Pulse Connect Secure VPN

Hey all, we’ve used Pulse Secure for a few years now and had low numbers of concurrent users as we’re not historically massively into remote working as a business.

Covid-19 hit and we’ve basically got almost our whole workforce of several hundred people needing to work remotely.

Because their laptops were already set up with the Pulse Installer Service and software, the simplest thing to do was to increase the Pulse license count.

So I now have a new Pulse Secure appliance with several hundred concurrent user licenses which was cheap in the circumstances but it also means I’m committed to Pulse for a few years now as it’s a substantial investment in hardware + licenses + support.

We don’t do anything much with the Pulse other than tunnel and push a couple of RDP boxes to the web interface.

I don’t have any complaints about it and nobody is queueing up to say there are things they can’t do with it because for most people they fire up the tunnel and they’re “in the office” but slower.

But I’ve got it and it cost a lot so I’m wondering what functionality is there that I might be overlooking as unnecessary but that is actually really cool and useful?

At the same time, if it ain't broke…

All I know is that Pulse VPN broke the Azure Portal for one of my customers and their users. As soon as they flipped it off, everything worked as intended. It's like Pulse refused to send the correct traffic.

Pulse has ICE licenses (“In Case of Emergency”) you can activate to up your capacity to the max your box allows, which comes in handy if you have more employees than licenses, and there’s a pandemic around like we have now.

Other cool features: Pulse has a "Secure Application Manager" feature where you can essentially use it to, for example, prevent direct access via RDP to your servers unless the SAM tunnel is set up, and you can put additional security like 2FA on this SAM tunnel.

We’ve also set up a “machine tunnel” profile in our Pulse client. This tunnel comes up as long as nobody is logged on to the machine, only authenticates using the machine certificate, and restricts traffic to specific servers only, like AD and SCCM. We use this to upgrade our machines remotely. Simply ask users to leave their machine on, connected to the internet, but not logged in, one night per week. Patching and software upgrades get done in that timeslot, all connected through this machine tunnel.

I know that Pulse doesn't have a good pass-through record, when I have used it, for installing most printers on a machine. Pulse is required to be turned off for installs. It does work well with Wi-Fi Direct printers in my experience though.

I’ve used Pulse for 6 years. I have the Essentials license and largely just use it like you. The purchase does what it was purchased to do and I am not compelled to find more uses just because it was expensive.

The license you have will dictate if you can do anything beyond "VPN" stuff, but if you're on Essentials, it's largely just different ways to provide external secure access to internal resources. There is a TON of granularity in the VPN config, so if you just have a basic tunnel with access to a range of IPs, you can explore locking that down further to ports/protocols, or use SAM instead of basic L3 VPN or the web portals you already use. If something works fine as a web portal app, using SAM is kind of a waste of effort IMO. SAM sits in the spot between web portal app and full L3 VPN. Some basic info here on SAM: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB9536

As mentioned, you could also look into using certificate-based machine tunnels and the always-on VPN feature. This lets the device stay on-net even if someone isn't logged in (if it's powered on and has internet, it's on VPN all the time). You can also configure it to use the machine tunnel when a user is NOT logged in, then convert to a user tunnel automatically once they log in, which is the best option. This lets you configure the device to have different access when it's on the machine tunnel so there's less of a risk vector. Once the user logs in it seamlessly re-auths as the user, where their role can have more access.

Check your connected clients and make sure they're using ESP. I enabled it on my cluster as part of COVID-19 WFH and the performance is great for our users now. I had about 10 non-technical users come to me telling me how their VPN is now so much faster than it was before the upgrade. I also noticed it since I switched to ESP on day two, so it's a good thing to check.

Hello Folks…
Off-topic question:
I always get confused between cluster status "Leader" vs "Enabled" in an active/passive setup.

Please guide.

Holy shit, I was having a hell of a hard time with the portal these past few weeks. Will have to keep this in mind.

This could be your issue: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB43833

Thanks mate, we looked at ICE and, in the circumstances and with the pricing we got, it didn't look like it made sense, as we don't know how long we're in the mess for and you never know if remote working practices might change when we do come out the other side, now that people know what can be done.

The SAM application is interesting maybe but the only thing I can think of where we might use that is if we wanted/needed to let people access RDP from their home (non-work) computers.

We don’t want to do that but if we did I think we’d just use the web portal and the HTML5 rewriting as it’s as light-touch as it gets.

I’ve used Pulse for 6 years. I have the Essentials license and largely just use it like you. The purchase does what it was purchased to do and I am not compelled to find more uses just because it was expensive.

Yes mate and to be fair I’m not being pushed to do more with it but every so often you have an “oh crap” moment when someone points something out to you.

I’ve looked and read and for us nothing leaps out right now and to be fair we’ve used it long enough that I’d hope if there were features we’d benefit from I’d have already seen/heard/read about them.

Glad to put the word out!

You know when you read a KB and think so are you going to fix this or is it considered a “feature”…

One of SAM's prime uses is to shield the "administrative access" in-routes to your servers. Basically, firewall-wise you'd shield your user network from your datacenter network except for the ports that applications use, but your servers wouldn't be reachable through RDP, SSH, Remote PowerShell, etc. without the SAM tunnel active.

It makes it a lot harder for rogue users or hackers to compromise your servers that way.

It seems like something they can fix, given one of the options is to disable their network service on the NIC. On the other hand, disabling RSC also works, and RSC has been known to cause issues with certain NICs (really drivers) for years. It probably impacts a small number of actual WiFi NICs, so it's likely very low on their to-do list to try and resolve in code.

I recently got hit by this with a laptop model change on the Lenovo laptops we buy, where we went from RealTek WiFi NICs to Intel 9260s. We disable RSC on the NIC as of now, but I'm testing the latest Intel WiFi driver (from intel.com) and so far that seems to resolve the issue without disabling RSC. That could point to it being a fault on Intel's part, or it could mean Intel found a way to resolve the issue so they rolled it into their driver update. I do know that the latest driver Lenovo pushes through System Update/Vantage and has on their website still has the issue, but that driver isn't as new as what intel.com has. It's also kind of curious to me that Lenovo went back to RealTek WiFi NICs in the laptops we buy when the E series rolled the models over again.
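For anyone applying the "disable RSC on the Wi-Fi NIC" workaround discussed above, here is an added example (not from any poster in this thread) that records the adapter's driver version before touching anything, then disables RSC only if it is currently on. It assumes the adapter is named "Wi-Fi" and that the session is elevated.

```powershell
# Added example, not from the thread. Assumes the Wi-Fi adapter is named "Wi-Fi";
# change $adapterName if yours differs. Requires an elevated PowerShell session.
$adapterName = "Wi-Fi"

# Capture the driver version/date first so later regressions can be tied to a driver,
# since the thread notes a newer Intel driver may remove the need for this workaround.
Get-NetAdapter -Name $adapterName -ErrorAction Stop |
    Select-Object Name, InterfaceDescription, DriverVersion, DriverDate |
    Format-List

# Show the current Receive Segment Coalescing state (configured vs. operational).
$rsc = Get-NetAdapterRsc -Name $adapterName -ErrorAction Stop
"{0}: IPv4 RSC enabled={1} (operational={2}); IPv6 RSC enabled={3} (operational={4})" -f `
    $rsc.Name, $rsc.IPv4Enabled, $rsc.IPv4OperationalState, $rsc.IPv6Enabled, $rsc.IPv6OperationalState

# Only change the setting when RSC is actually enabled, so the script is safe to re-run.
if ($rsc.IPv4Enabled -or $rsc.IPv6Enabled) {
    Disable-NetAdapterRsc -Name $adapterName -IPv4 -IPv6 -Confirm:$false
    Write-Host "RSC disabled on $adapterName; new state:"
    Get-NetAdapterRsc -Name $adapterName | Format-List Name, IPv4Enabled, IPv6Enabled
} else {
    Write-Host "RSC already disabled on $adapterName; nothing changed."
}
```

To revert after testing a newer driver, use Enable-NetAdapterRsc with the same -Name, -IPv4 and -IPv6 parameters.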