Pulse Secure Connection Set Options
The following items apply to all connections in a connection set.
- Allow saving logon information—Controls whether the Save Settings check box is available in login dialog boxes in the Pulse client. If you clear this check box, the Pulse client always requires users to provide credentials. If you select this check box, users have the option of saving their credentials.
The Pulse Secure client can retain learned user settings. These settings are retained securely on the endpoint, evolving as the user connects through different Pulse servers. The Pulse Secure client can save the following settings:
- Certificate acceptance
- Certificate selection
- Realm
- Username and password
- Proxy username and password
- Secondary username and password
- Role
Note: If the authentication server is an ACE server or a RADIUS server and authentication is set to Users authenticate using tokens or one-time passwords, Pulse ignores the Allow saving logon information option. The user sees a username and token prompt, and the Save settings check box is disabled. Pulse supports soft token, hard token, and smart card authentication.
Note: In 5.2R5, the Pulse Secure desktop client introduced two new features to improve the end-user experience during certificate authentication. The administrative console option to configure these features is now available in 5.3R2. These features provide the following:
- Improved automatic certificate-selection algorithm
- Ability to prefer smart-card certificates over other certificates
Figure 42 Client Certificate Selection Option
When a user opts to save settings, that information is used for each subsequent connection without prompting. If a setting changes (for example, if a user changes a password), the saved setting is invalid and connection attempts fail. In this case, the user must use the client’s Forget Saved Settings feature, which clears all user-saved settings.
- Allow user connections—Controls whether connections can be added by the user.
- Always-on Pulse Client—Prevents end users from circumventing Pulse connections. This option disables all configuration settings that allow the end user to disable or remove Pulse connections, service, or software. For more details, refer to Always-on VPN.
Note: Checking the “Always-on Pulse Client” option does not prevent end users with administrative privileges from stopping the Pulse Secure service on the endpoint device. Create a group policy object (GPO) to prevent users from disabling the Pulse Secure service. For more details on how to create GPOs, refer to the article on Microsoft’s website.
Figure 43 Pulse Secure Connection Set Options
- VPN only access—When the Pulse client connects to a Pulse Connect Secure server that has lock-down mode enabled, the client enables lock-down mode and blocks network access if the VPN is not in the connected state.
When the VPN only access option is enabled, the Enable captive portal detection and Enable embedded browser for captive portal options are automatically checked and cannot be edited.
- Display splash screen—Clear this check box to hide the Pulse splash screen that normally appears when the Pulse client starts.
- Dynamic certificate trust—Determines whether users can opt to trust unknown certificates. If you select this check box, a user can ignore warnings about invalid certificates and connect to the target Pulse server.
- Dynamic connections—Allows connections within this connection set to be automatically updated or added to a Pulse Secure client when the user connects to the Pulse server through the user Web portal, and then starts Pulse through the Web portal interface. Dynamic connections are created as manual rather than automatic connections, which means that they are run only when the user initiates the connection or the user browses to a Pulse server and launches Pulse from the server’s Web interface.
If dynamic connections are disabled, and the user logs in through the Web portal of a Pulse server that is not already included in the Pulse client’s connection set, then starting Pulse from the Web portal does not add a new Pulse connection for that Pulse server. If you choose to disable dynamic connections, you can still allow users to manually create connections by enabling Allow User Connections.
- Enable captive portal detection—Enable this option to detect the presence of a captive portal hotspot. It can be applied only to Pulse Connect Secure and Pulse Policy Secure (L3) connections.
- Enable embedded browser for captive portal—When enabled, Pulse uses an embedded web browser that the end user can use to traverse captive portal pages and gain network connectivity for establishing a VPN connection. This applies only when captive portal detection is enabled.
- Enable embedded browser for authentication—When enabled, Pulse uses an embedded browser for web authentication rather than an external browser.
- FIPS mode enabled—Enable FIPS mode communications for all Pulse connections in the connection set. The Federal Information Processing Standard (FIPS) defines secure communications for the U.S. government. When a Pulse connection is operating in FIPS mode, FIPS On appears in the lower corner of the Pulse client interface. If the Pulse server hardware does not support FIPS mode operations, FIPS mode configuration options are not present in the admin console interface. FIPS mode operations are supported on PSA-V Series Pulse Secure Gateways and some SA series appliances. The device must be running Pulse Policy Secure R5.0 or later or Pulse Connect Secure R8.0 or later.
Note: Users cannot enable FIPS mode from within the Pulse client. You must create FIPS-enabled connections on the server and deploy them.
- Prevent caching smart card PIN—Select this option to prevent smart card PIN values from being cached. This feature is applicable only to Windows.
- Wireless suppression—Disables wireless access when a wired connection is available. If the wired connection is removed, Pulse enables the wireless connections with the following properties:
  - Connect even if the network is not broadcasting.
  - Authenticate as computer when computer information is available.
  - Connect when this network is in range.
Note: Wireless suppression occurs only when the wired connection is connected and authorized. If you enable wireless suppression, be sure to also configure a connection that enables the client to connect through a wired connection.
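Several of the options above override or depend on one another. The following added example (not Pulse Secure code, and not a Pulse file format or API) resolves those interactions for a planned connection set and lists the settings an administrator would want to review before deployment. All field names are hypothetical labels for the options described on this page.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ConnectionSet:
    # Hypothetical field names standing in for the admin console options.
    allow_saving_logon: bool = False
    always_on: bool = False
    vpn_only_access: bool = False
    dynamic_certificate_trust: bool = False
    captive_portal_detection: bool = False
    embedded_browser_captive_portal: bool = False
    wireless_suppression: bool = False
    token_or_otp_auth: bool = False  # ACE/RADIUS server using tokens or OTPs
    wired_connection_configured: bool = False
    service_stop_blocked_by_gpo: bool = False


def effective(cs):
    """Apply the option interactions described on this page."""
    if cs.vpn_only_access:
        # VPN only access checks and locks both captive portal options.
        cs = replace(cs, captive_portal_detection=True,
                     embedded_browser_captive_portal=True)
    if not cs.captive_portal_detection:
        # The embedded captive portal browser applies only with detection on.
        cs = replace(cs, embedded_browser_captive_portal=False)
    if cs.token_or_otp_auth:
        # Allow saving logon information is ignored for token/OTP authentication.
        cs = replace(cs, allow_saving_logon=False)
    return cs


def review(cs):
    """Return the settings worth a second look, after resolving interactions."""
    eff, findings = effective(cs), []
    if eff.dynamic_certificate_trust:
        findings.append("users can ignore invalid-certificate warnings")
    if eff.allow_saving_logon:
        findings.append("credentials can be saved on the endpoint")
    if eff.always_on and not eff.service_stop_blocked_by_gpo:
        findings.append("local administrators can still stop the Pulse service")
    if eff.wireless_suppression and not eff.wired_connection_configured:
        findings.append("wireless suppression without a wired connection")
    return findings


# Constructed sample connection set, not taken from a real deployment.
SAMPLE = ConnectionSet(allow_saving_logon=True, always_on=True,
                       vpn_only_access=True, dynamic_certificate_trust=True,
                       wireless_suppression=True, token_or_otp_auth=True)
```

For the constructed sample, the saved-credentials finding is absent because token or one-time password authentication overrides Allow saving logon information.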