Re: Detailed description on how Wsam works

Pulseaccess · ‎04-11-2020

Hi Team

How does wsam actually work technically speaking? We are facing an issue with Dns resolution (on the PSA, dns is resolving and we have taken capture and checked that the dns response is send back as well) since it's tunneled, am not sure if dns response is reaching back to the client as there is a firewall as in between. How do we see the traffic on the firewall? Also the new wsam uses wfp drive, could this be causing an issue?

[email protected] · ‎04-13-2020

Are you using Windows SAM or Pulse SAM? I hope it is Pulse SAM, since you have mentioned about WFP. What is the OS and Pulse Client version? Issue seen on all user workstations or only few?

Intermediate F/W will not block the DNS response since it will be tunneled inside TCP-443 (SSL) data. Also, are you trying to access the site using hostname (shortname) or FQDN? Which one gets resolved successfully when testing from PSA?

Pulse Connect Secure Certified Expert

Pulseaccess · ‎04-15-2020

Hi Ray, thank you for responding.

We have understood that when the Sam destination is created with fqdn, and the request comes for that fqdn, it works but if the Sam destination is set with the ip of the server, and we access using fqdn, then it doesnt work. This was not the behavior seen in 9.0.3.not sure if on the 9.1.3,this is how the configurations should be? We have added a lot of roles with subnets etc as Sam destinations and used to work fine in earlier version

Pulseaccess · ‎04-15-2020

Also am a bit confused, starting with 9 releases, is it only psam? Because the interface is changed and similar to pulse secure desktop client.

[email protected] · ‎04-15-2020

Hi @Pulseaccess,

I think I've seen in some cases where the VPN server would do a reverse check to find the configured IP address matches with the FQDN accessed and it would allow the traffic to be SAMized, however I'ven't truly tested it in my lab. When you say it works in older version, that means, it used to work with 9.0Rx Pulse Client or VPN server? Which combination does not work?

Starting 9.1R3 code, Pulse Client SAM will be used by default.

Pulse Connect Secure Certified Expert

Pulseaccess · ‎04-16-2020

Hi [email protected]

When the Sam policy is created with ip subnets and when accessed via dns name of server, we did a packet capture on the appliance, it's getting a dns response, does it not then match with the Sam policy? Will let you know on the versions soon. Also psam does nt use virtual adapter right? It uses the physical adapter itself?

Pulseaccess · ‎04-16-2020

[email protected]

DNS resolution working when Sam policy is set with ip on old version PSA 8.3 in mag, client 8.x, 9.x

Jame1s · ‎04-16-2020

WSAM listens for any resources that the application accesses and "tunnels" that traffic through the PSC device.

Jame1s · ‎04-16-2020

WSAM listens for any resources that the application accesses and tunnels that traffic through the PSC device.

[email protected] · ‎04-16-2020

PSAM workflow should be as follows:

1. SAM client receives the configured policies for the SAM tunnel (apps & dests allowed/denied/bypassed).

2. Checks the hostname value present in the DNS request with the recevied policy and takes action - Send to VPN for resolution or Allow the DNS request directly.

3. VPN server resolves and sends the reply over to the SAM client.

4. SAM client will create a portmap (used for data transfer) for the actual resource and waits for the application to send traffic to the destination.

5. Intercepts the initiated traffic and send it to the VPN server for forwarding.

In your case, it looks like #2 is failing after #3, not sure how that could be happening... this needs internal testing.. can you please open a support ticket with us for further review?

Pulse Connect Secure Certified Expert