


KB40503 - Connectivity to any resource fails when Pulse Secure Desktop client is installed and Lock Down Mode is enabled.



Last Modified Date: 3/1/2018 3:54 PM
This article describes an issue where connectivity to resources fails (for example, Windows logon (Winlogon) and anti-virus (AV) updates) when the Pulse Secure Desktop client is installed and Lock Down Mode is enabled.
Problem or Goal
Example 1:
When the end user attempts to authenticate to a domain with the Pulse Secure Desktop client installed and Lock Down Mode enabled, the following error message appears:
There are currently no logon servers available to service the logon request.

Example 2:
When an end user is attempting to authenticate to a realm with host checker configured and AV compliance checks fail, the end user is unable to download the latest AV definition list.
This issue occurs when all of the following conditions are met:
  • Pulse client connection option for establishing connection is set to "User" mode.
  • Pulse client connection option to "Lock down this connection" is enabled.
  • Pulse has been installed on a domain machine.
  • User can be physically on the network logging on to the domain controller or remotely using cached domain credentials. 
This issue occurs because lock down mode is enabled.  This feature is designed to block all network traffic while the Pulse client is attempting to connect to the Pulse Connect Secure (PCS) device, except:
  • UDP/TCP port 88 (Kerberos)
  • UDP/TCP port 389 (LDAP)
  • TCP port 636 (LDAPS)
  • TCP port 445 (NETBIOS)
  • UDP port 67, 68, 547, 546 (DHCP)
  • TCP port 135 (RPC)
  • TCP port 3268 (Global Catalog)
  • UDP/TCP port 53 (DNS)
  • UDP port 5353 (Multicast DNS)

For Winlogon traffic to be sent successfully from the client to the logon server, the dynamic port range from 1025 to 5000 must be allowed.  This is currently not supported.  For more information, please refer to
To resolve this issue, Pulse Secure recommends upgrading to the following releases:
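To see which of a client's flows fall outside the lock down allow list above, the following added example (not Pulse Secure code) classifies flow records against the ports listed in this article. The record layout, the sample lines and the function names are constructed for illustration, and the 1025 to 5000 range is applied to both TCP and UDP as an assumption.

```python
# Added example: classify flows against the lock down allow list in this article.
ALLOWED = {
    "TCP": {88, 389, 636, 445, 135, 3268, 53},
    "UDP": {88, 389, 67, 68, 547, 546, 53, 5353},
}
DYNAMIC_RANGE = range(1025, 5001)  # 1025-5000, the range the article says is not allowed

# Constructed sample records (hypothetical layout): date time protocol dst-ip dst-port
SAMPLE_FLOWS = """\
# date time protocol dst-ip dst-port
2018-03-01 09:00:01 UDP 192.0.2.10 53
2018-03-01 09:00:02 TCP 192.0.2.10 88
2018-03-01 09:00:02 TCP 192.0.2.10 135
2018-03-01 09:00:03 TCP 192.0.2.10 1026
2018-03-01 09:00:03 TCP 192.0.2.10 3268
2018-03-01 09:00:04 TCP 198.51.100.7 443
2018-03-01 09:00:05 UDP 192.0.2.10 636
"""

def classify(proto, port):
    """Return the lock down verdict for one destination protocol/port."""
    proto = proto.upper()
    # Check the explicit list first: 3268 lies inside 1025-5000 but is allowed.
    if port in ALLOWED.get(proto, ()):
        return "allowed"
    if port in DYNAMIC_RANGE:
        return "blocked (dynamic range 1025-5000)"
    return "blocked"

def triage(text):
    """Parse flow records and return (flow, verdict) pairs."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            results.append((line, "unparsed"))
            continue
        _, _, proto, dst_ip, dst_port = fields
        flow = f"{proto.upper()} {dst_ip}:{dst_port}"
        results.append((flow, classify(proto, int(dst_port))))
    return results

if __name__ == "__main__":
    for flow, verdict in triage(SAMPLE_FLOWS):
        print(f"{verdict:36} {flow}")
```

Flows reported in the dynamic range are the ones that need a lockdown mode exception rule or one of the workarounds.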
  • Pulse Connect Secure 8.3R3 and above
  • Pulse Secure Desktop client 5.3R3 and above
Starting in these releases, lockdown mode exception rules are supported. They let the administrator allow specific programs or ports when lockdown mode is enabled.  For more information about lockdown mode exception rules, please refer to the 5.3R3 Pulse Secure Desktop Client Administrator Guide.

If an upgrade is not possible, please use the following recommended workarounds:
  • Configure the connection set for machine authentication
  • Disable the option "Lockdown this connection" on the Pulse connection set.
Created By: Travis Bradbury