Pulse Connect Secure 9.1R12 Host Checker component has a major issue: it CANNOT find Machine Certificate.
We have a Host Checker policy to check to make sure machine certificate was issued by our Enterprise CA.
We upgraded the appliance from PCS 9.1R11.5 to PCS 9.1R12.
When using Pulse Clients 9.1R10, 9.1R11.5, 9.1R12, when the Client attempted to invoke internal host checking (the host checking component was sent by the PCS 9.1R12 appliance, presumably), it simply cannot find the Machine Certificate on Windows 10, even though "certlm.msc" clearly shows the Machine Cert exists.
This issue did NOT exist on 9.1R11.5.
Hi @tnguyendoit , did you get anywhere with this? We use host checker for machine certs with Win 10 and I'm concerned about upgrading now.
Our Pulse admin team opened a case with Pulse Secure Support. They collected the various logs for analysis. Nothing yet.
Easy to reproduce/recreate the issue on a PCS 9.1R12 appliance.
1> Under Trusted Client CAs, upload the Root CA and Issuing CA certs so that they chain correctly. Set them to participate.
2> Set up a Host Checker policy with an appropriate rule to check for a Machine Certificate issued by the Issuing CA from Step # 1.
3> Set up a separate realm. Set this realm to use Host Checker from Step # 2, set it to evaluate only at the realm level.
4> Create a role and enable the Layer 3 VPN tunneling (SSL) feature for this role. Configure the Connection Set (check the box to use the embedded browser, set the Connection to use the Sign-in URL in Step # 6, etc.), then configure the Component Set, and edit this role to make sure it is feeding that Component Set to the Pulse Client.
5> For the role in Step # 4, set the Host Checker restrictions to allow this role ONLY IF it passes the machine cert-check Host Checker Policy from Step # 2
5> For the Realm in Step # 3, create a role-mapping rule to map to the Role in Step # 4
6> Create a Sign-in URL which uses the Realm in Step # 3
7> Export the appropriate Component Set settings to a PULSEPRECONFIG file.
8> Install any of the recent Pulse Desktop Clients (9.1R10, 9.1R11.5 FIPS or non-FIPS, 9.1R12 FIPS or non-FIPS) on an endpoint (e.g. a laptop) which has a Machine Certificate issued by the Issuing CA from Step # 1, and use jamCommand to import the PULSEPRECONFIG into the Pulse Client.
9> Open the Pulse Desktop Client and connect to the PCS 9.1R12 using the preconfigured connection entry.
---> The Pulse Desktop Client will throw an error about endpoint out of compliance and reason "Machine certificate not found"
On the appliance, in the User Access Logs, you would see Event AUT22925 - Host Checker policy 'some-host-checker-policy' failed on host xxx.xxx.xxx.xxx . Reason: 'Rule-some-hc-rule:Machine certificate was not found'
Same setup, when connected to appliance running PCS 9.1R11.5 worked just fine.
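When Host Checker reports "Machine certificate was not found" while certlm.msc shows the cert, it helps to rule out the endpoint side before blaming the appliance. The following PowerShell is an added example, not code from this thread or from Pulse Secure: it enumerates the LocalMachine\My store for certificates whose issuer CN matches your Issuing CA (the `Example Issuing CA` name is a placeholder), checks validity dates and private-key presence, and builds the chain locally the way Windows would, so an endpoint-side trust or key problem shows up with a concrete reason instead of a generic "not found".

```powershell
# Added example (not from the thread): verify that a machine certificate issued by
# the Issuing CA is present and usable in LocalMachine\My, and that Windows can
# build its chain. Run on the endpoint in an elevated PowerShell session.
$IssuingCaCn = 'Example Issuing CA'   # placeholder: CN of your Issuing CA

function Test-MachineCertForHostChecker {
    param(
        [Parameter(Mandatory)] [string] $IssuerCn
    )
    $now = Get-Date
    $pattern = 'CN=' + [regex]::Escape($IssuerCn)

    # Only certificates whose Issuer DN contains the Issuing CA's CN are candidates.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match $pattern }

    if (-not $candidates) {
        Write-Warning "No certificate in LocalMachine\My issued by CN=$IssuerCn."
        return $null
    }

    foreach ($cert in $candidates) {
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($cert.NotAfter  -lt $now) { $problems += "expired $($cert.NotAfter)" }
        if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }

        # Build the chain locally; a failure here usually means the Root or Issuing CA
        # is missing from LocalMachine\Root or LocalMachine\CA, which is an endpoint
        # problem rather than the appliance-side behaviour described in the thread.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is a separate concern
        $chainOk = $chain.Build($cert)
        if (-not $chainOk) {
            $problems += ($chain.ChainStatus |
                ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            HasKey     = $cert.HasPrivateKey
            ChainOk    = $chainOk
            Problems   = if ($problems) { $problems -join '; ' } else { 'none' }
        }
    }
}

Test-MachineCertForHostChecker -IssuerCn $IssuingCaCn | Format-List
```

If every candidate comes back with `HasKey` true, `ChainOk` true and `Problems` none, the endpoint has what Host Checker should be evaluating, and the failure is on the appliance side, as the later posts in this thread (the "Stored host checking results" toggle) suggest.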
Thanks for that @tnguyendoit . That's really disappointing. Seems Pulse/Ivanti are really struggling with quality control in a rush to fix issues.
Hi, thanks for the contribution.
Could you please share whether the issue was resolved by the Pulse Secure Support?
So, I was poking around this morning to compare the Host Checker policies on the non-working PCS 9.1R12 UAT appliance and the PCS 9.1R11.5 PRODUCTION appliance, and we noticed something we had not noticed before... For some reason the "Stored host checking results" option was turned on on the UAT, whereas it's turned off on the PRODUCTION.
We then turned the option off/on a couple times (saved configs every time) to clear the stored HC results, and for whatever reason, the PCS 9.1R12 Host Checker appears to recognize the machine certificate now.
Don't know the cause but after we did that, it appeared to be working for us on the previously non-working UAT.