To provide a limited degree of access to users whose connection requests don’t meet your criteria for a trusted
relationship, you can include the Default zone in a restrictive access control rule. For example, you could let
users access their email by including the Default zone in a “permit” access control rule limited to Web browsers
connecting to Outlook Web Access.
If you need a restrictive access policy that requires a high degree of trustworthiness and does not allow connection
requests unless they are explicitly defined, setting the Default zone to Block VPN access is the best strategy.
Keep in mind that if your other zones and access control rules inadvertently omit legitimate users, the Default zone will block them without exception.
In the AMC, navigate to User Access > End Point Control.
The End Point Control page displays.
In the Zones and Profiles section, click Edit next to Zones.
The Zones and Profiles page displays.
Click Default zone in the table.
The Edit Default Zone page displays.
The Name field is dimmed as the name for this zone cannot be changed.
In the Access restrictions section, select whether the appliance will Allow VPN access or Block VPN
access for devices that are placed in the Default zone. If you select Block VPN access, users who are
assigned to the Default zone are logged off of the appliance.
In the Access method restrictions section, specify which access methods, if any, will not be allowed for
clients that are classified into this zone.
In the Data protection section, select whether client devices placed in the Default zone are required to
have Cache Cleaner to connect. Cache Cleaner provides enhanced data protection on all platforms except
Expand the Client security section.
- In the Persistent Session Information group, enable Allow storage of persistence session information on client system if you want persistent information to be stored with local applications running on the client system.
By default, user connections to a device zone are not dropped when the connection is inactive. However,
an inactivity timer can be set in the Inactivity timer area to end the connection after a set period of
inactivity. The inactivity timer interval can be set from 3 minutes to 24 hours. By default, a zone's Inactivity timeout is set to Never.
In earlier releases, the Inactivity Timer was part of Community attributes.
In the Recurring EPC section, you can specify how often EPC checks are done. Select:
Expand the Advanced section.
The connection between devices and the appliance can handle interruptions—such as suspending a
session and later resuming it, or temporarily losing connectivity—without requiring that users
reauthenticate, as long as the device is using the same IPv4 or IPv6 IP address.
To allow users to resume sessions from a different IP address—for example, when roaming from one IP
subnet to another by plugging into another part of your network—select the Allow user to resume
session from multiple IP addresses checkbox in the Advanced area.
For Secure Network Detection to work, this checkbox must be checked to allow users to
resume sessions from multiple IP addresses.
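The inactivity timer and the session-resume rule above describe a small decision procedure: a connection in the Default zone is logged off when the zone blocks VPN access, dropped when it has been idle longer than the configured timeout (3 minutes to 24 hours, or Never), and may be resumed from a different IPv4 or IPv6 address only when the multiple-IP option is enabled. The following Python is an added example that models that logic as an administrator might reason about it; it is not the appliance's code, and the names (`DefaultZoneSettings`, `evaluate_resume`, the constructed session values) are hypothetical.

```python
"""Model of Default zone session handling as described in the AMC documentation.

Added example, not appliance code. Names and sample values are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Optional

# Range of the zone inactivity timer stated in the documentation.
MIN_INACTIVITY = timedelta(minutes=3)
MAX_INACTIVITY = timedelta(hours=24)


@dataclass
class DefaultZoneSettings:
    """Subset of Default zone settings relevant to session handling."""
    allow_vpn_access: bool                  # Allow VPN access vs. Block VPN access
    inactivity_timeout: Optional[timedelta] # None models the default "Never"
    allow_resume_from_multiple_ips: bool = False  # Advanced section checkbox


@dataclass
class Session:
    """Constructed view of an established client session."""
    user: str
    client_ip: str          # IPv4 or IPv6 literal the session was established from
    last_activity: datetime


def validate_inactivity_timeout(timeout: Optional[timedelta]) -> bool:
    """True when the timeout is Never or within the documented 3 min .. 24 h range."""
    if timeout is None:
        return True
    return MIN_INACTIVITY <= timeout <= MAX_INACTIVITY


def evaluate_resume(settings: DefaultZoneSettings, session: Session,
                    request_ip: str, now: datetime) -> str:
    """Decide what happens when a Default zone client tries to resume a session.

    Returns one of:
      "logoff:blocked"   zone is set to Block VPN access, user is logged off
      "logoff:inactive"  idle longer than the inactivity timeout
      "reauthenticate"   address changed and multiple-IP resume is not allowed
      "resume"           session continues without reauthentication
    """
    if not settings.allow_vpn_access:
        return "logoff:blocked"
    if not validate_inactivity_timeout(settings.inactivity_timeout):
        raise ValueError("inactivity timeout outside 3 minutes .. 24 hours")
    if settings.inactivity_timeout is not None:
        if now - session.last_activity > settings.inactivity_timeout:
            return "logoff:inactive"
    # Compare parsed addresses so textual differences in IPv6 notation do not
    # count as an address change.
    same_address = ip_address(request_ip) == ip_address(session.client_ip)
    if not same_address and not settings.allow_resume_from_multiple_ips:
        return "reauthenticate"
    return "resume"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    sess = Session("alice", "10.1.2.3", t0)
    strict = DefaultZoneSettings(True, timedelta(minutes=30))
    roaming = DefaultZoneSettings(True, timedelta(minutes=30), True)
    print(evaluate_resume(strict, sess, "10.1.2.3", t0 + timedelta(minutes=5)))
    print(evaluate_resume(strict, sess, "10.9.0.7", t0 + timedelta(minutes=5)))
    print(evaluate_resume(roaming, sess, "10.9.0.7", t0 + timedelta(minutes=5)))
```

The `ValueError` branch matters in practice: a timer value the AMC would reject should not silently behave as Never, and the parsed-address comparison is what keeps an IPv6 client written with and without zero compression from being treated as a roaming user.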