Performing Recurring EPC Checks: Example
A connection request is classified into an EPC zone based on attributes defined in a device profile. This check is
always performed when the user logs in; in addition, you have the option of checking at regular intervals
whether a device continues to match the profile for a particular zone.
An example illustrates how this setting might be used. In this scenario the system administrator has given each
systems engineer in the organization a USB device that provides access to resources protected by the SMA
appliance. This gives two-factor authentication: the PIN the user knows, plus the client certificate on the USB
device the user holds. During a user's session, the appliance repeatedly checks for the presence of a client
certificate associated with the USB device; if the check fails, the session ends. Because an essential part of the
user's credential (the client certificate) lives on the USB device, it does not remain on the computer when the
systems engineer removes the device.
Here's how it looks from the systems engineer's perspective:
1. Insert your personal USB device into any desktop or laptop computer (trusted or untrusted).
2. Enter your PIN.
3. Log in to the VPN and authenticate. The SMA appliance checks for your client certificate when you log in and at regular intervals thereafter (the interval is set by the SMA appliance administrator). When the USB device is removed, the next check fails and the connection is ended.
It's important for users to understand that their connectivity depends on the presence of the USB device, and
that removal is noticed at the next scheduled check rather than instantly. For this reason they should also not
leave the USB device plugged in and unattended, since the session stays usable for as long as the device is present.
Here's an overview of the configuration steps the administrator must take:
1. To establish a trust relationship between the USB device and the appliance, you must reference a root CA certificate in the EPC device profile. If it's not already present, import the certificate to the appliance (click SSL Settings in the main navigation menu, and then click Edit in the CA Certificates area).
2. Using the Appliance Management Console, create a device profile for Windows, Mac, or Linux devices that checks for the presence of a client certificate on the USB devices you plan to distribute. The certificate must descend from the root certificate from Step 1. When creating a device profile for Windows, ensure both the system and user certificate stores are searched, so that the check does not depend on which store the USB device's certificate appears in.
3. Create an EPC Standard zone that requires the device profile from the preceding step.
4. When you are defining the zone, specify in the Recurring EPC area at what interval EPC will re-check the client systems that are classified into this zone. In this case you might want frequent checks (for example, every 10 minutes): the interval bounds how long a session can survive after the USB device is removed.
A device for which there is no profile match (the client certificate does not descend from the root CA certificate identified in Step 1, or the USB device has no certificate) will "fall through" to either the Default zone or a Quarantine zone:
- To deny access to any connection requests that don't meet your criteria, configure the Default zone to simply deny access. In the Access restrictions area on the Zone Definition page, select Block VPN access.
- If you prefer, you can create a Quarantine zone and customize the message users see; for example, you may want to explain what is required to bring the user's system into compliance with your security policies.