In addition to using the Cisco VPN client at work we also need to make use of the Juniper Network Connect (JNC) VPN client at times. After struggling to get it working and reading a lot of blog posts, including this one which is important for getting hold of JNC via a browser, I discovered the MadScientist's blog post. Fortunately I discovered that I don't really need his msjnc perl script even though it has helped me a lot. It is however required for proper initialisation/setup of JNC. This post will explain what I have learnt and hopefully it will also help someone else (if not, then I have at least documented it for myself).
After following the blog post I was still unable to get it working, because:
- My computer is behind a proxy through which I am supposed to access the VPN. Unfortunately the blog post does not go into any details regarding proxies.
- When setting up a profile using the msjnc front-end it tries to download an X.509 certificate using the ~/.juniper_networks/getx509certificate.sh script which tries to execute
openssl s_client -connect $1:443 < /dev/null 1>out.txt 2>err.txt
This failed for me, because I am behind a proxy and openssl does not support proxies. The workaround for this was to connect directly to the Internet (using a different network) and then configure a new profile from scratch. Once the certificate is downloaded it can be reused - even when behind a proxy as will be seen later. The certificate is downloaded to ~/.juniper_networks/.cert.<vpn.host>
- I believe there are a few bugs in the msjnc front-end when configuring the VPN proxy server hostname:port pair. Whenever I entered something like 10.0.0.10:8080 it complained that it was not valid. This results in incorrect settings in the ~/.msjnc-profiles.cfg file. I should probably fork the GitHub project and send a patch instead of just complaining :-)
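For the certificate download step that fails behind a proxy, OpenSSL 1.1.0 and later have an s_client -proxy option that tunnels through an HTTP proxy with CONNECT. The sketch below is an added example, not part of the msjnc project or its getx509certificate.sh script; the function names are hypothetical, and it assumes the proxy accepts unauthenticated CONNECT and that DER is the certificate format ncsvc reads.

```shell
#!/bin/sh
# Added example: fetch the VPN server certificate through an HTTP proxy.
# Assumptions: OpenSSL >= 1.1.0 (for s_client -proxy), a proxy that allows
# unauthenticated CONNECT, and DER as the on-disk format (not confirmed by
# the post; compare with a file written by the original script).

# Print the first PEM certificate block (the server's leaf certificate)
# found in `openssl s_client` output read on stdin.
extract_leaf_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# Usage: fetch_cert_via_proxy <vpn.host> <proxy.host> <proxy.port> <outfile>
fetch_cert_via_proxy() {
    vpn_host=$1 proxy_host=$2 proxy_port=$3 out=$4
    tmp=$(mktemp) || return 1
    # </dev/null closes stdin so s_client exits after the handshake.
    openssl s_client -proxy "$proxy_host:$proxy_port" \
        -connect "$vpn_host:443" -servername "$vpn_host" \
        </dev/null 2>/dev/null | extract_leaf_pem >"$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no certificate received from $vpn_host via $proxy_host:$proxy_port" >&2
        rm -f "$tmp"
        return 1
    fi
    # The saved file is what the client will trust later, so print its
    # SHA-256 fingerprint for comparison with a value obtained out of band.
    openssl x509 -in "$tmp" -noout -fingerprint -sha256
    openssl x509 -in "$tmp" -outform DER -out "$out"
    status=$?
    rm -f "$tmp"
    return $status
}
```

Called as fetch_cert_via_proxy <vpn.host> <proxy.host> <proxy.port> ~/.juniper_networks/.cert.<vpn.host>, it writes the file to the path the profile setup would have used.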
After fidgeting a lot I noticed the command that msjnc tries to execute in the ~/.msjnc.log file. I copied+pasted this into a terminal and voila!
When connected directly to the Internet the following command works for me:
~/.juniper_networks/network_connect/ncsvc -h <vpn.host> -u <vpn.username> -r <realm> -P 443 -U https://<vpn.host> -f ~/.juniper_networks/.cert.<vpn.host>
where:
- vpn.host is the hostname or IP of the VPN server
- vpn.username is your username as provided by your "network administrator"
- realm is the realm of the VPN you are connecting to (see the introductory comments of the msjnc script on how to determine your realm)
When behind a proxy the following command works for me:
~/.juniper_networks/network_connect/ncsvc -h <vpn.host> -u <vpn.username> -r <realm> -P 443 -U https://<vpn.host> -y <proxy.host> -z <proxy.port> -d <proxy.domain> -s <proxy.username> -a <proxy.password> -f ~/.juniper_networks/.cert.<vpn.host>
where:
- the above arguments are still valid; and
- proxy.host is your proxy hostname or IP
- proxy.port is your proxy port
- proxy.domain is the Active Directory DOMAIN (I think), such as WORKGROUP
- proxy.username is your proxy username
- proxy.password is your proxy password
What I like about this solution is that once it is set up you do not need to jump through all the Java hoops or even visit your VPN's web site. You can just run the command, type in your password when prompted and then you are connected to the Juniper VPN. You also don't need the msjnc script any more, but I'll keep it around just in case.