Release, Build 5.3 R5 38279

Document Revision 1.0

Published September 2016

Pulse Policy Secure

Release Notes

Pulse Policy Secure version 5.3 R5 Build 38279

Pulse Client version 5.2 R5 Build 869

Odyssey Access Client version 37585

Product Release 5.3R5

Pulse Secure, LLC

2700 Zanker Road, Suite 200

San Jose, CA 95134

http://www.pulsesecure.net

© 2016 by Pulse Secure, LLC. All rights reserved

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Contents

Introduction
Hardware Platform
Virtual Appliance Editions
Interoperability and Supported Platforms
Upgrading to Pulse Policy Secure 5.3R5
New Features in the 5.3R5 Release
Noteworthy changes in 5.3R5
Resolved Issues in 5.3R5
Known Issues in 5.3R5
Documentation
Documentation Feedback
Technical Support
  Requesting Technical Support
Revision History

List of Tables

Table 1: Virtual Appliance Qualified Systems
Table 2 Upgrade Paths
Table 3 List of New Features
Table 4 List of Resolved Issues in 5.3R5
Table 5 List of Known Issues in 5.3R5 release
Table 6: Revision History

Introduction

These release notes contain information about new features, software issues that have been resolved and known issues. If the information in the release notes differs from the information found in the documentation set, follow the release notes.

This is an incremental release notes document that describes the changes made from 5.3R4 release to 5.3R5. The 5.3R4 release notes still apply except for the changes mentioned in this document. Please refer to 5.3R5 release notes for the complete version.

Hardware Platform

You can install and use this software version on the following hardware platforms:

MAG2600, MAG4610, MAG6610, MAG6611, MAG SM160, MAG SM360

PSA-300, PSA-3000, PSA-5000, PSA-7000c/f

To download software for these hardware platforms, go to: https://www.pulsesecure.net/support/

Virtual Appliance Editions

This software version is available for the following virtual appliance editions:

Demonstration and Training Edition (DTE)

Service Provider Edition (SPE)

The following table lists the virtual appliance systems qualified with this release.

Table 1: Virtual Appliance Qualified Systems

Platform | Qualified System

VMware | IBM BladeServer H chassis; BladeCenter HS blade server; vSphere 5.5; allocation for virtual appliance: 4vCPU, 4GB memory and 20GB disk space

KVM | QEMU/KVM v2.3.0; Linux Server CentOS 6.6 on an Intel Xeon CPU L5640 @ 2.27GHz (NFS storage mounted in host; 24GB memory in host; allocation for virtual appliance: 4vCPU, 4GB memory and 20GB disk space)

To download the virtual appliance software, go to: https://www.pulsesecure.net/support/

Interoperability and Supported Platforms

Refer to the Supported Platforms Guide on the software download site for details about supported versions of the Cisco and Aruba WLC, PAN firewall, Junos, Screen OS enforcer, client browsers, client mobile devices, and operating systems.

Upgrading to Pulse Policy Secure 5.3R5

The following table describes the tested upgrade paths.

Table 2 Upgrade Paths

Release | Description

Pulse Policy Secure Software Upgrade | Automatic updates to this release are supported for all PPS releases after and including PPS 5.1 R1. This release does not support ICx500 series, IC4000 and IC6000 devices. These hardware models have reached end-of-life (EOL).

Pulse Secure Desktop 5.2R5 Client Software Upgrade | Refer to the Pulse Secure Desktop Client 5.2 release notes.

Odyssey Access Client Upgrade | Same version of Odyssey client is retained for this release.

PPS Agent (OAC) | PPS handles 1500 concurrent endpoint upgrades.

Standalone OAC Client | This release supports the standalone, non-PPS version of Odyssey Access Client. Instructions for installing OAC on standalone clients are contained in the help guide under the section Getting Started > Initial Configuration.

Endpoint Security Assessment Plug-in (ESAP) Compatibility | ESAP package version 3.0.1 is the minimum version to be compatible with Pulse Policy Secure version 5.3R5. The default version for ESAP is 3.0.1.

Network and Security Manager (NSM) Compatibility | NSM is not supported.

New Features in the 5.3R5 Release

The following table describes the major features that are introduced in this release.

Table 3 List of New Features

Feature | Description

Device Profiler | Pulse Policy Secure now includes an on-box profiler solution to detect and automatically profile managed and unmanaged devices on the network for better network visibility and control.

Key features:

1. Ability to detect and classify unmanaged devices using multiple profiling techniques such as DHCP fingerprinting, SNMP discovery, Nmap scanning and HTTP UA fingerprinting.

2. Ability to detect and classify managed devices using information from Pulse Client or OAC client.

3. Dashboard view of all devices on the network along with their profile information.

4. Access control based on device attributes such as Manufacturer name, OS or type of device.

5. Support for Active Passive cluster configuration.

Integration with new OPSWAT SDK v4 | Pulse Policy Secure leverages OPSWAT integration for endpoint desktop compliance evaluation. With this release the newer version of OPSWAT v4 is used, as the earlier version will be EOL’ed by end of 2016.

Note: Ensure that all the servers and clients are upgraded before upgrading to OPSWAT v4.

Federation Server Database is changed | LMDB is used instead of Berkeley DB. LMDB stores the Federation server session data and provides more stability and better scalability.

Hyper-V hypervisor | Hyper-V hypervisor support has been added as part of this release to extend platform support for virtual appliances.

Kernel Watchdog is not supported on Hyper-V platforms. In PPS, on the Maintenance > system > options page, the kernel watchdog checkbox is grayed out.

Realm/Role Mapping based on custom expression | PPS admins can now apply or filter out roles based on certain incoming attributes such as RADIUS request attributes, Location and Protocol used.

Palo Alto Firewall 7.x | PPS supports integration with Palo Alto version 7.x along with the existing 6.x version.

Noteworthy changes in 5.3R5

1. Pulse Policy Server (PPS) acting as License clients, running C5.1R1 and above, will not be able to lease licenses from License Servers running on PCS 8.0R1 to PCS 8.0R4. If you plan to upgrade PPS License clients to C5.1R1 and above versions, you must upgrade your License Servers to 8.0R5 and above. See KB40095 for more information.

2. When custom ciphers are selected, there is a possibility that some ciphers are not supported by the web browser. Also, if any of the ECDH/ECDSA ciphers are selected, they require an ECC certificate to be mapped to the internal/external interface. If an ECC certificate is not installed, the admin may not be able to log in to the box. The only way to recover from this situation is to connect to the system console and select option 8 to reset the SSL settings from the console menu. Option 8 resets the SSL settings to their defaults, so the previously set SSL settings are lost. This is applicable only to Inbound SSL settings.

3. Pre-5.0 Android and pre-9.1 iOS devices don’t support Suite B ciphers. So if Suite B is enabled, Pulse client on pre-5.0 Android and pre-9.1 iOS devices will not be able to connect to PCS device.

4. With OPSWAT v4 SDK, the new product support list is being worked on and updated by OPSWAT periodically, and is delivered as part of ESAP. In case of any issue related to compliance evaluation or remediation for any specific product, ensure that the latest ESAP is used or roll back to OPSWAT v3 SDK.
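
A pre-change check for the lockout described in item 2, as an added example that is not part of these release notes or of any Pulse Secure tooling. It assumes OpenSSL-style TLS 1.2 suite names (the admin UI's cipher labels are not shown on this page) and applies the general TLS rule that a suite can only be negotiated when a certificate of the matching key type is bound to the interface; the suite lists and the `required_cert` and `check_selection` helpers are constructed for illustration.

```python
"""Will the admin UI still be reachable after a custom inbound cipher selection?"""

# Suite names with no key-exchange prefix use RSA key transport.
PLAIN_RSA_PREFIXES = {"AES128", "AES256", "DES", "RC4", "CAMELLIA128", "CAMELLIA256"}


def required_cert(suite):
    """Return the certificate key type ('ECC' or 'RSA') a TLS 1.2 suite needs.

    General TLS rule applied to OpenSSL-style names (assumption), not
    logic taken from the appliance.
    """
    parts = suite.upper().split("-")
    kx = parts[0]
    auth = parts[1] if len(parts) > 1 else ""
    if kx == "ECDH" and auth in ("ECDSA", "RSA"):
        # Static ECDH: the ECDH public key lives in the certificate itself.
        return "ECC"
    if kx == "ECDHE" and auth == "ECDSA":
        return "ECC"
    if kx in ("ECDHE", "DHE") and auth == "RSA":
        return "RSA"
    if kx in PLAIN_RSA_PREFIXES:
        return "RSA"
    raise ValueError(f"cannot classify suite: {suite}")


def check_selection(selected, bound_certs, browser_offers=None):
    """Split `selected` into suites that can and cannot be negotiated.

    bound_certs    -- key types of the certificates mapped to the interface
    browser_offers -- suites the admin's browser supports (None = all)
    'lockout' is True when no selected suite can be negotiated at all.
    """
    usable, unusable = [], []
    for suite in selected:
        servable = required_cert(suite) in bound_certs
        offered = browser_offers is None or suite in browser_offers
        (usable if servable and offered else unusable).append(suite)
    return {"usable": usable, "unusable": unusable, "lockout": not usable}


# Constructed sample selections (not taken from the product).
ECDSA_ONLY = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384"]
MIXED = ECDSA_ONLY + ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"]

if __name__ == "__main__":
    scenarios = [
        ("ECDSA-only suites, RSA cert bound", ECDSA_ONLY, {"RSA"}, None),
        ("ECDSA-only suites, ECC cert bound", ECDSA_ONLY, {"ECC"}, None),
        ("mixed suites, RSA cert bound", MIXED, {"RSA"}, None),
        ("mixed suites, RSA cert, old browser", MIXED, {"RSA"}, {"AES128-SHA"}),
    ]
    for label, suites, certs, browser in scenarios:
        result = check_selection(suites, certs, browser)
        state = "LOCKOUT" if result["lockout"] else "ok"
        print(f"{label}: {state}, unusable={result['unusable']}")
```
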

Resolved Issues in 5.3R5

The following table describes the issues that are resolved when you upgrade.

Table 4 List of Resolved Issues in 5.3R5

PR Number | Description

PRS-339052 | PPS granular cipher: 802.1x is not honoring SSL settings configured in admin UI.

PRS-339692 | With SNMP Enforcement, if the roles in the MAC authentication realm are different from those in User realms, then the roles associated with the MAC authentication realm will be shown as eliminated roles in the Active Users Endpoint Security status page even though no Host Checker policy is associated with that role.

PRS-340040 | With ECC Device Certificate, SRX-PPS communication does not work with TLS1.2 and PFS. As a workaround, create a virtual port with an RSA certificate and use this port for making the PPS-SRX connection. The following setup allows PPS to use the ECC cert for general traffic and configure the RSA cert only for SRX:

1. Create two virtual ports and install the ECC cert and the RSA cert. Each cert (ECC or RSA) is bound to a different virtual port.

2. Select a cipher selection that has many ciphers, including both EC ciphers and RSA ciphers. For example, select either Maximize Security cipher option.

3. Configure SRX to connect to the virtual port to which the RSA cert is bound.

PRS-339512 | Ruckus Guest Access: user session is not deleted in PPS after RADIUS accounting stop is received from WLC.

PRS-340612 | SNMP Enforcement feature is not supported with Active/Active cluster mode. It is supported for Active/Passive cluster mode only.

PRS-339627 | Pulse client L3 connection after SNMP MAC address authentication may prompt for credentials if the VLAN is changed due to change in roles.

PRS-341379 | End-user cannot install host checker component and Pulse Client using Firefox ESR 45.

PRS-341334 | For Port Security configured in HP switch with SNMPv3, after the endpoint receives an IP address and the SNMP session is deleted from PPS in the Active Users page, MAC authentication might fail and the endpoint might not receive the IP address. As a workaround, the admin has to manually reset the intrusion flag in the HP switch or reset to a dummy address.

Known Issues in 5.3R5

The following table describes the issues that are known when you upgrade.

Table 5 List of Known Issues in 5.3R5 release

PR Number | Description

PRS-347101 | Cluster (Active-Active/Active-Passive) upgrade from C5.3R5 to future releases (i.e. releases after C5.3R5) fails. This issue is fixed in the C5.3R5.2 (Build 40009) release. More details on the issue and the remediation during an upgrade are described in KB40388.

Cluster (Active-Active/Active-Passive) upgrade from C5.1Rx/C5.2Rx/C5.3R1-C5.3R4 to C5.3R5 works fine.

PRS-343579 | During reboot, a timing sequence may lead to a pareventd process crash; however, there is no user impact.

PRS-341419 | Profiler: Date format is incorrect in Device details popup in Active Users Page.

PRS-339421 | SNMP Enforcement feature is not supported on HP 5500 Series switch (earlier 3Com Switch).

PRS-340392 | With the “SuiteB - Accept only SuiteB ciphers (Requires an ECC certificate)” option in security settings, PPS connection to SRX and Screen OS does not work. Workaround: See PRS-340040.

PRS-334875 | Clients that imported truncated configurations (configuration for certs that had DN values containing double-quote characters) before the fix was released will not be able to establish 802.1x connections. As a workaround, ensure that the client is connected to a fixed (5.3 or 5.2r4, or later) PPS device through non-802.1x. Using this connection, a new configuration file is downloaded to the client. Upon completion the client can connect again through 802.1x.

PRS-309431 | With OPSWAT Patch Management Host Checker policy, the missing patches will be detected only with admin privileges for SCCM 2012 and SCCM 2007.

PRS-318679 | For Host Checker with BitLocker Encryption software, the encrypted drives will be reported as encrypted only when these drives are in Unlocked state.

PRS-339456 | Some Windows machines take around 20 minutes for detecting missing patches, which is the Microsoft OS behavior. The same is observed with Host Checker Patch Management policy evaluation.

PRS-344555 | When the same Pulse Client is connected to multiple PPS/PCS servers with different OPSWAT versions 3 and 4, the compliance evaluation is done using the server-configured OPSWAT version. The compliance evaluation will be conducted in sequence, as for each server connection the respective server-specific version will be downloaded. It’s recommended to activate the OPSWAT v4 SDK only after all the servers and clients are upgraded.

PRS-343928 | V3 and V4 SDK require admin privileges to turn on the Mac in-built firewall configuration as part of remediation.

PRS-343232 | BitLocker Encryption status is not detected if the user has restricted user privileges on the Windows machine.

PRS-344807 | On the Google Chrome browser, HC failures do not change the role on PPS until HC times out.

PRS-344156 | In the case of Profiler, if a single device has multiple sessions then the Device Discovery Report will not show all active sessions. It displays only the last established session.

PRS-344007 | In the case of Profiler, a search with the value "SNMP" displays some devices in the search results even if SNMP doesn’t exist in the device details record for those devices.

PRS-343920 | In the case of Profiler DDR table, clicking the + button displays nothing when only a CAM table entry is available for the endpoint. It must display "No Details Available".

PRS-343639 | In the case of Profiler, NMAP classification does not update the OS info in the DDR table for some Juniper switches.

PRS-342009 | In the case of Profiler, any change in attribute state for a device is communicated back to the PPS policy engine immediately. Therefore, a refresh interval is not applicable for Profiler Authorization Server.

PRS-341732 | In the case of Profiler, Dashboard reports do not account for devices whose manufacturer/category/os is blank.

PRS-341419 | In the case of Profiler, Date format is incorrect in Device details popup in Active Users Page.

PRS-343617 | In the case of Profiler, an error popup is observed during a search operation on the DDR table (intermittent). Refresh the page to resolve the issue.

PRS-344995 | If a device is profiled using UA, OS information may sometimes get overwritten as the user disconnects and reconnects the 802.1x session.

Documentation

The complete documentation for PPS is available at https://www.pulsesecure.net/techpubs/pps

This section lists the changes in documentation:

In Pulse Policy Secure Release 5.3R5, the Table of Contents (TOC) in the PPS Admin Guide is restructured for better content flow and ease of accessibility.

See Chapter 18 Pulse Secure Profiler for the profiler information in the PPS Admin Guide.

Only minimal content on OAC is available in the PPS Admin Guide. For more information, see https://www.pulsesecure.net/techpubs/oac-ee/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected]

Technical Support

Technical product support is available through the Pulse Secure Global Support Center (PSGSC).

http://www.pulsesecure.net/support/

Call us at 1-844-751-7629 (toll-free in the USA). If outside the US or Canada, use a country number listed on one of the regional tabs.

For more technical support resources, browse the support website: http://www.pulsesecure.net/support/

Requesting Technical Support

To open a case or to obtain support information, please visit the Pulse Secure Support Site: http://www.pulsesecure.net/support/

Revision History

Table 7 lists the revision history for this document.

Table 6: Revision History

Revision Description

September 2016 PPS Release 5.3R5 updates.