Introduction
Hardware Platforms
You can install and use this software version on the following hardware platforms:
•PSA300, PSA3000, PSA5000, PSA7000f, PSA7000c
To download software for these hardware platforms, go to https://support.pulsesecure.net/.
Virtual Appliance Editions
This software version is available for the following virtual appliance editions:
•Virtual Pulse Secure Appliance (PSA-V)
- From the 9.1R1 release onwards, VA-DTE is not supported.
- From the 9.0R1 release, Pulse Secure has begun the End-of-Life (EOL) process for the VA-SPE virtual appliance. In its place, Pulse Secure has launched the new PSA-V series of virtual appliances designed for use in the data center or with cloud services such as Microsoft Azure, Amazon AWS, OpenStack Fabric and Alibaba Cloud.
The following table lists the virtual appliance systems qualified with this release:
Platform | Qualified System |
---|---|
VMware | •HP ProLiant DL380 G5 with Intel(R) Xeon(R) CPU •ESXi 7.0 Update 2c |
OpenStack KVM | •CentOS 7.7 •QEMU/OpenStack KVM v1.4.0 •Linux Server Release 6.4 on an Intel Xeon CPU L5640 @ 2.27GHz •24GB memory in host •Allocation for virtual appliance: 4vCPU, 4GB memory and 40GB disk space |
Hyper-V | •Microsoft Hyper-V Server 2016 and 2019 |
Azure-V | •Standard DS2 V2 (2 Core, 2 NICs) •Standard DS3 V2 (4 Core, 3 NICs) •Standard DS4 V2 (8 Core, 3 NICs) |
AWS-V | •T2.Medium (2 Core, 3 NICs and 2 NICs) •T2.Xlarge (4 Core, 3 NICs) •T2.2Xlarge (8 Core, 3 NICs) |
Alibaba Cloud | •ecs.g6.2xlarge (8 vCPU, 32GB, 2 NICs) |
To download the virtual appliance software, go to: https://support.pulsesecure.net/
VMware Applications
The following table lists the VMware applications qualified:
Platform | Qualified |
---|---|
VMware | |
VMware Horizon View Connection Server version 7.12 | Rewriter |
VMware Horizon Agent version 7.12 | VDI Profiles |
VMware Horizon View HTML Access version 5.4 | VDI Profiles |
VMware Horizon View Client version 5.4 | VDI Profiles |
Upgrade Paths
The following table describes the tested upgrade paths. Please note that here x and y refer to the following:
x: Latest maintenance release version
y: Versions less than x
Upgrade From | Qualified | Compatible |
---|---|---|
9.1Rx | Yes | - |
9.1Ry | - | Yes |
9.0Rx | Yes | - |
9.0Ry | - | Yes |
For versions prior to 9.0, first upgrade to release 9.0Rx or 9.0Ry, and then upgrade to 9.1Rx.
If your system is running a beta or hot-fix version of the software, roll back to your previously installed official software release before you upgrade to 9.1Rx. This practice ensures that the rollback version is a release suitable for production.
Note: On a PCS/PPS virtual appliance, we highly recommend freshly deploying a PSA-V from an OVF based on 8.3Rx or higher when any of the following conditions are met:
•If the disk utilization goes beyond 85%.
•If an admin receives an iveDiskNearlyFull SNMP trap.
•If the factory reset version on the PSA-V is 7.x or 8.0.
Upgrade Scenario Specific to Virtual Appliances
PSA-Vs cannot be upgraded to 9.1R10 without a core license installed. Follow these steps to upgrade to 9.1R10:
x: Latest maintenance release version
1.If PSA-V is running 8.3Rx:
•Upgrade to 9.0Rx.
•Install the Core license through Authcode.
•Upgrade to 9.1Rx.
2.If PSA-V is running 9.0Rx or later:
•Install the Core license through Authcode.
•Upgrade to 9.1Rx.
For details, see the “Noteworthy Information in 9.1R4.3 Release” section.
General notes
1.For policy reasons security issues are not normally mentioned in release notes. For more information on our security advisories, please see our security advisory page.
2.In 8.2R1.1 and above, all the PCS client access binaries (Network Connect, WSAM, Host Checker, JSAM, Windows Terminal Services, Citrix Terminal Services) are signed with a SHA2 code signing certificate to improve security and ensure compatibility with Microsoft OS’s 2016 restrictions on SHA1 code signing. This certificate will expire on April 12, 2021. For details, refer to the KB articles KB14058 and KB43834.
3.Important note: Windows 7 machines must contain a March 10, 2015 Windows 7 Update to be able to accept and verify the SHA2-signed binaries properly. This Windows 7 update is described here and here. If this update is not installed, then PCS 8.2R1.1 and later will suffer from reduced functionality (see PRS-337311 underneath). (As a general rule, Pulse Secure, LLC recommends that client machines be kept current with the latest OS updates to maximize security and stability).
4.When custom ciphers are selected, there is a possibility that some of the ciphers are not supported by the web browser. If any ECDH/ECDSA ciphers are selected, they require an ECC certificate to be mapped to the internal/external interface. If an ECC certificate is not installed and mapped to the internal and external ports (if enabled), administrators may not be able to sign in to the appliance. The only way to recover from this situation is to connect to the system console and select option 8 to reset the SSL settings. Option 8 resets the SSL settings to factory default. Any customization is lost and will need to be reconfigured. This is applicable only to Inbound SSL settings.
5.Pre-5.0 Android and pre-9.1 iOS devices don’t support Suite B ciphers. If Suite B is enabled, Pulse client on pre-5.0 Android and pre-9.1 iOS devices will not be able to connect to the PCS device.
6.The minimum ESAP version supported on 9.1R10 is 3.4.8 and later.
- From the 9.1R2 release onwards, Network Connect (NC) client and legacy Windows Secure Application Manager (WSAM) client are not supported.
- From the 9.1R1 release onwards, Active Directory Legacy Mode configuration is not supported. If you have an existing Active Directory authentication server using Legacy Mode, first migrate to Standard Mode and then upgrade PCS. For the detailed migration procedure, refer to KB40430.
Noteworthy Information in 9.1R13 Release
•At role level, based on the admin selection of solution type, end users can create HTML5 bookmarks.
•Logs are enhanced to include client certificate information.
•Refer to KB44408 for the recommendations / best practices to deploy Virtual Appliance and the logs needed for analysis/troubleshooting.
•An option is available to configure the PSAL time-out under System Maintenance > Options.
•A warning message regarding the session disconnection displays when the localization settings are changed.
•Logs are enhanced to provide more ICT related information.
Noteworthy Information in 9.1R12 Release
•SNMP monitoring enhancement to map index numbers of the interfaces across ifTable and ipAddrTable.
•The grace period for expired licenses is now reduced from 91 days to 31 days.
•Logs are refined and enhanced. They now include session information such as the Session ID, Session start data and end data.
•Enhancements were made to dsagentd to address session resumption issues.
•Source IP restrictions can now be disabled for admin realms from the serial console menu through a newly provided option.
Noteworthy Information in 9.1R11.5 Release
•Added an option for the Admin to enable users to download the Pulse Client Components removal (Pulse Upgrade Helper) tool on Windows End User machines upon Browser access. This option helps to remediate the certificate expiry issue. For more information, refer to KB44781 and KB44810.
•This release provides important security hardening. For more information refer to SA44800.
•Source IP restriction (RFC1918) is removed on Admin Realms for fresh deployments on OpenStack KVM platform. Default source IP restrictions are applicable for PSA appliances, VMware, and Hyper-V platforms.
•An option is available on the admin UI to force users to re-authenticate on IDP in spite of the active user session.
Noteworthy Information in 9.1R11.4 Release
•This release provides important security hardening. For more information refer to SA44784.
Noteworthy Information in 9.1R11 Release
•The HTTP-only DSDID session cookies were introduced from Release 9.0R3. From release 9.1R11 onwards, the DSDID cookies are enabled by default for all new roles created. On upgrade, if DSDID is not enabled for any of the roles, a warning message displays on the dashboard. A link displays on the UI that the administrator can click to enable the DSDID cookies option for all the roles.
•Major browsers disable TLS1.0 and TLS1.1 by default. It is recommended that administrators use TLS1.2 and later and also select the Maximize Security option under Configuration > Security > SSL options for inbound and outbound connections. If not selected, a warning message displays.
•From 9.1R11 onwards, for new ESP VPN Tunneling Connection Profiles, AES256/SHA256 (maximize security) encryption is chosen by default.
•User logs and Administrator logs are refined and enhanced to display more information.
•A source IP restriction is added on Admin Realms so that admins can connect with only private addresses (RFC1918) on fresh deployments or when the configurations are cleared. This restriction is applicable to PSA appliances, VMware, Hyper-V, and OpenStack KVM.
•From 9.1R11, the SHA1 hashing algorithm is removed from the “Maximize Security (High Ciphers)” settings.
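The RFC1918 source restriction on Admin Realms described above can be mirrored when reviewing admin sign-ins or writing an upstream filter. The following is an added example, not Pulse Secure code: the function names and the sample (admin, source IP) pairs are constructed for illustration. It tests against exactly the three RFC 1918 blocks, because Python's broader `is_private` flag also covers link-local and documentation ranges.

```python
import ipaddress

# RFC 1918 defines exactly these three private IPv4 blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(source):
    """True only if `source` is an IPv4 address inside an RFC 1918 block."""
    try:
        addr = ipaddress.ip_address(source.strip())
    except ValueError:
        return False  # unparseable source: treat as not allowed
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so dual-stack sources compare correctly.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version != 4:
        return False
    return any(addr in net for net in RFC1918)

def audit_admin_sources(events):
    """Return the (admin, source) pairs whose source is outside RFC 1918."""
    return [(admin, src) for admin, src in events if not is_rfc1918(src)]

# Constructed sample data (hypothetical names, not real appliance log output).
SAMPLE_EVENTS = [
    ("admin1", "10.20.30.40"),
    ("admin2", "172.31.255.254"),      # near the top of 172.16.0.0/12
    ("admin3", "172.32.0.1"),          # just outside 172.16.0.0/12
    ("admin4", "192.168.1.10"),
    ("admin5", "169.254.10.1"),        # link-local: is_private is True, not RFC 1918
    ("admin6", "::ffff:192.168.5.5"),  # IPv4-mapped IPv6 form of a private address
    ("admin7", "203.0.113.7"),         # documentation range
    ("admin8", "not-an-ip"),
]

if __name__ == "__main__":
    for admin, src in audit_admin_sources(SAMPLE_EVENTS):
        print(f"outside RFC1918: {admin} from {src}")
```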
Noteworthy Information in 9.1R10 Release
•Added stability improvements for L4 JSAM connections.
•Added the following license reporting enhancements on MSSP deployments:
•When the license client has a concurrent users license installed locally, the client excludes the locally installed count while sending lease usage to the license server.
•When the license client has ICE license enabled or has an evaluation license installed which gives maximum platform limit for concurrent users, the license lease usage reported by client is zero.
•The license client allows 10% extra usage over the licensed limit. This applies for maximum lease limit as well. In such a case, the license client reports only the maximum lease limit usage. For example, if license client has leased 100 licenses and 110 users are logged in, license client reports only 100 as usage to the license server.
•Host header validation is introduced in 9.1R10. When this option is enabled on the server under System > Configuration > Security > Miscellaneous, the Pulse Client upgrade through PCS may fail. For more information, refer to KB44646.
•Added graphs to display advanced HTML5 connections under System Status dashboard. Refer to “Displaying System Status” in Pulse Connect Secure Administration Guide.
Noteworthy Information in 9.1R8 Release
For 9.1R8, Pulse Collaboration Client is packaged using PCS 9.1R7 build.
Noteworthy Information in 9.1R4.3 Release
•A critical issue was observed in the 9.1Rx OVF. The 9.1R4.3 release addresses this issue.
•On some of the installations, it was observed that a few read-only files were being overwritten. Customers are experiencing HTTP 500 responses for some of the admin requests. The 9.1R4.3 release addresses this issue.
•Upgrade works only if VA is deployed with 8.3 OVF onwards. If VA is deployed with a pre-8.3 OVF, upgrade to this image will not work.
•Refer to KB44408 for the recommendations / best practices to deploy Virtual Appliance and the logs needed for analysis/troubleshooting.