Pulse Secure Desktop Client Release Notes · Pulse Secure Desktop Client Release Notes Pulse Secure Desktop Client v5.0R16 Build 61523 For more information on this product, go to

Pulse Secure Desktop Client Release Notes

Pulse Secure Desktop Client v5.0R16 Build 61523 For more information on this product, go to www.pulsesecure.net/products.

Build

Published

Document Version

10.0

http://www.pulsesecure.net/products

Pulse Secure, LLC

2700 Zanker Road, Suite 200 San Jose, CA 95134 http://www.pulsesecure.net

© 2016 by Pulse Secure, LLC. All rights reserved

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks,

service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to

change, modify, transfer, or otherwise revise this publication without notice.

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse

Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”)

posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the

terms and conditions of that EULA.

http://www.pulsesecure.net/

http://www.pulsesecure.net/support/eula


© 2016 by Pulse Secure, LLC. All rights reserved 3

Contents

Introduction 6

General Notes 6

Interoperability and Supported Platforms 6

New Features 6

Caveats, Important Changes, and Deprecated Features 6

Problems Resolved in 5.0R16 6

Table 1 Problem Resolved in Pulse 5.0R16 6

Problems Resolved in 5.0R15.1 7

Problem Resolved in Pulse 5.0R15 7




Problem Resolved in Pulse 5.0R13.1 8

Table 4 Problem Resolved in Pulse 5.0R13.1 8


Table 5 Resolved in This Release 8

Pulse Secure Desktop New Features in Pulse 5.0R12 9

Pulse Secure Rebranding ...................................................................................................................................... 9



Security Issues Resolved in Pulse 5.0R12 ............................................................................................................. 10

Table 7 Security Issues Resolved in This Release 10



Security Issues Resolved in Pulse 5.0R11 11

Table 9 Security Issues Resolved in This Release 11







Noteworthy Changes in Pulse 5.0R8 13







Removal of AppAccel (WX) from this and subsequent releases on Pulse Secure client ............................... 14

Problem Resolved in Pulse 5.0R6 Release 15






Problem Resolved in Pulse 5.0R3.1 16




Known Issues in Pulse 5.0R3 17

Table 18 Known Issues 17



Known Issues in Pulse 5.0R2 19

Documentation Feedback 19

Technical Support 20



Revision History 20



Introduction

This release-notes document for the Pulse Secure desktop client version 5.0. This document provides a cumulative list of all

enhancements, fixes and known issues for the 5.0 client. If the information in the release notes differs from the

information found in the documentation set, follow the release notes.

The Pulse Secure desktop client provides a secure and authenticated connection from an endpoint device (either Windows

or Mac OS X) to a Pulse Secure gateway (either Pulse Connect Secure or Pulse Policy Secure). For a complete description of

the capabilities of this desktop client, please see the online help within the desktop client itself, or the Pulse Desktop Client

Administration Guide (which can be found at Pulse Secure’s Technical Publications site).

General Notes Security-related issues are not normally covered in Pulse Secure release notes. To find more information security advisories

affecting Pulse Secure products, please the Pulse Secure security advisory page.

Interoperability and Supported Platforms

Please refer to the Pulse Secure Supported Platforms Guide for supported versions of browsers and

operating systems in this release.

New Features No new features were introduced in the Pulse Secure Desktop Client version 5.0r16

Caveats, Important Changes, and Deprecated Features The Pulse Secure Desktop Client version 5.0R16 addresses issues described in security advisory SA40241.

Important note: In order to run the Pulse Secure desktop client version 5.0R15 or later on a Windows 7 machine, the

machine must contain a March 10, 2015 Windows 7 Update in order to be able to accept and verify SHA-2-signed binaries

properly. This Windows 7 update is described here and here. If this update is not installed (in other words if a Windows 7

machine has not received an OS update since March 10, 2015), then Pulse 5.0R15 and later will have reduced functionality

(see PRS-337311, below). (As a general rule, Pulse Secure, LLC recommends that client machines be kept current with the

latest OS updates to maximize security and stability.)

Problems Resolved in 5.0R16 Table 1 Problem Resolved in Pulse 5.0R16

Problem Report

Number

Description

https://www.pulsesecure.net/techpubs/

https://kb.pulsesecure.net/?atype=sa

https://www.pulsesecure.net/techpubs/pulse-policy-secure/pps/5.2rx

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40241/

https://support.microsoft.com/en-us/kb/3033929

https://technet.microsoft.com/en-us/library/security/3033929



PRS-342195

Pulse SAM fails to launch on Windows 10 Redstone due to Windows digital signature verification error

Problems Resolved in 5.0R15.1 The Pulse Secure Desktop Client version 5.0r15.1 addresses issues described in security advisory SA40241.

Problem Resolved in Pulse 5.0R15

Table describes issues that are resolved.

Table 2 Problem Resolved in Pulse 5.0R15

Problem

Report

Number

Description

PRS-337311 As described in the “Caveats” section of this document, the Pulse Secure desktop client version 5.0R15 and later are code-signed with SHA-2 certificates in order to meet new restrictions enforced by enforced by Microsoft operating systems in 2016. This new code-signing feature causes certain issues with older versions of Windows 7. Specifically, versions of Windows 7 that have not been patched since March 10, 2015 will not be able to load certain drivers and executables signed with SHA-2. These unpatched versions of Windows 7 will experience the error “An unexpected error occurred” when trying to run the Pulse SAM (either the standalone WSAM or the Pulse-integrated SAM) app-specific tunneling feature. Users’ log files will contain the message:

“The Juniper Networks TDI Filter Driver (NEOFLTR_821_42283) service failed to start due to the following error:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.”

The workaround for this issue is to update the Windows 7 operating system to include the March 10, 2015 patch that allows for the loading of SHA-2-signed binaries and drivers.



https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40241/

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx





Table 3 Problem Resolved in Pulse 5.0R14

Problem Report

Number

Description

PRS-328239

The agent type for Pulse users on Windows 10 show up as “Windows Vista Pulse Secure” on the Active Users page.

This now been fixed to display “Windows 10 Pulse Secure”

Problem Resolved in Pulse 5.0R13.1


Table 4 Problem Resolved in Pulse 5.0R13.1

Problem Report

Number

Description

PRS-333341 When Shavlik patch assessment policies are configured as enforcement or evaluation policies, Pulse will not connect.



Table 5 Resolved in This Release

Problem Report

Number

Description

PRS-331147 Pulse may attempt to connect to a manual connection and pre configuration connection simultaneously

PRS-328635 Pulse may not connect after clicking on “Start” if the defined URL has the https:// prefix



PRS-328615 If the Pulse connection is defined with https:// prefix AND SAML authentication is used, an extra https:// may be seen

and cause connection failure

PRS-328555 Manually adding a connection in Pulse for a SAML-protected login URL may cause two entries in the after the user

connects

PRS-327459 JuniperSetupClient.ocx may be prevented from running and marked as being from an untrusted CA due to invalid SKID

validation

PRS-326650 Pulse disregards SSID priority order configured in Scan list of wireless 802.1x connection set

PRS-323072 Under certain circumstances Pulse launcher attempts to create more than one connection to the same PCS

Pulse Secure Desktop New Features in Pulse 5.0R12

Pulse Secure Rebranding

The Pulse Secure line of products (including the Pulse Secure desktop client) has been rebranded to reflect its

new affiliation with Pulse Secure, LLC. Cosmetic entities like icons, fonts, product and company names,

trademarks, copyright statements and UI colors have been changed. Product behavior was not changed as the

result of this rebranding.

Note: For Pulse Secure 5.0R12, the names of the Pulse Secure gateways (formerly collectively referred to as the

IVE, or “Instant Virtual Extranet”) have changed.

The SSL-VPN headend (formerly called the Secure Access or SA device) is now called Pulse Connect Secure. The

access-control headend (formerly called the Unified Access Control or UAC device, and also sometimes called

the Infranet Controller or IC) is now called Pulse Policy Secure.




Problem Report

Number

Description

PRS-310334 PAC settings fail to be restored properly during an ungraceful reboot

PRS-323197 “Repair” and “Uninstall” shortcuts missing from the start menu on Windows 8+



PRS-326898 Location awareness rule evaluation may delay the connection to the PCS/PPS

PRS-327019 Host Checker may fail to launch through Pulse when the PPS/PCS is configured for FIPS

Security Issues Resolved in Pulse 5.0R12

Table describes issues that are resolved when you upgrade.

Table 7 Security Issues Resolved in This Release

Problem Report

Number

Description

PRS-328517 Logjam vulnerability (Pulse 5.0)






Problem Report

Number

Description

PRS-322975 SAML-based authentication from Pulse fails to connect

PRS-322384 Pulse launcher does not work with New Pin Mode.

PRS-325004 Pulse fails to prompt for an updated secondary password if the second password is changed after being saved.

PRS-323933 When running Pulse on a Mac, if the internal DNS cannot resolve the IVE hostname then the user cannot directly

access the IVE.

PRS-323598 Pulse attempts to continuously connect to a second VPN connection continuously even though an existing VPN

connection is connected.

PRS-315604 Pulse Cache Cleaner fails to delete the contents of "Recycle Bin" when "Empty Recycle Bin and Recent Documents list

at the end of user session" is enabled.

PRS-326751 After upgrade of pulse client, L2 connection might fail.

Security Issues Resolved in Pulse 5.0R11


Table 9 Security Issues Resolved in This Release

Problem Report

Number

Description

PRS-324902 Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)






Problem Report

Number

Description

PRS-322849 Pulse is sending a reconnect message every 5 seconds in L2 connection when the user disjoins the domain.

PRS-322041 Pulse may crash when choosing the option to “Forget Saved Settings” when uninstalling Pulse on a Mac OS X client.

PRS-321099 Pulse cannot handle 802.1x authentication on devices that have configured virtual NICs..

PRS-315232 EAPHost packets may be fragmented when using Host Checker.

PRS-199150 Incorrect error message is displayed in Pulse for revoked certificate when doing certificate authentication.

PRS-322740 Pulse may not connect if pre-signin notifications are configured

PRS-320935 SSL transport may be unduly slow when large packets are sent.

PRS-318910 SSL transport for Pulse is noticeably slower than Network Connect.




Problem Report

Number

Description

PRS-319255 Pulse 802.1x connections fail when password expiration messages are displayed

PRS-318525 When using machine authentication AND single user session, changing network type may trigger disconnects.



PRS-316212 Enabling wireless suppression on a connection set may cause excessive eap3host.exe processes to be spawned on

clients that do not have permission to change NIC state.

PRS-315530 Connecting on a cellular data connection may prevent access to protected resources on Windows 8.1.

PRS-257980 Pulse Credential Provider tile “Other User” should display the Pulse icon on Windows 7.

PRS-320072 Session start script to map network drives may fail to launch.

Noteworthy Changes in Pulse 5.0R8

To effectively support proxies on Windows clients, Network Connect and Pulse will generate URL-based proxy

PAC files instead of file-based proxy PAC files due to access restrictions on Windows machines. (PRS-303538,

PRS-319611)

The driver used for Pulse is reverted to JNPRNA for Windows Vista clients. (PRS-317884)




Problem Report

Number

Description

PRS-317884 When the IC and SRX use IPSEC with 802.1x and a user moves between standard access and remediation access

roles, JNPRNS will retain the previous IP.

PRS-318538 JNPRNS installation triggers BSOD on Vista; starting with Pulse 5.0R8, JNPRNA will be installed again.

PRS-315756 The Pulse client on Mac OS shows only 6 configured Pulse Connection sets.

PRS-315426 If “Search device DNS only” is set on a connection profile used by Pulse a Windows machine may require 1+ minutes

to complete login after hard power off.8.1.

PRS-318833 Pulse may not resume the VPN session correctly after an active/cluster node failover.

PRS-309684 Pulse may reconnect after a user signs out from the browser when SSL acceleration is enabled.




This release addresses the issue described in the following Juniper Security Advisory:http://kb.juniper.net/JSA10648




Problem Report

Number

Description

PRS-317942 Self-upgrade of JIS prompts for admin credentials.

PRS-316630 Pulse customization tool (Branding tool) is not working with latest Pulse Secure client on Mac OS X

PRS-316089 Pulse start up can be delayed when unreachable network drive is in PATH system variable

PRS-315986 Pulse Secure client does not prompt for secondary credentials when Defender RADIUS server is configured as

secondary authentication server.

PRS-315084 Due to race condition on WTS_LOGON Pulse 802.1x Wired connection is prompting for credentials after PC reboot

logoff and login

PRS-314240 On OSX 10.10 (Yosemite) Pulse cannot be un-installed by dragging Pulse icon to trash

PRS-312285 Pulse Commandline Launcher (PCL) does not work with RSA SecureID

PRS-282866 Wireless 802.1x: Endpoint drops wireless connection during a VLAN change


Removal of AppAccel (WX) from this and subsequent releases on Pulse Secure client

Support for AppAccel (WX) has been removed from this and subsequent releases of Pulse and the Pulse

configuration. With the removal of WX this feature will no longer be installed with the Pulse client. Upgrading

existing Pulse clients that have the AppAccel feature installed will result in this feature being removed. The

Pulse UI will also reflect this by not showing the AppAccel portion since it will no longer be installed on the

machine. If you have servers that have a Pulse connection set with WX connections then during server upgrade

http://kb.juniper.net/JSA10648



these connections are removed. This will result in version change for the connection set. When a Pulse client

configured with a connection set containing the WX connection connects to the upgraded server that client will

receive the upgraded connection set with no WX connection regardless if the client still supports WX or not.

(999653)

Problem Resolved in Pulse 5.0R6 Release



Problem Report

Number

Description

946513 During credential provider and smart card login with Pulse Secure client, when an invalid smart card PIN is entered,

Pulse keeps trying to connect instead of returning a Wrong PIN message

984758 Upgrading Pulse damages the jnprvamgr driver

1004549 Pulse installation fails on Window 7




Problem Report

Number

Description

812263 Default gatekeeper settings require manual opening of the mpkg package for DMG-based install on Mac OS 10.8+

997252 SRX-based connections may fail to pass traffic when connected from a Windows OS endpoint

984789 VPN Tunnel may fail to establish on XP if Traffic Enforcement is enabled on the role VPN Tunneling options






Problem Report

Number

Description

977758 Pulse displays invalid credentials instead of requesting for passcode when one-time-password option is disabled for

RADIUS server.

939265

Pulse configured to do dot1x user authentication using Credential Provider and smart card may fail with Need

Certificate Error. This happens when the smartcard that is used needs "AT_SIGNATURE" option for CryptGetUserKey

function.

945051 Sometimes during Sudden/Abnormal Reboot of Endpoint truncates “access.ini” file, which in turn is responsible for

Access Service crash.

955023 If a client has IPv6 enabled, a machine on the same network may be able to reach the local IP despite the tunnel policy

being set to enable traffic enforcement and disable split tunneling.

969923 IPv6 default route is removed after Pulse session is disconnected

Problem Resolved in Pulse 5.0R3.1



Problem Report

Number

Description

981148 Pulse 5.0R3.1 addresses the “heartbleed” security vulnerability (CVE-2014-0160), which was discovered in OpenSSL

(1.0.1-1.0.1f) and was publicized on April 7, 2014. In short, a coding flaw in the heartbeat functionality of OpenSSL can

allow a malicious user to read arbitrary 64KB blocks of RAM on vulnerable devices. Details of the vulnerability can be

found at the openssl.org site; its effects on Juniper products are described in JSA10623 on Juniper ’s Knowledge Base

(KB) site.

Pulse Secure client for Windows and Mac versions 4.0r5 through 5.0r3 contain this vulnerability. Users can eliminate

the vulnerability on client devices by upgrading their client machines to 5.0r3.1 (build #44983) or later.

Note that the “heartbleed” vulnerability also exists on the server side of the Pulse connection. For updates on the

server-side as well as the client side of this vulnerability, please consult KB article KB29004.






Problem Report

Number

Description

959763, 965819 On machines running Pulse 5.0r1 or 5.0r2, Pulse may freeze under certain conditions, including:

When the endpoint displays the splash screen after the device resumes from sleep

During the 'Remediating' state

959840 User prompted for realm selection when multiple connections are configured and the user logs in as a username

password user.

971965 Pulse UI message displaying the presence/absence of the wireless adapter is not being updated frequently enough.

969904

After receiving connection information from the server, the client can fail to save the data and report the following errors:

'UiModel' Error getting machine::setting conn-info using conn-store client.

and

Failed CreateFile: 32 C:\Program Files (x86)\Common Files\Juniper

Networks\ConnectionStore

This problem can happen on machines that are either very slow, or, that are running Antivirus software that

substantially delays access to files

970841 Under very limited and intermittent conditions after upgrading to Pulse 5.0r2, Pulse may stop sending traffic through the

VPN tunnel.

Known Issues in Pulse 5.0R3

Table describes the open issues with Pulse Secure client.

Table 18 Known Issues

Problem Report

Number

Description

962446 Pulse running in FIPS mode on an endpoint running McAfee Application Control can cause a self-test failure. Juniper

Knowledgebase article KB28876 describes how to recognize this issue and how to configure McAfee Application

Control to avoid this issue.

970837

Some 3rd party applications can lock DLLs that must be changed during a Pulse upgrade. When this happens, a reboot

is required to finish the upgrade. To minimize the likelihood of being asked to reboot after a Pulse upgrade, we

recommend that you close all applications prior to upgrading Pulse.



974070 The "Dynamic VPN to SRX" firewalls feature that was added in Pulse 5.0r3 is not supported on OSX versions 10.7 and

earlier. If you attempt to establish an SRX connection on Mac OS 10.7 or earlier, you will encounter a "Failed to get

HTTP response" error.

954731 On Mac OSX devices running 5.0r3 and later Pulse, the Advanced Connection Details screen will always report

'Session time remaining' as zero seconds when a Dynamic VPN connection is established to an SRX firewall. This

value can be ignored.

960981 Users of Java 7 update 45 may see the erroneous warning message ‘This application will be blocked in a future Java

security update because the JAR file manifest does not contain the Permissions attribute. ’ A bug in Java 7 update 45

causes the Permissions attribute not to be read if the Trusted-Library attribute is also in the manifest. The solution to

avoid this warning is to upgrade to Java 7 update 51 or later.

912652 On OSX 10.9 (Mavericks) and 10.8 (Mountain Lion), Safari 6.1/7's default action of blocking Java applets prevents

Pulse from being deployed from the browser

925097 On Vista and greater OS, when using Pulse Collaboration, there may be two Collaboration processes (dscboxui.exe)

present.

932287 If a user signs into Pulse Connect Secure (SSL-VPN) and then migrates their session to a Pulse Connect Secure (an

IC), the Federation-Wide Sessions display on the IF-MAP server (navigate to IF-MAP Federation -> This Server ->

Federation-Wide Sessions) may contain two nearly identical rows for the one session.

When the user later signs out of the IC, a vestigial row may be left behind, with all cells blank except the "User" cell.

These extra rows can be ignored unless thousands of them accumulate. An accumulation might affect the IF-MAP

server's performance and storage capacity.

Workaround: to eliminate the extra rows, on the JPACS (IC) box to which the users have migrated:

1. Click IF-MAP Federation -> Overview.

2. Select No IF-MAP.

3. Click Save Changes.

4. Select IF-MAP client or IF-MAP server, whichever was in effect at step 1.

5. Click Save Changes.

This workaround disrupts users' access to protected resources, so it should be scheduled during a quiet time.




Table describes the issues resolves in Pulse Secure client 5.0R2.


Problem Report

Number

Description

937818 When there is no network/internet connection, users are unable to login to the client machine when credential provider

connection is in enabled in Pulse.

882595 When Pulse is connected to SA via PPPOE with 'Search the device's DNS servers first, then client' option enabled, the

DNS resolution requests are still sent to PPPoE's DNS server rather than IVE's DNS Server.

97984 When 'Back to my mac' is enabled through iCloud on Mac OS X, end user cannot reach any resources through the VPN

tunnel with Pulse Secure client.

944594 Pulse Location awareness does not work when router/DHCP server assigns primary and the secondary DNS as the

same IP.

Known Issues in Pulse 5.0R2

Table describes the option issues with Pulse Secure client.

Table 20 Known Issues

Problem Report

Number

Description

There are no new issues to report in this release.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation.

You can send your comments to [email protected].

mailto:[email protected]



Technical Support

If you need additional information or assistance, you can contact the Pulse Secure Global Support Center (PSGSC) in the

following ways:

• http://www.pulsesecure.net/support • [email protected] • Call us at 844-751-7629 (outside the U.S., see phone numbers here)

Revision History

Table lists the revision history for this document.

Table 21 Revision History

Revision Description

August 11, 2014 Initial publication.

February 17, 2015 Included Pulse5.0R9 release notes

March 24, 2015 Included Pulse5.0R10 release notes

May 22, 2015 Included Pulse5.0R11 release notes

August 7, 2015 Included Pulse5.0R12 release notes

September 24, 2015 Included Pulse5.0R13 release notes

October 30, 2015 Included Pulse5.0R13.1 release notes

January 20, 2016 Included Pulse5.0R14 release notes

April 20, 2016 Included Pulse5.0R15 release notes

July 2016 Included Pulse 5.0R15.1 release notes

October 2016 Included Pulse 5.0R16 release notes

http://www.pulsesecure.net/support

mailto:[email protected]

https://www.pulsesecure.net/support/support-contacts/