- Pulse Connect Secure 8.2R5 and above
- Pulse Secure Desktop client 5.2R5 and above (Windows and macOS)
Starting in 8.2R5, Pulse Connect Secure has a new option called Always-on Pulse Client (Pulse Secure Client > [Connection Name]). This option is designed to ensure all network traffic is sent through the VPN tunnel.
When the Always-on VPN feature is enabled, the following changes will automatically be made to the connection set:
- Enable captive portal detection (Enabled)
- Enable embedded browser for captive portal (Enabled)
- Allow user connections (Disabled)
- When the end user logs in to their machine, the Pulse Secure Desktop client will automatically attempt to connect to the PCS device.
- During the authentication phase, all network traffic will be blocked except traffic to the PCS device.
- Once the end user connects to the PCS device, only traffic permitted by the VPN Tunneling ACL policy will be allowed.
- The end user will be unable to disconnect from the VPN tunnel.
Additionally, by default, "Lock down this connection" (also known as Lock-down mode) is not automatically enabled. To enable this option, Always-On VPN must be enabled. This feature limits network connectivity while the Pulse client is attempting to make a connection to the Pulse Connect Secure device. For more information about Lock-down mode, please refer to KB40363 - Behavior of "Lock Down this connection" (also known as Lock Down Mode).
Always-On VPN does not prevent end users with admin privileges from stopping the Pulse Secure Service or the Base Filtering Engine (BFE), both of which are required to establish a VPN connection. If there is a need to prevent administrators or end users from stopping these services, the endpoint should be joined to the domain to enforce the following recommendations / restrictions:
- Disable Add/Remove Programs for all VPN users (Under User Configuration\Administrative Templates\Control Panel\Add/Remove Programs)
- Restrict write permissions for end users to the C:\ProgramData\Pulse Secure directory
- The startup type for "Pulse Secure Service" should be set to "Automatic", and permission to start and stop the service should be removed from "Administrators".
- Ensure "SYSTEM" retains permission to start and stop the service.
- A "Pulse Secure Admins" group should be created on the domain. Permission to start and stop the service should be assigned to "Pulse Secure Admins". The "Domain Admins" group and any other group that needs permission to start and stop Pulse Secure can be made members of the "Pulse Secure Admins" group.
- Disabling the ability to stop the Base Filtering Engine (BFE) should be done in a manner similar to what is described above for the Pulse Secure Service.
To restrict permission to start and stop the service using a group policy, perform the following steps:
1. On Windows Server 2008, 2012 or 2016, install the Wireless LAN Service. If it is not installed, JNPRTtlsProvider.dll will fail to register during the Pulse client installation.
   - Open Server Manager
   - Select Features > Add Feature
   - Select Wireless LAN Service
   - Click Install > Close > Done
2. Use the Pulse Secure desktop client MSI file for installation.
   (Note: On Windows 2016 servers, JNPRTtlsProvider.dll will fail to register even if the Wireless LAN Service is installed. An error message will appear during the Pulse client installation. The error can be accepted and the Pulse installation will complete.)
3. Once installation is complete, start the Group Policy Management MMC.
4. Navigate to Computer Configuration\Windows Settings\Security Settings\System Services.
5. In the right pane, double-click Pulse Secure Service.
6. Select the checkbox for Define this policy setting.
7. Set the Service startup mode to Automatic.
8. Click Edit Security.
9. Click Allow for Start, stop and pause for "Pulse Secure Admins" and remove permissions for "Administrators".
10. Perform steps 6-9 for Base Filtering Engine (BFE).
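As an added example that is not part of this KB article or of the Pulse Secure client, the following PowerShell script audits the domain recommendations above on a Windows endpoint: that the Pulse Secure Service and the Base Filtering Engine start automatically, that SYSTEM and the "Pulse Secure Admins" group can start and stop them, that BUILTIN\Administrators no longer can, and that ordinary user groups cannot write to the C:\ProgramData\Pulse Secure directory. It assumes an elevated PowerShell 5.1 or later session, that the Pulse service can be found by the display name "Pulse Secure Service" (the short service name is resolved at run time), that the Base Filtering Engine's service name is BFE, and that DOMAIN\Pulse Secure Admins is a placeholder for the real domain and group.

```powershell
# Added audit script (not part of the Pulse Secure KB or the Pulse client).
# Assumptions: elevated PowerShell 5.1+ session on a domain-joined host;
# "DOMAIN" is a placeholder for the real domain name; the Pulse service is
# located by its display name and the Base Filtering Engine by its name "BFE".

$SERVICE_START = 0x0010   # service access right SERVICE_START (SDDL "RP")
$SERVICE_STOP  = 0x0020   # service access right SERVICE_STOP  (SDDL "WP")

function Resolve-ServiceName {
    # Accepts either the short service name or the display name shown in GPMC.
    param([Parameter(Mandatory)][string]$NameOrDisplayName)
    $svc = Get-Service | Where-Object {
        $_.Name -eq $NameOrDisplayName -or $_.DisplayName -eq $NameOrDisplayName
    } | Select-Object -First 1
    if (-not $svc) { throw "Service '$NameOrDisplayName' not found" }
    return $svc
}

function Get-ServiceControlGrants {
    # Returns one object per DACL entry that allows start or stop on the service.
    param([Parameter(Mandatory)][string]$ServiceName)
    # sc.exe sdshow prints the service security descriptor as an SDDL string.
    $sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { throw "Could not read the security descriptor of '$ServiceName'" }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $canStart = ($ace.AccessMask -band $SERVICE_START) -ne 0
        $canStop  = ($ace.AccessMask -band $SERVICE_STOP)  -ne 0
        if (-not ($canStart -or $canStop)) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }   # unresolvable SID: report it raw
        [pscustomobject]@{ Account = $account; Start = $canStart; Stop = $canStop }
    }
}

function Test-ServiceHardening {
    param(
        [Parameter(Mandatory)][string]$NameOrDisplayName,
        [string]$AdminGroup = 'DOMAIN\Pulse Secure Admins'   # placeholder domain name
    )
    $svc      = Resolve-ServiceName $NameOrDisplayName
    $findings = @()
    if ($svc.StartType -ne 'Automatic') {
        $findings += "$($svc.DisplayName): startup type is $($svc.StartType), expected Automatic"
    }
    $grants = @(Get-ServiceControlGrants -ServiceName $svc.Name)
    # SYSTEM and the admin group must keep both start and stop.
    foreach ($acct in @('NT AUTHORITY\SYSTEM', $AdminGroup)) {
        $g = $grants | Where-Object { $_.Account -eq $acct -and $_.Start -and $_.Stop }
        if (-not $g) { $findings += "$($svc.DisplayName): $acct cannot start and stop the service" }
    }
    # Local Administrators must have lost both rights.
    $admins = $grants | Where-Object { $_.Account -eq 'BUILTIN\Administrators' }
    if ($admins) { $findings += "$($svc.DisplayName): BUILTIN\Administrators can still start/stop the service" }
    return $findings
}

function Test-ProgramDataLockdown {
    # Flags Allow ACEs that give broad user groups write access to the Pulse data directory.
    param([string]$Path = 'C:\ProgramData\Pulse Secure')
    $userGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $writeMask  = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    $findings   = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($userGroups -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.FileSystemRights -band $writeMask) -ne 0) {
            $findings += "$($Path): $($ace.IdentityReference) has write access ($($ace.FileSystemRights))"
        }
    }
    return $findings
}

$results = @()
$results += Test-ServiceHardening -NameOrDisplayName 'Pulse Secure Service'
$results += Test-ServiceHardening -NameOrDisplayName 'BFE'   # Base Filtering Engine
$results += Test-ProgramDataLockdown
if ($results.Count -eq 0) { 'All checks passed' } else { $results }
```

Run the script after the group policy has applied (gpupdate /force or a reboot); each finding names the service or path and the deviation from the recommendation. The service DACL is read with sc.exe sdshow and parsed with the .NET RawSecurityDescriptor class so the check is made on the SERVICE_START and SERVICE_STOP access-mask bits rather than by matching SDDL letters, which also catches entries that grant those rights through an unexpected SID.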