Copyright  2014, Juniper Networks, Inc.
1 
Junos Pulse Secure Access Service 
Release Notes 
8.0 R4 Build 31069 
May 2014 
Revision 01 
Contents   
Introduction......................................................................................................................... 2 
Interoperability and Supported Platforms ............................................................................ 2 
Problems Resolved in this release ..................................................................................... 2 
Problems Resolved 8.0R3.2 release .................................................................................. 5 
Problems Resolved in 8.0R3.1 ........................................................................................... 5 
Problems Resolved in 8.0R3 .............................................................................................. 5 
Known Issues in 8.0R3 ....................................................................................................... 6 
Problems Resolved in 8.0R2 .............................................................................................. 7 
Known Issues in 8.0R2 ....................................................................................................... 9 
Junos Pulse 5.0R3 New Features ...................................................................................... 9 
SRX Dynamic VPN Connections for Junos Pulse for Mac ....................................... 9 
Configuring a Junos Pulse Credential Provider Connection for Password or Smart 
Card Login ............................................................................................................ 10 
Updated NDIS Support.......................................................................................... 13 
Documentation ................................................................................................................. 13 
Documentation Feedback ................................................................................................. 13 
Technical Support ............................................................................................................ 13 
Revision History ............................................................................................................... 13 
   
 
Junos Pulse Secure Access Service Release Notes 8.0R3       
 
2     Copyright  2014, Juniper Networks, Inc. 
Introduction 
These release notes contain information about new features, software issues that have been resolved and new 
software issues. If the information in the release notes differs from the information found in the documentation set, 
follow the release notes. 
This is an incremental release notes describing the changes made from 8.0R1 release to 8.0R3. The 8.0R1 release 
notes still apply except for the changes mentioned in this document. Please refer to 8.0R1 release notes for the 
complete version. 
 
NOTE: This Junos Pulse maintenance release introduces new features. These new 
features are documented in this document. 
Interoperability and Supported Platforms 
Please refer to the Junos Pulse 8.0R3 Supported Platforms Guide for supported versions of browsers and operating 
systems in this release. 
Problems Resolved in this release 
Table 4 describes issues that are resolved when you upgrade.  
Table 1  Resolved in This Release 
Problem Report 
Number 
Description 
960853  JSAM upload log feature is not working with Java 7 update 51. 
962767 
Network Connect Client Check option on the client may be initialized 
erroneously 
973499 
Network Connect Auto Uninstall is not working when JIS is installed on a 
Windows workstation. 
977550 
Server side process for IKE (dsagentd) crashes when IKEv2 client connects 
over a network with packet loss and delays. 
        
Copyright  2014, Juniper Networks, Inc.     3 
951935 
Windows Mobile 6.1 users fail to connect to resources over WSAM when 
AES-128 and SSL Acceleration are enabled on the SA. 
979567 
Web process may not disconnect correctly and cause client connections to 
fail. 
959061 
 
When Administrator creates a new patch assessment policy the following 
warning is displayed on Admin UI "Patch Assessment functionality will be 
deprecated and a similar feature called Patch Management will be 
introduced in an upcoming release. Please refer to PSN at 
http://kb.juniper.net/TSB16374 for more details." 
 
913784 
If Host Checker is enforced on the role and the user failed policy evaluation 
for a policy with custom instructions enabled, but left blank, Pulse will report 
Server has not received any information for this policy 
958117  Users are unable to create Junos Pulse Collaboration meeting. 
965888 
Pulse is unable to run session start/stop scripts from a network share 
accessible through the tunnel. 
955023 
If a client has IPv6 enabled, a machine on the same network may be able to 
reach the local IP despite the tunnel policy being set to enable traffic 
enforcement and disable split tunneling 
949672 
New PIN mode against an ACE server may cause the Radius process to 
crash 
979853  Console login may fail for admin users with console access enabled. 
927473 
If license communication is configured for the external or management port, 
the license client may use excessive amounts of swap. 
954485 
ActiveSync/Authorization only access with client certificate check enabled 
and CRL checking is enabled may trigger the web interface to freeze (admin 
and user) for large CRLs. 
 
Junos Pulse Secure Access Service Release Notes 8.0R3       
 
4     Copyright  2014, Juniper Networks, Inc. 
927169 
On an SA and UAC  if the time zone for the system time is set to Jerusalem 
then the time change following DST policies of Israel will not occur. 
945437  Citrix Desktop viewer Toolbar is not working in Citrix Xendesktop VDI profile 
947823 
Unable to upload a scanned file saved to a Web resource accessed via 
Web-Rewrite. 
970920  Some button images for customer applications are not being rewritten. 
929942  Rewriter process crashes sometimes in case of Kerberos SSO. 
951953  Lotus Notes 8.5.3 with ActiveX may fail to upload attachments. 
952779 
The rewrite daemon may fail if the response has an empty HTTP status 
response. 
963521 
Web page redirection fails if "Un-rewritten pages open in new window" and 
"Optimize as long lived resource (no rewrite)" options are enabled. 
971354 
For iOS devices browser screen gets stuck on "Please wait..." if Network 
Connect/Pulse auto launch is enabled. 
981147  Custom web application comment section fails to load. 
977630 
When the Citrix client is hosted on the IVE a user that does not have the 
Citrix client installed will now see the following message "The Citrix Client is 
not installed on your computer. Please click the button below to download 
and install the Citrix client". 
        
Copyright  2014, Juniper Networks, Inc.     5 
971692 
Terminal Resource profile with hostname/custom port not working when 
accessed from Windows 8.1 workstations. 
954924 
Users are unable to launch Secure Virtual Workspace on a Windows 64-bit 
workstation. 
 
Problems Resolved 8.0R3.2 release 
Table 4 describes issues that are resolved when you upgrade.  
Table 2  Resolved in This Release 
Problem Report 
Number 
Description 
981148  Includes fix for NC-FIPS client. Refer to JSA10623. For more detailed info please refer 
KB29004. 
Problems Resolved in 8.0R3.1 
Table 4 describes issues that are resolved when you upgrade.  
Table 3  Resolved in This Release 
Problem Report 
Number 
Description 
981148  This release fixes the issue described in JSA10623. For more detailed info please refer 
KB29004. 
Problems Resolved in 8.0R3 
Table 4 describes issues that are resolved when you upgrade.  
Table 4  Resolved in This Release 
Problem Report 
Number 
Description 
971258  Windows non-admin users fail to install Network Connect, WSAM even when Juniper 
Installer Service in installed. 
 
Junos Pulse Secure Access Service Release Notes 8.0R3       
 
6     Copyright  2014, Juniper Networks, Inc. 
Problem Report 
Number 
Description 
968526  Resource with basic authentication enabled does not open when accessed via 
Authorization-only sign-in policy. 
962314  Network Connect client fails to translate based on end-user browser language 
preferences. 
961761  If the web server fails to send chunk-size line, the rewrite engine may fail. 
959763   On machines running Pulse 5.0r1 or 5.0r2, Pulse may freeze under certain conditions, 
including: 
 * When the endpoint displays the splash screen after the device resumes from sleep 
 * During the 'Remediating' state 
956917  After upgrading the SA, IE9 may not download the new JavaScript files if a version is 
already cached.  
958557  Juniper client components (Host Checker, WSAM, Network Connect, Terminal Services, 
etc.) fail to download proxy .pac files if the server is configured with a non-standard (80, 
443) port. 
951953  Uploading an attachment results in error with Lotus Notes 8.5.3 with ActiveX installed. 
952322  Carriage return are added to every line in Pulse Collaboration email invitation, this may 
cause user to fail login when clicking on the links to join Collaboration session. 
939666  OpenSSL library may cause a rare crash. 
952208  Hob applet (Premier Java RDP Applet) is upgraded to 3.3.0.785. 
 
Known Issues in 8.0R3 
Table 5 describes the open issues.  
Table 5  Known Issues 
Problem Report 
Number 
Description 
881922  Network Connect auto-uninstall does not work for the client users having admin 
privilege when Pulse or JIS is installed on the machine. 
        
Copyright  2014, Juniper Networks, Inc.     7 
Problem Report 
Number 
Description 
949997  Junos Pulse and Network Connect fails to connect when using client-side or server-
side proxy with IE 11. 
 
Problems Resolved in 8.0R2 
Table 6 describes the problems resolved.  
Table 6  Resolved in 8.0R2 
Problem Report 
Number 
Description 
929171  When External User Records Management is enabled, if the number of active sessions 
exceeds the configured value for "Persistent user records limit" then the subsequent user 
login might fail. 
925198  Password authentication policy page is missing from 7.2R1 if primary authentication 
server is Certificate and secondary authentication is enabled. 
951754  An end user with revoked certificate, having critical crlExtensions, is able to login, when 
certificate authentication is enabled 
944239  Password feature under authentication policy for user realm is broken. 
881922  Network Connect auto uninstall does not work for the client users having admin privilege. 
935862  IKEv2 sessions get disconnected abruptly. 
937176  WSAM UI uses Traditional Chinese instead of Simplified Chinese for Windows 
7(Simplified Chinese) 
952733  Host checker policy is not getting removed from the HC policy page though it is deleted. 
But refreshing the page again results in removing the policy from HC page. 
952683  Clicking on ESAP link on Host Checker main page is always displaying list of products 
supported by active ESAP.  
953541  Admin user is not warned when activating a sub-default ESAP package. 
944660  The Antivirus product Super Security Zero 16.x fails to pass the number of updates check. 
 
Junos Pulse Secure Access Service Release Notes 8.0R3       
 
8     Copyright  2014, Juniper Networks, Inc. 
Problem Report 
Number 
Description 
952926  Users fail to pass ESAP-based Host Checker policies with a client date later than Dec 13 
2013 with ESAP older than 2.5.1 
928964  Moving between logs page is displaying a log message "Unknown event SystemStatus" in 
debug log. 
921871  Client fails to logon to a server, from a previously used ip address, due to presence of 
remnants of the older session. 
900370  If the installation of Pulse is corrupted on an endpoint, users will be prompted to upgrade 
their Pulse client even though "Enable web installation and automatic upgrade of Junos 
Pulse Clients" is disabled." 
897986  Pulse SSL tunnels provides less upload bandwidth than NC with SSL VPN tunnels. Pulse 
could take as much as two and a half times longer than NC. Exact performance variance 
depends on a number of factors, including underlying network substrate speed, server 
loading, etc. This performance discrepancy between Pulse and NC does not occur with 
VPN tunnels that use the UDP/ESP protocol, which is the default VPN protocol. Only 
users needing to use SSL due to the need to have FIPS compliance would experience this 
performance discrepancy. 
959240  Pulse fails to connect to SA with 'network error 1115' due to overloaded SBR process. 
915552  After upgrading to JRE 7 Update 25,end users are receiving "An unsigned application from 
the location below is requesting permission to run from java for SSH 
947091  Post upgrade to 8.0, lab license does not contain IVS functionality any more. 
911776  If an active/passive cluster is removed, the VIP cannot then be accessed when assigned 
to another port on the system. 
915956  Unable to capture a filter for 64 bytes packets to a specific network 
939534  Log query results with filters set do not show up correct data. 
859959  Upgrading to a newer release in MAG is causing the process dsnetd to fail under specific 
conditions. 
946820  Client side JavaScript rewriter fails to parse certain Hex Codes properly, resulting in HTTP 
403 error for a particular option in SAP portal. 
942158  The Microsoft ActiveX control, RSPrintClient, when used in Custom Applications fails to 
print document. 
936312  SAP site using HTML5 and Kendo Controls fails to load completely via rewriter. 
        
Copyright  2014, Juniper Networks, Inc.     9 
Problem Report 
Number 
Description 
946720  Web pages are not loading via rewriter in rare cases when '#' is present in URL path. 
955065  With JAVA 7 update 51, HOB and SSH applets fail to load with "Application blocked by 
Security Setting" warning. 
960528  Pass through policy is not working, When selective rewriting policy for long-lived resource 
(no rewrite) and Pass through policy is configured for the same resource. 
955427  Support for New Selective rewriting policy for long-lived resource (no rewrite) is added, 
Can be used for long-lived connections like OWA 2010 pending Request notification. 
961761  Rewriter and hpproxy-server crashes when a backend server responds without chunk size 
and Transfer-encoding: chunked header set. 
 
Known Issues in 8.0R2 
Table 7 describes the open issues in 8.0R2.  
Table 7  Known Issues in 8.0R2 
Problem Report Number  Description 
971258  Windows non-admin users fail to install Network Connect, WSAM even when 
Juniper Installer Service in installed. 
Junos Pulse 5.0R3 New Features 
SRX Dynamic VPN Connections for Junos Pulse for Mac 
Junos Pulse for Mac OS X adds support for Dynamic VPN tunnels to a Juniper Networks SRX gateway. Mac OS X 
endpoints can now use Junos Pulse client software to connect to SRX Branch series SRX100-SRX650 gateways that 
are running Junos OS Release 10.x or later, and that have dynamic VPN access enabled and configured. SRX 
gateways do not support deployment of the Mac version of the Junos Pulse Client. For deployment options for the 
Mac version of the Junos Pulse client, please read the Junos Pulse Admin guide. 
 
Junos Pulse Secure Access Service Release Notes 8.0R3       
 
10     Copyright  2014, Juniper Networks, Inc. 
Figure 1.  Pulse for Mac 
 
 
 
NOTE: The Junos Pulse Dynamic VPN functionality is compatible with SRX-Branch 
(SRX100-SRX650) devices only. SRX Data Center (SRX1400-SRX5800  also 
called SRX HE or High End) devices do not support Junos Pulse Dynamic VPN 
from either Windows or Mac clients. For more details, please see KB 17436. 
Configuring a Junos Pulse Credential Provider Connection for Password or Smart Card Login 
If you allow users to log in with smart cards or with a username/password, then you can have the Pulse credential 
provider automatically authenticate the user based on the login method. The Pulse user sees two different credential 
provider tiles for the Pulse connection, one for smart card authentication and one for username/password 
authentication. Credential provider tiles that launch a Pulse connection include a Pulse logo. See Figure 2. The Pulse 
connection determines which realm to use through preferred realm settings that you specify as part of the Pulse 
connection preferences. If the connection succeeds, the login type is saved so that, if re-authentication is needed, (for 
example, the connection times out), the same login type is used. 
        
Copyright  2014, Juniper Networks, Inc.     11 
Figure 2.  Pulse Credential Provider Tiles 
 
Before you begin: 
  Before you deploy a connection that uses this feature, make sure that you have created all the authentication 
realms that are required. You need one realm for smart card authentication and a different one for user 
name/password authentication. Both realms can be mapped to the same role or you can use different roles, and 
include a remediation role for endpoints that do not pass Host Checker evaluation. If you use machine 
authentication for a connection (machine-then-user-at-credprov), you need an authentication realm for the 
machine. 
  Make sure that all of the realms that are used in the Pulse connection are included in the sign-in policy. 
  The authentication realms on the Pulse server must be configured so that the Preferred Pre-login Smartcard 
Realm uses certificate authentication and the Preferred Pre-login Password Realm uses username/password 
authentication. 
The following procedure summarizes the steps to create a Junos Pulse connection that uses credential provider 
authentication, and allows the user to choose either smart card login or username/password login. Table 8 describes 
the configuration options: 
1.  Click Users > Junos Pulse > Connections and create or select a connection set. 
2.  Create or edit a connection. For connection type, you can select either UAC (802.1X) for a Layer 2 connection or 
SSL VPN or UAC (L3) for a Layer 3 connection. The SRX and App Acceleration connection types do not 
support credential provider authentication. 
3.  For the Connection is established option, choose one of the credential provider options: 
  Automatically at user loginEnables Pulse client interaction with the credential provider software on the 
endpoint. The user credentials are used to establish the authenticated Pulse connection to the network, 
login to the endpoint, and login to the domain server. 
  Automatically when the machine starts. Connection is authenticated again at user loginEnables Pulse 
client interaction with the credential provider software on the endpoint. Machine credentials are used to 
establish the authenticated Pulse connection to the network using the specified Machine Connection 
Preferences or Pre-login Connection Preferences. When the user provides user credentials, the connection 
is authenticated again. 
 
Junos Pulse Secure Access Service Release Notes 8.0R3       
 
12     Copyright  2014, Juniper Networks, Inc. 
4.  For SSL VPN or UAC (L3) connections that are set to have the connection established automatically, you can 
define location awareness rules that enable an endpoint to connect conditionally. 
5.  For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an 
entry in the Trusted Server List. To allow any server certificate, type ANY as the Server certificate DN. To allow 
only one server certificate, specify the server certificates full DN for example, 
 C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; 
[email protected]. 
6.  For the desired connection behavior, set the connection preferences as described in Table 8. 
Table 8  Configuration Options for Credential Provider Login 
Pulse Client Credential 
Provider Login 
Behavior 
Connection is 
established 
option 
User Connection 
Preferences 
options 
Pre-login Connection 
Preferences 
Machine 
Connection 
Preferences 
At user login, the user 
can choose from two 
credential provider tiles: 
smart card login or 
username/password 
login. 
The credentials are then 
used to connect to the 
network, login to the 
endpoint, and login to 
the domain server. 
Automatically at 
user login 
Preferred User 
Realm and 
Preferred User 
Role Set are not 
available if you 
specify values for 
Preferred Pre-login 
Password Realm 
Preferred Pre-login 
Smartcard Realm. 
Enables Pulse credential 
provider tiles. The realm 
name appears on each 
tile. You must specify 
values for both of the 
following options: 
  Preferred Pre-login 
Password Realm
The authentication 
realm that provides 
username/password 
authentication. 
  Preferred Pre-login 
Smartcard Realm
The authentication 
realm that provides 
smartcard 
authentication. 
Not available. 
At machine login and at 
user login, the user can 
choose from two 
credential provider tiles: 
smart card login or 
username/password 
login. 
Automatically 
when machine 
starts. 
Connection is 
authenticated 
again at user 
login. 
Enables Pulse credential 
provider tiles. The realm 
name appears on each 
tile. 
  Preferred Pre-login 
Password Realm
The authentication 
realm that provides 
username/password 
authentication. 
  Preferred Pre-login 
Smartcard Realm
The authentication 
realm that provides 
smartcard 
authentication. 
Preferred Machine 
Realm and 
Preferred Machine 
Role Set are not 
available if you 
specify values for 
Preferred Pre-login 
Password Realm 
Preferred Pre-login 
Smartcard Realm. 
        
Copyright  2014, Juniper Networks, Inc.     13 
Updated NDIS Support 
Junos Pulse for Windows includes a set of drivers that interface with the Windows Network Driver Interface 
Specification (NDIS) driver for communications with the endpoints network interface. For Pulse 5.0R3, the NDIS5 
compliant Juniper Network Agent (JNPRNA) has been replaced with the NDIS6 compliant Juniper Network Service 
(JNPRNS) to support enhanced functionality that is available in Windows Vista and later Windows versions. JNPRNA 
will continue to be available on Windows XP endpoints. Pulse on all other Windows versions will use JNPRNS. The 
Pulse for Windows file set changes are included in the Junos Pulse Client Changes Guide 5.0R3. 
 
NOTE: JNPRNS does not support wired 802.1x for Odyssey Access Client (OAC). 
If OAC is already installed on the endpoint when you install Pulse 5.0R3, the new 
JNPRNS components will be installed to support Pulse, and the required legacy 
JNPRNA components will remain on the endpoint to support OAC functionality. 
For more information about NDIS and upgrading to Pulse 5.0R3, see KB 28892. 
 
Documentation 
Junos Pulse documentation is available at http://www.juniper.net/techpubs. 
Documentation Feedback 
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can 
send your comments to [email protected]. 
Technical Support 
When you need additional information or assistance, you can contact Juniper Networks Technical Assistance Center 
(JTAC): 
  http://www.juniper.net/support/requesting-support.html 
  [email protected] 
  1-888-314-JTAC within the United States 
1-408-745-9500 from outside the United States 
For more technical support resources, browse the support website (http://www.juniper.net/customers/support/#task). 
Revision History 
Table 6 lists the revision history for this document. 
Table 6 Revision History 
Revision  Description 
25 March 2014  Initial publication.