Pulse Policy Secure. Release Notes. Product Release 5.2. Pulse Policy Secure version 5.2R10 Build Pulse Client version 5.1.

Transcription

1 Pulse Policy Secure Release Notes Pulse Policy Secure version 5.2R10 Build Pulse Client version Build Odyssey Access Client version (5.6R20) Default ESAP version 3.03 Product Release 5.2 Release, Build Published Document Version 1.14

2 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA by Pulse Secure, LLC. All rights reserved Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice. The information in this document is current as of the date on the title page. END USER LICENSE AGREEMENT The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA by Pulse Secure, LLC. All rights reserved 2

3 Contents Introduction... 5 Interoperability and Supported Platforms... 5 Hardware Platforms... 5 Virtual Appliance Editions... 5 Upgrade Paths... 6 Problems Resolved in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R New Features in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R Known Issues in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R Known Issues in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R Known Issues in Pulse Policy Secure 5.2R Noteworthy Changes in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R Known Issues in Pulse Policy Secure 5.2R Noteworthy Changes in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R Known Issues in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R New Features in Pulse Policy Secure 5.2R Noteworthy Changes in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R Noteworthy changes in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R Noteworthy changes in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R Problems Resolved in Pulse Policy Secure 5.2R Known Issues in Pulse Policy Secure 5.2R Documentation Documentation Feedback Technical Support Revision History by Pulse Secure, LLC. All rights reserved 3

4 2017 by Pulse Secure, LLC. All rights reserved 4

5 Introduction These release notes contain information about new features, software issues that have been resolved and new issues. For policy reasons, security issues are not normally mentioned in release notes. To find out more about our security advisories, please see our security advisory page: If the information in the release notes differs from the information found in the documentation set, follow the release notes. This is an incremental release notes document that describes the changes made from 5.2R1 release to 5.2R9.1. The 5.2R1 release notes still apply except for the changes mentioned in this document. Please refer to 5.2R1 release notes for the complete version. Interoperability and Supported Platforms Please refer to the Pulse Policy Secure Supported Platforms Guide for supported versions of browsers and operating systems in this release. Hardware Platforms You can install and use this software version on the following hardware platforms: 1. IC4500, IC MAG2600, MAG4610, MAG6610, MAG6611, MAG SM160, MAG SM PSA-300, PSA-3000, PSA-5000, PSA-7000c/f To download software for these hardware platforms, go to: Virtual Appliance Editions This software version is available for the following virtual appliance editions: 1. Demonstration and Training Edition (DTE) 2. Service Provider Edition (SPE) The following table lists the virtual appliance systems qualified with this release. Table 1: Virtual Appliance Qualified Systems Platform Qualified System VMware IBM BladeServer H chassis BladeCenter HS blade server vsphere 5.5 Allocation for virtual appliance: 4vCPU, 4GB memory and 20GB disk space QEMU/KVM v2.3.0 Linux Server CentOS 6.6 on an Intel Xeon CPU 2.27GHz KVM o o o NFS storage mounted in host 24GB memory in host Allocation for virtual appliance: 4vCPU, 4GB memory and 20GB disk space To download the virtual appliance software, go to: by Pulse Secure, LLC. All rights reserved 5

6 Upgrade Paths The following table describes the tested upgrade paths. Table 2: Upgrade Paths Release Pulse Policy Secure Software Upgrade Pulse Secure Desktop 5.1R13 Client Software Upgrade Odyssey Access Client Version PPS Agent (OAC) Standalone OAC Client Endpoint Security Assessment Plug-in (ESAP) Compatibility Network and Security Manager (NSM) Compatibility Automatic updates to this release are supported for all PPS releases after and including PPS 5.1 R1. This release does not support IC4000 and IC6000 devices. These hardware models have reached endof-life (EOL). Pulse Secure Desktop version is upgraded from 5.1R12 to 5.1R13. Refer to the Pulse Secure Desktop Client 5.1 release notes. Odyssey client version remains as 5.6R20. PPS handles 1500 concurrent endpoint upgrades. This release supports the standalone, non-pps version of Odyssey Access Client. Instructions for installing OAC on standalone clients are contained in the help guide under the section Getting Started > Initial Configuration. ESAP package version is the minimum version to be compatible with Pulse Policy Secure version 5.2R10. The default version for ESAP is NSM is not supported by Pulse Secure, LLC. All rights reserved 6

7 Problems Resolved in Pulse Policy Secure 5.2R10 Table 3: Problems Resolved in 5.2R10 Release PRS PRS PRS PRS If the client has multiple certificates and Request Timeout expires (30 seconds by default) the server abandons the authentication session and does not recognize the valid certificate sent by the client. As a result, it fails the authentication with incorrect "Missing or invalid client certificate" error. With activex disabled, Pulse Desktop will not download via the manual links. Upgrade from Pulse 5.2R5 to higher version fails for Mac OSX users. After upgrading PCS, Event Logs are flooded with Host Checker Machine Cert logs. Problems Resolved in Pulse Policy Secure 5.2R9.1 Please refer to SA40771 for issues fixed in this release. New Features in Pulse Policy Secure 5.2R9 The following table describes the major features introduced in this release. Table 4: List of New Features Release Integration with new OPSWAT SDK v4 Pulse Policy Secure leverages OPSWAT integration for endpoint desktop compliance evaluation. With this release the newer version of OPSWAT v4 is used as the earlier version will be EOL ed by end of Note: Ensure that all the servers and clients are upgraded before upgrading to OPSWAT v4. Problems Resolved in Pulse Policy Secure 5.2R9 Addressed Security Vulnerabilities. Please refer to for more details. Table 5: Problems Resolved in 5.2R9 Release PRS PRS Custom SoH (Statement-of-Health) hostchecker policies were not working properly with Pulse client on Windows 10s. Custom SoH (Statement-of-Health) hostchecker policy was failing from web browser by Pulse Secure, LLC. All rights reserved 7

8 PRS PRS PRS PRS Under certain conditions, dsdash process uses 100% CPU. Warning messages are added about the usage of 'Legacy AD mode' with the recommendation to switch mode to 'New AD'. Updated the Transitional Setup Client to 8.1r104 with OpenSSL Version 1.0.1u. In some case upgrading to C5.2Rx may result in the following messages in event logs. These messages have no functional impact and can be safely ignored: Major ERR :35:45 - fpc1 - [ ] System()[] - Error encountered while upgrading cache (Key: vc0/processes/dspwsldaphandler.spec, Value: off Created: 1) The issue has been fixed in C5.2R9. PRS PRS PRS PRS PRS PRS PRS Installed packages are always set as rollback version instead of current version on PSA7000f(s). While creating a GUAM user account, invalid Mobile number error message was seen. JuniperSetupClientApplet.jar is signed with expired cert and not timestamped. After the fix, it is signed with expiry date of 1/14/2019 and timestamped. After logout, tell user "For added security, please close your browser". OPSWAT V4 SDK support has been included. User Admin link takes user to the wrong page. Policy failed messages for AntiVirus check in Host Checker are not displayed properly. Known Issues in Pulse Policy Secure 5.2R9 No known issues. Problems Resolved in Pulse Policy Secure 5.2R8 Addressed Security Vulnerabilities. Please refer to for more details. Table 6: Resolved in This Release PRS PRS AD troubleshooting logs are saved as juniper_ad_logs, they should be renamed to psecure_ad_logs. Config uploader discards multibyte XML strings; target appliance does not get them. Known Issues in Pulse Policy Secure 5.2R8 The table below describes known issues. Table 3: Known Issues in This Release 2017 by Pulse Secure, LLC. All rights reserved 8

9 PRS In some case upgrading to 5.2Rx may result in the following messages in event logs. These messages have no functional impact and can be safely ignored. We are working on fixing the issue in a future release: Major ERR :35:45 - fpc1 - [ ] System()[] - Error encountered while upgrading cache (Key: vc0/processes/dspwsldaphandler.spec, Value: off Created: 1). Problems Resolved in Pulse Policy Secure 5.2R7.1 Addressed Security Vulnerability. Please refer to for more details. Table 7: Resolved in This Release PRS Upgrading the Pulse Secure Installer Service does not restart the Pulse UI. Known Issues in Pulse Policy Secure 5.2R7.1 The table below describes known issues. Table 8: Known Issues in This Release PRS PRS PRS Odyssey doesn't connect to PPS servers unless and until we exit odyssey and relaunch odyssey when we install a patched JIS as admin. Fresh install and upgrade of Odyssey Client prompts for admin credentials followed by reboot. Problem: Restricted users prompted for admin credentials during upgrade. Installation failure ensues if credentials provided. Conditions: If an endpoint device is running the older Juniper Installer Service (version 8.1 or earlier of JIS, which is associated with 5.2 or earlier PPS servers), and if the device s end user is a restricted user, and if the end user attempts to do a web install/upgrade of the Pulse client via IE by connecting a web browser to a 5.3 or later PPS server, then the Pulse ActiveX Control installation will prompt for admin credentials (which a restricted user is unlikely to possess). If the restricted user gets the credentials and enters them, the installation will fail later with the message, You do not have the proper privileges to install the application. Workaround: There are two workarounds to this issue: 1) Have the sysadmin push out the 5.3 Pulse Installer Service (which installs the ActiveX control) before the end users attempt to connect to the 5.3 PPS server via IE. OR 2) Have the end users connect to the 5.3 PPS server using the Pulse client 2017 by Pulse Secure, LLC. All rights reserved 9

10 (rather than using the web browser). PRS Downloading of Odyssey client from Internet Explorer 11 might complain that the package is corrupt or invalid. Workaround: Please refer to the KB windows_7/the-signature-of-this-program-is-corrupt-or/90ff01cd-41f1-426d-96a5- fb1a6852e8e2. Noteworthy Changes in Pulse Policy Secure 5.2R7 Due to a change in the admin console introduced in PPS 5.2R7 to allow for the configuration of the Pulse Secure desktop client's Credential Provider Single-Sign-On functionality, 5.2R7 and later PPS cannot be upgraded to PPS 5.3R1, 5.3R1.1 or 5.3R2. PPS users who want to upgrade to the 5.3 PPS line must upgrade to PPS 5.3R3 or later. Please note that the Credential Provider Single-Sign-On functionality that is configurable from the admin console in PPS 5.2R7 requires the Pulse Desktop Client 5.2R3 or later. Problems Resolved in Pulse Policy Secure 5.2R7 Table 9: Resolved in This Release PRS PRS PRS PRS PRS PRS Signature verification for Host Checker binaries are taking more than 30 secs in some instances, which is causing SetupClient timeout error. Garbage collector should run every 10 minutes on active node to remove stale xauth entries. Configuring "Auto-update virus signatures list" results in Failure to read AV Update Data from cache, as evidenced by Event log messages. Restricted users get admin privileges prompt when trying to upgrade Network Connect and other clients. After Airwatch upgrade, Airwatch server has different REST URLs for APIs, which are not compatible with older PPS releases. Add administrative console options to allow configuration of the Pulse Secure desktop client s Credential Provider Single-Sign-On functionality. Known Issues in Pulse Policy Secure 5.2R7 The table below describes known issues. Table 10: Known Issues in This Release PRS C5.2R7 XML configuration import to C5.3R2 is failing, when configuration 'Use Desktop Credentials' enabled by Pulse Secure, LLC. All rights reserved 10

11 Noteworthy Changes in Pulse Policy Secure 5.2R6 1. Starting from PPS 5.2R6, the Pulse client shipped in the server releases will be signed with a SHA-2 code signing certificate to improve security and ensure compatibility with Microsoft OS s 2016 restrictions on SHA-1 code signing. 2. A warning will be displayed in the Admin UI if the insecure RC4 cipher is enabled. This warning does not properly detect if RC4 is enabled when hardware acceleration is turned on. If hardware acceleration is not enabled, or the device does not have the hardware accelerator installed, the warning works as expected. Problems Resolved in Pulse Policy Secure 5.2R6 Table 11: Resolved in This Release PRS The admin console now gives the system administrator additional flexibility in specifying under what circumstances a Pulse client should attempt to reconnect to a Pulse Secure gateway when a session times out or is deleted. The new option, "Reconnect at Session Timeout or Deletion" can be found in the admin console under: ->Users->Pulse Secure Client->Connection is established->options PRS IC Admin Help page shows version as 5.1, it should be 5.2. PRS PRS PRS PRS A memory leak occurs each time the dashboard page is viewed in a browser. Library signing issue causing Pulse connection failures on Mac OSX (El Capitan). "Allow user to override connection policy" option is always selected and cannot be unselected when certain combinations of Connection Establishment options are selected. A restricted user is prompted for admin credentials when attempting to install the Odyssey client even though the Windows machine has Installer Service preinstalled. PRS When using Windows 10 TH2 or Android's native supplicant for 802.1x connections, authentications fail against the PPS device and connections cannot be established. PRS PRS PRS PRS PRS PRS , PRS PRS When the PPS issues an 'invalid message authentication' error to one of the radius client devices in the range, the event logs do not denote the IP address of the RADIUS client. Occasionally radius process may crash under load. If a PPS cluster under heavy load is registered with Pulse One, it may cause a cluster splits. Unable to download Pulse 5.2R2 installer from PCS/PPS Installers page. Native supplicant 802.1x connections using either the EAP-MD5 or EAP- MSCHAPv2 protocol results in a memory leak in the radius process. If an appliance is registered with the Pulse One server, a process on the appliance leaks approximately 100Mb of virtual memory per year. If an appliance is registered with the Pulse One server, a process on the appliance might occasionally crash by Pulse Secure, LLC. All rights reserved 11

12 PRS PRS PRS PRS PRS PRS PRS PRS PRS XML Import of LDAP Server duplicates the user-attributes. This issue can cause issues with Pulse One being out of sync with the master appliance. Pulse One: when performing config distribution from a master appliance to a target appliance, the order of the role mapping rules and the detailed rules within a resource policy are not preserved. When all nodes in a cluster are registered with Pulse One, after a long run a cluster split may be seen MAC, SQL auth servers cannot be distributed from master appliance to target appliance via Pulse One. AD authentication server configuration cannot be distributed from master appliance to target appliance via Pulse One. When AD auth-server is distributed from master appliance via Pulse One, the target appliance s CPU utilization goes to 100% and will not come back to normal until a reboot. AD auth-server cannot be distributed from master appliance to target appliance via Pulse One. MAC, SQL auth servers cannot be distributed from master appliance to target appliance via Pulse One. When performing config distribution from one a master appliance to a target appliance, the order of the role mapping rules and the detailed rules within a resource policy are not preserved. Known Issues in Pulse Policy Secure 5.2R6 The table below describes known issues. Table 12: Known Issues in This Release PRS PRS The Pulse One configuration settings were part of user settings until 5.2R4 of PPS; and from 5.2R5 of PPS, these settings are part of the system settings. The Pulse One configuration settings will be overwritten when a user settings configuration from 5.2R4 or lesser version, is imported to 5.2R5 or higher. XML import of Pulse One configuration settings are not affected by this change. If Session Timeout Warning option is enabled and Session Extension option is disabled, the Pulse user still sees the session extension popup and is able to extend the session. Problems Resolved in Pulse Policy Secure 5.2R5 Table 13: Resolved in This Release PRS Syslog messages do not contain 'PulseSecure' string in them, causing issues with logging by Pulse Secure, LLC. All rights reserved 12

13 PRS PRS PRS PRS PRS A Windows 10 user shows up as Others instead of Windows 10 in the Device OS column on the PCS/PPS dashboard. Multiple winbindd crashes are causing the appliance to lose connectivity. Restarting services remediates the issue. One possible scenario for these crashes is sustained load with multidomain AD authentication setup. Pulse upgrade from version 5.0 to (57077) fails due to failure in downloading the client package. This issue occurs only when the upgrade is attempted via Pulse Client Application (after Upgrade prompt appears). Display username and serial number from the client certificate for OCSP check access log messages. The configuration XML that is uploaded to Pulse One is not consistent, causing Pulse One to see configuration changes or conflicts which do not actually exist. PRS Importing a C5.1R5 binary system config into a machine running a PPS 5.2R4 build results in a major event log "Error encountered while upgrading cache". New Features in Pulse Policy Secure 5.2R4 NDPP DHE-2048 Key Exchange Enhancement To address the security vulnerability CVE (Logjam issue), a new option has been added under System -> Configuration -> Security -> SSL Options that ensures that all Diffie-Helman key exchanges use a 2048 bit key. The TLS protocol uses Key Exchange algorithms to transfer the pre-master secret between an SSL client and an SSL server. The major key exchange algorithms supported in TLS are RSA, ECDHE and DHE. Security of the TLS transfer depends heavily on the use of stronger keys for key exchange algorithms. The current Diffie-Hellman Key Exchange (DHE) uses 512 or 1024 bits keys which are considered cryptographically weak. If this new option is enabled, the Diffie-Hellman Key Exchange will use 2048-bit keys by Pulse Secure, LLC. All rights reserved 13

14 Noteworthy Changes in Pulse Policy Secure 5.2R4 Pulse Policy Server (PPS) acting as License clients, running C5.1R1 and above will not be able to lease licenses from License Servers running on 8.0R1 to 8.0R4. If you plan to upgrade PPS License clients to C5.1R1 and above versions, you would have to upgrade your License Servers to 8.0R5 and above. See KB40095 for more information. Problems Resolved in Pulse Policy Secure 5.2R4 Table 14: Resolved in This Release PRS If Pulse One is in use, credential renegotiation (which happens every 1-6 days) disables communication with Pulse One. The Notification Channel Status turns gray in Configuration > Pulse One > Settings. Communication usually recovers after an hour or a day. To correct the condition, go to System > Platform and click [Restart Services]. PRS PRS PRS PRS PRS PRS A gateman crash may occur if the following conditions are met: Multiple 802.1x sessions exist pertaining to same mac-address and same IPaddress (for example, switch user in a Windows machine) One session allows auth provision and other session doesn't. During selective pushconfig, the custom computer name in an AD server instance in the target machine, gets over written by the auto-generated computer name. The agent type for Pulse users on Windows 10 show up as "Windows Vista Pulse Secure" on the Active Users page. This has now been fixed to display "Windows 10 Pulse Secure.". Occasionally fedserver process crashes in fedserver replica setup while federating user sessions. Log archiving may fail intermittently. Cert validation on Pulse client fails if server certificate DN includes double quotes. PRS Source IP restriction page is visible under "User realms -> Users -> Authentication policy" with radius only license. PRS PRS PRS PRS PRS When a Pulse user logs in using a Smartcard, the dashboard report displays the Windows login name instead of the username. Language localization is incorrect for Guest User Access Management web pages. Windows 'Onboard' link/button is missing on PPS end user home page on Windows 10 OS. Federation clients that are in A/A cluster configuration sometimes get into a state where they are unable to export federation sessions to the server, and federation client process crashes. Under certain rare conditions, authentication information is not provisioned to the SRX firewall by Pulse Secure, LLC. All rights reserved 14

15 PRS Unable to modify the "Reminder Time" located in Session Options under the User Role. Entering any value in that field and hitting "Save Changes" results in the field being set to "3.". Noteworthy changes in Pulse Policy Secure 5.2R3.2 Support for IC6500-FIPS has been dropped from PPS 5.2r3 onwards. Support for hardware devices, IC6500 and IC4500 have been added on in PPS 5.2r3.2. Problems Resolved in Pulse Policy Secure 5.2R3.2 Table 15: Resolved in This Release PRS IC4500 and IC6500 devices are unable to upgrade to PPS 5.2R3. Noteworthy changes in Pulse Policy Secure 5.2R3 Support for IC6500-FIPS has been dropped from PPS 5.2r3 onwards. This release comes with Pulse One option enabled. However, this option is not available for use until Pulse One SaaS application is officially released. For additional details on Pulse One, please click on Problems Resolved in Pulse Policy Secure 5.2R3 Table 16: Resolved in This Release PRS PRS PRS PRS PRS PRS PRS PRS After login using IE11, a screen is displayed saying "no access to protected resources", which prevents download of Pulse or Odyssey agents. Pulse One Configuration page menu option is not available under configuration section in Admi UI. Host Checker on Windows 10 is stuck on Loading Components screen. After upgrading during the first reboot (post-install), prints error messages like VM-integer expression expected. Upgrades from PPS 5.1 to PPS 5.2 were failing. Secure Meeting does not launch on Windows 10 when using a browser with Java delivery. This can also affect HC launch on PPS. Upgrade to PPS 5.2R3 builds is unsupported and should fail on old hardware, IC4500, IC6500, an IC6500FIPS. Source IP restriction page is visible under "User realms -> Users -> Authentication policy" with radius only license by Pulse Secure, LLC. All rights reserved 15

16 PRS PRS PRS PRS PCS-2263 PCS-2257 PCS-2150 PCS-2121 PCS-1830 Option to enable "Manually by the user" & "Automatically" is available while configuring Pulse 802.1X connection set. Host Check is performed twice for L2 Pulse auth user when the Host Check interval is configured as "0". AD authentication may not correctly fallback to secondary DNS server if the primary is unreachable for IC users. MAC Realm with radius return attributes is failing when the radius return attribute does not belong to the respective radius client. Sitting Cluster nodes changes status from 'GREEN' LED to 'YELLOW' LED. Notification channel not connected after upgrade. Incorrect mouse over text shown for Registration status. Dev needs to make sure Unity-related code is free of static-analysis defects. 2d - Pulse One trace is missing HEAD requests (impedes troubleshooting). Problems Resolved in Pulse Policy Secure 5.2R2 Table 17: Resolved in This Release PRS PRS PRS PRS Host Checker fails to launch when the MMF name does not match between the installed version (Juniper) and updated version (Pulse Secure). Adding new groups for role mapping may timeout or otherwise fail x usage may trigger spurious Program radius recently failed messages. Serial console options are not working for newly created admin users. Known Issues in Pulse Policy Secure 5.2R2 The table below describes known issues. Table 18: Known Issues in This Release PRS Unable to upgrade Odyssey as a restricted user even if Installer Service is installed. Documentation Pulse documentation is available at Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@pulsesecure.net by Pulse Secure, LLC. All rights reserved 16

17 Technical Support Pulse Polic y Secure Release Notes When you need additional information or assistance, you can contact Pulse Secure Global Support Center (PSGSC): support@pulsesecure.net Call us at (Toll Free, US) For more technical support resources, browse the support (website Revision History The table below lists the revision history for this document. Table 19: Revision History Revision Date July 9, 2015 Sept 9, 2015 Nov 16, 2015 Jan 20, 2016 April 7, 2016 May 24, 2016 June 24, 2016 August 5, 2016 November 2, 2016 February 17, 2017 April 7, 2017 April 18, 2017 September 2, 2017 November 8, 2017 Version 1.0. Created PPS 5.2R2 release notes. Version 1.3. Added PPS 5.2R3 release notes. Version 1.3. Added PPS 5.2R4 release notes. Version 1.4. Added PPS 5.2R5 release notes. Version 1.5. Added PPS 5.2R6 release notes. Added a known issue for PPS 5.2r2 release. Version 1.6. Added PPS 5.2R7 release notes. Version 1.7 Modified the PPS 5.2R7 release notes to incorporate review feedback. Version 1.8 Added PPS 5.2R7.1 release notes. Version 1.9 Added PPS 5.2R8 release notes. Version 1.10 Added Hardware Platforms, Virtual Appliance Editions and Upgrade Paths sections. Version 1.11 Added PPS 5.2R9 release notes. Version 1.12 Changes based on internal review. Version 1.13 Added PPS 5.2R9.1 release notes. Version 1.14 Added PPS 5.2R10 release notes 2017 by Pulse Secure, LLC. All rights reserved 17