Pulse Policy Secure VM Setup and Config-1 Update
Virtual Machine
Initial Setup and Configuration Guide
Contents
Introduction
Prerequisites
Overview
Introduction
Pulse Policy Secure is a Network Access Control (NAC) solution built for the next generation of networks. Pulse Policy
Secure delivers an easy-to-use BYOD ready granular access control solution that is context aware, identity enabled,
location and device based for the most complex datacenter and cloud environments. Pulse Policy Secure enables safe,
protected network and cloud access for a diverse user audience over a wide range of devices.
This document will guide the user through the setup of Pulse Policy Secure (PPS) Virtual Machine (VM) from initial install
to first end-user login to the PPS.
The configuration steps assume the PPS will be run as a virtual machine. If using a physical box, proceed to Section 2
(CLI Configuration).
Overview
1) Installation of the VM
2) CLI Configuration
a. Network Setup
b. Admin Account Setup
c. Self-Signed Certificate Creation
3) Profiler Configuration
a. Discover devices using DHCP
b. Discover devices using SNMP
4) PPS Configuration
a. Configuration Verification
b. PPS Package Update
c. System Local End-User Account Creation
d. Realm and Role Configuration
5) End-user Login
a. Clientless Login
b. Pulse Desktop Login
6) Log View and Policy Trace
Optional secondary DNS server, mandatory DNS domain(s) and optional WINS server.
Once the certificate has been created, PPS initial setup will be complete. The device will reboot and you will be able to
access it using the web-based Admin Console via https://<ip address or FQDN>/admin.
Section 3: Pulse Profiler Configuration for Device Visibility
Pulse Policy Secure has built-in device profiling that can automatically detect and classify all devices on the network
using DHCP-fingerprinting, SNMP discovery, and HTTP-UA fingerprinting.
Once you are logged in to the web-based Admin Console, you now need to configure the built-in Profiler using the
following 5 steps:
1. Navigate to Authentication > Auth Servers page.
2. Select Local Profiler from the server type drop-down and click New Server.
3. Enter a name for the Auth. server.
4. Click Browse and upload the device fingerprints package.
5. Click Save Changes to save the configuration settings. Please note this
operation may take a few minutes to complete.
Discover devices using DHCP
Devices on the network that have DHCP-based IP addresses are automatically profiled by Pulse Profiler as they
connect to the network. However, to enable this type of profiling, you need to ensure that all the DHCP requests are
forwarded to the internal port of Pulse Policy Secure – this configuration needs to be done on one or more switches in
your network. Use the commands in the table below to configure the switch(es).
Configure DHCP relay on switches to forward DHCP packets to Pulse Policy Secure.
Navigate to System > Reports > Devices Discovery for initial views of devices on the network. The discovery process
typically takes a few minutes to a few hours depending on the network complexity.
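DHCP fingerprinting in general keys on the client's request options, chiefly the order of option 55 (Parameter Request List), which is why the relayed requests have to reach the profiler. The sketch below is an added example, not Pulse Secure code or part of the original guide; it parses a constructed relayed DHCPREQUEST, and the function names, MAC address, relay address and option values are assumptions made for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: marks the start of the options field

def parse_dhcp_request(packet: bytes) -> dict:
    """Pull out the fields DHCP fingerprinting usually keys on."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: too short or bad magic cookie")
    hlen = min(packet[2], 16)
    info = {"mac": packet[28:28 + hlen].hex(":"),
            "relay": socket.inet_ntoa(packet[24:28]),  # giaddr, filled in by the relay
            "msg_type": None, "fingerprint": "", "vendor_class": None, "hostname": None}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} runs past end of packet")
        if code == 53 and length == 1:
            info["msg_type"] = data[0]
        elif code == 55:         # Parameter Request List: its order is the fingerprint
            info["fingerprint"] = ",".join(str(b) for b in data)
        elif code == 60:         # Vendor class identifier
            info["vendor_class"] = data.decode("ascii", "replace")
        elif code == 12:         # Client host name
            info["hostname"] = data.decode("ascii", "replace")
        i += 2 + length
    return info

def build_sample_request() -> bytes:
    """Constructed DHCPREQUEST as a relay would forward it (all values are made up)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234ABCD, 0, 0,
                         bytes(4), bytes(4), bytes(4), socket.inet_aton("192.0.2.1"),
                         bytes.fromhex("020000000001"), b"", b"")
    options = (b"\x35\x01\x03" + b"\x37\x06" + bytes([1, 3, 6, 15, 119, 252])
               + b"\x3c\x0e" + b"example-client" + b"\x0c\x06" + b"lab-pc" + b"\xff")
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    print(parse_dhcp_request(build_sample_request()))
```

A request that arrives with a relay address of 0.0.0.0 was not forwarded by a relay agent, which is a quick way to tell whether the switch configuration is taking effect.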
Discover devices using SNMP
1. Select Authentication > Auth Servers > [Local Profiler]. Set the SNMP Poll interval
to 5 mins. Click on Save Changes.
2. Click on the SNMP Device link in the help text for SNMP Poll Interval. Enter
information about the switch. Do not select the SNMP Enforcement check box since
we will use the switch for profiling only.
3. Save the changes. The SNMP Device Configuration table should get updated with
the new switch information. Status should be GREEN.
4. Wait 15 minutes for the new polling interval to take effect, or restart services using
Maintenance > System > Platform > Restart Services button so the new
configuration is active immediately after restart.
Navigate to System > Reports > Devices Discovery to view another set of devices with static IP addresses on the
network. Pulse Profiler will periodically poll the switches to ensure that new devices get profiled as they connect to
the network.
Section 4: PPS Configuration
Once the CLI configuration has been completed, the administrator will have access to PPS web-based Admin Console.
This section will cover the required and optional steps in the PPS configuration process. The first step is an (optional)
package upgrade.
To log in to PPS, open a web browser and go to https://<ip address or FQDN>/admin and input the administrator
credentials defined in the CLI Configuration process. Since we are using a self-signed certificate, you will see a prompt
from the browser asking if you trust this certificate. You can trust it and continue.
Navigate to Maintenance > System > Upgrade/Downgrade. Under “Install Service Package” click “Browse” and select
the new .pkg to be installed. Then click “Install”. The installer will open a loading window; wait for the progress bar to
complete and click Close. Note: do not navigate away from the upgrade page. It will take a few minutes for the install
process to begin.
Once the process is completed, PPS will require a reboot. The system reboot will take a few minutes. Once the process
completes, PPS will again be available via the web browser. You can check on the status from the console window of
Fusion or ESXi.
System Local End-User Account Creation (required) is where the administrator can create end-user login accounts for
the PPS. This can also be done by linking an external authentication server.
Realm and Role Configuration (optional) is where the admin can define Realms and Roles for the end-users. By default,
all users are placed in the Users Realm which will map all users to the Users Role. There is no need to create new realms
or roles at this point.
Note: role-mapping rules can be defined to place users in Roles based on many different attributes, such as username,
certificate or a batch of custom expressions. The Roles will define the level of access to different features and resources
available on the network.
Role-mapping is also configured to allow all users in “System Local” to map to the role “Users”.
Browser-based Connection
We will show how an end-user can log in both via clientless (web browser) and via Pulse on a desktop device. Mobile
devices will use the built-in native supplicant.
The end-users will log in to the PPS at https://<ip address or FQDN>/ using the credentials defined in the System Local
End-User Account Creation process.
After the installation, this is the landing page for the PPS the end users will see upon login. The user session will remain
up as long as the user is on this page.
The policy tracing can be found in Maintenance > Troubleshooting > User Sessions > Policy Trace. Here the
administrator can trace user events to easily locate and resolve issues. Below is an example of an end-user sign-in with
policy tracing turned on.