Secure Mobile Access 12.4 Administration Guide

Configuring the Default Zone

AMC provides a global Default zone that serves as a fail-safe to either allow or block VPN access for any connection requests that don’t match the other zones you set up. When the appliance receives a connection request that it can’t classify into a zone—meaning it can’t identify the client device’s operating system, browser, or other attributes—that device is automatically placed in the Default zone. You can choose whether to grant or deny VPN access to users whose devices are assigned to the Default zone.

Unlike other zones, the Default zone does not include device profiles, but it can be configured to require the presence of a data protection agent. The Default zone is implicitly present in every community configured in AMC.

To provide a limited degree of access to users whose connection requests don’t meet your criteria for a trusted relationship, you can include the Default zone in a restrictive access control rule. For example, you could let users access their email by including the Default zone in a “permit” access control rule limited to Web browsers connecting to Outlook Web Access.

If your access policy is restrictive, requires a high degree of trustworthiness, and does not allow connection requests unless they are explicitly defined, setting the Default zone to Block VPN access is the best strategy. Keep in mind that if your other zones and access control rules inadvertently omit legitimate users, the Default zone will block them without exception.
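The fallback behaviour described above can be made concrete with a small policy model. The following Python is an added illustration, not SMA/AMC code: zones, device profiles, rules and the "owa" resource name are constructed assumptions, and the model shows how a device that matches no zone lands in the Default zone, how Block VPN access refuses it outright, and how a permit rule limited to web browsers grants that zone nothing beyond Outlook Web Access.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical model of zone classification and access control (not AMC's
# implementation). The Default zone carries no device profile.

@dataclass
class Device:
    os: Optional[str]        # None when the appliance cannot identify the OS
    client: str              # access method, e.g. "web_browser" or "connect_tunnel"

@dataclass
class Zone:
    name: str
    allow_vpn: bool
    profile_os: Set[str] = field(default_factory=set)  # device profile; empty for Default

@dataclass
class Rule:
    action: str              # "permit" or "deny"
    zones: Set[str]          # zone names the rule applies to
    clients: Set[str]        # access methods the rule is limited to
    resource: str            # "*" matches any resource

def classify(device: Device, zones: List[Zone], default_zone: Zone) -> Zone:
    """Return the first zone whose device profile the device satisfies;
    anything unclassifiable falls through to the Default zone."""
    for zone in zones:
        if device.os is not None and device.os in zone.profile_os:
            return zone
    return default_zone

def decide(device: Device, zones: List[Zone], default_zone: Zone,
           rules: List[Rule], resource: str) -> str:
    zone = classify(device, zones, default_zone)
    if not zone.allow_vpn:
        return "blocked"     # Block VPN access: refused before any rule is consulted
    for rule in rules:       # first matching rule wins
        if (zone.name in rule.zones and device.client in rule.clients
                and rule.resource in ("*", resource)):
            return rule.action
    return "deny"            # no explicit permit: deny

# Constructed sample policy: one trusted zone plus a restrictive rule that
# gives the Default zone browser-only access to Outlook Web Access.
TRUSTED = Zone("Trusted", allow_vpn=True, profile_os={"windows", "macos"})
RULES = [
    Rule("permit", {"Trusted"}, {"web_browser", "connect_tunnel"}, "*"),
    Rule("permit", {"Default"}, {"web_browser"}, "owa"),
]

if __name__ == "__main__":
    lenient = Zone("Default", allow_vpn=True)
    strict = Zone("Default", allow_vpn=False)
    unknown = Device(None, "web_browser")
    print(decide(unknown, [TRUSTED], lenient, RULES, "owa"))        # permit
    print(decide(unknown, [TRUSTED], lenient, RULES, "fileshare"))  # deny
    print(decide(unknown, [TRUSTED], strict, RULES, "owa"))         # blocked
```

Running the module prints the three outcomes for the same unidentified device: with an allowing Default zone it reaches only the resource the restrictive rule names, and with a blocking Default zone it never reaches the rules at all.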

To configure the Default zone

  1. In the AMC, navigate to User Access > End Point Control.

    The End Point Control page displays.

  2. In the Zones and Profiles section, click Edit next to Zones.

    The Zones and Profiles page displays.

  3. Click Default zone in the table.

    The Edit Default Zone page displays.

    The Name field is dimmed as the name for this zone cannot be changed.

  4. In the Access restrictions section, select whether the appliance will Allow VPN access or Block VPN access for devices that are placed in the Default zone. If you select Block VPN access, users who are assigned to the Default zone are logged off of the appliance.

  5. In the Access method restrictions section, specify which access methods, if any, will not be allowed for clients that are classified into this zone.

  6. In the Data protection section, select whether client devices placed in the Default zone are required to have Cache Cleaner to connect. Cache Cleaner provides enhanced data protection on all platforms except Linux platforms.

  7. Expand the Client security section.

  8. In the Persistent Session Information group, enable Allow storage of persistence session information on client system if you want persistent information to be stored with local applications running on the client system.

  9. By default, user connections to a device zone are not dropped when the connection is inactive. However, an inactivity timer can be set in the Inactivity timer area to end the connection after a set period of inactivity. The inactivity timer interval can be set from 3 minutes to 24 hours. By default, a zone's Inactivity timeout is set to Never.

    In earlier releases, the Inactivity Timer was part of Community attributes.

  10. In the Recurring EPC section, you can specify how often EPC checks are done. Select:

    • Check endpoint at login to perform an EPC check only once (at login)

    • Check endpoint at login and every <n> minutes thereafter to perform an EPC check at login and then every <n> minutes for the duration of the session.

  11. Expand the Advanced section.

  12. The connection between devices and the appliance can handle interruptions—such as suspending a session and later resuming it, or temporarily losing connectivity—without requiring that users reauthenticate, as long as the device is using the same IPv4 or IPv6 address.

    To allow users to resume sessions from a different IP address—for example, when roaming from one IP subnet to another by plugging into another part of your network—select the Allow user to resume session from multiple IP addresses checkbox in the Advanced area.

    For Secure Network Detection to work, this checkbox must be checked to allow users to resume sessions from multiple IP addresses.

  13. Click Save.
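The settings chosen in steps 4, 6, 9 and 12 each change what a Default-zone session is allowed to do after login. The following Python is an added model of those four settings, not SonicWall code; the timeout bounds come from step 9 (3 minutes to 24 hours, or Never), and the session-resumption rule from step 12 (same address always, a different address only when the multiple-IP option is enabled). The function names and the use of seconds for the timeout are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Hypothetical model of the Default zone settings (not AMC's implementation).
MIN_INACTIVITY = 3 * 60          # 3 minutes, the smallest interval step 9 allows
MAX_INACTIVITY = 24 * 60 * 60    # 24 hours, the largest

def valid_timeout(seconds: Optional[int]) -> bool:
    """None means Never; otherwise the value must lie within the allowed range."""
    return seconds is None or MIN_INACTIVITY <= seconds <= MAX_INACTIVITY

@dataclass
class DefaultZoneSettings:
    allow_vpn: bool = True                    # step 4: Allow/Block VPN access
    require_cache_cleaner: bool = False       # step 6: Data protection
    inactivity_timeout: Optional[int] = None  # step 9: seconds, None == Never
    resume_from_multiple_ips: bool = False    # step 12: Advanced

    def __post_init__(self) -> None:
        if not valid_timeout(self.inactivity_timeout):
            raise ValueError("inactivity timeout must be 3 minutes to 24 hours, or None for Never")

def admit(settings: DefaultZoneSettings, has_cache_cleaner: bool) -> bool:
    """Login-time decision for a device placed in the Default zone."""
    if not settings.allow_vpn:
        return False                          # Block VPN access: logged off
    if settings.require_cache_cleaner and not has_cache_cleaner:
        return False                          # data protection agent missing
    return True

def session_expired(settings: DefaultZoneSettings, idle_seconds: int) -> bool:
    """True once the session has been idle longer than the configured timeout."""
    if settings.inactivity_timeout is None:
        return False                          # Never: idle sessions are kept
    return idle_seconds > settings.inactivity_timeout

def can_resume(settings: DefaultZoneSettings, session_ip: str, new_ip: str) -> bool:
    """Resumption without reauthentication after an interruption."""
    if ip_address(session_ip) == ip_address(new_ip):
        return True                           # same IPv4/IPv6 address: always allowed
    return settings.resume_from_multiple_ips  # roaming needs the Advanced option

if __name__ == "__main__":
    s = DefaultZoneSettings(inactivity_timeout=10 * 60)
    print(admit(s, has_cache_cleaner=False))          # True
    print(session_expired(s, idle_seconds=11 * 60))   # True
    print(can_resume(s, "10.0.0.5", "10.0.1.5"))      # False until the option is enabled
```

The constructed addresses in the `__main__` block stand in for a client that roams between subnets; with `resume_from_multiple_ips` left at its default the resumption is refused, which is also why Secure Network Detection needs that option enabled.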
