About BrutalDismount

I see this with my installation of 1.2. however I do see it being populated correctly on the firewall HIP Match. ... View more

I also have the same problem when using certificates with IPSEC. I have an open case with support for this very issue. No resolution as of yet. I thought it was an MTU issue with the large certificate, but that was not it. We have had to revert to shared secrets on our IPsec gateways until this gets resolved. ... View more

From a PGP perspective I can say that we have had to disable the SSO functionality of it completely and went with a static username and password. We rolled out PGP about a year ago to 1000 laptops and it was nothing but trouble. Most of the issues stemmed from password synchronization when users changed their passwords. We even saw users logged in automatically even when their domain accounts were expired (yikes). We also utilize Junipers UAC Odyssey client on the endpoints as well.  The issues you are facing are most likely related to the GINA that is being used to "SSO" the user login. GP has its own Gina as well as our Odyssey client. I would make sure that your Gina modules are chained properly and that your protocol binding order is proper. You can try PGP support, but I have found that once Symantec bought them, the support is less then steller. ... View more

For certificate authentication you need only create a certificate certificate profile for each use case and add it to the portal config as well as the gateway. If you use AD integrated CA, this is a breeze using auto enrollment. We had this same conundrum for external parties. The solution was to create another issuing/policy CA to our 3 tier architecture. Our information security department also is in charge of the root CA so this was an easy decision. Then we created a vendor portal where external users can access and request a certificate using a customized certsrv page and template. When an external party is done, we just revoke the cert and update the crl/ocsp and they are no longer able to connect. A separate portal is not entirely necessary unless you want complete segmentation. I just use AD groups and portal config to push the appropriate user to the correct gateway, as well as enable "on demand" mode. ... View more

What we are trying to accomplish is to correlate a user with a file block/data filter rules that we have on connections coming from the internet into our DMZ OWA server. Right now it is a manual process; We see a data filter get triggered, then we have to get the source public IP and dig into the OWA IIS logs to see what AD user logged in from that IP. I will probaly increase the included IP ranges slowly to see how the user-agent reacts. It already takes up a healthy amount of memory. ... View more

Indeed that is the problem. How do you differentiate the GP SSL client that fails HIP check, with the IPSec client? From what I know, there is no way for an IPSec client to pass a HIP check or policy match rule.  ... View more

In my environment I added our CAS servers to the User-ID agent config. This takes care of both OWA and MAPI for internal/external users. ... View more

Looks like I solved my own issue. You must utilize the <cookie/> variable to get the continue button to function properly. Perhaps they have not updated the documentation to reflect this. ... View more