
Secure Mobile Access 12.0 Deployment Planning Guide

Common VPN Configurations

About the Configurations

The following sections take you through the configuration steps of a typical deployment: relatively open, remote access for employees, and more restricted access for partners. As part of this exercise, we also make WorkPlace appear different, depending on which of the two communities the user belongs to. Following these steps will introduce you to the Appliance Management Console (AMC) and how its configuration elements interact.

The sample deployment, Testing the Deployment Scenario, is followed by brief descriptions of other scenarios for configuring and deploying VPN access for your users.

Deployment Scenario: Remote Access for Employees and Partners

To better understand how to deploy a remote access VPN, go through the steps in this section to set up relatively open access for employees, and more restricted remote access for a less trusted group, partners. The assumption in this scenario is that you have Advanced EPC, which is included in an evaluation license and with the SMA 6200, SMA 7200, EX6000, EX7000, and EX9000 appliances, and is otherwise licensed separately.

First, we’ll lay the foundation for this sample VPN, configuring the items that you’ll make use of later when you set up access for the two communities; see VPN building blocks and their descriptions.

VPN building blocks and their descriptions

Create an authentication realm: Set up a Microsoft Active Directory (AD) authentication server. See Establishing an Authentication Realm.

Identify users: Add a few test users with names that match ones on your AD server. For this test scenario, we will identify two of them as employees, and two of them as partners. See Identifying Users.

Add resources: Define just a few resources. See Adding Resources.

End Point Control: Create two Standard zones of trust: a trusted one for members of the Employees community, and a less trusted one for Partners. Also, create a quarantine zone for devices that don’t fit into either community.

Create WorkPlace styles and layouts: Change how WorkPlace looks on a per-community basis. Though optional, this produces a more polished and customized look. We will modify the default style and layout and use it for the employees community, and then create a different look for the partner community. See Customizing WorkPlace.

The next step is to put it all together, using the VPN building blocks you created, and configure two communities, an employee community and a partner community. The steps for configuring either community are the same:

Setting up communities and their description

Members: Identify the members for each community.

Access methods: Define what access methods are available.

End Point Control: Create zones of trust: a trusted one for members of the Employees community, and a less trusted one for Partners.

WorkPlace appearance: Use different WorkPlace styles and layouts for the two communities.

Access control rule: Create rules for what resources can be accessed by which users. See Access Control Lists.

Throughout these procedures, remember to click Pending Changes in the upper-right corner in AMC, and then click Apply Changes to save your configuration changes.

Establishing an Authentication Realm

To authenticate your users, you must first define an authentication realm, which is the combination of an existing company directory and an authentication method.

To define an authentication realm:
1. From the main navigation menu, click Realms.
2. Click New realm.
3. Enter a realm name in the Name field. For example, Company XYZ.
4. Click New next to the Authentication server drop-down menu.
5. Select Microsoft Active Directory.
6. Click Continue.
7. Enter a name for the credential type in the Name field. For example, Company Directory.
   TIP: Resources sometimes require NTLM credentials to be forwarded to back-end Web servers; Outlook is often set up this way.
8. In the Primary domain controller field, type the host name (assuming you’ve already configured DNS) or IP address for the authentication server.
9. To perform Active Directory searches, the appliance must be able to log on to the authentication server. In the General section:
   a. In the Login name field, type the Active Directory login name.
   b. In the Password field, type the password that corresponds with the login name.
10. Click the Test button to validate that the connection is properly configured and that the authentication server is accessible from the appliance.
11. Expand the Advanced settings area.
12. Scroll down to the Domain authentication forwarding area to specify how the domain name portion of the credentials will be forwarded.
13. In the Domain authentication section, select either:
   Forward a custom domain name (the default), and enter the domain name in either NTLM or Kerberos style.
   Forward the authentication server name as the domain name.
14. In the One-Time Passwords section, select the Use one-time passwords with this authentication server checkbox to enable one-time passwords. This is enabled by default.
   a. Enter the length of the password in the Passwords contain field; the default is 8 characters.
   b. Select the type of acceptable characters, such as Alphabetic or Numeric, from the characters drop-down menu.
   c. In the From address field, enter the email address from which email is sent to the user.
   d. Optionally, if the primary email address attribute exists on the authentication server, enter it in the Primary email address attribute field.
   e. Optionally, if the secondary email address attribute exists on the authentication server, enter it in the Secondary email address attribute field.
   f. Enter the subject for the email sent to the user in the Subject field; the default is One time password.
   g. Enter the message to be sent to the user in the Body field; the default is Hi {username}, Your one time password is: {password}.
15. To test the message, enter an email address in the Email Address field and click the Send test message button.
16. Click Save. You are returned to the Configure Realm page.
17. From the Authentication server drop-down menu, select the authentication server you just configured (Company Directory).
18. Click Finish (we will create communities within the Company XYZ realm later in this process).
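An added Python example (not SonicWall code and not part of this guide) showing what the One-Time Passwords settings in step 14 control: the password length and character class, the Subject and Body templates with their {username} and {password} placeholders, and why the character class matters for guessing resistance. The Alphanumeric label and the assumption that the appliance substitutes the placeholders the way str.format does are the example's own.

```python
import math
import secrets
import string

# Character classes selectable in the One-Time Passwords section.
# "Alphabetic" and "Numeric" are the classes named in the guide; "Alphanumeric"
# is an assumed label added for comparison.
CHARACTER_SETS = {
    "Alphabetic": string.ascii_letters,
    "Numeric": string.digits,
    "Alphanumeric": string.ascii_letters + string.digits,
}

DEFAULT_LENGTH = 8                      # "Passwords contain" default
DEFAULT_SUBJECT = "One time password"   # Subject field default
DEFAULT_BODY = "Hi {username}, Your one time password is: {password}"  # Body default


def generate_one_time_password(length=DEFAULT_LENGTH, characters="Alphabetic"):
    """Draw every character from the configured class with the secrets module
    (a CSPRNG); random.choice would make the codes predictable."""
    if length < 1:
        raise ValueError("length must be at least 1")
    alphabet = CHARACTER_SETS[characters]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=DEFAULT_LENGTH, characters="Alphabetic"):
    """Guessing resistance of a code drawn uniformly from the class:
    length * log2(alphabet size). 8 digits give about 26.6 bits, 8 letters
    about 45.6 bits, so the character class choice matters more than it looks."""
    return length * math.log2(len(CHARACTER_SETS[characters]))


def render_message(username, password, subject=DEFAULT_SUBJECT, body=DEFAULT_BODY):
    """Fill the {username} and {password} placeholders of the Subject and Body
    fields. Assumption: the appliance performs the same substitution."""
    return subject.format(username=username, password=password), \
        body.format(username=username, password=password)


def verify_one_time_password(submitted, expected):
    """Constant-time comparison, so response timing does not reveal how many
    leading characters of a guess were correct."""
    return secrets.compare_digest(submitted.encode(), expected.encode())


if __name__ == "__main__":
    code = generate_one_time_password(DEFAULT_LENGTH, "Numeric")
    subject, body = render_message("jdoe", code)
    print(subject)
    print(body)
    print("entropy (bits):", round(entropy_bits(DEFAULT_LENGTH, "Numeric"), 1))
```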

Identifying Users

Using the AD store associated with the Company XYZ realm, add two employees and two partners.

To add users:
1. Click Users & Groups in the main navigation menu, and then click the Users tab.
2. In our sample deployment, we’re going to add just four users (later you’ll see how to control access to resources based on the user on the Access Control page). Click New, and then select Manual entry.
3. Create four user mappings:
   a. From the Realm name list, select Company XYZ.
   b. In the Username field, enter a username as it appears in your AD server.
   c. Click Save and add another.
   d. Continue to add three more users.
   e. Click Save.

Adding Resources

The SonicWall appliance can manage a wide variety of corporate resources, which are described in Defining Resources. For our sample scenario we will just define a few:

A network share with marketing materials (intended for business partners and visible to employees).
Access to Microsoft Outlook on the Web (intended solely for employees).
To define two corporate resources:
1. Click Resources in the main navigation menu in AMC.
2. Click New, and select Network share.
3. Enter a name for the resource in the Name field. This is the only resource in our sample deployment to which partners will have access. Name it VAR marketing collateral.
4. Using UNC syntax, enter the path for the resource in the Network share field. For example, \\company_xyz\var\marketing.
5. Select Create shortcut on WorkPlace so that a link to the resource will be visible to users.
6. Click Save. VAR marketing collateral is now added to your default resources.
7. Add a second resource:
   a. Click New.
   b. Select URL.
8. In the Name field, enter Outlook Web Access. This resource is intended for employees only.
9. In the URL field, enter https://mail.company_xyz.com.
10. Select Create shortcut on WorkPlace.
11. Click Save. You should now see two new items in your resource list.

There are some built-in resources, to make setting up a WorkPlace portal easier; they cannot be deleted. The Used column indicates whether a resource is in use (as part of a WorkPlace shortcut or layout, for example). To see where a resource is used, expand its icon. A resource cannot be deleted until it is no longer used by other configuration elements.

Creating Zones of Trust

End Point Control (EPC) provides extensive protection to ensure that your users’ access devices are secure. To keep things simple in this example, we will assume that your appliance has a license for Advanced EPC, and we will create two Standard zones: a trusted one for members of the Employees community, and a less trusted one for Partners. We’ll also set up a Quarantine zone for users (employees or partners) whose devices fail to match the profiles that we specify.

Creating a zone is simply a way of setting one or more conditions that users must meet before they are granted secure, remote access to resources. In our example, the user will be classified into the Trusted zone if a certain antivirus program is running (Norton AntiVirus is used in this example, but you can substitute another program). If the program is not running, the user is classified into the Untrusted zone.

The conditions you set in a real deployment will of course be different—this is just a demonstration of how EPC works.

Creating a Standard Zone for Trusted Users

To create a Standard zone named Trusted for employees:
1. From the main navigation menu in AMC, click End Point Control.
2. If the link next to End Point Control is Disabled, click the link and select the Enable End Point Control checkbox on the Configure General Appliance Options page.
3. Click New, and then select Standard zone from the menu. The Zone Definition - Standard Zone page appears.
4. In the Name field, type Trusted.
5. In the All Profiles list, select the checkbox next to Windows antivirus, and then click the right arrows (>>) to add it to the In Use list. To see the attributes in this built-in profile, click its name.
6. The client device will be checked at login to see if it is running either Norton AntiVirus or McAfee VirusScan. If you want this check to recur during a given session, set the interval in minutes in the Recurring EPC area.
7. When you are finished configuring the zone, click Save. The Standard zone named Trusted is now displayed in the list of End Point Control zones. To match this profile, a user’s device must be running the security programs you specified in Step 5.

In this example, we will classify devices that do not match the Standard zone we created into a Quarantine zone named Untrusted; see Creating a Quarantine Zone for Untrusted Users.

Creating a Standard Zone for Partners

To create a Standard zone named Partner zone for partners:
1. From the main navigation menu in AMC, click End Point Control.
2. Click New, and then select Standard zone from the menu.
3. In the Name field, type Partner zone.
4. To create a device profile, click New, and then select a platform from the shortcut menu (for example, Microsoft Windows).
5. Enter a name for the device profile in the Name field. For example, Symantec AV.
6. Select Antivirus program from the list of attribute types, and then select a series of antivirus programs. For a match, the client device you plan to use for testing should have one of these products. For example, select Symantec Corp. as the vendor, and then select the first three products in the Product name list, clicking Add to Current Attributes after each one.
7. Click Save.
8. In the All Profiles list, select the checkbox for Symantec AV, and then click the right arrow (>>) button.
9. The client device will be checked at login to see if it is running one of the antivirus programs identified in the Symantec AV device profile. If you want this check to recur during a given session, set the interval in minutes in the Recurring EPC area.
10. When you are finished configuring the zone, click Save. The Standard zone named Partner zone is now displayed in the list of End Point Control zones.

Creating a Quarantine Zone for Untrusted Users

To create a Quarantine zone named Untrusted:
1. From the main AMC navigation menu, click End Point Control.
2. Click New, and then select Quarantine zone.
3. Enter a name for the Quarantine zone. For example, Untrusted.
4. In the Customization area, enter the text a user will see if his or her device does not meet the criteria for any of the Standard zones. For example, You are not running an antivirus product from the approved list.
5. Click Save.

Customizing WorkPlace

You can alter the appearance of WorkPlace on a per-community basis by creating different styles and layouts:

Styles are used to customize the look and feel of the WorkPlace login and portal pages. They contain information about fonts, colors, and images that will be displayed on the WorkPlace site.
WorkPlace layouts are used to customize page content in terms of links, groups, navigation, columns, and personal bookmarks. Creating additional layouts is useful if you find that your access policies don’t completely define what you want each user to see.

Both styles and layouts are created independent of communities and can be reused.

In our example we’ll modify the default style and layout slightly for the Employees community, and then create a different look for the Partners community.

Modifying the Default Style and Layout

To modify the default WorkPlace layout and style:
1. Click WorkPlace in the main navigation menu, and then click the Appearance tab.
2. Click Default Style in the Styles area.
3. The default look for WorkPlace is intended for employees in our scenario. For now, just change the banner that employees will see. Type WorkPlace in the Title field.
4. Click Save, and then click Default Layout in the Layouts area.
5. Again, we’ll keep changes to a minimum: on the General page, select Display the Personal Bookmarks group. This automatically displays the content in two columns. Click Save.

Creating a New WorkPlace Style and Layout

The appearance of WorkPlace for the Employees community in this sample deployment has a few changes (the title is different, and personal bookmarks are included in a two-column page layout). Now we’ll create a different look for the partner community.

Creating a WorkPlace Style
To create a WorkPlace style for partners:
1. On the main navigation menu, click WorkPlace, and then click the Appearance tab.
2. In the Styles area, click New.
3. In the Name field, type a unique name for the WorkPlace style. For example, Partners style.
4. In the Font family list, select the type of font you want to use. (In general, a sans-serif font is easier to read online.)
5. In the Color scheme list, click the name of the color scheme you want to use.
6. To replace the SonicWall logo that is displayed in WorkPlace with a different image, use the Replace with field to enter or browse for the .gif or .jpg file you want to use.
7. When Display gradient background behind logo is selected, the accent color of your Color scheme is displayed at the top of each WorkPlace page, gradually going from dark (at the top of the page) to light. Any heading (Title) that you have appears in white.
8. On small form factor devices, the logo specified in the Images area is resized by default. The logo is automatically omitted from WAP and i-mode devices, so this setting does not affect the display on those devices.
9. In the Title field, type WorkPlace for Partners.
10. In the Greeting field, type the introductory text that should appear below the title. If you have multiple pages in WorkPlace, the same text appears on all of them.
11. To further assist the user, you could specify a custom Help file that provides more detailed information about the resources available on your VPN, or describes how to get technical support.
12. Click Save to save Partners style.

Creating a WorkPlace Layout

To create a WorkPlace layout for partners:
1. On the main navigation menu, click WorkPlace, and then click the Appearance tab.
2. In the Layouts area, click New.
3. In the Name field, type a unique name for the WorkPlace layout. For example, Partners layout.
4. In the Initial content area, either:
   Select a layout for any shortcuts and shortcut groups that you’ve defined.
   Choose to set up an initial structure for your content and add WorkPlace resources later.
   TIP: No matter how you decide to lay out your initial content, you can change it later by adding, removing, or rearranging pages and page content.
5. In the Page navigation area, specify the kind of navigation controls that will be displayed if your content requires more than one page.
6. Specify whether the Intranet Address field will be displayed when this layout is used. It gives users access to resources by typing a resource name (a UNC path, URL, or both).
7. Click Next.
8. Click the Edit page properties link to change the basic properties of this WorkPlace page. Change its name to Partner resources, and then click Save.
9. Use the page, column, and shortcut controls to add pages and content, and to rearrange the elements on each page (click Help in AMC for details on using these controls). Rearranging items in a layout or deleting them from a layout does not affect the resource itself, just its appearance in WorkPlace.
10. Click Next to move to the Device Preview page to see how the layout will look on devices with different display capabilities. On a mobile device, for example, the Intranet Address field cannot be displayed, even if it is configured to be part of a layout.
11. Click Finish.

Creating an Employee Community

You must now create a new community for your employees. Normally you would configure this broadly (to include all employees or a group of them). For now, just add two users.

To create a community for your employees:
1. Click Realms in the main navigation menu, click Company XYZ, and then click the Communities page.
2. Click New: the Configure Community page appears.
3. Enter a name for the community in the Name field. For example, Employees.
4. To add users as members of the community, click Edit. The Users and Groups dialog is displayed.
5. Select the checkbox next to two of the users you added.
6. Click Save. The Users and Groups dialog closes and the users are now displayed in the Members list.
7. Click Next to configure the access methods allowed for the Employees community.

Specifying Access Methods for Employees

For each community of users, you can configure which access methods are available: Smart Tunnel Access (IP Protocol), Web-based proxy access (TCP Protocol), or Web access (HTTP).

For the Employees community, it’s likely that you will want to grant open access so that a user can establish remote access using whatever method is appropriate for his or her device. By contrast, the Partners community, in this example, will have only Web access.

The tunnel clients give users an “in-office” experience, with full VPN access to their applications. In the following steps you’ll grant Employees the ability to use OnDemand Tunnel, and set up an IP address pool for the client.

To specify open, tunnel access for employees:
1. In the Tunnel (IP Protocol) section, select the Network tunnel client checkbox. If you don’t have an IP address pool configured yet, a warning is displayed.
2. Click Configure. The Network Tunnel Client Settings page is displayed.
3. Click Edit next to Address pools.
4. On the Address Pools page, click New.
5. In the Name field, enter a label for the IP address pool that will be used to allocate addresses to the network tunnel clients.
6. There are several ways to specify an address pool. If you’re not sure which one to choose, select Translated address pool (Source NAT) so that the appliance will assign non-routable IP addresses to clients and use Source NAT to translate them to a single address. The drawback is that applications that require reverse connections, such as VoIP or active-mode FTP, may not function properly.
7. Click Save. The address pool appears in the Address Pools list.
8. Select the checkbox next to the address pool you just configured.
9. Click Save.
10. Click OK. You should now be back on the Configure Community - Access Methods page.
11. Click Next to define the zone of trust for employees. Go to Creating Zones of Trust.

Configuring End Point Control for Employees

Configure the Employees community to use the zone of trust you configured in Creating a Standard Zone for Trusted Users. (The conditions you set in a real deployment will of course be different—this is just a demonstration of how EPC works.)

To specify the Trusted zone for Employees:
1. In the Standard zones list, select the checkbox next to Trusted and then click the right arrow (>>) button. It is now in the In use list.
2. Under Zone fallback options, click Place into quarantine zone and then select Untrusted from the drop-down menu.
3. Click Next to select WorkPlace appearance settings for employees.

WorkPlace Appearance for Employees

Configure the Employees community to use the WorkPlace look you defined earlier (Modifying the Default Style and Layout).

To specify the Default style and layout for Employees:
1. In the Style list, select Partners style.
2. In the Layout list, select Partners layout.
3. On smaller devices, the layout for this community is automatically changed to accommodate them; for example, the Intranet Address field (if it is part of the layout) will be displayed on an advanced mobile device, but not a basic one.
4. Click Finish.

Creating a Partner Community

To give remote access to partners—a less trusted group of users—create a separate community.

To create a community for partners:
1. From the main navigation menu in AMC, click Realms.
2. Click Company XYZ.
3. On the Configure Realm page, click the Communities link at the top; you’ll see the Employees and Default communities. Click New.
4. Enter a name for the new community in the Name field. For example, Partners.
5. To add users to the Partners community, click Edit. The Users and Groups dialog is displayed.
6. You’ll see the users you added in Identifying Users. Click the checkbox next to one or two of them.
7. Click Next to configure the access methods allowed for partners.

Specifying an Access Method for Partners

The Partners community should be configured for Web access only.

To specify Web access for partners:
1. Clear the Network tunnel client (OnDemand) checkbox; only Web proxy agent should be selected.
2. Click Next to define the zone of trust for partners.

End Point Control for Partners

Configure the Partners community to use the zone of trust you configured earlier (Creating a Standard Zone for Partners).

To specify the Partner zone for partners:
1. In the Standard zones list, select the checkbox next to Partner zone, and then click the right arrow (>>) button to put it in the In use list.
2. Under Zone fallback options, click Place into quarantine zone and then select Untrusted from the drop-down menu.
3. Click Next to select WorkPlace appearance settings for partners.

WorkPlace Appearance for Partners

Configure the Partners community to use the WorkPlace look you defined earlier (Creating a New WorkPlace Style and Layout).

To specify the new style and layout for the partners community:
1. In the Style list, select Partners style, and in the Layout list, select Partners layout.
2. On smaller devices, the layout for this community is automatically changed to accommodate them; for example, the Intranet Address field (if it is part of the layout) will be displayed on an advanced mobile device, but not a basic one.
3. Click Finish.

Access Control Lists

Broadly speaking, access rules define which resources can be accessed by which users. They can be defined very broadly (all the users in Group X have access to any corporate resource), or very narrowly (the users in Group Y have Web-only access to a single resource).

In our example, we’ll keep it simple and give the Partners community access to the resource named VAR marketing collateral, and give Employees access to all of the resources. The appliance evaluates the rules in numbered order. If a match is found, the permit or deny action is applied and no further rules are evaluated.

Adding a Rule for Limited Resources

To add a rule that gives partners access to VAR marketing collateral:
1. Click Access Control from the AMC navigation menu.
2. Click New.
3. Type a name for the rule (for example, Partner materials).
4. Leave the Action as Permit.
5. Next to the From field, click the Edit button.
6. Select the checkbox next to the Partners community.
7. Click the Edit button next to the To field.
8. Select the checkbox next to VAR marketing collateral in the Resources list.
9. Click Finish and Add Another.

Adding an Unrestricted Rule

To add a rule that gives employees access to all resources:
1. Type a name for the second rule (FT employees only).
2. Leave the Action as Permit.
3. Next to the From field, click the Edit button.
4. Select the checkbox next to the Employees community.
5. Click Finish.
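The first-match evaluation described at the start of Access Control Lists (rules are walked in numbered order and the first match decides), as an added Python example that is not SonicWall code and not part of this guide. It models the two rules from the sample deployment and also shows why rule order matters: a Deny rule placed after the employee Permit-all rule is never reached. The assumption that a request matching no rule is denied is the example's own; the guide does not state the default.

```python
from dataclasses import dataclass, replace

ANY_RESOURCE = "*"  # stands for "all resources" (the To field left unrestricted)


@dataclass(frozen=True)
class Rule:
    number: int               # position in the ordered rule list
    name: str
    action: str               # "Permit" or "Deny"
    from_communities: frozenset
    to_resources: frozenset   # {ANY_RESOURCE} means every resource


# The two rules from the sample deployment, in the order they were created.
RULES = (
    Rule(1, "Partner materials", "Permit",
         frozenset({"Partners"}), frozenset({"VAR marketing collateral"})),
    Rule(2, "FT employees only", "Permit",
         frozenset({"Employees"}), frozenset({ANY_RESOURCE})),
)

# Hypothetical extra rule used only to demonstrate shadowing.
DENY_OWA = Rule(3, "No OWA for employees", "Deny",
                frozenset({"Employees"}), frozenset({"Outlook Web Access"}))


def rule_matches(rule, community, resource):
    """A rule matches when the user's community is in From and the resource is in To."""
    return (community in rule.from_communities
            and (ANY_RESOURCE in rule.to_resources or resource in rule.to_resources))


def evaluate(rules, community, resource):
    """First-match evaluation: walk rules in numbered order and stop at the first
    match. Returns (action, matching rule name, names of rules examined).
    Assumption: a request that matches no rule is denied."""
    examined = []
    for rule in sorted(rules, key=lambda r: r.number):
        examined.append(rule.name)
        if rule_matches(rule, community, resource):
            return rule.action, rule.name, examined
    return "Deny", None, examined


def evaluate_with_deny_at(number):
    """Add DENY_OWA to the sample rules at the given position and evaluate an
    employee request for Outlook Web Access. At position 3 the deny sits behind
    the employee Permit-all rule, so it is shadowed and never examined; at
    position 0 it is evaluated first and wins."""
    rules = RULES + (replace(DENY_OWA, number=number),)
    return evaluate(rules, "Employees", "Outlook Web Access")


if __name__ == "__main__":
    for who, what in [("Partners", "VAR marketing collateral"),
                      ("Partners", "Outlook Web Access"),
                      ("Employees", "Outlook Web Access")]:
        print(who, "->", what, "=", evaluate(RULES, who, what))
    print("deny after permit-all:", evaluate_with_deny_at(3))
    print("deny before permit-all:", evaluate_with_deny_at(0))
```

The third element of the result makes the stop-at-first-match behaviour visible: for a partner requesting the marketing share only rule 1 is examined, while an employee request is compared against rule 1 (no match) and then rule 2.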

Testing the Deployment Scenario

To test out the scenario you have configured, log in to WorkPlace as an employee, and then (in a separate session) as a partner.

To get to WorkPlace:
1. Click Home in the upper-right corner of any AMC page.
2. Click the link for WorkPlace, just under the appliance image.

Logging In as an Employee

In Creating an Employee Community, you set up two users who belong to the Employees community. Log in using the credentials of one of those users. If you are in the Trusted zone (that is, your device has the attributes specified in the Windows antivirus device profile), among the resources you should see will be the two you set up in Adding Resources.

Logging In as a Partner

In Creating a Partner Community, you set up at least one user who belongs to the Partners community. Log in using the credentials of that user. If you are in the Partners zone—meaning that your device has the attributes specified in the Symantec AV device profile—among the resources you should see will be VAR marketing collateral. This is because the appliance found a match for you in the first access control rule; once a match is found, no further rules are evaluated.

Other Remote Access VPN Scenarios

To better understand how to deploy a remote access VPN, here is an overview of some common scenarios.

Providing Access to Web Resources

Web resources are applications or services that run over the HTTP or HTTPS protocols, such as Microsoft Outlook Web Access or a corporate intranet. There are several ways to give users access to these resources—choose the method that is appropriate for your various audiences. For example, you can give business partners narrow access to a Web application by specifying a particular URL in your resource definition. Employees are granted broader access if you define the domain in which that Web application is located as a resource.

Defining Specific Web Resources

To provide user access to a specific Web application or other Web resource:
1. Define a URL resource on the Add/Edit Resource page.
2. Create an access control rule referencing the URL on the Add/Edit Access Rule page.
3. Add a Web shortcut to WorkPlace on the WorkPlace Shortcuts page.

Web Resources on a Portion of Your Network

To provide user access to any Web resource on a given portion of your network:
1. Define a resource (such as a subnet or IP address range) for the portion of the network containing the Web resources on the Add/Edit Resource page.
2. Create a rule referencing the network object on the Add/Edit Access Rule page.
3. Instruct your users to type the host name or URL for any Web resources in the Intranet Address box on WorkPlace.

All Web Resources on Your Network

To provide user access to all the Web resources on your network:
1. Define a resource (such as a domain) for all internal DNS domains on the Add/Edit Resource page.
2. Create a rule referencing the network object on the Add/Edit Access Rule page.
3. Instruct users to type the host name or URL for any Web resources in the Intranet Address box on WorkPlace.

Web-Based File Access to Entire Networks

To provide Web-based access to all the file system resources within a domain:
1. Define a resource referencing your Windows domain on the Add/Edit Resource page.
2. Create a rule referencing the domain on the Add/Edit Access Rule page.
3. Add a network shortcut referencing the domain on the WorkPlace Shortcuts page.
4. Make sure WorkPlace’s Network Explorer tab is enabled (this is the default state).
5. Instruct your users to click the appropriate link to the file system resource in Network Explorer.

Broad Access to Network Resources

To give users comprehensive access to your network resources from devices that are owned and managed by your organization, distribute the following clients, which run on a wide variety of devices:

Connect Tunnel clients run on Windows, Macintosh, and Linux devices.
The Mobile Connect client gives users with Windows Mobile-powered devices access to both Web and client/server applications.
To allow broad, “in-office” access to your network:
1. Define a resource referencing your DNS domain on the Add/Edit Resource page.
2. Create a rule referencing the domain on the Add/Edit Access Rule page.
3. Configure and distribute the network tunnel clients to your users.

Remote Access for Mobile Users

There are two remote access solutions for mobile device users:

WorkPlace Mobile is a Web portal that provides access to Web-based applications from virtually any mobile device with a functional Web browser. You also have the option of customizing the appearance of the portal for mobile devices. For detailed information on this solution, see the “WorkPlace and Small Form Factor Devices” section of the Installation and Administration Guide or the AMC online help.
SonicWall Mobile Connect provides fast, safe, easy-to-use secure mobile access to resources from a range of device platforms, including iOS, Android, Mac OS X, and Windows on both smart phones and tablets. Mobile Connect establishes encrypted SSL VPN connections to private networks that are protected by SonicWall SMA or other SonicWall security appliances. The Mobile Connect app is downloaded to a user's mobile device from the App Store, Google Play, Amazon Appstore, or Windows Store.

Additional Partner VPN Scenarios

Here are examples of common steps for deploying a VPN to business partners. These scenarios could also be useful in providing VPN access to contractors or other third-party users who require access to your network resources.

Access to a Specific Web Resource Using an Alias

To provide access to a specific Web resource, using an alias to prevent users from seeing its internal host name:
1. Define a URL resource on the Add/Edit Resource page.
2. Specify an alias for the resource in the page’s Advanced section.
3. Create a rule referencing the URL on the Add/Edit Access Rule page.
4. Add a Web shortcut to WorkPlace on the WorkPlace Shortcuts page.

Web-Based Access to a Client/Server Application

To provide Web access to a client/server application such as a CRM system:
1. Define a network resource on the Add/Edit Resource page, referencing the application’s host name or IP address.
2. Create a rule on the Add/Edit Access Rule page referencing the network resource.
3. Configure the OnDemand and Tunnel client.
4. Add a Web shortcut on the WorkPlace Shortcuts page.

End Point Control Scenarios

Here are some basic examples of how to deploy End Point Control to protect sensitive data and ensure that your network is not compromised when accessed from devices in untrusted environments.

Quarantining Employees on Untrusted Systems

Follow these configuration steps to quarantine an employee who logs in using a device that doesn’t match any of your device profiles. The only resources available will be those that you set up. You could, for example, display a customized page with links to Web resources for bringing the user’s system into compliance with your security policies:

To quarantine an employee on Untrusted systems:
1. Define a device profile on the Device Profile Definition page with an attribute referencing an application or other attribute that is unique to your organization.
2. Configure a Standard zone that references the device profile in step 1.
3. Configure a Quarantine zone that displays a custom Web page with links to resources for bringing a user’s system into compliance.
4. Create a community that references the Standard zone you created, and identify the Quarantine zone as your fallback option. Connection requests from devices that don’t match the trusted profile are automatically assigned to the Quarantine zone.

Denying Access

There may be situations in which you want to deny access to an employee using a device that has an unacceptable profile. For example, follow these configuration steps to deny access to an employee who logs in using a device that is running Google Desktop.

To deny access:
1. Define a device profile with an attribute referencing the Google Desktop application.
2. Reference the device profile in a Deny zone.
3. Reference the Deny zone in the community used by your employees.
4. The appliance determines that the device is running Google Desktop, making it a match for a Deny zone. Deny zones are always evaluated first: if Google Desktop is running, no other zones are evaluated, the access request is denied, and the user is logged out.
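The zone-evaluation order that the two End Point Control scenarios above rely on (Deny zones first, Standard zones next, the community’s Quarantine zone as the fallback), modelled as an added Python example. This is not SonicWall code; the device attribute names and zone names are constructed for illustration.

```python
# Added example (not SonicWall code): models the End Point Control zone
# evaluation order described above. Deny zones are evaluated first and end
# the session on a match; Standard zones are tried next; anything left falls
# through to the community's Quarantine zone. Attribute names are constructed.
from dataclasses import dataclass, field

@dataclass
class DeviceProfile:
    """Matches when every required attribute is present with the given value."""
    name: str
    required: dict

    def matches(self, device: dict) -> bool:
        return all(device.get(k) == v for k, v in self.required.items())

@dataclass
class Zone:
    name: str
    kind: str  # "deny", "standard" or "quarantine"
    profiles: list = field(default_factory=list)

    def matches(self, device: dict) -> bool:
        return any(p.matches(device) for p in self.profiles)

@dataclass
class Community:
    deny_zones: list
    standard_zones: list
    quarantine_zone: Zone  # fallback for devices matching no trusted profile

    def classify(self, device: dict) -> tuple:
        """Return (zone name, outcome); a Deny match short-circuits all else."""
        for z in self.deny_zones:
            if z.matches(device):
                return z.name, "denied"  # user is logged out, no further checks
        for z in self.standard_zones:
            if z.matches(device):
                return z.name, "allowed"
        return self.quarantine_zone.name, "quarantined"

# Constructed sample policy: a Deny zone keyed on the Google Desktop application
# and a Standard zone keyed on an attribute unique to the organization.
DENY_GOOGLE_DESKTOP = Zone("Deny Google Desktop", "deny",
                           [DeviceProfile("google-desktop", {"google_desktop": True})])
TRUSTED_EMPLOYEES = Zone("Trusted Employees", "standard",
                         [DeviceProfile("corp-build", {"corp_agent": True})])
QUARANTINE = Zone("Remediation", "quarantine")
EMPLOYEES = Community([DENY_GOOGLE_DESKTOP], [TRUSTED_EMPLOYEES], QUARANTINE)
```

A device that carries the corporate attribute but also runs the denied application is still denied, which is the point of evaluating Deny zones before any Standard zone.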

Access Policy Scenarios

Access control rules determine what resources are available to users or groups. Rules can be defined broadly to provide access from any access method, or defined narrowly so that only a specific access method is permitted.

VPN connections typically involve what are called forward connections—these are initiated by a user to a network resource. All access methods support forward connections. However, if you are running the network tunnel service and you deploy the network tunnel clients to your users, you can also create access control rules for bi-directional connections.

For Secure Mobile Access VPN access control rules, bi-directional connections encompass the following:

Reverse connections from a network resource to a VPN user such as an SMS server that pushes a software update to users’ computers.
Cross-connections using Voice over Internet Protocol (VoIP) applications that enable one VPN user to telephone another VPN user. These connections require a pair of access control rules: one for the forward connection and one for the reverse connection. For information on VoIP scenarios, see Providing Access to Voice Over IP (VoIP).
Other types of bi-directional connections include FTP servers that download files to or upload files from a VPN user, and remote Help Desk applications.

Application-Specific Scenarios

Here are some examples of how to configure the appliance to permit remote users to access some commonly used applications such as Microsoft Outlook Web Access and Citrix.

Providing Access to Outlook Web Access (OWA)

For convenience, AMC includes a pre-configured Web application profile for Microsoft Outlook Web Access (OWA).

To provide user access to OWA:
1. Define a URL resource for the Outlook Web Access server on the Add/Edit Resource page.
2. Select OWA/Single Sign-On as the Web application profile on the Add/Edit Resource page. This automatically configures single sign-on and content translation for OWA.
3. Create an access control rule referencing the OWA server resource on the Add/Edit Access Rule page.
4. Add a Web shortcut to OWA for WorkPlace users on the Add/Edit Web Shortcut page.
5. Use the Start page field on the Add/Edit Web Shortcut page to append more specific information to the URL for OWA.

For example, if you want the shortcut to point to a directory or file other than the root, type a relative path in the Start page field. If the selected URL for Outlook Web Access is owa.company_xyz.com, for example, you could set the start page to /mail/root.asp. The resulting URL would be https://owa.company_xyz.com/mail/root.asp.

You can also create a resource that will block e-mail attachments; see the description of the Matching URL resource type in the AMC help.

Providing Access to Voice Over IP (VoIP)

To permit users running one of the network tunnel clients to call each other using a Voice over IP (VoIP) telephony application, follow the steps outlined next.

To provide access to VoIP users:
1. Ensure that the network tunnel service is running on the appliance; you can do this on the AMC home page or Services page.
2. Create an IP address pool for the network tunnel clients (Connect Tunnel or OnDemand Tunnel) on the Configure Network Tunnel Service page.
3. Ensure that the users who will access the VoIP application belong to a community that is configured to deploy one of the network tunnel clients to their computers. This is done on the Access Methods tab of the Configure Community page.
4. Create an access control rule from the VoIP users to the address pool that will be used for the VoIP application on the Add/Edit Access Rule page.
5. Create a second access control rule from the address pool for the VoIP application to the VoIP users on the Add/Edit Access Rule page.

Providing Access to Windows Terminal Services or Citrix Resources

To give users access to an individual Windows Terminal Services or Citrix host, or a Citrix server farm:
1. Install or update the Windows Terminal Services agent or the Citrix agent on the Configure Graphical Terminal Agents page.
2. Define a resource on the Add/Edit Resource page for the Windows Terminal Services or Citrix host, or the Citrix server farm.
3. Create a rule on the Add/Edit Access Rule page referencing the terminal-server resource.
4. Create a WorkPlace shortcut for accessing the Windows Terminal Services host or Citrix resource on the Add/Edit Terminal Shortcut page.

Authentication Scenarios

Realms are used by the appliance for the following key purposes:

Referencing external authentication servers
Provisioning access agents to VPN users, based on community membership
Determining which End Point Control restrictions are imposed on users’ devices
Controlling the user’s login experience at a WorkPlace portal

Using Multiple Realms vs. a Single Realm

If your organization uses only one authentication server, you’ll probably need to configure only one realm in AMC. There are other situations in which multiple authentication servers are required:

Multiple user repositories—If your users are stored in multiple directories, you must create a separate realm for each one. For example, if your employees are stored on an LDAP server, while your business partners are stored on an Active Directory server, create a separate realm for each directory server.
Chained authentication—For increased security, you can require users to authenticate to a single realm using two different authentication methods. For example, you set up RADIUS or a digital certificate as the first authentication method, and LDAP or Active Directory as the second one. To make the login experience for your users a one-step process, configure AMC such that users see only one set of prompts.

Access Component Provisioning

All of the user access components are provisioned or activated through the WorkPlace portal.

Optionally, you can make the Connect Tunnel client components available for users to download and install from another network location (such as a Web server, FTP server, or file server), without requiring them to log in to WorkPlace.

User access agents are deployed on a per-community basis. When configuring a user community, you can specify which access methods will be available to community members to connect to resources on your network.

When a user logs in to WorkPlace for the first time, WorkPlace automatically provisions and installs the appropriate user access agent based on the user’s community settings. The agent that is deployed will be installed on the user’s computer; on subsequent connections from the same computer with the same Web browser, that same agent is automatically deployed.

Deploying the Same Agents to All Users

When you create an authentication realm in AMC, a default community associated with the realm is also automatically created. This single community may be sufficient if you have a homogenous group of users whose resource needs and access methods are identical.

To configure a single community:
1. Create a realm on the General section of the Configure Realm page that references an external authentication server. AMC automatically creates a default community that is referenced by the realm. The default community settings are global and apply to any realms that reference it.
2. Configure the community by selecting the users or groups who belong to it, the access methods they’ll use to connect to the VPN, and optionally any End Point Control options.

If you have a diverse group of remote users, you’ll probably want to create multiple communities.

Deploying Different Agents to Different Users

Multiple communities give you the flexibility to provision different access agents to different populations of users, and to deploy different End Point Control configurations. Even if your users are stored on a single external authentication server, you may want to segment them by function in your organization, by the types of resources to which they need access, or for security reasons.

For example, you may want to create a community for those employees who use IT-managed laptops for remote access, and provision them with the Connect Tunnel client to allow them extensive access to your network resources. For your business partners, you may want to create a community that restricts them to Web access and assigns them to an End Point Control zone that provisions a data protection tool to remove all session data after they log off.

The configuration steps involved in creating multiple communities are described in Deployment Scenario: Remote Access for Employees and Partners.