Installing Pulse One
To install Pulse One, perform the following processes:
- If you want to install Pulse One as an SDP controller, refer to the Software Defined Perimeter documentation.
- You must ensure that each of the three Pulse One interfaces (internal, external and management) is set to a different subnet.
1.Reserve an IP address and a fully-qualified domain name (FQDN) for your appliance's external interface.
For example, 10.64.22.22 and p1.example.com.
2.Configure your DNS infrastructure so that the FQDN resolves to the IP address.
3.Choose a Certificate Authority (CA) to create the Pulse One Appliance's certificate.
Ideally, the CA should be trusted by both browsers and PCS / PPS appliances. To identify the CAs that are trusted by PCS, log into a PCS appliance and navigate to Configuration > Certificates > Trusted Server CAs. The same process can be used for PPS.
4.Install an SSH client (if not already present) on your computer:
•Linux generally includes an SSH client; enter ssh at the shell prompt.
•OSX generally includes an SSH client; start the terminal application and enter ssh.
•Windows 10 generally includes an SSH client; open a command prompt and enter ssh.
5.Connect to the appliance's management interface using an SSH client. If SSH is not possible, you can connect to the serial port using Telnet.
You are prompted for an initial admin username and password.
6.Enter the required information.
You are logged into the CLI automatically.
7.Create a locksmith user account, in case the initial account's credentials are lost. At the Pulse One prompt:
account create locksmith
You are prompted for a password for the new user.
Pulse Secure strongly recommends storing the password securely.
8.Configure the management network interface to use a static IP address rather than DHCP:
network interface management --ip <ip_address> --netmask <netmask> --gateway <gateway_address>
9.Configure the external network interface:
network interface external --ip <ip_address> --netmask <netmask> --gateway <gateway_address>
For example:
network interface external --ip 10.64.22.22 --netmask 255.255.0.0 --gateway 10.64.0.1
The netmask and gateway must be correct for the subnet.
10.Configure the DNS servers:
network dns --primary <ip_address> --secondary <ip_address>
The secondary IP address is optional but recommended. For example:
network dns --primary 10.64.0.10 --secondary 8.8.8.8
11.Review your network settings:
network show
Correct any settings as required.
12.Configure the Simple Mail Transfer Protocol (SMTP) settings. The general syntax is:
smtp set --sender <from_email> --server <server_address> [--port <port_number>] [--username <username> --password] [--tls]
Pulse Secure advises that you always enable TLS to ensure the use of authentication and encryption.
•If your SMTP server does not require a username and password, these can be omitted. For example:
smtp set --sender [email protected] --server smtp.example.com
•If your SMTP server requires a username and password, include these options on the command line, and enter the password when prompted. For example:
smtp set --sender [email protected] --server smtp.example.com --username USERNAME --password
•If your SMTP server requires encrypted (TLS) connections, also include the --tls option:
smtp set --sender [email protected] --server smtp.example.com --username USERNAME --password --tls
For details of the smtp set command’s other options, refer to the Pulse One Command Reference.
13.Configure the Network Time Protocol (NTP) settings:
ntp server <ntp server address> --enable
For example:
ntp server 10.64.72.72 --enable
14.Add license keys:
licenses add <license key>
This step can be done at this time or later.
15.Provision the Pulse One appliance:
system provision <pulse_one_FQDN_lower_case> --admin-username <username> --admin-email <email>
The admin username is for logging into the web UI, and can be different from the username for logging into the CLI. For example:
system provision p1.example.com --admin-username jsmith --admin-email [email protected]
You are prompted for a password. Pulse Secure recommends a strong password.
This step creates a temporary, self-signed certificate. This allows you to connect to the web UI, though you will receive a certificate warning. If you use a private CA, browsers will also present certificate warnings. Certificate warnings indicate risk, so it is usually better to use a public CA.
16.Generate a Certificate Signing Request (CSR):
https csr
The CSR is displayed.
17.Select and copy the CSR.
18.In a browser, navigate to your chosen CA, and when prompted for a CSR, paste in the CSR.
19.Obtain from the CA:
•The root certificate or (if available) the certificate bundle (chain).
•The certificate issued for your appliance.
20.Enter the root certificate or certificate bundle:
https set ca-bundle
When prompted, paste in the root certificate or bundle.
21.Enter the certificate issued for your appliance:
https set cert
When prompted, paste in the certificate issued for your appliance.
22.If you want encryption to be enabled for log collection:
log-aggregator settings --tls
Pulse Secure advises that you always enable TLS to ensure the use of authentication and encryption.
23.Restart the services to pick up all new settings:
services restart
24.Browse to the /admin path on your appliance's FQDN. For example, browse to
https://p1.example.com/admin
Your browser should not display a certificate warning.
25.Log into your appliance using your UI username and password.
The Pulse One Appliance is now ready to manage PCS and PPS appliances.
Further steps are required to prepare Pulse One to manage workspaces, or to create a Pulse One cluster.
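The addressing rules in this procedure (three interfaces on different subnets, a netmask and gateway that are correct for the subnet, a lower-case FQDN for provisioning) can be checked on a workstation before anything is typed at the Pulse One prompt. The following Python check is an added example, not part of the Pulse Secure documentation or tooling. The function name, the internal and management addresses, and the choice to treat overlapping ranges as the same subnet are assumptions made for illustration.

```python
import ipaddress

REQUIRED = ("internal", "external", "management")

def check_plan(fqdn, interfaces):
    """Return problems in a planned layout; interfaces maps name -> (ip, netmask, gateway)."""
    problems = []
    if fqdn != fqdn.lower():  # the provisioning step expects a lower-case FQDN
        problems.append(f"FQDN {fqdn!r} is not lower case")
    nets = {}
    for name in REQUIRED:
        if name not in interfaces:
            problems.append(f"{name}: no addressing planned")
            continue
        ip, netmask, gateway = interfaces[name]
        try:
            iface = ipaddress.ip_interface(f"{ip}/{netmask}")
            gw = ipaddress.ip_address(gateway)
        except ValueError as exc:  # malformed address or non-contiguous netmask
            problems.append(f"{name}: {exc}")
            continue
        net = nets[name] = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is not a host address in {net}")
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is outside {net}")
        elif gw == iface.ip:
            problems.append(f"{name}: gateway equals the interface address")
    # Assumption: overlapping ranges count as "the same subnet".
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} are not on different subnets")
    return problems

# External values are the page's example; the others are constructed.
GOOD_PLAN = {
    "external": ("10.64.22.22", "255.255.0.0", "10.64.0.1"),
    "internal": ("10.80.1.10", "255.255.255.0", "10.80.1.1"),
    "management": ("10.90.1.10", "255.255.255.0", "10.90.1.1"),
}
# Constructed bad plan: management shares the external /16, gateway off-subnet.
BAD_PLAN = dict(GOOD_PLAN, management=("10.64.30.5", "255.255.0.0", "10.65.0.1"))

if __name__ == "__main__":
    for label, fqdn, plan in (("good", "p1.example.com", GOOD_PLAN),
                              ("bad", "P1.example.com", BAD_PLAN)):
        print(label, check_plan(fqdn, plan) or "OK")
```

An empty list means the plan is internally consistent; it does not confirm that DNS already resolves the FQDN to the external address.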