
PCS on AWS behind an ALB - initial setup - SSL issues?

New Contributor

Hi,

We are trying to set up a PCS BYOL 3 NIC virtual appliance on AWS to provide extra VPN capacity.

Placed the PCS behind an NLB (network load balancer, TCP/443) and it seems to work fine. We are using only port 443.

Clients are able to start RDP sessions from bookmarks.

When we place the same PCS appliance behind an ALB (application load balancer, layer 7) we are not able to start RDP sessions.

The following error message pops-up:

"Pulse Secure Terminal Services Client could not establish connection to secure gateway. Click OK to exit and retry...."

Using self-signed certs on the PCS and ALB, but that should work with an older browser and after all the usual warnings.

Since using an NLB is fine, I think the issue is somewhere in how the SSL certs are handled. We'd prefer to use an ALB, because that would allow us to add a WAF as extra protection.

Any help would be much appreciated.

ACCEPTED SOLUTION

Moderator

Re: PCS on AWS behind an ALB - initial setup - SSL issues?

I believe the ALB is configured with the SSL offloading/HTTPS listener feature on AWS, correct?

If yes, then the issue is caused by the SSL offloading part: the Terminal Services client (as a matter of fact, all Pulse components) does a cert-hash check to prevent MiTM attacks, i.e. if the server certificate hash received by the client differs from the hash value computed, it terminates the session with the posted error message. The only way to make it work is to disable SSL offloading for VPN server traffic.

In a nutshell: the client receives the server certificate (provided by the ALB) and computes HashA; inside the received SSL payload there is HashB (computed by the VPN), i.e. the hash of the VPN server's real certificate.

Check >> HashA != HashB >> Terminate :D

Hope this clarifies your query.

PCS Expert
Pulse Connect Secure Certified Expert

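The hash check described in the accepted answer, as an added illustration (this is not Pulse Secure's code; both certificates and their names are constructed in-memory for the demo): the client pins the fingerprint of the VPN server's real certificate, so a certificate presented by a TLS-offloading listener in front of it fails the comparison, while a TCP pass-through listener that hands over the PCS's own certificate succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedDER builds a throwaway self-signed certificate for the given name.
// It stands in for the VPN server's real certificate and for the ALB's front-end
// certificate; both are constructed here, not taken from any real deployment.
func selfSignedDER(commonName string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// CertHash is "HashB": the fingerprint of the VPN server's real certificate
// that the server carries inside its payload.
func CertHash(der []byte) [32]byte { return sha256.Sum256(der) }

// PinMatches is the client-side check: hash the certificate actually presented
// on the TLS connection ("HashA") and compare it with the pinned value.
func PinMatches(presentedDER []byte, pinned [32]byte) bool {
	got := sha256.Sum256(presentedDER)
	return subtle.ConstantTimeCompare(got[:], pinned[:]) == 1
}

func main() {
	vpnCert := selfSignedDER("pcs.vpn.internal") // constructed: what the PCS really holds
	albCert := selfSignedDER("vpn.example.com")  // constructed: what an HTTPS listener presents
	pin := CertHash(vpnCert)
	fmt.Println("NLB (TCP pass-through) presents the PCS cert:", PinMatches(vpnCert, pin))
	fmt.Println("ALB (TLS offload) presents its own cert:", PinMatches(albCert, pin))
}
```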

3 REPLIES

New Contributor

Re: PCS on AWS behind an ALB - initial setup - SSL issues?

Thank you. AWS support confirmed that an ALB would not do passthrough SSL.

We will have to stick with an NLB solution and integrate a WAF some other way.

Moderator

Re: PCS on AWS behind an ALB - initial setup - SSL issues?

@izima Thank you for the update :)

PCS Expert
Pulse Connect Secure Certified Expert