Release Notes - Pulse Secure

Pulse Release Notes
Version: 5.0R1
Build: 41197
Published: July 2015
Revision: 00
Pulse Release Notes 5.0
Contents
Introduction
Interoperability and Supported Platforms
Pulse 5.0 New Features
Local Subnet Access with Split Tunneling Disabled
Federal Information Processing Standard (FIPS) Enhancement for Pulse Windows Client
The Pulse Client Customization
Pulse Client Usability Enhancements
Remove Override
Advanced Connection Details
New Exit Menu for Pulse for Apple OS X
Application Acceleration on Pulse Mobile VPN Connections
Pulse as SAML Client
Microsoft Windows In-box Pulse Client
IPSec Support for Mac OSX Connections to Pulse Access Control Service
Problems Resolved in This Release
Known Issues
Documentation
Documentation Feedback
Technical Support
Revision History
© 2015 by Pulse Secure, LLC. All rights reserved
Introduction
These release notes contain information about Pulse new features, software issues that have been resolved and
new issues that affect Pulse behavior. If the information in the release notes differs from the information found
in the documentation set, follow the release notes.
Interoperability and Supported Platforms
Please refer to the Pulse Supported Platforms Guide for supported versions of browsers and operating
systems in this release.
Pulse 5.0 New Features
• Local Subnet Access with Split Tunneling Disabled
• Federal Information Processing Standard (FIPS) Enhancement for Pulse Windows Client
• The Pulse Client Customization
• Pulse Client Usability Enhancements
• Application Acceleration on Pulse Mobile VPN Connections
• Pulse as SAML Client
• Microsoft Windows In-box Pulse Client
• IPSec Support for Mac OSX Connections to Pulse Access Control Service
Local Subnet Access with Split Tunneling Disabled
Split tunneling allows a VPN client to have network traffic routed through the VPN tunnel and through the
endpoint’s physical adapter to local subnets. Pulse 5.0 adds a new option that allows local subnet access when
split tunneling is disabled without allowing access to other connected local subnets.
The Pulse clients for Windows, Apple OS X, Google Android, and Apple iOS and the Network Connect client
all support split tunneling. Split tunneling is configured as part of the role that is assigned to a user after
authentication. When the client and Pulse Secure Access Service establish a VPN tunnel, the Pulse server takes
control of the routing environment on the endpoint to ensure that only permitted network traffic is allowed
access through the VPN tunnel. Split tunneling settings enable you to further define the VPN tunnel environment
by permitting some traffic from the endpoint to reach the local network or another connected subnet. When
split tunneling is enabled, split tunneling resource policies enable you to define the specific IP network resources
that are excluded from access or accessible through the VPN tunnel.
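The routing outcomes described above, as an added example that is not part of the original release notes and is not Pulse code: a small Python model that reports which destinations leave the endpoint outside the tunnel under each setting. The class and function names, the sample addresses, and the rules for the enabled case (most specific policy wins, unmatched traffic uses the physical adapter) are assumptions of this model.

```python
# Added illustration: a simplified model, not Pulse code or Pulse configuration.
import ipaddress
from dataclasses import dataclass, field

TUNNEL, LOCAL = "vpn-tunnel", "physical-adapter"

@dataclass
class Endpoint:
    attached: ipaddress.IPv4Network               # subnet the physical adapter is on
    other_connected: list = field(default_factory=list)  # subnets behind local routers

@dataclass
class Role:
    split_tunneling: bool
    local_subnet_access: bool = False             # the option added in Pulse 5.0
    policies: list = field(default_factory=list)  # (network, "tunnel" | "exclude")

def classify(endpoint, dst):
    """Label a destination relative to the endpoint's local network."""
    ip = ipaddress.ip_address(dst)
    if ip in endpoint.attached:
        return "attached-subnet"
    if any(ip in subnet for subnet in endpoint.other_connected):
        return "other-connected-subnet"
    return "remote"

def route(endpoint, role, dst):
    """Return the path a packet to dst takes under the role's settings."""
    ip = ipaddress.ip_address(dst)
    if not role.split_tunneling:
        # Everything is tunneled; the 5.0 option exempts only the attached subnet.
        if role.local_subnet_access and ip in endpoint.attached:
            return LOCAL
        return TUNNEL
    # Split tunneling enabled: resource policies decide (assumed: most specific
    # prefix wins, unmatched traffic uses the physical adapter).
    matches = [(subnet, action) for subnet, action in role.policies if ip in subnet]
    if not matches:
        return LOCAL
    _, action = max(matches, key=lambda m: m[0].prefixlen)
    return TUNNEL if action == "tunnel" else LOCAL

def bypass_report(endpoint, role, destinations):
    """List (destination, class) pairs that leave the endpoint outside the tunnel."""
    return [(d, classify(endpoint, d)) for d in destinations
            if route(endpoint, role, d) == LOCAL]

# Constructed sample data (RFC 1918 and RFC 5737 addresses).
cidr = ipaddress.ip_network
HOME = Endpoint(cidr("192.168.1.0/24"), [cidr("10.20.0.0/16")])
DESTS = ["192.168.1.50", "10.20.5.9", "172.16.4.4", "203.0.113.10"]

FULL_TUNNEL = Role(split_tunneling=False)
LOCAL_ONLY = Role(split_tunneling=False, local_subnet_access=True)
SPLIT = Role(split_tunneling=True, policies=[
    (cidr("172.16.0.0/12"), "tunnel"), (cidr("172.16.4.0/24"), "exclude")])

if __name__ == "__main__":
    for name, role in [("full", FULL_TUNNEL), ("local-only", LOCAL_ONLY), ("split", SPLIT)]:
        print(name, bypass_report(HOME, role, DESTS))
```

Running a report like this against the subnets your users actually sit on shows exactly what a role exposes outside the tunnel before the role is assigned.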
Federal Information Processing Standard (FIPS) Enhancement for Pulse Windows Client
The United States Federal Information Processing Standard (FIPS) defines security and interoperability
requirements for computer systems that are used by the U.S. government. Pulse for Windows, iOS, and Android
support FIPS mode operations when communicating with Pulse Secure Access Service and Pulse for Windows
supports FIPS mode operations when communicating with Pulse Access Control Service. New in Pulse R5.0,
when it is operating in FIPS mode, FIPS On appears in the bottom corner of the Pulse for Windows client.
The Pulse Client Customization
The Pulse customization tool (BrandPackager) enables you to customize the appearance of the Pulse Windows
and Apple OS X clients. You can add your own identity graphic to the Pulse splash screen, to the program
interface, and to Windows credential provider tiles. You can also customize error and informational message
text, the text that appears in dialog boxes and on buttons, and make limited changes to Pulse online Help. For
example, you might want to add your help desk phone number to Pulse error messages.
BrandPackager is available for download from https://www.pulsesecure.net
Pulse Client Usability Enhancements
Pulse for Windows and Pulse for Mac OSX have new user interface features.
Remove Override
Pulse connections that are deployed administratively can be configured to connect automatically.
For example, an endpoint might have one Pulse connection that always activates when the endpoint
is started. Automatic connections simplify connectivity by limiting manual connection decisions.
The Pulse connection set properties can allow the user to override automatic connections. If the
user manually disconnects an automatic connection, that connection loses its ability to behave
automatically until the Pulse service is restarted. Even if the user manually reconnects, the connection
can no longer respond automatically. Pulse R5.0 displays an indication next to automatic connections
that no longer respond automatically, which allows the user to select a new menu option to restore
the connection to automatic behavior. Figure 1 shows the manual override text on the
Pulse for Windows client. Pulse for Mac OSX also includes the text and menu item to control manual
override.
Figure 1: Pulse Client with an Automatic Connection Overridden
Advanced Connection Details
The Advanced Connection Details dialog box for an active Pulse VPN connection now
displays the IP address for the Pulse virtual interface.
New Exit Menu for Pulse for Apple OS X
Pulse for Apple OS X has a new simplified menu for starting and stopping Pulse.
Application Acceleration on Pulse Mobile VPN Connections
Pulse for Android and Pulse for Apple iOS support application acceleration through Riverbed® Steelhead®
mobile technology. Steelhead mobile technology performs WAN optimization to improve performance of web
browsing, email, and other applications. When there is a Steelhead Mobile Controller (SMC) in the network path
with the Pulse Secure Access server, Pulse mobile clients can use application acceleration services over VPN
connections.
Configuration is simple. If you have the Steelhead Mobile Controller installed and configured in your network,
you need only enable Steelhead optimization and specify the SMC IP address as one of the settings for the
role you assign to VPN users. When the client communicates with the SMC, the SMC downloads the required
configuration.
Pulse mobile client users can also manually enter the SMC IP address for accelerated communications for
connections that do not connect to Pulse Secure Access Service.
Pulse as SAML Client
Pulse for Windows and Pulse for Apple OS X clients can operate in a Security Assertion Markup Language (SAML)
Single Sign-on (SSO) authentication environment. SAML configuration on the server is unchanged from previous
releases. If you have a SAML Single Sign-on environment, you can map the Pulse user roles to the SAML Single
Sign-on realm. The Pulse user sees a different credential window. In a SAML environment, the Pulse Secure
Access server uses the sign-in page defined as part of the sign-in policy. The Pulse client embeds the sign-in
page within a Pulse dialog box. Figure 2 shows the Pulse for Windows credential screen for SAML
authentication.
Figure 2: Pulse for Windows Credential Screen for SAML Authentication
SAML operations require Pulse R5.0 and Pulse Secure Access Service R8.0. Authentication fails if the Pulse client
or the Pulse server has not been upgraded. Pulse supports only one realm for SAML authentication. The Pulse
client uses the first listed realm and ignores any others.
Microsoft Windows In-box Pulse Client
Microsoft Windows 8.1 introduced a Pulse VPN client as part of the Windows operating system. (Microsoft calls
this an “in-box” application.) The Windows in-box Pulse client appears as a VPN Provider network option within
Windows 8.1 and greater endpoints, including Windows RT endpoints. The user can establish a layer 3 VPN
connection to Pulse Secure Access Service. The Pulse administrator can create, manage, and remove Pulse VPN
connections on the Windows endpoint through Windows PowerShell® scripts. Pulse 5.0 documentation includes
example PowerShell scripts for configuring Windows in-box Pulse clients.
IPSec Support for Mac OSX Connections to Pulse Access Control Service
ESP is the default IPSec tunnel mode for Pulse connections to Pulse Access Control Service. When a NAT device
is detected between the Pulse client and the infranet enforcer, UDP/ESP is used. If the Pulse Secure Access
Service administrator chooses to force UDP/ESP mode, that behavior now extends to Mac OSX connections.
Problems Resolved in This Release
Table 1 describes issues that are resolved when you upgrade. You can click the PR number to see
the complete problem description on the Pulse Secure Support Web site. (Login required.)
Table 1: Resolved in This Release
Problem Report Number
Description
477822
It is currently not possible to provide Pulse access for delegated admin role on SA/IC devices.
515109
When specifying a Location Awareness policy, the Network List Manager (NLM) may not honor the
entire range of IP addresses when both the third and fourth octets are specified as 0.0 (xx.xx.0.0 –
yy.yy.0.0). As a workaround, the entire range of addresses from 0-255 should be considered.
549408
When using a Smartcard, the user is prompted by either the Smartcard provider or Microsoft Base
Smartcard Crypto Provider CSP for the PIN/Password. This prompt is not managed by Pulse and may
remain displayed after a Pulse connection is disconnected or the Pulse process has exited.
782569
When connected to a Pulse Secure Access server from a browser with a host name and clicking the
Start button on the browser with the Pulse connection specified as an IP address, Pulse will not auto
start the Secure Access connection.
809992
When Pulse prompts the user to upgrade and a compliance check fails, the upgrade may fail if
the remediation window is displayed. Closing the remediation window may allow the upgrade to
complete.
838602
When a non-broadcast SSID is deleted from the Pulse wireless connection setting on the Pulse Secure
Access server, the SSID connection on Pulse may not be removed.
827782
If Pulse is upgraded while connected via Remote Desktop, then the Pulse tray icon will not display the
correct status until restarting Pulse.
843785
When attempting to upgrade Pulse, the user may be informed on subsequent upgrade attempts that a
reboot is required to complete the installation. To work around this issue, delete the file
“C:\Program Files (x86)\Common Files\Pulse Secure\JSCDT\REBOOT” and reattempt the upgrade.
847310
To enable Anti-Virus or Firewall predefined host checks on Windows 8 with Pulse, ESAP 2.2.7 is
required.
847590
Windows error message appears when making wireless L2 connections with Credential Provider.
864153
EES does not install through the Pulse interface on Spanish XP.
Known Issues
Table 2 describes the open issues with Pulse. You can click the PR number to see the complete
problem description on the Pulse Secure Support Web site. (Login required.)
Table 2: Known Issues
Problem Report Number
Description
514609
When using a packet capture/monitor tool like Wireshark or NetMon (on XP), certain IP packets sent
may appear to be sent twice. This is most often observed when the network capture mechanism
enables “Promiscuous Mode” on the network adapter.
524205
The Pulse UI may not display correctly on screen resolutions of 800 x 600 or less.
677671
When Pulse is connected to a Pulse Secure Access server and assigned to a Pulse Secure
Application Manager (SAM) role, the user may not be able to access a hostname using a Fully Qualified
Domain Name (FQDN) that resolves to a local DNS.
724457
If Pulse is installed on a client machine that runs the Kaspersky driver version 6.1.18.0 (Kaspersky
AV 6.0.2 installed), the SAM TDI driver is not loaded and the user is not connected to the SAM role until
the machine is restarted. The solution is to restart the machine.
730216
Install Java plug-in on Mac Lion while deploying Pulse through web browser.
731979
There is no feedback to the user that host check failed because of missing host checker.
744704
Pulse on Macintosh does not support the Safari browser auto proxy discovery settings.
745651
Pulse on Mac: SA connection can get stuck in “connect requested” after fast user switch.
746628
While downloading and enabling Enhanced Endpoint Security (EES), Pulse may display status
indicating that EES is not running.
749362
The Location Awareness rules with Action ‘DNS server’ or ‘Resolve address’ may not work as expected
on Pulse for Macintosh. Note: On all OSX versions, the ‘DNS server’ rule will not detect DNS servers
that the user has manually assigned to an interface. DNS servers assigned by DHCP will work
correctly. On Snow Leopard and earlier, the ‘Resolve address’ rule always evaluates to false. On Lion
and Mountain Lion, the ‘Resolve address’ works correctly.
750033
Pulse throws a setup client error when run as administrator from the Start->Programs menu on a
Win7 64-bit machine.
768922
The Pulse client is not passing Multi-cast traffic through a tunnel to the Pulse Secure Access server on
Windows 7 endpoints when multicast support is enabled on the Pulse Secure Access server.
773704
Pulse deployment would fail on Windows 8 using Metro style IE 10.
774974
Behavior of Pulse features not supported over IPv6 (e.g. Pulse SAM) is undefined in IPv6 scenarios.
786215
Protected resources may not be accessible via hostnames with split tunnel enabled with Pulse on Mac
Mountain Lion (OSX 10.8) platforms.
786236
Mac Lion: Pulse upgrade 3.0 to 3.1 is not working on Mac Lion when connecting to SA with IPv6
addr/hostname.
788015
Pulse 3.1 CP: wireless suppression doesn’t seem to work at CP time.
798544
The Pulse Commandline Launcher may return the error invalid arguments when the URL specified
does not exactly match the URL specified in the Pulse connection entry.
812263
Mac OS 10.8 new Gatekeeper feature causes all app installs to fail due to default Gatekeeper settings.
825113
When a Pulse tunnel is disconnected in IPv6-in-IPv6 tunneling mode (6in6), the default IPv6 route
for physical interface is not restored; as a result, network connectivity is lost. This problem occurs
because of a bug in Apple’s OSX Mountain Lion (10.9). Apple’s “Radar” bug-tracking number is
12945619, and the DTS number is 244125795.
832352
When disconnecting a suspended connection to a Pulse Secure Access server, the session
information on the Pulse Secure Access server active users page may still be displayed.
834055
When attempting to connect to a Pulse Secure Access server after having upgraded Symantec
Endpoint Protection to version 12 with Pulse installed, the connection may fail to setup the virtual
adapter properly. To work around this issue, reinstall Pulse.
838602
When a non-broadcast SSID is deleted from the Pulse wireless connection setting on the Pulse Secure
Access server, the SSID connection on Pulse may not be removed.
839770
When attempting to connect to a Pulse Access Control server, Pulse may display the message
“Authentication unexpectedly terminated by Windows 802.1x supplicant” while performing an 802.1x
authentication after a server upgrade. To work around this issue, disconnect Pulse and reconnect.
839770
840842
When attempting to connect to a Pulse Access Control server, Pulse may display the message
“Authentication rejected by server” on the first attempt to perform an 802.1x authentication after a
server upgrade. To work around this issue, disconnect Pulse and reconnect.
842586
While logged into the Pulse Secure Access server via the browser and clicking the icon to launch
Pulse, any existing saved credentials for that connection will be overwritten.
843178
When Pulse is configured for two roles, one allowing full access and the other limited access, during
host check evaluation Pulse may display the connecting status when switching between full and
limited access.
852345
847310
To enable Anti-Virus or Firewall predefined host checks on Windows 8 with Pulse, ESAP 2.2.7 is
required.
850206
When the system is coming out of sleep and both wired and wireless connections are configured on
the Pulse Secure Access or Pulse Access Control server with wireless suppression enabled, the user
may be prompted for user credentials.
852345
When Pulse is configured for two roles, one allowing full access and the other limited access, during
host check evaluation Pulse may display the connecting status when switching between full and
limited access.
860043
If the ‘Dynamic certificate trust’ option is checked for the Pulse connection set on the IVE, a Pulse FIPS
connection to a FIPS server will be successful even when the device certificate’s root CA is not trusted
on the client endpoint.
876592
For some local subnets, the Pulse client on OSX is unable to enforce a split tunnel that allows only
local subnet traffic to bypass the tunnel. This bug appears to result from a limitation in the OSX
firewall feature. See workaround.
897984
When ‘Back to my mac’ is enabled through iCloud on Mac OS X, end user cannot reach any resources
through the VPN tunnel with Pulse.
897986
Pulse provides less upload bandwidth than Network Connect with SSL VPN tunnels. For example,
when uploading a very large file (i.e., greater than 50 MB) through a SSL VPN tunnel, Pulse could
take as much as two and a half times longer than NC. Exact performance variance depends on a
number of factors, including underlying network substrate speed, server loading, etc. Note that this
performance discrepancy between Pulse and NC does not occur with VPN tunnels that use the
UDP/ESP protocol, which is the default VPN protocol. Generally, this performance discrepancy would be
experienced only by users needing to use SSL due to the need to have FIPS compliance.
898845
When attempting to connect to an IC from an endpoint having a tunnel-in-tunnel configuration
containing a Location Awareness Rule with an ‘Endpoint address’ action, sometimes Pulse fails to
connect to the IC (despite the fact that the IC’s IP address is pingable from the endpoint device).
During the failure, Pulse reports a “network error” and the following message is logged: Network
errors can be caused by temporary conditions such as an invalid IP address, a server not available,
and so on. Please try the operation again. Restart your system and try the operation again. If the
problem persists, contact your network administrator.
909674
Session options should always be configured with greater than 10 minutes. Session Resumption doesn’t
happen for sessions which are less than 10 minutes.
921633
HTTP hyperlinks cannot be opened from Pulse dialogs customized with the Pulse Branding Tool on
Mac/OSX devices due to a bug on Pulse for Mac/OSX. There is no current workaround to this issue.
For this reason, Pulse Secure recommends against adding hyperlinks to Pulse for Mac/OSX messages.
925236
MAC 10.8.5: Proxy is not working; impersonation of the pulse.pac file is not happening after connecting
Pulse. The IVE administrator can provide an ipv6 ip pool in the connection profile. In this case, the
proxy pac file creation works correctly and the server-side proxy credential popup is displayed when
accessing protected resource.
929221
A change to the way negative DNS responses are cached in Windows 8.1 can cause certain IPv4
destinations to be unreachable via SAM tunnels on dual-stacked IPv4/IPv6 Windows 8.1 endpoints.
See workaround.
930434
Pulse will cease to function properly during any in-place upgrade of Windows. For example, if Pulse
is installed on a Windows 8.0 machine, and then if the machine is upgraded to Windows 8.1, then
the Pulse will no longer function. The act of upgrading Windows causes Pulse’s drivers to become
corrupted. This problem is caused by limitations in the Windows operating system (WINSE480562),
and cannot be fixed using Pulse’s current driver architecture. The workaround for this problem is to
uninstall Pulse, then upgrade the Windows OS, then reinstall Pulse. Note that this problem exists for
all versions of Pulse 5.0 and earlier (not just Pulse 5.0).
936913
If you have Pulse installed and then you upgrade OS/X to 10.9 (Mavericks), the directory that contains
Pulse’s log information will be deleted by the upgrade. Pulse will still function, but it will not save new
log data, which could make diagnosis of future problems difficult. To work around this issue, simply
uninstall and reinstall Pulse.
937262
In limited circumstances on Windows 8.x devices when Wifi connectivity is spotty/lossy, Pulse will
fallback to SSL tunnel mode, and no additional connections to the SA can be established (e.g.
browser). This problem is caused by an issue in the Windows OS relating to notifications of changes to
the routing table. This issue is described at social.msdn.microsoft.com/Forums. The Microsoft case
number is 113100210832636. This problem happens more on tablets than on other kinds of devices,
for reasons that are not clear. There is no known work around to this issue.
939216
Pulse can periodically disconnect on Mac OSX 10.9 on networks with GLBP (Gateway Load Balancing
Protocol) enabled. This problem occurs because of a change in OSX 10.9 that causes the OSX
machine to unicast (rather than broadcast) ARP requests. This issue has been written up in a number
of places, including here:
https://discussions.apple.com/thread/5483424
The workaround is to run the following on the client:
$ sudo sysctl -w net.link.ether.inet.arp_unicast_lim=0
net.link.ether.inet.arp_unicast_lim: 5 -> 0
(You can set this also in /etc/sysctl.conf.) This command disables the unicast ARP requests.
Documentation
Pulse documentation is available at http://www.pulsesecure.net/techpubs.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation.
You can send your comments to techpubs-comments@pulsesecure.net.
Technical Support
When you need additional information or assistance, you can contact Pulse Secure Global Support Center
(PSGSC):
• http://www.pulsesecure.net/support
• support@pulsesecure.net
• Call us at (408) 372-9600
For more technical support resources, browse the support website (http://www.pulsesecure.net/support).
Revision History
Table 3 lists the revision history for this document.
Table 3: Revision History
Revision
Description
00/November 2013
Initial publication.