Pulse Connect Secure: Release Notes PCS 8.2R5 Build 49363

Pulse Connect Secure
Release Notes
PCS 8.2R5 Build 49363
Release, Build
Published
Document Version
Pulse Connect Secure Release Notes
INTRODUCTION .................................................................................................................................................... 3
HARDWARE PLATFORMS ..................................................................................................................................... 3
VIRTUAL APPLIANCE EDITIONS .............................................................................................................................. 3
UPGRADE PATHS ................................................................................................................................................... 4
GENERAL NOTES .................................................................................................................................................... 4
NEW FEATURES IN THIS CURRENT 8.2R5 RELEASE .............................................................................................. 5
NOTEWORTHY CHANGES ....................................................................................................................................... 6
FIXED ISSUES IN CURRENT 8.2R5 RELEASE ............................................................................................................. 7
KNOWN ISSUES IN CURRENT 8.2R5 RELEASE ......................................................................................................... 7
NEW FEATURES IN 8.2R4 RELEASE ..................................................................................................................... 11
FIXED ISSUES IN 8.2R4 RELEASE ........................................................................................................................... 12
KNOWN ISSUES IN 8.2R4 RELEASE ....................................................................................................................... 12
FIXED ISSUES IN 8.2R1.1....................................................................................................................................... 22
NEW FEATURES IN 8.2R1.................................................................................................................................... 23
KNOWN ISSUES IN 8.2R1...................................................................................................................................... 25
FIXED ISSUES IN 8.2R1 ......................................................................................................................................... 28
DOCUMENTATION .............................................................................................................................................. 29
DOCUMENTATION FEEDBACK .............................................................................................................................. 29
TECHNICAL SUPPORT ........................................................................................................................................... 29
REVISION HISTORY ................................................................................................................................................ 29
© 2016 by Pulse Secure, LLC. All rights reserved 2

Introduction
This document is the release notes for Pulse Connect Secure Release 8.2. This document
contains information about what is included in this software release: supported features,
feature changes, unsupported features, known issues, and resolved issues. If the
information in the release notes differs from the information found in the documentation set,
follow the release notes.
Hardware Platforms
You can install and use this software version on the following hardware platforms:
 MAG2600, MAG4610, MAG6610, MAG6611, MAG SM160, MAG SM360
 PSA300, PSA3000, PSA5000, PSA7000F, PSA7000C
To download software for these hardware platforms, go to:

https://www.pulsesecure.net/support/
Virtual Appliance Editions

This software version is available for the following virtual appliance editions:
 Demonstration and Training Edition (DTE)
 Service Provider Edition (SPE)
The following table lists the virtual appliance systems qualified with this release.
Platform Qualified System
 HP ProLiant DL380 G5 with Intel(R) Xeon(R) CPU

VMware
 ESXi 6.0, 5.5U3, 5.5
 CentOS 6.6 with Kernel cst-kvm 2.6.32-504.el6.x86_64

 QEMU/KVM v1.4.0
KVM  Linux Server Release 6.4 on an Intel Xeon CPU L5640 @ 2.27GHz
o 24GB memory in host
 Allocation for virtual appliance: 4vCPU, 4GB memory and 20GB disk space
Hyper-V  Microsoft Hyper-V Server 2012 R2
To download the virtual appliance software, go to: https://www.pulsesecure.net/support/

Upgrade Paths
The following table describes the tested upgrade paths.
Release Description
8.2Rx You can upgrade to 8.2R5.
8.0Rx or 8.1Rx You can upgrade directly to 8.2Rx simply by installing the 8.2Rx update.
Earlier than 8.0Rx or

First upgrade to release 8.0Rx or 8.1Rx; then upgrade to 8.2Rx
8.1Rx
Pulse Secure Desktop

5.2Rx Client Software Refer to the Pulse Secure Desktop Client 5.2 release notes.
Upgrade
Note: If your system is running Beta software, roll back to your previously installed official software
release before you upgrade to 8.2R5 This practice ensures the rollback version is a release suitable for
production.
General notes
1. For policy reasons security issues are not normally mentioned in release notes. To find
more information about our security advisories, please see our security advisory page
2. In 8.2R1.1 and above, all PCS client access binaries (Network Connect, WSAM, Host
Checker, JSAM, Windows Terminal Services, Citrix Terminal Services) are signed with a
SHA-2 code signing certificate to improve security and ensure compatibility with
Microsoft OS’s 2016 restrictions on SHA-1 code signing. This certificate will expire on
Jan 13, 2019.
Important note: Windows 7 machines must contain a March 10, 2015 Windows 7 Update
in order to be able to accept and verify SHA-2-signed binaries properly. This Windows 7
update is described here and here. If this update is not installed (in other words if a
Windows 7 machine has not received an OS update since March 10, 2015), then PCS
8.2R1.1 and later will have reduced functionality (see PRS-337311 below). (As a
general rule, Pulse Secure, LLC recommends that client machines be kept current with
the latest OS updates to maximize security and stability).
3. In 8.2R1 and 8.2R1.1, the Pulse Linux client packages will not be available under the
Admin installer’s page. However, the 8.1R7 Pulse Linux client is compatible with PCS
8.2R1 and 8.2R1.1. The previously downloaded/installed Pulse Linux clients will also
work with 8.2R1 PCS.
4. In 8.2R2, the 8.1R8 Pulse Linux client package (both RPM and Debian packages) are
available under the Admin installers page.
You can also download the Pulse Linux client packages from the Pulse Secure
Licensing and Download Center, under the download section for PCS 8.1R7 and

8.1R8.
5. When custom ciphers are selected, there is a possibility that some ciphers are not
supported by the web browser. Also, if any of ECDH/ECDSA ciphers are selected, they
require ECC certificate to be mapped to the internal/external interface. If ECC certificate
is not installed, admin may not be able to login to the box. The only way to recover from
this situation is to connect to the system console and select option 8 to reset the SSL
settings from the console menu. Option 8 resets the SSL setting to its default. So, the
previously set SSL settings are lost. This is applicable only to Inbound SSL settings.
6. Pre-5.0 Android and pre-9.1 iOS devices don’t support Suite B ciphers. So if Suite B is
enabled, Pulse client on pre-5.0 Android and pre-9.1 iOS devices will not be able to
connect to PCS device.
New Features in this current 8.2R5 release

The following table describes the major features that are introduced in this release.
Feature Description
DNS resolution for hostname with IPv6 addresses is supported from this release.
IPv6 support for DNS  Enables admin to configure DNS servers with IPv6 addresses.
 Allows applications to resolve IPv6 resources using DNS server.
Active Directory Standard mode authentication server is extended to support IPv6 based
IPv6 Support for Active Directory backend servers from this release. Authentication and Authorization features supported
Server with IPv4 will work with IPv6. Dual mode, IPv4 only and IPv6 only based interfaces are
supported with this feature.
RADIUS authentication server is extended to support IPv6 backend server deployments.

IPv6 support for RADIUS
Authentication and Authorization features supported with IPv4 will work with IPv6.
The Pulse Cloud Secure technology provides seamless and secure access to cloud-
based applications. With this PCS release, end users with iOS, Android mobile or
Windows, and Mac desktops can now connect to enterprise cloud/SaaS applications
through Single Sign-on.
The following capabilities are available as a part of the Cloud Secure technologies:
 Single Sign-On to Cloud Applications like Salesforce, Dropbox with PCS as IDP
Cloud Secure
through SAML assertion
 Office 365 Single Sign-On with PCS as IDP
 Compliance check and failure notification support with Pulse Workspace as
MDM server for mobile devices and Pulse Client for desktop users.
 Role Based Access Control for the Cloud applications
 Dashboard support for cross platform visibility

Feature Description
This release supports TOTP authentication by using the Google Authenticator algorithm for
generating shared secret keys and tokens. User can deploy Google Authenticator as a multi-
factor authenticator within PCS.
 Google Authenticator works as an additional authentication mechanism.
 A new user can register in the following ways:
Google Authenticator 2FA  Using single barcode: Click on “Scan Barcode” and then point your
Integration camera at the QR code on your computer screen.
 Using manual entry: Click on “Manual Entry” and enter the email address
of your Google Account. Then, enter the secret key on your computer
screen into the box next to the key and select "Done".
Currently, this feature is supported with-in a cluster boundary and cannot work with
standalone that works behind load balancer.
PCS and PPS support sending admin-access, user-access, events and sensors logs to
admin-configured syslog servers. Currently, if a TCP|TLS syslog server becomes unreachable
(due to a network outage or due to a syslog server outage), the logs getting logged in
Fault-tolerance for TCP and TLS PCS/PPS during this time are not sent to the syslog server.
Syslog Servers This feature helps the syslog server to recover the logs lost during a disconnect. The
administrator can configure fault-tolerance on syslog serves by enabling this option from the
admin UI. PPS/PCS reads the lost pending logs during a disconnect from the log disk and
transports them to the syslog server on a reconnect.
IKEv2 EAP-TLS is a mutual authentication method that uses certificate based authentication
Mobility Support for IKEv2 mechanism. This release extends current IKEv2 EAP authentication framework to support
authentication with EAP-TLS EAP-TLS authentication method. Adding this feature support allows mobile devices supporting
IKEv2 EAP-TLS to authenticate and securely connect to VPN.
The “Pulse Application Launcher” (PAL), which launches and installs Pulse Secure desktop
Pulse Application Launcher for
clients via browsers without relying on Java or ActiveX technologies, has been enhanced to
Firefox
support the Firefox browser (release 45.0).
Pulse Policy Secure leverages OPSWAT integration for endpoint desktop compliance
evaluation. With this release the newer version of OPSWAT v4 will be used as the earlier
Integration with new
version will be EOL by end of 2016.
OPSWAT SDK v4
Note: Kindly ensure that all the servers and clients are upgraded prior to switching on the
OPSWAT v4
Noteworthy changes
With OPSWAT v4 SDK new product support list is being worked upon and updated by
OPSWAT periodically, which is delivered as part of ESAP. In case any issue observed
related to compliance evaluation or remediation for any specific product, then do ensure t hat
latest ESAP is applied or switch to OPSWAT v3 SDK.

Fixed Issues in current 8.2R5 release

The following table lists issues that have been fixed and are resolved by upgrading to this release.
Problem Report Release Note

Number
PCS-3384 Admin Log not updated when multiple monitor option is enabled/disabled
While using the floating toolbar for HTML5 access feature, you may notice a small black strip on the
PRS-340765
extreme right side of the browser. Moving the floating toolbar to the left will render it properly.
Chrome browser does not go to home page automatically after user clicks on Terminal Service
PRS-339514
bookmarks. As a workaround, user need to manually click the link provided to go to home page.
PRS-339296 PCS does not send syslog traffic through internal port, if mgmt port is disabled.
Cache cleaner doesn't clean up the Recycle bin and the folder data when we sign in and sign out from
PRS-341030
IE browsers.
Watchdog restart webserver on setting encryption strength as Suite B and RSA cert is configured for
PRS-340481
internal port
PRS-339052 PPS granular cipher: 8021.x is not honoring SSL settings configured in admin UI
PRS-339434 XML Import of User Realm fails, if User-agent-pattern contains starting or trailing whitespaces
Pulse and other clients cannot be launched from chrome browser when PFS or SuitB ciphers are being
PRS-340387 used on the 8.2R3 SA and end users already have older version of Pulse application launcher installed
on their machines.
In the situation that “weak ciphers not allowed” option is disabled before upgrading to 8.2R3,
PRS-341306 configuration is exported before any update to the ciphers, this exported configuration would fail to be
imported again later.
PCS-4045 HTML5 Error messages which get displayed after session disconnect are not localized.
PRS-341379 End-user cannot install host checker component and Pulse Client using Firefox ESR 45
PRS-330382 Intermittent false positive SNMP alert as ifAdminStatus down.
Known Issues in current 8.2R5 release

The following table lists Known issues in 8.2R5 release.
Problem Report Description

Number


Number
Warning or Error message may not be seen while disabling IPv6 on management port or disabling port
PRS-343499 from Admin UI or through XML import. This happens when AAA traffic over management port is
configured for Administrative network.
PRS-342734 Configuration Mismatch happens when HTML5 Access is selected in User Role (upgrade bug).
Import of security/ssl-options XML from older (7.x/8.1) version on to 8.2R5 causes "Custom cipher does
PRS-342551
not match the available selection" error.
When the login to Node A is not followed by a clean logout and closure of the browser, a login of the
same user to Node B does not reflect recently deleted bookmarks in the user session. Instead, the
PRS-339873
bookmarks from Node B get synced back to Node A. This happens whenever there is a warning that
'User Record Synchronization’ is in progress.
With Legacy NC client, QR code will not be shown in TOTP registration page. As workaround users
PCS-4584
need to enter secret key manually.
PCS-4579 Syslog FT: Need to provide drop-down box for configuring FT settings for all the cluster members.
SSH rewriting prompts to accept fingerprints of SSH server. There is no functional impact and the
PRS-342154
workaround is to accept the prompt and proceed with the connection.
PRS-343579 During reboot, sequence of timing may lead to pareventd process crash, but there is no user impact.
After importing binary user config, the device might be unreachable. This is an intermittent issue and
PRS-345028
admin will need to restart services to bring the device back up.
When TOTP auto-unlock feature is enabled, the locked out TOTP users will be automatically unlocked
PCS-4583
only upon their next login attempt after lock period expires
With Legacy NC client, QR code will not be shown in TOTP registration page. As workaround users
PCS-4584
need to enter secret key manually.
When accounting is enabled for PCS then for WSAM users accounting stop message may not be sent
PRS-344821
for WSAM session.
Symptom:
Host-Checker fails to launch on Mac OS.
Conditions:
If custom sign-in pages from pre-8.2R5 is used, and the pulse connect secure is upgraded to 8.2R5 or
PRS-344892 later.
Work Around:
After upgrading to 8.2R5 or later, if Custom sign-in pages are used, it is required for the Admins to
download the new sample.zip file from Authentication->Sign in->Sign-in-Page, merge your changes in
new custom sign-in page, and upload the modified file.
User may not be able to use WSAM on Windows Redstone.

PRS-341802 This is the restriction of driver signing imposed by operating system. Workaround is there but since it is
risky for system it is not recommended.


Number
Whenever two VDI terminals are opened in chrome/Firefox/Edge one after the other, the second VDI
terminal shuts the first one. This means, we can access only the second VDI terminal but not the first
PRS-338371
one. Note that this issue will occur when working on chrome/Firefox/Edge which is using the PSAL
component for launching clients. There is no problem in opening two VDI terminals in IE.
Whenever PCS's end user configuration is set to Chinese simplified, and PSAL is opened through
PRS-336184 Chrome browser on a Chinese PC, the characters on the PSAL dialog box appear in Chinese traditional
but not Chinese simplified.
Certificate authentication configuration for Linux client is not supported and might result in a crash on
PRS-343838
cent OS 6.4.
Auto uninstall of NC might fail due a timing issue. Workaround is to try the sign-out operation second
PRS-344167
time.
For Cloud Secure, in case for a single PWS user with more than 5 devices are registered, then for that
PRS-343759 specific user the authentication token may not get pushed to the mobile device resulting to failure in
o365 access
For Cloud Secure, on Windows 10 desktop the PSAL has to be pre-installed for seamless SSO access
PRS-342249
of the thick applications.
In the Cloud Secure dashboard, the statistical chart data represents the cloud applications specific
PRS-344470
information and not the ECP flow data of o365 access on mobile devices.
Live upgrade of IF-MAP serer is not supported and will cause downtime. An upgrade should be
PRS-303232
scheduled for off hours, a time when the minimum number of users will be affected.
PRS-324568 Guest user sessions are reported as "802.1x Auth" in "Auth Mechanism" chart on dashboard
Symptom:
Some of the syslogs are not received in the TCP|TLS syslog server after a re-connect.
Conditions:
PRS-342658
- Fault Tolerance feature is enabled for the TCP|TLS syslog server
- TCP|TLS syslog server is down, and comes back after a while
- PCS/PPS re-transmits the syslogs generated during the syslog server downtime
- New logs are generated when the PCS/PPS is retransmitting the pending logs
iOS user when tries to join secure meeting it fails. They see an error "Exceeds license for number of
PRS-342845
users".
Samba diagnostic log to troubleshoot Active Directory Server will log

PRS-343655 “NT_STATUS_INTERNAL_ERROR” when using Kerberos only Authentication protocol.
It will not harm the functionality of Active Directory Server features with this error logging.
Configuration distribution of 'Pulse Collaboration' using Pulse One may fail with an error "Please specify
a Room for the Meeting Name". A workaround is to not include 'Pulse Collaboration' in the configuration
PRS-344139
settings used for the group by editing the appliance group from the Pulse One console, and try
configuration distribution again.


Number
PRS-342944 Configuring DNS servers with IPv6 addresses for Layer 3 VPN tunneling is not supported.
With OPSWAT Patch Management Host Checker policy, the missing patches will be detected only with
PRS-309431
admin privileges for SCCM 2012 and SCCM 2007.
For Host Checker with Bit Locker Encryption software, the encrypted drives will be reported as encrypted
PRS-318679
only when these drives are in Unlocked state.
In some Windows machines it takes around 20 minutes for detecting missing patches, which is the
PRS-339456 Microsoft OS behavior. The same will be observed with Host Checker Patch Management policy
evaluation as well.
When the same Pulse Client is connected to multiple PPS/PCS servers with different OPSWAT versions
3 and 4, then the compliance evaluation would be done using the server configured OPSWAT version.
PRS-344555 The compliance evaluation will be conducted in sequence as for each server connection respective
server specific version will be downloaded. Its recommended to switch on the OPSWAT v4 SDK post all
the servers are upgraded.
With V3 and V4 SDK, we require admin privileges to turn on the MAC In Built firewall as part of
PRS-343928
remediation.
BitLocker Encryption status won't get detected if we run with restricted user privileges on Windows
PRS-343232
machine.
Symptom:
Unable to manage PCS config through NSM. PCS returns 'No IVE data Version' rpc error.
Conditions:
PRS-345193 PCS is running 8.2R5 and later
NSM Admin trying to change PCS config and trying to update device through the NSM Client.
Workaround:
None
With Google Chrome browser, Host Checker failures does not changes the role on PPS until Host
PRS-344807
Checker times out.
Cluster may split during archiving. In the situation when cluster did split, it recovers within a minute. The
probability of cluster split is higher in the situation where additional Pulse package is uploaded to PCS,
and User Record is scheduled to be archived at the same time as one or more items in the archive
configuration page. To work around this issue, the following is recommended: 1. Remove unnecessary
PRS-341063
Pulse client package from PCS. The Pulse client package can be downloaded from Pulse Secure
support site whenever it is needed; 2. Schedule archiving in a way that each selectable item in the
archive configuration page is archived at different time – either different hour of the day, or different day
of the week. Resolution for this issue is been worked on and will be released soon.
In 8.2, if there is one or more role configured with 2000+ ACLs, after users from the role with 2000+
PRS-342396 ACLs establish VPN connection, users from the next role unable to establish VPN tunnel. Resolution for
this issue is been worked on and will be released soon.

New Features in 8.2R4 release

Feature Description
1. When NDcPP option is enabled, only NDcPP allowed crypto algorithms are
allowed.
Changes made to be compliant 2. Device certification 3072 bit key length support
with NDcPP certification 3. Device certification revocation check
4. Client cert auth for syslog certification revocation check.
Note: NDcPP certification in progress.
The Pulse Linux client now supports the following operations to be done through the UI
1. Connection management (add/edit/delete connections)
2. Connect/disconnect to VPN
Pulse Linux client UI
3. Check VPN status and statistics
4. Upload logs to PCS
5. Configure the client log level
Pulse Linux client has been qualified for the following MFA mechanisms
1. RSA (software token and hardware token)
Support for multifactor
2. Duo Security
authentication with Pulse Linux
3. Safenet
client
4. But the Pulse Linux should be able to support other MFA methods too as the
client uses web based UI to authenticate into the PCS
Pulse Linux client supports the system proxy in the following modes
1. Manual configuration
2. Auth proxy
Support for system proxy in
3. Pac file configuration
command line mode
In this release, there are some limitations in running the Pulse Linux client in UI mode with
system proxy configured. Command line mode of the client does not have those limitations
and it works.

Fixed Issues in 8.2R4 release


Number
PRS-337187 Dsserver tasks issues seen and they are having timeout/disconnect issues for Pulse Mobile
PRS-340595 PCS reports it cannot verify Pulse One certificate despite correct certificate was loaded.
PRS-339030 Some Pulse users are unable to access resources intermittently.
PRS-342088 After 8.2R3 ran a few days without user access, there is a bug causes admin and user unable to login.
Known Issues in 8.2R4 release


Number
When CA Certificate Policy is set to fail that causes the certificate authentication through other CAs to
PRS-341792
fail.
Adding a connection with duplicate name closes the connection creation window after the warning in
PRS-341773
Pulse Linux client
PRS-341921 Pulse Linux client does not automatically reconnect during the network outages.


Feature Description
Previously JSAM component is unable to establish a connection with a backend server

Support proxy Authentication for when a proxy server is present in the middle.
JSAM when using NTLM With this feature, this limitation will be removed and JSAM will be able to handle the
proxy authentication challenge from the proxy server successfully.
Secure Access - Support for

Dual monitor configuration when User should be able to stretch the display into multiple monitors.
using Windows Terminal Admin will be able to configure the option as part of RDP profile selection
Services
RSA SecurID Risk-Based Authentication is a token less, multi-factor enterprise

RSA Risk Based authentication solution that uses risk scoring to determine that users are who they say
Authentication(RBA) support they are while preserving the username and password login experience. Provides a
with PCS Cluster token alternative – token less authentication is a convenient way for your users to
authenticate securely, via a web interface, without the need for a token.
Hyper-V is another hypervisor that we must support as part of extended platform

support for virtual appliances.
Secure Access - Support for
Note: Kernel Watchdog is not supported on Hyper-V platforms. In PCS/PPS, on
Hyper-V hypervisor
Maintenance->system->options page kernel watchdog checkbox is grayed out.
Transition or first step to provide Azure support
Pulse Cloud Secure technology provides secure access to the cloud, while offering
additional benefits. With this PCS release, we are delivering Cloud Secure tech
preview. End user with iOS devices can now connect to enterprise cloud/SaaS
application in a seamless and secure fashion.
Cloud Secure – Solution Tech Following capabilities are available as part of Cloud Secure technologies
Preview  Single Sign On of Cloud Applications like Salesforce, Dropbox with PCS as
IDP through SAML assertion
 Office 365 Single Sign On with PCS as IDP (through SAML ECP support)
 PulseOne as MDM server integration with PCS to provide compliance check
of iOS device during authentication
1. SA Admin, can configure SA as IdP for SAML SSO easily.

2. End users can do SSO in the application without being prompted for
Cloud Secure - SAML changes passwords.
for Secure Access 3. End user can login to end application behind rewritter/PTP on being
redirected from Enterprise Landing Page.

Feature Description
This feature provides ability to select specific ciphers and order the ciphers with
preference orders. There is an Inbound SSL option tab as well as an Outbound SSL
Granular Cipher Configuration option tab. The Inbound SSL tab controls all incoming SSL traffic; the Outbound SSL
option controls the outbound SSL connections from PCS: connection to SCEP server,
Syslog server, and rewriter and ActiveSync connections.
This feature allows the end user to create and edit bookmarks and access them over
RDP via HTML5. When an admin enables this feature, the end user can perform the
following:
• Create/Update bookmarks
HTML5 RDP – End User can • Enable/Disable SSO based Authentication
create HTML5 access • Enable/Disable accessing resource operation like file transfer, printing etc.
bookmarks • Select the Encryption type
• Set the remote program options.
Note that creating HTML5 based user bookmarks for Terminal services sessions is not
supported on mobile devices, however end users can create these from a Windows or
Mac machine and access the bookmarks from your mobile device.
Currently support of following applications:

 Policy Server 12.5 SP3/SP4
 VmWare View client 2.X , 3.X
Third Party Applications
 Sharepoint 2013 SP1
Support
 Storefront 3.1 (Beta)
 Windows 10 (Threshold 2)
 OWA 2016 (via Rewriter and PTP)
Enhance UX - Fail open if User will be able to launch PCS jar files even if the certificate expired but were signed
certificate used for signing jar files when the certificate had a valid timestamp.
has expired.


Number
In the admin UI, longer role names are not completely visible under available roles on resource policy
PRS-338476
page.
PRS-339141, PRS- Enabling Suite B or PFS option causes some clients fail to connect to PCS. Known clients that fail to
338701, PRS-339321, connect include but not limited to the following: Network Connect client, Pulse Collaboration client, WSM
PRS-339405, PRS- client, VDI client, Host Checker, WTS client and Pulse Mobile Android version 4.4.4. A warning will be
339133, PRS-339161 added in the future on the configuration page to alert admin of the potential.


Number
PRS-339254 3072 bit is shown erroneously as one of the possible key length for certificate.
PRS-339328 FIPS ON Mode allows RC4 Ciphers in TLS1.1 and TLS1.2 Custom Settings.
On Windows 10, unable to launch previous component (prior to 8.2) when 8.2 Installer Service is
PRS-339024
installed.
If you download Pulse 5.2 package from the my.pulsesecure.net site, then upload it to your PCS, then
make it your active version, then browse to: Maintenance > System > Installers and attempt to download
PRS-336902
either the Windows or Mac Pulse installer, you will see a blank white page and no client installer will be
downloaded.
PRS-340498 Citrix listed Apps are not launching with IE and FF
PRS-340349 CTS custom ICA bookmark with SSO does not work
PRS-340253 NC service not starting after upgrading from 7.1R2
PRS-339600 Domain name parameter is not passed for WTS after upgrading to 8.2R1.1
PRS-337893 Remote App is not launching when the "Launch seamless window" option is set on WTS bookmark
PRS-337999 Support for configuring RDP with custom port
PRS-336856 Suppressing the certificate warning for the WTS
Non authenticated users were unable to join meeting with "Edge" and "Chrome" browser in absence of
Pulse Secure Application Launcher already installed on the PC.
PRS-338691
Workaround:
User can manually download and install Pulse Application Launcher from the meeting-join page.
Problem:
Pulse Connect Secure gateways version 8.2 and later are unable to web-deploy version 5.1 and earlier
Pulse Secure desktop clients.
Symptoms:
When attempting to web-deploy a pre-5.2 Pulse desktop client from an 8.2 PCS gateway, the end user's
web browser will hang on "Launching Pulse Secure".
PRS-337378
Workaround:
There are a number of recommended workarounds:
1) Install the Pulse Secure 5.1RX client using the MSI file, then connect to 8.2R1. This could be done
either by manually invoking the MSI file, or, by leveraging a software distribution system like SMS.
2) Connect to a 8.1RX PCS gateway and get Pulse 5.1RX web deployed, then connect to an 8.2R1
gateway after deployment.



Number
In admin UI, "Allowed servers (and ports)" configuration from "Role | SAM | Applications | WSAM
Allowed Servers" page, allows incorrectly formatted "server-port" values to be saved. When this
PRS-340573
incorrect configuration is exported (XML) from one appliance and tried to import on the other appliance,
import operation will fail due to the incorrectly formatted "server-port" values.
PCS-3384 Admin Log not updated when multiple monitor option is enabled/disabled
HTML5 RDP If you have switched you primary and secondary mouse clicks of the mouse, HTML5
PRS-340760
access feature does not recognize these changes.
While using the floating toolbar for HTML5 access feature, you may notice a small black strip on the
PRS-340765
extreme right side of the browser. Moving the floating toolbar to the left will render it properly.
Chrome browser does not go to home page automatically after user clicks on Terminal Service
PRS-339514
bookmarks. As a workaround, user need to manually click the link provided to go to home page.
Symptom:
PCS does not send syslogs to remote syslog server
Conditions:
1) Management port is enabled on the PCS.
2) PCS connects to Remote Syslog Server through management port.
PRS-339296
3) Admin disables management port.
4) PCs is expected to send traffic through internal port. However, it does not.
Workaround:
Make changes in any of the syslog server entries (eg. change facility or connection type). This should
trigger the PCS to re-establish the connection with the Syslog Server, and start sending syslogs.
Symptom: Cache cleaner doesn't clean up the Recycle bin and the folder data when we sign in and sign
out from IE browsers
Conditions:
PRS-341030
1) Create a cache cleaner policy to empty the recycle bin and custom folders
2) From the endpoint, connect to PCS from IE browser and then sign out.
3) Cache cleaner doesn’t clean up the Recycle bin and the custom folders
Symptom:
Guest OS name shows as Other Linux(32bit) for VA-SPEs deployed on VMware ESXi
Conditions:
PRS-334398 PCS running pre-8.2 and deployed on VMware ESXi, and upgraded to 8.2.
Workaround:
It is only a display issue. Kernel would be upgraded to 64-bit after upgrade to 8.2.
Freshly deployed VA-SPE using 8.2 OVF will not exhibit this issue.


Number
Symptom:
PCS does not send syslogs to remote syslog server
Conditions:
1) Management port is enabled on the PCS.
2) PCS connects to Remote Syslog Server through management port.
PRS-339295 3) Admin disables management port.
4) PCs is expected to send traffic through internal port. However, it does not.
Workaround:
- Make changes in any of the syslog server entries(eg. change facility or connection type). This
should trigger the PCS to re-establish the connection with the Syslog Server, and start sending
syslogs.
When Suite B is enabled, only ECC ciphers were enabled. At this point, ECC certificate must be
configured for all ports, including internal ports. If RSA certificate is configured for internal port by
PRS-340481 mistake, this prevents any connections to PCS, including watchdog connection. Because
Watchdog fails to connect to webserver, it thinks webserver is unresponsive thus restarts
webserver.
Cache cleaner does not perform the cleaning when user signs out from IE browser. If user
PRS-341029
connects and signs out from PCS again, then the cleaning is performed.
When CC Proxy with NTLM authentication is configured with domain\user, user will not be able to
PRS-338642
access resources via JSAM.
Pre-5.0 Android and pre-9.1 iOS devices don’t support Suite B ciphers. So if Suite B
PM-1972 is enabled, Pulse client on pre-5.0 Android and pre-9.1 iOS devices will not be able
to connect to PCS device.
PRS-339052 PPS granular cipher: 8021.x is not honoring SSL settings configured in admin UI.
Symptom:
XML Import of User Realm fails, if User-agent-pattern contains starting or trailing whitespaces
Workaround:
1. If user agent has a trailing space, add a leading space also.
PRS-339434
2. If user agent has a leading space, add a trailing space also.
This will ensure the XML import goes through.
This will not be seen if the user-agent-pattern does not have any trailing/leading
spaces also.
The PSAL client installed in previous release (before 8.2R3) doesn’t support Suite B or PFS
ciphers, thus auto-upgrade to 8.2R3 doesn’t work. If user had PSAL clients installed, there are two
PRS-340387 options:
1. Do not enable PFS or Suite B ciphers until all users upgraded PSAL to 8.2R3 version.
2. User must download PSAL from a 8.2R4 PCS device and install manually.


Number
In the situation that “weak ciphers not allowed” option is disabled before upgrading to 8.2R3,
configuration is exported before any update to the ciphers, this exported configuration would fail to
PRS-341306
be imported again later. To work around this issue, 1) make a modification on the cipher selection
page; or 2) manually update the value of “weak ciphers not allowed” in XML file to be enabled.
PRS-339683 Cloud Secure dashboard is not displaying failed App details.
PCS-4045 HTML5 Error messages which get displayed after session disconnect are not localized.
When launching HC on MAC using the safari browser, at times if PSAL download prompt is looping then
PRS-341427
kill the PSAL process and launch the HC again
End users logging in from Firefox ESR browser using java delivery (Firefox version 45 and above + Java
8 Update 91) will see prompt to save Setup Client Installer if Host Checker is configured. They can
PRS-341379
save and cancel the installer file and click on the link “Once java is installed and enabled, please Click
here to continue” for continuing the login.
If a user with restricted permissions creates a Secure Meeting and attempts to allow a remote user to
PRS-340749 control a window associated with privileged process (the “Grant Control” function), the remote user will
not be able to manipulate that privileged window.


The following table describes the major features that are introduced in 8.2R2 release.
Feature Description
This Pulse Secure Linux Client feature is to support java-free host checking functionality on
Linux. Pulse Secure Linux Client checks endpoint properties for file, process and port rule
Linux command line client
types to allow access to protected resources. Pulse Secure Linux Client. Host Checker
Host Checker
functionality complies with the standards produced by the Trusted Network Connect (TNC)
subgroup of Trusted Computing Group.
The 8.2r2 Pulse Connect Secure gateway now supports custom sign-in pages for the Pulse
Secure desktop client. (Previously, custom-sign-in pages were supported only for the
Network Connect client.) Custom sign-in pages allow for the creation of HTML authentication
Custom Sign-in Page and password-management screens to provide customized localization, online help, error
messages, server redirection, and page styles using CSS (cascading style sheets). This new
support for the Pulse desktop client is identical to that of the custom-sign-in-page support in
the Network Connect client.
VMWare Horizon view

In this release, user can launch virtual desktop using Horizon view client 2.x or 3.x
client 2.x and 3.x support


Number
PRS-322363 Webserver process restarts under heavy load.
The user access log may show a mismatched logged in username between ActiveSync user and PCS
PRS-329411
username.
PRS-331805 Online help for Network Connect on MAC OSX is missing.
For Network Connect and Pulse VPN users, if a user session ends during a DHCP renew transaction, a
PRS-332212
process crash may occur causing IP addresses to not be provisioned from the DHCP server.
PRS-333721 The Network Connect GINA tile is not present on Windows 10 clients.
PRS-334156 Improved Pulse One related error messages in the event log.
When using the following rewriter settings, a POST request results in an Internal Server Error:
PRS-334161 Unrewritten pages open in new window
Action = Don’t rewrite (with redirect)


Number
While connecting from Pulse client after session resumption, realm information is missing from user
PRS-335285
access logs.
PRS-335517 System snapshot failing intermittently from serial console, whereas it works fine through the admin UI.
The configuration XML that is uploaded to Pulse One is not consistent, causing Pulse One to see
PRS-336161
configuration changes or conflicts which do not actually exist.
Internal error seen when saving changes under User Roles --> Files --> Options page for Roles with
PRS-336255
Files options disabled
PRS-336378 When using the rewriter, uploading attachments in Lotus Notes 9 fails when using Internet Explorer.
XML Import of LDAP Server duplicates the user-attributes. This issue can cause issues with Pulse One
PRS-336944
being out of sync with the master appliance.
PRS-337120 When VLAN/source IP is set on the role, accessing protected resources fails.
PRS-337315 XML import fails when Pulse One tries to distribute a SAML authentication server.
PRS-337334 User attributes in the hostname/IP field for HTML5 RDP bookmarks is not supported.
PRS-337496 Registering with Pulse One may result in slow memory leak.
PRS-337742 Options in user role and XML schema for HTML5 Access are missing.
PRS-337752 Unable to connect with Windows Terminal Services (WTS) using a custom port (other than port 3389)
Google font style (Oxygen) used in the new admin interface requires the device to have access to the
PRS-337870
Internet.
PRS-337911 Pre-authentication sign-in notification appears twice when custom sign-in page are used.
VPN users that are mapped to roles which are configured with ACLs containing IP ranges are unable to
PRS-337924
establish a VPN tunnel.
PRS-338062 PCS shows a blank page with "Content-type: text/html" during login.



Number
If a system configuration file that does not contain Pulse One registration data is imported into a PCS
PRS-339822 appliance that is registered with Pulse One then the resulting appliance will not be registered with
Pulse One but will have Pulse One related processes running. These extraneous processes can
impact performance on the device. We therefore recommend that you Clear Configuration on the Pulse
One Settings page in the admin console before importing the system configuration file.
Active VDI sessions are not listed in SA admin "Active Virtual Desktop Sessions" if end user connects
PRS-338204
with Horizon view client 2.x or 3.x
Users are unable to connect to multiple VDI or Terminal Service bookmarks when logged in using the
PRS-338370
Chrome browser.
PRS-338646 With View 3.x client users are not able to enter valid credentials if SSO fails.
View client 3.x fails to launch virtual desktop if proxy is configured in client machine.
PRS-338270 This is a VMWare Limitation. Here is the KB from VMWare:

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=208996
9
User access log records the connection broker IP rather than the desktop IP in the successful
PRS-338277
connection message.
The Pulse desktop client does not honor the idle-session timeout in ESP mode when the idle-session timeout is
PRS-331861
greater than 16 minutes.
The VMware View client fails to be installed when the following is true: Firefox or Edge browser is used
PRS-338197
AND the delivery option is configured as “Access the URL through the Pulse Connect Secure”.
PRS-338362 An SSL error may be seen after clicking on a VDI bookmark when using VMware View 3.x.
A PCS or PPS with the IVS license installed is unable to connect to Pulse One. The license cache may
PRS-335995 need to be reset by importing a system.cfg without an IVS license in order to successfully register the
appliance with Pulse One.
PRS-337815 The Pulse Secure client for Linux does not support periodic Host Checker updates.
PRS-335901 Pulse Linux client does not support Multi-Factor Authentication (MFA).
PRS-338860 Pulse Linux client does not support client certificate authentication.


Number
PRS-337981 Pulse Linux: Pulse Client does not print any error when user attempts to establish duplicate tunnels.
The VPN clients on Linux, both the 64-bit Pulse Linux client and the 32-bit Network Connect client, do
PRS-336407
not support configurations where the proxy is placed between PCS and protected resource.
PSD-1177 Pulse Secure client for Linux does not utilize the system proxy settings.
PRS-337937 Pulse Secure client for Linux shows does not disconnect after uploading logs to the PCS gateway.
The Pulse service used by the Pulse Secure client for Linux does not stop automatically if the tunnel is
PRS-337741
destroyed due to network connectivity failure.
The Pulse One configuration settings were part of user settings until 8.1R6 of PCS; and from 8.1R7 of
PCS these settings are part of the system settings. The Pulse One configuration settings will be
PRS-336136
overwritten when a user settings configuration from 8.1R6 or lesser version, is imported to 8.1R7 or
higher. XML import of Pulse One configuration settings are not affected by this change.
Fixed Issues in 8.2R1.1

The following table lists issues that have been fixed and are resolved by upgrading to 8.2R1.1 release.

Number
When using the new admin UI and there is more than one page of role mapping rules, clicking “Save
PRS-337308
Changes” causes some rules to be removed without log messages.
On 32-bit Windows machine, users received "An authentication error has occurred" error message when
PRS-337010
launching Windows Terminal Services bookmark if admin enabled Windows Terminal Services client
logging.
PRS-336843 Source IP Restrictions do not activate as expected.
A new feature in 8.2r1 shows a warning in the Admin UI if the insecure RC4 cipher is enabled. This new
feature does not properly detect when RC4 is enabled when hardware acceleration is turned on. If
PRS-335501
hardware acceleration is not enabled, or the device does not have the hardware accelerator installed,
the feature works as expected.
PCS (part of A/A cluster) that is registered, connected with Pulse One, may cause a cluster split
PRS-336158
(possibly after a long run).
On the Admin login page with multiple realm selection option, the first realm selection is not reflected on
PRS-331800 UI but it does login to the selected realm. User can clean the browser history to overcome this UI
behavior.
Remote desktop protocol (RDP) client restriction bypass issue. Please see
PRS-337032
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40166 for more details.

New Features in 8.2R1

The following table describes the major features that are introduced in 8.2R1 release.
Feature Description
Due to the end of ActiveX and Java support on many browsers, an alternate solution is provided in this
release for the proper launching of client applications such as Pulse Desktop Client.
Pulse Secure
This release uses a custom URL, pulsesecure://, to deliver and launch client applications. When
Application Launcher
invoked, the custom URL will automatically trigger new application – Pulse Application Launcher.
(replacement for
The Pulse Application Launcher has the ability to accept the parameters from the user’s browser and
NPAPI)
launch the client application.
This solution currently works on Chrome on Windows OS and Safari on Mac OS X.
iOS Support for

accessing
RDP/Telnet/SSH In this release, users can access remote sessions using iOS.
sessions using a
HTML5 browser
IPv6 SNMP Support PCS can send and receive SNMP alerts via IPv6 interface configured at the trap server.
Update “Last VPN The “Last VPN Connect” attribute in LDAP is updated when a user logs in. Admins can then run
Connect” time "reaper" scripts against their Active Directory and remove users that may not have logged in since "X"
attribute in LDAP number of days.
Windows 2012 R2
Windows 2012 R2 is now qualified with Pulse Connect Secure 8.2 software (auth only).
Support
RSA Auth Manager

RSA Auth Manager is now qualified with Pulse Connect Secure 8.2 software.
8.1
Network level
authentication support Windows Terminal Services (WTS) now supports Microsoft’s Network Level Authentication.
for WTS

Feature Description
Description
 Users can launch RDP, Telnet, and SSH sessions via admin-created bookmarks.
 Single sign on and NLA (Network Level Authentication) is supported by default.
 Admin can configure screen resolution, color depth, DPI and additional settings as outlined in
the admin guide when creating the bookmarks.
 Users can transfer files from local machine to the remote machine and vice versa.
Support for accessing o If the admin has enabled it, a special G:\ drive is available in the remote machine.
RDP/Telnet/SSH This drive contains a folder called "Download". Any files dropped in this folders are
sessions using automatically transferred between local and remote machines.
HTML5-compliant  Users can copy and paste text from local machine to remote machine and vice versa
browsers o Users can bring the clipboard access screen to the foreground by clicking on Ctrl +
Alt + Shift. This will automatically include clipboard data that exists in the remote
machine...to be transferred to the local machine.
Supported Operating Systems
 The solution works on all supported browsers (Internet Explorer, Safari, Chrome) that run on
desktop operating systems such as Windows, OS X and Linux.
 The solution works on Android OS and iOS.
The PCS administration web UI look and feel has been redesigned to improve the user interface
experience. In PCS 8.2 release, user will have option to choose new user interface or switch to the
classic user interface. The default UI is the new user interface. To use this new web UI, the PCS
UX admin revamp
device must be connected to the external network. If the PCS device does not have connectivity to the
external network, then the new user interface cannot be used and the classic user interface must be
used.
Citrix Xen 7.6,

Citrix XenApp 7.6 and StoreFront 2.6 & 3.0 is now qualified with Pulse Connect Secure 8.2 software.
StoreFront 2.6 & 3.0
VMWare Horizon
VMware Horizon View 6.0.1, 6.1 & 6.2 HTML 5 access is qualified with Pulse Connect Secure 8.2
View 6.0.1, 6.1 & 6.2
software.
HTML5 access.
When a certificate has expired or is about to expire, there is currently no notification available to the
admin to take corrective or preventive action to renew certificates. The “Certificate Expiration Warning”
Certificate expiration
feature provides the admin with a warning at the time of login. Also, the admin can query the
warning
certificates about to expire in a configured number of days for the type of certificates that are of
interest.
Windows 10 support Microsoft’s latest Windows release, Windows 10, is qualified with Pulse Connect Secure (Only IE 11
browser).
OCSP logging With the Online Certificate Status Protocol (OCSP) Logging Enhancement feature, the admin will be
able to see the username, OCSP responder IP address and certificate serial number in the OCSP logs.
With this information, the admin will be able to debug any OCSP related issues by correlating Connect
Secure user access logs and logs from OCSP responders. In addition to that, admin will be able to filter
all the OCSP related logs for a particular user for debugging OCSP related issue related to that user.

Feature Description
AES is preferred over

RC4 AES is a preferred cipher over RC4. Ie. If a client that supports both AES and RC4 connects to PCS,
AES is used.
RC4 Warning A new feature in 8.2r1 shows a warning in the Admin UI if the insecure RC4 cipher is enabled. This
new feature does not properly detect when RC4 is enabled when hardware acceleration is turned on. If
Known Issues in 8.2R1


Number
When a two node SM-360 cluster is subjected to high load (approximately 17,000 users), the clustering
process on one of the nodes is unable to communicate to the other leading to a cluster split and rejoin.
PRS-339416
In such situations, our recommendation is to reduce the load against the cluster by splitting the cluster
into individual standalone devices or by distributing the load across multiple clusters.
In Chrome browser, User is presented with 'Application launcher not installed' page twice when Host
PRS-328634 Checker is enabled along with auto launch of applications such as pulse desktop client or WSAM, This
is due to Chrome issue https://code.google.com/p/chromium/issues/detail?id=468698
Custom Statement-of-Health policies will not function properly on Windows 10 because of Microsoft's
phasing-out of support for the NAP (Network Access Protection) plugin. As such, if you have such a
PRS-330443 policy enabled (to verify, go to the PCS/PPS admin console and look under Authentication->Endpoint
Security->Host Checker Policy->Windows->Rule Settings->"Custom: Statement of Health"), then you
must disable it for all Windows 10 users.
PRS-335517 System snapshot failing intermittently from serial console. Taking snapshot from admin UI works fine.
For Host Checker with Bit Locker Encryption software, the encrypted drives will be reported as
PRS-318679
encrypted only when these drives are in Unlocked state.
With OPSWAT Prebootatch Management Host Checker policy, the missing patches will be detected
PRS-309431
only with admin privileges for SCCM 2012 and SCCM 2007
The Pulse Application Launcher, which assists in the launching of Pulse clients from web browsers,
PRS-336183 displays text in Traditional Chinese when run a Simplified Chinese locale. There is no workaround at
this time to get Simplified Chinese displayed by the Pulse Application Launcher.
In order to make localization work properly for pulse client side applications on Windows platforms, end
PRS-336129 user needs to set correct language for non-Unicode programs under "Control Panel"->"Clock,
Language and Region"->"Region"
On a fresh Windows 10 machine, Network Connect might fail to establish a tunnel for the first time. An
PRS-333621
error message is shown (“timeout" error message). Subsequent tries work fine.


Number
Symptom: Restricted users cannot upgrade the Pulse Secure desktop client.
Conditions: On a Windows machine, if an end user who has restricted permissions (as opposed to
administrative permissions) attempts upgrade the Pulse Secure desktop client from a pre-5.2 version to
a 5.2-or-later version using a web browser, the upgrade will fail with the message "You do not have the
proper privileges to install the application."
PRS-335317 Workaround: There are a number of ways to avoid this issue. The best way is to initiate the upgrade of
the client by launching the client and connecting to the upgraded Pulse Secure gateway (as opposed to
launching a web browser and connecting the web browser to the gateway). This client-initiated
upgrade will complete as expected - it is only web-based upgrades that will not function. An alternative
workaround would be to give the end user administrative privileges before attempting the web-based
upgrade
During the uninstall of the Network Connect (NC) client under certain circumstances on Windows
PRS-334329
machines, end users may be presented with a User Access Control (UAC) prompt.
On OS X, logging out of the user UI may display "Stopping components..." in the browser. Refresh the
PCS-2785
page to log in again.
On OS X, file transfer, when using the new HTML5/RDP feature, does not work when using Safari. The
PCS-2787
workaround is to use Chrome instead.
File transfer (using the new HTML5/RDP feature) does not work if "Disable Audio" option is un-
PCS-2789
checked.
PCS-2790 RDP session through IE11 doesn't play audio since audio codec is not supported.
If printing is enabled, it may allow users to transfer some file types (when using HTML5/RDP feature),
PCS-2791
even if file transfer is disabled.
When encryption is configured for "Standard RDP Encryption" or "TLS Encryption" then Username
PCS-2792 should be configured as <DOMAIN Name>\<Username> and not just <Username>. This is mainly
applicable for servers that are joined to a domain.
On iOS File transfer to/from RDP machine through the Safari Browser does not work. The workaround
PCS-2850
is to use the Chrome browser.
PCS-2851 On iOS, the remote sessions using HTML5/RDP do not include sound.
PCS-2883 Cannot use a variable in the Host Name entry for HTML5/RDP feature.
PRS-332326 Client certificate based authentication using ECC Certificate doesn't work in Safari Browser.
Client certificate authentication doesn't work in Safari Browser when LDAP Server is configured as
PRS-332372
Authentication server along with Certificate based Realm Restriction.
The Certificate Expiration Warning feature will automatically start reporting certificates about to expire 7
PRS-335105 days after installing (or upgrading to) this version. If you need to find out the expiration status
immediately after an install (or upgrade) click on the “Check Now” button.
PRS-335115 Broadcast IP packet through a tunnel from an external client is not forwarded to the backend network.


Number
IPSEC Compression is not available for tunnels formed with 8.2 PCS gateway. IPSEC Compression
PRS-331687 checkbox is removed from the Connection Profiles Web UI page. Customers who has existing configs
with IPSEC Compression will find that tunnels are negotiated with no compression in 8.2.
A new feature in 8.2r1 shows a warning in the Admin UI if the insecure RC4 cipher is enabled. This
new feature does not properly detect when RC4 is enabled when hardware acceleration is turned on. If
PRS-335501
A "500 internal error" is seen when saving changes under User Roles --> Files --> Options page (only
PRS-336255 for Roles with Files options disabled). Issue is seen with new roles created and not with default Users
Roles.
On the Admin login page with multiple realm selection option, with chrome browser the first realm
PRS-331800 selection is not reflected on UI but it does login to the selected realm. User can clean the browser
history to overcome this UI behavior.
On end-user Mac machine, for browser base connections the debug log file is not created if the pulse
PRS-336684 client is not installed on the Mac machine. For troubleshooting purpose the pulse client would need to
be installed on the mac machine.
If multiple realms along with host checker policies are configured for sign-in url, “Endpoint Security
PRS-336333
Status” on Active Users page is shown as “Not Applicable”
Console Protection authenticates with users created in Default Network even when IVE is functioning
PRS-316786
in Administrative Network
SA (part of A/A cluster) that is registered, connected with PulseOne, may cause a cluster split (possibly
PRS-336159
after a long run).
The OCSP Responder URL gets updated in Root CA rather than in Sub CA when Client is
PRS-331122 Authenticated using Certificate Issued from Sub CA which is configured for "Inherit from Root CA"
mode.
PRS-337120 When VLAN/source IP is set on the role, access intranet resources fails.
When launching clients from the browser, a blank page might be seen with “Content-type: text/html”
PRS-337425
before the launch of the client. This blank page will disappear and the client will launch successfully.
Zero downtime for end users during an upgrade of an Active-Active or Active-Passive cluster is not
PRS-337686 available when upgrading from an older release to either 8.2R1 or 8.2R1.1. Post upgrade, the end
users that were connected prior to the upgrade will have to re-authenticate to the PCS device.


Number
As described in the “General Notes” section of this document (search for “SHA-2”), PCS client access
binaries in 8.2R1.1 and later are code-signed with SHA-2 certificates in order to meet new restrictions
enforced by Microsoft operating systems in 2016. This new code-signing feature causes certain
issues with older versions of Windows 7. Specifically, versions of Windows 7 that have not been
patched since March 10, 2015 will not be able to load certain drivers and executables signed with SHA-
2. These unpatched versions of Windows 7 will experience the error “An unexpected error occurred”
when trying to run WSAM. Users’ log files will contain the message:
PRS-337311 “The Juniper Networks TDI Filter Driver (NEOFLTR_821_42283) service failed to start due to
the following error:
Windows cannot verify the digital signature for this file. A recent hardware or software
change might have installed a file that is signed incorrectly or damaged, or that might be
malicious software from an unknown source.”
The workaround for this issue is to update the Windows 7 operating system to include the March 10,
2015 patch that allows for the loading of SHA-2-signed binaries and drivers.
Fixed Issues in 8.2R1

The following table lists issues that have been fixed and are resolved by upgrading to 8.2R1 release.

Number
PRS-316902 Wi-Fi profile with EAP-TTLS can't be configured on Windows 7 client.
PRS-296395 Pulse collaboration is not working correctly with native Mac Book Air 11” resolution 1366x768.
After Windows client onboarded, modifying the Pulse connection set on SA is not reflected on Windows
PRS-316775 client. Re-onboard on Windows client doesn't refresh Pulse connection set either. -- add more detail
about how to get the new Pulse connection set onto Windows client.
License client pulls license count from license server, the client's event log mistakenly shows the license
PRS-319000
count as its user count. The actual user count in system is correct.
In a 2 node cluster, delete all licenses from both nodes, re-import a previously exported config into one
node, parevntd crash was observed, but import completes successfully, pareventd restarts automatically
PRS-318766
and continues without an issue. If only deletes all the licenses for one of the node, dsparevent didn't
crash. The crash was because the cache was not in sync.
Problem: Accessing VMWare Horizon View HTML5 Access 6.0.1, 6.1 and 6.2 via PCS Rewriter throws
PRS-331722
blank Screen.
Going through the huge list of Trusted server CAs to identify expired certificates is tedious so a new filter
PRS-331732
is added in trusted server CA page to show only the expired certificates.

Documentation
Pulse documentation is available at https://www.pulsesecure.net/techpubs/
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the
documentation.
You can send your comments to techpubs-comments@pulsesecure.net.
Technical Support
When you need additional information or assistance, you can contact “Pulse Secure Global
Support Center (PSGSC):
• http://www.pulsesecure.net/support
• support@pulsesecure.net
• Call us at 1- 844-751-7629 (toll-free USA)

For more technical support resources, browse the support (website http://www.pulsesecure.net/support).
Revision History
The following table lists the revision history for this document.
Revision Description
6.0 Sept 2016 8.2R5 update
5.0 June 2016 8.2R4 update
4.0 May 2016 8.2R3 update
3.1 April 11, 2016 Added PRS-339416 under known issues of 8.2R1
3.0 April 1, 2016 8.2R2 update
2.0 February 2016 8.2R1.1 update
1.0 January 7, 2016 Initial publication – 8.2R1

Pulse Connect Secure: Release Notes PCS 8.2R5 Build 49363

Uploaded by

Copyright:

Available Formats

Pulse Connect Secure: Release Notes PCS 8.2R5 Build 49363

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Pulse Connect Secure: Release Notes PCS 8.2R5 Build 49363

Uploaded by

Copyright:

Available Formats

Pulse Connect Secure

© 2016 by Pulse Secure, LLC. All rights reserved 2

 MAG2600, MAG4610, MAG6610, MAG6611, MAG SM160, MAG SM360

 PSA300, PSA3000, PSA5000, PSA7000F, PSA7000C

To download software for these hardware platforms, go to:

Virtual Appliance Editions

 Demonstration and Training Edition (DTE)

 Service Provider Edition (SPE)

Platform Qualified System

 HP ProLiant DL380 G5 with Intel(R) Xeon(R) CPU

 CentOS 6.6 with Kernel cst-kvm 2.6.32-504.el6.x86_64

Hyper-V  Microsoft Hyper-V Server 2012 R2

To download the virtual appliance software, go to: https://www.pulsesecure.net/support/

© 2016 by Pulse Secure, LLC. All rights reserved 3

8.2Rx You can upgrade to 8.2R5.

Earlier than 8.0Rx or

Pulse Secure Desktop

© 2016 by Pulse Secure, LLC. All rights reserved 4

New Features in this current 8.2R5 release

RADIUS authentication server is extended to support IPv6 backend server deployments.

© 2016 by Pulse Secure, LLC. All rights reserved 5

© 2016 by Pulse Secure, LLC. All rights reserved 6

Fixed Issues in current 8.2R5 release

Problem Report Release Note

PRS-330382 Intermittent false positive SNMP alert as ifAdminStatus down.

Known Issues in current 8.2R5 release

Problem Report Description

© 2016 by Pulse Secure, LLC. All rights reserved 7

Problem Report Description

User may not be able to use WSAM on Windows Redstone.

© 2016 by Pulse Secure, LLC. All rights reserved 8

Problem Report Description

Samba diagnostic log to troubleshoot Active Directory Server will log

© 2016 by Pulse Secure, LLC. All rights reserved 9

Problem Report Description

© 2016 by Pulse Secure, LLC. All rights reserved 10

New Features in 8.2R4 release

© 2016 by Pulse Secure, LLC. All rights reserved 11

Fixed Issues in 8.2R4 release

Problem Report Release Note

PRS-339030 Some Pulse users are unable to access resources intermittently.

Known Issues in 8.2R4 release

Problem Report Description

© 2016 by Pulse Secure, LLC. All rights reserved 12

New Features in 8.2R3 release

Previously JSAM component is unable to establish a connection with a backend server

Secure Access - Support for

RSA SecurID Risk-Based Authentication is a token less, multi-factor enterprise

Hyper-V is another hypervisor that we must support as part of extended platform

1. SA Admin, can configure SA as IdP for SAML SSO easily.

© 2016 by Pulse Secure, LLC. All rights reserved 13

Currently support of following applications:

Fixed Issues in 8.2R3 release

Problem Report Release Note

© 2016 by Pulse Secure, LLC. All rights reserved 14

Problem Report Release Note

PRS-340498 Citrix listed Apps are not launching with IE and FF

PRS-340253 NC service not starting after upgrading from 7.1R2

PRS-337999 Support for configuring RDP with custom port