Release, Build 5.3 R5 38279
Document Revision 1.0
Published September 2016
Pulse Policy Secure
Release Notes
Pulse Policy Secure version 5.3 R5 Build 38279
Pulse Client version 5.2 R5 Build 869
Odyssey Access Client version 37585
Product Release 5.3R5
Pulse Policy Secure Release Notes
Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose, CA 95134
http://www.pulsesecure.net
© 2016 by Pulse Secure, LLC. All rights reserved
Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their
respective owners.
Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC
reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
The information in this document is current as of the date on the title page.
END USER LICENSE AGREEMENT
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for
use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End
User License Agreement (“EULA”) posted at http://www.pulsesecure.net/support/eula. By downloading,
installing or using such software, you agree to the terms and conditions of that EULA.
Contents
Introduction
Hardware Platform
Virtual Appliance Editions
Interoperability and Supported Platforms
Upgrading to Pulse Policy Secure 5.3R5
New Features in the 5.3R5 Release
Noteworthy changes in 5.3R5
Resolved Issues in 5.3R5
Known Issues in 5.3R5
Documentation
Documentation Feedback
Technical Support
    Requesting Technical Support
Revision History
List of Tables
Table 1: Virtual Appliance Qualified Systems
Table 2: Upgrade Paths
Table 3: List of New Features
Table 4: List of Resolved Issues in 5.3R5
Table 5: List of Known Issues in 5.3R5 release
Table 6: Revision History
Introduction
These release notes contain information about new features, software issues that have been resolved, and known issues. If the information in the release notes differs from the information found in the documentation set, follow the release notes.
This is an incremental release notes document that describes the changes made from the 5.3R4 release to 5.3R5. The 5.3R4 release notes still apply except for the changes mentioned in this document. Refer to the 5.3R5 release notes for the complete version.
Hardware Platform
You can install and use this software version on the following hardware platforms:
MAG2600, MAG4610, MAG6610, MAG6611, MAG SM160, MAG SM360
PSA-300, PSA-3000, PSA-5000, PSA-7000c/f
To download software for these hardware platforms, go to: https://www.pulsesecure.net/support/
Virtual Appliance Editions
This software version is available for the following virtual appliance editions:
Demonstration and Training Edition (DTE)
Service Provider Edition (SPE)
The following table lists the virtual appliance systems qualified with this release.
Table 1: Virtual Appliance Qualified Systems
VMware
    IBM BladeServer H chassis
    BladeCenter HS blade server
    vSphere 5.5
    Allocation for virtual appliance: 4vCPU, 4GB memory and 20GB disk space
KVM
    QEMU/KVM v2.3.0
    Linux Server CentOS 6.6 on an Intel Xeon CPU L5640 @ 2.27GHz
        o NFS storage mounted in host
        o 24GB memory in host
        o Allocation for virtual appliance: 4vCPU, 4GB memory and 20GB disk space
To download the virtual appliance software, go to: https://www.pulsesecure.net/support/
Interoperability and Supported Platforms
Refer to the Supported Platforms Guide on the software download site for details about supported versions of the Cisco and Aruba WLC, PAN firewall, Junos, ScreenOS enforcer, client browsers, client mobile devices, and operating systems.
Upgrading to Pulse Policy Secure 5.3R5
The following table describes the tested upgrade paths.
Table 2: Upgrade Paths
Pulse Policy Secure Software Upgrade
    Automatic updates to this release are supported for all PPS releases after and including PPS 5.1R1.
    This release does not support ICx500 series, IC4000 and IC6000 devices. These hardware models have reached end-of-life (EOL).
Pulse Secure Desktop 5.2R5 Client Software Upgrade
    Refer to the Pulse Secure Desktop Client 5.2 release notes.
Odyssey Access Client Upgrade
    The same version of the Odyssey client is retained for this release.
PPS Agent (OAC)
    PPS handles 1500 concurrent endpoint upgrades.
Standalone OAC Client
    This release supports the standalone, non-PPS version of Odyssey Access Client. Instructions for installing OAC on standalone clients are contained in the help guide under the section Getting Started > Initial Configuration.
Endpoint Security Assessment Plug-in (ESAP) Compatibility
    ESAP package version 3.0.1 is the minimum version compatible with Pulse Policy Secure version 5.3R5. The default version for ESAP is 3.0.1.
Network and Security Manager (NSM) Compatibility
    NSM is not supported.
New Features in the 5.3R5 Release
The following table describes the major features that are introduced in this release.
Table 3: List of New Features
Device Profiler
    Pulse Policy Secure now includes an on-box profiler solution to detect and automatically profile managed and unmanaged devices on the network for better network visibility and control.
    Key features:
    1. Ability to detect and classify unmanaged devices using multiple profiling techniques such as DHCP fingerprinting, SNMP discovery, Nmap scanning and HTTP UA fingerprinting.
    2. Ability to detect and classify managed devices using information from the Pulse Client or OAC client.
    3. Dashboard view of all devices on the network along with their profile information.
    4. Access control based on device attributes such as manufacturer name, OS or type of device.
    5. Support for Active/Passive cluster configuration.
Integration with new OPSWAT SDK v4
    Pulse Policy Secure leverages OPSWAT integration for endpoint desktop compliance evaluation. With this release the newer OPSWAT v4 is used, as the earlier version will be EOL'ed by the end of 2016.
    Note: Ensure that all the servers and clients are upgraded before upgrading to OPSWAT v4.
Federation Server Database is changed
    LMDB is used instead of Berkeley DB. LMDB stores the Federation server session data and provides more stability and better scalability.
Hyper-V hypervisor
    Support for the Hyper-V hypervisor has been added to extend platform support for virtual appliances.
    Kernel Watchdog is not supported on Hyper-V platforms. In PPS, on the Maintenance > System > Options page, the kernel watchdog checkbox is grayed out.
Realm/Role Mapping based on custom expression
    PPS administrators can now apply or filter out roles based on certain incoming attributes such as RADIUS request attributes, Location and Protocol used.
Palo Alto Firewall 7.x
    PPS supports integration with Palo Alto version 7.x along with the existing 6.x version.
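As an added illustration of the profiling and attribute-based role mapping described above (example code written for these notes, not Pulse Secure's profiler or policy engine), the following Python script classifies a device from DHCP option 55 and HTTP User-Agent evidence, lets higher-confidence evidence win so that a later User-Agent match cannot overwrite a DHCP-based classification (the overwrite behaviour recorded as known issue PRS-344995 in these notes), and then evaluates administrator-written role expressions against the merged device and request attributes. The fingerprint tables, the confidence ordering, the attribute names (including the normalised RADIUS attribute nas_port_type), the role names and the rule syntax are all constructed assumptions.

```python
import ast
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# Confidence per evidence source (assumed ordering): a source may only
# overwrite attributes set by a source of equal or lower confidence, so a
# later User-Agent match cannot clobber a DHCP-based classification.
SOURCE_CONFIDENCE = {"dhcp": 3, "snmp": 2, "nmap": 2, "ua": 1}

# Constructed fingerprint tables for illustration only; a real profiler ships
# a maintained database. Keys are DHCP option 55 parameter request lists,
# values are (manufacturer, os, category).
DHCP_FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): ("Microsoft", "Windows", "Desktop"),
    (1, 121, 3, 6, 15, 119, 252): ("Apple", "macOS", "Desktop"),
}
# (User-Agent substring, manufacturer, os, category), constructed.
UA_FINGERPRINTS = [
    ("iPhone", "Apple", "iOS", "Mobile"),
    ("Android", "Google", "Android", "Mobile"),
    ("Windows NT", "Microsoft", "Windows", "Desktop"),
]


@dataclass
class DeviceProfile:
    mac: str
    attrs: Dict[str, str] = field(default_factory=dict)
    confidence: int = 0  # confidence of the source that last set attrs

    def update(self, source: str, attrs: Dict[str, str]) -> bool:
        """Apply attrs only if the source is at least as trusted as the current one."""
        conf = SOURCE_CONFIDENCE[source]
        if conf < self.confidence:
            return False
        self.attrs.update(attrs)
        self.confidence = conf
        return True


def profile_dhcp(profile: DeviceProfile, option55: Sequence[int]) -> bool:
    """Classify from the DHCP parameter request list (option 55)."""
    hit = DHCP_FINGERPRINTS.get(tuple(option55))
    if hit is None:
        return False
    manufacturer, os_name, category = hit
    return profile.update("dhcp", {"manufacturer": manufacturer, "os": os_name, "category": category})


def profile_ua(profile: DeviceProfile, user_agent: str) -> bool:
    """Classify from an HTTP User-Agent header (lowest-confidence source)."""
    for needle, manufacturer, os_name, category in UA_FINGERPRINTS:
        if needle in user_agent:
            return profile.update("ua", {"manufacturer": manufacturer, "os": os_name, "category": category})
    return False


# Role rules are small boolean expressions over attribute names. Only
# comparisons, boolean operators, names, constants and tuples are accepted;
# calls, attribute access and subscripts are rejected before evaluation.
_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
    ast.Compare, ast.Eq, ast.NotEq, ast.In, ast.NotIn,
    ast.Name, ast.Load, ast.Constant, ast.Tuple,
)


def eval_rule(expr: str, attrs: Dict[str, str]) -> bool:
    """Evaluate one rule; raises ValueError if the expression uses disallowed syntax."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"disallowed syntax in rule: {type(node).__name__}")
    # Unknown attribute names compare as the empty string rather than failing.
    env = {n.id: attrs.get(n.id, "") for n in ast.walk(tree) if isinstance(n, ast.Name)}
    return bool(eval(compile(tree, "<rule>", "eval"), {"__builtins__": {}}, env))


# Constructed rules: (role to assign, expression). RADIUS request attributes
# are assumed to be exposed under normalised names such as nas_port_type.
ROLE_RULES: List = [
    ("Corporate-Desktop", 'category == "Desktop" and manufacturer in ("Microsoft", "Apple")'),
    ("BYOD-Mobile", 'category == "Mobile"'),
    ("Wireless-Only", 'nas_port_type == "Wireless-802.11"'),
]


def map_roles(attrs: Dict[str, str]) -> List[str]:
    """Return the roles whose expressions hold for the merged attribute set."""
    return [role for role, expr in ROLE_RULES if eval_rule(expr, attrs)]


if __name__ == "__main__":
    dev = DeviceProfile("00:11:22:33:44:55")  # constructed MAC address
    profile_dhcp(dev, [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
    # A later, lower-confidence UA match must not overwrite the DHCP result.
    profile_ua(dev, "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X)")
    print(dev.attrs, map_roles({**dev.attrs, "nas_port_type": "Ethernet"}))
```

The rule evaluator deliberately whitelists AST node types and strips builtins before calling eval, so a custom expression can only compare attributes, never call functions; this is the property to insist on in any engine that lets administrators type expressions into a policy.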
Noteworthy changes in 5.3R5
1. Pulse Policy Secure (PPS) devices acting as license clients, running C5.1R1 and above, will not be able to lease licenses from license servers running PCS 8.0R1 to PCS 8.0R4. If you plan to upgrade PPS license clients to C5.1R1 and above, you have to upgrade your license servers to 8.0R5 and above. See KB40095 for more information.
2. When custom ciphers are selected, there is a possibility that some ciphers are not supported by the web browser. Also, if any of the ECDH/ECDSA ciphers are selected, they require an ECC certificate to be mapped to the internal/external interface. If an ECC certificate is not installed, the admin may not be able to log in to the box. The only way to recover from this situation is to connect to the system console and select option 8 to reset the SSL settings from the console menu. Option 8 resets the SSL settings to their defaults, so the previously set SSL settings are lost. This is applicable only to Inbound SSL settings.
3. Pre-5.0 Android and pre-9.1 iOS devices do not support Suite B ciphers. So if Suite B is enabled, the Pulse client on pre-5.0 Android and pre-9.1 iOS devices will not be able to connect to the PCS device.
4. With the OPSWAT v4 SDK, the new product support list is worked on and updated by OPSWAT periodically and is delivered as part of ESAP. In case of any issue related to compliance evaluation or remediation for a specific product, ensure that the latest ESAP is used, or roll back to the OPSWAT v3 SDK.
Resolved Issues in 5.3R5
The following table describes the issues that are resolved when you upgrade.
Table 4: List of Resolved Issues in 5.3R5
PRS-339052: PPS granular cipher: 802.1x is not honoring the SSL settings configured in the admin UI.
PRS-339692: With SNMP Enforcement, if the roles in the MAC authentication realm are different from those in the User realms, the roles associated with the MAC authentication realm are shown as eliminated roles on the Active Users Endpoint Security status page even though no Host Checker policy is associated with that role.
PRS-340040: With an ECC device certificate, SRX-PPS communication does not work with TLS 1.2 and PFS. As a workaround, create a virtual port with an RSA certificate and use this port for the PPS-SRX connection. The following setup allows PPS to use the ECC cert for general traffic and the RSA cert only for SRX:
    1. Create two virtual ports and install the ECC cert and the RSA cert. Each cert (ECC or RSA) is bound to a different virtual port.
    2. Select a cipher selection that has many ciphers, including both EC ciphers and RSA ciphers. For example, select the Maximize Security cipher option.
    3. Configure SRX to connect to the virtual port to which the RSA cert is bound.
PRS-339512: Ruckus Guest Access: the user session is not deleted in PPS after a RADIUS accounting stop is received from the WLC.
PRS-340612: SNMP Enforcement feature is not supported with Active/Active cluster mode. It is supported for Active/Passive cluster mode only.
PRS-339627: Pulse client L3 connection after SNMP MAC address authentication may prompt for credentials if the VLAN is changed due to a change in roles.
PRS-341379: End user cannot install the Host Checker component and Pulse Client using Firefox ESR 45.
PRS-341334: For Port Security configured on an HP switch with SNMPv3, after the endpoint receives an IP address and the SNMP session is deleted from PPS, MAC authentication might fail on the Active Users page and the endpoint might not receive the IP address. As a workaround, the admin has to manually reset the intrusion flag on the HP switch or reset it to a dummy address.
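The cipher/certificate coupling described in noteworthy change 2 (ECDH/ECDSA ciphers need an ECC certificate on the interface, otherwise the admin UI becomes unreachable and only console option 8 recovers the box) and the two-port workaround in PRS-340040 (an ECC cert on one virtual port, an RSA cert on another, and a cipher selection that contains both EC and RSA suites) can both be checked before an inbound SSL selection is applied. The following Python script is an added example written for these notes, not Pulse Secure code: it derives the certificate type each suite needs from its OpenSSL-style name, works out what each port can negotiate with a given peer, and flags a selection that would leave a port, the admin port included, with nothing to offer. Port names, the cipher lists and the peer capability sets are constructed assumptions; the Suite B pair is the RFC 6460 TLS profile.

```python
from typing import Dict, List, Optional, Set

# OpenSSL-style cipher names (assumed to be what the cipher selection holds).
# The two RFC 6460 Suite B TLS profiles both authenticate with ECDSA.
SUITE_B = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256"]
# Constructed "mixed" selection containing both EC and RSA suites, in the
# spirit of the Maximize Security option referred to in PRS-340040.
MIXED = SUITE_B + ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                   "DHE-RSA-AES256-GCM-SHA384", "AES256-SHA"]


def cert_type_for(cipher: str) -> str:
    """Certificate key type a suite needs: ECDSA suites need an ECC certificate;
    the other suites here (ECDHE-RSA, DHE-RSA, static RSA) need an RSA certificate."""
    return "ECC" if "ECDSA" in cipher.split("-") else "RSA"


def negotiable(server_ciphers: List[str], port_cert_types: Set[str],
               peer_ciphers: Optional[Set[str]] = None) -> List[str]:
    """Suites the server can offer on a port (it must hold a matching certificate)
    that the peer also supports; peer_ciphers=None means the peer supports all."""
    return [c for c in server_ciphers
            if cert_type_for(c) in port_cert_types
            and (peer_ciphers is None or c in peer_ciphers)]


def check_selection(server_ciphers: List[str], ports: Dict[str, Set[str]], admin_port: str,
                    peers: Optional[Dict[str, Set[str]]] = None) -> Dict[str, object]:
    """Evaluate a candidate inbound SSL selection against the certificate key types
    bound to each port. A port with no negotiable suite is dead; if that port is the
    one the admin UI is reached on, applying the selection locks the admin out."""
    peers = peers or {}
    per_port = {p: negotiable(server_ciphers, certs, peers.get(p)) for p, certs in ports.items()}
    return {
        "per_port": per_port,
        "admin_lockout": not per_port[admin_port],
        "dead_ports": sorted(p for p, cs in per_port.items() if not cs),
    }


if __name__ == "__main__":
    # Constructed layout from the PRS-340040 workaround: ECC cert on the internal
    # port, RSA cert on a virtual port used by a peer that only offers RSA suites.
    rsa_only_peer = {"ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA"}
    print(check_selection(SUITE_B, {"internal": {"RSA"}}, "internal"))
    print(check_selection(MIXED, {"internal": {"ECC"}, "srx-vport": {"RSA"}}, "internal",
                          peers={"srx-vport": rsa_only_peer}))
```

The same peer-capability set models noteworthy change 3: a client that lacks the Suite B suites (the notes name pre-5.0 Android and pre-9.1 iOS) yields an empty list on any port that offers nothing else, which is exactly the condition the check reports.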
Known Issues in 5.3R5
The following table describes the issues that are known when you upgrade.
Table 5: List of Known Issues in 5.3R5 release
PRS-347101: Cluster (Active-Active/Active-Passive) upgrade from C5.3R5 to future releases (that is, releases after C5.3R5) fails. This issue is fixed in the C5.3R5.2 (Build 40009) release. More details on the issue and the remediation during an upgrade are described in KB40388.
    Cluster (Active-Active/Active-Passive) upgrade from C5.1Rx/C5.2Rx/C5.3R1-C5.3R4 to C5.3R5 works fine.
PRS-343579: During reboot, the timing sequence may lead to a pareventd process crash; however, there is no user impact.
PRS-341419: Profiler: Date format is incorrect in the Device details popup on the Active Users page.
PRS-339421: SNMP Enforcement feature is not supported on the HP 5500 Series switch (earlier 3Com switch).
PRS-340392: With the "SuiteB - Accept only SuiteB ciphers (Requires an ECC certificate)" option in security settings, PPS connection to SRX and ScreenOS does not work. Workaround: See PRS-340040.
PRS-334875: Clients that imported truncated configurations (configurations for certs that had DN values containing double-quote characters) before the fix was released will not be able to establish 802.1x connections. As a workaround, ensure that the client is connected to a fixed (5.3 or 5.2r4, or later) PPS device through non-802.1x. Using this connection, a new configuration file is downloaded to the client. Upon completion the client can connect again through 802.1x.
PRS-309431: With the OPSWAT Patch Management Host Checker policy, missing patches will be detected only with admin privileges for SCCM 2012 and SCCM 2007.
PRS-318679: For Host Checker with BitLocker encryption software, encrypted drives will be reported as encrypted only when these drives are in the Unlocked state.
PRS-339456: Some Windows machines take around 20 minutes to detect missing patches, which is Microsoft OS behavior. The same is observed with Host Checker Patch Management policy evaluation.
PRS-344555: When the same Pulse Client is connected to multiple PPS/PCS servers with different OPSWAT versions (3 and 4), the compliance evaluation is done using the OPSWAT version configured on each server. The compliance evaluations are conducted in sequence, because the server-specific SDK version is downloaded for each server connection. It is recommended to activate the OPSWAT v4 SDK only after all the servers and clients are upgraded.
PRS-343928: The v3 and v4 SDKs require admin privileges to turn on the Mac built-in firewall configuration as part of remediation.
PRS-343232: BitLocker encryption status is not detected if the user has restricted user privileges on the Windows machine.
PRS-344807: On the Google Chrome browser, Host Checker failures do not change the role on PPS until Host Checker times out.
PRS-344156: In the case of Profiler, if a single device has multiple sessions, the Device Discovery Report will not show all active sessions. It displays only the last established session.
PRS-344007: In the case of Profiler, a search with the value "SNMP" displays some devices in the search results even if SNMP does not exist in the device details record for those devices.
PRS-343920: In the case of the Profiler DDR table, clicking the + button displays nothing when only a CAM table entry is available for the endpoint. It must display "No Details Available".
PRS-343639: In the case of Profiler, NMAP classification does not update the OS info in the DDR table for some Juniper switches.
PRS-342009: In the case of Profiler, any change in attribute state for a device is communicated back to the PPS policy engine immediately. Therefore, a refresh interval is not applicable for the Profiler Authorization Server.
PRS-341732: In the case of Profiler, Dashboard reports do not account for devices whose manufacturer/category/OS is blank.
PRS-341419: In the case of Profiler, the date format is incorrect in the Device details popup on the Active Users page.
PRS-343617: In the case of Profiler, an error popup is observed during a search operation on the DDR table (intermittent). Refresh the page to resolve the issue.
PRS-344995: If a device is profiled using HTTP UA, the OS information may sometimes get overwritten as the user disconnects and reconnects the 802.1x session.
Documentation
The complete documentation for PPS is available at https://www.pulsesecure.net/techpubs/pps
This section lists the changes in documentation:
In Pulse Policy Secure Release 5.3R5, the Table of Contents (TOC) in the PPS Admin Guide is
restructured for better content flow and ease of accessibility.
See Chapter 18 Pulse Secure Profiler for the profiler information in the PPS Admin Guide.
Only minimal content on OAC is available in the PPS Admin Guide. For more information, see https://www.pulsesecure.net/techpubs/oac-ee/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected]
Technical Support
Technical product support is available through the Pulse Secure Global Support Center (PSGSC).
http://www.pulsesecure.net/support/
Call us at 1-844-751-7629 (toll-free in the USA). If outside the US or Canada, use a country number listed on one of the regional tabs.
For more technical support resources, browse the support website: http://www.pulsesecure.net/support/
Requesting Technical Support
To open a case or to obtain support information, please visit the Pulse Secure Support Site: http://www.pulsesecure.net/support/
Revision History
Table 6 lists the revision history for this document.
Table 6: Revision History
Revision: Description
September 2016: PPS Release 5.3R5 updates.