2 Replies Latest reply on Apr 10, 2014 9:02 AM by c8822131

    McAfee HIPS 8 and Juniper SAM 7

    c8822131

      Hi all,

       

      Are there any Juniper SAM gurus out there ?

       

I have 3 customers who use Juniper SAM to connect to a secure console, but HIPS appears to be blocking traffic.

       

      Scenario

      Users access a web portal and enter credentials which fires up the SAM client to create a secure VPN tunnel successfully.

They then attempt to access a console via an IP on port 6800, but the traffic is being blocked by HIPS (confirmed by dropping the FW temporarily).

       

The Firewall activity log shows traffic is being blocked by a CAG. The CAG is configured to allow traffic across Wired and Wireless adapters, provided the connection-specific DNS suffix matches the rule in the CAG ("domain.name").

       

      The block is reported as follows:

       

      Time:  25/02/2014 14:01:35

      Event:  Traffic

      IP Address/User:  127.0.0.1

      Description:  Secure Application Manager Proxy (dsSamProxy)

      Path:  C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe

      Message:  Blocked Incoming TCP -  Source 127.0.0.1 :  (3421)  Destination 127.0.1.69 :  (10000)

      Matched Rule:  Corporate - Internal

       

      No matter what I try with FW rules, Trusted Networks or Trusted Applications, I can't get HIPS to allow traffic to pass and the console to connect.

       

If anyone has any ideas, please feel free to share! I'm going insane trying to work this one out!

        • 1. Re: McAfee HIPS 8 and Juniper SAM 7
          Kary Tankink

FYI, you should have a firewall rule at the top of your policy to always allow Loopback traffic.  In this case, you'll have to use rules for non-standard Loopback traffic (non-127.0.0.1).  Loopback traffic typically cannot be allowed in Location Aware Groups (especially with Connection Isolation enabled), since HIPS treats loopback traffic as going through a separate adapter from your Wired/Wireless network adapter.  The Loopback adapter will not list DNS Servers, Connection-specific DNS suffixes, Gateway, etc.

           

          KB71230 - Host Intrusion Prevention 8.0 Loopback traffic blocked when firewall is enabled

          • 2. Re: McAfee HIPS 8 and Juniper SAM 7
            c8822131

            Hi Kary,

             

            That did the job !

             

            It seems obvious now but we had an SR open too, this was really perplexing everyone.

             

I simply added a rule directly below the Loopback rule to allow non-standard local addresses 127.0.0.x and 127.0.1.x, and the Juniper software now passes traffic via HIPS.

             

It looks like Juniper clients add another address into the process in between localhost and the adapter: 127.0.0.1 > Juniper Client IP > Network Adapter (I think).

             

            Thanks again
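To make Kary's explanation (reply 1) and the fix in reply 2 concrete, here is an added example that is not part of this thread and is not McAfee code. It is a deliberately simplified model of first-match firewall rule evaluation: flows touching 127.0.0.0/8 are assigned to a loopback adapter that carries no connection-specific DNS suffix, a rule that lives in a Location Aware Group only applies when the adapter's suffix matches, and a group with connection isolation blocks traffic on any adapter that did not match. The adapter/suffix mapping, the isolation semantics and the rule names other than "Corporate - Internal" are assumptions drawn from the thread, not a description of the real HIPS engine, and the two log messages are constructed in the shape of the Message line quoted in the original post.

```python
"""Simplified model: why a HIPS Location Aware Group with connection isolation
blocks Juniper SAM's non-127.0.0.1 loopback traffic, and why an allow rule for
all of 127.0.0.0/8 placed above the group fixes it.  Added example, not McAfee
code; evaluation semantics are assumptions taken from the forum thread."""

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed messages in the shape of the HIPS "Message:" field from the thread.
SAMPLE_MESSAGES = [
    "Blocked Incoming TCP -  Source 127.0.0.1 :  (3421)  Destination 127.0.1.69 :  (10000)",
    "Blocked Incoming TCP -  Source 10.20.30.40 :  (51000)  Destination 10.20.30.41 :  (6800)",
]

MSG_RE = re.compile(
    r"(?P<dir>Incoming|Outgoing) (?P<proto>TCP|UDP) -\s+"
    r"Source (?P<src>[\d.]+) :\s+\((?P<sport>\d+)\)\s+"
    r"Destination (?P<dst>[\d.]+) :\s+\((?P<dport>\d+)\)"
)


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_message(msg: str) -> Flow:
    """Extract source, destination and destination port from a HIPS Message line."""
    m = MSG_RE.search(msg)
    if not m:
        raise ValueError("unrecognised message: %r" % msg)
    return Flow(ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["dport"]))


def adapter_for(flow: Flow) -> str:
    """Any endpoint in 127/8 rides the loopback adapter (assumed), not just 127.0.0.1.
    The SAM proxy uses 127.0.1.69, which a 127.0.0.1-only rule never covers."""
    return "Loopback" if flow.src in LOOPBACK or flow.dst in LOOPBACK else "Wired"


# Assumed adapter inventory: the wired NIC has the corporate suffix, loopback has none.
ADAPTER_DNS_SUFFIX = {"Wired": "domain.name", "Loopback": None}


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "block"
    remote: ipaddress.IPv4Network       # destination network the rule covers
    dns_suffix: Optional[str] = None    # set => rule lives in a CAG keyed on that suffix
    isolate: bool = False               # CAG connection isolation enabled


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; implicit deny at the end of the policy."""
    suffix = ADAPTER_DNS_SUFFIX[adapter_for(flow)]
    for rule in policy:
        if rule.dns_suffix is not None:
            if suffix == rule.dns_suffix:
                if flow.dst in rule.remote:
                    return rule.action, rule.name
            elif rule.isolate and rule.dns_suffix in ADAPTER_DNS_SUFFIX.values():
                # The group matched on another adapter; isolation blocks everything
                # on adapters that did not match, and loopback never matches a suffix.
                return "block", rule.name
            continue
        if flow.dst in rule.remote:
            return rule.action, rule.name
    return "block", "implicit deny"


CAG = Rule("Corporate - Internal", "allow", ipaddress.ip_network("10.0.0.0/8"),
           dns_suffix="domain.name", isolate=True)
LOCALHOST_ONLY = Rule("Allow Loopback", "allow", ipaddress.ip_network("127.0.0.1/32"))
LOOPBACK_ALL = Rule("Allow non-standard loopback", "allow", LOOPBACK)

POLICY_BEFORE = [LOCALHOST_ONLY, CAG]                # what the original poster had
POLICY_AFTER = [LOCALHOST_ONLY, LOOPBACK_ALL, CAG]   # the fix from reply 2, above the CAG

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        flow = parse_message(msg)
        print(flow.dst, flow.dport, "before:", evaluate(POLICY_BEFORE, flow),
              "after:", evaluate(POLICY_AFTER, flow))
```

The model reproduces the thread's log entry: with only a 127.0.0.1 rule above the CAG, the 127.0.0.1 to 127.0.1.69 flow falls through to the isolating group and is blocked with "Corporate - Internal" as the matched rule, while the console flow to 10.x on port 6800 is allowed. Adding a 127.0.0.0/8 allow rule ahead of the group is what lets the SAM proxy flow through without touching the group's criteria.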