We use Pulse Secure devices for remote access. We’ve had a few questions pop up about how we might utilize secure application manager (SAM) to handle some specific scenarios.
We use SAM today for allowing employees to connect and RDP into a “jump” server from their home computers (company issued laptops get a full VPN connection).
SAM works well in this scenario, but I realized that I don’t have the foggiest clue as to how it works at a low level. It isn’t a full VPN - there is no virtual interface and the client computer does not get an IP address on the corporate network. When you RDP into a host, the host sees the connection as coming from the Pulse Secure’s IP address.
Somehow, the SAM client hooks into the TCP/IP stack on the client and proxies traffic meant for the host network via the Pulse Secure box.
Does anyone have any documentation on how SAM does its magic? We are particularly wondering about how DNS lookups are handled.
FYI - They have EOL’d WSAM, but I think JSAM will still be supported - https://kb.pulsesecure.net/articles/Pulse_Technical_Bulletin/TSB43810
As for how WSAM works, you can see here - https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB9536
I know I’ve seen some more in-depth stuff over the past few years on WSAM/JSAM, but can’t locate it at the moment.
If you’re using WSAM or JSAM just for RDP, you can do that clientless right in the Pulse portal website.
With WSAM essentially what happens is that the client installs a driver through the Transport Driver Interface (TDI). When configured on a per-app basis WSAM looks for a specific process and intercepts all traffic from that process. DNS queries to a host are also intercepted and resolved by the Pulse Secure Appliance (PSA). Once the address is resolved and access is permitted the WSAM client will create a port-forwarding channel to send all traffic to PSA.
If you are using destination-based traffic, it basically behaves like JSAM. You must provide an external DNS lookup for traffic to be intercepted; otherwise the connection will fail.
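The two interception modes in the reply above differ mainly in where the DNS lookup happens, and that difference is what decides whether a connection to an internal-only name can succeed. The following is an added illustration written for this thread, not Pulse Secure code: the `Appliance` and `WsamClient` classes, the DNS tables, the `jump.mycompany.com` name and the `10.20.30.0/24` prefix are all constructed assumptions. It models the per-app path (the hooked process's DNS query goes to the appliance, which resolves it and opens a forwarding channel) beside the destination-based path (the client resolves the name with its own resolver first and only then matches the resulting IP against the configured destinations).

```python
"""Model of per-app vs destination-based WSAM interception (constructed example)."""
from dataclasses import dataclass, field


class ResolutionError(Exception):
    """Raised when the resolver in use has no record for the name."""


# Constructed: records the corporate resolver behind the appliance knows.
INTERNAL_DNS = {"jump.mycompany.com": "10.20.30.40"}
# Constructed: records a home user's ISP resolver knows (no internal names).
HOME_DNS = {"www.example.com": "93.184.216.34"}


@dataclass
class Appliance:
    """Stand-in for the Pulse Secure Appliance: resolves names with the
    internal resolver and only opens channels to permitted networks."""
    allowed_prefixes: tuple = ("10.20.30.",)   # assumed policy, prefix match
    log: list = field(default_factory=list)

    def resolve(self, hostname):
        ip = INTERNAL_DNS.get(hostname)
        if ip is None:
            raise ResolutionError(f"appliance cannot resolve {hostname}")
        self.log.append(f"resolved {hostname} -> {ip}")
        return ip

    def open_channel(self, ip, port):
        """Returns True when a port-forwarding channel to ip:port is permitted."""
        if not any(ip.startswith(p) for p in self.allowed_prefixes):
            self.log.append(f"denied {ip}:{port}")
            return False
        self.log.append(f"forwarding channel to {ip}:{port}")
        return True


@dataclass
class WsamClient:
    """Stand-in for the client-side hook; `mode` is 'per-app' or 'destination'."""
    appliance: Appliance
    mode: str
    local_dns: dict                                   # what the client can resolve itself
    intercepted_apps: frozenset = frozenset({"mstsc.exe"})
    intercepted_prefixes: tuple = ("10.20.30.",)

    def connect(self, process, hostname, port):
        """Models an outbound connect() from `process` to hostname:port.
        Returns (resolved_ip, forwarded); forwarded is True when the traffic
        goes through the appliance rather than out the home connection."""
        if self.mode == "per-app":
            if process not in self.intercepted_apps:
                return self._local_resolve(hostname), False
            # The hooked process's DNS query is intercepted and answered by
            # the appliance, so the home resolver is never consulted.
            ip = self.appliance.resolve(hostname)
            return ip, self.appliance.open_channel(ip, port)
        if self.mode == "destination":
            # The client must resolve the name itself; interception is decided
            # on the resulting IP, so an unresolvable name fails before WSAM
            # can do anything with it.
            ip = self._local_resolve(hostname)
            if any(ip.startswith(p) for p in self.intercepted_prefixes):
                return ip, self.appliance.open_channel(ip, port)
            return ip, False
        raise ValueError(f"unknown mode {self.mode!r}")

    def _local_resolve(self, hostname):
        ip = self.local_dns.get(hostname)
        if ip is None:
            raise ResolutionError(f"local resolver cannot resolve {hostname}")
        return ip


def demo():
    """Runs the three cases that matter and returns their outcomes."""
    results = {}
    per_app = WsamClient(Appliance(), "per-app", dict(HOME_DNS))
    results["per_app"] = per_app.connect("mstsc.exe", "jump.mycompany.com", 3389)

    dest_plain = WsamClient(Appliance(), "destination", dict(HOME_DNS))
    try:
        dest_plain.connect("mstsc.exe", "jump.mycompany.com", 3389)
        results["destination_no_external_record"] = "connected"
    except ResolutionError as exc:
        results["destination_no_external_record"] = str(exc)

    # Publishing an external record for the name (pointing at the internal
    # address) is the "external DNS lookup" the reply says destination mode needs.
    split_horizon = dict(HOME_DNS, **{"jump.mycompany.com": "10.20.30.40"})
    dest_with_record = WsamClient(Appliance(), "destination", split_horizon)
    results["destination_with_external_record"] = dest_with_record.connect(
        "mstsc.exe", "jump.mycompany.com", 3389)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The model makes the operational check concrete: in per-app mode an admin only needs the appliance-side resolver to know the name, whereas in destination-based mode the name must already resolve on the untrusted client (for example via a public record that points at the internal address), and the appliance still gets the final say on whether a channel to that address is opened.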
Sheesh.
JSAM - java - no thanks.
That KB article helps a bit, but is incomplete. For example, if we are running destination IP address mode, and on the client I run mstsc.exe /v:host.mycompany.com, how and when does SAM intercept the DNS lookup and send it to the Pulse device for resolution?
It can’t let the client do the DNS resolution because the client’s native DNS host doesn’t know about mycompany.com.