KB43776 - Domain profile does not get assigned once Pulse VPN tunnel is connected.

This article describes an issue with Windows clients that belong to a domain where the domain profile does not get assigned once Pulse VPN tunnel is established.  

 

Windows clients that belong to a domain get assigned a firewall or public profile instead of a domain or private profile once Pulse VPN tunnel is connected.  This can result in the following:
 

• Failure to push GPO's to the client
• Failure to map network drives
• Failure to access domain resources 

Windows computers have a system for detecting internet connectivity known as Network Location Awareness (NLA). It controls many aspects of how Windows categorizes internet connections, such as whether to assign networks as private or public.  Whenever a network change is detected, the nlasvc (NLA service) runs and attempts to authenticate with the AD domain controller that the client PC is a member of.  Upon successful authentication to the domain controller, the user is assigned a domain profile.  If authentication to the domain controller fails, then Windows assigns the user a firewall or public profile which blocks them from accessing domain resources.  

During Pulse VPN tunnel setup, routes are modified, which triggers NLA service to authenticate to the domain controller to assign the proper profile to the user.  If the NLA service completes its connection attempt before the Pulse routes are configured, then a negative DNS entry for the domain controller gets cached on the client PC and once the Pulse VPN tunnel is completely setup, NLA service does not make another attempt to contact the domain controller, which causes the user to get assigned a firewall profile instead of a domain profile.

 

This issue is fixed in the following versions:

Pulse Desktop client 5.3R6 and up
Pulse Desktop client 9.0R2 and up

(Note: It is not necessary to upgrade the PCS OS server version in order to get the fix.  Only the Pulse desktop client needs to be updated).

As a workaround, negative DNS caching can be disabled in the registry.  See How to Disable Client-Side DNS Caching in Windows XP and Windows Server 2003.

 

 KB43703 - DNS client restart after VPN launch is not done on Windows 10 RedStone 3 and above where we have replaced dns client restart logic with "ipconfig /flushdns"