Juniper Host Checker (tncc.jar)

The Host Checker mechanism is a security scanner for Juniper VPNs, in the same vein as Cisco's CSD and GlobalProtect's HIP. It is also used by the Pulse Secure protocol, but support for it in Pulse mode is not included in OpenConnect yet.

Background

Many sites require a Java applet to run certain tests as a precondition of authentication. The server sends a DSPREAUTH cookie to the client that is attempting to authenticate; the Java code in tncc.jar then runs, communicates with the server, and hands back a new value for the DSPREAUTH cookie to be used when authentication continues.

This Java applet is a black-box binary provided by a server outside of the client's control, and therefore has similar security concerns to Cisco's CSD trojan.

TNCC support in OpenConnect

OpenConnect supports running the tncc.jar binary with a little assistance. A Python wrapper script, tncc-wrapper.py, is provided in the trojans/ subdirectory of the OpenConnect distribution. It can be used along with the tncc-preload.so from the juniper-vpn-py repository. It may also be necessary to pass a Mozilla-compatible user agent string:

  ./openconnect --protocol=nc --useragent 'Mozilla/5.0 (Linux) Firefox' --csd-wrapper=trojans/tncc-wrapper.py vpn.example.com

Because of the security dangers of executing a server-provided trojan binary, this script should ideally be executed with the permissions of a low-privilege user (e.g. --csd-user=nobody).

Alternatively, the juniper-vpn-py project provides a tncc.py which emulates the behaviour of the tncc.jar binary, rather than actually executing it. Because this script does not actually execute a server-provided binary, security concerns are greatly alleviated. However, this alternative script may require customization to work with VPNs that have modified the behaviour of their Host Checker binaries in some way.