What is the impact of these changes?
With these changes the end-user experience will also change when launching Pulse Secure TS sessions as outlined below.
Use Case #1
If the remote host machine does not have a valid certificate signed by a trusted CA, the end user will see a certificate security warning when connecting. (Although it is not recommended, the user can accept the certificate warning and click "Yes" to connect to the remote host.)
Use Case #2
If SSO is not configured in the Terminal Services Resource Profile, end users will be prompted for credentials with a Windows security pop up prior to connecting to the remote host.
- User experience prior to the 8.2R1 and 8.1R7 releases: the TS session is established first, and users enter their credentials and authenticate via WinLogon at the remote host desktop.
- User experience in 8.2R1, 8.1R7 and later releases: the end user is prompted for credentials with a Windows Security pop-up before the connection to the remote host is established. The credentials are then passed to the remote host, bypassing WinLogon, and the user is logged on to the remote host desktop.
Resolution to disable NLA with Pulse Secure Terminal Services:
In 8.1R10, an option called Disable NLA was added to revert to the previous behavior of the native PCS Terminal Services client. To disable NLA through the Administrator Web UI, perform the following steps:
- Navigate to Users > User Roles > [ROLE_NAME] > Terminal Services > Sessions > [SESSION_NAME]
- Select Disable NLA
To allow end users to define their own Terminal Services sessions with NLA disabled, go to Users > User Roles > [ROLE_NAME] > Terminal Services > Options in the Admin Web UI and select "User can add sessions" in addition to "User can disable NLA".
The end user will then be able to log in to the PCS and create Terminal Services sessions with the option to disable NLA.
If you want to continue with NLA enabled, the following solutions can be applied.
For Use Case #1:
This security warning is generated because the remote host is using a certificate that is self-signed or is not signed by a trusted certificate authority (CA). In that case the client cannot verify the identity of the remote host, so the connection is potentially vulnerable to man-in-the-middle (MITM) attacks. To resolve this issue, we recommend the following:
- Install a certificate on the remote host that is signed by a trusted CA.
- If a self-signed certificate is used on the remote host, use a group policy to install this certificate in the client's trusted CA certificate store.
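To check which certificate a remote host's RDP listener presents, whether this client already trusts it, and whether the listener enforces NLA, the following PowerShell script is an added example; it is not part of this article and is not a Pulse Secure tool. It assumes PowerShell Remoting (WinRM) is enabled on the target host and that the caller is a local administrator there; the `$ComputerName` parameter is the example's own.

```powershell
# Added example (not from the Pulse Secure article): read the certificate bound to a
# remote host's RDP listener and check, from THIS client, whether it chains to a
# trusted CA (Use Case #1) and whether the listener requires NLA.
# Assumes WinRM is enabled on $ComputerName and the caller is an administrator there.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName   # hypothetical parameter: the remote RDP host to inspect
)

# Pull the listener settings and the raw certificate bytes from the remote host.
# Win32_TSGeneralSetting lives in the root\cimv2\TerminalServices namespace.
$remote = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName 'Win32_TSGeneralSetting' `
                          -Filter "TerminalName='RDP-Tcp'"
    # The auto-generated listener certificate sits in the "Remote Desktop" store;
    # a CA-issued certificate bound by policy is usually in LocalMachine\My.
    $cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash } |
            Select-Object -First 1
    [pscustomobject]@{
        NlaRequired = [bool]$ts.UserAuthenticationRequired   # 1 = NLA enforced on the listener
        Thumbprint  = $ts.SSLCertificateSHA1Hash
        RawData     = if ($cert) { $cert.RawData } else { $null }
    }
}

if (-not $remote.RawData) {
    Write-Warning "Could not read the certificate with thumbprint $($remote.Thumbprint) from $ComputerName"
    return
}

# Rebuild the certificate locally and build its chain against this client's own
# trust stores. This is the same decision the RDP client makes before it shows
# the certificate warning described in Use Case #1.
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$remote.RawData)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$trustedHere = $chain.Build($cert)

[pscustomobject]@{
    Host        = $ComputerName
    NlaRequired = $remote.NlaRequired
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    SelfSigned  = ($cert.Subject -eq $cert.Issuer)
    NotAfter    = $cert.NotAfter
    TrustedHere = $trustedHere
    ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

Run it from a client that will be used for Pulse Secure TS sessions, for example `.\Check-RdpListener.ps1 -ComputerName rdp-host01` (the script name and host name are placeholders). `TrustedHere` is `$false` with a `ChainStatus` of `UntrustedRoot` for the default self-signed listener certificate; after the certificate has been distributed to the client's trusted CA store by group policy, or replaced on the host with a CA-issued one, the same check returns `$true`.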
For Use Case #2:
Pulse Secure WTS has been re-architected to leverage the security benefits that NLA provides and to align Pulse Secure's product with Microsoft's recommended practices. For any other use cases not covered by the changes outlined in this article, please contact Pulse Secure technical support for further assistance.
Refer to the following links for more information on NLA and its benefits:
To avoid the Windows Security pop-up in Use Case #2, configure SSO (single sign-on) in the Terminal Services Resource Profile or in the bookmark settings on the role.
From the admin console:
- Navigate to Users > [User Role] > Terminal Services > Sessions or Resource Profiles > Terminal Services Resource Profiles.
- From the list, select the corresponding bookmark or resource profile.
- In the Session section, enter credential variables or values:
- If the PCS login and RDP session credentials are the same, enter <USER> in the Username field, then select Variable Password and enter <PASSWORD> in the Variable Password field.
- If the PCS login and RDP session credentials are different, enter the actual username and domain values in DOMAIN/USERNAME format (e.g. ACMEGIZMO/test) and manually enter the password in the Password field.
For user created bookmarks:
- Log in to the PCS device.
- From the landing page, click the Item Properties icon for the TS bookmark.
- Under the Session section, enter the username and password for the RDP session.
- Click Save Changes.