Host Checker - Pulse Secure


Host Checker
Deployment Guide

Release: PCS 8.3R3
Published: January 2019

© 2019 by Pulse Secure, LLC. All rights reserved

Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose CA 95134
https://www.pulsesecure.net

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Pulse Secure or components thereof might be covered by one or more of the following patents that are owned by or licensed to Pulse Secure: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Host Checker - Deployment Guide

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://www.pulsesecure.net. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Contents

Overview
Client-side Requirements for Host Checker
Qualified Platforms
Compatible Platforms
Windows Clients
Installer Package Files and File Location
Additional Installer Package Files and File Locations
Files Remaining After Uninstall
Registry Modifications
Macintosh Clients
Application and Additional Files Installed by Host Checker
Files Remaining After Uninstall
Log files Installed by Host Checker
Linux Clients
Files Created by Host Checker After Installation and Connection Establishment
Files Remaining After Uninstall
Log Files Installed by Host Checker
Required Rights to Run and Install Applications
Configuring Global Host Checker Settings
Perform Check Every X Minutes
Client-side Process, Login Inactivity Timeout
Auto-upgrade Host Checker
Perform Dynamic Policy Reevaluation
Create Host Checker Connection Control Policy
Virus Signature Version Monitoring
Host Checker Policies
Configuring a Host Checker Policy
Predefined Antivirus Check
Predefined Firewall Policy
Predefined Anti-Spyware Policy
Predefined: OS Checks
Predefined: Hard Disk Encryption
Predefined: Patch Management
Custom 3rd Party NHC Check
Custom Ports Policy
Custom Process Policy
Custom File Policy
Custom Registry Settings Policy
Custom NetBIOS Policy
Custom MAC Address Policy
Custom Machine Certificate Policy
Custom Advanced Host Checking
Custom Statement of Health
Custom Remote IMV
Configuring Host Checker Restrictions
Step by Step Configuration for a Test Scenario
Objective
Configuration

Overview

Host Checker is a client-side agent that performs endpoint checks on hosts that connect to Pulse Connect Secure. You can invoke Host Checker before displaying a Pulse Connect Secure sign-in page to a user and when evaluating a role mapping rule or resource policy.

Pulse Connect Secure and Host Checker comply with the standards produced by the Trusted Network Connect (TNC) subgroup of the Trusted Computing Group. For more information about IMVs and IMCs, see www.trustedcomputinggroup.org.

Pulse Connect Secure can check hosts for endpoint properties using a variety of rule types, including rules that check for and install advanced malware protection; predefined rules that check for antivirus software, firewalls, malware, spyware, specific operating systems, third party DLLs, ports, processes, files, registry key settings, and the NetBIOS name, MAC address, or certificate of the client machine.

Client-side Requirements for Host Checker

Qualified Platforms

The platforms listed in the “qualified” category have been systematically tested by the Pulse Secure QA department as part of the Pulse Connect Secure 8.3R3 release.

Platform: Operating System, List of Browsers and Java Environment

Windows:
- Windows 10 RedStone-2 Enterprise/Pro/Home Version 1703 build 10.0.15063.332, 64-bit, Internet Explorer 11, Edge, Google Chrome & Firefox 52 ESR, Oracle JRE 8 update 131
- Windows 10 Enterprise/Pro/Home, Internet Explorer 11, Edge, Google Chrome & Firefox 52 ESR, Oracle JRE 8
- Windows 8.1 Update/Professional Enterprise 64-bit, Internet Explorer 11, Google Chrome & Firefox 52 ESR, Oracle JRE 8
- Windows 7 Enterprise SP1 64-bit, Internet Explorer 11, Google Chrome & Firefox 52 ESR, Oracle JRE 8

Mac:
- Mac OS X 10.12, Safari 10.1, Safari 9.0 Oracle JRE 8

Linux:
- Ubuntu 14.04 LTS, Firefox 52, ESR, 64-bit

Solaris:
- Agentless host check is supported on Solaris 10, 32-bit, using Firefox 24 ESR

Compatible Platforms

The platforms listed in the “compatible” category have not been systematically tested by the Pulse Secure QA department in the Pulse Connect Secure 8.3R3 release, but based on testing in previous releases and knowledge of the platform, Pulse Secure expects that the functionality will work and will fully support these platforms.

Platform: Operating System, List of Browsers and Java Environment

Windows:
- Windows-10 Redstone 3 Version 1709 OS Build 16299.15 64-bit, Internet Explorer 11, Edge, Google Chrome 61, Firefox 52 ESR, Oracle JRE 8 update 144
- Windows 8.1 Update/Professional/Enterprise 32-bit, Internet Explorer 11, Google Chrome & Firefox 38 ESR, Oracle JRE 8
- Windows 8 Basic edition/Professional/Enterprise 32-bit & 64-bit, Internet Explorer 10, Google Chrome and Firefox 31 & later, Oracle JRE 7 and later
- Windows 7 Ultimate/Professional/Home Basic/Home 32-bit or 64-bit Windows 7 Enterprise (32-bit), Internet Explorer 11, Google Chrome & Firefox 31 and later, Oracle JRE 7 and later

Mac:
- Mac OS High Sierra Version 10.13, Safari 11.0 Oracle JRE/JDK 8
- Mac OS X 10.10, 10.11, Safari 10.1, Safari 8.0 Oracle JRE 8
- Mac OS X 10.9, Safari 9.1.3, Safari 9.0, Safari 7.0 Oracle JRE 8
- Mac OS X 10.8, Safari 6.2.8, Safari 6.0 Oracle JRE 8

Linux:
- openSUSE 12.1, Firefox 38 ESR
- openSUSE 12.1, Firefox 52 ESR, 32-bit
- openSUSE 11.x, 10.x, Oracle JRE 8
- Ubuntu 16.04 LTS, Firefox 52, ESR, 64-bit
- Ubuntu 15.04, Firefox 52, ESR, 64-bit
- Ubuntu 12.04 LTS, 11.x, 10.x, 9.10, Oracle JRE 7 and later
- RHEL 5, Firefox 52 ESR, 32-bit
- RHEL 7, Firefox 52 ESR, 64-bit
- Fedora 23 (32 bit), Firefox 52 ESR 32-bit
- Fedora 23 (64 bit), Firefox 52 ESR 64-bit
- CentOS 6.4, Firefox 52, 32-bit/64-bit

Windows Clients

To run Host Checker, Pulse Connect Secure downloads the dsHostCheckerSetup.exe package to the user’s client. This package is responsible for downloading additional files to the user’s system in order to run Host Checker. Host Checker deletes the dsHostCheckerSetup.exe package after installation is complete.

Installer Package Files and File Location

Host Checker installs the following file:
- %TEMP%\dsHostCheckerSetup.exe

Additional Installer Package Files and File Locations

Host Checker installs the following additional files on the client in %APPDATA%\Roaming\PulseSecure\Host Checker:

- AdvancedIMC.dll
- CertAuthIMC.dll
- dsHostChecker.exe
- dsHostCheckerProxy.exe
- dsHostCheckerResource_de.dll
- dsHostCheckerResource_en.dll
- dsHostCheckerResource_es.dll
- dsHostCheckerResource_fr.dll
- dsHostCheckerResource_ja.dll
- dsHostCheckerResource_ko.dll
- dsHostCheckerResource_zh.dll
- dsHostCheckerResource_zh_cn.dll
- dsInstallerClient.dll
- dsnsisdll.dll
- dsWinClient.dll
- dsWinClientResource_DE.dll
- dsWinClientResource_EN.dll
- dsWinClientResource_ES.dll
- dsWinClientResource_FR.dll
- dsWinClientResource_JA.dll
- dsWinClientResource_KO.dll
- dsWinClientResource_ZH.dll
- dsWinClientResource_ZH_CN.dll
- EPCheck.dll
- hcimc.dll
- hcUtils.dll
- install.log
- JSystemIMC.dll
- libeay32.dll
- msvcp60.dll
- OpswatIMC.dll
- restore_win2k.txt
- restore_win98.txt
- salib_OSSL.dll
- SoHIMC.dll
- ssleay32.dll
- tnc_config
- uninstall.exe
- versionInfo.ini
- Microsoft.VC80.CRT/Microsoft.VC80.CRT.manifest
- Microsoft.VC80.CRT/msvcp80.dll
- Microsoft.VC80.CRT/msvcr80.dll
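An added example, not part of Pulse Secure's guide: a small audit that compares the contents of a Host Checker directory with the file list above, so that files the guide does not account for in this per-user location stand out. The manifest is typed in from that list (multi-word names joined with underscores, an assumption to confirm against a reference install); the function names, report keys and the sample directory are constructed for the example.

```python
import tempfile
from pathlib import Path

# Manifest typed in from the guide's Windows file list. Joining multi-word
# names with "_" is an assumption; confirm against a reference install.
LANGS = "de en es fr ja ko zh zh_cn".split()
DOCUMENTED = {n.lower() for n in (
    "AdvancedIMC.dll CertAuthIMC.dll dsHostChecker.exe dsHostCheckerProxy.exe "
    "dsInstallerClient.dll dsnsisdll.dll dsWinClient.dll EPCheck.dll hcimc.dll "
    "hcUtils.dll install.log JSystemIMC.dll libeay32.dll msvcp60.dll "
    "OpswatIMC.dll restore_win2k.txt restore_win98.txt salib_OSSL.dll "
    "SoHIMC.dll ssleay32.dll tnc_config uninstall.exe versionInfo.ini "
    "Microsoft.VC80.CRT/Microsoft.VC80.CRT.manifest "
    "Microsoft.VC80.CRT/msvcp80.dll Microsoft.VC80.CRT/msvcr80.dll").split()}
DOCUMENTED |= {f"dshostcheckerresource_{l}.dll" for l in LANGS}
DOCUMENTED |= {f"dswinclientresource_{l}.dll" for l in LANGS}
LEFT_AFTER_UNINSTALL = {"install.log"}  # per "Files Remaining After Uninstall"

def audit(install_dir, uninstalled=False):
    """Compare a Host Checker directory with the guide's documented contents."""
    root = Path(install_dir)
    expected = LEFT_AFTER_UNINSTALL if uninstalled else DOCUMENTED
    report = {"missing": [], "unexpected": [], "policy_dlls": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel.lower())  # Windows file names are case-insensitive
        if rel.lower() in expected:
            continue
        # The guide says third-party policies may add DLLs in subdirectories:
        # list those separately for review instead of flagging them outright.
        if "/" in rel and rel.lower().endswith(".dll") and not uninstalled:
            report["policy_dlls"].append(rel)
        else:
            report["unexpected"].append(rel)
    if not uninstalled:
        report["missing"] = sorted(expected - seen)
    return report

def demo():
    """Constructed directory: full manifest minus one file, plus two extras."""
    extras = ["vendor/check.dll", "updater.exe"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in sorted(DOCUMENTED - {"hcutils.dll"}) + extras:
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"")
        return audit(tmp), audit(tmp, uninstalled=True)
```

Run `audit()` with `uninstalled=True` after removing Host Checker to confirm that only install.log is left behind.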

In addition, if you implement policies that download or check for third-party software, Host Checker may install additional DLLs in subdirectories of: %APPDATA%\Pulse Secure\Host Checker.

Files Remaining After Uninstall

- %APPDATA%\Pulse Secure\Host Checker\install.log

Registry Modifications

Host Checker sets the following registry values:

String              Set in
browserType         HKEY_CURRENT_USER\Software\Pulse Secure\Host Checker\browserType
Device Identifier   HKEY_CURRENT_USER\Software\Pulse Secure\Device Id\DeviceId
EnableLogging       HKEY_CURRENT_USER\Software\Pulse Secure\Host Checker\EnableLogging
InstallPath         HKEY_CURRENT_USER\Software\Pulse Secure\Host Checker\InstallPath
Language            HKEY_CURRENT_USER\Software\Pulse Secure\Host Checker\Language
level               HKEY_CURRENT_USER\Software\Pulse Secure\Host Checker\Debug\dsHostChecker\level
LogFile             HKEY_CURRENT_USER\Software\Pulse Secure\Host Checker\Debug\dsHostChecker\LogFile
Product Type        HKEY_CURRENT_USER\Software\Pulse Secure\Device Id\SA

Additionally, Host Checker sets the following values in HKEY CURRENT nstall\PulseSecure Host Checker:

String                 Set to
DisplayIcon            “%APPDATA%\Pulse Secure\Host Checker\dsHostChecker.exe”
DisplayName            “Pulse Secure Host Checker”
DisplayVersion         current product version number
Publisher              “Pulse Secure, LLC”
QuietUninstallString   “%APPDATA%\Pulse Secure\Host Checker\uninstall.exe” /S”
StartupApp             “%APPDATA%\Pulse Secure\Host Checker\dsHostChecker.exe”
StopApp                “%APPDATA%\Pulse Secure\Host Checker\dsHostChecker.exe -stop”
UninstallString        “%APPDATA%\Pulse Secure\Host Checker\uninstall.

%APPDATA% mentioned in the above paths expands to various directories based on the OS. In Windows 7, Windows 8.1, and Windows 10: C:\Users\<UserName>\AppData\Roaming

Log File Locations

You can enable or disable client-side logs through the System > Log/Monitoring > Client Logs > Settings tab of the Web console. When you enable logging, Host Checker adds log files to the following locations:

- C:\Documents and Settings\All Users\Application Data\Pulse Secure\Logging\debuglog.log (Windows XP)
- C:\Users\username\AppData\Roaming\PulseWindows 7)
- C:\Users\Public\Pulse Secure\Logging\debuglog.log (Windows Vista and Windows 7)
- C:\Users\<UserName>\AppData\Roaming (Windows 8.1 and Windows 10)
- C:\ProgramData\Pulse Secure\Logging when the client has Pulse Client nd

Macintosh Clients

The following information applies to Macintosh clients only.

Application and Additional Files Installed by Host Checker

Host Checker installs the following files on the Macintosh client:

- HOME/Library/Application Support/Pulse Secure/HostChecker.app
- HOME/Library/Application Support/Pulse Secure/DeviceId

Files Remaining After Uninstall

There is no Host Checker uninstall on the Macintosh client.

Log files Installed by Host Checker

Host Checker stores the log files in the following location on the Macintosh client:

- /var/log/Pulse Secure/Logging/debuglog.log

Linux Clients

The following information applies to Linux clients only.

The Linux client installation creates files and folders that are necessary for Host Checker.

Files Created by Host Checker After Installation and Connection Establishment

Host Checker creates the following files under the HOME/.pulse_secure folder:

- HOME/.pulse_secure/pulse/libpulseui.so
- HOME/.pulse_secure/pulse/PulseClient_x86_64.sh
- HOME/.pulse_secure/pulse/pulsesvc
- HOME/.pulse_secure/pulse/pulse.tgz
- HOME/.pulse_secure/pulse/pulseUi
- HOME/.pulse_secure/pulse/pulseutil
- HOME/.pulse_secure/pulse/certificates/<some certificate>.pem
- HOME/.pulse_secure/pulse/.pulse_Connections.txt
- HOME/.pulse_secure/pulse/.pulsesvc_handle
- HOME/.pulse_secure/pulse/pulseUi.lock

Files Remaining After Uninstall

The following files remain on the Linux client after uninstall:

- HOME/.pulse_secure/pulse/pulsesvc.log

Log Files Installed by Host Checker

Host Checker does not install a separate log file. Log content of the Host Checker is logged in the following files:

- HOME/.pulse_secure/pulse/pulsesvc.log
- HOME/.pulse_secure/pulse/postinstall.log

Required Rights to Run and Install Applications

The following table outlines the rights that are required to install and run the Host Checker client-side components using Pulse Connect Secure’s ActiveX, ActiveX installer service, Java and stricted, Power User or Admin; Restricted, Power User or Admin; Restricted, Power User or Admin; Not Applicable

Run: Restricted, Power User or Admin; Restricted, Power User or Admin; Restricted, Power User or Admin; Not Applicable

Action

Restricted, Power User or Admin; Not Applicable

Configuring Global Host Checker Settings

Below is a brief description of the various options available on the Host Checker configuration page.

Perform Check Every X Minutes

Specify the interval at which you want Host Checker to perform policy evaluation on a client machine. If the client machine fails to meet the requirements of the Host Checker policies required by a role or resource policy, then Pulse Connect Secure denies the associated user requests.

Note: If you enter a value of zero, Host Checker only runs on the client machine when the user first signs in to the Pulse Connect Secure server.

Client-side Process, Login Inactivity Timeout

This option specifies an interval to control timing out in the following situations:

- If the user navigates away from the
