality on the IVE toolbar may not work on Web sites that use iFrames or frames. For IE. (23092) With Mozilla Firefox and Netscape. a user might see a pop-up warning confirming whether or not the Java applet should be downloaded. HTTP objects will be cached.5 through the IVE. (35937) The rewriter does not support load balancers that use version 3 session ID Secure Socket Layer • • • • • • • • • • • • • • • • Copyright © 2005-2009 Juniper Networks. Lotus iNotes in offline mode is not supported through the rewriter. the following compression resource policy must be added. (27381. (30602) HDML used by Openwave browsers is not supported through the rewriter.5. Resource Policies > Web > Compression. (8247) Some menus of Siebel 7 are not working. please visit: http://support. There is nothing that Juniper Networks can do to suppress this warning message.24621) Checking in of documents in the Documentum Web application is not supported through the Java rewriter. (27361.• When accessing Flash content. as it is a function of the browser. online Help. The native browser on a Symbian handheld device is not supported. For more details. (22743) On a Symbian handheld device. Dashboard Configuration page. rather an issue specific to Microsoft Internet Explorer and HTTP compression. administrators should advise end-users to install Microsoft Office 2002 Service Pack 1 and Service Pack 2. (21865) When using Internet Explorer 5. Archived Known Issues and Limitations 32 . this can be done by selecting Tools > Internet Settings > Security > Custom Level and enabling each of the ActiveX items listed there. Additionally. To stop these pop-ups.com/default. (9442) Lotus Sametime Connect chat functionality is supported only when using Web rewriting and JSAM. Users may see "Script" errors in this case. (9889) When using Siebel 7. regardless of the object’s cache settings.en-us. the user may see ActiveX warning pop-ups. then it may not work through the rewriter. http://<OWA server>:80/exchange/*/?cmd=treehierarchy > Do not compress. Users who access Lotus Sametime Connect directly. the menus work as expected. the icons may appear as text links instead of GIFs. Inc. pop-up blockers may cause problems with other IVE functions using pop-ups (for example.321722.

(38304) Sending email with attachments fails when accessing Domino version 8 through the rewriter. the IVE may invalidate the user session. Note: This problem and related scenarios apply to Web SSO settings in resource policies and web resource profiles. go to Users > Resource Policies > Files > Options and select the appropriate encoding option. (58256) This error will occur in the following scenarios: 1.3. (29926) To preserve filenames that contain non-English characters when doing a multiple file download in Windows File Browsing.5.owa?*" and action set to "Don't rewrite content: Do not redirect to target web server". (35619) • • • The JavaScript call window. accessing Webdav through the rewriter results in the user unable login to the Webdav server with write access.doc" to the filename. The <auth-type> attribute is not set to "basic-predefined" or "ntlm-predefined". <pre-defined-password-type>.10+Design. if an XML rewrite is needed. (57083) When any PDF file accessed through rewriter is saved. (53642) • • • • • • • Pass-Through Proxy Issues • To use OWA 2007 with Pass Through Proxy. the administrator must configure a Selective Rewriting policy for resource "*:*/owa/ev. (58139) Importing XML for Web SSO settings may result in the following error message: "Modification of this attribute is not allowed". • When accessing a file via the rewriter and trying to save it through the right click menu will append string similar to "DanaInfo=10.5. This happens because the right click menu picks up the name from the URL. This call is used in Siebel 7. <explicitpassword>. “Danainfo” gets appended to the name of the file. thus requiring the user to sign in again. The workaround is to disable persistent cookie for Siebel 7. 2. Saving via the download pop-up will retain the filename without appending any string. even when user does not specify any POST parameters. (32044) The standard and framed IVE toolbar does not appear in the iNotes application in Safari 1. The <auth-type> attribute is set to "basic-predefined" or "ntlm-predefined" and <predefined-password-type> is set to "explicit". or <domain> attributes are being modified by the XML import. and the <explicit-password> attribute is being modified by the XML import.10.10. (46344) • • If the user is using Mozilla Firefox with Pass-Through Proxy (with the IVE port configuration). 3. Copyright © 2005-2009 Juniper Networks. <variable-password>. (57537) Composing a new email in Domino version 8 via rewriter will be present a secure/insecure warning. Inc. (55946) XML import allows creating a Web Resource Profile > OWA 2007 resource profile > Form post SSO. (57469) When SSO is disabled and the IIS server is setup with Basic or NTML authentication for WebDav Virtual directory only.(SSL) for client-server stickiness. The <auth-type> attribute is set to "basic-predefined" or "ntlm-predefined" and <predefined-password-type> is set to "variable". and the <pre-defined-username>. (57468) URL obfuscation does not happen when accessing Domino version 8 via the rewriter. When using Lotus iNotes through Pass-Through Proxy. Archived Known Issues and Limitations 33 .createpopup is not supported with persistent cookies. and the <variable-password> attribute is being modified by XML import.

• • When using Lotus iNotes through Pass-through Proxy clicking on the logout button in Lotus iNotes will logout the user from the IVE. NTLM and Basic intermediation/SSO is not supported for Negotiate challenge. (41825) If Pass-through proxy with "Rewrite external links" is configured for OWA or iNotes then links embedded in email messages are not clickable (44053). (422736) • • When using web SSO. change the default cache rule from ‘No-Store’ to ‘Unchanged’. Hosted Java Applet Issues • The Java applet upload feature may not work on Mozilla Firefox 1.owa?* with "Don't rewrite content: Do not redirect to target web server" option enabled is added.(415049) Copyright © 2005-2009 Juniper Networks.0. path ‘*’. and value ‘No-Store’. This is because Mozilla Firefox 1.6 does not pass cookies from the browser to the Java applet. This is due to a bug in Internet Explorer.1 on IE 7 through PTP host mode gives script error. having a proxy between the SA and the backend server is not supported. (47026) When opening a file in the Japanese locale the URL displayed in the Internet Explorer title bar and the URL bar is garbled. (417953.6 unless the default cookie settings for the browser are modified. Only Kerberos intermediation/SSO is supported for a Negotiate challenge. The file when viewed is displayed incorrectly. It will also not work if the both user and CD account are on the same realm but the associated services are in a different realm. Pass Through Proxy • Accessing OWA 2007 through PTP gives an error while creating a new mail unless a selective rewriting policy for *:*/owa/ev. Archived Known Issues and Limitations 34 . change the settings to ”Enable all cookies” in Mozilla’s Edit > Preferences > Privacy & Security > Cookies or enable “Include IVE session cookie in URL” in the IVE Admin console. go to Users > Resource Policies > Files > Options and select the appropriate encoding option. (59800) Multiple file download is not supported on Windows Mobile devices. (19612). Inc. Constrained delegation will not work when a constrained delegation account and the associated services are on a different realm from the user realm. or add a new cache rule with the IP/hostname of the Lotus Server. due to the unavailability of Zip tool by default. (38304) • • Integrated Web SSO (CD/Kerberos/NTLM/Basic) • SA does not support cross realm constrained delegation. To preserve filenames that contain non-English characters when doing a multiple file download in Windows File Browsing. To work around this limitation. 385883) • Accessing One-line summary of the PRINotes 8.administrators are encouraged to either enable XML rewriting in the Pass-Through Proxy configuration. (27353) File Browsing • • • The shortcut files created within shared folders on Longhorn server do not get listed. Due to a bug in Microsoft Network discovery API NetServerEnum2 IVE will not be able to extract the workgroup information if the master browse server is in a different subnet (43172).

like the one used by Windows Secure Application Manager (W-SAM). There is a chance that this might work in Release 5. WSAM and J-SAM will both work as access methods.JSAM • If JSAM client side logs are enabled on the IVE. If WSAM is installed after installing Checkpoint Secure Remote R56. Archived Known Issues and Limitations 35 . If Lotus Notes Background Replicator is not used. only one application (BitGuard Personal Firewall) is known to be incompatible with W-SAM. then WSAM will work fine. (26698) When using W-SAM diagnostic tools and the built-in log viewer. The user must manually re-direct their browser by clicking on the available hyperlink. Inc. Java exceptions are thrown in the Java console when a telnet session is launched. Customers who use Norton Antivirus Personal Edition 2003 and 2004 should be aware of a live update that Symantec has made available to resolve some TDI compatibility issues with other TDI drivers. (20415) If the Lotus Notes Background Replicator is used within the Lotus Notes Client with the other email and database functionality. • • When the “W-SAM uninstall at exit” option is activated on the server. the user cannot launch W-SAM twice within an authenticated session. and the second initiating a reinstallation. Network Connect is required. There are some complex TCP sequence interactions that are causing the application to break when this feature is enabled (21421) • • • When WSAM applications are defined in Application Mode. (25038) Now that the W-SAM client for Windows 2000/XP is built on a TDI-based architecture. We are pursuing this issue with Checkpoint R&D. (419917) SA 2000 through SA 6500 Items Windows Secure Application Manager • When using Citrix Terminal Services over Windows Secure Application Manager (WSAM). but it has not been verified yet. in some cases. the end-user should use the Uninstall link in the UI under Preferences > Applications.0 that resolved this interoperability issue with WSAM and other TDI driver-based clients. and then launch/re-launch W-SAM so that the log file can be viewed from the diagnostic utility.0 W-SAM and later versions. and the user has the older version of W-SAM installed on their computer. an error message appears instructing them to uninstall their existing application prior to reinstalling W-SAM. (34584) o o o If WSAM is installed prior to Checkpoint Secure Remote R56 install. clients might find duplicate entries of this application name being displayed in the WSAM client > Detailed tab. We have also identified that Checkpoint R60 works fine with WSAM in either scenario listed above. the Citrix “Session Reliability” feature should be disabled on the Citrix Metaframe clients. and the remote user needs access to this functionality through the Secure Access Gateway. This indicates that there were code changes in Checkpoint 6. We recommend you run Symantec live update before installing W-SAM. (23346) When using WSAM with Checkpoint Secure Remote R56 client. In order to uninstall W-SAM. WSAM does not work. we recommend that you make your log level selection first. there are known interoperability issues introduced by the Checkpoint product. (24285) If Auto-Upgrade is disabled on the gateway. (27350) • • • • Copyright © 2005-2009 Juniper Networks. Users must sign in to the IVE two separate times—the first one resulting in a de-installation.

Another approach is to secure all Web browser traffic using Application Mode. The Installer Service is designed to provide application installation capability for users who are performing a standard Web-based installation from the IVE. so administrators are encouraged to use short descriptions for the applications they have configured for W-SAM. and answer “No” to the security warning during the load process. (45792) Windows Secure Application Manager (WSAM) does not support NetBIOS file browsing on Vista SP1 if the file server supports NetBIOS traffic only on port 139.exe is launched from the root directory. such as c:\. WSAM will forward all DNS requests to the Secure Gateway. such as c:\Juniper Networks\. only traffic for the first hostname would be secured. (23090) If you have the NCP Auto-select option disabled.exe from a subdirectory. To resolve this issue. if you want to access UAC (Juniper Networks’ Unified Access Control) protected resources. The workaround is to launch Samlauncher. W-SAM is not able to tunnel traffic to the specified hosts. and the Web browser is configured to go through a proxy to access the IVE. (44585) If WSAM is configured by destination with multiple hostnames corresponding to the same physical IP address. even in the presence of the Installer Service. (47417) When a user signs out of the IVE on a Firefox or an Internet Explorer browser. users can add the specified hostname to the Web browser proxy exception list. The workaround is to specify IP address in WSAM configuration. W-SAM upgrade notifications may get crossed between these active user sessions. (46830) WSAM does not provide an option to reconnect in the message box displayed on idle timeout with the IVE. When using WSAM or Terminal Services to remotely connect to the enterprise network. (45033. (395237) The domain controller has to be added to the WSAM ACL list to enable password change thru WSAM WSAM is not supported on multiple Terminal Service/Citrix sessions running on the same Windows server (419891) • • • • • • • • • • • • • • • • • Copyright © 2005-2009 Juniper Networks. Inc. Archived Known Issues and Limitations 36 . (56414) If standalone WSAM Installer is installed on Vista. If Samlauncher.• Restricted users can't install W-SAM using the Stand-alone Installer. 438099) In Application mode. you need to create a policy in UAC to treat traffic coming from the IVE as an unmanaged device. (18681) The application descriptions of the W-SAM window do not wrap properly. WSAM needs Microsoft KB 951748 to be installed on the system to control the behavior of DNS cache to open and close sockets for DNS requests. (43617) If the administrator doesn’t enter any value in “Allowed Server Ports” field. W-SAM does not initially launch. it is interpreted as “*:*” by WSAM. (22454) If a Windows XP client has the “Fast User Switching” option enabled and is switching between two active user sessions. There is no additional impact to the user session. If W-SAM is configured in Host Mode. if WSAM is still transferring traffic the user may see a “Session Timeout” message because the timeout message may reach WSAM before a sign out event. then launching of WSAM using IE will not work if JRE is not installed on the PC (54513). (42119) Enabling client log for WSAM impacts throughput. start test on diagnostics tab doesn’t work. (52840) On XP. which in turn forward all packets to internal LAN.

Inc.g. We suggest that you configure your cluster nodes to use the same NTP server to ensure they are synchronized. the machine is in “initialize” mode. the Security World is modified to use the new administrator card. please add the application name to the WSAM debug list and reboot the device. (53871) To create application specific WSAM log file for an application already launched before WSAM is installed e. (56737) WSAM does not support Windows Live Messenger on Windows Mobile devices. If you then try to perform a “rollback. it is recommended that the devices be configured at one site before • • • Copyright © 2005-2009 Juniper Networks. Archived Known Issues and Limitations 37 . (48524) WSAM does not support two-tier Windows Mobile Smartphone devices. This is because the “rollback” reverts to the original Security World. (45956) • • • • • • • WSAM doesn’t support client auth proxy settings in PAC files thru Firefox. To activate the new administrator card. SAM UI sign-in does not support role selection. samizing access to public internet sites is not working. repllog. which is not yet configured to use the new administrator card. Administrators must leave the switch at O during normal operation (as per the instructions on the serial console and in the documentation). (47769) By design. WSAM uninstall from user preferences> applications> wsam uninstall doesn’t work if Juniper Installer Service is installed (385930) If Kaspersky antivirus is present on the machine.• • • • On Vista. If the HSM module switch is set to I on a FIPS-enabled Secure Access appliance. Scriptable WSAM (Samlauncher. Secure Access Series FIPS does not support automatic time synchronization across cluster nodes. (480529) • • Pocket PC • Windows SAM options under Users > User Roles > Select Role > SAM > Options are not supported on Pocket PC. WSAM/JSAM/Terminal Service users will get disconnected if any application secured with WSAM sends UDP traffic to a host denied access using an ACL in IVE resource policy (427700). To setup a WAN FIPS Cluster.” the new administrator card does not work. FIPS • If you replace an administrator card using option 10 in the serial console after upgrading a Secure Access Series FIPS appliance.exe. Rebooting the appliance during this time reinitializes the server key and invalidates the current server certificate. If the Windows XP based client machine has other TDI driver based software like Symantec’s Norton 360 or Norton Internet Security it may cause Windows Blue Screen errors (465562) If the Windows Vista based client machine has other TDI driver based software like Symantec’s Norton 360 or Norton Internet Security it may cause the machine to freeze and will require a reboot to recover. (44832) When using WSAM on the Treo. (437185). If the cluster nodes are not synchronized. It is now packaged as part of WSAM package. you must use option 10 on the serial console once again.exe) is no longer available as a standalone exe. (52924). please disable the manual proxy on the device (46081) On a Cingular 8125 device when using WSAM on an ActiveSync connection. WSAM will stay in disconnected mode till we reboot the machine after installing WSAM (419868). time-based features (such as Secure Meeting) do not function properly.

” This option preserves VLAN interfaces configured on the IVE. the IVS root administrator must go into each individual IVS and reconfigure the "Selected VLANs" and mark the appropriate VLAN in each IVS as default. This may leave an IVS with no Selected VLANs in its profile. (44952) For JSAM on Vista. Inc. JSAM fails to exit successfully (JSAM window does not close and hosts file is not restored) when two users use JSAM in the following manner: user A launches JSAM on a timed out session while user B logs into the login window and launches JSAM. but user access to backend resources continues to work over VLAN interfaces. (41085) • Java Secure Application Manager (JSAM) • • On Vista. to support applications that require registry modifications. the recommendation is to redirect the corresponding IVS logs to a syslog server rather than rely on native logging on the IVE. resulting in a mismatch between the VLANs in the IVS profile settings and the newly imported VLANs in the Network settings. JSAM would auto-launch only if the URL was accessed from the IVE bookmarks page. a UAC prompt labeled Juniper JSAM Tool will be displayed to enter administrator credentials. • The FIPS Status LED on the front panel of the SA 4000 FIPS and SA 6000 FIPS product lines is reserved for future use. (46033) The JSAM Autolaunch Policy has been enhanced so that JSAM will auto-launch if the configured URL matches a URL that is requested through the rewriter. (41085) • When an IVS license is added to an IVE that already has the VLAN license installed. (48851) • • Copyright © 2005-2009 Juniper Networks. (48240) MSP administrator advisories: • For MSP subscribers with logging requirements that exceed 1MB. or a dedicated syslog server for a single IVS. The actual behavior is that the admin UI presents the roles as being disassociated from their former VLANs. the expected behavior is that all existing roles should get unbound from VLANs and access to backend resources via VLANs should fail after addition of IVE license. NetBIOS File browsing does not work through JSAM. etc/hosts and etc/lmhosts modification. The syslog server could be a central server across multiple IVS systems. Previously. Archived Known Issues and Limitations 38 . To work around this issue.cfg) is imported into an IVE on which IVS’s have been configured. MSP (IVS/VLAN) • If a binary system configuration is imported with "include network settings" selected to an IVE with IVSs and VLANs. When a binary system configuration (system. the recommended binary import option is “Import everything except network settings and licenses. Including wildcards in the resource could result in the web page displaying incorrectly. It takes an IVE reboot for backend access to fail as expected. The exact URL for which the JSAM is expected to launch should be entered as the resource. they need to go into each Role within each IVS and click on "Save changes" to ensure that the default VLAN configured for the IVS is correctly reflected in the Role's VLAN/Source IP settings. The option “Import everything except IP” should be avoided since it will result in overwriting the VLAN interfaces on the IVE with the VLAN interfaces in the imported file.sending the unit to the final location as the initial configuration requires the smart cards to be available. The device operates correctly under the FIPS specification regardless of the state of the LED. then existing VLANs are replaced. In addition.

}. J-SAM does not automatically launch when Embedded Applications are set to “Auto” in the Citrix Web Interface. configure J-SAM to launch automatically when user accesses the Citrix Web Interface login page. add the URL for the Citrix Web Interface login page. To create a detailed rule.6 builds 2237 and greater. Archived Known Issues and Limitations 39 . if a user has a pop-up blocker. • When using JSAM within SODA 2. To workaround this issue.0 with the latest automatic updates does not support the auto-launching of the Citrix application when clicking on a published application through the IVE. Click Save Changes. users can add the following line to their “java. Click "New Rule".5 and with SODA 2.   Add the IVE as a trusted site or Go to Tools > Internet options > Security > Custom level button > Downloads. The etc/hosts file does get restored with SODA 2. (43061) JSAM can be pre-launched in one of the following ways:  Select "Auto-launch Secure Application Manager" under Roles > <role Name> > SAM > Options. (43197) Internet Explorer 6.• • • • The configuration where the JSAM autolaunch resource policy is the same as a PTP hostname is not supported. You can use detailed rules functionality to create this policy only for IE 7 users. (48614) The restore system settings operation will not restore the hosts file successfully if you log in as a different user from the one that originally launched JSAM. Under Action. To workaround this issue. Inc.aspx". 3.policy” file: grant { permission java.  Create a Launch JSAM resource policy for IE 7 users. do the following: 1. For example. Under conditions. enter userAgent = '*MSIE 7*'. JSAM will automatically launch when the user logs into the IVE. (37486) Outlook 2003 and Outlook 2007 are not supported with J-SAM. 2.0 will not automatically launch JSAM when a user clicks on a published application on the Citrix Web Interface page. Enable "Automatic Prompting for file downloads". 4. select "Detailed Rules" and click the Detailed Rules link.6 (SODA build prior to 2237). that user may experience problems waiting for SAM to fully load. "http://<Citrix server>/Citrix/MetaFrame/site/login. A pop-up window alerting the customer to accept the SAM plug-in may be waiting in the background behind the Internet browser. the etc/hosts file does not get restored to its original state when JSAM is exited. (43061) • Internet Explorer 7.AllPermission. In order to tunnel Citrix traffic. the user must prelaunch JSAM before clicking on the published application. use WSAM or Network Connect. This only affects configurations where the published application is accessed throug JSAM. When using W-SAM and J-SAM. Under Resources. (8251) Netscape may lock up on users who close J-SAM. Set the resource to "*".security. The application discovery functionality within Citrix Program Neighborhood is supported once port • • • • • Copyright © 2005-2009 Juniper Networks. To work around this issue. (25828) If WINS server is being used for name server resolution then NetBIOS through JSAM is not supported. To work around this problem.

(46594) When auto-launching J-SAM using Safari (versions prior to 1. Doing so causes the system to accept the drive as healthy even if the drive has missed updates. Please talk to your system administrator. It is caused by the fact that the system didn’t initialize itself properly during soft reset.80 is configured under J-SAM.0. (35150) If an SA6000 goes from a two-drive configuration to a single-drive configuration (due to drive failure and/or removal) and is rebooted. if a user attempts to use the server discovery feature. (21747) On a Mac OS X.(57144) When JSAM is launched in Firefox 2. occasionally an SA6000 system could see inconsistent LED behavior where the RAID Status LED blinks in RED and the Hard Disk LED is not lit. the user must quit and restart the browser in order to launch J-SAM successfully. Func:02 Loading Configuration.X. (Apple Bug #3860749) (21746) When running J-SAM on a Mac OS X client.4.0. Inc. This is due to a limitation in these versions of Safari. (55079) • • Mac OS Specific J-SAM Items • • On Mac OS X 10. the launch may fail. A cold restart will fix this problem. All Rights Reserved. Workaround is to AutoLaunch JSAM at start of user session. if the user clicks “No” on the SSL certificate warning. <<< Press <Ctrl><A> for Adaptec RAID Configuration Utility! >>> Controller #00: HostRAID-ICH5R at PCI Bus:00.2. (57742) Auto-Launch JSAM for a PTP URL will cause infinite loop on the client. the application discovery fails. The workaround is to restart Citrix Program Neighborhood. If the custom company logo image uploaded to the IVE is a . J-SAM opens a new browser window to display the home page instead of updating the original window that launched J-SAM. However.53 GB Healthy • Copyright © 2005-2009 Juniper Networks. which does not work through the IVE. This results in two open browser windows.2).. the machine halts during boot and displays a serial console message similar to the following: Adaptec Embedded SATA HostRAID BIOS V3. (8665) • • When Auto launch JSAM is configured for a PTP port mode web policy JSAM goes into infinite loop on Mac OS. This is due to Apple's JVM code behavior. if the framed toolbar is configured then the JSAM autolaunch policy feature is not supported.bmp file then the image will not display correctly on the J-SAM window on a Mac OS X using JVM 1. and then attempts to use the application discovery again.12 on Vista.01D06 74. (25831) • • • Hardware • On the SA6000. user would see a message “You do not have permission to change hosts files. (31583) • After an upgrade. the first time J-SAM is launched after rebooting the machine. Inc.Done. Port#00 WDC WD800JD-00LSA0 06. Archived Known Issues and Limitations 40 . Dev:1F. This incorrect LED behavior is cosmetic and does not reflect the actual state of the system.” This is expected behavior because UAC prohibits JAVA applet from changing host files. (57144) Mac JSAM fails to upload logs when the user is authenticated to the SA using Siteminder authentication with the following message: "Uploading failed: It appears that you are not logged-in".. avoid hot-plugging RAID drive connect-disconnect-connect sequences that are faster than 5 minutes.1-1 1255 (c) 1998-2004 Adaptec. and if UAC mode is on.

Inc.. Secure Meeting • We recommend that you do not upgrade the meeting while Secure Meeting is running on Macintosh or Linux machines. Therefore.Done. All Rights Reserved. the meeting client cannot be launched from this browser. if there is a proxy configured. <<< Press <Ctrl><A> for Adaptec RAID Configuration Utility! >>> Controller #00: HostRAID-ICH5R at PCI Bus:00.. We are working with Apple on this issue.0 has a bug wherein it does not fully support proxy configurations.0. (22273) • Safari 1. if the user clicks “No” on the certificate pop-up. If an upgrade is performed during a Secure Meeting. Archived Known Issues and Limitations 41 . Macintosh and Linux users may not be able to launch the client for a new meeting. (17331) On a Windows platform.jar file. Dev:1F. the meeting client picks up the proxy information from the Internet Explorer browser settings.RAID-1 IVE 74. Secure Meeting works on other browsers only if the proxy setting is also configured in Internet Explorer. As a result. Inc.3. This causes the Secure Meeting client to download incorrectly. the rebuild operation may never complete.01C06 74. If an SA6000 is rebooted while rebuilding the RAID array.4 has a problem with NTLM authentication when using ISA proxy server to download the Secure Meeting . the Secure Meeting client does not install. This can be seen from the following BIOS screen on reboot: Adaptec Embedded SATA HostRAID BIOS V3. If the user wishes to try again.53 GB Healthy Port#01 WDC WD800JD-23JNA1 06. The drive which had been previously replaced should be removed from the unit for 2 minutes and then re-inserted. After the drive is removed and re-inserted the RAID rebuild should proceed normally.47 GB Building 1 Logical Device(s) Found To recover from this condition. (17445) When using Mac OS X 10.6 and SunJVM 1. The user should hit Enter to continue using the machine with a degraded array until a replacement drive can be obtained. • An SA6000 should NEVER be power-cycled or rebooted while rebuilding.3 and Safari 1. This is due to Safari and Mozilla browser behavior related to caching Java applets. the machine should be fully booted into the IVE. Func:02 Loading Configuration. Port#00 WDC WD800JD-23JNA1 06.53 GB Healthy Array #0 .Following SATA device(s) are not present or responding: Port#1 WARNING !!! Configuration Change(s) detected !!! Press <Enter> to accept the current configuration or power off the system and check the drive connections.1-1 1255 (c) 1998-2004 Adaptec.01C06 74. they must open a new Safari browser window. The user must close and restart the browser to fix the problem. (17442) • • • Copyright © 2005-2009 Juniper Networks. (17550) Red Hat Linux 9 with Mozilla Firefox 1.

(24902) A presenter using a Linux client is not supported in a WAN environment.6 such that if it is configured with an authenticated proxy. auto-scrolling in the viewer window is incorrectly controlled by the auto-scroll option under the presenter’s preferences. (41217) • • • • • • • • • • • • • • Copyright © 2005-2009 Juniper Networks. (24417) In Fit To Window mode. attendees may sometimes see small blocks of mangled images in their Viewer window. Inc. (25555) Part of the bottom of the presenter screen is truncated when viewed on a Linux or Mac viewer in Fit to Window mode. auto-scrolling in the viewer window is not working on Macintosh. (24543) You should not start annotation in a remote control session. Archived Known Issues and Limitations 42 . annotation may not work well for conductor and presenter on Windows. Fit to Window does not work well when the presenter changes the resolution while presenting. the presenter can click on them. 31604) On Windows. (24427) A presenter using a Linux client is not supported over slow DSL. (39857) During annotation. the chat messages do not reappear after the user un-hides the messages. the attendee lost the annotations when disconnected and reconnected. and Windows platforms. If the Linux or Mac presenter annotates over the application toolbar at the top or bottom of the screen. (27403) When the Hide Attendees option is enabled. (30633) Auto-scrolling in the viewer window on Mac or Linux can be slow at times. (31456) On Windows. (39413) There is an issue with Mozilla 1. if the Windows attendee clicks on the Draw icon. a "Failed to change roles" message appears when granting annotation permissions to another attendee. then the annotated objects in those areas are not displayed to the viewers. (31353) If a presenter starts sharing while the Hide Attendees option has been enabled and the presenter has ongoing private chats with other attendees. and those private chat messages will be seen by other attendees. the annotation session is not started. (26468) The Secure Meeting Toolbar does not work on the Linux KDE window manager if the attendee runs the Viewer in Full Screen mode. The correct message should be he cannot annotate while sharing control of the presentation. (40470) In Hide Attendees mode. Linux. The presenter needs to click the Draw icon again after an attendee has joined the meeting. (31603. (37868) Secure Meeting does not launch on Sygate Virtual Desktop if the Secure Meeting client is not already installed on the real desktop.• • • • • • • • If the Hide Attendees option is enabled. the private chat tabs are enabled. when a Linux or Macintosh presenter clicks on the Draw icon to enable annotation. Secure Meeting will not launch. only when the presenter enables auto-scroll will the attendees on the Windows platform see auto-scrolling in their viewer window. he'll get an incorrect message "Request for control failed". the role information is not displayed next to the attendee name in the Chat window. (24480) On Macintosh and Linux platforms. (26851) If there are no attendees. (24986) There is a limitation on the areas where a Linux and Mac presenter can annotate. (24985) There are attendee viewing issues in a WAN environment with Linux presenting. (31602) During annotation. On Windows. Therefore. then the private chat tabs are disabled on Mac and Linux. (40869) When a Linux or Mac user is presenting and a Windows attendee is the remote controller.

the presenter should select his name and click on “Controller” button. using the same browser window. if the Viewer images are mangled. chat messages are duplicated if the Secure Meeting disconnects and reconnects. Secure Meeting under Resource Policies has been moved to the Configuration page. Inc. The workaround is to sign in to IVE again or close and open a new browser. the presenter’s “Take Control” button is not enabled if the presenter grants remote control to an attendee via “Controller” button. the presenter gets an error message "Could not share desktop. (46969) If the remote controller changes the screen resolution on Mac or Linux presenter desktop. (48072) On Windows. Archived Known Issues and Limitations 43 . then remote controller can type language X’s characters into presenter desktop.5. (45612) In 6. presenter's mouse cursor will be displayed with "wavy" or "fishbowl" effect as the presenter moves his mouse. The workaround is for remote controller to select the IME to be language X on the presenter desktop and to select remote controller’s own IME to English. users have to point their mouse over the menu item to actually see the update state of the menu item. the characters typed by remote controller on presenter’s desktop will not appear correctly. if an attendee joins the meeting. (48777) On Windows platform. The workaround is to use JVM 1. (41992) If two or more attendees select the same annotated object and move it.x. (50060) Attendees invited through the Secure Meeting Outlook Plugin are not listed in the meeting archived file.• • • • • On some Intel iMac systems. there is a delay in remote control in Fit To Window mode. the object will be move to an unexpected location.0. (41995) In the 6. To take control back. (41530) On Macintosh and Linux platforms. you can minimize/maximize or close/reopen the Viewer window to refresh the images.0 release. (47724. when attendee enables Fit To Window mode on his Viewer. (48212) After upgrading to 6. the active meeting clients may have to be relaunched. vertical lines appear in his Viewer window. Contact your system administrator" and the remote controller gets disconnected. the format of the notification email has been updated. if “Authentication Requirements” is not set to “Require secure gateway authentication”. the administrator will see a javascript error when he clicks on the Meetings tab under Roles. (53408) After presenter on Windows machine enables "Hide Drawing" during annotation. (47891) On Mac with JVM 1.4 or below. (53025) If the services are restarted on an Active/Passive cluster. (44708) "Select All" does not work in Customize Drawing Permissions window.0. (44684) On Windows platform. the toolbar continuously displays and hides once the toolbar is set to auto-hide. he is able to draw even though hide drawing mode is enabled. conductor will receive two URLs in the notification email: conductor should sign in to IVE using the “Conductor URL” and send the “Attendee URL” for attendees to join the meeting. 21404) After the presenter enables "Hide Drawing" during annotation and an attendee on Mac/Linux joins the meeting. (41469) On the Macintosh platform. (48210) On Windows platform. (47924) On Vista platform. when the attendee draws past the presenter’s screen. In addition. (43346) During a remote control session involving non-English Windows OS. he will see the drawings on his Viewer window even though Hide Drawing mode is • • • • • • • • • • • • • • • Copyright © 2005-2009 Juniper Networks. annotated objects are not scaled properly if attendee enables Fit to Window mode.

This could be confusing as the end user can login to the IVE from within SVW. (59607) When Outlook plug-in is installed through Firefox. Therefore. (423034) Meeting viewers are able to see Outlook Desktop alert notifications even if unrelated applications are shared on the Windows desktop. Use sharing desktop as a workaround. (57667) Under Configuration > Secure Meeting. if "Sequential room number with prefix" has an empty room value in the XML document.exe" in the "Blocked List" tab in Confidence Online Application. This issue may happen for Power Point presentation too. Secure Meeting is not able to display the Video screen. (58571) Meetings that are scheduled on the DST start day and the DST end day are placed on a row that is one hour off from the actual meeting starting time. (418839) On a hardware video acceleration capable computer. When SVW is configured to start before user authentication the end user will see the message "You do not have permission to login. User is able to update Secure Meeting configuration on SA service successfully even if “SMTP Login” and “SMTP Password” are invalid. (55518) • If Symantec's Confidence Online blocks the Secure Meeting client process on the presenter's machine. Meetings will start on correct scheduled time. 48587) • When Host Checker remediation is configured for a Secure Virtual Workspace policy. The workaround is to restart the browser and connect to the IVE again (36682). (426017) If a user is presenting from a Windows XP machine. This is only a display problem. (59632) Secure Meeting doesn’t support application sharing of Mokafive. (57186) On Vista. user are prompted to enter proxy authentication twice when creating Secure Meeting from Microsoft Outlook. then attendees will see black screen appearing on their viewers. (423336) If Auth proxy is required to connect to Secure Gateway and if Firefox is used to launch Secure Meeting from https://<SecureGatewayURL>/meeting/<MeetingID>. The slides are changing continuously. Archived Known Issues and Limitations 44 . the Secure Meeting client can’t be downloaded and installed. when the XML document is imported back into SA device. Inc. It will not be able to access other applications/processes running at higher integrity level. remote controlling those applications/processes running at higher integrity level on a Vista machine will not work. viewers using XP and Vista clients see a green wait cursor. (59778) Through NSM. Viewers using Linux or MAC don’t see this problem. Please contact your administrator" in the browser on the real desktop.enabled. The workaround is to disable hardware acceleration in the Video play. (34385. These fields should be auto populated. if authentication proxy is configured. (427181) • • • • • • • • • • • • • Secure Virtual Workspace (SVW) • The Secure Virtual Desktop does not support real time Anti-Virus scan. (392575) After installing Outlook Secure Meeting plug-in. the Secure Meeting application is run at medium integrity level. (426340) Sometimes the cursor may continuously blink when the meeting presenter is using Windows XP. To avoid any • Copyright © 2005-2009 Juniper Networks. The presenter must unblock "dsCboxUI. pauses and then started Yahoo slide show in the presentation. the Try Again button on the end user remediation page will not launch Secure Virtual Workspace again. (57020) On Macintosh or Linux platforms. "Pause" sharing does not work. the “User ID” and “Realm” fields are empty in the “Provide server details” page. the room value will default to "room".

” (37021) When Yahoo toolbar is installed.confusion this message can be altered using the custom sign-in pages by customizing the message for error code 1025 in SSL. user is switched back to real desktop. Inc. IE in SVW launches very slowly. (57161) In a Japanese OS. (43695) Applications can not modify Local Machine registry keys inside SVW.thtml (37021). It is recommended that strong passwords be used when securing their SVW persistent data store on multi-user systems. if user modifies proxy setting on the real desktop after SVW been launched once. Some applications are single instance by design. Thus. Because of this limitation. The default editor is going to be Wordmail instead of Microsoft Word. all applications require modification in Local Machine during installation can’t be installed inside SVW. once SVW launches. they can be launched inside SVW. the default desktop background is set to same as SVW desktop background. such as Acrobat Reader. if a Windows personal Firewall alert is shown. SVW will not recognize the new proxy settings. sometimes MS office 2007 can’t be launched inside SVW. (410805) While user is inside SVW. (56558) After Host Checker launches SVW. (56316) User may get an error message when viewing property of a file inside SVW. the Windows personal firewall screen will be shown on the real desktop. As part of Host Checker launch. (51131). (412241) Installing a . Microsoft Word is DISABLED as a default editor for Microsoft Outlook. (60265) With persistent data is enabled. (53706) JSAM configured with Netbios file browsing does not work inside SVW. (37438) Microsoft Outlook will work in SVW only when connecting to a Microsoft Exchange server through the MAPI protocol (40877). If they are previously installed on the client machine. This is due to compatibility issue with Yahoo toolbar. the alert will be shown on the real desktop. (37144) Multiple users using the same password to encrypt their SVW workspace on the same host could gain access to the persistent data storage protected by that static password. • • While in the Secure Virtual Workspace. Attendee does not get a request for control denied message when the presenter denies the request for control. (45899) When persistent data is configured for SVW. (425653) • • • • • • • • • • • • • • • • • Copyright © 2005-2009 Juniper Networks. SVW does not work in HC post-authentication mode. SVW gets evaluated and any evaluation of SVW will launch the SVW shell. if the machine lost power or crashed (not graceful shutdown). these applications can’t be launched in the default desktop and inside SVW simultaneously. (403398) If user launch Windows personal Firewall from inside SVW. User can manually switch back to SVW desktop. This happens when the presenter is running on Linux or Macintosh. (53703) When the Google Toolbar is installed. Archived Known Issues and Limitations 45 . user may see a few error pop up messages. (37311) SVW is configured using Host Checker’s policy UI on the SSL-VPN admin UI.msi package inside SVW is not supported. Please contact your administrator. and SVW is launched by a restricted user. (56310) When Microsoft Exchange Outlook application is launched inside SVW. the browser page on real desktop shows “You do not have permission to login.

as system events do not have an associated Realm or role name. (32829) Copyright © 2005-2009 Juniper Networks. (49585) • • • • • • • • • End-User Interface • Welcome messages and portal name are displayed even if the greeting is disabled. Inc. the “sign in again” link may take the adminiswtrator to the end-user sign in page instead of the administrator sign-in page. If the custom Help page is blocked by an Access Control policy. (26077) The Dashboard graphs may not display properly if the IVE system time has been adjusted back too many hours or days in time before the data was recorded.System Administration and User Interface System Status and Logs • • The format of the logs for system-generated events may show () and []. if the log is already larger than the new maximum size. (22728) • If HTML tags are used in the notification message then the collapse/expand feature is not available. (31987) The maximum log size of the sensor logs cannot be set when the IVE is upgraded from 5. the current log file is archived and a new log file is created. The administrator can simply type the administrator sign-in URL (for example. then the standard error page is displayed with a link to "Return to previous page. The IVE does not respond to 407-based authentication challenges from the Web proxy. In active/active Network Connect deployments. with static routes to each sub-pool pointing to the internal IP address of the hosting cluster node as the next-hop gateway. The display is momentarily incorrect due to this change. When an administrator IVE session times out (due to inactivity or by reaching the hard limit). Further. the recommendation to the administrator is to split up the NC IP pool into node-specific sub-pools." This link does not work. The administrator must manually activate it on the serial console or Web interface. (22264) Clustering • The IVE does not support a common IP address pool for NC for an Active/Active cluster. The IVE no longer automatically enables hardware acceleration when the license is installed that enables the acceleration feature. (46642) Periodic snapshots will not be taken if the system configuration is imported without network settings from another SA. /admin) to sign back into the IVE Admin Console.2 or an earlier release (42185) The time to generate a system snapshot will increase dramatically if there are a lot of client connections and the DNS server is unreachable. both of which can be ignored. The workaround is to disable and then enable the periodic snapshot on the new SA again. When the Web Proxy feature is enabled. The hardware port status may not be correctly updated when the network port is not connected. Archived Known Issues and Limitations 46 . administrators should make sure to turn off HTTP proxy authentication (407-based) on the Web proxy. (22321) When the administrator reduces the maximum size of a log file on the IVE. the administrator is advised to perform static route configuration on the backend router infrastructure in a coordinated fashion. the log size will show a larger % value on the Status page under “Logging Disk % full”. (16920) The Web Proxy feature may only be configured for HTTP and HTTPS requests. As soon as another log message is generated for that log file.

1R1 or newer) that will be part of the cluster C2 on the same network to which PN1 was attached. Import the data exported in step 1 into the new cluster Node PN2. the administrator may need to manually associate the device certificates to cluster internal and external VIPs in order for the device certificate to be presented to the right port. The internal network settings of the newly added nodes must also exactly match the corresponding settings in the original cluster C. Archived Known Issues and Limitations 47 . Note down the following information • Cluster name – C_Name • cluster password . (26182) After a certificate is de-associated with an interface. Do not join the newly added nodes to the cluster C2 yet. Nodes being added must be assigned exactly the same names that existed in original cluster C1. 3. Navigate to the cluster status page and add the remaining nodes to the cluster configuration. Navigate to the admin UI Clustering tab and click on Create Cluster.PN_InternalNetmask • Internal network gateway of PN1 . Create the cluster C2 using the exact same cluster name and cluster password that were in use at cluster C1. 2. 6. (48857) Changing VLAN IP to different network could leave the VLAN virtual ports configuration in different network than the underlying VLAN. network masks and gateways Shut down the machines in the existing cluster C1. the nodes that do not have a log archiving server configured will not archive the logs. 7. (42351) Changing the IP address of a cluster node can sometimes cause the cluster to not converge. This first cluster node PN2 must also be assigned the name PN_Name as noted down in Step 2. 4. 5. (40046) When upgrading A/P cluster to 6.PN_Name • Internal IP address of PN1 – PN_InternalIP • Internal network mask of PN1 . even though there may be more than one IP address configured for each cluster node. (48608) The admin UI will show just one IP address in virtual port configuration page. Let’s call this machine PN2. Inc. Bring up one of the new machine (which should already be running a software release 6. When prompted configure the internal network settings of PN2 to exactly match the internal network settings of PN1 as noted down in Step 2. Install the new primary licenses on PN2.• • • • When log synchronization is not turned on. it must be deleted before the new certificate will be present on the interface. • • • • Export the system user and IVS configuration from C1's primary node (PN1). Copyright © 2005-2009 Juniper Networks.PN_InternalGateway • Names of all other nodes in the C1 cluster and their internal network IP address. (48904) To migrate system and user configuration from an SA cluster C1 to a replacement cluster C2 with different type of SA machines. (48643) An active/passive cluster loses the VIP if one of the nodes is removed from the cluster.1. 8.C_Password • Name of the node where export was done . follow the steps listed below: (54213) 1.

the "Connect local XXX resources" options defined under Roles > Terminal Services > Options had two functions: first it determined if this option was visible in an end-user bookmark.) Until Microsoft establishes a fix. (48743) An administrator will not be able to install any new license on a cluster primary node if all the licenses are deleted first. Import the system configuration – pick the option “Import everything (except Device Certificate(s))” Import the device certificates Import user accounts Import any ivs settings Bring up the remaining new machines.• • • • 9. To support this new behavior. the administrator must ensure that the import operation is initiated at the same node from which the system configuration was exported. local drive mapping will work only on Win2K3. In general it is preferable to exclude network settings when importing system configuration in a running cluster. Install the CL licenses on the newly joined nodes.0 the role level options determine if this option will be visible in an end-user bookmark. If the end-user behavior could vary after an upgrade then the change is logged in the admin access logs. then IVE will use the CTS client to run the applications on the Citrix Web Interface (45629) The Terminal Services feature supports local drive mapping. Do not do make any other configuration changes on these machines as they will be lost when these machines join the cluster. (56077) • • Terminal Services • In releases prior to 6. (Windows 2000 does not allow drive mapping via RDP clients. Therefore it is possible that user in a pre-6. (47028) • If the user is mapped to two roles. Join the machines brought up in step 9 to the cluster. Archived Known Issues and Limitations 48 . • Network settings that are part of the system configuration exported from a cluster can not be imported into another cluster with a different cluster configuration. (55054) A cluster may split into two different cluster configurations when adding/joining/deleting a node in a WAN cluster under heavy load. Inc.0. To import system configuration including network settings previously exported from a cluster back into the same cluster. 10.0 release had access to local resources and does not have access after the upgrade to 6. Therefore this role-level option overrode a similar option in the admin bookmark. configure the bare minimal internal network settings needed to bring up the machine – the network settings must match what has already been configured in the cluster C2 on node PN2. the following changes will be made during an upgrade: if a terminal services resource profile is associated with multiple roles and their individual role level settings conflict then these corresponding options in all the bookmarks defined under these roles will be disabled. In 6. 11. Citrix Java applets will not work on Mac OS X unless a production Web server certificate has been uploaded to the IVE. but cannot support it on Windows 2000 due to a Microsoft limitation. wait for the cluster status to stabilize. second it determined whether the local resource would be available for all users of this role. This behavior has been changed to clarify the use of these options.0. Note that during the import operation nodes in the cluster will be disabled and enabled internally. one configured to use CTS to run applications on the Citrix Web Interface (through Citrix WI web resource profile) and the other configured to use JSAM or WSAM to run applications. Do not add licenses on these machines yet. (25264) • • Copyright © 2005-2009 Juniper Networks.

juniper.(49440) Telnet/SSH bookmarks can not have duplicate names. Copyright © 2005-2009 Juniper Networks. So if older versions have bookmarks with duplicate names created the upgrade process will modify the names to make them unique. configure IE to allow the telnet/ssh window to open without an address bar.". End users should not remove this DLL from their Windows Vista machines or otherwise Windows Terminal Services will not work (42450) Netscape may freeze when users close Secure Terminal Access (STA). (41475) When using Windows Terminal Services with ThinPrint client on Vista.5 and later. Inc.8MB and 4. The “Supported Platforms” document summarizes the functionality tested. our testing model. o Click "Custom level. so we have tested IVE functionality with the most common operating system/browser configurations used for the specific functionality. the user may begin typing and using the Telnet/SSH functionality. Please check the client documentation for supported color depths. the main telnet/ssh window loses focus. • When using the [Tab] + [Enter] key in IE 7 in a telnet/ssh window. the user must first click in the Java Applet window to set the focus.AllPermission.. o Click "Enable" under "Allow websites to open windows without address or status bars". (41027) The Citrix client version 10. (51949) Supported Platforms Please see the “Supported Platforms” document posted on the Juniper Networks Support Site (http://www. o Choose Tools>Internet Options>Security. (54816) • • • • • • Telnet/SSH • When using Secure Terminal Access (STA). Archived Known Issues and Limitations 49 . Windows Terminal Services uses mstscax.dll on Windows Vista to launch the terminal services session in both the SSO and non-SSO cases. users can add the following line to their java.net/support/) under “IVE OS” for a current list of supported platforms (operating system/browser combinations). Creating a Citrix Terminal Services session using a custom ICA file will not work if there is already a Citrix Terminal Services session in the role that is having the same name for the Custom ICA file. 2-BookmarkA.policy file: grant { permission java. o Scroll down to the "Miscellaneous" section. a greater number of color depths are listed than what the RDP or ICA client supports.. To resolve this issue. The stop button is missing and scrolling does not work. (46143) • • Telnet/SSH windows configured with screen size 132*60 and font size 36 pixels does not work well. (45748) When using Web Citrix resource profile with “launch using CTS” option. }.8Mb respectively in size. Ex: BookmarkA. you need to use ThinPrint client’s Vista compatible version.2 and 10. BookmarkA would become 1-BoomarkA. and the supported platforms for the Neoteris IVE. Customers are advised to use a sufficiently large timeout to avoid this problem (46104) Starting with IVE version 5. To workaround this issue.security. Note that some platforms do not completely conform to HTTP standards. The user session might hit idle time out for those coming from slow connections while downloading the Citrix client. the “connect all disconnected sessions” feature may not work at times. Then.0 are 7. Use a different file name for the ICA file to work around the problem.• When creating a Windows or Citrix terminal services session on the SA device.

Copyright © 2005-2009 Juniper Networks.juniper.net/support. Archived Known Issues and Limitations 50 . Inc. please visit the Juniper Networks Support Site: http://www.To open a case or to obtain support information.

1r1 and later releases.2r2.Supported NSM releases The 6. Archived Known Issues and Limitations 51 . Copyright © 2005-2009 Juniper Networks. Inc.5R1 release will be manageable via the following NSM releases: 2008. 2009.