03-01-2010 11:56 AM
I wish I could share your enthusiasm... I used to up until 6.4 (maybe you skipped it?)... 6.4 was, in my experience, quite a step back. Our biggest issue was Host Checker not automatically upgrading for the end user (and instead they just get the generic "You are not allowed to sign in"), but the memory leak we found that forces us to reboot every week is also a huge pain. Before 6.4 (my first IVE was running 5.2) every upgrade was a pleasure. The last 2 upgrades (to 6.4R3 and to 6.4R4.1) nearly destroyed my Support Center so I'm hoping the extra staffing they're planning for our upgrade to 6.5 is found to be unnecessary.
My issues with 6.4 aside I do have 6.5 on a lab IVE and it is very nice. Love the integration with VMView and ActiveSync.
03-03-2010 05:45 AM
This thread scares the bajeezus out of me.
I've been hanging on to 6.0R7 for dear life. Upgrades are nightmarish for our company but I have to make the leap soon since they are dropping support. When I hear that new versions have the same problems I have, memory leaks and host checker execution issues, I get ill in the stomach region.
03-03-2010 07:52 AM
Haha Jickfoo, I don't think it's that scary... I upgraded my one production SA-2000 last night to 6.5R3.1 and we've had no reported issues, although it's important to note it's only used by a few users hence why it was upgraded first. Tomorrow morning we upgrade our major production SA-4000's from 6.4R4 to 6.5R3.1 so I'll let you know if we encounter any problems... I'm optimistic that Host Checker seems to be upgrading properly for users but tomorrow will tell definitively as I'll have over 200 users logging in, all requiring Host Checker to do so.
As an aside, if you're worried about Host Checker (or other VPN software) not installing / upgrading properly automatically when the user logs in, I recommend creating a /downloads sign in page that lets users log in (without Host Checker or anything) and gives them access to a Share you've set up with the manual installers for each piece of software. This has proven incredibly useful for me during the turbulent 6.4 upgrades and even if 6.5 fixes that (and I pray it does) it's still good to have around.
03-03-2010 07:57 AM
I would love to hear how your upgrade goes. Thanks.
Also your advice about a sign in page with the installers is a great one and I will certainly implement that. Thanks very much for that suggestion.
03-05-2010 11:19 AM - edited 03-05-2010 11:21 AM
Our upgrade went pretty smoothly. Much to my pleasure we had nearly zero issues with Host Checker upgrading (like we did after 6.4 upgrade) so that alone made it worthwhile. One thing to note that we didn't fully notice until the upgrade-- Juniper changed the way their software asks permission from the end user to install/upgrade/run. Now you'll get a small prompt window that will ask permission to run. Luckily there's an "Always" option too so you can accept it once and forget about it which is nice.
The one major issue we had will most likely not affect most other users since it's specific to Secure Virtual Workspace. For some reason the VPN components (HC, WSAM, etc) are unable to install / upgrade properly if it is done within the SVW environment. For example Host Checker would redownload the "UnifiedSDK.zip" up to 4x every time SVW was launched. We also found WSAM would fail to operate properly as well in some cases. This only impacted about 10% of our userbase that use SVW, but when you've got a total of about 200 users it's noticeable. I just found a workaround for this, and that was to purge Juniper software from the end user's machine and have them reinstall everything through a sign-in URL that didn't use SVW. After that they're perfectly fine. I will note, however, that I cannot say that this is an issue only with 6.5... I'm pretty sure previous versions had this same issue but it just became more obvious of an issue now after the upgrade and us not focusing on Host Checker problems. Pretty sure UnifiedSDK.zip always redownloaded multiple times in SVW in versions past.
So overall I'd call our upgrade to 6.5R3.1 a success, it is already worlds better than 6.4, but the SVW issues muddied what otherwise would have been a very pain free upgrade.
03-05-2010 05:29 PM - edited 03-05-2010 05:35 PM
That popup is a new whitelist security feature. From page 80 of the 6.5 admin guide:
—The admin whitelist file can be modified only by the endpoint administrator. The administrator must use SMS or other mechanism to copy the admin whitelist file to the end-user's system. Admin whitelist files are located in:
%ProgramFiles%\Juniper Networks\Whitelist.txt (Windows)
/usr/local/juniper/whitelist.txt (Macintosh and Linux)
—Users can themselves make the decision to trust an IVE or not. When the user makes a decision to trust an IVE, the IVE gets added to the user whitelist. User whitelist files are located in:
%AppData%\Juniper Networks\Whitelist.txt (Windows)
/~/Library/Application Support/Juniper Networks/whitelist.txt (Macintosh)
By design you won't be able to install anything while inside of a SVW. You'll need to have the software installed before you launch the SVW session. SVW is a restricted workspace with minimal access. For example: it will not allow you to write to the registry. These restrictions are in place to ensure that nothing is left behind after the user logs out of the SVW session.
03-08-2010 08:42 AM
I too found the "new whitelist security feature" after the upgrade. While new features are good it would have been nice if this one had been mentioned in the What's New or Release Notes. Changes that throw up new pop-ups to the users are what generate helpdesk calls so it's good to be able to warn the helpdesk/users or as is possible in this case here avoid the new pop up.
Also hiding it in the IF-MAP section of the Admin Guide didn't help as on first glance this section didn't seem relevant to our set up. It took a bit of searching to find a KB article that pointed to the right section.
03-10-2010 08:18 AM
I have been seeing the security popup that allows you to "Always" allow Juniper installs since 6.5r1, so yes if you're upgrading from 6.4.anything it's new and better than a popup for each component imo.
As far as the Host Checker, I only use Host Checker with a separate realm for MAC users since they need NC and that's only about 20-30 users and they have had no complaints.
03-11-2010 08:46 AM
cbarcellos-- I understand how SVW works, but I always assumed that it made an exception for the installation / upgrade of Juniper software. If this is not the case then WHY is it allowed to even be attempted to install? The IVE knows perfectly well that the user is inside of SVW (because Host Checker told it they were) so why doesn't it AT LEAST give a notice that it cannot install the software inside of SVW?
It boggles my mind that such a simple thing would be totally overlooked... if the Juniper client software cannot be correctly installed inside of SVW then why does it try anyway? I can't even begin to count the amount of lost production hours because of this undocumented problem... and all because there's no check before it goes to install the software as to whether the user is inside of SVW or not.
As an aside-- I spoke too soon about Host Checker being fixed. We do still have issues with users of various kinds being unable to log in because Host Checker isn't upgrading properly. Often uninstalling Host Checker fixes it but not always.
03-11-2010 10:09 AM - edited 03-11-2010 10:13 AM
I wanted to double check this, so I tested it on a 6.5r2 IVE in my lab.
First I uninstalled all Juniper applications. Next I logged into the IVE with the SVW setting to invoke at the realm level. This caused a HC installer to popup, which loaded SVW on my system. Then I logged into the IVE from inside the SVW session. NC auto installed and then launched normally.
I then logged out of SVW to check which Juniper Apps were still on the system. HC and NC were installed. I logged into SVW again and saw that NC launched properly, as it was already on the system. So it looks like NC will install inside of SVW without issue. In my test I used IE6/XP with SP3.
WSAM also installed inside of SVW, and was still on the system after logging out. WSAM launched normally when I logged in the second time as well.
03-11-2010 11:55 AM
It's good to know what I thought originally is correct... that the software will and does install inside of SVW. The problem that I mentioned earlier is that this is not 100% effective. Especially after our upgrade to 6.5 we had many users with issues getting either Host Checker or WSAM to work correctly inside of SVW. Host Checker's most common problem was that it would constantly redownload the ESAP package (up to 3 times in a row) every time they went to log in; WSAM's most common problem is that while it would launch and show connected it would never actually send data through it. In both cases the fix for this was to uninstall both pieces of software and have them installed / run outside of SVW. For the majority of users this was not necessary, but it happened to enough of our user base for it to be obvious that there is some problem with installing Juniper software inside of SVW.
03-11-2010 12:19 PM
That experience shouldn't happen. If some users work, but others don't, it sounds like deeper research needs to be done. I'd recommend opening up a JTAC case to get this looked at.
03-12-2010 08:31 AM
Thanks I've already done so although I don't hold much hope in a resolution... looks like it's time to start researching alternatives to SVW, we've been using it for over a year now and it's clear that the feature is just not reliable enough to be used in a large production setting with non-standardized endpoints (which I thought is what it was designed for).
Thanks again for your input.
03-17-2010 02:30 PM - edited 03-17-2010 02:37 PM
The "What's New" guide for 6.5 now lists the new Whitelist feature. Thanks for bringing this to our attention.
No problem. I'm sure that JTAC will find a resolution for the SVW problem you're running into. Their job is to ensure you're satisfied with the resolutions that are presented to you. If you're having problems with the case, feel free to message me the case number so I can follow up on it for you.