We have a customer that requires us to connect to their network through their web portal running "Pulse Connect Secure". Once I authenticate I'm able to connect to our devices on our network.
I'm used to "traditional" VPN clients where once I log in with a username/password I get an IP address, subnet mask, gateway, and a route added to my machine. This isn't happening when I log into their Pulse Connect Secure web portal, yet I'm still able to connect to our devices on their network with Microsoft RDP.
How does this wizardry work? I've been trying to find some high level technical details by searching on Google but I'm not finding much. Can anyone throw some knowledge my way? Maybe some terms I can search for that will explain how this magic works? The only thing I can think of is that the .exe application that loads on my machine redirects the traffic to their network, but how does that .exe intercept the network traffic of mstsc.exe? Is it a TCP wrapper of sorts?
There are a few different ways this may be happening. It could be using the Java applet or JSAM/WSAM to give you an application-level connection using your RDP client.
Pulse Connect Secure authorizes the resources that are accessed by users through an extranet session hosted by the appliance. Pulse Connect Secure intermediates the data that flows between external users and the company’s internal resources to provide robust security. During the process of intermediation, the PCS receives secure requests from the external, authenticated users and makes the request to the internal resources on behalf of the users. By intermediating, the need to deploy extranet toolkits in traditional demilitarized zones (DMZ) or provision a remote access VPN for employees is eliminated.
You can also find a diagram of this flow for your reference:
Nowadays there are two modes of accessing your internal resources over VPN:
1. Connecting to the VPN using a VPN client and getting access to your internal resources. In this case, you have full access to resources regardless of resource, port, or application. However, you can restrict that full control with the help of deny policies.
2. Alternatively, you can connect to the VPN through a web browser portal. In that case, you don't need to install any client software. You simply log in on the VPN web page, and there you get access links to your internal resources. This access is maintained by the VPN device with the help of HTML5 and Java toolkits. In this case, you can place access links for web, remote desktop, mail, FTP, etc. resources on your VPN web portal.
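The application-level (JSAM/WSAM) access and the intermediation described in the answers above can be modelled as a loopback forwarder that relays only to resources the authenticated session was authorized for. This is an added Python sketch, not Pulse's or any poster's code; the resource name `rdp.corp.example`, the `AUTHORIZED` table and the echo backend are constructed, and the second leg is plain TCP where the real product carries it inside its TLS session to the appliance.

```python
import contextlib
import socket
import threading
# Constructed stand-in for the appliance's resource policy; hypothetical names.
AUTHORIZED = {("rdp.corp.example", 3389)}

def relay(src, dst):
    """Copy src -> dst until EOF, then pass the EOF on to dst (half-close)."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def serve(on_accept):
    """Listen on an ephemeral loopback port; hand each accepted socket to on_accept."""
    lsn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsn.bind(("127.0.0.1", 0))
    lsn.listen(5)
    def loop():
        with contextlib.suppress(OSError):
            while True:
                on_accept(lsn.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return lsn.getsockname()[1]

def start_echo_backend():
    """Constructed stand-in for the internal host: echoes whatever it receives."""
    return serve(lambda c: threading.Thread(target=relay, args=(c, c), daemon=True).start())

def start_forwarder(host, port, backend):
    """Loopback listener the local app (mstsc.exe) is pointed at; relays to backend.
    The appliance would open the internal connection on the user's behalf."""
    if (host, port) not in AUTHORIZED:
        return None  # policy decision is made before any socket is opened
    def bridge(client):
        up = socket.create_connection(backend)
        threading.Thread(target=relay, args=(client, up), daemon=True).start()
        threading.Thread(target=relay, args=(up, client), daemon=True).start()
    return serve(bridge)

def round_trip(local_port, payload):
    """Act as the local application: send through the forwarder, read the echo back."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(payload)
        buf = b""
        while len(buf) < len(payload) and (chunk := c.recv(4096)):
            buf += chunk
    return buf
```

This is why no route or adapter appears: JSAM points the resource's hostname at a loopback address in the hosts file, so the RDP client connects to the agent's listener and the agent, not the OS, carries the traffic to the appliance.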