KB19294 - Hosts file is modified/accessed when a VPN Tunneling client is launched

Information

Last Modified Date: 7/31/2015 7:27 AM
Synopsis

This article explains why the Pulse Secure Desktop client and Network Connect modify the hosts file.

Problem or Goal

The hosts file entry is added by the VPN Tunneling client (Pulse Secure Desktop client or Network Connect) to ensure the following:

  1. Pulse Connect Secure (PCS) hostname is resolvable after the tunnel is launched.
  2. The PCS hostname resolves to the same external IP after the tunnel is launched. For example, if your ISP's DNS resolves the PCS hostname to 66.129.233.89 before you connect the VPN tunneling client, it must continue to resolve to 66.129.233.89 after the tunnel is launched. This does not always happen, because the PCS's internal DNS servers may resolve the PCS hostname to an internal IP or some other IP.
  3. The PCS hostname must not resolve to any PCS device other than the one where your session was started.
If the above conditions are not met, then the following issues can occur:
  • The VPN Tunneling session is terminated immediately upon connecting.

    If the PCS DNS servers resolve the PCS hostname to an internal IP address after the VPN tunnel is launched, one of the following occurs, depending on the Roaming Session option you have configured:

    If "Roaming Session" is disabled - After the tunnel has been started, the browser's connection to the PCS goes to the PCS's internal interface (for example 192.168.36.2), which is configured to go through the VPN tunnel. The PCS registers a source IP change, because the connection now comes from the VPN tunnel IP instead of the WAN IP. Since the roaming session is disabled, the source IP change results in a disconnect.

    If "Roaming Session" is enabled - The later browser connection from the VPN IP to the PCS's internal interface does not cause the session to be terminated. However, all traffic now goes through the VPN tunnel instead of to the external interface of the PCS's web server, which adds unnecessary load to the PCS device.

    Roaming Session can be enabled or disabled under Role > Session Options.

  • PCS hostname does not resolve, or there is no route
    This occurs when the PCS DNS servers resolve the PCS hostname to an internal IP address after the VPN tunnel is launched and the PCS's internal gateway router has no route to the PCS's internal IP address, or when the PCS's DNS servers cannot resolve the PCS hostname at all.

    • The browser redirects to a "Server not found" page after NC launches.

      Example: secure.company.com resolves to 66.129.233.89 before NC connects, but once the VPN client connects and the tunnel is up, the hostname resolves to 192.168.36.2 over the tunnel. Since the VPN client is in the 192.168.37.0/24 subnet and the PCS is in the 192.168.36.0/24 subnet, a route is required to reach the PCS.

      PCS hostname: secure.company.com
      PCS External IP: 66.129.233.89, PCS Internal IP: 192.168.36.2, PCS Internal GW IP: 192.168.36.1 (/24)
      NC DNS Server: 192.168.36.3
      NC Addresses: 192.168.37.1-254 (/24)

      1. Launch a VPN tunnel through the application or from a browser.
      2. In this example, the local ISP resolves the PCS hostname to 66.129.233.89.
      3. Enter the login credentials.
      4. If the VPN client connects before the browser redirects back to the landing page, a "Server not found" message is displayed. This happens because secure.company.com now resolves to 192.168.36.2, and at this point the client machine has no route for that IP (the VPN tunneling client only adds routes for the subnet that the VPN IP address pool is on).
    • Host Checker or Cache Cleaner terminates the session

      If Host Checker or Cache Cleaner is configured and enforced on the role, and the PCS hostname does not resolve or there is no route to the new PCS IP, the client can no longer reach the PCS. Host Checker/Cache Cleaner is then unable to send its periodic status update to the PCS, and the session is terminated because the PCS cannot determine the security compliance of the client machine.


      NOTES:
      • If your network topology places the PCS internal interface and the VPN IP addresses or DHCP server on different subnets, add static routes to the PCS's internal gateway router to get around this issue. Ensure the VPN tunneling address pool can reach 192.168.36.2-3 and other enterprise resources. For the example above, add the route on the internal gateway router 192.168.36.1 (example route: route 192.168.37.0/24 next-hop 192.168.36.2).

      • If the VPN addresses are in the same subnet as the PCS and the PCS DNS servers, no route is needed.
  • Load Balancing

    If your PCS devices are in a load balancing configuration, note that round robin DNS is not a supported method of load balancing (clustered or non-clustered). If you require load balancing to evenly distribute the load across all your PCS devices, it is recommended that you implement an external load balancer with source IP session persistence enabled. Otherwise, once the tunnel is connected, the client may send requests to a PCS that has no session data for the user. In the case of Network Connect, this results in the error "The Network Connect session timed out (nc.windows.app.23790)". See KB17848 - [SSL VPN/MAG/UAC] Access issues and timeout errors when SA SSL VPNs are in a Load Balancing configuration for more details.
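The following is an added example (not Pulse Secure's code) that models the three resolution conditions above and the failure mode the article describes when each one is violated. The addresses and subnets are the article's own example values; the function names and the extra_routes parameter are assumptions.

```python
import ipaddress
from typing import Iterable, List, Optional

def client_routes(vpn_pool: str, extra: Iterable[str] = ()) -> List[ipaddress.IPv4Network]:
    """Subnets the client can reach once the tunnel is up. The KB states the
    tunneling client only adds a route for the subnet the VPN IP address
    pool is on; 'extra' stands for any other routes the client already had."""
    return [ipaddress.ip_network(n) for n in (vpn_pool, *extra)]

def diagnose(pre_tunnel_ip: str, post_tunnel_ip: Optional[str], vpn_pool: str,
             roaming_session: bool, extra_routes: Iterable[str] = ()) -> str:
    """Map how the PCS hostname resolves before/after the tunnel to the
    outcome the KB describes for that case."""
    if post_tunnel_ip is None:
        # Condition 1 violated: the PCS's DNS servers cannot resolve the name at all.
        return "unresolvable: browser shows 'Server not found'"
    if post_tunnel_ip == pre_tunnel_ip:
        # Conditions 1 and 2 hold; this is exactly what the hosts-file entry enforces.
        return "ok: same address before and after the tunnel"
    # Condition 2 violated: the name now points elsewhere (usually the PCS
    # internal interface). Can the client even reach that address?
    new_ip = ipaddress.ip_address(post_tunnel_ip)
    if not any(new_ip in net for net in client_routes(vpn_pool, extra_routes)):
        return ("no route: 'Server not found'; if Host Checker/Cache Cleaner is "
                "enforced, its status updates fail and the session is terminated")
    # Reachable through the tunnel, so the PCS sees the connection arrive
    # from the tunnel IP instead of the WAN IP: a source IP change.
    if not roaming_session:
        return "source IP change with Roaming Session disabled: session terminated"
    return "Roaming Session enabled: session survives, all traffic rides the tunnel"

if __name__ == "__main__":
    # The KB's example topology: ISP answer 66.129.233.89, internal DNS answer
    # 192.168.36.2, VPN address pool 192.168.37.0/24.
    for roaming in (False, True):
        print("no internal route, roaming", roaming, "->",
              diagnose("66.129.233.89", "192.168.36.2", "192.168.37.0/24", roaming))
        print("internal route present, roaming", roaming, "->",
              diagnose("66.129.233.89", "192.168.36.2", "192.168.37.0/24",
                       roaming, ["192.168.36.0/24"]))
```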

Cause
Solution

Starting with PCS version 5.0R4, the VPN tunneling client adds the following entry to the beginning of the hosts file to ensure that the PCS hostname resolves to the same IP it resolved to before the tunnel was launched; this behavior has carried over into the Pulse Secure Desktop client.

#For NC, no new entry above, between this and next comments
206.194.33.44 secure.company.com
#end of NC entry

  1. A hosts entry for the PCS is added to the hosts file (for Network Connect and the Pulse Secure Desktop client) on the local computer.
  2. The hosts entry is made by "dsNcService" or "dsAccessService", which runs in the system context; no other permissions are needed. At a graceful termination (sign-out or timeout) of the VPN client connection, the hosts file is restored. If the hosts file was not restored earlier because of an ungraceful termination, it is restored the next time the user launches Network Connect or the Pulse Secure Desktop client.

Furthermore, if your environment requires that end users do not have Administrator privileges, the hosts file modification described above still works, because the service makes the change. Modification of the hosts file is not necessary for Network Connect or the Pulse Secure Desktop client to launch.

Please note: if changes are made to the hosts file while the VPN session is open, they are removed when the session ends, because the original file is restored.
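An added example (not part of the Pulse Secure client) that models the managed hosts-file block described above: inserting it at the top of the file, reading back the pinned address, and listing the lines added outside the block during a session, which are lost when the saved original is put back. The marker lines and the example address come from the article; the function names and the sample hosts file are constructed.

```python
from typing import List, Optional, Tuple

# Marker comments exactly as the article shows them in the hosts file.
BEGIN = "#For NC, no new entry above, between this and next comments"
END = "#end of NC entry"

def add_pin(hosts: str, hostname: str, ip: str) -> str:
    """Prepend the managed block so hostname keeps resolving to ip."""
    return f"{BEGIN}\n{ip} {hostname}\n{END}\n" + hosts

def _bounds(lines: List[str]) -> Optional[Tuple[int, int]]:
    """Indexes of the BEGIN and END marker lines, or None if the block is absent."""
    if BEGIN not in lines:
        return None
    start = lines.index(BEGIN)
    try:
        return start, lines.index(END, start)
    except ValueError:          # BEGIN without END: treat as no valid block
        return None

def pinned_address(hosts: str, hostname: str) -> Optional[str]:
    """Address the managed block maps hostname to (None if not pinned)."""
    lines = hosts.splitlines()
    b = _bounds(lines)
    if b is None:
        return None
    for line in lines[b[0] + 1:b[1]]:
        fields = line.split("#")[0].split()          # drop trailing comments
        if len(fields) > 1 and hostname.lower() in [f.lower() for f in fields[1:]]:
            return fields[0]
    return None

def unmanaged_lines(hosts: str) -> List[str]:
    """Everything outside the managed block, i.e. what the user and OS own."""
    lines = hosts.splitlines()
    b = _bounds(lines)
    return lines if b is None else lines[:b[0]] + lines[b[1] + 1:]

def session_edits(current: str, original: str) -> List[str]:
    """Lines added outside the block while the session was open. The article
    says these are discarded at sign-out because the saved original is restored,
    so this is what an administrator would want to surface before that happens."""
    base = set(original.splitlines())
    return [line for line in unmanaged_lines(current) if line not in base]

# Constructed sample hosts file (not from the article).
ORIGINAL = "127.0.0.1 localhost\n10.0.0.5 intranet.example\n"
```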

Created By: Data Deployment