FAQ – SA SSL VPN client component deployment

This article reviews frequently asked questions (FAQs) and useful information for those who either install, uninstall, or upgrade Junos Pulse or Secure Access (SA) legacy client components on client machines, and who may or may not have administrator permissions or privileges for their system.

What should I know when installing, uninstalling, or upgrading Junos Pulse or Secure Access (SA) legacy client components on client machines for users with and without administrative permissions or privileges for their system?

This FAQ is organized by:

  • Junos Pulse client
  • SSL VPN Legacy client
  • JIS

Junos Pulse client  

1.What are the methods which I can use to deploy Junos Pulse on desktops? 

  • Web install
  • Standalone application installer (Default)
  • Standalone application installer (Preconfigured)

2.Is there a recommended method for installing or upgrading Junos Pulse?
There are benefits and disadvantages to all three methods when you are installing Junos Pulse for the first time. We recommend that you choose whatever option best suites your organization’s needs. See the following documentation for more information:
Junos Pulse Administration Guide Chapter 7: Deploying Junos Pulse Client Software

However, when you are upgrading Junos Pulse, we recommend that all upgrades be performed by connecting directly via Junos Pulse rather than using the Web install method. Any additional components which may have been installed on a Pulse client may not get upgraded if the default component set on the role is configured to install “No components” or “Minimal components.” The “Minimal components” option will only upgrade components needed to support selected configuration.

3.How can I enable or disable Junos Pulse install or upgrade from the Secure Access (SA) gateway?
In the SA Admin Console select Maintenance > System > Options: Enable web installation and automatic upgrade of Junos Pulse Clients to allow the Junos Pulse client to receive install or upgrade prompts from the Secure Access (SA) appliance. This will be the case regardless if Junos Pulse is launched by connecting directly via Junos Pulse or if a web browser is used to launch Junos Pulse. If this option is disabled, then you will not be able to receive install or upgrade prompts from the Secure Access(SA) appliance to the Junos Pulse client even if the web browser was not used to launch it.

NOTE: A bound endpoint receives connection set options and connections from its binding server, but it can have its Pulse client software upgraded from any Pulse server that has the automatic upgrade option enabled. During a client software upgrade, the client loses network connectivity temporarily as the driver is upgraded

4.Are administrator privileges required to install, un-install, or upgrade Junos Pulse?
Yes, administrator privileges are required for the initial install or un-installations of Junos Pulse on Windows and Mac OS. However, the Juniper Installer Service(JIS) is built-in component for Junos Pulse on Windows by default and will be used for subsequent upgrades when you connect to Pulse directly or from the web. The built-in Juniper Installer Service(JIS) is not available for Junos Pulse on Mac OS, so administrator privileges will be required for the initial install, as well as for un-install and subsequent upgrades.

SSL VPN Legacy client

1.What are the methods which I can use to deploy the legacy SA SSL VPN client components?

  • Web install
  • Standalone application installer

2.Is there a recommended method for installing or upgrading legacy clients?
There are benefits and disadvantages to both methods. We recommend that you choose whatever option best suites your organization’s needs. See the following documentation for more information:
Junos Pulse Secure Access Service Administration Guide Part 4: Remote Access and Part 5, Chapter 29: General System Management under “Downloading Application Installers”

3.How can I deploy SA SSL VPN client components using the standalone application installers?

  • Distribute the file to client machines using software distribution tools. This option enables you to install an application or service on client machines whose users do not have administrator privileges or permissions, which privilieges are required to install the application or service.
  • Post the executable in a secure repository so that users with the proper administrator rights may download and install the appropriate version.
  • Download and execute a script that automatically retrieves the proper version of the installer from an FTP server.

4.Are administrator privileges required to install, un-install, or upgrade the legacy SA SSL VPN client components?
This depends on the component in question.

JIS (Juniper Installer Service)

1.What is the JIS, and what is the benefit of using it?
The standalone JIS client is available as standalone installer and is also included by default as a built-in component for Junos Pulse for Windows. The JIS standalone client will be invoked for both the legacy SA SSL VPN clients and the initial install of Junos Pulse on Windows. However, Junos Pulse invokes its own built-in JIS component for subsequent upgrades, so the JIS standalone client install is not required. Once the Juniper Installer Service is installed using admin privileges, users can download, install, upgrade, and run Juniper client-side components on Windows machines as restricted users.

2.How does JIS work?
In order to perform tasks that require administrator privileges, the Juniper Installer Service runs under the client’s Local System account, which is a powerful account with full access to the system, and registers itself with Windows’ Service Control Manager (SCM). The service starts automatically on install and during client system start up.

3.Will JIS be invoked when I install, uninstall, or upgrade the standalone application installers?
No, JIS will only be invoked when you attempt to install or uninstall a SA SSL VPN client component from the Web. This is because JIS standalone client can only be invoked by an Active-X control or a Java applet running inside the user’s Web browser. The Active-X control or Java applet communicates the details of the installation processes to be performed through a secure channel between the SA Series Appliance and the client system.

4.How can I uninstall SSL VPN client components from the Web when JIS is installed?
Login to the Web as a user, select Preferences from the user toolbar, if enabled. Applications available for un-installation will be listed under the Applications tab.

5.What is required in order to install JIS?

  • Administrator privileges are required to install the Juniper Installer Service. For additional information, see the Client Side Changes Guide listed under the software release at Secure Access (SA) / SSL VPN Documentation & Software .
  • Ensure the Microsoft Windows Installer exists on the client system prior to installing the Juniper Installer Service.
  • The end users’ client systems must contain either a valid and enabled Java Runtime Engine (JRE) or a current SA Series Appliance ActiveX control. If the client systems do not contain either of these software components, the end user will be unable to connect to the gateway. If there is no JRE on the end users’ client systems, download an appropriate installer package from Maintenance > System > Installers.

6.Where can I download the standalone application installers?
You can download the specific application(s) and/or JIS from in the SA Admin Console (Maintenance > System > Installers).

About the author

Prasanna

Leave a Comment