Easy Patching with IVE (SSLVPN)

I don't know what your experiences are with IVE patching but mine have been relatively painless. There are a few easy rules that I follow to ensure that things go well.

First is to know when patching is required. Go to the Juniper support website, login and make sure you are setup for alerts/bulletins. Remember you need to enable yourself for both software and hardware.

Next is test (if you can). If you have a test IVE or a smaller IVE used for a smaller office, upgrade that and test before your main sites. If you have different client builds accessing your IVEs, see if you can get as many of them as possible to connect to the upgraded test box. Have someone (maybe you) create a risks and issues log of all the events during the testing and during the upgrade planning.

Read read READ those release notes. Seriously, read them cover to cover and envisage how the changes apply to your environment.

Prep you clients.

• Don't use too many browsers. I'm aware that the IVE supports a wide range a browsers but for the upgrade it would be easier to limit the browsers that you ask people to use. That way you can easily brief users on all the options/menus/changes etc. IE is the default that I use for Windows clients.
• Make sure they have your IVE URLs in the Trusted Sites of your browsers. This will limit the problem of users missing the security warnings or the browsers potentially blocking the SSLVPN clients when they connect for the first time after the upgrade.
• Use the Juniper Installer Service. In a Windows environments these are a godsend. Two clients are available in your IVE's Maintenance | System | Installer section of the GUI and they come in exe or msi formats. What they do is once they are installed with admin privileges they enable further IVE client installs to occur without the end user needing admin rights. Have a read of the Appendix of the Juniper Client Side Changes (this doc is for v7.1 of the IVE OS) document to see how this helps.

During the upgrade

1. Don't panic. JTAC is there for you, contact them here and these upgrades are (touch wood) relatively bulletproof.
2. First take backups. Multiple ones, both single file backups and XML backups.
3. Clear down the logs before you upgrade. (To speed things up)
4. Don't worry about the time taken, I've found that SA's can take a good 20-40 mins to upgrade sometimes. The rule of thumb is when you are about ready to go get your console cable out to check what's going on, that's the time that it will finish upgrading.
5. If in a cluster the other IVE's will upgrade after the first one has (and generally they will be quicker than the first one)
6. Understand the Rollback Button in Maintenance | System. Any changes you make post upgrade will be lost if you use the Rollback Button. The IVE takes a point in time image to create the rollback image. Any config changes are only written into the live flash memory.
7. Have a testing script that you've gone through with your management team and if applicable with user input as to what needs to be tested. That way if your script is completed correctly you've not missed anything important. This is especially useful if your upgrade is taking part in the dead of night, so you do not have to work from a fallible mental list.

Troubleshooting post upgrade

You've upgraded the IVE and now there will be the odd client having connection problems. Generally they will be related to the IVE software loaded on the client and the browser. Remember most of the IVE traffic goes through the browser so any problems with the browser might cause problems with the IVE. Your 3 steps to heaven are:-

1. Clear down browser cache. Seriously, this works for 90+% of all post upgrade problems. If you have full control of the clients you could even script this or create a GPO for it ahead of time.
2. Get the user to remove/uninstall all the Juniper Software from the client. If you are using the Installer Service they will auto re-install (you are using the service aren't you?) & try again. This fixes most of the remaining problems.
3. If you are having problems with Pulse and/or Network Connect on a Windows client then it's time to get technical. This is the final step before going to JTAC and does involve some technical know how & maybe admin rights on the client.

Uninstall pulse, any other vpn client, and anything else loaded into the driver stack. (sniffer wireshark etc… leave AV/Firewall driver for now, but if it still doesn't work try uninstalling it)

Then run from an admin command prompt

netsh int ip reset reset.log

netsh winsock reset

(Only one will work, they are the same command for the various versions of Windows) It will reset and rebuild your IP/TCP stack on the client

Reboot and reinstall.

So far the plan above has kept my upgrades relatively trouble free.

If you have found it useful please leave a comment. Also if you have any tricks or tips of your own please shout out and I'll add them on.

Chris

New Year, New Challenges

After poking Andy in the ribs for weeks he's finally allowed someone else to update this blog. I'll be covering off the more techy side of the Juniper Environment and how the new products, along with the existing, stack up in a technical manner.

FYI I've worked with the Juniper product line for 5-6 years. Starting with the SSLVPN & the Netscreens, then to the SSGs, & NSM. Onward to now working with Junos on firewalls (SRX), Routers (J series) & switches (EXs).

Anyway about to start the new year with a thrilling subject. Patching!

Chris

Juniper Jobs

As a Juniper Services Company, demand from customers for utlising our consultants for project work is sky high at the moment. I'm not sure whether this is down to the fact that we are a growing company or whether due to the financial climate, restructing of staff and redundancies have left skills gaps in clients IT departments.

Anyway this recent surge led me to have a look at the state of the Juniper Jobs Market and I thought I'd share these interesting stats with you from itjobswatch.

For the 6 months to 20 October 2008, IT jobs within the UK citing Juniper also mentioned the following IT skills in order of popularity:

Cisco 78.9%
CheckPoint 39.7%
Windows 17.51%
BlueCoat 15.58%
Linux 13.43%
Nortel 10.65%

For the 3 months to 2o October 2008, below shows the geographic location of Juniper Jobs based on UK Job Adverts citing Juniper:

TOTAL ADVERTS 843

London 439
South East 271
Berkshire 98
Hampshire 78
Reading 51
North West 41
Basingstoke 38
East of England 31
Surrey 30
Manchester 22
Yorkshire 18
West Midlands 18

For the 6 months to 20 October 2008, IT jobs within the UK citing Juniper were in the following industry sectors:

Finance 14.67%
IT/Telecoms 12.12%
Health 3.40%
Government 3.12%
Education 1.76%
Retail 1.42%
Marketing 1.02%
Legal 0.74%
Manufacturing 0.17%

And finally, the average salary for Jobs citing Juniper over the last 3 months was £46,412.

I hope you find this as interesting as I did.

Thanks,

Andy

Quantix win CNA Mobility Solution of the Year 2008

Last Thursday night we scooped the CNA award for Best Mobility Solution delivered in 2008. This project was based on an integrated Juniper SA & Citrix implementaion for our great customer HCA Healthcare.

Please find the press release below.

Quantix Celebrates Awards Success
Specialist managed service provider wins Mobility Solution award with innovative HCA Healthcare solution

Quantix, a provider of enterprise applications, support and managed services, is celebrating its success in the Channel Network Awards (CNA), held at the prestigious Hilton Hotel on Park Lane, London. Quantix won the Mobility Solution category for the innovative mobility solution it provided for HCA Healthcare and was also a finalist in the Business Awards Nottinghamshire 2008 in the Innovation Through Technology category for its Business Continuity Managed Service.

The CNA Awards recognise business solutions supplied to clients by the channel and the Mobility Solutions category looks for innovative and scalable solutions where a reseller has understood the specific needs of the client. Quantix provided HCA Healthcare with an innovative solution to allow secure access to proprietary and graphically intensive medical applications from any machine with a web browser. This presents medical personnel with the ability to gain access to x-ray images, patient records, and surgical modelling applications from any machine with a web browser in a secure manner. This would allow them to consult with clients and view images in a home environment but also provide a rapid response to consultation on urgent surgery.

“We’re thrilled to have won this award and to have had our solutions recognised in an event as prestigious as the CNA Awards,” said Quantix Managing Director Richard Salmon. “The work we have done for HCA Healthcare is a true testament to the need for mobile solutions and we look forward to providing further benefits to their mobility needs.”

The mobility solution deployed at HCA Healthcare reduces the waiting time for patients needing urgent surgery, as consultants can access vital information from any connected device, reducing the time needed to view any relevant radiography images.

“Winning at the Channel Network Awards has always been difficult and this year doubly so with the increased number of entries and the highest quality ever,” claimed John Chapman, judging organiser. “One of the toughest categories this year was for Mobility Solutions and for Quantix to come away as winner of this category is great testament to their ingenuity, skill and focus on what the customer was trying to achieve. The judges were particularly impressed with the way Quantix overcame some tough technology and operational issues”

Quantix’s RapidRecovery business continuity solution was also a finalist in the Innovation Through Technology category of the Business Awards Nottinghamshire 2008 which recognise business achievements and helps organisations celebrate their contribution to the regions’ economy.

Thanks,

Andy

Quantix's Managed Business Continuity Service hits the news..

Quantix's Managed Business Continuity Service, hits the press this week. Please find below one of the articles.


The FINANCIAL -- Quantix, a leading Managed Services providers, launches its new RapidRecovery Business Continuity solution.

Specifically designed by Quantix to offer customers a fully outsourced replicated environment, this service can drastically drive down the costs of Business Continuity. RapidRecovery provides not only a replicated standby site, but also day-to-day failover of servers in order to provide true business continuity.

RapidRecovery is all encompassing, comprising an Accelerated Private Data Link, the Rapid Recovery Platform, SecureConnect Service, Proactive Monitoring and the Quantix Managed Service Team. Other benefits include the recovery time of minutes from invocation, data recovery point of minutes, bare metal recovery, platform resiliency, snap shots, flexible storage and multi vendor support.

'Disaster recovery has typically been viewed as a form of insurance that carries a large annually recurring fee, with businesses only realising the real benefits of their investment when a disaster occurs,' explains Quantix's Managing Director, Richard Salmon. 'We are changing this perception by offering our customers the ability to use the same platform for development purposes and extended in-house maintenance, as well as acting as their disaster recovery service delivery infrastructure.'

Following the installation of RapidRecovery, businesses can benefit from flexible and secure access to the RapidRecovery platform and a low cost, secure solution that allows partners, customers or employees to work on applications, directories or extranets without client software having to be installed. It also had the added bonus of allowing an organisation to focus on their core business as Quantix manages the implementation 24 hours a day, 7 days a week.

'One of the biggest benefits of RapidRecovery is that it is fully managed by a team of more than 20 accredited engineers on a 24/7 basis,' adds Salmon. 'Our support team includes engineers and consultants who are specialists in their fields, so once RapidRecovery is installed, our customers have the reassurance that one of the leading support companies in the UK is managing and maintaining their system.'

If you would like further information our Business continuity/Disaster Recovery services, please visit our website or please do not hesitate to contact one of our engineers on 0115 983 6200.