Hello, this is Keigo.
I have questions regarding Host Checker on Pulse Secure Desktop Client.
1. If the realm level check and role level check are valid on Host Checker, does HC check the endpoint three times? (①Primary Authentication ②Realm Check ③Role Check)
2. Are there 2 types of Host Checker on Pulse Secure Desktop Client?
(①Built-in Host Checker ②Host Checker in Pulse Secure Desktop Client)
3. If question No. 2 is correct, what is the difference between Built-in HC and HC in PSC?
Does anybody know?
@Keigo 1) realm level HC check happens before authentication and role level HC check happens after authentication. If both are enabled, compliance will be checked two times before you get connected.
2) Two types of HC components, one is agentless HC (standalone HC component which gets installed through browser session) and another one is agent-based HC (this is the HC plugin present inside the PDC).
PDC HC is a plugin (C:\Program Files (x86)\Common Files\Pulse Secure\TNC Client Plugin\HostCheckerService.dll) whose context was created by the Pulse Secure Service EXE; however, the agentless HC is a separate application (dshostchecker.exe).
Operationally, both are similar and get the job done.
Thanks for the reply, r@yElr3y.
1) When I connect to the VPN using the Web portal, is the following flow correct? (I am setting PW and ID authentication and a Host Checker which checks the registry key)
(When I use the VPN, I enter the URL in Internet Explorer)
①User accesses the sign-in page (enters URL in IE)
②User signs in using PW and ID
③Realm level check will happen on agentless HC
⑤Pulse Secure Client will start up
⑥role level check on agent-based HC
2) I am facing trouble on PSC.
When I connect to the VPN through the Web Portal, the following logs appear on MAG and I can't connect sometimes.
①Primary Authentication successful for ~~
②Host Checker policy "~~~" passed on host ~~~
③Login succeeded for ~~~ ~~~Realm
④Session resumed from user agent "Pulse-Secure/220.127.116.1143(windows)~~~
⑤VPN Tunneling: session started for user with IPv4 address ~~~
⑥User with IP ～～～ connected with SSL transport mode.
⑦Host Checker policy "~~~~" failed on host ~~~ address ~~ user ~~ reason "~~~~"
⑧Active user "~~" in realm "~~~" is deleted since user does not qualify reevaluated policies.
⑨VPN Tunneling: session ended for user with IPv4 address ~~~
⑩Closed connection to ~~ after 2 seconds, with 0 bytes read and 0 bytes written.
I am setting same policy on realm level and role level checks.
Why can't I pass the second Host Check, and what is the second check?
I am setting realm and role Host Check, and Dynamic policy evaluation isn't valid.
I look forward to hearing from you soon.
When you log in from IE and start the Pulse Client, the role level host check will happen after authentication, i.e. before you start the Pulse client, and it should connect with the help of the DSID cookie transferred from the web session.
Do you have Dynamic Policy Re-eval on the user realm or on the host checker rule (monitor this rule for change)?
What do you see in the Pulse client debuglogs for the registry check?
Thank you for the reply.
I don't have Dynamic Policy Re-eval on the user realm and role on the host checker rule.
I saw the log, but I couldn't find where the host checker is written about.
The debug log is a huge amount, so how can I find the log entries about host checker?
@Keigo Set the log level to detailed, replicate the setup, save the logs and then look for the "host check started" and "host check finished" keywords. The HC transaction would be between those events.
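An added example, not part of the thread and not Pulse Secure tooling: one way to cut a large saved debug log down to the spans between the "host check started" and "host check finished" keywords mentioned in the last reply. Only those two keywords come from the thread; the sample log lines, their format and the function names are constructed for illustration.

```python
import re
import sys
from typing import Iterable, Iterator

# Keywords taken from the thread; matched case-insensitively.
START = re.compile(r"host check started", re.IGNORECASE)
FINISH = re.compile(r"host check finished", re.IGNORECASE)

def hc_transactions(lines: Iterable[str]) -> Iterator[dict]:
    """Yield each run of lines from a start keyword to the next finish keyword."""
    current = None
    for number, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        if START.search(line):
            if current is not None:
                yield current  # previous check never logged a finish
            current = {"first_line": number, "lines": [line], "complete": False}
        elif current is not None:
            current["lines"].append(line)
            if FINISH.search(line):
                current["complete"] = True
                yield current
                current = None
    if current is not None:
        yield current  # log ended in the middle of a check

def summarize(log_text: str) -> list:
    """Return (first line number, line count, complete?) per transaction."""
    return [(t["first_line"], len(t["lines"]), t["complete"])
            for t in hc_transactions(log_text.splitlines())]

# Constructed sample lines; a real debug log will look different.
SAMPLE_LOG = """\
10:00:01 tunnel: connecting
10:00:02 hc: Host Check started
10:00:02 hc: evaluating registry rule
10:00:03 hc: host check finished
10:00:04 tunnel: session up
10:05:00 hc: host check started
10:05:01 hc: evaluating registry rule
10:05:02 hc: host check started
10:05:03 hc: host check finished
"""

if __name__ == "__main__":
    # Pass the saved debug log path as the first argument, or run on the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for t in hc_transactions(text.splitlines()):
        state = "complete" if t["complete"] else "NO FINISH LOGGED"
        print(f"--- host check at line {t['first_line']} ({state}) ---")
        print("\n".join(t["lines"]))
```

A transaction reported without a finish line is worth reading first, since it marks a check that was restarted or cut off.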