New Features

Release 9.1R12.1 Features

No new features applicable to this release.

Release 9.1R12 Features

The integrity tool allows an administrator to verify the PCS Image installed on Virtual or Hardware Appliances This tool checks the integrity of the complete file system and finds any additional/modified files in the system.

This feature enhancement allows Windows users to fetch attributes from Intune by using MAC address option.

The feature enhancement allows users to create admin/end-user Advanced HTML5 bookmarks.

This feature allows to modify internal port and external port of PCS deployed in AWS.

This feature enhancement allows to add Source interface selection for each syslog servers configured in the PCS. It enables the admin to select a source interface with which address packets are sent to the syslog server.

This feature enables the admin to access the named users and its information and delete them on both PCS and License Server in Named User Repository mode using REST APIs.

Release 9.1R11.5 Features

No new features applicable for this release.

Release 9.1R11.4 Features

No new features applicable for this release.

Release 9.1R11.3 Features

No new features applicable for this release.

Release 9.1R11 Features

PCS supports Advanced HTML5 Access solution. This Advanced HTML5 Access solution supports two Advanced HTML5 sessions by default and includes multiple monitors, session recording, audio recording, high sound quality, and camera support.

From 9.1.R11, Advanced HTML5 access is available as General Availability version.

Release 9.1R10 Features

No new features applicable for this release. Refer to Noteworthy Information in 9.1R10 Release for more details.

Release 9.1R9.1 Features

No new features applicable for this release.

Release 9.1R9 Features

PCS supports two users to be registered with an SNMP engine with different authentication and privilege settings.

PCS provides option to use ESP tunnel for 6in4 and 4in6 traffic.

PCS supports Advanced HTML5 Access solution. This Advanced HTML5 Access solution supports two Advanced HTML5 sessions by default and includes multiple monitors, session recording, audio recording, high sound quality, and camera support.

Supports microphones connected to the client computer during the remote session.

Release 9.1R8.2 Features

No new features added in this release.

Release 9.1R8.1 Features

No new features added in this release.

Release 9.1R8 Features

In case you have a fresh installation of PCS/PPS, you may download latest UEBA package from Pulse Secure Support Site (my.pulsesecure.net) and add the package at Behavior Analysis page before using Adaptive Authentication or Geolocation based Conditional Access.

Apart from showing the number of concurrent user sessions, PCS Dashboard now shows the L4 access type (PSAM) and Clientless access type (Browser) logins as non-tunnel users.

This feature disallows user login, user login via Pulse Desktop, HTML5 connection or connection to a web resource when the CPU load is above a certain threshold. By default, this option is disabled for PCS upgrades and enabled for new installation.

This release provides REST API to Reset/Unlock a user under a TOTP server.

In this release, added around 120 new license SKUs for PCS/PPS.

PCS now supports pool of NTP servers up to 4 NTP servers to sync date and time.

Release 9.1R7 Features

This release provides automatic management of ICE license. PCS enables ICE license when the logged in users count crosses the maximum licensed users count and disables ICE license when the logged in users count drops below the maximum licensed users count.

As an example, If you installed 100 licensed user counts, when the 101th user logs in, ICE license gets automatically enabled.

This release provides HTML5 sessions information in the dashboard and the trend graph that helps admin to view the CPU usage and take necessary action to provide better remote access experience for the users.

PCS provides support for the responsive images (in web applications) via rewriter by rewriting the srcset attribute value. The corresponding images would be fetched on client application based on screen size, resolutions and other features.

FQDN ACL feature was enabled by default earlier even though there are no policies configured. A new admin configurable option to enable or disable FQDN ACL feature is added in 9.1R7 at System > Configuration > VPN tunneling.

Release 9.1R6 Features

In the User Realms > Authentication Policy > Host Checker page, the policy names now have hyperlinks. Click the link to view the policy configuration.

The System > Maintenance > Platform page displays Hardware ID along with the other platform details.

The System > Configuration > Licensing page, displays Hardware Id and Serial number.

This release provides REST API to do the following on a Standalone/Cluster:

•enable/disable ICE license

•get the current status of ICE license.

Release 9.1R5 Features

PCS can be deployed using Terraform templates on supported hypervisors and cloud platforms.

Conditional Access feature for Cloud Secure now provides a mechanism to enforce access control policies based on location parameters by defining policies for applications.

LDAP based password management works with generic LDAP servers such as OpenLDAP.

In this release, the Pulse Secure device access management framework supports integration with Microsoft Intune.

Active number of HTML5 sessions on PCS can be obtained using a REST API call to api/v1/stats/active-html5-sessions.

It is now possible to extract any particular license client/cluster report through REST API. Enhancements include:

•Cluster-wise view in the license report.

•License report in JSON format through REST.

•Options to get cluster/client/period sub-section of the granular report through REST.

In this release, SSLDump utility supports VLAN. Admins can use this tool for debugging / data collection purpose.

In PCS hosted on a cloud environment, it is now possible to edit default gateway configuration from UI.

Host Checker policy to detect and allow hard disk in which encryption is in progress.

Administrators can:

•create license server with Active Active cluster on virtual/cloud and hardware platforms.

•lease all different type of licenses to license clients from any node of active-active cluster.

•surrender/recall licenses from any node of active-active cluster.

Release 9.1R4.3 Features

No new features added for this release

Release 9.1R4.2 Features

No new features added for this release

Release 9.1R4.1 Features

No new features added for this release

Release 9.1R4 Features

PCS now supports VA deployment on Alibaba Cloud.

Conditional Access feature for Cloud Secure provides a mechanism to enforce access control policies based on user and device parameters by defining policies for applications. Conditional Access policies are evaluated during application access time while roles are mapped to the session during the session creation time.

Enhancements include:

•Update to “Getting Active Sessions”

•Update to “Getting System Information”

•Added “Fetching the User Login Statistics”

•Added “Health Check Status”

•Added “VIP Failover”

•Added “Applying License”

•Added “Deleting License”

•Added “Getting License Clients”

•Added ”Getting License Report from License Server”

•Added Profiler REST APIs

The Platform Limit, Maximum Licensed User Count and Cluster Name attribute values are available for optimal load balancing.

In 9.1R4 release, Windows Redstone 6 - version 1909 is qualified.

In 9.1R4 release, SharePoint 2019 is qualified.

In 9.1R4 release, VMware VDI versions 7.9 and 7.10 are qualified.

In 9.1R4 release, Citrix Virtual Apps and Desktops 7 1909 is qualified.

When a new local authentication server is created, now admin has a choice to store the password with strong hashing using pbkdf2.

Licensing report is enhanced with usage statistics for each PCS instance - maximum user count per month per PCS/per MSSP.

MSSPs can now:

•generate accurate usage reports of their customers.

•make the structured report in XML format to enable for parsing and usage for dashboard.

Release 9.1R3 Features

The various system logs and troubleshooting logs that help in investigating user access issues and system issues can be configured and accessed using the Log Selection page.

The LDAP authentication configuration is enhanced in 9.1R3 to locate the nearest Microsoft domain controllers, which are spread across the globe, by resolving DNS SRV records.

From 9.1R3 release, PCS can detect and assign DHCP networking settings automatically at the PCS VM boot up. In the script included in the PSA-V package, the PCS parameters should be set to null in order to fetch the networking configuration automatically from the DHCP server.

This feature is not supported on PSA hardware.

OpenStack is an open source cloud computing platform that allows deploying and managing a cloud infrastructure as an IaaS service. As part of this release, Pulse Secure supports deploying PCS KVM in OpenStack cloud.

From 9.1R3 release, VMware support is qualified for VMware 10.3.10, ESXi 6.7 Update 2c.

From 9.1R3 release, the maximum debug log size is increased to 1024 MB on hardware platforms.

From 9.1R3 release, the “iostat” information is gathered periodically and made available as part of node monitoring in system snapshot.

9.1R3 release provides option to the administrators as well as end-user to enable/disable copy/paste from HTML5 RDP sessions. This option will be available under User Roles as well as Admin Created Bookmarks”.

From 9.1R3 release, for a fresh installation, the valid password range defined is 0-999. Minimum length 10 and maximum length 128 are set as default values.

From 9.1R3 release, for a fresh installation, the following predefined resource policies are set to “Deny” state by default.

•Web Access Resource Policy “Initial Policy for Local Resources”

•Windows File Access Resource Policy “Initial File Browsing Policy”

The predefined policy for VPN Tunneling is not provided.

IKEv2 packets can be larger than the MTU especially the IKE_AUTH packets which include the certificate chain. These larger IKE packets get fragmented in the intermediate devices. This feature implements fragmentation at IKE level and avoids IP fragmentation.

Due to larger IPv6 header as compared to IPv4, if the MSS of the PCS external interface is not set appropriately, the packets would be dropped on the external interface. This feature enables to set MSS to a lower value so that TCP connections are not dropped for 6-in-4 cases or when there is NAT translation somewhere in the network before reaching PCS.

Release 9.1R2 Features

Pulse Secure supports SP-initiated SAML SSO when PCS is configured as IdP in gateway mode. PCS uses the existing user session in generating SAML assertion for the user for SSO.

This feature provides a single logout functionality wherein if a user gets logged out of a session from one application, PCS (configured as IdP) notifies all other connected applications of that user with Single Logout.

Pulse client expects the machine ID is unique on each machine. If multiple endpoints have the same machine ID, for security reasons, the existing sessions with the same machine id are closed.

A new access log message is added to flag the detection of a duplicate Machine ID in the following format:

Message: Duplicate machine ID "<Machine_ID>" detected. Ending user session from IP address <IP_address>. Refer document KB25581 for details.

The newly introduced Microsoft RDWeb resource profile controls access to the published desktops and applications based on HTML5. The Microsoft RDWeb templates significantly reduce the configuration time by consolidating configuration settings into one place and by pre-populating a variety of resource policy settings.

In the 9.1R2 release, Microsoft RDWeb HTML5 access does not support Single Sign On. SSO will be made available in the future release.

Two new methods of archiving the configurations and archived logs are available now apart from SCP and FTP methods:

Pulse Connect Secure now supports pushing configurations and archived logs to the S3 bucket in the Amazon AWS deployment and to the Azure storage in the Microsoft Azure deployment.

PCS supports the migration of servers and clients to OPSWAT v4 to take advantage of latest updates.

From 9.1R2 release, the licensing client (PCS) starts reporting maximum used sessions count instead of the maximum leased licenses count. For MSP customers, this change helps in billing the tenants based on maximum sessions used.

PCS/PPS supports upgrading from 8.2Rx to 9.1R2 for the following supported platforms:

•VMware ESXi

•OpenStack KVM

•Hyper-V

When upgrading a VA-SPE running 8.2R5.1 or below that was deployed with an OVF template to a higher version, the upgrade was failing. This feature solves the upgrade problem for VMware, OpenStack KVM and Hyper-V. Refer KB41049 for more details.

Release 9.1R1 Features

Pulse Secure SDP uses PCS appliances which individually act as either an SDP controller or an SDP gateway. Mobile users of the Pulse Secure Client perform authentication on an SDP controller which runs an Authentication, Authorization and Accounting (AAA) Service. The SDP controller then enables direct communication between the user and the SDP gateways that protect the user’s authorized resources and enables requested encryption.

Prior to 9.1R1 release, DNS traffic was sent over the Internal interface. Starting with 9.1R1 release, an administrator can modify the DNS setting to any physical interface namely Internal Port, External Port or Management Port.

Account Lockout option is provided to manage user authentication failures for admin users of local authentication server. The admin user account will be locked after specified number of consecutive wrong password attempts. The account will be unlocked after the specified lockout period or by using the Unlock option.

User can pass "client-name" in HTML5 rdp using launcher method. The %clientname% variable is matched with a workstation ID and normally that variable is unique and dedicated remote desktop computer name.

User can deploy PSA-V in OpenStack KVM using a template.

AWS VPC GW and Azure VNet GW drop packets if the source IP is the endpoint tunnel IP. This feature NATs endpoint tunnel IP to Internal interface IP. The NAT allows user to access internet resources when connected to a VPN tunnel on an Azure or AWS-based PCS.