Juniper Host Checker (tncc.jar)

The Host Checker mechanism is a security scanner for Juniper VPNs, in the same vein as Cisco's CSD and GlobalProtect's HIP. It is also used by the Pulse Secure protocol, but support for running it with the Pulse protocol is not yet included in OpenConnect.

Background

Many sites require a Java applet to run certain tests on the client as a precondition of authentication. The server sends a DSPREAUTH cookie to the client that is attempting to authenticate; the Java code in tncc.jar then runs, communicates with the server, and hands back a new value for the DSPREAUTH cookie to be used when authentication continues.

This Java applet is a black-box binary provided by a server outside of the client's control, and therefore has similar security concerns to Cisco's CSD trojan.

TNCC support in OpenConnect

OpenConnect supports running the Java binary, or emulating its behaviour, by passing the --csd-wrapper=SCRIPT argument, where SCRIPT is an executable script (the same option used for Cisco's CSD).

The OpenConnect distribution includes two alternative scripts to support the execution or emulation of Host Checker, in the trojans/ subdirectory: one that runs the tncc.jar provided by the server, and one that emulates its behaviour.

With either of these scripts, it may also be necessary to pass a Mozilla-compatible user agent string:

  ./openconnect --protocol=nc --useragent 'Mozilla/5.0 (Linux) Firefox' --csd-wrapper=trojans/tncc-wrapper.py vpn.example.com
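The cookie handoff described in the Background section, and the wrapper invocation described above, as an added example that is not OpenConnect's own code or the Juniper applet's: a client extracts the server-issued DSPREAUTH cookie, hands it to an external Host Checker wrapper, and carries the replacement value into the request that resumes authentication. The wrapper calling convention used here (cookie passed in an environment variable named HC_DSPREAUTH, replacement value read from the first line of stdout) and the stand-in wrapper script are assumptions made for illustration, not OpenConnect's documented interface. Because the real wrapper runs a server-supplied black box, its output is treated as untrusted input and checked before it is reused as a cookie.

```python
"""Client-side DSPREAUTH handoff to an external Host Checker wrapper.

Added example, not code from OpenConnect or Juniper.  ASSUMPTIONS: the
wrapper receives the current cookie in the environment variable
HC_DSPREAUTH and prints the replacement value as the first line of stdout.
"""
import os
import re
import stat
import subprocess
import tempfile
from http.cookies import SimpleCookie

COOKIE_NAME = "DSPREAUTH"
# Hypothetical environment variable used to pass the cookie to the wrapper.
WRAPPER_ENV_VAR = "HC_DSPREAUTH"
# Conservative whitelist for what a returned cookie may look like: the
# wrapper executes a server-supplied binary, so its output is untrusted.
COOKIE_VALUE_RE = re.compile(r"^[A-Za-z0-9+/=_.-]{1,4096}$")


def extract_preauth_cookie(set_cookie_headers):
    """Return the DSPREAUTH value from a list of Set-Cookie header values, or None."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if COOKIE_NAME in jar:
            return jar[COOKIE_NAME].value
    return None


def run_host_checker(wrapper_path, dspreauth, timeout=60):
    """Run the wrapper with the current cookie and return the new DSPREAUTH value.

    Raises RuntimeError if the wrapper fails, hangs past the timeout, or prints
    something that does not look like a cookie value.
    """
    env = dict(os.environ, **{WRAPPER_ENV_VAR: dspreauth})
    try:
        proc = subprocess.run([wrapper_path], env=env, capture_output=True,
                              text=True, timeout=timeout, check=False)
    except subprocess.TimeoutExpired as e:
        raise RuntimeError("host checker wrapper timed out") from e
    if proc.returncode != 0:
        raise RuntimeError(f"wrapper exited {proc.returncode}: {proc.stderr.strip()}")
    new_value = proc.stdout.split("\n", 1)[0].strip()
    if not COOKIE_VALUE_RE.match(new_value):
        raise RuntimeError("wrapper returned an implausible cookie value")
    return new_value


def continue_auth_cookie_header(set_cookie_headers, wrapper_path):
    """Build the Cookie header for the request that resumes authentication."""
    current = extract_preauth_cookie(set_cookie_headers)
    if current is None:
        raise RuntimeError("server did not issue a DSPREAUTH cookie")
    updated = run_host_checker(wrapper_path, current)
    return f"{COOKIE_NAME}={updated}"


def make_demo_wrapper():
    """Write a stand-in wrapper script (constructed for this example) and return its path.

    A real wrapper would run or emulate tncc.jar and talk to the VPN server;
    this one derives a new value from its input so the flow runs offline.
    """
    script = "#!/bin/sh\n" + 'printf "%s-checked\\n" "$' + WRAPPER_ENV_VAR + '"\n'
    fd, path = tempfile.mkstemp(prefix="hc-wrapper-", suffix=".sh")
    with os.fdopen(fd, "w") as f:
        f.write(script)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


if __name__ == "__main__":
    # Constructed sample of the Set-Cookie headers a preauth response might carry.
    headers = ["DSPREAUTH=abc123; path=/; secure; HttpOnly",
               "DSSIGNIN=url_default; path=/"]
    print(continue_auth_cookie_header(headers, make_demo_wrapper()))
```

The timeout and the value whitelist are the two checks worth keeping when adapting this: a server-controlled applet that hangs or emits arbitrary bytes should fail the connection rather than feed those bytes back into the client's cookie jar.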