Pulse Connect Secure (PCS) 9.0Rx - 9.1R4: New Feature Introduction



Pulse Connect Secure 9.0R1
New Features

Pulse Connect Secure 9.0R1 Highlights

| Key Feature | Benefit | Use Case |
|---|---|---|
| PCS on AWS | Deploy PCS virtual appliance in AWS | AWS services that require PCS connectivity |
| PCS on Azure enhancements | Allows Azure virtual appliances to be deployed with DS2 systems | Supports 2 NIC ARM templates which allows 2 NIC deployments with DS2 systems. Supports Active-Active cluster |
| WAN Clustering | Configurations synchronized across all the PCS nodes in different datacenters that are connected through WAN | Supports Configuration-Only cluster up to 4 nodes in WAN deployments |
| HTML5 Enhancements | Enhanced End User experience with HTML5 RDP desktops | Allows setting of User Experience flags for HTML5 RDP sessions |
| Rewriter Enhancements | Reduces JavaScript related rewriter issues | Handles new JavaScript keywords through new parser module to reduce rewriter issues |
| SMB v2/v3 support for file browsing | Enhances security and avoids WannaCry kind of issues | SAMBA module upgrade to support SMB v2/v3 for file browsing |
| FQDN based Split Tunneling | Allows FQDNs in Split Tunneling configurations. Benefits Customers using Cloud Services where management of IP based Split Tunneling configurations is difficult | Enables Split tunneling based on FQDNs. Pulse Connect Secure updates Split Tunneling policies dynamically based on FQDNs |


Pulse Connect Secure 9.0R1 Highlights

| Key Feature | Benefit | Use Case |
|---|---|---|
| Proxy support for PCLS connectivity | Allows Customers with strict security and compliance mandates to use a proxy for communicating with PCLS to fetch licenses | PCS communicates through proxy with PCLS to fetch licenses |
| VM Clustering support | High Availability of PCS Virtual Appliances | Clustering support extended to virtual appliances on all platforms – Azure, AWS, Hyper-V, KVM |
| License Server HA | High Availability of License Server Appliances | Supports two node Active/Passive cluster for License server appliances |
| VMWare 7.3.1 and 7.3.2 support | Enables desktop access through VDI using latest VMWare Horizon view | Support latest VMWare Horizon View |
| Embedded browser for SAML authentication | Allows Pulse Secure Client to authenticate with any SAML Identity Provider for VPN services using inbuilt embedded browser | Pulse Secure client uses embedded browser for all SAML authentications |


Pulse Connect Secure 9.0R1 Highlights

| Key Feature | Benefit | Use Case |
|---|---|---|
| Redesigned End-User Experience | Enhances End-User login experience | Redesigned End-User pages enhances overall login experience while accessing cloud services |
| UX enhancements for existing customers | Easy enablement of Cloud Secure functionality in existing PCS customer deployments | Reuses existing PCS configurations to enable Cloud Secure functionality in existing PCS deployments |
| Demo Dashboard | Cloud Secure dashboard with prefilled charts helps in demonstrating Cloud Secure features in POCs/Demos | Displays the Cloud Secure dashboard with prefilled data |
| Telemetry | Collect Cloud Access details from customer environment to better understand their deployments and deliver more relevant solutions | Allows collection of data about Cloud Applications and MDM servers from customer environments |


Cloud Secure 9.0R1 Highlights

| Key Feature | Benefit | Use Case |
|---|---|---|
| Location Awareness | On-Premise users get SSO access to Cloud Services without establishing VPN. Only One license is consumed. | PPS session is reused to provide SSO to Cloud Services without establishing VPN. |
| Android On-Demand VPN support | On Demand VPN enhances End-User experience by allowing one touch application access | Triggers VPN connections dynamically on accessing applications managed by Pulse Workspace |
| AD FS Impersonation enhancements | Secure Access to remote users | Allows remote users to access Office 365 services using PCS as Identity Provider instead of authenticating to On-Premise AD FS server |
| IdP Federation Enhancements | Secure Access to multiple cloud services behind Third-Party IdPs through bookmarks | Enables IdP initiated access to multiple Cloud Services in IdP federation deployments |

Pulse Connect Secure 9.0R2
New Features

Pulse Connect Secure 9.0R2 Highlights

| Key Feature | Benefit |
|---|---|
| REST API enhancement | REST API access for an administrator user can be enabled during initial configuration and while creating a new administrator user in admin console |
| UPN, domain\user formats with LDAP Cred. Provider | Credential Provider with LDAP(S) now supports both UPN and domain\user (pre-windows 2000 login) formats. |
| Option to toggle auto populate domain information | A new option is provided to prevent the rewriter from pre-populating the domain name in the intermediation page when using NTLM authentication. Useful in multi-domain environments for the user to provide domain information themselves, when it is different from the target server domain. |
| Third Party Applications: (New versions) | VMWare 7.4 / 7.5; Lotus iNotes 9.0 (using filters. See KB43863 - Supportability of Lotus Notes 9.0 through Rewrite); RSA Authentication Manager 8.3; Windows RS4 |


Pulse Connect Secure 9.0R2 Highlights

| Key Feature | Benefit |
|---|---|
| Cloud Application Visibility (CAV) | Cloud Application Visibility enables you to secure and manage cloud applications. It also provides visibility of the cloud application used by the user and allows administrators to set granular access and use policies to monitor the Cloud Application usage in real time. This is a licensed feature and it requires Cloud Secure license to be enabled. |
| Host Checker MacOS 64-bit support | Added HC support for Mac OS 64-bit applications. |
| Location Awareness for On-premise users on Android | This feature allows suppressing of VPN connections based on the user location. Location awareness rules are pushed along with the Wi-Fi profile when the user connects to the SSID. This enables On-Premise users to get access to cloud applications without establishing a VPN connection. |
| SHA256 support | With the implementation of SHA256 algorithm support in PCS, the SAML responses can be signed with either SHA1 or SHA256, based on the service provider configurations |


Pulse Connect Secure 9.0R2 Highlights

| Key Feature | Benefit |
|---|---|
| Licensing | Subscription based licenses are added to existing Cloud Secure Licensing. |

Pulse Connect Secure 9.0R3
New Features

Pulse Connect Secure 9.0R3 Highlights

| Key Feature | Benefit | Use Case |
|---|---|---|
| Adaptive Authentication | Enhanced security by detecting user anomalies and safeguarding user identity | Detects anomalous user activity and challenges immediately for second factor authentication |
| Decoupling AAA traffic | Allows PCS to reach out to external/internal authentication servers through different interfaces | Supports segregating AAA traffic to authentication servers through different interfaces. Earlier AAA traffic could only be sent over Internal Interface |
| Default VLAN tagging for Clusters | PCS appliances in Cluster allows VLAN tagging of outgoing packets. | Tags untagged packets on the appliance interfaces, before packets traverse to the switches |
| HTML5 Enhancements | Better End-User experience by allowing users to launch HTML5 RDP from browser bookmarks or URLs | Supports launching of HTML5 RDP from browser bookmarks or customized URLs |
| REST API Enhancements | Allows interoperability and orchestration via REST APIs. Parity with DMI | Allows PCS configurations, fetching status & reports via REST APIs |
| TOTP Enhancements | Eliminates the need to synchronize TOTP secrets between appliances. Enhances security by hiding QR & backup codes | Supports Centralized TOTP server for distributed PCS deployments within an Enterprise |
| Resource throttling for system stability | Enhances System stability | Support of cgroups for efficient management of system resources |


Pulse Connect Secure 9.0R3 Highlights

| Key Feature | Benefit | Use Case |
|---|---|---|
| Core License distribution from License Server | Flexible licensing mechanism with license server handling the leasing of core licenses. License Clients (PSA-V) need not contact PCLS. | Supports leasing of Core Licenses from License Server. |
| LDAP over TLS1.1/1.2 | Strengthens security with stronger ciphers and allows granular cipher suite selection for LDAP communication. | Supports LDAP protocol over TLS1.1/1.2. |
| IKEv2 INITIAL CONTACT support | Clears all stale sessions and allows new L3 VPN connection with PCS. | INITIAL CONTACT payload in IKEv2 request is meant to delete all previous sessions of the existing user and start over fresh. |
| Custom HTTP response headers for security | Enhances security by preventing XSS or similar attacks by sending additional HTTP headers in responses. | Allows configuring custom HTTP headers and inject them in responses. |
| DSDID feature | Enhances security and prevents reading of PCS cookies by using more secure DSDID cookie instead of existing DSID cookie. | Replaces attack prone DSID cookie with more secure and HTTP only DSDID cookie. |
| Option to skip certificate revocation checks | Allows to skip CRL, OCSP revocation checks | Provides an option to skip CRL, OCSP revocation checks when the revocation service is slow or not available |


Pulse Desktop 9.0R3 Highlights

| Key Feature | Benefit | Use Case |
|---|---|---|
| Embedded browser Custom Sign In page support | Enhances end-user experience and improves Sign-in performance during authentication | Supports using embedded browser in Pulse Desktop Client with Custom Sign pages |
| Stealth Mode Machine tunnels | Allows a hidden VPN connection to provide access to limited resources and supports upgrading to more privileged user tunnels on manual connection. | Automatically establishes a hidden tunnel with limited access to corporate resources |
| L3 & L4 Coexistence | Allows customers to use L3 and L4 (WSAM) connections simultaneously | Allows L3 & L4 tunnels from the same Pulse Desktop Client |
| MTU Enhancement | Reduces fragmentation overhead and packet loss by ignoring TCP MSS option in calculating virtual adapter MTU | Ignores TCP MSS options in Virtual Adapter MTU calculation |
| HOB/JSAM Enhancements | Uses PSAL for HOB/JSAM launch by replacing deprecated NPAPI plugins in macOS. Ensures better user experience by detecting JAVA version in windows system and uses respective PSAL binaries. | Support of PSAL for launching HOB/JSAM application is extended to macOS. Detects JAVA version in Windows and uses respective PSAL binaries for application launch. |
| WTS support for NLA with Smart Cards | Allows Smartcard with Network Level authentication | Allows using certificates for remote desktop login and honors NLA as well when non cross-domain certs are used |


Cloud Secure 9.0R3 Highlights

| Key Feature | Benefit | Use Case |
|---|---|---|
| Location Awareness for Android | On-Premise users get SSO access to Cloud Services without establishing VPN from Android devices. Only One license is consumed. | PPS session is reused to provide SSO to Cloud Services without establishing VPN |
| IdP Federation Enhancements | Secure Access to multiple cloud services behind Third-Party IdPs through bookmarks. | Supports IdP initiated SSO access to multiple Cloud Services in IdP federation deployments |
| UX Enhancements | Easy enablement of Cloud Secure functionality. Dashboard and Reports on Cloud Application access | Cloud Secure UX simplifies configuration inputs and allows re-using of existing PCS configurations. |
| SHA256 support | Enhances security by supporting SHA256 algorithm. | Supports signing SAML responses using SHA-256 algorithm |

Pulse Connect Secure 9.0R4
New Features

Pulse Connect Secure 9.0R4 Highlights

| Key Feature | Description |
|---|---|
| User Records Synchronization (URS) enhancement | In this release, this feature is available for Virtual Appliances i.e., VMware, Hyper-V, KVM, AWS & Azure. For more details about URS feature, see the “Synchronizing User Records” section in Pulse Connect Secure 9.0R4 Administration Guide. |
| Send service traffic via any physical interface | Prior to 9.0R4 release, the NTP, SNMP, Syslog, and Log archiving services were set to send the traffic through management port by default. In case the management port was not available, the traffic was routed through internal port. From 9.0R4 release, an administrator can modify the settings of NTP and other services to any physical interface. |
| Backup administrator account for LDAP | In this release, PCS supports two LDAP administrator accounts. By adding the backup account, PCS now has the option to fallback from one to other if one account fails authentication. |
| Remove and refresh expired Root CAs | When the system software is upgraded to 9.0R4, the latest set of Trusted Server CAs are uploaded. Any expired certificates in the default Trusted Server CA store are removed from the system |
| Host Checker enhancement | • Detection of System Integrity Protection (SIP) is available for macOS versions 10.11 and later. • Command rule enables administrators to check for the versions of the installed applications on the macOS endpoints. |


Pulse Connect Secure 9.0R4 Highlights

| Key Feature | Description |
|---|---|
| Support for snmpget | This release supports snmpget for the following: • SNMP monitoring of last day to connect to Pulse cloud or similar. • SNMP get max number of licensed users displayed under the licensing summary. |
| PSAL enhancement | When client log upload is enabled at System > Log/Monitoring > Client Logs > Settings, endpoints utilizing the Pulse Secure Application Launcher (PSAL) can upload client logs. |
| VA Partition for VMWare | This feature uses volume-based grouping of the disk partitions so that the administrator can flexibly define the size or rearrange the layout based on the requirement of the installed image. |
| Support for MOBIKE protocol | IKEv2 Mobility and Multihoming protocol provides better handling of clients that change IP addresses. |

Pulse Connect Secure 9.0R5
New Features

Pulse Connect Secure 9.0R5 Highlights

| Key Feature | Description |
|---|---|
| Report Max Used Licenses to HLS\|VLS | From 9.0R5 release, the licensing client (PCS) starts reporting maximum used sessions count instead of the maximum leased licenses count. For MSP customers, this change helps in billing the tenants based on maximum sessions used. |
| Managing active user sessions | From 9.0R5 release, an administrator is provided with an option to delete selected active user sessions or all the active user sessions. |

Pulse Connect Secure 9.1R1
New Features

Pulse Connect Secure 9.1R1 Highlights

| Key Feature | Use Case |
|---|---|
| Software Defined Perimeter | Pulse Secure SDP uses PCS appliances which individually act as either an SDP controller or an SDP gateway. Mobile users of the Pulse Secure Client perform authentication on an SDP controller which runs an Authentication, Authorization and Accounting (AAA) Service. The SDP controller then enables direct communication between the user and the SDP gateways that protect the user’s authorized resources and enables requested encryption. |
| Source-NAT Support | User access to internet resources from an Azure-based or AWS-based PCS Gateway |
| DNS traffic on any physical interface | Prior to 9.1R1 release, DNS traffic was sent over the Internal interface. Starting with 9.1R1 release, an administrator can modify the DNS setting to any physical interface namely Internal Port, External Port or Management Port. |


Pulse Connect Secure 9.1R1 Highlights

| Key Feature | Use Case |
|---|---|
| REST API Enhancements | Enhancements include: ▪ Getting Config without Pulse packages such as ESAP package and Pulse Client package ▪ Backing up and restoring binary configuration |
| Deploying PSA-V in KVM | User can deploy PSA-V in Kernel-based Virtual Machine using a template. |
| Authentication failure management | Account Lockout option to manage user authentication failures for admin users of local authentication server. The admin user account will be locked after specified number of consecutive wrong password attempts. The account will be unlocked after the specified lockout period or by using the Unlock option. |
| Pulse SAM IPv6 support | PCS now supports IPv6 traffic over Pulse SAM on Windows 10/8.1/7 |


Pulse Connect Secure 9.1R1 Highlights

| Key Feature | Use Case |
|---|---|
| MacOS NPAPI Deprecation Fix | On Mac platform, NPAPI is deprecated. PCS now provides ability to launch all Pulse clients on Mac using PSAL component. |
| Support for “client-name” parameter in HTML5 Access | User can pass "client-name" in HTML5 rdp using launcher method. The %clientname% variable is matched with a workstation ID and normally that variable is unique and dedicated remote desktop computer name. |
| ECP Throttling | ECP throttling provides a mechanism to identify and stop all duplicate ECP requests being sent to AD server for authentication thus preventing the user from AD account lock out. |


Pulse Cloud Secure 9.1R1 Highlights

| Key Feature | Use Case |
|---|---|
| ECP Throttling | ECP throttling provides a mechanism to identify and stop all duplicate ECP requests being sent to AD server for authentication thus preventing the user from AD account lock out. |


Pulse Desktop Client 9.1R1 Highlights

| Key Feature | Use Case |
|---|---|
| Launching Pulse Desktop Client using URL | Pulse Desktop Client can now be launched using a URL. Customers can insert the URL in any tools (For example: Support ticket management tool), so that when user clicks on the URL, Pulse Desktop Client gets invoked and connects to the VPN. |
| Pulse SAM IPv6 Support | Pulse Desktop Client now supports IPv6 traffic tunneling in Pulse SAM mode on Windows 10, Windows 8.1 and Windows 7 platforms. |
| Automatic Keyboard popup on Surface Pro | When the users select the username or the password field on Pulse Desktop Client installed on a Windows Surface device, the virtual keyboard automatically pops up so that user can enter the credentials. |
| PSAM + L3 Tunnel Co-existence | |

Pulse Connect Secure 9.1R2
New Features

Pulse Connect Secure 9.1R2 Highlights

| Key Feature | Use Case |
|---|---|
| SP-Initiated SAML SSO | Pulse Secure supports SP-initiated SAML SSO when PCS is configured as IdP in gateway mode. PCS uses the existing user session in generating SAML assertion for the user for SSO. |
| IDP initiated SAML Single Logout | This feature provides a single logout functionality wherein if a user gets logged out of a session from one application, PCS (configured as IdP) notifies all other connected applications of that user with Single Logout. |
| Flag Duplicate Machine ID in access logs | Pulse client expects the machine ID is unique on each machine. If multiple endpoints have the same machine ID, for security reasons, the existing sessions with the same machine id are closed. A new access log message is added to flag the detection of a duplicate Machine ID in the following format: `Message: Duplicate machine ID "<Machine_ID>" detected. Ending user session from IP address <IP_address>. Refer document KB25581 for details.` |

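
The access log message format quoted above can be matched directly when triaging duplicate machine IDs. The following Python sketch is an added example, not Pulse Secure code; only the message text comes from the format above, while the log prefix, machine ID values and addresses in the sample are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Message text from the 9.1R2 format. It is searched anywhere in the line
# because the prefix in front of it depends on the log configuration
# (assumption: the message body is logged verbatim).
DUP_RE = re.compile(
    r'Duplicate machine ID "(?P<machine_id>[^"]+)" detected\. '
    r'Ending user session from IP address (?P<ip>[0-9A-Fa-f:.]+)\.'
)

# Constructed sample: timestamps, host name, machine IDs and addresses are made up.
SAMPLE_LOG = """\
2020-01-14 09:12:03 pcs01 access: Duplicate machine ID "A1B2C3D4E5" detected. Ending user session from IP address 198.51.100.23. Refer document KB25581 for details.
2020-01-14 09:12:40 pcs01 access: unrelated line (constructed)
2020-01-14 09:40:11 pcs01 access: Duplicate machine ID "A1B2C3D4E5" detected. Ending user session from IP address 203.0.113.7. Refer document KB25581 for details.
2020-01-14 10:02:55 pcs01 access: Duplicate machine ID "FFEE0011" detected. Ending user session from IP address 2001:db8::15. Refer document KB25581 for details.
2020-01-14 10:03:10 pcs01 access: Duplicate machine ID "FFEE0011" detected. Ending user session from IP address 2001:db8::15. Refer document KB25581 for details.
"""


def parse_duplicate_events(lines):
    """Return a (machine_id, ip) tuple for every duplicate-machine-ID message."""
    events = []
    for line in lines:
        match = DUP_RE.search(line)
        if match is None:
            continue
        raw_ip = match.group("ip")
        try:
            ip = str(ipaddress.ip_address(raw_ip))  # normalise IPv4/IPv6 text
        except ValueError:
            ip = raw_ip  # keep the event even if the address is malformed
        events.append((match.group("machine_id"), ip))
    return events


def summarize(events):
    """Group ended sessions by machine ID, widest spread of source IPs first."""
    by_id = defaultdict(lambda: {"ended_sessions": 0, "source_ips": set()})
    for machine_id, ip in events:
        by_id[machine_id]["ended_sessions"] += 1
        by_id[machine_id]["source_ips"].add(ip)
    report = [
        {
            "machine_id": machine_id,
            "ended_sessions": rec["ended_sessions"],
            "source_ips": sorted(rec["source_ips"]),
        }
        for machine_id, rec in by_id.items()
    ]
    # IDs seen from several addresses are the ones shared between endpoints.
    report.sort(key=lambda r: (-len(r["source_ips"]), -r["ended_sessions"], r["machine_id"]))
    return report


if __name__ == "__main__":
    for row in summarize(parse_duplicate_events(SAMPLE_LOG.splitlines())):
        print(row["machine_id"], row["ended_sessions"], ", ".join(row["source_ips"]))
```
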

Pulse Connect Secure 9.1R2 Highlights

| Key Feature | Use Case |
|---|---|
| Microsoft RDWeb HTML5 Access | The newly introduced Microsoft RDWeb resource profile controls access to the published desktops and applications based on HTML5. The Microsoft RDWeb templates significantly reduce the configuration time by consolidating configuration settings into one place and by pre-populating a variety of resource policy settings. Note: In the 9.1R2 release, Microsoft RDWeb HTML5 access does not support Single Sign On. SSO will be made available in the future release. |
| Backup configs and archived logs on AWS S3/Azure Storage | Two new methods of archiving the configurations and archived logs are available now apart from SCP and FTP methods: Pulse Connect Secure now supports pushing configurations and archived logs to the S3 bucket in the Amazon AWS deployment and to the Azure storage in the Microsoft Azure deployment. |
| V3 to V4 OPSWAT SDK migration | PCS supports the migration of servers and clients to OPSWAT v4 to take advantage of latest updates. |
| Report Max Used Licenses to HLS\|VLS | From 9.1R2 release, the licensing client (PCS) starts reporting maximum used sessions count instead of the maximum leased licenses count. For MSP customers, this change helps in billing the tenants based on maximum sessions used. |

Pulse Connect Secure 9.1R3
New Features

Pulse Connect Secure 9.1R3 Highlights

| Key Feature | Use Case |
|---|---|
| Consolidated system and troubleshooting logs | The various system logs and troubleshooting logs that help in investigating user access issues and system issues can be configured and accessed using the Log Selection page. |
| Connect to nearest available DC | The LDAP authentication configuration is enhanced in 9.1R3 to locate the nearest Microsoft domain controllers, which are spread across the globe, by resolving DNS SRV records. |
| Zero touch provisioning | From 9.1R3 release, PCS can detect and assign DHCP networking settings automatically at the PCS VM boot up. In the script included in the PSA-V package, the PCS parameters should be set to null in order to fetch the networking configuration automatically from the DHCP server. Note: This feature is not supported on PSA hardware. |
| PCS hosted in OpenStack cloud | OpenStack is an open source cloud computing platform that allows deploying and managing a cloud infrastructure as an IaaS service. As part of this release, Pulse Secure supports deploying PCS KVM in OpenStack cloud. |
| VMware tools support | From 9.1R3 release, VMware support is qualified for VMware 10.3.10, ESXi 6.7 Update 2c. |
| Debug Log storage expansion | From 9.1R3 release, the maximum debug log size is increased to 1024 MB on hardware platforms. |


Pulse Connect Secure 9.1R3 Highlights

| Key Feature | Use Case |
|---|---|
| Periodic iostat data collection | From 9.1R3 release, the “iostat” information is gathered periodically and made available as part of node monitoring in system snapshot. |
| Control copy/paste option for a user from an HTML5 session | 9.1R3 release provides option to the administrators as well as end-user to enable/disable copy/paste from HTML5 RDP sessions. This option will be available under User Roles as well as Admin Created Bookmarks. |
| Enhancements to Local Authentication Server default password | From 9.1R3 release, for a fresh installation, the valid password range defined is 0-999. Minimum length 10 and maximum length 128 are set as default values. |
| Restricting access to default resource policies | From 9.1R3 release, for a fresh installation, the following predefined resource policies are set to “Deny” state by default. • Web Access Resource Policy “Initial Policy for Local Resources” • Windows File Access Resource Policy “Initial File Browsing Policy” Note: The predefined policy for VPN Tunneling is not provided. |
| IKEv2 Fragmentation | IKEv2 packets can be larger than the MTU especially the IKE_AUTH packets which include the certificate chain. These larger IKE packets get fragmented in the intermediate devices. This feature implements fragmentation at IKE level and avoids IP fragmentation. |
| MSS value for TCP connections on Tun devices | Due to larger IPv6 header as compared to IPv4, if the MSS of the PCS external interface is not set appropriately, the packets would be dropped on the external interface. This feature enables to set MSS to a lower value so that TCP connections are not dropped for 6-in-4 cases or when there is NAT translation somewhere in the network before reaching PCS. |

Pulse Connect Secure 9.1R4
New Features

Pulse Connect Secure 9.1R4 Highlights

| Key Feature | Use Case |
|---|---|
| PCS VA on Alibaba Cloud | PCS now supports VA deployment on Alibaba Cloud. |
| Conditional Access | Conditional Access feature for Cloud Secure provides a mechanism to enforce access control policies based on user, device and location parameters by defining policies for applications. Conditional Access policies are evaluated during application access time while roles are mapped to the session during the session creation time. |
| REST API enhancements | Enhancements include: Update to “Getting Active Sessions”; Update to “Getting System Information”; Added “Fetching the User Login Statistics”; Added “Health Check Status”; Added “VIP Failover”; Added “Applying License”; Added “Deleting License”; Added “Getting License Clients”; Added “Getting License Report from License Server”; Added Profiler REST APIs |


Pulse Connect Secure 9.1R4 Highlights

| Key Feature | Use Case |
|---|---|
| vTM and PCS Integration for Load Balancing | The Platform Limit, Maximum Licensed User Count and Cluster Name attribute values are available for optimal load balancing. |
| Support for Windows Redstone 6 | In 9.1R4 release, Windows Redstone 6 - version 1909 is qualified. |
| Support for SharePoint 2019 | In 9.1R4 release, SharePoint 2019 is qualified. |
| Support for VMware VDI 7.9, and 7.10 | In 9.1R4 release, VMware VDI versions 7.9 and 7.10 are qualified. |


Pulse Connect Secure 9.1R4 Highlights

| Key Feature | Use Case |
|---|---|
| Support for Citrix Virtual Apps and Desktops 7 1909 | In 9.1R4 release, Citrix Virtual Apps and Desktops 7 1909 is qualified. |
| Protect passwords stored in local auth server using stronger hash | When a new local authentication server is created, now admin has a choice to store the password with strong hashing using pbkdf2. |
| Support license reporting per license client | Licensing report is enhanced with usage statistics for each PCS instance - maximum user count per month per PCS/per MSSP. MSSPs can now: generate accurate usage reports of their customers; make the structured report in XML format to enable for parsing and usage for dashboard |
