Page 1: Pulse Policy Secure Virtual Machine Initial Setup and ... · Pulse Policy Secure – Virtual Machine Setup and Configuration Guide 3 Import .ovf file: Click ‘Continue’ and then

Pulse Policy Secure

Virtual Machine

Initial Setup and Configuration Guide

Contents

Introduction
Setup and Configuration
    Prerequisites
    Overview
    Section 1: Installation of the VM
    Section 2: CLI Configuration (Initial Configuration Wizard)
    Section 3: Profiler Configuration
    Section 4: PPS Configuration
    Section 5: End-User Login
    Section 6: Logs and Policy Trace
    Section 7: Deployment Guides

Introduction

Pulse Policy Secure is a Network Access Control (NAC) solution built for the next generation of networks. Pulse Policy Secure delivers an easy-to-use BYOD ready granular access control solution that is context aware, identity enabled, location and device based for the most complex datacenter and cloud environments. Pulse Policy Secure enables safe, protected network and cloud access for a diverse user audience over a wide range of devices.

This document will guide the user through the setup of Pulse Policy Secure (PPS) Virtual Machine (VM) from initial install to first end-user login to the PPS.

Pulse Policy Secure – Virtual Machine Setup and Configuration Guide 1


Setup and Configuration

Prerequisites

• A supported hypervisor such as VMware (Server, Fusion, or Workstation), KVM or Hyper-V

• Pulse Secure Virtual Appliance install package (.ovf) or physical hardware

• Pulse Secure PPS software package (.pkg)

• Pulse Secure Profiler Fingerprint Database package (ps-pps-profiler-fpdb-*.pkg)

• Connectivity to a DNS server

The configuration steps assume the PPS will be run as a virtual machine. If using a physical box, proceed to Section 2 (CLI Configuration).

Overview

1) Installation of the VM

2) CLI Configuration

a. Network Setup

b. Admin Account Setup

c. Self-Signed Certificate Creation

3) Profiler Configuration

a. Discover devices using DHCP

b. Discover devices using SNMP

4) PPS Configuration

a. Configuration Verification

b. PPS Package Update

c. System Local End-User Account Creation

d. Realm and Role Configuration

5) End-user Login

a. Clientless Login

b. Pulse Desktop Login

6) Log View and Policy Trace

Section 1: Installation of the VM

Have the installation package ready, which includes an .ovf file. The installation package can be downloaded from the Trial website, and may need to be unzipped. The process shown below is for VMware Fusion on a Mac. Importing onto an ESXi server is slightly different with regard to selecting the image; however, the rest of the process is the same.


Import .ovf file: Click ‘Continue’ and then select the location of where the virtual machine will be saved.

After the import is finished, the virtual appliance will reboot.

Section 2: CLI Configuration (Initial Configuration Wizard)

Once the appliance has booted up for the first time, it will enter into the initial configuration wizard. The following information will need to be entered:

Cluster options or stand-alone server prompt.

License agreement prompt.

Internal port IP address, network mask, and gateway.

Primary DNS server.

Optional: Secondary DNS server.

DNS domain(s).

Optional: WINS server.

Admin credential creation prompts.

Self-signed certificate creation prompt.


Cluster options or stand-alone server prompt. Click ‘y’ to configure this appliance as a stand-alone.


License agreement prompt. You can click ‘r’ to read the license agreement or ‘y’ to agree to the licensing.

Internal port IP address, network mask, and gateway.


Primary DNS server.

Optional secondary DNS server, mandatory DNS domain(s) and optional WINS server.


Once networking information is complete – you can confirm.

Admin credential creation prompts.


Self-signed certificate creation prompt.

Once the certificate has been created, PPS initial setup will be complete. The device will reboot and you will be able to access it using the web-based Admin Console via https://<ip address or FQDN>/admin.

Section 3: Pulse Profiler Configuration for Device Visibility

Pulse Policy Secure has built-in device profiling that can automatically detect and classify all devices on the network using DHCP-fingerprinting, SNMP discovery, and HTTP-UA fingerprinting. Once you are logged in to the web-based Admin Console, you now need to configure the built-in Profiler using the following 5 steps:

1. Navigate to Authentication > Auth Servers page.

2. Select Local Profiler from the server type drop-down and click New Server.

3. Enter a name for the Auth. server.

4. Click Browse and upload the device fingerprints package.

5. Click Save Changes to save the configuration settings. Please note this operation may take a few minutes to complete.

Discover devices using DHCP

Devices on the network that have DHCP-based IP addresses are automatically profiled by Pulse Profiler as they connect to the network. However, to enable this type of profiling, you need to ensure that all the DHCP requests are forwarded to the internal port of Pulse Policy Secure – this configuration needs to be done on one or more switches in your network. Use the commands in the table below to configure the switch(es).

Configure DHCP relay on switches to forward DHCP packets to Pulse Policy Secure.

Switch Vendor / Commands

Cisco

    interface <VLAN_NAME>
    ip helper-address <DHCP_SERVER_IP>
    ip helper-address <PPS_IP>

Juniper

    set forwarding-options helpers bootp interface <VLAN_NAME>
    set forwarding-options helpers bootp server <DHCP_SERVER_IP>
    set forwarding-options helpers bootp server <PPS_IP>

HP

    vlan <VLAN_NAME>
    ip helper-address <DHCP_SERVER_IP>
    ip helper-address <PPS_IP>

Navigate to System > Reports > Devices Discovery for initial views of devices on the network. The discovery process typically takes a few minutes to a few hours depending on the network complexity.
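What a relayed DHCP request gives a fingerprinting profiler to work with, as an added example that is not part of the original guide and not Pulse Secure's implementation: it parses a DHCPDISCOVER as forwarded by a helper address and extracts the relay address (giaddr), client MAC, and options 55, 60 and 12. The sample packet, its addresses and the function names are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: marks the start of the DHCP options

def opt(code, data):
    return bytes([code, len(data)]) + data  # one DHCP option: code, length, value

def build_sample_discover():
    """Constructed sample: a DHCPDISCOVER after a relay (ip helper-address) forwarded it."""
    zero = socket.inet_aton("0.0.0.0")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                      # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1
        0x3903F326, 0, 0x8000,           # xid, secs, flags (broadcast bit set)
        zero, zero, zero,                # ciaddr, yiaddr, siaddr
        socket.inet_aton("10.20.30.1"),  # giaddr: relay address on the client VLAN
        bytes.fromhex("001122334455"),   # chaddr, zero-padded to 16 bytes by struct
        b"", b"",                        # sname, file (unused, zero-filled)
    )
    options = (
        opt(53, b"\x01")                          # message type: DISCOVER
        + opt(12, b"lab-pc-01")                   # host name
        + opt(60, b"MSFT 5.0")                    # vendor class identifier
        + opt(55, bytes([1, 3, 6, 15, 31, 33]))   # parameter request list
        + b"\xff"                                 # end option
    )
    return header + MAGIC_COOKIE + options

def parse_dhcp(packet):
    """Parse the fixed BOOTP header and the options; raise ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: too short or magic cookie missing")
    hlen = min(packet[2], 16)                     # clamp to the size of the chaddr field
    info = {"relay": socket.inet_ntoa(packet[24:28]),
            "mac": packet[28:28 + hlen].hex(":"),
            "options": {}}
    i = 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                        # 0 = pad option, has no length byte
            i += 1
            continue
        code, rest = packet[i], packet[i + 1:]    # rest = length byte, value, later options
        if not rest or len(rest) < 1 + rest[0]:
            raise ValueError(f"option {code} truncated")
        info["options"][code] = rest[1:1 + rest[0]]
        i += 2 + rest[0]
    return info

def fingerprint(info):
    """Collect the attributes DHCP fingerprinting typically keys on."""
    opts = info["options"]
    return {
        "mac": info["mac"],
        "relay": info["relay"],                   # 0.0.0.0 would mean the packet was not relayed
        "param_request_list": ",".join(str(b) for b in opts.get(55, b"")),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
    }

if __name__ == "__main__":
    print(fingerprint(parse_dhcp(build_sample_discover())))
```

The order of codes in option 55 together with the option 60 string is what distinguishes one client stack from another, which is why the request itself has to reach the profiler rather than only the DHCP server.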

Discover devices using SNMP

To discover and profile devices with static IP addresses, you need to add SNMP-enabled switches in the SNMP management page of the web based Admin Console.

1. Select Authentication > Auth Servers > [Local Profiler]. Set the SNMP Poll interval to 5 mins. Click on Save Changes.

2. Click on the SNMP Device link in the help text for SNMP Poll Interval. Enter information about the switch. Do not select the SNMP Enforcement check box since we will use the switch for profiling only.

3. Save the changes. The SNMP Device Configuration table should get updated with the new switch information. Status should be GREEN.

4. Wait 15 minutes for the new polling interval to take effect, or restart services using Maintenance > System > Platform > Restart Services button so the new configuration is active immediately after restart.

Navigate to System > Reports > Devices Discovery to view another set of devices with static IP addresses on the network. Pulse Profiler will periodically poll the switches to ensure that new devices get profiled as they connect to the network.

Section 4: PPS Configuration

Once the CLI configuration has been completed, the administrator will have access to the PPS web-based Admin Console. This section will cover the required and optional steps in the PPS configuration process. The first step is an (optional) package upgrade.

To log in to PPS, open a web browser and go to https://<ip address or FQDN>/admin and input the administrator credentials defined in the CLI Configuration process. Since we are using a self-signed certificate, you will see a prompt from the browser asking if you trust this certificate. You can trust it and continue.


Package Upgrade (optional). Note that once you upgrade, there is a rollback option should the administrator wish to move back to the previous version of PPS.

Navigate to Maintenance > System > Upgrade/Downgrade. Under “Install Service Package” click “Browse” and select the new .pkg to be installed. Then click “Install”. The installer will open a loading window; wait for the progress bar to complete and click close. Note: do not navigate away from the upgrade page. It will take a few minutes for the install process to begin.


During the process, you will see updates on the screen.

Once the process is completed, PPS will require a reboot. The system reboot will take a few minutes. Once the process completes, PPS will again be available via the web browser. You can check on the status from the console window of Fusion or ESXi.


Navigate to Maintenance > System to verify the new package is running. This is also the location for the rollback option.

System Local End-User Account Creation (required) is where the administrator can create end-user login accounts for the PPS. This can also be done by linking an external authentication server.


Navigate to Authentication > Auth. Servers and click on “System Local”. You will be taken to the Settings tab.


Click on the “Users” tab. Click “New…” and enter a Username, Password, and Confirm Password. Click “Save Changes”.


You will be returned to the screen showing your new user bob.

Realm and Role Configuration (optional) is where the admin can define Realms and Roles for the end-users. By default, all users are placed in the Users Realm which will map all users to the Users Role. There is no need to create new realms or roles at this point.

Note: role-mapping rules can be defined to place users in Roles based on many different attributes, such as username, certificate or a batch of custom expressions. The Roles will define the level of access to different features and resources available on the network.


First, navigate to User Roles > User Roles to view the current User Roles.


Next, navigate to User Realms > User Realms. By default the User Realm is created. Note that this realm is using “System Local” for authentication.

Role-mapping is also configured to allow all users in “System Local” to map to the role “Users”.


By clicking on the role “Users” above, or navigating to Users > User Roles > Roles, you can see that basic connectivity is configured. However, we need to enable Agentless (or clientless, browser-based) access.


Click on “Users” and then go to the “Agent” tab. By default, “Install Agent for this role” and “Install Pulse Secure client” are enabled. This means when you attempt the Browser-based connection as seen in Section 4, the Pulse Secure client will be downloaded to your desktop.


We will need to click on the “Agentless” tab and click “Enabled Agentless Access for this role” and click “Save Changes”.

Section 5: End-User Login

Browser-based Connection

We will show how an end-user can log in both via clientless (web browser) and via Pulse on a desktop device. Mobile devices will use the built-in native supplicant.

The end-users will log in to the PPS at https://<ip address or FQDN>/ using the credentials defined in the System Local End-User Account Creation process.


Since we have enabled “Agent” access in Section 3, you will first be prompted to install the Pulse Secure client. This will only be seen the first time. Once the Pulse Secure client is installed, this step will not be done.

After the installation, this is the landing page for the PPS the end users will see upon login. The user session will remain up as long as the user is on this page.

Client-based Connection (Desktop)

The end-users may also log in to the PPS via the desktop Pulse client. If enabled, the Pulse desktop client will be downloaded and installed. The connection to PPS will also be automatically configured. In our example, the connection is called “Test PPS”. Click “Connect” and enter credentials (bob | test123) which were created earlier.

Client-based Connection (Mobile)

Pulse Secure does not provide a mobile client for Policy Secure connections. These connections can be made using the portal, or using the native supplicant on the iOS/Android device for RADIUS-based or 802.1X deployments.


Section 6: Logs and Policy Trace

This section can assist the administrator in resolving issues with the PPS and end-user login or access issues. The log files can be found in System > Logs/Monitoring. From here the administrator has access to many forms of logging data, including event logs and user logs.

The policy tracing can be found in Maintenance > Troubleshooting > User Sessions > Policy Trace. Here the administrator can trace user events to easily locate and resolve issues. Below is an example of an end-user sign-in with policy tracing turned on.


Here is a sample of the output from the Policy Trace.


Section 7: Deployment Guides

Once there is basic connectivity, the next step is to start looking at what functionality of PPS to use. PPS can be used as a standalone RADIUS server. PPS can also be used for SNMP enforcement, along with 802.1X and Layer 3 enforcement with a Juniper Networks SRX or Palo Alto Networks firewall.

For more information, please go to https://www.pulsesecure.net/policy-secure/

