5.2R3.0 Pulse Secure Desktop Client Release Notes

  • View
    246

  • Download
    0

Embed Size (px)

Text of 5.2R3.0 Pulse Secure Desktop Client Release Notes

  • Pulse Secure Desktop Client Release Notes Pulse Secure Desktop Client v5.2r3 Build 537 For more information on this product, go to www.pulsesecure.net/products.

    Product Release

    Published

    Revision

    5.2r3, #537

    May 2016

    1.5

    http://www.pulsesecure.net/products

  • Pulse Secure Desktop Client Release Notes

    2016 by Pulse Secure, LLC. All rights reserved 2

    Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 http://www.pulsesecure.net

    2016 by Pulse Secure, LLC. All rights reserved

    Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks,

    service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to

    change, modify, transfer, or otherwise revise this publication without notice.

    The information in this document is current as of the date on the title page.

    END USER LICENSE AGREEMENT

    The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse

    Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA)

    posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the

    terms and conditions of that EULA.

    http://www.pulsesecure.net/http://www.pulsesecure.net/support/eula

  • Pulse Secure Desktop Client Release Notes

    2016 by Pulse Secure, LLC. All rights reserved 3

    Table of Contents

    Introduction 4

    Interoperability and Supported Platforms 4

    New Features 4

    Single Sign On (SSO) using Credential Provider 4

    Improved IPv6 Security 4

    Qualification of Pulse Secure desktop client interoperation with Google Authenticator 4

    Enhanced SHA-2 Code Signing 5

    Improved Large-scale Configuration Deployment and Diagnosis 5

    General Notes 9

    Caveats, Important Changes, and Deprecated Features 9

    Product Codes (GUIDs) for SCCM Deployments 9

    Pulse 5.2R3 9

    Problems Resolved in 5.2r3 10

    Problems Resolved in 5.2r2 11

    Problems Resolved in 5.2r1.1 12

    Problems Resolved in 5.2r1 12

    Known Issues in this Release 15

    Documentation Feedback 21

    Technical Support 21

    Revision History 21

  • Pulse Secure Desktop Client Release Notes

    2016 by Pulse Secure, LLC. All rights reserved 4

    Introduction This release-notes document for the Pulse Secure desktop client version 5.2. This document provides a cumulative list of all

    enhancements, fixes and known issues for the 5.2 client. If the information in the release notes differs from the

    information found in the documentation set, follow the release notes.

    The Pulse Secure desktop client provides a secure and authenticated connection from an endpoint device (either Windows

    or Mac OS X) to a Pulse Secure gateway (either Pulse Connect Secure or Pulse Policy Secure). For a complete description of

    the capabilities of this desktop client, please see the online help within the desktop client itself, or the Pulse Desktop Client

    Administration Guide (which can be found at Pulse Secures Technical Publications site).

    Interoperability and Supported Platforms Please refer to the Pulse Desktop Client Supported Platforms Guide for supported versions of operating systems, browsers,

    and servers in this release.

    New Features The 5.2r3 Pulse Secure desktop client contains many new features, which are described here.

    Single Sign On (SSO) using Credential Provider

    The Pulse Secure desktop client for Windows 5.2r3 contains new single-sign on capability that can reduce the

    number of times end users are prompted for credentials. If this feature is enabled for a given Pulse Secure

    gateway connection, then the system login credentials will be cached and used for that connection. If credential

    provider is enabled (recommended), then the cached credentials will come from credential provider; otherwise,

    the credentials will come from the previous authentication on any connection that has this property checked.

    [PSD-1159]

    Improved IPv6 Security

    The Pulse Secure desktop client version 5.2r3 contains route monitoring functionality for IPv6. This security mechanism

    ensures that if a user (or a program) modifies the IPv6 routing table in a manner that violates the tunneling policy of an

    active VPN connection, then the Pulse Secure desktop client will disconnect the tunnel and reconnect, therefore wiping out

    the change to the routing table. This change ensures that a routing-table change cannot cause network traffic to bypass an

    active tunnel in violation of that tunnels policy. This IPv6 functionality is analogous to the existing IPv4 route monitor

    functionality. [PSD-1308]

    Qualification of Pulse Secure desktop client interoperation with Google Authenticator

    The Pulse Secure desktop client 5.2r3 has been qualified to interoperate with Google Authenticator, which provides two-

    factor authentication.

    https://www.pulsesecure.net/techpubs/https://www.pulsesecure.net/techpubs/pulse-client/pulse-secure-client-desktophttps://en.wikipedia.org/wiki/Google_Authenticator

  • Pulse Secure Desktop Client Release Notes

    2016 by Pulse Secure, LLC. All rights reserved 5

    More information on this interoperation and how it can be configured can be found in Pulse Secures KB40172. [PSD-1310]

    Enhanced SHA-2 Code Signing

    The 5.2r3 Pulse Secure desktop client for Windows enhances the way its binaries and other artifacts are digitally signed.

    These changes improve security by making it vastly more computationally difficult for malicious code to impersonate the

    Pulse Secure desktop client.

    Pulse clients 5.2r1.1 and later are signed with a SHA-2-signed code-signing certificate to improve security and adhere to

    new Microsoft OS restrictions. (Previous versions of the client were signed with a SHA-1 certificate see the Pulse Secure

    Desktop client 5.2r1.1 release notes for details.) 5.2r3 improves upon this 5.2r1.1 enhancement by ensuring that SHA-2

    file message digests are used in the code-signing process for all 5.2r3 and later Pulse clients. In addition, 5.2r3 Pulse

    client Java bundles leverage SHA-2 timestamp hashes and timestamp-authority certificates.

    Note: Please see the Caveats section, below, for an important caveat regarding SHA-2 code signing. [PSD-373]

    Improved Large-scale Configuration Deployment and Diagnosis

    The 8.2r3 Pulse Connect Secure (PCS) gateway, the 5.3r3 Pulse Policy Secure (PPS) gateway, and 5.2r3 Pulse Secure desktop

    client contain enhancements that:

    Help system administrators adhere to large-scale configuration best practices, and

    Simplify diagnosis of issues relating to configuration distribution across multiple Pulse Secure gateways.

    Each enhancement is described, below.

    Adhering to configuration best practices

    The PCS gateways admin console now contains both a visual indicator and a warning message that help a system

    administrator avoid modifying a shared Connection Set in a manner inconsistent with best practices. To understand the

    value of these changes, it is best to first understand best practices regarding the management of Connection Sets across

    multiple Pulse Secure gateways.

    If you have multiple Pulse Secure gateways, and if your objective is to ensure that Connection Sets are consistent across

    these gateways, then it is recommended that you modify your Connection Sets in the following way:

    https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40172

  • Pulse Secure Desktop Client Release Notes

    2016 by Pulse Secure, LLC. All rights reserved 6

    1) Designate one gateway as the primary gateway

    2) Make the Connection Set changes on that primary gateway

    3) Move that Connection Set to the other gateways either through the gateways XML export and import functionality,

    or, through the gateways Push Config mechanism

    These best practices ensure that Connection Sets are consistent, regardless of which gateway a client connects to. If these

    practices are not followed, an end user could see different Connection entries in the Pulse client UI depending on which

    gateway the client is connected to, and this could cause user confusion. The following two admin-console changes help

    system administrators avoid this situation.

    Visual Indicator:

    The admin console of a Pulse Secure gateway will now gray out the listing of Connection Sets that are owned by other Pulse

    Secure gateways. This visual indicator warns that editing the Connection Set could cause inconsistencies among that

    Connection Set across multiple gateways. If youd like to edit a Connection Set that is grayed out, and if youd like to ensure

    that Connection Sets are consistent across multiple gateways, then the best practice is to make the change on the primary

    gateway, then export the updated Connection Set to other gateways using the export/import or Push-Config functionality

    mentioned above. See the Acme Set 2 listing below for a depiction of this visual indicator:

    Warning Message:

    If a system administrator elects to edit a Connection Set on a gateway that is not the owner of that Connect