Pulse Secure Client

Pulse Secure Client for Windows Phone Quick Start Guide

Product Release 5.1
Document Revision 1.0
Published: 2015-02-10

© 2015 by Pulse Secure, LLC. All rights reserved

Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose, CA 95134
http://www.pulsesecure.net

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Pulse Secure Client for Windows Phone Quick Start Guide

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

Introducing Pulse Secure Client for Windows Phone
- Pulse Secure Client for Windows Phone Overview
- Pulse Secure Client for Windows Phone Supported Platforms
- Pulse Secure Client for Windows Phone Supported Features
- Pulse Secure Client for Windows Phone Limitations
- Configuring Pulse Connect Secure for Pulse Secure Client for Windows Phone VPN Connections
- Configuring a Pulse Secure Client Connection for Windows Phone - Manual Configuration

CHAPTER 1
Introducing Pulse Secure Client for Windows Phone

- Pulse Secure Client for Windows Phone Overview
- Configuring Pulse Connect Secure for Pulse Secure Client for Windows Phone VPN Connections
- Configuring a Pulse Secure Client Connection for Windows Phone - Manual Configuration

Pulse Secure Client for Windows Phone Overview

Pulse Secure client for Windows Phone provides secure connectivity between a Windows Phone and Pulse Connect Secure. Pulse Secure client for Windows Phone is available from the Windows Phone Store. (The Pulse app is visible only when searching from a Windows Phone that is running Windows Phone 8.1.) After installing the Pulse Secure client VPN app on a Windows Phone (Windows Phone 8.1 or later), the user can configure a connection and establish Layer 3 VPN (SSL) communications.

Figure 1: Windows Phone

Configuration on the Pulse server to support Pulse Secure client for Windows Phone is the same as for the Pulse for Windows client. Use the sign-in policies, authentication realms, roles, and VPN tunnel policies to define authentication and access permissions. A typical Pulse server configuration for Windows Phone access is to create a realm, a role, and a remediation role that are designed for Windows Phone users.

Pulse Secure Client for Windows Phone Supported Platforms

Pulse Secure client for Windows Phone is supported on Windows Phone 8.1 and later.

Pulse Secure client for Windows Phone is supported on Pulse Connect Secure R8.0 and later.

Pulse Secure Client for Windows Phone Supported Features

The following is a list of supported features for the Pulse Secure client for Windows Phone:

- Pulse Secure client for Windows Phone supports VPN (SSL) connections to Pulse Connect Secure R8.0 and later. Only one connection at a time can be active. The user can manually connect and disconnect.
- Username and password.
- Username and RSA token code. (User PIN and system PIN are supported.)
- Client certificate, smart card, and virtual smart card.
- Authentication server prompts for retry, change password, create PIN, change PIN, and specify next token code.
- Realm and role selection and preferred realm and role. (The user cannot choose to save a connection preference.)
- Sign-in notification messages.
- Secondary authentication.
- HTTPS proxy.
- IPv4 and IPv6.

Pulse Secure client for Windows Phone supports the following tunneling functions:

- Split tunneling enabled or disabled.
  NOTE: Pulse for Windows Phone connections always have local subnet access enabled.
- SSL-VPN connections.
- Split tunneling policies: IPv4 inclusion and exclusion routes, and IPv6 inclusion routes.
- In split-tunneled mode, the DNS search order options do not apply. Pulse forwards only those DNS requests that fall under the configured DNS suffixes to the specified DNS servers. You can specify the VPN option "Search device DNS only" to forward all DNS requests to configured DNS servers.

Pulse Secure Client for Windows Phone Limitations

Pulse Secure client for Windows Phone supports connections to Pulse Connect Secure only. The following Pulse features are not available with Pulse Secure client for Windows Phone:

- Host Checker
  NOTE: If a user having Pulse Secure client on Windows Phone attempts to connect to a realm or role that has a Host Checker OS check rule enabled, the Windows Phone will fail to check the host.
- Save realm or role preference
- Machine authentication
- Location awareness rules
- Logon and logoff scripts
- WINS server tunnel parameter
- UDP-ESP tunnel (SSL mode only)
- Certificate trust override prompt
- RSA soft-token integration
- Session extension
- Suspend/resume tunnel

Related Documentation

- Configuring Pulse Connect Secure for Pulse Secure Client for Windows Phone VPN Connections
- Configuring a Pulse Secure Client Connection for Windows Phone - Manual Configuration

Configuring Pulse Connect Secure for Pulse Secure Client for Windows Phone VPN Connections

Pulse Secure client enables you to secure your company resources using authentication realms, user roles, and resource policies. For complete information on the Pulse access management framework, see the Pulse Secure documentation.

A Pulse Secure client server checks the authentication policy defined for the authentication realm. The user must meet the security requirements that are defined for a realm's authentication policy, or else the Pulse Secure client server does not forward the user's credentials to the authentication server. At the realm level, you can specify security requirements based on various elements such as the user's source IP address or the possession of a client-side certificate. If the user meets the requirements specified by the realm's authentication policy, the Pulse Secure client server forwards the user's credentials to the appropriate authentication server.
If this server successfully authenticates the user, then the Pulse Secure client server evaluates the role mapping rules defined for the realm to determine which roles to assign to the user.

NOTE: If a user having Pulse Secure client on Windows Phone attempts to connect to a realm or role that has any Host Checker OS check rule enabled, the Windows Phone will fail the host check.

The following is a generalized example of configuring a Pulse server for the Pulse for Windows Phone app.

1. Click Users > User Roles, and then create a new role. You can use an existing role. However, because Host Checker supports different options for each type of device operating system, a typical approach is to create different roles for different devices.
2. Specify a name and optional description for the role, for example, WinPhoneRole, Windows Phone VPN role.
3. To use certificate authentication at the role level, click Restrictions > Certificate on the role's General tab, and add the required certificate information.
4. To sign in, enable certificate authentication by clicking "Only allow users with a client-side certificate signed by Certification Authority". One typical method of installing the client certificate on the Windows Phone is to send the certificate as an attachment to the Windows Phone user. The certificate must be installed on the Windows Phone before the user can connect. The user is prompted to select the certificate during the initial Pulse VPN connection process.
5. Define the client certificate, click Add, and then click Save Changes. For complete information on certificate authentication, see Understanding Digital Certificate Security.
6. Set the options on the role's Web and Files tabs as required.
7. Click Users > User Realms, and then create a new realm or select an existing realm. Configure and save your options on the General and the Authentication Policy tabs.
8. On the Role Mapping tab, click New Rule to create a new role mapping rule. One option for a role mapping rule is to create a custom expression that uses the user agent string to identify a Windows Phone. The Pulse Secure client for Windows Phone user agent string is Junos-Pulse/7.4.0.0 (Windows Phone; ARM) JunosPulseVpn/1.0.0.206. You can use all or part of the string in a custom expression that uses the useragent variable. For example, useragent = '*Windows Phone*'.
9. Select the role that you created earlier for the Windows Phone users, add it to the Selected Roles list, and then click Save Changes.

Related documentation

- Pulse Secure for Windows Phone Overview
- Configuring a Pulse Secure Client Connection for Windows Phone - Manual Configuration
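
The custom expression from step 8 can be checked against sample user agent strings before the rule is saved. The following Python code is an added example, not part of the guide or of Pulse Secure software. It assumes that '*' matches any run of characters and that matching is case-sensitive; the NARROW pattern and every sample string except the one quoted in step 8 are constructed for illustration.

```python
import re

# User agent string of the Pulse Secure client for Windows Phone, from step 8.
PULSE_WINPHONE_UA = "Junos-Pulse/7.4.0.0 (Windows Phone; ARM) JunosPulseVpn/1.0.0.206"

# Constructed sample user agents (not taken from the guide).
SAMPLES = {
    "pulse_winphone": PULSE_WINPHONE_UA,
    "phone_browser": "Mozilla/5.0 (Mobile; Windows Phone 8.1; ARM; Trident/7.0) like Gecko",
    "desktop_browser": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "other_pulse_client": "Junos-Pulse/7.4.0.0 (Example OS) ExampleClient/1.0",
}

BROAD = "*Windows Phone*"                                     # expression from step 8
NARROW = "Junos-Pulse/*(Windows Phone; ARM) JunosPulseVpn/*"  # hypothetical tighter form


def wildcard_match(pattern, value):
    """Assumed semantics: '*' matches any run of characters; everything
    else is literal and case-sensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def matching_samples(pattern, samples=SAMPLES):
    """Names of the sample user agents that the pattern would map to the role."""
    return sorted(name for name, ua in samples.items() if wildcard_match(pattern, ua))


def unexpected_matches(pattern, expected, samples=SAMPLES):
    """Names matched by the pattern that are not in the expected set."""
    return sorted(set(matching_samples(pattern, samples)) - set(expected))


if __name__ == "__main__":
    for pattern in (BROAD, NARROW):
        print(pattern)
        print("  maps:      ", matching_samples(pattern))
        print("  unexpected:", unexpected_matches(pattern, ["pulse_winphone"]))
```

Because the user agent string is supplied by the client, the expression only sorts clients into roles; the certificate restriction from steps 3 to 5 remains the control that decides who may hold the role.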

Configuring a Pulse Secure Client Connection for Windows Phone - Manual Configuration

Pulse Secure client for Windows Phone is available from the Windows Phone Store. (The Pulse app is visible only when searching from a Windows Phone that is running Windows Phone 8.1.) After the user installs the app, the user can create Pulse Secure client VPN connections. Figure 2 shows Pulse Secure client VPN after it has been installed on a Windows Phone.

Figure 2: Windows Phone Apps List

NOTE: To configure a VPN connection, or to initiate a manual VPN connection, use Settings on the phone. Tapping Pulse in the apps list opens the information screen.

You can create, manage, and delete Pulse Connect Secure connections by using Windows Phone Settings. Pulse Connect Secure connections appear as VPN connections in the Networks list.

NOTE: If you use client certificate authentication, the client certificate must be installed on the Windows Phone before Pulse Connect Secure can connect. One typical way of installing a certificate is to e-mail it to the user. Once the user taps the certificate in the e-mail, the Windows Phone installs it.

To create a Pulse Secure client VPN connection on a Windows Phone:

1. Tap Settings, and then tap VPN. If the status slider is set to On, the phone displays a list of existing VPN connections. Figure 3 shows the Windows dialog where you configure the connection.

Figure 3: Manually Adding a Pulse Connection

2. To create a new connection, tap the plus icon at the bottom of the screen. The Add Profile screen appears.
3. In the Server name or IP address box, specify the target for this connection. You can identify the server using the server IP address, the hostname, or a URL that optionally specifies the port the connection uses and the specific sign-in page. To specify a URL, use the following format:

   https://hostname[:port][/][sign-in page]

   The brackets indicate options. Also, if you specify a specific sign-in page, make sure that the name you specify matches what is defined on the Pulse Connect Secure server (Authentication > Signing in > Sign-in pages).
4. Tap the Type box to expand it, and then tap Pulse Secure client VPN to select it.
5. Specify a username and password. If you specify a username and password, the prompt for this information does not appear when you activate the connection. For token code authentication, specify a username and leave the password field blank.
6. Enable or disable Connect automatically as needed.
7. The IP ranges option is available if you have enabled the Connect automatically slider. The IP ranges option lets you identify specific IP addresses that can trigger this Pulse VPN connection. When you attempt a connection to an IP address in the specified range, and that address is not reachable, the Pulse VPN connection is activated.
8. The Profile name defaults to the value you entered in the Server name or IP address box. The Profile name appears in the VPN list; you can change it as required.
9. Tap Advanced to set the following:
   - Proxy: If you enable the Proxy setting, the app opens a screen where you can specify the settings for connecting to the Pulse Connect Secure server through a proxy server.
   - Don't use VPN on company WiFi: When you are in the company office, network traffic uses the company WiFi network without first establishing a VPN connection.
   - DNS suffix: Virtual network interface DNS suffix specification. Not used by Pulse Secure.
   - Don't use VPN for home WiFi traffic: Network traffic uses the home WiFi network without first establishing a VPN connection.

After the user saves the new connection, it appears in the VPN list. The user can tap the connection to initiate a VPN connection. When a VPN connection is active, a small lock icon appears next to the WiFi status icon.

Related documentation

- Pulse Secure for Windows Phone Overview
- Host Checker for Pulse Secure Client for Windows Phone
- Configuring Pulse Connect Secure for Pulse Secure Client for Windows Phone VPN Connections
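
The three forms accepted in the Server name or IP address box (step 3 of the connection procedure) can be checked before a profile value is handed to users. The following Python code is an added example, not part of the guide or of the Pulse app. It assumes port 443 when no port is given and treats anything outside the documented forms as invalid; the sample entries are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def _valid_host(host):
    """True for an IP address literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        labels = host.split(".")
        return (len(host) <= 253 and not labels[-1].isdigit()
                and all(LABEL.fullmatch(label) for label in labels))


def parse_server_field(value):
    """Split a 'Server name or IP address' value into host, port and sign-in page.
    Raises ValueError when the value does not fit the documented forms."""
    value = value.strip()
    if "://" not in value:  # bare IP address or hostname
        if not _valid_host(value):
            raise ValueError("not an IP address, hostname or https:// URL")
        return {"host": value.lower(), "port": 443, "sign_in_page": None}
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials do not belong in the server field")
    if parts.query or parts.fragment:
        raise ValueError("query strings and fragments are not part of the format")
    host = parts.hostname or ""
    if not _valid_host(host):
        raise ValueError("invalid host")
    port = parts.port if parts.port is not None else 443  # .port validates the range
    return {"host": host, "port": port, "sign_in_page": parts.path.strip("/") or None}


def is_valid(value):
    """True when the value parses as one of the documented forms."""
    try:
        parse_server_field(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed entries; example.com and 192.0.2.0/24 are reserved for documentation.
    for entry in ("https://vpn.example.com:8443/winphone", "192.0.2.10",
                  "http://vpn.example.com/", "https://user:pw@vpn.example.com/"):
        print(entry, "->", parse_server_field(entry) if is_valid(entry) else "rejected")
```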