03-01-2010 11:56 AM
I wish I could share your enthusiasm... I used to up until 6.4 (maybe you skipped it?)... 6.4 was, in my experience, quite a step back. Our biggest issue was Host Checker not automatically upgrading for the end user (and instead they just get the generic "You are not allowed to sign in"), but the memory leak we found that forces us to reboot every week is also a huge pain. Before 6.4 (my first IVE was running 5.2) every upgrade was a pleasure. The last 2 upgrades (to 6.4R3 and to 6.4R4.1) nearly destroyed my Support Center so I'm hoping the extra staffing their planning for our upgrade to 6.5 is found to be unnecessary.
My issues with 6.4 aside I do have 6.5 on a lab IVE and it is very nice. Love the integration with VMView and ActiveSync.
03-03-2010 05:45 AM
This thread scares the bajeezus out of me.
I've been hanging on to 6.0R7 for dear life. Upgrades are nightmarish for our company but I have to make the leap soon since they are dropping support. When I hear that new versions have the same problems I have, memory leaks and host checker execution issues, I get ill in the stomach region.
03-03-2010 07:52 AM
Haha Jickfoo, I don't think it's that scary... I upgraded my one production SA-2000 last night to 6.5R3.1 and we've had no reported issues, although it's important to note it's only used by a few users hence why it was upgraded first. Tomorrow morning we upgrade our major production SA-4000's from 6.4R4 to 6.5R3.1 so I'll let you know if we encounter any problems... I'm optimistic that Host Checker seems to be upgrading properly for users but tomorrow will tell definitively as I'll have over 200 users logging in, all requiring Host Checker to do so.
As an aside, if you're worried about Host Checker (or other VPN software) not installing / upgrading properly automatically when the user logs in, I recommend creating a /downloads sign in page that lets users log in (without Host Checker or anything) and gives them access to a Share you've set up with the manual installers for each piece of software. This has proven incredibly useful for me during the turbulent 6.4 upgrades and even if 6.5 fixes that (and I pray it does) it's still good to have around.
03-03-2010 07:57 AM
I would love to hear how your upgrade goes. Thanks.
Also your advice about a sign in page with the installers is a great one and I will certainly implement that. Thanks very much for that suggestion.
03-05-2010 11:19 AM - edited 03-05-2010 11:21 AM
Our upgrade went pretty smoothly. Much to my pleasure we had nearly zero issues with Host Checker upgrading (like we did after 6.4 upgrade) so that alone made it worth while. One thing to note that we didn't fully notice until the upgrade-- Juniper changed the way their software asks permission from the end user to install/upgrade/run. Now you'll get a small prompt window that will ask permission to run. Luckily there's an "Always" option too so you can accept it once and forget about it which is nice.
The one major issue we had will most likely not affect most other users since it's specific to Secure Virtual Workspace. For some reason the VPN components (HC, WSAM, etc) are unable to install / upgrade properly if it is done within the SVW environment. For example Host Checker would redownload the "UnifiedSDK.zip" up to 4x everytime SVW was launched. We also found WSAM would fail to operate properly as well in some cases. This only impacted about 10% of our userbase that use SVW, but when you've got a total of about 200 users it's noticable. I just found a workaround for this, and that was to purge Juniper software from the end user's machine and have them reinstall everything through a sign-in URL that didn't use SVW. After that they're perfectly fine. I will note, however, that I cannot say that this is an issue only with 6.5... I'm pretty sure previous versions had this same issue but it just became more obvious of an issue now after the upgrade and us not focusing on Host Checker problems. Pretty sure UnifiedSDK.zip always redownloaded multiple times in SVW in versions past.
So overall I'd call our upgrade to 6.5R3.1 a success, it is already worlds better than 6.4, but the SVW issues muddied what otherwise would have been a very pain free upgrade.
03-05-2010 05:29 PM - edited 03-05-2010 05:35 PM
That popup is a new whitelist security feature. From page 80 of the 6.5 admin guide:
—The admin whitelist file can be modified only by the endpoint administrator. The administrator must use SMS or other mechanism to copy the admin whitelist file to the end-user's system. Admin whitelist files are located in:
%ProgramFiles%\Juniper Networks\Whitelist.txt (Windows)
/usr/local/juniper/whitelist.txt (Macintosh and Linux)
—Users can themselves make the decision to trust an IVE or not. When the user makes a decision to trust an IVE, the IVE gets added to the user whitelist. User whitelist files are located in:
%AppData%\Juniper Networks\Whitelist.txt (Windows)
/~/Library/Application Support/Juniper Networks/whitelist.txt (Macintosh)
By design you won't be able to install anything while inside of a SVW. You'll need to have the software installed before you lanch the SVW session. SVW is a restricted workspace with minimal access. For example: it will not allow you to write to the registry. These restrictions are in place to insure that nothing is left behind after the user logs out of the SVW session.
03-08-2010 08:42 AM
I too found the "new whitelist security feature" after the upgrade. While new features are good it would have been nice if this one had been mentioned in the What's New or Release Notes. Changes that throw up new pop-ups to the users are what generate helpdesk calls so its good to be able to warn the helpdesk/users or as is possible in this case here avoid the new pop up.
Also hiding it in the section IF-MAP section of the Admin Guide didn't help as on first glance this section didn't seem relevant to our set up. It took a bit or searching to find a KB article that pointed to the right section.
03-10-2010 08:18 AM
I have been seeing the security pop that allows you to "Always" allow juniper installs since 6.5r1, so yes if your upgrading from 6.4.anything its new and better than a popup for each component imo.
as far as the Host checker, i only use host checker with a seperate realm for MAC users since they need NC and thats only about 20-30 users and they have had no complaints.
03-11-2010 08:46 AM
cbarcellos-- I understand how SVW works, but I always assumed that it made an exception for the installation/ upgrade of Juniper software. If this is not the case then WHY is it allowed to even be attempted to install? The IVE knows perfectly well that the user is inside of SVW (because Host Checker told it they were) so why doesn't it AT LEAST give a notice that it cannot install the software inside of SVW?
It boggles my mind that such a simple thing would be totally overlooked... if the Juniper client software cannot be correctly installed inside of SVW then why does it try anyway? I can't even begin to count the amount of lost produciton hours because of this undocumented problem... and all because there's no check before it goes to install the software as to whether the user is inside of SVW or not.
As an aside-- I spoke too soon about Host Checker being fixed. We do still have issues with users of various kinds being unable to log in because Host Checker isn't upgrading properly. Often uninstalling Host Checker fixes it but not always.