Configuring Location Awareness Rules for Pulse Secure Client

The location awareness feature enables a Pulse Secure client to recognize its location and then make the correct connection. For example, you can define rules so that a Pulse client that is started in a remote location automatically establishes a VPN connection to Pulse Connect Secure, and then that same client automatically connects to Pulse Policy Secure when it is started in the corporate office. If Pulse detects that it is connected to the corporate LAN and it already has a VPN connection (for example, the VPN connection was suspended when the computer was put into hibernation), it first discovers that the VPN location awareness rules are no longer true, disconnects that VPN connection, and then evaluates the location awareness rules for the other configured connections.

Location awareness relies on rules you define for each Pulse connection. If the conditions specified in the rules resolve to TRUE, Pulse attempts to make the connection. If the conditions specified in the rules do not resolve to TRUE, Pulse tries the next connection. To set up the location awareness rules that select among many connections, you must define location awareness rules for each connection. Each location awareness rule is based on the endpoint’s ability to reach an IP address or resolve a DNS name over a specified network interface.

The following location awareness example includes two connections. Each connection is configured to connect to only one target server. The first connection is a Pulse Policy Secure connection that resolves to TRUE when the endpoint is connected to the corporate LAN. The second connection is a Pulse Connect Secure connection that resolves to TRUE when the endpoint is located in a remote location. If Pulse detects that it is connected to the corporate LAN and it already has a VPN connection, it disconnects that VPN connection.

Pulse Policy Secure connection

If the DNS server that is reachable on the endpoint’s physical network interface is one of your organization’s internal DNS servers, then establish the connection.

Pulse Connect Secure connection

If the DNS server that is reachable on the endpoint’s physical network interface is not one of your organization’s internal DNS servers, and the DNS name of your Pulse Connect Secure device resolves to the external facing IP address of the Pulse Connect Secure device, then establish the connection.

Note: Connections can be set to manual, automatic, or controlled by location awareness rules. When the user logs in, the Pulse client attempts every connection in its connections list that is set to automatic or controlled by location awareness rules.

Note: To create a negative location awareness rule, you first create the positive state and then use rule requirement logic to use the rule as a negative condition.
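The two-connection example above, together with the note on building a negative condition from a positive rule, as a runnable simulation. This is an added example and not Pulse client code: the evaluation order (drop an active connection whose rules no longer hold, then try connections in list order) follows the text; the internal DNS range 10.0.0.0/8, the host name vpn.example.com, the external address 203.0.113.10, the per-interface DNS server lists and the resolver answers are all constructed assumptions.

```python
"""Simulation of Pulse location awareness rule evaluation (added example, not Pulse code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional


@dataclass
class EndpointState:
    """Constructed view of the endpoint: DNS servers configured per interface,
    what names resolve to over the physical interface, and the active connection."""
    dns_servers: Dict[str, List[str]]
    resolver: Dict[str, str]
    active: Optional[str] = None


@dataclass
class Rule:
    name: str
    check: Callable[[EndpointState], bool]


def dns_server_in(networks: List[str], interface: str = "physical") -> Callable[[EndpointState], bool]:
    """Rule body: a DNS server reachable on `interface` lies inside one of `networks`."""
    nets = [ip_network(n) for n in networks]
    return lambda s: any(ip_address(srv) in net
                         for srv in s.dns_servers.get(interface, [])
                         for net in nets)


def resolves_to(host: str, expected_ip: str) -> Callable[[EndpointState], bool]:
    """Rule body: `host` resolves to `expected_ip` over the physical interface."""
    return lambda s: s.resolver.get(host) == expected_ip


@dataclass
class Connection:
    name: str
    rules: List[Rule]
    enforce: str = "all"          # "all", "any" or "custom"
    custom: Optional[Callable[[Dict[str, bool]], bool]] = None

    def rules_true(self, state: EndpointState) -> bool:
        results = {r.name: r.check(state) for r in self.rules}
        if self.enforce == "all":
            return all(results.values())
        if self.enforce == "any":
            return any(results.values())
        return bool(self.custom(results))   # custom logic may negate a positive rule


def evaluate(connections: List[Connection], state: EndpointState) -> List[str]:
    """An active connection whose rules no longer hold is disconnected first; then
    connections are tried in list order and the first whose rules are TRUE is made."""
    events: List[str] = []
    if state.active is not None:
        current = next(c for c in connections if c.name == state.active)
        if current.rules_true(state):
            return [f"keep {current.name}"]
        events.append(f"disconnect {current.name}")
        state.active = None
    for conn in connections:
        if conn.rules_true(state):
            state.active = conn.name
            events.append(f"connect {conn.name}")
            return events
    events.append("no connection")
    return events


# Assumed values for the example (not from the original page).
INTERNAL_DNS = ["10.0.0.0/8"]
PCS_HOST = "vpn.example.com"
PCS_EXTERNAL_IP = "203.0.113.10"

internal_dns = Rule("internal-dns", dns_server_in(INTERNAL_DNS))
pcs_external = Rule("pcs-external", resolves_to(PCS_HOST, PCS_EXTERNAL_IP))

CONNECTIONS = [
    # Policy Secure: connect when the physical interface's DNS server is internal.
    Connection("Pulse Policy Secure", [internal_dns]),
    # Connect Secure: the positive rule "internal-dns" is reused and negated in custom logic.
    Connection("Pulse Connect Secure", [internal_dns, pcs_external], enforce="custom",
               custom=lambda r: (not r["internal-dns"]) and r["pcs-external"]),
]


def corporate_lan(active: Optional[str] = None) -> EndpointState:
    # Constructed: internal resolver, split DNS answers an internal address for the PCS name.
    return EndpointState({"physical": ["10.1.1.53"]}, {PCS_HOST: "10.1.1.20"}, active)


def remote(active: Optional[str] = None) -> EndpointState:
    # Constructed: home router DNS, public answer for the PCS name.
    return EndpointState({"physical": ["192.168.1.1"]}, {PCS_HOST: PCS_EXTERNAL_IP}, active)


def no_resolution() -> EndpointState:
    # Constructed: non-internal DNS and the PCS name does not resolve at all.
    return EndpointState({"physical": ["192.168.1.1"]}, {})


if __name__ == "__main__":
    print(evaluate(CONNECTIONS, corporate_lan()))
    print(evaluate(CONNECTIONS, remote()))
    # Laptop resumed on the LAN with the VPN still up: VPN dropped, then PPS connected.
    print(evaluate(CONNECTIONS, corporate_lan(active="Pulse Connect Secure")))
```

The resume-from-hibernation case is the one worth watching: the active Connect Secure entry is re-evaluated before any other connection is tried, and only once it is disconnected does the Policy Secure entry get its turn.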

To configure location awareness rules:

  1. If you have not already done so, create a connection or open an existing connection.

You can configure location awareness rules for SRX connections and Connect Secure or Policy Secure (L3) connections. Location awareness rules do not apply to UAC (802.1X) connections.

  2. Click the Mode list, and then select one of the options: User, Machine, or Machine or user.
  3. If you selected User as the Mode, under Options, select Connect automatically. If you selected Machine or Machine or user, Connect automatically is enabled by default.
  4. Under Location awareness rules, click New.

Alternatively, you can select the check box next to an existing rule, and then click Duplicate to create a new rule that is based on an existing rule.

  5. Specify a name and description for the rule.
  6. In the Action list, select one of the following:

Note: The Pulse client software evaluates IP and DNS policies on network interface changes. DNS lookups occur on DNS configuration changes or when the time-to-live setting (10 minutes) expires for a particular host record. If Pulse cannot resolve the host for any reason, it polls the configured DNS server list every 30 seconds. If the host had been resolved successfully previously and the time-to-live timer has not expired, the polling continues until the timer expires. If the host had not been resolved successfully previously, the resolution attempt fails immediately.

  7. Click Save Changes.

After you create the rule or rules, you must enable each rule you want to use for the connection. To enable a negative form of a rule, use a custom version of the rule. To enable location awareness rules:

  1. In the list of location awareness rules for a connection, select the check box next to each rule you want to enable.
  2. To specify how to enforce the selected location awareness rules, select one of the following options:
  3. Click Save Changes.
