4.3 Configuring Traffic Policies

You can configure a maximum of 250 traffic rules per role, depending on the length of the policy name. If you have configured multiple traffic policies, the policies are prioritized based on the order of their creation.

The roles for a user are created in the Identity Server. These roles are displayed in the traffic policies page by default.In scenarios such as a federated setup, where the role can be injected from another Identity Server, you can add or remove the user-configured roles while creating the traffic policies.

4.3.1 Configuring Policies

You can configure a different set of traffic policies for different roles as follows:

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

  2. Select Traffic Policies from the Policies section.

    Traffic Policies page

  3. Click New. The New dialog box is displayed.

  4. Specify the traffic policy name in the Traffic Policy Name field, then click OK.

  5. (Optional) To enable the full tunneling mode, select Enabling Full Tunneling.

    For more information, see Section 4.4, Configuring Full Tunneling

  6. Click the newly added traffic policy.

    Fill in the following fields:

    Policy Name: Displays the name that you have specified for the traffic policy.

    Role (s): The role to which the traffic rule applies. If the role was created in the Identity Server, it is displayed in Available Roles by default. Select the role you want to assign the traffic policy to and click the forward arrow to send it to Assigned Roles. If you want to assign a traffic policy to multiple roles, press the Ctrl key when selecting the roles.

    To assign a traffic policy to user-defined roles, click the Manage Roles button.

    Click the Add Role icon to add the roles and click the Remove selected roles icon to delete the roles. Click OK to confirm your changes, or click Cancel to discard the changes.

    The role is case-sensitive. If the role configured is Employee and the Identity Server sends a request for employee, the rule is not pushed to the client. You cannot change the role name after you have configured a traffic rule. If you do so, the changes are not reflected in the associated traffic rule.

    Destination Addresses: Specify the destination IP address entries in any of the following formats:

    • A single host IP address. For example, 192.168.1.1

    • A range of IP addresses in the same subnet. For example, 192.168.1.1-192.168.1.10

    • A combination of host address and network mask. For example, 192.168.1.0/255.255.255.0

    • A full tunneling IP address 0.0.0.0.

    NOTE:You can configure a traffic policy with a maximum of 20 IP address entries. However, in Enterprise Mode, the OpenVPN client can add a maximum of 100 routes.

    To add an IP address, click the + icon. To delete an IP address, select the address that you want to delete, then click the - icon. You can also edit the existing IP address.

    NOTE:If the traffic policy includes a host entry, you cannot change the subnet mask.

    Predefined Application: Select a predefined application from the drop-down list.

    Name: Specify a name for the application. This information is optional.

    Protocol: Select a protocol from the drop-down list. You can select TCP, UDP, ICMP, or Any.

    Port: Specify the port number on which the service is available. You can also specify a range of port numbers. You can specify a port range separated by a comma or a hyphen. For example 8, 10, 11-15.

    Specify 0 to allow all ports depending on the protocol.You can configure a maximum of 20 port entries for a traffic policy.

    Action: Specify if a service can be allowed or denied. Select Encrypt to allow the service in encrypted form. Select Deny if you do not want to allow the service.

    Security Level: Specify the minimum level of security to be adhered to by the client machine in order to apply this traffic policy. For more information on how to configure security levels, see Section 4.2, Configuring Client Security Levels.

  7. To delete a traffic policy, select the policy, then click Delete.

  8. To enable a traffic policy, select the policy, then click Enable.

  9. To disable a traffic policy, select the policy, then click Disable.

  10. To save your modifications, click OK, then click Update on the Configuration page.

4.3.2 Ordering Traffic Policies

You can configure multiple traffic policies for a user’s role. These traffic policies can be sorted either based on their priority or alphabetically. Use the Sort On option in the traffic policies page to sort the traffic policies either based on the policy name or based on the priority of policies.

However, for a user, traffic policies are applied based on the order of the traffic policies. For example, the first traffic policy is applied to the user, followed by the second traffic policy, and so on. The rules set in the first traffic policy takes precedence over the next. For example, if you want to allow a user access to an application, and you place the policy as the third policy, the policy would work provided the first and second policy do not deny access to that particular application.

If you want to order the policies based on their priority, you can drag and drop the policies in the order that you want them to be placed. The Sort On option must be set to Priority in order to drag and drop the policies.

4.3.3 Exporting and Importing Traffic Policies

You can export the traffic policies that you have created and save them on your local machine as an XML file. This file can be imported when you want to copy the policies into a new setup or into an existing setup, for example, if you want to add to or duplicate the traffic policies. This feature is also useful when you want to reinstall a setup.

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

  2. Select Traffic Policies from the Policies section. The SSL VPN Traffic Policies page is displayed.

  3. Select the policies that you want to export, then click Export.

  4. Specify a filename for the XML document that saves the configuration.

  5. Specify a location to save the XML file.

  6. To import the exported XML file, select the server into which you want to import the traffic policies.

  7. Click Import in the traffic policies page.

  8. Browse and select the XML file that contains the saved traffic policies.

  9. To save your modifications, click OK, then click Update on the Configuration page.