Pulse One Integration (Deprecated for 21.x)

Overview

The ICS appliance can be integrated with the Pulse Workspace console server to auto-provision workspaces based on a user's group membership and to enable seamless ActiveSync email access for mobile clients. Once this integration is in place, mobile devices that are managed by Pulse Workspace get seamless mail access from the enterprise mail server without requiring users to configure their mail clients.

To configure Pulse Workspace command handlers to auto-provision workspaces or to enable seamless ActiveSync email access for mobile clients, do the following:

1. Register ICS with Pulse Workspace

2. Maintain Notification Channel

3. Renew Credentials

4. Configure User Role (For seamless Active Sync support)

5. Configure LDAP Authentication Servers to use for Group Lookup (For User's group membership-based auto-provisioning)

Register ICS with Pulse Workspace

ICS has to be registered with Pulse Workspace before it can be used for seamless mail access for Pulse Workspace configured mobile devices. On successful registration, Pulse Workspace sends ICS the following information:

The following table lists the Registration Information:

| Registration Information | Description |
|---|---|
| Hawk Credentials | All communication from ICS to Pulse Workspace is authenticated using HAWK. Pulse Workspace sends this information in the registration response. The response consists of: Key; Key Identifier; Message Authentication Code Generation Algorithm. |
| Device Identification Information | Each ICS device is uniquely identified in Pulse Workspace. This identification information is sent to ICS in the registration response to be used in all communications. |
| Notifications Channel URL | To receive any unsolicited notification from Pulse Workspace, ICS creates and maintains a websocket channel with Pulse Workspace. The endpoint URL on Pulse Workspace for this channel is sent as part of the registration response. |
| Base API URL | On receiving any unsolicited notification on the websocket, ICS sends a REST request to Pulse Workspace to fetch additional information. The base URL for these REST APIs is sent by Pulse Workspace in the registration response. |

Maintain Notification Channel

ICS creates a websocket channel with the Pulse Workspace server. Pulse Workspace sends notifications to ICS over this channel. Pulse Workspace tears this channel down once every 24 hours, and ICS needs to reconnect to Pulse Workspace when this happens. The websocket channel is also torn down when the HAWK credentials become invalid.

ICS keeps the websocket channel up all the time and also takes corrective measures whenever there is a disruption on this channel.

Renew Credentials

HAWK credentials sent by Pulse Workspace are valid for 7 days. After this time, the credentials need to be renewed. When the credentials are in renew state, the notification channel will fail and any communication from ICS to Pulse Workspace cannot be authenticated. The existing credentials can only be used to request the new credentials.

HAWK credentials expire after 30 days. Once the credentials expire, ICS needs to be reconfigured and reregistered using a new registration code. This results in new device identification information and new HAWK credentials.

Configure User Role (For seamless Active Sync support)

Configure the user role that will be used for creating the device records on ICS for Pulse Workspace devices. When a workspace is created, Pulse Workspace requests ICS to create a device record so that the mobile device that maps to that workspace can access email using ICS as the ActiveSync proxy. ICS therefore needs to know which role to use when creating the device records. The ICS administrator configures this information using the admin UI.

Configure LDAP Authentication Servers to use for Group Lookup (For User's group membership-based auto-provisioning)

Configure the LDAP authentication server that will be used on ICS to handle group validation requests and user group membership requests from the Pulse Workspace server. The ICS administrator configures this information using the admin UI.

Pulse One Configuration

This section covers the configuration required on ICS to enable it to register with the Pulse Workspace console server.

[Figure: Pulse One Settings]

The following table lists the Pulse One Configuration Details:

| Field | Description |
|---|---|
| Registration URL | This is the URL to which ICS sends the registration request. The format of the URL is https://<PWS API Host Name>/api/v1/register. The Pulse Workspace API Host name is displayed to the administrator when he/she creates an entry for this appliance on the Pulse Workspace console server. |
| Registration Code | This is the code that ICS sends to Pulse Workspace in the registration request. This code is generated and displayed to the administrator when he/she creates an entry for this appliance on the Pulse Workspace console server. |
| Credential Renegotiation Interval | This is the time in days after which ICS automatically does renegotiation of HAWK credentials with Pulse Workspace. |
| Credentials Exchange time | This is the time at which the last successful credential exchange took place. |
| Hashing Algorithm | This is the algorithm used for generating the MAC for HAWK authentication. Currently the only supported value is HS256 which is HMAC using SHA-256. |
| Client Device ID | This is the unique identification information of the ICS device on the Pulse Workspace server. This information is received in the registration response. |
| Notification URL | This is the URL at which the websocket endpoint is present at the Pulse Workspace server. This information is received in the registration response. |
| Registration Status | Reports current status of registration. Gray - not yet registered; Yellow - registration in progress; Green - registered successfully; Red - registration failed/renew credentials/credentials expired. |
| Notification Channel Status | Reports current status of notification channel. Gray - not yet connected/connection not required; Yellow - connection in progress; Green - connected; Red - connection failed. |
| Save Changes | Saves the configuration and triggers registration, if required. |
| Clear configuration | Clears all the configuration and disconnects the notification channel. |
| Renegotiate credentials | Triggers renegotiation of credentials. |

  • Hawk is an HTTP authentication scheme providing a method for making authenticated HTTP requests with partial cryptographic verification of the request, covering the HTTP method, request URI, and host.
  • To back up and restore the Pulse One configuration, the administrator should use the binary export/import of system configuration.
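
The Hawk scheme described in the note above, sketched as an added example; it is not part of the original documentation and is not ICS or Pulse Workspace code. It follows the public Hawk 1.0 normalized request string with HMAC-SHA-256 (the algorithm this page labels HS256); the key identifier, key, host and API path are constructed values.

```python
import base64
import hashlib
import hmac
import re

def hawk_mac(key, ts, nonce, method, uri, host, port, payload_hash="", ext=""):
    """HMAC-SHA-256 over the Hawk 1.0 normalized request string."""
    normalized = "\n".join(["hawk.1.header", str(ts), nonce, method.upper(), uri,
                            host.lower(), str(port), payload_hash, ext]) + "\n"
    return base64.b64encode(
        hmac.new(key, normalized.encode(), hashlib.sha256).digest()).decode()

def hawk_header(key_id, key, ts, nonce, method, uri, host, port):
    mac = hawk_mac(key, ts, nonce, method, uri, host, port)
    return f'Hawk id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

def hawk_verify(header, keys, seen_nonces, now, method, uri, host, port, max_skew=60):
    """Server side: returns (ok, reason). `keys` maps key identifier -> key bytes."""
    scheme, _, params = header.partition(" ")
    attrs = dict(re.findall(r'(\w+)="([^"]*)"', params))
    if scheme != "Hawk" or not {"id", "ts", "nonce", "mac"} <= attrs.keys():
        return False, "malformed header"
    key = keys.get(attrs["id"])
    if key is None:
        return False, "unknown key identifier"
    if not re.fullmatch(r"[0-9]{1,12}", attrs["ts"]) or abs(now - int(attrs["ts"])) > max_skew:
        return False, "timestamp outside allowed skew"
    expected = hawk_mac(key, attrs["ts"], attrs["nonce"], method, uri, host, port)
    if not hmac.compare_digest(expected.encode(), attrs["mac"].encode()):
        return False, "MAC mismatch"  # method, URI, host or port differs from what was signed
    if (attrs["id"], attrs["nonce"]) in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add((attrs["id"], attrs["nonce"]))
    return True, "ok"

# Constructed sample values, not real Pulse Workspace credentials, hosts or endpoints.
KEYS = {"example-key-id": b"constructed-shared-secret"}
REQ = ("GET", "/api/v1/example", "pws.example.com", 443)

def demo():
    header = hawk_header("example-key-id", KEYS["example-key-id"], 1700000000, "n0nce1", *REQ)
    seen = set()
    return [
        hawk_verify(header, KEYS, seen, 1700000005, *REQ),           # fresh request
        hawk_verify(header, KEYS, seen, 1700000006, *REQ),           # same nonce again
        hawk_verify(header, KEYS, set(), 1700000005, "POST", *REQ[1:]),              # method changed
        hawk_verify(header, KEYS, set(), 1700000005, "GET", "/api/v1/other", *REQ[2:]),  # URI changed
        hawk_verify(header, KEYS, set(), 1700000005 + 3600, *REQ),   # stale timestamp
    ]
```

The MAC binds the key to the method, URI, host and port of one request, so a captured header cannot be reused against a different endpoint; the timestamp window and nonce cache limit reuse against the same one.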

Pulse Workspace Handlers

This section covers the configuration of the command handlers that handle the messages received on the notification channel.

[Figure: Pulse Workspace Handlers]

Active Sync Handler Configuration

This section covers the configuration of the activesync command handlers that create/delete the device records in ICS when Pulse Workspace sends a notification.

The following table describes the Active Sync Handler Configuration:

| Field | Description |
|---|---|
| Device Role | This is the role assigned to the device records created by ICS for the Pulse Workspace registered devices. |
| Clear Active sync Device Records | This option would delete all the device records pushed from Pulse Workspace Console Server. |

  • The administrator should ensure that the secure email feature is enabled for this user role.
  • Use the "Clear Active sync Device Records" option only if:
    • This ICS is no longer the active sync provider for the Pulse Workspace Server.
    • You need to troubleshoot Device Record sync-up related issues. In that case, clear all Pulse Workspace onboarded Device Records so that only the valid Device Records are recreated during the next active sync Device Record sync-up. A Device Record sync-up happens when a new workspace is created, when an existing workspace's state is modified, or during the periodic sync-up that the Pulse Workspace server initiates every hour.

Group Lookup Handler Configuration

This section covers the configuration of the group lookup command handlers that validate that a group exists and fetch the user's group membership from the configured backend LDAP server when Pulse Workspace sends a notification.

The following table lists the Group Lookup Handler Configuration:

| Field | Description |
|---|---|
| Available Auth Servers | All the configured LDAP servers are listed here. |
| Selected Auth Servers | Select the LDAP authentication server to handle the Group lookup requests. |

Only one authentication server per domain should be selected.

This functionality is supported only with 'Active Directory' type LDAP server.

To back up and restore the Pulse One command handler configuration, the administrator should use the binary export/import of user configuration.