KB44242 - Lock down mode exception rules for Windows endpoints does not work after upgrading to Pulse Connect Secure 9.0R2 - 9.0R4.1 or 9.1R1 - 9.1R2

Last Modified Date: 8/13/2019 5:25 PM
Synopsis
This article describes an issue where lock down mode exception rules for Windows endpoints do not work after upgrading to Pulse Connect Secure (PCS) 9.0R2 - 9.0R4.1 or 9.1R1 - 9.1R2.
Problem or Goal
After upgrading to Pulse Connect Secure 9.0R2 - 9.0R4.1 or 9.1R1 - 9.1R2, lock down mode exception rules configured for Windows endpoints no longer work.

This issue impacts the following scenario:
  • Any versions of Pulse Desktop Client 9.0R4.1 and below (when lock down exceptions are configured) AND Pulse Connect Secure has been upgraded to 9.0R2 - 9.0R4.1 or 9.1R1 - 9.1R2.

This issue does not impact the following scenarios:

Pulse Desktop Client:
  1. End user is running Pulse Desktop Client 9.1R1 and above
  2. Any versions of Pulse Desktop Client for macOS
Pulse Connect Secure:
  1. Any versions of Pulse Connect Secure 9.0R1 and below
  2. Lock down exceptions rules configured for ANY
  3. No lock down exceptions rules are configured
If lock down exception rules for Windows endpoints are used, the recommendation is to upgrade the Pulse Desktop Client or apply the workaround given in the Solution field.
Cause
The issue occurs due to a behavior change during the upgrade process to Pulse Connect Secure 9.0R2 - 9.0R4.1 or 9.1R1 to 9.1R2 where the platform attribute was changed from 'win' (for 9.0R1 and below) to 'windows' (for 9.0R2 - 9.0R4.1 or 9.1R1 - 9.1R2).

In the debug log.log, the following entry will appear when the lock down mode exception rules are skipped and not applied:
PulseSecureService.exe ConnectionManager p2144 tB48 ConnectionManagerService.cpp:2822 - 
'ConnectionManagerService' skipping lockdown exception [TestLockdownPolicy] as this is
not supported for client platform
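
To find endpoints where exception rules are being skipped, the client debug log can be searched for the entry above. The following is an added example, not code from Pulse Secure; it assumes the entry may be wrapped across lines as shown here, and the rule name "ExampleRule" and the second sample line are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample: the entry quoted in this article (wrapped as shown there),
# one made-up unrelated line, and one made-up single-line entry for a
# hypothetical rule named "ExampleRule".
SAMPLE_LOG = """\
PulseSecureService.exe ConnectionManager p2144 tB48 ConnectionManagerService.cpp:2822 -
'ConnectionManagerService' skipping lockdown exception [TestLockdownPolicy] as this is
not supported for client platform
PulseSecureService.exe ConnectionManager p2144 tB48 (constructed) connection state changed
PulseSecureService.exe ConnectionManager p2144 tB48 ConnectionManagerService.cpp:2822 - 'ConnectionManagerService' skipping lockdown exception [ExampleRule] as this is not supported for client platform
"""

# \s+ between words also matches line breaks, so a wrapped entry still matches.
SKIP_RE = re.compile(
    r"skipping\s+lockdown\s+exception\s+\[(?P<rule>[^\]]+)\]\s+as\s+this\s+is\s+"
    r"not\s+supported\s+for\s+client\s+platform"
)


def skipped_lockdown_rules(log_text):
    """Return a Counter mapping rule name -> number of 'skipping' entries."""
    return Counter(m.group("rule").strip() for m in SKIP_RE.finditer(log_text))


def scan_file(path):
    """Scan a log file on disk. The encoding is an assumption, so bytes that
    cannot be decoded are replaced instead of aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return skipped_lockdown_rules(fh.read())


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise run on the sample above.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else skipped_lockdown_rules(SAMPLE_LOG)
    for rule, count in sorted(hits.items()):
        print(f"{rule}: skipped {count} time(s); check the rule's platform attribute")
    sys.exit(1 if hits else 0)  # non-zero exit when any rule was skipped
```

Each rule name reported is one whose exception is not being applied on that endpoint.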
Solution
To resolve this issue, please upgrade to the following Pulse Desktop Client releases:
  • Pulse Desktop Client 9.1R1 
  • Pulse Desktop Client 9.0R5 (Tentative week of 17th September 2019)
The latest Pulse Desktop Client will accept either platform attribute (of win or windows) without having to make any changes to Pulse Connect Secure configuration.

Workaround:

If upgrading the Pulse Desktop Client is not possible, create new lock down mode exception rules for Windows Platform. When new lock down mode exception rules are added to the Connection Set, the platform parameter will be win, not windows.
 
{
    direction: "outbound"
    local-ip-addresses: "*"
    local-ports: ""
    name: "TestLockdownPolicy-new"
    platform: "win"
    program: ""
    program-hash: ""
    protocol: "TCP"
    remote-ip-addresses: "*"
    remote-ports: "4334"
}

Note: A reboot of the end user machine will be required after applying the workaround to download the new connection set.
Created By: Mahendra Patel