
Client 9.0R4, Connect Secure 9.0R4 appliance, MFA+LDAP, Client couldn't run Host Checker at 10-minute

Occasional Contributor


Pulse Connect Secure 9.0R4 virtual appliance

Pulse Client 9.0R4 for Windows x64

SecureAuth MFA + AD LDAP

 

Back when our Pulse Connect Secure was running 8.3R7.1, whenever we connected to the appliance using Pulse Client 5.3R7.1 or Pulse Client 9.0R4, it would launch Internet Explorer for authentication to SecureAuth MFA, then afterwards run ActiveX to launch the external Host Checker. It would pass the 1st Host Checker policy and fail the 2nd Host Checker policy. However, because Global HC is set to "Perform dynamic policy reevaluation" = DISABLED, and the Realm-Level HC is set to EVALUATE, and the Role-Level HC is set to ALLOW ALL USERS, it would successfully map to the Layer 3 VPN role and establish the L3 VPN connection just fine. That external Host Checker process "dsHostChecker.exe" would remain active for the duration of the L3 VPN session and call home every 10 minutes to check in.

 

Now that our Pulse Connect Secure appliance is upgraded to 9.0R4, whenever we connect to the appliance using Pulse Client 9.0R4, it launches Pulse Client's built-in browser and apparently uses the "PulseSecureService.exe" service for Host Checking. The logs on the appliance indicate that, just like before, it passes the 1st Host Checker policy and fails the 2nd Host Checker policy. However, because Global HC is set to "Perform dynamic policy reevaluation" = DISABLED, and the Realm-Level HC is set to EVALUATE, and the Role-Level HC is set to ALLOW ALL USERS, it successfully maps to the Layer 3 VPN role and establishes the L3 VPN connection just like before. ---> The problem is that AFTER 10 minutes (the defined interval for re-evaluation), the Pulse Client 9.0R4 for some reason COULD NOT perform the periodic RE-EVALUATION at the 10-minute interval, and it immediately drops the L3 VPN connection.

 

This is causing a major issue for us in migrating to 9.x (8.3Rx will reach end of support in October 2019) because we are required to have MFA in front and required to run Host Checker to determine who is allowed to have L3 VPN.

 

Any thoughts as to why Pulse Client 9.0R4 with its built-in browser COULD NOT run Host Checker at a periodic interval with our setup (MFA+LDAP)? No matter what settings we have for Host Checker at Global Level, at Realm Level, or at Role Level, Host Checking just wouldn't run after 10 minutes, then the connection just dropped.

Moderator

Re: Client 9.0R4, Connect Secure 9.0R4 appliance, MFA+LDAP, Client couldnt run Host Checker at 10-mi

Hello there,

Thank you for bringing this to our attention.

If possible, can you please replicate the issue using Pulse Client and provide me the detailed level logs for review?

Set the detailed level logs:

File >> logs >> log level >> detailed. Also do annotate before replication.

Thank you,
Ray.