Virtual Appliances Overview

Running Pulse Connect Secure or Pulse Policy Secure software in a VMware virtual machine as a virtual appliance provides service providers with robust scalability and isolation. The server software from VMware supports several virtual machines on a high-end multiprocessor platform. Deploying a dedicated virtual appliance for each customer guarantees complete isolation among systems.

Virtual Appliance Editions and Requirements

The following virtual appliance edition is available:

PSA-V Edition

PSA-V is targeted at service providers who are interested in provisioning a remote access solution for a large number of customers.

Hardware and Software Requirements

The following VMware Qualified System and KVM Qualified System tables list the virtual appliance systems qualified with this release.

The following table contains data regarding the VMware Qualified System:

| VMware Tools Version | vCenter/ESXi Version | Qualified Pulse Connect Secure and Secure Access System Versions | Qualified Pulse Policy Secure and Access Control System Versions | Hardware Requirements |
| --- | --- | --- | --- | --- |
| 10.3.10 | ESXi 6.7 Update 2c | 9.1R5, 9.1R4, 9.1R3 | 9.1R5, 9.1R4, 9.1R3 | ESXi 6.7 Update 2c requires a host machine with: at least two CPU cores; the NX/XD bit enabled for the CPU in the BIOS; a minimum of 4 GB of physical RAM (at least 8 GB of RAM is recommended to run virtual machines in typical production environments); support for hardware virtualization (Intel VT-x or AMD RVI) enabled on x64 CPUs. Refer here for more details on VMware qualified system. |
| 10.2.0 | ESXi 6.7 | 9.0R3, 9.0R4, 9.1R1 | 9.0R3, 9.0R4, 9.1R1 | |

VMware's HA feature is qualified; VMware’s DRS & Fault Tolerance features are not qualified.

PCS 9.0R3 supports OVF version 10 (pre-9.0R3 supported OVF version 7). It can be deployed only on ESXi 5.5 and later.

The following table contains data regarding the KVM Qualified System:

| QEMU/KVM Version | Qualified Pulse Connect Secure and Secure Access System Versions | Qualified Pulse Policy Secure and Access Control System Versions | Hardware Requirements |
| --- | --- | --- | --- |
| QEMU emulator version 2.9.0 | 9.0R1 | 9.0R1 | Linux Kernel 2.6.32 (64-bit) and later |
| QEMU emulator version 2.9.0 | 8.3R3 | 5.4R3 | Linux Kernel 2.6.32 (64-bit) and later |
| QEMU emulator version 2.3.0 | 8.2 | 5.3 | Linux Server Release 6.4 on an Intel Xeon CPU L5640 @ 2.27GHz; NFS storage mounted in host; 24GB memory in host |
| v1.4.0 | 8.1, 8.0R5, 7.4R10 | 5.1, 5.0R5, 4.4R10 | |

PCS 9.0R3 supports "virtio" as a default disk driver.

The following table contains data regarding the Hyper-V Qualified System:

| Hyper-V Version | Qualified Pulse Connect Secure and Secure Access System Versions | Qualified Pulse Policy Secure and Access Control System Versions | Hardware Requirements |
| --- | --- | --- | --- |
| Microsoft Hyper-V Server 2016 and 2019 | 9.1RX | 9.1RX | 64-bit processor with second-level address translation (SLAT); VM Monitor Mode extensions; memory of at least 4 GB of RAM; virtualization support turned on in the BIOS or UEFI. For more details refer here. |
| Microsoft Hyper-V Server 2012R20 | 8.3, 8.2R5 | 5.4, 5.3R5 | 64-bit processor with second-level address translation (SLAT); VM Monitor Mode extensions; memory of at least 4 GB of RAM; virtualization support turned on in the BIOS or UEFI. For more details refer here. |

Recommended Virtual Appliance Deployment

For PCS-VA versions prior to 8.3, first upgrade to release 8.3Rx, then to 9.0Rx, and then upgrade to 9.1R4.2 where x is the latest maintenance release version.

For PCS-VA versions prior to 8.3, upgrade to 9.1R4.3 and above is not supported.

For PCS-VA version 8.3Rx, first upgrade to 9.0Rx, and then upgrade to 9.1Rx.

Refer to KB44408 for the recommendations / best practices to deploy Virtual Appliance and the logs needed for analysis/troubleshooting.

Supported Features on Virtual Appliances

All features of Pulse Connect Secure and Pulse Policy Secure are available on virtual appliances with the exception of the following:

Instant Virtual System (IVS)

An option is available for switching between a virtual terminal and a serial console. Switching between these options requires a restart of the virtual appliance.

Virtual appliances do not allow licenses to be installed directly on them. As such, virtual appliances can be only license clients. All virtual appliance licenses are subscription-based.

We recommend you use the same NTP server for the virtual appliance and the license server to keep the times synchronized. When synchronizing with an NTP server, the Synchronize guest time with host option in the VMware vSphere Client user interface must be enabled. On the virtual appliance, select Edit Settings > Options > VMware Tools to set this option.

Virtual appliances support the following SCSI controller types:

BusLogic

LSI Logic Parallel (default)

LSI Logic SAS

vSphere users can select the SCSI controller type by opening their Virtual Machine Properties window, clicking the Hardware tab and then double-clicking the SCSI Controller entry.

Virtual Appliance Package Information

The PSA-V downloadable zip contains the following files:

README-scripts.txt— Up-to-date information on the contents of the zip file and how to run the scripts.

PSA-V-VMWARE-PCS-64003.5-VT-disk1.vmdk—A virtual disk file that contains the Pulse Connect Secure or Pulse Policy Secure software. The VT version assumes using a virtual terminal to set up the initial network configuration.

PSA-V-VMWARE-PCS-64003.5-VT.ovf—An OVF specification that defines the virtual appliance and contains a reference to the disk image.

create-va.pl—A script for deploying a virtual appliance connected to the VMware vCenter Server.

va.conf—A sample configuration file for use with the create-va.pl script.

perlclient/plugin/ive.pm—A side file for configuring virtual appliances through NETCONF.

perlclient/plugin/ive_methods.pl—A side file for configuring virtual appliances through NETCONF.

perlclient/examples/get_active_users.pl—A script used to get the current active users on the PSA-V virtual appliance. Cannot be used for configuring the PSA-V virtual appliance.

perlclient/examples/get_active_users.xsl—A file used for formatting and displaying the output returned by get_active_users.pl.

perlclient/examples/get_active_users.xml—A file used for formatting and displaying the output returned by get_active_users.pl.

edit_config_ive.pl–-A Perl script for editing the PSA-V virtual appliance configuration.

For Pulse Connect Secure, the virtual appliance is delivered in OVF and is preconfigured as follows:

40-GB virtual disk

2 virtual CPU 

2-GB memory 

Three virtual network interfaces 

For Pulse Policy Secure, the virtual appliance is delivered in OVF and is preconfigured as follows:

40-GB virtual disk

One virtual CPU

2-GB memory

Three virtual network interfaces

You can change this configuration by editing the OVF prior to importing it or by editing the virtual machine properties once it is created.

When customizing the configuration, do not reduce the disk size.

Pulse Connect Secure version 7.3 and later and Pulse Policy Secure version 4.3 and later use VMware OVF version 7. This is the preferred version. Virtual appliances created with versions prior to Pulse Connect Secure version 7.3 and Pulse Policy Secure version 4.3 use VMware OVF version 4. To upgrade to VMware OVF version 7, you must run Pulse Connect Secure version 7.3 or later or Pulse Policy Secure version 4.3 or later.

The OVF specification defines three logical networks:

Internal Network

External Network

Management Network

When importing the OVF file, these three networks must be mapped to the appropriate virtual networks on the ESXi server.
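A pre-import check for an edited OVF descriptor, covering the two constraints stated above: the disk must not be reduced and the three logical networks must still be defined. This is an added example, not one of the scripts shipped in the PSA-V package; the sample descriptor is constructed, and the 40-GB default is assumed to mean 40 * 2^30 bytes.

```python
import re
import xml.etree.ElementTree as ET

OVF = "http://schemas.dmtf.org/ovf/envelope/1"  # DMTF OVF 1.x envelope namespace
NS = {"ovf": OVF}

# Values taken from this page; treating "40-GB" as 40 * 2^30 bytes is an assumption.
MIN_DISK_GB = 40
REQUIRED_NETWORKS = {"Internal Network", "External Network", "Management Network"}

# Constructed sample: an edited descriptor with a shrunken disk and a dropped network.
SAMPLE = """<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <DiskSection>
    <Disk ovf:diskId="vmdisk1" ovf:capacity="20"
          ovf:capacityAllocationUnits="byte * 2^30"/>
  </DiskSection>
  <NetworkSection>
    <Network ovf:name="Internal Network"/>
    <Network ovf:name="External Network"/>
  </NetworkSection>
</Envelope>"""

def disk_capacity_gb(disk):
    """Return a Disk element's capacity in units of 2^30 bytes (OVF default unit: bytes)."""
    capacity = int(disk.get(f"{{{OVF}}}capacity"))
    units = disk.get(f"{{{OVF}}}capacityAllocationUnits", "byte")
    match = re.fullmatch(r"byte \* 2\^(\d+)", units.strip())
    factor = 2 ** int(match.group(1)) if match else 1
    return capacity * factor / 2**30

def check_ovf(ovf_xml):
    """Return a list of problems found in an OVF descriptor before import."""
    root = ET.fromstring(ovf_xml)
    problems = []
    disks = root.findall("ovf:DiskSection/ovf:Disk", NS)
    if not disks:
        problems.append("no Disk element found")
    for disk in disks:
        size = disk_capacity_gb(disk)
        if size < MIN_DISK_GB:
            problems.append(f"disk reduced to {size:g} GB (minimum {MIN_DISK_GB})")
    networks = root.findall("ovf:NetworkSection/ovf:Network", NS)
    names = {net.get(f"{{{OVF}}}name") for net in networks}
    for missing in sorted(REQUIRED_NETWORKS - names):
        problems.append(f"logical network missing: {missing}")
    return problems

if __name__ == "__main__":
    for problem in check_ovf(SAMPLE):
        print(problem)
```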

When the virtual appliance is powered on for the first time, it expands the software package and performs the installation. After creating a fully installed and configured PSA-V virtual appliance, clone it to a template and export that template. From the template, you can then instantiate additional PSA-V virtual appliances.

Source Network names are not retained in the exported OVF template.

Once configured, you can use any of the following methods to manage the Pulse Connect Secure and Pulse Policy Secure portion of the virtual appliance:

Pulse Secure’s Device Management Interface (DMI)

The inbound DMI listens to port 830 on both the internal and management interfaces.

Pulse Connect Secure or Pulse Policy Secure admin console

Pulse Connect Secure or Pulse Policy Secure serial and virtual terminal console menus

The DMI is an XML-RPC-based protocol used to manage Pulse Secure appliances. This protocol allows administrators and third-party applications to configure and manage Pulse Secure appliances, bypassing their native interfaces. Virtual appliances are compliant with DMI. By default, the inbound DMI is enabled in virtual appliances.

PSA-V Virtual Appliance Utility Scripts

Several utility scripts are included with the PSA-V virtual appliance package. These scripts assist with:

Deployment

Initial setup of the PSA-V virtual appliance

Configuring the PSA-V virtual appliance

You can configure your network with your own set of tools. However, be aware that tools such as vApp list options in a different order than you would see during a typical Pulse Connect Secure or Pulse Policy Secure initial configuration session. As such, even though the scripts included in the PSA-V package are optional, we recommend you use them.

The scripts are divided into the following sets:

Deploy the virtual appliance in the VMware vSphere environment on the ESXi hypervisor through vCenter using OVF properties.

Use this script if you are using VMware vCenter Server and VMware ESXi for deploying the virtual appliance. This script can be used on both Virtualization Technology and serial editions of virtual appliances.

Deploy the virtual appliance in the VMware vSphere environment using a serial port.

If you are using VMware ESXi to run the virtual appliance, you can use these scripts for deployment. These scripts use the service console of ESXi and can be used only with the serial edition of virtual appliances.

Use NETCONF Perl client to configure the virtual appliance.

Plug-in and sample scripts for NETCONF Perl client can be used to configure the virtual appliance after it is deployed and powered on. The scripts use DMI for connecting to Pulse Connect Secure or Pulse Policy Secure on port 830.

Deploy the virtual appliance on KVM.

Use this script if you are using a kernel-based virtual machine (KVM) for deploying the virtual appliance.

Related Documentation

Overview of Deploying Virtual Appliances on VMware ESXi

Using the PSA-V Sample Scripts

Clustering Support for Virtual Appliances

From 9.0 onward, the clustering feature has been enabled on PSA-V in both the active-passive (AP) and active-active (A/A) modes. Admins can now configure clustering settings similar to what is available on the hardware. PSA-V supports only two-node clusters in both AP and A/A modes. The cluster works with both CONSEC and named user licenses. PSA-Vs will continue to dynamically lease licenses from a license server. The supported scale numbers on AP and A/A clusters will be available during GA time.

The supported platforms are:

VMWare ESXi

KVM

Hyper-V

Azure

AWS

AliCloud

Cluster and License Support Combination

On Hypervisors the VA PCS cluster and VLS are supported. The table below provides the combination of cluster and license support:

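| Sl. No | Hypervisors | Cluster AA | Cluster AP | VLS Standalone support | License server HA |
| --- | --- | --- | --- | --- | --- |
| 1 | VMware – ESXi | Yes | Yes | Yes | Yes |
| 2 | KVM | Yes | Yes | Yes | Yes |
| 3 | Hyper-V | Yes | Yes | Yes | Yes |
| 4 | Azure | Yes | NA* | Yes | NA* |
| 5 | AWS | Yes | NA* | Yes | NA* |
| 6 | AliCloud | Yes | NA* | Yes | NA* |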

* - this is due to limitations in Azure, AWS and AliCloud.

A cluster must be formed from nodes with a similar number of cores. Clusters formed from nodes with dissimilar numbers of cores/CPUs are not supported.