This article describes a limitation that users may encounter with Junos Pulse Collaboration when the connection is tunneled with the Junos Pulse client and a proxy server is configured in the client's browser and is required to access Internet resources.
- Junos Pulse Collaboration may not be able to connect to the Meeting server when VPN tunnel connectivity is established with a Junos Pulse desktop, if a proxy server is configured in the client's browser and is required to reach the Internet, and the edge firewalls are configured to deny any outbound traffic that is not proxied.
- Network Connect does not encounter this limitation.
- Traffic that is not intended for the VPN tunnel is forwarded to the proxy server, and access to the Internet is allowed.
This behavior is a functional limitation with Junos Pulse 3.0 or earlier and the Windows proxy API. Pulse 3.1 or later releases have the enhancement and work fine for this scenario.
Junos Pulse 3.1 or later release behavior (introduced enhancement):
Junos Pulse tries to connect directly to the IVE, even when a proxy is configured in the browser settings. If the first attempt fails, it then uses the proxy configuration to connect to the IVE.
Junos Pulse 3.0 or earlier releases behavior (Limitation is present):
Affected Environment:
- Client OS: Windows
- Junos Pulse version: Any
- Browser: Any browser that is configured with a static proxy server or Proxy Auto-Configuration file and the proxy server is required to access the Internet.
- Network specifications: The client network prohibits all outgoing web traffic to the Internet, other than traffic through the proxy.
Root cause:
Proxy settings, such as instantproxy.pac, which are applied after the tunnel connection is established, seem incorrect. The following excerpt is from the Junos Pulse proxy file (instantproxy.pac) after the tunnel is established:
The proxy server is 172.27.11.197 and the IVE address is 172.27.117.174
    function FindClientProxy(url, host) {
        return "PROXY 172.27.11.197:8080";
    }
    function FindServerProxy(url, host) {
        return "DIRECT";
    }
    function FindProxyForURL(url, host) {
        if (shExpMatch(host, "172.27.117.174")) {
            return "DIRECT";
        } else {
            return FindServerProxy(url, host);
        }
    }
The proxy rule for the IVE control connection is set to DIRECT. The browser will then connect to IVE via direct access; the gateway or firewall rule will reject direct access for outside resources.
The following working sample is the instantproxy.pac content created by NC:
    function FindClientProxy(url, host) {
        return "PROXY 172.27.11.197:8080";
    }
    function FindServerProxy(url, host) {
        return "DIRECT";
    }
    function FindProxyForURL(url, host) {
        if (shExpMatch(host, "172.27.117.174")) {
            return "PROXY 172.27.11.197:8080";
        } else {
            return FindServerProxy(url, host);
        }
    }
The proxy rule for the IVE control connection is set to PROXY. The browser will then connect to the IVE via the proxy; your gateway or firewall rule will pass the proxy connection for outside resources. This difference is why Junos Pulse Collaboration does not work in this specific environment.
Workaround:
- Use NC, instead of Junos Pulse.
- Permit the outgoing TCP/443 traffic to IVE in the network.
- Manually modify the proxy contents to use the proxy for the IVE connection.
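To check which route an instantproxy.pac gives the IVE connection, for example after modifying it by hand, the file can be evaluated offline. The following is an added example, not code from the vendor or from Junos Pulse: the helpers `evaluatePac` and `auditPac` are hypothetical names, `shExpMatch` is a minimal stand-in for the browser function, and the two PAC sources are the excerpts shown above.

```javascript
// Added example: evaluate instantproxy.pac text offline and report the route
// it gives the IVE host. PAC sources are the two excerpts from this article.

// Minimal stand-in for the browser's shExpMatch(): '*' and '?' wildcards only.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Run FindProxyForURL from the PAC text with our shExpMatch in scope.
function evaluatePac(pacSource, url, host) {
  const run = new Function(
    "shExpMatch", "url", "host",
    pacSource + "\nreturn FindProxyForURL(url, host);"
  );
  return run(shExpMatch, url, host);
}

// Report the route for the IVE host. goesDirect === true is the failing case
// in the affected environment, where the firewall denies non-proxied traffic.
function auditPac(pacSource, iveHost) {
  const route = evaluatePac(pacSource, "https://" + iveHost + "/", iveHost);
  return { iveHost, route, goesDirect: route.trim() === "DIRECT" };
}

const COMMON = `
function FindClientProxy(url, host) { return "PROXY 172.27.11.197:8080"; }
function FindServerProxy(url, host) { return "DIRECT"; }
`;
const PULSE_PAC = COMMON + `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "172.27.117.174")) { return "DIRECT"; }
  else { return FindServerProxy(url, host); }
}`;
const NC_PAC = COMMON + `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "172.27.117.174")) { return "PROXY 172.27.11.197:8080"; }
  else { return FindServerProxy(url, host); }
}`;

console.log(auditPac(PULSE_PAC, "172.27.117.174"));
console.log(auditPac(NC_PAC, "172.27.117.174"));
```

A manually modified file passes the check when `goesDirect` is `false` for the IVE address.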