Access Methods
The Pulse Desktop Client supports the following kinds of connections to Ivanti gateways:
• Layer 3 VPN connections to Ivanti Connect Secure
• Layer 2 (802.1x) and Layer 3 connections to Ivanti Secure
• Per-application VPN tunneling to Ivanti Connect Secure (Windows Secure Access Manager)
There are a vast number of possible combinations of connections and configurations. For example, both Layer 2 (wired and wireless) and Layer 3 connections can be configured either with or without enforcement (Host Checker enforcement of system health and policy compliance). Although an endpoint can have only one active VPN connection to Ivanti Connect Secure, an endpoint can have multiple simultaneous Ivanti Policy Secure connections with or without a VPN connection. Also, Ivanti Policy Secure IPsec enforcement in Ivanti Connect Secure (TLS) tunnels is supported.
The following table lists the configurations that are qualified and compatible. Any combination not mentioned in the table is not supported.
| Access Method Configuration | Description | Level of Support |
|---|---|---|
| Layer 3 IPsec tunnel inside VPN outer tunnel | Outer tunnel: TLS or ESP VPN tunnel to Ivanti Connect Secure gateway. Inner tunnel: Layer 3 IPsec tunnel authenticated through Ivanti Policy Secure to ScreenOS or SRX firewall | Qualified |
| Layer 2 Ivanti Policy Secure + | One Ivanti Policy Secure Layer 2 connection running in parallel to multiple Ivanti Policy Secure Layer 3 connections | Qualified |
The following table lists the supported nested tunnel (tunnel-in-tunnel) configurations. The configurations are for an Ivanti Connect Secure v9.1 outer tunnel, an Ivanti Policy Secure v9.1 inner tunnel, and the Pulse Desktop Client v9.1.
Columns 1-4: Ivanti Connect Secure (Outer Tunnel Config). Columns 5-9: Ivanti Policy Secure (Inner Tunnel Support).

| Split-Tunneling Mode | Route Precedence | Route Monitor | Traffic Enforcement | IPsec | IPsec (without VA) | Dynamic IPsec | Source IP | Dynamic Source IP |
|---|---|---|---|---|---|---|---|---|
| Disabled | Tunnel Routes [1] | Disabled | Disabled | Supported | Supported | Supported | Supported | Supported |
| Disabled | Tunnel Routes [1] | Disabled | IPv4 Disabled and IPv6 Enabled | Supported | Supported | Supported | Supported | Supported |
| Disabled | Tunnel Routes [1] | Disabled | IPv4 Enabled and IPv6 Disabled | Not Supported | Supported | Supported | Supported | Supported |
| Disabled | Tunnel Routes | Enabled | Enabled or Disabled | Not Supported | Supported | Supported | Supported | Supported |
| Enabled | Tunnel Routes [1] | Disabled | Enabled or Disabled | Supported [2] | Supported [3] | Supported | Supported | Supported |
| Enabled | Tunnel Routes [1] | Enabled | Enabled or Disabled | Supported [2] | Supported [3] | Supported | Supported | Supported |
| Enabled or Disabled | Endpoint routes | Enabled or Disabled | Enabled or Disabled | Supported [2] | Supported [3] | Supported | Supported | Supported |
1. Tunnel Routes and Tunnel Routes with Local Subnet Access behave the same way.
2. Ivanti Policy Secure IP address, IE IP address, and Ivanti Policy Secure VA pool IP addresses should be added to the Pulse split-tunneling network policy.
3. Ivanti Policy Secure IP address, IE IP address, and protected resources should be added to a Pulse split-tunneling network policy, and Ivanti Connect Secure should have a route to the Ivanti Policy Secure protected resource.
Pulse WSAM does not inter-operate with Ivanti Policy Secure.