KB40503 - Connectivity to any resource fails when Pulse Secure Desktop client is installed and Lock Down Mode is enabled.

Last Modified Date: 1/25/2018 3:13 AM
Synopsis
This article describes an issue where connectivity to resources (for example, Windows logon (Winlogon) and anti-virus (AV) definition updates) fails when the Pulse Secure Desktop client is installed and Lock Down Mode is enabled.
Problem or Goal
Example 1:
When an end user attempts to authenticate to a domain while the Pulse Secure Desktop client is installed and Lock Down Mode is enabled, the following error message appears:
There are currently no logon servers available to service the logon request.

Example 2:
When an end user attempts to authenticate to a realm with Host Checker configured and the AV compliance check fails, the end user is unable to download the latest AV definitions.
Cause
This issue occurs when all of the following conditions are met:
  • Pulse client connection option for establishing connection is set to "User" mode.
  • Pulse client connection option to "Lock down this connection" is enabled.
  • Pulse has been installed on a domain machine.
  • The user is either physically on the network logging on to the domain controller, or remote and using cached domain credentials.
This issue occurs because Lock Down Mode is enabled. By design, this feature blocks all network traffic while the Pulse client is attempting to connect to the Pulse Connect Secure (PCS) device, except for the following:
  • UDP/TCP port 88 (Kerberos)
  • UDP/TCP port 389 (LDAP)
  • TCP port 636 (LDAPS)
  • TCP port 445 (NETBIOS)
  • UDP ports 67, 68, 547, 546 (DHCP)
  • TCP port 135 (RPC)
  • TCP port 3268 (Global Catalog)
  • UDP/TCP port 53 (DNS)
  • UDP port 5353 (Multicast DNS)

For Winlogon traffic to be sent successfully from the client to the logon server, the dynamic port range 1025 to 5000 must also be allowed. This is currently not supported. For more information, please refer to https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx.
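As an added illustration (not Pulse Secure's code), the following Python models the allow-list above against a constructed sequence of domain-logon flows, showing that every step passes except the RPC follow-up on a dynamic port, and that an exception rule covering 1025 to 5000 would pass it; the shape of the exception rule is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, List
# (proto, port) pairs the article lists as exempt from Lock Down Mode.
LOCKDOWN_ALLOW = {
    ("udp", 88), ("tcp", 88),        # Kerberos
    ("udp", 389), ("tcp", 389),      # LDAP
    ("tcp", 636),                    # LDAPS
    ("tcp", 445),                    # NETBIOS
    ("udp", 67), ("udp", 68), ("udp", 547), ("udp", 546),  # DHCP
    ("tcp", 135),                    # RPC endpoint mapper
    ("tcp", 3268),                   # Global Catalog
    ("udp", 53), ("tcp", 53),        # DNS
    ("udp", 5353),                   # Multicast DNS
}

@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int
    purpose: str

@dataclass(frozen=True)
class ExceptionRule:
    # Assumed shape of an 8.3R3 "Lockdown mode exception rule": protocol plus port range.
    proto: str
    low: int
    high: int
    def matches(self, f: Flow) -> bool:
        return f.proto == self.proto and self.low <= f.dst_port <= self.high

def is_permitted(flow: Flow, exceptions: Iterable[ExceptionRule] = ()) -> bool:
    # Passes if the flow is on the built-in allow-list or matched by an exception rule.
    if (flow.proto, flow.dst_port) in LOCKDOWN_ALLOW:
        return True
    return any(r.matches(flow) for r in exceptions)

# Constructed illustration of a domain logon's flows, in order; the last one lands in the 1025-5000 dynamic range.
WINLOGON_FLOWS = [
    Flow("udp", 53, "DNS SRV lookup for a domain controller"),
    Flow("tcp", 389, "LDAP ping to locate the DC"),
    Flow("tcp", 88, "Kerberos AS/TGS exchange"),
    Flow("tcp", 445, "SMB to SYSVOL for policy"),
    Flow("tcp", 135, "RPC endpoint mapper query"),
    Flow("tcp", 1026, "Netlogon RPC on a dynamic port returned by the mapper"),
]

def blocked_flows(flows: Iterable[Flow], exceptions: Iterable[ExceptionRule] = ()) -> List[str]:
    """Purposes of the flows Lock Down Mode would drop, in logon order."""
    rules = tuple(exceptions)  # materialise so each flow sees every rule
    return [f.purpose for f in flows if not is_permitted(f, rules)]
```

Calling `blocked_flows(WINLOGON_FLOWS)` reports only the dynamic-port RPC step, which is exactly the traffic the article says Winlogon needs and Lock Down Mode does not pass.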
Solution
Currently, this behavior is working as designed. In environments where users need to log on to the corporate domain, use one of the following recommended workarounds:
  • Configure the connection set for machine authentication.
  • Add Lockdown mode exception rules (available from version 8.3R3). When the Always-on VPN feature is used with Lockdown mode enabled, the option "Lockdown mode exception rules" becomes available. The administrator can configure these rules to specify which traffic is exempted when Lock Down Mode is applied on the user's end. This feature is intended for Windows users only.
  • Disable the option "Lockdown this connection" on the Pulse connection set.

 
Created By: Travis Bradbury