


KB25305 - PTP Web links configured in port mode are not working from Pulse Secure Mobile Client on iPad



Last Modified Date: 8/1/2015 4:31 AM
When users attempt to access a Web resource configured with a Passthrough Proxy (PTP) policy using Pulse Secure Mobile Client for iOS (iPad and iPhone), they will not be able to reach the resource from the Pulse Secure Mobile Client. The cause is a Web certificate host name mismatch that Apple WebKit raises in the background and that the iOS user does not see.
Problem or Goal
  • Web bookmark is configured with a PTP Policy using IVE port 11010.
  • Web bookmark is accessible using IE on Windows OS.
  • Web bookmark is accessible when using Safari browser on the iPad. 
  • Issue occurs only through Pulse interface->Intranet->Bookmarks environment.
  • Issue is seen with Junos Pulse 3.x.x and 4.x.x on iPads running iOS 4, iOS 5 and iOS 6.
  • Web bookmarks that do not use the PTP policy can be accessed via Junos Pulse on iPad running iOS 4, iOS 5 and iOS 6.  
When attempting to access Web bookmarks over PTP on an iPad, the iOS user sees a blank page load with no content and there are no errors displayed in the Pulse browser.  The connection to the resource fails to load.
Pulse Secure Mobile Client for iOS forwards Web traffic to backend resources using the IP address of the Secure Access Gateway in the rewritten URL instead of the server host name.  

For example, Pulse Secure Mobile Client for iOS forwards Web URLs using PTP to the backend resource server as:
Normally, Web URLs using PTP are forwarded to the backend resource server by host name as:
PTP only supports host names for the backend resource, and the secure session must also use the DNS name of the Secure Access Gateway. Normally, this condition is handled by adding an entry to the hosts file on the client PC or mobile device that resolves the IP address of the Secure Access Gateway to its DNS host name, which allows PTP to work in this scenario. However, Apple iOS does not allow the hosts file to be modified. As a result, the Apple WebKit browser used by the Pulse client detects a Web server certificate host name mismatch and the connection is denied.
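The host name check that fails here can be reproduced offline. The following is an added example, not Pulse Secure or Apple code: it applies the usual rule that an IP-literal URL host is compared only against IP address entries in the certificate, never DNS entries. The gateway name `sa.example.com`, the address `192.0.2.10` and the certificate contents are constructed; the certificate dict uses the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: certificate issued to the gateway's DNS name only,
# in the dict shape returned by ssl.SSLSocket.getpeercert().
GATEWAY_CERT = {"subjectAltName": (("DNS", "sa.example.com"),)}


def _dns_match(pattern, host):
    """Compare a DNS SAN with a host name; '*' may only be the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def url_host_matches_cert(url, cert):
    """Return True if the host in url is covered by the certificate's SAN entries."""
    host = urlsplit(url).hostname
    if not host:
        return False
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Host is a DNS name: only DNS SAN entries apply.
        return any(_dns_match(v, host) for t, v in sans if t == "DNS")
    # Host is an IP literal: only IP Address SAN entries apply, never DNS ones.
    return any(ipaddress.ip_address(v) == ip for t, v in sans if t == "IP Address")


if __name__ == "__main__":
    # Port 11010 is the PTP port from this article; both hosts are constructed.
    for url in ("https://sa.example.com:11010/", "https://192.0.2.10:11010/"):
        result = "match" if url_host_matches_cert(url, GATEWAY_CERT) else "MISMATCH"
        print(url, "->", result)
```

Run against the SAN list of the gateway's real certificate, the same check shows whether a URL rewritten with the gateway IP address can ever pass validation.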
When configuring Web browsing access with Pulse Secure Mobile Client for iOS, access methods other than the Pulse client should be used for resources that have PTP policies applied to them. For example, Apple iOS users can launch Pulse Secure Mobile Client first, then browse to these Web resources using the Safari browser.
Created By: Data Deployment


