About Ray

Ray

Hi @AndrewD , Pulse Connect Secure (PCS) is name of the product which offers the VPN solutions, mostly points to the firmware utilized by the VPN server. ESAP aka Endpoint Security Assessment Plug-in database which has the SDK and security products information to support the endpoint security assessment using the component called Host Checker. Thanks, Ray.

Ray

Please replicate the issue and send me the pulse client logs for review. 1. Open Pulse Client. 2. File >> Logs >> Annotate >> "any text" 3. File >> Logs >> Log level >> Detailed. 4. Replicate the issue i.e leave the pulse client to stay at connecting status. 5. File >> Logs >> Save as.

Ray

Are you invoking any application called Pulse Client or Windows Secure Application Manger (WSAM) before using the mstsc.exe client? If yes, then you're using the SAM proxy to tunnel all the application data initiated by the mstsc.exe (defined on the VPN server) and sent them to the VPN server for forwarding. TDI driver will be used to do the wrapping part.

Ray

Hello @A.D , Can you please PM me the screenshot of the certificate which you have uploaded to the keychain access? Thanks, Ray.

Ray

Hi @A.D , Please follow the below steps to add user certificate on the Mac machine: Get the user certificate (with private key i.e. p12/pfx file) Navigate to Finder > Applications > Utilities > Keychain Access Select ‘System’ in the left-hand column. Open ‘File > Import Items’ and import the ‘user certificate (with private key)’ files into the ‘System’ keychain. The certificate should now show with a red X. That means it is untrusted. To provide trust, double-click the certificate. Under "Trust", change the setting at the top (When using this certificate) to "Always Trust".

Ray

Hi Mike, From my experience, YES. I have both openVPN and Pulse client installed on my laptop; both are working without any issues/conflict. Hence, their coexistence will work out. But to be honest, I've seen only ONE customer had issues while connecting to pulse client when openVPN client was installed (pulse virtual adapter didn't get initialised). Thanks, Ray.

Ray

Can you please reproduce the issue and send me the pulse client logs for review? Pulse client -- Support -- Send logs.

Ray

Can you please redownload the DMG package from pulse secure support portal and try to install the client again?

Ray

I guess you're clicking on a terminal services bookmark, is that correct? If yes, then you're leveraging pulse secure terminal services client (modified version of mstsc) which sends RDP calls embedded inside SSL payload.

Ray

Thank you for providing the screenshot link. For the reason string, it seems that the host checker is not able to detect the Antivirus installed, which is why we're seeing Windows Defender does not comply with policy (other AntiVirus will disable the defender). In simple words, host checker sees only the windows defender with it's disabled state and VPN server denies the connection since it doesn't pass the compliance. Are you seeing the same reason string for the windows 7 antivirus rule? I guess...it should be the same.

Ray

Please upload the images to any of the image hosting site and share the link to view.

Ray

SAM proxy uses TDI (Transport Driver Interface) to intercept and wrap the TCP/UDP traffic initiated by the configured application and sends it to the VPN server for forwarding, and the VPN server will source the traffic from it's internal port. Hope this helps.

Ray

Hmm... ok. What type of rules were applied for windows 7 and Windows 8 machines? Can you send me the screenshot of the error message displayed to the users?

Ray

So, you're noticing that the users are not seeing any error message related to the failed HC policies (evaluated on realm i.e. applied at role level)???

Ray

Thank you for attaching the screenshot links. Network connect is not supported for Mac Mojave. Does the Pulse client based connection gives any error message at last or just stuck in connecting state?

Ray

What is the Pulse client version? Are the users access the resources using L3 tunnel or SAM access? Does the problematic users are able to access the resources when connecting using the working user machines?

Ray

On the VPN tunneling connection profile, please set the DNS search order to any of first two options (Client first, then device or Device first, then client) and check the behaviour. Overwriting the client side DNS with the tunnel DNS servers will happen if the DNS search is set to "Device DNS only" or using FQDN based split tunneling policies.

Ray

Can you please send a screenshot of the page where the process gets stuck?

Ray

Are the clients not receiving any IP address from the configured DHCP server? What DHCP options are you looking for?

Ray

Thank you for the clarification. I don't think there is any configuration on the server side which can be tweaked to send 302 redirect to the new URL when accessing the old URL, @zanyterp: any suggestions? Can't we simply change the newly authentication realm to be used by the old URL under the signing policies on the VPN server and configure the SAML IDP to post the SAML response to the / relay-state instead of /realm2?

Ray

I believe, starting from pulse client 5.3R4 version this behaviour has been introduced. Please use 5.3R3 or below to overcome this behaviour.

Ray

Please start policy tracing and TCP dump on the VPN server and review to find out the cause. Policy Tracing: Maintenance -- Troubleshooting -- User sessions --- Policy Trace; Enable preauthentication, authentication, role-mapping -- Start recording. TCP Dump: Take a dump if LDAP (cleartext) is used for authentication. Maintenance -- Troubleshooting -- Tools -- TCP Dump; Enter the filter as "host<space>LDAP server IP address" (without quotes).

Ray

Can you confirm the VPN transport mode? ESP or SSL? Right click on the connection -- Advanced connection details. Please reproduce and attach the debug logs for review. (File -- logs -- save as).

Ray

What is version of MacOS and Pulse secure client ? Are you able to login from Browser?

Ray

So you would like the users to be redirected to Identity provider page when accessing */realm2 sign-in URL of the VPN??

Ray

Thank you for responding back @CDriVe. Yes, please provide the non-working and working MSI logs along with Pulse client debug logs in detailed level (after remote installation, please set the log level to detailed - Logs >> Log level >> Detailed and replicate the connect requested issue, save the logs by Logs >> Save as.) for review.

Ray

Right, Intermediate certificates has to be added on the VPN server to make the certificate chain complete and dynamic trust (accepting the untrusted certs) is not available in Linux client. Please PM me the VPN server URL for reviewing the certificate chain.

Ray

By looking at the network icon it seems that you're using Windows 10 - 1903. Did you recently upgrade your Windows OS and started noticing this behaviour or was it working with the same version of Windows before? Are you able to access the resources even though the network says "No Internet Access"? I believe that should be the case.

Ray

Oh 😦 That's unfortunate. Hope they will get you a replacement.

Ray

Incompatibility between Intel WiFi 9560 and Pulse Client has been reported and being investigated. However, disabling the WiFi adapter is new, as we have seen issue related to resource access when 9560 adapter and Pulse client was used.

Re: New to Pulse Secure

Re: Cannot connect to my University machine

Re: Pulse Connect Secure - How Does This Work?

Re: Unable to launch PulseSecure on MacOS

Re: Unable to launch PulseSecure on MacOS

Re: Pulse Secure Client - does it work with openVP...

Re: Pulse Secure on One Plus 6 (Android)

Re: Pulse Secure Client 9.1r2.0-b901-installer OS ...

Re: Pulse Connect Secure - How Does This Work?

Re: Unsatisfactory page

Re: Unsatisfactory page

Re: Anyone know how secure application manager wor...

Re: Unsatisfactory page

Re: Unsatisfactory page

Re: Cannot connect to my University machine

Re: Pulse Secure Issues

Re: Not overwrite DNS in client (pulse client)

Re: Cannot connect to my University machine

Re: Anyone know about DHCP Options rule ? please t...

Re: Redirecting sign-in URL for SAML MFA

Re: Pulse Issue with Remote Desktop

Re: Login failed using auth server ADviaLDAP (LDAP...

Re: Vpn reconnect every 5 minutes while I'm using ...

Re: Cannot connect to my University machine

Re: Redirecting sign-in URL for SAML MFA

Re: Remote Installations Not Installing Setup Clie...

Re: Unacceptable TLS certificate - Centos 7

Re: Pulse Secure 9.1.1 kills my connection (Window...

Re: Pulse Secure Terminal Services Client Error

Re: deactivate and activate WiFi intel AC 9560