
© 2014 by Pulse Secure, LLC. All rights reserved

Pulse Secure Desktop Client 5.1r1

Release Notes 5.1.1 Build 51831

Product Release 5.1

Document Revision 1.0

Published: 2014-12-15


Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 http://www.pulsesecure.net

© 2014 by Pulse Secure, LLC. All rights reserved

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

Introduction
Interoperability and Supported Platforms
Pulse Secure Rebranding
New Features
    Enhanced Location Awareness
    Captive Portal Detection
    Smart Connections
    “Disable client-side proxy settings” Option
    Pulse Secure for Windows Phone 8.1
General Pulse 5.1 Caveats
    User-Agent String change
    MD5 hashes deprecated for TLS 1.2 Certs
    Connecting to Servers with Old Versions of Pulse
    Access Control Lists
    Upgrading OSX with Pulse Already Installed
    End of Support of Certain Features
    Captive Portal
    HostChecker Wild-Carding
    802.1X Auth Incompatibility with Kaspersky AV
    Deprecated Features
    Policies for Deprecated Features
    Removal of Application Acceleration (WX)
Fixed Issues
Open Issues
Documentation
Technical Support
Revision History

Pulse Secure Desktop Client – Release Notes 5.1


Introduction

These release notes contain information about new features in the Pulse Secure desktop client, software issues that have been resolved, and new issues that affect Pulse behavior. If the information in the release notes differs from the information found in the documentation set, follow the release notes.

NOTE: For Pulse Secure 5.1, the names of the Pulse Secure gateways (formerly collectively referred to as the IVE, or “Instant Virtual Extranet”) have changed. The SSL-VPN headend (formerly called the Secure Access or SA device) is now called Pulse Connect Secure. The access-control headend (formerly called the Unified Access Control or UAC device, and also sometimes called the Infranet Controller or IC) is now called Pulse Policy Secure.

Interoperability and Supported Platforms

Refer to the Pulse Secure Desktop Client 5.1 Supported Platforms Guide for supported versions of browsers and operating systems in this release.

Pulse Secure Rebranding

The Pulse Secure line of products (including the Pulse Secure desktop client) has been rebranded to reflect its new affiliation with Pulse Secure, LLC. Cosmetic entities like icons, fonts, product and company names, trademarks, copyright statements and UI colors have been changed. Product behavior was not changed as the result of this rebranding.

New Features

Enhanced Location Awareness

The enhanced-location-awareness feature enables you to define Pulse connections that are activated automatically based on the location of the endpoint. Pulse determines the location of the endpoint by evaluating rules that are based on the client’s IP address and active network interface. For example, you can define rules to enable Pulse to automatically establish a secure tunnel to the corporate network through Pulse Connect Secure when the user is at home, and to establish a Pulse Policy Secure connection when the user is in the office and connected to the corporate network over the LAN. The location awareness feature has been enhanced to ensure that Pulse does not re-establish a VPN tunnel when the endpoint re-enters the trusted/corporate network.


Captive Portal Detection

Public WiFi locations often deploy a captive portal that requires the user to enter authentication information or to accept terms of service before network access is granted. Pulse detects the presence of captive portals and does not initiate a connection to a Pulse Connect Secure or Policy Secure server until Internet access is granted. Pulse displays appropriate status information to enable the user to establish the portal and network connections. This feature requires no configuration.

Captive portal detection notes:

- Captive portal detection is supported on Pulse for Windows and Pulse for Mac. Captive portal detection is not supported on the Windows In-Box Pulse VPN client or the Pulse Secure mobile client.
- If Pulse connects through a proxy, the detection algorithm is disabled, and Pulse indicates a failed connection attempt to the user.
- SRX connections do not support captive portal detection.

Smart Connections

A connection entry displayed in the Pulse client UI can now be associated with multiple connection URLs (to Pulse Policy Secure and Pulse Connect Secure gateways). The Pulse client attempts to connect to each of the URLs until it succeeds. You can choose different modes to control the behavior of a Pulse connection that is starting from a disconnected state:

- start at the top of the list
- start with the most recently connected URL
- choose randomly

The random option helps distribute the connection load across different Pulse Secure gateways. If a Pulse connection that is already established gets disconnected (for example, if the wireless connection is interrupted), then Pulse always will try to connect to the most recently connected URL. If that connection fails, then Pulse uses the server list. The Pulse user can also choose a connection from the list, as shown in Figure 1.


Figure 1. List of URLs on the Pulse for Windows Client

“Disable client-side proxy settings” Option

For Pulse Secure 5.1 and Connect Secure 8.1, there is a new Proxy server setting option called “Disable client-side proxy settings.” When enabled, the Pulse client will disable any client-side proxy settings upon tunnel creation so that client requests will be directly served through the Pulse Secure gateway. When the tunnel is disconnected, the client proxy settings will be restored. See the Pulse Connect Secure 8.1 Admin Guide for details.

Pulse Secure for Windows Phone 8.1

After installing the Pulse Secure VPN app on a Windows Phone (Windows Phone 8.1 or later), the user can configure a connection and establish Layer 3 VPN (SSL) communications to Pulse Connect Secure. Pulse for Windows Phone can also be configured through mobile device management (MDM). Configuration on the Pulse server to support Pulse for Windows Phone is the same as for the Pulse for Windows client. You use sign-in policies, authentication realms, roles, and VPN tunnel policies to define authentication and access permissions.

NOTE: Users must have their server’s root certificate installed on the Windows Phone before attempting to connect to the Pulse server.

Supported Features:

- Pulse for Windows Phone supports VPN (SSL) connections to a Pulse Connect Secure gateway.
- Only one connection at a time can be active.
- The user can manually connect and disconnect.
- Username and password.
- Username and RSA token code. (User PIN and system PIN are supported.)
- Client certificate, smart card, and virtual smart card.


- Authentication server prompts for retry, change password, create PIN, change PIN, and specify next token code.
- Realm and role selection and preferred realm and role. (The user cannot choose to save a connection preference.)
- Sign-in notification messages.
- Secondary authentication.
- HTTPS proxy.
- IPv4 and IPv6.
- Host Checker. You create and enable the Windows Phone OS Check rule if you are using a Host Checker policy that is applied across endpoints running different operating systems.

Pulse for Windows Phone - Supported Tunneling Functions:

- Split tunneling is supported both enabled and disabled.
- Pulse for Windows Phone connections always have local subnet access enabled.
- Split tunneling policies: IPv4 inclusion and exclusion routes, and IPv6 inclusion routes.
- In split-tunneled mode, the DNS search order options do not apply. Pulse forwards only those DNS requests contained by the configured DNS suffixes to the specified DNS servers. You can specify the VPN option Search device DNS only to forward all DNS requests to configured DNS servers.

General Pulse 5.1 Caveats

User-Agent String change

In Pulse 5.1, there is a change in the format of the AgentString that the client passes to the server. Specifically, the string has been extended to include the client version. If you have a role that has an AgentString matching rule, then you may need to edit the rule as necessary to match the new format. The new string will have the form:

Junos-Pulse/8.1.0.46016 (Windows 8.1) Pulse/5.1.0.46016

where the value following "Junos-Pulse/" is the protocol (IVE) version and the value following "Pulse/" is the client software version.

Further note that this agent string format is used for the Pulse "In-Box" VPN Plugin and Pulse for Windows Phone 8.1. For example, the In-Box Plugin will have the form:

Junos-Pulse/8.1.0.47666 (Windows 8.1) JunosPulseVpn/1.0.0.206

Junos-Pulse/7.4.0.0 (Windows RT; x64) JunosPulseVpn/1.0.0.206

and Windows Phone will have the form:

Junos-Pulse/7.4.0.0 (Windows Phone; ARM) JunosPulseVpn/1.0.1.6


Bear in mind that there are certain parenthetical qualifiers that can be inserted in the user-agent string, for example, "ARM", "x64", and "FIPS". As such, it is recommended that you leverage the wildcarding feature whenever creating rules in the admin console to make sure that changes in the user-agent string (including the addition of new modifiers) do not cause rule failures.

MD5 hashes deprecated for TLS 1.2 Certs

Pulse 5.1’s TLS 1.2 implementation no longer supports the use of certificates signed with MD5 hashes. Please generate new certificates with a cryptographically-stronger hash function.

Note that Microsoft deprecated use of MD5 in certificate verification. Details are here.

Connecting to Servers with Old Versions of Pulse

Pulse 5.1 (and beyond) clients can no longer connect to servers containing Pulse 1.0 components. See: PR 991447.

Access Control Lists

The Pulse for Windows installer creates/uses the "C:\windows\winsxs\InstallTemp" directory. If an access-control list prevents the Pulse installer from creating/accessing a directory with this name, then the Pulse installation will fail. See PR 1005558.

Upgrading OSX with Pulse Already Installed

There are known issues when upgrading OSX (the OS itself) on a machine that already has Pulse installed. For example, if Pulse is installed on OSX 10.9, and then the machine is upgraded to OSX 10.10, then certain Pulse functions may break - including, but not necessarily limited to, logging. As such, it is highly recommended that users who upgrade from one major version of OSX to another uninstall and then reinstall Pulse. See PR 977477 and PRS-301018 (Upgrade OS/X to 10.9 removes installed /var/log/Juniper Networks/Logging/debuglog file).

End of Support of Certain Features

A number of features have been deprecated from Pulse 5.1. These features include WAN Acceleration (WX), Enhanced Endpoint Security (EES), Secure Virtual Workspace (SVW), Shavlik, iPass Integration and Windows CE (Pulse supports Windows Phone 8.1, though). See the hyperlinks below for details on the End of Support for these features. See the caveat below about policies relating to deprecated features.

Captive Portal

Pulse 5.1’s new Captive Portal feature is “best effort,” because not all captive portals can be reliably detected. Specifically, if port 80 on a captive-portal webserver does not respond quickly enough (within 1 second), then Pulse will fail to detect the captive portal. In these edge cases, Pulse will attempt to create a port 443 connection to the captive portal and will display a trusted-server certificate prompt.


HostChecker Wild-Carding

HostChecker rules containing custom checks with wildcard entries for NetBIOS names will fail for non-alphanumeric characters. Wildcards (“*”) will match only the characters A-Z, a-z, and 0-9. Any other characters (e.g., "-") must be explicitly mentioned in the NetBIOS name rule; alternatively, the "." character can be used.
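As an added example (not from these release notes and not Pulse Secure code), the following Python models the 5.1 AgentString layout from the User-Agent String change caveat and the NetBIOS wildcard behaviour described here, so that admin-console rules can be checked offline before an upgrade. The AgentString regex, the rule syntax, and the reading of "." as one arbitrary character are assumptions of the example; the agent strings are the ones quoted in the notes, and the NetBIOS names are constructed.

```python
import re

# Assumed regex for the Pulse 5.1 AgentString layout described in the notes:
#   Junos-Pulse/<protocol version> (<OS>[; qualifier...]) <client name>/<client version>
AGENT_RE = re.compile(
    r"^Junos-Pulse/(?P<proto>\d+(?:\.\d+)*) "
    r"\((?P<platform>[^)]*)\) "
    r"(?P<client>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)$"
)

# Sample strings quoted in the release notes.
SAMPLE_AGENT_STRINGS = [
    "Junos-Pulse/8.1.0.46016 (Windows 8.1) Pulse/5.1.0.46016",
    "Junos-Pulse/8.1.0.47666 (Windows 8.1) JunosPulseVpn/1.0.0.206",
    "Junos-Pulse/7.4.0.0 (Windows RT; x64) JunosPulseVpn/1.0.0.206",
    "Junos-Pulse/7.4.0.0 (Windows Phone; ARM) JunosPulseVpn/1.0.1.6",
]


def parse_agent_string(ua):
    """Split a 5.1-format AgentString into its parts, or return None if it does not fit."""
    m = AGENT_RE.match(ua)
    if not m:
        return None
    # Qualifiers after ';' (x64, ARM, FIPS, ...) are the modifiers the notes warn may be
    # added later; a rule that hard-codes the whole parenthesis breaks when one appears.
    parts = [p.strip() for p in m.group("platform").split(";")]
    return {
        "protocol_version": m.group("proto"),
        "os": parts[0],
        "qualifiers": parts[1:],
        "client": m.group("client"),
        "client_version": m.group("version"),
    }


def rule_to_regex(rule, netbios=False):
    """Translate a wildcard rule into an anchored regex.

    AgentString rules (netbios=False): '*' matches any run of characters (assumed).
    HostChecker NetBIOS rules (netbios=True): '*' matches only A-Z, a-z and 0-9, as the
    notes state, and '.' stands for one arbitrary character (assumed reading of the notes).
    """
    pieces = []
    for ch in rule:
        if ch == "*":
            pieces.append("[A-Za-z0-9]*" if netbios else ".*")
        elif ch == "." and netbios:
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$")


def rule_matches(rule, value, netbios=False):
    return rule_to_regex(rule, netbios).match(value) is not None


def audit_rules(rules, samples):
    """Return {rule: [samples the rule fails to match]} so brittle rules are found
    before the server/client upgrade changes the AgentString format."""
    return {r: [s for s in samples if not rule_matches(r, s)] for r in rules}


if __name__ == "__main__":
    # A rule that spells out the whole pre-5.1 string no longer matches once the client
    # version suffix is appended; a wildcarded rule survives new qualifiers as well.
    report = audit_rules(
        ["Junos-Pulse/8.1.0.46016 (Windows 8.1)", "Junos-Pulse/* (Windows*) *"],
        SAMPLE_AGENT_STRINGS,
    )
    for rule, misses in report.items():
        print(f"{rule!r}: {len(misses)} of {len(SAMPLE_AGENT_STRINGS)} samples unmatched")
    for ua in SAMPLE_AGENT_STRINGS:
        print(parse_agent_string(ua))
    # Constructed NetBIOS names: '*' stops at '-', so CORP* does not cover CORP-PC01.
    for rule in ("CORP*", "CORP-*", "CORP.*"):
        print(rule, rule_matches(rule, "CORP-PC01", netbios=True))
```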

802.1X Auth Incompatibility with Kaspersky AV

Pulse 802.1x authentication will fail when https port monitoring is enabled on Kaspersky Anti-Virus v6.0. Pulse will report that its 'iftProvider' fails to connect to the Infranet Controller/IC (Policy Secure/PS) at port 443. The failure occurs because the Kaspersky feature interferes with Pulse's ability to communicate on port 443. The symptoms are:

1. The Pulse client displays a prompt for authentication after the connection is created.

2. Pulse enters the "connecting" state.

3. 802.1x auth success is visible from the EX switch interface, and a ping to the protected resource from the client pc will succeed.

4. Pulse prompts for re-auth again, and the cycle repeats from step 1.

As such, do not use Kaspersky https port monitoring on machines using Pulse.

Deprecated Features

The following features have been removed from the Pulse Secure clients and gateways.

- Secure Virtual Workspace – For details, see http://kb.juniper.net/TSB16424.
- Enhanced Endpoint Security (EES) – For details, see http://kb.juniper.net/TSB16018 and PR985780.
- Application Acceleration (WX) – For details, see http://kb.juniper.net/TSB16224 and PR999653.
- iPass Support – For details, see http://kb.juniper.net/TSB16194. (PRS-309703)

Policies for Deprecated Features

If you have servers that have SVW or EES policies configured, then during the upgrade to 5.1/8.1 these policies will be replaced with dummy policies. Because the SVW and EES policy configuration pages will not be present on the admin console after the upgrade, these dummy policies will be listed under the regular HostChecker policies section. The text "Deprecated" will be added to the end of these policy names to distinguish them from other policies. Each of these dummy policies will contain a dummy rule. However, SVW policies under custom actions will not be removed, and will instead simply fail when evaluated. This approach keeps restrictions on roles and realms intact, and security is ensured by "failing closed" rather than "failing open".


As such, admins may need to clean up SVW policies after the upgrade. A button is provided on the HC main page to delete all these policies. This button will delete all these deprecated policies and their usage on roles/realms. This is somewhat similar to what exists for Shavlik->Opswat migration.

Removal of Application Acceleration (WX)

Support for AppAccel (WX) has been removed from this and subsequent releases of Pulse and the Pulse configuration. See PR 999653. With the removal of WX, this feature will no longer be installed with the Pulse client. Upgrading existing Pulse clients that have the AppAccel feature installed will result in this feature being removed. The Pulse UI will also reflect this by not showing the AppAccel portion since it will no longer be installed on the machine.

If you have servers that have a Pulse connection set with WX connections, then during server upgrade these connections are removed. This will result in version change for the connection set.

When a Pulse client configured with a connection set containing the WX connection connects to the upgraded server, that client will receive the upgraded connection set with no WX connection, regardless of whether the client still supports WX.

Fixed Issues

Table 1 describes issues that are resolved when you upgrade. Click the PR number to see the complete problem description on the Juniper Networks Support Web site. (Login required.)

Table 1 Resolved in This Release

Problem Report Number Description

788015 When Credential Provider connections are enabled, Pulse may not honor wireless suppression settings.

897984 When 'Back to my mac' is enabled through iCloud on Mac OS X, end user cannot reach any resources through the VPN tunnel with Pulse.

897986 Pulse SSL throughput performance improvement.

929221 A change to the way negative DNS responses are cached in Windows 8.1 can cause certain IPv4 destinations to be unreachable via SAM tunnels on dual-stacked IPv4/IPv6 Windows 8.1 endpoints. The following page describes the change to Windows 8.1: http://technet.microsoft.com/en-us/library/dn305896.aspx. This change causes "no such name" responses to be stored in the DNS cache, causing some IPv4 destinations to be unreachable.


967535 SA active users page should display Agent version information. As the result of this change, the server's active-users page will now display each connected client's Pulse version string.

NOTE: This fix required a change to the AgentString that the Pulse client passes to the server. Specifically, the AgentString has been extended to include the client version string. If you have a role that uses an AgentString matching rule, then you might need to edit the rule to match the new format. See the PR details for more information.

987704 Upgrade of openssl.

Open Issues

Table 2 describes the open issues with the Pulse Secure desktop client. Click the PR number (when available) to see the complete problem description on the Juniper Networks Support Web site. (Login required.)

Table 2 Known Issues

Problem Report Number Description

PRS-321444 Symptom: End user connects to a Pulse Connect Secure or Pulse Policy Secure gateway using a browser expecting a Pulse Desktop client upgrade, but the client software is not upgraded. Conditions: This problem can occur intermittently on Mac OSX machines. Workaround: If an upgrade on Mac is expected but is not initiated upon connection to the gateway, then reboot the Mac endpoint and try again. The upgrade should be initiated upon reconnection.


996337 Pulse logins will fail if the following sequence of actions is executed:

1) Change the default value of the application data folder %appdata%. The default value is "C:\Users\<username>\AppData"; change it to C:\Users\NewAppdata\AppData.

2) Configure Host Checker and Credential Provider.

3) Restart the client machine.

4) Log in to the system using Credential Provider.

In this case, the end user will be unable to log in using Credential Provider.

This problem occurs because Credential Provider tries to load Host Checker from the %appdata% folder, but it cannot resolve a non-default %appdata% folder: Credential Provider runs in the system context, whereas the %appdata% environment variable is defined in the user context.

514609 When using a packet capture/monitor tool like Wireshark or NetMon (on XP), certain IP packets sent may appear to be sent twice. This is most often observed when the network capture mechanism enables "Promiscuous Mode" on the network adapter.

524205 The Pulse UI may not display correctly on screen resolutions of 800 x 600 or less.

525667 The Connect Secure or Policy Secure administrator must associate a connection set with Pulse enabled user roles in order for Pulse to be properly deployed to endpoints. Pulse will not be installed or upgraded if the Pulse role references an empty connection set.

724457 If Pulse is installed in client machine that runs Kaspersky driver with version 6.1.18.0 (Kaspersky AV 6.0.2 installed), SAM TDI driver won't get loaded and user won't be connected to SAM role until machine is restarted. Solution is to restart the machine.

734114 On Mac OSX, IVE browser page is blank after proxy is configured for the first time.

744704 Pulse on Macintosh does not support the Safari browser auto proxy discovery settings.

745651 Pulse on Mac: SA connection can get stuck in "connect requested" after fast user switch.

749362 The Location Awareness rules with Action 'DNS server' or 'Resolve address' may not work as expected on Pulse for Macintosh. Note: On all OSX versions, the 'DNS server' rule will not detect DNS servers that the user has manually assigned to an interface. DNS servers assigned by DHCP will work correctly. On Snow Leopard and earlier, the 'Resolve address' rule always evaluates to false. On Lion and Mountain Lion, the 'Resolve address' works correctly.


750033 Pulse throws set up client error when run as administrator from Start->Programs Menu in Win7 64 bit machine.

768922 The Pulse client is not passing Multi-cast traffic through a tunnel to the Pulse Connect Secure gateway on Windows 7 endpoints when multicast support is enabled on the Connect Secure gateway.

773704 Pulse deployment would fail on windows 8 using Metro style IE 10.

774974 Behavior of Pulse features not supported over IPv6 (e.g. Pulse SAM) is undefined in IPv6 scenarios.

786215 Protected resources may not be accessible via hostnames with split tunnel enabled with Pulse on OSX platforms.

842586 While logged into the Pulse Connect Secure gateway via the browser and clicking the icon to launch the Pulse Secure client, any existing saved credentials for that connection will be overwritten.

932287 Duplicate and vestigial sessions appear in IF-MAP Federation-Wide Sessions display.

970837 Some 3rd party applications can lock DLLs that must be changed during a Pulse upgrade. When this happens, a reboot is required to finish the upgrade. To minimize the likelihood of being asked to reboot after a Pulse upgrade, we recommend that you close all applications prior to upgrading Pulse.

954731 On Mac OSX devices running 5.0r3 and later Pulse, the Advanced Connection Details screen will always report 'Session time remaining' as zero seconds when a Dynamic VPN connection is established to an SRX firewall. This value can be ignored.

960981 Users of Java 7 update 45 may see the erroneous warning message ‘This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute.’ A bug in Java 7 update 45 causes the Permissions attribute not to be read if the Trusted-Library attribute is also in the manifest. The solution to avoid this warning is to upgrade to Java 7 update 51 or later.

912652 On OSX 10.9 (Mavericks) and 10.10 (Yosemite), Safari 6.1/7's default action of blocking Java applets prevents Pulse from being deployed from the browser. The PR text details the workaround.

925097 On Windows 7 and greater, when using Pulse Collaboration, there may be two Collaboration processes (dscboxui.exe) present.


932287 If a user signs into Pulse Connect Secure gateway (SSL-VPN) and then migrates his session to a Pulse Policy Secure gateway (NAC), the Federation-Wide Sessions display on the IF-MAP server (navigate to IF-MAP Federation -> This Server -> Federation-Wide Sessions) may contain two nearly identical rows for the one session.

When the user later signs out of the IC, a vestigial row may be left behind, with all cells blank except the "User" cell.

These extra rows can be ignored unless thousands of them accumulate. An accumulation might affect the IF-MAP server's performance and storage capacity.

Workaround: to eliminate the extra rows, on the JPACS (IC) box to which the users have migrated:

1. Click IF-MAP Federation -> Overview.

2. Select No IF-MAP.

3. Click Save Changes.

4. Select IF-MAP client or IF-MAP server, whichever was in effect at step 1.

5. Click Save Changes.

This workaround disrupts users' access to protected resources, so it should be scheduled during a quiet time.

Documentation

Links to Pulse Secure documentation can be found at http://www.pulsesecure.net/support.

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected].

Technical Support

When you need additional information or assistance, you can contact the Pulse Secure Global Support Center (PSGSC):

http://www.pulsesecure.net/support

1-888-314-5822 within the United States

1-408-745-9500 from outside the United States

For more technical support resources, browse the support website (http://www.pulsesecure.net/support).


Revision History

Table 3 lists the revision history for this document.

Table 3 Revision History

Revision Description

December 15, 2014 Initial publication

