Starting with Pulse Secure Desktop 5.2R5, a new option was added in the Pulse connection configuration (under Pulse Secure Client) called "Lock down this connection".
Requirements / Limitations:
- Pulse Secure Desktop 5.2R5 or above (Windows only)
- Works with VPN Only Access or Always-On VPN
- Lock down mode is supported only for IPv4 endpoints.
- Configuring a location awareness rule is highly recommended to detect if the endpoint is on or off the corporate network.
- When the location awareness rule is TRUE, the Pulse client will automatically connect. When the VPN connection succeeds, lockdown mode is lifted.
- When the location awareness rule is FALSE, the Pulse client will not automatically connect, and lockdown mode is lifted.
- If no location awareness rule is configured, lockdown mode always remains in place until a successful VPN connection is made.
- Lock down mode is enforced after the end user makes the initial connection to the Pulse Connect Secure device, or after a pre-configuration push. Lock down is not supported or enforced for connections created by the end user.
- If lock down is enforced by another connection and the end user attempts to create and make a connection to a different device, lock down mode remains in place and blocks all network connectivity.
- The Pulse Connect Secure administrator will need to ensure lock down mode is enabled for the configured user role. When the end user connects using a manual connection, the lock down configuration is pushed during the connection, which ensures lock down mode is lifted after the connection is made.
Note: Captive portal remediation with embedded mini-browser and Enable captive portal will be enabled automatically with lock down mode, to ensure the endpoint can connect in captive portal scenarios.
What is Lock Down mode?
Lock down mode is designed to prohibit network communication outside of the VPN tunnel while the Pulse client is attempting to create a VPN connection to the Pulse Connect Secure (PCS) device.
For example, when configured along with Location Awareness rules to determine when the endpoint is off the corporate network, the following steps should occur:
- The Pulse Secure client will automatically attempt to create a VPN connection.
- During the creation of the tunnel, all network traffic from the endpoint is prohibited, except the traffic required to make the VPN connection to the PCS device.
- Once the VPN connection is created, lock down mode is disabled.
While location awareness is not required to enable lock down mode, Pulse Secure recommends configuring location awareness to avoid potential issues. Without location awareness, the VPN connection will not automatically start, and lock down mode will remain in place until a successful VPN connection is made.
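The rules in the Requirements / Limitations list and the traffic behaviour described above can be hard to reason about together (which connection enforces lock down, when it lifts, and what traffic still passes). The following Python model is an added example written for this article; it is not Pulse Secure client code and does not read any client configuration. The Connection fields, the PCS addresses (constructed from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and the meaning "location rule TRUE = endpoint is off the corporate network" are assumptions made for the model, taken from the article's description. Captive portal handling is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass
class Connection:
    """One Pulse connection entry as the client would see it (model, not client code)."""
    name: str
    pcs_host: str                  # IPv4 address of the PCS device this connection targets
    lockdown_enabled: bool         # "Lock down this connection" checked in the connection config
    admin_provisioned: bool        # created by the initial PCS connection or a pre-configuration push
    location_rule: Optional[bool]  # True = off corporate network, False = on it, None = no rule
    vpn_connected: bool = False    # tunnel to pcs_host is up


def should_auto_connect(conn: Connection) -> bool:
    """The client auto-connects only when a location awareness rule evaluates TRUE."""
    return conn.location_rule is True


def lockdown_active(conn: Connection) -> bool:
    """Whether this connection currently enforces lock down on the endpoint."""
    # Lock down is never enforced for connections the end user created themselves.
    if not conn.lockdown_enabled or not conn.admin_provisioned:
        return False
    # A successful VPN connection lifts lock down.
    if conn.vpn_connected:
        return False
    # Rule FALSE (on the corporate network): no auto-connect, lock down lifted.
    if conn.location_rule is False:
        return False
    # Rule TRUE, or no rule configured: lock down stays until the tunnel is up.
    return True


def endpoint_locked(connections: List[Connection]) -> bool:
    """The endpoint is locked as soon as any connection enforces lock down."""
    return any(lockdown_active(c) for c in connections)


def traffic_allowed(connections: List[Connection], dst_ip: str) -> bool:
    """Decide whether outbound traffic to dst_ip may leave the endpoint."""
    if not endpoint_locked(connections):
        return True
    # Assumption (from the article): only traffic needed to reach the PCS device of a
    # locking connection is permitted. A user-created connection to another device does
    # not relax this, so its target is blocked too.
    permitted = {ip_address(c.pcs_host) for c in connections if lockdown_active(c)}
    return ip_address(dst_ip) in permitted


if __name__ == "__main__":
    # Constructed scenario: admin-pushed connection, endpoint off the corporate network.
    corp = Connection("corp-vpn", "203.0.113.10", True, True, location_rule=True)
    # Constructed scenario: the user adds their own connection while locked down.
    mine = Connection("my-lab", "198.51.100.5", True, False, location_rule=True)
    for dst in ("203.0.113.10", "198.51.100.5", "8.8.8.8"):
        print(f"locked={endpoint_locked([corp, mine])} dst={dst} "
              f"allowed={traffic_allowed([corp, mine], dst)}")
    corp.vpn_connected = True
    print(f"after tunnel up: locked={endpoint_locked([corp, mine])}, "
          f"8.8.8.8 allowed={traffic_allowed([corp, mine], '8.8.8.8')}")
```

Walking the model through the article's cases: with the rule TRUE the client auto-connects and only the PCS address passes until the tunnel is up; with the rule FALSE nothing is locked and nothing auto-connects; with no rule the endpoint stays locked but does not auto-connect, which is why the article recommends a location awareness rule. A connection the end user created never enforces lock down, and while another connection enforces it, traffic to the user-created connection's device is blocked as well.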