Pulse Connect Secure

Release Notes
PCS 8.2R1.1 Build 42861

Release, Build
Published
Document Version
 Pulse Connect Secure Release Notes

INTRODUCTION .................................................................................................................................................... 3
HARDWARE PLATFORMS ..................................................................................................................................... 3
VIRTUAL APPLIANCE EDITIONS .............................................................................................................................. 3
Table 1 Virtual Appliance Qualified Systems ................................................................................................................3
UPGRADE PATHS ................................................................................................................................................... 4
Table 2 Upgrade Paths .............................................................................................................................................4
NEW FEATURES .................................................................................................................................................... 4
Table 3 List of New Features ......................................................................................................................................4
GENERAL NOTES .................................................................................................................................................... 6
OPEN ISSUES .......................................................................................................................................................... 6
Table 4 List of Open Issues in this release .....................................................................................................................7
FIXED ISSUES IN 8.2R1.1......................................................................................................................................... 9
Table 5 List of Issues Fixed in this Release ....................................................................................................................9
FIXED ISSUES IN 8.2R1 ......................................................................................................................................... 10
Table 6 List of Issues Fixed in this Release ..................................................................................................................10
DOCUMENTATION .............................................................................................................................................. 11
DOCUMENTATION FEEDBACK .............................................................................................................................. 11
TECHNICAL SUPPORT ........................................................................................................................................... 11
REVISION HISTORY ................................................................................................................................................ 11
Table 7 Revision History ..........................................................................................................................................11

© 2016 by Pulse Secure, LLC. All rights reserved 2

 Pulse Connect Secure Release Notes

Introduction
This document is the release notes for Pulse Connect Secure Release 8.2. This document
contains information about what is included in this software release: supported features,
feature changes, unsupported features, known issues, and resolved issues. If the
information in the release notes differs from the information found in the documentation set,
follow the release notes.

Hardware Platforms
You can install and use this software version on the following hardware platforms:

 MAG2600, MAG4610, MAG6610, MAG6611, MAG SM160, MAG SM360

 PSA300, PSA3000, PSA5000, PSA7000F, PSA7000C

To download software for these hardware platforms, go to:

https://www.pulsesecure.net/support/

Virtual Appliance Editions

This software version is available for the following virtual appliance editions:

 Demonstration and Training Edition (DTE)

 Service Provider Edition (SPE)

Table 1 lists the virtual appliance systems qualified with this release.

Table 1 Virtual Appliance Qualified Systems

Platform Qualified System

 IBM BladeServer H chassis

VMware  BladeCenter HS blade server
 vSphere 6.0.1, 6.1, 6.2, 5.1, 5.0, and 4.1

 ESXi 5.5, 5.5 U3

Virtual SA
 ESXi 6.0

 CentOS 6.6 with Kernel cst-kvm 2.6.32-504.el6.x86_64

 QEMU/KVM v1.4.0
 Linux Server Release 6.4 on an Intel Xeon CPU L5640 @ 2.27GHz
KVM
o NFS storage mounted in host
o 24GB memory in host
o Allocation for virtual appliance: 4vCPU, 4GB memory and 20GB disk space

To download the virtual appliance software, go to: https://www.pulsesecure.net/support/

© 2016 by Pulse Secure, LLC. All rights reserved 3

 Pulse Connect Secure Release Notes

Upgrade Paths
Table 2 describes the tested upgrade paths.

Table 2 Upgrade Paths

Release Description

8.2R1 You can upgrade to 8.2R1.1. The upgrade path is tested.

8.0Rx or 8.1Rx You can upgrade directly to 8.2Rx simply by installing the 8.2Rx update. The upgrade path is tested.

Earlier than 8.0Rx or

First upgrade to release 8.0Rx or 8.1Rx; then upgrade to 8.2Rx
8.1Rx

Pulse Secure Desktop

5.2R1 Client Software Refer to the Pulse Secure Desktop Client 5.2 release notes.
Upgrade

Note: If your system is running Beta software, roll back to your previously installed official software
release before you upgrade to 8.2R1. This practice ensures the rollback version is a release suitable for
production.

New Features
Table 3 describes the major features that are introduced in this release.

Table 3 List of New Features

Feature Description

Due to the end of ActiveX and Java support on many browsers, an alternate solution is provided in this
release for the proper launching of client applications such as Pulse Desktop Client.
Pulse Secure
This release uses a custom URL, pulsesecure://, to deliver and launch client applications. When
Application Launcher
invoked, the custom URL will automatically trigger new application – Pulse Application Launcher.
(replacement for
The Pulse Application Launcher has the ability to accept the parameters from the user’s browser and
NPAPI)
launch the client application.
This solution currently works on Chrome on Windows OS and Safari on Mac OS X.

iOS Support for

accessing
RDP/Telnet/SSH In this release, users can access remote sessions using iOS.
sessions using a
HTML5 browser

IPv6 SNMP Support PCS can send and receive SNMP alerts via IPv6 interface configured at the trap server.

Update “Last VPN The “Last VPN Connect” attribute in LDAP is updated when a user logs in. Admins can then run
Connect” time "reaper" scripts against their Active Directory and remove users that may not have logged in since "X"
attribute in LDAP number of days.

© 2016 by Pulse Secure, LLC. All rights reserved 4

 Pulse Connect Secure Release Notes

Feature Description

Windows 2012 R2
Windows 2012 R2 is now qualified with Pulse Connect Secure 8.2 software (auth only).
Support

RSA Auth Manager

RSA Auth Manager is now qualified with Pulse Connect Secure 8.2 software.
8.1

Network level
authentication support Windows Terminal Services (WTS) now supports Microsoft’s Network Level Authentication.
for WTS

Description
 Users can launch RDP, Telnet, and SSH sessions via admin-created bookmarks.
 Single sign on and NLA (Network Level Authentication) is supported by default.
 Admin can configure screen resolution, color depth, DPI and additional settings as outlined in
the admin guide when creating the bookmarks.
 Users can transfer files from local machine to the remote machine and vice versa.
Support for accessing o If the admin has enabled it, a special G:\ drive is available in the remote machine.
RDP/Telnet/SSH This drive contains a folder called "Download". Any files dropped in this folders are
sessions using automatically transferred between local and remote machines.
HTML5-compliant  Users can copy and paste text from local machine to remote machine and vice versa
browsers o Users can bring the clipboard access screen to the foreground by clicking on Ctrl +
Alt + Shift. This will automatically include clipboard data that exists in the remote
machine...to be transferred to the local machine.
Supported Operating Systems
 The solution works on all supported browsers (Internet Explorer, Safari, Chrome) that run on
desktop operating systems such as Windows, OS X and Linux.
 The solution works on Android OS and iOS.

The PCS administration web UI look and feel has been redesigned to improve the user interface
experience. In PCS 8.2 release, user will have option to choose new user interface or switch to the
classic user interface. The default UI is the new user interface. To use this new web UI, the PCS
UX admin revamp
device must be connected to the external network. If the PCS device does not have connectivity to the
external network, then the new user interface cannot be used and the classic user interface must be
used.

Citrix Xen 7.6,

Citrix XenApp 7.6 and StoreFront 2.6 & 3.0 is now qualified with Pulse Connect Secure 8.2 software.
StoreFront 2.6 & 3.0

VMWare Horizon
VMware Horizon View 6.0.1, 6.1 & 6.2 HTML 5 access is qualified with Pulse Connect Secure 8.2
View 6.0.1, 6.1 & 6.2
software.
HTML5 access.

When a certificate has expired or is about to expire, there is currently no notification available to the
admin to take corrective or preventive action to renew certificates. The “Certificate Expiration Warning”
Certificate expiration
feature provides the admin with a warning at the time of login. Also, the admin can query the
warning
certificates about to expire in a configured number of days for the type of certificates that are of
interest.

© 2016 by Pulse Secure, LLC. All rights reserved 5

 Pulse Connect Secure Release Notes

Feature Description

Windows 10 support Microsoft’s latest Windows release, Windows 10, is qualified with Pulse Connect Secure (Only IE 11
browser).

OCSP logging With the Online Certificate Status Protocol (OCSP) Logging Enhancement feature, the admin will be
able to see the username, OCSP responder IP address and certificate serial number in the OCSP logs.
With this information, the admin will be able to debug any OCSP related issues by correlating Connect
Secure user access logs and logs from OCSP responders. In addition to that, admin will be able to filter
all the OCSP related logs for a particular user for debugging OCSP related issue related to that user.
AES is preferred over
RC4 AES is a preferred cipher over RC4. Ie. If a client that supports both AES and RC4 connects to PCS,
AES is used.

RC4 Warning A new feature in 8.2r1 shows a warning in the Admin UI if the insecure RC4 cipher is enabled. This
new feature does not properly detect when RC4 is enabled when hardware acceleration is turned on. If
hardware acceleration is not enabled, or the device does not have the hardware accelerator installed,
the feature works as expected.

General notes
1. In 8.2R1, the code signing certificate used to sign the Pulse Secure client components
will expire on October 2, 2017.

2. In 8.2R1.1 and above, all PCS client access binaries (Network Connect, WSAM, Host
Checker, JSAM, Windows Terminal Services, Citrix Terminal Services) are signed with a
SHA-2 code signing certificate to improve security and ensure compatibility with
Microsoft OS’s 2016 restrictions on SHA-1 code signing. This certificate will expire on
Jan 13, 2019.

Important note: Windows 7 machines must contain a March 10, 2015 Windows 7 Update
in order to be able to accept and verify SHA-2-signed binaries properly. This Windows 7
update is described here and here. If this update is not installed (in other words if a
Windows 7 machine has not received an OS update since March 10, 2015), then PCS
8.2R1.1 and later will have reduced functionality (see PRS-337311 below). (As a
general rule, Pulse Secure, LLC recommends that client machines be kept current with
the latest OS updates to maximize security and stability).

3. If you are upgrading from 8.1R7, the Pulse Linux client packages (both RPM and Debian
packages) will not be available under the Admin installers page. However, the 8.1R7
Pulse Linux client is compatible with PCS 8.2R1 and the previously
downloaded/installed Pulse Linux clients will work with 8.2R1 PCS. You can also
download the Pulse Linux client packages from the Pulse Secure Licensing and
Download Center, under the download section for PCS 8.1R7.

4. For policy reasons security issues are not normally mentioned in release notes. To find
more information about our security advisories, please see our security advisory page

Open Issues
Table 4 lists open issues in this release.

© 2016 by Pulse Secure, LLC. All rights reserved 6

 Pulse Connect Secure Release Notes

Table 4 List of Open Issues in this release

Problem Report Description

Number

In Chrome browser, User is presented with 'Application launcher not installed' page twice when Host
PRS-328634 Checker is enabled along with auto launch of applications such as pulse desktop client or WSAM, This
is due to Chrome issue https://code.google.com/p/chromium/issues/detail?id=468698
Custom Statement-of-Health policies will not function properly on Windows 10 because of Microsoft's
phasing-out of support for the NAP (Network Access Protection) plugin. As such, if you have such a
PRS-330443 policy enabled (to verify, go to the PCS/PPS admin console and look under Authentication->Endpoint
Security->Host Checker Policy->Windows->Rule Settings->"Custom: Statement of Health"), then you
must disable it for all Windows 10 users.

PRS-335517 System snapshot failing intermittently from serial console. Taking snapshot from admin UI works fine.

For Host Checker with Bit Locker Encryption software, the encrypted drives will be reported as
PRS-318679
encrypted only when these drives are in Unlocked state.

With OPSWAT Patch Management Host Checker policy, the missing patches will be detected only with
PRS-309431
admin privileges for SCCM 2012 and SCCM 2007

The Pulse Application Launcher, which assists in the launching of Pulse clients from web browsers,
PRS-336183 displays text in Traditional Chinese when run a Simplified Chinese locale. There is no workaround at
this time to get Simplified Chinese displayed by the Pulse Application Launcher.
In order to make localization work properly for pulse client side applications on Windows platforms, end
PRS-336129 user needs to set correct language for non-Unicode programs under "Control Panel"->"Clock,
Language and Region"->"Region"
On a fresh Windows 10 machine, Network Connect might fail to establish a tunnel for the first time. An
PRS-333621
error message is shown (“timeout" error message). Subsequent tries work fine.
Symptom: Restricted users cannot upgrade the Pulse Secure desktop client.
Conditions: On a Windows machine, if an end user who has restricted permissions (as opposed to
administrative permissions) attempts upgrade the Pulse Secure desktop client from a pre-5.2 version to
a 5.2-or-later version using a web browser, the upgrade will fail with the message "You do not have the
proper privileges to install the application."
PRS-335317 Workaround: There are a number of ways to avoid this issue. The best way is to initiate the upgrade of
the client by launching the client and connecting to the upgraded Pulse Secure gateway (as opposed to
launching a web browser and connecting the web browser to the gateway). This client-initiated
upgrade will complete as expected - it is only web-based upgrades that will not function. An alternative
workaround would be to give the end user administrative privileges before attempting the web-based
upgrade
During the uninstall of the Network Connect (NC) client under certain circumstances on Windows
PRS-334329
machines, end users may be presented with a User Access Control (UAC) prompt.

On OS X, logging out of the user UI may display "Stopping components..." in the browser. Refresh the
PCS-2785
page to log in again.

On OS X, file transfer, when using the new HTML5/RDP feature, does not work when using Safari. The
PCS-2787
workaround is to use Chrome instead.

File transfer (using the new HTML5/RDP feature) does not work if "Disable Audio" option is un-
PCS-2789
checked.

PCS-2790 RDP session through IE11 doesn't play audio since audio codec is not supported.

© 2016 by Pulse Secure, LLC. All rights reserved 7

 Pulse Connect Secure Release Notes

Problem Report Description

Number

If printing is enabled, it may allow users to transfer some file types (when using HTML5/RDP feature),
PCS-2791
even if file transfer is disabled.

When encryption is configured for "Standard RDP Encryption" or "TLS Encryption" then Username
PCS-2792 should be configured as <DOMAIN Name>\<Username> and not just <Username>. This is mainly
applicable for servers that are joined to a domain.

On iOS File transfer to/from RDP machine through the Safari Browser does not work. The workaround
PCS-2850
is to use the Chrome browser.

PCS-2851 On iOS, the remote sessions using HTML5/RDP do not include sound.

PCS-2883 Cannot use a variable in the Host Name entry for HTML5/RDP feature.

PRS-332326 Client certificate based authentication using ECC Certificate doesn't work in Safari Browser.

Client certificate authentication doesn't work in Safari Browser when LDAP Server is configured as
PRS-332372
Authentication server along with Certificate based Realm Restriction.

The Certificate Expiration Warning feature will automatically start reporting certificates about to expire 7
PRS-335105 days after installing (or upgrading to) this version. If you need to find out the expiration status
immediately after an install (or upgrade) click on the “Check Now” button.

PRS-335115 Broadcast IP packet through a tunnel from an external client is not forwarded to the backend network.

IPSEC Compression is not available for tunnels formed with 8.2 PCS gateway. IPSEC Compression
PRS-331687 checkbox is removed from the Connection Profiles Web UI page. Customers who has existing configs
with IPSEC Compression will find that tunnels are negotiated with no compression in 8.2.

A new feature in 8.2r1 shows a warning in the Admin UI if the insecure RC4 cipher is enabled. This
new feature does not properly detect when RC4 is enabled when hardware acceleration is turned on. If
PRS-335501
hardware acceleration is not enabled, or the device does not have the hardware accelerator installed,
the feature works as expected.

A "500 internal error" is seen when saving changes under User Roles --> Files --> Options page (only
PRS-336255 for Roles with Files options disabled). Issue is seen with new roles created and not with default Users
Roles.

On the Admin login page with multiple realm selection option, with chrome browser the first realm
PRS-331800 selection is not reflected on UI but it does login to the selected realm. User can clean the browser
history to overcome this UI behavior.

On end-user Mac machine, for browser base connections the debug log file is not created if the pulse
PRS-336684 client is not installed on the Mac machine. For troubleshooting purpose the pulse client would need to
be installed on the mac machine.

If multiple realms along with host checker policies are configured for sign-in url, “Endpoint Security
PRS-336333
Status” on Active Users page is shown as “Not Applicable”

Console Protection authenticates with users created in Default Network even when IVE is functioning
PRS-316786
in Administrative Network

© 2016 by Pulse Secure, LLC. All rights reserved 8

 Pulse Connect Secure Release Notes

Problem Report Description

Number

SA (part of A/A cluster) that is registered, connected with PulseOne, may cause a cluster split (possibly
PRS-336159
after a long run).

The OCSP Responder URL gets updated in Root CA rather than in Sub CA when Client is
PRS-331122 Authenticated using Certificate Issued from Sub CA which is configured for "Inherit from Root CA"
mode.

PRS-337120 When VLAN/source IP is set on the role, access intranet resources fails.

When launching clients from the browser, a blank page might be seen with “Content-type: text/html”
PRS-337425
before the launch of the client. This blank page will disappear and the client will launch successfully.

Zero downtime for end users during an upgrade of an Active-Active or Active-Passive cluster is not
PRS-337686 available when upgrading from an older release to either 8.2R1 or 8.2R1.1. Post upgrade, the end
users that were connected prior to the upgrade will have to re-authenticate to the PCS device.

As described in the “General Notes” section of this document (search for “SHA-2”), PCS
client access binaries in 8.2R1.1 and later are code-signed with SHA-2 certificates in order
to meet new restrictions enforced by Microsoft operating systems in 2016. This new
code-signing feature causes certain issues with older versions of Windows 7. Specifically,
versions of Windows 7 that have not been patched since March 10, 2015 will not be able
to load certain drivers and executables signed with SHA-2. These unpatched versions of
Windows 7 will experience the error “An unexpected error occurred” when trying to run
WSAM. Users’ log files will contain the message:

PRS-337311 “The Juniper Networks TDI Filter Driver (NEOFLTR_821_42283) service failed to
start due to the following error:

Windows cannot verify the digital signature for this file. A recent hardware or
software change might have installed a file that is signed incorrectly or damaged,
or that might be malicious software from an unknown source.”

The workaround for this issue is to update the Windows 7 operating system to include
the March 10, 2015 patch that allows for the loading of SHA-2-signed binaries and
drivers.

Fixed Issues in 8.2R1.1

Table lists issues that have been fixed and are resolved by upgrading to this release.

Table 5 List of Issues Fixed in this Release

Problem Report Release Note

Number

© 2016 by Pulse Secure, LLC. All rights reserved 9

 Pulse Connect Secure Release Notes

Problem Report Release Note

Number

When using the new admin UI and there is more than one page of role mapping rules, clicking “Save
PRS-337308
Changes” causes some rules to be removed without log messages.
On 32-bit Windows machine, users received "An authentication error has occurred" error message when
PRS-337010
launching Windows Terminal Services bookmark if admin enabled Windows Terminal Services client
logging.
PRS-336843 Source IP Restrictions do not activate as expected.

A new feature in 8.2r1 shows a warning in the Admin UI if the insecure RC4 cipher is enabled. This new
feature does not properly detect when RC4 is enabled when hardware acceleration is turned on. If
PRS-335501
hardware acceleration is not enabled, or the device does not have the hardware accelerator installed,
the feature works as expected.

PCS (part of A/A cluster) that is registered, connected with Pulse One, may cause a cluster split
PRS-336158
(possibly after a long run).

On the Admin login page with multiple realm selection option, the first realm selection is not reflected on
PRS-331800 UI but it does login to the selected realm. User can clean the browser history to overcome this UI
behavior.

Remote desktop protocol (RDP) client restriction bypass issue. Please see
PRS-337032
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40166 for more details.

Fixed Issues in 8.2R1

Table lists issues that have been fixed and are resolved by upgrading to this release.

Table 6 List of Issues Fixed in this Release

Problem Report Release Note

Number

PRS-316902 Wi-Fi profile with EAP-TTLS can't be configured on Windows 7 client.

PRS-296395 Pulse collaboration is not working correctly with native Mac Book Air 11” resolution 1366x768.

After Windows client onboarded, modifying the Pulse connection set on SA is not reflected on Windows
PRS-316775 client. Re-onboard on Windows client doesn't refresh Pulse connection set either. -- add more detail
about how to get the new Pulse connection set onto Windows client.
License client pulls license count from license server, the client's event log mistakenly shows the license
PRS-319000
count as its user count. The actual user count in system is correct.
In a 2 node cluster, delete all licenses from both nodes, re-import a previously exported config into one
node, parevntd crash was observed, but import completes successfully, pareventd restarts automatically
PRS-318766
and continues without an issue. If only deletes all the licenses for one of the node, dsparevent didn't
crash. The crash was because the cache was not in sync.

Problem: Accessing VMWare Horizon View HTML5 Access 6.0.1, 6.1 and 6.2 via PCS Rewriter throws
PRS-331722
blank Screen.

Going through the huge list of Trusted server CAs to identify expired certificates is tedious so a new filter
PRS-331732
is added in trusted server CA page to show only the expired certificates.

© 2016 by Pulse Secure, LLC. All rights reserved 10

 Pulse Connect Secure Release Notes

Documentation
Pulse documentation is available at https://www.pulsesecure.net/techpubs/

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the
documentation.
You can send your comments to [email protected].

Technical Support
When you need additional information or assistance, you can contact “Pulse Secure Global
Support Center (PSGSC):

• http://www.pulsesecure.net/support

• [email protected]

• Call us at 1- 844-751-7629 (toll-free USA)

For more technical support resources, browse the support (website http://www.pulsesecure.net/support).

Revision History
Table lists the revision history for this document.
Table 7 Revision History
Revision Description

February 2016 8.2R1.1 update

January 7, 2016 Initial publication.

© 2016 by Pulse Secure, LLC. All rights reserved 11