

PRODUCT BULLETIN

Bulletin Date: March 2017

Applicable to: All Regions

Effective Change Date: April 2017

Introduction

Today's digital era is challenging workforce productivity, from the 9-to-5 workday to the means of accessing and digesting data. More importantly, access to data and applications across different mediums, from mobile to cloud, is redefining traditional IT processes and policies. Pulse Secure has made it easier to secure your data center, provide mobile access and enable new cloud services with our integrated Secure Access Solution. This Product Bulletin describes the new features and functions available in Pulse Connect Secure 8.3R1, Pulse Policy Secure 5.4R1 and the Pulse Secure desktop client 5.3R1.

These new releases from Pulse Secure enable network administrators to expand their secure access solution's support for network performance and security. Aside from the enhanced IPv6 and HTML5 support, these releases improve visibility across remote and local networks and add integrations such as an expanded ecosystem with the market-leading Next Generation Firewall from Fortinet. With Pulse Workspace for smartphones and tablets, enterprises now have a simple way to eliminate data-at-rest risks while continuing to support any mobile app, so that end users can access collaboration apps on the go, from campus to the road. Likewise, streamlined wizards have been developed both for the Cloud Secure feature in Connect Secure and for Policy Secure, so that popular use cases can be deployed following best-practice guidelines. For the end user, SSO support for on-premises users is now available, along with VPN Only Access (Windows) for improved access.


What's New

Common Features for Pulse Connect Secure 8.3R1 and Pulse Policy Secure 5.4R1

Key Feature / Benefit

Virtual License Server

In License Server deployments, customers can deploy the License Server as a virtual machine to support fully virtualized environments. For details, refer to the License Management Guide.

Minimum Client Version Enforcement (Windows and Mac)

Admins can now enforce that end users have an updated version of the Pulse client before access is allowed (see the Pulse Client section for details).

Management Personality on PSA7000

The Pulse One appliance is now available on-site. This is only available on the Pulse PSA7000. Please contact support for more information.

HSTS Header Support

PCS and PPS now set the HTTP Strict Transport Security (HSTS) header on every 200 OK HTTP response. A browser that has once reached the appliance over HTTPS will then refuse to downgrade later requests to that host to plain HTTP for the lifetime of the advertised max-age.
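A practitioner rolling this out will want to confirm that the header actually reaches clients with a usable value, not just that it is present. The following is an added example written for this page, not Pulse Secure code: it parses a Strict-Transport-Security value per RFC 6797 and reports the findings a reviewer would care about (missing header, max-age=0, short max-age, no includeSubDomains). The response samples are constructed, the one-year minimum is an assumption, and the hostname vpn.example.com is a placeholder.

```python
"""Check that a gateway's HTTPS responses carry a usable HSTS header.

Added example; not Pulse Secure code. The response samples below are
constructed for illustration. To check a live PCS/PPS host, replace the
sample dictionaries with the headers of a real HTTPS response.
"""
import re
from typing import Dict, List, Optional

# Policy minimum for max-age. One year is an assumption chosen for this
# example; adjust to your own standard (preload lists require two years).
MIN_MAX_AGE = 365 * 24 * 3600


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into its directives.

    RFC 6797: directives are separated by ';', names are case-insensitive,
    a directive may appear at most once, and values may be quoted.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def hsts_findings(headers: Dict[str, str], status: int) -> List[str]:
    """Return findings for one response; an empty list means it is fine."""
    findings: List[str] = []
    # Header names are case-insensitive, so look the header up that way.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return [f"no Strict-Transport-Security header on {status} response"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    max_age = d.get("max-age")
    if "max-age" not in d:
        findings.append("max-age directive missing (header is invalid)")
    elif not re.fullmatch(r"\d+", max_age or ""):
        findings.append(f"max-age is not an integer: {max_age!r}")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below policy minimum {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


# Constructed sample responses (status, headers), not captured from a device.
SAMPLES = [
    (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    (200, {"strict-transport-security": "max-age=0"}),
    (302, {"Location": "https://vpn.example.com/login"}),
]


def audit(samples=SAMPLES) -> Dict[int, List[str]]:
    """Map each sample's index to its findings."""
    return {i: hsts_findings(h, s) for i, (s, h) in enumerate(samples)}


if __name__ == "__main__":
    for idx, problems in audit().items():
        print(idx, "OK" if not problems else "; ".join(problems))
```

Two caveats worth keeping in mind when reading the results: browsers only honour HSTS received over HTTPS with a certificate they trust, so the header does nothing for a client that never completes a clean TLS handshake; and because the bulletin states the header is set on 200 OK responses, a redirect such as the third sample carries no policy, so a browser learns it only once a full page has loaded.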

Figure 1: Enable Virtual License Server

Pulse Connect Secure 8.3R1

Highlighted Features in this Release

Key Feature / Benefit

Certificate-Based ActiveSync with Kerberos Constrained Delegation

Provides secure, transparent access to Exchange ActiveSync: PCS acts as a Kerberos proxy that translates certificate-based client authentication into Kerberos tickets using Kerberos Constrained Delegation, without requiring the Kerberos Key Distribution Center (KDC) to be exposed to the Internet.

IPv6 Enhancements

• ESP tunnel mode now supports IPv6 with the Pulse client bundled with 8.3R1 and later. Only 6-in-6 mode is supported.

• Administrators can now create layer-3 Access Control Lists (ACLs) using IPv6 addresses.

• IPv6 addresses can be configured on VLAN interfaces.

• Split tunneling support for IPv6 (see the Pulse Client section for details).

• Rewriter support for IPv6. This includes: Basic Web ACL Policy, Selective Rewriting, Custom Headers, Web Proxy, Form Post SSO Support, Basic Filter Policy, HTML rewriting, JavaScript rewriting and CSS rewriting. Additional items will be added in a phased manner in following releases.

• Host Checker is qualified to work with IPv6 addresses, except for downloading updates from non-Pulse Secure servers that may still be on IPv4.

SSL SNI Extension Support

PCS now supports the Server Name Indication (SNI) TLS extension when communicating with backend servers that require SNI. SNI is typically enabled on backend servers to support multiple hostnames on the same IP address without having to resort to wildcard certificates.

SNI support is enabled for the rewriter, PTP, SAML, JSAM, WSAM, Pulse One, license server, CRL, ActiveSync, Syslog and SCEP. OCSP, LDAPS and PushConfig are not supported.
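To make concrete what "SNI support" means on the wire, here is an added example, not Pulse Secure code, that builds and parses the server_name extension of a TLS ClientHello as defined in RFC 6066 section 3. The extensions block it parses is constructed in the example (one unrelated extension followed by SNI); the hostname mail.example.com is a placeholder.

```python
"""Build and parse the TLS server_name (SNI) extension, RFC 6066 section 3.

Added example; not Pulse Secure code. It shows what 'SNI support' means on
the wire: the backend hostname travels inside the ClientHello, so a client
that omits it gets the server's default certificate (or a handshake
failure) from a backend that hosts several names on one IP address.
"""
import struct
from typing import Optional

SERVER_NAME_EXT = 0x0000   # extension type for server_name
HOST_NAME_TYPE = 0         # the only NameType defined by RFC 6066


def build_sni_extension(hostname: str) -> bytes:
    """Return the encoded extension: type, length, ServerNameList."""
    # RFC 6066 requires an ASCII hostname (IDNs are sent as A-labels).
    name = hostname.rstrip(".").encode("ascii")
    if not name or len(name) > 0xFFFF:
        raise ValueError("hostname must be 1..65535 ASCII bytes")
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SERVER_NAME_EXT, len(name_list)) + name_list


def parse_sni(extensions: bytes) -> Optional[str]:
    """Walk a ClientHello extensions block (the bytes after the 2-byte
    extensions length) and return the host_name, or None if no SNI."""
    pos = 0
    while pos < len(extensions):
        if pos + 4 > len(extensions):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", extensions, pos)
        pos += 4
        body = extensions[pos:pos + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension body")
        pos += ext_len
        if ext_type != SERVER_NAME_EXT:
            continue
        if len(body) < 2:
            raise ValueError("server_name extension too short")
        (list_len,) = struct.unpack_from("!H", body, 0)
        end = 2 + list_len
        if end > len(body):
            raise ValueError("ServerNameList overruns extension")
        p = 2
        while p < end:
            if p + 3 > end:
                raise ValueError("truncated ServerName")
            name_type, name_len = struct.unpack_from("!BH", body, p)
            p += 3
            name = body[p:p + name_len]
            if len(name) != name_len or p + name_len > end:
                raise ValueError("truncated host_name")
            p += name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
        # server_name present but without a host_name entry: treat as absent.
        return None
    return None


def demo_extensions(hostname: str) -> bytes:
    """A constructed extensions block: an unrelated extension (type 0x0017,
    extended_master_secret, empty body) followed by SNI."""
    return struct.pack("!HH", 0x0017, 0) + build_sni_extension(hostname)


if __name__ == "__main__":
    blob = demo_extensions("mail.example.com")
    print(blob.hex())
    print(parse_sni(blob))
```

Note that in TLS 1.2 (and in TLS 1.3 without Encrypted Client Hello) this extension is sent in the clear, so the backend hostnames the gateway connects to are visible to anyone who can observe the gateway's outbound TLS traffic; that is a visibility consideration, not a weakness in the feature.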

Granular Control over L4 PerAppVPN Functionality on iOS Devices

Prior to 8.3R1, only the allowed destinations could be defined. Now admins have granular control over the destination list (IP/FQDN) defined for the L4 PerAppVPN functionality on iOS devices. For example, an admin can now deny a specific host (finance.xyz.net) while allowing the other destinations in the domain (*.xyz.net), or vice versa. In addition, a default Allow or Deny rule can be configured for non-defined WSAM destinations.

Note: This configuration is available in the admin GUI under User Role -> SAM -> Applications -> WSAM Destinations -> Add Server.
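The following added example (written for this page, not Pulse Secure code) evaluates a mixed destination list of the kind described here for L4 PerAppVPN and, in the IPv6 Enhancements entry above, for layer-3 ACLs with IPv6 addresses. It shows the finance.xyz.net / *.xyz.net case plus IPv4 and IPv6 prefixes with a default rule for anything not listed. The rule syntax, the "most specific match wins" ordering and the deny-on-tie choice are assumptions made for illustration; the bulletin does not say how the appliance orders its rules. The policy entries are constructed.

```python
"""Evaluate an allow/deny destination list of the kind described for the
L4 PerAppVPN (WSAM destination) feature and for layer-3 ACLs with IPv6.

Added example; not Pulse Secure code. The rule syntax, the 'most specific
match wins' ordering and the deny-on-tie choice are assumptions made for
illustration; the bulletin does not state how the appliance orders rules.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    pattern: str          # FQDN glob such as '*.xyz.net', or an IP/CIDR
    action: str           # 'allow' or 'deny'

    def __post_init__(self) -> None:
        if self.action not in ("allow", "deny"):
            raise ValueError(f"bad action {self.action!r}")

    @property
    def network(self) -> Optional[IPNetwork]:
        """The rule as a network, or None if it is a hostname pattern."""
        try:
            return ipaddress.ip_network(self.pattern, strict=False)
        except ValueError:
            return None

    def specificity(self, dest: str) -> Optional[int]:
        """Score how precisely this rule matches dest; None for no match.

        Networks score by prefix length; hostname globs score by the number
        of literal (non-wildcard) characters, so 'finance.xyz.net' beats
        '*.xyz.net'. A hostname never matches a network rule and vice versa.
        Note that '*.xyz.net' also matches deeper names like a.b.xyz.net.
        """
        net = self.network
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            addr = None
        if net is not None:
            if addr is None or addr.version != net.version or addr not in net:
                return None
            return net.prefixlen
        if addr is not None:
            return None
        host = dest.lower().rstrip(".")   # normalise case and trailing dot
        if not fnmatch.fnmatchcase(host, self.pattern.lower().rstrip(".")):
            return None
        return sum(1 for ch in self.pattern if ch not in "*?")


def evaluate(dest: str, rules: List[Rule], default: str = "deny") -> str:
    """Return 'allow' or 'deny' for dest.

    Most specific matching rule wins; on equal specificity deny wins
    (assumed, fail-closed); with no match the default rule applies.
    """
    best: Optional[Rule] = None
    best_score = -1
    for rule in rules:
        score = rule.specificity(dest)
        if score is None:
            continue
        if score > best_score or (score == best_score and rule.action == "deny"):
            best, best_score = rule, score
    return best.action if best else default


# Constructed policy mirroring the bulletin's example, plus IPv6 ACL entries
# using the 2001:db8::/32 documentation prefix.
POLICY = [
    Rule("*.xyz.net", "allow"),
    Rule("finance.xyz.net", "deny"),
    Rule("2001:db8::/32", "allow"),
    Rule("2001:db8:ff::/48", "deny"),
    Rule("10.0.0.0/8", "allow"),
]


if __name__ == "__main__":
    for d in ("www.xyz.net", "finance.xyz.net", "FINANCE.xyz.net.",
              "2001:db8::10", "2001:db8:ff::5", "10.1.2.3", "203.0.113.9",
              "other.example.com"):
        print(f"{d:20} -> {evaluate(d, POLICY)}")
```

The normalisation step matters in practice: a deny on finance.xyz.net that is compared case-sensitively, or without stripping a trailing dot, is bypassed by FINANCE.xyz.net. or by an address literal, which is why the example treats hostnames and addresses as separate match spaces and defaults to deny.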

Citrix StoreFront Support

Customers can now use the CTS client as well as WSAM to access Citrix StoreFront.


Key Feature / Benefit

VLAN for HTML5

VLANs can now be configured for HTML5-based access to data center resources.

SHA2, AES256 and DH14 in IKEv2 Phase 1

Customers can now use these stronger algorithms (SHA-2 integrity, AES-256 encryption and Diffie-Hellman group 14) in IKEv2 phase 1 when using IPsec mode.

Option for NLA Classic Behavior

Newer Microsoft operating systems (e.g. Windows 10) require Network Level Authentication (NLA). NLA was enabled by default for Windows Terminal Services (WTS) bookmarks from 8.1R7 onward, which leads to double authentication prompts (NLA and RDP). While NLA will continue to be enabled by default, admins now have the option to switch to the classic (pre-8.1R7) behavior at the role and bookmark level. Because NLA authenticates the user before a full RDP session is set up, reverting to the classic behavior should be weighed against that protection rather than applied globally to remove the extra prompt.

Figure 2: Certificate-Based ActiveSync with Kerberos Constrained Delegation

Figure 3: Layer-3 Access Control Lists (ACLs) Using IPv6 Addresses


Cloud Secure-specific Features in Pulse Connect Secure 8.3R1

Key Feature / Benefit

Cloud SSO Support for On-Premises Users (PPS Integration)

Seamless access to cloud applications (with SSO and compliance checks) from both outside and inside the network.

PWS Integration

Cloud Secure can enforce detailed compliance checks on mobile devices managed by Pulse Workspace (PWS) before allowing access to cloud resources.

ADFS Impersonation

ADFS Impersonation is a deployment mode for Cloud Secure in which Cloud Secure is introduced for remote devices, where compliance-based access is considered critical for access to cloud resources. ADFS in this scenario may continue to provide SSO for internal devices, though it will not be able to guarantee device compliance for those devices.

Pulse One Visibility

One management plane to see devices, users and applications across the entire Pulse portfolio.

Setup Wizard

Cloud Secure now introduces a click-through setup wizard that makes setting up Cloud Secure for secure access to cloud resources straightforward.

SiteMinder Integration

Cloud Secure deployment with SiteMinder is now supported in a federated configuration.

Figure 4: Cloud Secure wizard: Configuration Screen


Figure 5: The entity ID can be changed in the UI to impersonate ADFS

Figure 6: In PPS, option to configure PWS as the MDM server


Figure 7: In PWS, configuration option to use the Wi-Fi profile for the compliance check

Figure 8: In PCS, enable use of federation sessions to provide on-premises access


Pulse Policy Secure 5.4R1

Highlighted Features in this Release

Key Feature / Benefit

Light-touch Deployment on Pulse Policy Secure (PPS)

• Quick NAC deployment through use-case wizards

• Leverage existing PCS configuration for quick PPS deployment

• Reduce operational tasks

IPv6 802.1X Authentication

• Extending 802.1X authentication support over both IPv4 and IPv6 gives customers the flexibility to configure and apply the same authenticated network access policies on any type of network.

Fortinet Identity-based Integration via Syslog

• Extends NAC/BYOD (Bring Your Own Device) identity to perimeter defense

• Secure access for remote connections to local protected resources

L2/L3 Bridging for Agentless Sessions

• Provides secure access for BYOD devices via port-based security, role-based access and compliance checks with an agentless session.

Cloud SSO Support for On-Premises Users

• Provides cloud application SSO to on-premises users without the need to establish a VPN tunnel.

• Consumes a single user license to access cloud applications.

Pulse Workspace MDM Integration

• Seamless mobility by providing compliance checks for on-premises mobile devices connecting to the corporate Wi-Fi network via PPS.

Machine Certificate Validation via Host Checker

• Enhances machine certificate policy validation by verifying possession of the private key, to avoid security issues such as a certificate being exported from one machine and imported on another. For this check to be meaningful the machine certificate's private key should itself be non-exportable (for example, generated in a TPM or marked non-exportable at enrollment); otherwise the key can be moved along with the certificate.

Endpoint Visibility for Remote Connections via PCS

• Profiler offers a single-pane-of-glass view across local and remote users.

• Consistent role mapping can be done based on device profiles across local and remote users.

SNMP Discovery for Additional Switches/WLCs and Device Discovery using SNMP Traps

• Provides visibility for statically configured IP devices connected to wired switches (Cisco, HP, Juniper, D-Link, Foundry, Nortel) and wireless controllers (Aruba, Cisco, Ruckus, Trapeze).

• SNMP trap support lets the administrator get a real-time device status update when a device connects to or disconnects from the network.

Profile Endpoints using CDP/LLDP, WMI, MDM Integration and RSPAN DHCP Traffic

• A quick device profiling method that fetches CDP/LLDP information from the configured switches and classifies devices as soon as they are found.

• Enables the administrator to profile Windows endpoints with reliable data (via WMI).

• Enables the administrator to leverage MDM attributes to classify mobile devices.

• RSPAN DHCP fingerprinting provides flexibility and ease of use for the administrator to profile endpoints.

New Device Discovery Reporting and Dashboard with Advanced Filters and Historical Data

• Complete visibility of all devices (local or remote) in the network, with search for any device the administrator is looking for.

• Visual representation of active sessions for remote and on-premises connections.

• A dashboard with widgets and charts to understand the state of the system as well as to monitor day-to-day changes.
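DHCP fingerprinting, as mentioned in the profiling entry above, works by looking at what a client asks for in its DHCPDISCOVER/REQUEST (chiefly the order of the option 55 parameter request list and the option 60 vendor class). The following is an added example written for this page, not Pulse Secure code: it parses the options field of a DHCP packet per RFC 2132 (with RFC 3396 concatenation of repeated options), extracts the fingerprint fields, and matches them against a signature table. The packet is constructed in the example and the two signatures are illustrative stand-ins, not the profiler's own database.

```python
"""Parse DHCP options from a raw BOOTP/DHCP payload and derive the
fingerprint fields (option 55 parameter request list, option 60 vendor
class, option 12 hostname) that DHCP-based profilers classify on.

Added example; not Pulse Secure code. The packet is constructed below
and the signature table is an illustrative stand-in, not the profiler's
own database.
"""
import struct
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the BOOTP header
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS = 12, 53, 55, 60


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {option_code: data}; repeated codes are concatenated (RFC 3396)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + data
        i += 2 + length
    return opts


def fingerprint(opts: Dict[int, bytes]) -> Dict[str, Optional[str]]:
    """Reduce the options to the strings a profiler keys on."""
    return {
        "msg_type": str(opts[OPT_MSG_TYPE][0]) if opts.get(OPT_MSG_TYPE) else None,
        "param_list": ",".join(str(b) for b in opts.get(OPT_PARAM_LIST, b"")) or None,
        "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace") or None,
        "hostname": opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace") or None,
    }


# Illustrative signatures constructed for this example:
# (param_list, vendor class prefix) -> label
SIGNATURES = {
    ("1,3,6,15,31,33,43,44,46,47,119,121,249,252", "MSFT"): "Windows desktop",
    ("1,121,3,6,15,119,252,95,44,46", ""): "Apple macOS/iOS",
}


def classify(fp: Dict[str, Optional[str]]) -> str:
    """Exact match on the option 55 order plus a vendor class prefix."""
    for (params, vendor_prefix), label in SIGNATURES.items():
        if fp["param_list"] == params and (fp["vendor_class"] or "").startswith(vendor_prefix):
            return label
    return "unknown"


def build_discover(param_list: bytes, vendor_class: bytes, hostname: bytes) -> bytes:
    """Construct a minimal DHCPDISCOVER for demonstration (not a capture)."""
    # 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         bytes.fromhex("001122334455") + b"\0" * 10, b"", b"")
    options = (bytes([OPT_MSG_TYPE, 1, 1]) +
               bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class +
               bytes([OPT_HOSTNAME, len(hostname)]) + hostname +
               bytes([OPT_PARAM_LIST, len(param_list)]) + param_list +
               bytes([OPT_END]))
    return header + DHCP_MAGIC + options


SAMPLE = build_discover(bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
                        b"MSFT 5.0", b"LAPTOP-01")


if __name__ == "__main__":
    fp = fingerprint(parse_dhcp_options(SAMPLE))
    print(fp, "->", classify(fp))
```

Everything in this fingerprint is chosen by the client, so a device can present any option 55 order and vendor class it likes. Treat DHCP-derived profiles as a visibility signal for role mapping of devices that cannot run an agent, and keep 802.1X or certificate-based checks as the authentication layer.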


Figure 9: Light-Touch PPS Deployment

Figure 10: New Profiler Dashboard


Figure 11: IPv6 support for 802.1X Authentication

Figure 12: Remote (VPN) and Onsite (NAC) Connections


Figure 13: RSPAN (DHCP), WMI, MDM Support

Figure 14: CDP/LLDP Support


Pulse Secure Desktop Client 5.3R1

Highlighted Features in this Release

Key Feature / Benefit

IPv6 Split Tunneling (Windows and Mac)

• Split tunneling lets enterprises optimize traffic routing by sending enterprise traffic through the enterprise gateway and all other traffic directly from the user's device to the Internet. This ability is now also supported for IPv6 destinations. When enabling it, make sure the tunneled route list covers both the IPv4 and the IPv6 prefixes of internal resources: a dual-stack host reached over an IPv6 address that is not in the list is reached outside the tunnel.

IPv6 802.1X Authentication (Windows and Mac)

• Extending 802.1X authentication support over both IPv4 and IPv6 gives customers the ability to apply network access policies on any type of network.

User Certificate Authentication on Linux (Linux)

• User certificate authentication allows a secure and seamless user experience when setting up a VPN tunnel. This ability is now also available with the Pulse desktop Linux client.

Support for Debian Linux (Linux)

• In the spirit of providing broad platform support for our customers, Debian Linux has been added as a validated platform to the existing list of supported Linux platforms.

Minimum Client Version Enforcement (Windows and Mac)

• From a compliance standpoint, it is critical for customers to be able to require that all users run a selected version of the Pulse Secure client that is known to contain the latest security fixes. This feature lets IT mandate such a client version and force all users to upgrade to it before they are allowed access to corporate resources.

VPN Only Access (Windows)

• VPN Only Access is an extension of the existing Always-On VPN and adds flexibility to that function by letting users control when they access the VPN. When a user is not connected to the VPN, all network access is blocked. When a user needs to access something on the network, they must sign in to the VPN and, on success, get the network access allowed by IT.

Windows 10 Redstone Support (Windows)

• Complete support for Windows 10 Redstone.

Figure 15: Minimum Client Version Enforcement
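A minimum-version gate of the kind described here (and in the Common Features section earlier) is only as good as its version comparison: comparing "5.10R1" and "5.9R2" as strings puts them in the wrong order, and an endpoint that reports no parseable version should not be waved through. The following is an added example written for this page, not Pulse Secure code. It assumes a version format of major.minor with an optional R-number or third component and an optional build number; the client's real version string format and the appliance's comparison rules are not described in the bulletin. The endpoint inventory is constructed.

```python
"""Compare Pulse-style client version strings for a minimum-version gate.

Added example; not Pulse Secure code. It assumes versions of the form
'5.3R1', '5.3r1' or '5.3.1.1234' (major.minor, optional R-number or
third component, optional build); the client's real version format and
the appliance's comparison rules are not described in the bulletin.
"""
import re
from typing import Dict, Optional, Tuple

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:[rR.](\d+))?(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """'5.3R1' -> (5, 3, 1, 0); '5.10.1.1234' -> (5, 10, 1, 1234); None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, third, build = (int(g) if g else 0 for g in m.groups())
    return (major, minor, third, build)


def meets_minimum(client: str, minimum: str) -> bool:
    """True only if the client version parses and is >= minimum.

    Unparseable versions fail closed: an endpoint that cannot state a
    version it is known to run should not be treated as compliant.
    Tuples compare numerically, so '5.10R1' correctly beats '5.9R2'
    where a plain string comparison would get it backwards.
    """
    c, m = parse_version(client), parse_version(minimum)
    if m is None:
        raise ValueError(f"minimum version {minimum!r} is not a valid version")
    return c is not None and c >= m


def gate(reported: Dict[str, str], minimum: str) -> Dict[str, str]:
    """Map each endpoint name to 'allow' or 'upgrade-required'."""
    return {name: ("allow" if meets_minimum(v, minimum) else "upgrade-required")
            for name, v in reported.items()}


# Constructed endpoint inventory (not real data).
REPORTED = {"host-a": "5.3R1", "host-b": "5.2R9", "host-c": "5.10R1", "host-d": "unknown"}


if __name__ == "__main__":
    for host, decision in gate(REPORTED, "5.3R1").items():
        print(host, decision)
```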


Figure 16: IPv6 Split Tunneling

Figure 17: VPN Only Access


Learn More Resources

• Pulse Connect Secure datasheet

• Pulse Policy Secure datasheet

• Pulse Cloud Secure product brief

www.pulsesecure.net

About Pulse Secure, LLC

Pulse Secure, LLC is a leading provider of access and mobile security solutions to both enterprises and service providers. Enterprises from every vertical and of all sizes utilize Pulse Secure's Virtual Private Network (VPN), Network Access Control (NAC) and mobile security products to enable secure end-user mobility in their organizations. Pulse Secure's mission is to provide integrated enterprise system solutions that empower business productivity through seamless mobility.

Corporate and Sales Headquarters

Pulse Secure LLC

2700 Zanker Rd. Suite 200

San Jose, CA 95134

www.pulsesecure.net

Copyright 2017 Pulse Secure, LLC. All rights reserved. Pulse Secure and the Pulse Secure logo are registered trademarks of Pulse Secure, LLC. All trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Pulse Secure assumes no responsibility for any inaccuracies in this document. Pulse Secure reserves the right to change, modify, transfer, or otherwise revise this publication without notice.