In the AMC, navigate to User Access > End Point Control.
The End Point Control page displays.
In the Zones and Profiles section, click Edit next to Zones.
Click the + (New) icon and select Device zone from the dropdown list.
The Add Device Zone page displays.
- In the Name field, type a meaningful name for the zone (for example, Windows firewall required). If a
zone will be referenced by mobile device users, keep the name short so that all of it is visible on the
(Optional) In the Description field, type a descriptive comment about the zone.
In the All Device Zone Profiles list, select the checkbox for each device profile you want to use in the zone, and then click the check mark icon to move it to the In Use list. A device needs to match only one of the profiles in the In Use list to be placed in the zone you are creating, so adding more profiles widens the zone rather than tightening it.
If there are no device profiles previously configured, click + (New) icon to add one. See Defining Device Profiles for a Zone for more information on creating profiles.
In the Access method restrictions area, select which access methods, if any, will not be allowed for clients that are classified into this zone.
Specify whether a Data protection agent is required. Cache Cleaner provides enhanced protection on all platforms except Linux.
Check the top checkbox in the Device Authorization area to require users to authorize their personal device before a VPN connection is established. This checkbox is unchecked (disabled) by default.
To change the authorization terms that users must agree to, type the desired terms in the Terms section of the Device Authorization area. The Device Authorization checkbox must be checked before the terms can be edited.
By default, a device authorization expires 180 days after the device was last used (not after it was first authorized). When device authorization is enabled, you can disable expiration by clearing the expiration checkbox, or change the number of days before expiration by typing the desired number of days.
- Expand the Client security area.
- In the Persistent Session Information group, enable Allow storage of persistent session information on client system if you want persistent session information to be stored with local applications running on the client system.
By default, user connections to a device zone are not dropped when the connection is inactive: the zone Inactivity timeout is set to Never. To end the connection after a set period of inactivity, set an inactivity timer in the Inactivity timer area. The interval can be set from 3 minutes to 24 hours.
In earlier releases, the Inactivity Timer was part of Community attributes.
In the Recurring EPC area, you can select how often EPC checks are done:
See Performing Recurring EPC Checks: Example for a description of a scenario where the appliance
repeatedly checks for the presence of a USB device: when the check fails, the session ends. By default,
the end point is checked at login.
The connection between devices and the appliance can handle interruptions, such as suspending a session and later resuming it, or temporarily losing connectivity, without requiring users to reauthenticate, as long as the device keeps the same IPv4 or IPv6 address.
To allow users to resume sessions from a different IP address—for example, when roaming from one IP
subnet to another by plugging into another part of your network—select the Allow user to resume
session from multiple IP addresses checkbox in the Advanced area.
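The zone settings above interact in ways that are easy to misread in the UI: selected profiles are ORed (any one match places the device in the zone), device authorization expiry is measured from last use, the inactivity timer has a fixed 3 minute to 24 hour range, and a session can be resumed from a new address only when the multiple-IP-address option is set. The following is an added example in Python that models those rules so they can be checked outside the appliance; it is not SonicWall or AMC code, and the profile attribute names, zone name, IP addresses and timestamps are constructed for illustration.

```python
"""Model of the device-zone rules from the End Point Control procedure.

Added illustration only: not SonicWall or AMC code. Attribute names, the zone
name, addresses and timestamps are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class DeviceProfile:
    """A profile is a set of attributes that must ALL be present on the device."""
    name: str
    required: FrozenSet[str]

    def matches(self, device_attrs: Set[str]) -> bool:
        return self.required <= device_attrs


@dataclass
class DeviceZone:
    name: str
    in_use: List[DeviceProfile]                      # profiles in the In Use list
    device_authorization: bool = False               # Device Authorization checkbox
    authorization_expires_days: Optional[int] = 180  # None = expiration disabled
    inactivity_timeout: Optional[timedelta] = None   # None = Never (the default)
    allow_resume_from_multiple_ips: bool = False     # Advanced area checkbox

    def classifies(self, device_attrs: Set[str]) -> bool:
        """Any ONE matching In Use profile places the device in the zone (OR)."""
        return any(p.matches(device_attrs) for p in self.in_use)

    def authorization_valid(self, last_used: datetime, now: datetime) -> bool:
        """Authorization expires N days after the device was last used."""
        if not self.device_authorization or self.authorization_expires_days is None:
            return True
        return now - last_used <= timedelta(days=self.authorization_expires_days)

    def can_resume(self, session_ip: str, current_ip: str) -> bool:
        """Same address always resumes; a new address needs the multiple-IP option."""
        return session_ip == current_ip or self.allow_resume_from_multiple_ips


INACTIVITY_MIN = timedelta(minutes=3)
INACTIVITY_MAX = timedelta(hours=24)


def valid_inactivity_timeout(value: Optional[timedelta]) -> bool:
    """Never (None) or any interval from 3 minutes to 24 hours is accepted."""
    return value is None or INACTIVITY_MIN <= value <= INACTIVITY_MAX


# Constructed sample profiles and zone (hypothetical names and attributes).
WINDOWS_FIREWALL = DeviceProfile("Windows firewall", frozenset({"os:windows", "firewall:on"}))
MAC_FILEVAULT = DeviceProfile("macOS FileVault", frozenset({"os:macos", "filevault:on"}))

ZONE = DeviceZone(
    name="Managed desktop",
    in_use=[WINDOWS_FIREWALL, MAC_FILEVAULT],
    device_authorization=True,
    authorization_expires_days=180,
    inactivity_timeout=timedelta(minutes=30),
)


def demo() -> dict:
    """Evaluate the sample zone against constructed devices and sessions."""
    now = datetime(2024, 6, 1, 12, 0, 0)
    return {
        # OR across profiles: either platform profile is enough
        "windows_ok": ZONE.classifies({"os:windows", "firewall:on", "av:on"}),
        "windows_no_fw": ZONE.classifies({"os:windows", "av:on"}),
        "mac_ok": ZONE.classifies({"os:macos", "filevault:on"}),
        # expiry is measured from last use
        "auth_179d": ZONE.authorization_valid(now - timedelta(days=179), now),
        "auth_181d": ZONE.authorization_valid(now - timedelta(days=181), now),
        "resume_same_ip": ZONE.can_resume("10.0.1.5", "10.0.1.5"),
        "resume_new_ip": ZONE.can_resume("10.0.1.5", "10.0.2.7"),
        "timeout_ok": valid_inactivity_timeout(ZONE.inactivity_timeout),
        "timeout_too_short": valid_inactivity_timeout(timedelta(minutes=2)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `classifies` method is the one most often got wrong in practice: a zone with several In Use profiles admits a device that satisfies any single one of them, so a "require firewall AND antivirus" policy must be expressed as one profile with both attributes, not as two profiles in the same zone.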