Always-on VPN and VPN Only Access Options Settings

The Pulse Connect Secure (PCS) administrator console provides a simplified way to configure the possible Always-on VPN and VPN Only Access options. Enabling some options restricts or automatically modifies several other options in the Machine Settings.

Machine Settings Configuration

| Settings | Description | When Always-on VPN is enabled | When VPN Only Access is enabled |
|---|---|---|---|
| Always-on Pulse Client | Prevents end users from circumventing Pulse connections. This option disables all configuration settings that allow the end user to disable or remove Pulse connections, services, or software. Default: Disabled | Enabled; Editable | Disabled; Editable |
| VPN Only Access | Prevents any traffic from flowing through unless a Locked-down VPN connection is in the connected state. Default: Disabled | Enabled; Not editable | Enabled; Editable |
| Allow saving logon information | Saves the certificate trust and password information. Default: Enabled | Enabled; Editable | Enabled; Editable |
| Allow user connection | Allows user connections to be added. Default: Disabled | Disabled; Not editable | Disabled; Editable |
| Display Splash Screen | Displays the splash screen on Pulse connection. Default: Enabled | Enabled; Editable | Enabled; Editable |
| Dynamic certificate trust | Allows unknown certificates to be trusted. Default: Enabled | Enabled; Editable | Enabled; Editable |
| Dynamic connections | Allows devices to automatically deploy connections. Default: Enabled | Enabled; Editable | Enabled; Editable |
| EAP Fragment Size | Indicates the maximum number of bytes in an EAPoL message from the Pulse Desktop client for 802.1x connections. Range: 450 - 3000 bytes. Default: 1400 | Enabled; Editable | Enabled; Editable |
| Enable captive portal detection | Allows the Pulse Desktop client to notify the end user that a VPN connection cannot be established until the requirements of a captive portal are fulfilled. Default: Disabled | Enabled; Not editable | Enabled; Not editable |
| Enable embedded browser for captive portal | Allows the Pulse Desktop Client to use an embedded web browser for captive portal pages. Default: Enabled and not editable when Enable captive portal detection is enabled. | Enabled; Not editable | Enabled; Not editable |
| FIPS mode enabled | Deploy Pulse Desktop Client with FIPS enabled. Default: Disabled | Disabled; Editable | Disabled; Editable |
| Wireless suppression | Disconnects all wireless interfaces when a wired interface gets connected to a network. Default: Disabled | Disabled; Editable | Disabled; Editable |
| Prevent caching smart card PIN | Ensures the smart card PIN value is not cached by the Pulse Desktop Client process. Default: Disabled | Disabled; Editable | Disabled; Editable |

When Always-on Pulse Client is enabled, the VPN Only Access option is automatically enabled in the machine settings and cannot be edited.

When Always-on Pulse Client is enabled, the Connection Set and the Connections have the following effects:

- Impeding the end user’s ability to disconnect or disable VPN connections.
- Ensuring that captive portals can still be traversed even when connectivity is locked down.

The “Always-on Pulse Client” check box does not prevent end users with administrator privileges from stopping the endpoint services (the Pulse Secure Service and the Base Filtering Engine (BFE)) that are required to establish VPN connections.
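Because the check box cannot stop a local administrator from halting those two services, the stop itself is worth monitoring. The following detection sketch is an added example, not Pulse Secure code: it scans a System-log export for Service Control Manager Event ID 7036 records in which either service enters the stopped state and pairs each stop with the next restart. The CSV layout, host names and sample rows are constructed, and it assumes the endpoints record 7036 events for these services under the display names used above.

```python
import csv
import io
import re
from datetime import datetime

# Display names as given in the text above.
WATCHED = {"Pulse Secure Service", "Base Filtering Engine"}
# Message text of a Service Control Manager Event ID 7036 record.
STATE_RE = re.compile(r"^The (.+) service entered the (\w+) state\.$")

# Constructed sample export (hypothetical column names and hosts).
SAMPLE_EXPORT = """\
TimeCreated,Computer,Id,Message
2024-03-04T09:12:01,LAPTOP-017,7036,The Pulse Secure Service service entered the running state.
2024-03-04T13:40:10,LAPTOP-017,7036,The Print Spooler service entered the stopped state.
2024-03-04T14:02:33,LAPTOP-017,7036,The Pulse Secure Service service entered the stopped state.
2024-03-04T14:31:09,LAPTOP-017,7036,The Pulse Secure Service service entered the running state.
2024-03-04T16:20:45,LAPTOP-022,7036,The Base Filtering Engine service entered the stopped state.
2024-03-04T16:21:00,LAPTOP-022,7045,A service was installed in the system.
"""

def find_service_outages(export_text, watched=WATCHED):
    """Return one record per stop of a watched service, with its restart time if any."""
    open_stops = {}  # (host, service) -> finding still waiting for a restart
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(export_text)), key=lambda r: r["TimeCreated"])
    for row in rows:
        match = STATE_RE.match(row["Message"].strip())
        if row["Id"] != "7036" or not match or match.group(1) not in watched:
            continue  # other event IDs and unrelated services are ignored
        key = (row["Computer"], match.group(1))
        when = datetime.fromisoformat(row["TimeCreated"])
        if match.group(2) == "stopped" and key not in open_stops:
            finding = {"host": key[0], "service": key[1], "stopped": when, "resumed": None}
            open_stops[key] = finding
            findings.append(finding)
        elif match.group(2) == "running" and key in open_stops:
            open_stops.pop(key)["resumed"] = when
    return findings

def outage_minutes(finding):
    """Length of a closed outage in minutes, or None while the service is still down."""
    if finding["resumed"] is None:
        return None
    return (finding["resumed"] - finding["stopped"]).total_seconds() / 60
```

A finding whose `resumed` value is `None` means the service had not restarted by the end of the export, so that endpoint may still be unable to establish its VPN connection.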