The location awareness feature enables a Pulse client to recognize its location and then make the correct connection when the connection is set to connect automatically. For example, a Pulse client that is started in a remote location automatically connects to Pulse Secure Access Service. But that same client automatically connects to Pulse Access Control Service when it is started in the corporate office.
Note: Split tunneling must be enabled to allow resolution of location awareness rules.
Note: Location awareness and session migration are similar because they both simplify connectivity for the user, but they do so under different conditions. With location awareness, the Pulse client makes a decision on where to connect when a user logs in to the computer. Session migration occurs when the user puts the computer into standby or hibernate mode without first logging out, and then opens the computer in a different network environment. Location awareness enables the Pulse client to intelligently start a new session. Session migration enables Pulse servers to intelligently migrate an existing session.
Location awareness relies on rules you define for each connection. If the conditions specified in the rules are true, Pulse attempts to make the connection. To set up the location awareness rules that select among many connections, you must define location awareness rules for each connection. Each location awareness rule is based on the endpoint’s ability to reach an IP address or resolve a DNS name over a specified network interface. The following location awareness example includes two connections. The first connection is a Pulse Access Control Service connection that resolves to TRUE when the endpoint is connected to the corporate LAN. The second connection is a Pulse Secure Access Service connection that resolves to TRUE when the endpoint is located in a remote location.
Pulse Access Control Service connection
If the DNS server that is reachable on the endpoint’s physical network interface is one of your organization’s internal DNS servers, then establish the connection.
Pulse Secure Access Service connection
If the DNS server that is reachable on the endpoint’s physical network interface is not one of your organization’s internal DNS servers, and the DNS name of your Pulse Secure Access Service device resolves to the external facing IP address of the Pulse Secure Access Service device, then establish the connection.
Note: Connections can be set to manual, automatic, or controlled by location awareness rules. When the user logs in, the Pulse client attempts every connection in its connections list that is set to automatic or controlled by location awareness rules.
Note: To create a negative location awareness rule, you first create the positive state and then use rule requirement logic to use the rule as a negative condition.
To configure location awareness rules:
1. If you have not already done so, create a connection or open an existing connection.
You can configure location awareness rules for Firewall connections and IC or SA connections. Location awareness rules do not apply to 802.1X or App Acceleration connections.
2. In the Connection is established area, select According to location awareness rules, and then click New.
3. Specify a name for the rule.
4. In the Action list, select one of the following:
• DNS server—Connect if the DNS server associated with the endpoint’s network properties is (or is not) set to a certain value or set of values. Specify the DNS server IP address in the IP address box. Also specify a network interface on which the condition must be satisfied:
  • Any—Use any interface.
• Resolve address—Connect if the configured hostname or set of hostnames is (or is not) resolvable by the endpoint to a particular IP address. Specify the hostname in the DNS name box and the IP address or addresses in the IP address box. Also specify a network interface on which the condition must be satisfied.
5. Click Save Changes.
After you create the rule or rules, you must enable each rule you want to use for the connection. To enable a negative form of a rule, use a custom version of the rule. To enable location awareness rules:
1. In the list of connection awareness rules for a connection, select the check box next to each rule you want to enable.
2. To specify how to enforce the selected location awareness rules, select one of the following options:
• All of the above rules—The condition is TRUE and the connection is attempted only when all selected location awareness rules are satisfied.
• Any of the above rules—The condition is TRUE and the connection is attempted when any selected location awareness rule is satisfied.
• Custom—The condition is TRUE and the connection is attempted only when all selected location awareness rules are satisfied according to the Boolean logic you specify in the Custom box. Use the Boolean condition to specify a negative location rule. For example, connect to Pulse Secure Access Service when Rule-1 is false and Rule-2 is true. The Boolean logic in the Custom box would be: NOT Rule-1 AND Rule-2. The accepted Boolean operators are AND, OR, NOT, and the use of ( ).
3. Click Save Changes.
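The two-connection example and the Custom requirement logic above can be dry-run before rollout with a small model. This is an added example, not Pulse client code: the endpoint dictionaries, host name, addresses, the `decide` helper and the operator precedence (NOT, then AND, then OR) are assumptions made for illustration.

```python
import re

# Constructed sample values: documentation-range addresses, hypothetical host name.
INTERNAL_DNS = {"10.0.0.53", "10.0.1.53"}
SA_HOST, SA_EXTERNAL_IP = "vpn.example.com", "203.0.113.10"
OFFICE = {"dns_server": "10.0.0.53", "resolves": {SA_HOST: "10.0.5.10"}}
REMOTE = {"dns_server": "198.51.100.1", "resolves": {SA_HOST: SA_EXTERNAL_IP}}

def dns_server_rule(endpoint, servers):
    # DNS server action: the interface's DNS server is one of the given values.
    return endpoint["dns_server"] in servers

def resolve_address_rule(endpoint, hostname, addresses):
    # Resolve address action: the hostname resolves to one of the given addresses.
    return endpoint["resolves"].get(hostname) in addresses

def evaluate_custom(expr, results):
    """Evaluate a Custom box expression over named rule results.
    Assumed precedence (not stated on the page): NOT, then AND, then OR."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr) + ["<end>"]
    def binary(operator, operand):
        value = operand()
        while tokens[0] == operator:
            tokens.pop(0)
            rhs = operand()  # always parse the right side; no short-circuit
            value = (value and rhs) if operator == "AND" else (value or rhs)
        return value
    def unary():
        token = tokens.pop(0)
        if token == "NOT":
            return not unary()
        if token == "(":
            value = binary("OR", lambda: binary("AND", unary))
            if tokens.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if token not in results:
            raise ValueError(f"unknown rule or misplaced token: {token}")
        return results[token]
    value = binary("OR", lambda: binary("AND", unary))
    if tokens != ["<end>"]:
        raise ValueError(f"unexpected token: {tokens[0]}")
    return value

def decide(endpoint):
    rules = {"Rule-1": dns_server_rule(endpoint, INTERNAL_DNS),
             "Rule-2": resolve_address_rule(endpoint, SA_HOST, {SA_EXTERNAL_IP})}
    return {"Access Control Service": evaluate_custom("Rule-1", rules),
            "Secure Access Service": evaluate_custom("NOT Rule-1 AND Rule-2", rules)}
```

Calling `decide(OFFICE)` and `decide(REMOTE)` shows that exactly one connection is attempted in each location; a malformed expression raises `ValueError` instead of silently evaluating.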
Related Documentation
Understanding Session Migration
Note: The Pulse client software evaluates IP and DNS policies on network interface changes. DNS lookups occur on DNS configuration changes or when the time-to-live setting (10 minutes) expires for a particular host record. If Pulse cannot resolve the host for any reason, it polls the configured DNS server list every 30 seconds. If the host had been resolved successfully previously and the time-to-live timer has not expired, the polling continues until the timer expires. If the host had not been resolved successfully previously, the resolution attempt fails immediately.