Pulse Connect Secure

DATASHEET

Pulse Connect Secure
Next-Gen Secure Access for Today’s Zero-Trust Networks

Product Overview

BYOD and cloud have increased the need for anywhere access from devices, both personal productivity (laptop, smartphones, smartpads) and IP-enabled (printers, cameras, phones), to data or applications that reside in the traditional datacenter or cloud. Pulse Connect Secure provides a seamless, cost-effective, SSL VPN solution for remote and mobile users from any web-enabled device to corporate resources, anytime, anywhere.

Product Description

Enterprises and service providers have the difficult challenge of providing location- and device-independent network connectivity that is secure and capable of controlling resource access for authorized users. Breaches and threats continue to spiral out of control, and increasing numbers of employees and users want to use their own personal productivity solutions. Pulse Connect Secure provides secure, authenticated access for remote and mobile users from any web-enabled device to corporate resources, anytime, anywhere. It is the most widely deployed SSL VPN for organizations of any size, across every major industry.

Pulse Connect Secure includes Pulse Secure Clients and the AppConnect SDK. Pulse Clients are dynamic, multiservice network clients for mobile and personal computing devices. Pulse Clients are simply deployed, enabling users to quickly “click and connect” from any device, anywhere. Pulse Secure AppConnect SDK delivers per-application SSL VPN connectivity for iOS and Android clients, enabling IT to create an even more transparent and secure mobile app experience for their users.

Architecture and Key Components

Pulse Connect Secure is available on Pulse PSA Series Appliance Family, as hardware (Pulse PSA Series) or as a virtual appliance (PSA-V Series) as noted below.

PSA3000 Pulse Secure Appliance: Fixed configuration, rack-mount appliance ideal for small and mid-size businesses, supporting up to 200 SSL VPN concurrent users.
PSA5000 Pulse Secure Appliance: Fixed configuration appliance ideal for scalable mid-size businesses, supporting up to 2,500 SSL VPN concurrent users.
PSA7000 Pulse Secure Appliance: Fixed configuration appliance ideal for meeting the highest scalability needs of large businesses, supporting up to 25,000 SSL VPN concurrent users.
Virtual Appliances (PSA-V Series): ESXi, KVM, Hyper-V, Microsoft Azure, Amazon AWS, OpenStack Fabric and Alibaba Cloud appliances for scalable elastic deployment of SSL VPN services.

Pulse Secure Virtual Appliances (PSA-V Series) include:

PSA3000-V: Supporting 2 vCPU cores and up to 200 users.
PSA5000-V: Supporting 4 vCPU cores and up to 2500 users.
PSA7000-V: Supporting 8 vCPU cores and up to 25,000 users.

For more details on PSA Series Appliance Family, including the specifications and ordering information of each model, please refer to the Pulse PSA Series Appliance datasheets.

Pulse Secure Clients

Pulse Clients securely connect users to networks, both data center and cloud. Wrapped in an extremely user-friendly package, Pulse Clients dynamically enable the appropriate network and security services on users’ endpoints. Users are not distracted from their work activities to figure out what network they are on or what service to enable. With Pulse Secure, the connection just works, helping to deliver the productivity promised by mobile devices. Pulse Client delivers dynamic access control, seamlessly switching between remote (SSL VPN) and local (NAC) access control services on Microsoft Windows devices. Pulse Client also enables comprehensive endpoint security posture assessment for mobile and desktop computing devices, with quarantine and remediation, if necessary.

The digital world continues to create workforce productivity beyond BYOD. More enterprises are combining apps and across datacenter and cloud resources to meet growing demand and productivity. The result is a hybrid approach blending private and public IT architectures. Learn how to embrace Hybrid IT with Pulse Cloud Secure and have the capabilities to blend cloud and datacenter access into a seamless user experience for your next generation workforce. Additional details about Pulse Cloud Secure is re/overview/

Features and Benefits

Table 1: Key Features of Pulse Connect Secure

FEATURE / FEATURE DESCRIPTION

Layer 3 SSL VPN
Dual-transport (SSL Encapsulating Security Payload) full Layer 3 VPN connectivity with granular access control.
“Always-on VPN with Lockdown Mode” & “VPN Only Access” modes for Compliance (VPN connection automatically connects/disconnects based on user’s location).

Application VPN
Client/server proxy application that tunnels traffic from specific applications to specific destinations (available for Windows devices only).
“On Demand VPN” and “Per App VPN”, for seamless & secure end user experience.

Layer 7 Web single sign-on (SSO) via SAML
Allows end users to authenticate to the network through a Layer 3 tunnel, while simultaneously enjoying SSO to Web applications accessed through their browser via SAML SSO support.

Conditional Access
Validate and verify devices and users via a set of automated policies to protect networks and data. Each access attempt is evaluated dynamically and controlled in real-time based on the policies in effect. Enables granular control and Zero Trust enforcement for application access.

Optimized end-user experience
Smooth roaming from remote access to local LAN access (Pulse Policy Secure).
Single Sign On (SSO) for rapid, secure access from remote or onsite locations (via integration with Pulse Cloud Secure and Pulse Policy Secure).

Stateful endpoint integrity and assessment
Assess and remediate end user devices prior to authentication with easy policy definition.
Windows 10 (Desktop & Mobile), Mac OS X, Apple iOS, and Android.

Flexible launch options (standalone client, browser-based launch)
Users can easily launch SSL VPN via their Web browser, or directly from their desktop.
Auto Connect feature allows devices to automatically connect to VPN, either at the time when the machine starts or user logs on.
VPN on demand feature leverages OS capabilities for auto triggering VPN, seamlessly in the background, when an approved application needs corporate access.

Supports Pulse Cloud Secure Solution

Preconfiguration options (Windows and Mac only)
Administrators can preconfigure a Pulse Secure deployment with a list of gateways for end users to choose from.
Authentication options
Adaptive Authentication using dynamic, multi-factor authentication using several user attributes.
Administrators can deploy Pulse Secure for remote user authentication using a wide array of authentication mechanisms, including biometric authentication support with Windows Hello for Business, hardware token, smart card, soft token, Google Authenticator, one-time passwords and certificate authentication.
Administrators can choose to send AAA traffic via a desired interface (internal / external / management), for delegating user authentication to an Identity Provider.

www.pulsesecure.net

Blend cloud and datacenter access into a seamless user experience for next generation workers.
Ability to add compliance rules for hybrid DC access.

RDP/Telnet/SSH sessions using HTML5
100% clientless access using HTML5 browsers.

VMware Horizon and Citrix XenApp/XenDesktop VPN
Pulse Secure supports the latest versions of VMware and Citrix. For specific details, consult our Supported Platforms Guide available at www.pulsesecure.net/techpubs

Granular SSL Cipher Configuration
Enables the administrator to select specific ciphers over those pre-configured for highly secure compliance.

REST API
A comprehensive REST-based API for programmatic access to the appliances.

End-to-End Layered Security

Pulse Connect Secure provides complete end-to-end layered security, including endpoint client, device, data, and server layered security controls.

Table 2: End-to-End Layered Security Features and Benefits

FEATURE / FEATURE DESCRIPTION / Benefits

Endpoint devices can be checked prior to and during a remote access session to verify an acceptable device security posture requiring installed/running endpoint security applications (antivirus, personal firewall, etc.), as well as check for IT-required Operating System versions, patch level, browser type, and many other requirements.
Custom-built checks for specialized customer requirements are also supported.
Noncompliant endpoints can be quarantined, denied access, or granted access, depending on administrator defined policies.
Whenever possible, Host Checker automatically remediates noncompliant endpoints by updating software applications that do not comply to corporate security policies.

Trusted Network Connect (TNC) support in Host Checker
Allows interoperability with diverse endpoint security solutions from antivirus to patch management to compliance management solutions.
Enables customers to leverage existing investments in endpoint security solutions from third-party vendors.

Always-On VPN
Ensure all traffic from endpoints is sent over the tunnel which is set up automatically when an Internet connection is detected.
Enables organizations to enforce security, compliance and visibility on all traffic from endpoints even when they are not on-prem.

Stateful Endpoint Compliance Checking
Ensures that endpoint devices meet corporate security policy requirements before being granted network access.
Remediates devices and quarantines users, when necessary.
Can ensure that no potentially sensitive data is left behind on the endpoint device.

Ease of Administration

In addition to enterprise-class security benefits, Pulse Connect Secure has a wealth of features that make it easy for the administrator to deploy and manage.

Table 3: Ease of Administration Features and Benefits

FEATURE / FEATURE DESCRIPTION / Benefits

Mobile Device Management (MDM) integration (available with Pulse Workspace, Microsoft Intune, AirWatch, MobileIron)
Enables consolidated reporting and dashboards for simplified management.
Leverages MDM attributes for more intelligent and centralized policy creation.
Facilitates transparent “no touch” MDM-based deployment of Pulse Clients to iOS and Android devices.
Extend MDM investments to gain comprehensive endpoint visibility and support additional mobile use cases.

Secure Browser
A mobile browser for securely accessing corporate web applications, without the need of installing / managing / launching a VPN client.
IT does not have to worry about deploying and managing VPN on mobile devices. End user does not have to worry about launching VPN. Seamless end user experience where a user launches browser and accesses his resources, as he would normally expect to.

Secure Access for SAP Applications
Embeds Pulse Secure Per-App VPN SDK into SAP’s Fiori mobile applications.
Provides transparent, secure data center connectivity for SAP services through the existing Pulse Secure VPN appliance.

Integration with strong authentication and identity and access management (IAM) platforms
Ability to support SecurID, Security Assertion Markup Language (SAML) including standards-based SAML v2.0 support, and public key infrastructure (PKI)/digital certificates.
Leverages existing corporate authentication methods to simplify administration.

Bridge Certification Authority (BCA) support
Supports federated PKI deployments with client certificate authentication. Bridge CA is a PKI extension (as specified in RFC 5280) to cross-certify client certificates that are issued by different trust anchors (Root CAs).
Also, enables customers to configure policy extensions in the admin UI, to be enforced during certificate validation.
Enables customers who use advanced PKI deployments to deploy the Pulse Secure Appliances to perform strict standards-compliant certificate validation, before allowing data and applications to be shared between organizations and users.

Multiple hostname support
Intuitive Dashboard Design
Ability to host different virtual extranet websites from a single appliance.
Saves the cost of incremental servers.
Eases management overhead.
Provides a transparent user experience with differentiated entry URLs.
View and control enterprise access to the data center and cloud from one console. (Reference Diagram 1)
Quick access to dynamic information and reports.
Customizable layouts via drag and drop functionality.

Customizable user interface
Creation of completely customized sign-on pages.
Provides an individualized look for specified roles, streamlining the user experience.

Pulse One Compatible
Pulse Application Launcher (PAL)
With Pulse One, configuring, updating, and monitoring PSA Series Appliances Family under a centralized management console with the capabilities of a single device/cluster or across a global cluster deployment.
Enables companies to conveniently manage, configure, and maintain PSA or Series Appliances Family along with Pulse Workspace from one central location.
Enhanced support for non-JAVA based browsers.
Support for latest generation browsers (Apple, Microsoft, Google, Firefox, etc) that do not support Java and Active X.

Diagram 1 - Dynamic UI for Pulse Connect Secure, Version 8.2

Rich Access Privilege Management Capabilities

Pulse Connect Secure provides dynamic access management capabilities. When users log into Pulse Connect Secure, they pass through a pre-authentication assessment, and are then dynamically mapped to the session role that combines established network, device, identity, and session policy settings. Users have access only to those resources that are deemed necessary for that session, according to administrator-defined policies.

Table 4: Access Privilege Management Features and Benefits

FEATURE / FEATURE DESCRIPTION / Benefits

Dynamic role mapping with custom expressions
Combines network, device, and session attributes to determine which types of access are allowed.
A dynamic combination of attributes on a per session basis can be used to make the role mapping decision.
Enables the administrator to provision by purpose for each unique session.

SSL VPN federation with NAC (Pulse Policy Secure)
Seamlessly provision SSL VPN user sessions into NAC sessions upon login.
Since session data is shared between the Pulse Secure Appliances for SSL VPN and NAC, users need to authenticate only one time to get access in these types of environments.
Provides users, whether remote or local, seamless access with a single login to corporate resources that are protected by access control policies.
Simplifies the end user experience.

Support for RSA Authentication Manager
Standards based built-in Time-based One-Time Password (TOTP)
Multiple sessions per user
User record synchronization
Mobile-friendly SSL VPN login pages

RSA Authentication Manager 8.1 enables Risk Based Authentication.
Offer another authentication layer option via email account.
Enables multi-factor authentication using smartphones.
Leverage ubiquitous smart phones to roll out a cost-effective and self-serve two-factor authentication mechanism, where one time passcodes are generated by a mobile app.
Implemented based on RFC6238.
Allows remote users to launch multiple remote access sessions.
Enables remote users to have multiple authenticated sessions open at the same time, such as when accessing VPN from a laptop and from a smartphone simultaneously.
Supports synchronization of user records such as user bookmarks across different Pulse Secure Appliances.
Ensures a consistent experience for users who often travel from one region to another and therefore need to connect to different Pulse Secure Appliances running Pulse Connect Secure.
Provides predefined HTML pages that are customized for mobile devices, including Apple iPhone and iPad, Google Android, and Nokia Symbian devices.
Provides mobile device users with a simplified and enhanced user experience and webpages customized for their device types.

Flexible Single Sign-On (SSO) Capabilities

Pulse Connect Secure offers comprehensive single sign-on (SSO) features. These features increase end user productivity, greatly simplify administration of large diverse user resources, and significantly reduce the number of help desk calls.

Table 5: Flexible Single SSO Features and Benefits

FEATURE / FEATURE DESCRIPTION / Benefits

SAML single sign-on for cloud and Web applications access
SAML 2.0-based SSO to a variety of Web applications, including many of today’s most popular Software as a Service (SaaS) applications such as Salesforce.com and Google Apps.
Includes SSO functionality, even when connecting via a Pulse Connect Secure Layer 3 VPN tunnel, which is unique in the industry.
Pulse Connect Secure supports deployments as both an SAML Identity Provider (IdP) and as a SAML Service Provider (SP).
Single sign-on to a user’s Web and cloud-based applications, simplifying the user’s connectivity experience.

Kerberos Constrained Delegation
Support for Kerberos Constrained Delegation protocol.
When a user logs into Pulse Connect Secure with a credential that cannot be proxied through to the backend server, the gateway will retrieve a Kerberos ticket on behalf of the user from the Active Directory infrastructure.
The ticket will be cached on Pulse Connect Secure throughout the session.
When the user accesses Kerberos-protected applications, the Appliance will use the cached Kerberos credentials to log the user into the application without prompting for a password.

Kerberos SSO and NT LAN Manager (NTLMv2) support
Pulse Connect Secure will automatically authenticate remote users via Kerberos or NTLMv2 using user credentials.
Simplifies the user experience by eliminating users entering credentials multiple times to access different d

SSO basic authentication and NTLM
Web-based SSO forms-based, header variable based, SAML based

Eliminates the need for companies to manage static passwords resulting in reduced administration time and costs.
Standards-based interface for extensive integration with password policies in directory stores (LDAP, AD, and others).
Leverages existing servers to authenticate users.
Users can manage their passwords directly through the Pulse Connect Secure interface.
Allows users to access other applications or resources that are protected by another access management system without reentering login credentials.
Alleviates the need for users to enter and maintain multiple sets of credentials for web-based and Microsoft applications.
Ability to pass user name, credentials, and other customer defined attributes to the authentication forms of other products and as header variables.
Enhances user productivity and provides a customized experience.

Provision by Purpose

Pulse Connect Secure includes different access methods.
These different methods are selected as part of the user’s role, so the administrator can enable the appropriate access on a per-session basis, taking into account user, device, and network attributes in combination with enterprise security policies.

Table 6: Provisioning Features and Benefits

FEATURE / FEATURE DESCRIPTION / Benefits

Pulse Secure Client
Single, integrated, remote access client that can also provide LAN access control, and dynamic VPN features to remote users.
Pulse Client replaces the need to deploy and maintain multiple, separate clients for different functionalities such as VPN and LAN access control.
The end user simply “clicks and connects.”

Secure access to many different types of web-based applications, including many of today’s most common Web applications such as Outlook Web Access, SharePoint, and many others.
Remote Desktop Protocol (RDP) access in Pulse Connect Secure can be delivered over HTML5, via third-party RDP, through a WebSockets translator such as Ericom (www.ericom.com).
Provides the most easily accessible form of application and resource access from a variety of end user devices with extremely granular security control options.
Completely clientless approach using only a web browser.
Allows remote users to connect from any mobile device that supports
