Pulse Connect Secure (PCS) Release 9.0R1
*This post originally appeared on the Pulse Secure blog prior to the acquisition in December 2020, when Pulse Secure became part of Ivanti.
We are excited to announce the release of Pulse Connect Secure (PCS) version 9.0R1. This milestone release introduces major new features, delivering core enhancements to our comprehensive Secure Access platform.
Below are key highlights of the new release.
CLOUD AND VIRTUAL
Introducing: AWS Deployments
You migrated your enterprise applications and workloads to AWS and rued the fact that the remote access solutions in AWS did not meet the cut. You had to backhaul traffic from remote users to the PCS gateways on-prem, which then sent the traffic to AWS.
We have good news. We now have deployments and integration into the AWS IaaS cloud. You can provide secure remote access to your applications and workloads in AWS and use the AWS cloud for DR and hybrid deployments.
As with Azure, deployment in AWS is supported with BYOL (Bring Your Own Licensing) model. Available as an AWS AMI and marketplace listing coming soon.
FQDN-based L3 split tunneling to SaaS and other resources
We have made split tunneling to SaaS apps super simple. Many of you requested the ability to send traffic destined to sanctioned cloud applications outside the tunnel, without backhauling it to the data center and overloading your network pipes and PCS gateways.
With the large IP ranges of these cloud applications and the fact that they could change without notice, split tunneling was cumbersome. You can now create these rules by specifying domain names, greatly simplifying the configuration, allowing you to sleep easy knowing that the policy will continue to work even if those cloud application Gods changed the IP addresses without telling you.
Enhancements to PSA-V virtual appliances (PCS/PPS)
This release continues the evolution of our PSA-V virtual appliances that were introduced in 8.3R3. Many of you will remember our legacy VA-SPE appliances that were somewhat handicapped when compared to the physical appliances. They could not own concurrent user licenses and were forced to lease them from a license server. They could not be clustered together and suffered from other drawbacks.
This release adds clustering support for PSA-V appliances across all the supported hypervisors – Hyper-V, KVM (new on PSA-V), as well as Azure and AWS. At this time, the supported configuration is 2-node A/A clusters. A/P clusters are not supported in cloud platforms due to the platform limitations. Proxy support for communication to PCLS (Pulse Cloud Licensing Service) is also now available.
Enhanced Rewriter (Clientless Access)
One of the hottest features of PCS is our clientless access technology, providing a best-of-breed solution to securely access all things web, RDP, VDI ssh, telnet, HTML5 access etc., armed with nothing but the humble web browser.
What makes all this magic possible? It lies within our rewriting technology, rewriting any URLs generated from either the server or clients so that they point back to the VPN gateway, rather than point to an internal resource that cannot be resolved remotely.
SMB v2/v3 with File Browsing
Like tardigrades, SMB v1 is one of those resilient prehistoric Internet protocols that just refuses to die. Ask Microsoft, they might know something. SMB v1 had worked it’s way deep inside of legacy storage devices, printers and other applications and Microsoft has been a bit sluggish in removing it completely from Windows Servers, even after deprecating it many years ago.
Until 2017 that is, when SMBv1 was implicated in large ransomware attacks. Microsoft has been taking concrete measures to send it the way of the dodo, and has been urging the community to upgrade to the new versions of the protocol.
We are happy to report that file browsing now supports SMB v2 and v3 protocols in 9.0R1.
Embedded Browser for Pulse Desktop Clients (Windows and Mac)
Identity federation seems to be shaking up the Internet. Which is kind of logical when you consider the dispersion of applications and IAM solutions in an increasingly hybrid environment. SAML, the frontrunner of enterprise identify federation had to be designed with Internet friendliness as one of the top goals in mind – think HTTP/S transport.
Before 9.0R1, if you tried SAML federation with the Pulse Desktop Clients earlier, you probably noticed that the clients could not handle the HTTP/S-based SAML flows natively and had to fall back to spinning up the external system browser. Under the hood, this could also result in multiple host check policy evaluation – one from the browser context and one from the Pulse Desktop Clients – very inefficient, indeed.
Pulse Desktop Clients on Windows and Mac now support an embedded browser that is used for SAML flows to provide a native, streamlined user experience.
Clustering over high latency networks
Configuration-sync over high-latency networks has been added to the clustering framework, supporting up to 100ms latencies. At this time, session sync and connection profile using global static IP pools are not supported over high-latency networks.
NDcPP and JITC CAT II Certifications
The fixes and enhancements made to comply with NDcPP and JITC CAT II certifications in v8.2 have been merged in 9.0R1. Customers subject to these compliance mandates can upgrade to 9.0R1 to get the latest enhancements, without compromising on their certifications.
High Availability for License Servers (A/P)
This release adds support for 2-node active/passive clustering of the License Server, including physical as well as virtual editions of the license server. Cloud platforms – AWS and Azure are not supported for A/P clustering of license servers.
Extend IPv6 support for iOS
Pulse Connect Secure server-side enhancements have been made in this release to support iOS clients to use 6-in-6 IPv6 in ESP mode.