Pulse Secure Client for Chrome OS Quick Start Guide
Product Release 5.2
Document Revision 1.0 Published: 2015-07-22
© 2015 by Pulse Secure, LLC. All rights reserved
1
Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 http://www.pulsesecure.net © 2015 by Pulse Secure, LLC. All rights reserved Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Pulse Secure Client for Chrome OS Quick Start Guide The information in this document is current as of the date on the title page.
END USER LICENSE AGREEMENT The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
© 2015 by Pulse Secure, LLC. All rights reserved
2
Pulse Secure Client for Chrome OS Quick Start Guide
Table of Contents Introduction ...................................................................................................................... 5 Overview .......................................................................................................................................................... 5 Supported Platforms .............................................................................................................................. 6 Supported Features ............................................................................................................................... 6 Limitations ............................................................................................................................................... 7 Diagnostics and Status ......................................................................................................................... 8
Configuring Server VPN Policy ................................................................................................................. 11 Configuring Manual Connections ............................................................................................................... 13 Modifying VPN Connection .......................................................................................................................... 17 Deleting VPN Connection ............................................................................................................................. 18 Starting and Stopping VPN Connections with Chrome OS .................................................................... 19
Chromebook Advanced Sync Settings............................................................................. 20 Managing Certificates on Chromebook ............................................................................ 21
© 2015 by Pulse Secure, LLC. All rights reserved
3
Pulse Secure Client for Chrome OS Quick Start Guide
© 2015 by Pulse Secure, LLC. All rights reserved
4
Pulse Secure Client for Chrome OS Quick Start Guide
CHAPTER 1
Introduction Overview on page 5 Configuring Server VPN Policy on page 11 Configuring Manual Connections on page 13 Modifying VPN Connection on page 17 Deleting VPN Connection on page 18 Starting and Stopping VPN Connections with Chrome OS on page 19
Overview Pulse Secure client for Chrome OS provides secure connectivity between a device running Chrome OS and Pulse Connect Secure. Pulse Secure client for Chrome OS is available from the Chrome Web Store. After installing the Pulse Secure client VPN app on a Chrome OS device, the user can configure a connection and establish Layer 3 VPN (SSL) communications. Configuration on the Pulse Connect Secure gateway to support Pulse Secure clients for Chrome OS is the same as that of Pulse for Windows and Mac OSX. Use the sign-in policies, authentication realms, roles and VPN tunnel policies to define authentication and access permissions. A typical Pulse server configuration for Chrome OS access is to create a realm, a role and a remediation role that are designed for Chrome OS users.
© 2015 by Pulse Secure, LLC. All rights reserved
5
Pulse Secure Client for Chrome OS Quick Start Guide
Figure 1: Chrome Pulse Secure VPN Web Store App Page
Supported Platforms Pulse Secure client for Chrome OS is supported on devices running version 43.0.2357.19 or later of Chrome OS. Pulse Secure client for Chrome OS is supported on Pulse Connect Secure version 8.1 and later.
Supported Features The following features are supported by the Pulse Secure client for Chrome OS:
VPN (SSL) connections to Pulse Connect Secure v8.1 and later
Manual end-user connection and disconnection
Authentication types:
o
Username and password
o
Username and RSA token code (User PIN and system PIN are supported.)
o
Client certificate and smart card
o
Radius challenge/response
o
Secondary authentication
Authentication server prompts for retry, change password, create PIN, change PIN and next-token code
© 2015 by Pulse Secure, LLC. All rights reserved
6
Pulse Secure Client for Chrome OS Quick Start Guide
Realm and role selection
Pre- and post-authentication sign-in notification messages
IPv4
Split tunneling enabled and disabled
NOTE: Pulse for Chrome OS connections always have local subnet access enabled.
Split tunneling policies: IPv4 inclusion and exclusion routes (In split-tunneled mode, the Pulse Connect Secure DNS search-order configuration settings do not apply to Pulse for Chrome OS.)
Host Checker (OS-Check only)
Graceful handling of sleep/wakeup transitions, including session resumption and termination
App download from Google’s Chrome Web Store
Limitations The following features are not available with Pulse Secure client for Chrome OS:
Connections to Pulse Policy Secure gateways or gateways from third parties (Only connections to Pulse Connect Secure gateways are supported.)
Host Checker (only the Host Checker “OS-Check” is supported)
Machine authentication
Location awareness rules
Logon and logoff scripts
WINS server tunnel parameter
UDP-ESP tunnel (only SSL mode is supported)
Certificate trust override prompt
RSA soft-token integration
Session extension
Manual suspend/resume tunnel
Tunnel proxy settings
© 2015 by Pulse Secure, LLC. All rights reserved
7
Pulse Secure Client for Chrome OS Quick Start Guide
Diagnostics and Status After installing the Pulse app on a Google Chrome device, you can see the Pulse Secure icon by clicking on the launcher icon available in the lower left-hand corner of the Google Chrome desktop screen.
Figure 2: Chrome OS Apps List – Pulse Secure icon
© 2015 by Pulse Secure, LLC. All rights reserved
8
Pulse Secure Client for Chrome OS Quick Start Guide
When you click on the Pulse Secure icon, a screen appears that has Status, Pulse Log and About tabs, and Refresh and Clear Credentials buttons.
Figure 3: Diagnostics and Status screen – Pulse Log tab
A brief description about these items is given in the table below.
Table 1: Diagnostics and Status
Item
Description
Status tab
Provides the version of the Pulse client and information about the number of connections attempted (including failures) and packets transmitted. The status is used to verify if connections are being created correctly and if data is being transmitted through the secured tunnel.
Pulse Log tab
Displays detailed diagnostics logs and debug information. If you need help diagnosing a connectivity issue, you may be asked to provide these logs to an authorized support representative.
About tab
Displays the Pulse app version, copyright and trademark information.
Refresh button
Updates the Status and Pulse Log tabs.
Clear Credentials button
Clears any connection’s automatically saved credentials such as the user password or client certificate selection. To clear any other information, use the Edit Connections dialog.
© 2015 by Pulse Secure, LLC. All rights reserved
9
Pulse Secure Client for Chrome OS Quick Start Guide
NOTE: The Status and Pulse Log tabs are static, which means that they will display only the state of the Pulse app at the time the Pulse app was started. The screen will not dynamically update as additional data is transmitted. To update Status or Pulse Log, click the Refresh button.
Related documentation
© 2015 by Pulse Secure, LLC. All rights reserved
Configuring Server VPN Policy on page 11 Configuring Manual Connections on page 13
10
Pulse Secure Client for Chrome OS Quick Start Guide
Configuring Server VPN Policy The Pulse Secure client enables you to secure your company resources using authentication realms, user roles and resource policies. For complete information on the Pulse Connect Secure gateway, see the Pulse Connect Secure documentation. The Pulse Connect Secure gateway checks the authentication policy defined for the authentication realm. The user must meet the security requirements that are defined for a realm's authentication policy. At the realm level, you can specify security requirements based on various elements, such as the user's source IP address or the possession of a client-side certificate. If the user meets the requirements specified by the realm's authentication policy, the gateway forwards the user's credentials to the appropriate authentication server. If this server successfully authenticates the user, then the gateway evaluates the role-mapping rules defined for the realm to determine which roles to assign to the user. The following is a generalized example of configuring a Pulse Connect Secure gateway for the Pulse for Chrome OS app.
1.
Click Users > User Roles and then either select an existing role (preferred) or create a new role.
2.
If creating a new role, specify a name and optional description for the role, for example: Chrome OS Role, Chrome OS VPN Role.
3.
To use certificate authentication at the role level, click Restrictions > Certificate on the role’s General tab, and add the required certificate information.
4.
To sign in, enable certificate authentication by clicking “Only allow users with a client-side certificate signed by Certification Authority”. NOTE: One typical method of installing the client certificate on a Chrome OS device is to send the certificate as an attachment to the Chrome OS user. The certificate must be installed on the Chrome OS device before the user can connect. The user is prompted to select the certificate during the initial Pulse Secure VPN connection process. There are other mechanisms for transferring the certificate to the client, including MDM systems and Google Drive.
5.
Define the trusted client certificate authorities. For complete information on certificate authentication, see Understanding Digital Certificate Security. NOTE: Due to limitations, you must specify the set of client certificate issuer certificate authorities. The Chromebook does not support the specification of root or intermediate certificate authorities in certificate authority hierarchies greater than 2.
© 2015 by Pulse Secure, LLC. All rights reserved
11
Pulse Secure Client for Chrome OS Quick Start Guide
6.
Set the options on the role’s Web and Files tabs as required.
7.
Click Users > User Realms
and then create a new realm or select an existing realm. Configure and save your options on the General and Authentication Policy tabs. 8.
On the Role Mapping tab, click New Rule to create a new role-mapping rule. One option for a role-mapping rule is to create a custom expression that uses the user agent string to identify a Chrome OS device. The Pulse Secure client for Chrome OS user agent string has a form like this: Pulse-Secure/8.1.0.0 (ChromeOS; ARM) PulseVpn/5.2.1.0
You can use all or part of the string in a custom expression that uses the userAgent variable. For example: userAgent = '*ChromeOS*' 9.
Select the role that you created earlier for the Chrome OS users, add it to the Selected Roles list, and then click Save Changes.
Related documentation
© 2015 by Pulse Secure, LLC. All rights reserved
Overview on page 5 Configuring Manual Connections on page 13
12
Pulse Secure Client for Chrome OS Quick Start Guide
Configuring Manual Connections Pulse Secure client for Chrome OS is available from the Chrome Web Store. After the user installs the app, the user can create Pulse Secure VPN connections. Figure 4 shows the Pulse Secure VPN after it has been installed on a Chrome OS device.
Figure 4: Chrome OS Apps List
The Pulse Secure VPN icon in the apps list is used primarily to view connection, versioning and diagnostic information. To configure a VPN connection or to initiate a manual VPN connection, click on the system tray in the lower-right-hand corner of the main Chrome OS screen, then select the VPN option in the popup-menu. Pulse Connect Secure connections will appear in the resulting VPN dialog.
NOTE: If you use client certificate authentication, the client certificate must be installed on the Chrome OS device before the Pulse Secure client can connect.
© 2015 by Pulse Secure, LLC. All rights reserved
13
Pulse Secure Client for Chrome OS Quick Start Guide
To create a Pulse Secure VPN connection on a Chrome OS device:
1.
Go to the system tray, open the popup menu and select the VPN disconnected option. Figure 5: VPN disconnected Option
2.
Tap the Pulse Secure VPN option. Figure 6: Pulse Secure VPN Option
© 2015 by Pulse Secure, LLC. All rights reserved
14
Pulse Secure Client for Chrome OS Quick Start Guide
3.
To create a new connection, tap the “Pulse Secure VPN” option. The Add Connection screen appears. Figure 7: Add Connection screen
4.
In the URL field, specify the URL for the Pulse Connect Secure gateway. You can identify the server using the server IP address, the hostname, or a URL that optionally specifies the port the connection uses and the specific sign-in page. To specify an URL, use the following format: https://hostname[:port][/][sign-in page] The brackets indicate options. If you specify a specific sign-in page, make sure that the name you specify matches what is defined on the Pulse Connect Secure gateway. (Authentication > Signing in > Sign-in pages.)
5.
Specify the optional parameters. If you specify a username, future connection prompts will be seeded with this user name.
After the user saves the new connection, it appears in the VPN list. The user can tap the connection to initiate a VPN connection. The VPN connection state is indicated in the VPN popup menu.
© 2015 by Pulse Secure, LLC. All rights reserved
15
Pulse Secure Client for Chrome OS Quick Start Guide
NOTE: The connection ‘Save identity and password’ option controls whether credentials will be automatically saved or not. Saved credentials are not stored persistently and will be removed on logout, uninstallation and restarting the computer.
© 2015 by Pulse Secure, LLC. All rights reserved
16
Pulse Secure Client for Chrome OS Quick Start Guide
Modifying VPN Connection
To modify a Pulse Secure VPN connection on a Chrome OS device:
1.
Open the Chrome Settings page.
2.
Under Private network settings, select the connection you want to modify.
3.
Click Configure. The Pulse Secure VPN connection configuration screen is displayed. Figure 8: Modify Connection screen
4.
Click Configure to launch the Pulse Secure Edit Connection dialog.
Related documentation
© 2015 by Pulse Secure, LLC. All rights reserved
Configuring Manual Connections on page 13 Deleting VPN Connection on page 18
17
Pulse Secure Client for Chrome OS Quick Start Guide
Deleting VPN Connection
To delete a Pulse Secure VPN connection on a Chrome OS device:
1.
Open the Chrome Settings page.
2.
Under Private network settings, select the Preferred networks…. Figure 9: Delete Connection screen
3.
Select the delete symbol “x” corresponding to the connection you want to remove.
4.
Click Done.
Related documentation
© 2015 by Pulse Secure, LLC. All rights reserved
Configuring Manual Connections on page 13 Modifying VPN Connection on page 17
18
Pulse Secure Client for Chrome OS Quick Start Guide
Starting and Stopping VPN Connections with Chrome OS
To start Pulse Secure VPN connection, in the Chrome OS System menu, click the Pulse Secure VPN connect that you want to start.
Figure 10: Start Pulse Secure VPN Connection
To stop Pulse Secure VPN connection, in the Chrome OS System menu, select the Pulse Secure VPN connect that you want to stop and click Disconnect.
Figure 11: Stop Pulse Secure VPN Connection
© 2015 by Pulse Secure, LLC. All rights reserved
19
Pulse Secure Client for Chrome OS Quick Start Guide
Appendix A
Chromebook Advanced Sync Settings The Advanced Sync Settings option provides the access to apps, extensions, bookmarks and other information across Chromebooks. You can sync:
Apps and extensions from the Chrome Web Store (except extensions containing plug-ins)
Chrome browser settings
Custom wallpapers
Language preferences
Prediction of network actions
1.
On the Settings page, in the Users section, click Advanced sync settings.
To set up sync:
The Advanced sync settings window is displayed. Figure 12: Advanced sync settings window
2.
From the drop-down list, select Sync everything and click OK.
The Pulse Secure VPN extension would be synced to all Chromebook devices with the default settings. You will be able to access apps, extensions, bookmarks and other information across Chromebooks.
© 2015 by Pulse Secure, LLC. All rights reserved
20
Pulse Secure Client for Chrome OS Quick Start Guide
Appendix B
Managing Certificates on Chromebook If you are not using certificates from one of the existing public certificate authorities, you must import the public key certificate of the Pulse Connect Secure (PCS) gateway. This will allow the Chromebook to trust the PCS. If you are using client certificate authentication, you must import the client certificates into the Chromebook certificate store. To import the client certificates:
1.
Go to the chrome tab chrome://certificate-manager.
2.
In the Authorities tab, import the PCS server public key certificates. Figure 13: Certificate Manager – Authorities tab
3.
In the Your Certificates tab, import user certificates.
1.
Open the Chrome browser.
2.
Enter your PCS URL and see if you get an HTTPS certificate error.
To test your certificates:
© 2015 by Pulse Secure, LLC. All rights reserved
21
Pulse Secure Client for Chrome OS Quick Start Guide
Index
A
M
add VPN connection apps and extensions authentication realms authentication types
14 20 5 6
machine authentication modify VPN connection
7 17
P
C certificate authentication certificate manager Chrome Web Store client certificate authentication client certificate authorities custom wallpapers
11 21 5, 7, 13 21 11 20
Pulse Secure VPN icon
13
R Radius challenge/response RSA soft token RSA token code
6 7 6
D delete VPN connection diagnostics DNS
18 8 7
H host checker
7
I IPv4
7
S secondary authentication session extension sign-in notification messages sleep/wakeup transitions smart card split tunneling start VPN connection status stop VPN connection supported features supported platforms sync settings
6 7 7 7 6 7 19 8 19 6 6 20
U
L Layer 3 VPN(SSL) communication local awareness logs
© 2015 by Pulse Secure, LLC. All rights reserved
5 7 8
UDP-ESP tunnel user agent string
7 12
22