Adding a Configuration to a New Pulse Client Installation

When you install Pulse Client for Windows or Pulse Client for macOS client on an endpoint using the default Pulse Client installation program, the endpoint has all the Pulse Client components it needs to connect to Pulse Secure servers. However, Pulse Client needs a configuration that identifies the Pulse Secure servers it can connect to, that is, the connections. Connection properties also define how the connections are to be started, manually, automatically, or according to location awareness rules, and how Pulse Client connections receive updates. These connection set properties are also called machine settings. Figure 95 shows the default Pulse Client connection set properties (machine settings) that are passed to Pulse Client as its configuration. Figure 96 shows the connection set properties as they appear in a Pulse Client preconfiguration file, which you can use to add the Pulse Client configuration when you install Pulse Client. The preconfiguration file also includes Pulse Client connections.

There are two methods for installing an initial configuration on a new Pulse Client:

•Use a Pulse Client preconfiguration file (.pulsepreconfig) when you install Pulse Client on endpoints using the default Pulse Client installer.

•Instruct users to open a browser and login to the Pulse Secure server Web portal where the Pulse Client configuration has been defined. After successful login, the user should start Pulse Client from the Web page. Or you can enable Auto-launch as a role option to have the Pulse Client installation begin automatically after login.

The first time Pulse Client connects to a server that offers a Pulse Client configuration, the configuration settings are installed on the client, and the client is bound to that server, which means that only that server can update the client's configuration. Any Pulse Secure server can update the Pulse Client software version if that feature is enabled, and any Pulse Secure server can add a connection to an existing Pulse Client configuration if the Dynamic connections option is enabled as part of the connection set on the binding server. Only the binding server can update Pulse Client's configuration.

If the Pulse Client configuration has Dynamic connections enabled, then connections from other Pulse Secure servers are automatically added to Pulse Client's connections list when the user connects to the other Pulse Secure server through that server's Web portal, and the user starts Pulse Client using the Pulse Secure server's Web portal interface. For example, a user has a Pulse Client configuration from PulseServerA (the binding server) and the Pulse Client configuration allows dynamic connections. If the user browses to PulseServerB and successfully authenticates through that server's Web portal and clicks the Pulse Client button, the server adds a PulseServerB connection to the Pulse Client configuration, and it appears in Pulse Client's connection list. This new connection is set to start manually so that it does not attempt to connect when the endpoint is restarted or conflict with the connections from the binding server. A dynamic connection is added to Pulse Client's connections list. However, the connection's target URL is Pulse Web server URL; it does not use the URL that is defined for the connection in the server's Pulse Client connection properties. In most cases, these URLs will be the same.

You can see a Pulse Client configuration by creating and viewing a pulsepreconfig file. (To create the file, go to the Pulse Client Component screen, select a component set, and then click the Download Pulse Configuration button.) The .pulsepreconfig file contains a section that defines the machine settings and separate sections for each Pulse Client connection deployed to the client, as shown in figure.

The machine settings and each centrally configured connection include the server ID (server-id) of the binding server. When a user browses to a Pulse Secure server, the server can offer a new configuration, (that is, updates to the machine settings). If the server-id under machine settings matches, Pulse Client accepts the configuration update. If the server-id does not match, Pulse Client ignores the update.

Configuration files have a version number as well. When Pulse Client connects to its binding server, Pulse Client compares the version of its existing configuration to the version on the server. If the server version is later than the existing client version, the client configuration is updated. The update might add, change, or remove connections and change machine settings.

If you have several Pulse Secure servers and you want to provision the same Pulse Client configuration from all of the servers, the server ID of the Pulse Client configuration must be the same across all of the servers. To accomplish this, you create the configuration on one server, and then use the "push config" feature of the Pulse Secure server to push the configuration to the other Pulse Secure servers. This method ensures that the server ID of the configuration file is the same across all of the Pulse Secure servers so that clients can receive a configuration update from any of the Pulse Secure servers.