Pulse Secure VPN on openSUSE

Hi.

I’m trying to get Pulse Secure VPN working on my openSUSE Leap 42.1 install. Pulse Secure normally supports RedHat, CentOS and Ubuntu. When I execute the startup script, /usr/local/pulse/PulseClient.sh <parms>, the script wants to install these dependencies:

yum install glibc.i686 nss.i686 zlib.i686 (That’s what the startup script spits out on the commandline. I’m not trying to use yum on openSUSE!)

My understanding is glibc.i686 is the same as glibc-32bit, but the script doesn’t recognize its already installed location? How do I redirect the dependency? Or do I need to update the startup script for openSUSE?

For the other dependencies,

nss.i686 is the same as nss-mdns-32bit?
zlib.i686 is the same as ghc-zlib or jzlib?

Thanks!

First,
You should post the guide you’re following.
A quick search returns numerous hits of articles about various organizations and companies releasing customized versions, so you need to know if there are any special requirements.

With a bit of amusement,
I see that Pulsesecure has updated much of their VPN install documentation as of last year but the content shows is only up to Windows 8.1 (not even 10). And, all the Linux distro documentation is old, very old with SUSE/openSUSE possibly the oldest (v 12.1). Wow, is that really old.

That said, assuming that their documentation will work, I recommend most of your effort should be based on this when downloading the official install

Option: Install from Pulseconnect

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB25230
which was last modified in 2010 (!).

The article suggests you need

Beyond that, it gets a bit complicated…

The packages you list may be old package names that have since been changed. It’s unknown whether your script is looking for simply package names or the commands themselves, and if the command specifies a version…
You can search on the root of the packagename and you’ll probably find that many will be already installed on your system, but without knowing the exact utility the install script is calling you can’t know exactly how to fulfill the requirement.

So, for instance once any package installed, you can run the following to list the package contents to see if the application’s needs should be fulfilled

rpm -ql *packagename *

If any of those packages your script wants installed exist, you can either use yum (yes, it’s there and works but is not recommended) or simply subsitute “zypper” for the yum command, eg

zypper in *package1 package2 package3*

**
Option: Install a package from somewhere else**
As I noted in the beginning,
You might have better luck running a more up to date package from a 3rd party rather from Pulse themselves.
But, of course beware the dangers of using software from non-official sources…
So,
For instance, here is one from Isreal Institute of Technology
https://cis.technion.ac.il/en/central-services/communication/install-juniper-ubuntu/

And, here is one from the University of New Hampshire.
https://cis.technion.ac.il/en/central-services/communication/install-juniper-ubuntu/

Note that both the above <might> support 64-bit which would mean seamless and minimal issues installing on openSUSE (follow the RHEL/Fedora instructions for both).

You can also search through Github for Pulse Connect install scripts, a lot of time people create a script for some specific need and post (I do the same).

HTH,
TSU

Thanks for the quick reply and research…

These are the two pages I initially looked at: (the second one, you also referenced)

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40126
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB25230

IT grabbed for me, this package, which is the latest on Pulse Secure’s site: (In order to download, the serial number of the product purchased must be supplied, which is why IT did it.)

pulse-8.2R5.1.i386.rpm

I installed the package via zypper.

I tried executing the shell script using this format, which is in the docs:

/usr/local/pulse/PulseClient.sh -h <PCS appliance IP/hostname> -u <vpn username> -p <vpn password -U <PCS SIGNINURL> -r <Realm>

Example: /usr/local/pulse/.PulseClient.sh -h secure.company.com -u user01 -p password01 -U https://secure.company.com/linux -r “Realm Name”

Of course, I substituted with the correct parameters for the VPN I’m trying to connect to.

The startup script PulseClient.sh wanted to install:

glibc.i686, nss.i686 and zlib.i686

These aren’t openSUSE names for the packages, so I’m at a loss as to which packages I need to install to satisfy the requirements. However, I do have 32-bit and 64-bit versions of glibc and nss installed. I’m unclear about which zlib it’s referring to.

It was recommended that instead of using the commandline, I should launch the GUI instead, which I can from the “Start” menu. It doesn’t launch though, probably because of the dependent libraries not being in the correct place as in RedHat, CentOS, or Ubuntu?

The first problem I would like to solve right now is, which zlib do I need to install?

The second problem is how to point the client program to use the openSUSE location of the libraries.

I think after that, I should be able to launch via GUI and start things up.

686 is 32 bit In openSUSE the package name will have 32bit in it. So in Yast search for the root name ie name without .686 and see what you find.

To answer your question about how to resolve the dependency issue, the install script has to be inspected.

I don’t think it should be a violation of your license to post the script somewhere, but if you want to be relatively safe you can post to a pastebin and set an expiration of a few days (long enough for readers to view). Or, if you paid for support maybe Pulsesecure would be willing to work with you and then update their documentation accordingly… Because in this case I suspect that there should not be much if any difference between the instructions for installing on Fedora or RHEL vs openSUSE (They have an opportunity to fix any possible Fedora or RHEL errors as well).

TSU

Hi,

Someone here might be able to help you with the package dependencies but if no one can, then my advice is to create a ticket and send it to the tech support team. In my experience so far only AirVPN has a decent and usable gui client called eddie that works cross platform, e.g. Windows, Mac and Linux and it works both on .rpm and .deb based distros, and it has some bells and whistles that you might or might not need, but I havent tried ALL vpn clients nor all .rpm and .deb based distros so don’t take my word for it :wink:

Of course there is always the command line client and the network manager way but hey some folks just like to point and click.
Good luck.

Yes, I figured that out from searching references on i686. I have 32-bit versions of glibc and nss already installed. For zlib, there are quite a few options, from a compression library to a GUI library. Which is the common zlib on RedHat, CentOS or Ubuntu?

Unfortunately my workplace only officially supports Windows and MacOS with Pulse Secure VPN. I’m allowed to use GNU/Linux, but I’m on my own as far as getting it to work. I don’t have any direct contact with Pulse Secure.

Pulse Secure VPN was selected by my workplace and they, my workplace, only supports Windows and MacOS.

You won’t be able to get any real help unless you can post the script for inspection.
You can change parts of the script beforehand if it contains any sensitive information, but if it’s a very generic script which doesn’t contain the remote server address and encryption keys, then it’s probably safe to post.

Primary things that should be identified as possible causes for errors which you can also try to find on your own…

  • Fixed paths instead of relative paths
  • Testing for package names instead of commands
  • Testing for specific OS, not including current openSUSE

TSU

Hi,

I found this thread after having looked for some help to get pulse secure installed and run on OpenSuse Leap42.

I am in the same situation as linuxvinh.

First, I found 2 different files to install Pulse Secure on Linux, as given in this website:
https://cis.technion.ac.il/en/central-services/communication/install-juniper-ubuntu/

  • RPM (for CentOS/RedHat)
  • DEB (Ubuntu/Debian)

(note: It is also this same link that I follow to try install pulse secure)

I tried to install RPM, and I got to the same situation as linuxvinh, with the same dependencies missing. I installed yum but this still doesn’t work : there is no repos configured. I found on the internet that it was actually no good idea to install yum on OpenSuse and I abandoned the idea of configuring the repos and installing the dependencies in this way.

Now, I am trying to install the deb version. I had to install first dpkg and then, executing:
sudo dpkg -i ps-pulse-ubuntu-debian.deb
I get this error
dpkg: error: failed to open package info file `/var/lib/dpkg/available’ for reading: No such file or directory

Can you tell me how to do things properly to get dpkg install Pulse Secure?

I am quite new to Linux and each time I solve a step, I find new difficulties or bugs, so I am wondering if I’ve done everything wrong.

Is there another command that can install .deb?
I have tried apt-get and zypper instead of dpkg, but no provider found.

Thank you for your help.

Hi,
Welcome to your first steps in openSUSE.
Some basic concepts to help you along…

The two main packaging systems in the Linux world are RPM and DEB.
They’re very different and don’t work well together except by special extraction utilities, so don’t try to install DEB packages or if you do we have a utility you can use to extract the contents called “alien.”

A number of distros are RPM-based including openSUSE, others include Fedora, CentOS, RHEL and Mandriva.
There are a few Package Managers for the base packaging system and for the longest time Fedora, CentOS and RHEL have used yum.
Although you can use yum commands on an openSUSE, we have our own more capable tool called “zypper,” you can display a variety of options (not completely everything) with the following. In fact, for most commands you can use the “–help” flag to test whether the command is installed and working.

zypper --help

If you prefer a graphical tool, you should start by opening YAST, it’s the centralized “Here you can do nearly everything you can think of” which is comparable but is vastly much, much more than the MSWindows Control Panel. You can find YAST in your Desktop’s menu or invoke from a console

yast2

Within YAST, you’ll find a number of modules (of which many more can be installed for various configuration and management) including Software Installation and Management. Open it and search for, and install anything in your configured repositories. If you can’t find what you want, then either install more repositories or go to https://software.opensuse.org.

But, keep in mind where this thread has progressed to above…
If your business doesn’t mind, these 3rd party versions of Pulse Secure can be tried but not guaranteed to work.
Without actually seeing the contents of the install script, it’s unlikely any Forum readers can offer fixes, but I did list the most likely things to look for if you want to try to fix the script yourself.

TSU

Hi,

thank you for the explanations.

Now that you tell me I should not try to install the DEB package, I went back to the RPM version, which I deinstalled (with Yast) and re-installed again using

sudo zypper install <file downloaded from the Technion website.rpm>

Everything is fine until there. Then, I try to create a VPN connection with the command line, as indicated in the README file:

The command line client can be launched using the command below :
    /usr/local/pulse/PulseClient.sh -h <PCS appliance IP/hostname> -u <vpn username> -p <vpn password> -U <PCS SIGNINURL>

    eg:
    /usr/local/pulse/PulseClient.sh -h 10.209.118.244 -u user1 -p PulseSecure -U https://10.209.118.244


The following output results:

There are no enabled repos.
 Run "yum repolist all" to see the repos you have.
 You can enable repos with yum-config-manager --enable <repo>
Failed to install dependencies.Please execute following command manually.
 yum install glibc.i686 nss.i686 zlib.i686
executing command : /usr/local/pulse/pulsesvc                                                                  
VPN Password:      

I enter the password and press Enter, and I simply get back to the command line with no extra output.

Here my first question joins the problem of linuxvinh:

  1. how to install these dependencies on OpenSuse Leap 42?
  2. I understood that you have to check what’s in the script, and I can post the PulseClient.sh file, I think there is nothing confidential, anyone can download the package, install it and look inside. Now, how could I upload this PulseClient.sh in the forum so that you can see it? ^^"

Then, I wanted to check what happened with the connection, if it is there or not. There is a command line called S for status:

/usr/local/pulse/PulseClient.sh -S

But I end up with an error message. I found how to solve this other issue here: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40110 but I don’t know how to “set $HOME environment variable to writable path”… 3) is it something to do in the PulseClient.sh script ?

If you could help me with those 3 issues, I would be very grateful.

Use https://paste.opensuse.org/ and post the link to it here.

I’m unclear of the legality of posting PulseClient.sh, so I didn’t post it. Instead, I spent some time looking at the script. It’s hard coded to look for centOS 6/7, Ubuntu 14/15 and RedHat 7. For those distros, it does checks for library dependencies and tries to install missing ones. I gave up on the commandline approach.

I went with the GUI version instead:

/usr/local/pulse/pulseUi <— to execute from the commandline, but brings up GUI

I first tried executing from the “Start” menu with searching for the Pulse Secure program. It would execute, but quit. I needed to see the error messages, so I executed from the commandline (see above). This gave me error messages and after a few executions and eliminating error messages one by one, I installed with YaST:

glibc-32bit
nss-mdns-32bit
libwebkitgtk-1_0-0-32bit (There’s a -3_0 that I didn’t install.)
glib-networking-32bit
p11-kit-32bit

Also, I had to copy libpulseui.so from /usr/local/pulse to /usr/lib:

cp -p /usr/local/pulse/libpulseui.so /usr/lib (Do as superuser.)

It still doesn’t work, but I got a lot further. I am able to get to the login and password of the company’s site. I see on the commandline that it was starting up the VPN, but then quits with “reason = 6” (see below). That’s as far as I’ve gotten.


20161213013411.52864 pulsesvc[p25672.t25672] pulseui.info In launchTunnel() (pulseUi.cpp:904)
20161213013411.53046 pulsesvc[p25672.t25695] pulseui.info In startPulseService (pulseUi.cpp:991)
20161213013411.68496 pulsesvc[p25672.t25695] pulseui.info pid of pulsesvc = 0 (pulseUi.cpp:159)
20161213013411.115712 pulsesvc[p25672.t25695] pulseui.info pid of pulsesvc = 25698 (pulseUi.cpp:159)
20161213013413.146109 pulsesvc[p25672.t25695] pulseui.info received onDisconnect with reason = 6 (pulseUiLib.cpp:470)
20161213013413.146236 pulsesvc[p25672.t25695] pulseui.info waiting for Pulse service to stop! (pulseUi.cpp:178)
20161213013413.146265 pulsesvc[p25672.t25695] pulseui.info done… (pulseUi.cpp:180)
20161213013413.146282 pulsesvc[p25672.t25695] pulseui.info Exiting connection thread (pulseUi.cpp:1049)

Thanks, here is the PulseSecure.sh script :
xxxxxxxxxxxx
OpenSuse is not supported, but maybe one can add it with the corresponding packages… what do you say?

Hi Linuxvinh,

thank you very much for posting what you have done! As you said it is not obvious that posting the script is legal, I edited my previous message and deleted the link. The paste should be erased in 6 days.

I also took a look to the script but didn’t try things in my own.

Now, I installed all the packages you listed with “zypper install” and I get the GUI finally working!

The connection to the server seems also to be working, but I am not sure.

So far, I didn’t receive the same output as you, and no error message. I have to look deeper in it.

Thank you again.

galerkin1,

I think if you got it to work, then if you look at File->Connections->Advanced Status Details, you would see Bytes Transmitted/Bytes Received/Encryption Type/etc. filled with values.

I got to observe a working install on MacOS and those values are filled in.

Oh, the most obvious indicator is the Connect next to the connection name says Disconnect. Mine goes directly back to Connect after I enter the credentials.

I’m refocusing back to the specific error I’m getting…

“20161213013413.146109 pulsesvc[p25672.t25695] pulseui.info received onDisconnect with reason = 6 (pulseUiLib.cpp:470)”

I found this page which explains a debugging method for reason = 6:

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB15981

"Reason #6 - Client-side Antivirus or Malware protection software is blocking the NC connection

Temporarily disable all 3rd party Anti-Virus, Filrewall and Malware protection on the client PC to see if one or more of these settings are preventing the connection from being established. If NC launches successfully with all 3rd party AV, FW and Malware software disabled, re-enable them one-by-one, checking the NC connection after each change, and determine which 3rd party app is blocking the NC connection. Then, fine-tune that application to allow the NC connection."

The page is in relation with Windows, but perhaps the problem is with Firewall settings? Do I need specific ports open? By default, openSUSE locks down most ports, so should certain ones be opened? Does this seem like the direction to pursue?