Unable to reach resources via Per-App VPN; User access logs state “Request to connect to XXX.XX.XXX.XXX port XX permission denied”

After Per-App VPN is configured, end users are unable to reach resources through it. In the administrator console, the user access log may state “Request to connect to XXX.XX.XXX.XXX port XX permission denied”.

End users are unable to reach any resource through Per-App VPN. In the user access logs, the administrator may see the following message:
Request to connect to XXX.XX.XXX.XXX port XX permission denied

This issue occurs when one or more of the following conditions are met:

  • Secure Application Manager is not enabled on the corresponding role
  • No matching SAM ACLs are configured for the corresponding role

Per-App VPN leverages WSAM technology from the Junos Pulse Secure Access gateway. To resolve this issue, perform the following steps:
1. Log in to the admin web interface
2. Navigate to Users > User Roles > <NAME OF USER ROLE>
3. Check the box for Secure Application Manager
4. Select the radio button for Windows version

5. Navigate to Users > Resource Policies > SAM > Access Control
6. Click New Policy

7. In the Resources field, enter all domain names or IP addresses required for the Per-App VPN access
8. Select Policy applies to SELECTED roles
9. From the Available role list, select the corresponding user role
10. Click Add
11. Select the radio button for Allow socket access
12. Click Save Changes

About the author

James Palmer
