About r@yElr3y

r@yElr3y

It's a server-side upgrade. Upgrading the PCS to 9.1R11.x will push the fixed version of client binaries out to the user machines automatically when they connect to VPN post upgrade.

r@yElr3y

@koa @mojo Can you please open a support with us and provide the Pulse Client debug logs for review.

r@yElr3y

@giamp It's a server side configuration. Please navigate to Users >> User roles >> role name >> General >> Session Options >> Max. session length.

r@yElr3y

@hashmat Yes, that's correct. As mentioned before, I haven't used SSH tunnel through Putty (need to read about that), but the configuration that you did is correct. I can confirm that. So, what type of resource are you trying to access through the laptop's proxy connection? Is it SSH or Web resource?

r@yElr3y

@bartley Correct! You're seeing the same behavior. Though split tunnel is enabled, which adds the most matching route on the client machine'r route table, MS TEAMS continues to use all active interface for communication. This is under investigation by MS, as informed by MS support.

r@yElr3y · ‎03-16-2021

@gilipeled Can you please open a support ticket with us for further debugging this issue as this might need to be investigated by our engineering team? ESAP 3.7.6 (latest) supported list shows the below Sophos products: Reference - https://www-prev.pulsesecure.net/download/techpubs/current/2286/pulse-connect-secure/esap/3.7.x/ps-esap-3.7.6-supportedproducts-v4sdk.pdf (Page# 51)

r@yElr3y · ‎03-16-2021

@bartley Thank you for sharing the details. I have used the same list in my lab and did not face any issues with my Teams application (replication is only with Teams app, did not test other office apps). However, intermittenly noticed packets sent to destination 52.11X.XX.XX (part of 52.112.0.0/14) through both virtual and physical interface at the same time i.e. somehow MS TEAMS is not honoring the route table and sends the traffic using all active interfaces. Are you seeing the same behavior in your environment?

r@yElr3y · ‎03-16-2021

@eloiseau Unfortunately, we cannot modify or control the saved credentials through the registry settings as that would pose serious security risk. Saved creds would be encrypted using the cryptoAPI libraries.

r@yElr3y · ‎03-16-2021

@bartley Removing FQDN split tunnel policies and making the tunnel mode as FULL works without any issues? As per Microsoft, Split tunnel deny would make the high-sensitive traffic to go out using the physical interface and rest of the non-sensitive traffic continue to use the VPN tunnel and that should not cause any delays with the O365 applications. what version of pulse client being used? is it 9.1R8.2 or above?

r@yElr3y · ‎03-16-2021

@wot Is it a full or split tunnel? What happens if you do a traceroute for the fileshare ip address? Do you see the first hop as 10.200.200.200? Are any other users facing the same issue or is it only you? Command - tracert -d <IP address>

r@yElr3y · ‎03-16-2021

@DoctorKisow Unfortunately, there's no other way that I can think of which would be make the Pulse Client to differentiate the certificates and pick only one without prompting. Since, both certs would be having private key, EKU set as client auth, their rank would be equal, and thus pulse client prompts the user to select them... which would not work for the machine tunnel. Either use the wireless certificate for VPN authentication, or have a new CA to push certificates only for VPN.

r@yElr3y · ‎03-16-2021

@afahre Debuglogs will be present under C:\ProgramData\Pulse Secure\Logging directory. ProgramData is hidden folder, hence enable show hidden folders or directy type the path in the explorer address bar.

r@yElr3y · ‎03-14-2021

@hashmat It shoud work unless your administrator did block local network access when connected to VPN using route precedence or using ACL to block P2P communication (server side options). I have not used Putty SSH tunnel before, but have used similar kinda thing using HTTPS proxy i.e. proxying web requests through my host which is connected to VPN thereby making that host to act as HTTPS proxy. Are you saying that you're able to the traffic sent by the laptop2 (network device) on laptop1 (VPN connected host) over it's virtual interface, but not connecting to the forwarded destination i.e. no traffic intiated by laptop1 to the dest. server?

r@yElr3y · ‎03-14-2021

@nicolai This is something that need to be checked with your accounts team (sales team). Please get in touch with them.

r@yElr3y · ‎03-14-2021

@Mweary Credential provider will enable the Pulse Client to connect to VPN before the Windows loads (pre-login session.) https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/Credential%20Provider%20Authentication.htm https://docs.pulsesecure.net/WebHelp/PDC/9.0R1/Content/PDC_AdminGuide_9.0R1/Configuring_a_Pulse_Credential.htm

r@yElr3y · ‎03-14-2021

Duplicate post of https://community.pulsesecure.net/t5/Pulse-Policy-Secure/preconfig-setting/m-p/45091

r@yElr3y · ‎03-14-2021

@eloiseau What you're seeing is expected. Allow-save - false will be delete both. and sso-cached-credential - true will pass the creds used to login to the windows profile.

r@yElr3y · ‎03-14-2021

@antonio79 Please open a support ticket with us as this might be investigated with the help of OPSWAT team.

r@yElr3y · ‎03-14-2021

@antonio79 Please open a support ticket with us as this might be investigated along with OPSWAT team.

r@yElr3y · ‎03-14-2021

@DoctorKisow Are you having two identity certificates issued by the same CA or one by root CA and other one by the Intermediate CA? If you have a root CA and Inter.CA, then try disabling the " Trusted for Client Authentication" option under the trusted client CA. If there's only one CA that signed both certs, then you can use EKU OID filtering option to do the trick, however, caveats are: # Custom EKUOID has to present on the desired certificate (cert template should be modified for this) # Pulse Desktop Client 9.1R5 and higher will not work for machine certificate, only user certs will be filtered using EKUOID value (identified as not-supported scenario, hence considered as enhancement). So, only 9.1R4 & below versions of PDC has to be used for this approach to work. Config reference - https://docs.pulsesecure.net/WebHelp/PDC/9.1R3/Content/PDC_AdminGuide_9.1R3/Configuring_Client_Certificate_Selection_Option.htm

r@yElr3y · ‎03-14-2021

@CommSysRST It is important to note that Pulse Secure will allow access to the resources configured under Activesync policy (optionally, we can enforce certificate authentication) and expects the backend OWA/Exchange server to authenticate the users who are accessing the resources (just like any other reverse proxy solutions or Load balancers). If you don't find any trace present in the Exc. servers as described by MS, then you should be safe. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

r@yElr3y · ‎03-14-2021

@ItsMe I don't think it is supported. CredProv type connection will attempt to do SSO with the provided windows credentials and I don't think it can be done over a embedded browser session (browser framework) as there will be web content that need to be rendered (provided by SAML IDP).

r@yElr3y · ‎03-14-2021

@sh4yd9w What version of Pulse Client being used? I believe, this has been addressed in the latest version of Pulse Client i.e. hosts file will not be modified. @zanyterp Please confirm and share your thoughts.

r@yElr3y · ‎03-14-2021

@Stijn Please open a support ticket with us and provide the complete MSI logs for review.

r@yElr3y · ‎03-14-2021

@ludogomez Please open a support ticket with us as this would require more investigation than we do in the forums.

r@yElr3y · ‎03-14-2021

@Saran Vasudevan It is expected to 32bit for Pulse Secure Service and Pulse Tray process, however the contents i.e. DLLs are both 64-bit and 32-bit. hence, it is perfectly fine.

r@yElr3y · ‎03-14-2021

john.stuart@hii-tsd.com It is not available at this time as informed by @zanyterp . You have to create separate program based rules.

r@yElr3y · ‎03-14-2021

@johndoe1105 Can you check the DNS servers assigned to your physical interface (WIFI)? Are you using Win10 or macOS?

r@yElr3y · ‎03-14-2021

@yutsi Create a VPN ACL under Resource policies >> VPN tunneling >> Access control and deny access to the user subnet.

r@yElr3y · ‎03-14-2021

@meduser Please open a support ticket with us along with the information requested by @zanyterp + PSAL logs which would be present under ~/Library/Logs/PulseApplicationLauncher.log

Re: Terminal Service does not work for Home Office

Re: Failed to connect to the Pulse Secure service ...

Re: Pulse VPN client disconnects every hour?

Re: Windows 10 Putty local forwarding over vpn doe...

Re: Packet loss over tunnel with splittunnel enabl...

Re: SOPHOS Intercept X advance with EDR - Host Che...

Re: Packet loss over tunnel with splittunnel enabl...

Re: preconfig setting

Re: Packet loss over tunnel with splittunnel enabl...

Re: Pulse loses its connection in explorer

Re: Machine Authentication, Multiple Installed Cer...

Re: Pulse Desktop Client Stuck on "Connecting" sta...

Re: Windows 10 Putty local forwarding over vpn doe...

Re: Apple Macs with M1 chips, Pulse Secure VPN and...

Re: Is it possible to connect to VPN at W10 Login ...

Re: preconfig setting and username/password

Re: preconfig setting

Re: pulse secure vpn with av sophos agent installe...

Re: Pulse secure vpn with av sophos agent installe...

Re: Machine Authentication, Multiple Installed Cer...

Re: Pulse Secure ActiveSync and Hafnium

Re: Azure AD SAML and Pre-desktop login

Re: Pulse Secure hosts File

Re: Upgrade Pulse Secure 9.1.11 fails

Re: Client disconnect frequently

Re: Why Pulse application 64bit running as 32bit ?

Re: Pulse Desktop Client Lockdown Exception Rules

Re: Network Connectivity Issues After Using Pulse ...

Re: prevent traffic between connected win 10 vpn c...

Re: Pulse secure application launcher failed to la...