KB15208 - Why am I receiving "Setup Control - Warning" when I launch PCS client components? Is it required to launch/install PCS/PPS client components?


Information

Last Modified Date: 12/17/2015 3:35 PM
Synopsis

This article shows how to address the inherent trust problems with two launch mechanisms: administrators can create a text file (called a whitelist) that contains a list of trusted PCS Series and/or Pulse Policy Secure appliances, as fully qualified domain names (FQDN) or IP addresses, one per line. The article addresses the question: "Why am I receiving "Setup Control - Warning" when I launch PCS client components? Is it required to launch/install PCS/PPS client components?"

Problem or Goal

When software launches from a PCS Appliance or PPS Appliance that is not in the administrator whitelist or the user whitelist, the user is asked whether they want to launch the software with the message "Do you want to download, install and/or execute software from the following server". If the user declines, the launch fails. If the user accepts, the launch proceeds. The user also has the option to automatically add the PCS Series Appliance to the user whitelist file by selecting one of the following options from the message window:

 
  • Always - Add the server to the user whitelist file and download, install or launch the software
  • Yes - Download, install or launch the software but don’t add the server to the user whitelist file
  • No - Don’t download, install or launch software and don’t add the server to the user whitelist file

When software launches from a PCS Series Appliance or PPS Appliance that is not in the administrator whitelist and Allow Admin List Only enforcement is used, the launch fails and the user receives the error message "You are not allowed to launch software downloaded from the following server. Contact your system administrator for assistance." If the PCS Series Appliance or PPS Appliance is in the administrator whitelist, the launch proceeds as requested.

Cause

The PCS Appliance uses two mechanisms to install and launch client software from a web browser:

  • ActiveX controls (available only for Windows/IE)
  • Java applets

With both mechanisms, the user is prompted to trust ActiveX controls and Java applets they have not run before. The inherent problems with these mechanisms are:

  • When the user trusts an ActiveX control, that control is trusted forever.
  • When trusting a Java applet, users are trusting all code that is signed by the exact same code signing certificate.

Solution
To address the inherent trust problems with these two mechanisms, administrators can create a text file (called a whitelist) that contains a list of trusted PCS and/or PPS Appliances, as fully qualified domain names (FQDN) or IP addresses, one per line. Administrators can configure two types of whitelists:
 
  • Admin whitelist - The admin whitelist file can be modified only by the endpoint administrator. The administrator must use SMS or another mechanism to copy the admin whitelist file to the end-user's system. Admin whitelist files are located in:

      OS                    Location
      Windows               %ProgramFiles%\Juniper Networks\Whitelist.txt
      Macintosh and Linux   /usr/local/juniper/whitelist.txt

  • User whitelist - Users can themselves make the decision to trust a PCS Appliance. When the user makes a decision to trust a PCS Appliance, the PCS Appliance is added to the user whitelist. User whitelist files are located in:

      OS                    Location
      Windows               %AppData%\Juniper Networks\Whitelist.txt
      Macintosh             ~/Library/Application Support/Juniper Networks/whitelist.txt
      Linux                 ~/.juniper_networks/whitelist.txt


If the first line of the whitelist file contains AllowAdminListOnly (case insensitive), then the Allow Admin List Only enforcement mode is used. Otherwise, the prompt enforcement mode is used. An excerpt of a whitelist file using Allow Admin List Only enforcement is shown here:
AllowAdminListOnly
qa.pulsesecure.net
dev1.pulsesecure.net
172.XX.XX.XXX

To add clusters to the whitelist file:
 
  • For Active/Passive clusters enter the VIP in the whitelist (if using IP-based access to the cluster); otherwise, use the FQDN.
  • For Active/Active clusters enter the load balancer hostname in the whitelist.
 
Note: The trusted server list feature is for applications launched from a browser window; it does not apply to applications launched from the command-line or other means. Prompt enforcement is the default mode when upgrading the PCS Series software to 6.5 (and later).


This procedure outlines the process for determining whether to launch the software:

  1. If the URL of the page initiating the launch does not begin with HTTPS, abort the launch and notify the user.
  2. Else if the admin whitelist exists:
    • If the origin site is listed in the whitelist, proceed with the launch.
    • If the origin site is not in the whitelist and the whitelist starts with "AllowAdminListOnly", abort the launch and notify the user.
  3. Else if the user whitelist exists:
    • If the origin site is in the user whitelist, proceed with the launch.
  4. Prompt the user if they trust the origin site.
  5. If the user agrees to trust the origin:
    • If they select Always, then add the server to the user whitelist file.
    • Proceed with the launch.
  6. Abort the launch.
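The decision procedure above, modelled as an added example (not Pulse Secure's own client code): it parses whitelist file contents with the case-insensitive AllowAdminListOnly first-line flag, applies steps 1-3 against the page URL, and then applies the user's Always/Yes/No choice for steps 4-6. The whitelist contents and URLs are constructed test data; function names are assumptions for this example.

```python
from urllib.parse import urlparse

PROCEED, ABORT, PROMPT = "proceed", "abort", "prompt"

def parse_whitelist(text):
    """Return (admin_only, set_of_hosts) from whitelist file contents.
    The AllowAdminListOnly flag is honoured only on the first non-empty line,
    case-insensitively, as the KB describes; blank lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False, set()
    admin_only = lines[0].lower() == "allowadminlistonly"
    hosts = lines[1:] if admin_only else lines
    return admin_only, {h.lower() for h in hosts}

def launch_decision(page_url, admin_list=None, user_list=None):
    """Steps 1-3: admin_list/user_list are file contents, or None if the file
    does not exist. Returns PROCEED, ABORT, or PROMPT (step 4 is needed)."""
    url = urlparse(page_url)
    if url.scheme != "https":            # step 1: non-HTTPS origin aborts
        return ABORT
    origin = (url.hostname or "").lower()
    if admin_list is not None:           # step 2: admin whitelist present
        admin_only, hosts = parse_whitelist(admin_list)
        if origin in hosts:
            return PROCEED
        if admin_only:                   # not listed and enforcement is on
            return ABORT
    if user_list is not None:            # step 3: user whitelist present
        _, hosts = parse_whitelist(user_list)
        if origin in hosts:
            return PROCEED
    return PROMPT                        # step 4: ask the user

def apply_user_choice(choice, origin, user_list):
    """Steps 5-6: choice is 'always', 'yes' or 'no' from the prompt window.
    Returns (decision, updated user whitelist contents)."""
    current = user_list or ""
    if choice.lower() == "no":
        return ABORT, current
    if choice.lower() == "always":
        _, hosts = parse_whitelist(current)
        if origin.lower() not in hosts:  # append the server, one per line
            if current and not current.endswith("\n"):
                current += "\n"
            current += origin.lower() + "\n"
    return PROCEED, current

# Constructed sample admin whitelist in Allow Admin List Only mode.
ADMIN_WHITELIST = "AllowAdminListOnly\nqa.pulsesecure.net\ndev1.pulsesecure.net\n"
```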
Related Links
Attachment 1
Created By: Data Deployment