Pulse Secure alternatives?

Hello. We use Pulse Secure VPN appliances for access to more secure networks within our environment. The concept is great - RDP links are easy for the user, the protocol break at the appliance makes for easy compliance documentation.

Their delivery in the past has been ok, but recently it’s gotten worse. Support is less than helpful. And we have issue after issue it seems.

I’m asking the community for real world experience with other vpn appliances or solutions that are similar. Cost is absolutely a factor, but not the only factor.

Thanks!

Up until this snafu, we’ve been quite happy with the Pulse appliances. You have to weigh the cost of switching to something else, with putting up with the minor bugs here and there. Mind you, breaking RDP wasn’t minor - this was huge…with us as well.

But if you think switching to another vendor is going to solve all your problems, it won’t. Eventually that vendor will release buggy code as well. Code is only written and tested by people. People make mistakes.

Even Microsoft’s cloud has had its share of issues over the past month.

It might be best with regards to cost + ease.

I mean, if you’re a Palo Alto fw network already, I’d say take a look at Global Protect. But switching to Palo Alto isn’t necessarily cheap, you know?

If you don’t need ease and want free, you can easily build very secure ssh tunnels for just about anything including RDP traffic. But, ideally, that might be best for a VDI and the extra security you get there by not having foreign hosts “join your network” arbitrarily.

You can do more with SSH, but again, if it were me, I’d use the proxy style approach (tunnel to remote desktop) to better secure the network.

Are you keeping up with the updates and patches?

Are the issues that continue related to Intel NICs in the computers? Which they still haven’t addressed properly.

So the use case is that these are used as a jump point to a protected segment of your network? Sounds like you use the VPN portal only and not the client. Is this correct?

Are they available externally?

Got a basic drawing or list of requirements?

Why not OpenVPN for the tunneling to your Network and Apache Guacamole as RDP Client?

Cisco AnyConnect is a fine vpn appliance. Just don’t ask it to do any NGFW.

I wonder what issues you are experiencing. Apart from “the” issue (cert expiration), it’s been rock solid for us. Then again, it means I usually don’t have to contact support so I guess I can’t say anything regarding that.

We seem to have problem after problem with these things. The idea is perfect, their execution is lacking. They also keep getting passed around from vendor to vendor, and with each move the support gets worse and worse. The engineers on my team are at their wits’ end with the things. I don’t know that we will move on from them for sure, but we will be evaluating other solutions.

If it were IT folks only accessing these networks, I’d be 100% on board with SSH tunneling. In fact that’s how we started accessing these networks…but as business needs changed, technicians and engineers started requesting and “requiring” access, so something a little more user friendly was needed.

GP is an option in theory, but due to compliance we would need other infrastructure as well. A jump host for example. Not a show stopper, just one extra thing to maintain.

Yeah, the patches are nonstop and when they fix one issue, they break something else. It’s taking up way too much of our time.

Yes that’s correct. The Pulse appliances provide the users a link to an HTML5 based client. Which is great when it works. Brain dead simple for the user.

Not available from the internet. Only from the internal network.

I can whip together an example diagram when I get a chance.

Thanks!

Yeah, if done well, the jump host method would be how you’d put together an “ease of use” ssh style thing… but you’d have to do the work. But if done well, should be easy for the end user.

Guacamole would be the cheapest pivot. Provided you have the infrastructure to support it and a firewall to retain your network segmentation.

If you have the money a PAM solution like Thycotic or CyberArk would be good as well.

You know, the Pulse appliance is just running Guacamole. This is probably the cheapest solution. We do have firewalls coming out of our collective buttholes.

Indeed it is, the version they run is extremely out of date.