Reset Search



KB40426 - How to configure Pulse based SAM access to assist Pulse Secure team to debug rewrite issues

« Go Back


Last Modified Date9/27/2017 7:29 PM
This article provides the steps to configure Pulse based SAM for Pulse Secure engineering and support teams to debug rewriter issues. 
Problem or Goal
Why is this necessary and what does Pulse SAM access provide?

The Pulse Secure support and engineering teams need to be able to replicate rewrite issues in-house in order to identify the problem and provide a fix. When the problematic site is configured for access via Pulse SAM on their PCS device, the Pulse Secure team accesses the problematic site via Pulse SAM as a data stream that is not rewritten which allows them to manipulate the data stream with settings on an internal PCS device and duplicate the end-user experience without changing a production environment and does not require multiple live debugging sessions with PCS administrators and end-users.

Note :Without the PSAM access, there could be considerable delay including multiple meeting sessions in arriving at a solution depending on the complexity of the issue at hand.

Will this affect any users and/or impact production in any way?

No.  Pulse SAM can be configured on a separate role and applied to a realm separate from production.  A separate sign-in URL is also created and production users will not be see any differences when signing in or viewing their web portal page after logging in.  Pulse SAM does not affect system performance.  Pulse Secure does not require admin access to be able to debug the issue--only user access via Pulse SAM.
​In debugging rewrite issues Pulse Secure engineering and dev teams require a way to replicate the issue.  Configuring the problem Web resource over WSAM gives Pulse Secure dev team the ability to access the Web content as a direct stream and issue can be reproduced in-house and a fix can be provided.  With WSAM access, the time to resolve a Web rewrite issue is reduced substantially.
  1. Go to Users > User Roles > New User Role to create a new user role named Pulse Secure (for example) , Enable Options > Pulse Secure Client and also enable Secure Application Manager > WSAM on the role.
User-added image
Pulse SAM
  1. Go to Resource Profiles > SAM > WSAM Destinations.
User-added image
  1. Click New Profile.
  2. Provide a name for the profile.
  3. In the WSAM destinations section add the server IP(s) or host names of the site that the rewrite issue is occurring on.  Click Add.  Continue to add sites as needed.
  4. Check the box to Create a SAM access control policy allowing access to these servers.
  5. Click Save and Continue.
User-added image
  1. On the "Roles" page, select the Pulse Secure role that was created in step 1 and apply it to the policy.
  2. Click Save and Continue.
  3. The bookmark configuration page will show the name of the bookmark that will appear on the bookmark page.  When a user clicks the bookmark, Pulse SAM will start up and tunnel the traffic to the specified hosts.
  4. Go to Auth Servers > System Local and add a new user.  This is the user account that Pulse Secure will use to sign-in to the PCS appliance and launch Pulse SAM.
  5. Create a new User Realm named Pulse Secure that authenticates users from the System Local auth server.  
  6. Create a role-mapping rule on the Pulse Secure realm based on username that maps the Pulse Secure user to the Pulse Secure role.  (If you instead choose to configure the role-mapping rule on an existing realm or on a new realm but with an existing role, we recommend that you check the option to "Stop Processing rules when this rule matches".  After saving the changes, move the test rule to the top of the list so that it is not possible for the Pulse Secure user to get mapped to any other roles.)
  7. Go to Signing In > Sign In Policies and create a New URL.  Enter "*/pulsesecuretest" as the Sign-In URL and in the Authentication realm section, select the radio button for "User picks from list of authentication realms" and select the Pulse Secure realm from the Available realms and move it to the Selected Realms. 

Final steps 

  1. Use the Pulse Secure sign-in URL and account access to sign-in, click the web bookmark, and verify the traffic is going over the Pulse SAM tunnel.  Browse to the page that the problem exists with and verify that it is "working as expected" since this is the expected result via Pulse SAM as the traffic is not being rewritten.   
  2. Update the case with instructions for the Pulse Secure support team to follow to replicate the issue once they click the Web Bookmark.  This can also be provided in a Word doc containing screenshots.  
  3. Export the Users config by going to Import / Export > Import / Export Users and save a copy of the User config and upload this to the case.
  4. Contact the Pulse Secure case owner and provide the login details for Pulse SAM access and/or update the case with the details.
Please refer KB40981 - How to capture web traffic using fiddler web debugging tool to help debug rewrite issues for collecting fiddler trace.

Please also refer attached Rewriter Troubleshooting Guide.pdf for troubleshooting assistance
Related Links
Created ByKaren Mayberry



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255