KB28876 - Pulse Secure Desktop running in FIPS mode on an endpoint running McAfee Application Control can cause a self-test failure


Information

Last Modified Date: 8/10/2015 4:06 PM
Synopsis
This article describes how Pulse Secure Desktop running in FIPS mode on an endpoint running McAfee Application Control can cause a self-test failure, and provides a workaround to the issue.

(FIPS: Federal Information Processing Standards)

 

Problem or Goal

With McAfee Application Control installed on the endpoint, Pulse Secure Desktop can connect to Pulse Connect Secure (PCS) or Pulse Policy Secure (PPS) in non-FIPS mode, but the connection fails as soon as FIPS mode is enabled. The problem has been observed with Pulse Secure Desktop 5.0 and McAfee Application Control 6.1.

Cause

The issue occurs because the FIPS cryptographic module in Pulse Secure Desktop (carried in libeay32.dll, the OpenSSL crypto library) checks its own integrity when it starts: it expects to be loaded at its preferred base address, recomputes a fingerprint over its in-memory image and compares it with the value recorded when the module was built. McAfee Application Control's Virtual Address Space Randomization (VASR) forces the DLL to load at a random base address instead. The loader then rewrites every absolute address in the module (relocation fixups) to match the new base, so the in-memory image no longer matches the recorded fingerprint and the FIPS power-up self-test fails every time. Once the self-test has failed, the module refuses all further FIPS cryptographic operations, which is why SSL_connect fails as well. Pulse records this at the normal debug log level, as in the example messages below:
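The interaction above, between a load-time integrity check and forced relocation, as an added Python model written for this article (it is illustrative code, not Pulse's or OpenSSL's implementation): a toy code image containing absolute 32-bit pointers plus a relocation table, an HMAC-SHA1 fingerprint taken over the image as linked, and a self-test that recomputes the fingerprint after the loader has applied the fixups. The key, base addresses, opcode bytes and function names are all constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the model; a real FIPS module embeds its own key and
# fingerprint, and a real loader walks PE base-relocation blocks.
PREFERRED_BASE = 0x10000000
FINGERPRINT_KEY = b"illustrative-fingerprint-key"


def build_image(preferred_base=PREFERRED_BASE):
    """Construct a toy code image: a two-byte opcode stand-in followed by an
    absolute 32-bit address into the module's own data, repeated four times.
    Returns the image bytes and the offsets the loader must fix up when the
    module is relocated (the role of IMAGE_REL_BASED_HIGHLOW entries in .reloc)."""
    image = bytearray()
    reloc_offsets = []
    for i in range(4):
        image += b"\x8b\x05"  # stand-in for "mov eax, [imm32]"
        reloc_offsets.append(len(image))
        image += struct.pack("<I", preferred_base + 0x1000 + 4 * i)
    return bytes(image), reloc_offsets


def fingerprint(image, key=FINGERPRINT_KEY):
    """Build-time integrity value: HMAC-SHA1 over the code image as linked."""
    return hmac.new(key, image, hashlib.sha1).hexdigest()


def load_module(image, reloc_offsets, actual_base, preferred_base=PREFERRED_BASE):
    """Model the loader. At the preferred base the image is mapped unchanged;
    anywhere else every absolute address is shifted by the load delta, which
    is what VASR forced relocation makes happen to libeay32.dll."""
    delta = actual_base - preferred_base
    if delta == 0:
        return image
    loaded = bytearray(image)
    for off in reloc_offsets:
        (addr,) = struct.unpack_from("<I", loaded, off)
        struct.pack_into("<I", loaded, off, (addr + delta) & 0xFFFFFFFF)
    return bytes(loaded)


def power_up_self_test(image, reloc_offsets, expected_fp, actual_base):
    """Integrity self-test: recompute the fingerprint over the loaded image and
    compare it with the build-time value. False corresponds to "selftest failed"."""
    loaded = load_module(image, reloc_offsets, actual_base)
    return hmac.compare_digest(fingerprint(loaded), expected_fp)


IMAGE, RELOCS = build_image()
EXPECTED_FP = fingerprint(IMAGE)  # would be embedded alongside the module


def self_test_at(actual_base):
    """Run the self-test for a module loaded at the given base address."""
    return power_up_self_test(IMAGE, RELOCS, EXPECTED_FP, actual_base)


if __name__ == "__main__":
    # Loaded at the preferred base (relocation bypassed): passes.
    print("preferred base:", self_test_at(PREFERRED_BASE))
    # Forced to a random base: the fixed-up image no longer matches.
    print("relocated base:", self_test_at(0x6A2F0000))
```

The model makes the point of the bypass rule concrete: the fingerprint is not wrong and the DLL is not tampered with; the bytes the check covers simply change whenever the module lands anywhere other than its preferred base, so the only fixes are to let the module load where it expects or to have the integrity check account for relocation.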

00171,09 2014/02/06 14:05:48.179 1 SYSTEM dsAccessService.exe ConnectionManager p5728 t1670 ConnectionManagerService.cpp:113 - 'ConnectionManager' dsFipsModeOn failed: -536543227

00200,09 2014/02/05 08:20:45.966 1 SYSTEM dsAccessService.exe salib_OSSL p6808 t1A38 win_ssl.cpp:226 - 'win_ssl_connect' SSL_connect = 755622022: error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed

00201,09 2014/02/05 08:20:45.966 1 SYSTEM dsAccessService.exe salib_OSSL p6808 t1A38 win_ssl.cpp:226 - 'win_ssl_connect' SSL_connect = 755626118: error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
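Triaging these log lines, as an added Python example written for this article (it is not a Pulse Secure tool): it parses the dsAccessService.exe debug-log record format shown above, flags the dsFipsModeOn failure and any OpenSSL error whose packed error code belongs to the FIPS library, and decodes the packed code into its library, function and reason numbers, cross-checking the decimal SSL_connect value against the hex code. The sample input is constructed from the three lines above plus one unrelated SSL-library error line added to show what the filter rejects; the record field names and helper names are this example's own.

```python
import re

# Constructed sample: the three lines from the article plus one unrelated
# OpenSSL SSL-library error, added here so the filter has something to reject.
SAMPLE_LOG = """\
00171,09 2014/02/06 14:05:48.179 1 SYSTEM dsAccessService.exe ConnectionManager p5728 t1670 ConnectionManagerService.cpp:113 - 'ConnectionManager' dsFipsModeOn failed: -536543227
00200,09 2014/02/05 08:20:45.966 1 SYSTEM dsAccessService.exe salib_OSSL p6808 t1A38 win_ssl.cpp:226 - 'win_ssl_connect' SSL_connect = 755622022: error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed
00201,09 2014/02/05 08:20:45.966 1 SYSTEM dsAccessService.exe salib_OSSL p6808 t1A38 win_ssl.cpp:226 - 'win_ssl_connect' SSL_connect = 755626118: error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
00202,09 2014/02/05 08:20:46.010 1 SYSTEM dsAccessService.exe salib_OSSL p6808 t1A38 win_ssl.cpp:226 - 'win_ssl_connect' SSL_connect = 336151538: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
"""

# One record: seq,level timestamp n user process component pPID tTID file:line - message
LINE_RE = re.compile(
    r"^(?P<seq>\d+),(?P<level>\d+) (?P<ts>\S+ \S+) \d+ (?P<user>\S+) (?P<proc>\S+) "
    r"(?P<comp>\S+) p(?P<pid>[0-9A-Fa-f]+) t(?P<tid>[0-9A-Fa-f]+) (?P<src>\S+) - (?P<msg>.*)$"
)
# OpenSSL's ERR_error_string layout: error:<packed hex code>:<lib>:<function>:<reason>
OSSL_ERR_RE = re.compile(
    r"(?:SSL_connect = (?P<dec>-?\d+): )?error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$"
)
ERR_LIB_FIPS = 0x2D  # OpenSSL 1.0.x library number printed as "FIPS routines"


def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason):
    library in the top byte, then 12 bits of function and 12 bits of reason."""
    code &= 0xFFFFFFFF
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def find_fips_failures(log_text):
    """Return one dict per record that shows the FIPS self-test has failed."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dsAccessService record
        msg = m.group("msg")
        if "dsFipsModeOn failed" in msg:
            hits.append({"seq": m.group("seq"), "ts": m.group("ts"),
                         "kind": "dsFipsModeOn", "func": None, "packed": None})
            continue
        e = OSSL_ERR_RE.search(msg)
        if not e:
            continue
        packed = int(e.group("code"), 16)
        lib, func, reason = unpack_openssl_error(packed)
        # The decimal SSL_connect value and the hex code are the same number;
        # a mismatch would mean the line was altered on its way to us.
        consistent = e.group("dec") is None or (int(e.group("dec")) & 0xFFFFFFFF) == packed
        if lib == ERR_LIB_FIPS and "selftest failed" in e.group("reason") and consistent:
            hits.append({"seq": m.group("seq"), "ts": m.group("ts"),
                         "kind": "openssl", "func": e.group("func"),
                         "packed": (lib, func, reason)})
    return hits


if __name__ == "__main__":
    for hit in find_fips_failures(SAMPLE_LOG):
        print(hit)
```

Matching on the library number rather than on the free-text reason alone keeps the check tied to the FIPS module: a later OpenSSL build may reword a reason string, but a self-test failure will still be reported under the FIPS library, and every FIPS-library error after the first one is a consequence of the same failed power-up test.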

Solution

To work around this problem, define bypass rules in McAfee Application Control so that it does not force-relocate the Pulse FIPS library: the rules name the Pulse service, dsAccessService.exe, and its OpenSSL library, libeay32.dll. A bypass rule removes VASR protection from whatever it names, so scope it to those two files rather than to a directory or a wildcard.

The procedure for defining the rules is described in the "Define bypass rules" section of the McAfee Change Control and McAfee Application Control 6.1.0 Product Guide.

The procedure is summarized below.

  • Perform one of these tasks:
    • Define a new Application Control rule group if the bypass rules will be reused across multiple endpoints.
    • Create a new Application Control policy to apply the bypass rules to a single endpoint.
  • Select the Exceptions tab.
  • Click Add. The Add Attribute window appears.
  • Enter the file name of the Pulse service:

    C:\Program Files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe

  • Select the required options.
  • Optionally, for the VASR Forced Relocation Bypass option, specify the DLL that must not be relocated; for this issue that is the OpenSSL library containing the FIPS module:

    C:\Program Files (x86)\Common Files\Juniper Networks\JUNS\libeay32.dll

  • Click OK.

  Note

  • For detailed instructions on how to define a new Application Control rule group, see "Create a rule group" in the McAfee Change Control and McAfee Application Control 6.1.0 Product Guide.
  • For detailed instructions on how to create a new Application Control policy, see "Create a policy" in the same guide.
Created By: Data Deployment