Module 01 — Getting Started

Overview & Prerequisites

This guide walks you through deploying Pulse Connect Secure (PCS) agents on Windows Server environments — from initial prerequisites through full validation.

What You'll Learn

INFO About PCS Agents

Pulse Connect Secure (PCS) agents provide secure SSL/TLS-based VPN connectivity, enabling Zero Trust network access. The agent runs as a Windows service and handles authentication, tunnel management, and policy enforcement.

PCS agents support per-app VPN, full-tunnel, and split-tunnel configurations. This guide focuses on the Windows Server deployment model used for server-to-server secure communications.

System Requirements

Component        Minimum               Recommended
OS               Windows Server 2016   Windows Server 2022
RAM              4 GB                  8 GB+
Disk             10 GB free            20 GB free
.NET Framework   4.7.2                 4.8+
Network          TCP 443 (outbound)    TCP 443 + UDP 4500
Admin Rights     Local Administrator   Domain Admin (recommended)

Pre-Installation Checklist

  • Windows Server has all pending updates applied
  • Firewall allows outbound TCP 443 to PCS appliance IP
  • DNS resolution of PCS gateway hostname confirmed
  • .NET Framework 4.7.2 or higher installed
  • Service account credentials prepared (if using non-interactive auth)
  • Existing VPN clients/agents removed or identified

Module 02 — Getting Started

Download & Verify Agent

Obtain the correct agent package from your PCS appliance admin portal and verify its integrity before installation.

STEP 2.1 Download from PCS Admin Portal (Required)

Log into the PCS administration portal and navigate to the agent download section. Select the Windows Server variant.

Admin Portal Path
    # Browser: Navigate to admin portal
    https://<PCS-APPLIANCE-IP>/admin/

    # Navigation path in portal:
    System > Agent Packages > Windows > Download Windows Installer

STEP 2.2 Verify Package Integrity (Required)

Always verify the SHA-256 hash of the downloaded package against the value shown in the admin portal.

PowerShell
    # Verify file hash (run as Administrator)
    Get-FileHash C:\Downloads\PCS-AgentSetup.exe -Algorithm SHA256

    # Compare against portal-listed hash:
    # Expected: A3F2B1C9D4E5F678...
    # If hashes match → proceed. If not → re-download.

Never install a package whose hash doesn't match. Contact your security team if mismatches persist after re-downloading.

STEP 2.3 Check Digital Signature (Optional)

Verify the Authenticode signature to confirm the package is signed by Ivanti/Pulse Secure.

PowerShell
    Get-AuthenticodeSignature C:\Downloads\PCS-AgentSetup.exe | Select-Object Status, SignerCertificate

    # Expected output:
    # Status:  Valid
    # Subject: CN=Ivanti, Inc., O=Ivanti, Inc., L=South Jordan, S=Utah...
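
Steps 2.2 and 2.3 combined into a single gate that stops before installation on any mismatch. This is an added example, not part of the original guide or vendor tooling; $ExpectedHash is a placeholder for the portal-listed value, and the "*Ivanti*" subject filter is an assumption based on the expected signer shown above.

```powershell
# Added example: fail-closed integrity gate for Steps 2.2 and 2.3.
# $ExpectedHash is a placeholder; paste the full SHA-256 shown in the admin portal.
$Installer    = 'C:\Downloads\PCS-AgentSetup.exe'
$ExpectedHash = '<SHA256-FROM-ADMIN-PORTAL>'
$SignerFilter = '*Ivanti*'   # assumption, based on the expected signer subject

function Test-PcsPackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Sha256,
        [Parameter(Mandatory)][string]$SignerLike
    )
    $problems = @()

    # Hash check (-ne is case-insensitive for strings; trim stray whitespace)
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.Trim()) {
        $problems += "SHA-256 mismatch (got $actual)"
    }

    # Signature check: status must be Valid and the signer must match
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "Authenticode status is $($sig.Status)"
    }
    elseif ($sig.SignerCertificate.Subject -notlike $SignerLike) {
        $problems += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    [PSCustomObject]@{
        Path     = $Path
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-PcsPackage -Path $Installer -Sha256 $ExpectedHash -SignerLike $SignerFilter
if (-not $result.Passed) {
    $result.Problems | ForEach-Object { Write-Warning $_ }
    throw "Package verification failed; do not install $Installer"
}
Write-Host "Package verified: hash and signature OK" -ForegroundColor Green
```

Because the script throws on failure, it can run as the first step of an SCCM or Intune deployment so the installer is never launched on an unverified package.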

Module 03 — Installation

Agent Installation

Deploy the PCS agent via GUI installer or silent command-line installation for automated/enterprise deployments.

STEP 3.1 Silent Installation (Recommended) (Required)

Use the silent install method for reproducible, automated deployments via SCCM, Intune, or Group Policy.

CMD — Run As Administrator
    :: Silent installation with logging
    PCS-AgentSetup.exe /S /v"/qn" /l*v C:\Logs\PCSInstall.log

    :: With pre-configured gateway URL
    PCS-AgentSetup.exe /S /v"/qn GATEWAY_URL=https://vpn.company.com"

    :: Verify service installed
    sc query PulseSecureService

STEP 3.2 GUI Installation (Optional)

For manual installs on individual servers, run the setup wizard as Administrator.

  • Right-click PCS-AgentSetup.exe → Run as Administrator
  • Accept license agreement (EULA)
  • Choose install directory (default: C:\Program Files\Pulse Secure\)
  • Select "Windows Service" install type
  • Click Install and wait for completion
  • Reboot if prompted (usually not required on Server)

STEP 3.3 Verify Service Status (Required)

Confirm the Pulse Secure service is installed and running correctly.

PowerShell
    # Check service status
    Get-Service -Name "PulseSecure*"

    # Expected output:
    # Status   Name                DisplayName
    # ------   ----                -----------
    # Running  PulseSecureService  Pulse Secure Service

    # Start service if not running
    Start-Service -Name "PulseSecureService"

    # Set to auto-start
    Set-Service -Name "PulseSecureService" -StartupType Automatic

Module 04 — Installation

Initial Configuration

Configure the agent to connect to your PCS gateway, set authentication parameters, and define connection profiles.

STEP 4.1 Configure Gateway Connection (Required)

Set the primary and optional secondary PCS gateway URLs via registry or the admin configuration tool.

Registry — PowerShell
    # Navigate to Pulse Secure registry key
    $RegPath = "HKLM:\SOFTWARE\Pulse Secure\Pulse\ConnectionStore"

    # Set primary gateway
    New-ItemProperty -Path $RegPath -Name "GatewayURL" -Value "https://vpn.company.com" -PropertyType String -Force

    # Set realm (authentication domain)
    New-ItemProperty -Path $RegPath -Name "Realm" -Value "Users" -PropertyType String -Force

    # Set role (optional, if realm has multiple roles)
    New-ItemProperty -Path $RegPath -Name "Role" -Value "WindowsServers" -PropertyType String -Force

STEP 4.2 Configure Authentication Method (Required)

Define how the agent authenticates to the PCS gateway. Certificate-based auth is recommended for server deployments.

Method        Use Case                                Config Key
Certificate   Server-to-server, no user interaction   AuthType=CERT
SAML          Federated identity / SSO environments   AuthType=SAML
LDAP/AD       Active Directory domain accounts        AuthType=LDAP
Local Auth    Standalone / lab environments           AuthType=LOCAL

Certificate Auth — PowerShell
    # Registry key from Step 4.1
    $RegPath = "HKLM:\SOFTWARE\Pulse Secure\Pulse\ConnectionStore"

    # Import client certificate to LocalMachine store
    # ("CertPassword" is a placeholder for the PFX password)
    Import-PfxCertificate -FilePath C:\Certs\client.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString "CertPassword" -AsPlainText -Force)

    # Note the thumbprint
    Get-ChildItem Cert:\LocalMachine\My | Where Subject -like "*PCS*" | Select Thumbprint, Subject

    # Configure agent to use certificate thumbprint
    New-ItemProperty -Path $RegPath -Name "CertThumbprint" -Value "A1B2C3D4E5F6..." -Force

STEP 4.3 Configure Connection Profile (PPKG) (Required)

Deploy a Pulse Policy Secure Package (.ppkg) to configure connection profiles, split tunneling, and traffic policies.

PowerShell — Deploy PPKG
    # Import connection profile package
    & "C:\Program Files\Pulse Secure\PulseClient.exe" -import C:\Configs\company-profile.ppkg

    # Verify profile loaded
    & "C:\Program Files\Pulse Secure\PulseClient.exe" -listconnections

    # Expected output:
    # Connection: CompanyVPN [https://vpn.company.com] — Realm: Users

After configuration changes, always restart the PulseSecureService: Restart-Service PulseSecureService

Module 05 — Installation

Advanced Settings

Fine-tune split tunneling, logging verbosity, proxy configuration, and Host Checker policy enforcement.

STEP 5.1 Split Tunneling Configuration (Optional)

Define which traffic routes through the VPN tunnel vs. directly to the internet. Split-tunnel reduces load on the PCS appliance.

Route Configuration
    # View current VPN routes after connection
    route print

    # Manually add specific subnets to VPN tunnel
    # (these should match PCS role/resource policy settings)
    # Corporate subnets: 10.0.0.0/8, 172.16.0.0/12
    # All other traffic: direct internet

    # Verify split tunnel active via PCS admin portal:
    # Users > Active Sessions > [session] > Route Table

STEP 5.2 Enable Debug Logging (Optional)

Enable verbose logging during initial deployment for troubleshooting. Disable in production.

Registry — PowerShell
    # Enable debug logging
    $LogPath = "HKLM:\SOFTWARE\Pulse Secure\Pulse"
    Set-ItemProperty -Path $LogPath -Name "LogLevel" -Value "Debug"

    # Log file location:
    # C:\ProgramData\Pulse Secure\Logs\pulsetrace.log

    # Tail log in real-time (path is quoted because it contains a space)
    Get-Content "C:\ProgramData\Pulse Secure\Logs\pulsetrace.log" -Wait -Tail 50

    # Disable debug logging (production)
    Set-ItemProperty -Path $LogPath -Name "LogLevel" -Value "Error"

STEP 5.3 Host Checker Configuration (Optional)

Host Checker enforces endpoint compliance (AV status, OS patches, firewall state) before granting VPN access. Policies are defined server-side.

Host Checker policies are defined on the PCS appliance under: Authentication > Endpoint Security > Host Checker Policies. Ensure the server meets all compliance rules before enabling to avoid connection failures.
Verify Host Checker Status
    # Check if Host Checker process is running
    Get-Process -Name "dsHostChecker" -ErrorAction SilentlyContinue

    # Review host checker log
    Get-Content "C:\ProgramData\Pulse Secure\Logs\HCLog.txt" -Tail 30

Module 06 — Validation

Testing Scenarios

Execute these test scenarios to validate your PCS agent deployment before production rollout.

TC-001 Core Test
Basic Connectivity — Gateway Reachability
Verify the agent can reach the PCS gateway and complete the TLS handshake before authentication.
  1. Open PowerShell as Administrator on the target Windows Server
  2. Run: Test-NetConnection -ComputerName vpn.company.com -Port 443
  3. Confirm TcpTestSucceeded: True in output
  4. Run: Invoke-WebRequest https://vpn.company.com -UseBasicParsing
  5. Confirm HTTP 200 or 302 response (not timeout/refused)
Expected Output
    ComputerName     : vpn.company.com
    RemoteAddress    : 203.0.113.50
    RemotePort       : 443
    TcpTestSucceeded : True
TC-002 Core Test
Agent Authentication & Tunnel Establishment
Test that the agent can authenticate and establish a VPN tunnel using the configured credentials/certificate.
  1. Open Pulse Secure client UI (or run CLI connect command)
  2. Select the configured connection profile
  3. Enter credentials (or confirm cert-based auth proceeds automatically)
  4. Verify status changes to "Connected" with assigned virtual IP
  5. Confirm assigned VIP falls within expected range (e.g., 10.200.0.x)
CLI Connect Command
    # Connect via command line (non-interactive / cert auth)
    & "C:\Program Files\Pulse Secure\PulseClient.exe" -connect "CompanyVPN"

    # Check connection status
    & "C:\Program Files\Pulse Secure\PulseClient.exe" -status

    # Expected:
    # Connection: CompanyVPN — Status: Connected — VIP: 10.200.0.45
TC-003 Scenario Test
Split Tunnel Traffic Verification
Validate that corporate traffic routes through the VPN while internet traffic bypasses the tunnel.
  1. While connected, run route print and capture the routing table
  2. Ping a corporate internal server: ping 10.0.1.10 — should succeed via VPN
  3. Ping a public DNS server: ping 8.8.8.8 — should succeed via local NIC
  4. Use tracert 10.0.1.10 — first hop should be VPN virtual gateway IP
  5. Use tracert 8.8.8.8 — first hop should be your LAN default gateway
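
The TC-003 routing checks as a script that compares the interface Windows selects for each destination against the expected one. This is an added example, not part of the original guide; the adapter aliases "Pulse Secure" and "Ethernet" are assumptions and must be replaced with the names reported by Get-NetAdapter on your server.

```powershell
# Added example: automate the TC-003 routing checks (run while the tunnel is connected).
# Adapter aliases are assumptions; list yours with Get-NetAdapter and adjust.
$VpnAlias = 'Pulse Secure'   # assumed VPN adapter name; replace with the actual name
$LanAlias = 'Ethernet'       # assumed LAN adapter name

# Destinations from TC-003 and the interface each one is expected to leave through
$Expectations = @(
    [PSCustomObject]@{ Destination = '10.0.1.10'; Expected = $VpnAlias }
    [PSCustomObject]@{ Destination = '8.8.8.8';   Expected = $LanAlias }
)

function Test-SplitTunnelRoute {
    param(
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$Expected
    )
    # Find-NetRoute returns the source address and the route the stack would choose;
    # keep only the route object (the one that carries a DestinationPrefix).
    $route = Find-NetRoute -RemoteIPAddress $Destination -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix } | Select-Object -First 1

    $actual = if ($route) { $route.InterfaceAlias } else { '<no route>' }
    [PSCustomObject]@{
        Destination = $Destination
        Prefix      = $route.DestinationPrefix
        NextHop     = $route.NextHop
        Interface   = $actual
        Expected    = $Expected
        Status      = if ($actual -eq $Expected) { 'PASS' } else { 'FAIL' }
    }
}

$report = $Expectations | ForEach-Object {
    Test-SplitTunnelRoute -Destination $_.Destination -Expected $_.Expected
}
$report | Format-Table -AutoSize

# A corporate prefix leaving via the LAN, or internet traffic entering the tunnel,
# both show up as FAIL here.
if ($report.Status -contains 'FAIL') {
    Write-Warning 'Split tunnel routing does not match the expected policy.'
}
```
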
TC-004 Scenario Test
Reconnect After Network Interruption
Simulate network disruption and verify the agent auto-reconnects within the expected timeout period.
  1. Establish VPN connection and confirm stable state
  2. Disable the NIC temporarily: Disable-NetAdapter -Name "Ethernet" -Confirm:$false
  3. Wait 30 seconds to simulate disconnection
  4. Re-enable NIC: Enable-NetAdapter -Name "Ethernet"
  5. Observe Pulse agent status — should reconnect automatically within 60 seconds
  6. Check logs for RECONNECT_ATTEMPT and CONNECTED events
TC-005 Security Test
Host Checker Policy Enforcement
Verify that non-compliant endpoints are denied access per Host Checker policies.
  1. Temporarily disable Windows Firewall service on a test server
  2. Attempt to connect to the VPN
  3. Verify connection is denied with message: "Host Checker policy failed"
  4. Re-enable Windows Firewall and re-attempt
  5. Verify connection succeeds and access is restored
🔒 Only perform TC-005 on an isolated test server. Never disable firewall on production systems.

Module 07 — Validation

Validation Checks

Complete these automated validation checks to confirm your deployment is fully operational and production-ready.

Validation Dashboard

  • Service Running
  • Auth Success
  • Tunnel Active
  • Routes Correct
  • Host Checker
  • Logs Clean

Automated Validation Script

PowerShell — Full Validation
    # PCS Agent Deployment Validation Script
    # Run as Administrator
    $Results = @()

    # 1. Service Status
    $svc = Get-Service "PulseSecureService" -ErrorAction SilentlyContinue
    $Results += [PSCustomObject]@{
        Check  = "Service Running"
        Status = if ($svc.Status -eq "Running") { "PASS" } else { "FAIL" }
        Detail = if ($svc) { $svc.Status } else { "Service not found" }
    }

    # 2. Registry Config Present
    $regKey = "HKLM:\SOFTWARE\Pulse Secure\Pulse\ConnectionStore"
    $regOK = Test-Path $regKey
    $Results += [PSCustomObject]@{
        Check  = "Registry Config"
        Status = if ($regOK) { "PASS" } else { "FAIL" }
        Detail = if ($regOK) { "Key exists" } else { "Key missing" }
    }

    # 3. Gateway Reachability (only attempted when a GatewayURL is configured)
    $gwURL  = if ($regOK) { (Get-ItemProperty $regKey).GatewayURL }
    $gwHost = if ($gwURL) { ([System.Uri]$gwURL).Host }
    $ping   = if ($gwHost) { Test-NetConnection -ComputerName $gwHost -Port 443 }
    $Results += [PSCustomObject]@{
        Check  = "Gateway TCP:443"
        Status = if ($ping.TcpTestSucceeded) { "PASS" } else { "FAIL" }
        Detail = if ($gwHost) { $gwHost } else { "GatewayURL not configured" }
    }

    # 4. Log file exists
    $logExists = Test-Path "C:\ProgramData\Pulse Secure\Logs\pulsetrace.log"
    $Results += [PSCustomObject]@{
        Check  = "Log File Present"
        Status = if ($logExists) { "PASS" } else { "WARN" }
        Detail = if ($logExists) { "Found" } else { "Not yet created" }
    }

    # 5. Output Results
    $Results | Format-Table -AutoSize
    $Results | Export-Csv "C:\Logs\PCS-Validation-$(Get-Date -f yyyyMMdd).csv" -NoTypeInformation
    Write-Host "`nValidation complete. Results saved." -ForegroundColor Green

Portal-Side Validation

  • PCS admin portal → Users → Active Sessions shows connected server
  • Session shows correct Role, Realm, and assigned Virtual IP
  • Host Checker status shows "Passed" for all policies
  • Event log (System > Reports > User Access Log) shows no auth errors
  • Bandwidth utilization visible in portal dashboard

Module 08 — Validation

Troubleshooting

Common issues and resolutions encountered during PCS agent deployments on Windows Server.

ERR-01 Service Fails to Start (Common)

The PulseSecureService fails to start, shows "Stopped" status, or immediately crashes after starting.

Diagnosis
    # Check Windows Event Log for service errors
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=7034,7031} -MaxEvents 10

    # Check application log for PulseSecure errors
    Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='PulseSecure'} -MaxEvents 20

    # Resolution: Reinstall with repair flag
    # (run from an elevated CMD prompt, as in Step 3.1)
    PCS-AgentSetup.exe /S /v"/qn REINSTALL=ALL"

ERR-02 Authentication Fails — Certificate Error (Common)

Connection attempt returns "Certificate not found" or "Authentication server rejected the certificate".

Diagnosis & Fix
    # Verify certificate is in LocalMachine\My store
    Get-ChildItem Cert:\LocalMachine\My | FL Subject, Thumbprint, NotAfter

    # Check certificate hasn't expired (this lists any expired certificates)
    Get-ChildItem Cert:\LocalMachine\My | Where {$_.NotAfter -lt (Get-Date)}

    # Verify service account has READ access to private key
    # (replace <THUMBPRINT> with the certificate's thumbprint; the path is quoted so the placeholder parses)
    $cert = Get-ChildItem "Cert:\LocalMachine\My\<THUMBPRINT>"
    $rsaKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    # If $null, private key is missing — re-import PFX with private key

ERR-03 Tunnel Drops Intermittently (Common)

VPN connects successfully but drops every few minutes. Often caused by keep-alive timeouts or MTU issues.

MTU Fix
    # Test MTU path (run while connected to VPN)
    ping 10.0.1.1 -f -l 1400
    ping 10.0.1.1 -f -l 1350

    # Set MTU on VPN adapter (replace "Pulse Secure" with actual adapter name)
    netsh interface ipv4 set subinterface "Pulse Secure" mtu=1350 store=persistent

    # Also adjust keep-alive in PCS portal:
    # System > Configuration > Network > Keep Alive Settings
    # Set idle timeout to 3600+ seconds for server workloads

ERR-04 Host Checker Failing Unexpectedly (Situational)

Connection blocked by Host Checker even though the server appears to meet all requirements.

Diagnosis
    # Review Host Checker log for specific failure
    Get-Content "C:\ProgramData\Pulse Secure\Logs\HCLog.txt" -Tail 50 | Select-String "FAIL|ERROR|policy"

    # Common causes logged:
    # "AV not found" → Ensure Windows Defender is running
    # "Firewall disabled" → Start Windows Firewall service
    # "OS patch check failed" → Install missing Windows updates

    # Verify Windows Security Center status
    Get-MpComputerStatus | Select AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled

You have completed the PCS Agent Training Guide. For further escalation, collect logs from C:\ProgramData\Pulse Secure\Logs\ and open a support case with your PCS administrator or Ivanti support.