© 2014 by Pulse Secure, LLC. All rights reserved 1
Pulse Connect Secure
Pulse Policy Secure
Solutions Deployment Guide for Design and
Configuration
Product Release 8.1/5.1
Document Revision 1.0
Published: 2014-12-15
Solutions Deployment Guide for Design and Configuration
Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 http://www.pulsesecure.net
© 2014 by Pulse Secure, LLC. All rights reserved
Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks,
registered trademarks, or registered service marks are the property of their respective owners.
Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change,
modify, transfer, or otherwise revise this publication without notice.
The information in this document is current as of the date on the title page.
END USER LICENSE AGREEMENT
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software.
Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that
EULA.
Revision History
2014-12-15 – Initial Version
Table of Contents
Introduction
Audience
Pulse Connect Secure
  a) How to configure GSLB (Global Server Load Balancing) in Stingray Traffic Manager for disaster recovery of Pulse Connect Secure Active/Passive clusters at multiple locations
Pulse Policy Secure
  a) How to configure Pulse Policy Secure to communicate with Trapeze Wireless Controllers
  b) How to deploy and configure multiple standalone Pulse Policy Secure devices behind F5 Load balancer in NAC environment
List of Figures
Figure 1 Notional Design
Figure 2 Clustering
Figure 3 Cluster Mapping
Figure 4 GSLB Locations
Figure 5 GLB Services
Figure 6 GLB Services > DNS GSLB
Figure 7 GLB Services > DNS GSLB > Connection Settings
Figure 8 Pool > DNS-loadbalance
Figure 9 Virtual Servers > dns-gslb
Figure 10 DNS GSLB
Figure 11 Radius Client
Figure 12 Alpha-WLAs
Figure 13 Radius Return Attribute
Figure 14 Endpoints - VLAN
Figure 15 Tasks Panel
Figure 16 802.1x Service Profile Wizard
Figure 17 Wireless Services - Configuration
Figure 18 Wireless Service Profiles
Figure 19 Service Profile Properties
Figure 20 Radius Servers
Figure 21 Network Topology
Figure 22 Load Balancer
Introduction
This document provides design and configuration information for successfully deploying Pulse Connect Secure and Pulse Policy Secure in various scenarios. It gives a detailed summary of the environmental conditions (configuration, load, topology, and tools) under which each overall solution works.
Audience
This deployment guide is intended for customers, sales, partners, field engineers, TAC, and other users who install and configure the Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) solutions.
Pulse Connect Secure
a) How to configure GSLB (Global Server Load Balancing) in Stingray Traffic Manager for disaster recovery of Pulse Connect Secure Active/Passive clusters at multiple locations
Use case
A large organization with multiple geographic locations has to provide disaster recovery of secure remote access for its employees, partners, and contractors.
What is the proposed solution in case of a disaster or network disruption?
The active/passive (A/P) cluster solution ensures that users can still access resources if one of the devices fails. But in a disaster or network disruption where both nodes of the active/passive cluster at one location fail, users will not be able to access the resources. To overcome that downtime, the proposed deployment lets users reach the resources by connecting to the devices deployed at the other location.
Disaster recovery is achieved through DNS-based Global Server Load Balancing (GSLB), where the DNS requests for Pulse Connect Secure are routed through the load balancer. The load balancer chooses the answer depending on the client network and also checks whether the backend datacenter is up or down. If one of the sites is down, it automatically sends the request to the other site.
Notional Design
The figure shows the design that was proposed for the deployment. Two Pulse Connect Secure A/P clusters were deployed, one at each of two geographical locations, and are connected to a DNS-based Global Server Load Balancer configured in Stingray Traffic Manager.
Sample scenario:
1. Two Pulse Connect Secure SM-160s in A/P cluster at each location.
2. Stingray Traffic Manager load balancer for DNS based GSLB.
3. DNS server for the end point client network.
4. Datacenters in the protected network.
Figure 1 Notional Design
What are the configurations required to deploy this solution?
There are four components to configure for this solution to work:
1. Pulse Connect Secure configuration
2. DNS server (endpoint side) configuration
3. Load balancer configuration
4. End client DNS server configuration
1. Pulse Connect Secure Configuration
In the Pulse Connect Secure A/P cluster, navigate to Clustering -> Properties and configure the external VIP for each A/P cluster (for example: 192.168.10.201 for cluster 1 and 192.168.10.8 for cluster 2).
Figure 2 Clustering
2. DNS Server Configuration on the End Client Network
In the DNS server (for example, 192.168.11.4 is the DNS IP), map the hostname to the Pulse Connect Secure VIPs. In this case, you can see three entries in the forward lookup zone for the same host name:
Pulse-sol-sa – 192.168.10.201 (mapped to A/P cluster 1 VIP)
Pulse-sol-sa – 192.168.10.9 (mapped to A/P cluster 2 VIP)
Figure 3 Cluster Mapping
This DNS server is now used as the backend for DNS-based GSLB load balancing in Stingray Traffic Manager.
3. Load Balancer Configuration
Log in to Stingray Traffic Manager. Ensure you have the GSLB license.
3.1 GSLB locations:
Browse to Catalogs -> Locations and create the locations by selecting the country names (US, UK, and so on; in this case, the lab1 and lab2 locations were created).
Figure 4 GSLB Locations
Once you have created the locations, browse to the GLB Services tab and define the rules and settings for those locations.
3.2 GLB Services:
1. Click GLB Services, enter a service name (for example: DNS GSLB) and the domain names (for example: Pulse-sol-sa.trinity.pbu.local), and add the locations.
Figure 5 GLB Services
2. Click Service.
Figure 6 GLB Services > DNS GSLB
3. In the Basic Settings, choose Yes to enable the option.
4. Navigate to Locations and Monitoring and check if the GSLB Locations are added.
5. Click Load Balancing.
6. Select the Geographic option and then click Save.
7. Click Rules and add a rule.
NOTE: This is the most important step: the rule script ensures that users can reach the node at the other location in case of a failure.
In the script below, PBU Lab1 and PBU Lab2 are the location names.
NOTE: The script below is TrafficScript and works only with Stingray Traffic Manager.
if( string.ipmaskmatch( request.getremoteip(), "10.1.0.0/16" ) ) {
   # Clients on 10.1.0.0/16 belong to PBU Lab1; use it while it is live.
   $status = glb.service.isLocationLive( "PBU Lab1" );
   if( $status == 0 ) {
      # Home location is down: answer with the other location's VIP.
      glb.service.useLocation( 'PBU Lab2' );
   } else {
      glb.service.useLocation( 'PBU Lab1' );
   }
} else if( string.ipmaskmatch( request.getremoteip(), "10.2.0.0/16" ) ) {
   # Clients on 10.2.0.0/16 belong to PBU Lab2; same logic, mirrored.
   $status = glb.service.isLocationLive( "PBU Lab2" );
   if( $status == 0 ) {
      glb.service.useLocation( 'PBU Lab1' );
   } else {
      glb.service.useLocation( 'PBU Lab2' );
   }
}
# Requests from any other network are not matched by this rule and are
# handled by the service's configured load-balancing method (Geographic,
# selected in step 6).
8. Click Connection Settings and set a custom TTL of 60 seconds. With this TTL, a client is redirected to the other node within 60 seconds of a failure.
Figure 7 GLB Services > DNS GSLB > Connection Settings
9. Navigate to Services -> Pools section.
3.3 Pools Configuration:
Create a new pool by providing a name (for example: DNS LB), a node (the actual DNS server of the end client network, 192.168.11.4), and the monitor “DNS”. Click the Create Pool button. The following page appears.
Figure 8 Pool > DNS-loadbalance
In this page, configure the following options:
Load balancing – roundrobin
Health Monitoring – DNS
Connection Management – Transparency is disabled
3.4 Virtual Server Configuration:
Navigate to Services -> Virtual Servers page.
Create a virtual server by providing the server name (for example: dns-gslb), the protocol DNS, and port 53. Then select the traffic pool that you just created and click the Create Virtual Server button. The following page appears.
Figure 9 Virtual Servers > dns-gslb
In this page, you need to configure the following options for the virtual server:
1. Click GLB Services, assign the service you just created (for example: DNS GSLB), and save.
2. Enable Request Logging option or retain the default settings.
3. Enable Connection Management.
Figure 10 DNS GSLB
The Stingray Traffic Manager load balancer configuration is now complete. Ensure that the DNS server (192.168.11.4 in this case) is reachable from the load balancer (for example: 192.168.11.5).
4. End Client Configuration
Go to the actual end client from which you connect to the Connect Secure URL (Pulse-sol-sa.trinity.pbu.local). Change its DNS server setting to the load balancer IP (192.168.11.5). This ensures that when you connect to Connect Secure, the name lookup reaches the load balancer, which then decides the answer based on the location the request originated from.
5. Test cases to verify the deployed solution
To keep the configuration of the Connect Secure clusters at the different locations in sync, the A/P cluster at one location is configured to propagate its configuration to the other location on a regular basis.
Test Case 1: Take an end client in location 1 (for example: US)
Ping Pulse-sol-sa.trinity.pbu.local. It must resolve to 192.168.10.201 (A/P cluster 1 VIP) and the ping must succeed.
Now go to Connect Secure A/P cluster 1 and change the VIP to a random IP address (for example: 1.1.1.1). On the end client PC, ping the same URL Pulse-sol-sa.trinity.pbu.local again. After 60 seconds (the load balancer TTL is configured as 60 seconds), it starts resolving to the second IP address, 192.168.10.9 (A/P cluster 2 VIP).
Test Case 2: Take an end client in location 2 (for example: UK)
Ping Pulse-sol-sa.trinity.pbu.local. It must resolve to 192.168.10.9 (A/P cluster 2 VIP) and the ping must succeed.
Now go to Connect Secure A/P cluster 2 and change the VIP to a random IP address (for example: 1.1.1.1). On the end client PC, ping the same URL Pulse-sol-sa.trinity.pbu.local again. After 60 seconds (the load balancer TTL is configured as 60 seconds), it starts resolving to the second IP address, 192.168.10.201 (A/P cluster 1 VIP).
By executing the above test cases, you verify that users can reach the other location in case of a failure.
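The rule from step 7 and the expectations of test cases 1 and 2 can be checked against a small model. The following Python is an added example, not Stingray Traffic Manager or Pulse Secure code: it takes the client networks from the script (10.1.0.0/16 for PBU Lab1, 10.2.0.0/16 for PBU Lab2) and the cluster VIPs from the test cases, generalises the two-site rule to any number of sites, and adds a client-side resolver cache so the effect of the 60 second TTL from step 8 is visible. Site liveness is passed in as a set rather than probed, and the mapping tables are constructed for the example.

```python
"""Model of the GSLB rule (step 7) and of what an end client observes in
test cases 1 and 2. Added example; not Stingray or Pulse Secure code."""
import ipaddress

# Constructed from the values on this page: client network -> home site,
# and site -> the A/P cluster VIP that the DNS answer carries.
HOME_SITE = {
    ipaddress.ip_network("10.1.0.0/16"): "PBU Lab1",
    ipaddress.ip_network("10.2.0.0/16"): "PBU Lab2",
}
SITE_VIP = {"PBU Lab1": "192.168.10.201", "PBU Lab2": "192.168.10.9"}


def choose_location(client_ip, live_sites):
    """Site the rule selects for a client, or None.

    Generalises the two-site rule: prefer the client's home site; if it is
    down, take the first other live site. None means either the client is on
    a network the rule does not cover (the service's default geographic load
    balancing then decides) or no site is live at all. The original script
    hands out the other site even when it is down too; returning None there
    makes that failure visible instead of answering with a dead VIP.
    """
    ip = ipaddress.ip_address(client_ip)
    home = next((site for net, site in HOME_SITE.items() if ip in net), None)
    if home is None:
        return None
    if home in live_sites:
        return home
    return next((s for s in SITE_VIP if s != home and s in live_sites), None)


def expected_answer(client_ip, live_sites):
    """VIP the client should receive from the GSLB DNS virtual server."""
    site = choose_location(client_ip, live_sites)
    return SITE_VIP.get(site) if site else None


class ClientResolver:
    """Client-side cache that honours the TTL: a failover only becomes
    visible once the cached answer expires, which is why the test cases
    wait 60 seconds before the second VIP appears."""

    def __init__(self, ttl=60):
        self.ttl = ttl
        self.cache = {}  # client_ip -> (answer, expires_at)

    def resolve(self, client_ip, now, live_sites):
        cached = self.cache.get(client_ip)
        if cached and now < cached[1]:
            return cached[0]
        answer = expected_answer(client_ip, live_sites)
        if answer is not None:
            self.cache[client_ip] = (answer, now + self.ttl)
        return answer


if __name__ == "__main__":
    resolver = ClientResolver(ttl=60)
    both = {"PBU Lab1", "PBU Lab2"}
    print("t=0   US client:", resolver.resolve("10.1.5.5", 0, both))
    print("t=30  Lab1 down:", resolver.resolve("10.1.5.5", 30, {"PBU Lab2"}))
    print("t=61  Lab1 down:", resolver.resolve("10.1.5.5", 61, {"PBU Lab2"}))
```

Two behaviours differ from the raw script and are worth knowing when reading a capture: a client outside both networks gets no answer from the rule (the geographic method decides), and when no site is live the model returns None rather than a VIP that cannot answer.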
Conclusion:
The proposed disaster recovery solution achieves its goal of overcoming the downtime with the help of DNS-based GSLB. The load balancer takes a decision depending on the client network and also checks whether the backend datacenter is up or down. If one of the sites is down, it automatically sends the request to the other site.
WAN clustering is not supported in Connect Secure. Hence the configuration must be propagated from one location to the other on a timely basis to ensure that it stays in sync at both locations.
User sessions are not synced from one location to another. In case of failure, users need to connect again.
Pulse Policy Secure
a) How to configure Pulse Policy Secure to communicate with Trapeze Wireless Controllers:
This section describes deploying standalone Pulse Policy Secure (PPS) to communicate with
Trapeze Wireless Controllers.
What is the configuration required on Pulse Policy Secure?
In the Policy Secure framework, the sign-in page, realm, and AAA server configurations are
associated. They determine user and user role. A user submits credentials through a sign-in page
that specifies a realm, which is associated with an AAA server. If the access request meets the
realm’s authentication policy, the system forwards the user’s credentials to the associated
authentication server. The authentication server’s job is to verify the user’s identity. After
verifying the user, the authentication server sends approval. If the realm also uses the server as
a directory/attribute server, the AAA server sends the user’s group information or other user
attribute information. The access management framework then evaluates the realm’s role-
mapping rules to determine the user roles that apply to the session.
PPS acts as a RADIUS server that centralizes authentication and accounting for the users. The WLCs are added as RADIUS clients.
The screenshot below shows the WLCs that are added as RADIUS clients in PPS.
Figure 11 Radius Client
To configure a RADIUS client, the administrator must log in to PPS, navigate to Network Access -> Radius Client, and create a new RADIUS client by providing the IP address of the WLC and the shared secret.
NOTE: The administrator should select the Trapeze Networks option for the Make/Model field.
Figure 12 Alpha-WLAs
The administrator must configure the RADIUS return attributes that PPS returns to the RADIUS clients (WLC) after authentication. This can be a VLAN ID or another filter type, for example firewall filters applied to access switches.
To configure the return attributes on PPS, the administrator must navigate to the Network Access -> Radius Return Attributes page in the PPS administrator user interface.
Figure 13 Radius Return Attribute
Figure 14 Endpoints - VLAN
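As an illustration of what a VLAN return attribute looks like on the wire between PPS and the WLC, here is an added Python example (not Pulse Secure or Trapeze code) that encodes and decodes the standard RFC 2868 tunnel attributes used for dynamic VLAN assignment (RFC 3580): Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID. It assumes the controller expects this attribute trio, which is the common convention; the attribute numbers and values are the IANA-registered ones, and the sample VLAN id is constructed. The decoder rejects malformed lengths and inconsistent attribute sets, which is what a controller should also do before trusting the VLAN it is told to use.

```python
"""Encode/decode the RFC 2868 tunnel attributes that carry a VLAN assignment
in a RADIUS Access-Accept (profile per RFC 3580). Added example only."""

TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value "IEEE-802"
MAX_TAG = 0x1F                   # valid tag octets are 0x00..0x1F
REQUIRED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def encode_vlan_attributes(vlan_id, tag=1):
    """Return the three tagged attributes as a RADIUS attribute block."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")
    out = b""
    # Tagged integers: one tag octet followed by a 3-octet big-endian value.
    for attr, value in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                        (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)):
        payload = bytes([tag]) + value.to_bytes(3, "big")
        out += bytes([attr, 2 + len(payload)]) + payload
    # Tagged string: tag octet followed by the VLAN id as ASCII digits.
    payload = bytes([tag]) + str(vlan_id).encode("ascii")
    out += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(payload)]) + payload
    return out


def parse_attributes(data):
    """Split a RADIUS attribute block into (type, value) pairs, refusing
    malformed lengths instead of reading past the end of the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_attributes(data):
    """VLAN id the block assigns, or None when the trio is absent,
    inconsistent (mixed tags, non-VLAN type or medium) or non-numeric."""
    seen = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            seen[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-ID")
            # A first octet above 0x1F is not a tag but part of the string.
            if value[0] <= MAX_TAG:
                seen[attr_type] = (value[0], value[1:])
            else:
                seen[attr_type] = (0, value)
    if set(seen) != REQUIRED:
        return None
    if len({tag for tag, _ in seen.values()}) != 1:
        return None
    if (seen[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN
            or seen[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802):
        return None
    group = seen[TUNNEL_PRIVATE_GROUP_ID][1]
    if not group.isdigit():
        return None  # a VLAN name rather than a number; the WLC maps it
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None


if __name__ == "__main__":
    wire = encode_vlan_attributes(100)          # constructed sample VLAN
    print(wire.hex(), "->", vlan_from_attributes(wire))
```

In a packet capture of the Access-Accept the three attributes appear exactly as the encoder lays them out, which makes it easy to confirm that the return attribute configured on PPS is what the WLC actually receives.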
How to configure the Trapeze Wireless Controller:
You can configure Trapeze WLC by any of the following methods:
1. RingMaster client GUI
2. WLC Command Line Interface
RingMaster software presents a graphical user interface (GUI) consisting of a series of screens, windows, and dialog boxes. Before RingMaster Client can be used for any configuration, RingMaster services must be started on the host; how this is done depends on the platform where it is installed.
For Windows systems, RingMaster services are started automatically after the software installation completes and whenever the host system is restarted.
For Linux systems, the administrator can start and stop the RingMaster services manually from the command line using the shell script installed with the RingMaster service.
For Macintosh OS systems, RingMaster services must be launched manually.
RingMaster can also be installed on hardware appliances.
Once the RingMaster services are running on the host server, the RingMaster client can be used to perform WLAN planning and configuration.
a. To start the RingMaster client:
For Windows systems, use the related desktop icon created by the installer, or select
Start -> Programs -> Juniper Networks -> RingMaster -> RingMaster
For Linux systems, change directories to: RingMaster_installation_directory/bin and
enter ./ringmaster
For Macintosh systems, select Finder -> Applications -> RingMaster, or click the
RingMaster icon in the dock. The RingMaster Services Connection dialog displays.
b. Enter the IP address or fully-qualified hostname of the server on which RingMaster services are installed. If RingMaster services are installed on the same machine as the one running RingMaster Client, enter 127.1.0.1 as the IP address; this is a standard IP loopback address.
c. Specify a service port, if different from the port number in the Service Port list box.
d. Click Next to connect to the server.
e. If the Certificate Check dialog is displayed, click Accept.
How to configure Wireless SSID via RingMaster client GUI interface:
When you click a task in the Tasks panel on the right side of the screen, RingMaster opens a dialog box or a configuration wizard (a series of dialog boxes).
Figure 15 Tasks Panel
For example, after selecting the Configuration button on the main window toolbar, click Create
WLAN Controller to open a dialog box that allows configuring basic WLAN Controller
parameters.
The following example shows the series of dialogs in the 802.1x Service Profile wizard.
Figure 16 802.1x Service Profile Wizard
Appropriate values must be provided in the series of dialog boxes to produce a wireless service profile as shown in the figure below.
Figure 17 Wireless Services - Configuration
To open a dialog box containing the configurable settings for an object, select an object in the
table, and then click Properties. An example shown below displays the Wireless Service Profiles:
Figure 18 Wireless Service Profiles
The following figure shows the properties of a wireless profile when one of them is selected.
Figure 19 Service Profile Properties
How to configure the RADIUS server in WLC via the RingMaster client (GUI):
To configure RADIUS servers:
1. Select Services -> Setup from the RingMaster menu bar. RingMaster Services is displayed.
2. Select the Access Control tab.
3. Select Radius Servers.
Figure 20 Radius Servers
4. Select Enable RADIUS Authentication or unselect to disable it.
5. Select a Default User Group.
6. Provide information for Primary RADIUS Server and Secondary RADIUS Server as required.
How to configure Wireless SSID via CLI
a) Service profile creation: To create a service profile and assign it to an SSID, use the command:
set service-profile <profile-name> ssid-name <ssid-name>
An SSID can be up to 32 alphanumeric characters long.
b) Disabling or re-enabling encryption for an SSID: To specify whether the wireless SSID is encrypted or unencrypted, use the command:
set service-profile <profile-name> ssid-type [clear | crypto]
The default value is crypto.
c) Disabling or re-enabling beaconing of an SSID: To disable or re-enable beaconing of an SSID, use the command:
set service-profile <profile-name> beacon {enable | disable}
By default, SSIDs are beaconed. When beaconing for an SSID is disabled, the radio still sends beacon frames, but the SSID name in the frames is blank.
d) Changing the fallthru authentication type: By default, access is denied to users who do not match an 802.1x or MAC authentication rule; such users fall through these authentication types. To change the fallthrough method, use the command:
set service-profile <profile-name> auth-fallthru {last-resort | none | web-portal}
If web-portal is selected, the web-portal-form and web-portal-acl must also be configured.
e) Changing the short retry threshold: The short retry threshold specifies the number of times a radio can send a short unicast frame for an SSID without receiving an acknowledgment for the frame. A short unicast frame is a frame that is shorter than the RTS threshold. To change the short retry threshold, use the command:
set service-profile <profile-name> short-retry <threshold>
The threshold can be a value from 1 through 15. The default is 5.
f) Configuring 802.1x on the Wireless SSID:
set authentication dot1x ssid <ssid-profile-name> pass-through <PPS-radius-group>
set accounting dot1x ssid <ssid-profile-name> start-stop <PPS-radius-group>
How to configure the RADIUS server in WLC via CLI:
1. Configure the PPS server as a RADIUS server on the WLC:
set radius server <PPS_name> address <PPS_IP_address> auth-port <auth_port> deadtime 0 key <secret_key>
The default port for RADIUS authentication is 1812.
2. Configure a server group and add the configured PPS server as a member:
set server group <PPS_group_name> members <PPS_name>
3. Configure the RADIUS server retransmission timeout and dead interval:
set radius server PPS-Radius address <PPS-IP> timeout 5 retransmit 3 deadtime 5 encrypted-key <KEY>
The WLC can be configured to distribute authentication requests across multiple RADIUS servers in a server group. This reduces the load on a single PPS server and increases the resiliency of the system. When load balancing is configured, the RADIUS requests of the first client are directed to the first PPS server in the group, the RADIUS requests of the second client to the second PPS server in the group, and so on.
b) How to deploy and configure multiple standalone Pulse Policy Secure devices behind F5 Load balancer in NAC environment:
What are the current limitations that this deployment solves?
When the Pulse Secure client initiates 802.1x authentication via a switch, the switch sends RADIUS access requests to the load balancer VIP listening on the RADIUS port (1812/1645). The RADIUS request, having originated from the switch IP, is load balanced to one standalone PPS, which returns the VIP address to the Pulse Secure client (supplicant). The Pulse Secure client then makes a control channel connection to the load balancer VIP listening on port 443, using the client machine's IP address as the source. This SSL request may be load balanced to the other standalone PPS, where the SSL connection fails because no user session exists on that second PPS.
If the Pulse Secure client cannot establish the control channel connection with PPS, Layer 3 enforcement functions (for example, access to resources behind a firewall joined as a PPS Enforcer) will not work.
How to address the current limitation on standalone PPS?
Instead of trying to load balance both the L2 and L3 sessions, only the Layer 2 connection request is load balanced. Each standalone node returns a unique VIP, which is then used for the Layer 3 control channel establishment.
Network Topology:
The network topology below illustrates the solution: a Windows 7 (64-bit) laptop or desktop is connected to a dot1x-enabled port on an EX switch. The F5 load balancer is configured in 2-arm mode, where one interface connects to the EX switch and the other connects to the internal interface of the PPS devices. Both PPS devices run on the MAG SM-360 hardware platform.
Figure 21 Network Topology
What is the standard PPS configuration required to deploy this solution?
a) Configure two roles in the PPS devices: one for full-access provision and one for remediation.
b) Configure two role mapping rules under one realm. Each role mapping rule is mapped to a unique AD group that contains 100 users. These 100 users are mapped to two roles, one with full access and the other one either wired or wireless.
c) Configure Host Checker: “Windows Firewall and Any Permitted AntiVirus” are configured for granting Full-Access.
d) Evaluate Host Checker at the realm level and enforce at the role level. If the user fails to comply with the HC policy, the user is mapped to the Remediation role and the Full-Access role is removed.
e) For PPS to support two-armed load balancing mode, configure a unique VIP address under the load balancer setting in the System -> Network -> Load Balancer section of the IC Admin UI. Ensure you enable the checkbox Between endpoints and Junos Pulse Secure.
Figure 22 Load Balancer
F5 Load Balancer Configuration:
To support standalone PPS devices behind an F5 load balancer, the load balancer must be configured appropriately. The steps below are for the BIG-IP F5 3400 model (9.3.1 Build 37.1):
a. Configure a single VIP to process all SSL requests (port 443) to the two PPS nodes. This is required when a user accesses the load balancer hostname in a browser to download the Pulse Secure client.
b. Configure another VIP to process all RADIUS requests (authentication on port 1812 and accounting on port 1813) to the two standalone PPS nodes. This is required for the RADIUS client (switch) to send RADIUS requests to the load balancer VIP.
c. With the L2 connection load balanced, each controller returns a unique VIP that is then used for the L3 connection. So configure two unique VIPs, each pointing to one PPS's internal interface.
d. For TCP connections, configure persistence based on the source IP address of the requests. This ensures that the NCP connection from the user's machine is sent to the same controller as long as the machine keeps its IP address.
Hence four VIPs are configured in the F5 load balancer: the first two VIPs map to both nodes, and the next two VIPs each map to a single standalone node.
The following is the sample BIG-IP configuration (the <...> values are placeholders for the deployment's own addresses):
route default inet {
   gateway <NEXT-HOP>
}
Pool for SSL, one per PPS node:
pool Pool1-ssl {
   member <IP1-INT>:https
}
pool Pool2-ssl {
   member <IP2-INT>:https
}
Pool for RADIUS authentication requests covering both PPS nodes:
pool Pool-Radius-Auth {
   member <IP1-INT>:radius
   member <IP2-INT>:radius
}
Pool for RADIUS accounting requests covering both PPS nodes:
pool Pool-Radius-Acct {
   member <IP1-INT>:radius-acct
   member <IP2-INT>:radius-acct
}
Pool for SSL covering both PPS nodes:
pool Pool-ssl-all {
   member <IP1-INT>:https
   member <IP2-INT>:https
}
VIPs for SSL requests, one per PPS node (source-address persistence keeps a client's L3 control channel on the node that authenticated it):
virtual VIP-PPS1-port443 {
   destination <IP1-EXT>:https
   ip protocol tcp
   persist source_addr
   pool Pool1-ssl
}
virtual VIP-PPS2-port443 {
   destination <IP2-EXT>:https
   ip protocol tcp
   persist source_addr
   pool Pool2-ssl
}
VIP for SSL requests to all PPS nodes (used for the client download):
virtual VIP-ssl-all {
   destination <IP-EXT>:https
   ip protocol tcp
   persist source_addr
   pool Pool-ssl-all
}
VIP for RADIUS authentication requests to all PPS nodes:
virtual VIP-Radius-Auth {
   destination <IP-EXT>:radius
   ip protocol udp
   pool Pool-Radius-Auth
}
VIP for RADIUS accounting requests to all PPS nodes:
virtual VIP-Radius-Acct {
   destination <IP-EXT>:radius-acct
   ip protocol udp
   pool Pool-Radius-Acct
}
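The design above only works if the configuration is internally consistent: every virtual must point at a pool that is really declared (BIG-IP object names are case-sensitive, so a reference that differs only in capitalization is a different, non-existent object), the https virtuals must be TCP with source-address persistence so a client's L3 control channel stays on the PPS that authenticated it, and the RADIUS virtuals must be UDP. The following Python is an added example, not F5 or Pulse Secure tooling: a small lint pass over a constructed bigpipe-style sample that mirrors a subset of the configuration above, with <...> placeholders kept as-is.

```python
"""Lint a bigpipe-style BIG-IP configuration for the properties the
standalone-PPS design depends on. Added example; not F5 or Pulse code."""
import re

# Constructed sample mirroring part of the page's configuration; <...> are
# placeholders for the deployment's own addresses.
SAMPLE_CONFIG = """\
pool Pool1-ssl {
    member <IP1-INT>:https
}
pool Pool-Radius-Auth {
    member <IP1-INT>:radius
    member <IP2-INT>:radius
}
pool Pool-ssl-all {
    member <IP1-INT>:https
    member <IP2-INT>:https
}
virtual VIP-PPS1-port443 {
    destination <IP1-EXT>:https
    ip protocol tcp
    persist source_addr
    pool Pool1-ssl
}
virtual VIP-ssl-all {
    destination <IP-EXT>:https
    ip protocol tcp
    persist source_addr
    pool Pool-ssl-all
}
virtual VIP-Radius-Auth {
    destination <IP-EXT>:radius
    ip protocol udp
    pool Pool-Radius-Auth
}
"""

# A block starts with "pool NAME {" or "virtual NAME {" at column 0 and ends
# at the first "}" at column 0.
BLOCK_RE = re.compile(r"^(pool|virtual)\s+(\S+)\s*\{(.*?)^\}", re.M | re.S)


def parse_config(text):
    """Return ({pool: [members]}, {virtual: {destination, protocol, persist, pool}})."""
    pools, virtuals = {}, {}
    for kind, name, body in BLOCK_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        if kind == "pool":
            pools[name] = [ln.split(None, 1)[1] for ln in lines if ln.startswith("member ")]
            continue
        v = {"destination": None, "protocol": None, "persist": None, "pool": None}
        for ln in lines:
            if ln.startswith("destination "):
                v["destination"] = ln.split(None, 1)[1]
            elif ln.startswith("ip protocol "):
                v["protocol"] = ln.split()[2]
            elif ln.startswith("persist "):
                v["persist"] = ln.split(None, 1)[1]
            elif ln.startswith("pool "):
                v["pool"] = ln.split(None, 1)[1]
        virtuals[name] = v
    return pools, virtuals


def service_of(address):
    """'<IP>:https' -> 'https'; None when no service part is present."""
    return address.rsplit(":", 1)[1] if address and ":" in address else None


def lint(text):
    """Return a list of findings; an empty list means the checks pass."""
    pools, virtuals = parse_config(text)
    findings = []
    for name, v in virtuals.items():
        if v["pool"] not in pools:
            findings.append(f"{name}: references unknown pool {v['pool']!r} "
                            "(pool names are case-sensitive)")
        service = service_of(v["destination"])
        if service == "https":
            if v["protocol"] != "tcp":
                findings.append(f"{name}: https virtual must use ip protocol tcp")
            if v["persist"] != "source_addr":
                findings.append(f"{name}: https virtual without persist source_addr; "
                                "the L3 control channel could land on the other PPS")
        elif service in ("radius", "radius-acct"):
            if v["protocol"] != "udp":
                findings.append(f"{name}: RADIUS virtual must use ip protocol udp")
        # Pool members must serve the same service the virtual listens on.
        for member in pools.get(v["pool"], []):
            if service_of(member) != service:
                findings.append(f"{name}: member {member} does not serve {service}")
    used = {v["pool"] for v in virtuals.values()}
    findings.extend(f"{p}: pool declared but not referenced by any virtual"
                    for p in pools if p not in used)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the exported bigip.conf before cutting over; a dangling pool reference or a missing persistence line is exactly the kind of defect that passes a syntax check yet breaks the L3 control channel intermittently in production.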
Switch Configuration
Given below is the dot1x-related configuration for the two ports used when the EX-4200 switch is the RADIUS client in the solution. These two ports are connected to two Windows 7 clients.
NOTE: Re-authentication is disabled.
Since all the PPS nodes are standalone, session information is not shared across nodes; when Pulse re-authenticates after the configured interval, the user session will not resume seamlessly. Hence it is recommended to disable re-authentication.
set interfaces <INTERFACE-ID> unit 0 family ethernet-switching port-mode access
set interfaces <INTERFACE-ID> unit 0 family ethernet-switching vlan members sol-guest-vlan
set protocols dot1x authenticator interface <INTERFACE-ID> supplicant single
set protocols dot1x authenticator interface <INTERFACE-ID> quiet-period 15
set protocols dot1x authenticator interface <INTERFACE-ID> no-reauthentication
set protocols dot1x authenticator interface <INTERFACE-ID> supplicant-timeout 60
set protocols dot1x authenticator interface <INTERFACE-ID> guest-vlan sol-guest-vlan
Conclusion:
This deployment imposes no limit of its own on the number of sessions a single PPS can handle; the limit is derived from the platform's maximum capacity.
The Pulse Secure client might take 5-20 seconds to completely establish the Layer 2 and Layer 3 connections.