Hello, do you know how I can filter Network Connect users in order to prevent users from connecting to the gateway with Network Connect but only with Pulse Secure client? Do you know if there is an option to only allow Pulse Secure client users or to deny Network Connect users? Or with a specific user agent or a specific attribute to filter with a Custom Expression in the role mapping? Thanks in advance.
Hi - Yes you should be able to do this using a 2 step process:
1. Step 1: Disable the Network Connect client that users get an option to start from the browser. To achieve this, enable 'Pulse Secure Client' (Role -> General > Overview) for each role that has L3 VPN enabled and you want to block Network Connect and allow Pulse. This will ensure most end-users can't launch NC from a regular browser session as only Pulse Client will show up.
2. Step 2: Block various standalone Network Connect clients (the ones that can be launched directly from installed applications without having to log in via a browser). For this, at the realm and role level, add user-agent restrictions to block these clients. For example, add a user-agent restriction to deny access for user-agents with pattern *NcWin*. This will ensure that none of the standalone Network Connect clients from a Windows machine can log in. I don't have the exact user-agent string patterns from Mac and Linux NC standalone clients handy. However, you can find these by attempting to log in from the Mac and Linux NC standalone clients and starting a packet capture on the gateway. When you read the decrypted version of this packet capture you should be able to find the user-agent strings.
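
To help with the last part of Step 2, here is an added example (not from the original posts and not vendor code) that lists the User-Agent values found in decrypted request text and shows which ones a set of deny patterns would catch. It assumes the capture has been exported as plain text and that patterns are matched as case-sensitive globs; the User-Agent strings in the sample are constructed placeholders, not real client strings.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Deny pattern taken from the answer above; add Mac/Linux patterns once found.
DENY_PATTERNS = ["*NcWin*"]

# Constructed sample of decrypted HTTP request heads exported from a capture.
# Host and User-Agent values are placeholders, not real client strings.
SAMPLE_CAPTURE = """\
GET /login HTTP/1.1\r
Host: vpn.example.test\r
User-Agent: Placeholder NcWin32 client\r
\r
GET /login HTTP/1.1\r
Host: vpn.example.test\r
User-Agent: Placeholder desktop browser\r
\r
POST /login HTTP/1.1\r
Host: vpn.example.test\r
user-agent: Placeholder standalone client (Linux)\r
\r
"""

# Header names are case-insensitive; tolerate CRLF or LF line endings.
UA_HEADER = re.compile(r"^user-agent:[ \t]*(.*?)[ \t]*\r?$",
                       re.IGNORECASE | re.MULTILINE)


def user_agents(capture_text):
    """Return a Counter of User-Agent values seen in the request text."""
    return Counter(UA_HEADER.findall(capture_text))


def classify(agents, deny_patterns=DENY_PATTERNS):
    """Split observed agents into (denied, allowed) lists, each sorted."""
    denied, allowed = [], []
    for ua in sorted(agents):
        hit = any(fnmatchcase(ua, p) for p in deny_patterns)
        (denied if hit else allowed).append(ua)
    return denied, allowed


if __name__ == "__main__":
    seen = user_agents(SAMPLE_CAPTURE)
    denied, allowed = classify(seen)
    for ua in denied:
        print(f"DENY   {seen[ua]:>3}x  {ua}")
    for ua in allowed:
        print(f"ALLOW  {seen[ua]:>3}x  {ua}")
```

Any standalone client string that shows up under ALLOW is a candidate for a further deny pattern at the realm and role level.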