Overview of Pulse Secure Desktop Client

This chapter contains the following sections:

Introducing Pulse Secure Desktop Client

Pulse Client and Software Defined Perimeter (SDP)

Pulse Client Configuration Overview

Pulse Client Status Icons

Installation Requirements

Pulse Client Error Messages Overview

Accessing Pulse Client Error Messages on macOS Endpoints

Pulse Client Log Files

Deleting Pulse Client Log Files

Uploading Pulse Client Log Files

Migrating from Odyssey Access Client to Pulse Client

Migrating from Network Connect to Pulse Client

Predictable Pulse Secure Server Hostname Resolution with IPv6

Introducing Pulse Secure Desktop Client

Pulse Secure Desktop Client (Pulse Client) is an extensible multi-service network client that supports integrated connectivity and secure location-aware network access. Pulse Client simplifies the user experience by letting the network administrator configure, deploy, and control the Pulse Client software and the Pulse Client connection configurations that reside on the endpoint.

The Pulse Secure suite comprises client and server software. The client enables secure authenticated network connections to protected resources and services over local and wide area networks. The Pulse Client software can connect with Pulse Connect Secure to provide remote access to enterprise and service provider networks. Pulse Client also delivers secure, identity-enabled network access control (NAC) for LAN-based network and application access when it is deployed with Pulse Policy Secure. Pulse Client also integrates with Pulse Collaboration Suite for online meeting services.

Users of mobile devices (smart phones and tablets) can install the Pulse Secure Client for Mobile Devices (Pulse Mobile Client) app from the respective app stores for secure connectivity to Pulse Connect Secure. Windows 8.1 (Pro and RT) introduced a Pulse Secure VPN client as part of the operating system.

Pulse Client for Windows

The Pulse Client for Windows user interface (see Figure 1) lists the deployed Pulse Client connections. Each connection is a set of properties that enables network access through a specific Pulse Secure server. The user can expand a connection to see more details about the connection.

From release 5.3R2, Pulse Client first attempts to connect to the PSA device through the proxy and then tries connecting directly if that attempt fails.

VPN Connection Details

To view the VPN connection details:

1. Click the VPN connection to select it.

2. Click File > Connections. Refer to the following figure.

Figure 1: Pulse Secure Client for Windows - VPN Connection Details

To view the Advanced Connection Details dialog:

1. Click the VPN connection to select it.

2. Click File > Connections > Advanced Connection Details.

The connection detail information is not updated automatically. For example, the session time remaining shows how much time remains when you open the dialog. To update advanced detail information, click Refresh or click the check box labeled automatically refresh.

Figure 2: Advanced Connection Details - VPN

The Advanced Connection Details window gives the following information (field name: description):

Session time remaining: The duration that the current VPN session will remain active before credentials must be re-entered or the session is manually extended.

Session Duration

Tunnel type: Indicates that the connection is a VPN tunnel.

VPN type: The protocol used to create the tunnel (SSL or ESP).

Assigned IPv4: The IPv4 address assigned to the Pulse virtual adapter.

Bytes in: Number of bytes received through the tunnel.

Bytes out: Number of bytes sent through the tunnel.

Connection Source: Describes how Pulse Client received the connection entry. If the value is Preconfigured, the connection entry came from a connection set that was downloaded from a gateway. If the value is Dynamic, the connection entry resulted from launching Pulse Client by connecting a web browser to a Pulse Secure gateway and clicking the "Start" button on the web page.

PSAM Connection Details

To view the PSAM connection details:

1. Click the connection to select it.

2. Click File > Connections. Refer to the following figure.

Figure 3: Pulse Secure Client for Windows - PSAM Connection Details

To view the Advanced Connection Details dialog:

1. Click the connection to select it.

2. Click File > Connections > Advanced Connection Details.

The connection detail information is not updated automatically. For example, the session time remaining shows how much time remains when you open the dialog. To update advanced detail information, click Refresh or click the check box labeled automatically refresh.

Figure 4: Advanced Connection Details - PSAM

The Advanced Connection Details window gives the following information (field name: description):

Session time remaining: The duration that the current VPN session will remain active before credentials must be re-entered or the session is manually extended.

Session Duration

Tunnel type: Indicates that the connection is a port/application mapping through SAM (Secure Access Manager).

VPN type: The protocol used to create the tunnel (SSL or ESP).

Bytes in: Number of bytes received through the tunnel.

Bytes out: Number of bytes sent through the tunnel.

To view the Application Details:

1. Click the PSAM connection to select it.

2. Click File > Connections > Application Details. Refer to the following figure.

Figure 5: Advanced Connection Details - PSAM

Pulse Client also displays a system tray icon that shows connection status, lets the user connect and disconnect, and provides quick access to the program interface. One tray icon provides status for all active connections.

Typically, the network administrator defines and deploys the Pulse Client connections but you can also enable users to define, edit, and remove their own connections.

Table 1: Pulse Client for Windows Connection Status (indicator: description)

Connected icon: Connected.

Connecting icon: Connecting.

Limited icon: Connected with limitations.

Failed icon: Connection attempt failed.

Suspended icon: Connection suspended.

No Internet icon: Connected to the local network but no Internet access available. Public WiFi locations often deploy a captive portal that requires the user to enter authentication information or to accept terms of service before network access is granted. Pulse Client detects the presence of captive portals and does not initiate a connection to a Pulse Secure server until Internet access is granted.

Pulse Client supports the Federal Information Processing Standard (FIPS), which defines secure communication practices for the U.S. government. If FIPS is enabled on the endpoint, "FIPS On" appears near the bottom of the Pulse Client window.

A single system tray icon indicates the status of all active Pulse Client connections. You can right-click the system tray icon to control Pulse Client connections, to access Pulse Collaboration Suite meeting functions, to open the Pulse Client interface, or to exit from Pulse Client. The following table shows the connection status indicated by the system tray icon.

Table 2: Connection Status in the System Tray Icon (indicator: description)

No connection icon: No connection.

Connecting icon: Connecting. A connection stays in this state until it fails or succeeds.

Suspended icon: Suspended.

Issues icon: Connected with issues.

Failed icon: Connection failed.

Connected icon: Connected.

No Internet icon: Connected to the local network but no Internet access available. Public WiFi locations often deploy a captive portal that requires the user to enter authentication information or to accept terms of service before network access is granted. Pulse Client detects the presence of captive portals and does not initiate a connection to a Pulse Secure server until Internet access is granted.

Pulse Client for macOS

Pulse Client supports Apple computers running macOS. You deploy Pulse Client to Mac endpoints the same way you deploy the Windows client. Figure 6 shows the Pulse Client for Mac interface.

Figure 6: Pulse Client for Mac Client Interface

Pulse Client for Mac endpoints supports the following:

Connections to Pulse Policy Secure

Connections to Pulse Connect Secure

Pulse Clients connect to the Pulse Connect Secure in SSL fallback mode.

Connections to Juniper Networks SRX Series gateways.

macOS endpoints can connect to SRX Branch series SRX100-SRX650 gateways that are running a Junos OS release between v10.2 and v12.3, and that have dynamic VPN access enabled and configured. SRX gateways do not support deployment of Pulse Client.

Requires Pulse Client for Mac 5.0R3 or later and OS X 10.8 or later.

Pulse Client for Mac connects to the gateway using an IPsec IKEv1 VPN connection.

Pulse Dynamic VPN functionality is compatible with SRX-Branch (SRX100-SRX650) devices only. SRX Data Center (SRX1400-SRX5800 - also called SRX HE or High End) devices do not support Pulse Dynamic VPN from either Windows or Mac clients.

On Pulse Client for macOS, IPsec connections to SRX are unable to use the DNS IP address supplied by the SRX.

Host Checker

Host Checker for macOS supports the following rules and remediation actions:

Port

Process

File

Custom IMC

Enable Custom Instructions

Kill Processes

Delete Files

Send reason strings

User Experience

From the user perspective, Pulse Client presents a clean, uncomplicated interface. The user can enter credentials, select a realm, save settings, and accept or reject the server certificate. When you configure the client, you can specify whether to permit end users to modify settings, such as by adding connections.

Security Assertion Markup Language (SAML) Authentication

Pulse Client facilitates SAML authentication for Single Sign-on (SSO) in the following two ways:

The Pulse Client user sees an embedded browser (see Figure 7) if the Enable embedded browser for authentication option is enabled in the Pulse Client Connection Set Options.

Pulse Client closes the embedded browser once the SAML authentication is done.

If the user resizes the embedded browser window, the new size is retained even after the user reconnects to Pulse Client. The window keeps the size the user first selected until the user resizes it again.

Figure 7: SAML Authentication with Embedded Browser

The Pulse Client user sees an external browser (see Figure 8) if the Enable embedded browser for authentication option is disabled in the Pulse Client Connection Set Options.

Figure 8: SAML Authentication (External Browser)

Custom Sign-in Page in Embedded browser

To upload a custom sign-in page for Pulse Client, the admin needs to perform the following steps:

1. Log in to Pulse Connect Secure/Pulse Policy Secure as admin.

2. Go to Authentication > Signing-In > Sign-In Pages > Upload Custom Sign-In Pages.

3. Select the option "Use Custom Page for the Pulse Desktop Client Logon".

Figure 9: Setting "Use Custom Page for the Pulse Desktop Client Logon" in Pulse Connect Secure

Figure 10: Setting "Use Custom Page for the Pulse Desktop Client Logon" in Pulse Policy Secure

4. Click Browse, select the custom sign-in page file, and click Upload Custom Pages.

5. Go to Signing In > Sign-In Policies > New Sign-In Policy to create the new sign-in policy.

6. Under "Sign-In pages", select the uploaded custom page from the drop-down box to associate the custom sign-in page with the sign-in policy.

Figure 11: Associating a Custom Sign-in Page with a Sign-in Policy - Pulse Policy Secure

Pulse Client can open a custom sign-in page in the following two ways:

A Pulse Client user sees an embedded browser (see Figure 12) if the Enable embedded browser for authentication option is enabled in the Pulse Client Connection Set Options for Pulse Connect Secure.

Pulse Client closes the embedded browser once the authentication is done.

If the user resizes the embedded browser window, the new size is retained even after the user reconnects to Pulse Client. The window keeps the size the user first selected until the user resizes it again.

Whenever the user logs in to the custom sign-in URL from Pulse Client, the embedded browser is launched with the uploaded custom sign-in pages.

Figure 12: Custom Sign-In Page Support for Embedded Browser

A Pulse Client user sees an external browser (see Figure 13) if Enable embedded browser for authentication is disabled in Pulse Client Connection Set Options.

Figure 13: Custom Sign-In Page in External Browser

L3 and Pulse SAM Coexistence

L3 and Pulse SAM coexistence (supported on Windows only) enables the user to establish a Layer 3 connection to Pulse Connect Secure and a Pulse SAM connection simultaneously (refer to Figure 14). This feature is available from 9.0R3 onwards.

Figure 14: L3 and Pulse SAM Connection Coexistence

To achieve L3 and PSAM coexistence, Pulse Client must have at least two Pulse Connect Secure connections, one for L3 and one for PSAM. A maximum of three active user connections is allowed at once.

Limitation for L3 and Pulse SAM coexistence:

At any given point, only one L3 and one L4 (PSAM) connection are supported for any user.

With L3 and PSAM coexistence, how a packet is tunneled depends on how the L3 and PSAM tunnels are configured. The following two scenarios are supported.

Scenario-1: PSAM is behind L3

PCS1 has L3 tunnel configuration and PCS2 is behind PCS1.

If a specific set of resources is not accessible on the PCS1 server and must be accessed from the PCS2 server, which is reachable only through the PCS1 server, then additional authentication is needed to access PCS2. Because access to PCS2 is possible only after a connection to PCS1 is made, this is the case of a PSAM tunnel inside the L3 tunnel.

Scenario-2: L3 and PSAM are independent

PCS1 has L3 tunnel configuration and PCS2 has Pulse SAM configuration.

When the L3 connection to Pulse Connect Secure is established, split tunneling should be enabled and the PCS2 IP address excluded from the split tunneling networks.

If a single user needs to access two different sets of resources on PCS1 and PCS2, one set of resources is under PCS1 and the other set is under PCS2.

Because PCS1 and PCS2 are at different locations and the user cannot establish two L3 connections to reach both sets of resources, PSAM provides secure access to the set of resources on PCS2.

L3 based FQDN Split Tunneling feature with PSAM coexistence is not supported.

HVCI Compatibility

Pulse Client for Windows is compatible with Microsoft Windows 10 HVCI settings. Windows 10 HVCI settings are part of Windows Device Guard security features for mitigating cybersecurity threats. When HVCI is enabled, Windows OS performs code integrity checks and allows only secured applications. Pulse Client for Windows is compatible with these settings which would help customers adopt the latest security features of Windows.

Pulse SAM IPv6 Support

Pulse SAM IPv6 support is available for Windows 7, Windows 8.1, and Windows 10.

Internet Protocol Version 6 (IPv6) is the protocol designed to succeed Internet Protocol Version 4 (IPv4). From release 9.1R1 onwards, Pulse SAM (PSAM) supports IPv6 Pulse SAM tunneling alongside IPv4 Pulse SAM tunneling, using a new option for Internet traffic filtering: a Windows Filtering Platform (WFP) driver.

The WFP driver supports both IPv6 and IPv4, whereas the TDI driver supports only IPv4. The WFP driver allows deeper inspection and control of packets by examining or modifying TCP/IP traffic at any layer of the TCP/IP stack.

The administrator can switch from the WFP driver (supporting both IPv6 and IPv4) to the classic TDI driver (supporting IPv4 only) by enabling the fallback mechanism, in case of any issue caused by the WFP driver installation.

Following are the steps to switch from WFP to TDI:

1. Go to Users > User Role.

2. Select the role.

3. Go to SAM > Options. The screen in Figure 15 appears.

4. Select Enable fail-over to TDI for Pulse SAM connection.

Figure 15: Enable fail-over to TDI for Pulse SAM connection

Benefits

Following are the benefits of this feature:

PSAM will be able to filter the traffic from Windows 10 and Windows 8.1 Metro Mode Applications.

PSAM will be able to filter the traffic from Internet Explorer 11 with Enhanced Protected mode.

PSAM will support Dual Stack (both IPv6 and IPv4).

Deployment Scenarios

The following table summarizes the IPv6 in IPv6, IPv4 in IPv6 and IPv6 in IPv4 scenarios:

Table 3: Deployment Scenarios (one row per tunnel type, listing PDC, endpoint, PCS external interface, PCS internal interface, and a description of the connection)

IPv6-in-IPv6 tunnel: PDC is Dual Stack or IPv6 only; endpoint is Dual Stack (IPv6 and IPv4) or IPv6 only; PCS external interface is IPv6; PCS internal interface is Dual Stack or IPv6 only. Description: IPv6 resource on an IPv6 PSAM session.

IPv4-in-IPv6 tunnel: PDC is Dual Stack or IPv6 only; endpoint is Dual Stack (IPv6 and IPv4) or IPv6 only; PCS external interface is IPv6; PCS internal interface is IPv4. Description: IPv4 resource on an IPv6 PSAM session.

IPv6-in-IPv4 tunnel: PDC is Dual Stack or IPv4 only; endpoint is Dual Stack (IPv6 and IPv4) or IPv6 only; PCS external interface is IPv4; PCS internal interface is Dual Stack or IPv4. Description: IPv6 resource on an IPv4 PSAM session.

A Pulse Client 9.0R1 Pulse SAM connection fails with Pulse Connect Secure 9.1R1. For more details, refer to the 9.1R1 Pulse Secure Desktop Client Release Notes on the Pulse Secure website (www.pulsesecure.net).

Location Awareness

The location awareness feature enables you to define connections that are activated automatically based on the location of the endpoint. Pulse Client determines the location of the endpoint by evaluating rules that you define. For example, you can define rules to enable Pulse Client to automatically establish a secure tunnel to the corporate network through Pulse Connect Secure when the user is at home, and to establish a Pulse Policy Secure connection when the user is in the office and connected to the corporate network over the LAN. Pulse Client does not re-establish a VPN tunnel when the endpoint re-enters the trusted/corporate network. Location awareness rules are based on the client's IP address and network interface information.

Centralized Pulse Client Configuration Management

Centralized configuration management is a key feature of Pulse Client. Pulse Client connection sets (the configurations that define how and when a Pulse Client connects), are bound to a particular Pulse Secure server. The binding server is the one that provides the initial configuration to the Pulse Client. For example, if you create a Pulse Client connection set on Server A, and then distribute those connections to endpoints, those clients are bound to Server A.

A bound client is managed by its particular Pulse Secure server. The Pulse Secure administrator defines Pulse Client connections and software components that are installed on the endpoint. When Pulse Client connects to the Pulse Secure server that is managing it, the server automatically provisions configuration and software component updates. The administrator can permit the user to add, remove, and modify connections. The administrator can also allow dynamic connections (connections that are added by Pulse Secure servers when the user logs into the server using a browser). A dynamic connection enables a bound client to add connections from Pulse Secure servers other than the one the client is bound to. Dynamic connections are created as manual rather than automatic connections, which means that they are run only when the user initiates the connection or the user browses to a Pulse Secure server and launches Pulse Client from the server's Web interface. Dynamic connections create the connection with the minimum configuration required to make the connection, which means that the URL used to install or launch Pulse Client from the Pulse Secure server's Web interface is used as the Connection URL and connection name. Binding Pulse Clients to a particular server ensures that the client does not receive different configurations when it accesses other Pulse Secure servers. A bound endpoint receives connection set options and connections from its binding server, but it can have its Pulse Client software upgraded from any Pulse Secure server that has the automatic upgrade option enabled. (SRX gateways do not support Pulse Client software updates.)

Pulse Client can be bound to only one Pulse Secure server connection set at a time. Pulse Client can receive updates and changes to that bound connection set from other Pulse Secure servers only if the connection set is exported from the Pulse Secure server and then imported to another Pulse Secure server.

Pulse Client does not need to be bound to a Pulse Secure server. An unbound client is managed by its user. If Pulse Client software is installed without any connections, the user must add connections manually. Dynamic connections can be added by visiting the Web portals of Pulse Secure servers. An unbound client does not accept configuration updates from any Pulse Secure server.

For a more detailed explanation of the binding process, see Adding a Configuration to a New Pulse Client Installation.

Session Migration

If you configure your access environment to support the Pulse Client session migration feature, users can log in once through a Pulse Secure server on the network, and then securely access additional Pulse Secure servers without needing re-authentication. For example, a user can connect from home through Pulse Connect Secure, and then arrive at work and connect through Pulse Policy Secure without having to log in again. Session migration also enables users to access different resources within the network without repeatedly providing credentials. IF-MAP Federation is required to enable session migration for users.

Smart Connections - List of URLs

Each Pulse Client connection that connects to Pulse Policy Secure or Pulse Connect Secure can be configured with a list of Pulse Secure servers. Pulse Client attempts to connect to each of the servers in the URL list until it succeeds. You can choose one of several modes to control the behavior of a Pulse Client connection that is starting from a disconnected state: start at the top of the list, start with the most recently connected URL, or choose randomly. The random option helps distribute the connection load across different Pulse Secure servers. If a Pulse Client connection that is already established gets disconnected (for example, the wireless connection is interrupted), Pulse Client always tries to connect to the most recently connected URL first. If that connection fails, Pulse Client uses the server list. The Pulse Client user can also choose a connection from the list as shown in Figure 16.

Figure 16: Pulse Client for Windows with a List of Connection URLs
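The following is an added example, not Pulse Secure's own code, that models the URL-list selection behaviour described above: the three start modes for a connection starting from the disconnected state, and the most-recently-connected-first rule when an established connection is interrupted. The mode names, function names and server URLs are constructed for illustration; after the most recent URL fails on a reconnect, the example assumes the list is then used in its configured order.

```python
import random
from typing import Callable, List, Optional

# Connection-start modes for a Pulse Client connection with several server URLs
# (names are constructed for this example; the product's own labels may differ).
START_TOP = "top"               # start at the top of the URL list
START_LAST = "last-connected"   # start with the most recently connected URL
START_RANDOM = "random"         # start at a random URL to spread load across servers


def attempt_order(urls: List[str], mode: str, last_connected: Optional[str],
                  reconnecting: bool, rng: Optional[random.Random] = None) -> List[str]:
    """Return the order in which the servers in `urls` are tried.

    reconnecting=True models an established connection that was interrupted
    (for example, the wireless link dropped): the most recently connected URL
    is always tried first, and only if that fails is the server list used.
    reconnecting=False models a connection starting from the disconnected
    state, where the configured mode decides the starting point.
    """
    if not urls:
        raise ValueError("connection has no server URLs")
    urls = list(urls)
    if reconnecting and last_connected in urls:
        # Most recent URL first, then the rest of the list in configured order
        # (the text says only that "the server list" is used next; list order
        # is an assumption of this example).
        return [last_connected] + [u for u in urls if u != last_connected]
    if mode == START_TOP:
        return urls
    if mode == START_LAST:
        if last_connected not in urls:
            return urls  # never connected before: nothing to prefer, use the list
        i = urls.index(last_connected)
        return urls[i:] + urls[:i]
    if mode == START_RANDOM:
        i = (rng or random).randrange(len(urls))
        return urls[i:] + urls[:i]
    raise ValueError(f"unknown mode {mode!r}")


def connect(urls: List[str], mode: str, last_connected: Optional[str],
            reconnecting: bool, try_server: Callable[[str], bool],
            rng: Optional[random.Random] = None) -> Optional[str]:
    """Try the servers in attempt order until one accepts the connection.

    try_server stands in for the real connection attempt and returns True on
    success. Returns the URL that connected, or None if every server failed.
    """
    for url in attempt_order(urls, mode, last_connected, reconnecting, rng):
        if try_server(url):
            return url
    return None


if __name__ == "__main__":
    # Constructed sample: three gateways, only the second one currently reachable.
    servers = ["https://vpn1.example.test", "https://vpn2.example.test",
               "https://vpn3.example.test"]
    reachable = lambda url: url == servers[1]
    print(connect(servers, START_LAST, servers[2], reconnecting=False, try_server=reachable))
```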

Security Certificates

Users cannot add CA servers or manage the server list. Pulse Client handles certificates in the same way that a browser handles certificates. If the Pulse Client dynamic certificate trust option is enabled for a connection, the user can accept or reject the certificate that is presented if it is not from a CA that is defined in the endpoint's certificate store.

Compliance and Remediation

Pulse Client supports the Host Checker application to assess endpoint health and update critical software. Host Checker is a client-side agent that is based on Trusted Network Connect standards. You configure rules in Host Checker policies for Pulse Connect Secure and Pulse Policy Secure to specify the minimum criteria for the security compliance of endpoints that are allowed to enter the network. Endpoints that fail can be connected through a remediation role that provides limited access.

Host Checker can be deployed from a Pulse Secure server to Pulse Clients on Windows and macOS endpoints. It will be downloaded and run when a browser is used on a Windows or macOS endpoint to connect to the Pulse Secure server Web portal. You can use Host Checker policies at the realm or role level.

Host Checker for mobile clients (iOS, Android, and Windows Phone) is included as part of the Pulse Client app. Host Checker runs on the mobile client if Host Checker policies are configured and enabled on the server.

Host Checker is not supported in the use case where the user employs a browser on the mobile device to connect to the Pulse Secure server Web portal.

For Windows and OS X clients, you can use Host Checker to perform the following:

Virus signature monitoring

You can configure Host Checker to monitor and verify that the virus signatures, operating systems, and software versions installed on client computers are up to date. You can configure automatic remediation for those endpoints that do not meet the specified criteria.

Patch management information monitoring and patch deployment

You can configure Host Checker policies that check for Windows endpoints' operating system service pack, software version, or desktop application patch version compliance.

Patch verification remediation options

Pulse Client and Host Checker support endpoint remediation through Microsoft System Management Server or Microsoft System Center Configuration Manager (SMS/SCCM). With SMS/SCCM, Pulse Client triggers a preinstalled SMS/SCCM client to get patches from a pre-configured server.

Endpoint configuration

You can configure custom rules to allow Host Checker to check for third-party applications, files, process, ports, registry keys, and custom DLLs.
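As an added example (not Pulse Secure's Host Checker code), the block below models how custom rules of the kinds named above and in the macOS Host Checker list (process, file and port rules, with Kill Processes, Delete Files and reason-string remediation) could be evaluated against an endpoint snapshot. The rule fields, policy, process names, file paths and snapshot contents are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass
class Snapshot:
    """Endpoint state the rules are evaluated against. A real agent gathers
    this from the OS; here it is constructed inline so the example runs offline."""
    processes: Set[str]        # names of running processes
    files: Set[str]            # paths of files present on disk
    listening_ports: Set[int]  # ports with a listener


@dataclass(frozen=True)
class Rule:
    kind: str            # "process", "file" or "port" (rule types listed above)
    target: object       # process name, file path or port number
    required: bool       # True: must be present; False: must be absent
    reason: str          # reason string sent to the user when the rule fails
    remediate: str = ""  # "kill" (Kill Processes) or "delete" (Delete Files); "" = report only


@dataclass
class Result:
    compliant: bool
    reasons: List[str] = field(default_factory=list)   # reason strings to send
    actions: List[str] = field(default_factory=list)   # remediation, e.g. "kill:name"


def _present(rule: Rule, snap: Snapshot) -> bool:
    if rule.kind == "process":
        return rule.target in snap.processes
    if rule.kind == "file":
        return rule.target in snap.files
    if rule.kind == "port":
        return rule.target in snap.listening_ports
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(rules: Iterable[Rule], snap: Snapshot) -> Result:
    """All rules must pass for the endpoint to be compliant. A failing rule
    contributes its reason string; a failing 'must be absent' rule with a
    remediation verb also contributes a kill/delete action. Missing required
    items (for example, antivirus not running) are reported but not auto-fixed."""
    result = Result(compliant=True)
    for rule in rules:
        if _present(rule, snap) == rule.required:
            continue
        result.compliant = False
        result.reasons.append(rule.reason)
        if not rule.required and rule.remediate:
            result.actions.append(f"{rule.remediate}:{rule.target}")
    return result


def apply_remediation(result: Result, snap: Snapshot) -> Snapshot:
    """Apply kill/delete actions to a copy of the snapshot (a real agent would
    act on the OS) and return it so the policy can be re-evaluated."""
    procs, files = set(snap.processes), set(snap.files)
    for action in result.actions:
        verb, _, target = action.partition(":")
        if verb == "kill":
            procs.discard(target)
        elif verb == "delete":
            files.discard(target)
    return Snapshot(procs, files, set(snap.listening_ports))


# Constructed sample policy and endpoint state (names and paths are placeholders).
POLICY = [
    Rule("process", "antivirus_daemon", True, "Endpoint antivirus is not running"),
    Rule("process", "unapproved_remote_tool", False, "Unapproved remote-control tool is running", "kill"),
    Rule("file", "/tmp/unapproved_agent.pkg", False, "Unapproved installer found on disk", "delete"),
    Rule("port", 23, False, "A Telnet service is listening"),
]
SAMPLE = Snapshot({"antivirus_daemon", "unapproved_remote_tool"},
                  {"/tmp/unapproved_agent.pkg"}, {22})

if __name__ == "__main__":
    first = evaluate(POLICY, SAMPLE)
    print("compliant:", first.compliant, "reasons:", first.reasons, "actions:", first.actions)
    print("after remediation:", evaluate(POLICY, apply_remediation(first, SAMPLE)).compliant)
```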

Pulse Mobile Client supports a set of Host Checker functions that vary from one OS to the next. For complete information on Host Checker for mobile clients, see Implementing Host Checker Policies for Pulse Mobile Client for iOS Devices, Implementing Host Checker Policies for Pulse Mobile Client for Android, and Host Checker for Pulse Mobile Client for Windows Phone.

Two Factor Authentication

Pulse Client supports RSA SecurID authentication through soft token, hard token, and smart card authenticators. The SecurID software (RSA client 4.1 and later) must already be installed on the client machine.

Captive Portal Detection

Public WiFi locations often deploy a captive portal that requires the user to enter authentication information or to accept terms of service before network access is granted. Pulse Client detects the presence of captive portals and does not initiate a connection to a Pulse Connect Secure or Policy Secure server until internet access is granted. Pulse Client displays appropriate status information to enable the user to establish the portal and network connections.

Captive portal detection notes:

Captive portal detection is supported on Pulse Client for both Windows and Mac. Captive portal detection is not supported on Windows In-Box Pulse Client or Pulse Secure Client for Mobile Devices.

If Pulse Client connects through a proxy in a captive portal scenario, the captive portal detection algorithm is disabled and Pulse Client tries to connect directly to PCS.

SRX connections do not support captive portal detection.

Pulse Collaboration Suite Integration

Pulse Collaboration Suite is accessible through the Pulse Client interface on Windows, macOS, Android, and iOS. (Android clients must be R4.0 or later. iOS clients must be R3.2 or later.) Pulse Collaboration Suite enables users to schedule and attend secure online meetings. In meetings, users can share their desktops and applications with one another over a secure connection. Meeting attendees can collaborate by enabling remote control of their desktops and through text chatting.

Sign In Notifications

The notifications feature on Pulse Connect Secure and Pulse Policy Secure allows the network administrator to display notifications to Pulse Client users prior to the user logging in and after the user has already logged in. For example, you could display a legal statement or a message stating who is allowed to connect to the server before you display the Pulse Client credentials dialog. After the user has connected, you could display a message that notifies the user of scheduled network or server maintenance or of an upcoming company meeting.

Automatic Software Updates

After you deploy Pulse Client software to endpoints, software updates occur automatically. If you upgrade the Pulse Client configuration on the server, updated software components are pushed to a client the next time it connects. You can disable this automatic upgrade feature.

The automatic update feature is supported on Pulse Connect Secure and Pulse Policy Secure servers only. SRX gateways do not support automatic Pulse Client software updates.

If you configure Pulse Client to make 802.1X-based connections, a reboot might be required on Windows endpoints.

Pulse Client Customization and Rebranding

The Pulse Client customization tool (BrandPackager) enables you to customize the appearance of Pulse Client for Windows and Pulse Client for Apple OS X. You can add your own identity graphic to the Pulse Client splash screen, to the program interface, and to Windows credential provider tiles. Figure 17 shows graphic customizations applied to the Pulse Client for Windows. You can also customize error and informational message text, the text that appears in dialog boxes and on buttons, and make limited changes to Pulse Client online Help. For example, you might want to add your help desk phone number to Pulse Client error messages and the Pulse Client online Help.

BrandPackager is available for download from the Pulse Secure website (www.pulsesecure.net).

Figure 17: Pulse Client Interface and Splash Screen with Branding Graphics

Related Documentation

“Pulse Client Status Icons”

“Pulse Secure Client for Mobile Devices Overview”

“Customizing Pulse Secure Desktop Client Overview”

Pulse Client and Software Defined Perimeter (SDP)

Traditional network-based security (Network Defined Perimeter) architectures use firewalls on the network perimeter to limit access to public IP addresses. This exposes the network to a variety of network-based attacks.

Connectivity in a Software Defined Perimeter (SDP) system is based on a need-to-know model, in which mobile devices are verified and authorized before access to application infrastructure is granted. Application infrastructure cannot be detected remotely and has no visible DNS information or exposed IP addresses. This protects networked resources from many common network-based attacks.

Pulse Secure SDP uses PCS appliances which individually act as either an SDP controller or an SDP gateway. Mobile users of Pulse Client perform authentication on an SDP controller which runs an Authentication, Authorization and Accounting (AAA) Service. The SDP controller then enables direct communication between the user and the SDP gateways that protect the user's authorized resources and enables requested encryption. This does not require the general exposure of public IP addresses. It also separates the control plane and the data plane.

Pulse Secure SDP supports a number of network topologies, and can include both cloud-based and data center-based resources. For example:

Figure 18: Software Defined Perimeter Example

For full details of installation and configuration of SDP, see the Software Defined Perimeter documentation on the Pulse Secure website (www.pulsesecure.net).

Pulse Client Configuration Overview

You configure Pulse Client settings on the Pulse Secure server so that when users request authentication, they are assigned a role based on the role mappings and optional security profile that you create. Access to specific resources is permitted only for users and devices that provide the proper credentials for the realm, that are associated with the appropriate roles, and whose endpoints meet security restrictions. If a user attempts to connect to the network from an endpoint that does not comply with the security restrictions you have defined, the user cannot access the realm or role.

As you plan your Pulse Client configuration, be sure you know how you want to deploy Pulse Client. You can use one or more of the following Pulse Client deployment options:

Use the defaults or make changes to the Pulse Client default component set and default connection set, and then download and distribute Pulse Client by having users log in to the gateway's user Web portal and be assigned to a role. After the installation is complete, users have all the connections they need to access network resources.

Create the connections that an endpoint needs for connectivity and services, download the Pulse Client settings file (.pulsepreconfig), download the default Pulse Client .msi installation program, and then run the .msi installation program with an msiexec command that passes the settings file as an option. You can use the msiexec command to deploy Pulse Client through a standard software distribution process, such as SMS/SCCM.

Distribute Pulse Client with no preconfiguration. You can download the default Pulse Client installation file (Mac or Win) from the device, and then distribute the file to endpoints using your organization's standard software distribution methods. Because the installer does not contain preconfigured connections, users must define network connections manually. Or you can create dynamic connections on each access gateway. These connections are automatically downloaded to the installed Pulse Client when users provide their login credentials to the gateway's user Web portal.

The following tasks summarize how to configure Pulse Client on the device:

Create and assign user roles to control who can access different resources and applications on the network. If you are converting your access environment from agentless or a VPN Tunneling environment, you should create new roles that are specific for Pulse Client.

Define security restrictions for endpoints with Host Checker policies.

Define user realms to establish authentication domains. If you are converting your access environment from agentless or a Network Connect (NC) environment, you can typically use your existing realms.

Associate the roles with appropriate realms to define your access control hierarchy using role mapping.

Define Pulse Client component sets, connection sets, and connections.

Deploy Pulse Client to endpoints.

Related Documentation

“Introducing Pulse Secure Desktop Client”

“Pulse Client Connection Set Options for Pulse Policy Secure”

“Creating a Client Connection Set for Pulse Connect Secure”

“Creating a Client Component Set for Pulse Connect Secure”

“Configuring a Role for Pulse Connect Secure”

Pulse Client Status Icons

The Pulse Client interface (Windows and OS X) displays a system tray icon (Windows) or a menu bar icon (OS X) that indicates connection status, provides access to menu items that let the user connect and disconnect from networks and meetings, and enables quick access to the program interface. Only one icon is visible even when there are multiple connections. One icon provides the status for all connections by indicating the most important connection state information.

Table 4 Pulse Client Icon States (Windows Tray and OS X Menu Bar)

Indicator | Description
[icon: Connected] | Connected.
[icon: Connecting] | Connecting.
[icon: Limited] | Connected with limitations.
[icon: Failed] | Connection attempt failed.
[icon: Suspended] | Connection suspended.
[icon: No Internet] | Connected to the local network but no Internet access available. Public WiFi locations often deploy a captive portal that requires the user to enter authentication information or to accept terms of service before network access is granted. Pulse Client detects the presence of captive portals and does not initiate a connection to a Pulse Secure server until Internet access is granted.

Related Documentation

“Installation Requirements”

“Introducing Pulse Secure Desktop Client”

Installation Requirements

For detailed information about supported platforms and installation requirements, see the Pulse Secure Supported Platforms Guide, available from the Pulse Secure website (www.pulsesecure.net).

Related Documentation

“Introducing Pulse Secure Desktop Client”

“Pulse Secure Client for Mobile Devices Overview”

Pulse Client Error Messages Overview

Pulse Client error and warning messages reside in message catalog files on the endpoint. Each message includes a short description that states the problem and a long description that provides more details and suggests actions the user can take to resolve the issue.

You can edit Pulse Client messages by using the optional Pulse Client branding tool, BrandPackager. See Editing Pulse Client Messages for more information.

All message catalog files are localized. The filename indicates the language. For example, MessageCatalogConnMgr_EN.txt is the English-language version of the file. The following filename conventions indicate the language:

DE-German

EN-English

ES-Spanish

FR-French

IT-Italian

JA-Japanese

KO-Korean

PL-Polish

ZH-Chinese (Traditional)

ZH-CN-Chinese (Simplified)

Related Documentation

“Introducing Pulse Secure Desktop Client”

“Customizing Pulse Secure Desktop Client Overview”

Accessing Pulse Client Error Messages on macOS Endpoints

Pulse Client error and warning messages reside in message catalog files on the OS X endpoint. Each message includes a short description that states the problem and a long description that provides more details and suggests actions to resolve the issue.

You can edit Pulse Client messages by using the optional Pulse Client branding tool, BrandPackager. See Editing Pulse Client Messages for more information.

All message catalog files are localized. The filename indicates the language. For example, MessageCatalogPulseUI_EN.txt is the English-language version of the file. The following filename conventions indicate the language:

DE-German

EN-English

ES-Spanish

FR-French

IT-Italian

JA-Japanese

KO-Korean

PL-Polish

ZH-Chinese (Traditional)

ZH-CN-Chinese (Simplified)

To view the Pulse Client catalog files on a macOS endpoint, use Finder to display the package contents of the Pulse Client application.

Related Documentation

“Introducing Pulse Secure Desktop Client”

“Pulse Client Log Files”

“Customizing Pulse Secure Desktop Client Overview”

Pulse Client Log Files

Pulse Client writes information to log files on Windows and Apple OS X endpoints. If you need to investigate a problem with connectivity on a Pulse Client endpoint, you can instruct the user to save the client logs and e-mail them to you.

The user saves logging information by opening Pulse Client and then clicking File > Logs > Save As. All relevant log files are added to a single file, LogsAndDiagnostics.zip. The user saves the .zip file and then makes it available to you.

Pulse Client maintains its own log files on all supported platforms. On Windows, Pulse Client also logs its major operational events into Windows Event Log. Network administrators can review the Pulse Client event log to help troubleshoot problems. Table 5 lists the Pulse Client messages that can appear in the Windows event log.

To view the Pulse Client messages:

1. Open the Windows Event Viewer.

2. Click Applications and Services > Pulse Secure > Operational.

Table 5 Pulse Client Event Log Messages

ID | Level | Message | Description
600 | error | The connection <ID> failed authentication: Error <ID>. | 802.1X EAP authentication failure.
601 | informational | User has canceled authentication of the connection <ID>. | The user canceled 802.1X EAP authentication.
602 | error | Failure writing wireless LAN profile for connection <ID> Error <ID>: Reason <ID>: Profile: <ID>. | A failure occurred while a wireless LAN profile was being created or modified.
603 | error | Failure writing wireless LAN profile for connection <ID> Error <ID>. | A failure occurred while a wireless LAN profile was being deleted.
604 | error | Failure writing wired LAN profile for connection <ID> Error <ID>: Profile: <ID>. | A failure occurred while a wired LAN profile was being created or modified.
605 | error | Failure writing wired LAN profile for connection <ID> Error <ID>. | A failure occurred while a wired LAN profile was being deleted.
500 | informational | Pulse servicing has completed successfully. All components are up to date. | Pulse Client servicing was successful.
501 | informational | Pulse servicing has completed successfully. All components are up to date. | Servicing was requested, but all components were already up to date.
502 | error | Pulse servicing has failed. Failure summary: | Pulse Client servicing failed.
100 | informational | User requested connection <ID> to start. | The user initiated a connect request.
101 | informational | User requested connection <ID> to stop. | The user initiated a disconnect request.
102 | informational | Connection <ID> is starting because its policy requirements have been met. Connection Policy: <ID>. | A connection was started because of a policy evaluation.
103 | informational | Connection <ID> is stopping because of its policy requirements. Connection Policy: <ID>. | A connection was stopped because of a policy evaluation.
104 | informational | Connection <ID> is stopping because of transition to context <ID>. | The machine-to-user connection was disconnected to transition to another identity.
105 | informational | Connection <ID> is starting because of transition to context <ID>. | The machine-to-user connection was connected as part of the transition to another identity.
106 | informational | Connection <ID> is disconnected due to computer suspend. | The connection to Pulse Connect Secure was disconnected because the computer is being suspended.
107 | informational | Connection <ID> is disconnected due to login error. | A credential provider connection was disconnected because of a login error.
108 | informational | Connection <ID> is disconnected because it was modified. | A connection was disconnected because it was modified.
109 | informational | User requested connection <ID> to suspend. | The user initiated a suspend request.
110 | informational | User requested connection <ID> to resume. | The user initiated a resume request.
1 | informational | The Pulse Secure service version <ID> has successfully started. | The Pulse Client service started.
2 | informational | The Pulse Secure service has stopped. | The Pulse Client service stopped.
200 | error | No connections matching URL <ID> were found in Pulse database. Request to start a connection from the browser has failed. | Pulse Client failed to resume a connection from the browser.
400 | error | The host check for connection <ID> has failed. Failed policies: <ID>. | Host Checker failed one or more policies.
300 | informational | The connection <ID> was established successfully through web-proxy <ID>. | Pulse Client established a connection to Pulse Connect Secure or Pulse Policy Secure through a Web proxy.
301 | informational | The connection <ID> was established successfully to address <ID>. | Pulse Client established a direct (nonproxy) connection to Pulse Connect Secure or Pulse Policy Secure.
302 | informational | The connection <ID> was disconnected. | The Pulse Client connection was disconnected from the Pulse Secure server.
303 | error | The connection <ID> encountered an error: <ID> Peer address: <ID>. | A connection encountered an error.
304 | error | The connection <ID> was disconnected due to change in routing table. Interface address changed from <ID> to <ID>. | Pulse Client detected a change in the route to the Pulse Secure server.
305 | informational | VPN tunnel transport for connection <ID> switched from ESP to SSL mode due to missing ESP heartbeat. | ESP to SSL fallback occurred because of missing ESP heartbeats.
306 | informational | VPN tunnel for connection <ID> is switched to ESP mode. | Tunnel transport switched to ESP mode.
307 | error | The connection <ID> encountered an error: System error: <ID> Peer address: <ID>. | The Pulse Client connection failed because of a system error.
308 | error | The server disconnected connection <ID> Reason <ID>: Peer address: <ID>. | The server disconnected a connection.
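Triaging these events by ID is what an administrator does when reviewing the Operational log. The following is an added example, not Pulse Secure code: it walks a constructed list of event records in log order and summarizes each connection's last state, errors, Host Checker failures and ESP-to-SSL fallbacks using the Table 5 IDs. The Event record shape, the connection names and the policy name are assumptions; an exported log would first be mapped into that shape.

```python
"""Added example (not Pulse Secure code): triage Pulse Client events by Table 5 ID.
The Event record shape is an assumption; map exported log records into it first."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Table 5 IDs logged at level "error", with the meaning the table gives them.
ERROR_MEANING = {
    200: "no connection matched the browser URL",
    303: "connection error",
    304: "route to the server changed",
    307: "system error",
    308: "server disconnected the connection",
    400: "Host Checker policy failed",
    502: "client servicing failed",
    600: "802.1X EAP authentication failed",
    602: "wireless LAN profile create/modify failed",
    603: "wireless LAN profile delete failed",
    604: "wired LAN profile create/modify failed",
    605: "wired LAN profile delete failed",
}
STARTING = {100, 102, 105}          # user, policy or identity-transition start
ESTABLISHED = {300, 301}            # connected through a proxy / directly
DISCONNECTED = {106, 107, 108, 302, 303, 304, 307, 308}
ESP_TO_SSL_FALLBACK = 305           # tunnel transport degraded to SSL


@dataclass
class Event:
    event_id: int
    connection: Optional[str]       # value substituted for <ID>; None for service events
    detail: str = ""                # other <ID> fields, e.g. failed policy names


@dataclass
class ConnectionSummary:
    state: str = "unknown"
    errors: List[str] = field(default_factory=list)
    esp_fallbacks: int = 0
    failed_policies: List[str] = field(default_factory=list)


def triage(events: List[Event]) -> Dict[str, ConnectionSummary]:
    """Keep the last lifecycle state and every error seen per connection."""
    summaries: Dict[str, ConnectionSummary] = defaultdict(ConnectionSummary)
    for ev in events:
        if ev.connection is None:   # IDs 1 and 2 describe the service, not a connection
            continue
        s = summaries[ev.connection]
        if ev.event_id in STARTING:
            s.state = "starting"
        elif ev.event_id in ESTABLISHED:
            s.state = "connected"
        elif ev.event_id in DISCONNECTED:
            s.state = "disconnected"
        if ev.event_id == ESP_TO_SSL_FALLBACK:
            s.esp_fallbacks += 1
        if ev.event_id == 400:
            s.failed_policies.append(ev.detail)
        if ev.event_id in ERROR_MEANING:
            s.errors.append(f"{ev.event_id}: {ERROR_MEANING[ev.event_id]}")
    return dict(summaries)


def needs_attention(summaries: Dict[str, ConnectionSummary], min_errors: int = 2) -> List[str]:
    """Connections at the error threshold or that fell back from ESP to SSL."""
    return sorted(name for name, s in summaries.items()
                  if len(s.errors) >= min_errors or s.esp_fallbacks)


# Constructed sample in log order; names, policy and addresses are made up.
SAMPLE = [
    Event(1, None, "service started"),
    Event(100, "Corp VPN"),
    Event(400, "Corp VPN", "Antivirus-Required"),
    Event(100, "Corp VPN"),
    Event(301, "Corp VPN", "203.0.113.10"),
    Event(305, "Corp VPN"),
    Event(304, "Corp VPN", "192.0.2.5 -> 198.51.100.7"),
    Event(100, "Lab 802.1X"),
    Event(600, "Lab 802.1X"),
]

if __name__ == "__main__":
    for name, s in triage(SAMPLE).items():
        print(name, s.state, s.errors, "esp_fallbacks=%d" % s.esp_fallbacks)
    print("needs attention:", needs_attention(triage(SAMPLE)))
```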

Related Documentation

“Deleting Pulse Client Log Files”

“Uploading Pulse Client Log Files”

Deleting Pulse Client Log Files

Pulse Secure recommends that you do not delete Pulse Client log files.

Pulse Client controls log file size automatically. When the current log file reaches 10 MB, a new one is created and the oldest log file is deleted. If you need to delete Pulse Client log files, do not delete a file without first moving it to the Recycle Bin or renaming it.

To safely delete Pulse Client log files on a Windows endpoint:

1. Use a command line or Windows Explorer to locate and delete debuglog.log and, optionally, debuglog.log.old. When prompted whether to move the file to the Recycle Bin, answer Yes. Do not press Shift+Delete, which permanently deletes a file without moving it to the Recycle Bin.

The file location varies depending on which version of Windows the endpoint is running. For example, the following path is valid for a Windows 7 Enterprise 64-bit endpoint: C:\ProgramData\Pulse Secure\Logging.

2. Empty the Recycle Bin.

Alternatively, you could first rename debuglog.log and then delete it. After you delete the log file, Pulse Client creates a new one. However, that operation might take some time depending on the activities of Pulse Client.

Uploading Pulse Client Log Files

Pulse Client for Windows makes it easy to transmit diagnostic log bundles to PCS gateways for analysis by system administrators. To send a log bundle to the PCS while a VPN connection is active, click File > Logs > Upload in the desktop client user interface.

Figure 19 Uploading Pulse Client Log Files (image: UploadingLogFiles.png)

The user must select the server to send the logs to. A dialog will appear that shows the progress of the upload.

Note that a system administrator must enable this feature on the server side before an end user can upload log files to the Pulse Secure gateway. To do this, the system administrator must launch the Pulse Secure server administrative console and navigate to Users > Roles > General > Session Options > Enable Upload Logs.

The admin must check the "Enable Upload Logs" checkbox, as shown below:

Figure 20 Enable Upload Logs (image: EnableUploadLogs.png)

The administrator must also select which clients can send log files: in the admin console, navigate to System > Log/Monitoring > Client-Side Log > Settings and select Pulse Client.

Once this is done, the system administrator can view uploaded logs in the administrative console under System > Log/Monitoring > Client-Side Log > Uploaded Logs.

Figure 21 Viewing Uploaded Logs (image: ViewingUploadLogs.png)

Related Documentation

“Pulse Client Error Messages Overview”

Migrating from Odyssey Access Client to Pulse Client

Odyssey Access Client® (OAC) is 802.1X network access client software that supports the Extensible Authentication Protocol (EAP) for secure wireless LAN access. Together with an 802.1X-compatible authentication server, OAC secures WLAN communications. OAC also serves as a client for enterprises that are deploying identity-based (wired 802.1X) networking. OAC provides wireless access to enterprise networks, home Wi-Fi networks, and public hotspots.

Pulse Client is an extensible multiservice network client that supports integrated connectivity and secure location-aware network access. Pulse Client simplifies the user experience by letting the network administrator configure, deploy, and control Pulse Client software and the Pulse Client connection configurations that reside on the endpoint. Pulse Client can provide 802.1X authentication and Layer 3 access services.

Like OAC, Pulse Client software is bundled with Pulse Policy Secure software. However, there are significant differences between OAC and Pulse Client and you should be aware of these differences when you plan a migration from OAC to Pulse Client. The following list includes planning considerations and best-practices for a migration project. See the related topics list for details about the Pulse Client configuration tasks.

The 802.1X communication protocol that you use with OAC might need to be changed to support Pulse Client. OAC supports the full range of 802.1X protocols; Pulse Client supports only EAP-TTLS/EAP-JUAC. See Comparing Odyssey Access Client and Pulse Secure Desktop Client, which lists the 802.1X protocols supported by OAC and Pulse Client.

One common migration practice is to create new sign-in policies, user realms, and user roles for Pulse Client, and then control the cut-over to Pulse Client by enabling Pulse Client sign-in policies and disabling OAC sign-in policies. The new policies, realms, and roles can be clones of the existing OAC policies, realms, and roles as a starting point. However, Pulse Client has more robust connection decision capabilities so you will probably want to edit your Pulse Client roles to take advantage of the Pulse Client capabilities. For example, you can replace both OAC and Network Connect with Pulse Client and use one client for authenticated LAN access and secure SSL VPN access. Location awareness rules allow Pulse Client to detect the network environment and choose a network connection based on current location.

How many OAC configurations do you use? You need a Pulse Client configuration for each OAC configuration you currently use. A Pulse Client access configuration is called a connection. It comprises properties that define how, when, and where a connection is established with a Pulse Secure gateway. When you create the Pulse Client connections that you distribute to Pulse Clients, you configure how the connection can be established. Pulse Client connections support machine authentication and credential provider authentication. Figure 22 shows an instance of Pulse Client for Windows that includes multiple connections.

Figure 22 Pulse Client Interface (Windows Version) (image: ClientUIWin2.png)

Odyssey Access Client is a wireless supplicant. Pulse Client, by design, is not a wireless supplicant. Pulse Client uses the underlying wireless supplicant on the endpoint, which is typically provided by the endpoint's OS X or Windows operating system. When you migrate to Pulse Client and uninstall OAC, you remove the OAC wireless supplicant and the endpoint falls back to using wireless connectivity provided by the OS. You define 802.1X authentication connections for Pulse Client to enable authenticated 802.1X connectivity in the enterprise network. Any custom network configurations that users added to their local OAC configuration are lost when OAC is removed. For example, if a user added connection information to connect to a home wireless network, the user will need to redefine that connection in the endpoint's wireless supplicant. A best practice is to mention this needed configuration to users as part of the Pulse Client roll-out. In OAC, network auto-scan lists are defined on the client. With Pulse Client, you can define an auto-scan list as part of an 802.1X connection that is pushed to Pulse Client.

Do you use wireless suppression in your OAC environment? Wireless suppression disables wireless connections as long as the client has a wired network connection. You enable wireless suppression as part of a Pulse Client connection set. Pulse Client connection set properties define the decision process that Pulse Client uses to establish network connections.

If you are using OAC FIPS Edition, you need to deploy Pulse Client 5.0 or later to support the same level of FIPS compliance that is supported by OAC.

Do you allow users to modify configuration settings after you deploy them in your OAC environment? When you create a Pulse Client connection, you can define whether users can override the connection decision that has been defined by the Pulse Secure administrator as part of the Pulse Client connection. You can also disable the user's ability to create new connections. Connections created by users are manual connections, that is, the connection is not tried unless the user opens Pulse Client and selects it.

Do you allow OAC users to add, remove, or modify trusted servers and certificates? Pulse Client does not expose this functionality to users. Pulse Client handles certificates in the same fashion as a browser. When you define a Pulse Client connection you can allow users to choose to accept an unverified certificate, which allows users to connect to servers that use a self-signed certificate.

Related Documentation

“Comparing Odyssey Access Client and Pulse Secure Desktop Client”

“Pulse Client Connection Set Options for Pulse Policy Secure”

“Machine Authentication for Pulse Policy Secure Overview”

“Configuring Location Awareness Rules for Pulse Client”

“Machine and User Authentication Through a Pulse Client Connection for Pulse Policy Secure”

“Remote Desktop Protocol Compatibility with a Pulse Client 802.1X Machine Authentication Connection”

“Pulse Secure Desktop Client Installation Overview”

Migrating from Network Connect to Pulse Client

Pulse Client and Network Connect (NC) can run at the same time on an endpoint.

The Pulse Client installation program checks for NC. If the installation program finds NC Release 6.3 or later, the Pulse Client installation proceeds. If NC is not at least Release 6.3, the program displays a message telling the user to upgrade NC. For detailed information about supported platforms and installation requirements, see the Pulse Secure Supported Platforms Guide, available from the Pulse Secure website (www.pulsesecure.net).

On endpoints that connect to Pulse Connect Secure, if Pulse Client is running on the Windows main desktop, you cannot launch Pulse Client within Secure Virtual Workspace (SVW). SVW is not supported with Pulse Client.

SVW is not supported by Pulse Policy Secure 5.1 and later and Pulse Connect Secure 8.1 and later. If a Pulse Secure server has SVW policies configured, those policies are removed during the upgrade.

Related Documentation

“Comparing Odyssey Access Client and Pulse Secure Desktop Client”

“Comparing Network Connect and Pulse Client”

Predictable Pulse Secure Server Hostname Resolution with IPv6

When connecting to a Pulse Secure server, Pulse Client uses the services of the endpoint operating system to resolve the hostname to an IP address. If a Pulse Secure server hostname resolves to both IPv4 and IPv6 addresses, either an IPv4 or an IPv6 address is presented to Pulse Client as the preferred IP address. The behavior depends on the operating system and how it is configured. For example, Windows 7 adheres to the IETF standards that define default address selection for IPv6; macOS 10.6 does not support that standard. Additionally, the Windows 7 default settings can be changed with netsh commands, so RFC compliance can be modified on the endpoint. For these and other reasons, it is difficult to predict which Pulse Secure server IP address a given client machine will resolve to.

For predictable hostname resolution, we recommend that you use different Pulse Secure server hostnames for IPv6 and IPv4 addresses. For example, configure myserver1.mycompany.com for IPv4 addresses and myserver1-v6.mycompany.com for IPv6 addresses. The Pulse Secure server administrator can publish myserver1-v6.mycompany.com to the Pulse Client users who are expected to connect over IPv6, and others will continue using myserver1.mycompany.com.
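A deployment check for the split-hostname recommendation above, as an added example that is not Pulse Secure code: it classifies each server hostname's DNS answers by address family and flags hostnames that still return both families, since those are the ones whose resolution a client cannot predict. The answer sets are constructed using documentation address ranges; resolve() shows how live answers would be gathered through the OS resolver.

```python
"""Added example (not Pulse Secure code): audit server hostnames for the
split IPv4/IPv6 naming scheme. DNS answers below are constructed."""
import ipaddress
import socket
from typing import Dict, Iterable, List, Tuple


def family_split(addresses: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Separate address strings into (IPv4 list, IPv6 list); non-addresses raise."""
    v4: List[str] = []
    v6: List[str] = []
    for a in addresses:
        (v4 if ipaddress.ip_address(a).version == 4 else v6).append(a)
    return v4, v6


def classify(addresses: Iterable[str]) -> str:
    """Verdict for one hostname's answer set."""
    v4, v6 = family_split(addresses)
    if v4 and v6:
        return "mixed"          # which family the client gets depends on the OS
    if v4:
        return "ipv4-only"
    if v6:
        return "ipv6-only"
    return "unresolved"


def audit(records: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each hostname to its verdict."""
    return {host: classify(addrs) for host, addrs in records.items()}


def unpredictable_hosts(records: Dict[str, List[str]]) -> List[str]:
    """Hostnames that should be split into separate IPv4 and IPv6 names."""
    return sorted(h for h, v in audit(records).items() if v == "mixed")


def resolve(host: str) -> List[str]:
    """Live lookup via the endpoint's OS resolver (needs DNS; not used below)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed answers: the recommended pair plus a legacy dual-stack name.
CONSTRUCTED = {
    "myserver1.mycompany.com": ["203.0.113.10"],
    "myserver1-v6.mycompany.com": ["2001:db8::10"],
    "legacy.mycompany.com": ["203.0.113.20", "2001:db8::20"],
}

if __name__ == "__main__":
    for host, verdict in audit(CONSTRUCTED).items():
        print(f"{host}: {verdict}")
    print("split these:", unpredictable_hosts(CONSTRUCTED))
```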