Connections to Juniper Network Connect VPN failing in Safari 6.1 and Safari 7
Along with Mavericks' release today, Apple released Safari 7 (included with Mavericks) and Safari 6.1 for Mountain Lion. Both versions of the Safari browser are having issues connecting to my work’s VPN. When connecting to the VPN, it will try to install the Network Connect client software then fail with the following error:
An error occurred while extracting one of the Network Connect components
Mac OS X 10.6.8 and 10.7.5 do not have Safari 6.1 available as an update as of this time, so connecting to the VPN using Safari on those OSs should be unaffected.
I’ve verified that connecting to the VPN with Firefox 24 works for both 10.8.x and 10.9.x.
For now, it appears that using Firefox to connect to Juniper VPNs is going to be the workaround for this issue until we can get a fix from either Juniper or Apple. Google Chrome is a 32-bit browser, which prevents it from being able to work with Oracle’s 64-bit Java 7.
Based on what I’m seeing, it looks like Safari 6.1 and Safari 7 introduced a new sandbox for browser plug-ins, replacing the previous Java whitelist. At this time, it does not appear that Juniper’s software is able to work with this sandbox.
Just use the Network Connect app in /Applications and bypass the browser.
Note that Rich’s tests don’t include Juniper’s HostChecker (his institution doesn’t use it), which could complicate things for Firefox.
Correct, my shop is not using HostChecker so my results may not match everyone’s.
HostChecker fails to download and install. I’ve had a bug report into Apple since the first preview. And have followed up with a case using our Enterprise Support contract.
If anyone is interested in a sample Profile, let me know. If you already use Profiles adding the following boolean value PlugInRunUnsandboxed to every item for each of your POPS will generate the correct setting.
If you have a sample profile, I would very much like a look!
I would love to see a sample profile as well.
DON’T USE THIS AS IS. The UUID and URLS have been masked.
PayloadIdentifier: com.apple.mdm.FQDN.com.7db58040-1e59-0131-5165-########.alacarte
PayloadRemovalDisallowed
PayloadScope: System
PayloadType: Configuration
PayloadUUID: 7db58040-1e59-0131-5165-#######
PayloadOrganization: Agilent Technologies, Inc.
PayloadVersion: 1
PayloadDisplayName: Settings for Safari-VPN
PayloadContent
  PayloadType: com.apple.ManagedClient.preferences
  PayloadVersion: 1
  PayloadIdentifier: com.apple.mdm.FQDN.com.7db58040-1e59-0131-5165-#######.alacarte.customsettings.50ad0ab0-1e5c-0131-5169-482a1458f0a5
  PayloadUUID: 50ad0ab0-1e5c-0131-5169-######
  PayloadEnabled
  PayloadDisplayName: Custom: (com.apple.Safari)
  PayloadContent
    com.apple.Safari
      Forced
        mcx_preference_settings
          com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically
          ManagedPlugInPolicies
            net.juniper.DSSafariExtensions.plugin
              PlugInFirstVisitPolicy: PlugInPolicyAllowNoSecurityRestrictions
            com.oracle.java.JavaAppletPlugin
              PlugInHostnamePolicies
                PlugInPageURL: https://FQDN.com/dar2
                PlugInHostname: FQDN.com
                PlugInRunUnsandboxed
                PlugInPolicy: PlugInPolicyAllowNoSecurityRestrictions
Same problem here, and Firefox won’t do the trick (host checker). Please let us know if any update or work-around. Thanks! 🙂
Setting it to run in “unsafe mode” worked for me.
Could you please give more details? Where do you set this up?
Thanks
Just found it! It works! Thanks Statik. 😉
where is that setting for unsafe mode? thanks.
Where did you find the setting?????
I am also trying to find this setting, thanks!
Safari->Preferences->Security tab
“Manage Website Settings…” button in the bottom right
Highlight “Java” from the list.
Add your VPN site
Click the popup menu and select “Run in Unsafe Mode”
@eholtam – thanks very much, this worked for me on Mountain Lion with Safari 6.1.1. Mike
Tried to enable the Firewall (http://osxdaily.com/2010/03/12/how-to-enable-the-firewall-in-mac-os-x/). It worked for me (host checker). 🙂
Uninstalling Java 7 and using Apple Java worked for me.
Unsafe mode worked for me as well. Thanks Rich!
what is unsafe mode
Safari -> Preference -> Security -> Java. In the dropdown list, select “Run in unsafe mode” for the website you want use Java plugin.
We tried this- unsafe mode for Java for the juniper URL – did not resolve the issue.
Run in unsafe mode: http://helpx.adobe.com/flash-player/kb/removing-sandbox-restrictions-your-safari.html
This one did the trick for me
Anyone else having issues after Network Connect is running for a little while it stops forwarding packets?
Looks like it is related to the fact that we don’t allow Split Tunneling and the client is unable to update the routing table now for some reason. I’ve tried running it with “sudo open Network\ Connect.app” and remove all extended attributes from it… turning off the safety mechanisms in System Preferences->Security->Anywhere… can’t think of anything else and am assuming that Mavericks changes the way the routing table is updated.
I REALLY cannot believe Juniper hasn’t released a client that works based on the Mavericks developer releases over the past few months. Though looking around, my company is running 7.1 and not 7.4r4 that came out back in August… wonder if it works with that one and is just easier for our security guys to let Juniper take the blame for their not upgrading.
Nope, definitely not our security guys. Our hardware can’t run 7.4r4 and beyond that more searching last night… 7.4r4 doesn’t help the problems either. Juniper just doesn’t seem to know how to play in the Desktop/Mobile spaces where operating systems have a dev trial period which is when they have to release fixes so that on shipping day everything just works for the end users.
Same here, it works, as long as we don’t need to update the routing table, which means disconnection after a few minutes
You need to enable the Apple Java. Use a terminal and type these commands:
sudo mkdir -p /Library/Internet\ Plug-Ins/disabled
sudo mv /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin /Library/Internet\ Plug-Ins/disabled
sudo ln -sf /System/Library/Java/Support/Deploy.bundle/Contents/Resources/JavaPlugin2_NPAPI.plugin /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin
sudo ln -sf /System/Library/Frameworks/JavaVM.framework/Commands/javaws /usr/bin/javaws
Worked fine for me with Safari 6.1 / Mountain Lion, but for whatever reason not with Mavericks. “Unsafe Mode” finally did it.
Rich, I’ve got an MCX setup in Casper that fixes this for Safari (over at JAMFNation).
https://jamfnation.jamfsoftware.com/discussion.html?id=8789
Unsafe mode works for me as well, but when installing Network connect, the progress bar stops at “Getting Authentication”, even though I enter my password…
anyone?
Raj’s suggestion below will fix this – it looks like the java app is unable to untar the installation binaries from the /tmp folder. Run this after the attempted download/install fails:
sudo tar -C / -xvf /tmp/NetworkConnectBinaries.pax
I just went through connecting to our Juniper VPN on an out of the box Mavericks Retina Laptop. Found out a few things…
I could get past Host Checker in Safari by setting our vpn URL to “Always Allow” and Unsafe Mode, and that made Host Checker happy.
Then, I could not get Network Connect to install.
Oddly, after installing Java 6 (as well as Java 7), Network connect installed without a hitch, and I got a connection.
We are using Network Connect 7.3.5. The only thing I notice is that disconnect icon is missing from Network Connect, but you can still click in that area.
THANK YOU! My entire division thanks you.
Just for your information: http://kb.juniper.net/InfoCenter/index?page=content&id=kb28278
They do not acknowledge the problem that vef445 and I are experiencing. December?!? Really?!? That is pretty crazy… first developer release in June. Six months later you promise to make it work, but only on a revision that requires new hardware for many folks. And this is the 3rd or 4th time with Mac OSX (which captures more than 50% market share in many corporations now) and Juniper has done the same thing on iOS releases at least twice if not more. Does not speak well for their abilities to deliver.
In addition to “unsafe mode”, I had to do the following manually as the script was stuck installing..
$ sudo tar -C / -xvf /tmp/NetworkConnectBinaries.pax
After this, restarted the connection and now the applet came up.
I can run Network Connect fine, but after 5-10 minutes it stops routing packets, I have to sign out and sign in again. Anyone else having this issue?
I have same problem. Do you have any solution yet?
Thank you from Madrid, Spain
I wrote a script on my own to fix it:
http://blogs.danosaab.com/?p=1
Let me know if it works for you too.
I have updated my Java to Java 7 51. and now I have much more problems because I cannot connect anything. I couldn’t try your script.
Java Plugin 10.51.2.13
Usando versión de JRE 1.7.0_51-b13 Java HotSpot(TM) 64-Bit Server VM
Directorio de inicio del usuario = /Users/…
…
Missing Application-Name manifest attribute for: https://…es/dana-cached/sc/JuniperSetupClientApplet.osx.jar
look at this article… https://derflounder.wordpress.com/2014/01/16/managing-oracles-java-exception-site-list/
Thank you very much, I have solved my problem today. Now it is working perfectly, I have modified security Java, and then I have tried your script and now it is working almost two hours without stop!
That is great! Can you please leave a comment on my blogs site?
I found Network Connect was not installing either. So I also tried “sudo tar -C / -xvf /tmp/NetworkConnectBinaries.pax”. This got further to the point where it complained about Java 6 not being installed. It prompted to install which I let it install and all came up good.
I suspect installing Java 6 up front may have removed the need to manually extract the package with tar, but I don’t have another out of box mac to test with. We are using Network Connect 7.4.4
!!!!!!!!!
My buddy co-worker Steve got it working!
On the VPN Webpage go to PREFERENCES > APPLICATION and Uninstall Network Connect Components!
Also Preferences > Advanced and remove Cookies
Steve you are the next Jobs man!
The only thing we can guess is that the install package was in there still but corrupted and that was the only way to remove!
!!!!!!!!!!
I wanted to know if anyone knows how to inject these settings into safari via command line, because I need to do this on around 300 mac os x boxes. =)
I’ve had several issues using the Juniper application on MAC and here are the settings and steps I find that will usually resolve almost any Juniper network Issue
Install the latest version of Java
Open Java control panel from system preferences go to the security tab edit the secure sites list and include the URL for your VPN.
Now open safari and go to your VPN website
Open the Safari preferences go to security tab and select the VPN website. Change the settings to allow all and run in unsafe mode
Now download the Network connect application http://library.wheatoncollege.edu/technology/junipermac.dmg
Connect to VPN and all issues should be resolved.
This is basically a perfectly clean installation in my opinion so if you already have network connect installed be sure to remove from programs before hand.
Hope this helps
Have your company look into Junos Pulse for Mac (made by Juniper). That’s what our solution was. Works on 10.7-10.9 and it’s a lot better than network connect and you don’t need Oracle Java installed to run it.
Hi, managed to connect with VPN and all works fine except a very weird issue. I can access only the company server but can’t access the Internet via Safari while with Firefox I can access the Internet. It asks me to trust the site or something like that but after clicking trust it works no issue. Company proxy is set well. Any idea why Firefox access the Internet and Safari not? (Without VPN safari works no issues) thanks!
Hi,
I am unable to connect to my office network through Juniper Network Connect. Previously I was using that, but suddenly it stopped and my IT team tried their level best. They have reinstalled also. But Acting going through Host check for 5 min, it is getting timed out. I am using V8.0, I am able to connect from my colleague’s VPN client but. What might be the reason?