Introduction

Hardware Platforms

You can install and use this software version on the following hardware platforms:

PSA300, PSA3000, PSA5000, PSA7000f, PSA7000c

To download software for these hardware platforms, go to: https://support.pulsesecure.net/

Virtual Appliance Editions

This software version is available for the following virtual appliance editions:

Virtual Pulse Secure Appliance (PSA-V)

From 9.1R1 release onwards, VA-DTE is not supported.

From 9.0R1 release, Pulse Secure has begun the End-of-Life (EOL) process for the VA-SPE virtual appliance. In its place, Pulse Secure has launched the new PSA-V series of virtual appliances designed for use in the data center or with cloud services such as Microsoft Azure, Amazon AWS, OpenStack Fabric and Alibaba Cloud.

The following table lists the virtual appliance systems qualified with this release:

| Platform | Qualified System |
|---|---|
| VMware | ESXi 7.0 Update 2c |
| OpenStack KVM | CentOS 7.7 |
| | QEMU/OpenStack KVM v1.4.0 |
| | Linux Server Release 6.4 on an Intel Xeon CPU L5640 @ 2.27GHz |
| | 24GB memory in host |
| | Allocation for virtual appliance: 4vCPU, 4GB memory and 40GB disk space |
| Hyper-V | Microsoft Hyper-V Server 2016 and 2019 |
| Azure-V | Standard DS2 V2 (2 Core, 2 NICs) |
| | Standard DS3 V2 (4 Core, 3 NICs) |
| | Standard DS4 V2 (8 Core, 3 NICs) |
| AWS-V | T2.Medium (2 Core, 3 NICs and 2 NICs) |
| | T2.Xlarge (4 Core, 3 NICs) |
| | T2.2Xlarge (8 Core, 3 NICs) |
| Alibaba Cloud | ecs.g6.2xlarge (8 vCPU, 32GB, 2 NICs) |

To download the virtual appliance software, go to: https://support.pulsesecure.net/

VMware Applications

The following table lists the VMware applications qualified:

| Platform | Qualified |
|---|---|
| VMware | |
| VMware Horizon View Connection Server version 7.12 | Rewriter |
| VMware Horizon Agent version 7.12 | VDI Profiles |
| VMware Horizon View HTML Access version 5.4 | VDI Profiles |
| VMware Horizon View Client version 5.4 | VDI Profiles |

Upgrade Paths

The following table describes the tested upgrade paths. Please note that here x and y refer to the following:

x: Latest maintenance release version

y: Versions less than x

| Upgrade From | Qualified | Compatible |
|---|---|---|
| 9.1Rx | Yes | - |
| 9.1Ry | - | Yes |
| 9.0Rx | Yes | - |
| 9.0Ry | - | Yes |

For versions prior to 9.0, first upgrade to release 9.0Rx or 9.0Ry, and then upgrade to 9.1Rx.

If your system is running a beta or hot-fix version of the software, roll back to your previously installed official software release before you upgrade to 9.1Rx. This practice ensures the rollback version is a release suitable for production.

Note: On a PCS/PPS virtual appliance, we highly recommend freshly deploying a PSA-V from an OVF based on 8.3Rx or higher when any of the following conditions is met:

If the disk utilization goes beyond 85%.

If an admin receives the iveDiskNearlyFull SNMP trap.

If the factory reset version on the PSA-V is 7.x or 8.0.

Upgrade Scenario Specific to Virtual Appliances

PSA-Vs cannot be upgraded to 9.1R10 without a core license installed. Follow these steps to upgrade to 9.1R10:

x: Latest maintenance release version

1. If PSA-V is running 8.3Rx:

   a. Upgrade to 9.0Rx.

   b. Install Core license through Authcode.

   c. Upgrade to 9.1Rx.

2. If PSA-V is running 9.0Rx or later:

   a. Install Core license through Authcode.

   b. Upgrade to 9.1Rx.

For more details, see the “Noteworthy Information in 9.1R4.3 Release” section.

General notes

1. For policy reasons, security issues are not normally mentioned in release notes. To find more information about our security advisories, please see our security advisory page.

2. In 8.2R1.1 and above, all PCS client access binaries (Network Connect, WSAM, Host Checker, JSAM, Windows Terminal Services, Citrix Terminal Services) are signed with a SHA2 code signing certificate to improve security and ensure compatibility with Microsoft OS’s 2016 restrictions on SHA1 code signing. This certificate will expire on April 12, 2021. For details, refer to KB articles KB14058 and KB43834.

3. Important note: Windows 7 machines must contain a March 10, 2015 Windows 7 Update in order to be able to accept and verify SHA2-signed binaries properly. This Windows 7 update is described here and here. If this update is not installed, PCS 8.2R1.1 and later will have reduced functionality (see PRS-337311 below). (As a general rule, Pulse Secure, LLC recommends that client machines be kept current with the latest OS updates to maximize security and stability.)

4. When custom ciphers are selected, there is a possibility that some ciphers are not supported by the web browser. If any ECDH/ECDSA ciphers are selected, they require an ECC certificate to be mapped to the internal/external interface. If an ECC certificate is not installed and mapped to the internal and external ports (if enabled), administrators may not be able to log in to the appliance. The only way to recover from this situation is to connect to the system console and select option 8 to reset the SSL settings. Option 8 resets the SSL settings to factory default. Any customization is lost and will need to be reconfigured. This is applicable only to Inbound SSL settings.

5. Pre-5.0 Android and pre-9.1 iOS devices don’t support Suite B ciphers. If Suite B is enabled, the Pulse client on pre-5.0 Android and pre-9.1 iOS devices will not be able to connect to the PCS device.

6. Minimum ESAP version supported on 9.1R10 is 3.4.8 and later.

From 9.1R2 release onwards, Network Connect (NC) client and legacy Windows Secure Application Manager (WSAM) client are not supported.

From 9.1R1 release onwards, Active Directory Legacy Mode configuration is not supported. If you have an existing Active Directory authentication server using Legacy Mode, first migrate to Standard Mode and then upgrade PCS. For the detailed migration procedure, refer to KB40430.

Noteworthy Information in 9.1R12 Release

SNMP monitoring enhancement to map index numbers of the interfaces across ifTable and ipAddrTable.

The grace period for expired licenses is now reduced from 91 days to 31 days.

Logs are refined and enhanced. They now include session information such as the Session ID, Session start data and end data.

Enhancements were made to dsagentd to address session resumption issues.

Source IP restrictions can now be disabled for admin realms from the serial console menu through a newly provided option.

Noteworthy Information in 9.1R11.5 Release

Added an option for the Admin to enable users to download the Pulse Client Components removal (Pulse Upgrade Helper) tool on Windows end-user machines upon browser access. This option helps to remediate the certificate expiry issue. For more information, refer to KB44781 and KB44810.

This release provides important security hardening. For more information refer to SA44800.

Source IP restriction (RFC1918) is removed on Admin Realms for fresh deployments on the OpenStack KVM platform. Default source IP restrictions are applicable for PSA appliances, VMware, and Hyper-V platforms.

Noteworthy Information in 9.1R11.4 Release

This release provides important security hardening. For more information refer to SA44784.

Noteworthy Information in 9.1R11 Release

The HTTP-only DSDID session cookies were introduced in Release 9.0R3. From release 9.1R11 onwards, the DSDID cookies are enabled by default for all new roles created. On upgrade, if DSDID is not enabled for any of the roles, a warning message displays on the dashboard. A link also displays on the UI; the administrator can click it to enable the DSDID cookies option for all the roles.

Major browsers disable TLS1.0 and TLS1.1 by default. Administrators are recommended to use TLS1.2 and later and also to select the Maximize Security option under Configuration > Security > SSL options for inbound and outbound connections. If not selected, a warning message displays.

From 9.1R11 onwards, for new ESP VPN Tunneling Connection Profiles, AES256/SHA256 (maximize security) encryption is chosen by default.

User logs and Administrator logs are refined and enhanced to display more information.

A source IP restriction is added on Admin Realms so that admins can connect only from private addresses (RFC1918) on fresh deployments or when the configurations are cleared. This restriction is applicable to PSA appliances, VMware, Hyper-V, and OpenStack KVM.

From 9.1R11, the SHA1 hashing algorithm is removed from the “Maximize Security (High Ciphers)” settings.
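
The RFC1918 source IP restriction on Admin Realms noted above admits only three IPv4 blocks. The following added example (not Pulse Secure code; the function names and sample addresses are constructed for illustration) classifies admin source addresses against those blocks, so an administrator can see which ones would be rejected after a fresh deployment or a configuration clear. Unwrapping IPv4-mapped IPv6 addresses is a choice of this example, not documented appliance behavior.

```python
import ipaddress

# The three IPv4 blocks reserved by RFC 1918. ipaddress.is_private is broader
# (loopback, link-local, documentation ranges), so the blocks are listed here.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """Return True only if addr falls inside an RFC 1918 block."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # unparsable input is never treated as private
    if ip.version == 6:
        # Assumption of this example: test the embedded IPv4 address of an
        # IPv4-mapped IPv6 address (::ffff:a.b.c.d); other IPv6 never matches.
        if ip.ipv4_mapped is None:
            return False
        ip = ip.ipv4_mapped
    return any(ip in net for net in RFC1918_NETS)


def audit_admin_sources(sources):
    """Split admin source addresses into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for src in sources:
        (allowed if is_rfc1918(src) else blocked).append(src)
    return allowed, blocked


# Constructed sample: addresses admins are assumed to connect from.
SAMPLE_ADMIN_SOURCES = [
    "10.20.30.40",       # inside 10.0.0.0/8
    "172.31.255.254",    # near the top of 172.16.0.0/12
    "172.32.0.1",        # just outside 172.16.0.0/12
    "192.168.1.10",      # inside 192.168.0.0/16
    "100.64.0.5",        # RFC 6598 shared space, not RFC 1918
    "127.0.0.1",         # loopback, not RFC 1918
    "203.0.113.7",       # documentation range standing in for a public IP
    "::ffff:10.0.0.1",   # IPv4-mapped form of a private address
    "2001:db8::1",       # plain IPv6 has no RFC 1918 equivalent
]

if __name__ == "__main__":
    ok, rejected = audit_admin_sources(SAMPLE_ADMIN_SOURCES)
    print("within RFC1918:", ok)
    print("outside RFC1918:", rejected)
```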

Noteworthy Information in 9.1R10 Release

Added stability improvements for L4 JSAM connections.

Added the following licensing reporting enhancements on MSSP deployments:

When the license client has a concurrent users license installed locally, the client excludes the locally installed count while sending lease usage to the license server.

When the license client has an ICE license enabled or has an evaluation license installed that gives the maximum platform limit for concurrent users, the license lease usage reported by the client is zero.

The license client allows 10% extra usage over the licensed limit. This applies to the maximum lease limit as well. In such a case, the license client reports only the maximum lease limit usage. For example, if the license client has leased 100 licenses and 110 users are logged in, the license client reports only 100 as usage to the license server.

Host header validation is introduced in 9.1R10. When this option is enabled on the server under System > Configuration > Security > Miscellaneous, the Pulse Client upgrade through PCS may fail. For more information, refer to KB44646.

Added graphs to display advanced HTML5 connections under System Status dashboard. Refer to “Displaying System Status” in Pulse Connect Secure Administration Guide.

Noteworthy Information in 9.1R8 Release

For 9.1R8, Pulse Collaboration Client is packaged using PCS 9.1R7 build.

Noteworthy Information in 9.1R4.3 Release

In 9.1Rx OVF a critical issue was observed. The 9.1R4.3 release addresses this issue.

On some of the installations, it was observed that a few read-only files were being overwritten. Customers are experiencing HTTP 500 responses for some of the admin requests. The 9.1R4.3 release addresses this issue.

Upgrade works only if the VA is deployed with the 8.3 OVF onwards. If the VA is deployed with a pre-8.3 OVF, upgrade to this image will not work.

Refer to KB44408 for the recommendations / best practices to deploy Virtual Appliance and the logs needed for analysis/troubleshooting.