
SSL being blocked on Mac?

ssl mac

8 replies to this topic

#1 Phil Rudich

Phil Rudich
  • Members
  • 12 posts

Posted 29 January 2014 - 02:59 PM

Hello,

We have a new user who has a MacBook and whenever he attempts to access our RDP client setup, he's getting the following error and then the system doesn't allow him to go any further.

 

/Users/<username>/.sslvpn/applications/sslexplorer-agent/device-config-agent

 

We've tried reinstalling Java which did not work. He may have some Symantec security tools or a virus program on the machine that could potentially be blocking the Java applet from running, but since it's his personal machine, I'm reluctant to play with it too much longer.

 

Has anyone come across this error and a resolution?

 

Thanks,

Phil



#2 John Thomas

John Thomas
  • Members
  • 1 posts

Posted 29 January 2014 - 03:06 PM

Yes, I have seen that also for users on the new Mac OSX Mavericks. Here is a document I created for my users to solve that issue. I made changes by removing my VPN web address. Be sure to have them use the correct web address for your VPN webpage.

 

1.    Go to http://www.microsoft.com/en-us/download/confirmation.aspx?id=18140 and download and install the Microsoft Remote Desktop Client for Mac. *Note: the install may require special steps, depending on the security settings of your Mac. (Click on the little question mark in the lower left of any popup window after trying to install to learn how to install third-party apps. It usually involves opening the file from Finder and holding the CONTROL key down while clicking and selecting Open.) Once it properly installs the app, continue to the next step.

2.    Go to http://www.java.com/ and download and install the latest Java update for Mac.

3.    Restart your Mac.

4.    Open Safari and go to <VPN webpage> and log in. 

5.    Go to the SAFARI>PREFERENCES menu from the Dynamic Top Bar on your Mac desktop. 

6.    From the Preferences windows, go to the Security tab. 

7.    Ensure the check box is checked for Allow Plug-ins next to Internet plug-ins. Then click on the Manage Website Settings… button.

8.    Ensure Java is highlighted on the left side, and then make sure <VPN website address> shows up in the Current Open Websites. Select Allow Always in the drop-down box to the right of <VPN website address>. Click the drop-down box again and select Run in Unsafe Mode. A popup window will pop up, click Trust. Click Done.

9.    Now you can select any of the Mac 2 connections from the VPN page and it should now load Java properly and open the remote desktop connection for the resource you selected.



#3 Gavin Chappell

Gavin Chappell
  • Moderators
  • 434 posts
  • Location: Nottingham, UK

Posted 29 January 2014 - 03:07 PM

This is a known issue with recent versions of Java and Safari, in order to provide extra security. The key is to allow Java on your user's laptop to run in "unsafe mode" for your SSL VPN:

 

Open Safari preferences

Go to the Security tab

Click the "Manage plugins" button at the bottom of the window

In the list on the left, click Java

In the list on the right hand side, find the hostname of the SSL VPN device. This should currently say "Allow" or similar in a drop down menu.

Open the drop down menu and select "Run in Unsafe mode"

Click OK/Done to get all the way out of the preferences

 

This is required for the SSL VPN Agent to have access to the filesystem on the computer in order to download its components and any other applications that may be required.



#4 Phil Rudich

Phil Rudich
  • Members
  • 12 posts

Posted 29 January 2014 - 04:22 PM

Thanks guys. I'll give these a try!



#5 Luke Rockwell

Luke Rockwell
  • Members
  • 1 posts

Posted 07 April 2014 - 06:30 PM

This no longer works with Safari Update Version 7.0.3 (9537.75.14)

 

Grrrr



#6 Gavin Chappell

Gavin Chappell
  • Moderators
  • 434 posts
  • Location: Nottingham, UK

Posted 08 April 2014 - 04:50 AM

I'm afraid I have to disagree, Luke. I upgraded our office Mac (running Mavericks) to Safari 7.0.3 this morning and although I found it had blanked my trusted sites list (which I'm sure contained several dev/test VPNs before) I had no problem re-trusting them and then allowing them to run in Unsafe Mode again.



#7 Shane Ley

Shane Ley
  • Members
  • 2 posts

Posted 09 April 2014 - 07:21 PM

Would it not be possible to work within the constraints of the sandbox and write files to a temporary location in the event that the Java plugin is being loaded within a sandbox, as other applets are:

 

// If the home directory cannot be listed (sandboxed plugin), fall back to the temp directory
if (new File(System.getProperty("user.home")).listFiles() == null) {
    System.setProperty("user.home", System.getProperty("java.io.tmpdir"));
}
 

The specifics of the sandbox weren't easy to find on google, so for your reference, here is the file ( com.oracle.java.JavaAppletPlugin.sb from the Webkit project source ) that shows the sandbox constraints: https://trac.webkit.org/browser/trunk/Source/WebKit2/Resources/PlugInSandboxProfiles/com.oracle.java.JavaAppletPlugin.sb

 

I think something along the lines of the above would greatly improve user-friendliness.
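
Added example (not part of the post above and not the SSL VPN agent's own code): one way to apply the fallback suggested in post #7 without overwriting `user.home` for the whole JVM, by resolving a working directory once and giving the temp-directory fallback owner-only permissions. The class name `AgentDirResolver` and the application name `example-agent` are hypothetical, and it assumes a POSIX filesystem (as on macOS) and that `java.io.tmpdir` is writable inside the sandbox.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class AgentDirResolver {

    /** True when the home directory can be both listed and written to. */
    static boolean homeIsUsable(File home) {
        // listFiles() returns null when the directory cannot be read,
        // which is the sandbox symptom the post tests for.
        return home.listFiles() != null && Files.isWritable(home.toPath());
    }

    /**
     * Returns a directory the applet can write to: a dot-directory under the
     * home directory when that is reachable, otherwise a freshly created
     * private directory under java.io.tmpdir.
     */
    static Path resolve(String homeProp, String appName) throws IOException {
        // Owner-only permissions: the temp directory is shared between local
        // users, so downloaded components must not be writable by anyone else.
        Set<PosixFilePermission> perms = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(perms);

        File home = new File(homeProp);
        if (homeIsUsable(home)) {
            // No-op if the directory already exists; permissions apply on creation.
            return Files.createDirectories(home.toPath().resolve("." + appName), ownerOnly);
        }
        // Sandboxed: createTempDirectory picks an unpredictable name, so a
        // pre-planted directory or symlink cannot be substituted for it.
        return Files.createTempDirectory(appName + "-", ownerOnly);
    }

    public static void main(String[] args) throws IOException {
        // "example-agent" is a placeholder application name.
        Path dir = resolve(System.getProperty("user.home"), "example-agent");
        System.out.println("Agent working directory: " + dir);
    }
}
```

Files placed in the temp-directory fallback do not persist outside the sandbox, so this covers only transient downloads, not the persistent components discussed in the next reply.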



#8 Gavin Chappell

Gavin Chappell
  • Moderators
  • 434 posts
  • Location: Nottingham, UK

Posted 11 April 2014 - 10:39 AM

Shane, that looks like it could be a useful post. It's not necessarily that simple as there are things that we need to persist outside of a sandboxed environment in order to be able to run them via the agent to manipulate the OS (things like Device Configuration and the installers for IPsec and PPTP spring to mind), but you're right that it would be nice to get a better solution to this if possible.



#9 Chuck McEwen

Chuck McEwen
  • Members
  • 2 posts

Posted 13 June 2014 - 09:45 AM

Following these directions worked like a charm for Safari 7.0.4 with Java 1.7u60

Thanks so much!