This article provides steps for PCS Admins to set up JSAM access to Websites hosted by a PCS device that are not rewritten properly and require debugging by the Pulse Secure support and engineering teams.
Why is this necessary and what does JSAM access provide?
The Pulse Secure support and engineering teams need to replicate rewrite issues in-house in order to identify the problem and provide a fix. When the problematic site is configured for access via JSAM on the PCS device, the Pulse Secure team accesses the site via JSAM as a data stream that is not rewritten. This allows us to manipulate the data stream with settings on an internal PCS device and duplicate the end-user experience without changing a production environment, and it does not require multiple live debugging sessions with PCS administrators and end users.
Will this affect any users and/or impact production in any way?
No. JSAM can be configured on a separate role and applied to a realm separate from production. A separate sign-in URL is also created, and production users will not see any differences when signing in or viewing their web portal page after logging in. JSAM does not affect system performance. Pulse Secure does not require admin access to debug the issue; only user access via JSAM is needed.
Problem or Goal
When debugging rewrite issues, the Pulse Secure engineering and dev teams require a way to replicate the issue. Configuring the problem Web resource over JSAM gives the Pulse Secure dev team the ability to access the Web content as a direct stream, so the issue can be reproduced in-house and a fix can be provided. With JSAM access, the time to resolve a Web rewrite issue is reduced substantially.
Provision access to Pulse Secure
Create a new user role named Pulse Secure (for example) and enable Secure Application Manager > Java version on the role from the General settings tab.
Click the SAM tab and select "Options" or browse to User Roles > Pulse Secure > SAM > Options and in the Java SAM options, enable Automatic Host Mapping.
Go to Auth Servers > System Local and add a new user. This is the user account that Pulse Secure will use to sign in to the PCS appliance and launch JSAM.
Create a new User Realm named Pulse Secure that authenticates users from the System Local auth server.
Create a role-mapping rule on the Pulse Secure realm based on username that maps the Pulse Secure user to the Pulse Secure role. (If you instead choose to configure the role-mapping rule on an existing realm or on a new realm but with an existing role, we recommend that you check the option to "Stop Processing rules when this rule matches". After saving the changes, move the test rule to the top of the list so that it is not possible for the Pulse Secure user to get mapped to any other roles.)
Go to Signing In > Sign In Policies and create a New URL. Enter "*/pulsesecuretest" as the Sign-In URL and in the Authentication realm section, select the radio button for "User picks from list of authentication realms" and select the Pulse Secure realm from the Available realms and move it to the Selected Realms.
Go to User Roles > Pulse Secure > SAM and configure the JSAM policy as shown below:
Set up JSAM access
Go to Resource Profiles > Web and create a new profile.
Set the profile Type to Custom (default setting), then enter a name for the Profile and enter the Base URL. (The Base URL is the host name of the backend resource that the rewrite issue occurs with.)
A Web ACL is created automatically from the Base URL. Add additional Web ACL resources if needed. Make sure to click "Add" to save each Web ACL.
Click "Show ALL autopolicy types >>" and select Autopolicy: Rewriting Options and select No Rewriting: Use JSAM.
A JSAM Policy is automatically created from the base server URL. Click any field to modify the application details. In this example, a Client Loopback IP of 127.0.10.1 has been added. If this field is left blank, JSAM will automatically choose and configure a loopback IP.
Enable the option to Launch JSAM to automatically start JSAM when user clicks on the Web bookmark.
Add additional servers as needed. Be sure to click "Add" to save each server entry.
Be sure to click the checkbox next to a modified entry to save the changes.
When finished click Save and Continue.
Select the Pulse Secure role from the Available roles and Add it to the Selected Roles.
The Web Bookmark tab will open and display the bookmark URL which has been automatically created. You can create additional Web Bookmarks here as needed.
Use the Pulse Secure sign-in URL and account to sign in, click the web bookmark, and verify the traffic is going over the JSAM tunnel. Browse to the page where the problem occurs and verify that it is "working as expected", since this is the expected result via JSAM.
Update the case with instructions for the Pulse Secure support team to follow to replicate the issue once they click the Web Bookmark. This can also be provided in a Word doc containing screenshots.
Export the Users config by going to Import / Export > Import / Export Users and save a copy of the User config and upload this to the case.
Contact the Pulse Secure case owner and provide the login details for JSAM access and/or update the case with the details.
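For the verification step above (confirming the traffic is going over the JSAM tunnel), the following is an added example, not part of the original article or any Pulse Secure tooling. It assumes Automatic Host Mapping works by adding hosts-file entries that point the backend host name at the JSAM client loopback IP (127.0.10.1 in the article's example); the host names and sample hosts-file content are constructed.

```python
import ipaddress

# Constructed sample of a client hosts file while JSAM is running
# (host names and addresses are illustrative, not from a real environment).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.10.1      intranet.example.com intranet   # loopback entry for JSAM
10.20.30.40     files.example.com
"""

def parse_hosts(text):
    """Return {lowercased host name: [ip, ...]} in file order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # skip malformed lines
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(ip)
    return table

def jsam_mapping_status(hosts_text, backend_host, expected_loopback=None):
    """Classify how backend_host is mapped by the hosts file.

    'jsam'           - mapped to a loopback address (and the expected one, if given)
    'wrong-loopback' - mapped to loopback, but not the configured Client Loopback IP
    'direct'         - mapped to a non-loopback address, so traffic bypasses JSAM
    'unmapped'       - no hosts entry; the name would be resolved by DNS instead
    """
    ips = parse_hosts(hosts_text).get(backend_host.lower())
    if not ips:
        return "unmapped"
    first = ips[0]                            # the first matching entry is used
    if not first.is_loopback:
        return "direct"
    if expected_loopback and first != ipaddress.ip_address(expected_loopback):
        return "wrong-loopback"
    return "jsam"

if __name__ == "__main__":
    for host in ("intranet.example.com", "files.example.com", "wiki.example.com"):
        print(host, "->", jsam_mapping_status(SAMPLE_HOSTS, host, "127.0.10.1"))
```

To check a live client, pass the contents of the local hosts file in place of the sample while the JSAM window is open.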