5.10 VPN Enforcement Policy

The following instructions assume that you are using the Create New VPN Enforcement Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing VPN Enforcement policy (see Editing a Policy’s Details).

Typically, the VPN Enforcement policy is used to provide greater security at locations such as public wireless hotspots and hotel access points. When a device enters one of these locations, referred to as a Trigger location, it attempts to detect the Internet. If the Internet is detected, the VPN Enforcement policy settings are applied. You can configure the settings to create a basic policy or an advanced policy. We recommend that you review Understanding the VPN Enforcement Policy to decide what kind of policy best meets your needs.

5.10.1 Understanding the VPN Enforcement Policy

You can configure the policy as a basic policy or an advanced policy. Both are described below.

Basic Policy

A basic VPN Enforcement policy consists of one or more Trigger locations, a method for detecting the Internet, a method for initiating a VPN connection, and a VPN location, as shown in the following figure.

With a basic policy, the following process occurs:

  1. When a device enters a Trigger location, it attempts to detect the Internet. There are two methods you can choose from to detect the Internet: 1) Web page retrieval or 2) network traffic monitoring.

  2. If the Internet is detected, the rest of the process takes place; otherwise, the device remains in the Trigger location.

  3. (Optional) A VPN connection is initiated. There are two methods you can choose from to initiate the connection: 1) execute a command to launch a VPN client or 2) display a message with a link that allows the user to launch a VPN client or informs the user that he or she needs to launch the VPN client some other way.

  4. The location switches from the Trigger location to the VPN location and the VPN location’s security policies are enforced. This occurs whether or not the VPN connection has been established.

  5. The VPN location is exited when the device changes to a non-Trigger location or all network connections are dropped.

Advanced Policy

An advanced VPN Enforcement policy includes the same elements as a basic policy, but also provides the option of using a Pre-VPN location.

In some situations, going directly to the VPN location might enforce security policies that prevent the device from establishing a VPN connection. For example, many businesses, such as hotels and motels, use semi-public networks that provide minimal Internet access until the user logs in or accepts a usage agreement. Immediately switching to the VPN location might enforce security policies that prevent the user from completing the login or agreement. To resolve this issue, you can use a Pre-VPN location with security policies that allow the user to perform the required activities and gain the full Internet access required to establish the VPN connection.

The following figure shows an advanced VPN Enforcement policy:

With an advanced policy, the following process occurs:

  1. When a device enters a Trigger location, it attempts to detect the Internet. There are two methods you can choose from to detect the Internet: 1) Web page retrieval or 2) network traffic monitoring.

  2. If the Internet is detected, the rest of the process takes place; otherwise, the device remains in the Trigger location.

  3. (Optional) A VPN connection is initiated. There are two methods you can choose from to initiate the connection: 1) execute a command to launch a VPN client or 2) display a message with a link that allows the user to launch a VPN client or informs the user that he or she needs to launch the VPN client some other way.

  4. The location switches from the Trigger location to the Pre-VPN location and the Pre-VPN location’s security policies are enforced.

  5. The location switches from the Pre-VPN location to the VPN location when one of the following occurs (you choose one or both):

    • A VPN connection is detected. To use this method, you must enable and configure the VPN detection option in the policy.

    • The delay period expires. You determine the delay period.

  6. The VPN location is exited when one of the following events occurs:

    • The device changes to a non-Trigger location.

    • All network connections are dropped.

    • No VPN traffic is detected for a specified amount of time (the default is 2 minutes). To use this exit method, you must enable and configure the VPN detection option in the policy.

The advanced policy can also be configured with an optional Timeout location, as shown in the following figure:

With an advanced policy that includes a Timeout location, the following process occurs:

  1. When a device enters a Trigger location, it attempts to detect the Internet. There are two methods you can choose from to detect the Internet: 1) Web page retrieval or 2) network traffic monitoring.

  2. If the Internet is detected, the rest of the process takes place; otherwise, the device remains in the Trigger location.

  3. (Optional) A VPN connection is initiated. There are two methods you can choose from to initiate the connection: 1) execute a command to launch a VPN client or 2) display a message with a link that allows the user to launch a VPN client or informs the user that he or she needs to launch the VPN client some other way.

  4. The location switches from the Trigger location to the Pre-VPN location and the Pre-VPN location’s security policies are enforced.

  5. The location switches from the Pre-VPN location to the VPN location if a VPN connection is detected. This requires that you have enabled and configured the VPN detection option in the policy.

    or

    The location switches from the Pre-VPN location to the Timeout location if the delay expires before a VPN connection is detected.

  6. The VPN or Timeout location is exited when one of the following events occurs:

    • The device changes to a non-Trigger location.

    • All network connections are dropped.

    • (VPN location only) No VPN traffic is detected for a specified amount of time (the default is 2 minutes). To use this exit method, you must enable and configure the VPN detection option in the policy.
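The three processes above are one state machine with different options switched on. The following model, added here as an illustration and not ZENworks code, encodes the Trigger to Pre-VPN to VPN or Timeout flow and the exit events so you can check which location, and therefore which security policy, a device ends up in after a given sequence of events. Location names are placeholders. Where the device goes after the VPN location is exited for inactivity is not stated on this page; the model assumes it returns to the Trigger location it came from.

```python
"""Model of the VPN Enforcement location transitions (added illustration,
not ZENworks code). Assumption: after an inactivity exit the device returns
to the Trigger location it started from."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VpnPolicy:
    """The policy settings that drive location switching."""
    trigger_locations: List[str]
    vpn_location: str
    pre_vpn_location: Optional[str] = None       # advanced policy only
    timeout_location: Optional[str] = None       # advanced policy only
    vpn_detection: bool = False                  # Enable VPN Traffic Detection
    switch_on_vpn_detected: bool = True          # Pre-VPN exit criterion; needs vpn_detection
    switch_after_minutes: Optional[int] = 5      # Pre-VPN exit criterion; None = off
    exit_after_idle_minutes: Optional[int] = 2   # VPN location exit; needs vpn_detection


class Device:
    """Applies events in the order the policy evaluates them."""

    def __init__(self, policy: VpnPolicy, location: str):
        self.policy = policy
        self.location = location
        self.origin = location      # Trigger location the flow started from
        self.pre_vpn_elapsed = 0    # minutes spent in the Pre-VPN location
        self.vpn_idle = 0           # minutes without VPN traffic

    def internet_detected(self) -> str:
        p = self.policy
        if self.location in p.trigger_locations:
            self.origin = self.location
            self.pre_vpn_elapsed = self.vpn_idle = 0
            # Basic policy: straight to the VPN location, VPN established or not.
            self.location = p.pre_vpn_location or p.vpn_location
        return self.location

    def vpn_traffic_detected(self) -> str:
        p = self.policy
        if not p.vpn_detection:
            return self.location    # nothing is monitoring, so nothing changes
        self.vpn_idle = 0
        if self.location == p.pre_vpn_location and p.switch_on_vpn_detected:
            self.location = p.vpn_location
        return self.location

    def minute_passed(self) -> str:
        p = self.policy
        if self.location == p.pre_vpn_location and p.switch_after_minutes is not None:
            self.pre_vpn_elapsed += 1
            if self.pre_vpn_elapsed >= p.switch_after_minutes:
                # Delay expired: Timeout location if one is set, else the VPN location.
                self.location = p.timeout_location or p.vpn_location
        elif (self.location == p.vpn_location and p.vpn_detection
              and p.exit_after_idle_minutes is not None):
            self.vpn_idle += 1
            if self.vpn_idle >= p.exit_after_idle_minutes:
                self.location = self.origin   # assumption, see lead-in
        return self.location

    def network_changed(self, new_location: str) -> str:
        """Environment change. Pass e.g. "Unknown" when all connections drop.
        A change to another Trigger location does not exit the VPN side."""
        if new_location not in self.policy.trigger_locations:
            self.location = new_location
        return self.location


def run(policy: VpnPolicy, start: str, events: List[str]) -> List[str]:
    """Replay events ("internet", "vpn", "minute" or "net:<Location>") and
    return the location after each one."""
    device = Device(policy, start)
    path = []
    for event in events:
        if event == "internet":
            device.internet_detected()
        elif event == "vpn":
            device.vpn_traffic_detected()
        elif event == "minute":
            device.minute_passed()
        elif event.startswith("net:"):
            device.network_changed(event[4:])
        else:
            raise ValueError(f"unknown event {event!r}")
        path.append(device.location)
    return path


# Constructed policies: a basic one and an advanced one with a Timeout location.
BASIC = VpnPolicy(["Hotspot"], "VPN")
ADVANCED = VpnPolicy(["Hotspot"], "VPN", pre_vpn_location="PreVPN",
                     timeout_location="Timeout", vpn_detection=True,
                     switch_after_minutes=3, exit_after_idle_minutes=2)

if __name__ == "__main__":
    print(run(BASIC, "Hotspot", ["internet", "minute", "minute"]))
    print(run(ADVANCED, "Hotspot", ["internet", "minute", "vpn", "minute", "minute"]))
    print(run(ADVANCED, "Hotspot", ["internet", "minute", "minute", "minute"]))
```

The basic run shows the point made in step 4 of the basic process: the VPN location's policies apply from the moment the Internet is detected, and without VPN traffic detection nothing ever backs out of them. The advanced runs show the two ways out of the Pre-VPN location and the inactivity exit from the VPN location.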

5.10.2 Configure Trigger Locations

The Trigger Location tab lets you define the policy’s Trigger locations, Internet detection method, and VPN client launch commands.

Trigger Locations

A Trigger location is a location in which you want the VPN Enforcement policy settings applied. You can specify one or more locations. To specify a location, click Add, select the location, then click OK to add it to the list.

Internet Detection Method

This setting is only for the Advanced Version.

When a device enters a Trigger location, it attempts to detect the Internet. If the Internet is detected, the VPN Enforcement policy settings are applied.

To detect the Internet, the device can use one of two methods. It can attempt to retrieve a Web page, or it can monitor the network adapters for traffic from specific addresses. The two methods cannot be used at the same time. You must select one method and then provide the appropriate configuration information for that method.

Retrieve Web Pages

Select this option to use Web page retrieval as the Internet detection method. With this method, the device tries to retrieve specific Web pages to verify Internet access. You can use the default Web pages, custom Web pages, or both:

  • Use the default Web pages: Select this option to have the device try to retrieve one of the internally-defined Web pages.

  • Use the Web pages included in the list: Select this option to define custom Web pages to retrieve, then click New to add a Web page. If you select Validate while adding the Web page, the header information from the retrieved Web page (HTML file) must contain the domain name specified in the URL; if it does not, the Web page is considered invalid and Internet access remains unverified. This matters on the semi-public networks described in Understanding the VPN Enforcement Policy: a login or usage-agreement page returned in place of the requested page can otherwise count as a successful retrieval. Only use the Validate option with URLs that include a domain name; the option does not support URLs with IP addresses.
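The following check is modelled on the Validate option and is an added example, not ZENworks code. It assumes that "header information" means the <head> section of the retrieved HTML, takes the domain name from the URL with urllib.parse, and reports URLs whose host is an IP address as unsupported. The two HTML documents are constructed: GENUINE_PAGE stands for the page the URL names, PORTAL_PAGE for the kind of login page a semi-public network returns in its place.

```python
"""Validate-style check for a retrieved Web page (added example, not ZENworks
code). Assumes "header information" means the HTML <head> element."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample documents.
GENUINE_PAGE = """<html><head><title>Example Domain</title>
<link rel="canonical" href="https://www.example.com/"></head>
<body><p>This domain is for use in illustrative examples.</p></body></html>"""

PORTAL_PAGE = """<html><head><title>Guest Wi-Fi login</title>
<meta http-equiv="refresh" content="0;url=https://portal.hotel-wifi.test/login">
</head><body><p>Accept the usage agreement to continue.</p></body></html>"""


def url_domain(url: str) -> Optional[str]:
    """Domain name in the URL, or None when the host is an IP address
    (the Validate option does not support such URLs)."""
    if "://" not in url:
        url = "http://" + url             # "www.example.com/page" style entries
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host                       # not an IP literal, so a domain name
    return None


def html_head(html: str) -> str:
    """Contents of the first <head>...</head> element, or '' if there is none."""
    match = re.search(r"<head\b[^>]*>(.*?)</head>", html, re.IGNORECASE | re.DOTALL)
    return match.group(1) if match else ""


def validate_retrieval(url: str, html: str) -> bool:
    """True when the retrieved page's <head> contains the URL's domain name."""
    domain = url_domain(url)
    if domain is None:
        raise ValueError(f"Validate needs a URL with a domain name: {url}")
    return domain in html_head(html).lower()


if __name__ == "__main__":
    url = "https://www.example.com/"
    print("genuine page validates:", validate_retrieval(url, GENUINE_PAGE))
    print("portal page validates:", validate_retrieval(url, PORTAL_PAGE))
```

Without the check, both retrievals succeed and the Internet is considered detected; with it, only the genuine page passes. A substring check is only as strong as the page returned: the constructed portal page does not echo the requested URL, and one that did so inside its <head> would pass.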

Monitor Network Traffic

Select this option to use network traffic monitoring to determine whether or not the Internet is present. You determine which network adapters to monitor and define the network traffic that indicates the presence of the Internet.

  • Adapters to monitor: Specify the adapter types and specific adapters to monitor:

    • Adapter Type: Select whether you want to monitor All adapter types, Wired adapters only, or Wireless adapters only.

    • Adapter Names: To monitor all adapters of the selected Adapter Type, leave the adapter list empty. To monitor specific adapters only, type an adapter name and then click Add to add it to the list. Adapter names are not case sensitive. In addition, partial matching is used. For example, Adapter1 not only matches Adapter1 but also matches adapter10 and acme adapter100. The more complete the name, the more limited the matches.

  • Network Traffic: Add the network addresses you want to use to determine if the device can access the Internet. The Internet is active if the ZENworks Endpoint Security Agent receives a ping reply from any of the addresses or detects continuous packet streams from any of the addresses.

    Click New to display the Add Network Traffic Address dialog box, select the address type (IP address or DNS), then enter the address using one of the following formats:

    • xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a single IP address. For example, 123.45.167.100.

    • xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a range of IP addresses. For example, 123.45.167.100-123.45.167.125.

    • xxx.xxx.xxx.xxx/n: Standard CIDR (Classless Inter-Domain Routing) notation for IP addresses. For example, 123.45.167.100/24 matches all IP addresses that start with 123.45.167.

    • www.domain_name: Standard domain name notation. For example, www.novell.com.

    • www.domain_name/n: Standard CIDR (Classless Inter-Domain Routing) notation for a domain name. For example, www.novell.com/16.

    The addresses are tested in the order they are listed, from top to bottom. Use the Move Up and Move Down options to reorder the list.

Connect Settings

You can use the Connect Settings to initiate a VPN connection after the Internet is detected. The Connect Command lets you automatically launch a VPN client while the VPN Message lets you create a message that prompts the user to launch the client.

  • Use Connect Command: This option lets you automatically launch the VPN client after the Internet is detected. If you don’t want the VPN client automatically launched, you can use the Use VPN Message option instead.

    • Link: Specify the full path to the VPN client executable.

    • Parameters: Specify any parameters you want used when launching the client. Enter the parameters in the format required by the client.

  • Use VPN Message: This option lets you display a message to the user. Additionally, you can include a hyperlink that enables the user to launch the VPN client.

    For example, if you selected the Use Connect Command option, you might provide a message informing the user that his or her current location requires a VPN connection to maintain security. The Endpoint Security Agent displays the message before launching the VPN client.

    Or, you can use this option without the Use Connect Command option. In this case, you would provide a message and a link to the VPN client. The user would then click the link to launch the client.

    Select the option, then fill in the following fields:

    • Title of Message Window: Specify the Message Window’s title. For example, “Launch VPN Client.”

    • Body: Provide the text for the message body.

    • Message Hyperlink: If you want to include a hyperlink in the message, select Include message hyperlink, then fill in the following:

      • Display Text: The text to display as the hyperlink in the message.

      • Link: The command or Web URL to be executed when the display text is clicked. Any link that starts with http, https, or www is treated as a Web URL and launches a Web browser. Any other link is treated as an executable command. For example, you might include www.acme.com/vpn to open a Web page that provides the VPN login.

      • Parameters: Applies only to executable commands, not to Web URLs. Specify any parameters that you want appended to the executable command. A space is automatically added between the executable command and the first parameter.

5.10.3 Configure VPN Traffic

This setting is only for the Advanced Version.

VPN traffic detection enables the device to detect when a VPN connection is established and active. VPN traffic detection serves two purposes:

  • If the policy includes a Pre-VPN location, VPN detection allows the device to initiate a switch from the Pre-VPN location to the VPN location after the VPN connection is established. If VPN detection is not enabled, you must configure the switch to occur after a specific period of time. For more information about the Pre-VPN location, see Understanding the VPN Enforcement Policy.

  • If the VPN location is configured to exit after a period of VPN traffic inactivity, VPN detection allows the device to recognize that inactivity and leave the VPN location. If VPN detection is not enabled, the VPN location is not exited until 1) the device changes location or 2) all network connections are dropped.

To use VPN traffic detection, select Enable VPN Traffic Detection, then fill in the following fields:

  • Adapters to monitor: Specify the adapter types and specific adapters to monitor:

    • Adapter Type: Select whether you want to monitor All adapter types, Wired adapters only, or Wireless adapters only.

    • Adapter Names: To monitor all adapters of the selected Adapter Type, leave the adapter list empty. To monitor specific adapters only, type an adapter name and then click Add to add it to the list. Adapter names are not case sensitive. In addition, partial matching is used. For example, Adapter1 not only matches Adapter1 but also matches adapter10 and acme adapter100. The more complete the name, the more limited the matches.

  • Network Traffic: Add the network addresses you want to use to determine if the device has an active VPN connection. The connection is active if the ZENworks Endpoint Security Agent receives a ping reply from any of the addresses or detects continuous packet streams from any of the addresses.

    Click New to display the Add Network Traffic Address dialog box, select the address type (IP address or DNS), then enter the address using one of the following formats:

    • xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a single IP address. For example, 123.45.167.100.

    • xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a range of IP addresses. For example, 123.45.167.100-123.45.167.125.

    • xxx.xxx.xxx.xxx/n: Standard CIDR (Classless Inter-Domain Routing) notation for IP addresses. For example, 123.45.167.100/24 matches all IP addresses that start with 123.45.167.

    • www.domain_name: Standard domain name notation. For example, www.novell.com.

    • www.domain_name/n: Standard CIDR (Classless Inter-Domain Routing) notation for a domain name. For example, www.novell.com/16.

    The addresses are tested in the order they are listed, from top to bottom. Use the Move Up and Move Down options to reorder the list.
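The Network Traffic list here and the one under Configure Trigger Locations accept the same five address formats, and both sections use the same partial-match rule for adapter names. The following matcher is an added example, not ZENworks code, that shows what a given list would match. It assumes that a domain-name entry is resolved to its addresses and that a /n suffix on a domain name is applied to each resolved address; DNS is replaced by the constructed RESOLVER table so that it runs offline.

```python
"""Matcher for the adapter-name rule and the five Network Traffic address
formats (added example, not ZENworks code). Assumption: a name/n entry is
resolved and the prefix applied to each resolved address."""
import ipaddress
from typing import Callable, Dict, List, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed stand-in for DNS (documentation address ranges, not real hosts).
RESOLVER: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.10", "192.0.2.11"],
    "vpn.example.com": ["198.51.100.5"],
}


def resolve(name: str) -> List[str]:
    """Look a name up in RESOLVER; unknown names resolve to nothing."""
    return RESOLVER.get(name.lower(), [])


def adapter_matches(names: List[str], adapter: str) -> bool:
    """Adapter Names rule: an empty list matches every adapter of the
    selected type; otherwise a case-insensitive partial (substring) match."""
    if not names:
        return True
    return any(n.lower() in adapter.lower() for n in names)


def parse_address(entry: str,
                  lookup: Callable[[str], List[str]] = resolve) -> List[IPv4Net]:
    """Expand one Network Traffic entry into the IPv4 networks it covers."""
    entry = entry.strip()
    if "-" in entry:                                   # a.b.c.d-e.f.g.h range
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    host, _, prefix = entry.partition("/")             # address/n or name/n
    bits = int(prefix) if prefix else 32
    try:
        addrs = [str(ipaddress.IPv4Address(host))]
    except ipaddress.AddressValueError:                # not dotted-decimal: a name
        addrs = lookup(host)
    # strict=False so that 123.45.167.100/24 covers all of 123.45.167.0/24
    return [IPv4Net((a, bits), strict=False) for a in addrs]


def first_match(entries: List[str], seen: str,
                lookup: Callable[[str], List[str]] = resolve) -> Optional[str]:
    """Return the first entry, top to bottom, that covers the address seen
    on the adapter, or None if no entry covers it."""
    ip = ipaddress.IPv4Address(seen)
    for entry in entries:
        if any(ip in net for net in parse_address(entry, lookup)):
            return entry
    return None


# A constructed list in the order it would appear in the policy.
ENTRIES = [
    "123.45.167.100",
    "123.45.167.100-123.45.167.125",
    "123.45.167.100/24",
    "www.example.com",
    "vpn.example.com/16",
]

if __name__ == "__main__":
    print(adapter_matches(["Adapter1"], "acme adapter100"))
    for seen in ("123.45.167.110", "123.45.167.7", "198.51.77.1", "10.0.0.1"):
        print(seen, "->", first_match(ENTRIES, seen))
```

The order of ENTRIES matters only for which entry is reported; the /24 entry covers everything the single address and the range cover, so listing the narrower entries first lets you see which one actually fired. Note how far vpn.example.com/16 reaches: a reply from any host in 198.51.0.0/16 counts as VPN traffic, which is wider than most administrators intend.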

5.10.4 Configure Pre-VPN Location

This setting is only for the Advanced Version.

As soon as the Internet is detected, the location switches from the Trigger location to the VPN location. In some situations, going directly to the VPN location might enforce security policies that prevent the device from establishing a VPN connection.

For example, many businesses, such as hotels and motels, use semi-public networks that provide minimal Internet access until the user logs in or accepts a usage agreement. Immediately switching to the VPN location might enforce security policies that prevent the user from completing the login or agreement. To resolve this issue, you can use a Pre-VPN location with security policies that allow the user to perform the required activities and gain the full Internet access required to establish the VPN connection.

Using a Pre-VPN location is optional. To use a Pre-VPN location, select Use a Pre-VPN location, then fill in the following fields:

  • Pre-VPN Location: Select the location you want to use for the Pre-VPN location. This can be any location other than the one you plan to use as the VPN location.

  • Exit Criteria: The exit criteria determines when the Pre-VPN location switches to the VPN location. You can use one or both of the following options:

    • Switch from the Pre-VPN location to the VPN location when VPN traffic is detected: This option applies only if you’ve enabled VPN detection. Select this option to switch as soon as VPN traffic is detected.

    • Switch from the Pre-VPN location after XX minutes: Select this option to switch after a specific amount of time, then specify the time in minutes (the default is 5 minutes).

5.10.5 Configure VPN Location

This setting is only for the Advanced Version.

The VPN location is a location that provides the security policies you want enforced while using the VPN connection. It cannot be the same location as a Trigger location or the Pre-VPN location.

  • VPN Location: Select the location whose security policies you want to use during the VPN connection.

  • Exit the VPN location if no VPN traffic has been detected for XX minutes: This option applies only if you have enabled VPN traffic detection. By default, the VPN location is exited only if 1) a network environment change causes a switch to a new location or 2) all network connections are lost. Select this option to also let the device exit the VPN location when no VPN traffic is detected, then specify the inactivity time (the default is 2 minutes).

  • Use Disconnect Command: Select this option if you want to execute a command when leaving the VPN location, then fill in the following fields:

    • Link: Specify the command to execute.

    • Parameters: Specify any parameters associated with the command. A space is automatically added between the executable command and the first parameter.