Sunteți pe pagina 1din 923

Pulse Policy Secure

Administration Guide

Product Release 5.0

Document Revision 1.0

Published: 2015-05-29

© 2015 by Pulse Secure, LLC. All rights reserved.


Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose, CA 95134
http://www.pulsesecure.net

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks,
registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

Pulse Policy Secure Administration Guide

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) P ulse Secure software.
Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that
EULA.”

© 2015 by Pulse Secure, LLC. All rights reserved

ii © 2015 by Pulse Secure, LLC. All rights reserved.


Abbreviated Table of Contents
About This Guide .........................................................................................................xxxv

Part 1 Getting Started


Chapter 1 Pulse Policy Secure ............................................................................................................... 3
Chapter 2 Initial Configuration ................................................................................................................. 9
Chapter 3 Deployments with ScreenOS and Junos OS Infranet Enforcers ........................... 77
Chapter 4 Deployments with EX Series Ethernet Switches...................................................... 157
Chapter 5 Layer 2 Network Access Control Policies ...............................................................165
Chapter 6 Deployments with Network and Security Manager ............................................... 209
Chapter 7 User Role Access with the SRX Series Firewall ......................................................... 215

Part 2 Access Management Framework


Chapter 8 General Access Management .....................................................................................231
Chapter 9 User Roles ............................................................................................................................... 261
Chapter 10 AAA Servers............................................................................................................................ 279
Chapter 11 Authentication Realms .........................................................................................................425
Chapter 12 IF-MAP Federation ..........................................................................................................443
Chapter 13 Sign-in Policies .................................................................................................................. 471

Part 3 Endpoint Defense


Chapter 14 Host Checker ......................................................................................................................... 489

Part 4 System Management


Chapter 15 Network and Host Administration ................................................................................ 547
Chapter 16 Certificate Security Administration .............................................................................. 593
Chapter 17 FIPS Level 1 Support (Software FIPS).............................................................. 637
Chapter 18 Configuration File Administration ................................................................................ 657
Chapter 19 System Maintenance ......................................................................................................699
Chapter 20 Logging and Monitoring .................................................................................................. 715
Chapter 21 Troubleshooting Tools............................................................................................................... 751
Chapter 22 Clustering .......................................................................................................................... 773
Chapter 23 Customizable Admin and End-User UIs ..................................................................801
Chapter 24 Delegating Administrator Roles ..................................................................................... 803

© 2015 by Pulse Secure, LLC. All rights reserved. iii


Pulse Policy Secure Administration Guide

Chapter 25 Deployments with IDP ................................................................................................. 813

Part 5 Appendix
Chapter 26 Policy Secure gateway 4500 and 6500 ...................................................................829
Chapter 27 Using the IC6500 FIPS Appliance (Hardware FIPS) ..................................... 835
Chapter 28 Custom Expressions and System Variables Reference......................................... 843

Part 6 Index
Index ......................................................................................................................................... 865

iv © 2015 by Pulse Secure, LLC. All rights reserved.


Table of Contents
About This Guide ......................................................................................................... xxxv
Objectives ......................................................................................................................... xxxv
Audience ........................................................................................................................... xxxv
Documentation Conventions ....................................................................................... xxxv
Documentation.............................................................................................................. xxxvii
Obtaining Documentation ......................................................................................... xxxvii
Documentation Feedback........................................................................................... xxxvii
Requesting Technical Support .................................................................................. xxxvii
Self-Help Online Tools and Resources............................................................ xxxviii
Opening a Case with PSGSC ........................................................................................... xxxviii

Part 1 Getting Started


Chapter 1 Pulse Policy Secure ............................................................................................................... 3
Understanding the Pulse Policy Secure Solution ................................................................. 3
Pulse Policy Secure Solution Overview........................................................................... 3
Pulse Policy Secure Components ........................................................................................ 4
The Pulse Policy Secure Solution in the Network ............................................................5
How the Pulse Policy Secure Determines User Access and Protects Resources .. 7
Chapter 2 Initial Configuration .................................................................................................................9
Understanding Pulse Policy Secure Deployment Options ............................................... 10
Pulse Policy Secure Solution Configuration Overview .........................................................11
Before You Configure the Pulse Policy Secure...................................................................... 12
Using Task Guidance .................................................................................................................. 12
Configuring the Pulse Policy Secure Solution ....................................................................... 13
Deploying the Pulse Policy Secure Solution to Users ......................................................... 16
Pulse Policy Secure Deployment Summary ....................................................................... 19
Understanding the Initial Pulse Policy Secure Deployment User
Experience ............................................................................................................................ 19
Specifying the Client that Endpoints Use for Access ................................................................21
Creating an Initial Configuration of OAC for Windows Endpoints ................................ 22
Understanding OAC Configuration Settings for Windows Endpoints ......................... 23
Defining the Initial Configuration for OAC for Windows ..................................................... 24
Using the Preconfigured Installer for OAC on Windows Endpoints............................. 29
Preconfiguring OAC Using the Custom Installer ............................................................... 29
Validating the IC Series Certificate ............................................................................................30
Using OAC Licenses with the IC Series .................................................................................. 31
Manually Installing OAC......................................................................................................................... 31
Manually Configuring OAC for 802.1X (Windows or Macintosh) .................................. 32

© 2015 by Pulse Secure, LLC. All rights reserved. v


Pulse Policy Secure Administration Guide

Provisioning Detailed Configuration Profiles for Macintosh OAC Endpoints ............. 34


Understanding Deployments with Pulse Secure Clients .................................................34
Pulse Overview .................................................................................................................. 34
Session Migration ...............................................................................................................35
Location Awareness ...............................................................................................................35
Security Certificates on Pulse ..............................................................................................35
User Experience .................................................................................................................35
Platform Support .....................................................................................................................36
Downloading Pulse to Endpoints with Security Software Installed ......................36
Configuring the Pulse Client for a Role...................................................................................... 36
Pulse Client Configuration Overview ......................................................................................37
Deploying Pulse Client Software to Users ....................................................................37
Pulse Components ..................................................................................................................38
Pulse Client Connections .....................................................................................................39
Default Configuration .............................................................................................................. 40
Understanding Client Connection Set Options .............................................................. 40
Creating a Client Connection Set ..............................................................................................46
Configuring Location Awareness Rules for Pulse Secure Client ....................................49
Understanding Pulse Component Set Options ................................................................ 52
Creating a Client Component Set .............................................................................................53
Installing the Pulse Secure Client on Windows Endpoints Using a Preconfiguration
File..................................................................................................................................................54
Installing the Pulse Client Using Advanced Command-Line Options .............. 56
Examples ............................................................................................................................. 57
Repairing a Pulse Installation on a Windows Endpoint .......................................... 58
Installing the Pulse Secure Client on OS X Endpoints Using a Preconfiguration
File..................................................................................................................................................59
Installing the Pulse Client on OS X Endpoints Using Command-Line
Options ....................................................................................................................... 59
Pulse Secure Client Command-line Launcher ......................................................................60
Using jamCommand to Import Pulse Secure Connections ............................................63
Configuring Machine-Only Machine Authentication for a Pulse Secure
Connection .................................................................................................................................64
Configuring User-After-Desktop Machine Authentication for a Pulse Secure
Connection .................................................................................................................................65
Machine and User Authentication Through a Pulse Connection for Pulse Policy
Secure ................................................................................................................................... 66
Preferred Realm and Role for Pulse Secure Client Machine Authentication ............67
Remote Desktop Protocol Compatibility with Pulse Secure 802.1X Machine
Authentication Connection.................................................................................................69
Credential Provider Authentication for Pulse Policy Secure
Overview .............................................................................................................................. 69
Machine Authentication for Pulse Policy Secure Overview ...............................................71
Additional Methods for Accessing Protected Resources Behind the IC Series
Device............................................................................................................................................ 72
Configuring Agentless Access to Protected Resources.......................................................... 73
Using the Java Agent ........................................................................................................................ 74
Configuring the Java Agent .........................................................................................................74

vi © 2015 by Pulse Secure, LLC. All rights reserved.


Table of Contents

Chapter 3 Deployments with ScreenOS and Junos OS Infranet Enforcers ......................... 77


Using the Infranet Enforcer as a Policy Enforcement Point .............................................79
Understanding Deployments with Junos Infranet Enforcers.............................................. 79
Communication Summary ............................................................................................. 80
Configuration Summary....................................................................................................81
Version Requirements ............................................................................................................. 81
Using Certificate-Based Security with Junos Enforcer Deployments ............................82
Binding an Interface to a Security Zone on a Junos Enforcer ..........................................83
Binding the Physical Interface on the Junos Enforcer ........................................................85
Configuring the Junos Enforcer to Communicate with the Access Control
Service .................................................................................................................................. 86
Setting Up the Junos Enforcer to Work with Pulse Policy Secure……………………..87
Connecting with the Junos Enforcer ........................................................................................88
The IC Series and the Infranet Enforcer..................................................................................89
Understanding Deployments with ScreenOS Infranet Enforcers .................................90
Deployment Summary .................................................................................................... 90
Communication Summary ............................................................................................. 90
Configuration Summary....................................................................................................91
Version Requirements .............................................................................................................. 92
Using Certificate-Based Security with Infranet Enforcer Deployments .......................92
Task Summary: Setting Up Certificates for the IC Series and Infranet
Enforcer ........................................................................................................................................ 93
Setting Up Certificates for the IC Series and Infranet Enforcer .....................................94
Using OpenSSL to Create a CA and Sign the Server Certificate ....................................95
Creating a CA and Signing the Server Certificate Using OpenSSL .............................. 95
Importing the Certificate Into the Infranet Enforcer ............................................................. 97
Configuring Certificate Authority Server Settings .................................................................. 97
Binding an Interface to a Security Zone on a ScreenOS Enforcer ..................................99
Binding the Physical Interface.................................................................................................. 100
ScreenOS Enforcer Configuration Overview ....................................................................... 100
Configuring the ScreenOS Connection................................................................................ 101
Setting Up an Infranet Enforcer in Route Mode ................................................................. 102
Create a Route Mode Interface with the ScreenOS Enforcer ........................................ 103
Setting Up an Infranet Enforcer in Transparent Mode .................................................... 106
Creating a Transparent Mode Instance on the ScreenOS Enforcer ........................... 107
Viewing the Configuration of a Policy Secure gateway on the ScreenOS Enforcer . . .
108 Configuration Details Displayed............................................................................. 108
Web UI ................................................................................................................................ 108
CLI........................................................................................................................................ 109
Understanding the Infranet Enforcer Captive Portal Feature ........................................... 109
Before Configuring Captive Portal............................................................................................ 110
Creating a Redirect Policy on the Infranet Enforcer ............................................................... 111
Overriding the Default Redirection Destination for Captive Portal ............................... 112
Creating a Redirect Policy on the Junos Enforcer ................................................................. 113
Creating a Redirect Policy on the ScreenOS Enforcer ..................................................... 114
Understanding Deployments with ScreenOS Enforcer Virtual Systems........................ 116
ScreenOS Virtual Systems Overview .......................................................................... 116
Overlapping IP Addresses.................................................................................................... 117

© 2015 by Pulse Secure, LLC. All rights reserved. vii


Pulse Policy Secure Administration Guide

Deployment Example ............................................................................................................ 118


Deployment with IF-MAP Federation Example .......................................................... 119
Configuring the Policy Secure gateway for Overlapping IP Addresses ....................... 120
IPsec Policies ............................................................................................................................. 121
Using IPsec with the Infranet Enforcer..................................................................................... 122
Understanding Pulse Policy Secure Support for IPsec Routing Policies ...................... 123
About IPsec .............................................................................................................................. 123
Access Solution Service Client Support for IPsec Routing Policies ...................... 123
Infranet Enforcer Support for IPsec Routing Policies ............................................... 124
Infranet Enforcer IPsec Policy Features .......................................................................... 124
Dynamic IPsec Routing Policies with ScreenOS Enforcers ...................................... 125
Refreshing IPsec Policies on the IC Series ................................................................... 125
Understanding IPsec Routing Policy Configuration Options .......................................... 126
Configuration Overview .................................................................................................. 126
Configuration Summary................................................................................................. 126
Advanced Configuration Options................................................................................ 127
IPsec Routing Policies .............................................................................................................. 128
Before you Begin ............................................................................................................................ 128
Configuring IPsec Routing Policies ...................................................................................... 129
Using IP Address Pool Policies for IPsec in a NAT Environment .................................... 130
Understanding IP Address Pool Policies ............................................................................ 132
Configuring an IP Address Pool Policy..................................................................................... 133
Understanding ScreenOS Enforcer Source Interface Policies ......................................... 135
Configuring Source Interface Policies .................................................................................. 135
Using the Pulse Policy Secure User Interface to Create Basic ScreenOS
Enforcer IPsec Policies ................................................................................................... 136
Setting Up ScreenOS Enforcer IPsec Routing Policies ....................................................... 137
Configuring ScreenOS Enforcer IPsec Encryption Settings ................................................ 138
Using ScreenOS Enforcer Bidirectional VPN Policies ....................................................... 139
Creating a ScreenOS Bidirectional VPN Policy....................................................................... 139
Configuring Junos Enforcer IPsec Routing Policies .......................................................... 140
Configuration Summary ................................................................................................. 140
Configuration Example......................................................................................................... 141
Infranet Enforcer Policies Overview ..................................................................................... 144
About Resource Access Policies ............................................................................................. 145
Using the Juniper Networks EX Series Ethernet Switch as an Enforcer with
a Resource Access Policy ........................................................................................... 146
Configuring Resource Access Policies ................................................................................ 147
User Role Policies on the Junos Enforcer ................................................................................. 148
Understanding Infranet Enforcer Source IP Security Policies ......................................... 148
Source IP Security Policy Overview ........................................................................... 149
ScreenOS Infranet Enforcer Configuration Summary .............................................. 150
Junos Infranet Enforcer Configuration Summary...................................................... 150
Understanding Infranet Enforcer Auth Tables ........................................................................... 150
Understanding Dynamic Auth Table Allocation ................................................................... 151
Configuring Dynamic Auth Table Allocation ........................................................................ 152
Configuring Auth Table Mapping Policies for Source IP Enforcement ......................... 152
Configuring Auth Table Mapping Policies ......................................................................... 154

viii © 2015 by Pulse Secure, LLC. All rights reserved.


Table of Contents

Chapter 4 Deployments with EX Series Ethernet Switches .................................................... 157


Pulse Policy Secure and Using the EX Series Switch as an Infranet Enforcer ............. 157
Using the EX Series Switch as an Infranet Enforcer ............................................................ 158
Pulse Policy Secure and EX Series Switch Configuration Task Summary ................. 159
Connecting Pulse Policy Secure and the EX Series Switch................................................ 160
Understanding Captive Portal with Pulse Policy Secure and the
EX Series Switch .................................................................................................................... 160
Understanding Auth Tables with the EX Series Switch ...................................................... 161
Using Resource Access Policies with the EX Series Switch ............................................ 161
Chapter 5 Layer 2 Network Access Control Policies ...............................................................165
Using the Pulse Policy Secure RADIUS Server ..................................................................... 166
Understanding Pulse Policy Secure RADIUS Server Features ............................................ 167
Understanding Pulse Policy Secure Authentication Protocols ......................................... 168
Using Pulse Policy Secure Authentication Protocol Sets..................................................... 170
Using an 802.1X IP Phone with the IC Series ............................................................. 173
Configuring Authentication Protocol Sets ............................................................................. 173
Using RADIUS Proxy ...................................................................................................................... 174
Understanding RADIUS Authentication and Accounting Time Limits ........................ 176
Understanding 802.1X Network Access Control Deployments..................................... 178
Task Summary: Configuring the Policy Secure gateway as a RADIUS Server for an
802.1X Network Access Device ......................................................................................... 180
Using Location Groups with Network Access Devices ................................................... 180
Configuring a Location Group ............................................................................................... 182
Understanding the RADIUS Client Configuration................................................................ 183
RADIUS Client Configuration Overview ..................................................................... 183
Sending Disconnect Requests to NADs (Dynamic Authorization Support)
Using a RADIUS Client Policy ................................................................................... 184
Before Configuring a RADIUS Client ................................................................................ 184
Configuring a RADIUS Client ................................................................................................ 185
Using RADIUS Client Dictionary Files ....................................................................................... 186
Uploading a New RADIUS Client Dictionary ...................................................................... 187
Creating a RADIUS Dictionary Based on an Existing Model .......................................... 187
Creating RADIUS Dictionary Files ............................................................................................... 188
Understanding RADIUS Attributes Policies ........................................................................ 190
RADIUS Attributes Policy Configuration Guidelines ......................................................... 191
Creating a RADIUS Attributes Policy ........................................................................................ 192
Understanding RADIUS Request Attribute Policies ......................................................... 194
Configuring a RADIUS Request Attribute Policy................................................................... 195
Understanding RADIUS Attribute Logging.............................................................................. 195
Configuring RADIUS Attribute Logging .................................................................................. 196
Using RADIUS Attributes in Access Policies ...................................................................... 196
Use Case 1: Configuring VLAN Assignment by Returning RADIUS Tunnel
Attributes ......................................................................................................................... 196
Use Case 2: Configuring VLAN Assignment Along with Other Attributes . . . 197
Use Case 3: Configuring VLAN Assignment or Policies by using the Filter-ID
Return Attribute ............................................................................................................ 197

© 2015 by Pulse Secure, LLC. All rights reserved. ix


Pulse Policy Secure Administration Guide

Use Case 4: Configuring VLAN Assignment in a Heterogeneous


Environment............................................................................................................... 197
Use Case 5: Using RADIUS Attributes with OAC to Avoid Disconnecting
Concurrent Network Connections.......................................................................198
Use Case: Using an EX Series Ethernet Switch as a RADIUS Client ...........................199
Associating an Infranet Enforcer with the Pulse Policy Secure RADIUS
Server.......................................................................................................................................... 202
Use Case: Using a Non-Pulse Secure 802.1X Supplicant ............................................ 203
Before Configuring a Non-Pulse Secure Supplicant .................................................... 204
Configuring a Non-Pulse Secure Supplicant for 802.1X .............................................. 205
Configuring Access to Switches and Access Points from a Browser .......................... 206
Authenticating Users with Non-Tunneled Protocols ....................................................... 206
Enabling Endpoints to Connect to VLANs behind the Policy Secure gateway ........ 207
Chapter 6 Deployments with Network and Security Manager ............................................. 209
Understanding Network and Security Manager Support for Policy Secure gateways .
. 209 How the IC Series and NSM Communicate................................................... 209
Available Services and Configuration Options......................................................... 211
DMI Communication with the IC Series ...................................................................... 211
Configuring the Policy Secure gateway for the Initial DMI Connection ..................... 212
General NSM Operations....................................................................................................... 214
Using NSM with the IC Series and the Infranet Enforcer........................................ 214
Managing IPsec with the Infranet Enforcer Through NSM .................................... 214
Adding IC Series Clusters..................................................................................................... 214
Chapter 7 User Role Access with the SRX Series Firewall .......................................................215
User Role Firewall Policies .................................................................................................... 215
Licensing Restrictions and Disabled Features ..................................................................... 216
Terminology for Active Directory SPNEGO Authentication with User Role
Policies ................................................................................................................................. 217
User Authentication Sequence for Active Directory.......................................................... 219
Supported Versions ...................................................................................................................... 220
Configuration Summary .......................................................................................................... 221
Configure an Active Directory Instance on Pulse Policy Secure……………………..222
Active Directory Integration Notes ............................................................................................ 223
Sample Active Directory Commands......................................................................... 224
Additional Information .................................................................................................. 224
User Log Messages on the MAG Series Device ..........................................................225
Create the Keytab File and Enable Single Sign-on ............................................................225
Configuring SPNEGO Authentication in Browsers ............................................................ 226
Browser Configuration.......................................................................................................... 226

Part 2 Access Management Framework


Chapter 8 General Access Management .................................................................................... 231
Access Management Overview .............................................................................................. 231
Understanding Realm and Role Restrictions ................................................................. 232
Restrictions Overview .................................................................................................... 232
Accessing Authentication Realms .................................................................................. 233

x © 2015 by Pulse Secure, LLC. All rights reserved.


Table of Contents

Accessing User Roles ........................................................................................................... 233


Realm and Role Restrictions Sequence ........................................................................ 234
Understanding the Evaluation Process for Policies, Rules, Restrictions, and
Conditions ......................................................................................................................... 234
Using the Dynamic Policy Evaluation Feature .................................................................. 239
Dynamic Policy Evaluation Overview ........................................................................ 239
Understanding Dynamic Policy Evaluation ................................................................ 240
Understanding Standard Policy Evaluation ................................................................. 240
Enabling Dynamic Policy Evaluation ............................................................................ 240
Using Source IP Access Restrictions ................................................................................... 241
Source IP Access Restriction Overview ..................................................................... 241
Specifying Source IP Restrictions ................................................................................... 242
Specifying Browser Access Restrictions ............................................................................. 243
Specifying Certificate Access Restrictions .......................................................................... 244
Specifying Password Access Restrictions............................................................................. 245
Specifying Host Checker Access Restrictions .................................................................... 246
Specifying RADIUS Request Attributes ................................................................................. 247
Selecting Single Sign-on ............................................................................................................. 247
Specifying Session Limits .......................................................................................................... 248
Specifying Resources for User Access Control .................................................................. 249
Using Host Enforcer Policies .................................................................................................. 251
Understanding Session Migration ....................................................................................... 255
Session Migration Overview .......................................................................................... 255
Session Migration and Session Timeout ................................................................... 257
How Session Migration Works .......................................................................................... 257
Session Migration and Session Lifetime.................................................................... 258
Session Migration and Load Balancers........................................................................ 258
Authentication Server Support ....................................................................................... 258
Task Summary: Configuring Session Migration................................................................. 259
Configuring Session Migration for the Pulse Client ........................................................ 260
Chapter 9 User Roles ............................................................................................................................... 261
Understanding User Roles........................................................................................................... 261
User Roles Overview ...................................................................................................... 261
User Role Evaluation ............................................................................................................ 262
Permissive Merge Guidelines ....................................................................................... 265
Configuration of User Roles ............................................................................................... 265
Defining Default Options for User Roles................................................................................. 266
Configuring General Role Options ....................................................................................... 267
Configuring a Guest User Account Management Role ................................................... 267
Using Role Restrictions .............................................................................................................. 268
Specifying Session Options ................................................................................................. 268
Specifying UI Options for Agentless Access ........................................................................... 271
Setting Up E-mail for Guest User Accounts........................................................................ 272
Creating a MAC Address Authentication Role ....................................................................... 274
Specifying Role Access Options ........................................................................................ 274
Use Case: Using a Host Checker Policy with the Host Enforcer ...................................... 276

© 2015 by Pulse Secure, LLC. All rights reserved. xi


Pulse Policy Secure Administration Guide

Chapter 10 AAA Servers ............................................................................................................................279


AAA Server Overview ............................................................................................................. 279
Understanding the Role of AAA Servers in the Pulse Secure Access
Management Framework ......................................................................................... 280
Authentication Protocols Used by AAA Servers ........................................................... 281
AAA Server Configuration Task Summary ................................................................. 281
Using the Local Authentication Server ................................................................................. 282
Local Authentication Server Overview ...................................................................... 282
Understanding the Local Authentication Server ............................................ 282
Requirements and Limitations............................................................................. 282
Configuring the Local Authentication Server................................................................ 283
Creating User Accounts....................................................................................................... 285
Managing User Accounts .................................................................................................... 287
Creating Administrator User Accounts .......................................................................... 289
Using Active Directory .................................................................................................................. 290
Microsoft Windows Platform Active Directory Service Overview ...................... 290
Understanding Active Directory ............................................................................... 291
Active Directory Feature Support ......................................................................... 291
Interoperability Requirements and Limitations................................................ 291
Understanding the Active Directory Standard Configuration and Active
Directory Legacy Mode Configuration........................................................... 292
Configuring Authentication and Authorization with Active Directory Service
(Standard Mode) ..................................................................................................... 292
Configuring Authentication and Authorization with Active Directory Service
(Legacy Mode)........................................................................................................... 297
Displaying the User Accounts Table ........................................................................................ 302
Using Kerberos SSO ...................................................................................................................... 303
Kerberos SSO Support Overview ................................................................................ 303
Requirements and Limitations ........................................................................................ 303
Enabling Kerberos SSO ............................................................................................. 304
Understanding Multi-Domain User Authentication ........................................................ 304
Multi-Domain User Authentication Overview ........................................................ 305
Windows NT User Normalization .................................................................................... 305
Kerberos Support ................................................................................................................. 305
Windows NT4 Support ....................................................................................................... 306
Understanding Active Directory and Windows NT Group Information
Support ..................................................................................................................................... 306
Active Directory Group Information Overview .......................................................... 306
Windows NT4 Group Information Overview ............................................................. 307
Importing and Exporting an Active Directory Mode Configuration................................ 307
Using the Anonymous Server .................................................................................................. 308
Anonymous Server Overview ...................................................................................... 308
Understanding the Anonymous Server .............................................................. 308
Anonymous Server Feature Support ................................................................... 308
Interoperability Requirements and Limitations .............................................. 309
Configuring Authentication with the Anonymous Server ........................................ 309
Monitoring Anonymous User Sessions ...................................................................... 311

xii © 2015 by Pulse Secure, LLC. All rights reserved.


Table of Contents

Using the Certificate Server ........................................................................................................312


Certificate Server Overview............................................................................................ 312
Understanding the Certificate Server ...................................................................... 312
Feature Support ....................................................................................................... 312
Interoperability Requirements and Limitations ............................................... 312
Configuring Authentication with the Certificate Server ........................................... 313
Displaying the User Accounts Table ...........................................................................................315
Using an LDAP Server .................................................................................................................... 316
LDAP Server Overview ................................................................................................... 316
Understanding LDAP Server...................................................................................... 316
LDAP Feature Support ............................................................................................ 317
Interoperability Requirements and Limitations ............................................... 317
Configuring Authentication with an LDAP Server ....................................................... 317
Displaying the User Accounts Table ............................................................................................322
Using the LDAP Password Management Feature .............................................................. 323
LDAP Password Management Feature Overview .................................................. 323
Enabling LDAP Password Management .................................................................. 324
LDAP Password Management Support......................................................................... 324
LDAP Password Management for Windows AD Versions ...................................... 326
Troubleshooting LDAP Password Management .................................................... 328
Using the MAC Address Authentication Server ..................................................................... 328
MAC Address Authentication Server Overview ..................................................... 328
Understanding MAC Address Authentication ................................................... 328
MAC Address Authentication Server Feature Support................................... 329
Interoperability Requirements and Limitations............................................... 329
Licensing ................................................................................................................... 329
MAC Address Authentication Framework Configuration Overview............. 329
802.1x Framework Configuration Overview..................................................... 330
Ethernet Switch MAC Address Authentication Configuration
Overview ........................................................................................................... 330
Configuring the MAC Address Authentication Server ............................................... 330
Displaying the User Accounts Table ............................................................................................332
Example: Using Endpoint Discovery and Profiling for MAC Address
Authentication .................................................................................................................. 334
About Endpoint Discovery and Profiling ....................................................................... 334
Obtaining the MAG-SM360-PROFILER Service Module ................................... 335
Installing the MAG-SM360-PROFILER Service Module ................................... 335
Getting Started with Endpoint Profiler on the MAG-SM360-PROFILER
Service Module ....................................................................................................... 336
Licensing the Beacon Endpoint Profiler Software ....................................................... 337
Using the Beacon Endpoint Profiler to Discover Devices in Your Network . . 338
Configuring the Beacon Endpoint Profiler LDAP Features ...................................... 338
Configuring the Pulse Policy Secure MAC Address Authentication Framework
............................................................................................................................................. 344
Configuring the Authentication Protocol Set ................................................... 345
Configuring the Authentication Servers ............................................................... 346
Configuring User Roles for the MAC Address Authentication Realm . . . 353
Configuring the MAC Address Authentication Realm and Role Mapping
Rules ......................................................................................................................... 354

© 2015 by Pulse Secure, LLC. All rights reserved. xiii


Pulse Policy Secure Administration Guide

Configuring the RADIUS Framework ...................................................................... 357


Configuring the EX Series Switch ................................................................................... 360
Using an NIS Server ...................................................................................................................... 367
NIS Server Overview ....................................................................................................... 367
Understanding NIS Server .......................................................................................... 367
Feature Support ........................................................................................................... 368
Interoperability Requirements and Limitations .............................................. 368
Configuring Authentication with an NIS Server ........................................................... 368
Displaying the User Accounts Table ...........................................................................................371
Using a RADIUS Server ................................................................................................................. 372
RADIUS Server Overview .............................................................................................. 372
Understanding RADIUS Server ................................................................................. 372
Feature Support ............................................................................................................ 372
Using Challenge Expressions ............................................................................... 373
Using RADIUS Attributes ............................................................................................ 373
Understanding RADIUS Accounting ..................................................................... 380
Interoperability Requirements and Limitations............................................... 382
Configuring Authentication with a RADIUS Server .................................................... 383
Displaying the User Accounts Table ...................................................................................... 389
Using an ACE Server .................................................................................................................... 390
RSA Authentication Manager Overview ...................................................................... 391
Understanding RSA Authentication Manager ................................................... 391
Feature Support ............................................................................................................ 392
Interoperability Requirements and Limitations............................................... 392
Configuring Authentication with RSA Authentication Manager ........................ 393
Displaying the User Accounts Table ........................................................................................ 395
Using a SiteMinder Server .......................................................................................................... 396
SiteMinder Server Overview ......................................................................................... 396
Understanding SiteMinder Server.......................................................................... 396
Feature Support ............................................................................................................ 397
Interoperability Requirements and Limitations .............................................. 398
Configuring the Back-End SiteMinder Server ........................................................... 399
Configuring the SiteMinder Agent ....................................................................... 400
Configuring the Authentication Scheme ........................................................... 400
Configuring the SiteMinder Domain................................................................... 402
Configuring the SiteMinder Realm ....................................................................... 402
Configuring a Rule or Response Pair to Pass Usernames............................ 402
Configuring Authentication with a SiteMinder Server ........................................... 403
Displaying the User Accounts Table............................................................................................414
Troubleshooting the SiteMinder Server Configuration...................................................... 415
Using an SQL Server ..................................................................................................................... 416
SQL Server Overview ...................................................................................................... 416
Understanding SQL Server ........................................................................................ 416
Feature Support ............................................................................................................ 416
Interoperability Requirements and Limitations ................................................ 419
Configuring Authentication with an Oracle SQL Server............................................. 419
Displaying the User Accounts Table ............................................................................................422
Troubleshooting Oracle Error Codes ....................................................................................... 423

xiv © 2015 by Pulse Secure, LLC. All rights reserved.


Table of Contents

Chapter 11 Authentication Realms ........................................................................................................ 425


Understanding Authentication Realms ................................................................................... 425
Before Configuring a Realm ...................................................................................................... 426
Creating an Authentication Realm............................................................................................. 427
Configuring a MAC Address Authentication Realm ........................................................ 429
Defining Authentication Access Policies ............................................................................ 432
Understanding Role Mapping Rules ........................................................................................ 432
Specifying Role Mapping Rules for an Authentication Realm ..................................... 433
Using the LDAP Server Catalog ................................................................................................ 435
Customizing User Realm UI Views ......................................................................................... 440
Chapter 12 IF-MAP Federation ..........................................................................................................443
Understanding Federated Deployments .............................................................................. 443
IF-MAP Federation Overview ....................................................................................... 444
Example Topology ...................................................................................................................... 445
IF-MAP Federation Configuration Overview ........................................................... 447
Supported IF-MAP Clients ................................................................................................. 448
IF-MAP and Session Migration ......................................................................................... 448
IF-MAP Federation Licensing ............................................................................................ 448
IF-MAP Logging..................................................................................................................... 449
IF-MAP Federation Network Timing Considerations ................................................ 449
About IF-MAP Federation Performance ....................................................................... 449
IF-MAP Federation Quick Start ................................................................................................. 450
Task Summary: Configuring IF-MAP Federation................................................................... 451
Configuring IF-MAP Server Settings ...................................................................................... 453
Configuring IF-MAP Client Settings ...................................................................................... 454
Understanding Session-Export and Session-Import Policies ...................................... 455
Session-Export and Session-Import Policies Overview....................................... 455
Default Session-Export and Session-Import Policy Action ................................... 457
Advanced Session-Export and Session-Import Policies ........................................ 457
Administrative Domains in Session-Export Policies ............................................... 457
Configuring Session-Export Policies ..................................................................................... 458
Configuring Session-Import Policies .................................................................................... 460
Modifying Session-Export and Session-Import Policies ................................................ 461
Troubleshooting the IF-MAP Federation Network ............................................................... 462
Viewing Active Federated Session Tables....................................................................................... 462
Viewing Active Users on the IF-MAP Client ............................................................. 462
Viewing Active Users on the IF-MAP Server .............................................................. 463
Understanding IF-MAP Server Replicas ................................................................................ 463
Configuring IF-MAP Server Replicas ...................................................................................... 465
Understanding Clustering in a Federated Deployment.................................................. 465
IF-MAP Server Clustering ..................................................................................................... 465
IF-MAP Client Clustering .................................................................................................... 467
Understanding Coordinated Threat Control in an Federated Deployment ............... 467
Using IDP Devices in a Federated Deployment ............................................................. 469
Using IF-MAP Enabled Network Equipment .................................................................. 469

© 2015 by Pulse Secure, LLC. All rights reserved. xv


Pulse Policy Secure Administration Guide

Chapter 13 Sign-in Policies .................................................................................................................. 471


About Sign-In Policies.............................................................................................................. 471
Task Summary: Configuring Sign-In Policies...................................................................... 472
About Configuring Sign-In Policies ..................................................................................... 473
Configuring Administrator Sign-In Policies ....................................................................... 474
Associating Authentication Realms and Protocols with User Sign-in Policies . . 475
Before Configuring Sign-In Policies ..................................................................................... 479
Configuring and Managing Sign-In Policies ....................................................................... 480
Configuring User Sign-In Policies ................................................................................... 480
Enabling and Disabling Sign-in Policies ..................................................................... 481
Specifying the Order of Evaluation ................................................................................ 481
Using Sign-In Notifications ................................................................................................... 482
Configuring and Implementing Sign-In Notifications...................................................... 483
Configuring Sign-In Pages ................................................................................................................ 485
Sign-In Page Options ..................................................................................................... 485
Configuring Standard Sign-In Pages .................................................................................. 486

Part 3 Endpoint Defense


Chapter 14 Host Checker ......................................................................................................................... 489
Host Checker and Trusted Network Computing.............................................................. 490
Host Checker Compatibility ......................................................................................... 491
Host Checker Overview ........................................................................................................ 492
Upgrading the Software Version ............................................................................................ 492
Creating Global Host Checker Policies ................................................................................. 493
Task Summary: Configuring Host Checker ......................................................................... 494
Using Host Checker for Machine Account Logins ............................................................ 495
Using the Predefined Enhanced Endpoint Security Option ........................................ 496
Enhanced Endpoint Security Option Overview ...................................................... 496
Enhanced Endpoint Security User Experience ....................................................... 497
Enabling the Enhanced Endpoint Security Option ............................................... 498
Checking for Third-Party Applications Using Predefined Rules....................................... 498
Configuring a Predefined Antivirus Rule with Remediation Options (Windows
and Macintosh) ............................................................................................................... 500
Configuring a Predefined Firewall Rule with Remediation Options (Windows
and Macintosh)............................................................................................................... 502
Configuring a Predefined AntiSpyware Rule (Windows and Macintosh) ................ 504
Specifying Customized Requirements Using Custom Rules ....................................... 505
Using a Wildcard or Environment Variable in a Host Checker Rule................................ 511
Patch Management Info Monitoring and Patch Deployment ..................................... 512
Additional Functionality with Pulse 2.0......................................................................... 513
User Experience ............................................................................................................... 514
Using a System Management Server ............................................................................... 514
Configuring Virus Signature Version Monitoring and Patch Assessment Info
Monitoring and Patch Deployment ........................................................................... 515
Configuring Patch Remediation Options ............................................................................ 518
Configuring Host Checker Patch Assessment Rules ........................................................... 518
Using Third-Party Integrity Measurement Verifiers.............................................................. 520

xvi © 2015 by Pulse Secure, LLC. All rights reserved.


Table of Contents

Configuring a Remote IMV Server ..............................................................................................521


Implementing a Third-Party IMV Policy................................................................................ 526
Using Statement of Health Integration Host Checker Policies....................................... 527
Configuring a Statement of Health Host Checker Policy ............................................... 529
Implementing Host Checker Policies .................................................................................. 531
Executing Host Checker Policies ................................................................................. 532
Configuring Host Checker Restrictions.............................................................................. 533
Understanding Host Checker Policy Remediation ........................................................... 535
Remediation Options...................................................................................................... 535
Remediation User Experience .................................................................................... 536
Configuring General Host Checker Remediation ................................................................. 537
Upgrading the Endpoint Security Assessment Plug-In ............................................... 538
Specifying General Host Checker Options ..................................................................... 540
Specifying Host Checker Installation Options ................................................................. 542
Installing Host Checker Automatically or Manually ........................................................ 543
Using Host Checker Logs ............................................................................................................. 544

Part 4 System Management


Chapter 15 Network and Host Administration ................................................................................ 547
Network and Host Administration Overview ...................................................................... 547
Configuring the Internal Port ...................................................................................................... 548
Configuring the External Port.................................................................................................... 553
Using the Management Port .................................................................................................... 557
Management Port Overview ........................................................................................ 557
Supported Platforms .................................................................................................................. 558
Configuring the Management Port .............................................................................. 558
Using the Serial Console to Configure the Management Port ........................... 562
Importing Configurations that Include a Management Port
Configuration .................................................................................................................. 562
Configuring Administrator Access................................................................................... 563
Configuring VLAN Ports.............................................................................................................. 563
Using Virtual Ports ........................................................................................................................ 566
Configuring Virtual Ports.................................................................................................... 566
Using Device Certificates with Virtual Ports.............................................................. 568
Configuring the System Date and Time .............................................................................. 571
Configuring Network Services.................................................................................................... 574
Managing the Routes Table........................................................................................................................577
Managing the Hosts Table...........................................................................................................................579
Managing the ARP Table ........................................................................................................................... 580
Managing the Neighbor Discovery Table ...........................................................................................581
Configuring SSL Options ...................................................................................................... 582
Configuring Miscellaneous Security Options ................................................................... 587
Using the Serial Port .................................................................................................................... 589
Connecting to the Serial Port Console .......................................................................... 589
Using the Serial Console to Roll Back to a Previous OS Version ......................... 590
Using the Serial Console to Reset the System to the Factory Image................ 591

© 2015 by Pulse Secure, LLC. All rights reserved. xvii


Pulse Policy Secure Administration Guide

Chapter 16 Certificate Security Administration ............................................................................. 593


Understanding Digital Certificate Security............................................................................. 593
Using Device Certificates.............................................................................................................. 595
Understanding Device Certificates ................................................................................. 595
Understanding Self-Signed Certificates ...................................................................... 595
Importing a Device Certificate and Private Key ............................................................ 596
Creating a Certificate Signing Request ....................................................................... 599
Importing a Signed Certificate Created from a CSR................................................ 600
Understanding Intermediate Certificates....................................................................... 601
Importing Intermediate CA Certificates ...................................................................... 602
Importing a Renewed Certificate That Uses the Existing Private Key .............. 603
Downloading a Device Certificate .................................................................................. 604
Using Device Certificates With Virtual Ports .............................................................. 604
Using Trusted Client CAs............................................................................................................ 608
Understanding Trusted Client CAs............................................................................... 608
Trusted Client CA Implementation Notes .................................................................. 609
Understanding CRLs ..................................................................................................... 609
Understanding OCSP....................................................................................................... 611
Importing a Trusted Client CA Certificate ..................................................................... 611
Renewing a Certificate......................................................................................................... 613
Configuring Auto-Importing of Client Certificates .................................................... 613
Configuring Options for Trusted Client CA Certificates ........................................... 615
Configuring a Proxy Server for CRL Downloads and OCSP Status Checks . . 621
Using Trusted Server CAs ............................................................................................................. 622
Understanding Trusted Server CAs ................................................................................. 623
Uploading Trusted Server CA Certificates ..................................................................... 623
Restoring the Prepopulated Group of Trusted Server CA Certificates ............. 625
Renewing a Trusted Server CA Certificate................................................................... 625
Deleting a Trusted Server CA Certificate ..................................................................... 626
Understanding ECC Certificates ............................................................................................. 626
About Suite B .................................................................................................................. 627
Using ECC Certificates with Pulse Connect Secure and Access Control
Service ........................................................................................................................ 627
Example: Assigning an ECC P-256 Certificate to an External Virtual Port and
Giving Preference to Suite B Ciphers ............................................................................ 628
Configuring the External Port .......................................................................................... 628
(optional) Configuring the Virtual Ports ..................................................................... 629
Creating the Certificate Signing Request for a New Certificate ......................... 630
Importing the Signed Certificate Created from a CSR ............................................ 632
Presenting the Certificate on the Network ..................................................................... 632
Setting the Security Options ...................................................................................... 633
Chapter 17 FIPS Level 1 Support (Software FIPS).............................................................. 637
Understanding Pulse Secure FIPS Level 1 Support ......................................................... 637
What Is FIPS? .................................................................................................................. 637
What Is FIPS Level 1 Support? ...................................................................................... 638
FIPS Supported Platforms ................................................................................................................ 638
Enabling FIPS Level 1 Support ............................................................................................... 638
Verifying the Certificate on the Client ................................................................................. 642

xviii © 2015 by Pulse Secure, LLC. All rights reserved.


Table of Contents

Using TCP Dump to View Cipher Information ................................................................644


Turning Off FIPS Level 1 Support from the Serial Console ................................................ 647
Installing a Self-Signed Certificate From the Serial Console ........................................ 647
Supported Cipher Suites when FIPS Level 1 Support is Enabled and Disabled . . 648
Supported Cipher Suites When FIPS Level 1 Support is Disabled......................... 648
Supported Cipher Suites When FIPS Level 1 Support is Enabled ......................... 652
Chapter 18 Configuration File Administration ................................................................................ 657
Configuration File Administration Overview ..................................................................... 657
Configuring Archiving for System Logs, Configuration Files, and Snapshots . . . 658
Using the Configuration Backup and Restore Feature........................................................ 664
Using the Import/Export Feature for Binary System Configuration Files ................... 665
Binary System Configuration File Overview ............................................................. 666
Exporting a Binary System Configuration File .............................................................. 667
Importing a Binary System Configuration File .............................................................. 668
Using the Import/Export Feature for Binary User Configuration Files ......................... 670
Binary User Configuration File Overview.................................................................... 670
Exporting a Binary User Configuration File ................................................................... 671
Importing a Binary User Configuration File ................................................................. 673
Using the Import/Export Feature for XML Configuration Files ........................................ 674
XML Configuration File Overview ................................................................................. 674
Guidelines and Limitations............................................................................................ 674
Exporting an XML Configuration File .............................................................................. 675
Importing an XML Configuration File.............................................................................. 679
Guidelines for Modifying Configuration XML Files.............................................................. 680
Preparing to Modify a Configuration XML File .............................................................. 680
Understanding the XML Export File ................................................................................ 681
Comparing Configuration Settings and Values Shown in the User Interface
with the Ones in the XML File ................................................................................. 684
Understanding Referential Integrity Constraints...................................................... 684
Using Operation Attributes ............................................................................................. 686
Example: Using the Configuration XML File Import/Export Feature to Add Multiple
Users ................................................................................................................................... 688
Using the Push Configuration Feature .................................................................................... 690
Push Configuration Overview .................................................................................... 690
Guidelines and Limitations .............................................................................................. 690
Configuring Targets ..................................................................................................................... 691
Configuring Push Settings................................................................................................ 693
Viewing Configuration Push Results ................................................................................. 696
Chapter 19 System Maintenance ......................................................................................................699
Using the System Maintenance Pages ....................................................................................... 699
Configuring System Maintenance Options ..................................................................... 700
Upgrading the System Software................................................................................................. 703
Downloading a Software Package .................................................................................. 703
Uploading a Software Package........................................................................................ 704
Upgrading the System Software .................................................................................... 705
Downgrading the System Software .................................................................................. 707
Rolling Back the System Software .................................................................................. 707
Downloading Client Installer Files............................................................................................. 708

© 2015 by Pulse Secure, LLC. All rights reserved. xix


Pulse Policy Secure Administration Guide

Restarting, Rebooting, and Shutting Down the System..................................................... 711


Testing Network Connectivity ............................................................................................... 712
Chapter 20 Logging and Monitoring .................................................................................................. 715
Logging Overview .................................................................................................................... 715
Configuring Events to Log............................................................................................................ 716
Configuring SNMP .................................................................................................................... 719
Configuring Syslog......................................................................................................................... 728
Enabling Client-Side Logging ..................................................................................................... 731
Displaying System Status ............................................................................................................. 731
Displaying Hardware Status ...................................................................................................... 735
Displaying Active Users ......................................................................................................... 738
Displaying System Logs ................................................................................................................ 739
Displaying Events Logs ........................................................................................................ 740
Displaying User Access Logs .............................................................................................. 742
Displaying Admin Access Logs ......................................................................................... 743
Displaying Sensor Logs........................................................................................................ 743
Using Log Filters.............................................................................................................................. 744
Reviewing the Configuration of Predefined Log Format Filters .............................. 744
Creating a Custom Log Collection Filter ......................................................................... 745
Example: Using the Source IP Address Filter............................................................. 747
Displaying User Access Statistics ........................................................................................... 748
Chapter 21 Troubleshooting Tools............................................................................................................... 751
Using the Admin Console Troubleshooting Tools .................................................................. 751
Using Policy Tracing .............................................................................................................................. 752
Using the Debug Log ..................................................................................................................... 757
Using the RADIUS Diagnostic Log ............................................................................................. 759
Using the tcpdump Utility ..................................................................................................... 760
Using Network Troubleshooting Commands ................................................................... 762
Troubleshooting TCP and UDP Port Status ........................................................................ 765
Running NSLookup to Test Name Server Connectivity.................................................. 768
Using the Kerberos Debugging Utility................................................................................ 770
Using Remote Debugging ........................................................................................................... 771
Chapter 22 Clustering .......................................................................................................................... 773
About Clustering............................................................................................................................. 773
About Cluster Licensing ......................................................................................................... 775
Task Summary: Deploying a Cluster ........................................................................................ 776
Defining and Initializing a Cluster ............................................................................................ 777
Joining an Existing Cluster.......................................................................................................... 778
Before You Begin ................................................................................................................... 778
Specifying a Policy Secure gateway to Join to a Cluster ....................................... 778
Adding a Policy Secure gateway to a Cluster Through the Admin Console.. 779
Re-Adding a Node to a Cluster................................................................................................ 779
Deploying Two Nodes in an Active/Passive Cluster ........................................................ 780
Failing Over the VIP to Another Node ................................................................................. 782
Deploying Two or More Units in an Active/Active Cluster ................................................. 782
Synchronizing the Cluster State................................................................................................ 784
Specifying Active/Passive, Active/Active, and Other Cluster Settings ...................... 787

xx © 2015 by Pulse Secure, LLC. All rights reserved.


Table of Contents

Adding Multiple Cluster Nodes ........................................................................................... 788


Managing Network Settings for Cluster Nodes .................................................................. 789
Changing the IP Address of a Cluster Node ...................................................................... 789
Deleting a Cluster............................................................................................................................ 790
Restarting or Rebooting Cluster Nodes ............................................................................... 790
Summary: Admin Console Cluster Procedures ................................................................. 791
Monitoring Clusters....................................................................................................................... 793
NSRP Clustering Considerations with the ScreenOS Enforcer ................................... 794
Using the Policy Secure gateway with an SRX Series Cluster .......................................... 795
Troubleshooting Cluster Communication Problems ......................................................... 795
Summary: Serial Console Cluster Procedures .................................................................... 797
Joining a Policy Secure gateway to a Cluster Through Its Serial Console.................... 798
Disabling a Clustered Policy Secure gateway Using Its Serial Console......................... 799
Chapter 23 Customizable Admin and End-User UIs ..................................................................801
Customizable Admin Console and End User Elements Overview ................................ 801
Customizable End-User Interface Elements Overview ......................................... 802
Chapter 24 Delegating Administrator Roles ..................................................................................... 803
About Delegating Administrator Roles...................................................................................... 803
Creating Administrator Roles ..................................................................................................... 804
Specifying Management Tasks to Delegate ........................................................................ 805
Delegating System Management Tasks ............................................................................... 805
Delegating User and Role Management .................................................................. 806
Delegating User Realm Management ....................................................................... 806
Delegating Administrative Management ................................................................. 806
Delegating Resource Policy Management ............................................................... 807
Defining Role Management Privileges for an Administrative Role ................................. 807
Defining Realm Management Privileges for an Administrative Role ............................. 808
Defining Security Administrator Privileges............................................................................. 809
Defining General System Administrator Role Settings ....................................................... 810
Chapter 25 Deployments with IDP ..................................................................................................813
About IDP Technology ......................................................................................................................... 813
IDP Deployment Scenarios Overview ............................................................................... 815
Understanding Pulse Policy Secure Deployments with IDP
Devices....................................................................................................................................... 817
About IDP Devices ................................................................................................................. 817
Coordinated Threat Control Overview ....................................................................... 817
Deployments with IDP Series Devices ......................................................................... 818
Deployments with IDP-Enabled Infranet Enforcers ................................................. 818
Monitoring IDP-Reported Events ................................................................................... 819
Activating IDP for the ScreenOS or Junos Enforcer ............................................................. 820
Managing Interoperation with IDP Devices ......................................................................... 820
Configuring Communication with an IDP Device ...................................................... 820
Enabling or Disabling IDP Sensors.............................................................................. 821
Reconnecting to an IDP Sensor ...................................................................................... 822
Refreshing and Displaying the Connection Status .................................................... 822
Deleting an IDP Sensor Entry ........................................................................................ 822
Defining Automatic Response Sensor Event Policies ...................................................... 823

© 2015 by Pulse Secure, LLC. All rights reserved. xxi


Pulse Policy Secure Administration Guide

Identifying and Managing Quarantined Users Manually ............................................. 824


Using Role-Based Policies to Monitor User Activity ......................................................... 825

Part 5 Appendix
Chapter 26 Policy Secure gateway 4500 and 6500 ...................................................................829
IC Series 4500 and 6500 Overview ................................................................................... 829
Standard Hardware .............................................................................................................. 829
IC Series 6500 Field-Replaceable Units....................................................................... 829
Understanding Device Status LED Behavior ...................................................................... 830
Understanding Ethernet Port LED Behavior .......................................................................... 831
Replacing a Cooling Fan ............................................................................................................ 832
Replacing a Hard Drive .......................................................................................................... 833
Replacing a Power Supply ........................................................................................................... 834
Chapter 27 Using the IC6500 FIPS Appliance (Hardware FIPS) ..................................... 835
FIPS Overview .......................................................................................................................... 835
Understanding Name and Password Restrictions ........................................................... 836
Initializing a Keystore ................................................................................................................. 837
Reinitializing the Keystore .......................................................................................................... 837
Joining a Cluster............................................................................................................................. 838
Changing the Security Officer Password ................................................................................. 839
Changing the Web User Password ............................................................................................... 839
Upgrading the Sun HSM Firmware ......................................................................................... 840
Importing and Exporting Keystore Binary Files ................................................................. 840
Understanding FIPS Device Status LED Behavior .............................................................. 841
Chapter 28 Custom Expressions and System Variables Reference......................................... 843
Using Custom Expressions in Rule Configuration ............................................................... 843
Custom Expressions ....................................................................................................... 843
Custom Expression Elements ......................................................................................... 844
Wildcard Matching ............................................................................................................... 847
Using Multi-Valued Attributes........................................................................................... 847
Specifying Multivalued Attributes in a Bookmark Name ................................... 848
Distinguished Name Variables........................................................................................... 849
System Variables .......................................................................................................................... 849
Custom Variables and Macros ......................................................................................... 858
append ............................................................................................................................... 859
daysdiff ..................................................................................................................................... 860
regmatch ................................................................................................................................... 861
Specifying Fetch Attributes in a Realm ....................................................................... 861
Specifying the homeDirectory Attribute for LDAP .................................................... 862

Part 6 Index
Index ................................................................................................................................................... 865

xxii © 2015 by Pulse Secure, LLC. All rights reserved.


List of Figures
Part 1 Getting Started
Chapter 1 Pulse Policy Secure ............................................................................................................... 3
Figure 1: 802.1X Layer 2 with the Infranet Enforcer ................................................................ 6
Figure 2: Layer 3 with the Infranet Enforcer ............................................................................... 6
Figure 3: 802.1X Layer 2 without the Infranet Enforcer ......................................................... 6
Chapter 2 Initial Configuration .................................................................................................................9
Figure 4: Configuration and Installation Overview ........................................................... 38
Figure 5: Junos Pulse Role Mapping Rule ............................................................................... 68
Chapter 3 Deployments with ScreenOS and Junos OS Infranet Enforcers ......................... 77
Figure 6: Binding the Interfaces ...................................................................................................85
Figure 7: Binding a Physical Interface to a Security Zone ................................................100
Figure 8: Captive Portal Event Flow ......................................................................................... 109
Figure 9: Multiple vsys in Shared and Unshared Zones ..................................................... 117
Figure 10: Layer 3 Authentication with Overlapping IP Addresses ................................. 119
Figure 11: IF-MAP Authentication with Overlapping IP Addresses ................................. 120
Figure 12: Using an IP Address Pool in a NAT Environment ........................................... 131
Figure 13: Policy Interaction ........................................................................................................ 145
Figure 14: Using Auth Table Mapping Policies.................................................................. 153
Chapter 5 Layer 2 Network Access Control Policies .............................................................. 165
Figure 15: Policy Secure gateway as a RADIUS Server for an 802.1X Network Access
Device...........................................................................................................................................179
Figure 16: Using Location Groups to Group Network Access Devices .......................... 182
Figure 17: 802.1X Deployment with the EX4200 Switch .................................................. 201
Figure 18: Using a RADIUS Attributes Policy to Specify VLANs for Endpoints . . 208
Chapter 7 User Role Access with the SRX Series Firewall .......................................................215
Figure 19: Example Configuration .............................................................................................. 219

Part 2 Access Management Framework


Chapter 8 General Access Management .................................................................................... 231
Figure 20: Access Management Sequence for Realm and Role Restrictions . . . 234
Figure 21: IC Series Authenticates User Against Realm and Primary Server 235
Figure 22: IC Series Authorizes User .................................................................................. 236
Figure 23: IC Series Maps User to One or More User Roles and Pushes
Policies ............................................................................................................................... 236
Figure 24: OAC and Infranet Enforcer Evaluate Policies Based on User Roles . . . 237
Figure 25: Infranet Enforcer Allows or Denies Access Based on Policy Match . . . 239
Figure 26: Requirements for Pulse Session Migration ....................................................257

© 2015 by Pulse Secure, LLC. All rights reserved. xxiii


Pulse Policy Secure Administration Guide

Chapter 9 User Roles ............................................................................................................................... 261


Figure 27: Security Checks Performed by the IC Series to Create a Session
Role ............................................................................................................................................. 263
Chapter 10 AAA Servers............................................................................................................................ 279
Figure 28: Local Authentication Server Configuration Page ................................................ 283
Figure 29: User Account Configuration Page ............................................................................ 286
Figure 30: User Accounts Table ............................................................................................................ 288
Figure 31: Update User Account Configuration Page ............................................................ 289
Figure 32: Admin Users Configuration Page.............................................................................. 290
Figure 33: New Active Directory/Windows NT Server Configuration Page ............. 293
Figure 34: New Active Directory Legacy Mode Configuration Page ................................. 298
Figure 35: User Accounts Table ...............................................................................................................303
Figure 36: Anonymous Server Configuration Page – Pulse Policy Secure . . . 310
Figure 37: Anonymous Server Configuration Page – Pulse Connect Secure.............. 310
Figure 38: User Access Log ......................................................................................................... 311
Figure 39: Certificate Server Configuration Page – Pulse Policy Secure ................... 313
Figure 40: Certificate Server Configuration Page – Pulse Connect Secure ............ 314
Figure 41: User Accounts Table ................................................................................................................316
Figure 42: LDAP Server Configuration Page – Pulse Policy Secure ............................ 318
Figure 43: LDAP Server Configuration Page – Pulse Connect Secure ...................... 319
Figure 44: User Accounts Table ...............................................................................................................323
Figure 45: New MAC Address Authentication Server Configuration Page ................... 331
Figure 46: User Accounts Table ...............................................................................................................333
Figure 47: Endpoint Profiler and Pulse Policy Secure Deployment ............................... 335
Figure 48: Beacon System Login Prompt......................................................................... 336
Figure 49: Beacon Setup Dialog Box ........................................................................................ 337
Figure 50: License Key Page During Validation ................................................................. 338
Figure 51: License Key Page After Validation ......................................................................... 338
Figure 52: Endpoint Profiles Management Page ................................................................... 339
Figure 53: Endpoint Profiles Listing ......................................................................................... 339
Figure 54: Endpoint Profiles VoIP Phone Listing ................................................................... 340
Figure 55: PolyComVOIP Profile Configuration Page ............................................................... 341
Figure 56: Selecting and Enabling LDAP for All Profiles .................................................... 342
Figure 57: Integrations Management Page................................................................................. 342
Figure 58: Update Beacon Modules Page ................................................................................. 343
Figure 59: Configure Beacon Modules Page .............................................................................. 343
Figure 60: Modules Stopped ..................................................................................................... 344
Figure 61: Modules Running ....................................................................................................... 344
Figure 62: Authentication Protocol Sets ................................................................................. 345
Figure 63: Authentication Protocol Sets............................................................................... 346
Figure 64: Selecting a New LDAP Authentication Server ............................................... 346
Figure 65: LDAP Authentication Server Settings .............................................................. 348
Figure 66: LDAP Authentication Server Settings with LDAPS Option and Port
636 Enabled ........................................................................................................................... 350
Figure 67: LDAP Server Catalog ............................................................................................... 350
Figure 68: LDAP Server Query Results ..................................................................................... 351
Figure 69: Selecting a New MAC Address Authentication Server .............................. 352
Figure 70: MAC Address Authentication Server Settings .................................................. 352

xxiv © 2015 by Pulse Secure, LLC. All rights reserved.


List of Figures

Figure 71: User Role General Configuration .......................................................................... 353


Figure 72: User Role Agent Configuration ............................................................................. 354
Figure 73: User Role Agentless Configuration ...................................................................... 354
Figure 74: MAC Address Authentication Realm Settings .................................................. 355
Figure 75: MAC Address Authentication Realm Role Mapping Settings..................... 356
Figure 76: MAC Address Authentication Realm Role Mapping Rule Summary . . 357
Figure 77: Location Group Settings.......................................................................................... 358
Figure 78: RADIUS Client Settings .......................................................................................... 358
Figure 79: RADIUS Return Attribute Policy Settings ............................................................ 359
Figure 80: NIS Server Configuration Page – Pulse Policy Secure ........................... 369
Figure 81: NIS Server Configuration Page – Pulse Connect Secure .......................... 370
Figure 82: User Accounts Table ..............................................................................................................371
Figure 83: RADIUS Server Configuration Page – Pulse Policy Secure .................. 384
Figure 84: RADIUS Server Configuration Page – Pulse Connect Secure ............ 385
Figure 85: User Accounts Table ............................................................................................................ 390
Figure 86: ACE Server Configuration Page – Pulse Policy Secure ......................... 393
Figure 87: ACE Server Configuration Page – Pulse Connect Secure ................... 394
Figure 88: User Accounts Table .......................................................................................................... 396
Figure 89: SiteMinder Server Configuration Page – Pulse Policy Secure ............. 405
Figure 90: SiteMinder Server Configuration Page – Pulse Connect Secure ...... 406
Figure 91: SiteMinder Advanced Settings – Pulse Policy Secure ................................... 411
Figure 92: SiteMinder Advanced Settings – Pulse Connect Secure .......................... 412
Figure 93: User Accounts Table...............................................................................................................415
Figure 94: SQL Server Configuration Page .................................................................................. 420
Figure 95: User Accounts Table ...............................................................................................................423
Chapter 11 Authentication Realms .........................................................................................................425
Figure 96: MAC Address Authentication Realm Configuration Page............................... 430
Figure 97: Adding an Attribute for LDAP in the Server Catalog ....................................... 437
Figure 98: Adding LDAP Groups .......................................................................................... 438
Figure 99: Adding Active Directory Groups ....................................................................... 440
Chapter 12 IF-MAP Federation ..........................................................................................................443
Figure 100: IF-MAP Overview ............................................................................................. 445
Figure 101: Federation IF-MAP Topology ..................................................................................... 446
Figure 102: Session-Import and Session-Export Policies ............................................... 456
Figure 103: Replication of IF-MAP Servers............................................................................. 464
Figure 104: IF-MAP Server Clustering................................................................................... 466
Figure 105: IF-MAP Federation in a Heterogeneous Network with IDP ...................... 468
Chapter 13 Sign-in Policies .................................................................................................................. 471
Figure 106: Realm Selection, Phase 1 .................................................................................. 477
Figure 107: Realm Selection, Phase 2 ................................................................................. 478
Figure 108: Realm Selection, Phase 3 .............................................................................. 479

Part 3 Endpoint Defense


Chapter 14 Host Checker ......................................................................................................................... 489
Figure 109: SOH Integration with a Network Policy Server ................................................ 528

© 2015 by Pulse Secure, LLC. All rights reserved. xxv


Pulse Policy Secure Administration Guide

Part 4 System Management


Chapter 15 Network and Host Administration ................................................................................547
Figure 110: Internal Port Configuration Page ............................................................................. 550
Figure 111: Internal Port SAS Configuration Page ..................................................................... 551
Figure 112: External Port Configuration Page............................................................................. 554
Figure 113: External Port SAS Configuration Page .................................................................. 555
Figure 114: Management Port Configuration Page – Pulse Policy Secure . . . 559
Figure 115: Management Port Configuration Page – Pulse Connect Secure ........... 560
Figure 116: VLAN Port Configuration Page................................................................................ 564
Figure 117: VLAN Port SAS Configuration Page........................................................................ 565
Figure 118: Virtual Port Configuration Page ................................................................................567
Figure 119: Virtual Port SAS Configuration Page ......................................................................567
Figure 120: Certificate Details Page ............................................................................................... 569
Figure 121: Date and Time Configuration Page – Pulse Policy Secure .........................572
Figure 122: Date and Time Configuration Page – Pulse Connect Secure ..................573
Figure 123: Network Services Configuration Page ................................................................... 575
Figure 124: Network Services SAS Configuration Page .........................................................576
Figure 125: Routes Table ..............................................................................................................................578
Figure 126: Routes Table for SAS ....................................................................................................578
Figure 127: Hosts Table – Pulse Policy Secure .................................................................. 579
Figure 128: Hosts Table – Pulse Connect Secure .......................................................... 579
Figure 129: ARP Table .................................................................................................................................580
Figure 130: ARP Cache Table .................................................................................................................. 581
Figure 131: Neighbor Discovery Table .................................................................................................. 582
Figure 132: Neighbor Discovery Table for SAS .......................................................................... 582
Figure 133: SSL Options Configuration Page............................................................................. 584
Figure 134: Miscellaneous Security Options Configuration Page ....................................587
Figure 135: Serial Console Menu .........................................................................................589
Chapter 16 Certificate Security Administration ............................................................................. 593
Figure 136: Security Alert When the Device Certificate Is Not Issued by a Trusted
CA ................................................................................................................................................ 596
Figure 137: Device Certificates Management Page – Pulse Policy Secure – Pulse
Policy Secure...................................................................................................................... 597
Figure 138: Device Certificates Management Page – Pulse Connect Secure . . . 597
Figure 139: Import Certificate and Key Page ............................................................................. 598
Figure 140: New Certificate Signing Request ...................................................................... 600
Figure 141: Pending Certificate Signing Request ................................................................. 601
Figure 142: Intermediate CAs Management Page .................................................................. 602
Figure 143: Renew Certificate Page ...............................................................................................604
Figure 144: Certificate Details Page ............................................................................................ 606
Figure 145: Trusted Client CA Management Page – Pulse Policy Secure.................. 612
Figure 146: Trusted Client CA Management Page – Pulse Connect Secure ............ 612
Figure 147: Import Trusted Client CA Page ................................................................................. 612
Figure 148: Trusted Client CA Details Page ............................................................................... 613
Figure 149: Auto-Import Options Page ....................................................................................... 614
Figure 150: Trusted Client CA Details Page ............................................................................... 616
Figure 151: CRL Checking Options .......................................................................................618
Figure 152: OCSP Options Page ...................................................................................................... 619

xxvi © 2015 by Pulse Secure, LLC. All rights reserved.


List of Figures

Figure 153: Responder Signer Certificate Page........................................................................ 620


Figure 154: Proxy Settings Page ....................................................................................................... 622
Figure 155: Trusted Server CA Management Page – Pulse Policy Secure . . . 624
Figure 156: Trusted Server CA Management Page – Pulse Connect Secure .............. 624
Figure 157: Import Trusted Server CA Page................................................................................ 624
Figure 158: Trusted Server CA Details Page .............................................................................. 626
Figure 159: Configuring the External Port for IPv4 ......................................................... 629
Figure 160: Creating the Virtual Port on the External Port ............................................... 630
Figure 161: Creating an ECC P-256 Certificate Signing Request .................................... 631
Figure 162: CSR Successfully Created ..................................................................................... 631
Figure 163: Pending CSR ............................................................................................................. 632
Figure 164: Associating the ECC P-256 With The External Virtual Port
p_ecdsa256 ....................................................................................................................... 633
Figure 165: Setting Custom SSL Cipher Selections ........................................................ 634
Figure 166: Confirming Custom Ciphers .......................................................................... 635
Chapter 17 FIPS Level 1 Support (Software FIPS).............................................................. 637
Figure 167: Enabling FIPS Level 1 Support.......................................................................... 640
Figure 168: Example of Allowed Encryption Strengths................................................... 641
Figure 169: Events Log Entries for FIPS Level 1................................................................. 642
Figure 170: Admin Access Logs for FIPS Level 1 Encryption Strength Changes . . 642
Figure 171: Connecting to a Port Using an ECC Curve P-256 Certificate ...................... 642
Figure 172: Viewing the Connection Certificate Information ........................................ 643
Figure 173: Certificate Public Key.................................................................................................... 643
Figure 174: Viewing the TCP Dump Output ....................................................................... 644
Figure 175: Issued to Certificate on the Device Certificates Pages ................................ 644
Chapter 18 Configuration File Administration ................................................................................ 657
Figure 176: Archiving Configuration Page – Pulse Policy Secure .............................. 660
Figure 177: Archiving Configuration Page – Pulse Connect Secure .............................. 661
Figure 178: Local Backups Management Page – Pulse Policy Secure ...................... 664
Figure 179: Local Backups Management Page – Pulse Connect Secure ................. 665
Figure 180: Export Binary System Configuration File Configuration Page – Pulse
Policy Secure .................................................................................................................... 667
Figure 181: Export Binary System Configuration File Configuration Page – Pulse
Connect Secure............................................................................................................... 668
Figure 182: Import Binary System Configuration File Configuration Page ................... 669
Figure 183: Binary Export User Configuration File Configuration Page – Pulse Policy
Secure ................................................................................................................................. 672
Figure 184: Binary Export User Configuration File Configuration Page – Pulse
Connect Secure .............................................................................................................. 672
Figure 185: Import User Configuration Binary File Configuration Page ......................... 673
Figure 186: Export XML File Configuration Page – Pulse Policy Secure ................... 676
Figure 187: Export XML File Configuration Page – Pulse Connect Secure ........... 677
Figure 188: Import XML File Configuration Page...................................................................... 679
Figure 189: Object Referential Integrity Constraints ....................................................... 685
Figure 190: Push Configuration Target List and Source Device Settings Page – Pulse
Policy Secure .................................................................................................................... 692
Figure 191: Push Configuration Target List and Source Device Settings Page – Pulse
Connect Secure............................................................................................................... 692

© 2015 by Pulse Secure, LLC. All rights reserved. xxvii


Pulse Policy Secure Administration Guide

Figure 192: Push Configuration Targets Configuration Page .............................................. 693


Figure 193: Push Configuration Selected Settings Page .................................................... 694
Figure 194: Push Configuration Results Page ........................................................................... 697
Chapter 19 System Maintenance ......................................................................................................699
Figure 195: System Maintenance Options Configuration Page ......................................... 701
Figure 196: Software Upgrade Page .............................................................................................. 705
Figure 197: Software Upgrade Status Page.................................................................................. 706
Figure 198: System Maintenance Platform Page .................................................................. 708
Figure 199: System Maintenance Client Installers Page – Access Control
Service ................................................................................................................................ 709
Figure 200: System Maintenance Client Installers Page – Pulse Connect
Secure ................................................................................................................................. 710
Figure 201: System Maintenance Platform Page ...................................................................... 712
Figure 202: System Maintenance Platform Page ....................................................................... 713
Chapter 20 Logging and Monitoring .................................................................................................. 715
Figure 203: Log Events Settings Configuration Page.............................................................. 717
Figure 204: SNMP Configuration Page – Pulse Policy Secure ............................... 720
Figure 205: SNMP Configuration Page – Pulse Connect Secure ................................ 721
Figure 206: Syslog Server Configuration Page – Pulse Policy Secure ................... 729
Figure 207: Syslog Server Configuration Page – Pulse Connect Secure ............ 730
Figure 208: Client Logs Configuration Page ............................................................................... 731
Figure 209: System Status Page – Pulse Policy Secure ................................................ 732
Figure 210: System Status Page – Pulse Connect Secure ........................................... 733
Figure 211: System Status Settings Configuration Page....................................................... 734
Figure 212: System Maintenance Page – Pulse Policy Secure ..................................... 736
Figure 213: System Maintenance Page – Pulse Connect Secure .............................. 736
Figure 214: System Active Users Page – Pulse Policy Secure ..................................... 738
Figure 215: System Active Users Page – Pulse Connect Secure................................. 738
Figure 216: Events Logs Page – Pulse Policy Secure ..................................................... 740
Figure 217: Events Logs Page – Pulse Connect Secure.................................................... 741
Figure 218: Log Filters Page .............................................................................................................. 744
Figure 219: Log Filters Page – Pulse Connect Secure ................................................... 745
Figure 220: New Filter Page – Pulse Policy Secure ........................................................ 746
Figure 221: Using IP Address Filters ........................................................................................ 748
Figure 222: User Statistics Page – Pulse Policy Secure ................................................. 749
Figure 223: User Statistics Page – Pulse Connect Secure ........................................... 749
Chapter 21 Troubleshooting Tools............................................................................................................... 751
Figure 224: Policy Tracing Configuration Page – Pulse Policy Secure ....................... 753
Figure 225: Policy Tracing Page During Recording .............................................................. 755
Figure 226: Policy Tracing Results Page ...................................................................................... 756
Figure 227: Debug Logging Configuration Page – Pulse Policy Secure .................... 758
Figure 228: Debug Logging Configuration Page – Pulse Connect Secure ........... 758
Figure 229: RADIUS Diagnostic Logging Configuration Page............................................. 760
Figure 230: TCP Dump Configuration Page – Pulse Policy Secure ........................... 761
Figure 231: TCP Dump Configuration Page – Pulse Connect Secure .................... 761
Figure 232: Network Troubleshooting Commands Configuration Page – Pulse
Policy Secure.................................................................................................................... 763

xxviii © 2015 by Pulse Secure, LLC. All rights reserved.


List of Figures

Figure 233: Network Troubleshooting Commands Configuration Page – Pulse


Connect Secure .............................................................................................................. 764
Figure 234: Successful TCP Port Probe ................................................................................. 767
Figure 235: Unsuccessful UDP Port Probe.......................................................................... 768
Figure 236: Network Troubleshooting Commands Configuration Page – Pulse
Policy Secure .................................................................................................................. 769
Figure 237: Network Troubleshooting Commands Configuration Page – Pulse
Connect Secure .............................................................................................................. 769
Figure 238: Kerberos Debugging Utility Configuration Page.............................................. 770
Figure 239: Remote Debugging Configuration Page – Pulse Policy Secure . . . 771
Figure 240: Remote Debugging Configuration Page – Pulse Connect Secure. . 772
Chapter 22 Clustering .......................................................................................................................... 773
Figure 241: Active/Passive Clustering ..................................................................................... 781
Figure 242: Active/Active Clustering....................................................................................... 783
Chapter 25 Deployments with IDP ..................................................................................................813
Figure 243: IC Series and Standalone IDP Topology ............................................................... 815
Figure 244: IC Series and ISG-IDP Topology............................................................................... 816
Figure 245: IDP in a Layer 2 Deployment ........................................................................... 816

© 2015 by Pulse Secure, LLC. All rights reserved. xxix


Pulse Policy Secure Administration Guide

xxx © 2015 by Pulse Secure, LLC. All rights reserved.


List of Tables
About This Guide .........................................................................................................xxxv
Table 1: Notice Icons ............................................................................................................ xxxvi
Table 2: Text Conventions .................................................................................................. xxxvi

Part 1 Getting Started


Chapter 2 Initial Configuration ................................................................................................................. 9
Table 3: Summary of Actions Required to Configure the Pulse Policy Secure Solution
.................................................................................................................................................11
Table 4: Configuration Topics .............................................................................................................. 12
Table 5: Scenarios and Methods of Deployment ............................................................. 19
Table 6: Initial OAC Configuration Settings............................................................................... 23
Table 7: Configurable Parameters for Pulse Connection Sets............................................. 40
Table 8: Pulse Components ..........................................................................................................52
Table 9: Pulse Launcher Arguments ......................................................................................61
Table 10: Pulse Launcher Return Codes .................................................................................62
Chapter 3 Deployments with ScreenOS and Junos OS Infranet Enforcers ........................... 77
Table 11: Junos Enforcer Features ................................................................................................ 82
Table 12: ScreenOS Options......................................................................................................92
Table 13: Configuration Topics........................................................................................................ 126
Table 14: Syntax for IP Address Pools ....................................................................................... 133
Chapter 4 Deployments with EX Series Ethernet Switches...................................................... 157
Table 15: EX Series Switches and Filter Term Limitations .............................................. 161
Chapter 5 Layer 2 Network Access Control Policies ...............................................................165
Table 16: Authentication Protocols ......................................................................................... 170
Table 17: Authentication Protocol Set Configuration Guidelines .................................. 172
Table 18: RADIUS Event Time Limits ................................................................................... 176
Table 19: Valid Data Types ................................................................................................................. 188
Chapter 7 User Role Access with the SRX Series Firewall ......................................................... 215
Table 20: Understanding Log Messages Related to Active Directory and
SPNEGO .............................................................................................................................. 225

Part 2 Access Management Framework


Chapter 8 General Access Management .....................................................................................231
Table 21: DNS Hostname Special Characters ........................................................................ 250
Table 22: Port Possible Values......................................................................................................... 250
Table 23: Before you Configure a Host Enforcer Policy................................................... 252

© 2015 by Pulse Secure, LLC. All rights reserved. xxxi


Pulse Policy Secure Administration Guide

Table 24: Examples of Specifying Resources in a Host Enforcer Policy ..................... 254
Chapter 10 AAA Servers............................................................................................................................ 279
Table 25: Supported AAA Servers ........................................................................................... 280
Table 26: Local Authentication Server Settings................................................................. 284
Table 27: User Account Configuration Settings ................................................................... 286
Table 28: Active Directory Mode Settings ............................................................................... 294
Table 29: Active Directory Legacy Mode Settings.............................................................. 299
Table 30: Anonymous Server Settings ...................................................................................... 310
Table 31: Certificate Server Settings ......................................................................................... 314
Table 32: LDAP Server Settings ................................................................................................ 320
Table 33: Supported Password Management Functions ............................................... 325
Table 34: AD/NT Password Management Matrix ............................................................. 327
Table 35: MAC Address Authentication Server Settings .................................................... 331
Table 36: Key LDAP Authentication Server Settings ......................................................... 347
Table 37: Key MAC Address Authentication Realm Settings ........................................... 355
Table 38: Key MAC Address Authentication Realm Role Mapping Settings........... 356
Table 39: NIS Server Settings ................................................................................................... 370
Table 40: RADIUS Attributes ....................................................................................................... 374
Table 41: Attributes Common to Start and Stop Messages ............................................. 381
Table 42: Start Attributes .............................................................................................................. 382
Table 43: Stop Attributes .............................................................................................................. 382
Table 44: RADIUS Server Settings .......................................................................................... 386
Table 45: Sign-in Methods ..................................................................................................... 391
Table 46: ACE Server Settings ................................................................................................... 394
Table 47: SiteMinder Server Settings .................................................................................... 407
Table 48: SiteMinder Advanced Configuration Options ................................................. 413
Table 49: SQL Statement Format Specifiers ...................................................................... 418
Table 50: SQL Statement Parameter Names and Types .................................................... 418
Table 51: Password Hash Format .......................................................................................... 419
Table 52: SQL Server Settings ................................................................................................... 420
Table 53: Oracle Error Codes .................................................................................................... 424
Chapter 11 Authentication Realms .........................................................................................................425
Table 54: MAC Address Authentication Realm Configuration Guidelines ................. 431
Chapter 13 Sign-in Policies .................................................................................................................. 471
Table 55: RADIUS Sub-Protocols and Compatible Authentication Servers............ 475

Part 3 Endpoint Defense


Chapter 14 Host Checker ......................................................................................................................... 489
Table 56: Wildcard Characters for Specifying a File Name or Process Name............. 511
Table 57: Environment Variables for Specifying a Directory Path on Windows . . . 511
Table 58: Environment Variables for Specifying a Directory Path on Macintosh,
Linux and Solaris ............................................................................................................ 511

Part 4 System Management


Chapter 15 Network and Host Administration ................................................................................ 547
Table 59: Internal Port Configuration Guidelines .............................................................. 551

xxxii © 2015 by Pulse Secure, LLC. All rights reserved.


List of Tables

Table 60: External Port Configuration Guidelines............................................................... 555


Table 61: Management Port Configuration Guidelines .................................................... 560
Table 62: VLAN Port Configuration Guidelines.................................................................. 565
Table 63: Virtual Port Configuration Guidelines ............................................................... 567
Table 64: Date and Time Configuration Guidelines ........................................................ 573
Table 65: Network Services Configuration Guidelines .................................................... 576
Table 66: Routes Table Controls ................................................................................................ 578
Table 67: Hosts Table Controls .................................................................................................. 579
Table 68: ARP Table Controls................................................................................................... 581
Table 69: Neighbor Discovery Table Controls ....................................................................... 582
Table 70: SSL Options Configuration Guidelines ............................................................. 586
Table 71: Miscellaneous Security Options Configuration Guidelines ......................... 587
Table 72: Serial Console Menu Options ............................................................................. 590
Chapter 16 Certificate Security Administration .............................................................................. 593
Table 73: Auto-Import Options Settings................................................................................. 614
Table 74: Trusted Client CA Settings ....................................................................................... 617
Table 75: OCSP Options Settings.............................................................................................. 619
Table 76: Responder Signer Certificate Settings ................................................................. 620
Table 77: Proxy Settings ............................................................................................................... 622
Chapter 17 FIPS Level 1 Support (Software FIPS).............................................................. 637
Table 78: Supported Cipher Suites With FIPS Level 1 Support Off, Hardware
Acceleration Enabled and RSA Server Certificates In Use ................................... 648
Table 79: Supported Cipher Suites With FIPS Level 1 Support Off, Hardware
Acceleration Enabled and ECC Server Certificates In Use .................................. 649
Table 80: Supported Cipher Suites With FIPS Level 1 Support Off, Hardware
Acceleration Enabled and RSA Server Certificates In Use ................................... 650
Table 81: Supported Cipher Suites With FIPS Level 1 Support Off, Hardware
Acceleration Disabled and ECC Server Certificates In Use ................................... 651
Table 82: Supported Cipher Suites With FIPS Level 1 Support On and ECC Server
Certificates In Use ........................................................................................................... 653
Table 83: Supported Cipher Suites With FIPS Level 1 Support On and RSA Server
Certificates In Use ........................................................................................................... 654
Chapter 18 Configuration File Administration ................................................................................ 657
Table 84: Utilities for Configuration File Administration ................................................... 657
Table 85: Archiving Configuration Guidelines................................................................... 662
Table 86: Local Backups Management Guidelines.......................................................... 665
Table 87: Export Binary System Configuration File Configuration and Action
Guidelines .......................................................................................................................... 668
Table 88: Import Binary System Configuration File Configuration and Action
Guidelines .......................................................................................................................... 669
Table 89: Binary Export User Configuration File Configuration and Action
Guidelines .......................................................................................................................... 673
Table 90: Import Binary User Configuration File Configuration and Action
Guidelines .......................................................................................................................... 673
Table 91: XML Import/Export Guidelines and Limitations ............................................ 675
Table 92: Export XML File Configuration and Action Guidelines .................................. 678
Table 93: Import XML File Configuration and Action Guidelines.................................. 679

© 2015 by Pulse Secure, LLC. All rights reserved. xxxiii


Pulse Policy Secure Administration Guide

Table 94: Structured XML Files: Basic Information and Guidelines............................681


Table 95: Legal Operator Attribute Relationships ........................................................... 687
Table 96: Push Configuration Guidelines and Limitations............................................. 691
Table 97: Push Configuration Target Source Device Configuration Options ............. 692
Table 98: Push Configuration Targets Configuration Guidelines .................................. 693
Table 99: Push Configuration Selected Settings and Action Guidelines................... 694
Chapter 19 System Maintenance ......................................................................................................699
Table 100: System Maintenance Options Configuration Guidelines ............................ 701
Chapter 20 Logging and Monitoring .................................................................................................. 715
Table 101: Event Log Severity Levels......................................................................................... 715
Table 102: Log Events Settings .................................................................................................. 717
Table 103: SNMP Configuration Settings ................................................................................ 721
Table 104: MIB Objects ........................................................................................................... 724
Table 105: Syslog Server Configuration Guidelines .......................................................... 730
Table 106: Hardware Status Information ............................................................................ 736
Table 107: RAID and Hard Drive Status for Policy Secure gateways............................. 737
Table 108: RAID and Hard Drive Status for the MAG-SM360 ..................................... 737
Table 109: Active Users Page .......................................................................................................... 739
Table 110: Log Management Features.................................................................................... 741
Table 111: Filter Settings.............................................................................................................. 746
Chapter 21 Troubleshooting Tools............................................................................................................... 751
Table 112: Policy Trace Configuration Guidelines............................................................. 753
Table 113: Post-Trace Options .............................................................................................. 756
Table 114: Debug Log Configuration Guidelines............................................................... 758
Table 115: RADIUS Debug Log Configuration Guidelines.............................................. 760
Table 116: Debug Log Configuration Guidelines.............................................................. 761
Table 117: Network Troubleshooting Commands Configuration Guidelines ............. 765
Table 118: Kerberos Debugging Utility Configuration Guidelines............................... 770
Table 119: Remote Debugging Configuration and Action Guidelines ........................ 772
Chapter 22 Clustering .......................................................................................................................... 773
Table 120: License Distribution Examples............................................................................. 775
Table 121: Cluster Status Page Information ...................................................................... 791
Table 122: IP Address and Serial Number Combinations .............................................. 794
Table 123: Cluster Status ............................................................................................................. 795

Part 5 Appendix
Chapter 26 Policy Secure gateway 4500 and 6500 ...................................................................829
Table 124: Device Status LEDs .............................................................................................. 831
Table 125: 4-Port Copper Gigabit Ethernet LEDs (available on IC4500 and
IC6500)............................................................................................................................... 831
Chapter 27 Using the IC6500 FIPS Appliance (Hardware FIPS) ..................................... 835
Table 126: FIPS Device Status LEDs ................................................................................... 841
Chapter 28 Custom Expressions and System Variables Reference......................................... 843
Table 127: Custom Expression Elements ............................................................................ 844
Table 128: System Variables and Examples ....................................................................... 849

xxxiv © 2015 by Pulse Secure, LLC. All rights reserved.


About This Guide

 Objectives on page xxxv


 Audience on page xxxv
 Documentation Conventions on page xxxv
 Documentation on page xxxvii
 Obtaining Documentation on page xxxvii
 Documentation Feedback on page xxxvii
 Requesting Technical Support on page xxxvii

Objectives

This guide describes basic configuration procedures for Pulse Policy Secure, formerly
known as Unified Access Control or Access Control Service. This document is part of the
Pulse Secure documentation set. Pulse Policy Secure is supported on the IC Series and
MAG Series platforms.

Audience

This guide is designed for network administrators who are configuring and maintaining
the Policy Secure. To use this guide, you need a broad understanding of networks in
general and the Internet in particular, networking principles, and network configuration.
Any detailed discussion of these concepts is beyond the scope of this guide.

Documentation Conventions

Table 1 on page xxxvi defines the notice icons used in this guide. Table 2 on page xxxvi defines
text conventions used throughout this documentation.

© 2015 by Pulse Secure, LLC. All rights reserved. xxxv


Pulse Policy Secure Administration Guide

Table 1: Notice Icons


Icon Meaning Description

Informational note Indicates important features or instructions.

Caution Indicates a situation that might result in loss of data or hardware damage.

Warning Alerts you to the risk of personal injury or death.

Laser warning Alerts you to the risk of personal injury from a laser.

Table 2: Text Conventions

Convention Description Examples


Bold text like this  Represents keywords, scripts, and tools in  Specify the keyword exp-msg.
text.  Run the install.sh script.
 Represents a GUI element that the user  Use the pkgadd tool.
selects, clicks, checks, or clears.
 To cancel the configuration, click Cancel.

Bold text like this Represents text that the user must type. user@host# set cache-entry-age
cache-entry-age

Fixed-width text like this Represents information as displayed on your nic-locators {


terminal’s screen, such as CLI commands in login {
output displays. resolution {
resolver-name /realms/
login/A1;
key-type LoginName;
value-type SaeId;
}

Regular sans serif typeface  Represents configuration statements.  system ldap server{
 Indicates SRC CLI commands and options stand-alone;
in text.  Use the request sae modify device failover
 Represents examples in procedures. command with the force option
 Represents URLs.  user@host# . . .
 http://www.juniper.net/techpubs/software/
management/sdx/api-index.html

Italic sans serif typeface Represents variables in SRC CLI commands. user@host# set local-address
local-address

Angle brackets In text descriptions, indicate optional Another runtime variable is <gfwif>.
keywords or variables.

Key name Indicates the name of a key on the keyboard. Press Enter.

xxxvi © 2015 by Pulse Secure, LLC. All rights reserved.


About This Guide

Table 2: Text Conventions (continued)


Key names linked with a plus sign Indicates that you must press two or more Press Ctrl + b.
(+) keys simultaneously.

Italic typeface  Emphasizes words.  There are two levels of access: user and
 Identifies book names. privileged.

 Identifies distinguished names.  SRC-PE Getting Started Guide.

 Identifies files, directories, and paths in  o=Users, o=UMC


text but not in command examples.  The /etc/default.properties file.

Backslash At the end of a line, indicates that the text Plugin.radiusAcct-1.class=\


wraps to the next line. net.juniper.smgt.sae.plugin\
RadiusTrackingPluginEvent

Words separated by the | symbol Represent a choice to select one keyword or diagnostic | line
variable to the left or right of this symbol.
(The keyword or variable may be either
optional or required.)

Documentation

For a list of related Pulse Secure documentation, see


http://www.pulsesecure.net/support. If the information in the latest Pulse Secure
Release Notes differs from the information in the documentation, follow the Pulse
Secure Release Notes.

Obtaining Documentation

To obtain the most current version of all Pulse Policy Secure technical documentation,
see the products documentation page at http://www.juniper.net/techpubs.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve
the documentation. You can provide feedback by using one of the following methods:

 Document name

 Page number

 Software release version

Requesting Technical Support

Technical product support is available through the Pulse Secure Global Support
Center (PSGSC). If you have a support contract, then file a ticket with PSGSC.

© 2015 by Pulse Secure, LLC. All rights reserved. xxxvii


Pulse Policy Secure Administration Guide

 Product warranties—For product warranty information, visit


http://www.pulsesecure.net/support.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Pulse Secure, LLC has designed an online self-
service portal called the Customer Support Center (CSC) that provides you with the
following features:

 Find CSC offerings: http://www.pulsesecure.net/support

 Search for known bugs: http://www.pulsesecure.net/support

 Find product documentation: http://www.juniper.net/techpubs/

 Find solutions and answer questions using our Knowledge Base:


http://www.pulsesecure.net/support

 Download the latest versions of software and review release notes:


http://www.pulsesecure.net/support

 Search technical bulletins for relevant hardware and software notifications:


http://www.pulsesecure.net/support

 Join and participate in the Pulse Secure, LLC Community Forum:


http://www.pulsesecure.net/support

 Open a case online in the CSC Case Management tool: http://www.pulsesecure.net/support

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: http://www.pulsesecure.net/support

Opening a Case with PSGSC

You can open a case with PSGSC on the Web or by telephone.

 Use the Case Management tool in the PSGSC at http://www.pulsesecure.net/support.

 Call 1-888-314-5822 (toll-free in the USA, Canada, and Mexico).


For international or direct-dial options in countries without toll-free numbers, see
http://www.pulsesecure.net/support.

xxxviii © 2015 by Pulse Secure, LLC. All rights reserved.


PART 1

Getting Started
 Pulse Policy Secure on page 3
 Initial Configuration on page 9
 Deployments with ScreenOS and Junos OS Infranet Enforcers on page 77
 Deployments with EX Series Ethernet Switches on page 157
 Layer 2 Network Access Control Policies on page 165
 Deployments with Network and Security Manager on page 209
 User Role Access with the SRX Series Firewall on page 215

© 2015 by Pulse Secure, LLC. All rights reserved. 1


Pulse Policy Secure Administration Guide

2 © 2015 by Pulse Secure, LLC. All rights reserved.


CHAPTER 1

Pulse Policy Secure

 Understanding the Pulse Policy Secure Solution on page 3

Understanding the Pulse Policy Secure Solution

This topic provides an overview of the Pulse Policy Secure solution. It includes the
following information:

 Pulse Policy Secure Solution Overview on page 3


 Pulse Policy Secure Components on page 4
 The Pulse Policy Secure Solution in the Network on page 5
 How the Pulse Policy Secure Determines User Access and Protects
Resources on page 7

Pulse Policy Secure Solution Overview


The Pulse Policy Secure solution provides a mechanism for authenticating users and
assessing the health of their host machines to control network access.

The Pulse Policy Secure solution coordinates network security compliance and provides
the control required to support network applications, manage network use, and reduce
threats from unauthorized users and compromised host machines attempting
to access the network.

Youconfigure rules in Host Checker policies to specify the minimum criteria for the security
compliance of host machines that are allowed to enter the network.

The policies that you create control access for users, the client or agent that users access
the network with, and the host machine or endpoint on which the clients run.

Policy enforcement is through Juniper Networks firewalls (the ScreenOS Enforcer or the
Junos Enforcer, collectively named Infranet Enforcers), 802.1X enabled switches, wireless
access points, and/or packet filters configured on the endpoints. Additionally, you can
deploy Juniper Networks Intrusion Detection and Prevention (IDP) as an enforcement
point.

The Pulse Policy Secure solution can also provide access control for unmanageable
devices like printers or IP phones using MAC address authentication.

© 2015 by Pulse Secure, LLC. All rights reserved. 3


Pulse Policy Secure Administration Guide

Pulse Policy Secure Components


The Pulse Policy Secure solution consists of these Pulse Secure components:

 Pulse Policy Secure—A central policy management server that validates the user’s
identity, determines the endpoint’s security compliance, and manages network policies.
The Pulse Policy Secure pushes the policies to the endpoint and optionally, to the
Infranet Enforcer.

 UAC agent—The Pulse Policy Secure solution uses a UAC agent to connect with
endpoints. The UAC agent is client software that runs on the endpoint and determines
the endpoint’s compliance to the enterprise security policies you specify. The UAC
agent communicates with the Pulse Policy Secure to verify the endpoint’s continued
compliance with the policies using the built-in Host Checker.

NOTE: You can also deploy the Pulse Policy Secure solution to endpoints
with a subset of features using a non-UAC agent such as a non-Pulse
Secure 802.1X supplicant. This overview focuses on using a UAC agent.

You can use the following UAC agents:

 Odyssey Access Client (OAC)—You can configure the Policy Secure gateway to
automatically install OAC on supported Windows endpoints. You can manually
install OAC on Macintosh endpoints. OAC includes built-in components (including
Host Checker) to provide maximum protection and functionality.

 Pulse Secure Client—UAC provides a single, dynamic, integrated multiservice client


for Windows. Pulse is an intelligent, location-aware network access and
acceleration client. Pulse delivers identity-enabled network security and access
control, providing comprehensive endpoint security. Host Checker is integrated
into Pulse.

In addition to using the client with a Pulse Policy Secure deployment, Pulse
supports the Pulse Connect Secure platform, WAN acceleration (WX), and Juniper
Networks SRX Series devices as a dynamic virtual private network (VPN) client.

 Java agent—For Linux endpoints, you can install a lightweight Java agent. With the
Java agent, Host Checker is downloaded automatically to assess and monitor
endpoint security.

 Host Checker (agentless)—You can configure the Policy Secure gateway to


automatically install Host Checker for agentless access deployments on
Windows, Macintosh, Linux or Solaris endpoint platforms. You use agentless
access for endpoints onto which you do not want to download OAC, Pulse, or the
Java agent.

NOTE: In this guide and other Pulse Policy Secure documentation, the
names OAC, Pulse, Java agent, and agentless Host Checker access
refer to the specific type of UAC agent.

4 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 1: Pulse Policy Secure

 Enforcement points—Devices that dynamically enforce access policies for protected


resources. You can control user access with Layer 2 or Layer 3 enforcement. The
following types of devices can be used as UAC enforcement points:

 Infranet Enforcer—A Juniper Networks security device is an optional component that


operates with the Policy Secure gateway to enforce access policies. You can use the
ScreenOS Enforcer in Layer 2 and Layer 3 deployments. An SRX series services
gateway can be used in Layer 3 deployments. The Infranet Enforcer is deployed in
front of servers and resources that you want to protect, and serves as a firewall to
enforce the security policies that you configure to control access to protected
resources.

 802.1X devices—You can use IEEE 802.1X-enabled switches or access points with
Pulse Policy Secure solution components to control access to the network using
Layer 2 authentication. The 802.1X protocol provides port-based authenticated
access to a LAN. This standard applies to both wireless and wired networks. In a
wireless network, the 802.1X authentication occurs after the client has associated
to an access point using an 802.11 association method. Wired networks use the
802.1X standard without 802.11 association.

You can use 802.1X enabled switches or access points with or without the Infranet
Enforcer as part of the solution. If you do not deploy the Infranet Enforcer, the 802.1X
enabled switch or access point functions as the enforcement point. You can create
different security zones by configuring VLANs on the network and assigning different
roles to the appropriate VLAN.

The Pulse Policy Secure Solution in the Network


The Pulse Policy Secure solution is extremely flexible and offers numerous options for
integration into your existing network.

Figure 1 on page 6 illustrates a deployment using 802.1X with a switch or access point
for Layer 2 connectivity.Figure 2 on page 6 illustrates a network deployment using Layer
3. These examples take advantage of the Infranet Enforcer to protect network resources.

You can also deploy the Pulse Policy Secure without the Infranet Enforcer by using
VLANs to segregate unauthenticated or unauthorized traffic.Figure 3 on page 6 illustrates
this kind of deployment.

© 2015 by Pulse Secure, LLC. All rights reserved. 5


Pulse Policy Secure Administration Guide

Figure 1: 802.1X Layer 2 with the Infranet Enforcer

Figure 2: Layer 3 with the Infranet Enforcer

Figure 3: 802.1X Layer 2 without the Infranet Enforcer

6 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 1: Pulse Policy Secure

How the Pulse Policy Secure Determines User Access and Protects Resources
You create policies on the Policy Secure gateway’s admin interface to control access to
resources and services. Access is based on successful authentication, the user’s
assigned role, and the security compliance of the endpoint device. For example, you can
provide full access to protected resources for an employee’s role, and limited access for
a contractor role.

You can create Host Checker policies that require endpoints to meet security requirements.
For example, you can require an endpoint to use a minimum version of an antivirus
application with up-to-date antivirus definitions. If the endpoint does not meet the security
requirements, you can configure the Host Checker policy to display instructions that tell
the user how to bring the endpoint into compliance.

After you populate the system with users, policies, and authentication services, you
determine how users gain access to network resources.

The Pulse Policy Secure and Infranet Enforcer can work together to provide granular
endpoint security and firewall services to control access to protected resources for
qualified users. If you are using the Infranet Enforcer, the Pulse Policy Secure pushes
policies to the Infranet Enforcer when the two devices connect.

Based on user identity and endpoint status, the system assigns the user a set of roles
that specify which resources the user can access. The system pushes the set of roles
associated with each endpoint’s source IP address (called “auth table” entries) to the
Infranet Enforcer. The Infranet Enforcer allows traffic between the endpoint and the
protected resources based on resource access policies that you create.

For 802.1X Layer 2 deployments in which you are not using the Infranet Enforcer, you can
set up network VLANs and direct endpoints that do not meet security requirements to a
quarantine VLAN.

The user accesses a switch or access point to be authenticated through the Pulse Policy
Secure. The user's identity and the endpoint health assessment are used to determine
which VLAN or other RADIUS attribute to use. The quarantine VLAN can limit access to
remediation servers that provide users with instructions and the software they need for
bringing their endpoint into compliance with security policies.

Related Understanding Pulse Policy Secure Deployment Options on page 10


Documentation

© 2015 by Pulse Secure, LLC. All rights reserved. 7


Pulse Policy Secure Administration Guide

8 © 2015 by Pulse Secure, LLC. All rights reserved.


CHAPTER 2

Initial Configuration

 Understanding Pulse Policy Secure Deployment Options on page 10


 Pulse Policy Secure Solution Configuration Overview on page 11
 Before You Configure the Pulse Policy Secure on page 12
 Using Task Guidance on page 12
 Configuring the Pulse Policy Secure Solution on page 13
 Deploying the Pulse Policy Secure Solution to Users on page 16
 Pulse Policy Secure Deployment Summary on page 19
 Understanding the Initial Pulse Policy Secure Deployment User
Experience on page 19
 Specifying the Client that Endpoints Use for Access on page 21
 Creating an Initial Configuration of OAC for Windows Endpoints on page 22
 Understanding OAC Configuration Settings for Windows Endpoints on page 23
 Defining the Initial Configuration for OAC for Windows on page 24
 Using the Preconfigured Installer for OAC on Windows Endpoints on page 29
 Preconfiguring OAC Using the Custom Installer on page 29
 Validating the IC Series Certificate on page 30
 Using OAC Licenses with the IC Series on page 31
 Manually Installing OAC on page 31
 Manually Configuring OAC for 802.1X (Windows or Macintosh) on page 32
 Provisioning Detailed Configuration Profiles for Macintosh OAC Endpoints on page 34
 Understanding Deployments with Pulse Secure Clients on page 34
 Configuring the Pulse Client for a Role on page 36
 Pulse Client Configuration Overview on page 37
 Understanding Client Connection Set Options on page 40
 Creating a Client Connection Set on page 46
 Configuring Location Awareness Rules for Pulse Secure Client on page 49
 Understanding Pulse Component Set Options on page 52
 Creating a Client Component Set on page 53

© 2015 by Pulse Secure, LLC. All rights reserved. 9


Pulse Policy Secure Administration Guide

 Installing the Pulse Secure Client on Windows Endpoints Using a


Preconfiguration File on page 54
 Installing the Pulse Secure Client on OS X Endpoints Using a
Preconfiguration File on page 59
 Pulse Secure Command-line Launcher on page 60
 Using jamCommand to Import Pulse Secure Connections on page 63
 Configuring Machine-Only Machine Authentication for a Pulse
Secure Connection on page 64
 Configuring User-After-Desktop Machine Authentication for a Pulse
Secure Connection on page 65
 Machine and User Authentication Through a Pulse Connection for Pulse Policy Secure
on page 66
 Preferred Realm and Role for Pulse Secure Machine Authentication on page 67
 Remote Desktop Protocol Compatibility with Pulse Secure 802.1X
Machine Authentication Connection on page 69
 Credential Provider Authentication for Pulse Policy Secure
Overview on page 69
 Machine Authentication for Pulse Policy Secure Overview on page 71
 Additional Methods for Accessing Protected Resources Behind the IC Series
Device on page 72
 Configuring Agentless Access to Protected Resources on page 73
 Using the Java Agent on page 74
 Configuring the Java Agent on page 74

Understanding Pulse Policy Secure Deployment Options

You can deploy the Pulse Policy Secure in several ways to provide access control for
network assets. You can use Layer 2 or Layer 3 authentication with the Infranet Enforcer,
or you can use Layer 2 802.1X without the Infranet Enforcer to direct users to different
VLANs. Both the ScreenOS Enforcer and the SRX Series Services Gateway (Junos
Enforcer) are supported as the policy decision point. You can use the built-in UAC agents,
OAC for Windows or Macintosh endpoints, the Java agent for Linux, or agentless access.
Alternately, you can deploy the solution with the Windows or Macintosh native 802.1X
supplicant (a non-UAC agent). With UAC 4.0 you can use the Juniper Networks Pulse
client.

NOTE: Deployment Scenario describes the basic steps for configuring the
Pulse Policy Secure and the Infranet Enforcer in an example of a server
front-end deployment scenario. You can adapt the information in that guide
to your specific deployment.

Related Pulse Policy Secure Solution Configuration Overview on page 11


Documentation

10 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

 Before You Configure the Pulse Policy Secure on page 12

 Configuring the Pulse Policy Secure Solution on page 13

 Deploying the Pulse Policy Secure Solution to Users on page 16

 Pulse Policy Secure Deployment Summary on page 19

 Understanding the Pulse Policy Secure Solution on page 3

Pulse Policy Secure Solution Configuration Overview

Table 3 on page 11 outlines the general steps for installing and configuring the Pulse
Policy Secure solution. Variables to be considered depend on the specific network
topology and the nature of your access control needs. Use this table as a general guide,
and read the product documentation for complete information of all of the network
access control options available with the Pulse Policy Secure solution.

Your access control needs are complex, and the Pulse Policy Secure solution is versatile.
Please take the time to thoroughly understand the required actions.

Table 3: Summary of Actions Required to Configure the Pulse Policy


Secure Solution

Action Required or Optional

Install the hardware Required

Upgrade and license the Pulse Policy Secure software Required

Install the Infranet Enforcer Or use 802.1X

Install Certificates Only with Infranet Enforcer

Connect the Policy Secure gateway and the Infranet Only with Infranet Enforcer
Enforcer

Configure authentication server(s) (or use the local server) Required

Configure Roles and Realms Required

Configure OAC or Pulse options Or third-party client

Configure Infranet Enforcer Resource Access policies Only with Infranet Enforcer

Configure IPsec and/or Source IP enforcement Only with Infranet Enforcer

Configure Sign-in policies, add realms and authentication protocols Required

Configure third-party agent Or OAC or Pulse

Configure Host Enforcer policies Optional

© 2015 by Pulse Secure, LLC. All rights reserved. 11


Pulse Policy Secure Administration Guide

Table 3: Summary of Actions Required to Configure the Pulse Policy


Secure Solution (continued)

Action Required or Optional

Configure Host Checker policies Required

Configure 802.1X for Layer 2 access Or use Infranet Enforcer

Related Configuring the Pulse Policy Secure Solution on page 13


Documentation
 Deploying the Pulse Policy Secure Solution to Users on page 16

 Pulse Policy Secure Deployment Summary on page 19

Before You Configure the Pulse Policy Secure

The following table summarizes the steps required to completely configure the Pulse
Policy Secure solution.

Table 4: Configuration Topics

Topic Details

Date and Time of the Infranet Enforcer and the Be sure to set the date and time of the Infranet Enforcer to match the
Pulse Policy Secure date set for the Pulse Policy Secure. If possible, use a Network Time
Protocol (NTP) server to set the date and time for both appliances.

Kerberos If you configure the Pulse Policy Secure to use Active Directory for
user authentication, Windows endpoint users can automatically sign in
to the Pulse Policy Secure using the same credentials they use to
access their Windows desktops.

Non-Pulse Secure If you are connecting with 802.1X, and you are using a non-Juniper
supplicants Networks supplicant (a non-UAC agent), the Infranet Enforcer is not
supported, unless you are using an IF-MAP Federation network with a
DHCP server.

 Configuring the Pulse Policy Secure Solution on page 13


Related
Documentation
 Deploying the Pulse Policy Secure Solution to Users on page 16

 Pulse Policy Secure Deployment Summary on page 19

 Using Kerberos SSO on page 303

Using Task Guidance

With UAC 4.1, the Pulse Policy Secure features Task Guidance. Task Guidance provides a
graphical interface to make configuring the device simpler.

12 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

When you initially log in to the Pulse Policy Secure, the main Task Guidance page is
displayed on screen.

If you close Task Guidance, you can access the feature by selecting Guidance in the upper
right corner of the screen. The console is displayed with labels for different configuration
options that you perform to configure the device. When you click on a label, that section
expands to display individual tasks.

When you navigate to a page with configuration tasks, a new console pops up to provide
instruction. You can scroll the Instruction console up and down, allowing you to view the
configuration page, or you can close the console. If you close the console, an Instruction
link is displayed in the upper right corner of the screen.

If you click the Instruction link, specific information about the current configuration page
is displayed.

After you complete a task, you are prompted to go to the next task.

Task Guidance is available with standard UAC, the RADIUS license, and the Enterprise
Guest Access (EGA) license.

Configuring the Pulse Policy Secure Solution

To configure the Pulse Policy Secure solution:

1. If you have not already done so, install the hardware.

2. If you have not already done so, upgrade and license the software.

3. If you are using the Infranet Enforcer, install the device.

4. If you are using the Infranet Enforcer, perform both of the following steps to set up
certificates on the and Infranet Enforcer:

 Import a signed server certificate into the Pulse Policy Secure.

 Import the certificate of the certificate authority (CA) that signed the Pulse Policy
Secure server certificate into the Infranet Enforcer.

5. If you are using the Infranet Enforcer, configure the connection to the Infranet Enforcer.
To determine compatible devices, see 4.3R1 Supported Platforms.

NOTE: With Pulse Policy Secure Release 4.2 and Junos OS Release 12.2,
you can use the Juniper Networks EX Ethernet Switch as an Enforcer.

As with the ScreenOS Enforcer and Junos Enforcer, you create a connection
between the two devices, and then configure resource access policies to
determine access. See “Pulse Policy Secure and EX Series Switch
Configuration Task Summary” on page 159.

© 2015 by Pulse Secure, LLC. All rights reserved. 13


Pulse Policy Secure Administration Guide

6. Configure user authentication and authorization by setting up roles, authentication


and authorization servers, and authentication realms:

a. Define user and administrator roles. Roles define user session parameters and
OAC, Pulse, or agent/agentless options. The system is preconfigured with one user
role (Users) and two administrator roles (Administrators and Read-Only).

b. Define authentication and authorization servers. Authentication and authorization


servers authenticate user credentials and determine user privileges within the
system. The system is preconfigured with one local authentication server (System
Local) to authenticate users and one local authentication server (Administrators)
to authenticate administrators. You must add users to either the local
authentication server or the external authentication servers.

c. Define authentication realms. Authentication realms contain policies specifying


conditions the user or administrator must meet to sign in to the system. For example,
you can use an authentication policy to specify that users can access protected
resources only if they are signing in from a particular location. When configuring
an authentication realm, you must create rules to map users to roles and specify
which server (or servers) the should use to authenticate and authorize realm
members.

The system is preconfigured with one realm (Users) that maps all users
authenticated through the System Local server to the Users role. The system is
also preconfigured with one realm (Admin Users) that maps all users authenticated
through the Administrators server to the .Administrators role.

NOTE: The system modifies usernames that contain spaces or


characters that are not valid on the Infranet Enforcer. For example,
usernames with spaces appear in auth table entries as one word, and
quotes in usernames appear without the quotes.

7. (Optionall) Select and configure OAC options (such as timeout values and restrictions),
or create Pulse configuration parameters.

Macintosh endpoints can use the Macintosh version of OAC. To configure client-side
settings on the Macintosh version, you can create a script from the Windows version
of Odyssey Client Administrator and import it to the Macintosh to populate agent
settings.

Alternately, you can configure endpoints to connect with agentless access, or you can
configure the lightweight Java agent for access with Linux endpoints. In an 802.1X
deployment, you can also use a non-Pulse Secure supplicant.

8. If you are using the Infranet Enforcer, configure resource access policies to specify
which roles are allowed or denied access to resources.

9. If you are using the Infranet Enforcer, do one of the following to set up source IP
enforcement and/or IPsec enforcement:

14 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

 Set up source IP enforcement by configuring an infranet auth policy on the Infranet


Enforcer. Source IP enforcement allows the Infranet Enforcer to control which zones
use resource access policies to allow or deny traffic.

 Set up IPsec enforcement on Windows endpoints that OAC supports. You can use
IPsec enforcement between the endpoint and the Infranet Enforcer instead of source
IP enforcement. To use IPsec, you must set up a VPN tunnel for a dial-up user with
IKE on the Infranet Enforcer.

10. In a Layer 2 environment without the Infranet Enforcer, configure OAC, Pulse, or a
non-Juniper Networks 802.1X supplicant for endpoints. You must also configure
policies to allow the Policy Secure gateway RADIUS server to work with the NAD
(NAD).

 If you have not already done so, install and configure the 802.1X NADs on the
network. See the documentation provided with the NAD.

 If you have not already done so, configure VLANs within the network for deployments
that are not using the Infranet Enforcer. The simplest scenario is to configure two
VLANs: one for authenticated users and a remediation VLAN for users who do not
meet authentication requirements.

11. Optionally, configure Host Enforcer policies to protect endpoints that use OAC and
enforce policies on the endpoint itself by allowing only the traffic you specify in the
Host Enforcer policies for the role. While this is not a substitute for a firewall, Host
Enforcer policies can add another layer of access control. Host Enforcer is not
supported on Pulse.

12. Create Host Checker policies and set remediation options.

13. Determine at which levels within the access management framework to enforce the
Host Checker policies:

 To enforce Host Checker policies when the user first accesses the , implement the
policies at the realm level.

 To allow or deny users access to roles based on their compliance with Host Checker
policies, implement the policies at the role level.

 To map users to roles based on their compliance with Host Checker policies, use
custom expressions.

14. If necessary, configure agentless access to protected resources for endpoint platforms
that OAC or Pulse do not support, including Linux and Solaris.

15. If necessary, configure the Java agent for access to protected endpoints for Linux.

16. Deploy the UAC solution to users.

TIP: Be sure to set the date and time of the Infranet Enforcer to match the
date set for the Pulse Policy Secure. If possible, use a Network Time
Protocol (NTP) server to set the date and time for both appliances.

Related Deploying the Pulse Policy Secure Solution to Users on page 16


Documentation

© 2015 by Pulse Secure, LLC. All rights reserved. 15


Pulse Policy Secure Administration Guide

 Understanding Licensing

 Installing a Software Service Package

 Using Certificate-Based Security with Infranet Enforcer Deployments on page 92

 Understanding User Roles on page 261

 AAA Server Overview on page 279

 Understanding Authentication Realms on page 425

 About Resource Access Policies on page 145

 Understanding Infranet Enforcer Source IP Security Policies on page 148

 Understanding Pulse Policy Secure Support for IPsec Routing Policies on page 123

 Understanding 802.1X Network Access Control Deployments on page 178

 Using Host Enforcer Policies on page 251

 Creating Global Host Checker Policies on page 493

 Additional Methods for Accessing Protected Resources Behind the Policy Secure
gateway on page 72

Deploying the Pulse Policy Secure Solution to Users

When you deploy the Pulse Policy Secure and Infranet Enforcer, users must connect to
the Pulse Policy Secure for authentication and endpoint security checking before they
are allowed to access protected resources.

NOTE: The Pulse Policy Secure runs Host Checker endpoint assessments
before users are allowed to access the network. This is accomplished inside
a Trusted Network Connect (TNC) handshake. The TNC component is
downloaded through a Network Control Protocol (NCP) connection at Layer
3, once an IP connection has been established.

With Layer 2 authentication, the initial authentication always fails, because


without an IP address the endpoint cannot download the TNC component.
You can create a special remediation role with no access restrictions to allow
endpoints to authenticate and download the required components.

16 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

The following methods can be used to provision access to users:

 Install OAC on Windows or Macintosh endpoints— OAC provides support for user
authentication and endpoint security checking on both wired and wireless networks.
It also includes an 802.1X supplicant for authentication on 802.1X networks. You can
preconfigure the Windows version of OAC with the appropriate settings for your
environment.

For Windows endpoints, the easiest way to install OAC is by having users browse to
the sign-in URL. OAC is then automatically installed on the user’s endpoint as the
default behavior.

On the Macintosh version, the client is not automatically installed. Users navigate to
a sign-in URL that redirects them to the Macintosh landing page from there, they can
manually download and install the .dmg file.

You can also manually install OAC and Pulse (Windows only) on endpoints by
downloading the installer package and providing the package to endpoint users.

If you are using 802.1X NADs that support a preconfigured VLAN that allows limited
unauthenticated network access, users can browse to the 802.1X supplicant included
in OAC or Pulse.

 Install Pulse on Windows or Macintosh endpoints—Pulse supports all of the


connection methods that can be used with OAC (Layer 2 and Layer 3 connectivity, and
wired or wireless connections). Pulse also supports static and dynamic IPsec and
Source IP enforcement as a UAC agent. Pulse supports SSL transport for SSL VPN
tunnels to SA Series SSL VPN Appliance. 802.1X with UAC is available on Windows
XP SP3, Windows Vista, and Windows 7 by leveraging components from the native
Windows supplicant.

The easiest way to install Pulse is for users to browse to the sign-in URL to a role for
which Pulse is chosen as the agent. Pulse is then automatically installed on the user’s
endpoint as the default behavior.

You can manually install Pulse on endpoints by downloading the default installer
package, or you can create a custom installer and distribute it to users via a systems
management server (SMS). For more information see the Pulse Secure
documentation.

NOTE: The Pulse Policy Secure solution supports Kerberos single


sign-on. If you use Active Directory for user authentication, Windows
endpoint users can automatically sign in using the same credentials they
use to access their Windows desktops.

 Direct endpoints that use the Java agent to a Web site to download the agent—If
you select the Java agent for access on Linux platforms, the system automatically
downloads the Java agent to the client machine after the user is authenticated.

© 2015 by Pulse Secure, LLC. All rights reserved. 17


Pulse Policy Secure Administration Guide

 Instruct users how to use agentless access—Users can connect using a browser on
Windows, Macintosh, Linux, and Solaris endpoints.

 Ensure that a non-Pulse Secure supplicant is installed—Endpoints that do not have


OAC or Pulse installed can be authenticated with 802.1X through the Policy Secure
gateway with a non-Juniper Networks supplicant.

NOTE: A non-Juniper Networks 802.1X supplicant is also termed a non-UAC


agent. A non-UAC agent is any client that connects using non-Juniper
Networks protocols (JUAC, for example) for authentication.

NOTE: If you are connecting with 802.1X, and you are using a non-Juniper
Networks supplicant (a non-UAC agent), the Infranet Enforcer is not
supported, unless you are using an IF-MAP Federation network with a DHCP
server.

You can use the following methods to help users in your deployment:

 Redirect HTTP traffic destined for protected resources to the sign-in page—To direct
users to the Pulse Policy Secure, you can configure the Infranet Enforcer to
automatically redirect HTTP traffic destined for protected resources. This Infranet
Enforcer feature is called captive portal.

 Instruct users to access the sign-in page using a browser at the URL you specify—Use
this method if you do not configure a captive portal, or if users access protected
resources using non-HTTP methods. (The captive portal feature redirects HTTP traffic
only).

 Preinstall OAC or Pulse—You can use this method if you are using 802.1X NADs that
do not allow users to connect to the Pulse Policy Secure without a client installed.
This method is also necessary for users who do not have the required administrator
rights on their endpoints to install OAC or Pulse. In these cases, you must use some
other method to preinstall OAC or Pulse on these endpoints, such as SMS (for Windows
only), remote login, or manual preinstallation.

Since the Macintosh version of OAC is not automatically installed on client machines,
preinstalling is an effective way to install OAC on the Macintosh to simplify the user
experience.

 Install and configure a non-Pulse Secure 802.1X supplicant—If endpoints connect


using a supplicant other than OAC, ensure that the authentication protocols that the
supplicant uses for authentication are compatible with the protocols used in your
access management framework configuration.

Related Creating Global Host Checker Policies on page 493


Documentation
 Creating an Initial Configuration of OAC for Windows Endpoints on page 22

 Understanding the Initial Pulse Policy Secure Deployment User Experience on
page 19

18 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

 Additional Methods for Accessing Protected Resources Behind the Policy Secure
gateway on page 72

 Understanding the Infranet Enforcer Captive Portal Feature on page 109

 Understanding Pulse Policy Secure Authentication Protocols on page 168

Pulse Policy Secure Deployment Summary

Table 5: Scenarios and Methods of Deployment

Scenarios Methods

OAC, Pulse, or non-Pulse Secure 802.1X supplicant

 Unauthenticated wired network access  Captive


portal—Redirect HTTP traffic in user’s
(no 802.1X authentication) browser to Policy Secure gateway user sign-in
URL
 Announcement—Instruct users to use a web
browser to manually find the sign-in URL
 802.1X switches that allow  Captive portal—Redirect HTTP traffic in user’s
unauthenticated access by using a browser to Policy Secure gateway user sign-in
preconfigured VLAN that allows limited URL
network access  Announcement—Instruct users to use a web
browser to manually find the sign-in URL

 802.1X switches or wireless access  Preinstallation of OAC, Pulse, or third-party


points that do not allow any means to supplicant by means of SMS or remote login on
access the Pulse Policy Secure endpoints
 Users who do not have administrator
rights on endpoint, which is required for
OAC or Pulse installation

Agentless or Java agent (no 802.1X authentication)

 Captive portal—Redirect HTTP traffic in user’s


browser to the sign-in URL
 Announcement—Instruct users to use a browser
to manually find the sign-in URL

Related Deploying the Pulse Policy Secure Solution to Users on page 16


Documentation
 Understanding the Initial Pulse Policy Secure Deployment User Experience on

page 19

Understanding the Initial Pulse Policy Secure Deployment User Experience

The user experience during initial deployment depends on whether the user is accessing
the Windows or Macintosh version of OAC, Pulse, the Java agent, an agentless
deployment, or a non-UAC agent (third-party 802.1X supplicant). Additionally, you can
preconfigure the settings for OAC and Pulse on the Policy Secure gateway
(recommended), and you can configure SSO for Windows endpoints.

© 2015 by Pulse Secure, LLC. All rights reserved. 19


Pulse Policy Secure Administration Guide

If you evaluate or enforce a Host Checker policy at the realm level, OAC and Pulse
automatically run the built-in Host Checker on the endpoint to verify for security
compliance before the user is authenticated. If the endpoint is in compliance, the user is
assigned the role. If you enforce Host Checker at the role level, the user can be
authenticated, but can access only roles whose Host Checker policies the endpoint can
pass.

 OAC on supported Windows endpoint platforms—If you have configured OAC as the
client for a role on Windows machines, the first time the user accesses the Pulse
Policy Secure using a browser, the system automatically installs OAC on the user’s
computer with the OAC configuration settings you specify. If you enable validation of
the device certificate, the user must allow the root CA certificate to be installed. After
the initial OAC installation, OAC automatically starts when the user signs into their
computer, and displays a sign-in dialog box to sign in to the Policy Secure gateway.

If you integrate a solution with Active Directory Service and enable SSO, Windows
endpoint users automatically sign in using the same credentials they use to access
their Windows desktop. The sign-in dialog box for OAC does not appear.

 OAC on supported Macintosh endpoint platforms—OAC is not automatically installed


on Macintosh endpoints. You can direct users to a sign-in page, and the system detects
what type of client is attempting to log in. If the machine is a Macintosh, the system
displays a landing page from which the user can download and manually install OAC.

 Pulse on supported Windows endpoint platforms—If you have configured Pulse as


the client for a role on Windows machines, the first time the user accesses the system
using a browser, the Policy Secure gateway automatically installs Pulse on the user’s
computer with the configuration settings you specify. The user is prompted to accept
the security certificate. After the initial installation, Pulse automatically starts when
the user signs into their computer and displays a sign-in dialog box to sign in.

If you integrate a solution with Active Directory Service and enable SSO, Windows
endpoint users automatically sign in using the same credentials they use to access
their Windows desktop. The sign-in dialog box for Pulse does not appear.

 Java agent—If you provision a Linux user for access with the Java agent, a lightweight
client is automatically downloaded after the user is authenticated through a browser.
The agent displays connection status, the IP address, and a logout mechanism. The
user is not required to leave the browser window open, but if the session expires, the
user must provide credentials through a browser again.

 Agentless access—If you configure agentless access for users on Windows, Macintosh,
Linux, or Solaris endpoints, the user always signs in directly using a browser instead of
OAC. If you evaluate or enforce a Host Checker policy at the realm level, Host Checker
is installed and is run on the endpoint.

20 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

NOTE: When using agentless access, the user must leave the browser
window that contains the sign-in page open. If the user closes the browser
window or opens a different window, the endpoint loses the connection
to the Pulse Policy Secure, and the Infranet Enforcer denies the user
access to protected resources.

 Non-UAC agent software (third-party 802.1X supplicant)—Users of non-UAC agent


software must preinstall a security certificate and configure authentication protocols
that have been configured for the access management framework. These clients can
connect only via Layer 2, so if any restrictive Host Checker policies are configured, users
cannot connect. You can configure a default VLAN with no Host Checker restrictions
for the initial login.

Related Creating an Initial Configuration of OAC for Windows Endpoints on page 22


Documentation
 Using Kerberos SSO on page 303

 Additional Methods for Accessing Protected Resources Behind the Policy Secure
gateway on page 72

Specifying the Client that Endpoints Use for Access

For each role you create, you specify which client users must employ when they access
that role.

You can specify the following clients for each role on the Agent > General tab:

 OAC (for Windows or Macintosh endpoints)

 Pulse (for Windows or Macintosh endpoints)

 Agentless Host Checker client (for all platforms)

 Java agent (for Linux and Solaris endpoints)

To provision OAC, select the Odyssey Settings for IC Access and/or Odyssey Settings for
Preconfigured Installer check box to allow you to access Odyssey configuration options
after you create a role. After you save the role, select Users > User Roles > Select Role >
Agent, and then select the Install Agent for this role check box. Then select the Install
Odyssey check box.

To configure OAC access options select Users > User Roles > Select Role > Agent > Odyssey
Settings.

To provision Pulse, agentless access, or the Java agent, do not select the Odyssey check
boxes when you create the role.

To use the agentless access option, you create a role, then you select Users > User Roles
> Select Role > Agentless, and select the Enable Agentless Access for this role check box.

© 2015 by Pulse Secure, LLC. All rights reserved. 21


Pulse Policy Secure Administration Guide

Then, configure agentless appearance options from the Users > User Roles > Select Role
> General > UI Options tab.

To specify the Java agent for a role, you create a role, then you select Users > User Roles
> Select Role > Agent, and select the Install Java Agent for this role check box.

To install Pulse on endpoints, you create a role, then you select Users > User Roles >
Select Role > Agent, and select the Install Agent for this role check box. Then, select the
Install Pulse check box.

Then, you configure Odyssey access options from the Users > User Roles > Select Role >
Agent > Pulse Settings tab.

Related Creating an Initial Configuration of OAC for Windows Endpoints on page 22


Documentation
 Understanding Deployments with Pulse Secure Clients on page 34

 Configuring Agentless Access to Protected Resources on page 73

 Using the Java Agent on page 74

 Understanding User Roles on page 261

Creating an Initial Configuration of OAC for Windows Endpoints

For Windows endpoints, you can preconfigure OAC with the settings required to connect
to the Pulse Policy Secure. You can configure all of the settings for the client on a
per-role basis. When the user first accesses the Pulse Policy Secure using a browser,
the Policy Secure gateway automatically installs OAC on the user’s computer. Each
time the user accesses a resource that is protected by the Policy Secure gateway, the
OAC configuration settings you specify are used.

NOTE: If OAC is already installed when the user accesses the Policy Secure
gateway, configuration settings you specify except for the login name in the
profile, all of the other configuration settings you specify on the Policy Secure
gateway overwrite any existing settings on the endpoint.

You can create a unique set of configuration settings for each role. For example, you can
create a role for users that use wired adapters, and another role for users that use wireless
adapters.

You determine whether or not OAC is installed at the role level, and you configure OAC
options through the Odyssey Access Client section of the Policy Secure gateway
interface.

In the admin console there are two tabs under Odyssey Settings. The IC Access tab allows
you to configure authentication and connection settings for OAC. The Preconfigured
Installer tab provides an interface that allows you to upload a preconfigured version of
OAC that you can deploy to users when they access a role.

22 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

NOTE: OAC is automatically configured to use the authentication protocol


settings in the default 802.1X authentication protocol set, which includes
Juniper Networks JUAC protocol. If you want to use different protocols for
authentication, you must configure a new protocol set on the Policy Secure
gateway, and you must configure matching settings on OAC. If you alter the
protocol settings on OAC, the client functions only as a 802.1X supplicant
for basic connectivity, and does not have any of the features of OAC such
as Host Checker, role and realm restriction enforcement and connection
with an Infranet Enforcer.

Related Specifying the Client that Endpoints Use for Access on page 21
Documentation
 Provisioning Detailed Configuration Profiles for Macintosh OAC Endpoints on page 34

 Using the Preconfigured Installer for OAC on Windows Endpoints on page 29

 Understanding Pulse Policy Secure Authentication Protocols on page 168

Understanding OAC Configuration Settings for Windows Endpoints

Table 6 on page 23 lists settings that you can configure on the Policy Secure gateway
and the settings that the Policy Secure gateway automatically configures in OAC for
you.

Table 6: Initial OAC Configuration Settings

The Policy Secure The Policy Secure


gateway gateway
adds these items to You can preconfigure these automatically configures
OAC: settings in the Policy Secure gateway: these settings
for you:
Profile  Name of profile instance in OAC.  Enables OAC to validate
 Login name. the server certificate of
the Policy Secure
 Options for using the user’s
gateway
Windows credentials or
prompting user for login name
and/or password.
 Outer authentication
protocol—Tunneled TLS (TTLS)
or Protected EAP (PEAP).
 Personal certificate usage.

Policy Secure  Name of Policy Secure gateway instance  Server URL is
gateway sign-in
in OAC. URL.  New profile is associated
with Policy Secure
gateway
connection

© 2015 by Pulse Secure, LLC. All rights reserved. 23


Pulse Policy Secure Administration Guide

Table 6: Initial OAC Configuration Settings (continued)

The Policy Secure The Policy Secure


gateway gateway
adds these items to You can preconfigure these automatically configures
OAC: settings in the Policy Secure gateway: these settings
for you:
Trusted server  Server name is common
name specified in Policy
Secure gateway server
certificate.
 Trusted root CA certificate
is added to OAC
certificate properties for
new trusted server.

Adapter  Configure the adapter that is


actively being used to access the
Policy Secure gateway (wired or
wireless adapter connected to
an
802.1X-enabled network).
 Configure a second adapter of the
other type. For example, if a wired
adapter is used to access the
Policy Secure gateway, then
automatically configure a
wireless adapter.

Network 

Do
If notadd
you addaany adapters.
wireless adapter, the If you select WEP encryption,
network name (SSID), association keys are generated
mode, and encryption method. automatically.

Related Creating an Initial Configuration of OAC for Windows Endpoints on page 22


Documentation
 Defining the Initial Configuration for OAC for Windows on page 24

 Specifying the Client that Endpoints Use for Access on page 21

Defining the Initial Configuration for OAC for Windows

To define the initial configuration of OAC:

1. In the admin console select Users > User Roles > New User Role from the left navigation
bar.

2. Enter a name for this role in the Name box.

3. Select the Odyssey Settings for IC Access and Odyssey Settings for Preconfigured
Installer check boxes to preconfigure OAC.

4. Click Save Changes. The roles configuration page opens with the name you entered
for this role at the top of the page.

5. Click the Agent tab. The Install Agent for this role check box is selected by default.

24 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

NOTE: You can continue configuring this role, or you can complete the
configuration of OAC.

6. Select the Odyssey Settings tab. The IC Access configuration page is displayed.

7. Select an option for naming the profile and Policy Secure gateway instance in OAC:

 Use Policy Secure gateway's host name—Specifies the name of the profile and
the Policy Secure gateway instance in OAC. If the Policy Secure gateway does not
have a hostname configured, the URL for the Policy Secure gateway or the
redirect URL from a captive portal is used instead.

 Use this name—Specifies the name of the profile and the Policy Secure gateway
instance in OAC.

8. Under Policy Secure gateway, select Require connection to this Policy Secure gateway
to require the enforcement of Host Enforcer policies on the endpoint that apply to
the user’s role. This option requires OAC to always attempt to connect to this Policy
Secure gateway and prevents the user from disconnecting from this Policy Secure
gateway. The user also cannot delete the properties of this Policy Secure gateway
from the OAC configuration.

In effect, this option forces the enforcement of any applicable Host Enforcer policies
whenever the endpoint is on the network. If the endpoint is not on the network or is
unable to connect to the required Policy Secure gateway, the Host Enforcer policies
are not enforced.

9. Under Profile, specify the settings to configure in the OAC profile:

a. Under Login name, specify how you want to configure the Login name setting in
the profile:

 Use qualified Windows login name (domain\user) configures the login name with
the user’s Windows domain name and username in the format domain
name\username. Use this option if you are using an Active Directory authentication
server that requires a domain name in addition to a username for authentication.

 Use unqualified Windows login name configures the login name with the user’s
Windows username only. Use this option for authentication servers that require
a username only for authentication.

 Prompt for login name using the following prompt displays a dialog box for the
user to enter a name during the initial OAC installation only. The login name is
then configured and the user is not prompted again. You can also configure the
text string used for the prompt in the dialog box.

b. Select Permit login using password to enable password authentication, and then
select an option for how OAC obtains user credentials to sign into the Policy
Secure gateway:

 Use Windows password enables OAC to automatically authenticate the user to


the Policy Secure gateway by using the user’s Windows password. During the
initial OAC installation, the user must enter a password once. OAC
automatically uses the Windows password after that.

© 2015 by Pulse Secure, LLC. All rights reserved. 25


Pulse Policy Secure Administration Guide

 Prompt for password enables OAC to prompt the user to enter a password when
the user is authenticated the first time after startup. OAC reuses the user’s
credentials for the duration of the Windows session. If you choose this option
and if you have configured SSO, OAC does not prompt the user for the password.

c. Specify whether to use Tunneled TLS (TTLS) or Protected EAP (PEAP) as the
outer authentication protocol for traffic between OAC and the Policy Secure
gateway by selecting either Use EAP-TTLS as outer authentication protocol or
Use EAP-PEAP as outer authentication protocol.

 If you select Use EAP-TTLS as outer authentication protocol and you want to use
a client certificate as part of the EAP-TTLS authentication, select Use the user’s
certificate and perform inner authentication. This option uses EAP-TTLS
certificate-based authentication and tunnels password credentials with inner
authentication. Note that the most typical use of EAP-TTLS authentication is
without a client certificate.

 If you select Use EAP-PEAP as outer authentication protocol and you want to use
a client certificate as part of the EAP-PEAP authentication, select Inner
authentication is required.

NOTE:
 Enter a name in the Anonymous name box to enable users to appear
to log in anonymously while passing the user’s login name (called
the inner identity) through an encrypted tunnel. As a result, the
user’s credentials are secure from eavesdropping and the user’s
inner identity is protected.

 If you enable the personal client certificate option, the Policy


Secure gateway automatically selects Permit login using my
Certificate and Use automatic certificate selection in the OAC
profile.

d. Enter a name in the Anonymous name box to enable users to appear to log in
anonymously while passing the user’s login name (called the inner identity) through
an encrypted tunnel. As a result, the user’s credentials are secure from
eavesdropping and the user’s inner identity is protected.

As a general rule, enter anonymous in the this box, which is the default value. In
some cases, you may need to add additional text. For example, if the outer identity
is used to route the user’s authentication to the proper server, you might be required
to use a format such as anonymous@acme.com. If you leave the Anonymous name
box blank, OAC passes the user’s login name (inner identity) as the outer identity.

10. (Only if you are using 802.1X enforcement) Under Adapters, specify the type of adapter
you want to configure in OAC:

 Configure wired adapter(s)—OAC configures the wired adapter on the user’s


computer that is actively being used to access the Policy Secure gateway on an
802.1X-enabled network. If the user is accessing the Policy Secure gateway
through a
wireless adapter during OAC installation, then OAC automatically configures a wired
adapter for wired access to the Policy Secure gateway at a later time.

26 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

 Configure wireless adapter(s)—OAC configures the wireless adapter on the user’s


computer that is actively used to access the Policy Secure gateway on an 802.1X-
enabled network. If the user is accessing the Policy Secure gateway through a wired
adapter during OAC installation, then OAC automatically configures a wireless
adapter to use for wireless access to the Policy Secure gateway at a later time.
Select this option only if the endpoint is connecting to the Policy Secure gateway
by using 802.1X. If you select this option, you must also configure the network
name (SSID) under Network. You might also need to configure other Network
properties, depending on your environment.

NOTE: On Windows systems, if you select Configure wireless adapter(s),


Windows Wireless Zero Configuration (WZC) is disabled for the wireless
adapter that OAC configures. If the user removes a wireless adapter
from the local OAC configuration, the user must enable the adapter
again by selecting Control Panel > Network Connections> adapter name
> Properties > Wireless Networks and selecting the Use Windows to
configure my network settings option.

11. (Only if you selected Configure wireless adapter) Under Network, specify the network
settings you want to configure in OAC for wireless adapters:

 Network name (SSID)—Specify the network name or service set identifier (SSID)
of the wireless network to which you want OAC to connect. A network name can
contain up to 32 alphanumeric characters and is case sensitive. You must enter the
name correctly to connect successfully. For example: <MyCorpNet>.

 Association mode—Specify the association mode you want OAC to use when
associating to the access point hardware on the network:

 Open—Connects to a network through an access point or switch that implements


802.1X authentication. Select this mode if users are not required to use shared
mode or Wi-Fi Protected Access (WPA).

 WPA—Connects to a network through an access point that implements WPA.

 WPA2—Connects to a network through an access point that implements WPA2,


the second generation of WPA that satisfies 802.11i.

 Encryption method—Specify the encryption method for OAC to use. The available
choices depend on the association mode you select:

 None—Uses 802.1X authentication without WEP keys. This option is available


only if you configure access point association in open mode. This is a typical
setting to use for wireless hotspots.

 WEP—Uses WEP keys for data encryption. You can select this option if you
selected open mode association. Select WEP encryption if the access points in
the network require WEP encryption. OAC automatically generates the WEP keys.

© 2015 by Pulse Secure, LLC. All rights reserved. 27


Pulse Policy Secure Administration Guide

 TKIP—Uses the Temporal Key Integrity Protocol. Select TKIP if the access points
in the network require WPA or WPA2 association and are configured for TKIP
data encryption.

 AES—Uses the advanced encryption standard protocol. Select AES if the access
points in the network require WPA or WPA2 association and are configured for
AES data encryption.

NOTE: If you select WEP encryption, the Policy Secure gateway


automatically selects the Keys will be generated automatically for data
privacy option in the OAC Network properties for the wireless
adapter on OAC.

12. Click Save Changes.

13. In the admin console select Roles > user > General > Overview. Then select the Odyssey
Settings for IC Access check box. Note that if the Odyssey Settings for Preconfigured
Installer check box is selected, the options on the Odyssey Settings for IC Access page
overwrite the options from the preconfigured installer.

NOTE:
 Because the configuration settings you specify on the Policy Secure
gateway overwrite existing settings on the endpoint (except for login
name), you can use the Odyssey Configuration page in the admin console
to change settings for users. For example, to remove the requirement to
connect to a particular Policy Secure gateway, clear the Require
connection to this Policy Secure gateway check box in the sign-in policy.
Then instruct users to access the IC
Series device again using a browser to download OAC with the new setting.

 The settings you specify on the Odyssey Configuration page do not configure
the settings for the OAC installer (called OdysseyAccessClient.msi) that
you can manually download from the Installers page. However, after
installation, you can instruct users to access the Policy Secure gateway
using a Web browser to automatically configure OAC using the
configuration settings you specified on the Odyssey Configuration page.

 For more information see


http://www.juniper.net/techpubs/en_US/release-independent/aaa-802/information-products/pathway-pages/oac/product/
.

Related Configuring General Role Options on page 267


Documentation
 Using Kerberos SSO on page 303

 Downloading Client Installer Files on page 708

28 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

Using the Preconfigured Installer for OAC on Windows Endpoints

You can create a preconfigured installer for OAC that is downloaded to Windows
endpoints using the Custom Installer in the Odyssey Client Administrator (OCA). The
OCA is a utility that allows you to fully configure all of the OAC settings.

A preconfigured installer contains the settings you configured using the OCA as well as
certificates. The installer might also contain a license key and a flag indicating whether
or not GINA is installed on the client. You must include the license key for OAC upgrades
if you are upgrading to UAC from an earlier version.

After you configure all of the settings with the OCA, you export the preconfigured installer
as a .zip file to a directory that is accessible to the Policy Secure gateway. You upload
the preconfigured installer file from the Policy Secure gateway admin console interface.

The settings available in the OCA allow you to comprehensively control security and
accessibility features for users who access the Policy Secure gateway. For example, you
can hide or disable the configuration icons on the sidebar of OAC, you can control
whether or not endpoints can modify adapter settings, and you can configure settings
to prevent endpoints from disabling OAC.

The preconfigured installer downloads are role based. When you create new user roles,
you can specify a preconfigured installer that you have created specifically for the role.
You can configure a different OAC feature set for each role that you create. For example,
you can create a client configuration with few restrictions for employee roles and a more
restrictive configuration for visitor roles. Alternately, you can select the same configuration
for different roles.

When OAC is installed or upgraded on an endpoint, the preconfigured installer file is


downloaded from the Policy Secure gateway. The file that is downloaded depends on
the authenticated user’s role.

If a user is assigned to more than one role, and the roles have different OAC preconfigured
installer files, the settings from the first role assigned are retained.

Related Preconfiguring OAC Using the Custom Installer on page 29


Documentation
 Defining the Initial Configuration for OAC for Windows on page 24

Preconfiguring OAC Using the Custom Installer

To preconfigure OAC:

1. Open OAC Manager and select Tools > OAC Administrator from the OAC toolbar. The
OCA console opens.

2. Configure all of the OAC settings that you want to apply for a preconfigured installer,
including certificates and license using the tools in the OCA. For more information see
the Odyssey Access Client Administration Guide.

3. Double-click Custom Installer.

© 2015 by Pulse Secure, LLC. All rights reserved. 29


Pulse Policy Secure Administration Guide

4. Select the Preconfiguration file option button.

5. Enter a name for the destination file.

6. (Optional) Select Export license key and enter any valid license key (Enterprise or FIPS
Edition) for the copies of OAC to distribute for a given role.

7. Click Browse to download the file to a selected location.

NOTE: The download consists of a .zip file containing a properties.xml


file with licenses and GINA settings, a preconfig.xml file, and certificates.

8. Click OK.

9. Select an existing role from the Users > User Roles page on the Policy Secure gateway
admin console, or create a new role.

10. Select the Odyssey Settings for Preconfigured Installer check box. Note that if you also
click the Odyssey Settings for IC Access check box, the options on that page will
overwrite the options from the preconfigured installer.

11. Click the Edit link.

12. Click the Browse button and locate the file from the selected location. The
preconfigured installer downloads the customized OAC version to all users who access
the specified role.

NOTE: If you do not create and upload an OAC configuration for a role,
users who access that role get the factory default OAC version.

Related Using the Preconfigured Installer for OAC on Windows Endpoints on page 29
Documentation

Validating the IC Series Certificate

When Windows users install OAC by accessing the Policy Secure gateway through a
browser, the Validate server certificate option on the Authentication tab of the user’s
profile is automatically enabled. When this option is enabled, OAC validates the server
certificate of the Policy Secure gateway. OAC is automatically configured to trust the
Policy Secure gateway if it can verify that the Policy Secure gateway is passing a valid
certificate.

For this verification to occur, the trusted root certificate of the CA that signed the Policy
Secure gateway’s server certificate must be installed on the endpoint. If the CA
certificate is not installed, then the user cannot authenticate.

You can install the trusted root CA certificate on the endpoint in any of the following
ways:

 Using a CA certificate that is chained to a root certificate already installed on the


endpoint, such as Verisign.

30 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

 Importing the CA certificate on the endpoint by whatever method your organization


uses to distribute root certificates.

 Uploading the CA certificate and any intermediate CA certificates to the Policy


Secure gateway. During OAC installation, the Policy Secure gateway automatically
installs the CA certificate on the endpoint. When prompted during installation, the
user must allow the installation of the CA certificate.

Related Using Trusted Server CAs on page 622


Documentation

Using OAC Licenses with the IC Series

You can configure the Windows version OAC to download by default from the Policy
Secure gateway. The downloaded edition contains all of the functionality in the
Enterprise Edition, including an 802.1X wired and wireless supplicant. The currently
installed Policy Secure gateway Endpoint License determines the maximum number of
concurrent endpoints that can access OAC with the Policy Secure gateway.

The FIPS Edition of the Windows version OAC can also be used with the Policy Secure
gateway. All editions support the full OAC feature set and OAC Administrator. The
licenses for the FIPS edition and Enterprise Edition must be purchased in addition to the
Policy Secure gateway Endpoint License. To prevent user sessions generated by these
two editions from increasing the concurrent user count against the Policy Secure
gateway Endpoint License, you can install the OAC-Add-UAC license on the Policy
Secure gateway.

NOTE: You can use the FIPS edition of OAC with the non-FIPS edition of the
Policy Secure gateway. In this case, data between OAC and an 802.1X
switch is protected by FIPS-validated encryption.

If you add a FIPS license to 64-bit OAC, the agent is an Enterprise Edition
with no FIPS capability. The only advantage in using a FIPS licensed 64-bit
OAC is that the agent can use xSec.

FIPS is not supported on the Macintosh version of OAC. The FIPS license is
accepted on the Macintosh version, but functionally the agent is equivalent
to the Enterprise Edition.

Related Using the Preconfigured Installer for OAC on Windows Endpoints on page 29
Documentation

Manually Installing OAC

If your 802.1X switch does not allow network connectivity from your computer to the
Policy Secure gateway, or if you are deploying the Macintosh version of OAC and want
to install the agent manually, use the instructions in this section to download the OAC
.msi for Windows or .dmg for the Macintosh to another computer that has network
connectivity to the Policy Secure gateway. Then, transfer the OAC .msi or .dmg file to
endpoints to manually

© 2015 by Pulse Secure, LLC. All rights reserved. 31


Pulse Policy Secure Administration Guide

install and configure OAC. You can download either 32-bit or 64-bit version of OAC for
Windows, or the Macintosh version.

To manually install OAC:

1. In the admin console, select Maintenance > System > Installers.

2. Click the Download link for the correct version and platform of OAC. The File Download
dialog box is displayed.

3. Click Save in the File Download dialog box. The Save As dialog box is displayed.

4. Select an appropriate location in the Save As dialog box.

5. Click Save in the Save As dialog box.

6. Distribute the OAC .msi or .dmg installer program to endpoints that do not have
network connectivity to the Policy Secure gateway.

7. For Windows machines, double-click the OAC installer and respond to the prompts.
For Macintosh machines, drag the installer to the Applications folder.

8. Install the trusted root CA certificate or intermediate CA on the endpoint that you
generated.

NOTE: You must have the same root CA or intermediate CA for the server
certificate chain installed in the trusted root or intermediate certificate
store of your machine.

9. To install the CA on Windows systems, open Internet Explorer and select Tools >
Internet Options > Content > Certificates and click Import. To install on a Macintosh
system, double-click the certificate and click OK. The certificate is added to Keychain.

Related Validating the IC Series Certificate on page 30


Documentation
 Manually Configuring OAC for 802.1X (Windows or Macintosh) on page 32

Manually Configuring OAC for 802.1X (Windows or Macintosh)

To manually configure OAC for 802.1X:

1. Double-click the OAC tray icon to display OAC Manager on the Windows version.
Select the icon on the Macintosh version.

2. Configure a user profile in OAC:

a. In the side pane of the OAC Manager, select Configuration > Profiles > Add. The
Add Profile dialog box is displayed.

b. Enter a name in the Profile box.

c. Enter a name in the Login name box.

32 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

d. Click the Password tab and select a password option.

e. Click OK.

3. Configure OAC for 802.1X:

a. From the side pane of the OAC Manager, click Configuration > Adapters > Add. The
Add Adapter dialog box is displayed.

b. Click either the Wireless or Wired 802.1X tab to choose an adapter.

c. Select the adapter to use for 802.1X.

d. Click OK.

NOTE: If you do not see your wireless adapter in the list, select All
Adapters. Make sure that the adapters that you select on the Wireless
tab is wireless. You cannot configure OAC for wireless connections
unless you have a wireless adapter installed.

4. Connect to a 802.1X wireless network:

a. In the side pane of the OAC Manager, select Configuration > Networks > Add. The
Networks dialog box is displayed.

b. Specify the following settings for your wireless 802.1X network:

 Select the appropriate setting for Association mode.

 Select the appropriate setting for Encryption method.

 Select Authenticate using profile, and then select the profile you created earlier
from the list box.

 Select Keys will be generated automatically for data privacy.

5. Connect to the network:

a. In the side pane of the OAC Manager, select Configuration > Adapters and select
the adapter you just added.

b. If you are using a wired network, select the profile you just created from the Profile
list on the right. If you are using a wireless network, select the wireless network you
just added from the Network list on the right.

c. Click Connect to the network.

d. When you are prompted for a login name, sign in using the username you configured,
and click OK.

e. When you are prompted for a password, enter the password you configured, and
click OK.

© 2015 by Pulse Secure, LLC. All rights reserved. 33


Pulse Policy Secure Administration Guide

Related Manually Installing OAC on page 31


Documentation

Provisioning Detailed Configuration Profiles for Macintosh OAC Endpoints

OAC does not install automatically on Macintosh endpoints. Users can log in, download,
and then install the agent. Alternately, users or the Policy Secure gateway administrator
can install the client on endpoints manually. To do this, the administrator can
download the
.dmg file from the Policy Secure gateway Maintenance > System > Installers page, and
then either distribute the file to users or install the file on individual machines. The
basic application does not include detailed profiles or settings like those that you can
configure on the Windows version through the preconfigured installer or the OAC
Administrator.

The OAC Macintosh version does not include the OAC Administrator, so detailed
configuration profiles and settings cannot be configured by the user. To provide detailed
profiles on the Macintosh client, you must configure settings on the Windows version of
OAC using the OAC Administrator. Then, use the Script Composer feature of the OAC
Administrator to generate a script that can be transferred to Macintosh machines to
populate detailed profiles on the Macintosh OAC. For details about configuring a detailed
profile, see
http://www.juniper.net/techpubs/en_US/release-independent/aaa-802/information-products/pathway-pages/oac/product/
.

Related Manually Installing OAC on page 31


Documentation

Understanding Deployments with Pulse Secure Clients

This topic gives an overview of Pulse Policy Secure deployments with Pulse Secure
clients. It includes the following information:

 Pulse Overview on page 34


 Session Migration on page 35
 Location Awareness on page 35
 Security Certificates on Pulse on page 35
 User Experience on page 35
 Platform Support on page 36
 Downloading Pulse to Endpoints with Security Software Installed on page 36

Pulse Overview
Pulse supports all the connection methods that you can use with OAC (Layer 2 and Layer
3 connectivity, and wired or wireless connections). Pulse also supports static and dynamic
IPsec and Source IP enforcement as a UAC agent. An 802.1X connection with UAC is
supported on Windows XP SP3, Windows Vista, and Windows 7 by using components
of the native Windows supplicant. Pulse supports SSL transport for SSL VPN tunnels to
Connect Secure gateways. Pulse can also provide the WAN application acceleration
services.

34 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

Session Migration
One of the primary benefits of Pulse is that users can log in once through a device on the
network and then access additional devices without reauthentication.

Using Pulse, you can permit users to migrate from location to location without
reauthentication. For example, a user can connect from home through an Connect
Secure gateway, and then arrive at work and connect through a Policy Secure gateway
without logging in again. Session migration also enables users to access different
resources within the network that are protected by Juniper Networks devices without
repeatedly providing credentials. IF-MAP Federation is required to enable session
migration for users.

Location Awareness
The location awareness feature enables you to define connections that are activated
automatically based on the location of the endpoint. Pulse determines the location of
the endpoint by evaluating location awareness rules that you define. Location awareness
rules are based on the client’s IP address and interface. For example, you can define rules
to enable Pulse to automatically establish a secure tunnel to the corporate network
through an Connect Secure gateway only when the user is at home, and to establish a
UAC connection when the user is connected to the corporate network over the LAN.
You configure the location awareness feature by defining location awareness rules for
individual connections.

Location awareness rules are available for connections that are defined on the access
device and then distributed to endpoints. Users cannot configure the location awareness
feature by manually creating a connection on the Pulse client.

Security Certificates on Pulse


Users cannot add CA servers or manage the server list. Pulse handles certificates similar
to the way a browser handles certificates. If the Pulse dynamic certificate trust option is
enabled for a connection, the user can accept or reject the certificate that is presented
if it is one that is not from a CA that is defined in the endpoint’s certificate store.

An 802.1X connection enables an added layer of certificate verification. When you define
an 802.1X connection on the access device, you can specify server certificate distinguished
names for each CA.

User Experience
Pulse presents a clean, uncomplicated interface for the user. Users can enter credentials,
select a realm, save settings, and accept or reject the server certificate. When you
configure the client, you can specify whether or not to permit users to modify settings,
such as to add connections.

The client displays the connection status until the connection is made. If a connection
fails as a result of the endpoint failing a Host Checker policy, Host Checker reason strings
and remediation options appear.

© 2015 by Pulse Secure, LLC. All rights reserved. 35


Pulse Policy Secure Administration Guide

Platform Support
The following Juniper Networks devices support Pulse:

 Pulse Policy Secure 4.0 or later

 Connect Secure gateway 7.0 or later

 WX Series JWOS 6.1 or later

 SRX Series 9.5 or later

The Pulse client is supported on Windows XP SP3 32, Windows Vista SP1/2 32 and 64,
and Windows 7.

NOTE: Although the ability to configure and deploy Pulse client software
from an SRX Series device is not yet available, endpoints can use Pulse client
software to connect to SRX Series devices that are running Junos OS Release
9.5. You can create connections that use the connection type “Firewall” and
deploy these connections from supported access devices.

Downloading Pulse to Endpoints with Security Software Installed


If endpoint security software is installed, some settings might not allow ActiveX controls
to launch, which disables the browser-based Pulse installation method. For example,
with Kaspersky 2010, users might need to remove the browser manually from the My
Security Zone in the Kaspersky client to allow the installation to run.

Related Pulse Client Configuration Overview on page 37


Documentation
 Understanding Client Connection Set Options on page 40

 Understanding Pulse Component Set Options on page 52

 Configuring the Pulse Client for a Role on page 36

 Understanding Session Migration on page 255

Configuring the Pulse Client for a Role

After you specify the connections and components that you want to distribute with the
client, you can deploy the client to endpoints. Either assign users to a role to receive the
download, or create a custom installer package and distribute it to users.

To configure the Pulse client for endpoints through a role assignment:

1. Select Users > User Roles > New User Role in the admin console, or select an existing
role.

2. For a new role, enter a name.

3. Click Save Changes. The Role configuration options appear.

36 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

4. Select the Agent tab.

5. Select the Install Agent for this role check box and then select the Install Junos Pulse
option.

6. Click Save Changes. A new Pulse settings tab is displayed.

7. On the Agent tab, click Junos Pulse Settings.

8. (Optional) Select a component set that you have created, use the Default component
set, or select none. If you select none, you must create an installer package and
distribute to users. The default installer contains all components.

9. Select Users > User Realms > Select Realm > Role Mapping > New Rule to configure
role-mapping rules that map Pulse users to the role(s) you configured.

Related Understanding Client Connection Set Options on page 40


Documentation
 Creating a Client Connection Set on page 46

 Understanding Pulse Component Set Options on page 52

 Creating a Client Component Set on page 53

 Installing the Pulse Secure Client on Windows Endpoints Using a Preconfiguration


File on page 54

 Installing the Pulse Secure Client on OS X Endpoints Using a Preconfiguration File


on page 59

Pulse Client Configuration Overview

This topic provides an overview of Pulse client configuration tasks. It includes the following
information:

 Deploying Pulse Client Software to Users on page 37


 Pulse Components on page 38
 Pulse Client Connections on page 39
 Default Configuration on page 40

Deploying Pulse Client Software to Users


One method of provisioning Pulse for users is assigning user roles. You can allow users
to download the client automatically by selecting Pulse as the agent option for a role.
The download occurs when the user connects to the Web portal for the access device.
You can transition users to the new client by configuring a new role that includes the
Pulse download, and then you can migrate users to the new role in a controlled
deployment.

To provision a custom Pulse package for users, you first configure a Pulse connection
set, which includes one or more connections. Each connection includes all the settings
that an endpoint needs to connect to a particular access device. Then you create a Pulse
component set, which allows you to choose the Pulse components to download to

© 2015 by Pulse Secure, LLC. All rights reserved. 37


Pulse Policy Secure Administration Guide

endpoints. You can select a previously created client connection set profile to associate
with the client component set.

To assign a role, you either create a new role or select an existing role. Then you choose
a client component set for that role. When users provide valid credentials at the URL you
provide, the Pulse client is downloaded automatically.

Another method of enabling users to install the Pulse client is by creating an installer
package from the main Pulse Components page and distributing the installer to endpoints
through SMS.

Figure 4 on page 38 illustrates the process for deploying the client to users.

Figure 4: Configuration and Installation Overview

Be sure to instruct users to disable or uninstall OAC before installing Pulse. Pulse and
OAC can coexist on the same endpoint, but they cannot run simultaneously. Users can
disable OAC from the Windows Task Manager.

Pulse Components
Pulse components are individual software packages that provide the software services
and features of Pulse that are deployed to the endpoint. A component set is a bundle of
selected components. The components you select affect the size of the installation
package and affect the time it takes for a client to establish an connection to a new
device. For example, you deploy Pulse to an endpoint using an installation package that
includes only the components required for a connection to a Policy Secure gateway. If
a client that is using that package later connects to an SRX Series Firewall, the device
must download the Firewall connection and all of the components required for a
firewall connection to the client.

Pulse is designed to be lightweight, so you can download only the components that are
required for individual connections. For example, if a connection does not require IPsec,
you can omit the components for IPsec.

Endpoints can download individual components on demand as they encounter different


devices that require different components. When an endpoint attempts to connect to

38 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

a Policy Secure gateway or Connect Secure gateway, the connection set determines how
to make the connection. Example components include connectivity options for 802.1X
access, WX functionality, and Policy Secure gateway IPsec.

Pulse Client Connections


You can define the connections and connection methods that are stored on a user’s
endpoint. You configure client settings on the Policy Secure or Connect Secure gateway,
and then distribute the connection options to users through the client installation or
connection. The client settings are text files that reside on the client computer.

Each time the client accesses a different device, the client settings that are configured
for that device may overwrite the files from any previous connections.

You configure client settings when you configure a client connection set.

Client settings include the following types of persistent data:

 Connections—A connection contains a connection-policy that controls when the


connection is made. For example, you can configure the client to connect automatically
at user login or manually when the user initiates the connection. Connections are not
user-specific. There is only one set of connections per client computer. All users of the
same client computer share the same set of connections.

 Connection set options—Connection set options are independent of connections.


Connection set options govern the operation of the Pulse client as a whole. They control
whether or not the client is provisioned with specific features that are used each time
a connection is made. You can enable or disable the following options:

 Allow saving logon information—Enables the Save settings check box in the certificate
trust and password prompts.

 Allow user connections—Enables the user to manually define new connections


instead of relying on connections provided from a server.

 Display Splash Screen—Controls whether the splash screen is displayed when Pulse
starts.

 Dynamic certificate trust—Controls whether users can choose to trust unknown


certificates.

 Dynamic connections—Allows a client to add a new connection when it connects


to a new supported access device.

 Wireless suppression—Automatically suppresses wireless operations on the client


computer when it connects to a wired connection, for example, when a laptop is
inserted into a docking station.

Pulse also retains learned user settings, which include user information such as passwords,
realms, and role assignments. Learned user settings are not configured by administrators.
These settings are retained securely on the endpoint, evolving as the user connects
through different devices and methods. Learned user settings are utilized by the Pulse
client to retain values entered by users. A user can enable a Save Setting check box to
have Pulse retain responses to login prompts.

© 2015 by Pulse Secure, LLC. All rights reserved. 39


Pulse Policy Secure Administration Guide

The Pulse client can save the following settings:

 Certificate acceptance

 Certificate selection

 Realm

 Username and password

 Proxy username and password

 Secondary username and password

 Role

NOTE: When a user saves settings, that information is used for each
subsequent connection without prompting. If a user changes their password,
the saved setting becomes invalid and the connection attempt will fail. In
this case, the user must use the Pulse client’s Forget Saved Settings feature.
The Forget Saved Settings feature clears the saved settings and enables
prompting.

Default Configuration
Policy Secure and Connect Secure gateways include a default client connection set and
client component set. You can provision Pulse to users with the default values without
actively creating new connection sets or component sets. The default settings for the
client permit dynamic connections, installs only the components required for the
connection, and permit an automatic connection to the Policy Secure gateway or
Connect Secure gateway to which the endpoint connects.

Related Understanding Deployments with Pulse Secure Clients on page 34


Documentation
 Understanding Client Connection Set Options on page 40

 Creating a Client Connection Set on page 46

 Understanding Pulse Component Set Options on page 52

 Creating a Client Component Set on page 53

 Configuring the Pulse Client for a Role on page 36

Understanding Client Connection Set Options

A client connection set contains general network access options, and allows you to
configure specific connection policies for client access to any access device that supports
Pulse. Table 7 on page 40 details the available options for a connection set.

Table 7: Configurable Parameters for Pulse Connection Sets


Options:

40 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

Table 7: Configurable Parameters for Pulse Connection Sets (continued)


Allow saving logon information—Controls whether the Save Settings check
box is available in logon credential dialog boxes in the Pulse client. If you clear
this check box, the Pulse client will always require users to provide their logon
credentials. If you enable this check box, users have the option of saving their
credentials.

Allow user connections—Controls whether users can add connections.

Display Splash Screen—Clear this check box to hide the Pulse splash screen
that normally appears when the Pulse client starts.

Dynamic certificate trust—Determines whether or not users can opt to trust


unknown certificates. If you enable this check box, a user can ignore warnings
about invalid certificates and connect to the target device.

Dynamic connections—Allows connections within this connection set to be


automatically updated or added to a Pulse Secure client when the user
connects to the Pulse server through the user Web portal. Dynamic
connections are created as manual rather than automatic connections,
which means that they are run only when the user initiates the connection or
the user browses to a Pulse Server and launches Pulse from the server’s Web
interface.

Wireless suppression—Disables wireless access when a wired connection is


available.

NOTE: If you enable wireless suppression, be sure to also configure a


connection that enables the client to connect through a wired connection.

When you create a connection for a connection set, you choose a connection type. The following
lists the options available for each connection type:

UAC 802.1X options:

© 2015 by Pulse Secure, LLC. All rights reserved. 41


Pulse Policy Secure Administration Guide

Table 7: Configurable Parameters for Pulse Connection Sets (continued)


Use the UAC Adapter type—Specifies the type of adapter to use for authentication: wired
802.1X or wireless.
connection type
to define
Outer username—Enables users to appear to log in anonymously while passing
authenticated
the actual login name (called the inner identity) through an encrypted tunnel.
connectivity to
As a result, the user’s credentials are secure from eavesdropping and the user’s
802.1X devices,
inner identity is protected. As a general rule enter anonymous, which is the
wired or wireless.
default value. In some cases, you may need to add additional text. For example,
Users cannot
if the outer identity is used to route the user’s authentication to the proper
create 802.1X
server, you may be required to use a format such as anonymous@acme.com.
connections
If you leave the box blank, the client passes the user’s login name (inner
from the Pulse
identity) as the outer identity.
client interface.
Users see 802.1X
connections in Scan list—If you selected wireless as the adapter type, the scan list box is
the Pulse available to specify the SSIDs to connect to in priority order.
interface only
when the
connection has
been deployed
from the server
and the specified
network is
available.

Support Non-Broadcast SSID—This option allows users to connect to a


non-broadcast wireless network from within the Pulse interface.

Trusted Server List for 802.1X Connection:

Server certificate DN—Specify the server certificate distinguished name (DN)


and its signing certificate authority (CA). An empty DN field allows a client to
accept any server certificate signed by the selected CA.

SSL VPN or UAC (L3) options:

Allow user to override connection policy—Allows a user to override the


connection policy by manually connecting or disconnecting. Typically, you
leave this option selected to make sure that a user can establish a connection
under all conditions. If you disable this check box, the user cannot change the
endpoint’s connection status, suspend/resume a connection, or shut down
Pulse Secure client.

Enable Pulse Collaboration integration on this connection—This option must


be disabled if this connection is for Pulse Policy Secure. If the connection is
for Pulse Connect Secure, you can enable this check box and use the
connection for accessing Pulse Collaboration meetings.

This server—Specifies whether you want the endpoint to connect to this


device.

URL—Allows you to specify a URL for a different device as the default


connection. You would specify a different server’s URL if you were creating
connections for other access devices in the network.

42 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

Table 7: Configurable Parameters for Pulse Connection Sets (continued)


SRX options (for Dynamic VPN):

Address—Specifies the IP address of the SRX device.

Allow user to override connection policy—Allows users to override the


connection policy by manually connecting or disconnecting.

App Acceleration options:

Allow user to override connection policy—Allows a user to override the


connection policy by manually connecting or disconnecting. Typically, you
leave this option selected to make sure that a user can establish a connection
under all conditions. If you disable this check box, the user cannot change the
endpoint’s connection status or shut down Pulse Secure client.

Community string—The Pulse Secure client and the Junos Pulse Application
Acceleration Service can form an adjacency for application acceleration only
if they belong to the same community as identified by the community string.
When you create an App Acceleration connection, be sure the community
string for the connection matches the community string defined on the Pulse
Application Acceleration Service.

Connection is established:

For all connection types, specify how the connection is established. The options vary according
to the type of connection. Connections can be established using the following options:

Manually by the user—When the endpoint is started, the Pulse client software
is started, but no connection is attempted. The user must use the Pulse client
interface to select a connection.

Automatically after user signs into the desktop—When the endpoint is started
and the user has logged in to the endpoint, the Pulse Secure client software
connects automatically. For App Acceleration connections, automatic
connection is the default because Pulse forms an adjacency with Pulse
Application Acceleration Service automatically if the service is available.

NOTE: All connections on an endpoint that are configured to start


automatically attempt to connect to their target networks at startup time. To
avoid multiple connection attempts, be sure that only one connection is
configured to start automatically or configure location awareness rules.

Automatically when the machine starts. Machine credentials used for


authentication—Enables machine authentication, which requires that Active
Directory is used as the authentication server and that machine credentials
are configured in Active Directory.

© 2015 by Pulse Secure, LLC. All rights reserved. 43


Pulse Policy Secure Administration Guide

Table 7: Configurable Parameters for Pulse Connection Sets (continued)


Automatically when the machine starts. Connection is authenticated again
when the user signs in into the desktop—Enables machine authentication
for the initial connection. After the user connects with user credentials, the
machine authentication is dropped. When the user logs off, the machine
authentication connection is restored.

NOTE: If the machine and user have different roles, each role should map to
the same connection set. Otherwise after the user connects, the existing
connection set might be replaced.

Automatically at user login—This option enables Pulse client interaction with


the credential provider software on the endpoint. The user credentials are
used to establish the authenticated Pulse connection to the network, login
to the endpoint, and login to the domain server.

NOTE: This label changed at Pulse Policy Secure R4.3. If you had selected
the old label for a Pulse connection, Automatically during desktop
authentication. User is presented with the Pulse Secure credential tile at the logon
screen, it is automatically converted to the new label, Automatically at user
login when you perform the upgrade from R4.2.

Automatically when the machine starts. Connection is authenticated again


at user login—This option enables Pulse client interaction with the credential
provider software on the endpoint. Machine credentials are used to establish
the authenticated Pulse connection to the network. When the user provides
user credentials, the connection is authenticated again. In one typical use
case, the machine credentials provide access to one VLAN and the user
credentials provide access to a different VLAN.

Location awareness rules:

44 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

Table 7: Configurable Parameters for Pulse Connection Sets (continued)


For SSL VPN or UAC (L3) and SRX connections that are set to have the
connection established automatically, you can define location awareness
rules that enable an endpoint to connect conditionally. For example, the
endpoint connects to Pulse Policy Secure if it is connected to the company
intranet or it connects to Pulse Connect Secure if it is in a remote location.

A Pulse connection uses the IP address of a specified interface on the endpoint


to determine its network location. Each location awareness rule includes the
following settings:

 Name—A descriptive name, for example, “corporate-DNS.” A name can


include letters, numbers, hyphens, and underscores.
 Action—The method the connection uses to discover the IP address. Choose
one of the following values:
 DNS Server—Allows the endpoint to connect if the endpoint’s DNS server
on the specified interface is set to one of the specified values. Use the
Condition box to specify IP addresses or address ranges.
 Resolve Address—Allows the endpoint to connect if the hostname
specified in the DNS Name box can be resolved by the DNS server for the
specified interface. If one or more address ranges are specified in the
Address Range box, the address must resolve to one of the ranges to
satisfy the expression.
 Endpoint Address—Allows the endpoint to connect if the IP address of
the specified interface is within a range specified in the IP Address Range
box.

NOTE: To create a negative location awareness rule, you first create the
positive state and then use rule requirement logic to use the rule as a negative
condition.

Machine Connection Preferences:

The Machine Connection Preferences appear if you have selected one of the
machine authentication options for how the connection is established.
Normally Pulse presents a selection dialog box if more than one realm or role
available to the user. However, a connection that is established through
machine authentication fails if a dialog box is presented during the connection
process. To suppress the selection dialogs, either ensure that only one role
and realm is available to users or specify a preferred realm and role for this
connection.

 Preferred Machine Realm—Specify the realm that this connection uses


when establishing the machine connection. The connection ignores any
other realm available for the specified logon credentials
 Preferred Machine Role Set—Specify the role or the name of rule for the
role set that this connection uses when establishing the machine connection.
The role or rule name used must be a member of the preferred machine
realm.

User Connection Preferences:

© 2015 by Pulse Secure, LLC. All rights reserved. 45


Pulse Policy Secure Administration Guide

Table 7: Configurable Parameters for Pulse Connection Sets (continued)


The User Connection Preferences options enable you to specify a realm and
role for automatic connections that would otherwise present a selection dialog
box to the user. To suppress the selection dialogs, either ensure that only one
role and realm is available to users or specify a preferred realm and role for
this connection.

 Preferred User Realm—Specify the realm that for this connection that is
used when a user logs onto the endpoint. The connection ignores any other
realm available for the user’s logon credentials
 Preferred User Role Set—Specify the preferred role or the name of rule for
the role set to be used for user authentication. The role or rule name used
must be a member of the preferred user realm.
 Select client certificate from machine certificate store—This option
enables you to specify the location of the client certificate on a Windows
endpoint as part of a Pulse connection that verifies the identity of both the
machine and the user before establishing a connection. When this check
box is selected, the Pulse connection looks at client certificates located in
the Local Computer personal certificate store. When this check box is not
selected, the connection accesses the user certificate store an a Windows
endpoint. For more information, see “Machine and User Authentication
Through a Pulse Connection for Pulse Policy Secure” on page 66

Related Creating a Client Connection Set on page 46


Documentation
 Machine Authentication for Pulse Policy Secure Overview on page 71

 Configuring Location Awareness Rules on page 49

 Machine and User Authentication Through a Pulse Connection for Pulse Policy Secure
on page 66

 Remote Desktop Protocol Compatibility with Pulse Secure 802.1X


Machine Authentication Connection on page 69

Creating a Client Connection Set

To create a client configuration:

1. On the admin console, select Users > Junos Pulse > Connections.

2. Click New.

3. Enter a name, and optionally a description for this connection set.

NOTE: You must enter a name, otherwise you cannot create a connection
set.

4. Under Options, select or clear following check boxes:

 Allow saving logon information

 Allow user connections

 Display Splash Screen

46 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

 Dynamic certificate trust

 Dynamic connections

 Wireless suppression

5. Under Connections, click New to define a new connection.

6. Enter a name and an optionally a description for this connection.

7. Select a Type for the connection. The Type identifies the device type for the
connections and can be any of the following:

 UAC (802.1X)

 SSL VPN or UAC (L3)

 SRX

 App Acceleration

8. If you select UAC (802.1X) on the type list, either enter a value or select or clear the
following check boxes:

 Adapter type

 Outer username—Enter the outer username.

 Scan list—Enter the SSIDs to connect to in your order of priority.

 Support Non-Broadcast SSID

9. Click Save Changes.

10. If you select SSL VPN or UAC (L3) after Options, select or clear the following check
boxes:

 Allow user to override connection policy

 Support Remote Access (SSL VPN) or LAN Access (UAC) on this connection

 Enable Pulse Collaboration integration on this connection

 This Server—This connection uses the URL of the server where you are creating the
connection.

 URL—If you did not select the This Server check box, you must specify the URL of
the server for the connection.

11. If you select SRX, enter an IP address in the Address box.

12. From the Options list, specify the following:

 Address

 Allow user to override connection policy

13. If you select App Acceleration, specify the following options: select the Connect
Automatically check box to permit the client to automatically connect to WX in the
network.

 Allow user to override connection policy

© 2015 by Pulse Secure, LLC. All rights reserved. 47


Pulse Policy Secure Administration Guide

 Community string

14. For all connections, specify how the connection is established. Depending on the
connection, select one of the following:

 Manually by the user—When the endpoint is started, the Pulse client software is
started, but no connection is attempted. The user must use the Pulse client interface
to select a connection.

 Automatically after user signs into the desktop—When the endpoint is started and
the user has logged in to the endpoint, the Pulse Secure client software connects
automatically. For App Acceleration connections, automatic connection is the
default because Pulse forms an adjacency with Pulse Application Acceleration
Service automatically if the service is available.

NOTE: All connections on an endpoint that are configured to start


automatically attempt to connect to their target networks at startup
time. To avoid multiple connection attempts, be sure that only one
connection is configured to start automatically or configure location
awareness rules.

 Automatically when the machine starts. Machine credentials used for


authentication—Enablesmachine authentication, which requires thatActive Directory
is used as the authentication server and that machine credentials are configured in
Active Directory.

 Automatically when the machine starts. Connection is authenticated again when the
user signs in into the desktop—Enables machine authentication for the initial
connection. After the user connects with user credentials, the machine authentication
is dropped. When the user logs off, the machine authentication connection is
restored.

NOTE: If the machine and user have different roles, each role should
map to the same connection set. Otherwise after the user connects, the
existing connection set might be replaced.

 Automatically at user login—This option enables Pulse client interaction with the
credential provider software on the endpoint. The user credentials are used to
establish the authenticated Pulse connection to the network, login to the endpoint,
and login to the domain server.

48 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

NOTE: This label changed at Pulse Policy Secure R4.3. If you had
selected the old label for a Pulse connection, Automatically during
desktop authentication. User is presented with the Pulse Secure
credential tile at the logon screen. It is automatically converted to the
new label at user login when you perform the upgrade from R4.2.

15. After you create the client connection set, create a client component set profile, and
select this connection set.

Related Understanding Client Connection Set Options on page 40


Documentation
 Understanding Pulse Component Set Options on page 52

 Creating a Client Component Set on page 53

 Configuring Location Awareness Rules on page 49

Configuring Location Awareness Rules

The location awareness feature enables a Pulse Secure client to recognize its location
and then make the correct connection when the connection is set to connect
automatically. For example, a Pulse client that is started in a remote location
automatically connects to Pulse Connect Secure. But that same client automatically
connects to Pulse Policy Secure when it is started in the corporate office.

NOTE: Location awareness and session migration are similar because they
both simplify connectivity for the user, but they do so under different
conditions. With location awareness, the Pulse client makes a decision on
where to connect when a user logs in to the computer. Session migration
occurs when the user puts the computer into a stand by or hibernate mode
without first logging out, and then opens the computer in a different network
environment. Location awareness enables the Pulse client to intelligently
start a new session. Session migration enables Pulse servers to intelligently
migrate an existing session.

Location awareness relies on rules you define for each connection. If the conditions
specified in the rules are true, Pulse attempts to make the connection. To set up the
location awareness rules that select among many connections, you must define location
awareness rules for each connection. Each location awareness rule is based on the
endpoint’s ability to reach an IP address or resolve a DNS name over a specified network
interface.

© 2015 by Pulse Secure, LLC. All rights reserved. 49


Pulse Policy Secure Administration Guide

NOTE: Location awareness behavior is affected by split tunneling


configuration. For example, if a location awareness rule relies on a address
resolution made on the physical adapter, and split tunneling is disabled, the
rule always resolves to FALSE after Pulse establishes the connection.

The following location awareness example includes two connections. The first connection
is a Pulse Policy Secure connection that resolves to TRUE when the endpoint is
connected to the corporate LAN. The second connection is Pulse Connect Secure
connection that resolves to TRUE when the endpoint is located in a remote location.

Pulse Policy Secure connection

If the DNS server that is reachable on the endpoint’s physical network


interface is one of your organization’s internal DNS servers, then
establish the connection.

Pulse Connect Secure connection

If the DNS server that is reachable on the endpoint’s physical network


interface is not one of your organization’s internal DNS servers, and the
DNS name of your Pulse Connect Secure device resolves to the external
facing IP address of the Pulse Connect Secure device, then establish the
connection.

NOTE: Connections can be set to manual, automatic, or controlled by location


awareness rules. When the user logs in, the Pulse client attempts every
connection in its connections list that is set to automatic or controlled by
location awareness rules.

NOTE: To create a negative location awareness rule, you first create the
positive state and then use rule requirement logic to use the rule as a negative
condition.

To configure location awareness rules:

1. If you have not already done so, create a connection or open an existing connection.

You can configure location awareness rules for Firewall connections and IC or SA
connections. Location awareness rules do not apply to 802.1X or App Acceleration
connections.

2. In the Connection is established area, select According to location awareness rules,


and then click New.

3. Specify a name for the rule.

4. In the Action list, select one of the following:

50 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

 DNS server—Connect if the DNS server associated with the endpoint's network
properties is (or is not) set to a certain value or set of values. Specify the DNS server
IP address in the IP address box. Also specify a network interface on which the
condition must be satisfied:

 Physical—The condition must be satisfied on the physical interfaces on the


endpoint.

 Pulse Secure—The condition must be satisfied on the virtual interface that


Pulse Secure creates when it establishes a connection.

 Any—Use any interface.

 Resolve address—Connect if the configured hostname or set of hostnames is (or is


not) resolvable by the endpoint to a particular IP address. Specify the hostname in
the DNS name box and the IP address or addresses in the IP address box. Also
specify a network interface on which the condition must be satisfied.

NOTE: The Pulse client software evaluates IP and DNS policies on


network interface changes. DNS lookups occur on DNS configuration
changes or when the time-to-live setting (10 minutes) expires for a
particular host record. If Pulse cannot resolve the host for any reason,
it polls the configured DNS server list every 30 seconds. If the host had
been resolved successfully previously and the time-to-live timer has
not expired, the polling continues until the timer expires. If the host had
not been resolved successfully previously, the resolution attempt fails
immediately.

 Endpoint Address—Connect if a network adapter on the endpoint has an IP address


that falls within or outside of a range or a set of ranges. Specify the IP address or
addresses in the IP address box. Also specify a network interface on which the
condition must be satisfied.

5. Click Save Changes.

After you create the rule or rules, you must enable each rule you want to use for the
connection. To enable a negative form of a rule, use a custom version of the rule. To
enable location awareness rules:

1. In the list of connection awareness rules for a connection, select the check box next
to each rule you want to enable.

2. To specify how to enforce the selected location awareness rules, select one of the
following options:

 All of the above rules—The condition is TRUE and the connection is attempted only
when all selected location awareness rules are satisfied.

 Any of the above rules—The condition is TRUE and the connection is attempted
when any select location awareness rule is satisfied.

 Custom—The condition is TRUE and the connection is attempted only when all
selected location awareness rules are satisfied according to the Boolean logic you

© 2015 by Pulse Secure, LLC. All rights reserved. 51


Pulse Policy Secure Administration Guide

specify in the Custom box. Use the Boolean condition to specify a negative location
rule. For example, connect to Pulse Connect Secure when Rule–1 is false and Rule–
2 is true. The boolean logic in the custom box would be: NOT Rule-1 AND
Rule-2. The accepted Boolean operators are AND, OR, NOT, and the use of ( ).

3. Click Save Changes.

Related Understanding Session Migration on page 255


Documentation

Understanding Pulse Component Set Options

A Pulse component set includes individual software components that provide Pulse
connectivity and services.

Component set options include the following choices:

 All components—Includes the components listed in Table 8 on page 52. The Enhanced
Endpoint Security (EES) component, which is available only if you have purchased an
EES license, is included if the user’s assigned role requires it. You should choose the
All components option only if you want client endpoints to be able to connect to all
supported access devices and to use WAN acceleration (WX). When you include the
WX component, the disk space requirement for the Pulse client installation increases
to 300 MB.

 No components—You should select this option to create an installer that only updates
existing Pulse client installations, for example, to add a new connection. Do not use
this option if you are creating an installer to add Pulse to endpoints that do not already
have Pulse installed.

 Minimal components—Includes only the components needed to support the selected


connections. For example, if the connection set you create includes a connection to
an IC device, the component set will include only the components required to connect
to IC devices. Minimal components is the default choice. It provides all needed
components while also limiting the size of the Pulse installation file.

For a list of all components see Table 8 on page 52.

Table 8: Pulse Components

Components Description

Core functions Allows the client to download a minimal component set and install
on endpoints.

802.1X access Includes the required components for 802.1X connections. The client
interacts with the native wired and wireless 802.1X supplicant on the
client PC.

IC or SA access Provides basic functionality that allows Pulse to interoperate with


Policy Secure or Connect Secure gateways.

52 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

Table 8: Pulse Components (continued)

Components Description

Firewall access Provides basic functionality that allows Pulse to operate as a dynamic
VPN client with Juniper Networks J Series firewalls.

WX functionality Facilitates using the client with Pulse Application Acceleration Service
for WAN acceleration.

Host Checker Includes the Trusted Network Computing (TNC) client that allows IC
or SA connections to run and enforce Host Checker policies. This
component provides support for all existing host checks on Windows
machines.

Enhanced Endpoint Allows IC and SA to use the integrated EES antimalware software.
Security

IC IPsec Allows the client to use IPsec as a communication method with the
Policy Secure gateway when a Juniper Networks security device is
employed.

SSL-VPN Facilitates SSL connections with the Pulse Connect Secure.

Related Creating a Client Component Set on page 53


Documentation
 Configuring the Pulse Client for a Role on page 36

Creating a Client Component Set

To create a client component set:

1. On the admin console, select Users > Junos Pulse > Components.

2. Click New to create a new component set.

3. If you have not yet created a client connection set, select Users > Junos Pulse >
Connections and create a new connection set. Alternately, use the default client
configuration, which permits dynamic connections, supports the outer username
anonymous, and allows the client to connect automatically to a Policy Secure or
Connect Secure gateway.

4. Specify a Name for the client component set.

5. (Optional) Enter a Description for this client component set.

6. Select a connection set that you have created, or use the default connection set.

7. For Pulse client components, select one of the following option buttons:

 All components—The installer contains all Pulse components, supporting all access
methods and all features.

 No components—The preconfigured installer is a configuration update, and only


works on endpoints that already have the Pulse Secure client installed.

© 2015 by Pulse Secure, LLC. All rights reserved. 53


Pulse Policy Secure Administration Guide

 Minimal components—The configuration is analyzed, and only the access methods


needed to support the connections in the configuration (along with Pulse core
components) are included in the installer. Additional components such as IPsec or
Host Checker are downloaded as needed at run time and are not part of the installer.

8. Click Save Changes.

9. After you create a component set, distribute the client to users through one of the
following methods:

a. Return to the main Pulse Client Components page to download and install the
preconfiguration utility and create an installer package.

b. Distribute to users through a role.

When users access the role, the installer downloads automatically to the endpoint.
The installer components and connections are applied to the endpoint client.

If client connections associated with the component set for a role are changed,
even though the list of components has not, the existing configuration on the
endpoint is replaced. This occurs either right away (if the endpoint is currently
connected), or the next time the endpoint connects.

If a user is assigned to multiple roles and the roles include different component
sets, the first role in an endpoint’s list of roles is the role that determines which
client (component set) is deployed.

Related Understanding Client Connection Set Options on page 40


Documentation
 Creating a Client Connection Set on page 46

 Understanding Pulse Component Set Options on page 52

 Configuring the Pulse Client for a Role on page 36

Installing the Pulse Secure Client on Windows Endpoints Using a Preconfiguration


File

The following procedures apply to Windows installations only.

After you create client connection sets and specify the connections to include within a
client component set, you can create a preconfiguration file with all of the connections
you want to distribute with the Pulse client. You specify the preconfiguration file as an
option when you run the Pulse MSI installer program using an msiexec
(windows\system32\msiexec.exe) command.

To create a preconfigured Pulse installer for distribution to Windows endpoints:

1. Select Users > Junos Pulse > Connections and create a connection set with the
connections that you want to distribute.

2. Select Users > Junos Pulse > Components.

3. If necessary, create a new component set with the connection sets you want to
distribute.

54 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

It does not matter which component option you select, All components, No
components, or Minimal components. The Pulse installer installs all components
unless you specify which components to install using one or more ADDLOCAL options
in the command line. If you specify one or more ADDLOCAL options, the installer
installs only the components you specify. Be sure that you specify all the components
required to support the connections you have selected.

4. Select the check boxes next to the component sets that you want to distribute.

5. Click Download Installer Configuration.

You are prompted to save the preconfiguration. You can also specify the name of the
target Pulse server for the connections, which enables you to create configuration
files that are the same except for the target server.

The default filename of the .jnprpreconfig file is the name of the selected component
set. Make note of the filename and location where you put the file. The preconfiguration
file must be available to the clients either through a network share or distributed along
with the Pulse Secure client installation file.

6. Select Maintenance > System > Installers.

If necessary for your environment, download and install the Juniper Installer Service.
To install Pulse, users must have appropriate privileges. The Juniper Installer Service
allows you to bypass privilege restrictions and allow users with limited privileges to
install Pulse. See “Downloading Client Installer Files” on page 708 for more information
about Juniper Installer Service.

7. Download the appropriate Pulse Secure installer for your Windows environment:

 Pulse Secure Installer (32-bit)

 Pulse Secure Installer (64-bit)

NOTE: For a Windows installation (.msi) that uses an automated distribution


mechanism and where the users do not have administrator privileges, you
should ensure that the installation is run in the proper context, typically the
USER context. To install in USER context, first advertise the .msi while in the
SYSTEM context. For example, to advertise the 64-bit Windows installation
to all users, use the following msiexec command:
msiexec /jm \JunosPulse.x64.msi
The advertisement allows the installation to be run in USER context even if
the user is a restricted (non-admin) user. The location where the
advertisement is run and where the actual installation is run must be the
same. If the installation is an upgrade, you must advertise the upgrade version
before running it. (Note that it is much easier to upgrade the Pulse client by
not disabling the automatic upgrade feature on the Pulse server.) After the
installation is run by the user, the Pulse client will use the correct user
certificate and context.

© 2015 by Pulse Secure, LLC. All rights reserved. 55


Pulse Policy Secure Administration Guide

Installing the Pulse Client Using Advanced Command-Line Options


The Pulse Secure installer includes the Pulse client and all the software components for
all the Pulse services. The preconfiguration file contains the definitions of the Pulse
connections that provide client access to specific Pulse servers and services.

Usage Notes:

 The preconfigured installer installs all Pulse components unless you specify the specific
components you want using ADDLOCAL options. If you use one or more ADDLOCAL
options, the preconfigured installer installs only the components specified by
ADDLOCAL. A preconfigured installer ignores the component set you select when you
create the preconfiguration file.

 When you use ADDLOCAL options, be sure that your msiexec command specifies all
the components required for your connections. For example, if the connection requires
802.1X connectivity for a connection to Pulse Policy Secure, be sure to include both
the 802.1X component and the Pulse Policy Secure component
(ADDLOCAL=PulseUAC,Pulse8021x).

 When you run msiexec, you should append /qn or /qb (msiexec options) to the
command line to suppress the installation program user interface. For example, the
user interface lets the user choose a complete installation or a custom installation,
which can override the components you specify with ADDLOCAL options. If the user
selects Complete, the msiexec program ignores the ADDLOCAL options in the command
line and installs all components. The /qn option specifies a silent install, so no user
interface appears. The /qb option also hides the user interface but it displays a progress
bar.

 The procedures in this topic are valid with Windows installations only. For information
about installing Pulse on OS X endpoints, see “Installing the Pulse Secure Client on OS
X Endpoints Using a Preconfiguration File” on page 59.

You run the Pulse preconfigured installer program with msiexec (the command line for
launching .msi programs on Windows platforms) and specify the following options.

NOTE: Command line options (CONFIGFILE and ADDLOCAL) are case


sensitive and must be all caps.

NOTE: If the path to the .jnprpreconfig file includes spaces, be sure to use
quotes around the path.

 CONFIGFILE—This property specifies a configuration file to be imported into Pulse


during installation. The property must include the full path to the configuration file. For
example:

msiexec -i JunosPulse.msi CONFIGFILE="c:\temp\my configuration.jnprpreconfig"

56 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

 ADDLOCAL—This optional property specifies which features and feature options


(subfeatures) to install when you want to install only specific Pulse features. If you do
not specify ADDLOCAL options, all Pulse components are installed. A feature comprises
the components required to support client connections. When you use ADDLOCAL,
you should append msiexec options /qn or /qb to the command line to suppress the
installation program user interface.

Feature and subfeature names are case sensitive. To specify multiple features in a
single command, separate each feature with a comma.

The ADDLOCAL property has the following features:

 PulseSA—Pulse components required for Pulse Connect Secure.

 PulseUAC—Pulse components required for Pulse Policy Secure.

 PulseSRX—Pulse components required for SRX Series Gateways.

 PulseAppAccel—Pulse components required for Pulse Application Acceleration


Service.

The ADDLOCAL property has the following optional subfeatures:

 Pulse8021x—Available with PulseUAC. Includes 802.1X connectivity components.

 SAEndpointDefense—Available with PulseSA. Includes Enhanced Endpoint Security


(EES) components for connections to Pulse Connect Secure.

 SAHostChecker—Available with PulseSA. Includes Host Checker components for


connections to Pulse Connect Secure.

 UACEndpointDefense—Available with PulseUAC. Includes EES components for


connections to Pulse Policy Secure.

 UACHostChecker—Available with PulseUAC. Includes Host Checker components


for connections to Pulse Policy Secure.

 UACIPSec—Available with PulseUAC. Includes components required to connect


to Pulse Policy Secure using IPSec from 32-bit Windows endpoints. This feature
is available in the 32-bit MSI only.

 UACIPSec64—Available with PulseUAC. Includes components required to connect


to Pulse Policy Secure using IPsec from 64-bit Windows endpoints. This feature
is available in the 64-bit MSI only.

Examples
When you use ADDLOCAL, you should append msiexec options /qn or /qb to the command
line to suppress the installation program user interface. These examples use /qb.

To install PulseUAC with 802.1X and EES support on a Windows 32-bit endpoint using
a configuration file:

msiexec -i JunosPulse.x86.msi CONFIGFILE=c:\pulse\Pulse-Connection-no.jnprpreconfig


ADDLOCAL=PulseUAC,Pulse8021x,UACEndpointDefense /qb

© 2015 by Pulse Secure, LLC. All rights reserved. 57


Pulse Policy Secure Administration Guide

To install PulseSA on a 32-bit Windows endpoint using a configuration file:

msiexec -i JunosPulse.x86.msi CONFIGFILE="c:\temp\myconfiguration.jnprpreconfig"


ADDLOCAL=PulseSA /qb

To install PulseSA with EES and Host Checker on a 64-bit Windows endpoint using a
configuration file:

msiexec -i JunosPulse.x64.msi CONFIGFILE="c:\temp\myconfiguration.jnprpreconfig"


ADDLOCAL=PulseSA,SAEndpointDefense,SAHostChecker /qb

To install PulseAppAccel on a 64-bit Windows endpoint using a configuration file:

msiexec -i JunosPulse.x64.msi CONFIGFILE="c:\temp\myconfiguration.jnprpreconfig"


ADDLOCAL=PulseAppAccel /qb

To install all Pulse components on a 64-bit Windows endpoint using a configuration file:

msiexec -i JunosPulse.x64.msi CONFIGFILE="c:\temp\myconfiguration.jnprpreconfig"


/qb

Repairing a Pulse Installation on a Windows Endpoint


Pulse Secure client uses an MSI installer, which supports a repair function. If problems
with Pulse on a Windows endpoint indicate missing or damaged files or registry
settings, the user can easily run the installation repair program. The repair program
performs a reinstallation and replaces any missing files. The repair program does not
install any files that were not part of the original installation. For example, if the file
that holds Pulse connection configurations is damaged, the file installed by the repair
program does not replace any Pulse connections that were created by the user or
deployed to the endpoint after the original Pulse installation.

To repair a Pulse installation on a Windows endpoint:

1. On the Windows endpoint where Pulse is installed, click Start > Programs > Juniper
Networks > Junos Pulse > Repair Junos Pulse.

2. Follow the prompts for the installation wizard.

When the program is finished, you might be prompted to reboot the system.

Related Installing the Pulse Secure Client on OS X Endpoints Using a Preconfiguration File
Documentation on page 59

58 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

Installing the Pulse Secure Client on OS X Endpoints Using a Preconfiguration File

The following procedures apply to OS X installations only.

After you create client connection sets and specify the connections to include within a
client component set, you can create a preconfiguration file with all the connections you
want to distribute with the Pulse client. After you run the Pulse installer on the endpoint,
you run a special command that imports the settings from the preconfiguration file into
Pulse.

To create a preconfigured Pulse installer for distribution to OS X endpoints:

1. Select Users > Junos Pulse > Connections and create a connection set with the
connections that you want to distribute.

2. Select Users > Junos Pulse > Components.

3. If necessary, create a new component set with the connection sets you want to
distribute.

It does not matter which component option you select, All components, No
components, or Minimal components. The Pulse installation program for OS X always
installs all components.

4. Select the check boxes next to the component sets that you want to distribute.

5. Click Download Installer Configuration.

You are prompted to save the preconfiguration. You can also specify the name of the
target Pulse server for the connections, which enables you to quickly create multiple
configuration files that are the same except for the target server.

The default filename of the .jnprpreconfig file is the name of the selected component
set. Make note of the filename and location where you put the file. The preconfiguration
file must be available to the clients either through a network share or distributed along
with the Pulse Secure installer file.

6. Select Maintenance > System > Installers.

7. Download the Pulse Secure installer, Pulse Secure Installer (Macintosh).

Installing the Pulse Client on OS X Endpoints Using Command-Line Options


The Pulse Secure installer includes the Pulse client and all of the software components
for all of the Pulse services. The preconfiguration (.jnprpreconfig) file contains the
definitions of the Pulse connections that provide client access to specific Pulse servers
and services. After you distribute the Pulse installation package, you must first run the
installer, and then run a separate program called jamCommand, which imports the
settings from the .jnprpreconfig file. The jamCommand program is part of the Pulse
installation.

The Pulse file you download from the Pulse server is in compressed (.dmg) format. You
must unpack the file before you run the Pulse installation program.

© 2015 by Pulse Secure, LLC. All rights reserved. 59


Pulse Policy Secure Administration Guide

The following steps include sample commands to install Pulse on an OS X endpoint and
then import Pulse connections from a .jnprpreconfig file.

1. Run the Pulse installation program:

sudo /usr/sbin/installer -pkg <full-path-to-the-pulse-install-package> -target /

2. Import the settings from the .jnprpreconfig file:

/Applications/Junos\ Pulse.app/Contents/Plugins/JamUI/jamCommand –importFIle


<full-path-to-the-jnprpreconfig-file>

Related Installing the Pulse Secure Client on Windows Endpoints Using a Preconfiguration File
Documentation on page 54

  jamCommand Reference

Pulse Secure Command-line Launcher

The Pulse Secure Launcher (pulselauncher.exe) is a standalone client-side command-


line utility that allows you to launch Pulse and connect to or disconnect from a Pulse
server (Pulse Connect Secure or Pulse Policy Secure) without displaying the Pulse
graphical user interface.

Pulse Launcher Usage Notes:

 Pulse Launcher runs on 32-bit and 64-bit endpoints.

 Pulse Launcher runs on the following platforms:

 Windows XP

 Windows Vista

 Windows 7

 The Pulse Launcher program, pulselauncher.exe, is installed as part of a Pulse client


installation in Program Files\Common Files\Juniper Networks\Integration.

 Pulse Launcher works only for the SA or IC connection type. The Pulse launcher does
not support the Firewall or 802.1X connection types.

 The Pulse Launcher program does not support the role mapping option that prompts
a user to select from a list of assigned roles. If you use the Pulse Launcher and more
than one role can be assigned to a user, you must configure the role mapping settings
for the realm to merge settings for all assigned roles. If the realm settings require the
user to select a role, the Pulse Launcher command fails and exits with return code 2.

 The Pulse Launcher program does not support secondary authentication.

To use the Pulse Launcher program:

1. Write a script, batch file, or application.

2. Include a call to the Pulse Launcher executable, pulselauncher.exe.

60 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

3. Include logic in your script, batch file, or application to handle the possible return
codes.

Table 10 on page 62 lists the Pulse Launcher return codes.

The following command shows the complete pulselauncher.exe command syntax:


pulselauncher.exe [-version|-help|-stop] [-url <url> -u <user> -p <password> -r
<realm>] [-d <DSID> -url <url>] [-cert <client certificate> -url <url> -r <realm>]
[-signout -url <url>] [-t timeout]

Table 9: Pulse Launcher Arguments

Argument Action

-version Display the Pulse Launcher version information, then exit.

-help Display available arguments information.

-stop Stop Pulse and disconnect all active connections.

-url <url> Specify the Pulse server URL.

-u <user> Specify the username.

-p <password. Specify the password for authentication.

-r <realm> Specify the realm on the Pulse server.

-d <DSID> Passes a cookie to Pulse Launcher for a specified Pulse server from another authentication
mechanism when Pulse Launcher starts. When you use the -d argument, you must also specify
the -url argument to specify the Pulse server.

-cert <client certificate> Specify the certificate to use for user authentication. For <client certificate> use the string
specified in the Issued To field of the certificate. When using the -cert argument, you must also
specify the -url and -r <realm> arguments.

To use certificate authentication with the Pulse Launcher program, you must first configure
the Pulse server to allow the user to sign in via user certificate authentication. You must also
configure a trusted client CA on the Pulse server and install the corresponding client-side
certificate in the Web browsers of end-users before running the Pulse Launcher.

If the certificate is invalid, the Pulse Launcher displays an error message on the command line
and logs a message in the log file.

NOTE: If Pulse is launched through a browser, the browser handles certificate verification. If
Pulse is launched through an application on Windows, the application handles certificate
verification. If Pulse is launched through the Pulse Launcher on Windows, Pulse Launcher
handles the expired or revoked client certificates.

-signout Disconnect and sign out from a specific server. Pulse can have multiple simultaneous
connections so the -url argument is required when you use the -signout argument.

-timeout <time in seconds> The amount of time allowed for the connection to take place before the attempt fails. Min =
45 (default), Max = 600.

© 2015 by Pulse Secure, LLC. All rights reserved. 61


Pulse Policy Secure Administration Guide

The following table lists the possible return codes pulselauncher.exe returns when it
exits.

Table 10: Pulse Launcher Return Codes

Code Description

-1 Pulse is not running.

0 Success.

1 A parameter is invalid.

2 Connection has failed or Pulse is unable to connect to the specified gateway.

3 Connection established with error.

4 Connection does not exist. Example: the command attempts to sign out from a server that was
not which has not been added on Pulse UI.

5 User cancelled connection.

6 Client certificate error.

7 Timeout error.

8 No user connection allowed from Pulse UI.

9 No policy override from Pulse UI.

100 General error.

Examples

The following command is a simple login application that captures the credentials the
user enters, and passes the credentials as arguments to pulselauncher.exe:

pulselauncher.exe -u JDoe -p my$Pass84 -url https://int-company.portal.com/usr -r


Users
pulselauncher return code: 0

The following Pulse Launcher example shows a certificate authentication:

pulselauncher.exe -url https://int-company.portal.com/usr -cert MyCert -url


https://int-company.portal.com/usr -r Users
pulselauncher return code: 0

The following example shows a command to use Pulse Launcher to specify a cookie (-d)
for a specific Pulse server (-url):

pulselauncher.exe –d 12adf234nasu234 -url https://int-company.portal.com/usr


pulselauncher return code: 0

62 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

Related Using jamCommand to Import Pulse Secure Connections on page 63


Documentation
 jamCommand Reference

Using jamCommand to Import Pulse Secure Connections

The jamCommand.exe program is a command line program that imports a .jnprpreconfig


file into the Pulse client. The jamCommand program is available for Windows (XP, Vista,
and Win7) and Mac OSX.

NOTE: The working name for Pulse Secure client during the early
development phase was Juniper Access Manager. Many Pulse filenames,
directories, and other Pulse Secure elements include the acronym “jam.”

A .jnprpreconfig file includes Pulse connection parameters. You can create a .jnprpreconfig
file on the Pulse server, and then use it as part of a Pulse installation to ensure that Pulse
users have one or more Pulse connections when they start Pulse for the first time.

NOTE: One typical use case for jamCommand on a Windows endpoint is to


first run jamCommand to import one or more Pulse connections from a
.jnprpredong file, and then run pulselauncher.exe to start Pulse.

To install Pulse connections using jamCommand:

1. Create a .jnprpreconfig file on the Pulse server.

In the Pulse server admin console, click Users > Junos Pulse > Components.

2. Select the component sets you want, and then click Download Installer Configuration.

3. Distribute the .jnprpreconfig file to the Pulse endpoints.

4. Run jamCommand with the .jnprpreconfig file as an option. For example:

On Windows:

\Program Files\Common Files\Juniper Networks\JamUI\jamCommand -importfile


myfile.jnprpreconfig

On Mac OSX:

/Applications/Junos Pulse/Contents/Plugins/JamUI/jamCommand -importfile


myfile.jnprpreconfig

If the Pulse client is running when you run jamCommand, the new Pulse connection or
connections appear immediately. The connection name appears as it was defined when
you created the connection in the Pulse server admin console.

Related Pulse Secure Command-line Launcher on page 60


Documentation

© 2015 by Pulse Secure, LLC. All rights reserved. 63


Pulse Policy Secure Administration Guide

 Installing the Pulse Secure Client on Windows Endpoints Using a Preconfiguration


File on page 54

 Installing the Pulse Secure Client on OS X Endpoints Using a Preconfiguration File


on page 59

 jamCommand Reference

Configuring Machine-Only Machine Authentication for a Pulse Secure Connection

When a Pulse connection is configured for machine-only machine authentication, the


Pulse connection is established using machine credentials when no user is logged in. The
connection is maintained after user login.

To enable a Pulse connection for machine-only machine authentication:

1. Click Users > Junos Pulse > Connections and create or select a connection set.

2. Create or edit a connection. For the connection type, you can select either UAC (802.1X)
for a Layer 2 connection or SSL VPN or UAC (L3) for a Layer 3 connection.

3. Under Connection is established, select Automatically when the machine starts. Machine
credentials used for authentication.

Machine credentials are used to connect to the Pulse Policy Secure when the
endpoint is started, before a user logs in. The connection is maintained when a
users logs in, logs out, or switches to a different login.

4. For a Layer 2 connection that uses machine certificate authentication, make sure that
the connection has an entry in the Trusted Server List. To allow any server certificate,
type ANY as the Server certificate DN. To allow only one server certificate, specify the
server certificate’s full DN, for example, C=US; ST=NH; L=Kingston; O=My Company;
OU=Engineering; CN=c4k1.stnh.mycompany.net; E=ausername@mycompany.com.

5. Specify Realm and Role Preferences to suppress realm or role selection dialogs during
the login process:

 Preferred Machine Realm—Specify the realm for this connection. The connection
ignores any other realm available for the specific login credentials

 Preferred Machine Role Set—Specify the preferred role or the name of the rule for
the role set to be used for user authentication. The role or rule name must be a
member of the preferred machine realm.

Related Machine Authentication for Pulse Policy Secure Overview on page 71


Documentation
 Credential Provider Authentication for Pulse Policy Secure Overview on

page 69

 Remote Desktop Protocol Compatibility with Pulse Secure 802.1X


Machine Authentication Connection on page 69

64 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

Configuring User-After-Desktop Machine Authentication for a Pulse Secure Connection

When a Pulse connection is configured for user-after-desktop machine authentication,


the connection is established using machine credentials when no user is logged in. After
user login, the machine connection is disconnected. Once the user logs out, user
connection is disconnected and machine connection is reestablished.

To enable a Pulse connection for user-after-desktop machine authentication:

1. Click Users > Junos Pulse > Connections, and then create or select a connection set.

2. Create or edit a connection. For the connection type, you can select either UAC (802.1X)
for a Layer 2 connection or SSL VPN or UAC (L3) for a Layer 3 connection.

3. Under Connection is established, select Automatically when the machine starts.


Connection is authenticated again when the user signs in to the desktop.

Machine credentials are used to connect to the Pulse Policy Secure when the
endpoint is started, before a user logs in. When a user logs in, the machine
authentication connection is dropped, and the user login is used instead. When the
user logs out, the machine connection is reestablished.

4. For a Layer 2 connection that uses machine certificate authentication, make sure that
the connection has an entry in the Trusted Server List. To allow any server certificate,
type ANY as the Server certificate DN. To allow only one server certificate, specify the
server certificate’s full DN, for example, C=US; ST=NH; L=Kingston; O=My Company;
OU=Engineering; CN=c4k1.stnh.mycompany.net; E=ausername@mycompany.com.

5. Specify Realm and Role Preferences to suppress realm or role selection dialogs during
the login process for both machine and user logins:

 Preferred Machine Realm—Specify the realm that this connection uses when
establishing the machine connection. The connection ignores any other realm
available for the specific login credentials

 Preferred Machine Role Set—Specify the role or the name of a rule for the role set
that this connection uses when establishing the machine connection. The role or
rule name used must be a member of the preferred machine realm.

 Preferred User Realm—Specify the realm that for this connection that is used when
a user logs onto the endpoint. The connection ignores any other realm available for
the user’s login credentials.

 Preferred User Role Set—Specify the preferred role or the name of rule for the role
set to be used for user authentication. The role or rule name used must be a member
of the preferred user realm.

Related Machine Authentication for Pulse Policy Secure Overview on page 71


Documentation
 Credential Provider Authentication for Pulse Policy Secure Overview on

page 69

 Remote Desktop Protocol Compatibility with Pulse Secure 802.1X


Machine Authentication Connection on page 69

© 2015 by Pulse Secure, LLC. All rights reserved. 65


Pulse Policy Secure Administration Guide

Machine and User Authentication Through a Pulse Connection for Pulse Policy Secure

Pulse Secure client supports certificate authentication for establishing Layer 2 and
Layer 3 connections. On Windows endpoints, a Pulse client connection accesses client
certificates located in the Local Computer personal certificate store to provide machine
authentication, or user certificates located in a user’s personal certificate store or on a
smart card for user authentication. A Pulse connection can access certificates from only
one location. For information on machine authentication, see “Machine Authentication
for Pulse Policy Secure Overview” on page 71.

You can create a Pulse connection that uses System Local, Active Directory, or RSA ACE
server authentication to verify the user and a certificate to verify machine identity before
establishing a connection. To do so, you must first enable an option for the Pulse
connection that allows the connection to check the client certificates located in the Local
Computer personal certificate store. The option, Select client certificate from machine
certificate store, is part of the User Connection Preferences of a Pulse connection. User
authentication is accomplished through realm authentication. Machine authentication
is accomplished as part of a realm certificate restriction, because the Pulse connection
uses the machine certificate. If the certificate store holds more than one valid certificate
for the connection, Pulse opens a dialog box that prompts the user to select a certificate.

The following list summarizes the steps to configure a Pulse connection on a Windows
endpoint that authenticates both the user and the machine. For detailed procedures on
how to perform each configuration task, see the related documentation links.

 Install a machine authentication certificate in the Local Computer personal certificate


store of the Windows endpoint and configure the Pulse server certificate server.

 Create a Pulse connection for the target Pulse server. The connection type can be UAC
(802.1X) or SSL VPN or UAC (L3). The Connection is established option is typically set
to Manually by the user or Automatically at user login.

 In the User Connection Preferences section of the connection properties, click the check
box labeled Select client certificate from machine certificate store. This option enables
the Pulse connection to perform the machine authentication as part of the Pulse
connection attempt.

 Create a sign-in policy on the Pulse server that specifies a user realm. The realm
authentication server can be a System Local, Active Directory, or RSA ACE server.

 Configure a certificate restriction on the realm to enable the Pulse server to request a
client certificate. Be sure to enable the option labeled Only allow users with a client-side
certificate signed by Trusted Client CAs to sign in. Because the Pulse connection is
configured to use the machine certificate, the user authentication takes place by means
of the realm certificate restriction.

Related Using the Certificate Server on page 312


Documentation
 About Sign-In Policies on page 471

66 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

Preferred Realm and Role for Pulse Secure Machine Authentication

When a Pulse Secure connection is configured to use machine authentication, any


prompts that occur during the login process cause the connection to fail. For example,
if the Pulse server authentication policy allows a user to select a realm or a role during
the login process, Pulse presents a dialog box to the user and prompts for the realm or
role selection. Toavoid failed connections caused by prompts during machine
authentication, you can specify a preferred role and realm for a Pulse connection.

For a Pulse connection that is used for machine authentication, you do not need to specify
the preferred role if either of the following conditions are true:

 Users are mapped to only one role.

 Users are mapped to more than one role, but the realm’s role mapping properties are
set to merge settings for all assigned roles.

For a Pulse connection that is used for machine authentication, you must specify the
preferred realm if the authentication sign-in policy allows the user to select a realm. If
that realm maps to only one role, you do not need to specify the role.

For a Pulse connection that is used for machine authentication, you must specify the
preferred role if either of the following conditions are true:

 The realm that the user connects to maps to more than one role and the realm’s role
mapping properties are set to require that the user must select a role. The preferred
role set must be the name of a role assigned in that realm.

 The realm that the user connects to maps to more than one role, and the realm’s role
mapping properties are defined by role mapping rules. You specify the preferred role
by specifying the name of a rule that assigns the role set. Figure 5 on page 68 shows a
role mapping rule with the rule name highlighted.

© 2015 by Pulse Secure, LLC. All rights reserved. 67


Pulse Policy Secure Administration Guide

Figure 5: Pulse Secure Role Mapping Rule

To identify the connection as a machine authentication connection, you specify how the
connection is established using one of the following options:

 Automatically when the machine starts. Machine credentials used for authentication.

This option uses the machine credentials defined in Active Directory for the machine
login process and uses the same credentials for user login. When you select this option,
the Realm and Role Set Preferences settings enable you to specify the following
options:

 Preferred Machine Realm—Type the realm name that maps to the role you want to
assign.

 Preferred Machine Role Set—Type the name of the role. The role must be one that is
identified in the realm’s role mapping properties. Alternatively, you can specify the
name of a role mapping rule that assigns the role set.

 Automatically when the machine starts. Connection is authenticated again when the
user signs in to the desktop.

This option uses the Active Directory machine credentials for the machine login process.
When machine login is complete, Pulse drops that connection and then uses the user
credentials for user login. When you select this option, the Realm and Role Set
Preferences enable you to specify the following options:

 Preferred Machine Realm—Type the realm name that maps to the role you want to
assign.

 Preferred Machine Role Set—Type the name of the role. The role must be one that is
identified in the realm’s role mapping properties. Alternatively, you can specify the
name of a role mapping rule that assigns the role set.

68 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

 Preferred User Realm—Type the realm name that maps to the role you want to assign.

 Preferred User Role Set—Type the name of the role. The role must be one that is
identified in the realm’s role mapping properties. Alternatively, you can specify the
name of a role mapping rule that assigns the role set.

NOTE: Realm and role prompts are not the only prompts that are possible
during the login process. If the Pulse connection has the Dynamic Certificate
Trust option enabled and there is an issue with the server certificate, Pulse
asks the user if it is OK to proceed. That certificate prompt causes a machine
connection to fail. Note that the Pulse prompt for upgrading Pulse software
is presented after the user connection is established, and it will not affect a
machine authentication connection.

Related Machine Authentication for Pulse Policy Secure Overview on page 71


Documentation

Remote Desktop Protocol Compatibility with Pulse Secure 802.1X Machine
Authentication Connection

If you want to use Remote Desktop Protocol (RDP) to access an endpoint over a Pulse
802.1X connection, machine authentication is required. Because of a Microsoft OS
limitation, an RDP connection attempt over a user-only 802.1X authenticated connection
will fail. To support RDP connectivity over an authenticated 802.1X connection, you must
have a machine-only connection or a machine-then-user connection. In the case of a
machine-then-user connection, when you use RDP to connect to a machine over an
802.1X connection that is connected as user, the connection transitions the 802.1X
connection to a machine connection. If you subsequently login to the machine directly,
it transitions back to a user connection.

To access the endpoint using RDP, you must define that the connection is established
using one of the following Pulse connection options:

 Automatically when the machine starts. Machine credentials used for authentication.

 Automatically when the machine starts. Connection is authenticated again when the
user signs in to the desktop.

Credential Provider Authentication for Pulse Policy Secure Overview

When Microsoft introduced Windows Vista, it moved away from a login integration
interface based on GINA (Graphical Identification and Authentication) in favor of
credential providerauthentication. The Pulse Secure credential provider integration
enables connectivity to a network that is required for the user to login to the Windows
domain. For example, the domain controller might reside behind a firewall and the
endpoint uses credential provider login to connect to Pulse Policy Secure prior to
domain login. Pulse Secure integrates with Microsoft credential providers to enable
password-based

© 2015 by Pulse Secure, LLC. All rights reserved. 69


Pulse Policy Secure Administration Guide

login and smart card login. Credential provider login is supported on Windows Vista and
later Windows platforms.

You can use the Pulse support for credential provider authentication to provide single
sign-on capabilities. Pulse establishes a connection to the network and then uses the
same credentials to login the Windows domain.

You enable Pulse credential provider support on a Pulse connection, (connection type
802.1X (UAC) or SSL VPN (L3)). After the connection has been downloaded to the
endpoint through the normal Pulse distribution methods, Pulse annotates the credential
provider tile that appears on the user login screen by adding a Pulse icon in the lower
right corner of the tile. When the user initiates the login process, Pulse establishes the
connection.

Pulse supports the following credential provider types:

 user-at-credprov—The connection is established before the user login using credentials


collected at the selected credential tile, which provides single-sign-on functionality.
The connection is maintained as an active connection on the user’s desktop.

 machine-then-user-at-credprov—The connection is established using machine


credentials when no user is logged in. When a user clicks a login tile and provides user
credentials, the machine connection is disconnected and a new connection is
established. When the user logs out, the user connection is disconnected and the
machine connection is reestablished. In one typical machine-then-user-at-cred prov
implementation, the machine connection and the user connection are mapped to
different VLANs.

Pulse credential provider support usage notes:

 If the endpoint includes more than one Pulse Layer 2 connection, Windows determines
which connection to use:

1. If a network cable is attached to the endpoint, Layer 2 wired connections are


attempted, and then wireless connections. If more than one wireless network is
available, the order is determined by the scan list specified as a Pulse connection
option.

2. After all Layer 2 options are attempted, Pulse runs location awareness rules to find
one or more eligible Layer 3 connections that are configured for credential provider
login. If more than one Layer 3 connection is found, Pulse prompts the user to select
a connection. A user can cancel the network connection attempt by clicking the
cancel button.

3. After Pulse evaluates all configured connection options, Pulse returns control to
Windows, which enables the user login operation.

 For connections that use user credentials, you can configure the Pulse connection so
that prompts are presented during the login process, for example, prompts for realm
or role selection or a server certificate trust prompt. For connections that use machine
credentials, Pulse prompts cause the connection to fail because there is no interface

70 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

to allow a response to the prompts. You can suppress any potential realm and role
choice by specifying a preferred realm and role for the connection.

 Pulse upgrade notifications and actions are disabled during credential provider login
and postponed until the user connection is established. Host Checker remediation
notifications are displayed.

Related Configuring Location Awareness Rules on page 49


Documentation

Machine Authentication for Pulse Policy Secure Overview

Machine authentication uses machine credentials (machine name and password or


machine certificate) to authenticate the endpoint. You can enable machine authentication
for Pulse Policy Secure as part of a Pulse Secure connection and distribute the
connection to endpoints through the normal Pulse distribution methods. You enable
Pulse machine authentication support on a Pulse connection, either Layer 2 or Layer 3.

The following describes the requirements for a machine authentication environment:

 The authentication server used by the Pulse connection must be Active


Directory/Windows NT for machine name/password authentication or a certificate
server for machine certificate authentication.

 The endpoint must be a member of a Windows domain, and the machine credentials
must be defined in Active Directory.

 The Pulse connection must be configured so that no prompts are presented during the
login process. For example, prompts for realm or role selection or for a server certificate
trust prompt cause the connection to fail. You can specify a preferred role and realm
for the connection, which eliminates realm and role selection dialogs.

 For machine certificate authentication, the domain workstation login certificate must
be issued by the domain certificate authority. The root certificate must be in the Machine
Trusted Certificate store instead of the certificate store for a particular user.

Pulse supports the following machine authentication types:

 machine-only—The connection is established using machine credentials when no user


is logged in. The connection is maintained after user login.

 user-after-desktop—The connection is established using machine credentials when


no user is logged in. After user login, the machine connection is disconnected. Once
the user logs out, the user connection is disconnected and the machine connection is
reestablished.

Related Preferred Realm and Role for Pulse Secure Machine Authentication on page 67
Documentation
 Configuring machine-only Machine Authentication for a Pulse Secure Connection on

page 64

 Configuring user-after-desktop Machine Authentication for a Pulse Secure


Connection on page 65

© 2015 by Pulse Secure, LLC. All rights reserved. 71


Pulse Policy Secure Administration Guide

 Machine and User Authentication Through a Pulse Connection for Pulse Policy Secure
on page 66

 Remote Desktop Protocol Compatibility with Pulse Secure 802.1X


Machine Authentication Connection on page 69

Additional Methods for Accessing Protected Resources Behind the Policy Secure
Gateway

OAC and Pulse allow users to access protected resources on the following endpoint
platforms:

 Windows (Pulse Secure client and OAC)

 Macintosh (OAC)

You can install a basic Java agent with minimal functionality for Linux platforms. You
can also allow users on Windows, Macintosh, Linux, and Solaris platforms to access
protected resources without installing and running a Pulse Secure client on the
endpoint. This type of access is referred to as agentless access.

You specify whether you want the Policy Secure gateway to install OAC or Pulse or
provision agentless access for endpoints at the role level for Windows machines. Then
you can use role-mapping to associate users with specific roles. This allows you, for
example, to assign specific users to roles that are configured for agentless access.

For example, if you have contract employees with noncompany machines onto which
you do not want to install OAC, you can create two roles: one that allows agentless
access, and one that requires installation of OAC. Then, create two associated roles: one
for agentless access and one for OAC. Add role-mapping rules based on usernames to
assign the contract employees to the agentless role, and employees to the agent role.
When a user attempts to log in, they will be assigned to a role that either provisions
agentless access or installs OAC.

You can associate different realms with different sign-in policies and sign-in pages, so
users who log in to a resource can see a sign-in page based on whether they are a regular
employee or a contractor.

72 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

NOTE:
 When using agentless access, the user must leave the browser window
open on the Policy Secure gateway sign-in page to stay signed in. If the
user closes the browser window or opens a different page, the endpoint
loses the connection to the Policy Secure gateway, and the Infranet
Enforcer denies the user access to protected resources.

 IPsec enforcement is not supported on agentless or Java agent endpoints.


You must use source IP enforcement by setting up a source-based policy
on the Infranet Enforcer.

 Host Enforcer policies are not supported on agentless or Java endpoints.

 Agentless access with the Firefox browser is the only option for the Solaris
platform.

 Some older Mozilla browsers may crash over time with agentless access.
This is because the Policy Secure gateway normally uses AJAX to send
heartbeat messages to the endpoint. You can disable AJAX when you
configure agentless access if you have clients using older browsers.

Related Specifying the Client that Endpoints Use for Access on page 21
Documentation
 Configuring a Non-Pulse Secure Supplicant for 802.1X on page 205

 Configuring Agentless Access to Protected Resources on page 73

 Using the Java Agent on page 74

 Deploying the Pulse Policy Secure Solution to Users on page 16

 Understanding Infranet Enforcer Source IP Security Policies on page 148

Configuring Agentless Access to Protected Resources

To configure agentless access to protected resources:

1. In the left navigation bar of the admin console select Users > User Roles > New User
Role.

2. Enter a name for this role.

3. Click Save Changes. The Roles configuration page is displayed.

4. Select the Agentless tab.

5. Select the Enable Agentless Access check box for this role.

6. If you have endpoints that will access the Policy Secure gateway from older Mozilla
browsers, select the Disable use of AJAX for heartbeats check box. You can then
specify these agentless roles for clients using Release 10 or earlier.

© 2015 by Pulse Secure, LLC. All rights reserved. 73


Pulse Policy Secure Administration Guide

7. Select Hide the Agentless page after Captive Portal redirect if you do not want the
browser splash page to appear aftere Captive Portal authentication.

8. Select Users > User Realms > Select Realm > Role Mapping > New Rule to configure
role-mapping rules that map agentless access users to the role(s) you configured.

NOTE: You can continue configuring this role, or you can complete the
configuration for agentless access.

Related Specifying the Client that Endpoints Use for Access on page 21
Documentation
 Additional Methods for Accessing Protected Resources Behind the Policy Secure
 gateway on
page 72

 Understanding User Roles on page 261

 Understanding Role Mapping Rules on page 432

Using the Java Agent

You can allow Linux machines to access protected resources by configuring the Java
agent option on the Policy Secure gateway for these platforms.

If you provision a role with Java agent access and direct users to a browser to sign in, the
Java agent downloads automatically onto a Linux machine after the endpoint successfully
authenticates and any applicable Host Checker policies are enforced.

The Java agent is displayed on Linux as an icon in the menu bar. The Java agent displays
connected or disconnected status, the assigned IP address and a link to log out from the
session.

The Java agent maintains a heartbeat between the endpoint and the Policy Secure
gateway. It is not necessary to leave a browser window open to maintain connectivity.

IPsec enforcement is not supported with Java agent access. You must use source IP
enforcement by setting up a source-based policy.

Related Specifying the Client that Endpoints Use for Access on page 21
Documentation
 Configuring the Java Agent on page 74

 Understanding Infranet Enforcer Source IP Security Policies on page 148

Configuring the Java Agent

To configure Java agent access for Linux and Solaris endpoints:

1. In the left navigation bar of the admin console select Users > User Roles > New User
Role.

2. Enter a name for this role.

74 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 2: Initial Configuration

3. Click Save Changes. The Roles configuration page is displayed.

4. Select the Agent tab.

5. Select the Install Java agent for this role check box. When a user assigned to this role
successfully accesses a portal that you have configured for access to the Policy
Secure gateway, the agent is downloaded automatically to the user’s machine.

6. Click Save Changes.

NOTE: You can continue configuring this role, or you can complete the
configuration for Java agent access.

7. To configure role-mapping rules that map Java agent users to the role you configured
select Users > User Realms > Select Realm > Role Mapping > New Rule.

Related Additional Methods for Accessing Protected Resources Behind the Policy Secure
Documentation gateway on page 72

  Understanding User Roles on page 261

 Understanding Role Mapping Rules on page 432

© 2015 by Pulse Secure, LLC. All rights reserved. 75


Pulse Policy Secure Administration Guide

76 © 2015 by Pulse Secure, LLC. All rights reserved.


CHAPTER 3

Deployments with ScreenOS and Junos


OS Infranet Enforcers

 Using the Infranet Enforcer as a Policy Enforcement Point on page 79


 Understanding Deployments with Junos Infranet Enforcers on page 79
 Using Certificate-Based Security with Junos Enforcer Deployments on page 82
 Binding an Interface to a Security Zone on a Junos Enforcer on page 83
 Binding the Physical Interface on the Junos Enforcer on page 85
 Configuring the Junos Enforcer to Communicate with the Pulse Policy
Secure on page 86
 Setting Up the Junos Enforcer to Work with Pulse Policy Secure on page
87
 Connecting with the Junos Enforcer on page 88
 The IC Series and the Infranet Enforcer on page 89
 Understanding Deployments with ScreenOS Infranet Enforcers on page 90
 Using Certificate-Based Security with Infranet Enforcer Deployments on page 92
 Task Summary: Setting Up Certificates for the IC Series and Infranet Enforcer on page 93
 Setting Up Certificates for the IC Series and Infranet Enforcer on page 94
 Using OpenSSL to Create a CA and Sign the Server Certificate on page 95
 Creating a CA and Signing the Server Certificate Using OpenSSL on page 95
 Importing the Certificate Into the Infranet Enforcer on page 97
 Configuring Certificate Authority Server Settings on page 97
 Binding an Interface to a Security Zone on a ScreenOS Enforcer on page 99
 Binding the Physical Interface on page 100
 ScreenOS Enforcer Configuration Overview on page 100
 Configuring the ScreenOS Connection on page 101
 Setting Up an Infranet Enforcer in Route Mode on page 102
 Create a Route Mode Interface with the ScreenOS Enforcer on page 103
 Setting Up an Infranet Enforcer in Transparent Mode on page 106
 Creating a Transparent Mode Instance on the ScreenOS Enforcer on page 107

© 2015 by Pulse Secure, LLC. All rights reserved. 77


Pulse Policy Secure Administration Guide

 Viewing the Configuration of a Policy Secure gateway on the ScreenOS Enforcer on page
108
 Understanding the Infranet Enforcer Captive Portal Feature on page 109
 Before Configuring Captive Portal on page 110
 Creating a Redirect Policy on the Infranet Enforcer on page 111
 Overriding the Default Redirection Destination for Captive Portal on page 112
 Creating a Redirect Policy on the Junos Enforcer on page 113
 Creating a Redirect Policy on the ScreenOS Enforcer on page 114
 Understanding Deployments with ScreenOS Enforcer Virtual Systems on page 116
 Configuring the Policy Secure gateway for Overlapping IP Addresses on page 120
 IPsec Policies on page 121
 Using IPsec with the Infranet Enforcer on page 122
 Understanding Pulse Policy Secure Support for IPsec Routing Policies on page 123
 Understanding IPsec Routing Policy Configuration Options on page 126
 IPsec Routing Policies on page 128
 Before you Begin on page 128
 Configuring IPsec Routing Policies on page 129
 Using IP Address Pool Policies for IPsec in a NAT Environment on page 130
 Understanding IP Address Pool Policies on page 132
 Configuring an IP Address Pool Policy on page 133
 Understanding ScreenOS Enforcer Source Interface Policies on page 135
 Configuring Source Interface Policies on page 135
 Using the Pulse Policy Secure User Interface to Create Basic ScreenOS Enforcer
IPsec Policies on page 136
 Setting Up ScreenOS Enforcer IPsec Routing Policies on page 137
 Configuring ScreenOS Enforcer IPsec Encryption Settings on page 138
 Using ScreenOS Enforcer Bidirectional VPN Policies on page 139
 Creating a ScreenOS Bidirectional VPN Policy on page 139
 Configuring Junos Enforcer IPsec Routing Policies on page 140
 Infranet Enforcer Policies Overview on page 144
 About Resource Access Policies on page 145
 Configuring Resource Access Policies on page 147
 User Role Policies on the Junos Enforcer on page 148
 Understanding Infranet Enforcer Source IP Security Policies on page 148
 Understanding Infranet Enforcer Auth Tables on page 150
 Understanding Dynamic Auth Table Allocation on page 151
 Configuring Dynamic Auth Table Allocation on page 152

78 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

 Configuring Auth Table Mapping Policies for Source IP Enforcement on page 152
 Configuring Auth Table Mapping Policies on page 154

Using the Infranet Enforcer as a Policy Enforcement Point

The Policy Secure gateway is the Layer 2 or Layer 3 policy decision point that
determines which users and endpoints can access protected resources. You can use
Juniper Networks firewalls to serve as the enforcement point to provide the ultimate
protection to ensure that network assets are secured.

You can use ScreenOS Enforcer or a Junos Enforcer with the UAC solution. A Junos
Enforcer is a J Series Services Router or an SRX Series Services Gateway configured as
a Layer 3 enforcement point. This document contains a configuration overview for using
the Policy Secure gateway with the ScreenOS Enforcer and the Junos Enforcer. For
version compatibility, see Pulse Policy Secure Supported Platforms.

The Policy Secure gateway authenticates users, ensures that endpoints meet security
policies, and serves resource access policy information to Juniper Networks security
devices.

After you configure the Policy Secure gateway and the Infranet Enforcer to successfully
communicate, you set up trust and untrust zones to define network boundaries. You
configure source IP policies or encrypted IPsec tunnels for endpoints to route traffic
between zones. Finally, you use resource access policies to permit or deny traffic to
protected resources.

For configuration instructions, see the UAC Interoperability with the ScreenOS Enforcer
and UAC Interoperability with the Junos Enforcer.

NOTE: The default keepalive time between the Policy Secure gateway and
the Infranet Enforcer is 300 seconds.

NOTE: With Pulse Policy Secure Release 4.2 and JunosOS Release 12.2,
the Juniper Networks EX Series Ethernet switch can be used as an Infranet
Enforcer. You can add an EX Series Ethernet switch in an 802.1X
deployment as an Infranet Enforcer, and then create resource access policies
to control access as the policy enforcement point.

Understanding Deployments with Junos Infranet Enforcers

This topic provides an overview of Pulse Policy Secure deployments with Junos
Infranet Enforcers. A Junos Enforcer is a J Series Services Router or an SRX Series

© 2015 by Pulse Secure, LLC. All rights reserved. 79


Pulse Policy Secure Administration Guide

Services Gateway configured as a Layer 3 enforcement point. This topic includes the
following information:

 Communication Summary on page 80


 Configuration Summary on page 81
 Version Requirements on page 81

Communication Summary
This section describes the communication between the Policy Secure gateway and the
Infranet Enforcer.

 At startup, the Junos Enforcer contacts the Policy Secure gateway. The Junos
Enforcer uses the proprietary Junos Infranet Enforcer Protocol over an SSL
connection.

 The Junos Enforcer runs on top of SSL and makes a direct connection with the Policy
Secure gateway. Optionally, the Policy Secure gateway authenticates the Junos
Enforcer by means of a client certificate obtained during the SSL handshake. All
communications between the Policy Secure gateway and the Junos Enforcer are
through the Junos Enforcer Protocol over SSL.

 With the Junos Enforcer, you can configure the Policy Secure gateway to
dynamically create auth table entries on the Infranet Enforcer after a specific
resource is requested.

 To use source IP enforcement, you create security policies on Junos Enforcers that
allow traffic from the endpoint to protected resources.

 To use IPsec enforcement, you set up a VPN tunnel for a dial-up user with Internet
Key Exchange (IKE) with an Enforcer policy. The VPN tunnel and the IPsec policy enable
the user's endpoint (OAC or Pulse) to use an IPsec tunnel to the Junos Enforcer and
access protected resources. The Policy Secure gateway sends the necessary setup
information to the client.

 When the Junos Enforcer detects traffic from an endpoint that matches a Junos Enforcer
policy, it uses the endpoint’s auth table entry to determine the role(s) associated with
that user.

 The Junos Enforcer then matches the destination IP address of the protected resource
(from the Junos Enforcer policy) with a resource access policy. The Junos Enforcer
searches for a matching role and applies the policy action.

 The Policy Secure gateway sends commands as needed to the Junos Enforcer to
remove policies or auth table entries and deny access to protected resources. This
can occur, for example, when the user’s computer becomes noncompliant with
endpoint security policies or loses its connection with the Policy Secure gateway,
when you change the configuration of a user’s role, or when you disable all user
accounts on the Policy Secure gateway in response to a security problem (such as a
virus on the network).

If you have a cluster of Pulse Policy Secure devices, you should have one Virtual IP
Address (VIP), either provided by the cluster in Active/Passive mode, or provided by
a load-balancer in an Active/Active configuration. You configure that VIP as the IP
address of your device on the Enforcer, and the cluster or load-balancer handles
which device communicates.

80 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

For failover from one cluster of Pulse Policy Secure devices to another, or from one
non-clustered device to another, you can define multiple ICs in the firewall. The
firewall connects to the first device listed, by default. If that device is (or becomes)
unavailable, the Enforcer will attempt the next IC in the list. Once the Enforcer is
connected to a Pulse Policy Secure device, it will not switch to another device unless
the first device becomes unavailable. There is no fail-back mechanism. If the first
device becomes available again, the Enforcer will not automatically switch back.

You can use the Junos Enforcer as a policy enforcement point for any number of
Policy Secure gateways or Instant Virtual Extranet (IVE) Connect Secure gateways in
a federated network.

Configuration Summary
You must perform the following basic tasks to use the Policy Secure gateway with a
Junos Enforcer:

 Configure the Policy Secure gateway and the Junos Enforcer to communicate over a
secure connection.

 Configure user authentication and authorization by setting up user roles, authentication


and authorization servers, and authentication realms on the Policy Secure gateway.

 Configure resource access policies on the Policy Secure gateway to specify which
endpoints are allowed or denied access to protected resources.

 Configure traffic enforcement between each source and destination zone with Junos
Enforcer policies using one of the following methods:

 Source IP enforcement

 IPsec enforcement

Version Requirements
JunosOS Release 9.4 or higher is required for Layer 3 enforcement with UAC
interoperability.

In UAC Release 3.1 or later, you can use either a J Series Services Router or an SRX Series
Services Gateway configured as a Layer 3 enforcement point. For complete platform
and version compatibility see 4.3R1 Supported Platforms.

NOTE: A J Series device as a Layer 2 enforcement point is fully supported


with current and future releases of Pulse Policy Secure and Pulse Secure
client.

A J Series device as a Layer 3 enforcement point is supported with future UAC


releases, but interoperability is limited to JunosOS Release 10.4 or lower.

As of Release 11.1, you cannot use J Series devices as a Layer 3 enforcement


point.

© 2015 by Pulse Secure, LLC. All rights reserved. 81


Pulse Policy Secure Administration Guide

Transparent mode is not supported on the Junos Enforcer.

Not all of the functionality of the ScreenOS Enforcer is supported. For feature
compatibility, see Table 11 on page 82

Table 11: Junos Enforcer Features

Feature Supported/Not Supported

Dynamic auth table allocation Supported

Resource access policies Supported

Auth table mapping Supported

Source IP Supported

IPsec Supported with Release 10.0

High availability Supported

Deny message to users Supported

Coordinated Threat Control (CTC – equivalent to SSG Supported with Release 10.0
IDP)

Support for vsys Not supported

Captive Portal Supported with Release 10.2

NOTE:

Related Using Certificate-Based Security with Junos Enforcer Deployments on page 82


Documentation
 Binding an Interface to a Security Zone on a Junos Enforcer on page 83

 Configuring the Junos Enforcer to Communicate with the Pulse Policy Secure on
page 86

Using Certificate-Based Security with Junos Enforcer Deployments

The Policy Secure gateway and the Junos Enforcer communicate over a secure channel.
Optionally, you can use digital security certificates as an enhanced mechanism for
establishing trust. A digital certificate is a form of identification. The certificate provides
information about the identity of the presenter and other data that helps determine
whether or not to trust the presenter.

When the Junos Enforcer first connects with the Policy Secure gateway, the devices
exchange security information to verify secure communication.

82 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

 In Pulse Secure implementations, the Junos Enforcer presents its password to the
Policy Secure gateway, and the Policy Secure gateway optionally verifies the
password before further communication is initiated. Once verified, the Policy Secure
gateway presents its device certificate to the Junos Enforcer. Verirfication of the
server certificate is not required for the Junos Enforcer to connect; however, as an
extra security measure you can verify the certificate for an additional layer of trust.

 If you are using the FIPS IC6500, only the Certificate Signing Request (CSR) method
for creating device certificates can be used. You cannot import a CA created certificate
(pfx) with a private key file on FIPS IC6500.

Public Key Infrastructure (PKI) refers to the hierarchical structure of trust required for
the successful implementation of public key cryptography.

Digital certificates are issued by a Certificate Authority (CA). With PKI, the CA is always
a trusted entity, so that the information contained in a certificate issued or signed by a
CA is guaranteed to be valid.

To ensure a secure trust relationship in the network between the Policy Secure gateway
and the Junos Enforcer is secure, you create a certificate hierarchy for this trust
relationship, and then upload the appropriate certificates into the devices.

To set up a CA certificate on the Junos Enforcer:

Import certificates on the Junos Enforcer by specifying the path in the CLI. You put the
certificate on a reachable server, then use the applicable statements to specify the
certificate from edit services.

1. To specify the full name of the Policy Secure gateway certificate that the Junos
Enforcer must match during communication, use the following statement:

set unified-access-control infranet-controller <Policy Secure gateway name> ca-profile


<specify ca-profile configured at security pki ca-profile>
For more detailed information, see the Junos OS CLI Reference and the Junos OS Initial
Configuration Guide for Security Devices.

See Certificate Security Administration for details about configuring certificate trust
between the Junos Enforcer and the Policy Secure gateway.

Related Connecting with the Junos Enforcer on page 88


Documentation

Binding an Interface to a Security Zone on a Junos Enforcer

Interfaces are a doorway through which traffic enters and exits a Juniper Networks device.
Many interfaces share the same security requirements. However, different interfaces can
have different security requirements for inbound and outbound data packets. Interfaces
with identical security requirements can be grouped together in a single security zone.

A security zone is a collection of network segments that require the regulation of inbound
and outbound traffic through policies. Security zones are logical entities to which one or

© 2015 by Pulse Secure, LLC. All rights reserved. 83


Pulse Policy Secure Administration Guide

more interfaces are bound. Many types of Juniper devices, let you define multiple security
zones based on network requirements.

You can configure multiple security zones by dividing the network into segments to which
you can then apply various security options to satisfy the needs of each segment. At a
minimum, you must define two security zones, basically to protect one area of the network
from the other. On some security platforms, you can define many security zones, bringing
finer granularity to the network security design without deploying multiple security
appliances to do so.

From the perspective of security policies, traffic enters one security zone and exits through
another security zone. This combination of a “from-zone” and a “to-zone” is defined as
a context. Each context contains an ordered list of policies. On the Junos Enforcer, you
must define at least two zones to protect one area of the network from another.

You might need to bind the physical interfaces on a Juniper security device to security
zones or you might need to change a binding to accommodate your deployment.

NOTE: Slot numbering varies by platform, and interface numbering varies


by module type. For numbering information, see the user guide that
accompanied the device for slot and interface numbering information or visit
www.juniper.net/techpubs/ to obtain a copy of the user guide specific to your
device.

On J Series Services Routers, interface ports for the system are located on
Physical Interface Modules (PIMs) that you can install in slots on the device.
In addition, each device has four built-in Gigabit Ethernet ports in slot 0. Each
physical port can have many logical interfaces configured with properties
different from the port's other logical units.

Endpoints must reside in a different security zone from your protected resources. The
Policy Secure gateway can reside in any security zone. If you place the Policy Secure
gateway in a different security zone from the one that contains endpoints, you must set a
policy allowing traffic from the endpoints to the Policy Secure gateway.

Through the policies you define, you can permit traffic between zones to flow in one or
both directions. The routes that you define specify the interfaces that traffic from one
zone to another must use. Because you can bind multiple interfaces to a zone, the routes
you chart are important for directing traffic to the interfaces of your choice.

To view the zones on a Junos Enforcer, type the following command in the CLI:
user@host#show security zones

Related Binding the Physical Interface on the Junos Enforcer on page 85


Documentation
 Junos OS Documentation

84 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

Binding the Physical Interface on the Junos Enforcer

Figure 6: Binding the Interfaces

1. To configure the interface and its IP address for the trust and untrust zones, enter the
following statements in Edit mode:

user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.0.1/24


2. To configure the trust zone and to assign the interface to it, enter the following
statement in Edit mode:

user@host# set security zones security-zone trust interfaces interface


3. To configure the interface and its IP address for the untrust zone, enter the following
statement in Edit mode:

© 2015 by Pulse Secure, LLC. All rights reserved. 85


Pulse Policy Secure Administration Guide

user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.20/24


4. To configure the untrust zone and to assign the interface to it, enter the following
statement in Edit mode:

user@host# set security zones security-zone untrust interfaces interface

NOTE: To use IPsec with the Junos Enforcer, you must enable IKE services
for the gateway. If you have multiple IPsec tunnels with multiple gateways,
the hostname for each gateway must be unique.

Related Binding an Interface to a Security Zone on a Junos Enforcer on page 83


Documentation

Configuring the Junos Enforcer to Communicate with the Pulse Policy Secure

The Junos Enforcer works with the Policy Secure gateway for Layer 3 connectivity. Users
can connect with source IP or IPsec (JunosOS Release 10.0 or later).

For the initial setup, you must specify the Policy Secure gateway name, IP address, port
number over which the Junos Enforcer and Policy Secure gateway will connect, the
interface, the password (the same password as entered on the Policy Secure
gateway), and, optionally, the CA profile and server certificate subject. Use the Junos
CLI to add this information.

You can configure the Junos Enforcer in “test only” mode. In test only mode, the Junos
Enforcer does not enforce UAC policies and allows all traffic to pass. However, all policy
decisions are logged. This allows you to set up the devices before actual deployment
and determine how the UAC solution works using different configuration options. For
example, the Policy Secure gateway and endpoints can reside on different physical
interfaces of the Junos Enforcer (using both interfaces on the Policy Secure gateway) or
on the same interface.

Policy Secure gateway policies are role based. Each policy specifies a destination (the
resources that are being protected), a set of roles, and an action (allow or deny). To
determine the roles for users, an auth table maps source IP addresses to roles. When an
endpoint accesses the Policy Secure gateway, the Policy Secure gateway populates
the Junos Enforcer with the mapping from the endpoint's IP address to the endpoint's
set of roles. When evaluating a flow, the source IP address of the initial packet is used to
look up the roles. Then the first policy that matches both the destination (resource) and
the roles is used to determine whether to permit or deny the flow.

NOTE: If you are using the Export edition of Pulse Secure, you must set the
encryption strength on the Policy Secure gateway to use 40-bit ciphers on
the Configuration > Security page of the admin console. Domestic editions
do not have this requirement.

Related Setting Up the Junos Enforcer to Work with Pulse Policy Secure on page 87
Documentation

86 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

 Connecting with the Junos Enforcer on page 88

Setting Up the Junos Enforcer to Work with Pulse Policy Secure

This example details a configuration with the Policy Secure gateway on the untrusted
interface side (the same side as endpoints). For more information, see the Junos OS
Initial Configuration Guide for Security Devices and Junos OS CLI Reference.

To configure the Junos Enforcer:

1. Set up the trusted interface. The trusted interface connects to the protected resource.
The untrusted interface connects to the Policy Secure gateway.

2. Ensure that the DHCP server is disabled or enabled as required for the deployment.

3. Create an instance of the Policy Secure gateway on the Junos security device, and
provide the network information required for connecting using the CLI. This information
includes the Policy Secure gateway host name, the IP address, and the interface to
which the device will connect. The default port for communication with the Policy
Secure gateway is 11123, you cannot change the port. You must also specify a
password that matches the password configured on the Policy Secure gateway.

For complete CLI instructions and syntax, see the Junos OS CLI Reference.

a. Specify the Policy Secure gateway’s hostname:

user@host# set services unified-access-control infranet-controller hostname


b. Specify the Policy Secure gateway’s IP address:

user@host# set services unified-access-control infranet-controller hostname address


ip-address
c. Specify the Junos interface to which the Policy Secure gateway should connect:

user@host# set services unified-access-control infranet-controller hostname interface


interface-name
d. Specify the password that the SRX Series or J Series device should use to initiate
secure communications with the Policy Secure gateway:

user@host# set services unified-access-control infranet-controller hostname password


password
4. Set the appropriate timeout and interval values, and specify a timeout action. The
timeout that you set specifies the elapsed time beyond which the Junos Enforcer
attempts to reconnect with the Policy Secure gateway if no communication is
received. The interval specifies how often the Policy Secure gateway sends a
heartbeat to the Junos Enforcer.

5. (Optional) Verify that the certificate of the CA that signed the Policy Secure
gateway’s server certificate is loaded in the Junos Enforcer and that the path to the
certificate is specified.

© 2015 by Pulse Secure, LLC. All rights reserved. 87


Pulse Policy Secure Administration Guide

NOTE: Although certificate verification is optional, there are three different


certificate options on the Junos Enforcer that will produce different results.

If certificate-verification is set to required, it is required that the device


verify any Policy Secure gateway server certificate. If any Policy Secure
gateway's
ca-profile is not configured, the commit check fails.

If certificate-verification is set to warning (the default), and the Policy


Secure gateway ca-profile is not configured, the commit check displays a
warning about the security risk with a similar warning in the syslog.

If certificate-verification is set to optional, there is no warning.

Juniper Networks highly recommends that you choose to verify the


Policy Secure gateway certificate.

6. Verify routing from the Policy Secure gateway to the untrusted interface.

7. Ensure that both the Junos Enforcer and the Policy Secure gateway are set to the
correct time. If possible, use a Network Time Protocol (NTP) Server to set the date
and time of both appliances.

When you finish configuring the Policy Secure gateway instance, the Junos Enforcer can
initiate the connection with the Policy Secure gateway. The Junos Enforcer optionally
validates the Policy Secure gateway server certificate if so configured. The device sends
the serial number to authenticate with the Policy Secure gateway.

For the Junos Enforcer to establish communication, you must configure the Junos Enforcer
on the Policy Secure gateway.

Related Connecting with the Junos Enforcer on page 88


Documentation

Connecting with the Junos Enforcer

The Junos Enforcer connects with the Infranet Enforcer over an SSL connection. To initiate
the connection between the two devices, you must specify the password and serial
number of the Junos Enforcer.

The Junos Enforcer initiates the connection to the Policy Secure gateway. The Policy
Secure gateway presents its SSL server certificate to the Junos Enforcer. Optionally,
you can configure the Junos Enforcer to verify the certificate and to specify constraints
with which the Policy Secure gateway must comply.

The Junos Enforcer and the Policy Secure gateway perform mutual authentication with
the proprietary JUEP-MAUTH challenge-response authentication based on the
password configured. For security reasons, the password is not included in the message
sent to the Policy Secure gateway.

88 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

After the SSL handshake, all further communication between the Policy Secure
gateway and the Junos Enforcer occurs over the SSL connection. The Junos Enforcer is
the client and the Policy Secure gateway is the server.

To configure the Policy Secure gateway to accept a connection from the Junos Enforcer:

1. On the left navigation bar in the Policy Secure gateway admin console, select UAC >
Infranet Enforcer > Connection.

2. Click New Enforcer. The New Infranet Enforcer dialog box is displayed. By default, the
new ScreenOS Enforcer page is displayed.

3. Select the Junos option button. The Junos Enforcer page is displayed.

4. Enter the name of the Infranet Enforcer in the Name box.

5. Enter the password for the Junos Enforcer.

6. Enter the serial number of the Junos Enforcer. You can view the serial number on the
Junos Enforcer using the command:

user@hostshow chassis hardware


7. Ensure that the server certificate for the Policy Secure gateway is configured for the
interface to which the Junos Enforcer is connecting.

8. Click Save Changes.

After you the devices to communicate, you must create security policies on the Junos
Enforcer for traffic enforcement.

Related Understanding Infranet Enforcer Source IP Security Policies on page 148


Documentation
 Setting Up the Junos Enforcer to Work with Pulse Policy Secure on

page 87

The IC Series and the Infranet Enforcer

NOTE: A Infranet Enforcer can be either a ScreenOS firewall device, or a J


Series or SRX Series Services Gateway.

The Policy Secure gateway is the policy decision point that determines which users and
endpoints can access protected resources. You can use Juniper Networks firewalls to
serve as the enforcement point to provide the ultimate protection to ensure that
network assets are secured.

You can use either a ScreenOS Enforcer or a Junos Enforcer with the UAC solution. A
Junos Enforcer is a J Series Services Router or an SRX Series Services Gateway configured
as a Layer 3 enforcement point. A ScreenOS Enforcer is an ISG Series Integrated Services
Gateway or a SSG Series Secure Services Gateway. This document contains configuration
details for the ScreenOS Enforcer. See 4.3R1 Supported Platforms for version compatibility.

© 2015 by Pulse Secure, LLC. All rights reserved. 89


Pulse Policy Secure Administration Guide

Understanding Deployments with ScreenOS Infranet Enforcers

This topic provides an overview of Pulse Policy Secure deployments with ScreenOS
Infranet Enforcers. It includes the following information:

 Deployment Summary on page 90


 Communication Summary on page 90
 Configuration Summary on page 91
 Version Requirements on page 92

Deployment Summary
The Policy Secure gateway is the policy decision point that determines which users and
endpoints can access protected resources. You can use Juniper Networks firewalls to
serve as the enforcement point to provide the ultimate protection to ensure that
network assets are secured.

Communication Summary
This section describes the communication between the Policy Secure gateway and the
Infranet Enforcer.

 At startup, the ScreenOS Enforcer contacts the Policy Secure gateway over an SSL
connection using the NetScreen Address Change Notification (NACN) protocol.

 After the ScreenOS Enforcer establishes a connection with the Policy Secure
gateway, the Policy Secure gateway opens an SSH connection with the ScreenOS
Enforcer. The Policy Secure gateway uses this SSH connection to push policy and
user authentication information to the ScreenOS Enforcer.

 With ScreenOS Release 6.0 or earlier, when the Policy Secure gateway
authenticates a user and verifies that the user’s endpoint is compliant with
endpoint security policies, the Policy Secure gateway pushes user-specific
configuration information to the ScreenOS Enforcer. This information includes an
auth table entry for each authenticated user. An auth table entry consists of the
user’s name, a set of roles, and the IP address of the wired adapter, wireless
adapter, or virtual adapter in the user’s computer. With ScreenOS Release 6.1 or
later, and with the Junos Enforcer, you can configure the Policy Secure gateway to
dynamically create auth table entries on the Infranet Enforcer after a specific
resource is requested.

 To use source IP enforcement, you create infranet auth source IP policies on ScreenOS
Enforcers that allow traffic from the endpoint to protected resources.

 To use IPsec enforcement, you set up a VPN tunnel for a dial-up user with Internet Key
Exchange (IKE) with an Enforcer policy. The VPN tunnel and the infranet auth IPsec
policy enable the user's endpoint (OAC or Pulse) to use an IPsec tunnel to the Infranet
Enforcer and to access protected resources. The Infranet Enforcer sends the necessary
setup information to the client.

90 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

 When the Infranet Enforcer detects traffic from an endpoint that matches an Infranet
Enforcer policy, it uses the endpoint’s auth table entry to determine the role associated
with that user.

 The Infranet Enforcer matches the destination IP address of the protected resource
(from the Infranet Enforcer policy) with a resource access policy. The Infranet Enforcer
searches for a matching role and applies the policy action.

 As necessary, the Policy Secure gateway sends commands to the Infranet Enforcer to
remove policies or auth table entries and deny access to protected resources. This
can occur, for example, when the user’s computer becomes noncompliant with
endpoint security policies or loses its connection with the Policy Secure gateway,
when you change the configuration of a user’s role, or when you disable all user
accounts on the Policy Secure gateway in response to a security problem (such as a
virus on the network).

The FIPS IC6500 or a non-FIPS Policy Secure gateway can be used with a ScreenOS
Enforcer that is in FIPS mode. If FIPS is enabled on the Infranet Enforcer, the admin
console displays the information on the Connection page.

You can configure an Infranet Enforcer to work with more than one Policy Secure
gateway in a high availability configuration known as a Policy Secure gateway
cluster. The Infranet Enforcer communicates with only one Policy Secure gateway
at a time. The other Policy Secure gateways are used for failover. If the Infranet
Enforcer cannot connect to the first Policy Secure gateway you added to the cluster, it
attempts to connect to successive devices in the configuration list until a connection
occurs. If the currently connected Policy Secure gateway fails, the Infranet Enforcer
attempts to connect to the first Policy Secure gateway again. The Policy Secure
gateways configured on an Infranet Enforcer should all be members of the same
Policy Secure gateway cluster.

You can use the Infranet Enforcer as a policy enforcement point for any number of
Policy Secure gateways or Instant Virtual Extranet (IVE) Connect Secure gateways in
a federated network.

Configuration Summary
You must perform the following basic tasks to use the Policy Secure gateway with an
Infranet Enforcer:

 Configure the Policy Secure gateway and the ScreenOS Enforcer to communicate
with each other over a secure connection.

 Configure user authentication and authorization by setting up user roles, authentication


and authorization servers, and authentication realms on the Policy Secure gateway.

 Configure resource access policies on the Policy Secure gateway to specify which
endpoints are allowed or denied access to protected resources.

 Configure traffic enforcement between each source and destination zone with ScreenOS
Enforcer Infranet auth policies. Use one of the following methods:

 Source IP enforcement

 IPsec enforcement

© 2015 by Pulse Secure, LLC. All rights reserved. 91


Pulse Policy Secure Administration Guide

Version Requirements
You can use either a ScreenOS Enforcer or a Junos Enforcer with the UAC solution. This
section describes version requirements for ScreenOS Enforcers. See 4.3R1 Supported
Platforms for version compatibility.

You can use Juniper ScreenOS Release 5.4 or later with UAC.

Not all ScreenOS releases support all features described in this


document.Table 12 on page 92 indicates what release version of ScreenOS is required
for specific features.

Table 12: ScreenOS Options

Feature Required ScreenOS Release

Captive portal 5.4

Configurable auth table entries 6.0

Seamless cluster failover 6.0R2

Dynamic auth table allocation 6.1

200 roles per auth table entry 6.1

Messages to authenticated but unauthorized users 6.2

Support for ISG-IDP 6.2

Support for vsys 6.2

Nonstandard port for captive portal 6.3

Related Using Certificate-Based Security with Infranet Enforcer Deployments on page 92


Documentation
 Binding an Interface to a Security Zone on a ScreenOS Enforcer on page 99

 ScreenOS Enforcer Configuration Overview on page 100

Using Certificate-Based Security with Infranet Enforcer Deployments

The Policy Secure gateway and the Infranet Enforcer communicate over a secure
channel using digital security certificates as the mechanism for establishing trust. A
digital certificate is a form of identification. The certificate provides information about
the identity of the presenter and other data that helps determine whether or not to
trust the presenter.

Public Key Infrastructure (PKI) refers to the hierarchical structure of trust required for
the successful implementation of public key cryptography.

92 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

When the Infranet Enforcer first connects with the Policy Secure gateway, the devices
exchange security information to verify secure communication.

 In ScreenOS implementations, the Policy Secure gateway presents its device


certificate, and the ScreenOS Enforcer must verify the certificate before further
communication is initiated.

 In Pulse Secure implementations, the Junos Enforcer presents its password to the
Policy Secure gateway, and the Policy Secure gateway verifies the password before
further communication is initiated. Once verified, the Policy Secure gateway presents
its device certificate to the Junos Enforcer. Verification of the server certificate is not
required for the Junos Enforcer to connect, however, you can verify the certificate for
an additional layer of trust.

 If you are using the FIPS IC6500, only the Certificate Signing Request (CSR) method
for creating device certificates can be used. You cannot import a CA-created certificate
(pfx) with a private key file on a FIPS IC6500.

Digital certificates are issued by a Certificate Authority (CA). With PKI the CA is always
a trusted entity, so the information in a certificate issued or signed by a CA is guaranteed
to be valid.

To ensure that the trust relationship in the network between the Policy Secure gateway
and the Infranet Enforcer is secure, you create a certificate hierarchy for this trust
relationship, and then upload the appropriate certificates into the devices.

Related Task Summary: Setting Up Certificates for the IC Series and Infranet Enforcer on page 93
Documentation
 Setting Up Certificates for the IC Series and Infranet Enforcer on page 94

 Using OpenSSL to Create a CA and Sign the Server Certificate on page 95

 Configuring Certificate Authority Server Settings on page 97

Task Summary: Setting Up Certificates for the IC Series and Infranet Enforcer

To allow the ScreenOS Enforcer to communicate with the Policy Secure gateway, you
must perform all of the following tasks:

 If you do not have one already, obtain the CA certificate that signed the Policy Secure
gateway server certificate to load on the Infranet Enforcer.

 Create a CSR for a Policy Secure gateway server certificate, and use the CA
certificate to sign the server certificate.

 Import the CA certificate into the Infranet Enforcer.

 Specify the CA certificate to be used to verify the Policy Secure gateway.

If the server certificate or the CA certificate is missing or expired, the Infranet Enforcer
cannot communicate with the ScreenOS Enforcer. The Infranet Enforcer does not accept
the temporary self-signed certificate that the Policy Secure gateway created during
initialization.

© 2015 by Pulse Secure, LLC. All rights reserved. 93


Pulse Policy Secure Administration Guide

Related Using OpenSSL to Create a CA and Sign the Server Certificate on page 95
Documentation

Setting Up Certificates for the IC Series and Infranet Enforcer

To set up certificates for the Policy Secure gateway and Infranet Enforcer:

1. If you do not have a CA, install and use OpenSSL to generate a CA certificate.

2. Create a CSR for a server certificate, and then sign the CSR by using either your CA or
OpenSSL.

3. Import the signed server certificate created from the CSR into the Policy Secure
gateway by selecting System > Configuration > Certificates > Device Certificates from
the left navigation bar of the Policy Secure gateway admin console.

 Under Certificate Signing Requests, click the Pending CSR link that corresponds to
the signed certificate. The Pending Certificate Signing Request dialog box is
displayed.

 Under Step 2 Import the signed certificate and then browse to the certificate file
you received from the CA. For example:

c:\openssl\certs\ic.crt

 Click Import.

4. By default, the signed server certificate is automatically associated with the internal
port on the Policy Secure gateway. To associate the certificate with the external or
virtual port, perform these steps:

 Select System > Configuration > Certificates > Device Certificates in the left navigation
bar.

 Click the link that corresponds to a certificate that you want to use. The Certificate
Details dialog box is displayed.

 Under Present certificate on these ports, specify the port that the Policy Secure
gateway should associate with the certificate. You can choose internal or external
ports and primary or virtual ports, but you cannot choose a port that is already
associated with another certificate.

 Click Save Changes.

5. Import the certificate of the CA that signed the Policy Secure gateway’s server
certificate into the Infranet Enforcer.

NOTE: To prevent your Web browser’s security warning from appearing each
time you sign into the Policy Secure gateway, import the certificate of the
CA that signed the Policy Secure gateway’s server certificate into your
browser’s list of trusted root certification authorities.

94 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

NOTE: If you later import a different server certificate and CA certificate, you
might need to initiate a new connection to use them. To initiate a new
connection, select Maintenance > System > Platform > Restart Services in the
Policy Secure gateway admin console. The Infranet Enforcer connects to the
Policy Secure gateway and validates the new certificate.

Related Creating a CA and Signing the Server Certificate Using OpenSSL on page 95
Documentation
 Importing the Certificate Into the Infranet Enforcer on page 97

 Configuring Certificate Authority Server Settings on page 97

Using OpenSSL to Create a CA and Sign the Server Certificate

If you do not have a CA, follow the instructions in this section to use OpenSSL on Windows
to create a CA certificate and to sign the CSR for the server certificate.

You can also use OpenSSL to create a trusted root CA certificate for validation of the
Policy Secure gateway by OAC or Pulse. Follow the instructions in this section to create
a CA certificate and sign the CSR for the Policy Secure gateway’s server certificate.

Related Creating a CA and Signing the Server Certificate Using OpenSSL on page 95
Documentation
 Importing the Certificate Into the Infranet Enforcer on page 97

Creating a CA and Signing the Server Certificate Using OpenSSL

To set up OpenSSL:

1. Download and install OpenSSL from


http://www.slproweb.com/products/Win32OpenSSL.html.

2. Set the install directory to c:\openssl and accept the other installation defaults.

3. At the Windows command prompt, type the following commands:

C: cd \openssl
C: md certs
C: cd certs
C: md demoCA
C: md demoCA\newcerts
C: edit demoCA\index.txt
4. Press Alt+F, S to save the file.

5. Press Alt+F, X to exit the editor.

6. At the Windows command prompt, type the following command:

C: edit demoCA\serial
7. Type 01 in the document window.

8. Press Alt+F, S to save the file.

© 2015 by Pulse Secure, LLC. All rights reserved. 95


Pulse Policy Secure Administration Guide

9. Press Alt+F, X to exit the editor.

10. At the Windows command prompt, type the following command:

C: set path=c:\openssl\bin;%path%
C: set OPENSSL_CONF=c:\openssl\bin\openssl.cfg
11. : In Wordpad (or an equivalent text editor that correctly handles Unix line breaks),
edit the openssl config file (c:\openssl\bin\openssl.cfg), change the CA policy match
for country and state from “match” to “optional”, and save your changes. The resulting
config stanza should appear as follows:

# For the CA policy


[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
12. To create a CA key, type the following command at the Windows command prompt
in the c:\openssl\certs directory:

C: openssl genrsa -out ca.key 1024


Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........++++++
.++++++

e is 65537 (0x10001

To create and sign a CSR from the CLI:

1. Type the following command at the Windows command prompt in the c:\openssl\certs
directory:

C: openssl req -new -x509 -days 365 -key ca.key -out demoCA/cacert.pem
2. Enter the appropriate distinguished name (DN) information for the CA certificate. You
can leave some fields blank by hitting enter.

For example:

Country Name: US
State or Province Name: MA
Locality Name: Boston
Organization Name: XYZ
Org. Unit Name: IT
Common Name: ca.xyz.com
e-mail Address: user@xyz.com

To create and sign a CSR from the Web UI:

1. Select System > Configuration > Certificates > Device Certificates in the left navigation
bar.

2. Click New CSR. The new Certificate Signing Request page is displayed.

3. Enter the required information. For example:


Country Name: US
State or Province Name: MA
Locality Name: Boston

96 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

Organization Name: XYZ


Org. Unit Name: IT
Common Name: ic.xyz.com
e-mail Address: user@xyz.com
The organization name in the CSR must match the CA certificate's organization name.
If the organization names do not match, you cannot sign the CSR.

4. Enter random characters in the Random Data box.

5. Click Create CSR. The Pending Certificate Signing Request page is displayed.

6. Select and copy all of the text in the text box in Step 1 into a text editor, and save the
text file in the following directory:

c:\openssl\certs\ic.csr
7. To sign the certificate, type the following command at the Windows command prompt
in the c:\openssl\certs directory:

openssl ca -in ic.csr -out ic.crt -keyfile ca.key


8. Enter Y to sign the certificate.

9. Enter Y to commit the certificate.

You are now ready to import the server certificate into the Policy Secure gateway
and the CA certificate into the Infranet Enforcer.

Related Importing the Certificate Into the Infranet Enforcer on page 97


Documentation

Importing the Certificate Into the Infranet Enforcer

To import a CA certificate on the ScreenOS Enforcer:

1. On the Infranet Enforcer Web UI, select Objects > Certificates in the left navigation
bar.

2. Select CA from the Show list.

3. Click Browse to find and select the CA certificate (such as


c:\OpenSSL\certs\demoCA\cacert.pem) Then click Load.

4. Select CA from the Show list to display the CA certificate.

Related Setting Up Certificates for the IC Series and Infranet Enforcer on page 94
Documentation

Configuring Certificate Authority Server Settings

The CA server you use can be owned and operated by an independent CA or by your own
organization. If you use an independent CA, you must contact them for the addresses of
their CA and CRL servers (for obtaining certificates and certificate revocation lists), and
for the information they require when submitting certificate requests. When you are your
own CA, you determine this information yourself.

© 2015 by Pulse Secure, LLC. All rights reserved. 97


Pulse Policy Secure Administration Guide

On the ScreenOS Enforcer, you can use the Web UI to configure CA server settings. Select
Objects > Certificates and navigate to the proper certificate.

You can configure the following options:

 X509 Certificate Path Validation Level: Within X509 is a specification for a certificate
that binds an entity's distinguished name to its public key through the use of a digital
signature. Select Full to validate the certificate path all the way back to the root, or
select Partial to validate it only part of the way. The CRL distribution point extension
(.cdp) in an X509 certificate can be either an HTTP URL or an LDAP URL.

 Certificate Revocation Check settings:

 CRL (Certificate Revocation List): Enables the Juniper security device to use only the
CRL to check the certificate status.

 OCSP (Online Certificate Status Protocol): Enables the Juniper security device to
use only OCSP to check the certificate status.

 None: Disables CRL certificate checking. If you are not using CRL certificate checking,
be sure to disable it in the CA Server Settings dialog box.

 Best Effort: Enables the Juniper security device to use CRL to check the certificate
status. If there is no indication that the certificate is revoked, accept the certificate.

 CRL settings:

 URL Address: Specifies the internal Web-based URL of the LDAP server managing
your CRL.

 LDAP Server: Specifies the IP address or domain name of the LDAP Root CA server
that manages the CRL.

 Refresh Frequency: Applies only to the CRL only. From the list, select whether you
want to update the CRL daily, weekly, monthly, or according to the default setting
(which updates the CRL shortly after the next scheduled update).

 OCSP settings:

 URL Address: Specifies the internal Web URL of the OCSP server.

 Advanced Settings: Specifies a CA with which the Juniper security device verifies the
OCSP response.

 SCEP (Simple Certificate Enrollment Protocol) settings:

 RA CGI (registration authority certificate generation information): Specifies the RA


URL where the Juniper security device will request a CA certificate.

 CA CGI (certificate authority certificate generation information): Specifies the CA


URL.

 CA IDENT: Specifies the name of the CA for purposes of certificate ownership, if


necessary.

98 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

 Challenge: Specifies the challenge word sent to you by the CA that prove your identity
to the CA.

 Advanced Settings: Configures Advanced SCEP settings, such as polling interval and
certificate authentication.

Related Using Certificate-Based Security with Infranet Enforcer Deployments on page 92


Documentation

Binding an Interface to a Security Zone on a ScreenOS Enforcer

Security zones represent virtual sections of the network that are segmented into logical
areas. Security zones can be assigned to an interface or, on large devices, to a virtual
system.

From the perspective of security policies, traffic enters one security zone and exits through
another security zone. The ScreenOS Enforcer includes several predefined zones, for
example trust and untrust.

You might need to bind the physical interfaces on the Pulse Secure security device to
security zones, or you might need to change a binding to accommodate your
deployment.
Figure 7 on page 100 shows a typical setup for a ScreenOS Enforcer Integrated Security
Gateway 2000 (ISG 2000).

NOTE: Slot numbering varies by platform, and interface numbering varies


by module type. For slot numbering and interface information refer to the
user guide that accompanied the device.

Endpoints must reside in a security zone different from where your protected resources
reside. The trust and untrust security zones in Figure 7 on page 100 are default zones for
Route mode configurations on a ScreenOS Enforcer. For Transparent mode (on ScreenOS
Enforcers), use the v1-trust and v1-untrust security zones (not shown). The Policy
Secure gateway (not shown) can reside in any security zone. If you place the Policy
Secure gateway in a security zone that is different from the security zone that contains
endpoints, you must set a policy allowing traffic from the endpoints to the Policy
Secure gateway.

To view the zones available on the ScreenOS Enforcer, enter the get zone command in
the ScreenOS CLI. To configure custom zones, see
http://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-pages/screenos/product/index.html
.

In Figure 7 on page 100 the endpoints reside in the Untrust zone, and the protected resources
reside in the Trust zone. Port numbering is dependent on chassis configuration.

© 2015 by Pulse Secure, LLC. All rights reserved. 99


Pulse Policy Secure Administration Guide

Figure 7: Binding a Physical Interface to a Security Zone

Related Binding the Physical Interface on page 100


Documentation

Binding the Physical Interface

On the ScreenOS Enforcer, you can bind an interface to a security zone from either the
Web UI or the CLI.

ScreenOS Web UI

Select Network > Interfaces > Edit: Select a Zone from the menu then click OK.

ScreenOS CLI

set interface ethernet4/1 zone trust

set interface ethernet3/8 zone untrust

save

Related ScreenOS Enforcer Configuration Overview on page 100


Documentation

ScreenOS Enforcer Configuration Overview

You can use Route mode or Transparent mode to configure a Juniper Networks ScreenOS
Enforcer. By default, the ScreenOS Enforcer operates in Route mode. For more information

100 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

about how to set up routing, see


http://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-pages/screenos/product/index.html.

Pulse Secure recommends configuring the Infranet Enforcer to use SSHv2.

To perform ScreenOS configuration tasks the administrator must have root access.

The related documentation list provides links to information about configuring the Infranet
Enforcer. For cabling, rack mounting, and basic configuration instructions for platforms,
see IC Series Hardware.

Related Configuring the ScreenOS Connection on page 101


Documentation
 Setting Up an Infranet Enforcer in Route Mode on page 102

 Setting Up an Infranet Enforcer in Transparent Mode on page 106

Configuring the ScreenOS Connection

The ScreenOS Enforcer connects to the Policy Secure gateway over an SSH connection
that uses the NetScreen Address Change Notification (NACN) protocol. To configure a
connection between the two appliances, specify the following items on the Policy
Secure gateway in an Infranet Enforcer connection policy:

 An NACN password

 An administrator name and password for signing into the Infranet Enforcer using SSH

 The serial number of the Infranet Enforcer

The Policy Secure gateway uses the NACN password and serial number for a connection
from the ScreenOS Enforcer. When the ScreenOS Enforcer first turns on, it sends an
NACN message containing the NACN password and serial number to the Policy Secure
gateway. The Policy Secure gateway uses the serial number to determine which
ScreenOS Enforcer is attempting to connect, and the Policy Secure gateway uses the
NACN password to authenticate the ScreenOS Enforcer. The Policy Secure gateway then
begins communicating with the ScreenOS Enforcer using SSH.

To configure the Policy Secure gateway to connect to the Infranet Enforcer:

1. On the left navigation bar in the Policy Secure gateway admin console, select UAC >
Infranet Enforcer > Connection.

2. Click New Enforcer. The new ScreenOS Enforcer page is displayed.

3. Enter an NACN password for this Infranet Enforcer in the NACN password box. You
must enter this same NACN password when configuring the Infranet Enforcer.

4. In the appropriate boxes, enter the administrator name and password for signing into
the Infranet Enforcer.

5. Enter the serial number of the Infranet Enforcer. You can view the serial number on
the Home page of the Infranet Enforcer Web UI, or by using the ScreenOS CLI
command:

© 2015 by Pulse Secure, LLC. All rights reserved. 101


Pulse Policy Secure Administration Guide

get system.

6. Select No 802.1X from the Location Group list if you are not using an Infranet Enforcer
as an 802.1X RADIUS client of the Policy Secure gateway. This is the typical setting.

7. Click Save Changes.

When you finish configuring the Infranet Enforcer, the Infranet Enforcer attempts to
connect to the Policy Secure gateway. If the connection is successful, a green dot is
displayed next to the Infranet Enforcer icon under Enforcer Status select System > Status
> Overview in the Policy Secure gateway admin console. The Infranet Enforcer IP
address is also displayed in UAC > Infranet Enforcer > Connection.

NOTE: To initiate a connection immediately after you finish configuring the


Infranet Enforcer, restart the Policy Secure gateway services by clicking
Maintenance
> System > Platform > Restart Services from the Policy Secure gateway admin
console.

Related Using Certificate-Based Security with Infranet Enforcer Deployments on page 92


Documentation
 Binding an Interface to a Security Zone on a ScreenOS Enforcer on page 99

 ScreenOS Enforcer Configuration Overview on page 100

Setting Up an Infranet Enforcer in Route Mode

The Policy Secure gateway can reside on either side of the Infranet Enforcer. If the Policy
Secure gateway resides on the trust interface side, and users come in through the untrust
interface, the administrator must configure a policy (untrust to trust) on the Infranet
Enforcer that allows traffic to pass between the Policy Secure gateway and OAC or
Pulse. By default, Infranet Enforcer traffic from the untrust interface to the trust
interface is denied.

The following describes the setup with the Policy Secure gateway on the untrust
interface side (same side as users).

To configure an Infranet Enforcer in Route mode:

1. Set up the trust interface. The trust interface connects to the protected resource.The
untrust interface connects to the Policy Secure gateway. Set the following interface
(ethernet1/1) settings:

 Set routing

 Enable management of the following services:

 SSL

 SSH

 IP (optionsl)

2. Ensure that the DHCP server is disabled or enabled, as appropriate for the deployment.

102 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

3. Import the certificate of the CA that signed the Policy Secure gateway’s server
certificate into the Infranet Enforcer.

a. If you set up an NSRP cluster before you import the CA certificate into the Infranet
Enforcer, the CA certificate is automatically synchronized to all Infranet Enforcers
in the cluster. However, if you set up the NSRP cluster after you import the CA
certificate, you must manually synchronize the certificate to the other Infranet
Enforcers in the cluster by typing the following CLI command:

exec nsrp sync pki


You cannot load the self-signed Policy Secure gateway SSL certificate into the Juniper
security device. For more information about certificates and certificate options, see
Certificate Security Administration.

The certificate of the CA that signed the Policy Secure gateway’s certificate must be
imported on the Infranet Enforcer because the Infranet Enforcer must be able to
trust the Policy Secure gateway during an SSL session. When a user signs into a
server by means of SSL, the server displays a dialog box in which the user can
manually accept the certificate that is associated with that server. For the Infranet
Enforcer to skip that manual step and automatically accept the Policy Secure
gateway’s certificate, the Infranet Enforcer must have the certificate of the CA that
signed the Policy Secure gateway’s certificate.

4. Create an instance of the Policy Secure gateway on the Juniper security device.

5. Enable SSH.

6. Verify routing from the Policy Secure gateway to the untrust interface.

7. Ensure that both the Infranet Enforcer and the Policy Secure gateway have the
correct time. If possible, use a Network Time Protocol (NTP) server to set the date
and time of both appliances.

Related  Creating a Route Mode Instance with the ScreenOS Enforcer


Documentation

Create a Route Mode Interface with the ScreenOS Enforcer

Before you begin this procedure, you must possess the certificate of the CA that signed
the Policy Secure gateway’s server certificate. If you do not already have an authentic
CA from a trusted source, you must generate a self-signed CA.

After you connect to the Juniper security device and set interface management options,
you can create a Policy Secure gateway instance. You need to name the instance and set
these items:

 IP address or host name of the Policy Secure gateway

 Password to use when the Infranet Enforcer uses NACN to contact the Policy Secure
gateway

 Source interface

 CA index number (ca-idx)

© 2015 by Pulse Secure, LLC. All rights reserved. 103


Pulse Policy Secure Administration Guide

You can set these items using the Web UI or the CLI. Because the Juniper security device
can store more than one Policy Secure gateway instance, you must include the name of
the Policy Secure gateway with each command.

In the following procedure, you first set interface management options and disable the
DCHP server option. Then you enable SSHv2 and configure a Policy Secure gateway
instance named controller1. Next, you set the host IP address, which is the IP address of
the Policy Secure gateway, to 10.64.12.1. The NACN password is 8!JsP37cK9a*_HiEwe.
The NACN password must match the NACN password that you entered for the Policy
Secure gateway. The source interface is the interface that the Infranet Enforcer uses to
communicate with the Policy Secure gateway, and the CA index number is 001. For this
example, the source interface is ethernet 1/1. For a descriptive list of CA index numbers
by typing the following command at the ScreenOS CLI:

get ssl ca-list


You must use the Web UI to import the CA. For more information about certificates, see
the Concepts & Examples ScreenOS Reference Guide: Volume 5, VPNs.

To change SSH versions, delete SSH settings by typing the following CLI command:
delete ssh device all
When you use the Web UI, you do not need to fill in the Full Subject Name of IC Cert field.
If you do fill it in, be sure to enter the entire certificate subject. For example:

CN=ic1.juniper.net,CN=14087306185,CN=06990218,OU=Software,O=Juniper,S=CA, C=US
After you create the Policy Secure gateway instance, set the Policy Secure gateway
with the serial number of the Infranet Enforcer. To view the serial number of the
system, look at the
Device Information pane on the home page of the Web UI or enter the following command
at the CLI:

get system
To perform this task using the Web UI:

To create the instance using the Web UI:

1. Select Network > Interfaces > Edit > Services from the left navigation bar to set
management options.

2. Select Network > DHCP > Edit to disable the DHCP server for both interfaces (Trust
and Untrust).

3. Select and load the CA if you have not already done so.

a. Select Objects > Certificates.

b. Click Browse to find and select the certificate. Then click Load.

c. Select CA from the show list.

104 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

d. Click Server Settings and make sure Check Method is set correctly for the certificate
you are using.

e. Click OK.

4. Create the Policy Secure gateway instance.

a. Select Configuration > Infranet Auth > Controllers (List) > New.

b. Type controller1 in the Policy Secure gateway instance box.

c. Type IP/domain name: 10.64.12.1 in the IP/Domain Name box.

d. For the NACN Parameters, select ethernet1/1 from the Source Interface list.

e. Type 8!JsP37cK9a*_HiEwe in the Password box.

f. Select the CA from the Selected CA list.

5. Enable SSH version 2.

a. Select Configuration > Admin > Management > Enable SSH (v2).

To peform this task with the CLI:

To create the instance using the CLI:

1. Type the following commands:

set interface ethernet1/1 manage ssl

set interface ethernet1/1 manage ssh

set interface ethernet1/1 manage ip

set interface ethernet2/1manage ping

set interface ethernet2/1 dhcp server disable

set interface ethernet1/1 dhcp server disable

delete ssh device all

set ssh version v2

set ssh enable

set infranet controller name controller1 host-name 10.64.12.1

set infranet controller name controller1 password 8!JsP37cK9a*_HiEwe

set infranet controller name controller1 src-interface ethernet1/1

set infranet controller name controller1 ca-idx 001

save

Configuring the ScreenOS Connection on page 101


Related
Documentation
 Viewing the Configuration of a Policy Secure gateway on the ScreenOS Enforcer on page
 108

© 2015 by Pulse Secure, LLC. All rights reserved. 105


Pulse Policy Secure Administration Guide

Setting Up an Infranet Enforcer in Transparent Mode

In Transparent mode, the Juniper security device is usually installed between a core router
and an access distribution device. Services are enabled at the zone level, and VLAN1 is
used for management.

Transparent mode permits you to implement the following functionality:

 The device can act as a Layer 2 forwarding device, such as a bridge.

 You can control traffic flow between Layer 2 security zones by defining policies.

To configure a ScreenOS Enforcer in Transparent mode:

1. Set up Transparent mode using the predefined security zones, v1-trust and v1- untrust.

a. Assign interfaces to v1-trust and v1-untrust.

b. Configure the IP address for a source interface to establish connectivity with the
Policy Secure gateway. You can use V1-trust, V1-untrust, or V1-dmz.

c. Configure the broadcast mechanism to flooding (default) or ARP/traceroute.


ARP/trace-route is more secure than broadcast.

d. Enable management of the following services for VLAN1:

 SSL

 SSH

 Web (optional)

2. Set up the Juniper security device zones. The protected resources can be in either zone
(v1-trust or v1-untrust) as long as the protected resources are in a zone different from
the endpoints.

The Policy Secure gateway can also reside in either zone. If the Policy Secure
gateway resides in a zone different from the endpoints, configure a policy that allows
traffic to the endpoints through the ScreenOS Enforcer.

3. Import the certificate of the CA that signed the Policy Secure gateway’s server
certificate into the ScreenOS Enforcer.

Do not import the Policy Secure gateway SSL certificate into the Juniper Networks
security device.

For more information about certificates and certificate options, see the Concepts &
Examples ScreenOS Reference Guide: Volume 5, VPNs.

4. Create an instance of the Policy Secure gateway on the ScreenOS Enforcer.

5. Enable SSH.

6. Verify routing from the Policy Secure gateway to the V1-untrust zone.

106 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

To use IPsec enforcement with a ScreenOS Enforcer in Transparent mode, you might
need to configure a source interface policy on the Policy Secure gateway.

7. Ensure that both the Infranet Enforcer and the Policy Secure gateway have the
correct time. If possible, use a Network Time Protocol (NTP) server to set the date
and time of both appliances.

Related  Creating a Transparent Mode Instance with the ScreenOS Enforcer


Documentation
 Viewing the Configuration of a Policy Secure gateway on the ScreenOS Enforcer on page
108

Creating a Transparent Mode Instance on the ScreenOS Enforcer

To create a Policy Secure gateway instance in transparent mode, use the CLI to
perform the following actions:

 Assign all interfaces to Layer 2 zones.

 Assign an IP address to vlan1 and set the route command.

 Set interface management options.

 Configure a Policy Secure gateway instance named controller1.

 Set the host IP address, which is the IP address of the Policy Secure gateway, to
10.64.12.1.

 Enter the NACN password. The NACN password is 8!JsP37cK9a*_HiEwe. The NACN
password must match the NACN password that you entered for the Policy Secure
gateway.

 The source interface, vlan1, is the interface that the Infranet Enforcer uses to
communicate with the Policy Secure gateway. The CA index number is 001. For a
descriptive list of CA index numbers type the following CLI command:

get ssl ca-list


You must use the Web UI to import the CA.

To create the instance using the CLI:

1. Type the following commands at the CLI:

NOTE: For the firewall to operate in Transparent (Layer 2) mode, all interfaces
must be in a Layer 2 zone, such as v1-trust or in the null zone. Interfaces cannot
remain in a Layer 3 zone.

set interface eth1 zone v1-trust

set interface eth2 zone v1-untrust

set interface vlan1 ip 10.64.12.x

set interface vlan1 route

set interface vlan1 ip manageable

unset interface vlan1 manage ping

© 2015 by Pulse Secure, LLC. All rights reserved. 107


Pulse Policy Secure Administration Guide

unset interface vlan1 manage telnet

unset interface vlan1 manage snmp

unset interface vlan1 manage web

set infranet controller name controller1 host-name 10.64.12.1

set infranet controller name controller1 password 8!JsP37cK9a*_HiEwe

set infranet controller name controller1 src-interface vlan1

set infranet controller name controller1 ca-idx 0001

Related ScreenOS Enforcer Configuration Overview on page 100


Documentation
 Configuring the ScreenOS Connection on page 101

 Setting Up an Infranet Enforcer in Transparent Mode on page 106

Viewing the Configuration of a Policy Secure gateway on the ScreenOS Enforcer

This topic describes how to view details about the Pulse Policy Secure configuration
from the ScreenOS user interfaces. It includes the following information:

 Configuration Details Displayed on page 108


 Web UI on page 108
 CLI on page 109

Configuration Details Displayed


You can view the configuration of a Policy Secure gateway instance through the Web UI
and the CLI. You can view the following information:

 Name of the Policy Secure gateway instance

 IP address or domain name of the Policy Secure gateway

 Port number ( always 11122)

 Timeout (60 seconds by default)

 Source interface

The Web UI also allows you to view the NACN password.

Web UI
To view configuration information on the Web UI select the following:

1. Configuration > Infranet Auth > Controllers from the left navigation bar.

2. Configuration > Infranet Auth > General Settings from the left navigation bar.

108 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

CLI
To view configuration information at the CLI, type the following command:

1. get infranet controller name controller1

Related ScreenOS Enforcer Configuration Overview on page 100


Documentation
 Setting Up an Infranet Enforcer in Route Mode on page 102

 Setting Up an Infranet Enforcer in Transparent Mode on page 106

Understanding the Infranet Enforcer Captive Portal Feature

When you deploy the Policy Secure gateway and Infranet Enforcer, users may not
know that they must first sign into the Policy Secure gateway for authentication and
endpoint security checking before they can access a protected resource behind the
Infranet Enforcer.

To facilitate sign-in, you can configure either a redirect infranet auth policy on the
ScreenOS Enforcer or a security policy on the Junos Enforcer to automatically redirect
HTTP traffic destined for protected resources to the Policy Secure gateway. This feature
is called captive portal. When the sign-in page for the Policy Secure gateway is
displayed, the user signs in and Host Checker for OAC or Pulse or agentless Host
Checker examines the endpoint for compliance with security policies, and if the
endpoint passes the security check, access is granted to the protected resource.

Captive portal is supported on both the ScreenOS Enforcer and the Junos Enforcer.

You can configure captive portal for endpoint clients that use either source IP enforcement
or IPsec enforcement, or a combination of both methods.

Figure 8 on page 109 illustrates the sequence of events when a user attempts to access
protected resources with captive portal configured.

Figure 8: Captive Portal Event Flow

© 2015 by Pulse Secure, LLC. All rights reserved. 109


Pulse Policy Secure Administration Guide

Captive portal enables an endpoint to be redirected to a different URL when the user
attempts to access a protected resource behind an Infranet Enforcer, provided the
appropriate access policies are configured on the security device. By default, users are
not redirected if captive portal is not configured for a policy.

Related Before Configuring Captive Portal on page 110


Documentation
 Creating a Redirect Policy on the Infranet Enforcer on page 111

 Overriding the Default Redirection Destination for Captive Portal on page 112

Before Configuring Captive Portal

Topic Details

ScreenOS version The captive portal feature requires ScreenOS Release 5.4 or later running
on the ScreenOS Enforcer.

Junos version To use captive portal with the Junos Enforcer, Release 10.2 is required.

External Web server You can configure the ScreenOS Enforcer to redirect HTTP traffic to an
external Web server instead of the Policy Secure gateway. For example,
you can redirect HTTP traffic to a Web page that explains to users the
requirement to sign into the Policy Secure gateway before they can
access the protected resource. You can also explain the security policy
and include a link to the Policy Secure gateway on that Web page to
help users sign in.

HTTP vs. HTTPS The captive portal feature redirects HTTP traffic only. If the user attempts
to access a protected resource using HTTPS or another protocol such
as SMTP, the Infranet Enforcer does not redirect the user’s traffic. When
using HTTPS or another application, the user must manually sign into
the Policy Secure gateway first before attempting to access protected
resources.

HTTP proxy If there is an HTTP proxy between the endpoint and the Infranet Enforcer,
the Infranet Enforcer might not redirect the HTTP traffic.

Default port In standard configurations, ScreenOS uses default HTTP ports as the
redirect destination port for traffic. In addition to default HTTP ports,
nonstandard HTTP port 3128 is defined for HTTP-EXT traffic to
accommodate the SQUID proxy.

The Junos Enforcer, supports only port 80.

110 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

Creating a Redirect Policy on the Infranet Enforcer

To configure the captive portal feature, you must create special policies on the Infranet
Enforcer. On the Junos Enforcer, you configure a security policy using the CLI. On the
ScreenOS Enforcer, you can configure an infranet auth policy through either the Web UI
or the CLI.

When you configure a policy for captive portal, you can redirect all traffic or only
unauthenticated traffic.

 unauthenticated—Select this option if your deployment uses source IP only or a


combination of source IP and IPsec. The Infranet Enforcer redirects clear-text traffic
from unauthenticated users to the currently connected Policy Secure gateway, or
to an IP address or domain name that you specify in a redirect URL.

After a user signs in to the Policy Secure gateway and the user’s endpoint system
meets the requirements of the Policy Secure gateway’s security policies, the Infranet
Enforcer allows the user’s clear-text traffic to pass through in source IP deployments.
For IPsec deployments, OAC or Pulse create a VPN tunnel between the user and the
Infranet Enforcer. The Infranet Enforcer then applies the VPN policy that allows the
encrypted traffic to pass through.

 all—Select this option if your deployment uses IPsec only. The Infranet Enforcer redirects
all clear-text traffic to the currently connected Policy Secure gateway, or to an IP
address or domain name that you specify in a redirect URL.

After a user signs in to the Policy Secure gateway, OAC or Pulse creates a VPN tunnel
between the user and the Infranet Enforcer. The Infranet Enforcer then applies the
VPN policy that allows the user’s encrypted traffic to pass through. This option does
not allow clear text traffic to pass through the Infranet Enforcer, which protects the
network from IP spoofing.

From the Junos CLI

To enable captive portal, associate an instance of a captive portal with a security zone
use the following command format:

user@host# set security policies from-zone zone-name to-zone zone-name policy policy-name
To create the captive portal use the following command format:

user@host# permit application-services uac-policy captive-portal captive-portal-name


You can redirect all traffic, or only unauthenticated traffic on the Junos Enforcer using
the following command format:

edit services unified-access-control captive-portal policy redirect-traffic (all | unauthenticated)


From the ScreenOS Web UI

To create a redirect infranet auth policy on the ScreenOS Enforcer:

1. Click Policies on the left navigation bar.

2. Select a source zone from the From list.

3. Select a destination zone from the To list.

© 2015 by Pulse Secure, LLC. All rights reserved. 111


Pulse Policy Secure Administration Guide

4. Click New. The advanced Policy Settings page is displayed.

5. Enter the policy configuration information such as source and destination addresses.
For more about policy configuration options, see the ScreenOS Enforcer Web UI online
help.

6. Click Advanced.

7. Select Authentication, then select Infranet-Auth.

8. Specify one of the following redirection options for the infranet auth policy:

 Redirect unauthenticated traffic

 Redirect all traffic

9. (Optional) Enter a Redirect URL that specifies where to redirect matching traffic.

10. Click OK.

11. Click OK again.

You can permit more versatile redirect support on a per-policy basis. If your Infranet
Enforcer connects to different Policy Secure gateways (though only one at a time can
communicate), you can configure the URL for each redirect policy. If a policy-based URL
is defined and redirect is enabled in the policy, unauthenticated HTTP traffic that matches
the policy is redirected to that URL even if a global redirect URL is configured. If
policy-based URL redirect is not defined and redirect is enabled, unauthenticated traffic
that matches the policy is redirected to the global redirect.

From the ScreenOS CLI

To configure a redirect infranet auth policy for deployments that use either source IP only
or a combination of source IP and IPsec type the following command:

set policy from source-zone to dest-zone src_addr dst_addr any permit infranet-auth
redirect-unauthenticated
To configure a redirect infranet auth policy for deployments that use IPsec only type the
following command:

set policy from source-zone to dest-zone src_addr dst_addr any permit infranet-auth redirect-all

Overriding the Default Redirection Destination for Captive Portal

By default, after you configure a redirect infranet auth policy for ScreenOS, the Infranet
Enforcer redirects HTTP traffic to the currently connected Policy Secure gateway using
HTTPS. To perform the redirection, the Infranet Enforcer uses the IP address or domain
name that you specified when you configured the Policy Secure gateway instance on
the Infranet Enforcer. The format of the URL that the ScreenOS Enforcer uses for
default redirection is:

https://<connected IC-Series-device IP or domain name>/?target=%dest-url%


If you configured your ScreenOS Enforcer to work with multiple Policy Secure gateways
in a cluster, and the current Policy Secure gateway becomes disconnected, the
ScreenOS Enforcer automatically redirects HTTP traffic to the next active Policy Secure
gateway in its configuration list. The ScreenOS Enforcer redirects traffic to only one
Policy Secure gateway at a time.

112 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

The Policy Secure gateway domain name that you specify when configuring the Policy
Secure gateway instance in the ScreenOS Enforcer must match the Policy Secure
gateway domain name in the Web browser certificate that is used when users sign in.
Otherwise, the browser displays a certificate warning when users sign in.

You do not need to override the default redirection destination except in the following
situations:

 You are using a VIP for a cluster of Policy Secure gateway appliances, and the
ScreenOS Enforcer is configured to connect to the Policy Secure gateway’s
physical IP addresses.

 You want to redirect traffic to a Web server instead of to the Policy Secure gateway.

 If, because of split DNS or IP routing restrictions at your site, the ScreenOS Enforcer
uses a different address for the Policy Secure gateway than endpoints, you must
specify the domain name or IP address that endpoints must use to access the Policy
Secure gateway.

By default, the ScreenOS Enforcer also encodes and forwards to the Policy Secure
gateway the protected resource URL that the user entered. The Policy Secure gateway
uses the protected resource URL to help users navigate to the protected resource. The
manner in which the Policy Secure gateway uses the protected resource URL depends
on whether or not the user’s endpoint is running OAC or Pulse.

 If the user’s endpoint is not running OAC or Pulse (that is, it is in an agentless or Java
agent configuration), the Policy Secure gateway automatically opens a new browser
window and uses HTTP to access the protected resource after the user signs in.

 If the endpoint is using OAC or Pulse, the Policy Secure gateway inserts a link in the
Web page that automatically opens after the user signs in. The user must then click that
hypertext link to access the protected resource by means of HTTP in the same
browser window.

To override the default redirect destination, you must configure policies on the Infranet
Enforcer. On the Junos Enforcer, you configure a redirect–url policy using the CLI. On the
ScreenOS Enforcer, you can configure an infranet auth policy through either the Web UI
or the CLI.

Creating a Redirect Policy on the Junos Enforcer

In a Junos Enforcer security policy, specify the redirect URL in the following format:

user@host# set services unified-access-control captive-portal policy redirect-url url


By default, after you configure a captive portal policy, the JUNOS Enforcer redirects HTTP
traffic to the currently connected Policy Secure gateway by using HTTPS. To perform
the redirection, the JUNOS Enforcer uses the IP address or domain name that you
specified when you configured the Policy Secure gateway instance on the JUNOS
Enforcer.

You specify the redirect url in a Junos Enforcer security policy using the following hierarchy:
user@host# https://%ic-ip%/?target=%dest-url%=%enforcer-id%=%policy-id%=%dest-ip%
These are the four available parameters for redirection.

 target

© 2015 by Pulse Secure, LLC. All rights reserved. 113


 enforcer

© 2015 by Pulse Secure, LLC. All rights reserved. 113


Pulse Policy Secure Administration Guide

 policy

 dest-ip

Target, enforcer, and policy are required. Dest-ip is optional. For example:

redirect-url
"https://acmegizmo.juniper.net/?target=%dest-url%&enforcer=%enforcer-id%&policy=%policy-id%"
If you do not specify the redirect URL, the Junos Enforcer uses the default configuration.

NOTE: To set a redirect URL for the Junos Enforcer, use escape characters
instead of dot (.). For example:
“https://192.168.0.100/agentless/?target=http%3A%2F%2Fwww%2Ejuniper%2Enet”.

For configuration instructions and examples, see the Junos OS Initial Configuration Guide
for Security Devices.

Related Understanding the Infranet Enforcer Captive Portal Feature on page 109
Documentation
 Before Configuring Captive Portal on page 110

Creating a Redirect Policy on the ScreenOS Enforcer

From the ScreenOS Web UI

1. Select Configuration > Infranet Auth > Controllers > Edit from the left navigation bar.

2. In the Redirect URL box, specify the IP address or domain name of the Policy Secure
gateway or external Web server using HTTP or HTTPS in the following format:

https://<IP or domain name>/<url path>/?target=%dest-url%

For example, to redirect to a Policy Secure gateway and forward the protected
resource URL, enter:

https://abc.company.com/?target=%dest-url%

To redirect to a Web server and forward the protected resource URL enter:

https://server1.company.com/cgi-bin/redirect.cgi?target=%dest_url%

The ScreenOS Enforcer replaces the %dest-url% parameter with the protected
resource URL, and then forwards the protected resource URL in encrypted form to
the Policy Secure gateway.

114 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

NOTE: In the Redirect URL string, you can omit the ?target=%dest-url%
string. For example:

http://server1.company.com

If you do not include the ?target=%dest-url% string, the user must manually
open a new browser window and enter the protected resource URL again
after signing in.

From the ScreenOS CLI

1. To specify the redirect URL, enter:

set infranet controller name controller1 url "http://10.64.12.1/?target=%dest-url%"


2. To specify the redirect URL without the ?target=%dest-url% string, enter:

set infranet controller name controller1 url http://abc.company.com

Non standard Ports

With ScreenOS Release 6.3, captive portal supports HTTP traffic on any port. To use this
feature, you must define a new service on ScreenOS, and use the service in an infranet
auth policy.

You define the service with the destination ports on which HTTP is running. Select this
service in the infranet auth policy, and associate it with application “HTTP”.

For unauthenticated HTTP traffic on the port specified in the service, ScreenOS redirects
the traffic to the URL that is mentioned in the Inranet Controller configuration or that is
mentioned in the Redirect URL field of the infranet auth policy.

To configure an alternative port for redirct:

From the Web UI

1. Create a new service in ScreenOS.

2. Create an infranet auth policy and select DSTA-HTTP (or the name you are using
when you create the service) as the service in the infranet-auth policy.

3. Set the application as HTTP for the policy.

From the CLI

Type the following commands:

set service DSTA-HTTP protocol tcp dst-port 6060-6060

set policy id 1 from trust to untrust any any DSTA-HTTP permit infranet-auth
redirect-unauthenticated

set policy id 1 application HTTP


For unauthenticated HTTP traffic on the specified port, ScreenOS redirects the traffic to
the URL that is specified in the Policy Secure gateway configuration, or to the one that
is mentioned in the Redirect URL field of the infranet auth polcy.

© 2015 by Pulse Secure, LLC. All rights reserved. 115


Pulse Policy Secure Administration Guide

If nonstandard ports are not used in the infranet-auth policy, the behavior is the same
as in ScreenOS Release 6.2.

Related Understanding the Infranet Enforcer Captive Portal Feature on page 109
Documentation
 Before Configuring Captive Portal on page 110

Understanding Deployments with ScreenOS Enforcer Virtual Systems

This topic describes deployments with ScreenOS virtual systems. It includes the following
information:

 ScreenOS Virtual Systems Overview on page 116


 Overlapping IP Addresses on page 117
 Deployment Example on page 118
 Deployment with IF-MAP Federation Example on page 119

ScreenOS Virtual Systems Overview


You can logically partition a single ScreenOS Enforcer into multiple virtual systems (vsys)
to provide multitenant services. Each vsys is a unique security domain and can have its
own administrator. vsys is supported on ISG1000, ISG2000, and NS5000 series ScreenOS
Enforcers.

Support for vsys on the Policy Secure gateway allows you to provision different auth table
entries and resource access policies on discrete vsys on the same firewall. You can also
choose a vsys for ScreenOS infranet auth policies and VPN objects.

When you add a vsys to a ScreenOS Enforcer with the appropriate CLI commands, the
vsys appears as an Infranet Enforcer on the Policy Secure gateway. For more
information, see http://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-
pages/screenos/product/index.html.

On Policy Secure gateways, the vsys appears as a standalone firewall device. You
configure policies on the vsys just as you do for a separate firewall.

For resource access policies and auth table policies, you add a vsys by entering its name
in the provided field. For Enforcer policies, you select the vsys from a list. This is because
resource access policies and auth table policies can be distributed to multiple ScreenOS
Enforcers, while Enforcer policies apply to only one ScreenOS Enforcer.

Virtual systems do not inherit resource access policies or auth table policies from the
root-vsys (the ScreenOS Enforcer on which the vsys is created). If a resource access
policy or auth table policy is configured for an existing ScreenOS Enforcer, and you
subsequently create one or more vsys, you must add new policies for the vsys to allow
users to access resources behind the vsys.

If you enable command tracing in the event log, the

exec-bulkcli
command is displayed in the log for vsys events.

116 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

You can configure multiple vsys with no shared zones, or you can configure different vsys
to share a common zone. For example, you can configure all endpoints to be on the
untrust zone connecting to multiple vsys in different zones. IPsec is not supported with
a shared-zone configuration. Figure 9 on page 117 shows multiple vsys in shared and
unshared zones.

Support for vsys on the Policy Secure gateway requires ScreenOS Release 6.2 or later.

Figure 9: Multiple vsys in Shared and Unshared Zones

When a ScreenOS Enforcer Release 6.2 or later and the appropriate vsys licensing
connects to the Policy Secure gateway, the Policy Secure gateway automatically
issues a command to the firewall to enable UAC support for vsys in ScreenOS
Enforcers.

Overlapping IP Addresses
On ScreenOS, each vsys can have individual administrators, and one or more vsys can
be assigned to a single customer. For example, a service provider can provision different
vsys to different customers. In turn, these customers might use overlapping IP addresses
in their internal networks. For instance, many organizations use the internal IP address
range 192.168.0.0 – 192.168.255.255. For ScreenOS, this is not an issue because the

© 2015 by Pulse Secure, LLC. All rights reserved. 117


Pulse Policy Secure Administration Guide

ScreenOS Enforcer supports overlapping IP addresses. Previous releases of UAC did not
support overlapping IP addresses. As a result, the Policy Secure gateway was unable to
distinguish between two authorized users with matching addresses. With UAC Release
4.1, if the administrator creates mappings on the Policy Secure gateway as described in
this section, the Policy Secure gateway can recognize users with identical IP addresses
in multiple vsys, and the correct session information is sent to the ScreenOS firewall
auth table.

In the preceding scenarios, customer networks use the same internal IP address ranges
supplied by different service providers. When overlapping IP addresses occur among
different customer networks, if an IC administrator has created a mapping between the
VLAN and vsys, the Policy Secure gateway can use this mapping to correctly identify the
user and to send accurate session information to ScreenOS.

Deployment Example
In the following deployment, (see Figure 10 on page 119) authentication to the service
provider occurs through UAC on the Policy Secure gateway. On this network, different
VLANs and different firewalls are configured on the service provider side for each
customer network. Both customer networks use the same IP address ranges. When
the Policy Secure gateway correctly identifies and authenticates a user from one of the
customer networks who attempts to access a protected resource on the server
provider side, the following occurs:

 With the first login attempt, the Policy Secure gateway knows the user’s VLAN.

 When the user attempts to access a protected resource, the firewall drops the first
packet.

 With the user’s next access attempt (resend), the firewall sends the Policy Secure
gateway the vsys and source IP address.

 If the Policy Secure gateway administrator has configured a mapping on the IC


between the VLAN and the vsys for the firewall on which each customer network is
connected, the Policy Secure gateway can use the source IP and the VLAN ID to
correctly identify the user session. This allows the Policy Secure gateway to provide
session information for the ScreenOS auth table. (Note that the VLAN ID is part of the
user session information.)

118 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

Figure 10: Layer 3 Authentication with Overlapping IP Addresses

Deployment with IF-MAP Federation Example


In the following deployment, (see Figure 11 on page 120) the network configuration is
similar to the preceding example, except that the service provider uses two Policy
Secure gateways and both are in a Federated network. Both customer networks use the
same IP address ranges. In order for the Policy Secure gateway that controls access to
the protected resource to correctly identify and authenticate a user who attempts
access from one of the customer networks, the following events occur:

 When the user logs in to the first Policy Secure gateway, the Policy Secure gateway
correctly identifies the user’s VLAN. The Policy Secure gateway publishes information
about the user session to the IF-MAP server. If the Policy Secure gateway
administrator has configured a mapping on the first Policy Secure gateway between
the VLAN and an administrative domain, the Policy Secure gateway publishes the
source IP address with the administrative domain.

 When the user attempts to access a protected resource, the firewall drops the first
packet and identifies the vsys and the source IP address to the second Policy Secure
gateway. The second Policy Secure gateway looks up the source IP address in the IF-
MAP server to obtain session information so it can provision the ScreenOS auth table.
If the Policy Secure gateway administrator has configured a mapping on the second
Policy Secure gateway between the vsys and the VLAN, and between the VLAN and
an administrative domain, the second Policy Secure gateway looks up the
combination of the source IP address and administrative domain.

© 2015 by Pulse Secure, LLC. All rights reserved. 119


Pulse Policy Secure Administration Guide

 With the user’s next access attempt (resend), the firewall is provisioned and forwards
the packet to the protected resource.

Figure 11: IF-MAP Authentication with Overlapping IP Addresses

Related Configuring the Policy Secure gateway for Overlapping IP Addresses on page 120
Documentation

Configuring the Policy Secure gateway for Overlapping IP Addresses

To configure overlapping vsys IP addresses with an Infranet Enforcer with vsys mapping:

NOTE: Before you perform this configuration, you must first add Infranet
Enforcer vsys and VLANs.

1. To map a vsys with a VLAN, in the admin console, select UAC > Infranet Enforcer >
VYSYS Mapping.

2. Under Mapping with vsys, select an available vsys. Select an available VLAN.

3. Click Save Changes.

120 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

To configure overlapping vsys IP addresses with IF-MAP Federation using the


administrative domain:

1. Select UAC > Infranet Enforcer > VYSYS Mapping.

2. Under Mapping with Administrative Domain, select an available vsys. Select an


administrative domain.

3. Click Save Changes.

To configure overlapping vsys IP addresses with the Infranet Enforcer and IF-MAP
Federation using the administrative domain and vsys mapping:

1. Select System > IF-MAP Federation > Administrative Domain.

2. Under Mapping with Administrative Domain, select an available VLAN. Select an


administrative domain.

3. Click Save Changes.

NOTE: Administrators should note the following when dealing with


overlapping IP addresses:

 Overlapping IP address configurations are not supported in environments


with mixed deployments of SRX and ISG devices.

 Two VLANs with overlapping addresses should not be configured to the


same vsys.

 For overlapping vsys IP addresses with IF-MAP Federation using the


administrative domain, both the IF-MAP client and server should have
identical Administrative Domain - VLAN mappings. If there is a mismatch,
authentication table entries on the firewall may not update correctly for
federated users who become local users on the IC to which the firewall is
connected.

 IDP is not supported with overlapping IP addresses.

Related Understanding Deployments with ScreenOS Enforcer Virtual Systems on page 116
Documentation

IPsec Policies

This section describes the policies that you configure to use IPsec on the Infranet Enforcer.

 IPsec Routing Policy—Specifies which Infranet Enforcer an endpoint must use to


access a resource. This policy also specifies whether that resource requires an IPsec
tunnel for endpoints to access it. Note that an IPsec tunnel does not automatically
give the endpoint access. You configure IPsec routing policies on the Policy Secure
gateway.

 ScreenOS Infranet Auth IPsec Policy—Contains the source and destination. The
Policy Secure gateway uses the source and destination to set up a user, user group,
IKE gateway,

© 2015 by Pulse Secure, LLC. All rights reserved. 121


Pulse Policy Secure Administration Guide

and VPN for each source interface in the source zone of the policy. You can set up a
basic ScreenOS IPsec policy on the Policy Secure gateway and push the policy to the
ScreenOS Enforcer, or you can set up the policy using ScreenOS Web UI or the
command line.

 IP Address Pools Policy—Specifies a pool of virtual IP addresses that you want the
Policy Secure gateway to automatically assign to endpoints in NAT environments that
use IPsec tunnels to the Infranet Enforcer. You configure IP address pools policies on
the Policy Secure gateway.

 ScreenOS Source Interface Policy—Specifies the source interface on the ScreenOS


Enforcer that receives traffic from endpoints if the ScreenOS Enforcer is in Transparent
mode. You create this type of policy only if you want endpoints to use IPsec to
communicate with a ScreenOS Enforcer that is in Transparent mode, and you are using
virtual routers. You configure source interface policies on the Policy Secure gateway.

 Junos Enforcer Security Policy—On the Junos Enforcer, security policies are used to
define the source and destination address, the application, and the phase 2 policy. You
configure security policies on the Junos Enforcer. You cannot configure security policies
on the Policy Secure gateway.

Related Using IPsec with the Infranet Enforcer on page 122


Documentation
 Setting Up ScreenOS Enforcer IPsec Routing Policies on page 137

 Configuring ScreenOS Enforcer IPsec Encryption Settings on page 138

 Understanding Pulse Policy Secure Support for IPsec Routing Policies on page 123

 Understanding IPsec Routing Policy Configuration Options on page 126

Using IPsec with the Infranet Enforcer

On supported endpoints that use OAC or Pulse, you can use IPsec enforcement to encrypt
the traffic between an endpoint and the ScreenOS Enforcer, thereby adding another of
protection for network assets.

IPsec is not supported on agentless or Java agent endpoints, or on endpoints that connect
by means of non-UAC software. For these clients, you must use source IP enforcement
instead.

To use IPsec enforcement, you set up a VPN tunnel with IKE (Internet Key Exchange) on
the Infranet Enforcer. You can configure IPsec enforcement by creating IPsec routing
policies on the Policy Secure gateway. For IPsec on the ScreenOS Enforcer, you can
create basic IPsec policies. For IPsec with the Junos Enforcer, you must create security
policies on the device.

Alternatively, you can set up the VPN tunnel manually using ScreenOS CLI commands
or Web UI. We recommend that you use the Policy Secure gateway to set up basic VPN
policies on the Infranet Enforcer. If necessary, you can modify the VPN tunnel setup
afterwards on the Infranet Enforcer by using ScreenOS CLI commands or Web UI.

If you modify the VPN tunnel setup on the Infranet Enforcer by using the ScreenOS CLI
commands or Web UI, you must refresh the policies on the Policy Secure gateway.

122 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

When you use the Policy Secure gateway to configure IPsec on the ScreenOS Enforcer,
the Policy Secure gateway sets up a user, user group, IKE gateway, and VPN for each
source interface in the source zone of the policy, in addition to the policy itself. The
Policy Secure gateway uses the source interface number and the ID of the destination
zone to uniquely name each of these objects.

For IPsec with the Junos Enforcer you use the CLI to create security policies. With the
Junos Enforcer, the Policy Secure gateway uses the destination zone to match the IPsec
routing policies that are configured on the Policy Secure gateway.

Related Setting Up ScreenOS Enforcer IPsec Routing Policies on page 137


Documentation
 Configuring Junos Enforcer IPsec Routing Policies on page 140

Understanding Pulse Policy Secure Support for IPsec Routing Policies

This topic provides an overview of Pulse Policy Secure support for IPsec routing
policies. It includes the following information:

 About IPsec on page 123


 Access Solution Service Client Support for IPsec Routing Policies on page 123
 Infranet Enforcer Support for IPsec Routing Policies on page 124
 Infranet Enforcer IPsec Policy Features on page 124
 Dynamic IPsec Routing Policies with ScreenOS Enforcers on page 125
 Refreshing IPsec Policies on the IC Series on page 125

About IPsec
IP Security (IPsec) is a suite of related protocols for cryptographically securing
communications at the IP Packet Layer. IPsec also provides methods for the manual and
automatic negotiation of security associations (SAs) and key distribution.

An IPsec tunnel consists of a pair of unidirectional SAs – one at each end of the tunnel
– that specify the security parameter index (SPI), destination IP address, and security
protocol. In a dial-up VPN, there is no tunnel gateway on the VPN dial-up client end of
the tunnel. Rather, the tunnel extends directly to the client itself.

IPsec routing policies allow you to specify the parameters for SAs between endpoints
and the Infranet Enforcer.

Access Solution Service Client Support for IPsec Routing Policies


OAC and Pulse support IPsec using IKEv1 with XAuth. For the client to establish an IPsec
tunnel, it must retrieve configuration information from the Infranet Enforcer. This
information is forwarded to The Policy Secure gateway by the respective device. When a
user with OAC or Pulse signs in to the Policy Secure gateway, these configuration
details are passed on to the client to establish an IPsec tunnel with the Infranet
Enforcer.

To set up IPsec for endpoints with OAC or Pulse, you configure policies on the Policy
Secure gateway and on the security device. The Policy Secure gateway pushes the
required IPsec

© 2015 by Pulse Secure, LLC. All rights reserved. 123


Pulse Policy Secure Administration Guide

configuration parameters to the client when the client first attempts to connect to a
protected resource behind and Policy Secure gateway for which IPsec has been
configured.

IPsec is not supported on agentless or Java agent endpoints, or on endpoints that connect
by means of non-UAC software. For these clients, you must use source IP enforcement
instead. Source IP enforcement allows endpoints to communicate with unencrypted
traffic.

Infranet Enforcer Support for IPsec Routing Policies


IPsec is supported on both the ScreenOS Enforcer and the Junos Enforcer (beginning in
Release 10.0).

On the Infranet Enforcers, you set up a VPN tunnel with IKE (Internet Key Exchange).

For Junos Enforcers, you use the Junos OS user interface to configure the Junos Enforcer
IPsec security zones and IPsec routing policy settings. The Pulse Policy Secure IPsec
routing policies match the destination zone set in the Junos OS configuration.

For the ScreenOS Enforcer, you can use the Pulse Policy Secure user interface to
configure basic IPsec policies and then push them to the ScreenOS Enforcer. Alternatively,
you can use the ScreenOS user interface to set up the VPN tunnel. We recommend that
you use the Pulse Policy Secure user interface. When you use Pulse Policy Secure user
interface to set up the IPsec routing policy, you specify a user, user group, IKE gateway, and
VPN for each source interface in the source zone of the policy, in addition to the policy
itself. The Pulse Policy Secure uses the source interface number and the ID of the
destination zone to uniquely name each of these objects.

NOTE: If necessary, you can later use the ScreenOS user interface to modify
the VPN tunnel configuration. Whenever you modify the VPN tunnel setup
from the ScreenOS side of the configuation, you must refresh the Pulse
Policy Secure policies.

Infranet Enforcer IPsec Policy Features


This section describes the policies that you configure to use IPsec on the Infranet Enforcer.

 IPsec Routing Policy—Specifies which Infranet Enforcer an endpoint must use to


access a resource. This policy also specifies whether that resource requires an IPsec
tunnel for endpoints to access it. Note that an IPsec tunnel does not automatically
give the endpoint access. You configure IPsec routing policies on the Policy Secure
gateway.

 ScreenOS Infranet Auth IPsec Policy—Contains the source and destination. The
Policy Secure gateway uses the source and destination to set up a user, user group,
IKE gateway, and VPN for each source interface in the source zone of the policy. You
can set up a basic ScreenOS IPsec policy on the Policy Secure gateway and push the
policy to the ScreenOS Enforcer, or you can set up the policy using ScreenOS Web UI
or the command line.

 IP Address Pools Policy—Specifies a pool of virtual IP addresses that you want the
Policy Secure gateway to automatically assign to endpoints in NAT environments that
use IPsec
124 © 2015 by Pulse Secure, LLC. All rights reserved.
Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

tunnels to the Infranet Enforcer. You configure IP address pools policies on the Policy
Secure gateway.

 ScreenOS Source Interface Policy—Specifies the source interface on the ScreenOS


Enforcer that receives traffic from endpoints if the ScreenOS Enforcer is in Transparent
mode. You create this type of policy only if you want endpoints to use IPsec to
communicate with a ScreenOS Enforcer that is in Transparent mode, and you are using
virtual routers. You configure source interface policies on the Policy Secure gateway.

 Junos Enforcer Security Policy—On the Junos Enforcer, security policies are used to
define the source and destination address, the application, and the phase 2 policy. You
configure security policies on the Junos Enforcer. You cannot configure security policies
on the Policy Secure gateway.

Dynamic IPsec Routing Policies with ScreenOS Enforcers


Depending on the version of ScreenOS you are using, the steps for configuring IPsec
differs. If you are using ScreenOS Release to 6.1 and earlier, you configure ScreenOS IPsec
policies and an IPsec routing policy for each resource that you want to protect. With
ScreenOS Release 6.1 or later the Policy Secure gateway can dynamically provision IPsec
routing policies for you, eliminating the need to configure a separate policy for each
resource.

The Policy Secure gateway initially queries all connected Infranet Enforcers for version
information. If ScreenOS Release 6.1 or greater is detected, the Policy Secure gateway
initiates a command to enable dynamic provisioning.

When an authenticated endpoint without an auth table entry attempts to access a


resource through the Infranet Enforcer, the Infranet Enforcer sends a message to the
Policy Secure gateway that includes the source and destination IP, the source interface
on which the dropped packet was received, and the ID of the Enforcer policy associated
with the resource. The Policy Secure gateway uses this information to negotiate an
IPsec tunnel between the endpoint and the Infranet Enforcer and provision a dynamic
IPsec routing policy.

Refreshing IPsec Policies on the IC Series


Each time the Infranet Enforcer and Policy Secure gateway establish a new connection
with each other, the Policy Secure gateway queries the Infranet Enforcer for policy
information, which it uses for provisioning IPsec to endpoints. If you modify the IPsec
policies on the Infranet Enforcer while the Infranet Enforcer is connected to the Policy
Secure gateway, you must refresh the policies on the Policy Secure gateway so that the
Policy Secure gateway uses the new policies, otherwise, the Policy Secure gateway
continues to use the older policies until the next time it disconnects from and
reconnects to the Infranet Enforcer.

Related Understanding IPsec Routing Policy Configuration Options on page 126


Documentation
 Configuring Junos Enforcer IPsec Routing Policies on page 140

 Setting Up ScreenOS Enforcer IPsec Routing Policies on page 137

© 2015 by Pulse Secure, LLC. All rights reserved. 125


Pulse Policy Secure Administration Guide

Understanding IPsec Routing Policy Configuration Options

This topic provides an overview of IPsec routing policy configuration options. You should
become familiar with these options before you begin the configuration tasks. This topic
includes the following information:

 Configuration Overview on page 126


 Configuration Summary on page 126
 Advanced Configuration Options on page 127

Configuration Overview
An IPsec routing policy specifies which Infranet Enforcer the device endpoints must use
to access resources when using IPsec. The IPsec routing policy also specifies that
endpoints must use an IPsec tunnel to the Infranet Enforcer to access resources.

To use IPsec with ScreenOS Release 6.1 or earlier, you must configure separate IPsec
routing policies for different resources that you wish to protect. IPsec routing policies are
specific to the resources that you add.

If you are using Screen OS Release 6.1 or later, you can configure one dynamic IPsec
routing policy for each destination zone on each Infranet Enforcer.

In IPsec routing policies with ScreenOS Release 6.1 earlier, you can specify a range of
exceptions for traffic to certain resources that you do not want to use IPsec. The
exceptions can fall within the ranges of resources that the Infranet Enforcer protects. In
this case, if you create an exception for traffic that flows through the Infranet Enforcer,
you must also create another policy on the Infranet Enforcer that allows the exception
traffic to flow through.

For example, you might create an IPsec routing policy that uses IPsec for 0.0.0.0/0 (the
entire network). In the same policy, you can specify the resources that are exceptions
and that do not use IPsec, such as 172.24.80.30 (the Policy Secure gateway),
172.24.80.31 (the Infranet Enforcer), and 172.24.144/21 (a wireless network).

With ScreenOS Release 6.1 or later, policy exceptions are unnecessary. Dynamic IPsec
routing ensures that IPsec tunnels are created only for destinations that are governed
by the ScreenOS IPsec policy.

Configuration Summary

Table 13: Configuration Topics

Topic Details

Connection The Infranet Enforcer and the Policy Secure gateway must be connected before you use the
IC Seri

126 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

Table 13: Configuration Topics (continued)


Topic Details

IPsec access server on ScreenOS Enforcer You cannot establish an IPsec tunnel if IAS (IPsec access server) is enabled on the ScreenOS
command on the ScreenOS Enforcer Command Line Interface:

get ipsec access_session status

To turn off IAS, use the following command:

unset ipsec access-session enable.

For details about this functionality, see


http://www.juniper.net/techpubs/en_US/release-independent/screenos/informatio

Multiple interfaces If you configure IPsec enforcement for an Infranet Enforcer that has multiple interfaces in the
VPN, and tunnel policy for each interface. To distinguish the tunnel policies, the IC Series dev
column on UAC > Infranet Enforcer > Enforcer Policies after you click Save Changes.

Dynamic IPsec routing policies If you are using ScreenOS Release 6.1 or later you can configure the Infranet Enforcer to dyna
you create a ScreenOS source IP policy with a source and destination zone that matches the
source IP policy. Dynamic IPsec routing policies are not supported on the Junos Enforcer.

Default encryption settings on the ScreenOS Enforcer When you use the Policy Secure gateway to configure IPsec on the Infranet Enforcer, the IC
Series d
encryption settings: NoPFS, ESP, 3DES, and SHA1. You can, however, change the phase 2 pro

Bi-directional VPN policy To connect from a computer inside the protected network back to the endpoint, you can cre

CLI commands To include the CLI commands that the Policy Secure gateway sends to the Infranet Enforcer
in the IC
(select System > Log/Monitoring > Events > Settings).

Junos Enforcer zone limitation On the Junos Enforcer, only one IPsec VPN tunnel per “from-zone” to “to-zone” is supported.

Troubleshooting To troubleshoot your IPsec configuration, you can view the Event logs on the Policy Secure
gateway
Tools > Diagnostics > IPsec Diagnostics in OAC.

Advanced Configuration Options

Topic Details

IP address Do not use IPsec for the Policy Secure gateway, the Infranet Enforcer, and networks where your
exceptions endpoints are located. For example, if you create an IPsec routing policy that uses IPsec on an entire
network range (such as 0.0.0.0/0) for your protected resources, be sure to specify exceptions in the
same policy for the IP addresses assigned to Policy Secure gateway, Infranet Enforcer, and the
endpoints.

UDP encapsulation For maximum inter-operability with other third-party IPsec clients, select both Always use UDP
and virtual adapters encapsulation and Always use a virtual adapter. When both options are selected, Network address
translation (NAT) is simulated even if a NAT device is not present. We recommend that you select both
options or neither option. For example, if an endpoint contains two network interfaces, such as a wired
and a wireless interface, and a NAT device is not present between the endpoint and the Infranet Enforcer.
If the endpoint does not access a protected resource by using the interface that is connected to the
network where the Infranet Enforcer is installed, then the user cannot access the protected resource
through either interface without a virtual adapter. Because the Policy Secure gateway does not
automatically install a virtual adapter unless a NAT device is detected, enable the Always use a virtual
adapter option to simulate NAT and force the use of a virtual adapter for this use case.

© 2015 by Pulse Secure, LLC. All rights reserved. 127


Pulse Policy Secure Administration Guide

Related Using the Pulse Policy Secure User Interface to Create Basic ScreenOS Enforcer
Documentation IPsec Policies on page 136

  Setting Up ScreenOS Enforcer IPsec Routing Policies on page 137

 Configuring Junos Enforcer IPsec Routing Policies on page 140

 Configuring IPsec Routing Policies on page 129

 Using IP Address Pool Policies for IPsec in a NAT Environment on page 130

IPsec Routing Policies

An IPsec routing policy specifies which Infranet Enforcer the device endpoints must use
to access resources when using IPsec. The IPsec routing policy also specifies that
endpoints must use an IPsec tunnel to the Infranet Enforcer to access resources.

To use IPsec with ScreenOS Release 6.1 or earlier , you must configure separate IPsec
routing policies for different resources that you wish to protect. IPsec routing policies are
specific to the resources that you add.

If you are using Screen OS Release 6.1 or later, you can configure one dynamic IPsec
routing policy for each destination zone on each Infranet Enforcer.

In IPsec routing policies with ScreenOS Release 6.1 earlier , you can specify a range of
exceptions for traffic to certain resources that you do not want to use IPsec. The
exceptions can fall within the ranges of resources that the Infranet Enforcer protects. In
this case, if you create an exception for traffic that flows through the Infranet Enforcer,
you must also create another policy on the Infranet Enforcer that allows the exception
traffic to flow through.

For example, you might create an IPsec routing policy that uses IPsec for 0.0.0.0/0 (the
entire network). In the same policy, you can specify the resources that are exceptions
and that do not use IPsec, such as 172.24.80.30 (the Policy Secure gateway),
172.24.80.31 (the Infranet Enforcer), and 172.24.144/21 (a wireless network).

With ScreenOS Release 6.1 or later, policy exceptions are unnecessary. Dynamic IPsec
routing ensures that IPsec tunnels are created only for destinations that are governed
by the ScreenOS IPsec policy.

Related Before you Begin on page 128


Documentation
 Configuring IPsec Routing Policies on page 129

Before you Begin

Topic Details

IP address Do not use IPsec for the Policy Secure gateway, the Infranet Enforcer, and networks where your
exceptions endpoints are
located. For example, if you create an IPsec routing policy that uses IPsec on an entire network range
(such as 0.0.0.0/0) for your protected resources, be sure to specify exceptions in the same policy for
the IP addresses assigned to Policy Secure gateway, Infranet Enforcer, and the endpoints.

128 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

UDP encapsulation For maximum inter-operability with other third-party IPsec clients, select both Always use UDP
and virtual adapters encapsulation and Always use a virtual adapter. When both options are selected, Network address
translation (NAT) is simulated even if a NAT device is not present. We recommend that you select both
options or neither option. For example, if an endpoint contains two network interfaces, such as a wired
and a wireless interface, and a NAT device is not present between the endpoint and the Infranet Enforcer.
If the endpoint does not access a protected resource by using the interface that is connected to the
network where the Infranet Enforcer is installed, then the user cannot access the protected resource
through either interface without a virtual adapter. Because the Policy Secure gateway does not
automatically install a virtual adapter unless a NAT device is detected, enable the Always use a virtual
adapter option to simulate NAT and force the use of a virtual adapter for this use case.

Related Configuring IPsec Routing Policies on page 129


Documentation
 Using IP Address Pool Policies for IPsec in a NAT Environment on page 130

Configuring IPsec Routing Policies

To configure an IPsec routing policy:

1. In the Policy Secure gateway admin console, select UAC > Infranet Enforcer > IPsec
Routing.

2. Click New Policy.

3. On the New Policy page:

a. For Name, enter a name to label this IPsec routing policy.

b. For Description, enter an optional description.

4. If you are using ScreenOS Release 6.1 or later, and you want to configure the Policy
Secure gateway to dynamically provision IPsec routing policies, select the Dynamic
check box. The Resources and Exceptions text boxes and the Infranet Enforcer
check boxes disappear.

5. Go to step 10 to continue configuring this policy for ScreenOS Release 6.1 or later.

6. For Resources, enter the IP address and netmask of each resource that requires
endpoints to use IPsec, one per line, in the following format:

<ip address>[/netmask]

You cannot specify a host name in an IPsec routing policy. You must specify an IP
address.

7. For Exceptions, use the following format, one per line, to specify the IP address and
netmask of each resource that has traffic which you do not want to flow through the
Infranet Enforcer:

<ip address>[/netmask]

Each exception must be a subset of what you specify for Resources.

8. For Destination Zone, enter the zone that is configured on the Infranet Enforcer where
the protected resources specified in this IPsec routing policy are located. For example:
trust

9. Select these options to configure IPsec interoperability and tunnel persistence:

© 2015 by Pulse Secure, LLC. All rights reserved. 129


Pulse Policy Secure Administration Guide

 Always use UDP encapsulation—Allows the client and the Infranet Enforcer to
create an IPsec tunnel inside a third-party IPsec tunnel by using UDP encapsulation
even if a NAT device is not present. For example, for inter-operability with third-party
IPsec clients running on the endpoint The Policy Secure gateway uses port 4500
for UDP encapsulation in compliance with RFC 3948.

 Always use a virtual adapter—Forces the use of a virtual adapter on the endpoint.
If you select this option, you must also set up IP address pools even if a NAT device
is not present.

 Persistent Tunnel Mode—Allows you to determine whether or not a tunnel is


established when a user first connects to the Policy Secure gateway. If the check
box is selected, an IPsec tunnel is established, and users can access protected
resources behind the Infranet Enforcer. If the check box is not selected, the tunnel
is not automatically set up: a tunnel will not be initiated until there is a request for
traffic.

10. From the Enforcer list, choose the Infranet Enforcer to which endpoints connect to
access the resources specified in this IPsec routing policy.

11. In the Roles section, specify:

 Policy applies to ALL roles—To apply this IPsec routing policy to all users.

 Policy applies to SELECTED roles—To apply this IPsec routing policy only to users
who are mapped to roles in the Selected roles list. Be sure to add roles to this list
from the Available roles list.

 Policy applies to all roles OTHER THAN those selected below—To apply this IPsec
routing policy to all users except for those who map to the roles in the Selected
roles list. Be sure to add roles to this list from the Available roles list.

12. Click Save Changes.

Related Setting Up ScreenOS Enforcer IPsec Routing Policies on page 137


Documentation
 Configuring Junos Enforcer IPsec Routing Policies on page 140

Using IP Address Pool Policies for IPsec in a NAT Environment

The Policy Secure gateway supports the use of IPsec tunnels through NAT devices to
allow users secure access to protected resources. In a NAT environment, a virtual IP
address must be used for the IPsec tunnel’s inner address.

You can configure a pool of virtual IP addresses that the Policy Secure gateway can
automatically assign to endpoints by creating IP address pool policies. An IP address pool
is a contiguous range of IP addresses which you configure by specifying the starting
address and the number of addresses in the pool. You can associate an IP address pool
with one or more Infranet Enforcers.

IP address pool policies are required if one of the following is true:

 You are using IPsec in a NAT environment.

130 © 2015 by Pulse Secure, LLC. All rights reserved.


Chapter 3: Deployments with ScreenOS and Junos OS Infranet Enforcers

 You selected the Always use a virtual adapter option in an IPsec routing policy to enable
interoperability with other third-party IPsec clients running simultaneously on the
endpoint, such as Pulse Secure Network Connect or Microsoft IPsec.

To use NAT devices in the UACl solution, the endpoints must be located on one side of
the NAT devices, and both the Policy Secure gateway and Infranet Enforcer must be
located on the other side of the devices.

Also note the following if you are using NAT:

 NAT is not supported between the Policy Secure gateway and Infranet Enforcer.

 If there is a NAT device between the endpoint and the Policy Secure gateway, but not
between the endpoint and the Infranet Enforcer, source IP enforcement does not
work. This is also true if there is a NAT device between the endpoint and the Infranet
Enforcer, but not between the endpoint and the Policy Secure gateway.

If NAT is not detected, the client uses the endpoint’s physical IP address when creating
the IPsec tunnel to the Infranet Enforcer. The Policy Secure gateway does not allocate
an IP address from the pool.

Figure 12 on page 131 shows an example of a NAT environment where endpoints 1 and 2
have the same physical IP address: 192.168.1.1. By using an IP address pool policy, you
can configure the Policy Secure gateway to assign a unique, routable, virtual IP address
to each endpoint.

Figure 12: Using an IP Address Pool in a NAT Environment

© 2015 by Pulse Secure, LLC. All rights reserved. 131


Pulse Policy Secure Administration Guide

The following sequence of events occur when the Policy Secure gateway and a Pulse
client (OAC or Pulse Secure) use an IPsec tunnel through a NAT device:

 When the client connects to the Policy Secure gateway and authenticates the user,
the client returns the endpoint’s source IP address that is used to access the Infranet
Enforcer to the Policy Secure gateway. The Policy Secure gateway saves the source
IP address internally.

 When the user attempts to access a protected resource, an IKE exchange occurs to
set up an IPsec tunnel between the endpoint and the Infranet Enforcer.

 During the IKE exchange, the Infranet Enforcer detects the source IP address of the
endpoint and sends that IP address to the Policy Secure gateway.

 The Policy Secure gateway compares its saved source IP address for the endpoint
with the endpoint’s IP address sent from the Infranet Enforcer. If the addresses do
not match, the Policy Secure gateway determines that there is a NAT device
between the endpoint and the Infranet Enforcer. The Policy Secure gateway
automatically provisions an IP address from an IP address pool policy that you
configured (for example, 10.11.0.10-100). The Policy Secure gateway assigns the IP
address to the endpoint based on the IP address pool policy that applies to the
user’s role. The Policy Secure gateway then sends the IP address to the Infranet
Enforcer.

 The Infranet Enforcer sends that IP address from the IP address pool (for example,
10.11.0.10) to the client on the endpoint during the Xauth authentication exchange.

 The client on the endpoint configures a virtual network adapter using the IP address
sent from the Infranet Enforcer.

 The endpoint initiates an IPsec connection to the Infranet Enforcer, and the Infranet
Enforcer sets up dynamic routes for each IP address. The user can now use the endpoint
to access protected resources.

The Policy Secure gateway allocates one IP address for the duration of each client
session, which lasts as long as the client is connected to the Policy Secure gateway.
After a session ends, the Policy Secure gateway can reuse the allocated address for a
different endpoint.

When the Policy Secure gateway must provide an inner IP address for a new IPsec
tunnel, it attempts to reuse an existing inner IP address assigned to the endpoint before
allocating a new one. The Policy Secure gateway checks all of the inner IPs allocated
from IP address pools for the endpoint. For each IP address, the Policy Secure gateway
determines whether the policy from which that address was all