
Connections to Juniper Network Connect VPN failing in Safari 6.1 and Safari 7

Along with Mavericks’ release today, Apple released Safari 7 (included with Mavericks) and Safari 6.1 for Mountain Lion. Both versions of the Safari browser are having issues connecting to my work’s VPN. When connecting to the VPN, it will try to install the Network Connect client software, then fail with the following error:

An error occurred while extracting one of the Network Connect components


Mac OS X 10.6.8 and 10.7.5 do not have Safari 6.1 available as an update as of this time, so connecting to the VPN using Safari on those OSs should be unaffected.

I’ve verified that connecting to the VPN with Firefox 24 works for both 10.8.x and 10.9.x.


For now, it appears that using Firefox to connect to Juniper VPNs is going to be the workaround for this issue until we can get a fix from either Juniper or Apple. Google Chrome is a 32-bit browser, which prevents it from being able to work with Oracle’s 64-bit Java 7.

Based on what I’m seeing, it looks like Safari 6.1 and Safari 7 introduced a new sandbox for browser plug-ins, replacing the previous Java whitelist. At this time, it does not appear that Juniper’s software is able to work with this sandbox.


  1. Drew
    October 23, 2013 at 12:32 am

    Just use the Network Connect app in /Applications and bypass the browser.

  2. Patrick Fergus
    October 23, 2013 at 1:17 am

    Note that Rich’s tests don’t include Juniper’s HostChecker (his institution doesn’t use it), which could complicate things for Firefox.

    • October 23, 2013 at 2:50 am

      Correct, my shop is not using HostChecker so my results may not match everyone’s.

  3. cesar
    October 23, 2013 at 4:40 am

    HostChecker fails to download and install. I’ve had a bug report into Apple since the first preview. And have followed up with a case using our Enterprise Support contract.

    • Cesar
      October 23, 2013 at 10:21 pm

      If anyone is interested in a sample Profile, let me know. If you already use Profiles, adding the following boolean value PlugInRunUnsandboxed to every item for each of your POPS will generate the correct setting.

      • Steve b
        October 23, 2013 at 10:28 pm

        If you have a sample profile, I would very much like a look!

      • Paul Austin
        October 24, 2013 at 12:47 pm

        I would love to see a sample profile as well.

      • Cesar
        October 24, 2013 at 5:28 pm

        DON’T USE THIS AS IS. The UUID and URLS have been masked.

        PayloadIdentifier: com.apple.mdm.FQDN.com.7db58040-1e59-0131-5165-########.alacarte
        PayloadRemovalDisallowed:
        PayloadScope: System
        PayloadType: Configuration
        PayloadUUID: 7db58040-1e59-0131-5165-#######
        PayloadOrganization: Agilent Technologies, Inc.
        PayloadVersion: 1
        PayloadDisplayName: Settings for Safari-VPN
        PayloadContent:
          - PayloadType: com.apple.ManagedClient.preferences
            PayloadVersion: 1
            PayloadIdentifier: com.apple.mdm.FQDN.com.7db58040-1e59-0131-5165-#######.alacarte.customsettings.50ad0ab0-1e5c-0131-5169-482a1458f0a5
            PayloadUUID: 50ad0ab0-1e5c-0131-5169-######
            PayloadEnabled:
            PayloadDisplayName: Custom: (com.apple.Safari)
            PayloadContent:
              com.apple.Safari:
                Forced:
                  - mcx_preference_settings:
                      com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically:
                      ManagedPlugInPolicies:
                        net.juniper.DSSafariExtensions.plugin:
                          PlugInFirstVisitPolicy: PlugInPolicyAllowNoSecurityRestrictions
                        com.oracle.java.JavaAppletPlugin:
                          PlugInHostnamePolicies:
                            - PlugInPageURL: https://FQDN.com/dar2
                              PlugInHostname: FQDN.com
                              PlugInRunUnsandboxed:
                              PlugInPolicy: PlugInPolicyAllowNoSecurityRestrictions
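
Added example, not part of Cesar's comment or the original post: a profile like the one above switches off Safari's plug-in sandbox for whatever it lists, so it is worth auditing exactly which plug-ins and hosts a profile exempts before deploying it. The function names, the `example.com` hosts and the boolean values are constructed for this sketch; it assumes an unsigned profile and treats `PlugInFirstVisitPolicy` as the default for sites without their own entry.

```python
import plistlib
UNRESTRICTED = "PlugInPolicyAllowNoSecurityRestrictions"
# Constructed sample: key layout taken from the profile in the comment above;
# host names and boolean values are placeholders chosen for this example.
POLICIES = {
    "net.juniper.DSSafariExtensions.plugin": {
        "PlugInFirstVisitPolicy": UNRESTRICTED},
    "com.oracle.java.JavaAppletPlugin": {"PlugInHostnamePolicies": [
        {"PlugInHostname": "vpn.example.com", "PlugInRunUnsandboxed": True,
         "PlugInPolicy": UNRESTRICTED},
        {"PlugInHostname": "intranet.example.com",
         "PlugInRunUnsandboxed": False}]},
}
SAMPLE = {"PayloadContent": [{
    "PayloadType": "com.apple.ManagedClient.preferences",
    "PayloadContent": {"com.apple.Safari": {"Forced": [
        {"mcx_preference_settings": {"ManagedPlugInPolicies": POLICIES}}]}},
}]}
SAMPLE_BYTES = plistlib.dumps(SAMPLE)  # serialized the way a profile is stored

def find_plugin_policies(node):
    """Yield every ManagedPlugInPolicies dict nested anywhere in the profile."""
    if isinstance(node, dict):
        if isinstance(node.get("ManagedPlugInPolicies"), dict):
            yield node["ManagedPlugInPolicies"]
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from find_plugin_policies(item)

def audit_profile(raw):
    """Return sorted (plugin, host, reason) tuples for relaxed plug-in settings."""
    findings = []
    for policies in find_plugin_policies(plistlib.loads(raw)):
        for plugin, cfg in policies.items():
            if cfg.get("PlugInFirstVisitPolicy") == UNRESTRICTED:
                # "*" marks a setting that is not limited to one host
                findings.append((plugin, "*", "first-visit policy unrestricted"))
            for host in cfg.get("PlugInHostnamePolicies", []):
                name = host.get("PlugInHostname", "?")
                if host.get("PlugInRunUnsandboxed") is True:
                    findings.append((plugin, name, "runs unsandboxed"))
                elif host.get("PlugInPolicy") == UNRESTRICTED:
                    findings.append((plugin, name, "policy unrestricted"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_profile(SAMPLE_BYTES), sep="\n")
```

A finding with host `*` is broader than a per-host entry and deserves the closest look.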

  4. vef445
    October 23, 2013 at 11:19 am

    Same problem here, and Firefox won’t do the trick (host checker). Please let us know if any update or work-around. Thanks! 🙂

  5. statik
    October 23, 2013 at 12:31 pm

    Setting it to run in “unsafe mode” worked for me.

  6. vef445
    October 23, 2013 at 1:47 pm

    statik :
    Setting it to run in “unsafe mode” worked for me.

    Could you please give more details? Where do you set this up?
    Thanks

    • vef445
      October 23, 2013 at 1:51 pm

      Just found it! It works! Thanks Statik. 😉

      • johngregory
        October 23, 2013 at 3:49 pm

        where is that setting for unsafe mode? thanks.

      • Paul Austin
        October 23, 2013 at 6:42 pm

        Where did you find the setting?????

      • Liam
        October 23, 2013 at 7:59 pm

        I am also trying to find this setting, thanks!

    • October 24, 2013 at 1:00 pm

      Safari->Preferences->Security tab
      “Manage Website Settings…” button in the bottom right
      Highlight “Java” from the list.
      Add your VPN site
      Click the popup menu and select “Run in Unsafe Mode”

      • Mike
        January 3, 2014 at 5:23 am

        @eholtam – thanks very much, this worked for me on Mountain Lion with Safari 6.1.1. Mike

  7. October 23, 2013 at 4:08 pm

    Tried to enable the Firewall (http://osxdaily.com/2010/03/12/how-to-enable-the-firewall-in-mac-os-x/). It worked for me (host checker). 🙂

  8. JSC
    October 23, 2013 at 4:25 pm

    Uninstalling Java 7 and using Apple Java worked for me.

  9. Bajankinch
    October 23, 2013 at 7:59 pm

    Unsafe mode worked for me as well. Thanks Rich!

  10. CarPag
    October 23, 2013 at 8:08 pm

    what is unsafe mode

  11. Wei
    October 23, 2013 at 8:14 pm

    Paul Austin :
    Where did you find the setting?????

    Safari -> Preferences -> Security -> Java. In the dropdown list, select “Run in unsafe mode” for the website you want to use the Java plugin.

    • Steve b
      October 23, 2013 at 10:29 pm

      We tried this- unsafe mode for Java for the juniper URL – did not resolve the issue.

  12. Liam
    • CarPag
      October 23, 2013 at 11:32 pm

      This one did the trick for me

  13. JayM
    October 24, 2013 at 1:09 am

    Anyone else having issues after Network Connect is running for a little while it stops forwarding packets?

    Looks like it is related to the fact that we don’t allow Split Tunneling and the client is unable to update the routing table now for some reason. I’ve tried running it with “sudo open Network\ Connect.app” and remove all extended attributes from it… turning off the safety mechanisms in System Preferences->Security->Anywhere… can’t think of anything else and am assuming that Mavericks changes the way the routing table is updated.

    I REALLY cannot believe Juniper hasn’t released a client that works based on the Mavericks developer releases over the past few months. Though looking around, my company is running 7.1 and not 7.4r4 that came out back in August… wonder if it works with that one and is just easier for our security guys to let Juniper take the blame for their not upgrading.

    • JayM
      October 24, 2013 at 1:42 pm

      Nope, definitely not our security guys. Our hardware can’t run 7.4r4 and beyond that more searching last night… 7.4r4 doesn’t help the problems either. Juniper just doesn’t seem to know how to play in the Desktop/Mobile spaces where operating systems have a dev trial period which is when they have to release fixes so that on shipping day everything just works for the end users.

    • vef445
      October 29, 2013 at 6:54 am

      Same here, it works, as long as we don’t need to update the routing table, which means disconnection after a few minutes :/

  14. joost
    October 24, 2013 at 3:01 am

    You need to enable the Apple Java. Use a terminal and type these commands:

    sudo mkdir -p /Library/Internet\ Plug-Ins/disabled

    sudo mv /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin /Library/Internet\ Plug-Ins/disabled

    sudo ln -sf /System/Library/Java/Support/Deploy.bundle/Contents/Resources/JavaPlugin2_NPAPI.plugin /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin

    sudo ln -sf /System/Library/Frameworks/JavaVM.framework/Commands/javaws /usr/bin/javaws

    • JSC
      October 24, 2013 at 8:24 am

      Worked fine for me with Safari 6.1 / Mountain Lion, but for whatever reason not with Mavericks. “Unsafe Mode” finally did it.

  15. Josh
    October 24, 2013 at 4:10 pm

    Rich, I’ve got an MCX setup in Casper that fixes this for Safari (over at JAMFNation).
    https://jamfnation.jamfsoftware.com/discussion.html?id=8789

  16. myself
    October 25, 2013 at 7:22 am

    Unsafe mode works for me as well, but when installing Network connect, the progress bar stops at “Getting Authentication”, even though I enter my password…

    anyone?

    • December 30, 2013 at 7:46 pm

      Raj’s suggestion below will fix this – it looks like the java app is unable to untar the installation binaries from the /tmp folder. Run this after the attempted download/install fails:

      sudo tar -C / -xvf /tmp/NetworkConnectBinaries.pax

  17. John Wolf
    October 28, 2013 at 4:52 pm

    I just went through connecting to our Juniper VPN on an out of the box Mavericks Retina Laptop. Found out a few things…

    I could get past Host Checker in Safari by setting our vpn URL to “Always Allow” and Unsafe Mode, and that made Host Checker happy.

    Then, I could not get Network Connect to install.

    Oddly, after installing Java 6 (as well as Java 7), Network connect installed without a hitch, and I got a connection.

    We are using Network Connect 7.3.5. The only thing I notice is that disconnect icon is missing from Network Connect, but you can still click in that area.

  18. October 29, 2013 at 6:37 pm

    THANK YOU! My entire division thanks you.

  19. vef445
    October 30, 2013 at 6:14 am
    • JayM
      October 30, 2013 at 2:00 pm

      They do not acknowledge the problem that vef445 and I are experiencing. December?!? Really?!? That is pretty crazy… first developer release in June. Six months later you promise to make it work, but only on a revision that requires new hardware for many folks. And this is the 3rd or 4th time with Mac OSX (which captures more than 50% market share in many corporations now) and Juniper has done the same thing on iOS releases at least twice if not more. Does not speak well for their abilities to deliver.

  20. Raj
    November 13, 2013 at 9:56 pm

    In addition to “unsafe mode”, I had to do the following manually as the script was stuck installing..

    $ sudo tar -C / -xvf /tmp/NetworkConnectBinaries.pax

    After this, restarted the connection and now the applet came up.

  21. Adnan Riaz
    November 14, 2013 at 10:27 pm

    I can run Network Connect fine, but after 5-10 minutes it stops routing packets, I have to sign out and sign in again. Anyone else having this issue?

    • Delia
      January 7, 2014 at 10:57 am

      I have the same problem. Do you have any solution yet?
      Thank you from Madrid, Spain

    • delia
      January 16, 2014 at 8:27 am

      I have updated my Java to Java 7 51, and now I have many more problems because I cannot connect to anything. I couldn’t try your script.

      Java Plugin 10.51.2.13
      Usando versión de JRE 1.7.0_51-b13 Java HotSpot(TM) 64-Bit Server VM
      Directorio de inicio del usuario = /Users/…

      Missing Application-Name manifest attribute for: https://…es/dana-cached/sc/JuniperSetupClientApplet.osx.jar

    • Delia
      January 22, 2014 at 9:49 am

      Thank you very much, I have solved my problem today. Now it is working perfectly, I have modified security Java, and then I have tried your script and now it is working almost two hours without stop!

      • Adnan Riaz
        January 22, 2014 at 11:45 pm

        That is great! Can you please leave a comment on my blogs site?

  22. Chriss4242
    November 26, 2013 at 12:36 am

    Raj :
    In addition to “unsafe mode”, I had to do the following manually as the script was stuck installing..
    $ sudo tar -C / -xvf /tmp/NetworkConnectBinaries.pax
    After this, restarted the connection and now the applet came up.

    I found Network Connect was not installing either. So I also tried “sudo tar -C / -xvf /tmp/NetworkConnectBinaries.pax”. This got further to the point where it complained about Java 6 not being installed. It prompted to install which I let it install and all came up good.

    I suspect installing Java 6 up front may have removed the need to manually extract the package with tar, but I don’t have another out of box mac to test with. We are using Network Connect 7.4.4

  23. January 11, 2014 at 12:48 am

    !!!!!!!!!

    My buddy co-worker Steve got it working!

    On the VPN Webpage go to PREFERENCES > APPLICATION and Uninstall Network Connect Components!

    Also Preferences > Advanced and remove Cookies

    Steve you are the next Jobs man!

    The only thing we can guess is that the install package was in there still but corrupted and that was the only way to remove!

    !!!!!!!!!!

  24. February 4, 2014 at 4:20 pm

    I wanted to know if anyone knows how to inject these settings into safari via command line, because I need to do this on around 300 mac os x boxes. =)

  25. February 14, 2014 at 6:54 pm

    I’ve had several issues using the Juniper application on MAC and here are the settings and steps I find that will usually resolve almost any Juniper network Issue
    Install the latest version of Java

    Open Java control panel from system preferences go to the security tab edit the secure sites list and include the URL for your VPN.

    Now open safari and go to your VPN website
    Open the Safari preferences go to security tab and select the VPN website. Change the settings to allow all and run in unsafe mode

    Now download the Network connect application http://library.wheatoncollege.edu/technology/junipermac.dmg

    Connect to VPN and all issues should be resolved.

    This is basically a perfectly clean installation in my opinion, so if you already have Network Connect installed be sure to remove it from programs beforehand.

    Hope this helps

  26. stutz
    June 13, 2014 at 6:24 pm

    Have your company look into Junos Pulse for Mac (made by Juniper). That’s what our solution was. Works on 10.7-10.9 and it’s a lot better than Network Connect and you don’t need Oracle Java installed to run it.

  27. Hen solomon
    November 15, 2014 at 4:14 pm

    Hi, managed to connect with VPN and all works fine except a very weird issue. I can access only the company server but can’t access the Internet via Safari, while with Firefox I can access the Internet. It asks me to trust the site or something like that but after clicking trust it works no issue. Company proxy is set well. Any idea why Firefox accesses the Internet and Safari does not? (Without VPN Safari works no issues) Thanks!

  28. Rakesh Nair
    February 23, 2017 at 8:46 am

    Hi,
    I am unable to connect to my office network through Juniper Network Connect. Previously I was using that, but suddenly it stopped and my IT team tried their level best. They have reinstalled also. But Acting going through Host check for 5 min, it is getting timed out. I am using V8.0, I am able to connect from my colleagues VPN client but. What might be the reason?
