Hi ,
We are trying to set up a PCS BYOL 3 NIC virtual appliance on AWS to provide extra VPN capacity.
Placed the PCS behind an NLB (network load balancer - for TCP/443) and it seems to work fine. We are using only port 443.
Clients are able to start RDP sessions from bookmarks.
When we place the same PCS appliance behind an ALB (application load balancer - layer 7) we are not able to start RDP sessions.
The following error message pops up:
"Pulse Secure Terminal Services Client could not establish connection to secure gateway. Click OK to exit and retry...."
Using self-signed certs on the PCS and ALB, but that should work with an older browser and after all the usual warnings.
Since using an NLB is fine, I think the issue is somewhere with how the SSL certs are handled. We'd prefer to use an ALB, because that would allow us to add a WAF as extra protection.
Any help would be much appreciated.
I believe the ALB would be configured with SSL offloading/HTTPS listener feature on AWS, correct?
If yes, then the issue would be caused by the SSL offloading part. The Terminal Services client (as a matter of fact, all Pulse components) does a cert-hash check to prevent MITM attacks, i.e. if the server certificate hash received by the client is different from the hash value computed, it terminates the session with the posted error message. The only way to make it work is to disable SSL offloading for VPN server traffic.
In a nutshell, Client receives >> Server certificate (provided by ALB) >> Computes to HashA >> Inside the received SSL payload there will be HashB (computed by VPN) i.e. hash of the VPN server's real certificate.
Check >> HashA != HashB >> Terminate
Hope this clarifies your query.
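To make the HashA / HashB check above concrete, here is an added illustration (not Pulse Secure code, and not from this thread) that models both deployments. The certificate bytes and the payload layout are constructed stand-ins; the point is only that a TLS-terminating ALB presents its own certificate while the in-band hash still describes the PCS certificate.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
VPN_SERVER_CERT = b"DER:CN=vpn.example.internal:serial=1001:constructed"
ALB_CERT = b"DER:CN=vpn.example.internal:serial=2002:constructed"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def vpn_payload(real_cert_der: bytes) -> dict:
    """HashB: what the VPN server embeds inside the TLS payload, i.e. the hash
    of its own certificate. The dict layout is an assumption for illustration."""
    return {"server_cert_hash": cert_fingerprint(real_cert_der)}


def client_check(presented_cert_der: bytes, payload: dict) -> str:
    """The client-side pinning check: HashA (certificate seen on the TLS
    session) must equal HashB (hash carried in the payload)."""
    hash_a = cert_fingerprint(presented_cert_der)
    hash_b = payload["server_cert_hash"]
    # Constant-time comparison, so the check itself leaks nothing.
    if hmac.compare_digest(hash_a, hash_b):
        return "connect"
    return "terminate"


def nlb_passthrough() -> str:
    """TCP/443 NLB: TLS terminates on the PCS, so the client sees the real
    PCS certificate and HashA == HashB."""
    return client_check(VPN_SERVER_CERT, vpn_payload(VPN_SERVER_CERT))


def alb_offload() -> str:
    """Layer-7 ALB: TLS terminates on the ALB, which presents its own
    certificate, while the relayed payload still carries the PCS hash."""
    return client_check(ALB_CERT, vpn_payload(VPN_SERVER_CERT))


if __name__ == "__main__":
    print("NLB passthrough:", nlb_passthrough())  # connect
    print("ALB offload:   ", alb_offload())       # terminate
```

The mismatch case is exactly what the Terminal Services client reports as "could not establish connection to secure gateway", which is why the check cannot be satisfied by trusting the ALB's self-signed certificate in the browser.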
Thank you. AWS support confirmed that an ALB would not do passthrough SSL.
We will have to stick with an NLB solution and integrate a WAF some other way.
@izima Thank you for the update