@Burakhan It is not recommended to have 0 or mismatch license count on the cluster nodes. Please consider installing the same amount of licenses on both cluster members to avoid unexpected outages.   Having 0 on the passive node, will return 0 licenses in case of your active device failure.   Please refer to https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40093/?kA1j0000000Jri9 This KB article would explain the importance of having equal license count. ... View more

@mourad80 It should work as long as you have split tunnel configuration on both tunnels i.e., only the required traffic will passthrough the VPN. Making one tunnel traffic to go inside another would cause performance issues.   Which one you'd be connecting first? What is the purpose of WRT tunnel? ... View more

@gaugot It's a known issue, being investigated by our Dev team. Using M1 compatible JDK will only make the HOB applet to work but not JSAM :( ... View more

@amigo_z Yes, we can keep the same Pulse Client connections URL as long as the IP address resolve to the AWS instance. Regarding the internal access, yes, we would need to have site-to-site VPN tunnel from AWS to on-prem edge device. ... View more

[email protected] Do you see any errors when connected to pulse vpn? Please file a support ticket with us. ... View more

@Housy What's the BD TS version? Please confirm if you can see the version listed under - https://help.ivanti.com/ps/help/en_US/ESAP/3.9.X/ps-esap-3.9.2-supportedproducts-v4sdk.pdf ... View more

@ajschot After disconnecting the Pulse Secure VPN, are we able to see any traffic sent to the IKEv2 leaving from the machine? If the IKEv2 is not working after Pulse disconnection, then I'd like to see if the Ikev2 is able to stay connected? Is it stable but not sending any traffic through ike tunnel?   Is the DNS resolutions fail after pulse disconnected? ... View more

@ajschot Access to the internal server is working before connecting to Pulse , but stops after connecting to Pulse. In order for it work again, you have to reboot the machine. IKEv2 is the base VPN connection and on-top which you're connecting to Pulse and the resources which you can access after connecting to IKEv2 is intact. Is my understanding correct?   Do you know what type of tunnel being pushed by pulse secure? full tunnel or split tunnel? I think it'd be mostly split tunnel.   Do you see any changes in the route table after connecting to Pulse w.r.t internal server ip/subnet that you're not able to access? ... View more

@NetworkBod Yes, please. Support team would help to debug this further. Ideally, it would be a rewrite filter. :) Thank you! ... View more

@ipvpn I believe what you're referring is expected to happen in cloud as the underlying network infra. doesn't support proxy ARP which means even if you assign VPN client IPs from the same subnet as your VPN's internal port, traffic will not routed back to those client as they're not launched as a instance i.e., not sourced by any real instance.   So, which is exactly why you can reach your VMs from PCS internal port and vice versa as they're the real instances created. Hence, to make this setup work, you have to enable the source NAT feature on the PCS (System >> Network >> VPN tunneling >> Source NAT), which enables the VPN server to NAT all outgoing traffic with its own internal port IP address and you'll receive a response back. :)   It's ok to use source NAT option for a while especially when you have less - moderate users. However, it is recommended to have a NAT gateway deployed in subnet1 which would take care of the source NAT part thereby improving the performance. Having this approach would also require us to disable source IP check for the cloud instance (not sure if Azure has any such thing, but AWS does), so that VPN server can send traffic from different source IP addresses without getting dropped by the VPC. ... View more

@tomas013 Yes, please. Thank you! ... View more

@NetworkBod  Hmm.. Interesting.. I just tested the setup in my lab device which is running 9.1R13 by accessing outlook.office.com which redirects me to login.microsoftonline.com and it works as expected (no blank page). So the blank page issue is not there in 9.1R13 code.   Do you have any rewrite filters applied? (Users >> Resource policies >> Web >> Rewriting filters).   If you don't have any, then please open a support ticket with us. Our support team should be able to provide you a rewrite filter that would resolve the issue.   ... View more

@voltmaster Thanks for the details. Is it a full tunnel or split tunnel? If it's a split tunnel, are you able to access Internet resources and just the access to Intranet fails? Since, you have mentioned that you are able to connect to INTERNET successfully through MSFT server, I suspect NO issues with Internet access, hence NAT part is working fine. Now, I'd like to know what access is failing through the VPN tunnel..so asked the above question.   What's the VPN tunnel IP address subnet?       a) Is it the same as your local subnet (workstation <-> MSFT server) or different?   What's the first hop gets printed when you traceroute to any of the INTRANET traffic?       a) Do you see the VPN tunnel (10.200.200.200) as first hop or your MSFT server IP (default gateway)?       b) Please share the route table output (route print) after connecting to VPN through MSFT connection.     ... View more

@MatthiasG Yeah. bridging with virtual interface will not help to get another IP address for the VM, as there's no DHCP thing to get you another IP from VPN. Hence, VM doesn't get IP address from the internal network like your host does.   As far I see, NAT'ing is the only way of making your VM to communicate with domain network over VPN tunnel through your host machine, otherwise you have to connect to VPN from the VM itself which I think you don't want to. ... View more

@NetworkBod Do you see the blank page when loading login.microsoftonline.com?   If yes, that's a known issue with "integrity" method (browser dev tools > console > errors related to sha integrity will be recorded) of the Azure page which I believe resolved in the latest releases.   What is the firmware version of the VPN? IIRC, it should happen only in chrome based browsers like Edge, Chrome, etc. Can you please try using IE and see if the page loads? ... View more

@theisenb Do you see the Pulse Secure Setup Client component present under uninstall programs list? If yes, then what's the version of the component? ... View more

@voltmaster Thanks for the details. So if I picturize correctly, your server has two NICs.. one connects to internal network through a switch and other connects to DSL modem which is your internet uplink. Is that correct?   Now, when you said " If I connect to my DSL moden it works." does that mean you have connected your laptop/PC to the switch/VLAN that sits in-between MSFT server and DSL modem, so that your PC gets direct Internet access without going through MSFT Server? The PC where you're seeing these issues, is it domain joined? When the setup works, do you see the connection type as "Domain network + company's domain name on it" under network connections as opposed to "Unidentified network + public network"? ... View more

@JohnHenrysHammer I think the version is reversed :) Is it 9.1R13 and users are facing disconnects when using WiFi? Is it happening over LAN connection as well?   Is there any user using the same WiFi model and not affected by this disconnection issue? How frequent are these disconnects?   Do we see any network change happening during the time of disconnect, like WiFi gets reset automatically and reconnect?   In the pulse client debug logs, do you see any event with the line is no longer present after issue occured? ... View more

@ledafaze It should be available in their sites if they have one. For example, DigiCert has a page which has all of their Root & Inter CA available for download. https://www.digicert.com/kb/digicert-root-certificates.htm ... View more

@cwoelkers New realm doesn't have host checker and you still the message in openconnect? Do we have mutiple realms (one with & without HC) mapped to the same sign-in URL? ... View more

@veronicamb So that means your VPN connection is dropping and silently reconnecting every 2 - 3 minutes? Please check the advanced connection details (right click on the connection) and check if it resets to 0 for every 2 - 3 minutes. ... View more

@NetworkBod I believe we cannot do SSO for Office365 using form post method, as O365 has dynamic form contents which VPN cannot create on-the-fly. I remember using a trick which is configure SAML SSO policy in the VPN server, and enable persistent cookie under user role. So that would do is when the user logs into Outlook for the very first time, they'd be redirected to Azure for auth. and since everything happens within the VPN's rewrite scope, persistent cookie will enable the VPN server to remember those Azure auth cookies and save it as part of the user record. Hence, from the second time onwards, users will not be prompted for authentication as the VPN server will re-use the session cookie while connecting to Azure like the browsers do. :)   Since you asked for possible methods, there's another one but it cannot be done with O365 + Azure suite, which is SAML Chaining i.e., you can the VPN server to act as IdP for the resource i.e. Outlook, however, we would be POSTing the data to Azure (which is another IdP - Azure, in this instance, acting as SP for the VPN and the real IdP for the Outlook) and then proxy/rewrite the SAML response sent by VPN to Outlook by giving a feel that it actually came from Azure itself (so that Outlook can trust the response) and permit access based on the rules we setup. I remember this cannot be done with O365 as Azure will not support the SAML chaining feature, however, feel to check with MSFT. ... View more

@MatthiasG If Hyper-V can create a NAT interface based of Pulse client virtual adapter, then it should be possible to make the connection from the Hyper-V guests through that NAT connection or you can bind the virtual adapter to a dummy interface like MSFT loopback interface and then share the internet through inbuilt Internet Connection Sharing service. ... View more

[email protected] @camusjazz @ayesha  Can you confirm if the behavior is seen using wired/LAN connection as well? If it's only occuring when using Wi-Fi connection and you're driver model has 160Mhz, then please try upgrading the Pulse Client to the latest version (9.1R10 or higher) or try the manual workaround suggested in this article - https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB43833/?kA1f1000000fz7V ... View more

@VJames @tomas013 Suggested steps should work for HOB applet access, however, it may fail for JSAM access. Can you please file a support ticket with us for further investigation? ... View more

@ChristodeBeer Are you observing BSOD when using L3 connection or it occurs when you connect to PSAM?. If I recall correctly, there's a BSOD issue in SAM driver which is being investigated.   Can you confirm if you see BSOD when using L3 connection only? ... View more

Any issues with PDC will be identified and rectified during the official qualification process done by our QA team. However, I'd recommend filing a support ticket, so that support and dev team would be notified about these issues. ... View more