08-19-2009 12:38 PM
I've been developing more features of our Juniper appliances the past few days. We have not been using Network Connect at all. Yesterday, I set up NC and have it working. Today, I discovered a problem and was hoping someone could help.
First... our config:
1x SA 2000 (this is the test device I'm currently using).
2x SA 6000 in active/passive (where the finalized config will end up).
auth - Active Directory Win Server 2008 (running in 2008 native mode.)
code - 6.4R2
I have made some blanket allows to open our network when connecting through Network Connect. It is restricted to just several admins by username.
What is going on...
User logs into IVE (or launches network connect client) and gets assigned an IP address from the specified pool. That works fine. Our internal websites work, fileshares work, applications requiring authentication and internal server access work. What doesn't work are things like SharePoint and Citrix that, I assume, are using NTLM for auth. Since the test devices are non-domain devices, the local accounts do not match domain credentials like they would inside the network.
What I have done is attempted to set up NTLM SSO Settings. I created a new Label and assigned our domain name, with Variable set for Credential Type. I set the Username to <USER> and Variable Password to <PASSWORD>. The idea is that since our users will need domain credentials to gain access through Network Connect, we will pass that along in the form of NTLM in place of the credentials on the machine. This does not seem to be working.
Under Kerberos/NTLM/BasicAuth I set the Action to NTLMSSO and applied it to all internal resources. I've also tried using the "Fallback" to NTLM V1.
Anyone have any suggestions? I can provide clarification if needed.
08-19-2009 02:50 PM
08-19-2009 08:16 PM
I was worried that this might be the case. I guess I just didn't know for certain. Just for the heck of it... Assume Network Connect is connected on a non-domain machine. I suppose I could still open sites from links in the IVE bookmark page... Citrix NFuse, SharePoint link. I think I could make it work for just those things that require NTLM. For the rest, all I really want is the split tunnel (which is working) and the DNS client then server. It works well and I think it will be popular among the user community.
I was incorrect in my post about the file shares though. Those aren't working as normal. Any idea how I can make those work? I was thinking of a logon script to do some mapping. I'm just not sure how far I can take the scripts. I'm most concerned with what we call M drive mapping (staff shares).
I'm basically trying to idiot-proof this thing. It's not easy! I was hoping for a bit more out of Network Connect, really. Thanks for the reply.
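The drive-mapping logon script the post above is considering, written here as an added example (not the poster's script and not anything Juniper ships): it checks that internal DNS answers through the tunnel, prompts for domain credentials instead of relying on the non-domain machine's local account, and maps the share with those credentials. The server, share and domain names are placeholders, and it assumes PowerShell 3.0 or later on the client.

```powershell
# Added example: map a staff share over Network Connect from a non-domain PC.
# FILESERVER, 'staff', M: and DOMAIN are assumed placeholder names.
param(
    [string]$Server = 'FILESERVER',   # assumption: internal file server name
    [string]$Share  = 'staff',        # assumption: share that sits behind M:
    [string]$Drive  = 'M',            # drive letter to map
    [string]$Domain = 'DOMAIN'        # assumption: NetBIOS domain name
)

# 1. Internal names only resolve once the tunnel is up and split-tunnel DNS is
#    pointed at the internal servers; fail early instead of hanging on SMB.
try {
    $null = [System.Net.Dns]::GetHostEntry($Server)
} catch {
    Write-Error "Cannot resolve $Server - is Network Connect connected?"
    exit 1
}

# 2. A non-domain machine has no AD credential to hand to the file server, so
#    the mapping must carry an explicit DOMAIN\user. Prompt for it each time
#    rather than storing a password in the script.
$cred = Get-Credential -UserName "$Domain\$env:USERNAME" `
    -Message "Domain credentials for ${Drive}: (\\$Server\$Share)"
if (-not $cred) { exit 1 }

# 3. Clear any stale mapping left from a previous session, then map the share
#    as a persistent Windows drive so Explorer and applications see it.
if (Test-Path "${Drive}:") {
    net use "${Drive}:" /delete /y | Out-Null
}
New-PSDrive -Name $Drive -PSProvider FileSystem -Root "\\$Server\$Share" `
    -Credential $cred -Persist -Scope Global -ErrorAction Stop

Write-Host "${Drive}: mapped to \\$Server\$Share as $($cred.UserName)"
```

Because the credential is only prompted for and never written to disk, the mapping lasts for the session and must be re-run after the next Network Connect logon.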
09-14-2009 06:47 AM