The clock is correct.   It's set by NTP.

I think the real issue I have is that I can't get the device to use a proxy server to contact the Entitlement Server.  It's trying to get to the Entitlement Server directly, which it can't do from behind our corporate firewall.

I see, you did say that and I overlooked it.  So, yeah, that's a bit of a problem isn't it.

Besides allowing connectivity, I don't know that you can do anything about that.

Hi Drew,

I'm not much of a DI expert, but does this article help? It discusses your problem (proxy access, offline DI signatures) and has an extra step: KB4838

http://kb.juniper.net/index?page=content&id=KB4838&actp=search&searchid=1233665540431

Regards

Andy

It seems your issue is specifically with enabling your license key. You mentioned that you received your license key. If you have the key string, you can manually enter it into your SSG. Here's an excerpt from ScreenOS Concept & Examples Guides, Fundamentals volume.

3. The Juniper License Management System provides the license key in one of two
ways:

• Download the license key to your computer.

• Receive an email that contains your license key.

4. Install the license key in one of the following ways:

WebUI
  Configuration > Update > ScreenOS/Keys > Select License Key Update
  (Features) > click Browse > select the file with the license key,

  then click Apply.

CLI
  exec license-key <key_num>

Once the license key is enabled then I suspect that you will be able to retrieve your DI signatures.

-Richard

Thanks.  I must have missed that section in my reading.  In the mean time I've managed to connect the device to an open Internet connection and obtain the key that way.  I'll this method when it comes time to renew the key next year.

Once I got the license installed I reconnected the device to our network and was unable to get the signature updates via our proxy.  I set up the proxy address and port correctly, and in a packet capture I caould see the device talking to our proxy server, but it's inital request appeared to be encrypted and the proxy server rejected the query.  It's not a show-stopper because I've been able to load the signature database manually.  But it's gong to be painful keeping it up-to-date if I can't get the automatic updates working.

RE: Manually obtaining subscription license keys.  The procedure described above for generating license keys for ScreenOS devices applies to non-subscription keys.  Subscription (AV, DI, WF, AS) keys work a bit differently. 

Once a subscription Authorization Code and a ScreenOS device serial number is presented to the License Management System (LMS), LMS waits for the device to contact it before it actually generates a subscription key.  The LMS user cannot force a key to be generated.  LMS requires a device to contact it via the internet before it generates a subscription key.   Thus there is no key to be downloaded or emailed, until the device initially contacts LMS requesting a key.  Once LMS does receive this request, the key(s) can be found using the LMS search capability, and then the key(s) can be emailed or downloaded.  This behavior also applies to keys generated as a result of subscription renewals.  LMS must be contacted via the internet before it generates the renewal keys.

As a workaround, the following procedure can be used.  This procedure generates keys with end dates based on active LMS subscription entitlements.  LMS validates the serial number of the device. 

Procedure:

1)  Log on to LMS.

2)  Type in the browser the following URL.  Replace the correct serial number.

 https://www.juniper.net/lcrs/reflex/mylicense.do?serial=<SERIAL_NUMBER> 

3)  If all is correct, the browser will respond with the subscription key(s). 

   a.  Using LMS search capability, these keys are now available to be downloaded or emailed

   b.  Previous subscription keys for the appliance will be archived in LMS.

4)  If there is an error, the browser will display an error condition. 

Error Condition:  The serial# is NOT valid (wrong device# or mistyped)
Internet Explorer shows:  Error 400 – Bad Request message
Firefox shows:  “Invalid Serial Number” message

Error Condition: The serial# is valid but the has NO active or valid entitlements (e.g.., the subscription end dates have passed)
Internet Explorer shows:  Error 500-Internal Server Error message (System Down)  IF YOU RECEIVE THIS ERROR, PLEASE DO NOT CALL REPORTING THE SYSTEM IS DOWN.
Firefox shows:  BLANK browser with NO message