Pulse Policy Secure VM Setup and Config-1 Update

Pulse Policy Secure

Virtual Machine
Initial Setup and Configuration Guide
Contents
Introduction
Setup and Configuration
    Prerequisites
    Overview
    Section 1: Installation of the VM
    Section 2: CLI Configuration (Initial Configuration Wizard)
    Section 3: Profiler Configuration
    Section 4: PPS Configuration
    Section 5: End-User Login
    Section 6: Logs and Policy Trace
    Section 7: Deployment Guides

Introduction
Pulse Policy Secure is a Network Access Control (NAC) solution built for the next generation of networks. Pulse Policy
Secure delivers an easy-to-use BYOD ready granular access control solution that is context aware, identity enabled,
location and device based for the most complex datacenter and cloud environments. Pulse Policy Secure enables safe,
protected network and cloud access for a diverse user audience over a wide range of devices.

This document will guide the user through the setup of Pulse Policy Secure (PPS) Virtual Machine (VM) from initial install
to first end-user login to the PPS.

Pulse Policy Secure – Virtual Machine Setup and Configuration Guide 1


Setup and Configuration
Prerequisites
• A supported hypervisor such as VMWare (Server, Fusion, or Workstation), KVM or Hyper-V
• Pulse Secure Virtual Appliance install package (.ovf) or physical hardware
• Pulse Secure PPS software package (.pkg)
• Pulse Secure Profiler Fingerprint Database package (ps-pps-profiler-fpdb-*.pkg)
• Connectivity to a DNS server

The configuration steps assume the PPS will be run as a virtual machine. If using a physical box, proceed to Section 2
(CLI Configuration.)

Overview
1) Installation of the VM
2) CLI Configuration
   a. Network Setup
   b. Admin Account Setup
   c. Self-Signed Certificate Creation
3) Profiler Configuration
   a. Discover devices using DHCP
   b. Discover devices using SNMP
4) PPS Configuration
   a. Configuration Verification
   b. PPS Package Update
   c. System Local End-User Account Creation
   d. Realm and Role Configuration
5) End-user Login
   a. Clientless Login
   b. Pulse Desktop Login
6) Log View and Policy Trace

Section 1: Installation of the VM


Have the installation package ready, which includes an .ovf file. The installation package can be downloaded from the
Trial website, and may need to be unzipped. The process shown below is for VMware Fusion on a Mac. Importing onto
an ESXi server differs slightly in how the image is selected; the rest of the process is the same.

Import .ovf file: Click ‘Continue’ and then select the location where the virtual machine will be saved.

After the import is finished, the virtual appliance will reboot.

Section 2: CLI Configuration (Initial Configuration Wizard)


Once the appliance has booted up for the first time, it will enter into the initial configuration wizard. The following
information will need to be entered:
• Cluster options or stand-alone server prompt.
• License agreement prompt.
• Internal port IP address, network mask, and gateway.
• Primary DNS server.
• Optional: Secondary DNS server.
• DNS domain(s).
• Optional: WINS server.
• Admin credential creation prompts.
• Self-signed certificate creation prompt.

Cluster options or stand-alone server prompt. Click ‘y’ to configure this appliance as a stand-alone.

License agreement prompt. You can click ‘r’ to read the license agreement or ‘y’ to agree to the licensing.

Internal port IP address, network mask, and gateway.

Primary DNS server.

Optional secondary DNS server, mandatory DNS domain(s) and optional WINS server.

Once networking information is complete – you can confirm.

Admin credential creation prompts.

Self-signed certificate creation prompt.

Once the certificate has been created, PPS initial setup will be complete. The device will reboot and you will be able to
access it using the web-based Admin Console via https://<ip address or FQDN>/admin.
Section 3: Pulse Profiler Configuration for Device Visibility
Pulse Policy Secure has built-in device profiling that can automatically detect and classify all devices on the network
using DHCP-fingerprinting, SNMP discovery, and HTTP-UA fingerprinting.
Once you are logged in to the web-based Admin Console, you now need to configure the built-in Profiler using the
following 5 steps:
1. Navigate to Authentication > Auth Servers page.
2. Select Local Profiler from the server type drop-down and click New Server.
3. Enter a name for the Auth. server.
4. Click Browse and upload the device fingerprints package.
5. Click Save Changes to save the configuration settings. Please note this
operation may take a few minutes to complete.
Discover devices using DHCP
Devices on the network that have DHCP-based IP addresses are automatically profiled by Pulse Profiler as they
connect to the network. However, to enable this type of profiling, you need to ensure that all DHCP requests are
forwarded to the internal port of Pulse Policy Secure. This configuration needs to be done on one or more switches in
your network. Use the commands in the table below to configure the switch(es).
Configure DHCP relay on switches to forward DHCP packets to Pulse Policy Secure.

Switch Vendor   Commands

Cisco           interface <VLAN_NAME>
                ip helper-address <DHCP_SERVER_IP>
                ip helper-address <PPS_IP>

Juniper         set forwarding-options helpers bootp interface <VLAN_NAME>
                set forwarding-options helpers bootp server <DHCP_SERVER_IP>
                set forwarding-options helpers bootp server <PPS_IP>

HP              vlan <VLAN_NAME>
                ip helper-address <DHCP_SERVER_IP>
                ip helper-address <PPS_IP>
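
One way to check the Cisco form of the relay configuration above, as an added example that is not part of the Pulse Secure guide: the script scans an IOS-style configuration for interfaces that relay DHCP to some server but not to PPS, which are the VLANs the Profiler would never see. The sample configuration, the addresses standing in for <DHCP_SERVER_IP> and <PPS_IP>, and the function names are constructed for illustration.

```python
import re

# Constructed sample: Cisco IOS-style running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.0.5
 ip helper-address 10.0.0.20
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.0.5
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
!
"""

def helpers_by_interface(config):
    """Map each interface name to the list of its 'ip helper-address' targets."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = []
        elif line and not line[0].isspace():
            current = None  # "!" or another top-level command ends the interface block
        else:
            m = re.match(r"\s+ip helper-address\s+(\S+)", line)
            if m and current:
                result[current].append(m.group(1))
    return result

def relay_gaps(config, pps_ip):
    """Interfaces that relay DHCP somewhere, but not to the PPS internal port."""
    return sorted(name for name, helpers in helpers_by_interface(config).items()
                  if helpers and pps_ip not in helpers)

if __name__ == "__main__":
    # Assumed addresses: 10.0.0.5 plays <DHCP_SERVER_IP>, 10.0.0.20 plays <PPS_IP>.
    for name in relay_gaps(SAMPLE_CONFIG, "10.0.0.20"):
        print(f"{name}: DHCP is relayed, but not to PPS")
```

Interfaces with no helper at all (Vlan30 in the sample) are not reported, since statically addressed segments are covered by the SNMP discovery described later.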

Navigate to System > Reports > Devices Discovery for initial views of devices on the network. The discovery process
typically takes a few minutes to a few hours depending on the network complexity.
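
What a relayed DHCP packet gives a profiler, as an added example of DHCP fingerprinting in general (not Pulse Profiler's own code or fingerprint format): the parser below extracts the client MAC, the relay address (giaddr), the option 55 parameter request list, the option 60 vendor class and the option 12 hostname from a DHCP payload. The sample DISCOVER and every value in it are constructed.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def parse_options(packet):
    """Return {option_code: value_bytes} from a BOOTP/DHCP payload (UDP data)."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:      # 255 = End
        code = packet[i]
        if code == 0:                                # Pad has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = opts.get(code, b"") + value     # split options are concatenated
        i += 2 + length
    return opts

def fingerprint(packet):
    """Fields a DHCP-fingerprinting profiler typically keys on."""
    opts = parse_options(packet)
    return {
        "mac": packet[28:28 + min(packet[2], 16)].hex(":"),    # chaddr, hlen bytes
        "relay": ".".join(map(str, packet[24:28])),            # giaddr set by the relay
        "prl": ",".join(map(str, opts.get(55, b""))),          # option 55, order kept
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
    }

def build_sample():
    """Constructed DHCPDISCOVER as seen after one relay hop (not a real capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234ABCD, 0, 0,
                         bytes(4), bytes(4), bytes(4), bytes([10, 0, 10, 1]),
                         bytes.fromhex("020000aabbcc"), b"", b"")
    def opt(code, value):
        return bytes([code, len(value)]) + value
    options = (opt(53, b"\x01") + opt(12, b"lab-pc-01") + opt(60, b"MSFT 5.0")
               + opt(55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
               + b"\xff")
    return header + MAGIC + options

if __name__ == "__main__":
    print(fingerprint(build_sample()))
```

The order of the option 55 list is what distinguishes client operating systems, which is why the broadcast has to reach PPS through the relay unmodified.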

Discover devices using SNMP


To discover and profile devices with static IP addresses, you need to add SNMP-enabled switches in the SNMP
management page of the web based Admin Console.

1. Select Authentication > Auth Servers > [Local Profiler]. Set the SNMP Poll interval
to 5 mins. Click on Save Changes.
2. Click on the SNMP Device link in the help text for SNMP Poll Interval. Enter
information about the switch. Do not select the SNMP Enforcement check box since
we will use the switch for profiling only.
3. Save the changes. The SNMP Device Configuration table should get updated with
the new switch information. Status should be GREEN.
4. Wait 15 minutes for the new polling interval to take effect, or restart services using
Maintenance > System > Platform > Restart Services button so the new
configuration is active immediately after restart.
Navigate to System > Reports > Devices Discovery to view another set of devices with static IP addresses on the
network. Pulse Profiler will periodically poll the switches to ensure that new devices get profiled as they connect to
the network.
Section 4: PPS Configuration
Once the CLI configuration has been completed, the administrator will have access to the PPS web-based Admin Console.
This section covers the required and optional steps in the PPS configuration process. The first step is an (optional)
package upgrade.

To login to PPS, open a web browser and go to https://<ip address or FQDN>/admin and input the administrator
credentials defined in the CLI Configuration process. Since we are using a self-signed certificate, you will see a prompt
from the browser asking if you trust this certificate. You can trust it and continue.

Package Upgrade (optional). Note that once you upgrade, there is a rollback option should the administrator wish to
move back to the previous version of PPS.

Navigate to Maintenance > System > Upgrade/Downgrade. Under “Install Service Package” click “Browse” and select
the new .pkg to be installed. Then click “Install”. The installer will open a loading window; wait for the progress bar to
complete and click close. Note: do not navigate away from the upgrade page. It will take a few minutes for the install
process to begin.

During the process, you will see updates on the screen.

Once the process is completed, PPS will require a reboot. The system reboot will take a few minutes. Once the process
completes, PPS will again be available via the web browser. You can check on the status from the console window of
Fusion or ESXi.

Navigate to the Maintenance > System to verify the new package is running. This is also the location for the rollback
option.

System Local End-User Account Creation (required) is where the administrator can create end-user login accounts for
the PPS. This can also be done by linking an external authentication server.

Navigate to Authentication > Auth. Servers and click on “System Local”. You will be taken to the Settings tab.

Click on the “Users” tab. Click “New…” and enter a Username, Password, and Confirm Password. Click “Save Changes”.

You will be returned to the screen showing your new user bob.

Realm and Role Configuration (optional) is where the admin can define Realms and Roles for the end-users. By default,
all users are placed in the Users Realm which will map all users to the Users Role. There is no need to create new realms
or roles at this point.

Note: role-mapping rules can be defined to place users in Roles based on many different attributes, such as username,
certificate or a batch of custom expressions. The Roles will define the level of access to different features and resources
available on the network.

First, navigate to User Roles > User Roles to view the current User Roles.

Next, navigate to User Realms > User Realms. By default the User Realm is created. Note that this realm is using
“System Local” for authentication.

Role-mapping is also configured to allow all users in “System Local” to map to the role “Users”.

By clicking on the role “Users” above, or navigating to Users > User Roles > Roles, you can see that basic connectivity is
configured. However, we need to enable Agentless (or clientless, browser-based) access.

Click on “Users” and then go to the “Agent” tab. By default, “Install Agent for this role” and “Install Pulse Secure client”
are enabled. This means when you attempt the Browser-based connection as seen in Section 4, the Pulse Secure client
will be downloaded to your desktop.

We will need to click on the “Agentless” tab and click “Enabled Agentless Access for this role” and click “Save Changes”.

Section 5: End-User Login

Browser-based Connection
We will show how an end-user can log in both via clientless (web browser) and via Pulse on a desktop device. Mobile
devices will use the built-in native supplicant.

The end-users will log in to the PPS at https://<ip address or FQDN>/ using the credentials defined in the System Local
End-User Account Creation process.

Since we have enabled “Agent” access in Section 3, you will first be prompted to install the Pulse Secure client. This will
only be seen the first time. Once the Pulse Secure client is installed, this step will not be done.

After the installation, this is the landing page for the PPS the end users will see upon login. The user session will remain
up as long as the user is on this page.

Client-based Connection (Desktop)


The end-users may also login to the PPS via the desktop Pulse client. If enabled, the Pulse desktop client will be
downloaded and installed. The connection to PPS will also be automatically configured. In our example, the connection
is called “Test PPS”. Click “Connect” and enter credentials (bob | test123) which were created earlier.

Client-based Connection (Mobile)


Pulse Secure does not provide a mobile client for Policy Secure connections. These connections can be made using the
portal, or using the native supplicant on the iOS/Android device for RADIUS-based or 802.1X deployments.

Section 6: Logs and Policy Trace
This section can assist the administrator in resolving issues with the PPS and end-user login or access issues. The log files
can be found in System > Logs/Monitoring. From here the administrator has access to many forms of logging data,
including event logs and user logs.

The policy tracing can be found in Maintenance > Troubleshooting > User Sessions > Policy Trace. Here the
administrator can trace user events to easily locate and resolve issues. Below is an example of an end-user sign-in with
policy tracing turned on.

Here is a sample of the output from the Policy Trace.

Section 7: Deployment Guides
Once there is basic connectivity, the next step is to decide which PPS functionality to use. PPS can be used as
a standalone RADIUS server. PPS can also be used for SNMP enforcement, along with 802.1X and Layer 3 enforcement
with a Juniper Networks SRX or Palo Alto Networks firewall.

For more information, please go to https://www.pulsesecure.net/policy-secure/
