
Pulse licensing server and SSL decryption

SOLVED

Occasional Contributor

Hello,

Has anyone had any success with configuring a secure SSL decryption policy for allowing a PSA-V to contact the Pulse Licensing Server? SSL decryption breaks the traffic. I excepted the URL "pcls.pulseone.net" from decryption; however, the traffic was still breaking. This seems to be because the PSA-V is contacting a range of Amazon AWS IPs before getting to the licensing servers. I had to set a policy excepting *all* Internet traffic from the PSA-V, and I'd like to tighten that up.

Any help is appreciated!

Thanks in advance!

Best regards,

- Steve

1 ACCEPTED SOLUTION

Moderator

Re: Pulse licensing server and SSL decryption

No, I don't have any info regarding the non-intrusive SSL decryption setups or configs. Per my understanding, as long as the response contents are not modified or blocked as an anomaly by the FW, we should be good.

PCS Expert
Pulse Connect Secure Certified Expert

5 REPLIES

Moderator

Re: Pulse licensing server and SSL decryption

Please add the decryption CA certificate on the VPN server's trusted server CA list (Configuration >> Certificates >> Trusted server CA) and check the behavior; it should work.

If you see any SSL errors related to cert trust in the events/admin access logs when it's not working, then following the above step should fix the issue.

PCS Expert
Pulse Connect Secure Certified Expert
Occasional Contributor

Re: Pulse licensing server and SSL decryption

Hi Ray,

Thanks for the information. Unfortunately, that didn't resolve the issue. After taking the SSL decryption root cert and importing it to the Trusted Server CA store on the PSA-V, the firewall still shows a decryption error when the PSA-V contacts "ec2-xx-xx-xx-xx.us-west-2.compute.amazonaws.com".

The event log shows the message LIC30543:

License server low-level protocol error, server=pcls.pulseone.net, Code = [60] : SSL peer's certificate verification error

What's interesting is that in the admin access log (which I hadn't thought to look at before), it looks like the license codes were successfully downloaded (I replaced our codes with x's):

Info LIC31492 2020-05-08 10:11:13 - ive - [127.0.0.1] Root:: System()[] - License download server provision response - '{"return_code":0,"return_message":"OK","license_keys":["xxxxx xxxx xxxxx xxxxx xxxxx"]}'
Info LIC31491 2020-05-08 10:11:13 - ive - [127.0.0.1] Root:: System()[] - License download server provision request return code - '200

 

Thank you,

- Steve
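As an added illustration (not code from the thread or from Pulse Secure): a small Python checker that parses admin access log lines in the layout Steve quoted, counts LIC30543 certificate verification errors per license server, and reports whether a LIC31492 provisioning response with return_code 0 was still received, which is the situation described above. The field layout, the severity and prefix of the LIC30543 line, and the sample log are assumptions constructed for the example.

```python
import re
from collections import Counter

# Field layout assumed from the admin access log lines quoted in the thread:
# "<severity> <msg id> <date> <time> - <node> - [<ip>] <user> - <message>"
LOG_RE = re.compile(
    r"^(?P<severity>\w+)\s+(?P<msgid>LIC\d+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<node>\S+) - "
    r"\[(?P<ip>[^\]]+)\] (?P<user>.*?) - (?P<msg>.*)$"
)

# Message ids as they appear in the thread.
CERT_VERIFY_ERROR = "LIC30543"   # low-level protocol error: SSL peer cert verification
PROVISION_RESPONSE = "LIC31492"  # provisioning response body from the license server

def parse_line(line):
    """Return a dict of fields, or None when the line is not a LIC event."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def assess_license_events(lines):
    """Count cert verification errors per server and check for a return_code 0 response."""
    events = [e for e in map(parse_line, lines) if e]
    counts = Counter(e["msgid"] for e in events)
    servers = set()
    for e in events:
        if e["msgid"] == CERT_VERIFY_ERROR:
            m = re.search(r"server=([^,\s]+)", e["msg"])
            if m:
                servers.add(m.group(1))
    provisioned = any(
        e["msgid"] == PROVISION_RESPONSE and '"return_code":0' in e["msg"]
        for e in events
    )
    return {
        "cert_verify_errors": counts[CERT_VERIFY_ERROR],
        "servers_with_errors": sorted(servers),
        "provisioned": provisioned,
        # Errors with no successful provisioning is the case that needs a fix.
        "needs_attention": counts[CERT_VERIFY_ERROR] > 0 and not provisioned,
    }

# Constructed sample modelled on the thread's lines (severity of the LIC30543 line assumed).
SAMPLE_LOG = """
Major LIC30543 2020-05-08 10:11:12 - ive - [127.0.0.1] Root:: System()[] - License server low-level protocol error, server=pcls.pulseone.net, Code = [60] : SSL peer's certificate verification error
Info LIC31492 2020-05-08 10:11:13 - ive - [127.0.0.1] Root:: System()[] - License download server provision response - '{"return_code":0,"return_message":"OK","license_keys":["xxxxx xxxx xxxxx xxxxx xxxxx"]}'
Info LIC31491 2020-05-08 10:11:13 - ive - [127.0.0.1] Root:: System()[] - License download server provision request return code - '200'
""".strip().splitlines()
```

Running `assess_license_events(SAMPLE_LOG)` on the constructed sample reports one verification error against pcls.pulseone.net while provisioning still succeeded, so the result is flagged as not needing attention.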

Moderator

Re: Pulse licensing server and SSL decryption

@RSKadish It seems that the VPN server is trusting the PCLS connection and receives the license keys from the cloud server, so we should be good. Did the license get installed on the VPN server successfully (Configuration >> Licensing >> License summary)?

If yes, then you need to monitor and confirm whether the periodic heartbeats b/w the PCLS (Cloud) server and the VPN server are happening without any issues.

PCS Expert
Pulse Connect Secure Certified Expert
Occasional Contributor

Re: Pulse licensing server and SSL decryption

Hi Ray,

Thanks. So, my question was, how do I configure SSL decryption on a firewall not to break when communicating with the license server and these Amazon EC servers that you guys use. Do you have any information on that?

Best regards,

- Steve
