Testing: Pulse Connect Secure 9.0R1

Review by Götz Güttich 

All access routes secured
With Pulse Connect Secure, Pulse Secure provides an enterprise-class VPN for mobile devices and desktops under Android, Chrome OS, iOS, Linux, macOS and Windows. Pulse Connect Secure (PCS) is built to ensure easy, protected access from any endpoint to corporate applications, data, and services whether existing in the data center or in the private cloud, public cloud or SaaS. In our test laboratory, we looked at how user friendly and comprehensive this solution is for hybrid IT secure access.

Pulse Connect Secure is available as either a physical appliance or as a virtual appliance in the company network. It controls the access of users from external networks to the existing services. Optionally, it is also possible to operate the product in a private or public cloud (AWS or Azure). So that all users can access their organization’s resources at all times, the solution offers an extensive feature set. This includes the protection of applications and data that reside in various locations, including SaaS applications such as Office 365.


In addition, there is client-free access via a web interface, integration of services such as Active Directory and LDAP, and support for two-factor authentication, SAML 2.0, PKI and IAM as well as digital certificates. A built-in host checker, which ensures that the connecting device complies with the company’s security requirements, is also part of the feature set. To this end, the system classifies the endpoint devices prior to authentication on the basis of pre-defined policies and only allows access if the conditions within the policies are satisfied.

In addition, there is also secure access to the virtual desktop interface (VDI) from leading manufacturers, such as Citrix XenApp/XenDesktop and VMware Horizon, granular auditing to ensure compliance, the integration of mobile device management products (MDM) and a universal client for both remote and onsite use to ensure smooth roaming. The solution is managed through an intuitive, centralized web interface.

In practice, Pulse Connect Secure works as a layer 3, 4 and 7 SSL VPN with granular access control and as an application VPN that tunnels the traffic between specific applications to certain targets. There is also IPSec/IKEv2 support for mobile devices. In addition, there are split tunneling features, authentication using hardware tokens, smart cards, soft tokens, one-time passwords and certificates, as well as HTML5-based RDP, Telnet and SSH sessions. Granular SSL cipher configuration is also possible.

In Summary
The Pulse Connect Secure VPN appliance is perfectly suited to establishing secure access to company resources over any kind of connection. In our test, the solution scored highly across a very large scope of functions. We covered the client-free and client-based access options, enterprise onboarding, the host checker, the connection sets, and FQDN split tunneling, and found that these comprehensive features offer administrators highly flexible configuration options.

Despite the vast range of applications, data stores, and services, Pulse Connect Secure proved to be relatively straightforward when it came to setup and management. Both the wizards and the extensive documentation are helpful with this. In the test, it was easy to integrate our appliance into the vendor’s central cloud-based management tool Pulse One. Administrators looking for an efficient solution for securing access to their company resources should definitely take a look at Pulse Policy Secure.


The test
In the test, we installed a virtual PCS appliance in our network, configured it, and then accessed our backend services using the VPN it provided. In addition, we also took a close look at the authentication with a local user account and a time-based one-time password with Google Authenticator, the host checking feature, as well as enterprise onboarding. We also worked with various connection sets and analyzed the configuration tool with its scope of functions and its wizards.

The installation of the PCS virtual appliance proved to be relatively easy. Pulse Secure provided us with a pre-configured virtual machine (VM) in OVF format for this purpose, which we imported onto a VMware ESXi host running version 6.7. This host worked with 32 GB RAM and an Intel i7 CPU with eight cores. For the VM, however, we only needed four GB RAM and two virtual CPUs. Once we had powered on the VM after the import, we merely had to accept the licence agreement and enter the network configuration for the internal port.

Initial configuration
In order to start up our system, at this point we began with setting up various user accounts that were allowed to access various resources in our LAN from the WAN. First of all, we generated the accounts, then we defined the approved resources such as web applications, shares and SSH accesses and finally, we defined who could use which resource. The configuration of these points proved to be relatively simple because Pulse Secure had integrated a guide for the initial installation into the web interface, which one simply has to go through step by step.

The user role
The next step involved the definition of the user role. With the user roles, Pulse Connect Secure defines session parameters such as session settings, personalization settings (such as user bookmarks that indicate approved resources) and access functions. With the access functions, the user role merely defines which resources a user can use such as SSH accesses or web applications. It does not, however, define which specific servers the user can communicate with; we configured this policy later on in the scope of the resource profiles.

The user authentication realm
The next configuration step deals with the user authentication realm. We used the previously set-up local authentication as the authentication server for this realm. In addition, at this point in time, we also defined our role mapping rules. These lay down, for example, which user role is allotted to which user. In our case, we generated a rule that the user “gg” was able to work with the user role we had just generated. The role mapping rules do not only work with user names, but also enable the allocation of roles using certificates or expressions of a character string. The system is thus very flexible.

The resource profiles
As soon as we were finished with the definition of our authentication realm, we turned to the configuration of our resource profiles. As already mentioned, these define which specific resources the users can access. In the test, we first generated a resource profile that approved access to the PRTG monitoring server by Paessler working on our local network. As this is managed through a web interface, we selected the resource type “Web App” at this point.

Working with a second authentication server
After completing the initial configuration, we set about refining our settings. To this end, we changed the user authentication so that, in addition to the user name and password, Google Authenticator was also required. To do this, we first installed the Google Authenticator app on a smartphone (Huawei P9 under Android 7). We then defined a new authentication server of type “Google Authenticator” under “Authentication”. No other configuration was necessary. Where necessary, administrators can also limit the number of authentication attempts allowed and adjust other settings.
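What such a second factor checks on the server side, as an added example that is not part of the original review and not Pulse Secure's code: an RFC 6238 verifier using Google Authenticator's defaults (HMAC-SHA1, 30-second step, 6 digits) with a clock-skew window, a replay guard and the attempt limit mentioned above. The `SecondFactor` class, its parameters and the sample secret are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct, time

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 code for Unix time `at` (HMAC-SHA1, 30 s step, 6 digits)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondFactor:
    """Hypothetical verifier: skew window, replay guard, attempt limit."""
    def __init__(self, secret_b32, max_attempts=3, window=1, step=30):
        self.secret, self.step, self.window = secret_b32, step, window
        self.max_attempts = max_attempts
        self.failures = 0
        self.last_counter = -1                   # newest time step already used

    def verify(self, code, now=None):
        if self.failures >= self.max_attempts:
            return "locked"
        now = time.time() if now is None else now
        current = int(now) // self.step
        for c in range(max(0, current - self.window), current + self.window + 1):
            expected = totp(self.secret, c * self.step, self.step)
            if c > self.last_counter and hmac.compare_digest(
                    expected.encode(), code.encode()):
                self.last_counter, self.failures = c, 0
                return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.max_attempts else "denied"

# Constructed sample secret: the RFC 6238 test key, base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    sf = SecondFactor(SECRET)
    print(sf.verify("287082", now=59))   # valid code for this time step
    print(sf.verify("287082", now=59))   # same code replayed
```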

Enterprise onboarding
In the next phase of the test, we assessed the enterprise onboarding function. Enterprise onboarding means that those devices that establish a connection with the system are provided access to the corporate environment in an easy way and ongoing access is further managed by PCS. Specifically, the users can log into the PCS solution with a new device and they then automatically receive Wi-Fi and VPN connection definitions or certificate profiles with which they then use the company resources at work. In addition, with a correctly configured environment, there is no need for action by IT departments.

The host checker
It was now time to take a close look at the scope of functions of the host checker. As previously mentioned, this feature checks whether required security settings and applications such as antivirus software and firewalls are working on the device, and also analyzes the operating system version, the patch level, the browser type and many other requirements. Furthermore, it also conducts a vulnerability assessment to rule out successful malware compromise. If an endpoint turns out to be non-compliant, the host checker has means to try to remediate the issue by updating the software components affected. If that is not successful, the end device can then be moved into quarantine. Alternatively, it will be allowed limited access, depending on the configuration, or will be completely blocked.

The Pulse Secure management console.

The configuration wizards
The management tool provides a variety of wizards to help administrators configure different functions. The first of these serves the step-by-step configuration of the always-on VPNs just mentioned, and we used it in the test for that purpose without any difficulties.

In the first step of the wizard, the system asked us about the connection set to be used for the VPN connection. After that, we were able to define whether the users could establish and cut off VPN connections and whether the individual connections should be secured via the lockdown mode. After that, we were able to configure additional exceptions for the lockdown mode, after which the definition of the VPN was completed and we were able to use it in operation.

The second wizard helped generate user access policies. This allows end users to access the approved resources via the PCS appliance in the way we manually set them up at the beginning of the test. Here, the administrator is led through the configuration step by step. The wizard appears somewhat more efficient than the documentation for the initial configuration we first used, as it simultaneously helped define host checker rules where we required. We would recommend relying on the wizard where possible when conducting a new installation.

FQDN split tunneling
We will briefly cover the split-tunneling function that Pulse Connect Secure provides. Split tunneling is nothing unusual with certain IP addresses or address ranges. It can be used with many products to control access to certain subnetworks using specified tunnels. With the Pulse Secure solution, however, this not only works with IP addresses, but also with FQDN resources (Fully Qualified Domain Name). The product thus enables IT staff to create a rule very simply, which allows the users direct access to the website www.salesforce.com, or similar, for example. There were no difficulties with this in the test.
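The difference between IP-based and FQDN-based split-tunnel rules, as an added example that is not part of the original review: a routing decision that sends listed destinations direct and everything else through the tunnel. The rule format, the `*.` wildcard, the constructed address range and the `example-saas.test` name are assumptions for illustration and do not reflect PCS configuration syntax; the point to note is that FQDN rules are compared label by label, so a look-alike name cannot bypass the tunnel.

```python
import ipaddress

# Hypothetical rule set (not PCS syntax): destinations listed here go direct,
# everything else is sent through the VPN tunnel.
DIRECT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]    # constructed range
DIRECT_FQDNS = ["www.salesforce.com", "*.example-saas.test"]  # "*." = subdomains

def labels(host):
    """Lower-case the name, drop the trailing root dot, split into labels."""
    return host.strip().rstrip(".").lower().split(".")

def fqdn_matches(host, rule):
    host_labels = labels(host)
    if rule.startswith("*."):
        suffix = labels(rule[2:])
        # Whole-label comparison: "evil-example-saas.test" must not match.
        return (len(host_labels) > len(suffix)
                and host_labels[-len(suffix):] == suffix)
    return host_labels == labels(rule)

def route(destination):
    """Return "direct" or "tunnel" for an IP address or host name."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        addr = None                       # not an IP literal: treat as FQDN
    if addr is not None:
        hit = any(addr in net for net in DIRECT_NETWORKS)
    else:
        hit = any(fqdn_matches(destination, rule) for rule in DIRECT_FQDNS)
    return "direct" if hit else "tunnel"  # default: protect via the tunnel

if __name__ == "__main__":
    for dest in ["www.salesforce.com", "www.salesforce.com.attacker.test",
                 "api.example-saas.test", "203.0.113.7", "198.51.100.7"]:
        print(dest, "->", route(dest))
```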

Single sign on
Equally worth mentioning is the single sign-on function briefly described earlier. It ensures that users who have already been authenticated can use approved resources without having to sign on to them again. We used this feature in the test to, among other things, make sure that after logging in, we did not have to enter our credentials again when accessing the Windows Share via the bookmark we previously defined.

About the author and test lab
Götz Güttich is the founder and head of the IAIT Test Laboratory based in Cologne, Germany. Dr. Güttich has been working in the IT sector since 1996 and has conducted extensive testing for leading German network publications. The lab provides independent product tests and analysis for IT professionals as well as consulting projects in the areas of security, networking, storage, cloud and other IT solutions.

WWPI – Covering the best in IT since 1980