en-US
search-icon

Secure Mobile Access 12.0 Deployment Planning Guide

Planning Your VPN

About Designing Your VPN

To effectively design your VPN, you must identify who will use it, what types of resources to make available, and which access methods to provide to users so they can reach your network.

Topics:  

Who Will Access Your VPN?

A key consideration in planning your VPN is identifying the users who need to access your network resources. Your user community will have a major impact on how you design and administer your VPN.

Most VPN users generally fall into one of two major categories:

Remote employees. When serving remote and mobile employees, you’ll probably give them relatively open access to enterprise resources. Of course, you can also define a more granular access policy for specific resources that contain sensitive information (such as a payroll application).

Employee computer systems under IT control provide the flexibility to install client software—such as the Connect Tunnel client—on the desktop.

Business partners. Suppliers, vendors, contractors, and other partners generally have restricted access to resources on your network. This requires you to administer more granular resource definitions and access control rules than those typically used for a remote access VPN.

For example, instead of simply defining a domain resource and granting open access privileges, you’ll often need to define specific host resources and manage a more complex access policy. When defining a Web resource you may also want to obscure its internal host name to maintain the privacy of your network.

Because of the administrative and support issues associated with installing client software on computers outside the control of your IT organization, a Web-based access method is often best for business partners.

Which Types of Resources Should Users Have Access To?

The SonicWall SMA appliance manages a wide variety of corporate resources, which fall into the categories described in Types of user resources.

 

Types of user resources

Resource type

Examples

Planning considerations

Web

Microsoft Outlook Web Access

Web-based applications

Web portals

Web servers

When specifying URLs to Web resources, include the http:// or https:// prefix.
Use aliases to obscure host names on private networks.

Client/server

Terminal servers (such as Citrix or WTS)

Microsoft Outlook Lotus Notes

Identify resources by host name, IP address or IP range, subnet IP address, or domain name.

File Shares

Network folders

Shared folders

Network browsing

Windows domains

A specific file system resource can be an entire server (for example, \\ginkgo), a shared folder (\\john\public), or a network folder (\\ginkgo\news).
Defining a Windows domain gives authorized users access to all network file resources.
Topics:  

How Will Users Access Your Resources?

Users can access VPN resources secured by the appliance using a variety of agents and clients. Your deployment options can range anywhere from “managed” desktops controlled by your IT department, to systems outside of your control, including employees’ home computers, partner desktops, and other systems such as kiosks or handheld devices.

How users gain access to your network resources depends on what those resources are. The Connect Tunnel client, for example, is installed on the user’s device and provides the broadest network access and support, and greatest ease of administration. The OnDemand agent also provides broad cross-platform support, but does not handle bi-directional applications like VoIP.

Tunnel, Proxy, or Web: Which Access Method is Best?

The SMA access services and clients offer a wide array of methods with different degrees of capability for reaching your organization’s resources. Use the table below to determine which ones are best for you and your users.

Other factors to consider, aside from technical requirements, are:

Security requirements such as the safeguards you want to put in place on the desktop.
User profiles, including the levels of technical sophistication among your users.
Administrative resources available to manage and support a VPN.

Access method advantages summarizes the access methods and their advantages.

 

Access method advantages

Access Method

Provides Access to

Advantages

Connect Tunnel

Full network access to client/server applications, Web resources, network shares, and bi-directional applications such as VoIP, SMS, and FTP.

Stand-alone client installed from WorkPlace portal or from custom installer package, with no rebooting required.
Enhanced security options including split tunneling, and redirection of all traffic or only local traffic.
Local printing support.
Typically used for remote access on systems that can be readily managed by IT such as a corporate laptop used by a traveling or remote employee.
NOTE: Administrator rights are required for installation.

OnDemand Tunnel

Full network access to client/server applications, Web resources, network shares, and bi-directional applications such as VoIP, SMS, and FTP.

Activated from the WorkPlace portal.
Enhanced security options including split tunneling, and redirection of all or only local traffic.
Local printing support.
Auto-updating (Windows client only).
NOTE: Administrator rights are required for installation.

Mobile Connect

Client/server applications, thin-client applications, and Web resources.

Stand-alone, lightweight application that runs on Windows Mobile-powered devices.

ActiveSync

Email, calendar, contacts, tasks, and out-of-office functions available from the Exchange server.

Convenient email and related functions access from Apple iPhones and iPads, smart phones running the Google Android operating system, and smart phones running the Symbian operating system

Web proxy agent (Internet Explorer)

Any Web resource (including Web-based applications, Web portals, and Web servers) and Windows network shares.

Convenient access from Internet Explorer with ActiveX enabled.
Used as a fallback if OnDemand Tunnel cannot run.
Minimal client configuration and administration tasks.
Users can access any network URL by typing the actual URL in the browser’s address field.
Broad Web-based access to enterprise applications.
Single sign-on.

Translated Web access

Custom Port Mapped Web access

Custom FQDN Mapped Web access

Any Web resource (including Web-based applications, Web portals, and Web servers).

Translated Web on Windows operating systems also offers access to network shares.

Custom Port Mapping provides access via a specific port defined by the administrator, which must be open on the external firewall.

Custom FQDN Mapping provides access via DNS and requires new DNS entries and possibly a new SSL certificate and IP address.

Convenient access to Web and file system resources from any Web browser that supports SSL and has JavaScript enabled.

No client configuration or administration tasks.

Supports the use of aliases to hide internal host names in the browser address bar.

Single sign-on to back-end Web servers.

A good option for providing business partner access, because it does not require any client configuration or administration.

Custom Port Mapping and Custom FQDN Mapping handle Web programming technologies such as AJAX without the limitations of URL rewriting used in translation.

Security Administration

Administering your security policy involves defining resources and then creating access control rules that determine the availability of those resources.

Topics:  

Defining Resources

You have some flexibility when you specify a resource type for a given object on your network. For example, you might define a Web application narrowly as a URL resource for business partners; employees, on the other hand, might be given access to an entire domain, including the Web application.

Topics:  
Web Resources

Any Web resource—such as a Web application, a Web portal, or a Web server—can be defined as a URL resource (they are specified in AMC using the standard http:// or https:// URL syntax). Examples include Microsoft Outlook Web Access and other Web-based e-mail programs, Web portals, corporate intranets, and standard Web servers.

Defining a Web resource as a URL provides several advantages:

You can create a Web shortcut on WorkPlace to give users quick access.
You can define very specific access rules to control which users can access the URL.
You have the option of obscuring (or “aliasing”) the internal host name so it is not publicly exposed.
You can block attachments from being downloaded to untrusted devices, or prevent a Web-based application from displaying restricted data to untrusted devices.

Web traffic is proxied through the Web proxy service, a secure gateway through which users can access private Web resources from the Internet.

Client/Server Resources

Client/server resources encompass applications, file servers, and multiple Web resources and are specified in AMC using either a domain, subnet, IP range, host name, or IP address:

Client/server applications include “traditional” applications developed for a particular operating system, or thin-client applications that are Web-based.
Network shares include Windows file servers or file shares. Network shares are accessible using either OnDemand or Connect Tunnel. (To access a network share using a Web browser, you must instead define it as a file system resource.)
Source networks are referenced in an access rule to permit or deny a connection to a destination resource based on the location from which the request originates. For example, you might permit connections only from a particular domain, or permit them only from a specific IP address.
Graphical terminal agents can be added to WorkPlace as shortcuts that provide access to a terminal server (or Citrix server farm) using a Windows Terminal Services or Citrix client.
Multiple Web resources on your network—whether in a domain, subnet, or IP range—can be defined. This is a convenient way for you to administer multiple Web servers from a single resource in AMC. For example, if you specify a domain (and create the appropriate access rule), users are able to use their Web browsers to access any Web resources contained within that domain. They can also use OnDemand or Connect Tunnel to get to those resources.

On the downside, however, your users cannot access those resources from a shortcut on WorkPlace; instead, they must know the internal host name of the resource. If the Web proxy agent is running, they can enter any URL directly in the browser. However, in translated mode, users must manually type URLs in the Intranet Address box in WorkPlace.

With such a wide scope of resource definitions—from broad resources such as a domain or subnet, down to a single host or IP address—you may wonder how best to define your network resources. Broad resource definitions simplify your job as system administrator, and are typically used when managing a remote access VPN with an open access policy. For example, you could define your internal DNS namespace as a domain and create a single policy rule granting employees access privileges.

On the other hand, a more restrictive security policy requires you to define network resources more narrowly. This approach is typically used when administering a partner VPN. For example, to provide an external supplier with access to an inventory application, you might specify its host name as a resource and create a policy rule specifically granting the supplier access privileges.

File Shares

File shares include Windows network servers or computers containing shared folders and files that users can access through WorkPlace.

You can define a specific file system resource by typing a UNC path, or you can define an entire Windows domain:

A specific file system resource can be an entire server, a shared folder, or a network folder.
A file system resource can also reference a user’s personal folder on the network. This feature allows you to create a single shortcut on WorkPlace that dynamically references a personal folder for the current user.
Defining an entire Windows domain gives authorized users access to all the network file resources within the domain.

The various options for defining a file system resource provide you with the flexibility to create a granular policy that controls access at the server, share, or folder level, or to create a more open policy that provides access to an entire domain.

Managing Access Control with an Access Policy

After you’ve defined your VPN resources, you control which ones are available to users by creating an access policy.

After a user successfully authenticates (that is, his or her identity is verified), the appliance evaluates the rules that control access to specific resources. Rules appear on the Access Control page (see Access Control rules).

Access Control rules

Access control rules are displayed as an ordered list in AMC. When the appliance evaluates a connection request, it begins at the top of the list and works its way down until it finds a match. When it finds a match, the action required by the rule—either Permit or Deny—is applied and no further rules are evaluated.

Access to a resource can be based on several criteria. Most rules control access based on who the user is—that is, the user’s name or group membership—and the destination resource. (If you don’t restrict access to a particular user or destination resource, the word Any appears in the access control list.)

In addition, you can control access based on several other criteria such as:

The EPC zone from which the connection request originates. Suppose you want to require users accessing a sensitive financial application to run a browser cache cleaner after each session. If so, you could configure a rule that allows access only to systems in a trusted zone that are running a particular program.

In Access Control rules, access to Remote office desktops is restricted to users in the Remote group who have device profiles that place them in the Trusted laptop zone.

The address from which the connection request originates. You might want to control access to a resource based on the names of any source networks you want evaluated in the rule.
The access method used to reach the resource. You might want to enable broad access to resources within an internal domain from the network tunnel or proxy agents, but prevent browser-based access to Web servers within the domain.
The day or time of the request. For example, you might give business partners access to a particular application on weekdays from only 9:00 A.M. to 5:00 P.M.

A connection request can be summarized as follows:

1
A user is authenticated and initiates a connection.
2
The appliance analyzes the connection request to identify its attributes (including user and group information, the destination being requested, the source network from which the request originates, and the day or time of the request).
3
The appliance reads the first rule in the access control list and compares it to the request criteria:
If a match is found, the action (Permit or Deny) specified in the rule is applied and no further rules are evaluated.
If no match is found, the appliance evaluates the next rule in the list to see if it matches the request.
4
If the appliance processes all of the rules without finding a match, an implicit Deny rule is applied.

Access Control for Bi-Directional Connections

VPN connections typically involve what are called forward connections, which are initiated by a user to a network resource. However, if you deploy network tunnel clients (Connect Tunnel or OnDemand Tunnel) to your users, bi-directional connections are enabled. Examples of bi-directional connections include an FTP server that downloads files to or uploads files from a VPN user, and remote Help Desk applications.

Within the Secure Mobile Access VPN, bi-directional connections include the following:

Forward connections from a VPN user to a network resource.
Reverse connections from a network resource to a VPN user. An example of a reverse connection is an SMS server that pushes a software update to a user’s machine.
Cross-connections refer specifically to VoIP (Voice over IP) applications that enable one VPN user to telephone another. This kind of connection requires a pair of access control rules: one for the forward connection and one for the reverse connection.

Design Guidelines for Access Rules

Because the appliance processes your access control rules sequentially, the order in which you organize them is significant in terms of whether access is permitted or denied. Carefully review your security policy settings to avoid inadvertently placing rules in the wrong order.

Put your most specific rules at the top of the list. As a general rule, it is best to put your most specific rules at the top of the list. Putting broader rules that grant more permissions at the top of the list may cause the appliance to find a match before it has a chance to process your more restrictive rules.
Be careful with Any rules. If you create a rule that does not restrict access to a particular user or destination resource, carefully consider its impact on policy rules.
Optimizing performance. Because the appliance evaluates rules in sequential order, you can optimize performance by placing the network resources that are accessed most frequently at the top of the list.
Avoid resource and access method incompatibilities. In some very specific cases, certain combinations of resource types and access methods can create problems with your access policy. AMC validates your rule and notifies you of potential problems when you save it. Refer to “Security Administration” in the Installation and Administration Guide for details on resolving incompatibility issues.

End Point Control

You can use End Point Control to classify devices as they attempt to connect to the appliance. When a device matches a profile that you have created, it is assigned to an EPC zone of trust, where the device is granted a certain amount of access, quarantined, or denied access altogether. In addition, once a device is classified into a given zone, you can keep checking it at a set interval to see if it meets your EPC requirements.

An EPC zone can reference one or more device profiles. Multiple device profiles are useful if users with similar VPN access needs use different computer platforms. For example, you could configure an EPC zone that references a device profile for Windows computers, and another zone for Macintosh computers.

Zones are in turn referenced in a community, which determines what data protection agents are deployed. Optionally, you can reference a zone in an access control rule to determine which resources are available to users in that zone.

EPC evaluation process illustrates the EPC evaluation process performed by the SMA appliance when a user connects to it.

EPC evaluation process

Advanced EPC

Advanced EPC provides an extended and detailed list of personal firewall, antivirus, and spyware programs to check for on a client. EPC can be done on Windows, OS X, Linux, Android and iO S.

There are a few device profiles to help you get started: you can use them as is or modify them to suit your access policy and resource requirements. The home-user profiles, for example, check for a wide variety of antivirus and personal firewall programs, while a series of corporate profiles check for programs from particular vendors.

If the preconfigured device profiles don’t address your specific security needs or computing environment, you can create additional profiles that the appliance will use to detect the presence of specified attributes on users’ devices. The types of device profile attributes available are:

Antivirus software
Antispyware software
Application
Client certificate
Directory name
Device ID
File name, size, or timestamp
Personal firewall program
Windows domain
Windows registry entry
Windows version

Putting It All Together: Using Realms and Communities

Realms are the top-level objects that tie together authentication, user management, access agent provisioning, and End Point Control restrictions.

A realm references one authentication server or a pair of them (for chained authentication). Authentication servers must first be defined in AMC, and they are then referenced by a realm that users log in to.

After users log in to the appliance, they are assigned to a community based on the identity supplied during login. By default, all users are assigned to a default community, but you can sort users into different groups based on individual identity or group memberships. In turn, the community defines a default set of access methods and the set of end point restrictions placed on client devices. The community can also determine the appearance of WorkPlace: the layout and style of WorkPlace pages can be tailored to a particular community.

Authenticating with realms and communities shows how a realm authenticates users, assigns them to communities to provision access agents and, with End Point Control enabled, assigns community members to different zones based on the trustworthiness of their computers.

Authenticating with realms and communities

If your network uses a single authentication server to store user information, you’ll probably need to create only one realm in AMC. That realm could then reference the global community that is configured by default in AMC. This would be useful if you have a homogenous user population with identical access requirements.

Using only one realm doesn’t limit your ability to configure more granular levels of user access and End Point Control. AMC allows you to create communities of users within a realm based on their access needs or other security considerations. A community can consist of all the users in a realm, or only selected users or groups.

For example, you might have two distinct groups of users—employees and business partners—requiring different forms of VPN access. The Employee community and Business partner community tables contrast the access agents that are made available to these two groups, and how EPC is used to secure their connections. By creating different WorkPlace styles and layouts you also can determine how WorkPlace looks to members of these two communities.

 

Employee community

Access Agent

EPC

A tunnel client, enabling them to access Web, network, and file share resources.

EPC is used to detect whether employees’ computers are running an antivirus program and firewall before placing them in a trusted zone.

Users connect from trusted computing environments (such as laptops provided by your IT department) and require broad access to your network resources.

 

Business partner community

Access Agent

EPC

Limited, Web-only access

Business partners are assigned to a less-trusted zone where they are provisioned with Cache Cleaner.

Partners connect through unsecured computing environments and require access only to specific, limited resources.