In the Pulse Secure Desktop Client 5.2R5 release, Always-On VPN was introduced. This option is designed to ensure that all network traffic is sent through the VPN tunnel, including during the authentication phase. For more information about the Always-On VPN feature, refer to KB40375 - Always-On VPN Feature.
In the Pulse Secure Desktop Client 5.3R1 and Pulse Connect Secure 8.3R1 releases, VPN Only Access was introduced as a separate feature that provides additional flexibility compared to Always-On VPN. The key differences that VPN Only Access provides are:
- Removes the requirement for the connection to be automatic.
- End users can manually connect to and disconnect from a connection.
- Lock down mode must be enabled on all connections when more than one connection is configured.
- Expected behavior: if a connection does not have lock down mode configured, lock down is not disabled or removed when that connection's tunnel is created, so network connectivity remains blocked after the tunnel is established.
- If location awareness is configured, additional consideration is required to ensure that the location awareness rule evaluates to FALSE, so that lock down mode is disabled or removed after the tunnel is created.
- All connections must be pushed from the same server-id.
- Expected behavior: if the server-id does not match, lock down is not disabled or removed when a tunnel is created.
VPN Only Access does not prevent end users with administrative privileges from stopping the Pulse Secure Service or the Base Filtering Engine (BFE), both of which are required to establish a VPN connection. If administrators or end users must be prevented from stopping these services, the endpoint should be joined to the domain so that the following recommendations / restrictions can be enforced through Group Policy:
- Disable Add/Remove Programs for all VPN users (under User Configuration\Administrative Templates\Control Panel\Add/Remove Programs).
- Remove end users' write permissions on the C:\ProgramData\Pulse Secure directory.
- Set the startup type of "Pulse Secure Service" to "Automatic", and remove the permission to start and stop the service from "Administrators".
- Ensure that "SYSTEM" retains permission to start and stop the service.
- Create a "Pulse Secure Admins" group in the domain and assign the permission to start and stop the service to "Pulse Secure Admins". "Domain Admins" and any other group that needs permission to start and stop Pulse Secure can be made members of the "Pulse Secure Admins" group.
- Disable the ability to stop the Base Filtering Engine (BFE) in the same manner as described above for the Pulse Secure Service. BFE is a core Windows service that Windows Firewall and IPsec also depend on, so apply the same startup type and permission restrictions to it.
To restrict the permission to start and stop the service using Group Policy, perform the following steps:
- On a Windows Server 2008, 2012 or 2016 system, install the Wireless LAN Service. If it is not installed, JNPRTtlsProvider.dll will fail to register during the Pulse client installation:
- Open Server Manager
- Select Features > Add Feature
- Select Wireless LAN Service
- Click Install > Close > Done
- Install the Pulse Secure desktop client on the server using the MSI file. The Group Policy editor only lists services that are installed on the machine where it runs, so the client must be present for "Pulse Secure Service" to appear under System Services.
(Note: On Windows Server 2016, JNPRTtlsProvider.dll will fail to register even if the Wireless LAN Service is installed, and an error message will appear during the Pulse client installation. The error can be accepted and the Pulse installation will complete.)
- Once the installation is complete, start the Group Policy Management MMC.
- Navigate to Computer Configuration\Windows Settings\Security Settings\System Services.
- In the right pane, double-click Pulse Secure Service.
- Select the Define this policy setting check box.
- Set the Service startup mode to Automatic.
- Click Edit Security.
- Grant Allow for Start, stop and pause to "Pulse Secure Admins" and remove the permissions for "Administrators".
- Repeat the service-policy steps above (double-click the service, define the policy setting, set the startup mode, and edit its security) for Base Filtering Engine (BFE).
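As an added example that is not part of the original KB article or Pulse Secure's own tooling, the following PowerShell script audits, and optionally applies locally, the service security descriptor that the recommendations above and the Group Policy procedure describe: SYSTEM and a dedicated admin group may start and stop the two services, while built-in Administrators are left with read/query rights only. It assumes a domain group named CONTOSO\Pulse Secure Admins (the domain and group name are placeholders to adjust), resolves the two services by the display names used in this article, and uses only built-in tools (Get-Service and sc.exe sdshow / sdset).

```powershell
# Added example, not from the Pulse Secure KB article. Audits and (with -Apply)
# sets the service security descriptor that the Group Policy procedure above
# pushes, using only built-in tools (Get-Service, sc.exe sdshow / sdset).
# Run in an elevated PowerShell on a test endpoint. Assumptions: the group
# 'CONTOSO\Pulse Secure Admins' exists (placeholder; rename for your domain);
# service names are resolved from the display names used in the KB article.
[CmdletBinding()]
param(
    [string]$AdminGroup = 'CONTOSO\Pulse Secure Admins',   # assumed group name
    [string[]]$DisplayNames = @('Pulse Secure Service', 'Base Filtering Engine'),
    [switch]$Apply                                         # default is audit only
)

# Service SDDL rights: RP = SERVICE_START, WP = SERVICE_STOP, DT = SERVICE_PAUSE_CONTINUE,
# DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, SD = DELETE.
$ControlRights = 'RP', 'WP', 'DT', 'DC', 'WD', 'WO', 'SD'

function Get-ServiceSddl([string]$Name) {
    # 'sc' alone is the Set-Content alias in PowerShell, so call sc.exe explicitly.
    # sc.exe prints an empty line before the descriptor; join and trim it away.
    ((sc.exe sdshow $Name) -join '').Trim()
}

function Get-DaclEntries([string]$Sddl) {
    # Parse 'D:(...)(...)S:(...)' into the ACEs of the DACL only (the SACL is ignored).
    # Rights are expected as two-letter codes; a hexadecimal mask is not decoded here.
    $dacl = ($Sddl -split 'S:')[0]
    foreach ($m in [regex]::Matches($dacl, '\(([^)]+)\)')) {
        $type, $flags, $rights, $null, $null, $trustee = $m.Groups[1].Value -split ';'
        [pscustomobject]@{
            Type    = $type                                          # A = allow, D = deny
            Rights  = [regex]::Matches($rights, '..') | ForEach-Object Value
            Trustee = $trustee                                       # SID or two-letter alias
        }
    }
}

function Test-ServiceHardening([string]$Name) {
    # Hardened = built-in Administrators (BA) hold no control rights and
    # SYSTEM (SY) still holds start (RP) and stop (WP), as the KB recommends.
    $aces = Get-DaclEntries (Get-ServiceSddl $Name)
    $ba = $aces | Where-Object { $_.Type -eq 'A' -and $_.Trustee -eq 'BA' }
    $sy = $aces | Where-Object { $_.Type -eq 'A' -and $_.Trustee -eq 'SY' }
    $baControl = @($ba.Rights | Where-Object { $ControlRights -contains $_ })
    $sySafe = ($sy.Rights -contains 'RP') -and ($sy.Rights -contains 'WP')
    [pscustomobject]@{
        Service            = $Name
        AdminsControl      = $baControl        # control rights Administrators still hold
        SystemCanStartStop = $sySafe
        Hardened           = ($baControl.Count -eq 0) -and $sySafe
    }
}

# Resolve the admin group to a SID; this fails loudly if the group does not exist.
$nt = New-Object System.Security.Principal.NTAccount($AdminGroup)
$groupSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Target DACL: SYSTEM and the admin group may start/stop/pause; Administrators,
# interactive (IU) and service (SU) users are read/query only. DC, WD, WO and SD
# are withheld from BA so a local admin cannot simply rewrite the descriptor.
$targetSddl = 'D:' +
    '(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
    "(A;;CCLCSWRPWPDTLOCRRC;;;$groupSid)" +
    '(A;;CCLCSWLOCRRC;;;BA)' +
    '(A;;CCLCSWLOCRRC;;;IU)' +
    '(A;;CCLCSWLOCRRC;;;SU)' +
    'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'   # keep the default failure-audit ACE

foreach ($display in $DisplayNames) {
    $svc = Get-Service -DisplayName $display -ErrorAction Stop
    if ($Apply) {
        sc.exe config $svc.Name start= auto | Out-Null    # startup type Automatic
        sc.exe sdset $svc.Name $targetSddl | Out-Null     # replace the descriptor
    }
    Test-ServiceHardening $svc.Name                       # report the resulting state
}
```

Run the script without -Apply to audit an endpoint (Hardened is $true only when the descriptor matches the recommendation), and with -Apply to set the same descriptor locally, for example to test the settings before pushing them with the Group Policy procedure. To verify, sign in as a member of Administrators who is not in the admin group: Stop-Service should fail with "Access is denied", while Get-Service still works because READ_CONTROL and query rights were kept. Keep in mind that Group Policy re-applies the System Services policy at each refresh, which reverts local changes, but a local administrator can still run code as SYSTEM (for example through a scheduled task), and SYSTEM retains start and stop rights; these settings raise the bar against casual disabling of the VPN rather than form a hard security boundary.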