New Features

The following table describes major features that are introduced in the corresponding release:



Release 9.1R13.1 Features

ISA virtual platforms as license clients

ISA virtual platforms can be configured as license clients from 9.1R13.1. For more information, refer to the License Management Guide.

Release 9.1R13 Features

AWS marketplace publishing

AWS marketplace publishing with GP3 AMI image to reduce the PCS upgrade time on AWS.

Release 9.1R12.1 Features

No new features applicable to this release.

Release 9.1R12 Features

Integrity Checker

The integrity tool allows an administrator to verify the PCS image installed on virtual or hardware appliances. This tool checks the integrity of the complete file system and finds any additional or modified files in the system.

Intune integration enhancements

This feature enhancement allows Windows users to fetch attributes from Intune by using the MAC address option.

Advanced HTML5 Enhancements

The feature enhancement allows users to create admin/end-user Advanced HTML5 bookmarks.

Seamless Migration of PCS instance in AWS

This feature allows modifying the internal port and external port of a PCS deployed in AWS.

Choice of interface for each configured syslog server

This feature enhancement adds source interface selection for each syslog server configured in the PCS. It enables the admin to select the source interface whose address is used for packets sent to the syslog server.

REST API Enhancements for Named Users

This feature enables the admin to access the named users and their information, and to delete them on both PCS and License Server in Named User Repository mode, using REST APIs.

Release 9.1R11.5 Features

No new features applicable for this release.

Release 9.1R11.4 Features

No new features applicable for this release.

Release 9.1R11.3 Features

No new features applicable for this release.

Release 9.1R11 Features

Advanced HTML5 solution

(General Availability version)

PCS supports Advanced HTML5 Access solution. This Advanced HTML5 Access solution supports two Advanced HTML5 sessions by default and includes multiple monitors, session recording, audio recording, high sound quality, and camera support.

From 9.1R11, Advanced HTML5 access is available as General Availability version.

Release 9.1R10 Features

No new features applicable for this release. Refer to Noteworthy Information in 9.1R10 Release for more details.

Release 9.1R9.1 Features

No new features applicable for this release.

Release 9.1R9 Features

SNMP v3 multiple user support

PCS supports two users to be registered with an SNMP engine with different authentication and privilege settings.

ESP Tunnel for Mixed Mode

PCS provides an option to use the ESP tunnel for 6in4 and 4in6 traffic.

Advanced HTML5 solution

(Trial version)

PCS supports Advanced HTML5 Access solution. This Advanced HTML5 Access solution supports two Advanced HTML5 sessions by default and includes multiple monitors, session recording, audio recording, high sound quality, and camera support.

Remote microphone support in WTS

Supports microphones connected to the client computer during the remote session.

Release 9.1R8.2 Features

No new features added in this release.

Release 9.1R8.1 Features

No new features added in this release.

Release 9.1R8 Features

UEBA package for fresh installation of PCS/PPS

If you have a fresh installation of PCS/PPS, you may download the latest UEBA package from the Pulse Secure Support Site and add the package at the Behavior Analysis page before using Adaptive Authentication or Geolocation based Conditional Access.

Show users by access type

Apart from showing the number of concurrent user sessions, PCS Dashboard now shows the L4 access type (PSAM) and Clientless access type (Browser) logins as non-tunnel users.

PCS Protection from Overload

This feature disallows user login, user login via Pulse Desktop, HTML5 connection or connection to a web resource when the CPU load is above a certain threshold. By default, this option is disabled for PCS upgrades and enabled for new installations.

Reset/Unlock TOTP user through REST API

This release provides REST API to Reset/Unlock a user under a TOTP server.

New license SKUs for PCS/PPS

This release adds around 120 new license SKUs for PCS/PPS.

Support for pool of NTP servers and NTP status check

PCS now supports a pool of up to 4 NTP servers to sync date and time.

Release 9.1R7 Features

Automatic enable/disable ICE license

This release provides automatic management of ICE license. PCS enables ICE license when the logged in users count crosses the maximum licensed users count and disables ICE license when the logged in users count drops below the maximum licensed users count.

For example, if you installed a license for 100 users, the ICE license is automatically enabled when the 101st user logs in.

Show current HTML5 RDP sessions in Dashboard

This release provides HTML5 sessions information in the dashboard and the trend graph that helps admin to view the CPU usage and take necessary action to provide better remote access experience for the users.

Support for srcset attribute in HTML

PCS provides support for the responsive images (in web applications) via rewriter by rewriting the srcset attribute value. The corresponding images would be fetched on client application based on screen size, resolutions and other features.

Enable/Disable FQDN ACL

Earlier, the FQDN ACL feature was enabled by default even when no policies were configured. A new admin-configurable option to enable or disable the FQDN ACL feature is added in 9.1R7 at System > Configuration > VPN tunneling.

Release 9.1R6 Features

Hyperlink to Host Checker Policies

In the User Realms > Authentication Policy > Host Checker page, the policy names now have hyperlinks. Click the link to view the policy configuration.

Hardware ID in the System Maintenance page

The System > Maintenance > Platform page displays Hardware ID along with the other platform details.

Serial number in the Licensing screen

The System > Configuration > Licensing page displays Hardware ID and Serial number.

Enable/Disable option for ICE license

This release provides REST API to do the following on a Standalone/Cluster:

enable/disable ICE license

get the current status of ICE license.

Release 9.1R5 Features

Terraform template support for AWS and Azure

PCS can be deployed using Terraform templates on supported hypervisors and cloud platforms.

Location based Conditional Access

Conditional Access feature for Cloud Secure now provides a mechanism to enforce access control policies based on location parameters by defining policies for applications.

Password management for Open LDAP

LDAP based password management works with generic LDAP servers such as OpenLDAP.

Microsoft Intune MDM integration

In this release, the Pulse Secure device access management framework supports integration with Microsoft Intune.

HTML5 Sessions report

Active number of HTML5 sessions on PCS can be obtained using a REST API call to api/v1/stats/active-html5-sessions.

MSSP Reporting enhancements

It is now possible to extract any particular license client/cluster report through REST API. Enhancements include:

Cluster-wise view in the license report.

License report in JSON format through REST.

Options to get cluster/client/period sub-section of the granular report through REST.

SSLDump for VLAN

In this release, the SSLDump utility supports VLAN. Admins can use this tool for debugging and data collection purposes.

Edit default gateway configuration

In PCS hosted on a cloud environment, it is now possible to edit default gateway configuration from UI.

Host Checker feature enhancement

Host Checker policy to detect and allow hard disk in which encryption is in progress.

License server with Active-Active cluster

Administrators can:

create a license server with an Active-Active cluster on virtual/cloud and hardware platforms.

lease all the different types of licenses to license clients from any node of the active-active cluster.

surrender/recall licenses from any node of active-active cluster.

Release 9.1R4.3 Features

No new features added for this release.

Release 9.1R4.2 Features

No new features added for this release.

Release 9.1R4.1 Features

No new features added for this release.

Release 9.1R4 Features

PCS VA on Alibaba Cloud

PCS now supports VA deployment on Alibaba Cloud.

Conditional Access

Conditional Access feature for Cloud Secure provides a mechanism to enforce access control policies based on user and device parameters by defining policies for applications. Conditional Access policies are evaluated during application access time while roles are mapped to the session during the session creation time.

REST API enhancements

Enhancements include:

Update to “Getting Active Sessions”

Update to “Getting System Information”

Added “Fetching the User Login Statistics”

Added “Health Check Status”

Added “VIP Failover”

Added “Applying License”

Added “Deleting License”

Added “Getting License Clients”

Added “Getting License Report from License Server”

Added Profiler REST APIs

vTM and PCS Integration for Load Balancing

The Platform Limit, Maximum Licensed User Count and Cluster Name attribute values are available for optimal load balancing.

Support for Windows Redstone 6

In 9.1R4 release, Windows Redstone 6 - version 1909 is qualified.

Support for SharePoint 2019

In 9.1R4 release, SharePoint 2019 is qualified.

Support for VMware VDI 7.9, and 7.10

In 9.1R4 release, VMware VDI versions 7.9 and 7.10 are qualified.

Support for Citrix Virtual Apps and Desktops 7 1909

In 9.1R4 release, Citrix Virtual Apps and Desktops 7 1909 is qualified.

Protect passwords stored in local auth server using stronger hash

When a new local authentication server is created, the admin now has the choice to store passwords with strong hashing using PBKDF2.

Support license reporting per license client

Licensing report is enhanced with usage statistics for each PCS instance - maximum user count per month per PCS/per MSSP.

MSSPs can now:

generate accurate usage reports of their customers.

produce the structured report in XML format so that it can be parsed and used in dashboards.

Release 9.1R3 Features

Consolidated system and troubleshooting logs

The various system logs and troubleshooting logs that help in investigating user access issues and system issues can be configured and accessed using the Log Selection page.

Connect to nearest available DC

The LDAP authentication configuration is enhanced in 9.1R3 to locate the nearest Microsoft domain controllers, which are spread across the globe, by resolving DNS SRV records.

Zero touch provisioning

From 9.1R3 release, PCS can detect and assign DHCP networking settings automatically at the PCS VM boot up. In the script included in the PSA-V package, the PCS parameters should be set to null in order to fetch the networking configuration automatically from the DHCP server.

This feature is not supported on PSA hardware.

PCS hosted in OpenStack cloud

OpenStack is an open source cloud computing platform that allows deploying and managing a cloud infrastructure as an IaaS service. As part of this release, Pulse Secure supports deploying PCS KVM in OpenStack cloud.

VMware tools support

From 9.1R3 release, VMware support is qualified for VMware 10.3.10, ESXi 6.7 Update 2c.

Debug Log storage expansion

From 9.1R3 release, the maximum debug log size is increased to 1024 MB on hardware platforms.

Periodic iostat data collection

From 9.1R3 release, the “iostat” information is gathered periodically and made available as part of node monitoring in system snapshot.

Control copy/paste option for a user from an HTML5 session

The 9.1R3 release provides an option for administrators as well as end users to enable/disable copy/paste from HTML5 RDP sessions. This option is available under User Roles as well as Admin Created Bookmarks.

Enhancements to Local Authentication Server default password

From 9.1R3 release, for a fresh installation, the valid password range defined is 0-999. Minimum length 10 and maximum length 128 are set as default values.

Restricting access to default resource policies

From 9.1R3 release, for a fresh installation, the following predefined resource policies are set to “Deny” state by default.

Web Access Resource Policy “Initial Policy for Local Resources”

Windows File Access Resource Policy “Initial File Browsing Policy”

The predefined policy for VPN Tunneling is not provided.

IKEv2 Fragmentation

IKEv2 packets can be larger than the MTU, especially the IKE_AUTH packets, which include the certificate chain. These larger IKE packets get fragmented in the intermediate devices. This feature implements fragmentation at the IKE level and avoids IP fragmentation.

MSS value for TCP connections on Tun devices

Because the IPv6 header is larger than the IPv4 header, packets are dropped on the external interface if the MSS of the PCS external interface is not set appropriately. This feature allows the MSS to be set to a lower value so that TCP connections are not dropped for 6-in-4 cases or when there is NAT translation somewhere in the network before reaching PCS.

Release 9.1R2 Features

SP-Initiated SAML SSO

Pulse Secure supports SP-initiated SAML SSO when PCS is configured as IdP in gateway mode. PCS uses the existing user session in generating SAML assertion for the user for SSO.

IDP initiated SAML Single Logout

This feature provides a single logout functionality wherein if a user gets logged out of a session from one application, PCS (configured as IdP) notifies all other connected applications of that user with Single Logout.

Flag Duplicate Machine ID in access logs

The Pulse client expects the machine ID to be unique on each machine. If multiple endpoints have the same machine ID, for security reasons, the existing sessions with the same machine ID are closed.

A new access log message is added to flag the detection of a duplicate Machine ID in the following format:

Message: Duplicate machine ID "<Machine_ID>" detected. Ending user session from IP address <IP_address>. Refer document KB25581 for details.
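The following is an added example, not Pulse Secure code: it extracts the message above from exported access-log lines and groups the source addresses of the closed sessions by machine ID, so an analyst can see which IDs are shared by several endpoints. The line prefix (timestamp, user) in the sample is a constructed assumption; only the message text follows the documented format.

```python
import re
from collections import defaultdict

# Message text as given in the release note. Anything before it on a line
# (timestamp, node, user) is skipped, since that layout is an assumption here.
DUP_RE = re.compile(
    r'Duplicate machine ID "(?P<machine_id>[^"]+)" detected\. '
    r'Ending user session from IP address (?P<ip>[0-9A-Fa-f:.]+)\. '
    r'Refer document KB25581 for details\.'
)

# Constructed sample lines; the prefix fields are hypothetical.
SAMPLE_LOG = '''\
2021-03-02 10:14:07 - alice - Duplicate machine ID "A1B2C3D4" detected. Ending user session from IP address 203.0.113.10. Refer document KB25581 for details.
2021-03-02 10:15:31 - bob - Login succeeded from 198.51.100.7.
2021-03-02 11:02:55 - carol - Duplicate machine ID "A1B2C3D4" detected. Ending user session from IP address 192.0.2.44. Refer document KB25581 for details.
2021-03-03 08:40:12 - dave - Duplicate machine ID "FFEE0011" detected. Ending user session from IP address 2001:db8::5. Refer document KB25581 for details.
'''


def find_duplicate_machine_ids(lines):
    """Map each flagged machine ID to the sorted source IPs whose sessions ended."""
    hits = defaultdict(set)
    for line in lines:
        match = DUP_RE.search(line)
        if match:
            hits[match.group("machine_id")].add(match.group("ip"))
    return {mid: sorted(ips) for mid, ips in hits.items()}


def shared_across_addresses(hits, min_ips=2):
    """Machine IDs whose closed sessions came from at least min_ips addresses."""
    return sorted(mid for mid, ips in hits.items() if len(ips) >= min_ips)


if __name__ == "__main__":
    found = find_duplicate_machine_ids(SAMPLE_LOG.splitlines())
    for machine_id in shared_across_addresses(found):
        print(machine_id, found[machine_id])
```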

Microsoft RDWeb HTML5 Access

The newly introduced Microsoft RDWeb resource profile controls access to the published desktops and applications based on HTML5. The Microsoft RDWeb templates significantly reduce the configuration time by consolidating configuration settings into one place and by pre-populating a variety of resource policy settings.

In the 9.1R2 release, Microsoft RDWeb HTML5 access does not support Single Sign On. SSO will be made available in a future release.

Backup configs and archived logs on AWS S3/Azure Storage

Two new methods of archiving the configurations and archived logs are available now apart from SCP and FTP methods:

Pulse Connect Secure now supports pushing configurations and archived logs to the S3 bucket in the Amazon AWS deployment and to the Azure storage in the Microsoft Azure deployment.

V3 to V4 OPSWAT SDK migration

PCS supports the migration of servers and clients to OPSWAT v4 to take advantage of latest updates.

Report Max Used Licenses to HLS|VLS

From 9.1R2 release, the licensing client (PCS) starts reporting maximum used sessions count instead of the maximum leased licenses count. For MSP customers, this change helps in billing the tenants based on maximum sessions used.

VA Partition Expansion

PCS/PPS supports upgrading from 8.2Rx to 9.1R2 for the following supported platforms:

VMware ESXi

OpenStack KVM


When upgrading a VA-SPE running 8.2R5.1 or below that was deployed with an OVF template to a higher version, the upgrade was failing. This feature solves the upgrade problem for VMware, OpenStack KVM and Hyper-V. Refer to KB41049 for more details.

Release 9.1R1 Features

Software Defined Perimeter

Pulse Secure SDP uses PCS appliances which individually act as either an SDP controller or an SDP gateway. Mobile users of the Pulse Secure Client perform authentication on an SDP controller which runs an Authentication, Authorization and Accounting (AAA) Service. The SDP controller then enables direct communication between the user and the SDP gateways that protect the user’s authorized resources and enables requested encryption.

DNS traffic on any physical interface

Prior to the 9.1R1 release, DNS traffic was sent over the Internal interface. Starting with the 9.1R1 release, an administrator can modify the DNS setting to any physical interface, namely Internal Port, External Port or Management Port.

Authentication failure management

The Account Lockout option is provided to manage user authentication failures for admin users of the local authentication server. The admin user account will be locked after the specified number of consecutive wrong password attempts. The account will be unlocked after the specified lockout period or by using the Unlock option.

Support for “client-name” parameter in HTML5 Access

Users can pass "client-name" in HTML5 RDP using the launcher method. The %clientname% variable is matched with a workstation ID; normally that variable is a unique, dedicated remote desktop computer name.

Deploying PSA-V in OpenStack KVM

User can deploy PSA-V in OpenStack KVM using a template.

User access to internet resources on an Azure-based or AWS-based PCS

AWS VPC GW and Azure VNet GW drop packets if the source IP is the endpoint tunnel IP. This feature NATs the endpoint tunnel IP to the Internal interface IP. The NAT allows users to access internet resources when connected to a VPN tunnel on an Azure-based or AWS-based PCS.

REST API enhancements

Enhancements include:

Getting Config without Pulse packages such as ESAP package and Pulse Client package

Backing up and restoring binary configuration