Secure Mobile Access 12.4 Administration Guide

Technical Documentation> Management> User Management> Configuring Realms and Communities> Creating and Configuring Communities> Using End Point Control Restrictions in a Community

Secure Mobile Access 12.4.3
Introduction
- About Secure Mobile Access
Installation
- Installation and Initial Setup
Management
- Working with Appliance Management Console
- User Management
Authentication
- Network and Authentication Configuration
Administration
- Security Administration
  - Creating and Managing Resources
    Resource Types
    Built-In Resources
    Secure Mobile Access WorkPlace (Resource Type: URL)
    Connect Tunnel (Resource Type: URL)
    Network Explorer (Resource Type: Network Share)
    Web Resources
    Client/Server Resources
    File Share Resources
    Resources and Resource Groups
    Viewing Resources and Resource Groups
    Adding Resources
    Example: Specifying a URL Alias
    Example: Blocking Email Attachments
    Example: Supporting Exchange on iPhones
    Example: Restricting Access to Sensitive Data
    Editing Resources
    Deleting Resources
    Configuring a Resource as a SharePoint Web Service
    Exclusions
    Using the Exclusions
    Using Variables in Resource and WorkPlace Shortcut Definitions
    Using Session Property Variables
    Using Query-Based Variables
    Creating a Resource Pointing to Users’ Remote Desktops
    Creating a WorkPlace Link Giving Users Access to Their Remote Desktops
    Creating a Variable Containing a Variable
    Modifying Query Results
    Displaying a Series of Shortcuts Using a Single Definition
    Creating and Managing Resource Groups
    Adding Resource Groups
    Example: Working with a URL Redirect
    Editing, Deleting and Copying Resource Groups
    Web Application Profiles
    Viewing Web Application Profiles
    Adding Web Application Profiles
    Preconfigured Web Application Profiles
    Web Application Profile Examples
    How Requests for Web Resources are Evaluated
    Associating one profile with an entire domain
    Editing and Deleting Web Application Profiles
    Configuring a Single Sign-On Authentication Server
    Forms-Based Single Sign-On
    Basic Authentication Forwarding
    NTLM Authentication Forwarding
    Creating Forms-Based Dynamic Single Sign-On Profiles
    Dynamic SSO Profile for Microsoft RDWeb
    Configuring Microsoft RD Web Access in AMC
    Creating Dynamic SSO Profile for Microsoft Remote Desktop Web Client
    Creating Web Application Profile
    Creating RDWeb URL resource with custom access
    Adding RDWeb in start page
    Dynamic SSO Profile for Citrix XenApp
    Configuring Citrix XenApp in AMC
    Creating Dynamic SSO Profile for Citrix XenApp
    Creating Web Application Profile
    Creating Citrix XenApp URL resource with custom access
    Adding Citrix Xenapp in start page
    Kerberos Constrained Delegation
    Configuring Kerberos Constrained Delegation
    Configuring SMA Support for Microsoft Outlook Anywhere
    Viewing User Sessions
  - Access Control Rules
    Configuring Access Control Rules
    Viewing Access Control Rules
    Access Control Rules for Bi-Directional Connections
    Requirements for Reverse and Cross-Connections
    Securing Application Ports for Reverse Connections
    Adding Access Control Rules for a Forward Connection
    Specifying Advanced Access Control Rule Attributes
    Adding Access Control Rules for a Reverse Connection
    Adding a Pair of Access Control Rules for a Cross-Connection
    Configuring Advanced Access Control Rule Attributes
    Access Methods and Advanced Options
    Adding Users and Resources From Within Access Control Rules
    Editing, Copying, and Deleting Access Control Rules
    Resolving Deny Rule Incompatibilities
    Resolving Invalid Destination Resources
    Invalid Resource Examples
- System Administration
End Point Control
Components
Mobile Connect
- Using SMA with Mobile Connect
Appendix
SonicWall Support
- About This Document

Using End Point Control Restrictions in a Community

When you’re creating a community, you have the option of restricting access to users based on the security of their client devices. To do this, specify which End Point Control zones are available to users in this community. There are four types of zones—Deny, Device, Quarantine, and Default. For more information on how to create and configure End Point Control zones, and the device profiles they use to classify connection requests, see Managing EPC with Zones and Device Profiles.

You can also set an inactivity timer, even if you don’t use End Point Control zones for a community, if your users access the appliance using the Connect Tunnel client.

To apply End Point Control restrictions for a community

In the AMC, navigate to User Access > Realms.
Click the link for the community you want to configure, and then click the End Point Control tab.
Use a Deny zone if you have a device profile that is unacceptable in your deployment. You might, for example, want to deny access to any user who has Google Desktop installed on the PC with which they are trying to connect. Select (or create) an entry in the Deny zones list and click the >> button to move it to the In use list. Deny zones are evaluated first (if there’s a match, the user is logged off).

To create a new EPC zone and then add it to the list, click the + (New) icon. For information on how to create a zone, see Defining Zones.
You can assign one or more End Point Control Device zones to the community, which are used to determine which devices are authorized to access a community. If you don’t select a zone, community members are assigned to the default zone, which could limit or even deny access to resources, depending on your access policy. Select the checkbox for a zone in the Device zones list and then click the checkmark () at the top of the list to add it to the In Use list.
If the community references more than one zone, use Move Up and Move Down to arrange their order in the list. Zones are matched in the order they are listed, so it is important to you consider which devices are authorized in each zone. You should place your most specific zones at the top of the list.
If a client device does not match a zone, use the settings in the Zone fallback options area to place it into the default zone, or quarantine the device and (optionally) display a customized page with text and links. See Creating a Quarantine Zone for more information.
To set the Inactivity Timer (which is triggered when there is no keyboard or mouse activity) for community members, select a time limit (ranging from After 3 mins to After 24 hours or Never) from the End inactive user connections list. This is a Windows-only setting that is used by the network tunnel client.

If End Point Control is not used in a community, or at all, the Inactivity Timer is still effective for user sessions, as the Default Zone will still be applied.
Click Save to complete the configuration of the community.

The appliance uses EPC interrogation to check for certain device profile attributes on the client and then classifies the device accordingly. If a Quarantine zone is your fallback option, and if EPC interrogation somehow fails, a device that would normally be quarantined may instead end up in the Default zone.

< Prev Section

Next Section >

Secure Mobile Access 12.4 Administration Guide

Table of Contents

Using End Point Control Restrictions in a Community