Download pdf - Pulse Secure Desktop Client · These release notes contain information about Pulse Secure Desktop Client new features, software issues that have been resolved and new issues that

Pulse Secure Desktop Client

Release Notes 5.0 R14

Build

Published

Document Version

7.0

Contents

Introduction 4

Interoperability and Supported Platforms 4

Problem Resolved in Pulse 5.0R14 4

Table 1 Problem Resolved in Pulse 5.0R14 4

Problem Resolved in Pulse 5.0R13.1 5

Table 2 Problem Resolved in Pulse 5.0R13.1 5


Table 3 Resolved in This Release 5

Pulse Secure Desktop New Features in Pulse 5.0R12 6

Pulse Secure Rebranding ...................................................................................................................................... 6



Security Issues Resolved in Pulse 5.0R12 ............................................................................................................... 6

Table 5 Security Issues Resolved in This Release 7



Security Issues Resolved in Pulse 5.0R11 8

Table 7 Security Issues Resolved in This Release 8





Noteworthy Changes in Pulse 5.0R8 10




Pulse Secure Desktop Client Release Notes 5.0R13.1

© 2015 by Pulse Secure, LLC. All rights reserved 3




Removal of AppAccel (WX) from this and subsequent releases on Pulse Secure client ............................... 11

Problem Resolved in Pulse 5.0R6 Release 12






Problem Resolved in Pulse 5.0R3.1 13




Known Issues in Pulse 5.0R3 14

Table 17 Known Issues 14



Known Issues in Pulse 5.0R2 16

Documentation 16

Pulse documentation is available at https://www.pulsesecure.net/techpubs/ 16

Documentation Feedback 17

Technical Support 17

Revision History 17



Introduction

These release notes contain information about Pulse Secure Desktop Client new features, software issues that

have been resolved and new issues that affect Pulse behavior. If the information in the release notes differs from

the information found in the documentation set, follow the release notes.

Interoperability and Supported Platforms

Please refer to the Pulse Secure Supported Platforms Guide for supported versions of browsers and

operating systems in this release.

Note: For policy reasons all of the security issues fixed are not normally mentioned in release notes. To find more

information about our security advisories please see our security advisory

page: https://kb.pulsesecure.net/?atype=sa"

Problem Resolved in Pulse 5.0R14

Table describes issues that are resolved.

Table 1 Problem Resolved in Pulse 5.0R14

Problem Report

Number

Description

PRS-328239

The agent type for Pulse users on Windows 10 show up as “Windows Vista Pulse Secure” on the Active Users page.

This now been fixed to display “Windows 10 Pulse Secure”

https://www.pulsesecure.net/techpubs/pulse-policy-secure/pps/5.2rxhttps://kb.pulsesecure.net/?atype=sa



Problem Resolved in Pulse 5.0R13.1


Table 2 Problem Resolved in Pulse 5.0R13.1

Problem Report

Number

Description

PRS-333341 When Shavlik patch assessment policies are configured as enforcement or evaluation policies, Pulse will not connect.



Table 3 Resolved in This Release

Problem Report

Number

Description

PRS-331147 Pulse may attempt to connect to a manual connection and pre configuration connection simultaneously

PRS-328635 Pulse may not connect after clicking on “Start” if the defined URL has the https:// prefix

PRS-328615 If the Pulse connection is defined with https:// prefix AND SAML authentication is used, an extra https:// may be seen

and cause connection failure

PRS-328555 Manually adding a connection in Pulse for a SAML-protected login URL may cause two entries in the after the user

connects

PRS-327459 JuniperSetupClient.ocx may be prevented from running and marked as being from an untrusted CA due to invalid SKID

validation

PRS-326650 Pulse disregards SSID priority order configured in Scan list of wireless 802.1x connection set

PRS-323072 Under certain circumstances Pulse launcher attempts to create more than one connection to the same PCS



Pulse Secure Desktop New Features in Pulse 5.0R12

Pulse Secure Rebranding

The Pulse Secure line of products (including the Pulse Secure desktop client) has been rebranded to reflect its

new affiliation with Pulse Secure, LLC. Cosmetic entities like icons, fonts, product and company names,

trademarks, copyright statements and UI colors have been changed. Product behavior was not changed as the

result of this rebranding.

Note: For Pulse Secure 5.0R12, the names of the Pulse Secure gateways (formerly collectively referred to as the

IVE, or “Instant Virtual Extranet”) have changed.

The SSL-VPN headend (formerly called the Secure Access or SA device) is now called Pulse Connect Secure. The

access-control headend (formerly called the Unified Access Control or UAC device, and also sometimes called

the Infranet Controller or IC) is now called Pulse Policy Secure.




Problem Report

Number

Description

PRS-310334 PAC settings fail to be restored properly during an ungraceful reboot

PRS-323197 “Repair” and “Uninstall” shortcuts missing from the start menu on Windows 8+

PRS-326898 Location awareness rule evaluation may delay the connection to the PCS/PPS

PRS-327019 Host Checker may fail to launch through Pulse when the PPS/PCS is configured for FIPS

Security Issues Resolved in Pulse 5.0R12

Table describes issues that are resolved when you upgrade.



Table 5 Security Issues Resolved in This Release

Problem Report

Number

Description

PRS-328517 Logjam vulnerability (Pulse 5.0)






Problem Report

Number

Description

PRS-322975 SAML-based authentication from Pulse fails to connect

PRS-322384 Pulse launcher does not work with New Pin Mode.

PRS-325004 Pulse fails to prompt for an updated secondary password if the second password is changed after being saved.

PRS-323933 When running Pulse on a Mac, if the internal DNS cannot resolve the IVE hostname then the user cannot directly

access the IVE.

PRS-323598 Pulse attempts to continuously connect to a second VPN connection continuously even though an existing VPN

connection is connected.

PRS-315604 Pulse Cache Cleaner fails to delete the contents of "Recycle Bin" when "Empty Recycle Bin and Recent Documents list

at the end of user session" is enabled.

PRS-326751 After upgrade of pulse client, L2 connection might fail.

Security Issues Resolved in Pulse 5.0R11


Table 7 Security Issues Resolved in This Release

Problem Report

Number

Description

PRS-324902 Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)






Problem Report

Number

Description

PRS-322849 Pulse is sending a reconnect message every 5 seconds in L2 connection when the user disjoins the domain.

PRS-322041 Pulse may crash when choosing the option to “Forget Saved Settings” when uninstalling Pulse on a Mac OS X client.

PRS-321099 Pulse cannot handle 802.1x authentication on devices that have configured virtual NICs..

PRS-315232 EAPHost packets may be fragmented when using Host Checker.

PRS-199150 Incorrect error message is displayed in Pulse for revoked certificate when doing certificate authentication.

PRS-322740 Pulse may not connect if pre-signin notifications are configured

PRS-320935 SSL transport may be unduly slow when large packets are sent.

PRS-318910 SSL transport for Pulse is noticeably slower than Network Connect.




Problem Report

Number

Description

PRS-319255 Pulse 802.1x connections fail when password expiration messages are displayed

PRS-318525 When using machine authentication AND single user session, changing network type may trigger disconnects.



PRS-316212 Enabling wireless suppression on a connection set may cause excessive eap3host.exe processes to be spawned on

clients that do not have permission to change NIC state.

PRS-315530 Connecting on a cellular data connection may prevent access to protected resources on Windows 8.1.

PRS-257980 Pulse Credential Provider tile “Other User” should display the Pulse icon on Windows 7.

PRS-320072 Session start script to map network drives may fail to launch.

Noteworthy Changes in Pulse 5.0R8

To effectively support proxies on Windows clients, Network Connect and Pulse will generate URL-based proxy

PAC files instead of file-based proxy PAC files due to access restrictions on Windows machines. (PRS-303538,

PRS-319611)

The driver used for Pulse is reverted to JNPRNA for Windows Vista clients. (PRS-317884)




Problem Report

Number

Description

PRS-317884 When the IC and SRX use IPSEC with 802.1x and a user moves between standard access and remediation access

roles, JNPRNS will retain the previous IP.

PRS-318538 JNPRNS installation triggers BSOD on Vista; starting with Pulse 5.0R8, JNPRNA will be installed again.

PRS-315756 The Pulse client on Mac OS shows only 6 configured Pulse Connection sets.

PRS-315426 If “Search device DNS only” is set on a connection profile used by Pulse a Windows machine may require 1+ minutes

to complete login after hard power off.8.1.

PRS-318833 Pulse may not resume the VPN session correctly after an active/cluster node failover.

PRS-309684 Pulse may reconnect after a user signs out from the browser when SSL acceleration is enabled.




This release addresses the issue described in the following Juniper Security Advisory:http://kb.juniper.net/JSA10648




Problem Report

Number

Description

PRS-317942 Self-upgrade of JIS prompts for admin credentials.

PRS-316630 Pulse customization tool (Branding tool) is not working with latest Pulse Secure client on Mac OS X

PRS-316089 Pulse start up can be delayed when unreachable network drive is in PATH system variable

PRS-315986 Pulse Secure client does not prompt for secondary credentials when Defender RADIUS server is configured as

secondary authentication server.

PRS-315084 Due to race condition on WTS_LOGON Pulse 802.1x Wired connection is prompting for credentials after PC reboot

logoff and login

PRS-314240 On OSX 10.10 (Yosemite) Pulse cannot be un-installed by dragging Pulse icon to trash

PRS-312285 Pulse Commandline Launcher (PCL) does not work with RSA SecureID

PRS-282866 Wireless 802.1x: Endpoint drops wireless connection during a VLAN change


Removal of AppAccel (WX) from this and subsequent releases on Pulse Secure client

Support for AppAccel (WX) has been removed from this and subsequent releases of Pulse and the Pulse

configuration. With the removal of WX this feature will no longer be installed with the Pulse client. Upgrading

existing Pulse clients that have the AppAccel feature installed will result in this feature being removed. The

Pulse UI will also reflect this by not showing the AppAccel portion since it will no longer be installed on the

machine. If you have servers that have a Pulse connection set with WX connections then during server upgrade

http://kb.juniper.net/JSA10648



these connections are removed. This will result in version change for the connection set. When a Pulse client

configured with a connection set containing the WX connection connects to the upgraded server that client will

receive the upgraded connection set with no WX connection regardless if the client still supports WX or not.

(999653)

Problem Resolved in Pulse 5.0R6 Release



Problem Report

Number

Description

946513 During credential provider and smart card login with Pulse Secure client, when an invalid smart card PIN is entered,

Pulse keeps trying to connect instead of returning a Wrong PIN message

984758 Upgrading Pulse damages the jnprvamgr driver

1004549 Pulse installation fails on Window 7




Problem Report

Number

Description

812263 Default gatekeeper settings require manual opening of the mpkg package for DMG-based install on Mac OS 10.8+

997252 SRX-based connections may fail to pass traffic when connected from a Windows OS endpoint

984789 VPN Tunnel may fail to establish on XP if Traffic Enforcement is enabled on the role VPN Tunneling options






Problem Report

Number

Description

977758 Pulse displays invalid credentials instead of requesting for passcode when one-time-password option is disabled for

RADIUS server.

939265

Pulse configured to do dot1x user authentication using Credential Provider and smart card may fail with Need

Certificate Error. This happens when the smartcard that is used needs "AT_SIGNATURE" option for CryptGetUserKey

function.

945051 Sometimes during Sudden/Abnormal Reboot of Endpoint truncates “access.ini” file, which in turn is responsible for

Access Service crash.

955023 If a client has IPv6 enabled, a machine on the same network may be able to reach the local IP despite the tunnel policy

being set to enable traffic enforcement and disable split tunneling.

969923 IPv6 default route is removed after Pulse session is disconnected

Problem Resolved in Pulse 5.0R3.1



Problem Report

Number

Description

981148 Pulse 5.0R3.1 addresses the “heartbleed” security vulnerability (CVE-2014-0160), which was discovered in OpenSSL

(1.0.1-1.0.1f) and was publicized on April 7, 2014. In short, a coding flaw in the heartbeat functionality of OpenSSL can

allow a malicious user to read arbitrary 64KB blocks of RAM on vulnerable devices. Details of the vulnerability can be

found at the openssl.org site; its effects on Juniper products are described in JSA10623 on Juniper’s Knowledge Base

(KB) site.

Pulse Secure client for Windows and Mac versions 4.0r5 through 5.0r3 contain this vulnerability. Users can eliminate

the vulnerability on client devices by upgrading their client machines to 5.0r3.1 (build #44983) or later.

Note that the “heartbleed” vulnerability also exists on the server side of the Pulse connection. For updates on the

server-side as well as the client side of this vulnerability, please consult KB article KB29004.






Problem Report

Number

Description

959763, 965819 On machines running Pulse 5.0r1 or 5.0r2, Pulse may freeze under certain conditions, including:

When the endpoint displays the splash screen after the device resumes from sleep

During the 'Remediating' state

959840 User prompted for realm selection when multiple connections are configured and the user logs in as a username

password user.

971965 Pulse UI message displaying the presence/absence of the wireless adapter is not being updated frequently enough.

969904

After receiving connection information from the server, the client can fail to save the data and report the following errors:

'UiModel' Error getting machine::setting conn-info using conn-store client.

and

Failed CreateFile: 32 C:\Program Files (x86)\Common Files\Juniper

Networks\ConnectionStore

This problem can happen on machines that are either very slow, or, that are running Antivirus software that

substantially delays access to files

970841 Under very limited and intermittent conditions after upgrading to Pulse 5.0r2, Pulse may stop sending traffic through the

VPN tunnel.

Known Issues in Pulse 5.0R3

Table describes the open issues with Pulse Secure client.

Table 17 Known Issues

Problem Report

Number

Description

962446 Pulse running in FIPS mode on an endpoint running McAfee Application Control can cause a self-test failure. Juniper

Knowledgebase article KB28876 describes how to recognize this issue and how to configure McAfee Application

Control to avoid this issue.

970837

Some 3rd party applications can lock DLLs that must be changed during a Pulse upgrade. When this happens, a reboot

is required to finish the upgrade. To minimize the likelihood of being asked to reboot after a Pulse upgrade, we

recommend that you close all applications prior to upgrading Pulse.



974070 The "Dynamic VPN to SRX" firewalls feature that was added in Pulse 5.0r3 is not supported on OSX versions 10.7 and

earlier. If you attempt to establish an SRX connection on Mac OS 10.7 or earlier, you will encounter a "Failed to get

HTTP response" error.

954731 On Mac OSX devices running 5.0r3 and later Pulse, the Advanced Connection Details screen will always report

'Session time remaining' as zero seconds when a Dynamic VPN connection is established to an SRX firewall. This

value can be ignored.

960981 Users of Java 7 update 45 may see the erroneous warning message ‘This application will be blocked in a future Java

security update because the JAR file manifest does not contain the Permissions attribute.’ A bug in Java 7 update 45

causes the Permissions attribute not to be read if the Trusted-Library attribute is also in the manifest. The solution to

avoid this warning is to upgrade to Java 7 update 51 or later.

912652 On OSX 10.9 (Mavericks) and 10.8 (Mountain Lion), Safari 6.1/7's default action of blocking Java applets prevents

Pulse from being deployed from the browser

925097 On Vista and greater OS, when using Pulse Collaboration, there may be two Collaboration processes (dscboxui.exe)

present.

932287 If a user signs into Pulse Connect Secure (SSL-VPN) and then migrates their session to a Pulse Connect Secure (an

IC), the Federation-Wide Sessions display on the IF-MAP server (navigate to IF-MAP Federation -> This Server ->

Federation-Wide Sessions) may contain two nearly identical rows for the one session.

When the user later signs out of the IC, a vestigial row may be left behind, with all cells blank except the "User" cell.

These extra rows can be ignored unless thousands of them accumulate. An accumulation might affect the IF-MAP

server's performance and storage capacity.

Workaround: to eliminate the extra rows, on the JPACS (IC) box to which the users have migrated:

1. Click IF-MAP Federation -> Overview.

2. Select No IF-MAP.

3. Click Save Changes.

4. Select IF-MAP client or IF-MAP server, whichever was in effect at step 1.

5. Click Save Changes.

This workaround disrupts users' access to protected resources, so it should be scheduled during a quiet time.




Table describes the issues resolves in Pulse Secure client 5.0R2.


Problem Report

Number

Description

937818 When there is no network/internet connection, users are unable to login to the client machine when credential provider

connection is in enabled in Pulse.

882595 When Pulse is connected to SA via PPPOE with 'Search the device's DNS servers first, then client' option enabled, the

DNS resolution requests are still sent to PPPoE's DNS server rather than IVE's DNS Server.

97984 When 'Back to my mac' is enabled through iCloud on Mac OS X, end user cannot reach any resources through the VPN

tunnel with Pulse Secure client.

944594 Pulse Location awareness does not work when router/DHCP server assigns primary and the secondary DNS as the

same IP.

Known Issues in Pulse 5.0R2

Table describes the option issues with Pulse Secure client.

Table 19 Known Issues

Problem Report

Number

Description

There are no new issues to report in this release.

Documentation

Pulse documentation is available at https://www.pulsesecure.net/techpubs/

http://www.pulsesecure.net/techpubs/



Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation.

You can send your comments to [email protected].

Technical Support

When you need additional information or assistance, you can contact “Pulse Secure Global

Support Center (PSGSC):

• http://www.pulsesecure.net/support

• [email protected]

• Call us at 1-844 751 7629 (Toll Free, US)

For more technical support resources, browse the support (website http://www.pulsesecure.net/support).

Revision History

Table lists the revision history for this document.

Table 21 Revision History

Revision Description

August 11,2014 Initial publication.

February 17,2015 Included Pulse5.0R9 release notes

March 24,2015 Included Pulse5.0R10 release notes

May 22,2015 Included Pulse5.0R11 release notes

August 7,2015 Included Pulse5.0R12 release notes

September 24,2015 Included Pulse5.0R13 release notes

mailto:[email protected]://www.pulsesecure.net/supportmailto:[email protected]://www.pulsesecure.net/support)



October 30,2015 Included Pulse5.0R13.1 release notes

January 20,2016 Included Pulse5.0R14 release notes