https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44503/   In Security Advisories 44503, Pulse Secure advised us all to upgrade previous Windows Client 9.1R5 and older (such as 5.3R7.1, 9.0R4, 9.1R3.1) to 9.1R7 to address client-side vulnerabilities.   My question:   Most of our appliances are running Pulse Connect Secure 8.3R7.1 (pending replacement with PCS 9.1R7 to be built).   Since PCS 8.3R7.1 use different/older PSAL, different/older Pulse Setup Client, different/older Pulse Installer Service, IF I upload the Pulse Desktop Client (PDC) 9.1R7 package "ps-pulse-9.1r7.0-b2525-package.pkg" to those PCS 8.3R7.1 appliances and set that PDC 9.1R7 to be the ACTIVE CLIENT PACKAGE, will it PROPERLY/CORRECT install / upgrade existing older versions of Pulse Desktop Client 5.3R7.1 and 9.0R4 and 9.1R3.1 on my endpoints properly when those older Pulse Desktop Clients connect to those appliances?   The reason is ask is because PCS 8.3R7.1 use different/older PSAL, different/older Pulse Setup Client, different/older Pulse Installer Service.   The Security Advisory said in Question 5, "Question 5: How do I deploy the patched Pulse Secure Desktop clients to my endpoints?     Answer: If you intend to deploy a patched Pulse Secure Desktop Client, upload the client bundle to your PCS or PPS gateway, configure it as the active version, and have your end users connect to the gateway. The Pulse Secure Desktop Client will auto-upgrade upon connection.", ---> but since PCS is 8.3 branch and PDC is 9.1 branch are different, I am uncertain whether that will work correctly.   Any advice would be greatly appreciated.  Thanks. ... View more

Pulse Connect Secure 9.0R4 virtual appliance Pulse Client 9.0R4 for Windows x64 SecureAuth MFA + AD LDAP   Back when our Pulse Connect Secure was running 8.3R7.1, whenever we connect to the appliance using Pulse Client 5.3R7.1 or Pulse Client 9.0R4, it would launch Internet Explorer for authentication to SecureAuth MFA, then afterwards run ActiveX to launch external Host Checker. It will pass the 1st Host Checker policy and will fail the 2nd Host Checker policy.  However, because Global HC is set to "Perform dynamic policy reevaluation" = DISABLED, and the Realm-Level HC is set to EVALUATE, and the Role-Level HC is set to ALLOW ALL USERS, it will successfully map to the Layer 3 VPN role and establish the L3 VPN connection just fine. That external Host Checker process "dsHostChecker.exe" will remain active for the duration of the L3 VPN session and called home every 10 minutes to check in.   Now that our Pulse Connect Secure appliance is upgraded to 9.0R4, whenever we connect to the appliance using Pulse Client 9.0R4, it would launch Pulse Client's built-in browser and apparently used "PulseSecureService.exe" Service for Host Checking. The logs on the appliance indicated that, just like before it passed the 1st Host Checker policy and will fail the 2nd Host Checker policy. However, because Global HC is set to "Perform dynamic policy reevaluation" = DISABLED, and the Realm-Level HC is set to EVALUATE, and the Role-Level HC is set to ALLOW ALL USERS, it will successfully map to the Layer 3 VPN role and establish the L3 VPN connection just like before.  ---> The problem is that AFTER 10 minutes (the defined interval for re-evaluation), the Pulse Client 9.0R4 for some reasons COULD NOT perform the periodic RE-EVALUATION at 10-minute interval, and it will immediately drop the L3 VPN connection.   This is causing major issue for us in migrating to 9.x (8.3Rx will reach end of support in October 2019) because we are required to have MFA in front and required to run Host Checker to determine who is allowed to have L3 VPN   Any thoughts as to why Pulse Client 9.0R4 with its built-in browser COULD NOT run Host Checker at periodic interval with our setup (MFA+LDAP)?  No matter what settings we have for Host Checker at Global Level, at Realm Level, or at Role Level, Host Checking just wouldn't run after 10 minutes, then the connection just dropped. ... View more

Is something wrong with the "download.pulsesecure.net"?   All our appliances have not been able to download the "epupdate_hist.xml" since last night   https://download.pulsesecure.net/software/av/uac/epupdate_hist.xml   When manually going to the above link and entered the download credentials, "download.pulsesecure.net" threw a "401" error. ... View more

Pulse Connect Secure 8.3R3, 8.3R6, etc.   Many of our users run the McAfee consumer endpoint protection product on their called "McAfee Total Protection" version 16.x various releases (R13, R15, etc.)   We were using ESAP 3.2.8 SDK v4.  Many of our users complained that Host Checker could not detect their McAfee Total Protection 16.x product (with the latest updates dated 10/11/2018) and Host Checker kept throwing error about their Windows 10 Windows Defender real-time protection isn't enabled. Error message is "Windows Defender 4.13.xxxxx.x" does not comply with policy. Compliance requires real time protection enable." (naturally it's disabled because McAfee is installed).  As a result, they're unable to establish  VPN connection.   Pulse Secure stated in the Release Notes for ESAP 3.3.1 that 3.3.1 supports McAfee Total Protection 16.x:   https://www.pulsesecure.net/download/techpubs/current/1404/pulse-connect-secure/esap/3.3.x/ps-esap-3.3.1-releasenotes.pdf   ---> Even after we uploaded and activated ESAP 3.3.1 and the Host Checker on the users' home machines were upgraded, Host Checker with ESAP 3.3.1 OPSWAT SDK v4 still couldn't detect McAfee Total Protection 16.x at all.   Anyone else encountering the issue?  This is most frustrating, as it resembled similar issue with Norton Security Suite 22.12.0.104 back in mid-March 2018. ... View more

Pulse Connect Secure 8.3R3 ESAP 3.2.8 SDKv4 Endpoints running Windows 10 Enterprise x64 version 1709 with all security updates up to July 2018   When using McAfee ENS 10.5.3, Host Checker (ESAP 3.2.8 SDKv4) detected everything correctly.   When using McAfee 10.6.0.542, Host Checker (ESAP 3.2.8 SDKv4) continued throwing error that "Compliance requires latest virus definitions", even though the endpoints had the latest virus defs.   According to Pulse Secure documentation here:   According to Pulse documentation,  ESAP 3.2.8 SDKv4 supports McAfee Endpoint Security 10.x, but apparently it does NOT work with McAfee ENS 10.6.x     Has anybody else run into this issue?     ... View more

Pulse Connect Secure 8.3R3 ESAP 3.2.5 ---> ESAP 3.2.6, OPSWAT SDK v4   McAfee Endpoint Security 10.5.3 real time protection on Windows  was detected correctly with ESAP 3.2.5   After upgrading ESAP to 3.2.6, Host Checker fails to detect real time protection for McAfee Endpoint Security 10.5.3 on Windows (never tried Mac)   In User Access Log, kept throwing error "reason 'Rule-AV:McAfee Endpoint Security 10.5.3 does not comply with policy. Compliance requires real time protection enabled."   After rolling back to 3.2.5, detection of  real time protection for McAfee Endpoint Security 10.5.3 on Windows  worked correctly again.   Does anybody here experience the same issue?   We're aware of a similar issue in the recent past (as described in KB43668) when Host Checker also failed to detect real time protection on Windows for Symantec Endpoint Protection 14.0.3x ... View more