Pulse Secure vADC solutions are supported on Google Cloud Platform, with hourly billing options for applications that need to scale on-demand to match varying workloads. A range of Pulse Secure Virtual Traffic Manager (Pulse vTM) editions are available, including options for the Pulse vTM Developer Edition and Pulse Secure Virtual Web Application Firewall (Pulse vWAF), available as both a virtual machine and as a software installation on a Linux virtual machine.
This article describes how to quickly create a new Pulse vTM instance through the Google Cloud Launcher. For additional information about the use and configuration of your Pulse vTM instance, see the product documentation available at www.pulsesecure.net/vadc-docs.
Launching a Pulse vTM Virtual Machine Instance
To launch a new instance of the Pulse vTM virtual machine, use the GCE Cloud Launcher Web site. Type the following URL into your Web browser:
https://cloud.google.com/launcher
Browse or use the search tool to locate the Pulse Secure package applicable to your requirements, then click the package icon to see the package detail screen.
To deploy a new Pulse vTM instance
1. To start the process of deploying a new instance, click Launch on Compute Engine.
2. Type an identifying name for the instance, select the image version, then select the desired geographic zone and machine type. Individual zones might have differing computing resources available and specific access restrictions. Contact your support provider for further details.
3. Ensure the boot disk corresponds to your computing resource requirements. Pulse Secure recommends not changing the default disk size as this might affect the performance of your Pulse vTM.
4. By default, GCE creates firewall rules to allow HTTP and HTTPS traffic, and to allow access to the Web-based Pulse vTM Admin UI on TCP port 9090. To instead restrict access to these services, untick the corresponding firewall checkboxes.
Note: If you disable access to TCP port 9090, you cannot access the Pulse vTM Admin UI to configure the instance.
5. If you want to use IP Forwarding with this instance, click More and set IP forwarding to "On".
6. Pulse vTM needs access to the Google Cloud Compute API, as indicated in the API Access section. Keep this option enabled to ensure your instance can function correctly.
7. Click Deploy to launch the Pulse vTM instance.
The Google Developer Console confirms that your Pulse vTM instance is being deployed.
Next Steps
After your new instance has been created, you can proceed to configure your Pulse vTM software through its Admin UI. To access the Admin UI for a successfully deployed instance, click Log into the admin panel.
When you connect to the Admin UI for the first time, Pulse vTM presents the Initial Configuration wizard. This wizard captures the networking, date/time, and basic system settings needed by your Pulse vTM software to operate normally.
For full details of the configuration process, and for instructions on performing various other administrative tasks, see the Cloud Services Installation and Getting Started Guide.
This article discusses how to prepare a bootable USB flash drive for use with the Brocade vTM appliance image.
To read more about the process of setting up the appliance image on your prepared USB flash drive, see the Brocade Virtual Traffic Manager: Appliance Image Installation and Getting Started Guide.
Erasing a USB flash drive
Brocade recommends first using the usb-creator-gtk tool to perform a full erase/format of the USB drive you want to use. This tool is available on most standard Linux-based workstations and includes a graphical user interface.
To erase a USB flash drive with usb-creator-gtk
Insert a USB drive into your workstation.
Select your USB drive in the "Disk to use" list.
Click Erase Disk.
Alternatively, use any tool or command-line program that is able to fully erase your USB drive.
After you have completed this process, follow the instructions to set up the Brocade vTM appliance image in the Brocade Virtual Traffic Manager: Appliance Image Installation and Getting Started Guide.
Note: To deploy the Brocade vTM appliance image on a USB flash drive, your selected flash drive must be bootable. Check with your USB flash drive vendor to verify its suitability if it appears not to be detected when attempting to boot from it after following the procedure above.
In a large distributed cluster that spans a public network, you may wish to apply fine-grained control over which traffic managers can be used to make configuration updates, and which traffic managers are restricted to operate in a 'read-only' mode with respect to configuration:
The administrator can control which devices can update the configuration in the cluster. stingray-1 is grayed out because the administrator is currently using the admin interface on that traffic manager.
A restricted traffic manager can still receive configuration updates, and will still broadcast state/statistical data, but effectively becomes unable to replicate configuration updates out to other cluster members.
How do I administer a restricted traffic manager?
Restricted traffic managers receive configuration updates and management commands from your other traffic managers, so no regular administration is necessary. For security purposes, the Administration UI and Control API on restricted traffic managers are disabled.
However, there may be times when you need to modify the machine-specific settings (e.g. Networking, Time/Date, SNMP, or EC2-specific settings) that are only accessible through the UI of the traffic manager concerned. You can temporarily enable that traffic manager's control!canupdate setting in order to access its Administration UI. This can only be achieved through one of your unrestricted traffic managers, on the System > Security administration page.
How to avoid your entire cluster becoming uncontactable
Should you run into a situation where your unrestricted cluster members become uncontactable for some reason, you may not be able to administer your cluster. You cannot add new traffic managers in order to regain control of the cluster.
In order to mitigate this risk, it is strongly advised that you maintain at least one redundant unrestricted traffic manager in your cluster at all times.
It's too late for that - what can I do?
Option 1: Manually promote a traffic manager
You can re-enable control over your restricted cluster members by making one of them temporarily unrestricted. This will give you access to the Admin UI of that traffic manager, or alternatively allow a new master traffic manager to be deployed and joined to the cluster.
Due to the secure nature of inter-cluster communications, your other cluster members will not immediately recognise this config change as authentic. Instead, you will need to update each cluster member's stored config individually with details of the first traffic manager's change of status.
The following method describes this procedure. It assumes you have SSH access to each of the traffic managers in your cluster:
1. Nominate one of the restricted traffic manager machines as a temporary master. SSH to it as a suitable super-user;
2. Edit the ZEUSHOME/zxtm/global.cfg file, and remove the control!canupdate config line;
3. On each of your other working cluster members, SSH to them and locate the ZEUSHOME/zxtm/conf/zxtms file for the traffic manager you plan to promote;
4. Edit this file and remove the control!canupdate config line;
Your temporary master traffic manager should now be accessible through its Admin UI and it should be able to make configuration changes. You should remove any failed traffic managers from your cluster.
If you then want to add a new cluster member and give it update permissions:
1. On the System > Security page of the temporary master Admin UI, ensure control!canupdate!default is set to Yes. This will mean that new cluster members are added with unrestricted status by default;
2. Set up the new traffic manager instance as normal;
3. Join this new traffic manager to the cluster;
4. Optionally: set the original traffic manager back to restricted by disabling its control!canupdate setting from the UI of the new traffic manager.
You can then use the new traffic manager to manage your cluster.
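The same edit is made to global.cfg on the temporary master and to that traffic manager's zxtms file on every other member, so the following shell function is an added example (not part of the original article or the vendor's tooling) that performs it with a backup. It assumes each setting is a single whitespace-separated "key value" line; the function name strip_canupdate and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Removes the control!canupdate line from one
# traffic manager config file and keeps a timestamped backup for rollback.
# Assumption: each setting is a single "key<whitespace>value" line.

# strip_canupdate FILE -> 0 line removed, 1 key not present, 2 error
strip_canupdate() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    # Compare the whole first field so control!canupdate!default is untouched.
    if ! awk '$1 == "control!canupdate" { found = 1 } END { exit !found }' "$cfg"; then
        echo "$cfg: control!canupdate not present, nothing changed"
        return 1
    fi
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$cfg.tmp.$$"
    # cp -p first so the backup and the rewritten file keep the original mode.
    cp -p "$cfg" "$bak" && cp -p "$cfg" "$tmp" || return 2
    awk '$1 != "control!canupdate"' "$bak" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Rename into place so a reader never sees a half-written file.
    mv "$tmp" "$cfg" || return 2
    echo "$cfg: removed control!canupdate (backup: $bak)"
}

# Constructed sample standing in for ZEUSHOME/zxtm/global.cfg.
demo_dir=$(mktemp -d)
printf '%s\n' 'control!canupdate No' 'control!canupdate!default No' \
    'example!setting value' > "$demo_dir/global.cfg"
strip_canupdate "$demo_dir/global.cfg"
```

The return code distinguishes "already unrestricted" (1) from a failed edit (2), which is useful when the function is run over several cluster members in turn.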
If there is any doubt as to the integrity of existing traffic managers, you should re-install them from scratch before joining them to any cluster where they may have unrestricted status.
Option 2: Add a new traffic manager to the cluster
If you cannot trust the integrity of any of the remote traffic managers, you will need to create a new cluster and import the configuration from the old cluster to the new.
1. SSH on to a restricted traffic manager machine as a suitable super-user;
2. Take a config backup using zconf;
3. Install a new Stingray Traffic Manager instance to be used as the new master, and import the config backup to it via zconf;
4. On the System > Security page, ensure control!canupdate!default is set to No. This will mean that joining cluster members are added with restricted status by default;
5. Reset each remote traffic manager to factory defaults. This will completely wipe your traffic manager configuration, so you may wish to create a cautionary backup first via zconf:
   - For Virtual Appliances, run z-reset-to-factory-defaults from the command line, and then re-run the Initial Configuration Wizard.
   - For software installations, use the ZEUSHOME/zxtm/configure script;
6. Join each clean traffic manager to the new master traffic manager cluster. Repeat until all traffic managers are present.
This article was originally written by Tim Stace