What is JNC (Juniper Network Connect)?
Network Connect is a software package from Juniper Networks that interfaces with its Secure Access hardware and provides a Virtual Private Network (VPN) solution. There are two software products that connect to Secure Access servers: Windows Secure Application Manager which, as you might guess, runs on Microsoft Windows; and Network Connect which runs on other platforms, in particular GNU/Linux.
Note!
I no longer have access to Juniper VPN servers and no need for this software, since 2013. As such, it has suffered a significant amount of bit-rot. Some people are still able to use it, which is great.
However, if you’re not one of them you might prefer to investigate the OpenConnect project. This project provides open-source software which is purported to work with Juniper SSL VPN (aka Pulse Connect Secure). It is typically available from your GNU/Linux distribution provider and there are NetworkManager plugins which integrate seamlessly with the desktop (if you use NetworkManager). Give it a try!
So, GNU/Linux is supported! Great! Well, sort of. Juniper has fallen into the common trap of supporting Red Hat Enterprise Linux and calling it good enough. It’s quite frustrating, since with an extra hour or two of effort these companies could create a portable solution. I realize that support costs money, but even if they only officially supported Red Hat Enterprise, it wouldn’t hurt them to go the extra couple of centimeters necessary to provide a more generic implementation.
Equally frustrating, even on RHEL the provided user interface utility has a number of missing features. Finally, it’s written in (32bit only) Java, and does not work well with non-Sun/Oracle versions of Java which makes for many problems on 64bit systems and versions of Linux which don’t have official Sun/Oracle Java packages.
Luckily, the actual VPN software works fine on these other systems; it’s the invocation script and especially the installer that are utterly broken. This utility (written in Perl/GTK2) attempts to provide a more functional, better-supported interface to Juniper Network Connect session management.
Making It Work
Package Requirements
Since the Network Connect software is 32bit you must have 32bit C runtime support libraries installed on your system. For most Red Hat-based systems these will be available by default.
On newer versions of 64bit Ubuntu that support multilib you will need to install 32bit libraries, like this:
sudo apt-get install libc6:i386 zlib1g:i386
If you get the cryptic, useless error “ncsvc: No such file or directory” even though the file is clearly right there, this is what’s happening. Install the 32bit libs.
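The error is misleading because the file the kernel cannot find is not ncsvc itself but the 32bit dynamic loader named inside it. The following is an added example, not part of msjnc or the Juniper software: it reads the ELF header of a binary and reports which loader it requests and whether that loader is installed. The sample image is constructed for the demonstration, and the function names are illustrative.

```python
import os
import struct
import sys

PT_INTERP = 3  # program header type that names the dynamic loader

def elf_interp(data):
    """Return (bits, loader_path) for an ELF image; loader_path is None if static."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]      # EI_CLASS
    end = {1: "<", 2: ">"}[data[5]]     # EI_DATA: little or big endian
    if bits == 32:
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, base)[0] != PT_INTERP:
            continue
        if bits == 32:   # Elf32_Phdr: p_offset at +4, p_filesz at +16
            off, = struct.unpack_from(end + "I", data, base + 4)
            size, = struct.unpack_from(end + "I", data, base + 16)
        else:            # Elf64_Phdr: p_offset at +8, p_filesz at +32
            off, = struct.unpack_from(end + "Q", data, base + 8)
            size, = struct.unpack_from(end + "Q", data, base + 32)
        return bits, data[off:off + size].rstrip(b"\0").decode()
    return bits, None

def explain(data, exists=os.path.exists):
    """Say whether the loader the binary asks for is installed."""
    bits, interp = elf_interp(data)
    if interp and not exists(interp):
        return f"{bits}-bit binary; loader {interp} not found, install the {bits}-bit C library"
    return f"{bits}-bit binary; loader {interp or 'not needed (static)'} ok"

def sample_elf32():
    """Constructed image: ELF32 header, one PT_INTERP entry, loader path."""
    interp = b"/lib/ld-linux.so.2\0"
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)  # ELFCLASS32, little endian
    header = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_INTERP, 84, 0, 0, len(interp), len(interp), 4, 1)
    return header + phdr + interp

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_elf32()
    print(explain(data))
```

Run it with the path to the downloaded ncsvc binary as the only argument; with no argument it analyses the constructed sample.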
In order to use the script you must have Perl and Perl/GTK2 installed.
On Debian/Ubuntu systems run:
sudo apt-get install libgtk2-perl libwww-perl
On Red Hat/RPM-based systems you should be able to run:
sudo yum install perl-Gtk2 perl-libwww-perl
A critical aspect of the VPN is that your DNS resolution information is reset to point to the DNS server of the VPN; this allows you to resolve internal hostnames that aren’t registered outside the VPN. Usually, when you exit the VPN tool it will restore your original DNS settings. However, I have seen this fail; when that happens your system can no longer resolve any hostnames. It seems like the network is broken but it’s actually a trivial fix… if you know what your original DNS server was. I recommend making a copy of the /etc/resolv.conf file on your system so you can copy it back later if necessary.
Step 1: Install MSJNC Session Manager
First you need to install my script onto your system:
Put it somewhere on your PATH; I typically create ~/bin and add that to my PATH for these sorts of things. Don’t forget to ensure the script is executable after you download it.
If you didn’t understand the previous paragraph, then open up a terminal (use Applications -> Accessories -> Terminal) and enter these commands; none of them should give you any error message. You will need to type your password when prompted (after the sudo command).
wget -q -O /tmp/msjnc https://raw.github.com/madscientist/msjnc/master/msjnc
chmod 755 /tmp/msjnc
sudo cp /tmp/msjnc /usr/bin
Step 2: Install Network Connect Software
The Network Connect software is installed automatically when you first connect to the server. Although this install will fail on Ubuntu due to the fairly stupid scripting Juniper provides, it’s still necessary to go through this step to obtain the software.
So, connect to your Juniper VPN server with Firefox and log into the VPN. You should have received instructions from your IT department or whoever manages the server on how to do this.
Once it’s done you’ll see something like this (maybe after some other links); click the “Start” button next to “Network Connect”:
The Network Connect software will download:
The software will pop up a terminal window asking for the root password:
Of course, on Ubuntu root doesn’t have a password and the script is not smart enough to consider using sudo. So ignore this: hit ENTER and when it asks if you’d like to try again, hit ENTER again. You will get an error message about SSL; click OK. This will cause the startup to fail, but that’s fine because it’s left behind the downloaded software which we can then use with a more portable installer.
Before continuing, log out from the VPN connection in the browser. There should be some kind of exit button on the page. If you can’t find it, exiting your browser should do it. We won’t be needing it anymore anyway.
Step 3: Run msjnc
To complete the installation, you should invoke msjnc. To do this, open a terminal window (Applications -> Accessories -> Terminal) and type msjnc. Whenever the script runs it checks to be sure everything is set up and, if not, will do it for you. It will ask for your password; if that doesn’t work (your system doesn’t have sudo configured) it may ask for the root password.
Running msjnc will create a new menu item in your desktop called Network Connect, under the Internet or Networking menu. You can use this in the future to start or stop the VPN. You can also drag it to your Panel or Launcher or whatever. If your desktop manager or panel supports Actions as per the spec (often invoked by right-clicking the menu item for example) then there will be extra actions available for stopping the VPN, as well as configuration options.
Step 4: Create one or more profiles
Use the “Profiles” menu and select the “New” option to create a new profile. Enter values for your Juniper Network Connect VPN server. If you don’t understand the options you can run “perldoc msjnc” to get more documentation.
Step 5: Select a profile as the default (optional)
Use the “Profiles” menu and select one of the profiles you created as the “default” profile. This is not necessary if you only have one profile.
Startup
Whenever you click the “Connect” button in the msjnc utility, you will be prompted for your VPN password or the SecurID PIN plus the fob value, if your company uses SecurID fobs. Alternatively you can start the VPN session from the command line with the --connect option.
Troubleshooting
Some servers want you to use HTTPS but will (confusingly) perform some early operations correctly with HTTP. The script will try HTTPS by default if you specify HTTP and it doesn’t work, but if you use an HTTP URL and can’t connect, try again with HTTPS.
A number of people have written me to ask about multi-key logins. I don’t have any knowledge of or experience with these and my (very limited) investigation of the Network Connect service doesn’t show how to do this from the command line. If someone can describe what the expected interface to the ncsvc program is for these situations I’ll try to add support for it.
If you can’t access any network hosts after bringing down the VPN, it’s probably because your DNS server was not reset properly. You did take my advice above and make a backup copy, right? Suppose you called the backup ~/resolv.bak; then you’d run this command to restore your network:
$ sudo cp $HOME/resolv.bak /etc/resolv.conf
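The backup advice under Package Requirements and the restore command above can be combined into one check. This is an added example, not part of msjnc: it compares the resolver list in the live file with the pre-VPN backup and copies the backup back only when they differ. The file names in the demo and the addresses (documentation ranges) are constructed.

```python
import os
import shutil
import tempfile

def nameservers(text):
    """Return the resolver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        # comment lines start with '#' or ';' and never match the keyword
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def restore_if_changed(resolv, backup):
    """Restore the backup if the live resolver list differs; return the replaced list."""
    with open(resolv) as cur, open(backup) as bak:
        live, saved = nameservers(cur.read()), nameservers(bak.read())
    if live == saved:
        return None
    # copyfile writes through a symlinked resolv.conf, as the cp command does
    shutil.copyfile(backup, resolv)
    return live

def demo():
    """Constructed scenario: the VPN rewrote the file and did not put it back."""
    with tempfile.TemporaryDirectory() as d:
        resolv, backup = os.path.join(d, "resolv.conf"), os.path.join(d, "resolv.bak")
        with open(resolv, "w") as f:
            f.write("nameserver 192.0.2.53\n")
        shutil.copyfile(resolv, backup)      # backup taken before connecting
        with open(resolv, "w") as f:         # state left behind by the VPN
            f.write("search corp.example\nnameserver 198.51.100.10\n")
        replaced = restore_if_changed(resolv, backup)
        with open(resolv) as f:
            return replaced, nameservers(f.read())

if __name__ == "__main__":
    print(demo())
```

Against the real files, call restore_if_changed("/etc/resolv.conf", backup_path) as root once the VPN is down.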
If things still don’t work for you, you might try asking on one of the Ubuntu forum threads dedicated to this subject.
Mailing List
I have created a mailing list for information on the script. The list is moderated so don’t worry about spam, etc. It’s also extremely low-traffic, I expect. You can subscribe using this link.
I would like to ask 2 extra features:
1) a command-line switch and/or menu option to check for updates.
2) an option to start minimized in the system tray (in order to autostart on login).
I am testing to establish Remote Access (VPN connection) using Juniper Network Connect software on SLED 12 Beta3/4. I am not able to establish the IP Tunnelling on SLED 12 (not released yet). I have checked it thoroughly but could not resolve it.
I can see, after user’s authentication (using PIN + RSA Secure ID) on work web site, the Juniper’s Network Connect software is downloaded and installed on the user’s profile in directory ~/.juniper_network/network_connect/ but the service (ncsvc) does not become active during the Remote Access session and failed to establish IP tunnelling.
I did lots of research on this issue including instructions on Juniper website. Installed 32-bit Java and set up plugins in Firefox and also followed instructions on your web site “Mad Scientist” but still I am not able to set up the VPN connection. I have also tested the script developed by your site, “Mad Scientist”, for Juniper network for 64-bit Linux but it failed to work on SLED 12.
Regards,
Kiran
Thanks a lot for the instructions and the script. Working well for me. I do use the Password+RSA token and no issues for me.
Great script “Your Madness”. Was just about to give up on NC for Linux 64 bit clients.
Thanks,
Ed.
Hi, I have 64 bit Ubuntu 14.04 LTS and followed your instructions till step 2. Unfortunately, as you rightfully wrote, due to the fairly stupid scripting Juniper provides, I do not even get the “Start” button despite being the admin of the SA. Any suggestions? Did you manage to get it to work in 14.04?
Thanks for the great article!
That may be because there was some jre-plugin missed in your OS, so Firefox couldn’t start the Java applet?
Try “sudo apt-get install icedtea-plugin” .
I’m using it in 14.04 now.
Works great under 64 bit Ubuntu 14.04. Thanks! Had problem with the DNS as described, but your solution worked as well.
Hi, anybody having experience with RHEL 7 based systems? In CentOS 7, the perl-Gtk2 is not in the repos anymore. Tried to run msjnc anyway, but failed:
$ msjnc
Can't locate Glib.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/bin/msjnc line 56.
BEGIN failed--compilation aborted at /usr/local/bin/msjnc line 56.
And “yum provides *Glib.pm” found no matches.
I used your setup today, it worked like a charm, thanks so much. My university does not support Linux so it is always necessary to find a workaround for everything. This did the trick!