Using End Point Control Restrictions in a Community
When you’re creating a community, you have the option of restricting access to users based on the security of
their client devices. To do this, specify which End Point Control zones are available to users in this community.
There are four types of zones—Deny, Standard, Quarantine, and Default. For more information on how to create
and configure End Point Control zones, and the device profiles they use to classify connection requests, see Managing EPC with Zones and Device Profiles.
You can also set an inactivity timer, even if you don’t use End Point Control zones for a community, if your users
access the appliance using the Connect Tunnel client.
To apply End Point Control restrictions for a community
- In the AMC, navigate to User Access > Realms.
- Click the link for the community you want to configure, and then click the End Point Control tab.
- Use a Deny zone if you have a device profile that is unacceptable in your deployment. You might, for
example, want to deny access to any user who has Google Desktop installed on the PC with which they
are trying to connect. Select (or create) an entry in the Deny zones list and click the >> button to move it
to the In use list. Deny zones are evaluated first (if there’s a match, the user is logged off).
To create a new EPC zone and then add it to the list, click the + (New) icon. For information on how to
create a zone, see Defining Zones.
- You can assign one or more End Point Control Standard zones to the community, which are used to
determine which devices are authorized to access a community. If you don’t select a zone, community
members are assigned to the default zone, which could limit or even deny access to resources,
depending on your access policy. Select the checkbox for a zone in the Standard zones list and then click
the checkmark icon at the top of the list to add it to the In Use list.
- If the community references more than one zone, use Move Up and Move Down to arrange their order
in the list. Zones are matched in the order they are listed, so it is important that you consider which devices
are authorized in each zone. You should place your most specific zones at the top of the list.
- If a client device does not match a zone, use the settings in the Zone fallback options area to place it into
the default zone, or quarantine the device and (optionally) display a customized page with text and links.
See Creating a Quarantine Zone for more information.
- To set the Inactivity Timer (which is triggered when there is no keyboard or mouse activity) for
community members, select a time limit (ranging from After 3 mins to After 24 hours or Never) from the End inactive user connections list. This is a Windows-only setting that is used by the network tunnel
If End Point Control is not used in a community, or at all, the Inactivity Timer is still effective
for user sessions, as the Default Zone will still be applied.
- Click Save to complete the configuration of the community.
The appliance uses EPC interrogation to check for certain device profile attributes on the
client and then classifies the device accordingly. If a Quarantine zone is your fallback option, and if
EPC interrogation somehow fails, a device that would normally be quarantined may instead end up
in the Default zone.
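The evaluation order in this procedure, modeled in Python as an added example (not SonicWall code and not anything the appliance exposes): it shows why the order of Standard zones matters, flags zones that an earlier, less specific zone makes unreachable, and models the failed-interrogation caveat as its worst case. The zone names, attribute strings and the subset rule used to match a device against a zone are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    required: frozenset  # attributes a device must report to match (assumed model)

def classify(attrs, deny, standard, fallback="Default"):
    """attrs: set of attributes found by interrogation, or None if it failed."""
    if attrs is None:
        # Page caveat, modeled as the worst case: a failed interrogation lands
        # the device in the Default zone even if Quarantine is the fallback.
        return "Default"
    for z in deny:                      # Deny zones are evaluated first
        if z.required <= attrs:
            return f"DENY:{z.name}"     # a match means the user is logged off
    for z in standard:                  # Standard zones, in the order listed
        if z.required <= attrs:
            return z.name
    return fallback                     # zone fallback: "Default" or "Quarantine"

def shadowed(standard):
    """Pairs (zone, earlier_zone) where zone can never match because an
    earlier, less specific zone always matches first."""
    out = []
    for i, later in enumerate(standard):
        for earlier in standard[:i]:
            if earlier.required <= later.required:
                out.append((later.name, earlier.name))
                break
    return out

# Constructed sample configuration and device (not taken from a real appliance).
DENY = [Zone("GoogleDesktop", frozenset({"google_desktop"}))]
MANAGED = Zone("Managed", frozenset({"windows", "antivirus", "corp_cert"}))
ANY_WIN = Zone("AnyWindows", frozenset({"windows"}))
LAPTOP = {"windows", "antivirus", "corp_cert"}

if __name__ == "__main__":
    print(classify(LAPTOP, DENY, [MANAGED, ANY_WIN]))    # most specific zone first
    print(classify(LAPTOP, DENY, [ANY_WIN, MANAGED]))    # same device, wrong order
    print(shadowed([ANY_WIN, MANAGED]))                  # ordering audit
    print(classify(LAPTOP | {"google_desktop"}, DENY, [MANAGED, ANY_WIN]))
    print(classify({"macos"}, DENY, [MANAGED, ANY_WIN], "Quarantine"))
    print(classify(None, DENY, [MANAGED, ANY_WIN], "Quarantine"))
```

Because a failed interrogation can bypass the Quarantine fallback, the access policy attached to the Default zone is the one to review for least privilege.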